Just got this when I tried to add a specific permission for ffxbld in Balrog prod:

The requested URL /users/ffxbld/permissions//releases/:name/builds/:platform/:locale was not found on this server.

I'm suspecting something is broken in the routing.
I was able to reproduce this locally and discovered this:

[Wed Jan 08 15:45:08.086283 2014] [core:info] [pid 4121] [client 127.0.0.1:43758] AH00026: found %2f (encoded '/') in URI (decoded='/users/stage/permissions//releases/:name/builds/:platform/:locale'), returning 404, referer: http://localhost/user_permissions.html?username=stage

After some googling, I found that setting AllowEncodedSlashes to On or NoDecode fixes the issue.
And from the Apache docs: "If encoded slashes are needed in path info, use of NoDecode is strongly recommended as a security measure. Allowing slashes to be decoded could potentially allow unsafe paths." - so we should be using NoDecode. IT, can we get "AllowEncodedSlashes NoDecode" set for all of the aus4 admin apps (dev, stage, prod)?
Whoops, this probably shouldn't be assigned to me anymore...
Any idea when someone can get to this?
Unfortunately we can't use NoDecode because it only ships in 2.2.18 or newer and RHEL 6 httpd is 2.2.15 with backported security patches

http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes

Should I set it with just "AllowEncodedSlashes On"?
(In reply to Brandon Burton [:solarce] from comment #5)
> Unfortunately we can't use NoDecode because it only ships in 2.2.18 or
> newer and RHEL 6 httpd is 2.2.15 with backported security patches
>
> http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes
>
> Should I set it with just "AllowEncodedSlashes On"?

That sounds fine to me.
Shipped to dev, stage, and prod via Puppet
Verified - thanks!
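
Added example, not part of the original bug comments and not Balrog or httpd code: a simplified Python model of the three AllowEncodedSlashes settings discussed above, applied to the permission path from this bug. The percent-encoded request path is constructed, and the model covers only %2F handling (the function names are hypothetical).

```python
import re
from urllib.parse import unquote

# Constructed request path: the permission from this bug as a client would
# percent-encode it before placing it in the URL.
RAW = "/users/ffxbld/permissions/%2Freleases%2F:name%2Fbuilds%2F:platform%2F:locale"

_ENC_SLASH = re.compile(r"(%2f)", re.IGNORECASE)


def httpd_path(raw_path, mode):
    """Simplified model of AllowEncodedSlashes; returns (status, decoded path)."""
    if mode == "Off":
        # Any encoded slash is refused outright (the AH00026 log line above).
        if _ENC_SLASH.search(raw_path):
            return 404, None
        return 200, unquote(raw_path)
    if mode == "On":
        # Everything is decoded, so %2F becomes a real path separator.
        return 200, unquote(raw_path)
    if mode == "NoDecode":
        # Other escapes are decoded; %2F stays encoded inside its segment.
        pieces = _ENC_SLASH.split(raw_path)
        return 200, "".join(
            p if _ENC_SLASH.fullmatch(p) else unquote(p) for p in pieces
        )
    raise ValueError("unknown mode: " + mode)


def segments(path):
    """Non-empty path segments, as a router splitting on '/' would see them."""
    return [s for s in path.split("/") if s]


if __name__ == "__main__":
    for mode in ("Off", "On", "NoDecode"):
        status, path = httpd_path(RAW, mode)
        count = len(segments(path)) if path else 0
        print(f"{mode:9} status={status} segments={count} path={path}")
```

With On, the application receives eight segments and can no longer tell which slashes belonged to the permission value; with NoDecode the permission stays in one segment that the application decodes itself.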