weird error 400 bad request with not-so-long parameter

Question

I have a problem where a not so long url parameter causes a

Bad Request - Invalid URL. HTTP Error 400. The request URL is invalid.

Here is a sample that throws the error (param2 is 415 bytes long):

https://www.example.com/folder/sub/myword&param2=fsadifsdifhsidufhsdiufhieruwhfierfhiurefhierfheriofheriufheriufheriufheriufrehiufherfierhffsaidfsdiufhsdiufshduifsduifsdhfuidssafsdfdsfdsfsdfdsfdsfadsfdsfdsasfsdufsduyfgdsuyfgduysfgdysufgudsfdsufdsfsdfasdfsdiofjdosifjodsifjoisdfjsdoifjdosifjosdifjsdoifjdsoifjodsifjodsifjsdfdsufidshufhiuhiuerfhreuifhreuifhreuifhreuifhreiufhreiufhreifurehfuireihfurefhreifhureifhreuifhreiufhreiufhureifhruiefreuifheruifwheiurfhruie

but if I explicitly set index.php?word=myword&param2=blabla... in the path, this works perfectly well:

https://www.example.com/folder/sub/index.php?word&param2=fsadifsdifhsidufhsdiufhieruwhfierfhiurefhierfheriofheriufheriufheriufheriufrehiufherfierhffsaidfsdiufhsdiufshduifsduifsdhfuidssafsdfdsfdsfsdfdsfdsfadsfdsfdsasfsdufsduyfgdsuyfgduysfgdysufgudsfdsufdsfsdfasdfsdiofjdosifjodsifjoisdfjsdoifjdosifjosdifjsdoifjdsoifjodsifjodsifjsdfdsufidshufhiuhiuerfhreuifhreuifhreuifhreuifhreiufhreiufhreifurehfuireihfurefhreifhureifhreuifhreiufhreiufhureifhruiefreuifheruifwheiurfhruie

here is the web.config that redirects:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Friendly">
                    <match url="^(.+)$" ignoreCase="true" />
                    <conditions>
                        <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
                    </conditions>
                    <action type="Rewrite" url="index.php?word={R:1}" appendQueryString="true" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

now, if param2 is shorter, up to 246 bytes, or total 252 bytes (with the first parameter's length), there is no problem at all, which seems weird. Screenshot:

Things i've checked and didn't help:

• Maximum URL length and Maximum query string are both set to 32768 bytes (32KB) in IIS Request Filtering
• I do var_dump($_GET); in index.php and i still get the bad request error
• I enabled Failed Request Tracing and I get nothing in the logs
• I tried both true and false for appendQueryString

I'm not sure what else to do. Web server is IIS 8.5 and PHP is 7.4. Any help or ideas? Thank you in advance.

Answer 1

The problem could also be that HTTP.sys is not even letting the request through, you can change that setting in the registry, after restarting, try again.

Registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters]
"UrlSegmentMaxLength"=dword:00000400

This will effectively set the segment length to 1024.