I typed in those magic words and it is fine on the Haiku Discourse, but I can confirm - on the same machine - that they break it here on the Framework forum. So the glitch would appear to have been fixed by version 3.3.1.
I think the following thread’s issue may come from a similar cause to this thread’s issue. I am not sure what “WAF” means.
Whenever a post contains "substring" I get a 403 error - #4 by Mr.X_Mr.X - Support - Discourse Meta
You might have a WAF enabled that blocks XSS attempts and substring is commonly used in the exploit syntax. If you’re using Cloudflare with WAF enabled that would be the cause.
This is ridiculous O_O
Assuming Discourse is properly written software (I don’t know if it is, but if it isn’t, maybe people should stop using it), one should be able to post anything without causing XSS attacks or similar - it’s not supposed to execute users’ posts as code, but just to display them.
I guess that the software layer or network filtering out the specific words may sit in a different place from the Discourse application.
I imagined the software layers such as Discourse (Ruby on Rails, web application) on an HTTP(S) server (Nginx or HTTPD), or the HTTP(S) client-server network process, or a firewall between a client and a server.
You might be right about this; someone sent me this link with this suspicious line: coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf at main · coreruleset/coreruleset · GitHub (and WAF supports OWASP rules: WAF Managed Rules)
However, if this is the case, the WAF is misconfigured for this particular use case, IMHO.
People should be able to post arbitrary text, including code and Linux shell commands, to this forum, and I’m sure Discourse will be able to escape it properly instead of executing it.
If it doesn’t, this WAF snakeoil isn’t gonna save you anyway, as circumventing it seems easy enough (for example uname --all is accepted even though it does the exact same thing as the forbidden uname invocation - though I’m not sure what was supposed to be so bad about uname in the first place).
And if you think that you need something like this after all, it needs better integration - neither the “drafts offline” nor the “403” message is useful at all. As the very minimum, Discourse would have to tell the user that the post contains a forbidden word/sequence of characters, but of course if you respect your users’ time you should also tell them what exactly that word was so they can easily fix it.
But really, just don’t use this at all, at least not to filter text from posts.
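As an added illustration of the points made in this thread (a keyword-based filter rejects ordinary forum text, escaping at output is the layer that actually keeps a post inert, and a blocked user should be told which token tripped the filter), here is a small Python sketch. It is not Discourse's or the forum's code; the keyword list is a constructed stand-in for a WAF command-injection rule, not the OWASP CRS rule text, and the sample posts are made up for the example.

```python
import html
import re

# Constructed stand-in for a keyword-based request filter, such as a WAF
# command-injection rule: a few Unix command names matched as whole words
# anywhere in the request body. Simplified for this example; this is not
# the actual OWASP CRS rule text.
SUSPICIOUS_WORDS = ("uname", "substring", "whoami", "curl")
WORD_RE = re.compile(r"\b(" + "|".join(map(re.escape, SUSPICIOUS_WORDS)) + r")\b",
                     re.IGNORECASE)


def find_blocked_tokens(post_body: str) -> list[str]:
    """Return the keywords a naive body filter trips on, in order of appearance.

    This is the information the thread asks the forum to show the user
    instead of a bare 403 or an "offline draft" message.
    """
    return [m.group(1) for m in WORD_RE.finditer(post_body)]


def naive_filter_blocks(post_body: str) -> bool:
    """True if the keyword filter would reject this post body."""
    return bool(find_blocked_tokens(post_body))


def render_post(post_body: str) -> str:
    """Render user text for an HTML page by escaping it.

    Output escaping is what stops a post from becoming markup or script;
    it does not depend on which words the post happens to contain.
    """
    return html.escape(post_body, quote=True)


def rendered_is_inert(rendered: str) -> bool:
    """True if the rendered string can no longer open a tag or end an attribute."""
    return not any(ch in rendered for ch in "<>\"'")


# Constructed sample posts: ordinary forum text a keyword filter would reject
SAMPLE_POSTS = [
    "Run uname to print the kernel version and paste it here.",
    "The JS substring method is zero-based, unlike SQL's SUBSTRING.",
    "My laptop fan is loud after the BIOS update.",
]

if __name__ == "__main__":
    for body in SAMPLE_POSTS:
        print(f"blocked={naive_filter_blocks(body)!s:5} tokens={find_blocked_tokens(body)}")
        print("  rendered:", render_post(body))
```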