
I want to check if the URL has control character codes like 0x00, 0x01 ... 0x1f and 0x7f.

example.com/test.php?status0x01Http../

If it has, I need to redirect to the 404 page. If no such character exists, redirect to the accessed page.

I want to achieve this in .htaccess.
I tried:

RewriteRule ^/?(.*)>$ /$1 [L,R=301]

The above code removes all the characters.

2 Answers


  1. From your example, these control characters appear in the query string only. To form a valid HTTP request these chars would need to be URL-encoded (i.e. %-encoded as %HH) in the request. So an actual request would be of the form:

    example.com/test.php?status%01Http../
    

    We can check the QUERY_STRING server variable using a mod_rewrite condition, which remains %-encoded.

    For example, you could trigger a 404 for such URLs using the following:

    RewriteCond %{QUERY_STRING} %([01][0-9A-F]|7F) [NC]
    RewriteRule ^ - [R=404]
    

    This will need to go near the top of your .htaccess file, before any existing mod_rewrite directives. As a general rule, any blocking directives should be first.

    > If no such character exist redirect to the accessed page

    There is nothing that needs to be done in this respect; the above rule simply isn’t triggered and the request falls through and is processed normally.


    UPDATE:

    example.com/test.php?status0x01Http../
    

    Although it would seem (from more recent questions) that you may be referring to the literal characters 0x01 etc. These are not "control characters" in the URL; they are simply the sequence of characters 0, x, 0 and 1, etc.

    If this is the case then you can modify the above rule to read:

    # Check the query string only for this sequence of chars
    RewriteCond %{QUERY_STRING} 0x([01][0-9A-F]|7F) [NC]
    RewriteRule ^ - [R=404]
    

    If this sequence of characters also appears in the URL-path then you shouldn’t need to do anything as I would expect your application to already be triggering a 404 when the URL does not resolve. However, you could check for this sequence of characters anywhere in the URL by checking against THE_REQUEST instead.

    For example:

    # Check the entire URL for this sequence of chars
    RewriteCond %{THE_REQUEST} 0x([01][0-9A-F]|7F) [NC]
    RewriteRule ^ - [R=404]
    
  2. With your shown samples and attempts, please try the following htaccess rules file. I am posting 2 sets of htaccess rules here; keep only one of them, not both.

    The 1st one is a generic one, which works on any URL that has .php followed by a query string.

    RewriteEngine ON
    RewriteCond %{THE_REQUEST} \s(?:[^.]*)\.php\?.*%([01][0-9A-F]|7F) [NC]
    RewriteRule ^ - [R=404,L]
    

    The 2nd one is a specific case, which works on a URL that contains test.php followed by a query string.

    RewriteEngine ON
    RewriteCond %{THE_REQUEST} \s/test\.php\?.*%([01][0-9A-F]|7F) [NC]
    RewriteRule ^ - [R=404,L]
    

    Please make sure to clear your browser cache before testing your URLs.

    Also keep these rules at the top of your htaccess rules file.

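To see which requests the conditions in the first answer fire on before deploying them, the two patterns can be run over sample request lines. This is an added example, not code from either answer: Python's `re` stands in for mod_rewrite's regex engine, and `query_string`, `classify` and the request lines are constructed for illustration.

```python
import re

# Patterns copied from the rules above; the [NC] flag maps to re.IGNORECASE.
ENCODED_CTRL = re.compile(r"%([01][0-9A-F]|7F)", re.I)  # %00-%1F and %7F
LITERAL_0X = re.compile(r"0x([01][0-9A-F]|7F)", re.I)   # the text "0x01" etc.

def query_string(request_line):
    """Return the raw (still %-encoded) query string, like %{QUERY_STRING}."""
    target = request_line.split(" ")[1]
    return target.partition("?")[2]

def classify(request_line):
    """Report which RewriteCond would fire for this request line."""
    qs = query_string(request_line)
    return {
        # RewriteCond %{QUERY_STRING} %([01][0-9A-F]|7F) [NC]
        "encoded_in_query": bool(ENCODED_CTRL.search(qs)),
        # RewriteCond %{QUERY_STRING} 0x([01][0-9A-F]|7F) [NC]
        "literal_in_query": bool(LITERAL_0X.search(qs)),
        # RewriteCond %{THE_REQUEST} 0x([01][0-9A-F]|7F) [NC]
        "literal_in_request": bool(LITERAL_0X.search(request_line)),
    }

# Constructed sample request lines (not real traffic).
SAMPLES = [
    "GET /test.php?status%01Http../ HTTP/1.1",   # encoded control char
    "GET /test.php?status=%7fend HTTP/1.1",      # lowercase hex, caught by [NC]
    "GET /test.php?q=hello%20world HTTP/1.1",    # encoded space, not a control char
    "GET /test.php?status0x01Http../ HTTP/1.1",  # literal text "0x01"
    "GET /0x1F/test.php?id=5 HTTP/1.1",          # literal text in the path only
    "GET /test.php?color=0x1F4E79 HTTP/1.1",     # ordinary hex value, also matches
]

if __name__ == "__main__":
    for line in SAMPLES:
        fired = [name for name, hit in classify(line).items() if hit]
        print(f"{line!r:50} -> {fired or 'passes'}")
```

The last sample shows that the literal `0x` rules also return a 404 for an ordinary hex value in a parameter, so check them against the parameters your application actually accepts.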