W3TC Minify problem
Tagged: W3TC Minify
- This topic has 26 replies, 4 voices, and was last updated 10 years, 5 months ago by AITpro Admin.
Arpan Das (Participant)
I was not notified. Thanks…
Arpan Das (Participant)
My WordPress installation is in public_html/w3epic.com. I tried both with "...REQUEST_URI} ^/w3epic.com/wp-content/c..." and without. Still getting error logs…
AITpro Admin (Keymaster)
Then try these things below. This may or may not work due to the fact that minifying causes a lot of very undesirable results. Your scripts are combined and cached in a way that the original source of the actual scripts becomes unknown to other plugins, site, themes, etc. unless you create additional custom code to handle this undesirable issue/problem.
Try creating a skip/bypass rule for the w3tc plugin folder.
# W3TC Minify skip/bypass rule
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/w3-total-cache/ [NC]
RewriteRule . - [S=13]
Try whitelisting the w3tc minify.php file in the TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS code
RewriteCond %{REQUEST_URI} (minify\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
Try whitelisting all .js scripts in the TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS code
RewriteCond %{REQUEST_URI} (.*\.js|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
Try creating a bypass RewriteRule for W3TC Minify
# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# W3TC minify bypass
RewriteRule ^minify/ - [L]
Exclude certain js scripts or all js scripts from being minified in the W3TC plugin settings.
Do not use W3TC Minify for js scripts
Arpan Das (Participant)
I disabled JS minification in W3TC. Above code worked – errors gone.
Thank you AITpro Admin.
niall.campbell (Participant)
Sorry to chime in late on this but I think the issue has nothing to do with what has been previously mentioned in this topic. W3TC’s cache minify folder contains its own .htaccess file to rewrite requests like
/cache/minify/000000/c28f0/default.include.4ddac4.css
to
../../plugins/w3-total-cache/pub/minify.php?file=000000/c28f0/default.include.4ddac4.css
The relative url conflicts with the following rule in BPS’s root htaccess folder. A temporary workaround for this would be to change all the relative urls in W3TC’s htaccess files to absolute urls.
RedirectMatch 403 /\..*$
AITpro Admin (Keymaster)
This rule says to block access to files or folders that start with a dot.
RedirectMatch 403 /\..*$
Examples of what this rule blocks:
.htaccess – file
.htpasswd – file
.error-logs – folder
.example-folder – folder
This security filter protects against Directory Traversal attacks and could be the cause of the block if the relative URLs are seen as a Directory Traversal attack.
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
Also just an FYI – the Path/Directory Traversal security filter above is pending additional URL encoding filters added to it.
https://www.owasp.org/index.php/Testing_for_Path_Traversal
URL encoding and double URL encoding
%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../
%2e%2e%5c represents ..\
%2e%2e\ represents ..\
..%5c represents ..\
%252e%252e%255c represents ..\
..%255c represents ..\
and so on.
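An added example, not part of the original post and not BPS code: it compares the literal `(\.\./|\.\.)` pattern from the post with a check that percent-decodes repeatedly before looking for `..`, using the encoded forms listed above. The function names and the five-round decode limit are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# The encoded forms listed in the post above.
ENCODED = [
    "%2e%2e%2f", "%2e%2e/", "..%2f", "%2e%2e%5c",
    "%2e%2e\\", "..%5c", "%252e%252e%255c", "..%255c",
]

# The pattern from the post, applied to the raw (undecoded) query string.
RAW_FILTER = re.compile(r"(\.\./|\.\.)")

def raw_filter_hits(query_string):
    """True if the literal pattern matches the undecoded query string."""
    return RAW_FILTER.search(query_string) is not None

def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing (handles double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(query_string):
    """True if '..' appears once every layer of percent-encoding is removed."""
    return ".." in fully_decode(query_string)

def caught_by_raw_filter():
    """The listed forms that the literal pattern already matches."""
    return [e for e in ENCODED if raw_filter_hits(e)]

if __name__ == "__main__":
    for form in ENCODED:
        print(f"{form:18} raw={raw_filter_hits(form)!s:5} decoded={has_traversal(form)}")
```
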
niall.campbell (Participant)
Thanks for the response AITpro.
This is getting a little out of my depth here. I’ve tested the removal of the filter for directory traversal and the 403 error is still present. Removing just the 403 redirection rule produces the 200 (logically), and replacing the relative urls with absolute urls works too.
Here’s the full rewrite code from the minify htaccess file
RewriteEngine On
RewriteBase /blog/wp-content/cache/minify/
RewriteRule /w3tc_rewrite_test$ ../../plugins/w3-total-cache/pub/minify.php?w3tc_rewrite_test=1 [L]
RewriteCond %{HTTP:Accept-Encoding} gzip
RewriteRule .* - [E=APPEND_EXT:.gzip]
RewriteCond %{REQUEST_FILENAME}%{ENV:APPEND_EXT} -f
RewriteRule (.*) $1%{ENV:APPEND_EXT} [L]
RewriteRule ^(.+/[X]+\.css)$ ../../plugins/w3-total-cache/pub/minify.php?test_file=$1 [L]
RewriteRule ^(.+\.(css|js))$ ../../plugins/w3-total-cache/pub/minify.php?file=$1 [L]
hope this helps
AITpro Admin (Keymaster)
Ok if it works then it works, but it does not make any sense to me why that would work. When I have some spare time I will figure out exactly what is going on. Thanks for the info.
niall.campbell (Participant)
Cool, thanks. Send me an email if you need any more info
AITpro Admin (Keymaster)
OMG Brainfart – of course
/\..* matches /../plugins/w3-total-cache/pub/minify.php?test_file=$1 [L]
\.[h] - will only match files starting with .h
\.[h]+[t] or \.h[t] - will match files starting with .ht
\.[hel]+[tro] - would match .htaccess, .htpasswd and folders named .errordocs and .logs
So this is probably the better method to use to allow folks to add additional folder or file names. This rule will be changed in the next BPS version release. And the Path / Directory Traversal rule / filter would NOT block the W3TC relative URL since it is not a Query String.
niall.campbell (Participant)
Awesome, thanks AITpro
AITpro Admin (Keymaster)
We decided that this rule should be very specific and did not use any of the code above because during testing we discovered that “ht” would also block htm and html. Now that would have been a serious disaster. LOL
# DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$
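An added example, not part of the thread and not BPS code: it runs the RedirectMatch patterns quoted in this topic against a few constructed URL-paths, including the W3TC minify target built from the thread's RewriteBase plus its relative substitution. It assumes RedirectMatch applies the regex to the URL-path as an unanchored search, which `re.search` mirrors; the rule labels and sample paths are made up for the illustration.

```python
import re

# Patterns quoted in the thread, keyed by labels invented for this example.
RULES = {
    "original":  r"/\..*$",
    "dot-h":     r"\.[h]",
    "dot-ht":    r"\.h[t]",
    "dot-class": r"\.[hel]+[tro]",
    "final":     r"\.(htaccess|htpasswd|errordocs|logs)$",
}

# Constructed sample URL-paths. MINIFY is RewriteBase joined with the
# relative substitution from W3TC's minify .htaccess shown in the thread.
MINIFY = "/blog/wp-content/cache/minify/../../plugins/w3-total-cache/pub/minify.php"
SAMPLES = [
    "/.htaccess", "/.htpasswd", "/.errordocs", "/.logs",
    MINIFY, "/index.html", "/about.htm", "/.logs/error.log",
]

def blocked(rule, path):
    """True if the named pattern matches the URL-path (a 403 under RedirectMatch)."""
    return re.search(RULES[rule], path) is not None

def report():
    """Map each rule label to the sample paths it blocks, in SAMPLES order."""
    return {name: [p for p in SAMPLES if blocked(name, p)] for name in RULES}

if __name__ == "__main__":
    hits = report()
    for name, pattern in RULES.items():
        print(f"{name:10} {pattern}")
        for path in SAMPLES:
            print(f"    {'403' if path in hits[name] else 'ok':4} {path}")
```

The output shows the original pattern blocking the minify path, the intermediate patterns blocking `/index.html` and `/about.htm`, and the final pattern blocking neither. The final pattern is anchored at the end of the path only, so the constructed path `/.logs/error.log` does not match it.
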