
Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#13090 closed defect (bug) (invalid)

Widget Update Error

Reported by: greaterweb
Owned by: azaozz
Milestone:
Priority: normal
Severity: normal
Version: 2.9.2
Component: Widgets
Keywords:
Focuses:
Cc:

Description

A client of mine appears to have surfaced a bug when saving updates to a widget. This bug was originally discovered through an update to a custom slider widget I had developed. Further testing has replicated the issue with other widgets including the basic WordPress text widget.

Turns out widget text (text input or textarea) cannot contain the words "select" and "from", specifically in that order. An error remains present even if words are inserted between the two, such as "I selected WordPress as the best software from Automattic". Reversing the order of the words will not trigger an error.

To Replicate

Place a text widget in one of your widget areas. Enter the text "select from" in either the title input or the main textarea box. Hit save and the circular icon will pop up (as expected), though as the ajax update fails the icon remains present.

I was still able to replicate the issue even after disabling all plugins and reverting to the default WordPress theme.

The Error

It seems pretty apparent that we have a bit of SQL injection prevention kicking in. I have tested this on two separate client sites and did some ajax debugging with the aid of Firebug. What is odd is that one site makes the request to wp-admin/admin-ajax.php and gets a 500 Internal Server Error. An identical test on a second site returns a 404 Not Found for the wp-admin/admin-ajax.php request. Both of these sites reside on the same web server.

As an additional debugging measure, on the site with the 500 Internal Server Error, I stripped out the entire contents of the wp-admin/admin-ajax.php file. The same 500 Internal Server Error is returned for the ajax request to the blank file. We are choking somewhere before we actually get to the php file. I'll poke around some javascript next.

I couldn't find a ticket for anything similar and was unable to get anyone to confirm/replicate it with a post in the forums.

Thanks!

-Ron

Change History (6)

comment:1 jamescollins 4 years ago

It sounds like the server you are using has mod_security turned on. It isn't WordPress that is causing this.

I think this ticket should be marked as INVALID, because it's a server configuration issue, not a WordPress issue.

http://wordpress.org/tags/mod_security has a list of topics relating to mod_security.
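Added illustration, not part of the ticket and not mod_security's actual rule set: a model of the keyword-order check the reporter describes. It shows why a rule that fires on "select" followed anywhere later by "from" flags ordinary English, and why tightening the pattern to whole-word keywords with a column list between them cuts the false positives without eliminating them. The rule regexes, the sample request bodies and the function names here are constructed for this example.

```python
import re

# Crude "keyword order" rule: "select" anywhere, then "from" anywhere later
# in the same text. Constructed to reproduce the behaviour in the ticket;
# it is not the rule mod_security actually shipped.
NAIVE_RULE = re.compile(r"select.*from", re.IGNORECASE | re.DOTALL)

# Tighter hypothetical rule: whole-word keywords, a column list (or *)
# between them, and a table name after FROM. Matches a query shape rather
# than two English words in sequence.
STRICTER_RULE = re.compile(
    r"\bselect\b\s+(?:\*|[\w`,.\s]+?)\s+\bfrom\b\s+[\w`.]+",
    re.IGNORECASE,
)

# Constructed request bodies: the reporter's inputs, plain English, and one
# string that actually has the shape of a SQL query.
SAMPLES = {
    "select from": "benign",
    "I selected WordPress as the best software from Automattic": "benign",
    "from select": "benign",
    "Please select a size from the menu": "benign",
    "SELECT id, name FROM some_table": "query-shaped",
}


def blocked(rule, text):
    """True if the rule would reject a request body containing `text`."""
    return rule.search(text) is not None


def evaluate(rule, samples=SAMPLES):
    """Return (benign texts the rule blocks, query-shaped texts it misses)."""
    false_positives = [
        text for text, kind in samples.items()
        if kind == "benign" and blocked(rule, text)
    ]
    missed = [
        text for text, kind in samples.items()
        if kind == "query-shaped" and not blocked(rule, text)
    ]
    return false_positives, missed


if __name__ == "__main__":
    for name, rule in (("naive", NAIVE_RULE), ("stricter", STRICTER_RULE)):
        fps, missed = evaluate(rule)
        print(f"{name}: {len(fps)} false positive(s), {len(missed)} query-shaped text(s) missed")
        for text in fps:
            print("   blocked benign text:", repr(text))
```

The naive rule blocks all three of the reporter's orderings that contain "select" before "from" and lets "from select" through, exactly the asymmetry described in the ticket. The stricter rule still blocks "Please select a size from the menu", which is the practical point for a site operator: a WAF keyword rule is a heuristic in front of the application, and the fix for a false positive on an authenticated admin endpoint is tuning or excluding the rule for that path on the server, not changing the application.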

comment:2 dd32 4 years ago

  • Milestone Unassigned deleted
  • Resolution set to invalid
  • Status changed from new to closed

Yeah, closing as invalid. This is definitely a mod_security thing; absolutely nothing WordPress itself can do about it.

comment:3 greaterweb 4 years ago

James, thanks for the helpful response. This is a relatively new server build and I never considered mod_security. A few small updates and it is confirmed as the source.

Forgive me if I'm wrong though but I sense a little bit of "you stupid idiot" from the dd32 response. I'll just go crawl back into my hole now.

comment:4 nacin 4 years ago

Forgive me if I'm wrong though but I sense a little bit of "you stupid idiot" from the dd32 response. I'll just go crawl back into my hole now.

No, no, he wasn't at all saying that, just affirming the cause and keeping Trac clean by closing it.

Maybe we need http://www.someblogsite.com/images/zoo-sign.jpg for committers? I tease :-)

comment:5 follow-up: dd32 4 years ago

Forgive me if I'm wrong though but I sense a little bit of "you stupid idiot" from the dd32 response. I'll just go crawl back into my hole now.

Sorry, James had said everything that needed to be said, and I was just confirming that's the problem at heart.

No offense intended, and this surely isn't going to make it sound any better, but Trac is not a support channel either. I'd have usually included a link to the support forums as well, as that's a better avenue for getting help with non-bugs.

Like nacin said, trying to keep Trac as clean as possible right now. There's just too many other tickets on here which desperately need attention :)

comment:6 in reply to: ↑ 5 greaterweb 4 years ago

No offense intended, and this surely isnt going to make it sound any better, But Trac is not a support channel either, I'd have usually included a link to the support forums as well, as thats a better avenue for getting help with non-bugs.

I can certainly appreciate the value of keeping Trac clean and have never viewed it as a place for support. I genuinely thought I had a bug here, my mistake. My support forum post sat for a day or so before I posted here.

Carry on squashing the real bugs and let's get 3.0 out of beta!
