[wp-trac] [WordPress Trac] #16940: Prevent 403 errors in Press This

WordPress Trac noreply at wordpress.org
Fri Feb 21 16:27:10 UTC 2014


#16940: Prevent 403 errors in Press This
--------------------------+-----------------------------
 Reporter:  scribu        |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Future Release
Component:  Press This    |     Version:
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:
--------------------------+-----------------------------

Comment (by aubreypwd):

 After discovering that applying this patch *seems* to do nothing other
 than replacing `/` with `\/`, which gets you `/`, I landed on
 http://stackoverflow.com/questions/14215419/mod-security-exception-rule-for-url-as-parameter
 that seems to show that passing a URL via a parameter
 is not fun for `mod_security`.

 When I looked at what's happening in the patch
 (http://jsfiddle.net/4s4Xb/4/) it appears that what actually gets sent to
 the parameter is `\/`, an escaped `/`. This causes, I think, the parameter
 to not be a URL, but be something like a URL.

 So what we end up passing from JS to the URL is
 `?u=http:\/\/fiddle.jshell.net\/_display\/` or
 `?u=http%3A%2F%2Ffiddle.jshell.net%2F_display%2F` which works when
 press-this.php processes it, see https://cloudup.com/cqDbBglTWO4

 I did some
 [Googling](https://www.google.com/search?btnI=&q=press+this+404+error#q=press+this+404+wordpress&tbs=qdr:y)
 and this has come up recently in some blogs, etc., so it might still be an
 issue with some people.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/16940#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

