I have two Apache servers running PHP. One accepts forward-slashes in the query string and passes it along to PHP in the expected way, for example:
我有两个运行PHP的Apache服务器。一个接受查询字符串中的正斜杠,并以预期的方式将其传递给PHP,例如:
http://server/index.php?url=http://foo.bar
works and in PHP this expression is true:
工作,在PHP中这个表达式是真的:
$_REQUEST['url'] == "http://foo.bar"
However, in the other Apache server, the same URL results in a 403 Forbidden
error! Note that if the query string is properly URL-escaped (i.e. with %2F
instead of forward-slash), then everything works.
但是,在其他Apache服务器中,相同的URL会导致403 Forbidden错误!请注意,如果查询字符串是正确的URL转义(即使用%2F而不是正斜杠),那么一切正常。
Clearly there's some difference in the Apache or PHP configuration that causes this, but I can't figure out what!
显然,Apache或PHP配置有一些不同导致这一点,但我无法弄清楚是什么!
I want to accept this form of URL in both cases, not reject it.
我希望在这两种情况下接受这种形式的URL,而不是拒绝它。
7 个解决方案
#1
http://server/index.php?url=http://foo.bar
is not a valid url. You have to encode the slashes. I think browsers do this automagically, so maybe you were testing with different browsers?
http://server/index.php?url = http://foo.bar不是有效的网址。你必须编码斜杠。我认为浏览器会自动执行此操作,因此您可能正在使用不同的浏览器进行测试?
Or perhaps it's the AllowEncodedSlashes setting?
或许它是AllowEncodedSlashes设置?
#2
A few posts here suggest the OP's usage is wrong, which is false.
这里有一些帖子表明OP的使用是错误的,这是错误的。
Expanding on Sam152's comment, query strings are allowed to contain both ? and / characters, see section 3.4 of http://www.ietf.org/rfc/rfc3986.txt, which is basically the spec written by Tim Berners-Lee and friends governing how the web should operate.
扩展Sam152的注释,允许查询字符串包含两者?和/字符,请参阅http://www.ietf.org/rfc/rfc3986.txt的第3.4节,这基本上是由Tim Berners-Lee和管理网络应如何运作的朋友编写的规范。
The problem is that poorly written (or poorly configured, or misused) parsers interpret query string slashes as separating path components.
问题是编写得不好(或配置不当或误用)的解析器会将查询字符串斜杠解释为分隔路径组件。
I have seen examples of PHP's pathinfo function being used to parse URL's. Pathinfo wasn't written to parse a URL. You can however extract the path using parse_url then use fileinfo to retrieve details from the path. You will see that parse_url handles / and ? in query strings just fine.
我已经看到PHP的pathinfo函数用于解析URL的示例。没有编写Pathinfo来解析URL。但是,您可以使用parse_url提取路径,然后使用fileinfo从路径中检索详细信息。你会看到parse_url处理/和?在查询字符串中就好了。
In any case, the overall problem is that this area is poorly understood all-round, even among experienced developers, and most people (myself included until recently) just assume that anything after the filename has to be urlencoded, which is patently false if you take the standards into consideration.
在任何情况下,整体问题是这个领域全面了解,即使在经验丰富的开发人员中也是如此,并且大多数人(我自己直到最近都包括在内)只是假设文件名之后的任何内容都必须进行urlencoded,如果你是明显错误的话考虑标准。
tl;dr Read the spec :)
tl; dr阅读规范:)
#3
Do you have mod_security
installed? See this thread:
你有mod_security安装?看到这个帖子:
403 Forbidden on PHP page called with url encoded in a $_GET parameter
403在PHP页面上禁止使用在$ _GET参数中编码的url调用
#4
In your Apache config:
在您的Apache配置中:
AllowEncodedSlashes On
See the documentation for more information:
http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes
有关更多信息,请参阅文档:http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes
Edit: Hmm, this may be what you already have working... I had this same problem, and what ended up fixing it for me was to just use $_SERVER['REQUEST_URI']
as that had the data I needed.
编辑:嗯,这可能是你已经有的工作......我遇到了同样的问题,最后为我修复的只是使用$ _SERVER ['REQUEST_URI'],因为那里有我需要的数据。
#5
You dont specify what PHP does with this url. Does it redirect to this page or try to read it?
你没有指定PHP对这个url的作用。它是重定向到此页面还是尝试阅读?
There is probably some mod_rewrite rule to remove double slashes, or for some other purpose, which tries to redirect this to somewhere it should not.
可能有一些mod_rewrite规则要删除双斜杠,或者出于某种其他目的,它会尝试将其重定向到它不应该的位置。
Maybe a regex without ^ before http://
也许在http://之前没有^的正则表达式
#6
Note that if the query string is properly URL-escaped (i.e. with %2F instead of forward-slash), then everything works.
请注意,如果查询字符串是正确的URL转义(即使用%2F而不是正斜杠),那么一切正常。
So it works when the query string is properly formatted and doesn't work when it isn't. What's the problem?
因此,当查询字符串格式正确时它可以工作,而当它没有时,它不起作用。有什么问题?
#7
This sounds like another case of default magic_quotes_gpc. On the server causing problems check the php.ini and make sure that
这听起来像默认的magic_quotes_gpc的另一种情况。在服务器上导致问题检查php.ini并确保
magic_quotes_gpc = Off
#1
http://server/index.php?url=http://foo.bar
is not a valid url. You have to encode the slashes. I think browsers do this automagically, so maybe you were testing with different browsers?
http://server/index.php?url = http://foo.bar不是有效的网址。你必须编码斜杠。我认为浏览器会自动执行此操作,因此您可能正在使用不同的浏览器进行测试?
Or perhaps it's the AllowEncodedSlashes setting?
或许它是AllowEncodedSlashes设置?
#2
A few posts here suggest the OP's usage is wrong, which is false.
这里有一些帖子表明OP的使用是错误的,这是错误的。
Expanding on Sam152's comment, query strings are allowed to contain both ? and / characters, see section 3.4 of http://www.ietf.org/rfc/rfc3986.txt, which is basically the spec written by Tim Berners-Lee and friends governing how the web should operate.
扩展Sam152的注释,允许查询字符串包含两者?和/字符,请参阅http://www.ietf.org/rfc/rfc3986.txt的第3.4节,这基本上是由Tim Berners-Lee和管理网络应如何运作的朋友编写的规范。
The problem is that poorly written (or poorly configured, or misused) parsers interpret query string slashes as separating path components.
问题是编写得不好(或配置不当或误用)的解析器会将查询字符串斜杠解释为分隔路径组件。
I have seen examples of PHP's pathinfo function being used to parse URL's. Pathinfo wasn't written to parse a URL. You can however extract the path using parse_url then use fileinfo to retrieve details from the path. You will see that parse_url handles / and ? in query strings just fine.
我已经看到PHP的pathinfo函数用于解析URL的示例。没有编写Pathinfo来解析URL。但是,您可以使用parse_url提取路径,然后使用fileinfo从路径中检索详细信息。你会看到parse_url处理/和?在查询字符串中就好了。
In any case, the overall problem is that this area is poorly understood all-round, even among experienced developers, and most people (myself included until recently) just assume that anything after the filename has to be urlencoded, which is patently false if you take the standards into consideration.
在任何情况下,整体问题是这个领域全面了解,即使在经验丰富的开发人员中也是如此,并且大多数人(我自己直到最近都包括在内)只是假设文件名之后的任何内容都必须进行urlencoded,如果你是明显错误的话考虑标准。
tl;dr Read the spec :)
tl; dr阅读规范:)
#3
Do you have mod_security
installed? See this thread:
你有mod_security安装?看到这个帖子:
403 Forbidden on PHP page called with url encoded in a $_GET parameter
403在PHP页面上禁止使用在$ _GET参数中编码的url调用
#4
In your Apache config:
在您的Apache配置中:
AllowEncodedSlashes On
See the documentation for more information:
http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes
有关更多信息,请参阅文档:http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes
Edit: Hmm, this may be what you already have working... I had this same problem, and what ended up fixing it for me was to just use $_SERVER['REQUEST_URI']
as that had the data I needed.
编辑:嗯,这可能是你已经有的工作......我遇到了同样的问题,最后为我修复的只是使用$ _SERVER ['REQUEST_URI'],因为那里有我需要的数据。
#5
You dont specify what PHP does with this url. Does it redirect to this page or try to read it?
你没有指定PHP对这个url的作用。它是重定向到此页面还是尝试阅读?
There is probably some mod_rewrite rule to remove double slashes, or for some other purpose, which tries to redirect this to somewhere it should not.
可能有一些mod_rewrite规则要删除双斜杠,或者出于某种其他目的,它会尝试将其重定向到它不应该的位置。
Maybe a regex without ^ before http://
也许在http://之前没有^的正则表达式
#6
Note that if the query string is properly URL-escaped (i.e. with %2F instead of forward-slash), then everything works.
请注意,如果查询字符串是正确的URL转义(即使用%2F而不是正斜杠),那么一切正常。
So it works when the query string is properly formatted and doesn't work when it isn't. What's the problem?
因此,当查询字符串格式正确时它可以工作,而当它没有时,它不起作用。有什么问题?
#7
This sounds like another case of default magic_quotes_gpc. On the server causing problems check the php.ini and make sure that
这听起来像默认的magic_quotes_gpc的另一种情况。在服务器上导致问题检查php.ini并确保
magic_quotes_gpc = Off