[wp-hackers] What would strip $_POST before 'init' runs?
mpwalsh8 at gmail.com
Sun Jun 3 15:39:10 UTC 2012
On Sun, Jun 3, 2012 at 1:48 PM, Gavin Pearce <Gavin.Pearce at 3seven9.com>wrote:
> > The FireBug net tab is helpful, thanks for pointing my in that
> > The problem I am chasing seems to be a 403 Forbidden error which I
> can't figure out the source of. This one has me stumped.
> Is the 403 returned when WordPress receives the POST data? What data are
> you posting?
> Do the usual trick of disabling all plugins one-by-one, and switching to
> the default theme first.
> If it doesn't help - certain $_POST keys trigger different behaviours in
> WordPress. $_POST['name'] is one of them, though will usually give you a
> 404 rather than a 403. Try prefixing all POST data with the name of your
> plugin. $_POST['pluginname_name'], $_POST['pluginname_email'] etc. Any
> Failing that, make sure you check your .htaccess file and virtual host
> to check you haven't got any strange configurations in there.
> Give a shout if none of the above helps.
I created a simple 'init' hook at priority 0 which does nothing more than
dump the contents of $_SERVER, $_POST, and $_GET. $_SERVER has a bunch of
REDIRECT_x (where x is one of number variable suffixes) of array elements
including REDIRECT_URL as shown below (with the IP address removed).
[REDIRECT_REDIRECT_REQUEST_METHOD] => POST
[REDIRECT_REDIRECT_STATUS] => 403
[REDIRECT_REDIRECT_UNIQUE_ID] => T8uDs3rJTaEAAEPWSkMAAAAA
[REDIRECT_STATUS] => 403
[REDIRECT_UNIQUE_ID] => T8uDs3rJTaEAAEPWSkMAAAAA
[REDIRECT_URL] => /403.shtml
[REMOTE_ADDR] => nn.nn.nnn.nnn
[REMOTE_PORT] => 52560
[REQUEST_METHOD] => GET
What I find odd (well, there is a lot odd ...) is the REQUEST_METHOD is
shown as a GET when the form is set up as a POST. I have admin access to
WordPress and FTP access to the installation but I can't look at how the
server is set up. The .htaccess file looks fine BUT when I dump phpinfo(),
I can see that eAccellerator is installed. Could it be the source of the
problem? Is there any way to turn it off using ini_set() or .htaccess? I
tried putting ini_set('eaccellerator.enable', 0); in wp-config.php but it
didn't make any difference.
Mike Walsh - mpwalsh8 at gmail.com
More information about the wp-hackers