IDS blocking webhook

[crusonweb]

I have discovered that the webhook on one of my clients site (running Civi 4.5.6 and Joomla 3.3.6) has begun erroring out on every attempt starting on Feb. 13th. The error is the standard IDS error, "There is a validation error with your HTML input. Your activity is a bit suspicious, hence aborting". Skipping the IDS check for the public user group resolved the issue, although that is only useful to confirm that the problem indeed lies with the IDS check. The problem occurs on all event payloads, even ones that only contain a single event. I believe Feb 13th is when I did the upgrade from Civi 4.5.5 to Civi 4.5.6 so that might be the cause, but I'm not positive.

[JoeMurray]

Thanks for the report @crusonweb. Just to confirm, every callback from Mandrill to CiviCRM on the webhook for the Mandrill Transactional Email extension started causing this IDS error the day of the upgrade from 4.5.5 to 4.5.6. Are there any other webhooks for other services on this instance that are still working? Any other problems with IDS besides this one? Thanks.

[crusonweb]

Yes, it is every callback from Mandrill to CiviCRM since the date and time that I believe the update took place. There were even others on that day that worked and then at a specific time it stopped working, which was right about the time the upgrade had been completed. We have not noticed any other problems with the IDS besides that one, but we don't have a lot of things running on the public end that would trigger the IDS.

[JoeMurray]

There were no direct changes to any IDS code between 4.5.5 and 4.5.6, but some other change may have affected this. Could you provide details on a payload that might help?

[crusonweb]

What would be helpful? Would you like me to just download the .txt it offers me for you or do you need something else? I will need to let it build up so it might take me until tomorrow to have it ready for you, but I can definitely get you something.

[JoeMurray]

The .txt is what I'd like I think (I can't remember what it may provide). Could you also check if there is anything interesting in the CiviCRM error log? For slightly improved privacy, email at joe dot murray at jmaconsulting dot biz. Or friend me on Skype josephpmurray and transfer the files that way for reasonable privacy since it's encrypted.

Cheers, Joe

[crusonweb]

Well this is interesting, I left it over night to try and build up a new text file (because once I had the IDS disabled I cleared the ones that were still pending and once they aren't pending you can't get the payload anymore) and it now seems to be running fine. The only thing I can think of at the moment is the size, none of the payloads since I cleared the backlog have more than 1 event, maybe the size triggered the IDS? I know I saw that listed in JIRA as an issue (which I believe was unresolved) when I went looking yesterday. Most of the stuck payloads were 38 or more events (although there were a couple of 1's that had timed out).

I will keep an eye on it and see if it builds up something after our next mailing.

[JoeMurray]

Interesting indeed. Please reopen when/ if you find something. I have heard of issues with truncation sometimes affecting keys being passed: perhaps something with a longer payload and the max post length on your server might be the cause?? We'll see.

[crusonweb]

It has begun happening again intermittently. There are 3 failures in the last few days. I am sending you an email with one of the payloads that failed.