I've recently come across a very strange problem with my Apache instance that I can't seem to find an answer to; I could be looking in the wrong places.

For my website I always run all requests through my index.php (all other content, JS/CSS/PNG, goes through a separate CDN), so I use my .htaccess to redirect all requests like so:

SetEnv SERVER_ADMIN admin@example.com
SetEnv PHPRC /home/user
ServerSignature email
AddDefaultCharset UTF-8
DefaultLanguage en-US

# Enable Rewriting
RewriteEngine on
RewriteBase /

Options +FollowSymlinks
Options All -Indexes

# Do not redirect these directories
RewriteRule sitemap.xml - [L]
RewriteRule robots.txt - [L]

# Redirect to index
RewriteCond %{REQUEST_URI} !=/index.php
RewriteRule ^.*$ index.php [L]

I read the path provided from the $_SERVER variable, $_SERVER['REQUEST_URI'].

I recently came across an issue where, when I attempt to send any REQUEST_METHOD to my webserver, the request becomes a GET, but only if my URL contains an escaped / (%2F). While debugging this issue I print_r'd my $_SERVER variable to find the following:

A DELETE request to example.com/%2F

(Just a note that this isn't a trailing / issue, the issue happens no matter where it is in the URL, and I'm not unescaping it in my code)

{
  "REDIRECT_REDIRECT_REDIRECT_REQUEST_METHOD": "DELETE",
  "REDIRECT_REDIRECT_REDIRECT_STATUS": "200",
  "REDIRECT_REDIRECT_SERVER_ADMIN": "admin@example.com",
  "REDIRECT_REDIRECT_PHPRC": "/home/user",
  "REDIRECT_REDIRECT_HTTPS": "on",
  "REDIRECT_REDIRECT_SSL_TLS_SNI": "www.example.com",
  "REDIRECT_REDIRECT_STATUS": "200",
  "REDIRECT_HTTP_AUTHORIZATION": "",
  "REDIRECT_SERVER_ADMIN": "admin@example.com",
  "REDIRECT_PHPRC": "/home/user",
  "REDIRECT_HTTPS": "on",
  "REDIRECT_SSL_TLS_SNI": "www.example.com",
  "REDIRECT_STATUS": "200",
  "HTTPS": "on",
  "SSL_TLS_SNI": "www.example.com",
  "HTTP_HOST": "www.example.com",
  "REQUEST_METHOD": "GET",
  "REQUEST_URI": "/%2F",
  "SCRIPT_NAME": "/index.php"
}

A DELETE request to example.com

{
  "REDIRECT_REDIRECT_SERVER_ADMIN": "admin@example.com",
  "REDIRECT_REDIRECT_PHPRC": "/home/user",
  "REDIRECT_REDIRECT_HTTPS": "on",
  "REDIRECT_REDIRECT_SSL_TLS_SNI": "www.example.com",
  "REDIRECT_REDIRECT_STATUS": "200",
  "REDIRECT_SERVER_ADMIN": "admin@example.com",
  "REDIRECT_PHPRC": "/home/user",
  "REDIRECT_HTTPS": "on",
  "REDIRECT_SSL_TLS_SNI": "www.example.com",
  "REDIRECT_STATUS": "200",
  "HTTPS": "on",
  "SSL_TLS_SNI": "www.example.com",
  "HTTP_HOST": "www.example.com",
  "REQUEST_METHOD": "DELETE",
  "REQUEST_URI": "/",
  "SCRIPT_NAME": "/index.php"
}

I've yet to find out why this escaped symbol is causing an additional redirect, or why it's changing the request method. I came across one suggestion on SO to replace my RewriteRule [L] with a RewriteRule [P] to proxy the request, but that only caused errors. The RewriteRule Flags documentation states that the proxy rule should be used with an external URL.

Any suggestions and/or help would be greatly appreciated.

Jay Blanchard
TheElm

1 Answer

Finally solved the problem with some further digging through StackOverflow.

My first idea was just to read the $_SERVER['REDIRECT_REDIRECT_METHOD'], but I would NOT recommend doing this, as it turns out that Apache was also forcing a 404 response code during this redirect, meaning any URLs with an encoded %2F were returning as Not Found (even with my page content showing up).

The answer came from this other question.

Solution:

# Set this rule in .htaccess/httpd.conf
AllowEncodedSlashes NoDecode
TheElm
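
An added example, not part of the original answer or the asker's code: with AllowEncodedSlashes NoDecode, %2F reaches index.php still encoded in $_SERVER['REQUEST_URI'], so a front controller should split the path on literal slashes first and decode each segment afterwards. The function name route_segments and the sample URI are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not from the original post): turn the raw
 * REQUEST_URI into decoded path segments for routing.
 */
function route_segments(string $requestUri): array
{
    // Drop the query string; keep the path exactly as the client sent it.
    $rawPath = explode('?', $requestUri, 2)[0];

    $segments = [];
    // Split on literal "/" BEFORE decoding, so an encoded %2F stays
    // inside its segment instead of creating a new path component.
    foreach (explode('/', trim($rawPath, '/')) as $raw) {
        if ($raw === '') {
            continue; // collapse empty segments such as "//"
        }
        $decoded = rawurldecode($raw);
        // Refuse dot-segments and NUL bytes, including encoded forms
        // (%2E%2E, %00) that only become visible after decoding.
        if ($decoded === '.' || $decoded === '..'
            || strpos($decoded, "\0") !== false) {
            throw new InvalidArgumentException('Rejected path segment');
        }
        $segments[] = $decoded;
    }
    return $segments;
}

// Constructed sample values, in the shape $_SERVER would present them.
$method = 'DELETE';
$uri    = '/files/reports%2F2024?x=1';

// The encoded slash ends up as data inside the second segment.
print_r(['method' => $method, 'segments' => route_segments($uri)]);
```

A segment that decodes to contain "/" is safe as a routing key or database lookup value, but still needs its own validation before it is ever used to build a filesystem path.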