URLs with space characters return 403 (Forbidden) error

As of version 2.4.56 of the Apache web server, an important security fix was implemented for the vulnerability "Apache HTTP Server: HTTP request splitting with mod_rewrite and mod_proxy" (CVE-2023-25690). With this fix, all rewrite requests via .htaccess files that contain spaces or control characters in backreferences will result in 403 error messages, as these characters will not be escaped correctly before being transformed/rewritten.

If you use the Live HTTP logs section of the hosting Control Panel to investigate the problem, you will find the full error:

AH10411: Rewritten query string contains control characters or spaces

The change causing error AH10411 is considered code-breaking for some software applications like OpenCart and Drupal (see below) when there are space characters in Search Engine Friendly (SEF) URLs, images, or other elements. By default, these applications display informational messages in their SEF URL settings or online documentation stating that spaces should be avoided and dashes should be used instead; however, that is not always possible.

How to fix Apache error AH10411?

To resolve problems with applications or custom scripts related to this change, you have two options:

  1. Remove all space characters from your SEF URLs, page slugs, and file names that are rewritten via an .htaccess file.
  2. Add the BCTLS or B flags to your rewrite rules that rely on backreferences and may contain space characters.

The second solution is usually preferred as it doesn't require you to modify all elements within your website, and restores the old rewrite behavior. To fix the "Rewritten query string contains control characters or spaces" error with the second solution, modify the rewrite rules with backreferences in your .htaccess file following this example. Change:

RewriteRule ^(.*)$ index.php?p=$1

to:

RewriteRule ^(.*)$ index.php?p=$1 [BCTLS]
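
To locate the rules that still need the flag, the following Python sketch lists every RewriteRule whose substitution contains a backreference but carries no B or BCTLS flag. It is an added example, not part of the original article or of Apache; the function names and the sample .htaccess content are constructed, and rules with quoted arguments containing spaces are assumed absent.

```python
import re

# RewriteRule <pattern> <substitution> [flags]; quoted arguments containing
# spaces are not handled (assumption made for this example).
RULE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$', re.I)
# $1..$9 (RewriteRule groups) or %1..%9 (RewriteCond groups), not backslash-escaped
BACKREF = re.compile(r'(?<!\\)[$%]\d')

def has_escape_flag(flags):
    """True if the comma-separated flag list contains B, B=<chars> or BCTLS."""
    for flag in flags.split(','):
        name = flag.strip().upper()
        if name == 'B' or name.startswith('B=') or name == 'BCTLS':
            return True
    return False

def rules_missing_escape(htaccess_text):
    """Return (line_number, directive) for each rule that has a backreference
    in its substitution and neither a B nor a BCTLS flag."""
    hits = []
    for number, line in enumerate(htaccess_text.splitlines(), start=1):
        match = RULE.match(line)
        if not match:
            continue  # comments, blank lines and other directives
        _pattern, substitution, flags = match.groups()
        if BACKREF.search(substitution) and not has_escape_flag(flags or ''):
            hits.append((number, line.strip()))
    return hits

# Constructed sample .htaccess using the rule shapes shown on this page.
SAMPLE = """\
RewriteEngine On
# RewriteRule ^(.*)$ old.php?p=$1
RewriteRule ^(.*)$ index.php?p=$1
RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA]
RewriteRule ^(.*)$ index.php?q=$1 [BCTLS,L,QSA]
RewriteRule ^about$ about.php [L]
"""

if __name__ == '__main__':
    for number, rule in rules_missing_escape(SAMPLE):
        print(f"line {number}: {rule}")
```

Each reported line is a candidate for the BCTLS change shown above; rules without backreferences and commented-out rules are skipped.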

OpenCart

In OpenCart, SEF URLs are generated with dashes instead of spaces by default. If some URLs or other elements of your website that contain space characters in their name return 403 errors while SEO URLs are enabled for OpenCart, the problem is most likely caused by the change implemented by the Apache web server team. To restore the old rewrite behavior for OpenCart search-engine-optimized links, you will need to change the following line in your .htaccess file from:

RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA]

to:

RewriteRule ^([^?]*) index.php?_route_=$1 [BCTLS,L,QSA]

You should repeat the same process (adding the BCTLS flag) for all rewrite rules with backreferences.

Drupal

Older versions of Drupal may return 403 errors due to space characters in the URL when Clean URLs are enabled. If this happens, you will need to change the following line in your Drupal .htaccess file from:

RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

to:

RewriteRule ^(.*)$ index.php?q=$1 [BCTLS,L,QSA]

This should allow your Drupal application to use pages, images, and other elements that contain space characters again, as was the case before the changes implemented in version 2.4.56 of the Apache web server. We would also recommend that you update to a newer version of Drupal where the Clean URLs are handled correctly and space characters are not supported.