All Low add-ons are now owned by EEHarbor. Read the blog post.

Support archive

Low Variables - "forbidden" on resaving variable, with certain strings such as white space

Nevsie / Modeten 28 Oct 2013 18:58 problem, rejected

Low Variables - simple text field only. on original creation of the variable all works fine. On saving it, it continues to work. However, on random occasions, changing the string of text in it to have white space on the end, xxx on the end, or anything causing the script to fail with a nothing error of "forbidden".

Does this ring any bells? mean anything to you...? I originally thought it was a settings issue as i was trying to save to file - but on testing without save to file, problem still occurs.

I wondered if it was a server filtering issue - but these values save perfectly from snippets, and other areas, and save to file works perfectly with them. so really getting stuck here?

Replies

  1. Low 28 Oct 2013 20:18

    Looks like a mod_security issue. Check these resources:

    http://ellislab.com/forums/viewreply/...

    Try to add this to your .htaccess file 

    <IfModule mod_security.c> 
       SecFilterEngine Off 
       SecFilterScanPOST Off 
     </IfModule>


    In one case, the host disabled these mod_security rules:
    300061
    340149
    340163

    Someone else was able to resolve the problem by changing the name from /system/index.php to something else.

  2. Nevsie / Modeten 29 Oct 2013 17:01

    Hi Low,
    Cheers for the response...

    mod_security does not seem to be present - we at least as far as i can see. Adding the rules changes nothing, and when removing the IF part - it errors out. so i am assuming not that.

    The site apparently has "hardening" by Suhosin though - so i suspect it is a custom set of rules within that.

    However, the bit i find funny - is when entering the same content as a global, or a snippet, or a template - they save without issue. Therefore i assume it must be a "cumulative" effect of the content, plus other things going on on your variable page?

    Any ideas on what that might be? i assume post, maybe to many vars, but think that is unlikely unless its false positive as there is only 1 field at this stage!

    Thanks, N

  3. Low 29 Oct 2013 17:08

    My experience is that the 403 Forbidden is thrown even before the POST hits PHP, so it's beyond my reach. I'd recommend you verify with your host to see if mod_security is enabled and if they can tweak it if needed.

    If the htaccess rule makes no difference, it might simply be you have no permissions to disable mod_security that way.

  4. Nevsie / Modeten 29 Oct 2013 17:10

    they probably are preventing the htaccess from being used - makes sense. Joys i will speak to the client they can go back to their host! Teaches me not to force them to use my own guys!

    Thanks Low, N