Closed lgarron closed 5 months ago
Steps to reproduce the issue
Observed behaviour
The second URL results in a 500 (internal server error). Something about the URL is tripping up Dreamhost.
🖼 Screenshots
No response
Expected behaviour
No 500 error.
Browser & operating system
Chrome 120 on macOS 14.2.1
Additional info
No response

The simplest repro seems to be to have moves on either side of a / in Square-1, for both the setup and the alg:
Given the escaped URI components, I don't see how this could be happening unless Dreamhost is trying to parse the parameters. That sounds… concerning? Those parameters should be opaque to the hosting server.

Woah, it seems to be tripping a ModSecurity false positive:
[Sat Jan 20 15:36:15.217532 2024] [:error] [pid 264179:tid 115252986328832] [client 76.103.226.2:57127] [client 76.103.226.2] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "alpha.twizzle.net"] [uri "/edit/"] [unique_id "ZaxY7xkx7RLuKnzAM5@SgQAAAAE"], referer: https://github.com/cubing/cubing.js/issues/314

Okay, I've disabled ModSecurity. We don't have server-side handling for Twizzle anyhow, and fortunately this kind of stuff is my day job expertise.
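Two things in this thread are worth having in runnable form: the claim that the Square-1 "/" only ever reaches the host as an escaped query component, and the ModSecurity log line that shows the request being blocked by the OWASP CRS anomaly-score evaluation. The following is an added example for this thread, not code from cubing.js, Twizzle or Dreamhost. It builds an /edit/ URL with percent-encoded setup and alg parameters and checks that no raw "/" survives in the query, then parses the ModSecurity error-log line quoted above into structured fields (rule id, anomaly score, threshold, status code, client, host, URI, tags). The base URL, the parameter names setup and alg, and the particular Square-1 moves are constructed assumptions, since the issue's actual URLs are not on the page; the log line is the one quoted in the thread.

```javascript
// Added example for this thread; not code from cubing.js, Twizzle or Dreamhost.
// Part 1 builds an /edit/ URL with percent-encoded Square-1 components (the "/"
// in the alg reaches the host only as "%2F"). Part 2 parses the ModSecurity /
// OWASP CRS error-log line quoted in the thread into fields for triage.

// Constructed sample input: the parameter names and these particular Square-1
// moves are assumptions, since the issue's actual URLs are not on the page.
const SAMPLE_SETUP = "(0,1)/(0,-1)";
const SAMPLE_ALG = "(1,0)/(-1,0)";

// URLSearchParams uses application/x-www-form-urlencoded escaping:
// "(" -> %28, ")" -> %29, "," -> %2C, "/" -> %2F; "-" and alphanumerics stay.
function buildEditUrl(base, params) {
  const qs = new URLSearchParams(params).toString();
  return `${base.replace(/\/$/, "")}/edit/?${qs}`;
}

// A correctly escaped query carries no literal "/" for the host to misparse.
function hasRawSlashInQuery(url) {
  const query = url.split("?")[1] || "";
  return query.includes("/");
}

// The ModSecurity error-log line exactly as quoted in the issue.
const SAMPLE_MODSEC_LINE =
  '[Sat Jan 20 15:36:15.217532 2024] [:error] [pid 264179:tid 115252986328832] [client 76.103.226.2:57127] [client 76.103.226.2] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "alpha.twizzle.net"] [uri "/edit/"] [unique_id "ZaxY7xkx7RLuKnzAM5@SgQAAAAE"], referer: https://github.com/cubing/cubing.js/issues/314';

// Turn one ModSecurity error-log line into structured fields. Quoted fields of
// the form [key "value"] go into an object; [tag "..."] repeats, so tags become
// an array. The free-text parts (status code, phase, operator and threshold,
// total anomaly score, client IP) are pulled out with targeted regexes.
function parseModSecurityLine(line) {
  const fields = {};
  const tags = [];
  for (const m of line.matchAll(/\[(\w+) "([^"]*)"\]/g)) {
    if (m[1] === "tag") tags.push(m[2]);
    else fields[m[1]] = m[2];
  }
  const denied = line.match(/Access denied with code (\d+) \(phase (\d+)\)/);
  const op = line.match(/Operator (\w+) matched (\d+) at ([\w:]+)/);
  const total = line.match(/Total Score: (\d+)/);
  const client = line.match(/\[client ([\d.]+)(?::\d+)?\]/);
  return {
    blocked: denied !== null,
    statusCode: denied ? Number(denied[1]) : null,
    phase: denied ? Number(denied[2]) : null,
    operator: op ? op[1] : null,
    threshold: op ? Number(op[2]) : null,
    variable: op ? op[3] : null,
    anomalyScore: total ? Number(total[1]) : null,
    clientIp: client ? client[1] : null,
    ruleId: fields.id || null,
    file: fields.file || null,
    msg: fields.msg || null,
    severity: fields.severity || null,
    crsVersion: fields.ver || null,
    hostname: fields.hostname || null,
    uri: fields.uri || null,
    uniqueId: fields.unique_id || null,
    tags,
  };
}

// Rule 949110 is the CRS request-phase blocking evaluation: it fires when the
// anomaly score summed from the rules matched earlier reaches the threshold.
// Which rules contributed is only visible in the other log lines that share
// this entry's unique_id; this line alone says the total (10) met the limit (7).
function isCrsAnomalyBlock(entry) {
  return (
    entry.blocked &&
    entry.ruleId === "949110" &&
    entry.anomalyScore !== null &&
    entry.threshold !== null &&
    entry.anomalyScore >= entry.threshold
  );
}

const demoUrl = buildEditUrl("https://alpha.twizzle.net", {
  setup: SAMPLE_SETUP,
  alg: SAMPLE_ALG,
});
console.log(demoUrl, "raw slash in query:", hasRawSlashInQuery(demoUrl));
const entry = parseModSecurityLine(SAMPLE_MODSEC_LINE);
console.log(entry);
console.log("CRS anomaly block:", isCrsAnomalyBlock(entry));
```

The parsed entry makes the mismatch in the thread concrete: ModSecurity logged a 418 while the browser received a 500, and the only rule named in the line is the final scoring rule, so identifying the false-positive signature rules means grepping the error log for the same unique_id rather than reading this line in isolation.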