
Bad-Behavior URL-based whitelisting bug in 2.0.31

Version 2.0.30 of Bad-Behavior introduced a whitelist mechanism to exclude some pages from Bad-Behavior's protection. Unfortunately, the code for it is broken: the whitelist is ignored.

I contacted the author, Michael Hampton, and he confirmed my findings. However, for some reason he never approved my comment with the details and a fix, so I am publishing it here. May it help others.

Update 2009-11-02: Version 2.0.32 has been published today, and my original comment has been approved.

The code in bad-behavior/whitelist.inc.php (of version 2.0.31) after if (!empty($bb2_whitelist_urls)) does not work. The following works for me:

if (!empty($bb2_whitelist_urls)) {
    // Compare only the path: strip the query string, if there is one.
    if (strpos($package['request_uri'], "?") === FALSE) {
        $request_uri = $package['request_uri'];
    } else {
        $request_uri = substr($package['request_uri'], 0, strpos($package['request_uri'], "?"));
    }
    // Exact, case-sensitive match against each whitelisted URL.
    foreach ($bb2_whitelist_urls as $url) {
        if (!strcmp($request_uri, $url)) return true;
    }
}

Code also available at http://pastebin.com/f362a0492
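
The matching rule of the fix above, wrapped in a stand-alone function and run over sample requests to show which ones skip screening. This is an added example, not code from this post or from Bad-Behavior; the function name bb2_url_is_whitelisted() and all whitelist entries and request URIs are assumptions made up for the demonstration.

```php
<?php
// Added example: stand-alone harness around the matching logic of the fix.
// bb2_url_is_whitelisted() is a hypothetical name, not a Bad-Behavior function.
function bb2_url_is_whitelisted(string $request_uri, array $whitelist_urls): bool
{
    // Drop the query string so that only the path is compared.
    $pos  = strpos($request_uri, '?');
    $path = ($pos === false) ? $request_uri : substr($request_uri, 0, $pos);

    // Exact, case-sensitive comparison, equivalent to !strcmp() in the fix.
    return in_array($path, $whitelist_urls, true);
}

// Constructed whitelist and constructed request URIs (not real traffic).
$whitelist = ['/feed/', '/api/callback.php'];
$cases = [
    '/feed/'                          => true,
    '/feed/?paged=2'                  => true,  // query string is ignored
    '/api/callback.php?token=abc&x=1' => true,  // any query string is exempt
    '/feed'                           => false, // trailing slash matters
    '/Feed/'                          => false, // comparison is case-sensitive
    '/feed/extra'                     => false, // no prefix matching
    '/index.php?next=/feed/'          => false, // whitelisted path only in the query
];

foreach ($cases as $uri => $expected) {
    $got = bb2_url_is_whitelisted($uri, $whitelist);
    printf(
        "%-34s %-12s %s\n",
        $uri,
        $got ? 'whitelisted' : 'screened',
        $got === $expected ? 'ok' : 'MISMATCH'
    );
}
```

Because the query string is dropped before the comparison, a whitelisted path is exempt from screening for every query string, so whitelist entries are best limited to scripts that validate their own parameters.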

 
blog/091028_bad-behavior_url-based_whitelisting_bug_in_2.0.31.txt · Last modified: 2013-04-20 23:35 (external edit)