#5853 - Internal redirects failing with Forbidden error

By Adam Edington
Added 7th Aug 2024, 4:51 PM
9 views

Identifier	#5853
Issue type	Minor issue (breaks specific functionality)
Title	Internal redirects failing with Forbidden error
Status	Completed
Handling member	PDStig
Version	10.0.47
Addon	core
Description	This may be related to my hosting environment, but if so it is a new thing as I haven't had this issue before. Basically any links with ?redirect= throw this error. Removing the appended redirection loads the content as expected.
Steps to reproduce
Related to	#5770 - Forms specifying a redirect in the action are blocked by CSP
Funded?	No
Commits	Fixed MANTIS-5853 (Internal redirects failing with Forbidden error) (f852d496) · Commits · Composr ecosystem / Composr · GitLab

The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".

Rating

Unrated

Comments

By Guest posted 7th Aug 2024, 4:57 PM

Do you notice any patterns with the redirects such as them containing spaces (%20) or control characters?

By Guest posted 7th Aug 2024, 8:57 PM

It's probably a ModSecurity rule set to not allow URLs as GET parameters, as that can sometimes be used in attacks. Complain to the webhost for imposing rules on you unilaterally.

By Guest posted 7th Aug 2024, 8:58 PM

Webhost restriction. v11 changes already work around this kind of issue.

By Guest posted 8th Aug 2024, 4:25 PM

Thank you, I will contact my hosting provider. It's an annoyance rather than a problem.

By Guest posted 12th Aug 2024, 8:56 PM

Hosting company replied that this error may be relevant, not sure what to do with this information however:-
mediafeeder.net [Fri Aug 09 21:58:02 2024] [error] [client 185.146.164.254:0] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F

By Guest posted 12th Aug 2024, 9:10 PM

%3F is an encoded question mark. Sounds like their firewall is blocking it. As Chris mentioned, v11 works around those issues.

I'm re-opening this issue and assigning it to myself. Multiple people running v10 are reporting similar issues. I'm going to include a patch for 10.0.49.

By Guest posted 12th Aug 2024, 9:17 PM

Thanks. From what I read on StackOverflow the issue is related to mod_rewrite redirects and the suggested workarounds via .htaccess had their own security implications. I imagine I will be running v10 for some time, I like how it looks even if it doesn't have all the new bells and whistles I am glad it is still getting some attention.

By Guest posted 12th Aug 2024, 9:47 PM

Automated response: Internal redirects failing with Forbidden error

Since the cms URL encode was last touched, we discovered additional characters which could get blocked by either mod_rewrite or ModSecurity, even when using urlencode, that must be specially encoded by Composr. These have already been implemented in v11.

The full list is now the following:

1) '/', '&', '#', '+', ' ' when outside the query string
2) '?', '=' when inside a query string parameter