WordPress Bug?

  By Shamus   Dec 8, 2006   9 comments

Here is a strange one for you. Open up WordPress, and make a new post. Into this post put the words:

“Delete”

Then the word:

“from”

Hit save.

Watch WordPress puke all over itself.

This is a very strange bug. Both words must appear in that order with no other letters between them, but you can have line-breaks between them and it still happens. What on earth is going on here?

The problem surfaced when I tried to edit this old post. I saw a typo I wanted to correct, so I edited the post and hit save, which led to the bizarre error:

Precondition Failed
The precondition on the request for the URL /twentysidedtale/wp-admin/post.php evaluated to false.

Halfway down the page I quote Lileks, and that quote contains the deadly words. It took me a long, long time to figure out what the problem was. Obviously I wrote that post in an earlier version of WordPress that doesn’t have this bug, and now that I’ve upgraded I can’t edit the post without removing those words. I spent a long time removing sections of the post until I had isolated the offending words.

One guess is that the phrase “de1ete from” is getting misunderstood or misused as part of a command to MySQL. Still, that really shouldn’t happen.

FURTHER NOTE: I’m using WP 2.0.2 and I have the fancy-pants editor turned off.

Nine comments.


  1. GreyDuck says:

    *blink* It does, in fact, sound as though it’s passing that as a command to MySQL instead of properly encoding it as just more blob data, doesn’t it?

    I’ll pass on the testing of this myself, but, wow.

  2. Adam says:

    You might try some other simple mysql commands. “Select from” would be a (risk-free) one to test.

  3. Pixy Misa says:

    “Precondition failed” sounds like an Apache error, not a PHP error. My guess is that there’s some filtering in .htaccess to prevent SQL injection, and it’s triggering on those keywords.

  4. Pixy Misa says:

    Let’s see: select * from

  5. Shamus says:

    Yeah, select seems fine. But you can’t use the magic words in a comment.

  6. Matt Round says:

    mod_security is cautiously blocking any vaguely suspicious data, that’s all. Apparently, putting “SecFilterEngine off” into .htaccess disables it.

  7. […] mod_security is really aggressive around certain words (like in my previous post). To get around this, add SecFilterEngine off to your .htaccess file. You […]
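The behaviour discussed in the thread, as an added example that is not code from the post or from any commenter: a keyword filter in front of the application rejects the request body before WordPress ever sees it, while a bound query parameter stores the same words as ordinary text. The regular expression is an assumed stand-in for the host's mod_security rule, which the page does not show, and the sample bodies and the `posts` table are constructed.

```python
import re
import sqlite3

# Assumed stand-in for the host's filter rule (the real rule is not on the page).
# \s+ matches spaces and line breaks, so the words still match across lines.
SUSPICIOUS = re.compile(r"delete\s+from", re.IGNORECASE)


def filter_request(body: str) -> int:
    """Return the HTTP status a keyword-matching request filter would answer with."""
    return 412 if SUSPICIOUS.search(body) else 200


def save_post(conn: sqlite3.Connection, body: str) -> str:
    """Store the body through a bound parameter and read it back."""
    cur = conn.execute("INSERT INTO posts (body) VALUES (?)", (body,))
    row = conn.execute(
        "SELECT body FROM posts WHERE id = ?", (cur.lastrowid,)
    ).fetchone()
    return row[0]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)")
    # Constructed sample post bodies.
    samples = [
        "Please delete\nfrom your bookmarks the old address.",  # line break between
        "Delete FROM posts",                                    # looks like SQL
        "select * from",                                        # not covered by the rule
        "delete it from the list",                              # other letters between
    ]
    results = []
    for body in samples:
        status = filter_request(body)
        stored_intact = save_post(conn, body) == body
        results.append((body, status, stored_intact))
    remaining = conn.execute("SELECT COUNT(*) FROM posts").fetchone()[0]
    return results, remaining


if __name__ == "__main__":
    for body, status, intact in demo()[0]:
        print(status, intact, repr(body))
```

Every sample is stored intact and the table keeps all of its rows, so the filter's 412 responses on the first two bodies are false positives on harmless prose rather than a sign that the text would have reached the database as a command.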


