In my Apache config I'd like to return 403 when a query string parameter contains a specific value. Everything works fine except when the client query string is encoded in hex. How do I get it to match without having to type out the literal hex string?

RewriteEngine On
RewriteCond %{QUERY_STRING} mykey=myval [NC]
RewriteRule .* - [F,L]

Then test it:

# Works fine, returns 403
curl -I 'http://localhost/?mykey=myval'

# Does not work, returns 200:
curl -I 'http://localhost/?mykey=myval'
curl -I 'http://localhost/?mykey=myval'

thx

CodePudding user response：

The QUERY_STRING server variable remains %-encoded (as it is in the request), unlike the URL-path matched by the RewriteRule pattern, which is %-decoded.

However, on Apache 2.4 you can use an Apache expression with the RewriteCond directive to URL decode the QUERY_STRING before making the comparison. For example:

RewriteCond expr "unescape(%{QUERY_STRING}) =~ /mykey=myval/"
RewriteRule ^ - [F]

This will now successfully match requests of the form ?mykey=myval, ?mykey=myval and ?mykey=myval.

You don't need the L flag when using F, since it is implied. The regex ^ is marginally more efficient than .* if you simply need to be successful for any URL-path (without actually matching anything).

Note that the regex mykey=myval matches that string anywhere in the query string, so it would successfully match anymykey=myval and mykey=myvalany, which may or may not be a problem. To remove that ambiguity and only match the "key=value" pair in the query string then you would need to use a regex like (?:^|&)mykey=myval(?:&|$) instead.