Search code examples
ruby-on-railsrubyruby-on-rails-3apachemod-security

the words "select from" in my rails app crashes it

Okay, this has been absolutely infuriating to debug, I have finally figured out what it is. I have no idea HOW or WHY, though...

To make matters worse, it doesn't affect my development environment, so I cant test it.. it only happens in production (apache/phusion passenger).

Furthermore, it, for whatever reason, isn't generating a 500 error so I can read the logs... it's giving this error, which isn't helpful. The first thing that catches my eye is its looking for "500.shtml" which isn't the rails standard I don't believe for a 500 page (isn't that just 500.html?). Its like this is being generated by apache or something.

Started GET "/500.shtml" for **ip-address-here** at 2012-07-31 20:22:39 -0400

ActionController::RoutingError (No route matches [GET] "/500.shtml"):
  actionpack (3.2.7) lib/action_dispatch/middleware/debug_exceptions.rb:21:in `call'
  actionpack (3.2.7) lib/action_dispatch/middleware/show_exceptions.rb:56:in `call'
  railties (3.2.7) lib/rails/rack/logger.rb:26:in `call_app'
  railties (3.2.7) lib/rails/rack/logger.rb:16:in `call'
  actionpack (3.2.7) lib/action_dispatch/middleware/request_id.rb:22:in `call' 
  ... continued ...

If I have any description that matches "select from" it forwards my app to a 404 page (not the missing 500.shtml above)

Do you think this could have to do with some apache module on my server? That's the only thing I can think of

Even if the word isn't "select from" exactly, it still does it. It could be "take your selection happily from the group of snacks" and it still triggers it.

I have root access so I can talk to my host, but I would like to get some more ideas as to what could cause this as they don't provide rails support

Solution

  • Take a look at this link: http://drupal.org/node/110219

    Your web host may have insanely strict rules configured for mod_security.

    You could try turning off mod_security by adding the following to .htaccess for troubleshooting purposes (make sure this is causing it):

     # Turn off mod_security filtering.
 <IfModule mod_security.c>
   SecFilterEngine Off
 </IfModule>

    A safer option (assuming this is a POST):

    # To disable POST filtering:
 <IfModule mod_security.c>
   SecFilterScanPOST Off
 </IfModule>

    http://www.modsecurity.org/documentation/quick-examples.html