Bad Behaviour Wordpress plugin problems w/beta 19

[Echelon9]

http://www.cocoaforge.com/viewtopic.php?f=18&t=26414&sid=d462c4f3157cf38afda3e361e6e4057a

A feed on my website which Vienna is failing on with a HTTP 403 - even though when I "Show XML Source" it's there and looks fine. I can access the feed directly in a browser and I can validate it fine, but Vienna (Version 3.0.0 Beta 19 :40267c3:) doesn't want to read it.

My site is a Wordpress site.
I did not update or change anything on it recently.
I noticed the problem after updating to Vienna Version 3.0.0 Beta 19.
I just checked on another machine and Beta 18 reads it fine.

My site: http://asmaloney.com
My Feed: http://asmaloney.com/feed
Validation: http://feedvalidator.org/check?url=http://asmaloney.com/feed/

[Echelon9]

The following is a packet trace from a Vienna 3 Beta 19 client subscribing to http://asmaloney.com/feed.

GET /feed HTTP/1.1
Host: asmaloney.com
User-Agent: Mozilla/5.0 Vienna/Master Safari/537.71
Connection: keep-alive
Accept-Encoding: gzip

HTTP/1.1 403 Bad Behavior
Date: Sat, 30 Nov 2013 08:03:29 GMT
Server: Apache
X-Powered-By: PHP/5.3.27
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 523
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html

..........mQK..0...W.r...N.v.D,}$.v.m.UT.=...U........(M.......3..l......*[K....... d.y.fl.n..C...f..R...V..........f.X.uQ7.H.Y........kh/.Qa. ..7a....Z*s.Ek.\... .C.......JL..t.[.I...<f.:..X.Q.{.,.(r...I...F0.u..Yk.C....(.P...RBO....[4.$=a%b...V..A}@...9i~R ..KQ.9.7...88Z...$3M.#G.z....9{..W....$.V.~`B...t.G;.3....s.B....s...b1......6
i....aV...I..E......p.xw..-....o.R....n...X..C...gm..O:j
..7.h.:...._...R..].d&q..AY..'...K....Z.]..0P.?.-4....U...o...ii...0)._+2
.?.G...QNu..K.[8.>.pU.}.V.R8..(.....ME....a...z...v...

The gzip encoded response body decodes to:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--< html xmlns="http://www.w3.org/1999/xhtml">-->
<head>
<title>HTTP Error 403</title>
</head>
<body>
<h1>Error 403</h1>
<p>We're sorry, but we could not fulfill your request for
/feed on this server.</p>
<p>An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.</p>
<p>Your technical support key is: <strong>7ca8-0dec-1756-6707</strong></p>
<p>You can use this key to <a href="http://www.ioerror.us/bb2-support-key?key=7ca8-0dec-1756-6707">fix this problem yourself</a>.</p>
<p>If you are unable to fix the problem yourself, please contact <a href="mailto:asmaloney+nospam@nospam.gmail.com">asmaloney at gmail.com</a> and be sure to provide the technical support key shown above.</p>

[Echelon9]

And a packet trace from a Vienna 3 Beta 18 client subscribing to http://asmaloney.com/feed.

GET /feed HTTP/1.1
Host: asmaloney.com
User-Agent: Vienna 3.0.0 Beta 18 :8c42af7: rv:4990 (Macintosh; Mac OS X 10.9.0; en_AU)
Connection: keep-alive
Accept-Encoding: gzip

HTTP/1.1 301 Moved Permanently
Date: Sat, 30 Nov 2013 08:38:37 GMT
Server: Apache
X-Powered-By: PHP/5.3.27
X-Pingback: http://asmaloney.com/xmlrpc.php
ETag: "28b078a0cef5c75eee183c91a7f2c393"
Set-Cookie: bb2_screener_=1385800717+124.168.13.236; path=/
Last-Modified: Thu, 28 Nov 2013 14:28:22 GMT
Location: http://asmaloney.com/feed/
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html

....................
GET /feed/ HTTP/1.1
Host: asmaloney.com
User-Agent: Vienna 3.0.0 Beta 18 :8c42af7: rv:4990 (Macintosh; Mac OS X 10.9.0; en_AU)
Connection: keep-alive
Accept-Encoding: gzip

HTTP/1.1 200 OK
Date: Sat, 30 Nov 2013 08:38:37 GMT
Server: Apache
X-Powered-By: PHP/5.3.27
X-Pingback: http://asmaloney.com/xmlrpc.php
ETag: "28b078a0cef5c75eee183c91a7f2c393"
Content-Style-Type: text/css
Content-Script-Type: text/javascript
Set-Cookie: bb2_screener_=1385800718+124.168.13.236; path=/
Last-Modified: Thu, 28 Nov 2013 14:28:22 GMT
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20015
Keep-Alive: timeout=2, max=99
Connection: Keep-Alive
Content-Type: text/xml; charset=UTF-8

[Long response]

[Echelon9]

This is caused by the Wordpress plugin Bad Behaviour http://bad-behavior.ioerror.us/contact/

Others have had similar problems tripping either a string or regex based blacklist inadvertantly. i.e. https://bugzilla.mozilla.org/show_bug.cgi?id=932498

[asmaloney]

(I'm the one who reported the error on the forums.) Just to confirm, I deactivated Bad Behaviour and the feed worked in Vienna.

Not sure if it's helpful but with it enabled, the Bad Behaviour logs on my site show this when I try to grab the feed:

2013-11-30 14:13:36

Required header 'Accept' missing

GET /feed/ HTTP/1.1
Accept-Encoding: gzip
Connection: keep-alive
Host: asmaloney.com
If-Modified-Since: Sat, 23 Nov 2013 21:39:34 GMT
User-Agent: Mozilla/5.0 Vienna/3.0.0 Safari/534.59.10

If you need anything from me, or need me to try anything, please let me know.

[sairuh]

I have also noticed this upon upgrading to Vienna 3.0beta19. As a workaround, I've added the user-agent string to Bad Behaviour's whitelist, and that seems to make things work again. But please let me know if there's better, longer term solution to this (esp. if it's a bug which should not require whitelisting). Thanks!

[Echelon9]

I've taken a further look at the plugin code of Bad Behaviour.

Summary

Fundamentally, Bad Behaviour is filtering based on incorrect assumptions made about the HTTP standards.

I've tried reporting this in the Bad Behaviour bug tracker system with no luck so far, and will be looking to their developer to fix it in an upcoming release.

In the mean time we should inform Vienna users that they have subscribed to a server which uses the Bad Behaviour plugin, and request the host contacts the developer of Bad Behaviour to have its code fixed.

Technical details

Bad Behaviour plugin requires the use of an Accept HTTP header when certain strings are contained in the User-Agent, whereas the RFC 2616 clearly states Accept header is optional.

The "Accept" header field can be used by user agents to specify
response media types that are acceptable.  Accept header fields can
be used to indicate that the request is specifically limited to a
small set of desired types, as in the case of a request for an in-
line image.

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-21#section-6.3.2

This standards compliant behaviour is not present in the current Bad Behaviour code (v2.2.14), as seen in browser.inc.php where all browsers which are Mozilla/5.0 compatible (i.e. pretty much every modern browser, not just Firefox) are falsely required to send an Accept header.

// Analyze user agents claiming to be Mozilla
function bb2_mozilla($package)
{
    // First off, workaround for Google Desktop, until they fix it FIXME
    // Google Desktop fixed it, but apparently some old versions are
    // still out there. :(
    // Always check accept header for Mozilla user agents
    if (strpos($package['headers_mixed']['User-Agent'], "Google Desktop") === FALSE && strpos($package['headers_mixed']['User-Agent'], "PLAYSTATION 3") === FALSE) {
        if (!array_key_exists('Accept', $package['headers_mixed'])) {
            return "17566707";
        }
    }
    return false;
}

Of course, our Vienna 3 Beta 18 elected to not use the Accept header as well, which was not an issue with standards compliant web servers.