Methods of avoiding Cloudflare blocks when posting code

astrogeek · 07-27-2023, 03:04 PM

Numerous members have complained about the inability to paste code snippets here at LQ. This is an especially important issue for participants of the Programming forum, for obvious reasons.

The problem is not caused by LQ itself, unless you wish to blame LQ for using Cloudflare (which I admit has crossed my mind). But the truth is that for a public facing website such as LQ to be available at all in the current abusive social and internet environments it must either have knowledgable staff dedicated to management of the problem or subscribe to external services to manage the problem. LQ has chosen to use Cloudflare.

Cloudflare applies multiple criteria to different parts of the problem, but here we focus on only 1: Pattern matched blocks. Incomming requests are scanned for patterns frequently found in intrusion and exploit attempts, and blocks those requests.

For example, this simple code snippet...

Code:

<?php
   echo "Hello World!";
?>

... currently results in the following bolded but mostly useless message when I attempt to post it in a thread here at LQ.

Quote:

Sorry, you have been blocked
You are unable to access Linuxquestions.org

Why have I been blocked?

This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.

What can I do to resolve this?

You can email the site owner to let them know you were blocked. Please include what you were doing when this page came up and the Cloudflare Ray ID found at the bottom of this page.

Contacting the site owner only increases workload for them and they will simply not often be able to offer much in the way of help - it isn't in their control either!

Surely there is a more sensible way to resolve this annoyance!

A little trial and error will show that it is the string of characters <?php which produces the blocking match in this case, so the question then becomes how to prevent the match without obscuring the code for other members?

There are multiple ways of doing this, but the one I use most, and one that is easy for even me to remember is to break up that string with BB code markup which produces no effect in the web page when viewed, such as empty italics:

Code:

<?[i][/i]php
   echo "Hello World!";
?>

It also helps reduce frustrations and arguably improves the quality of the final post, to write the post in a text editior first. This way you will not risk wasted effort should your attempt to post end up with a block from which you cannot recover for any reason. And as is always advised, reduce your code snippets to just that necessary to support your question or reply, which makes it easier for you to identify blocking portions of the example.

When you are blocked, take a deep breath, refrain from kicking the cat, hit the browser's Back button, and try to identify the cause by successively removing sections of code to narrow the possibilities (often there may be more than one)! When you find it, try the above method of breaking up the matched pattern to slip past the censors!

Although I have posted only one example, I have seen many in various programming languages, filesystem paths and even in comment text. The matching rules almost certainly change continuously to match whatever Cloudflare defines as the current threat level, so what works today may not work tomorrow.

I have started this thread mostly as a repository for examples of blocking code snippets and methods of avoiding the blocks. Discussion of the larger problem will surely take place as well, but let's try to focus on identifying common causes of blocks and their solutions as much as possible.

So when you encounter a block please return here and post the offending pattern, and the fix you use to get around it here at LQ. If you find one you cannot easily work around, describe it as clearrly as you can we will try to make it work!

teckk · 07-27-2023, 05:31 PM

Script tags will trigger a cloudflare redirect. So will nmap, netcat, some python, some C, even some bash.

From this pages source code:

<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/yui/2.9.0/yahoo-dom-event/yahoo-dom-event.js?v=3810b1"></script>

You have to do something with script tags. Either alter the tags or maybe just colorize the text like a syntax highlighting text editor does. However, that wont preserve bump overs, which are essential for python, and make other source code look neat.

Code:

_script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/yui/2.9.0/yahoo-dom-event/yahoo-dom-event.js?v=3810b1"></script_

And I had to struggle, change web browsers, just to post that. Could not post that with a self made webengine browser with scripts and images off. Some code inside tags I can with that brpwser without javascript on. I had to open a self made webkit2gtk browser with images and scripts on. And, leave the user agent alone to post.

teckk · 07-27-2023, 05:58 PM

I guess I should identify what browser would post and would not post.

Code:

#No
pacman -Ss qt5-webengine
extra/qt5-webengine 5.15.14-2 (qt qt5) [installed]
    Provides support for web applications using the Chromium browser project
    
#Yes
pacman -Ss webkit2gtk
extra/webkit2gtk 2.40.2-1 [installed]
    Web content engine for GTK

Those are the actual "Web browser".

Since that last openssl update, dillo is dead again for LQ. Probably not going to spend much time on it, So can't speak for it.

My point, the web browser that you are using makes a difference. I know that I did not have scripts on in the webengine browser. Doesn't make any difference, tried it before.

And I'm not resisting browser fingerprinting in either one, altering the request header, or refusing cookies.

astrogeek · 07-27-2023, 10:17 PM

I too have seen some HTML tags blocked. In particular, any attempt to post a <script ...> tag, even an empty one...

Code:

<script></script>

... results in a blocked request with this singularly useless warning:

Quote:

www.linuxquestions.org
Warning Your browser is out of date!
Update your browser to view this website correctly.

No doubt, different browsers will result in different responses. In fact there is most likely an overall score generated for each request which will determine the ultimate response. But it should not be necessary to account for all combinations of browser and content, which would be pointless in the end even if remotely possible.

As with the above script tag example, we should be able to identify and work around common cases which affect most users, and work out simple, reliable methods of getting past the block for purposes of asking and answering questions.

The method of identifying the minimal matching examples and breaking those strings with "invisible" content has proven to be general enough to work in most cases I have encountered, including the above <script> tag case.

Code:

<sc[i][/i]ript><[i][/i]/script>

Prevents the block and produces:

<script></script>

teckk · 07-28-2023, 12:34 PM

Yes, I've done that before. I used bold tags.

Code:

<script type="text/javascript" src="https://www.linuxquestions.org/questions/clientscript/vbulletin_global.js?v=3810b1"></script>

<script type="text/javascript" src="https://www.linuxquestions.org/questions/clientscript/vbulletin_menu.js?v=3810b1"></script>

<script type='text/javascript' src='//rev.linuxquestions.org/www/delivery/spcjs.php?id=2'></script>

<script>
 (function(h,o,u,n,d) {
   h=h[d]=h[d]||{q:[],onReady:function(c){h.q.push(c)}}
   d=o.createElement(u);d.async=1;d.src=n
   n=o.getElementsByTagName(u)[0];n.parentNode.insertBefore(d,n)
})(window,document,'script','https://www.datadoghq-browser-agent.com/datadog-rum.js','DD_RUM')
  DD_RUM.onReady(function() {
    DD_RUM.init({
      clientToken: 'pubdfe3d3f97883d30bebd7d86fb4401f1d',
      applicationId: '86c29c7b-d36b-44bb-a819-211494f32b57',
      site: 'datadoghq.com',
      service: 'LQ',
      sampleRate: 100,
      trackInteractions: true,
    })
  })
</script>

That's about the best/easiest solution.

Like astrogeek said:

<sc[b][/b]ript type="https://www.linuxquestions.org/questions/clientscript/vbulletin_global.js?v=3810b1"></sc[b][/b]ript>

pizzipie · 07-28-2023, 02:08 PM

Thank you very much astrogeek.

This is exactly the kind of answer I was hoping to get. With this I can DO SOMETHING.

R

pizzipie · 07-28-2023, 03:11 PM

Example that worked for me - Thank you astrogeek!

Cloudthing doesn't like <?_hp. - Fix <?p[i][i/]hp

JAVASCRIPT

var request=$.ajax({
url: "exiftools_php/exec_exiftools_v0.1.php",
data: { ajaxArr, "srcdir": "<?p[i][i/]hp echo $imageSrcDir; ?>" , "targetdir": "<?p[i][i/]hp echo $imageTargetDir; ?>"},
type: "POST",
dataType : "json"
})

teckk · 07-28-2023, 04:05 PM

Yup, that will work if done right.

Code:

var request=$.ajax({
    url: "exiftools_php/exec_exiftools_v0.1.php",
    data: { ajaxArr, "srcdir":"<?php echo $imageSrcDir; ?> ", "targetdir": "<?php echo $imageTargetDir; ?>"},
    type: "POST",
    dataType : "json"
})

pizzipie · 07-28-2023, 08:23 PM

teckk are you saying that changing the color will do the same as i /i (with brackets)

teckk · 07-28-2023, 08:55 PM

No. I've been working on a python script off and on for a while that adds syntax highlighting before and after keywords. Feed it a code block, and it will highlight it with bb code color tags. Not really necessary, but it looks nice.

And, now that I know how to break up script, php etc., so that it will post. Not too hard to add that. Every time it encounters script, change it to <sc[b][/b]ript

Just need to add to a list of keywords that need to be altered, when they are found.

Sounds like the best way to do it. Run it through an automatic parser/editor.

I wish that there was bb tags for changing background color.