mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-02-05 00:29:48 +03:00
403 when saving text that contains 'create new database' #470
Closed
opened 2026-02-04 20:18:13 +03:00 by OVERLORD
·
11 comments
Originally created by @Awinad on GitHub (Oct 15, 2017).
For Bug Reports
Expected Behavior
No permission error/403
Current Behavior
We had a text saying "Create new database". This seems to be interpreted and then blocked due to the fact that it's an SQL command. It should not even happen...
Steps to Reproduce
Create a page and write "Create new database" and save.
If you write "Create a new database" the error does NOT occur.
@Awinad commented on GitHub (Oct 15, 2017):
Additional comment: It seems to be the case with ALL SQL commands.
e.g. "select * from" causes the same error
@ssddanbrown commented on GitHub (Oct 15, 2017):
Hi @Awinad,
Thanks for raising this issue. The fact this happens is concerning. I have been unable to reproduce this issue on my dev setup.
Please can you confirm your version of MySQL?
Also, Please confirm your PHP-MySQL driver if possible. From the command line this can be fetched via
php -i | grep mysql.
@Awinad commented on GitHub (Oct 15, 2017):
Hi @ssddanbrown
mysql -v:
mysql Ver 14.14 Distrib 5.6.33, for Linux (x86_64) using EditLine wrapper
php -i | grep mysql:
mysqli
Client API library version => mysqlnd 5.0.12-dev - 20150407 - $Id: ... $
mysqli.allow_local_infile => On => On
mysqli.allow_persistent => On => On
mysqli.default_host => no value => no value
mysqli.default_port => 3306 => 3306
mysqli.default_pw => no value => no value
mysqli.default_socket => no value => no value
mysqli.default_user => no value => no value
mysqli.max_links => Unlimited => Unlimited
mysqli.max_persistent => Unlimited => Unlimited
mysqli.reconnect => Off => Off
mysqli.rollback_on_cached_plink => Off => Off
mysqlnd
mysqlnd => enabled
Version => mysqlnd 5.0.12-dev - 20150407 - $Id: ... $
Loaded plugins => mysqlnd,debug_trace,auth_plugin_mysql_native_password,auth_plugin_mysql_clear_password,auth_plugin_sha256_password
API Extensions => mysqli,pdo_mysql
mysqlnd statistics =>
PDO drivers => mysql, sqlite
pdo_mysql
Client API version => mysqlnd 5.0.12-dev - 20150407 - $Id: ... $
pdo_mysql.default_socket => /tmp/mysql.sock => /tmp/mysql.sock
I assume the PDO part was the thing you're looking for. I can provide access to the host if needed.
I do not have root access since it's a shared hosting the app runs on.
@ssddanbrown commented on GitHub (Oct 15, 2017):
@Awinad Thanks for the quick reply.
This is strange, was expecting to possibly see a non-native driver in your details but looks like you're using mysqlnd.
Might be my testing method? Are you able to replicate the issue on the demo site at all? (Login is admin@example.com and password for password).
@Awinad commented on GitHub (Oct 15, 2017):
@ssddanbrown nope, it does not happen on demo site.

On our site it just shows me 403 right after saving.
Let me know if there's anything else I can do to help identify the issue.
@domainzero commented on GitHub (Nov 2, 2017):
I cannot reproduce this issue either.
@ssddanbrown commented on GitHub (Nov 11, 2017):
@Awinad Have you got any layers sitting in front of BookStack? Like cloudflare or some other caching/CDN service?
Thinking that SQL keywords are maybe triggering a security filter or something is not escaping SQL on a layer before bookstack. I've never seen that style of http error which is leading me to think this is something else.
@ssddanbrown commented on GitHub (Nov 11, 2017):
Apologies for my late response btw
@lommes commented on GitHub (Nov 15, 2017):
Apache mod_security might cause this.
@deezaster commented on GitHub (May 29, 2018):
I had the same problem when I write "mysql.db". After deactivating the Apache mod_security it works.
@ssddanbrown commented on GitHub (Sep 23, 2018):
Since the last comment on this issue is relatively old I'm going to close this. If the issue remains and is something you still require to be fixed please comment and this can be reopened if required.
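The thread ends with Apache mod_security identified as the likely source of the 403. As an added example (not part of the original thread or of BookStack's code), this script reads ModSecurity 2.x denial lines from an Apache error log and reports which rule and request variable blocked page saves, so one targeted exclusion can replace switching the module off. The log lines, rule id, host name, URIs and the `html` argument name are constructed assumptions.

```python
import re
from collections import Counter

# Constructed Apache error-log lines in ModSecurity 2.x format (not taken from the issue).
# Rule id, host name, URIs and argument names are illustrative assumptions.
SAMPLE_LOG = """\
[Sun Oct 15 10:02:11 2017] [:error] [pid 4242] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:create|select)" at ARGS:html. [file "/etc/modsecurity/sqli.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack"] [hostname "wiki.example.org"] [uri "/books/ops/page/db-setup"] [unique_id "constructed-1"]
[Sun Oct 15 10:03:40 2017] [:error] [pid 4242] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:create|select)" at ARGS:html. [file "/etc/modsecurity/sqli.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack"] [hostname "wiki.example.org"] [uri "/books/ops/page/queries"] [unique_id "constructed-2"]
[Sun Oct 15 10:05:02 2017] [:error] [pid 4243] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:create|select)" at ARGS:email. [file "/etc/modsecurity/sqli.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack"] [hostname "wiki.example.org"] [uri "/login"] [unique_id "constructed-3"]
[Sun Oct 15 10:06:00 2017] [core:notice] [pid 4200] AH00094: Command line: '/usr/sbin/apache2'
"""

DENY = re.compile(r"ModSecurity: Access denied with code (\d+)")
FIELD = re.compile(r'\[(id|msg|uri) "([^"]*)"\]')
# The inspected variable appears as "... at ARGS:html. [file ..." before the metadata.
TARGET = re.compile(r" at ([A-Z_]+(?::[\w-]+)?)\. \[")


def parse_denials(text):
    """Return one dict per ModSecurity denial: status code, rule id, msg, uri, target."""
    denials = []
    for line in text.splitlines():
        deny = DENY.search(line)
        if not deny:
            continue  # unrelated Apache log line
        fields = dict(FIELD.findall(line))
        target = TARGET.search(line)
        denials.append({
            "code": int(deny.group(1)),
            "id": fields.get("id"),
            "msg": fields.get("msg"),
            "uri": fields.get("uri") or "",
            "target": target.group(1) if target else None,
        })
    return denials


def suggest_exclusions(denials, uri_prefix):
    """Render per-rule, per-variable exclusions for denials under uri_prefix only."""
    hits = Counter(
        (d["id"], d["target"])
        for d in denials
        if d["uri"].startswith(uri_prefix) and d["id"] and d["target"]
    )
    return [f'SecRuleUpdateTargetById {rid} "!{var}"' for (rid, var), _ in hits.most_common()]


if __name__ == "__main__":
    for directive in suggest_exclusions(parse_denials(SAMPLE_LOG), "/books/"):
        print(directive)
```

Run against the real error log, the output names the actual rule id and variable to exclude. `SecRuleUpdateTargetById` has to be loaded after the rule it modifies.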