When going to http://foo.com/bar.php?url=http://foobar.com/ I get a 403 Forbidden error.
The same happens if I encode the URL: http://foo.com/bar.php?url=http%3A%2F%2Ffoobar.com%2F
But if I encode it twice, it will work: http://foo.com/bar.php?url=http%253A%252F%252Ffoobar.com%252F
I know I can do this, but it's really annoying.
I have tried to add the following line to .htaccess: SecFilterEngine Off
It doesn't matter if bar.php exists or is empty, it will still display 403 Forbidden.
But, I then get the error: Invalid command 'SecFilterEngine', perhaps misspelled or defined by a module not included in the server configuration
If you get the error: "Invalid command 'SecFilterEngine', perhaps misspelled or defined by a module not included"
It is because you have not included the "LoadModule security_module modules/mod_security.so" line in the httpd.conf.
Another possible reason is that you are using mod_security2, where SecFilterEngine is obsolete, and you should migrate it to SecRuleEngine as explained in the migration document.
http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
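The two cases from the answer above, written out as server configuration. This is an added example, not part of the original answer: the module paths for ModSecurity 2.x depend on the installation, the rule id 999999 is a placeholder, and the LocationMatch exception for /bar.php is an assumption about how the block would be scoped.

```apache
# Server configuration (httpd.conf or a vhost file).

# --- ModSecurity 1.x ---------------------------------------------------
# SecFilterEngine only exists once this module is loaded. Without it
# Apache reports: Invalid command 'SecFilterEngine'.
#LoadModule security_module modules/mod_security.so
#<IfModule mod_security.c>
#    SecFilterEngine Off
#</IfModule>

# --- ModSecurity 2.x ---------------------------------------------------
# Different module name, and SecRuleEngine replaces SecFilterEngine.
# ModSecurity 2.x also needs mod_unique_id.
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
    # Keep inspection enabled for the site as a whole.
    SecRuleEngine On

    # Exception limited to the script from the question.
    <LocationMatch "^/bar\.php$">
        # Weak setting: disables every rule for this path.
        #SecRuleEngine Off

        # Narrower setting: drop only the rule that produced the 403.
        # 999999 is a placeholder. Use the id shown in the ModSecurity
        # log entry for the blocked request.
        SecRuleRemoveById 999999
    </LocationMatch>
</IfModule>
```

Removing a single rule for a single path keeps the rest of the rule set active for bar.php, which still receives a caller-supplied URL in its query string.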
Here is a solution in PHP.
You can keep it encoded twice and decode it twice.
<?php
echo rawurldecode(rawurldecode("http://foo.com/bar.php?url=http%253A%252F%252Ffoobar.com%252F"));