I want to stop Apache from decoding %2B (+) and %3D (=) from URI. I need those chars not decoded in PATH_INFO.
I've did that for %2F (/) by using:
AllowEncodedSlashes NoDecode
But, I can't find any directive(s) that could help me do the same for other encoded characters. Is this even possible?
You can't prevent Apache from decoding those %-encoded characters in the
PATH_INFOApache server variable (which PHP assigns later to the$_SERVER['PATH_INFO']superglobal, seemingly unaltered).The
AllowEncodedSlashesdirective is a special case. This is really a "security feature". By default, an encoded slash (%2F) in the path-part of the URL triggers a system generated 404 response. TheAllowEncodedSlashesdirective allows the request to get through to the application (theNoDecodeoption was only added later).If you want to read the %-encoded
PATH_INFOin PHP then consider using a different$_SERVERvariable instead, such as$_SERVER['REQUEST_URI'], which is not %-decoded, but this will require some additional parsing. (Note that the PHP superglobal$_SERVER['REQUEST_URI']is different from the Apache server variable of the same name, which is %-decoded and could refer to a different URL entirely if the URL is being rewritten!)However, if you want to read the %-encoded
PATH_INFOwith Apache (using mod_rewrite) then consider parsing theTHE_REQUESTserver variable instead, which contains the entire request header, as sent from the client. This variable is not %-decoded. This could be assigned to an environment variable or even a URL parameter and read by PHP that way. (Note that theQUERY_STRINGserver variable, and corresponding$_SERVER['QUERY_STRING']superglobal, are not %-decoded, but PHP decodes the individual parameter values in the$_GETarray.)