CloudFlare can unexpectedly block REST API requests #3527
Comments
youknowriad
added
the
[Status] Needs More Info
|
Not able to reproduce, can you add more details? Do you see a failing request? Are you able to get the response of the request...? |
|
I'll check the Apache log later. The Firefox don't return any error log msg. |
|
There's no log error on Firefox console or Apache. Can I enable some debug mode on Wordpress? |
Yes, I think it's related. Can you take a look at this issue, there's a workaround there #2704 (even if it seems CloudFlare is not blocking the API anymore) |
|
Thanks a lot, @youknowriad!
|
thenets
changed the title
|
Talking with CloudFlare support and later analyzing the "request" content I found the problem with API request. The CloudFlare firewall identifies the Gutenberg request as a possible SQL Injection attack. The way the requests is made looks like an SQL Injection can be done. Maybe is better encode and strip special chars before sending to Wordpress API. |
|
I had a similar problem just this morning in Gutenberg v1.8.0. Setting a background or text color on the block seems to push CloudFlare over the edge. Here's the full JSON export of the triggers that caused this. See: https://gist.github.com/jaswrks/e1985e071502099b53aac01f33b97b27
|
|
I have a similar problem just like @jaswrks . While updating the table or button elements of gutenberg editor. I will get 403 forbidden from cloudflare with
|
|
I'm afraid we can't do anything about this on our side. The REST API should allow storing any post content string and this is not a security issue IMO. |
|
I wonder if anyone working on the REST API has been in contact with the OWASP team that works on the core ruleset, which is used by Mod Security and many web application firewalls, including CloudFlare. Referencing: https://coreruleset.org/ There's a file in the core ruleset with several WordPress exceptions, and it helps to avoid things like this. However, I don't see that any of the existing rules deal with raw HTML content being POSTd to JSON API endpoints. That seems like a problem. If we have someone who has a contact at CloudFlare or with the OWASP core ruleset team, it would be awesome if they could inquire about adding JSON API exceptions. That may improve this situation, over time, across many hosts that use the core ruleset, including at CloudFlare. |
|
For now, we should solve this problem with documentation. I've captured the CloudFlare issue to #4646 |
danielbachhuber
changed the title
designsimply
added
[Type] Bug
|
I had to whitelist my IP address to get this working. The rule that was triggered for me was Rule
|
Issue Overview
Don't save when my list item has parentheses.
Steps to Reproduce
Expected Behavior
Should save.
Versions
Wordpress 4.9
Gutenberg 1.7.0
The text was updated successfully, but these errors were encountered: