
Apache blocks request if URL is submitted as input param

I have been searching on the internet, but surprisingly not even a single answer or a single query has been raised by anyone. Am I the only one facing this issue? Maybe it is because when we say URL in form, Google gives all the results related to the 'attribute' of form. But here I am not talking about the action URL at all. So I will start with the HTML code.

<form action="/something_that_does_not_matter" method="post">
    <input name="profile" type="text" placeholder="Enter name"/>
    <input name="link" type="text" placeholder="Enter URL"/>
</form>

This form works fine if the user submits some strings in both inputs. When does it become an issue? When you enter any URL in the link field, because that is what it is supposed to do. Please do not ask me to show the script here, because I am 100% sure there's no issue on the server side, as I have even tried with the simplest PHP, like

<?php echo $_POST["link"]; ?>

It happens on the certifiedhosting server only; on my local machine it works fine. A little bit of guessing and research gave me this one reason: that Apache has this security protocol which, if enabled, won't let you submit something harmful. And it is blocking any URL of mine; even if I submit " http://hey " it gets blocked, so the issue is not with the URL either.

My hosting provider is ready to disable that rule for me, but then it would be at my own risk, so I don't want that, obviously.

So now my question is: why is the security there, and if it is really a threat, how does someone who genuinely wants to do it do it?

For pure HTML form submission I cannot find a solution at all. But for Ajax-based requests I have found some solutions. First I tried to encode/decode, which won't work, as the server first tries to find that encoded substring which has http:// in it. So no use.

Another solution is to submit ht$$p:// and then fix it in my PHP script. But it's all a workaround, and forces me to use Ajax. What if I just want to do it in an HTML form? My application won't have JavaScript on it.

Anyone?

Not sure about how to do it without JavaScript, but you can strip out 'http:' from the URL using JavaScript and submit it; it will work, and as we all know, // will tell you the start of the URL anyway.

Making changes to code by @Aayaush

<input type="text" placeholder="Enter URL" onkeyup="document.getElementById('link').value=(this.value).replace(/https?:/,'')" >

<form>
<input name="profile" type="text" placeholder="Enter name"/>
<input name="link" id='link' type="hidden">
<input type="submit">
</form>

Also check this. https://stackoverflow.com/a/39375297/3335776

You can encode the input through JavaScript before posting it through the form. You can use something like the following:

<input name="link" type="text" placeholder="Enter URL" onkeyup="document.getElementById('link').value=btoa(this.value)" >

<form>
<input name="profile" type="text" placeholder="Enter name"/>
<input name="link" id='link' type="hidden">
<input type="submit">
</form>

By doing so the URL gets base64 encoded and will not be detected by Apache as a URL, hence it can be passed. As the link input tag is hidden, it will be hidden in the HTML page but will be accessible by the PHP page.

In the PHP script the link can be accessed with the following code:

<?php echo base64_decode($_POST["link"]); ?>
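Once the field arrives base64-encoded, the request filter in front of Apache no longer inspects it, so the PHP script is the only place left where the URL is checked, and echoing the decoded value as-is prints whatever was submitted. The following is an added example, not part of the original answer; the helper name `decode_submitted_link` and the 4096-byte length limit are assumptions made for illustration.

```php
<?php
// Added example: validate the base64-wrapped "link" field before using it.

/**
 * Decode and validate a submitted link (hypothetical helper).
 * Returns the URL, or null if the input is not an acceptable http(s) URL.
 */
function decode_submitted_link($encoded): ?string
{
    // A field sent as link[]=... arrives as an array; accept strings only.
    if (!is_string($encoded) || $encoded === '' || strlen($encoded) > 4096) {
        return null; // 4096 is an assumed upper bound, adjust as needed
    }
    // Strict mode rejects characters outside the base64 alphabet.
    $url = base64_decode($encoded, true);
    if ($url === false) {
        return null;
    }
    // Reject control characters (CR/LF, NUL) that enable header or log injection.
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return null;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // Allowlist the scheme: FILTER_VALIDATE_URL alone also accepts
    // schemes such as javascript:// and file://.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

$link = decode_submitted_link($_POST['link'] ?? null);
if ($link === null) {
    http_response_code(400);
    echo 'Invalid link';
} else {
    // Escape on output so the value cannot inject markup into the page.
    echo htmlspecialchars($link, ENT_QUOTES, 'UTF-8');
}
```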

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 