403 error on long GET URLs even with MaxUrlLength disabled

JGM
21 October 2013, 21:36
Hi,

I have been struggling with this one a lot. I disabled MaxUrlLength by assigning it to none, as the manual says. Still, this kind of URL triggers a 403 Forbidden error:

https://mysiteyah.com/admin/ecommerce/order/edit?id=1382217026&status=pending&status_description=Thanks+for+shopping+at+mysiteyah.com.+Your+order+number+is+%23+1234567890123.Please+print+this+page+or+write+this+number+down%2C+for+future+reference.+This+order+should+arrive+within+9+business+days.%0D%0A%0D%0AYou+will+receive+a+shipment+notification+email+message+as+soon+as+we+send+your+order.+We+may+also+send+you+additional+updates+regarding+the+status+of+your+order.+This+email+is+for+your+records+only+and+cannot+be+used+as+a+receipt+for+in-store+returns.%0D%0A%0D%0AIf+we+may+be+of+further+assistance%2C+please+contact+us+at+customerservice%40mysiteyah.com+or+1-800-111-2222+ext.111.%0D%0A%0D%0ASincerely%2C%0D%0Amysiteyah.com%0D%0ACustomer+Service%0D%0A&btnSaveStatus=Save

I'm using a URL rewriting rule, not sure if that is the cause, but testing with wigwam -t mytoolkit, it seems to rewrite correctly; everything else works normally.

Here is the rewritten output:

/index.php?p=admin/ecommerce/order/edit&id=1382217026&status=pending&status_description=Thanks+for+shopping+at+mysiteyah.com.+Your+order+number+is+%23+1234567890123.Please+print+this+page+or+write+this+number+down%2C+for+future+reference.+This+order+should+arrive+within+9+business+days.%0D%0A%0D%0AYou+will+receive+a+shipment+notification+email+message+as+soon+as+we+send+your+order.+We+may+also+send+you+additional+updates+regarding+the+status+of+your+order.+This+email+is+for+your+records+only+and+cannot+be+used+as+a+receipt+for+in-store+returns.%0D%0A%0D%0AIf+we+may+be+of+further+assistance%2C+please+contact+us+at+customerservice%40mysiteyah.com+or+1-800-111-2222+ext.111.%0D%0A%0D%0ASincerely%2C%0D%0Amysiteyah.com%0D%0ACustomer+Service%0D%0A&btnSaveStatus=Save

The toolkit rule:

UrlToolkit {
ToolkitID = mytoolkit
RequestURI exists Return
Match /(.*)\?(.*) Rewrite /index.php?p=$1&$2
Match /(.*) Rewrite /index.php?p=$1
}

The behaviour could be reproduced on a Hiawatha installation by replacing mysiteyah.com with your host/IP.

Hiawatha version: 9.2
Operating System: Debian Wheezy
Hugo Leisink
21 October 2013, 21:50
If the max length of the URL is exceeded, a 414 is returned. What does the error logfile say?
JGM
21 October 2013, 21:59
The error log doesn't display anything; the request is logged in the access log file normally, but there are no errors in the error log.
Hugo Leisink
21 October 2013, 22:26
Try adding "SecureURL = no". I advise you to rethink the way you use/format your URLs. Keeping things clean and simple often improves security.
JGM
21 October 2013, 22:40
Thanks a lot!

I temporarily fixed it by changing the form method from GET to POST. I use GET because, with POST, if the user presses the back button in the web browser, the browser displays a "document expired" message; I just use GET on some parts of the system. I see that SecureURL isn't documented in the man pages. Is that a new option?

Thanks again!
Hugo Leisink
21 October 2013, 22:55
The SecureURL option is not new. But it's not in the manual because allowing all sorts of special characters in the URL is not good coding practice if you ask me.
JGM
23 October 2013, 03:24
Fixed my code, thanks for your advice!
This topic has been closed.
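
Added example, not part of the thread and not Hiawatha code: a small audit that percent-decodes a URL and lists the query parameters carrying control characters, so the form fields that belong in a POST body can be found before a strict URL check rejects them. It assumes, which the thread does not confirm, that the encoded CR/LF (%0D%0A) sequences are the special characters in question; the function names and the shortened sample URL are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample: a shortened form of the order-status URL from the thread.
SAMPLE_URL = (
    "https://mysiteyah.com/admin/ecommerce/order/edit?id=1382217026"
    "&status=pending"
    "&status_description=Thanks+for+shopping.%0D%0A%0D%0ASincerely%2C"
    "%0D%0ACustomer+Service%0D%0A"
    "&btnSaveStatus=Save"
)


def is_control(ch):
    """True for ASCII control characters (0x00-0x1F) and DEL (0x7F)."""
    return ord(ch) < 0x20 or ord(ch) == 0x7F


def control_chars_in_url(url):
    """Return (location, offset, codepoint) for each control character found
    after percent-decoding the path and the query parameters of url."""
    parts = urlsplit(url)
    findings = []
    # The path is checked too, under the placeholder name "<path>".
    for offset, ch in enumerate(unquote(parts.path)):
        if is_control(ch):
            findings.append(("<path>", offset, f"0x{ord(ch):02X}"))
    # parse_qsl decodes both '+' and %XX, as a server-side parser would.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for offset, ch in enumerate(value):
            if is_control(ch):
                findings.append((name, offset, f"0x{ord(ch):02X}"))
    return findings


def fields_to_move_to_post(url):
    """Names of query parameters whose decoded value holds control characters."""
    return sorted({loc for loc, _, _ in control_chars_in_url(url) if loc != "<path>"})


if __name__ == "__main__":
    for location, offset, code in control_chars_in_url(SAMPLE_URL):
        print(f"{location}: control character {code} at decoded offset {offset}")
    print("move to POST:", fields_to_move_to_post(SAMPLE_URL))
```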