Invalid character -> Access denied


#1

I have been looking through my error logs and came across this error message:

After some investigation I found that simply adding “?% 00” (without the quotes and without the space) to any URL causes a 503 error:

The default error message suggests to “try again later”, but there is nothing temporary about this problem, it’s a permanent problem that requires the incoming link to be fixed. So somehow I feel the error message should be different and I have created my own 503 error message which now also includes the text “[…] or you sent a request that caused an error.”

One instance of this particular error, that I tracked down, was caused by a person, who linked to a page on my site where I allow people to set the background and foreground colors via a querystring argument in the link. And he accidentally gave “% 000fff” as argument instead of “% 23000fff” (without the quotes and without the space). Basically a simple user error, and I have mailed this information to him.

So yes it’s not like no mistakes are being made here, but I would not classify this as an “emergency” (like the error message says) and deny access to the page, rather I would much prefer if the “Invalid character” was simply filtered out and the page served using the filtered querystring.

Edit: I had to add a space after the % sign, because the forum mangles the codes otherwise.

7is7.com
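How the two color arguments from post #1 decode, and one way an application could validate that argument itself. This is an added example, not code from any post in this thread. The parameter name `bg`, the example.test URLs and the fallback color are assumptions, and the thread does not say which server component produces the 503.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Percent-escapes that decode to NUL, another C0 control byte, or DEL.
CONTROL_ESCAPE = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff])")
# The only shape accepted for a color argument: '#' plus six hex digits.
HEX_COLOR = re.compile(r"#[0-9A-Fa-f]{6}")


def control_escapes(url):
    """Return the escapes in the query string that decode to control bytes."""
    return CONTROL_ESCAPE.findall(urlsplit(url).query)


def raw_args(url):
    """Split the query into name -> raw value, leaving percent-escapes intact."""
    pairs = (p.partition("=") for p in urlsplit(url).query.split("&") if p)
    return {name: value for name, _, value in pairs}


def parse_color(raw_value, default="#ffffff"):
    """Decode one raw argument; anything that is not '#rrggbb' gets the default."""
    decoded = unquote_to_bytes(raw_value)
    try:
        text = decoded.decode("ascii")
    except UnicodeDecodeError:
        return default
    # Allow-list check: a NUL byte or any other stray byte fails the match,
    # so the value is never passed on to the page in partially cleaned form.
    return text if HEX_COLOR.fullmatch(text) else default


if __name__ == "__main__":
    # Constructed sample links: the mistyped one and the intended one.
    samples = [
        "http://example.test/page?bg=%000fff",    # decodes to NUL + "0fff"
        "http://example.test/page?bg=%23000fff",  # decodes to "#000fff"
    ]
    for url in samples:
        raw = raw_args(url)["bg"]
        print(url)
        print("  decoded bytes  :", unquote_to_bytes(raw))
        print("  control escapes:", control_escapes(url))
        print("  color used     :", parse_color(raw))
```

Running `control_escapes` over the request lines of an access log lists the incoming links that carry such escapes, which is the set of referrers that need to be corrected.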


#2

According to the Unicode charts, character #FFFD (the one you embedded above, which shows up in Firefox 3 as a box with “FFFD” in it) is a “replacement character used to replace an incoming character whose value is unknown or unrepresentable in Unicode.” I don’t know how somebody is expected to type such a character in a URL, but I don’t think it’s valid by the standards to include such a thing anyway.

– Dan


#3

It’s strange but the forum seems to have changed the way those codes are displayed after I posted. I have edited the original post and added a space after the % sign, so you should now see what I mean. You need to remove the space to get the correct effect. Try adding “?% 00” without the space and the quotes to your Dreamhost hosted domain and you will see the error message.

7is7.com