GET requests with empty variables causes 403 errors | WordPress.org

computerslayer1
(@computerslayer1)

11 years, 6 months ago

I noticed that if I used the search field without entering any keywords, I got a 403 error.

The search form resulted in a GET request, but with an empty query value. For example:

http://example.org/?s=
or
http://example.org/?s=test&page=

It appears that the generated htaccess rule is causing the issue:

RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]

Is this unintentional or by design?

http://wordpress.org/extend/plugins/better-wp-security/

Viewing 3 replies - 1 through 3 (of 3 total)

matiyin
(@matiyin)

11 years, 4 months ago

great find! I have the same issue, thanks for posting a solution!

I’m using a function to override empty searches with a ‘space’ to prevent routing to home, but indeed in webkit it results in an error because the string is empty

why not in firefox? no idea…

MickeyRoush
(@mickeyroush)

11 years, 4 months ago

You should really try to control that within the theme itself. For example, the word “search” could already be placed in the search box, so if a user just clicks the search button it will use the default word of “search”. You really don’t want spaces in a URL. That’s a good sign of a malicious attack.
matiyin
(@matiyin)

11 years, 4 months ago
indeed, I’ve added a jquery validation check and just return an alert to the user to insert something in the empty search box:
```
$('#searchsubmit').click(function(){
		var searchVal = $("#s").val();
		if(searchVal == '') {
		alert("Please enter a search term");
		return false; }
	});
```
Strangely enough Firefox doesn’t give a 403 like webkit does.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘GET requests with empty variables causes 403 errors’ is closed to new replies.

In: Plugins
3 replies
3 participants
Last reply from: matiyin
Last activity: 11 years, 4 months ago
Status: not resolved