Textpattern CMS support forum
Weird "I’m sorry. I’m afraid I can’t do that." error
This is strange. I just tried to post a new article on a TXP 4.4.1 installation, wrote the article out, chose the section, hit Publish and got this error:
I’m sorry. I’m afraid I can’t do that. I think article publish is no safe operation at this time.
Any ideas? I’m stumped. Happy to post diagnostics if it’d be helpful.
Follow up: I’ve just tried this operation again and it seems to have worked this time. For completeness, I’d really like to know what I did to break it the first time :)
Last edited by gaekwad (2011-06-21 10:09:29)
Re: Weird "I’m sorry. I’m afraid I can’t do that." error
Textpattern 4.4.1 introduced CSRF protection. Basically every form gets a unique token which protects the admin side from session riding. It’s also the thing that’s giving the message when the token posted with the form isn’t up-to-date/correct.
gaekwad wrote:
Follow up: I’ve just tried this operation again and it seems to have worked this time. For completeness, I’d really like to know what I did to break it the first time :)
Nice. Tells that it’s not completely brooken, and we all are not completely stoopid by missing something terribly obvious :) (Just kidding with the stoopid part).
Is there anything that could have modified the token – er – I mean modified your session? For example, did the session expire so you had to log in again while the article editor was open in another browser tab? Are you using some password protection script or integration with, say, forum software? Like, e.g., Ign_password_protect? What plugins do you have installed?
Last edited by Gocom (2011-06-21 11:04:30)
Re: Weird "I’m sorry. I’m afraid I can’t do that." error
Gocom wrote:
Is there anything that could have modified the token – er – I mean modified your session? For example, did the session expire so you had to log in again while the article editor was open in another browser tab? Are you using some password protection script or integration with, say, forum software? Like, e.g., Ign_password_protect? What plugins do you have installed?
Ah, that’s it – this is one I have caching enabled on (not APC) to speed page loading – I have had some problems before with cached /textpattern/ pages, though it was the cache’s fault and not a TXP problem.
With all that in mind, I can confirm CSRF appears to be working!
Thanks for your help, Gocom – I really appreciate it.
As another follow up, the phrase “I’m sorry. I’m afraid I can’t do that. I think article publish is no safe operation at this time.” really needs to be reworded into something that makes more sense, and perhaps isn’t displayed on its own on an otherwise blank page (read: no TXP backend stuff, just a white page with a single line of text – it’s not very graceful)…I don’t think I’ll be the only person to encounter this error message. I fully appreciate this new functionality was rolled out with a view to an early release to protect against vulnerabilities, but now it’s out in the wild it would be great to fine-tune the error wording.
Last edited by gaekwad (2011-06-21 12:14:07)
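An added example, not part of any post in this thread and not Textpattern's own code: a minimal per-session form-token check in PHP, showing why a cached copy of an admin form is refused once the session behind it has changed. The function names, the `_token` field and the `article/publish` action label are assumptions made for the illustration.

```php
<?php
// Added illustration, not Textpattern's code. All names here are hypothetical.

// Derive a per-session token for one admin action from a secret kept server-side.
function make_form_token(string $sessionSecret, string $action): string
{
    return hash_hmac('sha256', $action, $sessionSecret);
}

// Constant-time comparison of the token that came back with the POST.
function token_is_valid(string $sessionSecret, string $action, string $posted): bool
{
    return hash_equals(make_form_token($sessionSecret, $action), $posted);
}

// Handle a state-changing request; on mismatch reveal nothing beyond a refusal.
function handle_post(string $sessionSecret, string $action, array $post): string
{
    $posted = isset($post['_token']) && is_string($post['_token']) ? $post['_token'] : '';
    if (!token_is_valid($sessionSecret, $action, $posted)) {
        return 'refused'; // terse on purpose: no admin chrome, no version hints
    }
    return 'ok';
}

// Headers an admin page can send so that a page cache never stores a rendered
// form together with the token embedded in it.
function admin_cache_headers(): array
{
    return ['Cache-Control: no-store, private', 'Pragma: no-cache'];
}

// --- Constructed scenario ---
// The form was rendered (and cached) under one session...
$oldSecret  = bin2hex(random_bytes(32));
$cachedForm = ['_token' => make_form_token($oldSecret, 'article/publish')];

// ...then the user logged in again and the server holds a new session secret.
$newSecret = bin2hex(random_bytes(32));
$freshForm = ['_token' => make_form_token($newSecret, 'article/publish')];

echo 'cached form: ', handle_post($newSecret, 'article/publish', $cachedForm), PHP_EOL;
echo 'fresh form:  ', handle_post($newSecret, 'article/publish', $freshForm), PHP_EOL;
echo 'no token:    ', handle_post($newSecret, 'article/publish', []), PHP_EOL;
echo implode(PHP_EOL, admin_cache_headers()), PHP_EOL;
```

The cached form and the token-less request are both refused while the freshly rendered form is accepted, which matches the behaviour reported in the thread: a retry with a newly loaded editor page succeeds.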
Re: Weird "I’m sorry. I’m afraid I can’t do that." error
gaekwad wrote:
now it’s out in the wild it would be great to fine-tune the error wording.
Actually, the error message is sparse for a reason. That message is only supposed to appear to people who are intentionally hacking the admin side.
Granted there are edge cases (ign_password_protect and the caching issue you just uncovered) where this message may be shown to regular users, but I’d far rather not give anything away to potential script kiddies than show them a partial admin side for them to deduce further what version or whatever of TXP is running.
Last edited by Bloke (2011-06-21 12:36:44)
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Re: Weird "I’m sorry. I’m afraid I can’t do that." error
Bloke wrote:
Actually, the error message is sparse for a reason. That message is only supposed to appear to people who are intentionally hacking the admin side.
Ah. Yes, good point, well made. And folks like me that try and be clever then it backfires :)
Bloke wrote:
I’d far rather not give anything away to potential script kiddies
Agreed. Perhaps I should respectfully change my request to fix the error message to actually make sense in the respective language (perhaps it’s just en-GB and I’m a whiny Limey): “I think article publish is no safe operation at this time.” just sounds a bit wonky (he says, idiomatically). How about: “That operation is not permitted at this time.” or something equally innocuous?
Re: Weird "I’m sorry. I’m afraid I can’t do that." error
gaekwad wrote:
“I think article publish is no safe operation at this time.” just sounds a bit wonky
It’s Robert’s nod to HAL in 2001: A Space Odyssey :-)
Before that it just read “Get off my lawn” so this version is at least more personified. Point taken, though.
Would “I’m sorry, Dave. I’m afraid I can’t do article publish” be better?! :-D
Last edited by Bloke (2011-06-21 12:58:16)
Re: Weird "I’m sorry. I’m afraid I can’t do that." error
Bloke wrote:
It’s Robert’s nod to HAL in 2001: A Space Odyssey :-)
Y’see, now I just feel bad for not having seen it (I know, the horror!).
Bloke wrote:
Would “I’m sorry, Dave. I’m afraid I can’t do article publish” be better?! :-D
YOU HAVE NO CHANCE TO ARTICLE PUBLISH MAKE YOUR TIME. FOR GREAT JUSTICE.
/me prepares Google Code CR…
Re: Weird "I’m sorry. I’m afraid I can’t do that." error
gaekwad wrote:
YOU HAVE NO CHANCE TO ARTICLE PUBLISH MAKE YOUR TIME. FOR GREAT JUSTICE
lol, yeah. “All your article publish are belong to us”, hehe
Re: Weird "I’m sorry. I’m afraid I can’t do that." error
Bloke wrote:
That message is only supposed to appear to people who are intentionally hacking the admin side […] rather not give anything away to potential script kiddies than show them a partial admin side
Commonly in session riding the attacker won’t see an admin side, as the requester is the user’s browser; nothing is returned to the attacker.
In cases where the browser used lacks security, a vulnerable plugin is targeted to make the request, or the attack comes from the same domain (bypassing domain restrictions), the attacker can steal information.
Re: Weird "I’m sorry. I’m afraid I can’t do that." error
Gocom wrote:
Commonly in session riding the attacker won’t see an admin side, as the requester is the user’s browser; nothing is returned to the attacker.
All true. Thanks for putting my warped sentences straight!
Re: Weird "I’m sorry. I’m afraid I can’t do that." error
Anyone keen to set up a poll? Title: “Favourite pop quote from computers refusing human orders”
Re: Weird "I’m sorry. I’m afraid I can’t do that." error
wet wrote:
Anyone keen to set up a poll? Title: “Favourite pop quote from computers refusing human orders”
This shit doesn’t do polls. Balancing it by saying no to rel="nofollow".
Great. Another religious nut. Damn you, Leroy Jenkins!