SOLUTION: Error: “http://localhost:3000/style.css” was blocked due to MIME type (“text/html”) using Express - express

I'm learning Express and I had a problem with the stylesheet. The console was printing an error related to X-Content-Type-Options: nosniff. After a long search through MDN, I came to an efficient (simple and useful) solution 🤩 here on Stack Overflow given by Zahid.
You would need to explicitly tell your express app to consider the folder as static to retain the mime type of the file.
Something like:
app.use(express.static("./"));
I hope it helps everyone who is starting out in this world, like me. ✌🏻
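An added example, not from the original post or the quoted answer, written in plain Node without Express: it models the per-request decision a static file handler makes, showing the HTML 404 that a browser refuses as a stylesheet under nosniff, and that a static root of "./" also serves the server's own source while a dedicated public folder does not. The resolveStatic function, the type table, the dotfile refusal and the sample project are all constructed for illustration.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Hypothetical, minimal extension-to-type table for this example.
const TYPES = { ".css": "text/css", ".js": "text/javascript", ".html": "text/html" };

// Map a URL path to a file under `root`; everything else gets an HTML error page.
function resolveStatic(root, urlPath) {
  let decoded;
  try { decoded = decodeURIComponent(urlPath); } catch { return { status: 400, type: "text/html" }; }
  const base = path.resolve(root);
  // Normalising against "/" collapses any ".." before joining with the root.
  const file = path.join(base, path.posix.normalize("/" + decoded));
  // This example also refuses dotfiles and dot-directories under the root.
  const refused = path.relative(base, file).split(path.sep).some((p) => p.startsWith("."));
  if (refused || !fs.existsSync(file) || !fs.statSync(file).isFile()) {
    // An HTML error page: under nosniff the browser will not use it as CSS.
    return { status: 404, type: "text/html" };
  }
  return { status: 200, type: TYPES[path.extname(file)] || "application/octet-stream" };
}

// Constructed sample project: server source beside a public/ folder.
function makeSampleProject() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "static-demo-"));
  fs.mkdirSync(path.join(dir, "public"));
  fs.writeFileSync(path.join(dir, "public", "style.css"), "body { margin: 0 }");
  fs.writeFileSync(path.join(dir, "app.js"), "// server source");
  return dir;
}

function demo() {
  const project = makeSampleProject();
  const pub = path.join(project, "public");
  const result = {
    missingCss: resolveStatic(pub, "/styles.css"), // wrong name in the link tag
    css: resolveStatic(pub, "/style.css"),
    sourceViaProjectRoot: resolveStatic(project, "/app.js"), // root "./" exposes it
    sourceViaPublic: resolveStatic(pub, "/app.js"),
    traversal: resolveStatic(pub, "/%2e%2e/app.js"),
  };
  fs.rmSync(project, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

With Express itself, the same separation comes from pointing express.static at a folder that holds only public assets rather than at the project root.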

Related

"+having+" in $GET/$POST causes server to return 403 Forbidden

One of my clients has a PHP script that kept crashing inexplicably. After hours of research, I determined if you send any PHP script a variable (either through GET or POST) that contains " having t", or escaped for the URL "+having+t", it crashes the script and returns a "403 forbidden error". To test it, I made a sample script with the entire contents:
<?php echo "works";
I put it live (temporarily) here: http://primecarerefer.com/test/test.php
Now if you try sending it some data like: http://primecarerefer.com/test/test.php?x=+having+x
It fails. The last letter can be any letter and it will still crash, but changing any other letter makes the script load fine. What would cause this and how can it be fixed? The link is live for now if anyone wants to try out different combinations.
PS - I found that if I get the 403 error a bunch of times in a row, the server blocks me for 15 minutes.
I had this type of issue on a web server that ran Apache mod_security, but it was very poorly configured. Actually, mod_security has very bad default regex rules, which are very easy to trip with valid POST or GET data.
To be clear, this has nothing to do with PHP or HTML; it's about POST and GET data passing through mod_security, almost certainly, and mod_security rejecting the request because it believes it is an SQL injection attempt.
You can edit the rules yourself depending on the server access, but I don't believe you can do anything, well, if it's mod_security, I know you can't do anything via PHP to get around this.
/etc/httpd/conf.d/mod_security.conf (old path, it's changed, but it gives the idea)
Examples of the default rules:
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
These are samples of the rules
https://www.howtoforge.com/apache_mod_security
here they trip the filter:
http://primecarerefer.com/test/test.php?x=%20%22%20%20select%20from%22
Note that the article is very old and the rules are actually structured quite differently now, but the bad regex remains, i.e. select[any number of characters, no matter how far removed, or close]from will trip it; any SQL that matches these loose rules will trip it.
But since editing those default files requires access to them, and also assumes they won't be altered in an upgrade of Apache mod_security at some point, it's not a good way to fix the problem, I found. Moving to a better, more professionally set up hoster fixed those issues for us. But it does help if you talk to the hosting support to know what the cause of the issue is.
In fact, 'having' is not irrelevant at all; it's part of the SQL injection filters in the regex rules in the security filters run on POST/GET. We used to hit this all the time when admins would edit CMS pages, which would invariably trigger some SQL filter, since any string of human words would invariably contain something like 'select.*from' or 'insert.*into' etc.
This mod_security issue used to drive me bonkers trying to debug why backend edit form updates would just hang, until I finally realized it was badly done generic regex patterns in the mod_security file itself.
In a sense, this isn't an answer, because the only fix is going into the server and either editing the rules file, which is pretty easy, or disabling mod_security, or moving to a web hoster that doesn't use those bad generic defaults.
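An added example (not from the thread): the three SecFilter patterns quoted above, run over constructed, harmless form text to show which rule a submission trips, which is the detail worth handing to hosting support. Writing [[:space:]] as \s and matching case-insensitively are assumptions of this example; the sample submissions are constructed.

```javascript
// The three SecFilter patterns quoted in the answer. Assumptions of this
// example: POSIX [[:space:]] is written \s and matching ignores case.
const RULES = [
  { id: "delete-from", re: /delete\s+from/i },
  { id: "insert-into", re: /insert\s+into/i },
  { id: "select-from", re: /select.+from/i },
];

// Decode the query string as a form parser does ("+" and %20 become spaces)
// and report every parameter value that a rule matches.
function inspect(queryString) {
  const hits = [];
  for (const [param, value] of new URLSearchParams(queryString)) {
    for (const { id, re } of RULES) {
      const m = re.exec(value);
      if (m) hits.push({ param, rule: id, matched: m[0] });
    }
  }
  return hits;
}

// Constructed, benign form submissions such as a CMS editor might send.
const SAMPLES = [
  "body=Please+select+your+plan+from+the+menu",
  "body=Selective+reading+from+home",
  "note=Insert+into+the+slot%2C+then+delete+from+the+queue",
  "q=selected+items",
];

// One entry per sample: the rules that would have rejected it.
function report() {
  return SAMPLES.map((qs) => ({ qs, rules: inspect(qs).map((h) => h.rule) }));
}

console.log(report());
```

The second sample matches because the pattern has no word boundaries: "Selective ... from" satisfies select.+from even though no SQL keyword is present as a word.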

Rails 3 web font (woff) mime type

We serve some web fonts (.woff) from our static assets and I would like to set the correct mime type (application/x-font-woff). I tried to do this in config/initializers/mime_types.rb but it had no effect:
Mime::Type.register "application/x-font-woff", :woff
The returned mime type still stayed application/octet-stream. I even tried to add this line (because it was the only other place in the rails source where I could find the string "woff"):
Rack::Mime::MIME_TYPES[".woff"] = "application/x-font-woff"
But it still didn't help. How do I properly set the mime type for web fonts?
Until Rack fixes its MIME-type list to a correct woff, the interim hack is indeed your config/initializers/mime_types.rb line:
# tell Rack (and Sprockets) about modern font MIME types:
Rack::Mime::MIME_TYPES['.woff'] = 'application/x-font-woff'
To have it actually take effect, though, you have to wipe tmp/cache and restart your server.
While I also didn't figure out some hack solution to it, I researched this a few days ago (on my Rails 3.2 dev server running WEBrick, for reference), and it's Sprockets that sets the bad MIME type on the response, maybe by delegating the choice to Rack, which has a dumb notion of what MIME type to pass for fonts (as of this ravinggenious commit).
I filed a (detailed) ticket on Sprockets and a pull request on Rack, hoping it'd get fixed upstream where it makes the most sense instead, but neither has seen much action yet. I probably should have paid more attention to ttf and eof too, but it was late and I didn't think of it at the time.
(Commenting on either might raise awareness of the problem – one issue is no issue, a people pile is a problem worth fixing? :-)

WebAPI hangs indefinitely when receiving a POST with incorrect Content-Length in header

I have a project set up using ASP.NET WebAPI on top of Azure, and am having a problem whenever I try to make an HTTP Post where the content-length is too long in the header.
Normally I would've just ignored this problem, because you should be correctly setting the content-length on POST, but it turns out that when this happens, it causes the session to hang indefinitely, and then the Azure emulator crashes.
I have a custom JSON Formatter which extends MediaTypeFormatter, and I set a breakpoint on the first line of my implementation of OnReadFromStreamAsync(). However, the breakpoint is never hit because the hangup happens before ever hitting the JSON Deserializer.
I really have no idea where this hanging is occurring from because I receive no exception, just an indefinite hang and occasional Azure emulator crash.
Thank you in advance for any help or insight you might provide!
This sounds like a bug. The good thing is that you can get updated developer bits from CodePlex.
There is a chance what you're experiencing is related to one of these:
WebAPI: Stream uploading under webhost is not working
DevDiv 388456 -- WebHost should not use Transfer-Encoding chunked when content length is known.
Zero ContentLength without content type header in body is throwing
If the updated bits don't fix your problem I suggest you try the standard media formatters to rule in/out your formatter. Failing that, then submit an issue.

WCF message routing debugging error - Multiple headers

I'm trying to understand WCF message routing, so I'm trying to recreate a sample passthrough router that I found in order to understand the pieces. The problem is that when I run mine in the debugger, I get the exception:
Multiple headers with name 'VsDebuggerCausalityData' and namespace 'http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink' found.
I've read that this is because I'm debugging all the pieces at the same time, and that the debugger is adding this data on each hop? However, I can debug all the pieces in the original sample I'm working from with no errors, so I'm not sure I believe the explanation I've seen, or I don't understand something yet. Anyone have an explanation how I can debug mine without getting this exception?
Can you check if your machine config has element. You might need to comment this out. (Before any changes to machine config do back it up)

Proper way to check system requirements for a WordPress plugin

I am curious about the proper way to stop a user from activating my plugin if their system does not meet certain requirements. Doing the checks is easy and I don't need any help with that, I am more curious how to tell WordPress to exit and display an error message.
Currently I have tried both exit($error_message) and die($error_message) in the activation hook method. While my message is displayed and the plugin is not activated, a message saying Fatal Error is also displayed (see image below).
Does anyone know of a better way that would display my message in a proper error box without displaying Fatal error? It just looks really bad for new users to see that.
Thanks for any help in advance.
This is a little undocumented, as you might have noticed. Instead of die(), do it like this:
$plugin = dirname(__FILE__) . '/functions.php';
deactivate_plugins($plugin);
wp_die('<p>The <strong>X</strong> plugin requires version WordPress 2.8 or greater.</p>','Plugin Activation Error',array('response'=>200,'back_link'=>TRUE));
The lines above wp_die() are to deactivate this plugin. Note that we use functions.php in this case because that's where I have my Plugin Name meta data comment declaration -- and if you use a different file, then change the code above. Note that the path is very specific for a match. So, if you want to see what your path would normally be, use print_r(get_option('active_plugins'));die(); to dump that out so that you know what path you need. Since I had a plugin_code.php where the rest of my plugin code was, and since it was in the same directory as functions.php, I merely had to do dirname(__FILE__) for the proper path.
Note that the end of the wp_die() statement is important because it provides a backlink and prevents an error 500 (which is the default Apache code for wp_die()).
It is only an idea though. Try checking the WordPress version and compare, then use PHP to throw a custom exception/error. PHP 5.0 try/catch can be a good way to do it. Here are some resources.
http://www.w3schools.com/php/php_exception.asp
http://php.net/manual/en/internals2.opcodes.throw.php
You can try the first link. It is pretty basic. Thanks! hope the information will be helpful.