#5853 - Internal redirects failing with Forbidden error

Do you notice any patterns with the redirects such as them containing spaces (%20) or control characters?

It's probably a ModSecurity rule set to not allow URLs as GET parameters, as that can sometimes be used in attacks. Complain to the webhost for imposing rules on you unilaterally.

Webhost restriction. v11 changes already work around this kind of issue.

Thank you, I will contact my hosting provider. It's an annoyance rather than a problem.

Hosting company replied that this error may be relevant, not sure what to do with this information however:-
mediafeeder.net [Fri Aug 09 21:58:02 2024] [error] [client 185.146.164.254:0] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F

%3F is an encoded question mark. Sounds like their firewall is blocking it. As Chris mentioned, v11 works around those issues.

I'm re-opening this issue and assigning it to myself. Multiple people running v10 are reporting similar issues. I'm going to include a patch for 10.0.49.

Thanks. From what I read on StackOverflow the issue is related to mod_rewrite redirects and the suggested workarounds via .htaccess had their own security implications. I imagine I will be running v10 for some time, I like how it looks even if it doesn't have all the new bells and whistles I am glad it is still getting some attention.

Automated response: Internal redirects failing with Forbidden error

Since the cms URL encode was last touched, we discovered additional characters which could get blocked by either mod_rewrite or ModSecurity, even when using urlencode, that must be specially encoded by Composr. These have already been implemented in v11.

The full list is now the following:

1) '/', '&', '#', '+', ' ' when outside the query string
2) '?', '=' when inside a query string parameter