Character encoding and query string validation

When dynamic URL is enabled, Reverse Proxy maps the dynamic data in the query strings of requests to objects requiring protection (access control). If Reverse Proxy receives dynamic data (in a POST body or query string) using characters that are neither UTF-8 nor from the character set in which Reverse Proxy runs, Reverse Proxy rejects the request and returns an error.

To securely map query strings to objects, the strings need to use the same character set known to Reverse Proxy and the back-end application server. Otherwise, dynamic URL access control could be circumvented by a request that uses a character accepted by the back-end application, but not accepted by Reverse Proxy.

The dynamic URL feature is affected by the value of the decode-query stanza entry in the [server] stanza of the Reverse Proxy configuration file. If Reverse Proxy is configured to not validate query strings in requests (decode-query=no), then dynamic URL mapping for authorization checking, if enabled, must be disabled. Reverse Proxy will not start if this condition is not met.

If Reverse Proxy (with dynamic URL enabled and decode-query=yes) is running in a non-UTF-8 environment, and request POST bodies (or query strings) contain UTF-8 characters, you can use the utf8-form-support-enabled stanza entry in the [server] stanza of the Reverse Proxy configuration file to allow Reverse Proxy to decode the UTF-8 coding in these requests.