View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
5853 | Composr | core | public | 2024-08-07 20:51 | 2024-08-13 01:47 |
Reporter | Adam Edington | Assigned To | PDStig |
Priority | normal | Severity | minor |
Status | resolved | Resolution | fixed |
Product Version | 10.0.47 |
Fixed in Version | 10.0.49 |
Summary | 5853: Internal redirects failing with Forbidden error |
Description | This may be related to my hosting environment, but if so it is a new thing as I haven't had this issue before. Basically any links with ?redirect= throw this error. Removing the appended redirection loads the content as expected. |
Tags | No tags attached. |
|
Do you notice any patterns with the redirects such as them containing spaces (%20) or control characters? |
|
It's probably a ModSecurity rule set to not allow URLs as GET parameters, as that can sometimes be used in attacks. Complain to the webhost for imposing rules on you unilaterally. |
|
Webhost restriction. v11 changes already work around this kind of issue. |
|
Thank you, I will contact my hosting provider. It's an annoyance rather than a problem. |
|
Hosting company replied that this error may be relevant, not sure what to do with this information however:- mediafeeder.net [Fri Aug 09 21:58:02 2024] [error] [client 185.146.164.254:0] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F |
|
%3F is an encoded question mark. Sounds like their firewall is blocking it. As Chris mentioned, v11 works around those issues. I'm re-opening this issue and assigning it to myself. Multiple people running v10 are reporting similar issues. I'm going to include a patch for 10.0.49. |
|
Thanks. From what I read on StackOverflow, the issue is related to mod_rewrite redirects, and the suggested workarounds via .htaccess had their own security implications. I imagine I will be running v10 for some time. I like how it looks even if it doesn't have all the new bells and whistles. I am glad it is still getting some attention. |
|
Automated response: Internal redirects failing with Forbidden error

Since the cms URL encode was last touched, we discovered additional characters which could get blocked by either mod_rewrite or ModSecurity, even when using urlencode, that must be specially encoded by Composr. These have already been implemented in v11. The full list is now the following:

1) '/', '&', '#', '+', ' ' when outside the query string
2) '?', '=' when inside a query string parameter |
|
Fixed in git commit f852d49697 (https://gitlab.com/composr-foundation/composr/commit/f852d49697 - link will become active once code pushed to GitLab)

A hotfix (a TAR of files to upload) has been uploaded to this issue. These files are made to the latest intra-version state (i.e. may roll in earlier fixes too if made to the same files) - so only upload files newer than what you have already. If there are files in a hot-fix that you don't have then they probably relate to addons that you don't have installed and should be skipped. Always take backups of files you are replacing or keep a copy of the manual installer for your version, and only apply fixes you need. These hotfixes are not necessarily reliable or well supported.

Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/). |
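
The two-part character list in the automated note above can be used to audit a site's links for the forms that mod_rewrite or ModSecurity could block. The following is an added example, not Composr's code or its fix: it reports percent-encoded occurrences of the listed characters by location. The function names and sample URLs are constructed, and matching only the percent-encoded forms is an assumption.

```python
from urllib.parse import urlsplit

# Percent-encoded forms of the characters in the note's two lists.
# List 1 applies outside the query string, list 2 inside a parameter value.
PATH_RISKY = {"%2F": "/", "%26": "&", "%23": "#", "%2B": "+", "%20": " "}
QUERY_RISKY = {"%3F": "?", "%3D": "="}


def _hits(text, table):
    """Return the literal characters whose percent-encoding occurs in text."""
    upper = text.upper()  # %3f and %3F are the same escape
    return [ch for enc, ch in table.items() if enc in upper]


def audit_url(url):
    """Return (location, parameter name or None, character) findings for url."""
    parts = urlsplit(url)  # path and query are left undecoded
    findings = [("path", None, ch) for ch in _hits(parts.path, PATH_RISKY)]
    for pair in filter(None, parts.query.split("&")):
        name, _, value = pair.partition("=")
        findings += [("query", name, ch) for ch in _hits(value, QUERY_RISKY)]
    return findings


# Constructed sample links (example.com is a placeholder host).
SAMPLES = [
    "https://example.com/site/index.php?page=login"
    "&redirect=https%3A%2F%2Fexample.com%2Findex.php%3Fpage%3Dforum",
    "https://example.com/docs/a%2Fb%20c.htm",
    "https://example.com/index.php?page=forum",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        for location, name, ch in audit_url(sample) or [("none", None, "")]:
            print(f"  {location} {name or ''} {ch!r}")
```

A finding means the link carries one of the listed encodings in the listed location; whether a given host rejects it depends on that host's rewrite and firewall rules.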
Date Modified | Username | Field | Change |
---|---|---|---|
2024-08-07 20:51 | Adam Edington | New Issue | |
2024-08-07 20:51 | Adam Edington | Project | Composr website (compo.sr) => Composr |
2024-08-07 20:52 | Adam Edington | Product Version | => 10.0.47 |
2024-08-07 20:53 | Adam Edington | Description Updated | |
2024-08-07 20:56 | PDStig | Relationship added | related to 5770 |
2024-08-07 20:57 | PDStig | Note Added: 0009128 | |
2024-08-08 00:57 | Chris Graham | Note Added: 0009129 | |
2024-08-08 00:58 | Chris Graham | Assigned To | => Chris Graham |
2024-08-08 00:58 | Chris Graham | Status | Not Assigned => Closed |
2024-08-08 00:58 | Chris Graham | Resolution | open => no change required |
2024-08-08 00:58 | Chris Graham | Note Added: 0009130 | |
2024-08-08 20:25 | Adam Edington | Note Added: 0009132 | |
2024-08-09 08:12 | Guest | Relationship added | related to 5865 |
2024-08-13 00:56 | Adam Edington | Note Added: 0009170 | |
2024-08-13 01:10 | PDStig | Assigned To | Chris Graham => user4172 |
2024-08-13 01:10 | PDStig | Status | Closed => Assigned |
2024-08-13 01:10 | PDStig | Note Added: 0009171 | |
2024-08-13 01:12 | PDStig | Relationship replaced | has duplicate 5865 |
2024-08-13 01:13 | PDStig | Relationship deleted | has duplicate 5865 |
2024-08-13 01:17 | Adam Edington | Note Added: 0009173 |