Problems with urls containing % (php urlencode())

Claus Hansen
26 December 2008, 23:53

First i'd like to thanks for this great free software. I use it on a small torrent tracker, where it has replaced lighttpd, mainly because of the latest security problems with lighty and also because it simply performs alot better.

My problem with hiawatha is with GET requests, containing binary urlencoded data, for instance, it will result in a 403 Forbidden error message. I've tried to disable all the ban triggers i could find, however, no success in fixing this. Any suggestions on how to fix this?

Best regards,
Hugo Leisink
27 December 2008, 09:53
Most of the time, when an URL contains suchs binary characters, it's because someone is trying to hack your server. The dangerous characters are those below ASCII 32 (space). Those are special control character with special meanings in many applications. By default, Hiawatha will deny an URL which contains characters with an ASCII value lower than 32. You can disable this via the hidden setting 'SecureURL':

VirtualHost {
SecureURL = false

Be sure that your dangerouse characters are treated correctly!!
Claus Hansen
27 December 2008, 17:57
Hi Hugo,

Thanks alot for such a quick reply, really appreciated . And it of course worked like a charm. I have one question regarding the SecureURL, if it's possible to disable it on just 1 file? I really like the secure features of your software, and feel it's a shame to disable them.

I also got another error with urlencoded data when using pathinfo. works, but returns 404. Any suggestions on what can cause this?

Best regards,
Hugo Leisink
29 December 2008, 09:57
The cause is a small bug. Has been fixed. Will be available in 6.11, which will be released today.
This topic has been closed.