phpapachepostmod-securityhttp-status-code-406

What causes mod_security 406 Not Acceptable when POSTing data?


I have an article on my website with the (markdown) content:

# PHP Proper Class Name
Class names in PHP are case insensitve. If you have a class declaration like:
```php
class MyWeirdClass {}
```
you can instantiate it with `new myWEIRDclaSS()` or any other variation on the case. In some instances, you may want to know, what is the correct, case-sensitive class name. 

### Example Use case
For example, in one of my libraries under construction [API Doccer](https://github.com/ReedOverflow/PHP-API-Doccer), I can view documentation for a class at url `/doc/class/My-Namespace-Clazzy/` and if you enter the wrong case, like `/doc/class/my-NAMESPACE-CLAzzy`, it should automatically redirect to the proper-cased class. To do this, I use the reflection method below as it is FAR more performant than the `get_delcared_classes` method


## Reflection - get proper case
Credit goes to [l00k on StackOverflow](https://stackoverflow.com/a/35222911/802469)
```php
$className = 'My\caseINAccuRATE\CLassNamE';
$reflection = new ReflectionClass($className);
echo $reflection->getName();
```
results in `My\CaseInaccurate\ClassName`;  
Running the benchmark (see below) on localhost on my laptop, getting the proper case class name of 500 classes took about 0.015 seconds, as opposed to ~0.050 seconds using the `get_declared_classes` method below.

## get_declared_classes - get proper case
This was my idea, as I hadn't even considered using reflection, until I saw [l00k's answer on StackOverflow](https://stackoverflow.com/a/35222911/802469). Guessing it would be less efficient, I wrote the code and figured it out anyway, because it's fun!
```php
$wrongCaseName = 'Some\classy\THIng';
class_exists($wrongCaseName); //so it gets autoloaded if not already done
$classes = get_declared_classes();
$map = array_combine(array_map('strtolower',$classes),$classes);
$proper = $map[strtolower($wrongCaseName)];
```
results in `$proper = 'Some\Classy\Thing'`;  
Running the bencmark (see below) on localhost on my laptop, getting the proper case class name of 500 classes took about 0.050 seconds, as opposed to ~0.015 seconds with reflection (above).


## Benchmark:
I used the following code to do the benchmark, removing the `classes` directory between each run of the benchmark. It's not perfect. At all. But it gets the job done well enough, I think:
```php
<?php

$times = [];
$times['begin'] = microtime(TRUE);

spl_autoload_register(function($className){
    if (file_exists($name=__DIR__.'/classes/'.strtolower($className).'.php')){
        include($name);
    }
});
if (is_dir(__DIR__.'/classes'))return;

mkdir(__DIR__.'/classes');

function generateRandomString($length = 10) {
    $characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $charactersLength = strlen($characters);
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= $characters[rand(0, $charactersLength - 1)];
    }
    return $randomString;
}

$times['start_file_write'] = microtime(TRUE);
$names = [];
for ($i=0;$i<500;$i++){
    $className = generateRandomString(10);
    $file = __DIR__.'/classes/'.strtolower($className).'.php';
    if (file_exists($file)){
        $i = $i-1;
        continue;
    }
    $code = "<?php \n\n".'class '.$className.' {}'."\n\n ?>";
    file_put_contents($file,$code);
    $names[] = strtoupper($className);
}

$times['begin_get_declared_classes_benchmark'] = microtime(TRUE);
$propers = [];

// foreach($names as $index => $name){
//     $wrongCaseName = strtoupper($name);
//     class_exists($wrongCaseName); //so it gets autoloaded if not already done
//     $classes = get_declared_classes();
//     $map = array_combine(array_map('strtolower',$classes),$classes);
//     $proper = $map[strtolower($wrongCaseName)];
//     if ($index%20===0){
//         $times['intermediate_bench_'.$index] = microtime(TRUE);
//     }
//     $propers[] = $proper;
// }

// the above commented lines are the get_declared_classes() method. 
// the foreach below is for reflection.

foreach ($names as $index => $name){
    $className = strtoupper($name);
    $reflection = new ReflectionClass($className);
    if ($index%20===0){
        $times['intermediate_bench_'.$index] = microtime(TRUE);
    }
    $propers[] = $reflection->getName(); 
}

$times['end_get_declared_classes_benchmark'] = microtime(TRUE);

$start = $times['begin'];
$bench = $times['begin_get_declared_classes_benchmark'];

$lastTime = 0;
foreach($times as $key => $time){
    echo "\nTime since begin:".($time-$start);
    echo "\nTime since last: ".($time-$lastTime)."   key was {$key}";
    echo "\nTime since bench start: ".($time - $bench);
    $lastTime = $time;
}

print_r($times);
print_r($propers);
exit;
```

### Results
```
// get_declared_classes method
//Time since bench start: 0.052499055862427 is total time for processing get_declared_classes w/ $i=500
//Time since bench start: 0.047168016433716
// last bench time Time since begin:0.062150955200195
// 100 intermediate bench: Time since bench start: 0.0063230991363525
// 200                   : Time since bench start: 0.015070915222168
// 300 intermediate bench: Time since bench start: 0.02455997467041
// 400 intermediate bench: Time since bench start: 0.033944129943848
// 480                   : Time since bench start: 0.044310092926025


//reflection method:
//Time since bench start: 0.01493501663208
//Time since bench start: 0.017416954040527
// 100 intermediate:  Time since bench start: 0.0035450458526611
// 200 intermediate:  Time since bench start: 0.0066778659820557
// 300 intermediate:  Time since bench start: 0.010055065155029
// 400 intermediate:  Time since bench start: 0.014182090759277
// 480 intermediate:  Time since bench start: 0.01679801940918
```

#### Results' notes
- "Time since bench start" is the entire time it took to run all the iterations. I share this twice above.  
- "100 Intermediate" (200, 300, etc) are actually the results at 120, 220, etc... I messed up in copy+pasting results & didn't want to do it again. Yes. I'm lazy :)
- The results would of course vary between runs of the code, but it's pretty clear that the reflection option is significantly faster.
- All was run on a localhost server on an Acer laptop.
- PHP Version 7.2.19-0ubuntu0.19.04.1 (from `php info()`)

As shown above, I'm able to submit the article & everything works as expected - saves to DB & everything. The very last line, if I change php info() to phpinfo() (removing the space), I get this error:

Not Acceptable!

An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.


When I try to submit with phpinfo() (no space), my PHP does not execute at all and I only get this error. The network tab in firefox shows "406 Not Acceptable" for the status code. Nothing is being written to my error log in $_SERVER['DOCUMENT_ROOT'].'/error_log', which is where all the PHP errors log to, anyway. In my home folder, there is a logs folder, but it remains empty. No logs in /etc/ or /etc/my_website_name.com either.

What could be causing this problem? Is there something in the PHP.ini I could change? Could .htaccess affect this at all?

At the very least, how do I troubleshoot this problem?

Troubleshooting

I am using Simple MDE now, but it happened on multiple other occasions before I started using Simple MDE. It has only been with relatively large posts that also contain code.

I am on Shared Hosting with HostGator, using HTTPS:// and PHP 7.2.19


Solution

  • I contacted HostGator. They added something to a white list, but didn't give me intimate details. It fixed the problem.

    First agent took awhile, failed to resolve the issue, and disconnected prematurely.

    The second agent was reasonably prompt & resolved the problem, saying I shouldn't have this issue with similar types of POST requests which contain code.