Tags: php, apache, http-status-code-403

403 Forbidden when URL contains GET with encoded question mark / UnsafeAllow3F / rawurlencode


Since yesterday, when our Apache updated itself overnight, we have been getting web responses saying 403 Forbidden. It looks like encoding a "?" is not allowed anymore. The crazy thing is that PHP does exactly that when using rawurlencode(). We use it on user input in form fields that are transferred in GET requests. Do we need to change it in all these places? Using Google we read about an option named "UnsafeAllow3F", but I'm not sure how to set this.

Has this problem occurred for others? What are you doing to fix it?

In this code example, whenever $test contains a "?", the user gets a 403 Forbidden.

<a href='test?a=<?=rawurlencode($test);?>'>test</a>

Solution

  • We managed to fix this by adding the flag UnsafeAllow3F in our rewrite rules:

    [PT]

    was changed to

    [PT,UnsafeAllow3F]

    And this fixed the issue. There is, however, a security vulnerability associated with this that I can't seem to find much information on, except for "The Apache Foundation recommends users upgrade to version 2.4.61."

    I tried a manual compile and install of 2.4.61 on Ubuntu this morning. It was a bit of a nightmare and I couldn't get it working with ColdFusion in the end, so I am left waiting to see if they'll bring this fix to the Ubuntu package build (currently 2.4.52).
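An added example of where the flag from the answer above goes in an Apache configuration (this is not configuration from the original post; the rule, the /test path and handler.php are assumptions). It shows the rule as it fails after the update beside the same rule with UnsafeAllow3F added, and keeps the flag on the single rule that has to pass an encoded "?" through rather than on every RewriteRule, so the check the newer Apache introduced still applies everywhere else:

```apache
# Added example, not from the original post. Paths and file names are assumed.

RewriteEngine On

# Before: with the updated Apache, a request such as
#   GET /test?a=foo%3Fbar
# that reaches this passthrough rule is answered with 403 Forbidden,
# because the rewritten request carries an encoded "?" (%3F), which is
# what PHP's rawurlencode() produces for user input containing "?".
RewriteRule ^test$ /handler.php [PT]

# After: the same rule with UnsafeAllow3F. Only this rule needs to let an
# encoded "?" through, so the flag is added here and nowhere else; the
# default rejection remains in force for every other RewriteRule.
RewriteRule ^test$ /handler.php [PT,UnsafeAllow3F]
```

After editing, run `apachectl configtest` (or `apache2ctl configtest` on Ubuntu) before reloading, since an unknown flag name on an Apache build older than the one that introduced UnsafeAllow3F is a syntax error that stops the server from starting. The flag turns off a check that Apache added for a reason, so treat it as a stopgap for the affected rules and plan the upgrade the answer mentions rather than leaving it in place indefinitely.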