400 Bad request

Hi,

Having problems with urls containing percent sign. Most of them return
400 and don’t even appear in either error.log or access.log.

GET /download-%27.07%%27.html?frame=1 HTTP/1.1
Host: www.my.eu
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20100101 Firefox/6.0 FirePHP/0.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
x-insight: activate

HTTP/1.1 400 Bad Request
Server: nginx/1.0.5
Date: Wed, 14 Sep 2011 10:36:24 GMT
Content-Type: text/html
Content-Length: 172
Connection: close

What’s wrong with them?

Thanks

Posted at Nginx Forum:

Hello!

On Wed, Sep 14, 2011 at 06:48:25AM -0400, coviex wrote:

Accept-Language: en-us,en;q=0.5
Connection: close

What’s wrong with them?

They aren’t valid.

Because the percent (“%”) character serves as the indicator for
percent-encoded octets, it must be percent-encoded as “%25” for that
octet to be used as data within a URI.

Maxim D.

On Wed, Sep 14, 2011 at 06:48:25AM -0400, coviex wrote:

Hi there,

Having problems with urls containing percent sign. Most of them return
400 and don’t even appear in either error.log or access.log.

% is an escape character within a url. It must be followed by exactly
two hex-characters, or the url is invalid and the request is bad.

GET /download-%27.07%%27.html?frame=1 HTTP/1.1

The first one there is %27 and decodes to '.

The second one is %%2 and is invalid.

What’s wrong with them?

They’re broken.

Whatever is generating that url should be fixed so that it is properly
encoded/escaped.

If the filename is download-'.07%'.html, it should appear in the url
as download-%27.07%25%27.html

All the best,

f

Francis D.
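
The rule described in the replies above ("%" must be followed by exactly two hex digits, and a literal "%" must be sent as "%25"), as an added example that is not part of the original posts. The function names `bad_escapes` and `encode_segment` are hypothetical; the first two sample targets come from the thread and the last two are constructed.

```python
from urllib.parse import quote, unquote

HEX = set("0123456789abcdefABCDEF")

def bad_escapes(target):
    """Offsets of each '%' that is not followed by exactly two hex digits."""
    bad = []
    for i, ch in enumerate(target):
        if ch != "%":
            continue
        pair = target[i + 1:i + 3]
        # A truncated escape ("%2" at end of string) is as invalid as "%%2".
        if len(pair) != 2 or not set(pair) <= HEX:
            bad.append(i)
    return bad

def encode_segment(name):
    """Percent-encode a literal file name for use as one path segment."""
    # safe="" so that '%' and '/' inside the name are escaped as data.
    return quote(name, safe="")

SAMPLES = [
    "/download-%27.07%%27.html?frame=1",    # from the thread: answered with 400
    "/download-%27.07%25%27.html?frame=1",  # from the thread: corrected form
    "/report-100%.html",                    # constructed: '%' followed by ".h"
    "/file%2",                              # constructed: truncated escape
]

if __name__ == "__main__":
    for target in SAMPLES:
        offsets = bad_escapes(target)
        verdict = "ok" if not offsets else "invalid escape at %s" % offsets
        print("%-40s %s" % (target, verdict))

    name = "download-'.07%'.html"
    encoded = encode_segment(name)
    print(encoded)
    # urllib's unquote() is lenient and passes malformed escapes through
    # unchanged, so it cannot stand in for the strict check above.
    print(unquote("%%27"), unquote(encoded) == name)
```

Running the check in whatever generates the links catches the malformed URL before a server rejects it.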

This query string results in 400 on all nginx servers/sites I know of.
Say, http://nginx.org/download-'.07%'.html?frame=1.
Any suggestions?

Posted at Nginx Forum:

Funny thing is there are two sibling threads on the forum named
identically and answers to my question wind up here.

And I didn’t know about that so sorry for asking twice.

I get that requests with %% are invalid.
But why don’t they appear in logs?
Can I show a pretty 404 page for those 400?

Posted at Nginx Forum:

On Wed, Sep 14, 2011 at 01:45:15PM -0400, coviex wrote:

Funny thing is there are two sibling threads on the forum named
identically and answers to my question wind up here.
And I didn’t know about that so sorry for asking twice.

I get that requests with %% are invalid.
But why don’t they appear in logs?
Can I show a pretty 404 page for those 400?

nginx logs this on “info” level:
“client sent invalid request while reading client request line”

The default error_log level is “error”.


Igor S.

On Wed, Sep 14, 2011 at 11:25:24AM -0400, coviex wrote:

This query string results in 400 on all nginx servers/sites I know of.
Say, http://nginx.org/download-'.07%'.html?frame=1.

Not only nginx. Apache does (correctly) the same:

$nc apache.org 80
GET /download-%27.07%%27.html HTTP/1.0

HTTP/1.1 400 Bad Request
Date: Wed, 14 Sep 2011 15:29:31 GMT
Server: Apache/2.3.15-dev (Unix) mod_ssl/2.3.15-dev OpenSSL/1.0.0c
Content-Length: 342
Connection: close
Content-Type: text/html; charset=iso-8859-1

[…]

Any suggestions?

-http://nginx.org/download-'.07%'.html?frame=1
+http://nginx.org/download-%27.07%25%27.html?frame=1


Igor S.