Since yesterday, when our Apache updated itself overnight, we started to get websites saying 403 Forbidden.
It looks like encoding the "?" is no longer allowed. The crazy thing is that PHP does exactly that when using rawurlencode().
We use this for users' input in form fields which are transferred by GET. Do we need to change all these places?
Using Google we read about an option named "UnsafeAllow3F" but I am not sure how to set this.
Has this problem occurred for others, and what are you doing to fix it?
In the code example, in case $test contains a "?" the user gets a 403 Forbidden.
<a href='test?a=<?=rawurlencode($test);?>'>test</a>
2 Answers
We managed to fix this by adding the flag UnsafeAllow3F in our rewrite rules:
[PT]
was changed to
[PT,UnsafeAllow3F]
And this fixed the issue. There is, however, a security vulnerability associated with this that I can't seem to find much information on, except for "The Apache Foundation recommends users upgrade to version 2.4.61."
I tried a manual compile and install of 2.4.61 on Ubuntu this morning; it was a bit of a nightmare and I couldn't get it working with ColdFusion in the end, so am left waiting to see if they'll bring this fix to the Ubuntu package build (currently 2.4.52).
To fix this, change your rewrite rules from this:
to this:
References:
UnsafeAllow3F Apache documentation
USN-6885-1: Apache HTTP Server vulnerabilities (mod_rewrite)
I saw errors like "AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F" in the Apache error log on AlmaLinux starting 7/11/2024, and the above fixed it.
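Before adding UnsafeAllow3F to every rewrite rule, it is worth knowing which rules and pages are actually tripping the AH10508 check, so the flag can be limited to the rule that needs it. The following is an added example, not code from either answer: it parses Apache error-log lines carrying the AH10508 message quoted above and counts hits per client address and per referring page. The sample log lines are constructed; the field layout around the message is assumed to follow Apache 2.4's default ErrorLogFormat, and the addresses and hostnames are documentation placeholders.

```python
"""Triage AH10508 mod_rewrite errors from an Apache 2.4 error log."""
import re
from collections import Counter

# Constructed sample lines (not from a real server). The AH10508 message text is
# the one quoted in the answer above; the surrounding fields are assumed to follow
# the default ErrorLogFormat. Addresses/hostnames are documentation placeholders.
SAMPLE_ERROR_LOG = """\
[Thu Jul 11 08:15:02.123456 2024] [rewrite:error] [pid 2211:tid 140] [client 192.0.2.10:51234] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F, referer: https://shop.example.test/search
[Thu Jul 11 08:15:09.654321 2024] [core:notice] [pid 2200] AH00094: Command line: '/usr/sbin/apache2'
[Thu Jul 11 08:16:40.000001 2024] [rewrite:error] [pid 2212:tid 141] [client 198.51.100.7:40022] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F, referer: https://shop.example.test/search
[Thu Jul 11 08:17:13.222222 2024] [rewrite:error] [pid 2212:tid 142] [client 192.0.2.10:51240] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F, referer: https://shop.example.test/account
[Thu Jul 11 08:18:00.333333 2024] [php:error] [pid 2213] [client 203.0.113.9:33000] PHP Warning: something unrelated
"""

# Matches only rewrite:error lines with the AH10508 message; the referer suffix
# is optional because Apache omits it when the request carried no Referer header.
AH10508_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[rewrite:error\] \[pid [^\]]+\] "
    r"\[client (?P<client>[^\]]+)\] "
    r"AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F"
    r"(?:, referer: (?P<referer>\S+))?"
)


def parse_ah10508(log_text):
    """Return one dict per AH10508 line: timestamp, client IP, referer (or None)."""
    events = []
    for line in log_text.splitlines():
        m = AH10508_RE.match(line)
        if not m:
            continue
        # Drop the client port; rsplit on the last colon keeps IPv6 literals intact.
        ip = m.group("client").rsplit(":", 1)[0]
        events.append({"ts": m.group("ts"), "ip": ip, "referer": m.group("referer")})
    return events


def summarize(events):
    """Count AH10508 hits per client IP and per referring page."""
    return {
        "total": len(events),
        "by_ip": Counter(e["ip"] for e in events),
        "by_referer": Counter(e["referer"] or "(none)" for e in events),
    }


if __name__ == "__main__":
    summary = summarize(parse_ah10508(SAMPLE_ERROR_LOG))
    print(f"AH10508 hits: {summary['total']}")
    for ref, n in summary["by_referer"].most_common():
        print(f"  {n:3d}  referer {ref}")
    for ip, n in summary["by_ip"].most_common():
        print(f"  {n:3d}  client  {ip}")
```

Run it against the real error log by replacing SAMPLE_ERROR_LOG with the file contents. The per-referer counts point at the forms whose encoded "?" values reach a rewrite rule, which is the rule to review; a spike from a single client address is a separate signal worth a look before the check is relaxed.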