[pmwiki-users] Bug in PmWiki?

Patrick R. Michaud pmichaud at pobox.com
Tue Jan 17 12:33:22 CST 2006


On Tue, Jan 17, 2006 at 05:38:36PM +0100, Mike wrote:
> Done.
> 
> Thanks so much for your support help and work. As I said, I'll do the
> recipe out-commenting as soon as I can...

I'm wondering if it's your Apache mod_security module that is
causing the problem, as opposed to anything within PmWiki.
It looks to me as though mod_security (or something) is blocking
any request that contains "file(" in an argument string somewhere.

Here's a demonstration -- note that the following url works:

  http://wiki.use-your-brains.com/pub/skins/brain.png

We can add a parameter to the end (any name) and it still works:

  http://wiki.use-your-brains.com/pub/skins/brain.png?foo=xyz

But if the parameter contains the string "file(" anywhere in it,
request is blocked:

  http://wiki.use-your-brains.com/pub/skins/brain.png?foo=xyzfile%28xyz

Since each of the above requests isn't using PmWiki at all to
process them, it must be something in the webserver blocking
the request.  I suspect mod_security is doing it.

And note that this problem isn't specific to PmWiki; any application
running on this server would block posts containing "file(".

I know very little about how mod_security works, but you might
see if you can disable it for PmWiki with a directive like

    SecFilterEngine Off

in a httpd.conf or .htaccess file or something like that.

Hope this helps!

Pm





More information about the pmwiki-users mailing list