lucy24 - 2:50 am on Sep 16, 2012 (gmt 0)

Search: Hello World 1.1.1.1 - - [13/Sep/2012:15:20:03 +0100] "GET /?s=Hello+World&submit=Go HTTP/1.1" 301 20 1.1.1.1 - - [13/Sep/2012:15:20:03 +0100] "GET /search/Hello+World/ HTTP/1.1" 301 20

If that's an accurate quote, the change to plus signs is automatic; it happens as soon as you hit Confirm or Find or whatever you do to say "Start searching".

The second step-- converting an "s=" query string to an URL in /search/{searchstring} --is presumably also WordPress. Note that the + sign is unchanged at this point.

The third step is where things go wonky because the code should "recognize" that you can't keep percent-encoding a percent sign.

There's a flag meaning "don't encode" but there isn't one for "do encode" since that's the default.

Quick detour to Firefox with LiveHeaders, followed by close study of raw logs, confirms that Apache-- acting on its own volition without instructions to the contrary-- doesn't mess with a + sign at all. But if a space is allowed to enter the query string before you start redirecting, then each successive redirect will balloon from %20 to %2520 to %252520 and so on. (Firefox appears to allow 40 tries, which strikes me as over-optimistic.)

So if you can intercept the one place where + turns into %2B, then all the subsequent %25 problems should disappear on their own.