400 Error on % !!

Francis Daly francis at daoine.org
Mon Nov 23 20:14:55 UTC 2015

On Mon, Nov 23, 2015 at 08:34:41PM +0100, B.R. wrote:
> On Mon, Nov 23, 2015 at 9:40 AM, shahzaib shahzaib <shahzaib.cb at gmail.com>
> wrote:

Hi there,

[mostly addressed to the original poster]

> >   Thanks for the reply, now we've tons of these URLs which are not
> > properly encoded.

> The only solution I find viable is that you remove percent character from
> your URIs which are not representing Unicode characters, for example by
> encoding '%'. The percent-encoded version of '%' is '%25'.

The right answer is to fix those tons of urls at the place they are written.

If whoever wrote them had written "domain.org" instead of "domain.com",
you'd have to fix them (or take control of domain.org).

This is broadly similar to that.

Either strip the % in the cases where you know it was written unencoded;
or encode it to %25 in the same cases.

> > Can we redirect '%' request to the same URL by excluding
> > '%' ? Such as
> >
> > http://domain.com/video/100%-working
> >
> > to
> >
> > http://domain.com/video/100-working

In theory, you could have a front-end web service which accepted all
requests, and for the specific ones that are clearly broken like this,
could redirect to the fixed version; otherwise is could pass the request
through to the back-end (current) web server. (Or it could pass through
the fixed version; but that feels like it would be even more complicated.)

It could only work if you know the broken urls, though --
the url /video/100-working is exactly equivalent to the url
/v%69deo/100%2dworkin%67, so you would not want to %-strip that one. And
if you have one request for /video/50%good and one for /video/50%bad
-- is the second one encoded or not? % is followed by two hexadecimal
characters, which should mean "it is correctly encoded".

If you wanted nginx to be this front-end web service, I think that you
would need code-level changes in your version to get it to accept the
broken input. It is not "just" configuration that would achieve it.

Good luck with it,

Francis Daly        francis at daoine.org

More information about the nginx mailing list