Remove double URL encoding on URL

apache-2.4mod-aliasmod-rewriteurl

I have a third-party shopping cart set up on my server using PayPal for payments. When a user completes a transaction they are redirected to the URL https://example.com/?target=payment%255freturn&txn_id_name=txnId.... The correct URL should include target=payment_return or target=payment%5freturn. These URLs work correctly, presenting the customer with their invoice, but the URL that PayPal redirects to is URL encoded twice and so gives the customer a 404 error.

I cannot change the logic of the application to accept the twice-escaped URL so I have been trying to set up a redirect to correct it. I've tried numerous variants on the following, using mod_alias or mod_rewrite:

RedirectMatch permanent (?i)^/\?target=payment%255freturn(.*) /target=payment_return$1

RewriteRule ^/\?target=payment%255freturn(.*) /target=payment_return$1 [NE]

I've tried variations of %255f, %5f, and _, and I've tried with and without the NE flag.

How can I have the user successfully redirected to the correct URL?

Best Answer

You could try utilizing a scripting language to fix this. For example, you could do something like the following:

RewriteEngine on
RewriteCond %{REQUEST_URI} ^/\?target=payment%255freturn.*
RewriteRule (.*) unescaper.php?url=$1 [L]

Then in unescaper.php do something like:

<?php
$decoded_url = rawurldecode($_GET['url']);
header('Location: ' . $decoded_url);
exit;

Disclaimer: I didn't test this .htaccess or code, but it should get you very close. If rawurldecode isn't right for your case (but I think it is), check out urldecode.

Related Solutions

Why Use ‘www’ in a URL? – Understanding the Purpose

One of the reasons why you need www or some other subdomain has to do with a quirk of DNS and the CNAME record.

Suppose for the purposes of this example that you are running a big site and contract out hosting to a CDN (Content Distribution Network) such as Akamai. What you typically do is set up the DNS record for your site as a CNAME to some akamai.com address. This gives the CDN the opportunity to supply an IP address that is close to the browser (in geographic or network terms). If you used an A record on your site, then you would not be able to offer this flexibility.

The quirk of the DNS is that if you have a CNAME record for a host name, you cannot have any other records for that same host. However, your top level domain example.com usually must have an NS and SOA record. Therefore, you cannot also add a CNAME record for example.com.

The use of www.example.com gives you the opportunity to use a CNAME for www that points to your CDN, while leaving the required NS and SOA records on example.com. The example.com record will usually also have an A record to point to a host that will redirect to www.example.com using an HTTP redirect.

Apache URL Rewriting in Reverse Proxy – How to Configure

This is how I got it to work. As well as the changes as per my comment to my original question, I needed to exclude .js and .css from the rule that added a trailing slash.

<VirtualHost *:80>
    ServerAdmin admin@localhost
    ServerName mydomain.com
    ServerAlias www.mydomain.com

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteLog ${APACHE_LOG_DIR}/rewrite.log
    RewriteLogLevel 9

    Alias /images/ "/var/www/images/"

    RewriteEngine On

    # rewrite rule to prevent proxy exploit
    RewriteCond  %{REQUEST_URI}  !^$
    RewriteCond  %{REQUEST_URI}  !^/
    RewriteRule  .*              -    [R=400,L]

    # consolidate non-www requests onto the www subdomain
    RewriteCond  %{HTTP_HOST}    ^yourdomain\.com$
    RewriteRule  ^(.*)           http://www.yourdomain.com/$1  [R=301,L]

    # Add a trailing slash to the URL (ignoring images, CSS and JavaScript)
    RewriteCond  %{REQUEST_URI}  !^/(images)(.*)$
    RewriteCond  %{REQUEST_URI}  !^/(.*)(.js|.css)$
    RewriteCond  %{REQUEST_URI}  !(.*)/$
    RewriteRule  ^(.*)$          http://%{HTTP_HOST}$1/ [R=301,L]

    # proxy to the Jellyfish server (ignoring images)
    RewriteCond  %{REQUEST_URI}  !^/(images)(.*)$
    RewriteRule  ^(/.*)$         http://app-server:8181/jellyfish$1  [P]
    ProxyPassReverse  /          http://app-server:8181/jellyfish/

    # suppress mod_security rules that were giving false positives
    SecRuleRemoveById 981059 981060

    <Directory "/var/www/images">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
            Order allow,deny
            Allow from all
    </Directory>

</VirtualHost>

Best Answer

Related Solutions

Why Use ‘www’ in a URL? – Understanding the Purpose

Apache URL Rewriting in Reverse Proxy – How to Configure

Related Topic