@bungeshea – Your post inspired me to do further testing and, at least in my case (error 403 while saving the snippet) I can see exactly what code is causing the issue. As to why, I’ll look to you for that answerd and whether it’s related to what you’re saying above.
If I create a completely empty snippet, it saves without error.
If I create a snippet with one simple line, e.g., “$x = 1;”, it saves w/o error.
If, however, I put “$_POST” anywhere in the snippet, such as a one-liner of “$_POST;”, I get the 403 error when saving. Same happens with $_GET and it happens even if I comment out the line, e.g., “//$_POST;”
@elenaocone @retunes @gevcen – I’m curious if you see the same behavior.
In addition to the testing in the previous post, I confirmed that creating a simple snippet with just “$_POST;” in it, fails on all my websites, including the ones where I thought I didn’t have the problem previously. As it turns out, it was because I wasn’t using $_POST in the snippet.
Ok my Hosting Provider solved this Problem by whitelisting the mod_sec rule. Thanks for the Note @elenaocone @bungeshea
Thread Starter
gevcen
(@gevcen)
So guys, what’s the conclusion?
How to solve the problem???
@gevcen
Ask your Hosting Provider to Whitelist the mod_sec rule and maybe show them this Post.
I’m hoping that @bungeshea will update this after reading my posts #16 & #17. The issue that I’m seeing, while whitelist mod_sec masks the problem, it still seems to me that there is a CodeSnippets-specific issue happening.
@elenaocone @retunes @gevcen – I’m still curious if you see the same behavior in that there’s certain code that causes the error.
@rolevine unfortunately, I don’t think there is a lot I am able to do. Being able to write and submit code containing PHP tags and $_POST variables is expected behaviour when using the Code Snippets plugin. There are a lot of situations where it indicates a security hole, and that is what modsecurity is blocking, but in this case it should be considered a false positive.
The best way to solve this may be to turn off the SecFilterScanPOST rule for the wp-admin/admin.php page.
@bungeshea – Thanks for the follow-up. The last point I want to clarify is that up until a few months/weeks ago, there was no issue with saving scripts with $_POST in them. So at some point, and I wish I could help identify that point, the issue started to happen where it previously didn’t.
Thread Starter
gevcen
(@gevcen)
Dear all,
I have just tried again, and surprizingly now I’m not facing the issue anymore…
That’s realy strange to me because I did nt apply the suggestion about the modsec.
So for me the point is resolved. Anyone else still facing the issue?
Kr
@gevcen – on any one of my sites I can disable mod_sec, save a snippet successfully, then reenable mod_sec and fail with a 403 (not 404) every time. Though, as I’ve stated before, it’s because I have $_POST in my snippet.
Hi there!
I’ve just faced the same issue: I can’t save a snippet, the error 404 appears. One month ago everything worked just fine. Is it possible to do anything about it?
@zebra999 have you checked your server settings to see whether a security module is enabled?
@bungeshea unfortunately I don´t have an access to Admin Panel to view server settings, but via Duplicator plugin I can see that “Safe Mode: Off” (PHP section). Does it mean that security module is disabled?
