403 on form submit, 200/302 when using cURL/wget
I have a form with many inputs. Some named "date", "type" etc.
The form action points to http://www.xxx.com/admin/links/create, via POST.
When I try to submit it (having required fields populated correctly), I get a 403 response.
In the following cases, I get either 302 or 200 response codes (depending on log-in cookie):
- plain http://www.xxx.com/admin/links/create URL in address bar (I know that's GET);
- using websniffer (GET & POST)
- curl/wget from local
I checked the permissions, the .htaccess (I only have FTP access to web-root) and various other places and everything looks fine.
I hope it's not naming collision of the inputs (actually, I do hope so, because that'll be easy to fix).
All the above happen in production, which is Linux (Apache/2.0.51 on Fedora). Everything works fine on local, which is Windows. Don't tell me it's permissions...
Does somebody know what could be the cause for this - in my own perception - strange behavior?
Comments (1)
Culprit: Apache's mod_security.
I didn't have that module installed in my Windows machine (that's why it worked locally), but the server had it installed.
Here's what I did:
I checked the access logs. Found this:
[...] mod_security: Access denied with code 403. Pattern match "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at HEADER("Content-Type") [...] [uri "/admin/links/create"] [...]
As I don't know how to handle mod_security (yet!), I removed it altogether, and it worked. In your .htaccess:
Of course, you can pin-point your Apache targets only to apply that rule to certain files/folders using directives.
Some links that might help:
http://community.mybb.com/showthread.php?tid=7592
http://wordpress.org/support/topic/upgrade-to-22-dashboard-not-working
http://energy-4-3.com/uncategorized/mod_security-access-denied-with-code-403-pattern-match-http/
http://www.modsecurity.org/ (homepage)
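As an added example (not part of the original answer), the Python sketch below parses the denial line quoted in the answer and replays the logged pattern against Content-Type values, which narrows a 403 like this one to a single rule and a single header. The sample header values are constructed, the function names are hypothetical, and Python's re module stands in for mod_security's own regex engine.

```python
import re

# Denial line exactly as quoted in the answer above ("[...]" elisions kept).
LOG_LINE = (
    '[...] mod_security: Access denied with code 403. Pattern match '
    '"!(^application/x-www-form-urlencoded$|^multipart/form-data;)" '
    'at HEADER("Content-Type") [...] [uri "/admin/links/create"] [...]'
)

DENY_RE = re.compile(
    r'mod_security: Access denied with code (?P<code>\d{3})\. '
    r'Pattern match "(?P<pattern>.*?)" at '
    r'(?P<location>[A-Z_]+)\("(?P<name>[^"]*)"\)'
    r'.*?\[uri "(?P<uri>[^"]*)"\]'
)

def parse_denial(line):
    """Extract status code, pattern, inspected field and URI; None if no match."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    info = m.groupdict()
    info["code"] = int(info["code"])
    # A leading "!" inverts the rule: it fires when the regex does NOT match.
    info["negated"] = info["pattern"].startswith("!")
    info["regex"] = info["pattern"][1:] if info["negated"] else info["pattern"]
    return info

def is_denied(info, value):
    """True if the logged rule would fire for this header value."""
    matched = re.search(info["regex"], value) is not None
    return matched != info["negated"]

# Constructed sample Content-Type values (not taken from the page).
SAMPLES = [
    "application/x-www-form-urlencoded",
    "application/x-www-form-urlencoded; charset=UTF-8",
    "multipart/form-data; boundary=----constructed",
    "text/plain",
]

if __name__ == "__main__":
    info = parse_denial(LOG_LINE)
    print(info["code"], info["location"], info["name"], info["uri"])
    for value in SAMPLES:
        print("DENY " if is_denied(info, value) else "allow", value)
```

With the pattern as logged, a form-urlencoded value that carries a charset parameter is denied, because the `$` anchor permits nothing after the media type.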