UPDATE:
I tested in a subdomain – no .htaccess and PHP.
I created a index.html and tried accessing /?p=http:/ and /?p=http://.
I got this error for /?p=http://
Forbidden
You don't have permission to access / on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache Server at test.example.com Port 80
This rules out any PHP or mod_rewrite problem. What is wrong with Apache?
Case 1 (does not work):
mysite.com?p=http://
Case 2 (works):
mysite.com?p=http:/
If there is a http:// or https:// or ftp:// in the query string, there would be an error, even if I encoded it.
I have an index.php (entry script) and a test.php (for testing this error). If I visit a URL (that goes via index.php) with http:// inside the query string, the $_GET variable would be empty even if there are other parameters. If I visit test.php?p=http://, I would get redirected (no change in URL) to index.php with an error (the framework handles invalid requests). Upon replacing http:// with something else, everything works fine – test.php shows what it’s meant to, all other requests goes to index.php with $_GET populated.
I only noticed this error after moving to a new host (hostdime to hostgator). I could not reproduce this anywhere else (old host, local server).
Thank you.
My .htaccess file, stripped of some irrelevant code.
# Use PHP 5.3
AddType application/x-httpd-php53 .php
# ----------------------------------------------------------------------
# Start rewrite engine
# ----------------------------------------------------------------------
<IfModule mod_rewrite.c>
Options +FollowSymlinks
RewriteEngine On
# removes www.
# ------------------------------------------------------------------
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
# rewrite "domain.com/foo -> domain.com/foo/"
# ------------------------------------------------------------------
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(\.[a-zA-Z0-9]{1,5}|/|#(.*))$
RewriteRule ^(.*)$ /$1/ [R=301,L]
# Yii specific rewrite
# ------------------------------------------------------------------
# if a directory or a file exists, use it directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# otherwise forward it to index.php
RewriteRule . index.php
</IfModule>
# without -MultiViews, Apache will give a 404 for a rewrite if a folder of the same name does not exist
# ------------------------------------------------------------------
Options -MultiViews
# ----------------------------------------------------------------------
# UTF-8 encoding
# ----------------------------------------------------------------------
# Use UTF-8 encoding for anything served text/plain or text/html
AddDefaultCharset utf-8
# Force UTF-8 for a number of file formats
AddCharset utf-8 .html .css .js .xml .json .rss .atom
# ----------------------------------------------------------------------
# Gzip compression
# ----------------------------------------------------------------------
<IfModule mod_deflate.c>
...
</IfModule>
<IfModule mod_expires.c>
...
</IfModule>
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
# Block access to "hidden" directories whose names begin with a period. This
# includes directories used by version control systems such as Subversion or Git.
<IfModule mod_rewrite.c>
RewriteCond %{SCRIPT_FILENAME} -d
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
</IfModule>
# Increase cookie security
<IfModule php5_module>
php_value session.cookie_httponly true
</IfModule>
So apperently this is a problem on the host. I contacted HostGator for help and they said it was a mod_security problem.
If you have trouble trying to explain, tell them to run apachetail command on the link you gave.
These links might help you a little
http://forums.hostgator.com/mod-security-and-403-errors-t71394.html
http://www.codingforums.com/showthread.php?t=233958
http://www.codingforums.com/showthread.php?t=244525