WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#35838 closed defect (bug) (invalid)

Customizer Save & Publish fails if /*SQL-COMMAND in text box (only on some hosts)

Reported by: wpweaver Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.6
Component: Customize Keywords:
Focuses: Cc:
PR Number:

Description

This is one of the strangest issues I've ever seen in 40 years of programming.

The issue:

On SOME hosts, the Customizer "Save & Publish" fails if text with "/*SQL-COMMAND" is included in any text box with apparently any theme.

For example, on an appropriate hosting company, activate TwentySixteen. Open the Customize : Site Identity tab, and enter a value into the Tagline box (or really, any text box will do). Then try Save & Publish. Normally this will work. BUT, if the string is something like /*insert or /*delete or any other SQL command I tried, the string will show in the preview window, but Save & Publish does not work, and the value is not saved in the settings.

I could only test this on a limited number of hosts, including a couple of different BlueHost share hosting boxes, and a GreenGeeks box. The issue does NOT show on a BlueHost VPS box, nor my Mac MAMP dev system.

I looked at whatever I could, but could not nail down just where/who was causing the issue. This is possibly not a WP bug, but is still a real issue as plenty of users have cheap host like BlueHost or GreenGeeks, so I think it needs to be addressed.

I would suspect some kind of failed attempt on the hosting configuration to stop SQL injection attacks, but who knows.

Change History (5)

#1 @westonruter
4 years ago

@voldemortensen or @mikehansenme, is this something you can help debug from the BlueHost shared hosting side?

#2 @voldemortensen
4 years ago

@westonruter I'll take a look this weekend if I have time. If not I'll do it next week when I get into the office.

#3 @voldemortensen
4 years ago

This is being blocked by mod_security rules. Just looked at the ajax request in the console and saw the 406 Not Acceptable response code with this as the response body:

https://cldup.com/wjN4Gq_F3v-3000x3000.png

When I get into the office next week I'll track down which rule and see if it can be adjust to be secure and allow this, but that seems unlikely. GreenGeeks must be using, at least partially, the same lists as Bluehost.

This is possibly not a WP bug, but is still a real issue as plenty of users have cheap host like BlueHost or GreenGeeks, so I think it needs to be addressed.

While it's true many people are hosted on Bluehost and GreenGeeks, I don't think using /*insert, /*delete, /*select, etc is a very common practice. Seems pretty edge case to me. This is the first I've heard of this after years of experience. Either way, I'll dig deeper when I get to the office. In the mean time, it is possible to use *insert, etc without the leading slash.

Last edited 4 years ago by voldemortensen (previous) (diff)

#4 @voldemortensen
4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Marking as invalid since its not really a core issue.

#5 @westonruter
4 years ago

The user experience will be improved once #29932 is implemented.

Note: See TracTickets for help on using tickets.