BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License

500 Internal Server Error with a specific page content #5123

Closed RELOC-DEV closed 4 months ago

RELOC-DEV commented 4 months ago

Describe the Bug

Creating a new page with a code block containing the string "/../" anywhere results in an internal server error when trying to save the page.

Steps to Reproduce

  1. Create a new page
  2. Assign a random title
  3. In the page body create a code block (click "..." -> "Insert code block")
  4. Fill the code block content with "/../" (without quotes)
  5. Save Code
  6. Save Page

A "500 Internal Server Error" page will be opened and the page will not be saved.

Expected Behaviour

The page should be saved correctly.

Screenshots or Additional Context

No response

Browser Details

Chrome 126

Exact BookStack Version

v24.02.2

ssddanbrown commented 4 months ago

Hi @RELOC-DEV, please can you detail your BookStack host environment (web server, hosting service (if any), operating system, PHP version and setup, etc.)?

RELOC-DEV commented 4 months ago

Hi @ssddanbrown, thanks for your reply!

The hosting service is Dreamhost. It runs Ubuntu 20.04.6 LTS with PHP 8.2

ssddanbrown commented 4 months ago

Thanks @RELOC-DEV. Errors on that kind of content are usually down to additional security systems/layers at play, blocking or stopping the request because they think there's an attack being attempted.

I think Dreamhost may have this kind of thing on by default. Often this will be named, or be due to, "mod_security" or a Web Application Firewall (WAF). You could try contacting Dreamhost regarding this to see if it's something that's active for you, or you could try following the guidance here, if it's appropriate for your service, to see if disabling mod_security allows you to save this kind of content.
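For anyone who administers their own Apache host rather than shared hosting, the following is an added configuration example (not BookStack project code and not something suggested in this thread) showing the difference between the blunt fix the thread arrives at (turning ModSecurity off for the whole site) and a scoped exclusion that keeps the WAF running. It assumes Apache with ModSecurity 2.x and the OWASP Core Rule Set 3.x, where rules 930100 and 930110 are the "Path Traversal Attack (/../)" checks that a literal "/../" in a POST body would trip. The request-path prefix and the `html` / `markdown` form field names are assumptions about the BookStack editor form, not details confirmed by this issue.

```apache
# --- Weak setting: what "disable mod_security" usually amounts to ---
# Every request to the site now bypasses the WAF entirely, not just page saves.
# SecRuleEngine Off

# --- Scoped alternative: keep the engine on, exempt only the editor payload ---
SecRuleEngine On

# Assumption: BookStack page/chapter/book editors live under /books/ and submit
# the page body in the "html" (WYSIWYG) or "markdown" form field. Only those
# two parameters are excluded from the CRS path-traversal rules, and only on
# requests under that prefix, so "/../" in a URL or in any other field is still
# inspected. Rule id 1000 is a locally chosen id from the range reserved for
# site-specific rules, not a CRS id.
SecRule REQUEST_URI "@beginsWith /books/" \
    "id:1000,phase:1,pass,nolog,\
     ctl:ruleRemoveTargetById=930100;ARGS:html,\
     ctl:ruleRemoveTargetById=930110;ARGS:html,\
     ctl:ruleRemoveTargetById=930100;ARGS:markdown,\
     ctl:ruleRemoveTargetById=930110;ARGS:markdown"
```

To confirm which rule is actually firing before adding an exclusion, save a test page containing "/../" and check the ModSecurity audit log (or the Apache error log) for the blocked transaction; the rule id and matched variable are printed there, and they should be the only things you exclude.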

RELOC-DEV commented 4 months ago

Bingo! That was the issue. Now the page is saved correctly.

We will assess if keeping this option disabled could be a security threat.

We very much appreciated your help.