Page MenuHomePhabricator

Flow request to load.php blocked by mod_security
Closed, InvalidPublic

Description

I'm running a wiki on DreamHost and I enabled mod_security as described here. Apparently, this blocks a request done by Flow and prevents it from running properly. The blocked request is:

https://wikiar.org/load.php?debug=false&lang=es&modules=ext.flow.visualEditor%7Cext.flow.visualEditor.icons%7Cext.visualEditor.core&skin=poncho&version=0x50c35

I have disabled mod_security now so the error will not show up. However, when checking the error.log it appears that the troublesome bit is "0x50c35" which mod_security interprets as "SQL Hex Encoding"

[Sat Aug 03 07:04:27 2019] [error] [client 186.139.106.164] ModSecurity: Access denied with code 418 (phase 1). Pattern match "(?i:(?:\\\\A|[^\\\\d])0x[a-f\\\\d]{3,}[a-f\\\\d]*)+" at ARGS:version. [file "/dh/apache2/template/etc/mod_sec2/99_dreamhost_rules.conf"] [line "329"] [id "1990091"] [msg "SQL Hex Encoding Identified"] [hostname "wikiar.org"] [uri "/load.php"] [unique_id "XUWUa0BvdNoAAHiXNVMAAAAB"]

This may be a DreamHost specific issue, but more likely it's a more general issue with mod_security.

Event Timeline

Restricted Application added a project: Growth-Team. · View Herald TranscriptAug 3 2019, 2:18 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
kostajh closed this task as Invalid.Aug 19 2019, 11:48 AM
kostajh removed a project: StructuredDiscussions.
kostajh added a subscriber: kostajh.

@Sophivorus the installer should have warned you when installing the wiki with mod_security enabled. The message (config-mod-security) is

<strong>Warning:</strong> Your web server has [https://modsecurity.org/ mod_security]/mod_security2 enabled. Many common configurations of this will cause problems for MediaWiki and other software that allows users to post arbitrary content.
If possible, this should be disabled. Otherwise, refer to [https://modsecurity.org/documentation/ mod_security documentation] or contact your host's support if you encounter random errors.

Given that, I'm untagging Notifications and also closing this task, but please re-open if you feel that my answer doesn't address what you've posted here. Thanks!

Sophivorus added a comment.EditedAug 19 2019, 12:02 PM

@kostajh I won't reopen, but it seems a shame that Flow will not work with mod_security, not because of any real security issue, but because a tiny version number is encoded in such a way that mod_security confuses it with SQL Hex encoding.

@Sophivorus I don't think it's a Flow specific issue but I don't know the internals of ResourceLoader well enough to tell you for sure. AFAICT it seems like a ResourceLoader issue where sometimes version in the request will correspond to a value that mod_security tries to block. 😕