We want to block a URL that contains /%2F, like: http://www.example.com/%2Fblockme
However, when we add /%2F to the BadURLChars ACO parameter list, nothing happens. We have the parameter configured as follows:
Also, if we add %2F to the BadURLChars list (without the slash), the agent function breaks and we get an HTTP 500 error from the agent.
As this is not blocked, the browser gets an HTTP 404 error, which we do not want to show for security reasons.
The reason you are getting the HTTP 404 error is that Apache itself is breaking the URL.
To stop Apache from breaking the URL, you need to set the Apache directive AllowEncodedSlashes to On:
Description: Determines whether encoded path separators in URLs are allowed to be passed through
Context: server config, virtual host
Compatibility: Available in Apache httpd 2.0.46 and later. NoDecode option available in 2.2.18 and later.
The AllowEncodedSlashes directive allows URLs which contain encoded path separators (%2F for / and additionally %5C for \ on accordant systems) to be used in the path info.
With the default value, Off, such URLs are refused with a 404 (Not found) error.
With the value On, such URLs are accepted, and encoded slashes are decoded like all other encoded characters.
With the value NoDecode, such URLs are accepted, but encoded slashes are not decoded but left in their encoded state.
Turning AllowEncodedSlashes On is mostly useful when used in conjunction with PATH_INFO.
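To make the three settings concrete, here is an added model (not code from the original post, from Apache, or from the SiteMinder agent) of what Apache does with the example path under Off, On and NoDecode, exactly as the quoted documentation describes; it assumes simplified single-byte %XX decoding and models only Apache's step, not what the agent compares BadURLChars against.

```python
# Added example: a model of Apache's AllowEncodedSlashes values, as described
# in the directive documentation quoted above. Not Apache's own code.
import re

_ENCODED_SEPARATORS = {"2f", "5c"}  # %2F is '/', %5C is '\' on accordant systems
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def _decode(raw_path: str, keep_separators: bool) -> str:
    # Simplified single-byte %XX decoding (assumption: multibyte UTF-8
    # sequences are not reassembled, which is enough for the ASCII paths here).
    def repl(m):
        hexval = m.group(1).lower()
        if keep_separators and hexval in _ENCODED_SEPARATORS:
            return m.group(0)  # NoDecode: leave %2F / %5C in their encoded state
        return chr(int(hexval, 16))
    return _PCT.sub(repl, raw_path)


def apache_path(raw_path: str, allow_encoded_slashes: str = "Off"):
    """Return (status, path) for a request path under the given setting.

    Off      -> (404, None) when an encoded separator is present (the default)
    On       -> (200, path) with encoded separators decoded like any other %XX
    NoDecode -> (200, path) with everything decoded except %2F / %5C
    """
    mode = allow_encoded_slashes.lower()
    has_encoded_sep = any(m.group(1).lower() in _ENCODED_SEPARATORS
                          for m in _PCT.finditer(raw_path))
    if mode == "off":
        if has_encoded_sep:
            return 404, None  # refused by Apache before any module or agent runs
        return 200, _decode(raw_path, keep_separators=False)
    if mode == "on":
        return 200, _decode(raw_path, keep_separators=False)
    if mode == "nodecode":
        return 200, _decode(raw_path, keep_separators=True)
    raise ValueError(f"unknown AllowEncodedSlashes value: {allow_encoded_slashes}")


if __name__ == "__main__":
    # Constructed sample path from the question above.
    for mode in ("Off", "On", "NoDecode"):
        print(mode, apache_path("/%2Fblockme", mode))
```

Running it shows that under Off the request never reaches anything behind Apache, while On hands on //blockme and NoDecode hands on /%2Fblockme unchanged.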