%252F instead of %2F in URL - Apache rewrite module and NE flag


Intro


I was recently migrating some of my company's data from one Apache server to another with a different configuration. After moving the web content I noticed that some of the links on the website were broken. After detailed troubleshooting I compared them with the original ones, and it turned out that the cause was %252F appearing in the URL instead of %2F. After some hours of searching the Internet for a solution, I managed to fix the issue by setting the NE flag in the Apache RewriteRule directive. That alone is sufficient to make it work, so you can stop here; a detailed description of the issue and the solution follows in the sections below.

Case


1) You are using an Apache server with the rewrite module enabled and Rewrite directives in its configuration files.

2) Some of the URLs are broken: %252F is displayed in the browser instead of the expected %2F.

Cause


%2F is an encoded forward slash (/), while %252F is a double-encoded forward slash: the '%' of %2F has itself been encoded as %25. This happens when the rewrite module is used, because by default Apache first encodes the forward slash characters and then encodes them one more time. As a result the browser requests a directory that does not exist on the Apache server, since directory paths in the file system are separated by '/' characters, not by '%2F' characters.

Solution


There is a quick solution for the above issue. All you need to do is add the NE (noescape) flag to the Apache RewriteRule directive. The NE flag prevents special characters (such as the '/' character) from being encoded, so that '/' ends up encoded only once. The following is an example of such a directive that I used on my Apache web server:

RewriteRule ^/$ https://www.domain.com/files/ [NE,R,L]

The above redirects browsers connecting to the www.domain.com website to the 'files' directory.
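
The double encoding described under Cause and the effect of NE, as an added example (not the author's code and not Apache's implementation): a simplified Python model of the escaping step, plus a check that finds links encoded twice. The function names and the sample links under www.domain.com are constructed for illustration.

```python
import re
from urllib.parse import quote

# "%25" followed by two hex digits is an escape that was escaped again,
# e.g. %252F is a double-encoded "/".
DOUBLE_ENCODED = re.compile(r"%25([0-9A-Fa-f]{2})")


def redirect_location(substitution, noescape):
    """Simplified model of the escaping applied to a redirect target.

    Assumption: without NE, every character outside a small safe set is
    percent-encoded, including the "%" of escapes already in the target.
    """
    if noescape:
        return substitution  # [NE]: target is sent as written
    return quote(substitution, safe="/:?&=")


def find_double_encoded(url):
    """Return the escapes that were encoded twice, in their intended form."""
    return ["%" + m.group(1).upper() for m in DOUBLE_ENCODED.finditer(url)]


def repair(url):
    """Remove exactly one extra layer of encoding; single escapes stay intact."""
    return DOUBLE_ENCODED.sub(lambda m: "%" + m.group(1), url)


def audit(links):
    """Map each double-encoded link to its repaired form.

    Matches are candidates only: a literal "%" followed by two hex digits
    (encoded as %25xx) looks the same as a double-encoded escape.
    """
    return {u: repair(u) for u in links if find_double_encoded(u)}


# Constructed sample: a redirect target that already contains %2F.
TARGET = "https://www.domain.com/files/reports%2F2019.pdf"

if __name__ == "__main__":
    without_ne = redirect_location(TARGET, noescape=False)
    with_ne = redirect_location(TARGET, noescape=True)
    print("without NE:", without_ne)
    print("with NE:   ", with_ne)
    print("audit:     ", audit([without_ne, with_ne]))
```

Running audit over the Location headers or links collected from the migrated site lists the ones that still need the NE flag on their rule.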

Summary


The above issue is not a bug, but rather a bad design. You need to change the default behavior of the rewrite engine to make it work. I hope that you will find this article useful.

10 comments:

  1. Awesome.. Thanks for the blog. It helped fix a similar issue.

  2. Thank you a lot. You saved my day...

  3. Great. Thanks for this. Saved me A LOT of trouble!!!

  4. Thank you, man! That explanation helped me a lot!

  5. Hello,

    And what do you think about adding the following directive in the virtual host configuration:

    AllowEncodedSlashes on

    The Apache documentation says:

    "The AllowEncodedSlashes directive allows URLs which contain encoded path separators (%2F for / and additionally %5C for \ on accordant systems) to be used in the path info."


    Knowledge is only valid if it's shared

    Replies
    1. This actually helped, the NE flag not so much.

  6. Thanks for the blog.. this solved my issue, too :)

  7. Thank you for this writeup. It saved me a ton of time debugging this issue.

  8. Hi Guys, how would we add the NE flag in IIS? Any help would be appreciated.

  9. OMG this blog post just helped me tremendously. Thank you!!!
