+2 votes
354 views
in Q2A Core by
When a logged-out user searches, gets search results, and tries to log in or register from the search results page, they get a 403 error.

For example, a user visits https://example.com, a Q2A site, then searches for the term "equations".

The user then tries to log in from that results page and will be redirected to https://example.com/login?to=search%3Fq%3Dequations, which gives a 403 error.

Is this a bug or are there some permissions I should enable?

Thanks.
Q2A version: 1.8.8
by
Still getting the 403 error even with the fix. Currently affects me when trying to log in while visiting the most viewed, voted, answered, etc. questions page filters. Also when viewing the no selected answer and no upvoted answer filters. Not just with search results.
by
My server uses PHP 8.4, but I could downgrade it to 8.2 and get the same error. Maybe this is a script-wide issue?
by
Do you replace it with this in .htaccess:

    RewriteRule ^.*$ index.php?qa-rewrite=$0&%{QUERY_STRING} [BCTLS,L,UnsafeAllow3F]

4 Answers

+1 vote
by
Same with me!
+1 vote
by
Yes, it's an error. It would be nice if someone could fix this issue.
+1 vote
by
edited by

We fixed this problem somehow, but I don't know whether this is safe or not. It is working, though.

Reference: https://github.com/friendica/friendica/issues/14303

In the Q2A .htaccess file, change this line:

FROM:

    RewriteRule ^.*$ index.php?qa-rewrite=$0&%{QUERY_STRING} [BCTLS,L]

TO:

    RewriteRule ^.*$ index.php?qa-rewrite=$0&%{QUERY_STRING} [BCTLS,L,PT,UnsafeAllow3F]

OR:

    RewriteRule ^.*$ index.php?qa-rewrite=$0&%{QUERY_STRING} [BCTLS,L,UnsafeAllow3F]

Please tell me whether this is safe or not, if anyone knows.

ago by
There is clearly a security problem, but the documentation is very poor.
An Apache update to 2.4.60+ is strongly recommended.

https://stackoverflow.com/questions/78729429/403-forbidden-when-url-contains-get-with-encoded-question-mark-unsafeallow3f
ago by
The issue here is not question marks in URLs as such. It is URL-encoded question marks in URLs that are used for serving static files.

Bad version:

    example.com/images?route=/cats/long-hair%3fsize=large
    example.com/login?returnto=/cats/long-hair%3fsize=large

Good versions:

    example.com/images/cats/long-hair?size=large
    example.com/login?returnto=/cats/long-hair&returntoparams=size%3dlarge
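
The split form from the "Good versions" in the comment above, as an added example that is not part of the thread or of Q2A's code: it builds the login link with the return path and its query string in separate parameters, so no `%3F` appears in the link, and rebuilds the target after login with a same-site check. The parameter names come from that comment; the function names and the sample target are constructed for illustration.

```javascript
// Added example (not Q2A code). returnto / returntoparams follow the
// commenter's "good version"; the URL in the question uses a single `to`.
const ENCODED_QMARK = /%3f/i; // what the thread ties to the 403

// Form from the question: the whole target, "?" included, in one parameter.
function legacyLoginUrl(target) {
  return 'login?to=' + encodeURIComponent(target);
}

// Split form: path and query string travel in separate parameters.
function buildLoginUrl(target) {
  const cut = target.indexOf('?');
  const path = cut === -1 ? target : target.slice(0, cut);
  const params = new URLSearchParams({ returnto: path });
  if (cut !== -1) {
    // Re-serialise so a literal "?" inside a value becomes %3F here and
    // %253F after the outer encoding, never a bare %3F in the login URL.
    const query = new URLSearchParams(target.slice(cut + 1)).toString();
    if (query) params.set('returntoparams', query);
  }
  return 'login?' + params.toString();
}

// A return target must stay on this site: no scheme, no "//host", no "\".
function isLocalPath(path) {
  return !/^[a-z][a-z0-9+.-]*:|^\/\/|\\/i.test(path);
}

// Server side: rebuild the target after login, or null if it is not local.
function resolveReturnTarget(loginUrl) {
  const params = new URLSearchParams(loginUrl.slice(loginUrl.indexOf('?') + 1));
  const path = params.get('returnto') || '';
  if (!isLocalPath(path)) return null;
  const query = params.get('returntoparams');
  return query ? path + '?' + query : path;
}

// Constructed sample: the search page from the question.
const target = 'search?q=equations';
console.log(legacyLoginUrl(target), ENCODED_QMARK.test(legacyLoginUrl(target)));
console.log(buildLoginUrl(target), ENCODED_QMARK.test(buildLoginUrl(target)));
console.log(resolveReturnTarget(buildLoginUrl(target)));
```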
0 votes
ago by

This is a security problem, and very few hosters will soften the configuration to such an extent that it continues to work. The “UnsafeAllow3F” flag was introduced for this purpose until all the code has been adapted.

As far as I know, the problem only occurs with the URL structure "/123/why-do-birds-sing (requires htaccess file)".
It works for me with all other settings.

...