You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users-de@httpd.apache.org by Reindl Harald <h....@thelounge.net> on 2012/08/21 10:57:00 UTC
is there a way to replace & with & in URLs
/show_content.php?sid=126&detail_id=3984
i have a modsec-rule to kill such requests because they
will never show the expected content - is there a way
for modsec or httpd to replace them with the correct &
and fix this transparent?
Re: [mod-security-users] is there a way to replace & with & in
URLs
Posted by Reindl Harald <h....@thelounge.net>.
you completly missunderstood what i am saying
there is no problem with "arg_separator.output"
there are only a lot of problems with by stupidity
broken clients not able to handle a 100% valid
<a href="/your-script.php?test1=1&test2=0">
and following the URL with & in the request
to the webserver INSTEAD decode the entity
this is plain wrong, there are hundrets of robots
doing it wrong and there are many clients (java,
apple-software) doing it also wrong what means
finally that the variable "test2" never reaches
the script leading to have hundrets of duplicate
contents form the view of this crap-clients
and yes you MUST encode & in a href with & if
you are using html-validators to verify your work
and before i write any software producing invalid
HTML i leave this business at all
__________________
the following mod_rewrite-rule does the trick but
i would be much more satisfied if mod_security could
do this replace instead having mod_rewrite active on
some hundret domains with the overhead of a normally
not needed and problably even not loaded module
<Directory />
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (.*)&(.*)
RewriteRule .* %{REQUEST_URI}?%1&%2 [N,R=301]
</IfModule>
</Directory>
Am 21.08.2012 18:26, schrieb Mario Brandt:
> Usualy that is set in php.ini
> see arg_separator.output
>
> On Tue, Aug 21, 2012 at 12:44 PM, Reindl Harald <h....@thelounge.net> wrote:
>>
>>
>> Am 21.08.2012 12:37, schrieb Josh Amishav-Zlatin:
>>> On Tue, Aug 21, 2012 at 11:57 AM, Reindl Harald <h.reindl@thelounge.net <ma...@thelounge.net>> wrote:
>>>
>>> /show_content.php?sid=126&detail_id=3984
>>>
>>> i have a modsec-rule to kill such requests because they
>>> will never show the expected content - is there a way
>>> for modsec or httpd to replace them with the correct &
>>> and fix this transparent?
>>>
>>> Hi Reindl,
>>> Mod_Rewrite should be able to help
>>
>> i doubt mod_rewrite for some hundret of vhosts before
>> the application firewall will not be so good :-(
>>
>> it is so frustrating that there are so many broken
>> mail-clients and robots which are too stupid to
>> handle correct encoded HTML-URLs in a proper way
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-de-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-de-help@httpd.apache.org
>
--
Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / CISO / Software-Development
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/
http://www.thelounge.net/signature.asc.what.htm
Re: [mod-security-users] is there a way to replace & with & in URLs
Posted by Mario Brandt <jb...@gmail.com>.
Usualy that is set in php.ini
see arg_separator.output
Mario
On Tue, Aug 21, 2012 at 12:44 PM, Reindl Harald <h....@thelounge.net> wrote:
>
>
> Am 21.08.2012 12:37, schrieb Josh Amishav-Zlatin:
>> On Tue, Aug 21, 2012 at 11:57 AM, Reindl Harald <h.reindl@thelounge.net <ma...@thelounge.net>> wrote:
>>
>> /show_content.php?sid=126&detail_id=3984
>>
>> i have a modsec-rule to kill such requests because they
>> will never show the expected content - is there a way
>> for modsec or httpd to replace them with the correct &
>> and fix this transparent?
>>
>> Hi Reindl,
>> Mod_Rewrite should be able to help
>
> i doubt mod_rewrite for some hundret of vhosts before
> the application firewall will not be so good :-(
>
> it is so frustrating that there are so many broken
> mail-clients and robots which are too stupid to
> handle correct encoded HTML-URLs in a proper way
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-de-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-de-help@httpd.apache.org
Re: [mod-security-users] is there a way to replace & with & in
URLs
Posted by Reindl Harald <h....@thelounge.net>.
Am 21.08.2012 12:37, schrieb Josh Amishav-Zlatin:
> On Tue, Aug 21, 2012 at 11:57 AM, Reindl Harald <h.reindl@thelounge.net <ma...@thelounge.net>> wrote:
>
> /show_content.php?sid=126&detail_id=3984
>
> i have a modsec-rule to kill such requests because they
> will never show the expected content - is there a way
> for modsec or httpd to replace them with the correct &
> and fix this transparent?
>
> Hi Reindl,
> Mod_Rewrite should be able to help
i doubt mod_rewrite for some hundret of vhosts before
the application firewall will not be so good :-(
it is so frustrating that there are so many broken
mail-clients and robots which are too stupid to
handle correct encoded HTML-URLs in a proper way