Home / server / Questions / 451521
Accepted
Jarl
Asked: 2012-11-23 04:25:42 +0800 CST

How can I configure apache to respond 400 when request contains an invalid byte sequence?

  • 772

On web application someone is making invalid HTTP request containing invalid bytes.

According to RFC 3986, section 2 only ASCII characters are allowed in the HTTP Request line. However I am receiving request contains the byte sequence (in Hex) \0xC3 \0xA6, which is the UTF-8 byte sequence for 'æ' (which of course should have been percent encoded as %C3%A6). In the apache log they show up as \xc3\xa6. Nevertheless this is an invalid HTTP request, so I would like configure apache to respond with an error 400 Bad Request in this case instead of delegating the request to my Rails app. How can I do that?

BTW: My web application is a Ruby on Rails (served by Phusion Passenger mod_rails 3.0.13), but I don't think it is relevant to the question, as I am interested in configuring apache so that these requests never reaches my application.

url

1 Answers

  1. Best Answer

    I succeeded configuring apache using mod_rewrite to respond 400 Bad request containing URLs with invalid characters.

    Inspired from this tutorial I added this snippet to my apache configuration file:

    # unreserved [a-zA-Z0-9\-\.\_\~]
# reserved gen-delims [\:\/\?\#\[\]\@]
# reserved sub-delims [\!\$\&\'\(\)\*\+\,\;\=]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\%\-\.\_\~\:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]+(\ .+)?$
RewriteRule ^.*$  -  [redirect=400,last]

    See RFC3986, section 2.2 and 2.3 for details on the valid characters.

    • 1