0

I've been trying to upgrade a old Game Server Api that sends requests using special non safe characters such as 0x20 and 0x08

Request sent from the application

Answer from apache after the request

What I've trying doing is changing the .htaccess to get those special characters and replace then to their %hex as any other browser would do.

RewriteRule ^(.*)\x08(.*)$ $1%08$2 [B]
RewriteRule ^(.*)\x20(.*)$ $1%20$2 [B]

I've also added the following option to my apache2.conf 

HttpProtocolOptions unsafe

One way that it works is using IIS to host the php and using Windows Registry Editor to force IIS to allow unescaped characters.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"DisableServerHeader"=dword:00000001
"AllowUnEscapedRestrictedChars"=dword:00000001
"AllowWeakHeaderValueSyntax"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\Synchronize]

But then using that I can't run the main API in a Linux based machine - which is the goal for this project. I would like to know if someone already came across with this issue. I want to be able to request unsafe characters on urls without crashing. They must be unescaped in the url because the data source sends the special characters as unescaped

Henrique
  • 9
  • 2
  • Not sure what your are trying to actually achieve, but have you tried the `B` flag and maybe `BNP`? https://httpd.apache.org/docs/2.4/rewrite/flags.html – Pinke Helga Feb 02 '19 at 21:47
  • Maybe `NE` flag https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_ne – user3783243 Feb 02 '19 at 21:50
  • Also this one. One of those flags should fit your needs depending on your actual intention. – Pinke Helga Feb 02 '19 at 21:52
  • Why would you do this? Surely it's an illegal URL at this point. – Progrock Feb 02 '19 at 21:55
  • You can have multiple comma separated flags on a single rule. No need for cascading translations. – Pinke Helga Feb 02 '19 at 21:56
  • So, the way to do it would be using [B, NE, BNP] as flags but what about my searching regex that i have to use on my rewrite rule – Henrique Feb 02 '19 at 21:56
  • It's pretty much illegal but i dont have access to the source code of the server. And the way that it works is sending GET and POST requests and it uses those unescaped characters as url. – Henrique Feb 02 '19 at 21:57
  • Do not have spaces within the flag list. I ran into a hard debugging challange due to this in the past. – Pinke Helga Feb 02 '19 at 21:59
  • You might want `[B,BNP]` and having human readable expressions. – Pinke Helga Feb 02 '19 at 22:01
  • You can also enclose expression and replacements with double quotes. Also refer [rewrite debugging](https://stackoverflow.com/questions/9632852/how-to-debug-apache-mod-rewrite) It's always better to see what you're doing. Use a local development server, e.g. XAMPP or Apache on linux – Pinke Helga Feb 02 '19 at 22:07
  • This expression looks for **toBeFind** ^(.*)toBeFind(.*)$ and replaces it with **Replaced** $1Replaced$2 but now how do I use those flags? i know that [L] makes it be the only rule used – Henrique Feb 02 '19 at 22:08
  • `[L]` restarts the rewrite process with the rewritten URL, `[END]` exits the rewrite process entirely. SO should provide us the "chat discussion" link. I cannot start one on my own with the current reputation... – Pinke Helga Feb 02 '19 at 22:11
  • I can't either. My discord is Teles#7139 If you have discord. – Henrique Feb 02 '19 at 22:21
  • What is actually happening when you do not use rewrite at all? – Pinke Helga Feb 02 '19 at 22:25
  • https://i.stack.imgur.com/gPd03.png Your browser sent a request that this server could not understand. – Henrique Feb 02 '19 at 22:27

0 Answers0