Custom Error page isn't loading when URL contains "/ /"

Question

I'm having a very specific issue with a site I'm building that is set up to use friendly URLs and custom error pages. I've been reading the message boards for days and although there are a lot of similar seeming posts, nothing addresses this problem specifically... at least to my newbie eyes.

Mostly everything on my site is running ok:

• URLs like "example.com/main/variable/variable" work just fine (redirects to example.com/index.php, loads main.php internally, and pulls the variables into an array)
• 404 errors are handled by index.php and work fine
• 403 errors when you try to access a subfolder with no index page mostly work fine too: "example.com/folder" shows the custom 403 error page at 403.php

Where I'm running into trouble is if the URL gets corrupted to contain a single space followed by a forward slash:

• "example.com/ /" or "example.com/folder/ /"
• "example.com/%20/" or "example.com/folder/%20/"

When this happens a 403 error gets triggered but it doesn't load the custom 403.php page.

Noteably, this problem does not occur if the URL lacks the trailing slash:

• "example.com/ " or "example.com/%20"
• "example.com/folder/ " or "example.com/folder/%20"

These all trigger 404 errors rather than 403, which is what I would like to happen when the trailing slash is included.

I realize this is a very specific situation that will only occur if someone mangles a url while they're typing it in, but I would love for it to not happen. I talked with my web host and they said everything is correct on their end.

Here's the code I'm currently running in .htaccess in my /public-html/ directory:

ErrorDocument 403 https://www.example.com/403.php

# Begin EnforceSSL 
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www.)?example.com$
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L]
</IfModule>
# End EnforceSSL

RewriteEngine On
RewriteBase /

# The Friendly URLs part
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?$1 [L,QSA,NC]

and here's the code in index.php which handles the friendly URLs:

<?php

// Create a URL array containing any passed variables, including requested page
$URL = explode("/", $_SERVER[QUERY_STRING]);

// Load the page
if (trim($URL[0]) == "index"){
    require_once("home.php");
} else if (trim(($URL[0]) == "")){
    require_once("home.php");           
} else if (file_exists(strtolower(trim($URL[0])).".php")) {
    require_once(strtolower(trim($URL[0])).".php");
} else {
    require_once("404.php");
}
?>

Any help is greatly appreciated!

Answer 1

it's just a default Apache response: "403 Forbidden Forbidden You don't have permission to access / / on this server."

There is likely a rule (mod_security perhaps) that is defined in the server config that is blocking such requests. The issue here is that the ErrorDocument defined in .htaccess is too late to serve your custom response. You would need to define the ErrorDocument earlier in the server config.

If you are on a shared server then you will need to contact your host to debug this further.