[wp-trac] [WordPress Trac] #35412: ModSecurity2 blocks Potential Obfuscated Javascript in outbound anomaly
WordPress Trac
noreply at wordpress.org
Tue Jan 12 09:40:42 UTC 2016
#35412: ModSecurity2 blocks Potential Obfuscated Javascript in outbound anomaly
--------------------------+------------------------------
Reporter: becki | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Emoji | Version: 4.4.1
Severity: normal | Resolution:
Keywords: | Focuses: javascript
--------------------------+------------------------------
Comment (by dd32):
This is caused by [36161] / #33592.

I'm not sure we should do anything to avoid this, that mod_security rule
is really restrictive..

What's causing this, is that the file
[https://core.trac.wordpress.org/browser/branches/4.4/src/wp-includes/js/wp-emoji-loader.js wp-emoji-loader.js]
contains 5 occurrences of `String.fromCharCode(` and mod_security only
allows 3 instances.

In 4.4.0 we only had 3 instances of that function call.

One reason I say that mod_security rule is crazy, is because we can avoid
it simply by doing `z=String.fromCharCode;` and calling `z()` instead,
completely bypassing it.. and any JS can do the same (I'm actually
surprised our minification process didn't do that automatically)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/35412#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
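
The false positive and the alias gap described in the comment above, as an added example that is not part of the original message, WordPress, or ModSecurity: a simplified stand-in for the rule that counts literal `String.fromCharCode(` calls, run over two constructed snippets. The limit of 3 comes from the comment; the function names, the sample code and the non-call reference check are assumptions made for illustration.

```javascript
// Simplified stand-in for the outbound check described in the comment.
// This is NOT the actual ModSecurity rule text; only the limit of 3
// literal calls is taken from the ticket.
const LIMIT = 3;

// Count literal "String.fromCharCode(" call sites in a response body.
function countLiteralCalls(js) {
  return (js.match(/String\.fromCharCode\s*\(/g) || []).length;
}

// Hypothetical supplementary heuristic: references to String.fromCharCode
// that are not called on the spot (assigned, passed or bound elsewhere).
function countNonCallReferences(js) {
  return (js.match(/String\.fromCharCode\b(?!\s*\()/g) || []).length;
}

// Report both signals so a reviewer can see what the counter alone misses.
function evaluate(js) {
  const calls = countLiteralCalls(js);
  const refs = countNonCallReferences(js);
  return { calls, refs, flaggedByCount: calls > LIMIT, aliasSeen: refs > 0 };
}

// Constructed sample: five direct calls, the count the comment gives for 4.4.1.
const direct = [
  'a = String.fromCharCode(55356, 56806);',
  'b = String.fromCharCode(55356, 56826);',
  'c = String.fromCharCode(55356, 57135);',
  'd = String.fromCharCode(55357, 56835);',
  'e = String.fromCharCode(55357, 56836);',
].join('\n');

// Constructed sample: the same five calls made through the alias from the comment.
const aliased =
  'z=String.fromCharCode;\n' + direct.replace(/String\.fromCharCode\(/g, 'z(');

console.log('direct ', evaluate(direct));
console.log('aliased', evaluate(aliased));
```

The benign loader-style snippet trips the count while the aliased one passes it, so the count alone is neither a reliable allow signal nor a reliable block signal; the non-call reference check is itself only a heuristic.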