I've just discovered a very strange Forbidden error my server is returning when I submit a form. If any of the fields contain "http://" , the server returns a 403 Forbidden error. I really can't understand this? Any help will be greatly appreciated!
Check your folder / file permissions.
The thing is there is no problem until any one of the form fields contains "http://". "htpt://" works fine as well. When would a file/folder permission be that might involve such a thing?
My .htaccess file contains the following:
ErrorDocument 404 /404.php
<Limit GET POST>
deny from all
allow from all
<Limit PUT DELETE>
deny from all
I had denied folder file listings, but I commented that out any I still got the same error.
Does the line "deny from all" in either of your limit directive mean anything to you? Frankly, you don't need either of the limit blocks.
For that matter, I'd uncomment the -Indexes line and delete the +FollowSymLinks (but only because that would be in the httpd.conf or apache.conf file).
The limit part is put in by my host I'm guessing, as it has always been there. I thought it probably didn't mean much so I just left it there. Have removed it now along with your other suggestions, but this still does not solve my problem.
I've done a couple of tests to try isolate the problem, and it definitely seems that the server is throwing this error if and only if any of the form fields contains the text "http://" . I've tried submitting the form to other pages and i get the same error. Also, this only happens when "http://" are the first characters of the form field.
What could possibly be causing this?
What do you mean by http:// form field?
Paste the HTML code of your form
Presumably, the "http://" in the "form field" is in the value for the action - and that should not cause a problem (with the GET block removed).
Sorry, I wasn't very clear. The "http://" was the value of a form field, ie. if a user typed "http://www.mysite.com" in a text box and submitted the form. I found another similar error with another phrase so I took it up with my host, and apparently it's due to a mod_security rule for added site security to prevent sql injection attacks. I've had that lifted now though so it has solved the problem.
Thanks for all the help though, greatly appreciated!
Oh, okay, ben, but I've been faced with that same situation and, knowing that a value is a URL, I never add/allow the protocol to be passed as it's illegal in a URI (http://www.ietf.org/rfc/rfc2396.txt - Uniform Resource Identifiers Generic Syntax). IMHO, strip the protocol (http(s):// or mailto://) before sending your form off to be processed.
This topic is now closed. New replies are no longer allowed.