403 Forbidden on PHP page called with url encoded in a $_GET parameter

Question

Given hello.php:

<?php echo "Hello"; ?>

rendering the page works fine and returns Hello, however

http://myserver.com/hello.php?test=http%3a//whatever.com

returns a 403 Forbidden. But oddly enough, making the first letter of http uppercase works fine:

http://myserver.com/hello.php?test=Http%3a//whatever.com

FYI, percent encoding the slashes also 403s:

http://myserver.com/hello.php?test=http%3a%2f%2fwhatever.com

I'm beginning to suspect this may be an issue with Passenger (which I use to serve RoR)

Answer 1

Perhaps your htaccess is picking up on something in that URL and sending forbidden headers. Do you have a .htaccess file?

Answer 2

It is mod_security's 10_asl_rules.conf causing this error.

Answer 3

have you tried encoding the URL in base64?