Allow %0A in url RewriteRule with htaccess
Ok, so first, I had to add a check to make sure that the file didn't exist (the two RewriteCond's take care of that). Then I had to create a pattern that matched any character, or a \r or a \n that was matched one or more times (+). The zero or more times operator (*) didn't return the results properly.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^((.|\r|\n)+)/? index.php?params=$1 [L,NC]
Just an FYI here: A common hacking method called Whitespace filtering uses %0A
Filtering can be bypassed on the space character by using alternative whitespace characters to the space character (%20). Most SQL engines consider a line return (%0a in a *NIX environment, %0a%0d in a Windows environment), tab characters, or the + character as valid whitespace:
You must utilize the %{THE_REQUEST} variable to grab the actual path from the original Apache web server request.
Try this code:
RewriteCond %{QUERY_STRING} !^params=.+ [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,}\s/+[^/]+/([^\s]+) [NC]
RewriteRule ^ index.php?params=%1 [L,QSA]
Then inside index.php check $_SERVER["QUERY_STRING"] for the full unadulterated path with %0A in it.
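One way index.php could handle that value, as an added example that is not part of the original answers: it reads `params` from the raw query string, decodes it once, and reports any control characters such as the `%0A` line feed before the value reaches a header, a log line or a query. The function names and the sample query string are hypothetical, and the code assumes the rewrite rule above delivers the path still percent-encoded, as the answer states.

```php
<?php
// Added example, not code from the answers above. Function names are hypothetical.

/**
 * Return the raw (still percent-encoded) `params` value from a query string.
 * $_GET['params'] is not used because PHP has already decoded it there.
 */
function raw_params(string $queryString): ?string
{
    foreach (explode('&', $queryString) as $pair) {
        [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
        if ($key === 'params') {
            return $value;
        }
    }
    return null;
}

/** Decode once and list the ASCII control characters the value carries. */
function inspect_params(string $raw): array
{
    $decoded = rawurldecode($raw); // path semantics: "+" is left as "+"
    preg_match_all('/[\x00-\x1F\x7F]/', $decoded, $m);
    $controls = array_map(
        fn(string $c): string => sprintf('0x%02X', ord($c)),
        array_values(array_unique($m[0]))
    );
    return ['raw' => $raw, 'decoded' => $decoded, 'controls' => $controls];
}

/** True when the decoded value contains no CR, LF or other control bytes. */
function is_single_line(array $info): bool
{
    return $info['controls'] === [];
}

// Constructed sample; in index.php pass $_SERVER['QUERY_STRING'] instead.
$queryString = 'params=line1%0Aline2/extra&debug=1';
$info = inspect_params(raw_params($queryString) ?? '');

if (!is_single_line($info)) {
    // Multi-line input: keep only the encoded form for logs, never place the
    // decoded form in a header, and pass it to SQL only as a bound parameter.
    error_log('params carries control bytes ' . implode(',', $info['controls'])
        . ' raw=' . $info['raw']);
}
```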