Hi,
Having problems with URLs containing a percent sign. Most of them return
400 and don’t even appear in either error.log or access.log.
GET /download-%27.07%%27.html?frame=1 HTTP/1.1
Host: www.my.eu
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20100101 Firefox/6.0 FirePHP/0.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
x-insight: activate
HTTP/1.1 400 Bad Request
Server: nginx/1.0.5
Date: Wed, 14 Sep 2011 10:36:24 GMT
Content-Type: text/html
Content-Length: 172
Connection: close
What’s wrong with them?
Thanks
Posted at Nginx Forum:
coviex
September 14, 2011, 1:12pm
2
Hello!
On Wed, Sep 14, 2011 at 06:48:25AM -0400, coviex wrote:
Accept-Language: en-us,en;q=0.5
Connection: close
What’s wrong with them?
They aren’t valid.
Because the percent (“%”) character serves as the indicator for
percent-encoded octets, it must be percent-encoded as “%25” for that
octet to be used as data within a URI.
Maxim D.
coviex
September 14, 2011, 1:13pm
3
On Wed, Sep 14, 2011 at 06:48:25AM -0400, coviex wrote:
Hi there,
Having problems with URLs containing a percent sign. Most of them return
400 and don’t even appear in either error.log or access.log.
% is an escape character within a url. It must be followed by exactly
two hex-characters, or the url is invalid and the request is bad.
GET /download-%27.07%%27.html?frame=1 HTTP/1.1
The first one there is %27 and decodes to '.
The second one is %%2 and is invalid.
What’s wrong with them?
They’re broken.
Whatever is generating that url should be fixed so that it is properly
encoded/escaped.
If the filename is download-'.07%'.html, it should appear in the url
as download-%27.07%25%27.html
All the best,
f
Francis D.
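The rule from the replies above (every "%" must start a "%" plus two hex digits triplet, and a literal "%" is written as %25), as an added Python example that is not part of the original thread. The function names are hypothetical, and the sample paths are the ones quoted in the thread.

```python
import re
from urllib.parse import quote, unquote

# A "%" is only valid as the start of "%" HEXDIG HEXDIG (RFC 3986, section 2.1).
_BAD_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def bad_percent_offsets(target: str) -> list[int]:
    """Offsets of every "%" that is not followed by exactly two hex digits."""
    return [m.start() for m in _BAD_PERCENT.finditer(target)]


def strict_unquote(target: str) -> str:
    """Decode percent-escapes, refusing malformed ones.

    urllib.parse.unquote() alone is lenient: it passes a stray "%" through
    unchanged, so a client-side check built on it would accept a URL that
    nginx and Apache answer with 400 Bad Request.
    """
    bad = bad_percent_offsets(target)
    if bad:
        raise ValueError(f"malformed percent-escape at offset(s) {bad}")
    return unquote(target)


def encode_segment(name: str) -> str:
    """Percent-encode one path segment; safe="" also encodes "/" and "%"."""
    return quote(name, safe="")


if __name__ == "__main__":
    broken = "/download-%27.07%%27.html"                  # path from the thread
    fixed = "/" + encode_segment("download-'.07%'.html")  # filename from the thread
    for target in (broken, fixed):
        try:
            print(f"{target} -> OK, decodes to {strict_unquote(target)}")
        except ValueError as exc:
            print(f"{target} -> rejected: {exc}")
```

Running the URL generator's output through `bad_percent_offsets` before publishing links catches this class of broken URL without having to raise the server's log level.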
coviex
September 14, 2011, 5:25pm
4
This query string results in 400 on all nginx servers/sites I know of.
Say, http://nginx.org/download-'.07%'.html?frame=1 .
Any suggestions?
coviex
September 14, 2011, 7:46pm
5
Funny thing is there are two sibling threads on the forum named
identically and answers to my question wind up here.
And I didn’t know about that so sorry for asking twice.
I get that requests with %% are invalid.
But why don’t they appear in logs?
Can I show pretty 404 page for those 400?
coviex
September 14, 2011, 8:04pm
6
On Wed, Sep 14, 2011 at 01:45:15PM -0400, coviex wrote:
Funny thing is there are two sibling threads on the forum named
identically and answers to my question wind up here.
400 bad request
400 Bad request
And I didn’t know about that so sorry for asking twice.
I get that requests with %% are invalid.
But why don’t they appear in logs?
Can I show pretty 404 page for those 400?
nginx logs this on “info” level:
“client sent invalid request while reading client request line”
The default error_log level is “error”.
--
Igor S.
coviex
September 14, 2011, 5:31pm
7
On Wed, Sep 14, 2011 at 11:25:24AM -0400, coviex wrote:
This query string results in 400 on all nginx servers/sites I know of.
Say, http://nginx.org/download-'.07%'.html?frame=1 .
Not only nginx. Apache does (correctly) the same:
$nc apache.org 80
GET /download-%27.07%%27.html HTTP/1.0
HTTP/1.1 400 Bad Request
Date: Wed, 14 Sep 2011 15:29:31 GMT
Server: Apache/2.3.15-dev (Unix) mod_ssl/2.3.15-dev OpenSSL/1.0.0c
Content-Length: 342
Connection: close
Content-Type: text/html; charset=iso-8859-1
[…]
Any suggestions?
-http://nginx.org/download-'.07%'.html?frame=1
+http://nginx.org/download-%27.07%25%27.html?frame=1
--
Igor S.