绕过 mod_security 在 dreamhost 上编写博客

我已经编写了自己的简单博客软件来显示语法高亮的代码，并且它在我的本地主机上运行良好，但我在 Dreamhost 服务器上使用 mod_security 时遇到了问题。

[Wed Aug 02 06:45:17.149632 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Warning. Pattern match "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\\\s+(?:\\\\/|\\\\w)[^\\\\s]*(?:\\\\s+http\\\\/\\\\d|[\\\\r\\\\n])" at ARGS_NAMES:{"title":"Sharing Code For Authorised and Guest Users in Laravel","slug":"sharing-code-for-authorised-and-guest-users-in-laravel","content":"<p>My Reading Order site appears largely the same whether you're a registered user or just a guest. I wanted to use the same code in both cases, with minor changes for authorised users. This is straight foward in traditional PHP, but it wasn't clear how to do it in Laravel. Given that no one could answer my question on Stack Overflow, and my question was closed as 'subjective,' I assume that the knowledge I'm about to share isn't exactly common.</p>\\n<h2>The Problem</h2>\\n<p>Laravel comes with a middleware called 'Authenticate', which has an alias of 'auth'. According to the documentation,</p>\\n<blockquote>... middleware provide a convenient mechanism for inspecting and filter [hostname "design.murraygunn.id.au"] [uri "/blog/sharing-code-for-authorised-and-guest-users-in-laravel/update"] [unique_id "ZMpd7eTnEFdRa8HCSnC66wAAAA8"], referer: https://design.murraygunn.id.au/blog/sharing-code-for-authorised-and-guest-users-in-laravel/edit
[Wed Aug 02 06:45:17.150461 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Warning. Pattern match "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\\\s+(?:\\\\/|\\\\w)[^\\\\s]*(?:\\\\s+http\\\\/\\\\d|[\\\\r\\\\n])" at REQUEST_BODY. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "53"] [id "921110"] [msg "HTTP Request Smuggling Attack"] [data "Matched Data: lock\\x0alang=\\x22php\\x22\\x0a found within REQUEST_BODY: {\\x22title\\x22:\\x22sharing code for authorised and guest users in laravel\\x22,\\x22slug\\x22:\\x22sharing-code-for-authorised-and-guest-users-in-laravel\\x22,\\x22content\\x22:\\x22<p>my reading order site appears largely the same whether you're a registered user or just a guest. i wanted to use the same code in both cases, with minor changes for authorised users. this is straight foward in traditional php, but it wasn't clear how to do it in..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1" [hostname "design.murraygunn.id.au"] [uri "/blog/sharing-code-for-authorised-and-guest-users-in-laravel/update"] [unique_id "ZMpd7eTnEFdRa8HCSnC66wAAAA8"], referer: https://design.murraygunn.id.au/blog/sharing-code-for-authorised-and-guest-users-in-laravel/edit
[Wed Aug 02 06:45:17.151912 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Warning. Pattern match "[\\\\n\\\\r]" at ARGS_NAMES:{"title":"Sharing Code For Authorised and Guest Users in Laravel","slug":"sharing-code-for-authorised-and-guest-users-in-laravel","content":"<p>My Reading Order site appears largely the same whether you're a registered user or just a guest. I wanted to use the same code in both cases, with minor changes for authorised users. This is straight foward in traditional PHP, but it wasn't clear how to do it in Laravel. Given that no one could answer my question on Stack Overflow, and my question was closed as 'subjective,' I assume that the knowledge I'm about to share isn't exactly common.</p>\\n<h2>The Problem</h2>\\n<p>Laravel comes with a middleware called 'Authenticate', which has an alias of 'auth'. According to the documentation,</p>\\n<blockquote>... middleware provide a convenient mechanism for inspecting and filtering HTTP requests entering your application. For example, Laravel includes a middleware that verifies the user of your application is authenticated.  [hostname "design.murraygunn.id.au"] [uri "/blog/sharing-code-for-authorised-and-guest-users-in-laravel/update"] [unique_id "ZMpd7eTnEFdRa8HCSnC66wAAAA8"], referer: https://design.murraygunn.id.au/blog/sharing-code-for-authorised-and-guest-users-in-laravel/edit
[Wed Aug 02 06:45:17.159647 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Warning. Pattern match "(?:(?:_(?:\\\\$\\\\$ND_FUNC\\\\$\\\\$_|_js_function)|(?:new\\\\s+Function|\\\\beval)\\\\s*\\\\(|String\\\\s*\\\\.\\\\s*fromCharCode|function\\\\s*\\\\(\\\\s*\\\\)\\\\s*{|this\\\\.constructor)|module\\\\.exports\\\\s*=)" at ARGS_NAMES:{"title":"Sharing Code For Authorised and Guest Users in Laravel","slug":"sharing-code-for-authorised-and-guest-users-in-laravel","content":"<p>My Reading Order site appears largely the same whether you're a registered user or just a guest. I wanted to use the same code in both cases, with minor changes for authorised users. This is straight foward in traditional PHP, but it wasn't clear how to do it in Laravel. Given that no one could answer my question on Stack Overflow, and my question was closed as 'subjective,' I assume that the knowledge I'm about to share isn't exactly common.</p>\\n<h2>The Problem</h2>\\n<p>Laravel comes with a middleware called 'Authenticate', which has an alias of 'auth'. According to the documentation,</p>\\n<blockquote>... middleware provide a convenient mechanism fo [hostname "design.murraygunn.id.au"] [uri "/blog/sharing-code-for-authorised-and-guest-users-in-laravel/update"] [unique_id "ZMpd7eTnEFdRa8HCSnC66wAAAA8"], referer: https://design.murraygunn.id.au/blog/sharing-code-for-authorised-and-guest-users-in-laravel/edit
[Wed Aug 02 06:45:17.163379 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Warning. Pattern match "(?i:(?:[\\"'`](?:;?\\\\s*?(?:having|select|union)\\\\b\\\\s*?[^\\\\s]|\\\\s*?!\\\\s*?[\\"'`\\\\w])|(?:c(?:onnection_id|urrent_user)|database)\\\\s*?\\\\([^\\\\)]*?|u(?:nion(?:[\\\\w(\\\\s]*?select| select @)|ser\\\\s*?\\\\([^\\\\)]*?)|s(?:chema\\\\s*?\\\\([^\\\\)]*?|elect.*?\\\\w?user\\\\()|in ..." at ARGS_NAMES:{"title":"Sharing Code For Authorised and Guest Users in Laravel","slug":"sharing-code-for-authorised-and-guest-users-in-laravel","content":"<p>My Reading Order site appears largely the same whether you're a registered user or just a guest. I wanted to use the same code in both cases, with minor changes for authorised users. This is straight foward in traditional PHP, but it wasn't clear how to do it in Laravel. Given that no one could answer my question on Stack Overflow, and my question was closed as 'subjective,' I assume that the knowledge I'm about to share isn't exactly common.</p>\\n<h2>The Problem</h2>\\n<p>Laravel comes with a middleware called 'Authenticate', which has an alias of 'auth'. According to the docu [hostname "design.murraygunn.id.au"] [uri "/blog/sharing-code-for-authorised-and-guest-users-in-laravel/update"] [unique_id "ZMpd7eTnEFdRa8HCSnC66wAAAA8"], referer: https://design.murraygunn.id.au/blog/sharing-code-for-authorised-and-guest-users-in-laravel/edit
[Wed Aug 02 06:45:17.175032 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "design.murraygunn.id.au"]

我是唯一被允许发帖的用户，所以我可能可以关闭 mod_security，但我想知道是否有办法绕过这个问题。Dreamhost 不允许修改 mod_security，而 encodeURLComponent(content) 没有帮助。

我想我可以编写一个函数来分解有问题的单词，但我希望已经有可用的函数了。有什么想法吗？