[dokuwiki] Re: AJAX Request content-type
- From: guifa@xxxxxxxxxxx
- To: dokuwiki@xxxxxxxxxxxxx
- Date: Mon, 19 Feb 2007 16:07:21 -0600
Andi,
I got an e-mail today. OIT at my school changed the rules this morning.
Thanks so much,
Matthew Stuckwisch
On 17.02.2007, at 5’13, Andreas Gohr wrote:
It's not a problem of POST or GET. The mod_security rule forbids
access to requests using POST together with a certain Content-Type
header. It's clearly a fault of that rule but might point to a
problem in DokuWiki, which seems to send requests which aren't as
RFC/standards compliant as they could be. That's why I asked for a bug
report (to be sure the problem is tracked and not forgotten).
Okay, I had a look at the headers and the rules you posted. There is a
problem with the second rule:
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
The problem is the end-of-string anchor after
application/x-www-form-urlencoded - DokuWiki sends a valid header
there, specifying the used character encoding:
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
The rule above does not allow anything after the initial type, which is
simply too strict. Forward this to your IT guys and ask them to honour
the HTTP specs when writing security rules. Their rule should be
modified to
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded|^multipart/form-data)"
Andi
--
http://www.splitbrain.org
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
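The regex problem Andi describes, as an added example that is not code from the thread or from DokuWiki: a small Python harness that emulates the negated whitelist check of the quoted SecFilterSelective rule against a few constructed Content-Type values, showing why the original anchor blocks DokuWiki's header and what the relaxed rule lets through. It also includes a stricter variant, my own suggestion, that admits the charset parameter without turning the type into an open-ended prefix; case-sensitive, PCRE-like matching in mod_security 1.x is assumed.

```python
import re

# Patterns quoted in the thread (the part inside the quotes of the
# SecFilterSelective line). The leading "!" in the rule negates the match:
# the request is blocked when the whitelist pattern does NOT match.
ORIGINAL_RULE = r"^$|^application/x-www-form-urlencoded$|^multipart/form-data"
RELAXED_RULE = r"^$|^application/x-www-form-urlencoded|^multipart/form-data"

# Stricter alternative (assumption, not from the thread): keep the end anchor
# but allow the charset parameter, so a value that merely starts with the
# type name is still rejected.
STRICT_RULE = (
    r"^$"
    r"|^application/x-www-form-urlencoded(\s*;\s*charset=[\w-]+)?$"
    r"|^multipart/form-data(\s*;.*)?$"
)

# Constructed sample header values; only "dokuwiki ajax" is from the thread.
SAMPLE_HEADERS = {
    "plain form": "application/x-www-form-urlencoded",
    "dokuwiki ajax": "application/x-www-form-urlencoded; charset=UTF-8",
    "multipart upload": "multipart/form-data; boundary=----constructed",
    "no header": "",
    "json body": "application/json",
    "prefix only": "application/x-www-form-urlencodedx; charset=UTF-8",
}


def is_blocked(rule: str, content_type: str) -> bool:
    """Emulate the negated check: blocked when the whitelist regex
    does not match the Content-Type value (case-sensitive, as assumed)."""
    return re.search(rule, content_type) is None


def evaluate(rule: str) -> dict:
    """Return {sample name: blocked?} for every constructed header value."""
    return {name: is_blocked(rule, value) for name, value in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL_RULE),
                        ("relaxed", RELAXED_RULE),
                        ("strict", STRICT_RULE)):
        print(label)
        for name, blocked in evaluate(rule).items():
            print(f"  {name:18} -> {'BLOCKED' if blocked else 'allowed'}")
```

The relaxed rule fixes the DokuWiki case but also accepts any value beginning with the type name, which the strict variant does not.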
- References:
- [dokuwiki] AJAX Request content-type
- From: guifa
- [dokuwiki] Re: AJAX Request content-type
- From: Andreas Gohr
- [dokuwiki] Re: AJAX Request content-type
- From: guifa
- [dokuwiki] Re: AJAX Request content-type
- From: Andreas Gohr
- [dokuwiki] Re: AJAX Request content-type
- From: Andreas Gohr