我为自己编写了一个简单的webapp,以便能够在我的服务器上编辑文件,当时我在一个只允许http和https端口的地方...
但我遇到了一个奇怪的问题。
通常在保存文件时会更换这些标题(删除机密信息):
https://example.com/?
POST /? HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: hu-HU,en-US;q=0.8,hu;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://example.com/?path=/home/csirmazd/public_html/[...]/fs/view/login.php&view=preview
Cookie: [...]
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 644
[...]
HTTP/1.1 303 See Other
Date: Sat, 28 Mar 2015 14:57:40 GMT
Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
X-Powered-By: PHP/5.4.36
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: ?path=/home/csirmazd/public_html/[...]/fs/view/login.php&view=preview
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
----------------------------------------------------------
https://example.com/?path=/home/csirmazd/public_html/[...]/fs/view/login.php&view=preview
GET /?path=/home/csirmazd/public_html/[...]/fs/view/login.php&view=preview HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: hu-HU,en-US;q=0.8,hu;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://example.com/?path=/home/csirmazd/public_html/[...]/fs/view/login.php&view=preview
Cookie: [...]
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sat, 28 Mar 2015 14:57:40 GMT
Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
X-Powered-By: PHP/5.4.36
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
----------------------------------------------------------
但是当我尝试保存另一个特定文件时,即dir.php有些不同:
https://example.com/?
POST /? HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: hu-HU,en-US;q=0.8,hu;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://example.com/?path=/home/csirmazd/public_html/[...]/fs/view/dir.php&view=preview
Cookie: [...]
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 4604
[...]
HTTP/1.1 501 Method Not Implemented
Date: Sat, 28 Mar 2015 15:03:04 GMT
Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Allow: TRACE
Content-Length: 458
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
----------------------------------------------------------
浏览器中的消息是
GET to / not supported.
什么?那为什么它适用于其他一切呢?
根本不会调用基础PHP代码。
首先我认为这是一辆小车.htaccess。但是,如果我记得我禁用了它,通过在根目录中包含单个RewriteEngine On。所以我认为这不是问题所在。 (它仍然通过调用 index.php 来处理 example.com / 。)
我的第二个想法是POST请求的最大大小非常小。但是我可以毫无问题地编辑更大的文件。
现在我的想法用完了,我不知道在哪里看。
有什么想法吗?
答案 0 :(得分:0)
问题的根源似乎是托管服务提供商安装的Apache服务器上的ModSecurity模块。
作为others had issues with it too on a different site。
所以我尝试了一个实验,并将相同的内容发布到随机URI,并得到了与以前相同的错误。显然,当您从表单提交代码时,这件事情并不合适。
所以显而易见的解决办法是将其关闭。
在我的特定情况下,我的cPanel中没有选项可以将其关闭,所以我设法通过base64编码客户端的表单内容来绕过它。