etc_post: post anything from the public side

etc · 2024-07-09 15:44:32

Saving published articles looks a bit inconsistent: event="article" step="edit". But you also need to append at least two (hidden?) inputs to your form or the plugin: ID=## and save=something. Probably some other article fields are mandatory, I’m not sure. Try saving some article on the admin side and inspecting the request in the browsers console to see what is typically sent by txp.

whocarez · 2026-04-08 14:35:07

Hello, is this plugin still working in Textpattern 4.9.1? I updated recently an installation from 4.8.8 to 4.9.1, where a autoposting plugin was relying on etc_post.

I called in this plugin something like that.

$title = "test";	
$body	=	"This is a test.";
$excerpt =	"This is an excerpt.";
$keywords = "Test, Test2";
etc_post(
                array(
                      'user'  => 'newsrobot',
                      'event' => 'article',
                      'step' => 'save',
                ),
                '{"Title":"'. $title .'",
                      "Body":"'. $body .'",
                      "Excerpt":"'. $excerpt .'",
                      "Section":"autonews",
                      "Category1":"newsrobot",
                      "Status":"4",
                      "publish_now":"1",
                      "Keywords":"'. $keywords .'"
               }'
);

and that:

etc_post(
                array(
                      'user' => 'newsrobot',
                      'event' => 'image',
                      'step' => 'image_list'
                ),
                'import='.$working_dir.$title_dash.'.webp'
            );

No errors in log files. I tried it also on a special testing subpage inside <txp:php>...</txp:php> tags and with the etc_post function in my plugin itself, but it is running through without complainings or errors and posting nothing.

Any hint?

jakob · 2026-04-08 16:06:10

Hmm, you’re using this in a plugin, right? Otherwise I would have pointed to this post.

whocarez · 2026-04-08 16:43:29

Yes, etc_post is called in a plugin, which receives the data via a curl post. So, the data is there in the right variables and passed over to the function etc_post, but nothing happens and there is no complaining or error.

whocarez · 2026-04-08 17:23:33

ok, I played a little bit around.

$res from this line

$res = file_get_contents(ahu.'index.php', false, stream_context_create($opts));

contained this warning:

I’m sorry. I’m afraid I can’t do that; article save is an unsafe operation.

So, the problem is certainly related to a security issue.

colak · Yesterday 04:41:48

You can try

SecFilterEngine Off
SecFilterScanPOST Off

to override unsafe operations security issues

etc · Yesterday 14:37:26

IIRC, the lifetime of txp cookies in 4.9 has been reduced to 1 month (instead of 3), to agree admin/public cookies. Have you recently logged into textpattern?

whocarez · Today 10:19:29

colak wrote #343132:

You can try

SecFilterEngine Off...

to override unsafe operations security issues

I use nginx with php 8.2/8.4 running.

etc wrote #343138:

IIRC, the lifetime of txp cookies in 4.9 has been reduced to 1 month (instead of 3), to agree admin/public cookies. Have you recently logged into textpattern?

Yes, this botuser account posted last time on the 7th of April and so etc_post logged him in. And last_access is actually 2026-04-10 12:11:57, what means, that this user account is successfully logging in, but he can’t post.

I oversaw, that there is a new version 0.4 of etc_post, but that didn’t change the behavior.

$res = etc_get_contents(ahu.'index.php', $opts); contains still this warning of an unsafe operation.

gaekwad · Today 10:24:49

whocarez wrote #343145:

I use nginx with php 8.2/8.4 running.

I’m curious about your Nginx modules…can you post your load_module entries from your conf, including any that might be loaded from includes? Might be Naxsi, might be mod_security, might be something else.

whocarez · Today 10:51:37

There is no load_module in my nginx.conf. So, etc_post in version 0.2 worked with textpattern 4.8.8. It stopped working after updating to textpattern 4.9.1. I see in textpattern history, that there was for example this change:

Security: Resolved admin-side XSS vulnerability. Many thanks to Jan Jeffrie Galvez Salloman, aka ‘0xj4n’.

Maybe this applies to etc_post?

Textpattern CMS

Textpattern CMS support forum

#31 2024-07-09 15:44:32

Re: etc_post: post anything from the public side

#32 2026-04-08 14:35:07

Re: etc_post: post anything from the public side

#33 2026-04-08 16:06:10

Re: etc_post: post anything from the public side

#34 2026-04-08 16:43:29

Re: etc_post: post anything from the public side

#35 2026-04-08 17:23:33

Re: etc_post: post anything from the public side

#36 Yesterday 04:41:48

Re: etc_post: post anything from the public side

#37 Yesterday 14:37:26

Re: etc_post: post anything from the public side

#38 Today 10:19:29

Re: etc_post: post anything from the public side

colak wrote #343132:

etc wrote #343138:

#39 Today 10:24:49

Re: etc_post: post anything from the public side

whocarez wrote #343145:

#40 Today 10:51:37

Re: etc_post: post anything from the public side

Board footer