requests missing accept header causing default mod_security config to block IP

[opamp77]

Hi,

Posts to xmlrpc.php are causing mod_security's default config to block IP's.
This appears to be a very old issue that was fixed in ios about 7 years ago.

Please see

https://android.forums.wordpress.org/topic/android-mobile-app-triggers-mod_security-when-in-use

and

https://ios.trac.wordpress.org/ticket/898

Expected behavior

User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-G900F Build/MMB29M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/67.0.3396.68 Mobile Safari/537.36 wp-android/10.0
Content-Type: text/xml; charset=utf-8
Content-Length: 307
Host: myhost.net
Connection: Keep-Alive
Accept-Encoding: gzip
Accept: text/xml

Actual behavior

User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-G900F Build/MMB29M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/67.0.3396.68 Mobile Safari/537.36 wp-android/10.0
Content-Type: text/xml; charset=utf-8
Content-Length: 307
Host: myhost.net
Connection: Keep-Alive
Accept-Encoding: gzip

Steps to reproduce the behavior

Post a blog with an image to a self hosted wordpress site using mod_security's default config.

Tested on [device], Android [version]

galaxy s5,6.0.1

[stale]

This issue has been marked as stale because:

• It has been inactive for the past year.
• It isn't in a project or a milestone.
• It hasn’t been labeled [Pri] Blocker, [Pri] High, or good first issue.

Please comment with an update if you believe this issue is still valid or if it can be closed. This issue will also be reviewed for validity and priority (cc @designsimply).

[designsimply]

@opamp77 apologies that we weren't able to respond to your request sooner.

I would like to help. I work on QA and have never setup mod_security from scratch on my own before. Can you tell me a little bit more about your hosting environment and how you set that up—maybe you used a tutorial you can link me to for reference?

I also noticed that the bug report about the missing HTTP Accept header that you referenced (https://ios.trac.wordpress.org/ticket/898) has some examples from the error_log which look helpful to note. May I ask if the issue is still happening for you and if so can you please provide some of the related errors from your error_log file?

May I ask what web host you are using?

The next steps for this case will be to compile some more specific testing steps (including mod_security setup) and also get copies of the related lines from the error_log for reference.

[hypest]

Verified that WPAndroid (v17.0-rc-2, tested on Pixel 2XL, Android v11) is not sending the Accept header. WPiOS v16.8.1 does though.

And, here's what the WPiOS app sends: Accept: */*

Feels to me that the WPAndroid app could follow suit so, will add this ticket to the groundskeeping list.