What causes mod_security "406 Not Acceptable" when posting data?

Time: 2019-06-26 18:58:42

Tags: php apache post mod-security http-status-code-406

I have an article on my website with the following content (markdown):

# PHP Proper Class Name
Class names in PHP are case insensitive. If you have a class declaration like:
```php
class MyWeirdClass {}
```
you can instantiate it with `new myWEIRDclaSS()` or any other variation on the case. In some instances you may want to know what the correct, case-sensitive class name is. 

### Example Use case
For example, in one of my libraries under construction [API Doccer](https://github.com/ReedOverflow/PHP-API-Doccer), I can view documentation for a class at url `/doc/class/My-Namespace-Clazzy/` and if you enter the wrong case, like `/doc/class/my-NAMESPACE-CLAzzy`, it should automatically redirect to the proper-cased class. To do this, I use the reflection method below as it is FAR more performant than the `get_declared_classes` method


## Reflection - get proper case
Credit goes to [l00k on StackOverflow](https://stackoverflow.com/a/35222911/802469)
```php
$className = 'My\caseINAccuRATE\CLassNamE';
$reflection = new ReflectionClass($className);
echo $reflection->getName();
```
results in `My\CaseInaccurate\ClassName`;  
Running the benchmark (see below) on localhost on my laptop, getting the proper case class name of 500 classes took about 0.015 seconds, as opposed to ~0.050 seconds using the `get_declared_classes` method below.

## get_declared_classes - get proper case
This was my idea, as I hadn't even considered using reflection, until I saw [l00k's answer on StackOverflow](https://stackoverflow.com/a/35222911/802469). Guessing it would be less efficient, I wrote the code and figured it out anyway, because it's fun!
```php
$wrongCaseName = 'Some\classy\THIng';
class_exists($wrongCaseName); //so it gets autoloaded if not already done
$classes = get_declared_classes();
$map = array_combine(array_map('strtolower',$classes),$classes);
$proper = $map[strtolower($wrongCaseName)];
```
results in `$proper = 'Some\Classy\Thing'`;  
Running the benchmark (see below) on localhost on my laptop, getting the proper case class name of 500 classes took about 0.050 seconds, as opposed to ~0.015 seconds with reflection (above).


## Benchmark:
I used the following code to do the benchmark, removing the `classes` directory between each run of the benchmark. It's not perfect. At all. But it gets the job done well enough, I think:
```php
<?php

$times = [];
$times['begin'] = microtime(TRUE);

// Autoloader: fixture files are written with lowercase names, so a lookup
// with any casing finds the same file. The class declaration inside the
// file keeps its original mixed case, which is what the benchmark recovers.
spl_autoload_register(function($className){
    if (file_exists($name=__DIR__.'/classes/'.strtolower($className).'.php')){
        include($name);
    }
});
// Fixtures are generated once per run; delete the directory between runs.
if (is_dir(__DIR__.'/classes'))return;

mkdir(__DIR__.'/classes');

function generateRandomString($length = 10) {
    $characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $charactersLength = strlen($characters);
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= $characters[rand(0, $charactersLength - 1)];
    }
    return $randomString;
}

$times['start_file_write'] = microtime(TRUE);
$names = [];
for ($i=0;$i<500;$i++){
    $className = generateRandomString(10);
    $file = __DIR__.'/classes/'.strtolower($className).'.php';
    if (file_exists($file)){
        // Case-insensitive collision with an earlier name: redo this index.
        $i = $i-1;
        continue;
    }
    $code = "<?php \n\n".'class '.$className.' {}'."\n\n ?>";
    file_put_contents($file,$code);
    $names[] = strtoupper($className); // deliberately wrong case for the lookups
}

$times['begin_get_declared_classes_benchmark'] = microtime(TRUE);
$propers = [];

// foreach($names as $index => $name){
//     $wrongCaseName = strtoupper($name);
//     class_exists($wrongCaseName); //so it gets autoloaded if not already done
//     $classes = get_declared_classes();
//     $map = array_combine(array_map('strtolower',$classes),$classes);
//     $proper = $map[strtolower($wrongCaseName)];
//     if ($index%20===0){
//         $times['intermediate_bench_'.$index] = microtime(TRUE);
//     }
//     $propers[] = $proper;
// }

// the above commented lines are the get_declared_classes() method. 
// the foreach below is for reflection.

foreach ($names as $index => $name){
    $className = strtoupper($name);
    $reflection = new ReflectionClass($className); // triggers the autoloader
    if ($index%20===0){
        $times['intermediate_bench_'.$index] = microtime(TRUE);
    }
    $propers[] = $reflection->getName(); 
}

// Key name kept as-is; it marks the end of whichever method was uncommented.
$times['end_get_declared_classes_benchmark'] = microtime(TRUE);

$start = $times['begin'];
$bench = $times['begin_get_declared_classes_benchmark'];

$lastTime = $start; // was 0, which made the first "Time since last" a raw epoch timestamp
foreach($times as $key => $time){
    echo "\nTime since begin:".($time-$start);
    echo "\nTime since last: ".($time-$lastTime)."   key was {$key}";
    echo "\nTime since bench start: ".($time - $bench);
    $lastTime = $time;
}

print_r($times);
print_r($propers);
exit;
```

### Results
```
// get_declared_classes method
//Time since bench start: 0.052499055862427 is total time for processing get_declared_classes w/ $i=500
//Time since bench start: 0.047168016433716
// last bench time Time since begin:0.062150955200195
// 100 intermediate bench: Time since bench start: 0.0063230991363525
// 200                   : Time since bench start: 0.015070915222168
// 300 intermediate bench: Time since bench start: 0.02455997467041
// 400 intermediate bench: Time since bench start: 0.033944129943848
// 480                   : Time since bench start: 0.044310092926025


//reflection method:
//Time since bench start: 0.01493501663208
//Time since bench start: 0.017416954040527
// 100 intermediate:  Time since bench start: 0.0035450458526611
// 200 intermediate:  Time since bench start: 0.0066778659820557
// 300 intermediate:  Time since bench start: 0.010055065155029
// 400 intermediate:  Time since bench start: 0.014182090759277
// 480 intermediate:  Time since bench start: 0.01679801940918
```

#### Results' notes
- "Time since bench start" is the entire time it took to run all the iterations. I share this twice above.  
- "100 Intermediate" (200, 300, etc) are actually the results at 120, 220, etc... I messed up in copy+pasting results & didn't want to do it again. Yes. I'm lazy :)
- The results would of course vary between runs of the code, but it's pretty clear that the reflection option is significantly faster.
- All was run on a localhost server on an Acer laptop.
- PHP Version 7.2.19-0ubuntu0.19.04.1 (from `php info()`)

As shown above, I am able to submit the article and everything works as expected: it is saved to the database and all. On the last line, if I change `php info()` to `phpinfo()` (removing the space), I get this error:

Not Acceptable!

An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.


When I try to submit with `phpinfo()` (no space), my PHP does not execute at all, and I only get this error. The network tab in Firefox shows the status code as "406 Not Acceptable". Nothing is written to the error log at `$_SERVER['DOCUMENT_ROOT'].'/error_log'`, which is where all PHP errors are logged. In my home folder there is a `logs` folder, but it stays empty. Nothing is logged under `/etc/` or `/etc/my_website_name.com` either.

What could cause this? Can I change something in php.ini? Would .htaccess affect it at all?

At the very least, how do I work around this?

Troubleshooting

  • I can submit an article whose body contains only `- PHP Version 7.2.19-0ubuntu0.19.04.1 (from phpinfo())`.
  • If I remove `phpinfo()` and add more content to the post body (so more data is being submitted), it works.
  • Putting in a space (e.g. `php info()`) makes it work, and that is how the post currently exists.
  • I have no idea what to do.

I am using Simple MDE now, but this happened several other times before I started using Simple MDE. Only with relatively large posts that also contain code.

I am using HTTPS:// and PHP 7.2.19 on HostGator shared hosting.
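An added example, not part of the original question: a small Python probe for confirming that a WAF in front of the site is what rejects the body, and for narrowing the rejected body down to the shortest substring that still triggers the block (the evidence worth having before asking a host to whitelist anything). `http_is_blocked` posts a form field to an assumed endpoint and treats an HTTP 406 as "blocked"; the URL, the field name `body` and the 406 status are assumptions to adjust for your own site, and it should only be pointed at a site you are allowed to test. `regex_blocker` is a constructed stand-in for a mod_security PHP-injection signature so the minimizer can run offline; it is not the real rule set.

```python
"""Narrow a WAF-rejected POST body down to the substring that triggers the block.

Added example (not from the original post). `is_blocked` is any predicate
that says whether a body text is rejected: one implementation talks HTTP to
the real site, the other is a constructed stand-in for offline runs.
"""
import re
import urllib.error
import urllib.parse
import urllib.request


def http_is_blocked(url, field="body", blocked_status=406, timeout=10):
    """Build a predicate that POSTs `text` as form field `field` to `url`
    (assumed endpoint and field name) and reports True when the server
    answers with `blocked_status` (406, as in the question)."""
    def probe(text):
        data = urllib.parse.urlencode({field: text}).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status == blocked_status
        except urllib.error.HTTPError as err:
            # urlopen raises for 4xx/5xx; the status code is on the exception.
            return err.code == blocked_status
    return probe


def regex_blocker(pattern):
    """Constructed stand-in for a signature rule: the body counts as blocked
    when `pattern` matches anywhere in it. Not a real mod_security rule."""
    compiled = re.compile(pattern)
    return lambda text: compiled.search(text) is not None


def blocked_span(text, is_blocked):
    """Return (lo, hi) such that text[lo:hi] is the shortest substring that
    `is_blocked` still rejects, or None if the whole text is accepted.

    Assumes the block is caused by a contiguous token (any substring that
    contains it is rejected), which is how signature rules behave. Each end
    is trimmed with halving steps, so one trigger in an n-byte body costs
    O(log n) probes per side instead of O(n)."""
    if not is_blocked(text):
        return None
    lo, hi = 0, len(text)          # invariant: text[lo:hi] is blocked

    # Move the start to the right as far as the block survives.
    step = (hi - lo) // 2
    while step >= 1:
        while lo + step < hi and is_blocked(text[lo + step:hi]):
            lo += step
        step //= 2

    # Move the end to the left as far as the block survives.
    step = (hi - lo) // 2
    while step >= 1:
        while hi - step > lo and is_blocked(text[lo:hi - step]):
            hi -= step
        step //= 2
    return lo, hi


def minimize_blocked(text, is_blocked):
    """The offending token itself, or None when the text is accepted."""
    span = blocked_span(text, is_blocked)
    return None if span is None else text[span[0]:span[1]]


def explain_block(body, is_blocked):
    """Describe the finding the way you would report it to the host."""
    span = blocked_span(body, is_blocked)
    if span is None:
        return "body accepted"
    lo, hi = span
    return "blocked by %r at offset %d" % (body[lo:hi], lo)


if __name__ == "__main__":
    # Offline demo with the constructed stand-in rule, using the line from
    # the question that failed once the space was removed.
    waf = regex_blocker(r"phpinfo\s*\(")
    print(explain_block("- PHP Version 7.2.19 (from `phpinfo()`)", waf))
    print(explain_block("- PHP Version 7.2.19 (from `php info()`)", waf))
    # Against the real site (assumed URL and field name), e.g.:
    # print(explain_block(open("post.md").read(),
    #                     http_is_blocked("https://example.com/articles/save")))
```

Against the real endpoint the minimizer returns the token the rule keyed on, which is what a support ticket needs. The stand-in also shows the behaviour the asker observed: a body of any size passes as long as the token is absent, and `php info()` passes because the pattern wants the function name directly before the parenthesis, so the block is about a signature, not about request size.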

1 answer:

Answer 0 (score: 0)

I contacted HostGator. They added something to a whitelist, but did not give me the details. It fixed the problem.

The first agent took a while, failed to fix the problem, and disconnected prematurely.

The second agent was reasonably prompt and resolved the issue, saying that I should not run into this problem with similar kinds of POST requests that contain code.
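An added example, not HostGator's actual change (the answer says they did not share it): what a scoped mod_security exclusion looks like next to the blunt alternative. A 406 like the one in the question is mod_security denying the request with whatever status its `SecDefaultAction`/`deny` action is configured with, and the hit is recorded in Apache's error log and the mod_security audit log (`SecAuditLog`), not in PHP's `error_log`, which is why the asker's PHP log stayed empty. The endpoint path `/articles/save`, the form field `ARGS:body`, the exclusion rule id `10001` and the excluded rule id `933150` are assumptions for this example; `933150` is the OWASP CRS "PHP Injection Attack: High-Risk PHP Function Name Found" rule and is used only as a plausible candidate, and the real id must be read from the audit-log entry for the blocked request, since shared hosts often run their own rule sets.

```apache
# Blunt fix: switch the engine off for the whole vhost. Every other endpoint
# loses the protection too. Shown only as the thing NOT to do.
# SecRuleEngine Off

# Scoped fix: keep the engine on and, only for the article-save endpoint,
# stop the PHP-injection rule from inspecting the one form field that is
# expected to carry code. phase:1 makes it take effect before the phase-2
# request-body rules run. id 10001, the path, the field name and 933150 are
# placeholders for this example; take the real rule id from the audit log.
SecRule REQUEST_URI "@beginsWith /articles/save" \
    "id:10001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=933150;ARGS:body"

# Equivalent static form, if you prefer tying it to the location:
# <LocationMatch "^/articles/save$">
#     SecRuleRemoveTargetById 933150 "ARGS:body"
# </LocationMatch>
```

The exclusion only removes the one argument from the one rule; the rest of the request (headers, other fields, the URL) is still inspected, and the same field is still checked by every other rule. If more than one rule fires on article bodies, add a `ctl:ruleRemoveTargetById` entry per rule id rather than widening the exclusion to the whole request.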