Invalid URLs?

dirtwaterfox
Regular
Posts: 16
Joined: Wed Apr 20, 2005 8:18 pm
Location: Ottawa

Invalid URLs?

Post by dirtwaterfox »

I installed serendipity-0.8.5 on my local Apache server easily. Child's play.

However, installation on my client's server stops dead with a 403 Forbidden error as soon as I click on Install (either Simple or Expert).

Can anybody comment on the ISP Unix Administrator's explanation?
" Hi Mike,

The "serendipity" script you have on your site has invalid URLs, which is why you are unable to continue the setup.

The URL is:
http://oregoncatalyst.com/serendipity/s ... y[step]=2a

The problem is the "[" and "]" characters. Please refer to RFC 1738 (or refer the makers of serendipity to it) which states that the following characters are *never* to appear in a URL: """ / "#" / "%" / "~" / "^" / "`" / "|" / "<" / ">" / "[" / "]" / "{" / "}". There are some other RFCs (1630 for example) which alter this list of characters, however the "[" and "]" characters remain in all the lists. If these characters are required in the URL, they must be percent encoded to adhere to proper URL forming standards.

The reason that this has been enforced is as a security measure to reduce the amount of successful hacks to unpatched/old/poorly coded software which may be susceptible to a variety of attacks through the (mis)use of certain restricted characters (such as ";"). This prevents sites from being hacked, which ultimately prevents our servers from getting hacked or secure information being leaked out. Unfortunately the only way around this is to change how the program works by either encoding the "[" and "]" characters, or by removing them entirely."
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Invalid URLs?

Post by garvinhicking »

Sadly your sysadmin has decided to enforce a security measurement that will break about 50% of all existing web applications.

He should please read section 2.2 of the quoted RFC carefully, which tells that the special "unsafe" characters are reserved for future use.

The quoted document is from 1994, and since then such future use has come to present tense; the special characters are used quite often in today's server environments. Today the world is able to speak 8bit, so applying a 7bit enforcement is like forcing people to drive in carriages on the streets and shutting down their cars.

So please convince your provider into offering you an environment you can work with. Your current restrictions are paranoid and not suitable for today's web applications.

Serendipity does follow "common practice" in some terms, such as the use of URL encoding characters.

Your server administrator should instead use mod_security with sane filtering - you are simply filtering too much. There are other means of enforcing security, and not such ground-level paranoia.

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
jhermanns
Site Admin
Posts: 378
Joined: Tue Apr 01, 2003 11:28 pm
Location: Berlin, Germany

Post by jhermanns »

well, using a tilde in a url is not really a new thing. reading the http1.1 rfc states that in http 1.1 RFC 2396 replaces RFCs 1738 and RFC 1808.

in "2.4.3. Excluded US-ASCII Characters" 2396 states that the square brackets are included in the following group of characters:

"Although they are disallowed within the URI syntax, we include here a
description of those US-ASCII characters that have been excluded and
the reasons for their exclusion."

" Other characters are excluded because gateways and other transport
agents are known to sometimes modify such characters, or they are
used as delimiters.

unwise = "{" | "}" | "|" | "\" | "^" | "[" | "]" | "`" "

so i guess in order to behave, these "http-get-arrays" would need to be escaped.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Jannis: Even though in fact all browsers since 1996 or so support transparent encoding of special characters for HTTP requests, thus the apache server would only see a %3E request for the "HTTP-Get array".

Using browsers pre 1996 will most probably have other HTTP problems, so paying attention to those is like making everything CSS-compatible to MSIE 1.0.

Even if we fixed this compatibility for browser dinosaurs, many other applications on your host will still not work. Enforcing such a HTTP 403 restriction is just plain off reality and does more harm than good.

Regards,
Garvin
jhermanns
Site Admin
Posts: 378
Joined: Tue Apr 01, 2003 11:28 pm
Location: Berlin, Germany

Post by jhermanns »

garvinhicking wrote: Jannis: Even though in fact all browsers since 1996 or so support transparent encoding of special characters for HTTP requests, thus the apache server would only see a %3E request for the "HTTP-Get array".
Try http://jayniz.de/http11.php?foo[0]=bar&foo[1]=foobar and http://jayniz.de/http11.php?foo%5B0%5D= ... %5D=foobar (XSS, please). So for HTTP1.1 at least, things should be fine with a correctly escaped request.
garvinhicking wrote: Using browsers pre 1996 will most probably have other HTTP problems, so paying attention to those is like making everything CSS-compatible to MSIE 1.0.

Even if we fixed this compatibility for browser dinosaurs, many other applications on your host will still not work. Enforcing such a HTTP 403 restriction is just plain off reality and does more harm than good.
I wasn't defending that server admin, but arguing like that we could say "hey fuck the handicapped", let's use spacer images and layout-tables all over the place ;-)

If I wasn't wrong with what I looked up/tried to understand so hectically (which I of course may be!), using the %5B and %5D would be just right (and it also makes dirtwaterfox's installation work: http://oregoncatalyst.com/serendipity/s ... step%5D=2a). So why not go for it? We wouldn't be supporting browser dinosaurs, but web standards :)

Edit: BBCode sucks.
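A small Python model of the two points made in this thread (the RFC 2396 "unwise" set, and the claim that a percent-encoded GET array still reaches the application intact), added here as an example and not code from the thread or from Serendipity. The host example.invalid and the script name index.php are constructed placeholders, and the $_GET emulation is deliberately simplified to one bracket level.

```python
# Added example, not code from the thread or from Serendipity. It models the
# server filter that answered 403 Forbidden, the fix proposed above
# (percent-encoding "[" and "]"), and PHP's reading of name[sub]=value keys.
from urllib.parse import unquote_plus, urlsplit, urlunsplit

# RFC 2396 section 2.4.3, the "unwise" set quoted in the post above.
UNWISE = set('{}|\\^[]`')

def unwise_chars(url: str) -> set:
    """Return the unwise characters that appear literally in the URL."""
    return {c for c in url if c in UNWISE}

def server_filter_accepts(url: str) -> bool:
    """Model of the admin's rule: any literal unwise character means 403."""
    return not unwise_chars(url)

def encode_query_unwise(url: str) -> str:
    """Percent-encode only the unwise characters, and only in the query part,
    so the '&' and '=' delimiters keep their meaning and nothing else moves."""
    parts = urlsplit(url)
    query = "".join("%%%02X" % ord(c) if c in UNWISE else c for c in parts.query)
    return urlunsplit(parts._replace(query=query))

def parse_php_query(query: str) -> dict:
    """Simplified emulation of how PHP fills $_GET: a key written as name[sub]
    becomes a nested array (the "HTTP-GET array" of the thread). Decoding runs
    before the brackets are interpreted, so %5B/%5D and literal [] agree."""
    result = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        key, value = unquote_plus(key), unquote_plus(value)
        if key.endswith("]") and "[" in key:
            name, sub = key[:-1].split("[", 1)
            result.setdefault(name, {})[sub] = value
        else:
            result[key] = value
    return result

if __name__ == "__main__":
    # Constructed URL: host and script name are placeholders, not the real site.
    raw = "http://example.invalid/serendipity/index.php?serendipity[step]=2a"
    encoded = encode_query_unwise(raw)
    print(encoded, server_filter_accepts(raw), server_filter_accepts(encoded))
    print(parse_php_query(urlsplit(raw).query) == parse_php_query(urlsplit(encoded).query))
```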
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Okay, Jannis - if you like, go ahead and patch those entities. I don't mind - I'm just saying it's fixing things that ain't broken, and I for one better dedicate my time on things that are really broken or not existing. *gg*

I would like to have such a patch, but still that would leave dirtwaterfox with problems with other Web Apps :))

Best regards,
Garvin
dirtwaterfox
Regular
Posts: 16
Joined: Wed Apr 20, 2005 8:18 pm
Location: Ottawa

Re: Invalid Urls?

Post by dirtwaterfox »

Thanks for the comments, guys. When I checked the Forum, there didn't seem to be any postings about a problem similar to mine. I thought that there must be a balanced point-of-view.

I could choose another blog but, having done my research, I still think this is the best choice.

I could try to find and change the affected URLs, but since I have no experience with Serendipity, I have no idea what kind of winding, tortuous trail that could be.

So...unless escaping out the problem characters is basically going to be easy, I think I will just move the website to another server.

Mike
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Invalid Urls?

Post by garvinhicking »

Even though the escaping could be done in some time, the basic problem is just with your Server Admin. Restricting server access with those filters is a very paranoid standpoint, and you'll never really be happy with using ANY web application on this host. So I strongly recommend to either make your server admin remove the filter setting, or to move hosts. Trust me, you don't want to be hosted on that server. :-)

Anyways, I'm really sorry for your problem. That the developers of Serendipity made it like almost all other web applications with this encoding was not the proper way to go, and we should have investigated this more carefully. And we will try to look for ways of fixing this in the future.

Best regards,
Garvin