Mod Security

A red message that stops the whole page from loading, a full page but a message that looks like it came from the server, a red box with red text that we made: all of these are bugs you can see, so report them here. kthxbai :)

Moderator: Dracones

Forum rules
Can you copy/paste the error message, or do a screen shot that shows what is wrong? If not maybe you've got a "you can sense it" bug.

Mod Security

Post by Yabs » Mon Jul 19, 2010 2:30 pm

Been seeing this problem a tad on evo forums, just had it confirmed by leeturner as happening on hostgator.

Mod sec kills contact form (it also kills parts of admin as well) because of ?param=htp:// (normally ?redirect_to) ... pretty damn sure the same problem exists in QP as well, although not installed mod sec so I can test.

This *could* be an easy fix. Basically remove http(s):// part of redirect_to and add an extra "is_secure" param flag so we know if (s) needs adding ;)

Anyway, would be nice if we didn't have this problem when we launch ... assuming I can get past my coding block with the evo converter :(

¥
I may have opened the door but you entered of your own free will

Yabs
Dracone
Posts: 819
Joined: Sat Nov 21, 2009 9:59 am

Re: Mod Security

Post by Tblue » Mon Jul 19, 2010 3:32 pm

On IRC, I wrote:
<Tblue> Real fix is fixing mod_security...
<Tblue> But yeah, I guess we have to add yet another stupid workaround for broken setups
Tblue
Dracone
Posts: 289
Joined: Sat Nov 21, 2009 1:35 pm
Location: Berlin, Germany

Re: Mod Security

Post by Yabs » Mon Jul 19, 2010 3:37 pm

irc_continued wrote:
<Tblue> Real fix is fixing mod_security...
<Tblue> But yeah, I guess we have to add yet another stupid workaround for broken setups
<yabs> I look forward to the day that we can rely on every server in the world running the fixes that you submit to mod_sec() ... until then we treat it a smidge like ie6 ;)


¥

Yabs
Dracone
Posts: 819
Joined: Sat Nov 21, 2009 9:59 am

Re: Mod Security

Post by EdB » Mon Jul 19, 2010 8:57 pm

Could we make up a param for what the leading bits should be? Like ?redirect_to=domain.tld/post_title&lb=foo where we then have a little legend of what the various lb bits might be? Or even drop the first three letters and use them as the lb part? As in htt or ftp? For a legend type of thing all I can think of is http:// and https:// and ftp:// but there are probably more. Might have to do the www. versions as well?
EdB
Dracone
Posts: 1467
Joined: Sun Nov 22, 2009 7:20 am
Location: Maricopa Arizona

Re: Mod Security

Post by Yabs » Tue Jul 20, 2010 4:37 am

redirect_to should only ever be http:// or https:// so a flag for "add_s" should be enough, the rest of the url can be in redirect_to. I'm pretty sure that there's a few other admin areas/actions that spark off mod sec as well, but can't think of any off hand.

I'm not sure how easy/hard it'd be to implement the fix, but it'd be nice if we could for v0 although I wouldn't consider it a deal killer if it had to wait until v1 ;)

¥

Yabs
Dracone
Posts: 819
Joined: Sat Nov 21, 2009 9:59 am
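
The workaround discussed in this thread (drop the http(s):// prefix from redirect_to and carry the scheme in a separate flag), as an added example that is not code from the forum or from the project. The WAF-like pattern, the allow-listed host and every function name are assumptions made for illustration, and Python is used only as a neutral language.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the kind of rule the thread describes (a query value
# that begins with a URL scheme). It is not an actual mod_security rule.
WAF_LIKE = re.compile(r"=(?:https?|ftp)(?::|%3A)(?:/|%2F){2}", re.IGNORECASE)
ALLOWED_HOSTS = {"blog.example.com"}  # assumption: hosts the app may redirect to


def waf_would_block(query):
    """True if the stand-in pattern matches the query string."""
    return WAF_LIKE.search(query) is not None


def encode_redirect(url):
    """Return a query string carrying the URL without its scheme, plus is_secure."""
    m = re.fullmatch(r"(https?)://(.+)", url, re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("redirect_to must be an absolute http(s) URL")
    secure = "1" if m.group(1).lower() == "https" else "0"
    return urlencode({"redirect_to": m.group(2), "is_secure": secure})


def decode_redirect(query):
    """Rebuild the URL from both parameters and check it before redirecting."""
    args = parse_qs(query)
    rest = args.get("redirect_to", [""])[0]
    flag = args.get("is_secure", ["0"])[0]
    # Reject a smuggled scheme, backslashes and whitespace/control characters,
    # which browsers and URL parsers do not always read the same way.
    if flag not in ("0", "1") or "://" in rest or re.search(r"[\\\s\x00-\x1f]", rest):
        raise ValueError("malformed redirect parameters")
    url = ("https://" if flag == "1" else "http://") + rest
    # Moving the scheme into a flag must not weaken the open-redirect check.
    if urlsplit(url).hostname not in ALLOWED_HOSTS:
        raise ValueError("redirect target not allowed")
    return url


if __name__ == "__main__":
    target = "https://blog.example.com/admin.php?ctrl=items"  # constructed sample
    print(waf_would_block("?" + urlencode({"redirect_to": target})))
    query = encode_redirect(target)
    print(query, waf_would_block("?" + query), decode_redirect(query))
```

The host allow-list matters as much as the flag: once the scheme is rebuilt server-side, the remaining value is still attacker-controlled input to a redirect.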

