W3TC Minify problem


Viewing 12 posts - 16 through 27 (of 27 total)
  • #10317
    Arpan Das
    Participant

    I was not notified. Thanks…

    #10325
    Arpan Das
    Participant

    My WordPress installation is in public_html/w3epic.com. I tried both with "...REQUEST_URI} ^/w3epic.com/wp-content/c..." and without. Still getting error logs…

    #10327
    AITpro Admin
    Keymaster

    Then try these things below. This may or may not work due to the fact that minifying causes a lot of very undesirable results. Your scripts are combined and cached in a way that the original source of the actual scripts becomes unknown to other plugins, site, themes, etc. unless you create additional custom code to handle this undesirable issue/problem.

    Try creating a skip/bypass rule for the w3tc plugin folder.

    # W3TC Minify skip/bypass rule
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/w3-total-cache/ [NC]
    RewriteRule . - [S=13]

    Try whitelisting the w3tc minify.php file in the TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS code

    RewriteCond %{REQUEST_URI} (minify\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

    Try whitelisting all .js scripts in the TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS code

    RewriteCond %{REQUEST_URI} (.*\.js|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

    Try creating a bypass RewriteRule for W3TC Minify

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # W3TC minify bypass
    RewriteRule ^minify/ - [L]

    Exclude certain js scripts or all js scripts from being minified in the W3TC plugin settings.

    Do not use W3TC Minify for js scripts

    #10344
    Arpan Das
    Participant

    I disabled JS minification in W3TC. Above code worked – errors gone.

    Thank you AITpro Admin.

    #11037
    niall.campbell
    Participant

    Sorry to chime in late on this but I think the issue has nothing to do with what has been previously mentioned in this topic. W3TC’s cache minify folder contains its own .htaccess file to rewrite requests like

    /cache/minify/000000/c28f0/default.include.4ddac4.css
    to
    ../../plugins/w3-total-cache/pub/minify.php?file=000000/c28f0/default.include.4ddac4.css

    The relative url conflicts with the following rule in BPS’s root htaccess folder. A temporary workaround for this would be to change all the relative urls in W3TC’s htaccess files to absolute urls.
    RedirectMatch 403 /\..*$

    #11039
    AITpro Admin
    Keymaster

    This rule says to block access to files or folders that start with a dot.

    RedirectMatch 403 /\..*$

    Examples of what this rule blocks:
    .htaccess – file
    .htpasswd – file
    .error-logs – folder
    .example-folder – folder

    This security filter protects against Directory Traversal attacks and could be the cause of the block if the relative URLs are seen as a Directory Traversal attack.

    RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]

    Also just an FYI – the Path/Directory Traversal security filter above is pending additional URL encoding filters added to it.

    https://www.owasp.org/index.php/Testing_for_Path_Traversal

    URL encoding and double URL encoding

    %2e%2e%2f represents ../
    %2e%2e/ represents ../
    ..%2f represents ../
    %2e%2e%5c represents ..\
    %2e%2e\ represents ..\
    ..%5c represents ..\
    %252e%252e%255c represents ..\
    ..%255c represents ..\ and so on.
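
Added example (not from the thread and not BPS code): a check that percent-decodes a query string a bounded number of times before looking for a dot-dot segment, run over constructed query strings that use the encodings listed above. It assumes the quoted RewriteCond sees the query string still percent-encoded; `fully_decode`, `raw_hit`, `decoded_hit` and `missed_by_raw` are names made up for this sketch.

```python
import re
from urllib.parse import unquote

# The filter quoted in the post; assumed to see the still-encoded query string.
RAW_FILTER = re.compile(r"(\.\./|\.\.)")
# After decoding: a dot-dot segment followed by either path separator.
TRAVERSAL = re.compile(r"\.\.[/\\]")

# Constructed query strings built from the encodings listed in the post,
# plus one benign value of the kind W3TC passes to minify.php.
SAMPLES = [
    "file=../x",
    "file=%2e%2e%2fx",
    "file=%2e%2e/x",
    "file=..%2fx",
    "file=%2e%2e%5cx",
    "file=..%5cx",
    "file=%252e%252e%255cx",
    "file=..%255cx",
    "file=000000/c28f0/default.include.4ddac4.css",
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly until the value stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def raw_hit(query):
    """True if the quoted filter matches the query string as received."""
    return RAW_FILTER.search(query) is not None

def decoded_hit(query):
    """True if a dot-dot segment appears once all encoding layers are removed."""
    return TRAVERSAL.search(fully_decode(query)) is not None

def missed_by_raw():
    """Samples that decode to a traversal sequence but pass the raw filter."""
    return [q for q in SAMPLES if decoded_hit(q) and not raw_hit(q)]

if __name__ == "__main__":
    for q in SAMPLES:
        print(f"{q:48} raw={raw_hit(q)!s:5} decoded={decoded_hit(q)}")
```

The four samples in which both dots are percent-encoded pass the raw filter and are caught only after decoding; the W3TC-style file value is flagged by neither check.
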
    #11043
    niall.campbell
    Participant

    Thanks for the response AITpro.

    This is getting a little out of my depth here. I’ve tested the removal of the filter for directory traversal and the 403 error is still present. Removing just the 403 redirection rule produces the 200 (logically), and replacing the relative urls with absolute urls works too.

    Here’s the full rewrite code from the minify htaccess file

    RewriteEngine On
    RewriteBase /blog/wp-content/cache/minify/
    RewriteRule /w3tc_rewrite_test$ ../../plugins/w3-total-cache/pub/minify.php?w3tc_rewrite_test=1 [L]
    RewriteCond %{HTTP:Accept-Encoding} gzip
    RewriteRule .* - [E=APPEND_EXT:.gzip]
    RewriteCond %{REQUEST_FILENAME}%{ENV:APPEND_EXT} -f
    RewriteRule (.*) $1%{ENV:APPEND_EXT} [L]
    RewriteRule ^(.+/[X]+\.css)$ ../../plugins/w3-total-cache/pub/minify.php?test_file=$1 [L]
    RewriteRule ^(.+\.(css|js))$ ../../plugins/w3-total-cache/pub/minify.php?file=$1 [L]

    hope this helps

    #11044
    AITpro Admin
    Keymaster

    Ok if it works then it works, but it does not make any sense to me why that would work.  When I have some spare time I will figure out exactly what is going on.  Thanks for the info.

    #11045
    niall.campbell
    Participant

    Cool, thanks. Send me an email if you need any more info

    #11046
    AITpro Admin
    Keymaster

    OMG Brainfart – of course  /\..*  matches /../plugins/w3-total-cache/pub/minify.php?test_file=$1 [L]

    \.[h] - will only match files starting with .h
    \.[h]+[t] or \.h[t] - will match files starting with .ht
    \.[hel]+[tro] - would match .htaccess, .htpasswd and folders named .errordocs and .logs

    So this is probably the better method to use to allow folks to add additional folder or file names. This rule will be changed in the next BPS version release. And the Path / Directory Traversal rule / filter would NOT block the W3TC relative URL since it is not a Query String.

    #11190
    niall.campbell
    Participant

    Awesome, thanks AITpro

    #11191
    AITpro Admin
    Keymaster

    We decided that this rule should be very specific and did not use any of the code above because during testing we discovered that “ht” would also block htm and html.  Now that would have been a serious disaster.  LOL

    # DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
    RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$
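
Added example (not part of the thread, and not BPS or W3TC code): the three patterns quoted in the posts above, run against constructed URL-paths with Python's `re.search` standing in for the unanchored regex match that RedirectMatch performs. It assumes, as the thread concludes, that the rewritten minify path still contains its `../` segments when the rule is evaluated; the rule labels and helper names are made up for this sketch.

```python
import re

# Patterns quoted in the thread (RedirectMatch applies them to the URL-path).
RULES = {
    "original":  r"/\..*$",
    "candidate": r"\.[hel]+[tro]",
    "final":     r"\.(htaccess|htpasswd|errordocs|logs)$",
}

# Constructed sample URL-paths (not taken from any real log).
SAMPLES = [
    "/.htaccess",
    "/blog/.htpasswd",
    "/.logs",
    "/.logs/http_error_log.txt",
    "/index.html",
    # RewriteBase + relative substitution from the W3TC minify .htaccess
    "/blog/wp-content/cache/minify/../../plugins/w3-total-cache/pub/minify.php",
    # The same target written as an absolute URL-path (the workaround)
    "/blog/wp-content/plugins/w3-total-cache/pub/minify.php",
]

def blocked(rule, path):
    """True if the named rule's regex matches anywhere in the path (403)."""
    return re.search(RULES[rule], path) is not None

def matrix():
    """Map each sample path to the set of rules that would return 403."""
    return {p: {r for r in RULES if blocked(r, p)} for p in SAMPLES}

if __name__ == "__main__":
    for path, hits in matrix().items():
        print(f"{path:75} 403 by: {', '.join(sorted(hits)) or '-'}")
```

Only the original rule matches the relative minify path, the candidate also matches `/index.html`, and the final rule matches a path only when it ends in one of the four listed names.
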