Need to allow encoded slashes on Apache

apache apache2 apache-config
77,044

Solution 1

This issue is not related to Apache Bug 35256. Rather, it is related to Bug 46830. The AllowEncodedSlashes setting is not inherited by virtual hosts, and virtual hosts are used in many default Apache configurations, such as the one in Ubuntu. The workaround is to add the AllowEncodedSlashes setting inside a <VirtualHost> container (/etc/apache2/sites-available/default in Ubuntu).

Bug 35256: %2F will be decoded in PATH_INFO (Documentation to AllowEncodedSlashes says no decoding will be done)

Bug 46830: If AllowEncodedSlashes On is set in the global context, it is not inherited by virtual hosts. You must explicitly set AllowEncodedSlashes On in every <VirtalHost> container.

The documentation for how the different configuration sections are merged says:

Sections inside <VirtualHost> sections are applied after the corresponding sections outside the virtual host definition. This allows virtual hosts to override the main server configuration.

Solution 2

I kept coming across this post for another issue. Let me just explain real quick.

I had the same style URL and was also trying to proxy it.

Example: Proxy requests from /example/ to another server.

/example/http:%2F%2Fwww.someurl.com/

Issue 1: Apache believes that's an invalid url

Solution: AllowEncodedSlashes On in httpd.conf

Issue 2: Apache decodes the encoded slashes

Solution: AllowEncodedSlashes NoDecode in httpd.conf (Requires Apache 2.3.12+)

Issue 3: mod_proxy attempts to re-encode (double encode) the URL changing %2F to %252F (eg. /example/http:%252F%252Fwww.someurl.com/)

Solution: In httpd.conf use the ProxyPass keyword nocanon to pass the raw URL thru the proxy.

ProxyPass http://anotherserver:8080/example/ nocanon

httpd.conf file:

AllowEncodedSlashes NoDecode

<Location /example/>
  ProxyPass http://anotherserver:8080/example/ nocanon
</Location>

Reference:

Solution 3

I wasted a great many hours on this problem too. I'm a bit late to the party, but it seems there's a solution now.

As per this thread, there is (was) a bug in Apache such that if you have AllowEncodedSlashes On, it prevents the 404, but it mistakenly decodes the slashes, which is incorrect according to the RFC.

This comment offers a solution, namely to use:

AllowEncodedSlashes NoDecode

Solution 4

Replace %2F with %252F at the client side.

This is the double-encoded form of the forward slash.

So when it reaches the server and gets prematurely decoded it will decode it to %2F which is exactly what you want.

Solution 5

in light of all the hassles, i opted for base64_encoding followed by urlencoding. It works without having to fool around with apache server settings or looking at bug reports. It also works without having to put the url in the query section.

$enc_url = urlencode(base64_encode($uri_string));

and to get it back

$url = base64_decode(urldecode($enc_url));

http://example.com/admin/supplier_show/8/YWRtaW4vc3VwcGxpZXJz

http://example.com/admin/supplier_show/93/YWRtaW4vc3VwcGxpZXJzLzEwMA%3D%3D

Share:
77,044

Related videos on Youtube

tommizzle
Author by

tommizzle

Updated on July 05, 2022

Comments

  • tommizzle
    tommizzle almost 2 years

    I'm currently trying to place a URL within a URL. For example:

    http://example.com/url/http%3A%2F%2Fwww.url2.com

    I'm aware that I have to encode the URL, which I have done, but now I am getting a 404 error back from the server rather than my app. I think my problem lies with apache and can be fixed with the AllowEncodedSlashes On directive.

    I've tried putting the directive at the bottom of the httpd.conf to no effect, and am unsure what to do next. Am I putting it in the right place? If so, does anyone have any other solutions?

  • tommizzle
    tommizzle over 13 years
    Hi Rob. Yeah, I got the same result, so had to implement the architecture change too. Little disappointing, but just glad that it works at this stage. Thanks.
  • Chris
    Chris about 10 years
    I don't like it, but ended up going this way too
  • Daniel Beardsley
    Daniel Beardsley almost 10 years
    The first two issues were pretty well documented around the net, but issue 3 was a tough nut to crack till I saw this answer. THANK YOU.
  • Jose De Gouveia
    Jose De Gouveia almost 10 years
    this solution worked like a charm! this should be the Answer! thank!
  • Thomas Vander Stichele
    Thomas Vander Stichele over 9 years
    Wow. Perfect answer, works, concise. Please make this the accepted answer.
  • Terje Bråten
    Terje Bråten about 9 years
    You will get the same problem here, because '/' is a base64 character.
  • William Isted
    William Isted almost 8 years
    A urlencoded / regardless of the method to make it is still a %2F is it not?
  • leeb
    leeb almost 8 years
    The top comment on the php.net website for base64_encode() has a good solution for a URL-safe version: php.net/manual/en/function.base64-encode.php#103849 Basically it involves replacing + and / with alternative chars on encode/decode.
  • cmroanirgo
    cmroanirgo over 7 years
    It took me ages to find this answer. Sometimes one upvote is simply not enough. Many thanks!
  • Ameo
    Ameo about 7 years
    Thanks so much for this; the exact thing that was needed.
  • koppor
    koppor almost 7 years
    You should never every double encode: tools.ietf.org/html/rfc3986#section-2.4
  • Neal Gokli
    Neal Gokli almost 7 years
    @koppor But you can double-decode it if you know it has been double-encoded. So you could double-encode that entire component, and then do a second decode on that component on the other side?
  • Andrew
    Andrew about 5 years
    works a charm when using ProxyPass. Fixed an issue with magento API when using SKU codes containing a slash.
  • NullIsNot0
    NullIsNot0 over 4 years
    If you are using balancer, you should add nocanon to ProxyPass directive not BalancerMember. Example: ProxyPass /webservice balancer://api/webservice nocanon Thanks to @stenix stackoverflow.com/a/14339060/8433375
  • Fernando Crespo
    Fernando Crespo about 4 years
    My problem was a little different, but nocanon resolved it. I have a GiLab omnibus installation behind a Apache proxy with SSL and some urls (the ones with slashes) failed to go through. Using canonfixed it! So glad I came across this.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Apache2 - authorize users against a Location using BasicAuth but ONLY for users outside local subnet
How do I configure Apache2 to allow multiple simultaneous connections from same IP address?
How can I make a virtual host accept multiple domains?
How can I prevent tons of apache processes spawning when I start apache and proceeding to kill my machine?
500 error but no info about the link GET / HTTP/1.1" 500 "-"
Apache in Docker won't deliver sites
Apache multiple domains setup
How to upgrade Apache on a Windows server?
I looked everywhere to change DocumentRoot on Apache to no avail
Apache2 installation : libaprutil-1.so.0 => not found