wpGForm and Apache Sercurity

A while back I was contacted by a user who had deployed wpGForm on their site with a problem they wanted my help with.  In looking at it I was absolutely stumped as to why it wasn’t working.  Nothing appeared obvious – when the form was submitted, the form would be displayed again as if for the first time.  In the process of chasing down this problem I’ve added quite a bit of debug code but in the end, I found Firebug’s Net Panel incredibly useful.

In this particular case it was showing me that the form was being posted but a 403 Permission Denied response resulted.  Why?  The exact same URL worked to show the form, why wasn’t it working to process the form?  I ended up separating the rendering and processing part of the plugin thinking this was the problem (like it was on a site a couple of weeks ago) but it didn’t make any difference (although it was the right thing to do).  I was still getting 403 problems.

I was working closely with the site owner, they were nice enough to allow me to really dig into their site.  What did I find?  A bunch of plugin and theme minor issues that I chased thinking they were conflicting somehow to no avail.  I ended up opening a ticket with the hosting provider and once we clarrified the problem, they sent me so error log information:

[error] ModSecurity: Access denied with code 403 (phase 2).Match of "rx
://%{SERVER_NAME}/" against "MATCHED_VARS:gform-action" required.
[file "/usr/local/apache/conf/modsec/10_asl_rules.conf"]
[line "489"]
[id "340162"]
[rev "262"]
[msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt
in ARGS (AE)"] [data "
https://docs.google.com/spreadsheet/formresponse?formkey=dhzsutftwllwzwf6lwd
yb0xcmkzsogc6mq&ifq
"]
[severity "CRITICAL"]
[hostname "lanaddicts.org"]
[uri "/test-form/"]
[unique_id "UAbUbnrJTaEAAHtoboQAAAAG"]

Wow! At first I didn’t know what to make of this. A Google Search led me to this Atomic Corp Wiki. I decided that the Apache Security Module must not like the Google Form URL that I need to carry around through the process in order to submit the form variables to Google. I decided to encode it and then decode it when needed to see if that would satisfy the Apache Security Module.

Guess what?  It works!!!!  This is a big relief as I have another user with almost the exact same error being reported and I am betting my updated plugin will fix their problem too.

If you want to try out an early build while I continue to test, you can find one here.

wp-SwimTeam v1.34.963 available for download

This afternoon I fixed a couple of minor bugs and pushed out v1.34.963.  The primary new feature in this release is the ability to export Meet Entries to Hy-tek Team Manager.  I have had lots of requests to support Hy-tek over the years so I am happy to say I can finally support it!

As anyone who has read my postings over the past few years knows, I am no fan of Hy-tek.  Between the closed data format and the awful user interface, it amazes me that their products have become the defacto standards for Swim Team and Swim Meet management but they have.  If you want to play in this space you need to interface with Hy-tek.  Fortunately some smart guys decoded the HY3 checksum and through lots of experiments some other people have figured out the HY3 file format so building on the work of others, I can now export a roster and meet entries in HY3 format.

I would appreciate feedback in this area as I have tested what I can but there is no such thing as too much testing and I may not have envisioned every scenario.  There is also a very strong possibility that some of the fields in the HY3 format may not be in the right place or contain the right data.

I also fixed a number of issues when browsing Parents, Swimmers, and the Roster where the Search function wasn’t working correctly.  Most of these problems were due to the SQL changes I made to address performance issues but a couple of them were due to allowing search against fields which are computed as opposed to extracted from the database.

wp-SwimTeam v1.34-beta with Hy-tek HY3 meet entries!

Tonight I posted an early build of wp-SwimTeam v1.34.  You can download it and manually install it if you would like to try it.  This build introduces the ability to export Meet Entries in Hy-tek HY3 format which can be imported directly into Team Manager and Meet Manager.

This build also addresses a number of bugs I’ve encountered, the most notable being the inability to generate a single swimmer roster export in SDIF and HY3 formats.  Instead of just one swimmer, the entire roster was exported.  This has been fixed.  The CSV export was not affected by the bug.

Please let me know if you run into any issues.  I plan to release this later today after some more testing.

Download:  [download#14]

If you run into any problems, please let me know.  I’d like to release this update in the next day or so.

wp-SwimTeam v1.33.949 now available

After a day of testing on the MacDolphins site without any issues, I have released v1.33.949.  There are no changes between this build and the v1.33 beta build except the version number and the removal of the beta tag.

This build fixes a number of problems related to swimmer and user data which surfaced after I changed the database queries I was using in v.1.32.

  • Fixed bug which prevented generating roster report.
  • Fixed bug which prevented scratching swimmers from Meet tab.
  • Added additonal table to Meet Report when operating in Stroke mode which reports number of swimmers Opting In or Opting Out per age group.
  • Completed first phase Meet Entries export in Hy-tek HY3 format. Not exposed on the GUI yet.
  • Fixed bug which prevented Job Reminder emails from being sent.

You can find the update on the Download & Installation page or in the WordPress Plugin Repository.

Working on Hy-tek Entries

Over the last few days I have been working the Hy-tek HY3 equivalent of exporting SDIF meet entries.  For the most part the logic is largely the same but the Hy-tek Meet Entries format is different enough that it isn’t a simple port.  In particular, relay entries have me a bit stumped.

In SDIF it is possible to assign any number of swimmers to a relay event as an “Alternate” using the “A” designation in the leg field of the F0 record.  As near as I can tell, the Hy-tek equivalent doesn’t exist.  A relay team can be defined in the HY3 F1 record and the heat and lane assignment can be set in the F2 record.  Swimmers are designated in the F3 record.  So I am somewhat stumped – do I just define the relay teams and then let the assignment of swimmers to the relay teams happen within either Team Manager or Meet Manager or do I keep track of the number of potential swimmers and create the maximum number of relay teams and simply assign swimmers to each team so they can be sorted out later?

The other dilemma I face has to do with the swimmer id field which is not the same as the registration number field.  The swimmer id field is an internal database field which connects D1, E1, and F3 records to the same swimmer.  Within my plugin I have unique swimmer ids in the form of database record identifiers that I know will be unique.  Should I use them or is simply starting at 1 and sequencing the number of swimmers as using that as an id sufficient?

My guess is the answer to both of these questions will be “it depends” and I’ll need to experiment.  Life would be so much easier if Hy-tek would simply support the SDIF format correctly instead of the half assed way they do it now.

wp-SwimTeam v1.33-beta.948 now available

This afternoon I posted an early build of wp-SwimTeam v1.33.  You can download it and manually install it if you would like to try it.  This build addresses a number of bugs which I introduced by changing the SQL in v1.32 for querying user data as it relates to swimmers.

Please let me know if you run into any issues.  I plan to release this later today after some more testing.

Download:  [download#14]

If you run into any problems, please let me know.  I’d like to release this update in the next day or so.