Four Characters That Break WordPress

I was trying to write a post about some code for generating HMAC signatures without PEAR or PHP5 and I discovered that I was unable to post anything that contained these three characters (without the space):

chr (

When I clicked "Save and Continue Editing", I received a 404 error. It took me a good 30-40 minutes of blaming the iG:Syntax Hiliter plugin before I discovered it was actually WordPress. It breaks even if those three letters are enclosed in pre or code tags and I also confirmed this problem occurs when posting a comment.

I'm using WordPress 2.33 so I upgraded one of my other blogs to WordPress 2.5 just to see if this problem was gone (and to maintain my sanity) and was glad to see that it had been fixed*. The new WP looks very spiffy, except for the missing "Save and Continue Editing" button and the annoying lack of a preview feature (the Preview Frame plugin fixes this and I was glad to see it supports the latest WP).

I don't like fixing what isn't broken, so I've been holding off upgrading this blog to the latest WordPress. Besides, I'm pretty sure my customized theme will break with the new version and I simply don't have the time to be fussing around with my theme. If I'm going to fuss around with it, I'd rather change it altogether. This site is due for a new look anyway.

*UPDATE: I don't know if I'm losing my mind or what, but after upgrading this blog to WP 2.5 I'm having the same exact problem with creating a post containing those four characters!

UPDATE UPDATE: I did some Googling and discovered that the Apache mod_security might be doing something because apparently the chr () function is commonly used in exploits. This blog post explains 10 ways to secure WordPress and if you search for chr you'll see that it's part of the SecFilterSelective THE_REQUEST line.

CONFIRMED: I tried disabling mod_security for my entire account by adding SecFilterEngine Off to a .htaccess file in my root web path. I was then able to post those four characters without any problem. After creating a post containing chr(), I removed the .htaccess file to enable mod_security and as expected the post still displayed fine.

So, since this is only a problem when submitting a post, and since permanently disabling mod_security isn’t a great idea, I’ll just temporarily disable it in those rare situations when I need to create a post containing chr().
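
A narrower form of the workaround above, as an added example that is not from the original post: rather than switching mod_security off for the whole account, the exemption is limited to the one script that saves posts. It assumes the host honours ModSecurity 1.x directives in .htaccess inside a `<Files>` block (the account-wide test above shows they are honoured at the top level) and that the post editor submits to wp-admin/post.php.

```apache
# BEFORE: .htaccess in the web root, as used for the test in this post.
# Filtering is off for every request to every script in the account
# for as long as the file exists.
#
#   SecFilterEngine Off

# AFTER (added example): wp-admin/.htaccess
# Placing the file in wp-admin/ keeps the exemption out of the public
# part of the site. The <Files> block narrows it further to post.php,
# the script assumed here to receive the editor's form submission.
# Comment submissions, the login form and all front-end requests stay
# behind the host's mod_security rules.
<Files "post.php">
    SecFilterEngine Off
</Files>
```

Requests to wp-admin/post.php still require a logged-in WordPress session, so the unfiltered path is only reachable by authenticated users of the blog.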
