Bad Behavior 2.0.32

November 2nd, 2009 by Michael Hampton

Bad Behavior 2.0.32 has been released. It is a maintenance release and is recommended for specific users identified below.

Please note: As of this release, 2.0 has been branched and development suspended. Further updates to the 2.0 tree will be bug fixes and security fixes only. Future development will be to the 2.1 development tree, the first release of which should arrive shortly. Expect a post within the next day with more information.

MediaWiki and WordPress users who have not updated in the last year or so should take note of special upgrade instructions below.

Who should upgrade?

Users of specialized web services integrated into their host platforms, for which Bad Behavior should not screen requests, should upgrade to correct potential problems with new functionality introduced in recent releases.

IPv6 users should upgrade to prevent users from being blocked inappropriately.

Users whose web site is hosted on a Windows server using IIS should upgrade to take advantage of new protection against certain attacks.

WordPress users should upgrade for enhancements to the administrative pages.

What’s new?

New in this release (since 2.0.31):

  • Due to ongoing issues with various web services such as OpenID and PayPal IPN behaving in strange ways which trigger Bad Behavior, a new whitelist was added in version 2.0.30. You may now add URLs of your site to Bad Behavior’s whitelist. When a URL is added, Bad Behavior will ignore any HTTP request to that particular URL. If you need this feature, please check the bad-behavior/whitelist.inc.php file for further information. In version 2.0.31 this feature failed on some PHP versions due to undocumented PHP behavior. This has been fixed. In addition, the PHP documentation has been fixed to reflect PHP’s actual behavior (which I still think is broken).
  • Users whose sites are accessible using IPv6 may find IPv6 users are blocked by Bad Behavior when the http:BL feature is enabled and certain versions of PHP are in use. This issue has been fixed.
  • A SQL injection attack against Windows servers running IIS has been identified and blocked.
  • The WordPress administrative page showing Bad Behavior logs has been enhanced slightly. It now shows reverse DNS records when available and identifies more search engines via http:BL.

Support

Thank you to everyone who has chosen to make a financial contribution toward further development of Bad Behavior. Your contributions ensure that I can prioritize Bad Behavior development and make more frequent and timely releases, like this one.

Download

Download Bad Behavior now!

Special Upgrade Instructions

Users of MediaWiki and WordPress upgrading from version 2.0.20 or earlier should follow these special directions (from 2.0.21 or later, upgrade normally):

For MediaWiki: Before installing this version of Bad Behavior, manually remove (e.g. using FTP or ssh) any old versions you may have, including the lines added to LocalSettings.php. Then install the new version fresh, following the installation instructions for MediaWiki.

For WordPress: If updating to this version through the automatic updater fails, manually remove (e.g. using FTP or ssh) any old versions you may have installed. Then upload and install the new version fresh, following the installation instructions for WordPress. After doing so, future automatic updates should proceed normally.

For other platforms: No changes to your upgrade procedures should be necessary.


14 Responses to “Bad Behavior 2.0.32”

  1. 1

    CT Says

    Am I the only one who can’t figure out how to access the whitelist and blacklist? Near as I can figure there’s no UI for it — you have to alter php files, correct? If so, I’d hope to see a friendlier version in 2.1.

  2. 2

    Josh Straub Says

    Check Michael’s latest blog post, the roadmap for Bad Behavior 2.2. He mentions the whitelist/blacklist UI specifically and says for 2.2 he intends to write a native admin interface for it.

    I am thankful for this because I also was hand editing the white/blacklists and lost them a few times during an upgrade.

  3. 3

    Sam Lewis Says

    Installed Bad Behaviour to try to stop some subscription spam but think I found a bug in the code which makes the plugin whitelist all urls that are not listed in the whitelist url parameter.

    From whitelist.inc.php:

    if (!empty($bb2_whitelist_urls)) {
        $request_uri = substr($settings['request_uri'], 0, strpos($settings['request_uri'], "?"));
        foreach ($bb2_whitelist_urls as $url) {
            if (!strcmp($request_uri, $url)) return true;
        }
    }

    Isn’t this code saying that if the url and the whitelist url DON’T match then return true? Returning true indicates a whitelist situation and none of the other checks will be performed.

    By changing this one line:
    if (!strcmp($request_uri, $url)) return true;
    to
    if (strcmp($request_uri, $url)) return true;

    Should solve the issue.

    This seems to be in the latest Bad Behavior code.

    Can someone check me on that?

  4. 4

    Michael Hampton Says

    The logic you have pointed out is correct as written. Please check the documentation; it’s certainly confusing the first time you run across strcmp().

  5. 5

    Sam Lewis Says

    Michael,

    Thanks for the logic check. You are absolutely right. Found my issue. I am working with the Joomla port of BB and there is some code discrepancy between the two.

    Thanks.

  6. 6

    Michael Hampton Says

    Such discrepancies are one reason I want more separation between the core and platform connector.
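
The whitelist comparison discussed in comments 3 to 6, written out as an added example (not Bad Behavior's own code). The function names, the sample whitelist and the request URIs are hypothetical and constructed for illustration; it shows why `!strcmp()` means "strings are equal" and handles a request URI that has no query string.

```php
<?php
// Added example, not Bad Behavior's code. All names and sample data are hypothetical.

/**
 * Return the path part of a request URI (everything before the first "?").
 * strpos() returns false when the URI contains no "?", so that case is
 * handled explicitly rather than passing false to substr() as a length.
 */
function request_path(string $request_uri): string
{
    $pos = strpos($request_uri, '?');
    return $pos === false ? $request_uri : substr($request_uri, 0, $pos);
}

/**
 * True only when the request path exactly equals a whitelisted URL.
 * strcmp() returns 0 for equal strings and a non-zero integer otherwise,
 * so "!strcmp($a, $b)" and "strcmp($a, $b) === 0" both mean "$a equals $b".
 * Dropping the negation would return true for every URL that differs from
 * the first whitelist entry, which would skip screening for almost all requests.
 */
function is_whitelisted(string $request_uri, array $whitelist_urls): bool
{
    $path = request_path($request_uri);
    foreach ($whitelist_urls as $url) {
        if (strcmp($path, $url) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample data.
$whitelist = ['/paypal/ipn.php', '/openid/server'];
$requests = [
    '/paypal/ipn.php?txn=1',   // whitelisted URL with a query string
    '/paypal/ipn.php',         // whitelisted URL without a query string
    '/wp-comments-post.php',   // not whitelisted
    '/paypal/ipn.php.bak?x=1', // near miss: exact match is required
];
foreach ($requests as $uri) {
    $result = is_whitelisted($uri, $whitelist) ? 'skip screening' : 'screen';
    printf("%-28s %s\n", $uri, $result);
}
```
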

  7. 7

    John Says

    Hi, after updating to this version I get the following error message after clicking bad behaviour under the manage tab in wordpress

    Warning: gethostbyaddr() [function.gethostbyaddr]: Address is not a valid IPv4 or IPv6 address

  8. 8

    Michael Hampton Says

    John, you failed to give your web site, so I can’t take a look to see if anything is obviously wrong with your web hosting provider. Please contact me and send the Bad Behavior log entries corresponding to this request.

  9. 9

    Michael Hampton Says

    Not to mention you gave a fake email address, so I can’t contact you. You’ll have to get hold of me.

  10. 10

    Paul Says

    [quote]Not to mention you gave a fake email address, so I can’t contact you. [/quote]

    Bwahaha. I’m sure there’s some irony there. Somewhere…

    Incidentally Michael, I’ve seen the stuff about the ‘new’ bad behavior, and it would appear to be being used in places, but cannot find any downloads for it.

    Are you still after alpha/beta testers?

    I run a very low-volume site, bespoke code (no wordpress etc.) but still get hits from bad bots (or that’s the majority of my hits according to the stuff your software is blocking.)

    More details on request if you need them. My email should be good if I’ve not misspelled it ;)

  11. 11

    Dave McAuley Says

    I’ve got an issue with wp-estore and bad behaviour together. PayPal IPN email notifications are being blocked by bad behaviour yet work when I disable the bad behaviour plugin. Any idea how I can whitelist or sort it out as I’m a technophobe really.

    Cheers

    Dave

  12. 12

    Michael Hampton Says

    You should whitelist PayPal’s IP addresses (they are in their help documentation). You should also complain to PayPal until they fix this problem.

  1. 1

    2718.us blog - Apache’s MultiViews Option

  2. 2

    Bad Behavior / Bad Behaviour: Bad Behavior 2.0.33
