[wp-trac] [WordPress Trac] #10551: wp_die() triggers block when using ModSecurity Core Rules
WordPress Trac
wp-trac at lists.automattic.com
Sat Jan 22 08:15:16 UTC 2011
#10551: wp_die() triggers block when using ModSecurity Core Rules
------------------------------------------------+--------------------------
Reporter: cstrosser | Owner: westi
Type: defect (bug) | Status: accepted
Priority: normal | Milestone: Future Release
Component: Security |
Severity: normal | Version: 2.8.3
Keywords: needs-patch 3.2-early dev-feedback | Resolution:
------------------------------------------------+--------------------------
Old description:
> wp_die() causes ModSecurity (using Core Rules), a commonly used Apache
> plugin, to throw a 406 error, blocking the message from displaying.
>
> This seems to be triggered by the fact that a 500 error is thrown. I
> went and changed the default status code to 401 (Unauthorized) and it
> worked like a charm. I just wonder if there is a better fix for this
> issue... or simply a better status code to use.
>
> Perhaps making a group of functions to make the error codes more focused.
>
> Example:
>
> wp_die_auth( __('You do not have sufficient permissions to access this page.') );
>
> /**
>  * Exits WordPress with Unauthorized status code.
>  *
>  * @see wp_die()
>  */
> function wp_die_auth($message, $title = '') {
>     wp_die( $message, $title, 401 );
> }
New description:
wp_die() causes ModSecurity (using Core Rules), a commonly used Apache
plugin, to throw a 406 error, blocking the message from displaying.

This seems to be triggered by the fact that a 500 error is thrown. I went
and changed the default status code to 401 (Unauthorized) and it worked
like a charm. I just wonder if there is a better fix for this issue... or
simply a better status code to use.

Perhaps making a group of functions to make the error codes more focused.

Example:

{{{
wp_die_auth( __('You do not have sufficient permissions to access this page.') );

/**
 * Exits WordPress with Unauthorized status code.
 *
 * @see wp_die()
 */
function wp_die_auth($message, $title = '') {
    wp_die( $message, $title, 401 );
}
}}}
--
Comment (by nacin):
Don't think we should change the default.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10551#comment:15>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software