Our Web servers now ignore consecutive slashes in URLs

Today our servers began using an updated version of the Apache web server software that, among other security fixes, adds a new security feature: it collapses consecutive slashes in the URLs it receives and treats them as a single slash.

For example, this URL (note the two slashes between “admin” and “options”):

 https://www.example.com/wp-admin//options-permalink.php

… would now be treated exactly as if the web server had been sent:

 https://www.example.com/wp-admin/options-permalink.php

This feature ensures that “hackers” cannot add extra slashes to bypass rules intended to restrict access to certain URLs. (The example above is a real security problem in WordPress from 2009 — it allowed hackers to access the permalink screen because the access restrictions were only applied to the exact pattern “/wp-admin/options-permalink.php”, and not to variations like “/wp-admin//options-permalink.php”.)
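The rule mismatch described above, shown as an added Python example (not part of the original post, and not Apache or WordPress code): an exact-match access rule beside one that collapses consecutive slashes first, plus a helper that picks out the requests only the second rule catches. The `RESTRICTED` set, the function names and the sample URLs are assumptions constructed for this illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical rule set for this example: paths that require an administrator.
RESTRICTED = {"/wp-admin/options-permalink.php"}

def collapse_slashes(path):
    """Collapse every run of '/' in a URL path into a single '/'."""
    return re.sub(r"/{2,}", "/", path)

def is_restricted_exact(url):
    """Weak check: compares the path exactly as the client sent it."""
    return urlsplit(url).path in RESTRICTED

def is_restricted_normalized(url):
    """Corrected check: collapses consecutive slashes before comparing.
    Only the path is normalized; the query string is left untouched."""
    return collapse_slashes(urlsplit(url).path) in RESTRICTED

def find_slash_variants(urls):
    """Return URLs that match a restricted path only after collapsing,
    i.e. requests an exact-match rule would have let through."""
    return [u for u in urls
            if is_restricted_normalized(u) and not is_restricted_exact(u)]

# Constructed sample requests (not taken from real logs).
SAMPLE_URLS = [
    "https://www.example.com/wp-admin/options-permalink.php",
    "https://www.example.com/wp-admin//options-permalink.php",
    "https://www.example.com//wp-admin///options-permalink.php?x=a//b",
    "https://www.example.com/index.php?next=//wp-admin/options-permalink.php",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(is_restricted_exact(u), is_restricted_normalized(u), u)
```

Running `find_slash_variants` over your own request URLs is a quick way to see whether any access rule in your scripts was depending on the exact spelling of a path.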

This change should not cause any problems, and our customers should not notice any change.

However, in the unlikely event that you have intentionally written script code that behaves differently when it sees two consecutive slashes in a URL instead of one slash, you will need to change your code so that it no longer relies on that behavior. (Two consecutive slashes in the path of a URI are not valid anyway, and other web servers will remove them by default, so code that depends on them would be unreliable to start with.)

As always, don’t hesitate to contact us if you have any questions or difficulties.