Posted to users@httpd.apache.org by Jakub Nieznalski <j....@autohaus24.de> on 2013/02/05 15:29:07 UTC

[users@httpd] response with 400 when URI params are malformed

Hi,

I've got a problem: Apache accepts a malformed URI, for example
localhost/?foo=bar% The percent sign makes that request invalid, but Apache
will accept that. Nginx or Unicorn will respond with 400.
How can I achieve the same result? Is there any mod or rule that will tell
Apache to return 400 for an invalid request?

Best regards

Jakub Nieznalski

Re: [users@httpd] response with 400 when URI params are malformed

Posted by Jakub Nieznalski <j....@autohaus24.de>.
Hi,

Thanks for the reply.
It looks like Apache is handling the malformed params properly, but
not with the Phusion Passenger module.
I've already created an issue on the PP project.
If this does not get resolved, I will create a simple rule with mod_taint.

Best regards

Jakub Nieznalski

2013/2/5 Nick Kew <ni...@webthing.com>:
>
> On 5 Feb 2013, at 14:29, Jakub Nieznalski wrote:
>
>> Hi,
>>
>> I've got a problem: Apache accepts a malformed URI, for example localhost/?foo=bar% The percent sign makes that request invalid, but Apache will accept that. Nginx or Unicorn will respond with 400.
>
> That's a request for URL / , with parameters foo=bar%
>
> I'd guess nothing in your server is looking at the parameters.
> If it's a static page and there's no complex configuration that
> might be affected by parameters, why should the server waste
> its time?
>
> Note that if you request /foo=bar% you will indeed get a 400.
>
>> How can I achieve the same result? Is there any mod or rule that will tell Apache to return 400 for an invalid request?
>
> If you want to protect some vulnerable application, a WAF.
> For a simpler solution to just the question, mod_taint.
>
> --
> Nick Kew
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

Re: [users@httpd] response with 400 when URI params are malformed

Posted by Nick Kew <ni...@webthing.com>.
On 5 Feb 2013, at 14:29, Jakub Nieznalski wrote:

> Hi,
> 
> I've got a problem: Apache accepts a malformed URI, for example localhost/?foo=bar% The percent sign makes that request invalid, but Apache will accept that. Nginx or Unicorn will respond with 400.

That's a request for URL / , with parameters foo=bar%

I'd guess nothing in your server is looking at the parameters.
If it's a static page and there's no complex configuration that
might be affected by parameters, why should the server waste
its time?

Note that if you request /foo=bar% you will indeed get a 400.

> How can I achieve the same result? Is there any mod or rule that will tell Apache to return 400 for an invalid request?

If you want to protect some vulnerable application, a WAF.
For a simpler solution to just the question, mod_taint.

-- 
Nick Kew
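
The path-versus-query distinction discussed in this thread, as an added example that is not part of any post and is not Apache or mod_taint code: a strict check that validates percent escapes in both components and picks the status a strict front end would return. The function names and the sample targets beyond the two quoted in the thread are constructed for illustration.

```python
import re

# A "%" is well-formed only when followed by exactly two hex digits
# (RFC 3986, section 2.1). The lookahead flags every "%" that is not.
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def bad_escapes(component):
    """Return the offsets of every malformed percent escape in one URI component."""
    return [m.start() for m in _BAD_ESCAPE.finditer(component)]


def check_request_target(target):
    """Split a request target into path and query and validate each part.

    Returns the offsets of malformed escapes per component and the status a
    strict front end would answer with (400 if either part is malformed).
    """
    path, sep, query = target.partition("?")
    result = {
        "path": path,
        "query": query if sep else None,  # None means no "?" was present
        "bad_in_path": bad_escapes(path),
        "bad_in_query": bad_escapes(query),
    }
    malformed = result["bad_in_path"] or result["bad_in_query"]
    result["status"] = 400 if malformed else 200
    return result


# Constructed sample targets; the first two are the ones quoted in the thread.
SAMPLES = ["/?foo=bar%", "/foo=bar%", "/?foo=bar%25", "/?q=%zz&r=%4", "/?a=%41%2f"]

if __name__ == "__main__":
    for target in SAMPLES:
        r = check_request_target(target)
        print(f"{target!r:16} -> {r['status']} "
              f"path={r['bad_in_path']} query={r['bad_in_query']}")
```

Checking the query as well as the path is what makes `/?foo=bar%` fail here, so an application behind the server never has to decode a truncated escape itself.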