1

It seems like my shared host provider is detecting the presence of "http://www" or "http%3A%2F%2Fwww" in any get request and serving up a 403 page.

I also get an 'in addition' error...

"Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request."

This only happens with this string. If I change it to something else the get is successfully submitted and the target page successfully returned.

If it helps I'm writing a QR code getter, so the ability to submit urls is quite important.

Also, strangely I can submit a url as long as it doesn't have 'www' in it. I can also submit 'www' as long as it isn't preceded by 'http://' (or the encoded version)

edit: Just to confirm this wasn't a specific problem with the page I was writing, I went to another page on my website that uses get request and manually inserted the string. This also generates the 403 error.

MrVimes
  • Ummm... OK. Sounds like a problem to discuss with your hosting provider. What question are you looking to get answered here? – Yuliy Jun 26 '11 at 03:02
  • well.. maybe someone knows what causes it. Is it necessary to be deliberately unhelpful? – MrVimes Jun 26 '11 at 03:03
  • ... for example, a person in the know (such as one might find on stackoverflow) might recognise this and then tell me what I need to do on my hosting account to stop this from happening – MrVimes Jun 26 '11 at 03:05
  • I clicked in here trying to be helpful, and yet there's really nothing to go off of. Is this error getting returned when someone tries to connect _in_ to your site? If so, then it sounds like code your hosting provider has decides to forbid such a request, and it's something to discuss with them. If it's an error when going _out_ from your site, then your hosting provider is definitely doing something funky. Either way, the answer lies with them. – Yuliy Jun 26 '11 at 03:08
  • OK. Perhaps I mistook your comment for flippancy when it wasn't. I'm sorry. I submitted the question thinking I'd encountered something that the dev world has seen before and knows what to do about. It seems that's not the case and my host is actually implementing some weird security measure. – MrVimes Jun 26 '11 at 03:22

2 Answers

3

Yes -- there are two solutions:

  1. Request to remove this strange security feature for your account from your provider.
  2. Don't send URLs with http://www in them. For example, replace this string in JavaScript before sending the data with something like "%htpwwwashere:(%", which you then replace back in PHP.
gaRex
  • I did think about doing a replace. For some reason I got it into my head that it wouldn't be possible because it would break the functional purpose of the page. Turns out I was being a fool. I've simply replaced 'http' with 'http#' on the submit, then revert back on the target page. The reason I asked about this on stack is that I thought there was some known reason for this behaviour. I guess my host IS running some weird kind of security measure. – MrVimes Jun 26 '11 at 03:20
  • I wouldn't call it a strange feature. It's most likely a crude attempt to prevent injection attacks on the pages they're serving up. – Marc B Jun 26 '11 at 03:31
0

Replace any instances of http://www. with StackOverflowRulez and in your PHP have it replace the $_GET StackOverflowRulez with http://www..

Shaz
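The replace-and-revert workaround from both answers, as an added example that is not code from any of the posts: instead of a literal placeholder it base64url-encodes the URL so `http://www` never appears in the query string, and the receiving side decodes it and accepts only an absolute http(s) URL, since the comment above suggests the host's filter is a crude guard against injection. The function names and the `u` parameter are assumptions; the receiving half is shown in JavaScript, and the same decode-then-validate step would belong in the PHP target page.

```javascript
// Added example: names (packUrl, unpackUrl, parameter "u") are assumptions.
const ALLOWED = new Set(['http:', 'https:']);

// Parse and accept only absolute http(s) URLs; returns the normalized href.
function checkedHref(raw) {
  let url;
  try { url = new URL(raw); } catch { return null; }
  return ALLOWED.has(url.protocol) && url.hostname ? url.href : null;
}

// Sender side: base64url-encode so "http://www" never appears in the query.
function packUrl(raw) {
  const href = checkedHref(raw);
  if (href === null) throw new Error('not an http(s) URL');
  // href is ASCII (URL percent-encodes and punycodes), so btoa is safe here.
  return btoa(href).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Receiver side: decode, then validate again; never rely on the sender's check.
function unpackUrl(token) {
  if (!/^[A-Za-z0-9_-]+$/.test(token)) return null;
  let decoded;
  try {
    decoded = atob(token.replace(/-/g, '+').replace(/_/g, '/'));
  } catch { return null; }
  return checkedHref(decoded);
}

// Constructed sample input.
const sample = 'http://www.example.com/page?id=1';
const query = new URLSearchParams({ u: packUrl(sample) }).toString();
console.log(query);
console.log(unpackUrl(new URLSearchParams(query).get('u')));
```
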