I am trying to do this:
http://somehost.net/edit.php?url=http://www.youtube.com/watch?v=EgHY53dOZ-U
Forbidden
You don't have permission to access edit.php on this server.
Is there a way to fix this through javascript(jquery), cause I am passing argument through ajax call.
I have tried it this way but without success:
$('#videofrm').load('edit.php?url='+encodeURI($(this).siblings('a').attr('href'))
You should fix the chmoding issues on the server.
Edit
What your edit.php doing ? If it redirecting to somewhere else ? then echo the result url before redirecting.
You can follow Tomalak Geret'kal if you want/can rewrite the .htaccess. otherwise you need to pass the url without the http:// part and prepend an http:// on edit.php
If you don't have permission to access edit.php, then it doesn't matter how many different ways you try to request it: you don't have permission.
Fix the permissions on the server, likely using chmod if the server is on Linux.
Update
You have a server configuration issue. I can only replicate the problem when passing the string :// inside the querystring.
Try writing AllowEncodedSlashes On in your httpd config, as per this question/answer.
You will then need to make sure you encode your URI properly:
http://somehost.net/edit.php?url=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv=EgHY53dOZ-U
(it looks like your encodeURI call should take care of that part)
AllowEncodedSlashes allows slashes to be present in the query string as long as they're encoded which, for some reason, is not the case by default. The docs say that failure produces a 404, not a 403, but I still think that this is the cause.
If you are not able to manipulate configuration options for your webserver, workarounds include:
Choosing a stand-in term for http:// like http!!! that you will programmatically revert in the PHP script;
If you always use http:// (as opposed to, say, ftp:// or some local path), just leave it off the query string entirely and prepend it to the input in your PHP script (preferred workaround).
Hope that helps.
Related
While I'm sure the title could be improved for clarity, my meaning is thus:
When fetching a URL for a file download at http://example.com/dir1/dir2/file.zip, the response code is 200, yet attempting to access http://example.com/dir1, or http://example.com/dir1/dir2, elicits a 404 response code.
Why is this?
URLs don't necessarily correspond to actual directories on the server. Ultimately the path component of a URL is just a name; the server can translate that name to whatever it wants on the back end.
In this case it seems likely that /dir1/dir2/ is a directory on the server, but even so that doesn't mean anything. The server knows about a resource named /dir1/dir2/file.zip, but doesn't know anything about a resource named /dir1.
I may be barking up completely the wrong tree here but what I would like to do is protect my .js pages by having them return a 403 Forbidden http error status page if someone tries to access them directly via http. I use them to support my index.html page but would like for them to remain hidden.
The helpdesk guys at my ISP basically say they don't know if it's possible but it may be something you could do with a web.config file (which is not something I have used before).
Any help at all would be gratefully received - I am a bit out of my comfort zone with this one
I would like to […] protect my .js pages by having them return a 403 Forbidden http error status page if someone tries to access them directly via http.
Please note that if you include some resource, for example a script via the <script>-tag in HTML or an image via the <img>-tag, the browser does nothing else than simply run another HTTP request to get that resource. The whole communication already happens over HTTP.
While a browser may include additional details in its HTTP request when requesting additional resources, like the Referer-header, it definitely is not required to do so. So if you look out for the Referer-header, be advised that you may lock out other valid clients which do not send the Referer-header in their requests.
Also note that this will not give you any protection whatsoever. One can simply construct HTTP headers when requesting things, so “faking” requests your server would allow (because it thinks they are correct) is not a problem at all. And even without that; every resource you tell the client to use to make your website work will be downloaded by the client. And after that, the client can do whatever he wants with it. It can cache them on the hard disk, or allow the user to quickly look at it without having to run another request.
So if you want to do this for protecting your code, then just forget about it, and make it easier for everyone by just not adding a non-optimal protection. Code you put on the web can be made difficult to read, but if you want the user to see the end result, then you also give out your code in the same step.
In php you can do this with:
header("HTTP/1.0 403 Forbidden");
I have the need to redirect back to the current page minus any query arguments.
I just found Request.Url.AbsolutePath, which looks like it provides just the ticket to pass to Response.Redirect().
It seems to work on my dev machine okay. Does anyone know of any potential problems redirecting to the value of this property? It's hard to confirm it's "safe" in all cases.
It could be a problem if you "re-written" the URL internally. For example, the user request "/team.aspx" but internally you transfer execution or rewrite the url as "/page.aspx?id=137".
Personally, I prefer to use the Request.RawUrl (which is always local) and you can strip the query-string.
Getting rid of the host part of a request is not an issue because HTTP Redirect can be path on Absolute Paths ("/foo/bar") and the browser will preserve the protocol, port and hostname.
I would use Request.Url.OriginalString.
Absolute path gets rid of the host part of the URL.
Take a look at this: http://wdevs.blogspot.com/2009/03/url-properties-of-request-to-aspnet.html
I'm doing some requests to an API via WordPress, and the API uses SSL connections if they're turned on in the API settings. I'd like to determine whether SSL is turned on or off without having to ask the user if SSL is turned on on their account, and the API does a good job at redirecting, meaning
If I access http://api/endpoint and SSL is turned on, I'm redirected to https://api/endpoint
If I access https://api/endpoint and SSL is turned off, I'm redirected to http://api/endpoint
Now what I'd like to do is see whether a redirect happened or not and record that to my options so that the other requests are fired to the correct URL without any redirections.
So my question is: is there a way to determine the final destination after firing a WP_Http->request() when the request is being redirected?
I can't see any info about that in the response arrays, I only get to see the final response but I have no idea what URL that came from. What I can do is set the redirection parameter to 0 and catch the max redirects allowed error, but that's not bullet-proof, since I still don't know whether the redirect happened from http to https or simply another page under http.
I hope this all makes sense, let me know if you have any ideas.
Thanks!
~ K
check $response['headers'] - they may contain 'location' key.
It all depends on the HTTP library you are using.
See class-http.php(wp 3.0.1) file:
line 1393, http_api_curl action - curl handle available directly to catch anything.
fopen:
check lines 887-888, and $http_response_header variable.
also, try to override processHeaders function as it has an access to raw http headers.
The WP_Http class processes the headers and removes all but the last one. So you could do what jetdog described above. Check the original URL and compare it to the returned $response['headers']['location']. If it is different, than you know it redirected.
I found and tried Jeff's rules found here but I can't get it to work exactly right:
What I need is to have http://a.b.com go to https://a.b.com (where a is not www, but that distinction shouldn't really affect the rule, should it? www is just another subdomain, right?)
Where Jeff has (.*)billing/(.*), I replaced with (.*), but that's not working.
The results of my attempts produce "redirect loop" errors.
This rewriting stuff is new to me.
Appreciate all your help.
Rather than using redirections, you should make sure your application (that sends to http://a.b.com/ sends to https://a.b.com/ directly), otherwise, the same request will go over plain HTTP before being redirected to HTTPS, which defeats the point.
(This this other question for more details.)
Well not exactly the answer you are asking for, but if you by any chance are using this on an ASP.net page, you can open your Global.ASPX file and inside the "Application_BeginRequest" page you can put:
Dim url As New System.UriBuilder(Context.Request.Url)
'Do our redirect if we need
If Context.Request.IsSecureConnection = False Then
url.Scheme = "https"
url.Port = -1
System.Web.HttpContext.Current.Response.Redirect(url.Uri.ToString())
End If