[pmwiki-users] Bug in PmWiki?
Patrick R. Michaud
pmichaud at pobox.com
Tue Jan 17 12:33:22 CST 2006
On Tue, Jan 17, 2006 at 05:38:36PM +0100, Mike wrote:
> Done.
>
> Thanks so much for your support help and work. As I said, I'll do the
> recipe out-commenting as soon as I can...
I'm wondering if it's your Apache mod_security module that is
causing the problem, as opposed to anything within PmWiki.
It looks to me as though mod_security (or something) is blocking
any request that contains "file(" in an argument string somewhere.
Here's a demonstration -- note that the following url works:
http://wiki.use-your-brains.com/pub/skins/brain.png
We can add a parameter to the end (any name) and it still works:
http://wiki.use-your-brains.com/pub/skins/brain.png?foo=xyz
But if the parameter contains the string "file(" anywhere in it,
request is blocked:
http://wiki.use-your-brains.com/pub/skins/brain.png?foo=xyzfile%28xyz
Since each of the above requests isn't using PmWiki at all to
process them, it must be something in the webserver blocking
the request. I suspect mod_security is doing it.
And note that this problem isn't specific to PmWiki; any application
running on this server would block posts containing "file(".
I know very little about how mod_security works, but you might
see if you can disable it for PmWiki with a directive like
SecFilterEngine Off
in a httpd.conf or .htaccess file or something like that.
Hope this helps!
Pm
More information about the pmwiki-users
mailing list