"Updating failed" when trying to save / publish post containing phrases that are certain SQL commands (solved by sending some API requests as a JSON blob instead of form encoded data to try to avoid triggering some modsec rules, see 5971) #5675
Comments
I did some research and discovered that the phrase "select from" is found in SQL syntax. For example:
This would explain why you could have any number of words between "select" and "from" and the post would fail to save. Unfortunately, it doesn't explain how the content of the post is being interpreted as SQL commands in the first place. I also tested some other SQL phrases which ended up also causing the post to fail to save and give the same "Updating failed" notification:
Note that all of these phrases will only cause the post to fail to save if they are written with no words in between them, as they are singular phrases, unlike "select from" which is really "select INSERT_PARAMETERS_HERE from".
Thanks for the bug report, @SuperGeniusZeb! I think I have a fix for this, could I get you to test #5741? If you don't have a development environment set up, you can also test with Gutenberg 2.4, by copy/pasting this function and hook into your install.
I copy-pasted the function and hook into my instance of Gutenberg 2.4, saved the changes, deactivated and reactivated the Gutenberg plugin, and then tried to save the post. It still failed to save and gave the same "Updating failed" notification. However, the error message in the JavaScript console on Chromium was different. Now the 500 error was for a POST request, instead of a PUT one:
So I guess the issue I'm having is separate from the other ones (which all involved 4xx errors, I think).
That seems to be a bit different, thanks for the update, @SuperGeniusZeb. Do you have access to your server's error logs, to see if there's any more information showing in them? Also, I see your site is hosted with Liquid Web. I think all of their hosting products have a firewall on them, can you check your firewall logs to see if there's a different rule being triggered?
Could this be reopened? I can confirm this issue is still happening in Gutenberg 2.5. I'll try and check out the server firewall logs and see what I can discover.
Thanks for the update, @SuperGeniusZeb. Could you open a new issue with the details of what you find? @ mention me when you do, to ensure I see it.
Okay, will do. :)
Issue Overview
Ever since Gutenberg 2.3 (though I can't confirm whether or not the issue was happening before that) and still in 2.4, I've had this rather unusual issue where I couldn't save / publish posts containing this phrase:
For example, if I made a post like the following, I would be unable to save it:
https://pastebin.com/q4L9mPBV
Actually, it's worse than that. I could have any number of words in between the "select" and "from", as well as have the words in different paragraphs, and the post would still fail to save:
https://pastebin.com/fwiKSt9F
https://pastebin.com/rYHbK1JT
You can even have the words "select" and "from" right next to each other as "selectfrom" and it will fail to save:
https://pastebin.com/53n3sTNm
Note that the words "select" and "from" have to be typed in lowercase. Making either or both of them uppercase or mixed case will not trigger the error.
I made sure to test this with no plugins (except Gutenberg obviously) enabled, and using the Twenty Seventeen theme. I have tested this with both posts and pages, but not any custom post types, though I assume the error would occur with all post types when using the Gutenberg editor. Also, this phrase does not cause an error when using the Classic Editor. I also tested this with a Divi theme and an old theme built with Artisteer, and I got the same error on all of them. Also, I am using HTTPS on my websites and I am not using Cloudflare. (There have been some issues reported in the past where Cloudflare was being used, but that's not the case for me, and I also seem to be having different errors than them. I couldn't find anyone who was getting 500 errors.)
Here's what my JavaScript Console looks like on Chromium after trying to save a post containing the phrase of death:
load-scripts.php?c=1&load[]=jquery-core,jquery-migrate,utils&ver=4.9.4:9 JQMIGRATE: Migrate is installed, version 1.4.1
load-scripts.php?c=1&load[]=jquery-core,jquery-migrate,utils&ver=4.9.4:4 PUT http://supergeniuszeb.com/wp-json/wp/v2/posts/9067 500 (Internal Server Error)
send @ load-scripts.php?c=1&load[]=jquery-core,jquery-migrate,utils&ver=4.9.4:4
ajax @ load-scripts.php?c=1&load[]=jquery-core,jquery-migrate,utils&ver=4.9.4:4
b @ api-request.min.js?ver=4.9.4:1
REQUEST_POST_UPDATE @ index.js?ver=1521053961:11
(anonymous) @ index.js?ver=1521053961:11
(anonymous) @ index.js?ver=1521053961:6
Le @ react-dom.min.3583f8be.js:92
invokeGuardedCallback @ react-dom.min.3583f8be.js:91
invokeGuardedCallbackAndCatchFirstError @ react-dom.min.3583f8be.js:91
cd @ react-dom.min.3583f8be.js:15
Me @ react-dom.min.3583f8be.js:94
af @ react-dom.min.3583f8be.js:94
da @ react-dom.min.3583f8be.js:16
Zb @ react-dom.min.3583f8be.js:17
pb @ react-dom.min.3583f8be.js:123
yf @ react-dom.min.3583f8be.js:34
batchedUpdates @ react-dom.min.3583f8be.js:169
cc @ react-dom.min.3583f8be.js:26
jc @ react-dom.min.3583f8be.js:35
Interestingly, the PUT request with the 500 error does not show up in the JavaScript console on Firefox Nightly. (The post still fails to save and gives the same "Updating failed" notification, though.) Not sure if that's a bug in Nightly or just a difference between Firefox and Chromium/Chrome.
Steps to Reproduce (for bugs)
Expected Behavior
The post should save properly and shouldn't give any HTTP status code 500 errors.
Current Behavior
Trying to save a post containing the word "select" followed by the word "from" will not work, and the "Updating failed" notification will appear. An HTTP status code 500 error will occur.
Possible Solution
The phrase "select from" sounds like code to me. I suspect this has something to do with how the parsing of the document is handled by the Gutenberg editor. Perhaps the parser misinterprets the phrase as code that is supposed to be executed? And apparently it somehow manages to misinterpret it even if there are tons of words between the "select" and "from".
Related Issues and/or PRs
#2565
#2704
#3252
#5632
#5660
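The reported cases can be checked against a candidate rule before digging through firewall logs. The following is an added example, not code from this issue or from Gutenberg: it tests whether a case-sensitive "select ... from" pattern applied to form-encoded arguments is consistent with every observation above, and what the same content looks like to that filter when sent as JSON. The pattern, the `inspectRequest` model and the sample contents are assumptions constructed for illustration; the actual server rule is not shown in the thread.

```javascript
// Hypothetical stand-in for the firewall rule; the real rule is not shown in this thread.
// Case-sensitive; [\s\S]* allows any text, including newlines, between the two words.
const HYPOTHETICAL_RULE = /select[\s\S]*from/;

// Simplified filter model (assumption): only form-encoded bodies are parsed into
// arguments and checked; any other content type passes through unparsed.
function inspectRequest(contentType, body) {
  if (!contentType.startsWith('application/x-www-form-urlencoded')) {
    return { blocked: false, hits: [] };
  }
  const hits = [];
  for (const [name, value] of new URLSearchParams(body)) {
    if (HYPOTHETICAL_RULE.test(value)) hits.push(name);
  }
  return { blocked: hits.length > 0, hits };
}

// Constructed post contents mirroring the cases reported in the issue.
const CASES = [
  { label: 'adjacent words', content: 'Please select from the menu.', reportedFail: true },
  { label: 'words in between', content: 'You can select any item you like from the list.', reportedFail: true },
  { label: 'different paragraphs', content: '<p>We select one.</p>\n\n<p>It comes from here.</p>', reportedFail: true },
  { label: 'run together', content: 'selectfrom', reportedFail: true },
  { label: 'uppercase', content: 'Please SELECT from the menu.', reportedFail: false },
  { label: 'mixed case', content: 'Please select From the menu.', reportedFail: false },
];

const formBody = (content) => new URLSearchParams({ title: 'Test', content }).toString();
const jsonBody = (content) => JSON.stringify({ title: 'Test', content });

// Compare the model's verdict for each case with what the reporter observed.
function checkHypothesis() {
  return CASES.map((c) => {
    const form = inspectRequest('application/x-www-form-urlencoded; charset=UTF-8', formBody(c.content));
    const json = inspectRequest('application/json', jsonBody(c.content));
    return {
      label: c.label,
      formBlocked: form.blocked,
      jsonBlocked: json.blocked,
      matchesReport: form.blocked === c.reportedFail,
    };
  });
}

console.table(checkHypothesis());
```

If every row shows `matchesReport: true`, the candidate pattern explains the observations and is the kind of rule to look for in the firewall log; a mismatch means the real rule differs from the guess.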