Bad Behavior 2.0.29
September 23rd, 2009 by Michael Hampton
Bad Behavior 2.0.29 has been released. It is a maintenance release and is recommended for all users.
MediaWiki and WordPress users who have not updated in the last year or so should take note of special upgrade instructions below.
Who should upgrade?
All users should upgrade to resolve issues with certain specialized web crawlers being blocked. Users who wish to use OpenID in conjunction with Bad Behavior should also upgrade to resolve authentication issues.
What’s new?
New in this release (since 2.0.28):
- Users authenticating to a Bad Behavior-protected site using a third party OpenID were blocked with a message stating that: “Data may not be posted from offsite forms.” In most circumstances, your site does not want to receive a POST which originated from another site; however, OpenID requires this. A new option, offsite_forms, has been added to Bad Behavior to permit data to be posted to your site from other sites. Enabling this option will allow OpenID to work but may expose your site to spam which was previously blocked. WordPress users will find the option on Bad Behavior’s options page; other platforms should check their platform-specific documentation for how to set options.
- A few specialized web crawlers use an unusual form of the Range: HTTP header in their requests, requesting a range starting with 0. This behavior, while technically permitted by the HTTP specification, is most often seen with malicious crawlers; web browsers and major search engines do not use it. Bad Behavior will now block these requests only when strict mode is enabled.
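The two checks described above, sketched in PHP as an added example (this is not Bad Behavior's own code). The function name, reason strings and sample hosts are hypothetical; only the `offsite_forms` and strict-mode options come from the release notes, and the sketch assumes the offsite test compares the Referer host with the request's Host header.

```php
<?php
// Added illustration, not Bad Behavior's source. Names other than the
// 'offsite_forms' and 'strict' options are hypothetical.

/**
 * Decide whether a request would be refused by the two checks described above.
 * $headers:  map of header name => value, as sent by the client.
 * $settings: ['offsite_forms' => bool, 'strict' => bool].
 * Returns a short reason string when refused, or null when allowed.
 */
function screen_request(string $method, array $headers, array $settings): ?string
{
    // Header names are case-insensitive, so normalise before lookup.
    $h = array_change_key_case($headers, CASE_LOWER);

    // Check 1: a POST whose Referer names a different host than the one requested.
    // Assumption: a request with no Referer is not covered by this check.
    if (strtoupper($method) === 'POST' && empty($settings['offsite_forms'])
        && isset($h['referer'], $h['host'])) {
        $refHost = parse_url($h['referer'], PHP_URL_HOST);
        // Strip any :port from Host before comparing.
        $ownHost = strtolower(preg_replace('/:\d+$/', '', $h['host']));
        if (is_string($refHost) && strtolower($refHost) !== $ownHost) {
            return 'offsite form post';
        }
    }

    // Check 2: a Range header starting at byte 0, refused in strict mode only.
    if (!empty($settings['strict']) && isset($h['range'])
        && preg_match('/^\s*bytes\s*=\s*0-/i', $h['range'])) {
        return 'range starting with 0';
    }

    return null;
}

// Constructed sample requests (example.org and openid.example are placeholders).
$openidReturn = ['Host' => 'example.org', 'Referer' => 'https://openid.example/auth'];
$crawler      = ['Host' => 'example.org', 'Range' => 'bytes=0-'];

// The same OpenID return POST with the option off, then on.
var_dump(screen_request('POST', $openidReturn, ['offsite_forms' => false, 'strict' => false]));
var_dump(screen_request('POST', $openidReturn, ['offsite_forms' => true,  'strict' => false]));
// The same crawler request with strict mode off, then on.
var_dump(screen_request('GET', $crawler, ['offsite_forms' => false, 'strict' => false]));
var_dump(screen_request('GET', $crawler, ['offsite_forms' => false, 'strict' => true]));
```

Because the Referer header is supplied by the client, a check like this filters careless spam tools rather than authenticating where a form came from.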
Support
Thank you to everyone who has chosen to make a financial contribution toward further development of Bad Behavior. Your contributions ensure that I can prioritize Bad Behavior development and make more frequent and timely releases, like this one.
Download
Special Upgrade Instructions
Users of MediaWiki and WordPress upgrading from version 2.0.20 or earlier should follow these special directions (from 2.0.21 or later, upgrade normally):
For MediaWiki: Before installing this version of Bad Behavior, manually remove (e.g. using FTP or ssh) any old versions you may have, including the lines added to LocalSettings.php. Then install the new version fresh, following the installation instructions for MediaWiki.
For WordPress: If updating to this version through the automatic updater fails, manually remove (e.g. using FTP or ssh) any old versions you may have installed. Then upload and install the new version fresh, following the installation instructions for WordPress. After doing so, future automatic updates should proceed normally.
For other platforms: No changes to your upgrade procedures should be necessary.




PJH Says
15:23UTC 23/9 – I’m getting a 404 for the download link.
Sep 23rd, 2009 at 3:27 pm
Michael Hampton Says
Thanks. I’m aware of the 404 and working on it.
Sep 23rd, 2009 at 3:31 pm
Les Warren Says
I recently installed Bad Behavior through the dashboard of my WordPress 2.8.4 installation and after activating it could no longer access the admin interface. I got a 500 error whenever I logged on.
The public face of the site was working fine and the Bad Behavior message was showing in the footer but I could no longer administer the site.
I deleted the Bad Behavior files from the server, but have been unable to drop the table from the database. I am able to access the dashboard now when I log in, but I am no longer able to add images and it asks for authentication every time I go to a new page. I have checked all the WP settings but can’t seem to find anything that would cause this. It looks like I am going to have to scrap this install and start over. Thanks a lot.
Sep 27th, 2009 at 11:20 pm
Michael Hampton Says
I don’t recall ever receiving a message from you about your particular trouble with Bad Behavior, but based on your description, it doesn’t sound like Bad Behavior itself is the cause. Your description of what happened after removing Bad Behavior is consistent with problems with the cookies in your web browser. Have you tried clearing your cookies?
Sep 27th, 2009 at 11:25 pm
Les Warren Says
I cleared the cookies in my browser, FFv3.014 and then reinstalled Bad Behavior, but when I activated it I got the same results, a 500 error.
I also am still getting the request for login on pages that I added pictures to after I installed Bad Behavior. Everything works normally on the post that existed before that.
I am now going through the process of deactivating plugins and testing to see if there was a conflict with a plugin that messed something up. I thought if I just used the plugins that were available through the dashboard I would be able to avoid conflicts; that’s probably a lot to expect considering how many there are.
I am not able to administer the site at all with Bad Behavior installed so I can’t test directly against that.
Any other ideas what might be going on?
Sep 28th, 2009 at 6:48 am
Les Warren Says
Okay, I sussed through this a bit and I am sure it doesn’t involve your plugin. I think I may have changed a setting on the theme which triggered this. I haven’t found the cause but I have eliminated Bad Behavior as the source.
Sorry for the bother.
Sep 28th, 2009 at 8:30 am
ken winston caine Says
Not sure when this started, and suspect it has more to do with a WordPress upgrade than with Bad Behavior’s basic code, but…. wondering if you might know how to fix it:
Bad Behavior prints the stats report line at the bottom of the page. This used to fit nicely and be centered. Now it is way off center to the left. (Incidentally, some other things that used to fit nicely in the footer are not doing so, which makes me think this has little to do with Bad Behavior, per se.)
Any idea on where I should look to fix this relatively recent rash of bad behavior?
Thanks,
kwc
Sep 30th, 2009 at 4:35 am
Michael Hampton Says
Your WordPress theme decides where the display is and how it should be formatted. I would contact the theme designer to report the problem.
Sep 30th, 2009 at 4:38 am
dennyhalim.com Says
offsite_forms: instead of opening wide to offsite posts, let the user enter a whitelist of which sites may do offsite posts, limited only to the login form, not to all forms.
tnx
Oct 29th, 2009 at 1:00 am