Deb1703797

403 when query string contains a dot (.) character

@Deb1703797

Posted in: #403Forbidden #Apache #Htaccess

EDIT: did more research, asked new question

I dug a bit deeper and realized that the contents of the page are indeed not relevant to this issue. As this question has gotten more and more confusing, I've asked a new question to avoid further muddying the waters.

EDIT: did some more detective work

I've created the following file to display query string parameters and set it up on my webserver:

<!DOCTYPE html>
<html>
<body>

<script src="URI.js"></script>
<script>
// Parse this page's own query string with URI.js and list each parameter.
var bodyEl = document.getElementsByTagName("body")[0];
var url = URI(document.documentURI);
var options = URI.parseQuery(url.query());
var optionsDiv = document.createElement("div");
var optionsText = "";
for (var o in options) {
    optionsText += "" + o + ": " + options[o] + "\n";
}
// innerText treats the values as text, so parameter contents are not interpreted as HTML.
optionsDiv.innerText = optionsText;
bodyEl.appendChild(optionsDiv);
</script>
</body>
</html>


It works as expected given the URL example.com/querytest/querytest.html?a=1&b=2.
When I send it query string parameters containing a %-escaped url, I get a 403 error from the webserver.

Example URL: example.com/querytest/querytest.html?a=1&b=2&source_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D2Tjp0mRb4XA
However, if I substitute example.com for youtube.com in the %-escaped URL, I do not get a 303.

Based on this, I'm guessing that the library I'm using to parse the URL (URI.js) is doing something with the url that violates the same origin policy.

Original post

I'm using shared hosting, i.e. I have no ability to modify the apache installation, root configuration files, etc. I'm developing a web app that passes URLs as query string parameter values. The web server is giving a 403 FORBIDDEN error whenever the query string contains a period character, even if that character is %-escaped — i.e. either "." or "%2E" in a query string value will trigger the 403.

It seems that the web server thinks that the file extension is everything after the final "." in the query string. How can I get it to act sensibly and realize that it's just part of the query string?

A .htaccess file in the web app's directory is used by Apache. I tried creating one containing the following line, but it didn't do the trick. It's been a while since I worked with Apache config, so I'm not surprised. The second line serves to verify that Apache is actually reading the local .htaccess file.

RewriteRule ^app.html$ app.html [L,NC,NS,QSA]
RewriteRule ^app$ app.html [L,NC,NS,QSA]


Note: originally posted on Stack Overflow but received little attention and no responses.


1 Comments


@LarsenBagley505

Check the actual file you're running the query strings against to see if it is producing the 403 errors. If you create a PHP file that has the following contents and save it and then run it live on the server while using an actual dot in the query string, then you'll get the 403 error.

<?php
// Send a 403 whenever the raw query string contains a literal dot.
if (strpos($_SERVER['QUERY_STRING'], ".") !== false) {
    header("HTTP/1.0 403 Forbidden", true);
}
?>

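The two observations in the question (any dot triggers the 403, versus only the youtube.com value triggering it) can be told apart by requesting the test page with one query-string feature added at a time and comparing status codes. The Node.js script below is an added example, not code from either poster; `buildProbes`, `diagnose`, `run` and the probe labels are names made up here, and it assumes Node 18 or later for the global `fetch`.

```javascript
// Added example. The value below is the one from the question; probe labels are made up here.
const FOREIGN = "https://www.youtube.com/watch?v=2Tjp0mRb4XA";

// One request per hypothesis, each adding a single feature to the working baseline.
function buildProbes(pageUrl) {
  const own = new URL(pageUrl).origin + "/watch?v=2Tjp0mRb4XA";
  const q = (extra) => `${pageUrl}?a=1&b=2${extra}`;
  return [
    { label: "baseline", url: q("") },
    { label: "rawDot", url: q("&c=x.y") },
    { label: "encodedDot", url: q("&c=x%2Ey") },
    { label: "ownUrl", url: q("&source_url=" + encodeURIComponent(own)) },
    { label: "foreignUrl", url: q("&source_url=" + encodeURIComponent(FOREIGN)) },
  ];
}

// Name the first added feature that turns the response into a 403.
function diagnose(status) {
  if (status.baseline === 403) return "baseline";       // blocked regardless of parameters
  if (status.rawDot === 403 || status.encodedDot === 403) return "dot";
  if (status.ownUrl === 403) return "url-value";        // any URL-shaped value is rejected
  if (status.foreignUrl === 403) return "foreign-host"; // only an off-site URL is rejected
  return "not-reproduced";
}

// Fetch each probe outside the browser, so no page script (URI.js) is involved.
async function run(pageUrl) {
  const status = {};
  for (const p of buildProbes(pageUrl)) {
    const res = await fetch(p.url, { redirect: "manual" });
    status[p.label] = res.status;
    console.log(res.status, p.label, p.url);
  }
  console.log("verdict:", diagnose(status));
}

// Usage: node probe.js https://your-own-site.example/querytest/querytest.html
if (process.argv[2]) {
  run(process.argv[2]).catch((e) => { console.error(e.message); process.exitCode = 1; });
}
```

Run it against your own test page; a verdict of `dot` matches the original post, while `foreign-host` matches the later edit.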