[wp-trac] [WordPress Trac] #16940: Prevent 403 errors in Press This
WordPress Trac
noreply at wordpress.org
Thu May 7 03:22:49 UTC 2015
#16940: Prevent 403 errors in Press This
--------------------------+-----------------------------
Reporter: scribu | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Future Release
Component: Press This | Version: 4.2
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+-----------------------------
Changes (by kraftbj):
* keywords: reporter-feedback =>
Comment:
FYI - Once you sign up (free), the rules are licensed under the Apache
license.
The rule that is impacting Press This:
{{{
SecRule ARGS "^(?i)(?:ft|htt)ps?(.*?)\?+$" \
    "id:211120,msg:'COMODO WAF: Remote File Inclusion Attack',phase:2,severity:2,capture,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:'auditLogParts=+E',t:'none'"
}}}
Since the bookmarklet and the direct entry form pass a complete URL,
including protocol, as the `u` value, it is including http/https in the
URL, which is triggering this rule. Testing a direct URL, changing `u`
to remove http would avoid the 403 error, but break the feature of PT
since `_limit_url` returns `''` if `! preg_match(
'/^([!#$&-;=?-\[\]_a-z~]|%[0-9a-fA-F]{2})+$/' )`
([[https://core.trac.wordpress.org/browser/tags/4.2.2/src/wp-admin/includes/class-wp-press-this.php#L372|ref]]).
I'm thinking about whether there are ways around this that suitably work;
open to suggestions.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/16940#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac mailing list
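As an added check for the interaction described in the comment above (this script is not part of the ticket, of WordPress, or of the Comodo rule set), the following Python runs the two regular expressions quoted in that comment over constructed sample `u` values: the ARGS pattern from rule 211120 and the `preg_match()` character-class pattern from `_limit_url`. It models only those two regexes, not ModSecurity's argument decoding or anything else `_limit_url` does; the `(?i)` at the start of the Comodo pattern is passed as `re.IGNORECASE` because Python only accepts a global inline flag as the very first token of a pattern. The function names and the `SAMPLE_U_VALUES` list are the script's own.

```python
"""Which `u` values match Comodo WAF rule 211120, and which pass _limit_url()'s regex.

Added example for ticket #16940; not WordPress or Comodo code. It models only the
two regular expressions quoted in the ticket comment, not ModSecurity's ARGS
decoding/transformations or the rest of WP_Press_This::_limit_url().
"""
import re

# Rule 211120's pattern is "^(?i)(?:ft|htt)ps?(.*?)\?+$". Python requires a global
# inline flag to be the first token of the pattern, so (?i) becomes re.IGNORECASE.
RULE_211120 = re.compile(r"^(?:ft|htt)ps?(.*?)\?+$", re.IGNORECASE)

# The preg_match() pattern body from _limit_url() as quoted in the comment. The
# comment shows no trailing PCRE modifiers, so none are assumed here.
LIMIT_URL_CHARS = re.compile(r"^([!#$&-;=?-\[\]_a-z~]|%[0-9a-fA-F]{2})+$")


def waf_rule_matches(arg_value):
    """True if rule 211120's regex matches this ARGS value (the rule's action is block)."""
    return RULE_211120.search(arg_value) is not None


def limit_url_regex_accepts(url):
    """True if the value passes the character-class check; False is the case in
    which the comment says _limit_url() returns ''."""
    return LIMIT_URL_CHARS.search(url) is not None


def classify(u_values):
    """Map each candidate `u` value to (waf_rule_matches, limit_url_regex_accepts)."""
    return {u: (waf_rule_matches(u), limit_url_regex_accepts(u)) for u in u_values}


# Constructed sample values for the `u` parameter (not taken from the ticket).
SAMPLE_U_VALUES = [
    "http://example.com/2015/05/some-post/",  # typical bookmarklet value
    "https://example.com/?p=123",              # query string, does not end in "?"
    "http://example.com/?",                    # ends in "?", the RFI shape the rule targets
    "HTTP://EXAMPLE.COM/?",                    # rule 211120 is case-insensitive
    "ftp://example.com/file.txt?",             # (?:ft|htt)ps? also covers ftp/ftps
    "example.com/2015/05/some-post/",          # scheme stripped, as the comment describes trying
    "http://example.com/caf%C3%A9/",           # percent-encoded bytes are allowed by the class
    "http://example.com/café/",                # raw non-ASCII is not in the class
    "http://example.com/some post/",           # a space is not in the class either
]

if __name__ == "__main__":
    for u, (blocked, accepted) in classify(SAMPLE_U_VALUES).items():
        print(f"{u!r:42} rule 211120: {'MATCH' if blocked else 'pass '}   "
              f"_limit_url regex: {'ok' if accepted else 'REJECT'}")
```

On these inputs the rule's regex only fires on values that both start with ftp/ftps/http/https and end in one or more `?`, which is the classic remote-file-inclusion payload shape (`http://host/shell.txt?`); a plain article URL with no trailing `?` does not match it as written. The `_limit_url` character class accepts anything built from the listed ASCII characters or `%XX` escapes, so it rejects raw non-ASCII and whitespace but accepts a scheme-less value. Whether ModSecurity's handling of the request and the remainder of `_limit_url` change either outcome is outside what this script models, so treat it as a regex check, not a reproduction of the 403.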