403 error
  • Folks:

    I was doing fine with MarsEdit but now I can't post and can't download the latest entries on my blog. When I try to do anything, I receive the following error:

    "Can't do get recent posts for XXXXXX because the server reported and error. The server returned an unexpected reponse code: 403"

    Things were fine before. Any help would be great.
  • Hi Wonko - unfortuantely the news is pretty straightforward here - it sounds like either your server is misconfigured, or the RPC URL in your blog settings got changed?

    This is something you can test pretty easily. If you open up the Weblog details (just double-click the blog item in the drawer), you'll find the RPC URL in that setup dialog. Copy and paste that into your browser to test whether the server gives you the same error when you manually load it outside of MarsEdit.

    If that seems to work but the error still occurs in MarsEdit, can you open the RPC Console (from the Widnow menu in MarsEdit) and then try to refresh again? Send the debugging log from that window to support@red-sweater.com and I'll take a look!

    Daniel
  • Daniel:

    Thanks for the prompt response. I entered the RPC URL in my browser and received the message:

    "XML-RPC server accepts POST requests only."

    Clear of RPC Console file and refresh brings up the same error.

    Should I send the RPC Console file?
  • Yes, please do sen the RPC Console file. It sounds like the URL itself is working if it was able to tell you it wants a POST. I'll investigate further!

    Daniel
  • It seems I'm in the same situation as Wonko. At some time in the past, I remember MarsEdit working with my blog, then I didn't use MarsEdit for several months, and now when I try to connect I get the same 403 error as Wonko described.

    Have any further developments come out of this issue? Wonko, did you get your problem resolved?

    Here's my story:

    - I'm running the latest release of WordPress 2.1.2
    - My xmlrpc.php file has permissions set to 644
    - I get a 403 error when connecting with MarsEdit and when going to the xmlrpc.php URL with Safari
    - If I duplicate the xmlrpc.php file and call it test.php and then open it in my browser, I get this:

    XML-RPC server accepts POST requests only.

    - If I then put the test.php URL into MarsEdit's RPC URL field, I get the same 403 error I saw with the original xmlrpc.php file.

    I had been assuming all along that the problem was some kind of a configuration issue with my service provider, so I sent them an email. This was there response:

    "Is this application [MarsEdit] attempting to make a remote connection to our server? That's what it looks like it may be doing from what you say. We do not allow this sort of action between remote hosts -- it proves a great security risk, unfortunately. It's likely that you're getting blocked by a config on our server set to disallow remote hosts to write to your files."

    I'm not sure how to respond to this. Yeah, I guess MarsEdit is making a remote connection, but isn't it over port 80 using HTTP? As far as their web server is concerned, is it really that different from a typical HTTP request from a web browser?

    Any help would be greatly appreciated.
  • Dennis: yes, the extent to which MarsEdit "makes a remote connection" is to provide HTTP POST requests over port 80 to your server (unless it's an HTTPS connection).

    I know some hosts explicitly filter xmlrpc.php, so it was a good idea of yours to test against test.php. I'm not sure how they would filter against this unless they outright forbid all HTTP POST activity. If they won't relent on this policy, it frankly sounds pretty restrictive.

    I would ask them to compare their policy against other hosting services which obviously allow such functionality. It's especially annoying that it sounds like they changed the policy on you after having things work previously :(

    It might be worth sending them a copy of the RPC Console (Window -> RPC Console) when you try to refresh your blog. Then they can confirm or deny that they don't allow that specific type of HTTP activity.

    Daniel
  • Daniel:

    As promised, I did the following:

    Updated WordPress to the latest version (2.1.2)
    Contacted my host

    My host says that they haven't changed anything in a good while so I'm not sure if the problem is on that end as MarsEdit was working fine and then not. They've always been prompt and honest with their support in the past so I've no reason to doubt them.

    The problem remains.

    Anywhere else we can go with this? Could it be a WordPress problem?
  • Wonko: the plot definitely thickens. I should have tried this from the start, but for some reason it didn't occur to me because I don't have your password and such. But there's nothing to keep me setting up your blog on my MarsEdit, with the *wrong* password. I did this, and instead of the expected "bad password" reply, I got the same 403 error you are seeing!

    The funny thing is the same request from curl (a command line tool I use for network debugging) seems to WORK. So I definitely think there's a nuance here and it's something MarsEdit is doing. Sorry to make you run around in circles so many times before I figured this out.

    I will be updating ASAP with more information as I find it.

    Daniel
  • While I'm working on this - a long shot - but did you by any chance change your password on the blog recently? Although the result you're seeing is weird, it's still a "403" which is what I'd expect to see when the password was wrong (although it should be returned in a format more readable by MarsEdit).

    Can you double-check that your password is right, by selecting File -> Enter Weblog Password...

    And also double-check that the user name is the same exact name as you use to login via the WordPress login panel.

    Thanks,
    Daniel
  • OK - I am sorry for the rapid-fire messages here - I think you can ignore the other ones for now :) I'll leave them there for posterity.

    I narrowed the problem down to a rather technical detail. I think you should share this information with your host and see what they say. As far as I can tell there is a configuration problem no your host because they are behaving drastically differently depending on the "Content-Type" of the request:

    When MarsEdit or any other remote editor connects to your WordPress installation, it communicates with HTTP POST requests. In every case the contents of the HTTP messages are XML data, so the "Content-Type: text/xml" header is passed along with the request. But your server seems committed to only returning the expected value if the Content-Type is set to "application/x-www-form-urlencoded", a typical value for *forms* that are posted, e.g. from a web page.

    I don't believe there's anything MarsEdit can do to alleviate this. I think the server has to be accommodating of "Content-Type: text/xml" requests. Can you please run this by your server's support again and see if they have any second thoughts about whether there have been changes?

    Daniel
  • Also, please feel free to put your site's support rep in touch with me directly if you'd like me to hash out the details with them.
  • Daniel:

    The host came up with the following workaround that works like a charm.

    Create a .htaccess file.
    Add the following:


    SecFilterEngine Off
    SecFilterScanPOST Off


    Save and upload the .htaccess file to the directory with the Wordpress files.

    All is well now.

    Thanks for all your time on this.
  • Wonko: *Great* News! Glad you found the workaround, and thanks for sharing. It might be similar for other users.
  • Wonko, Daniel:

    The .htaccess solution worked for me as well. Thanks for your help!
  • The forum repeatedly tells me that my message looks like spam :-(

    I have posted it here...

    http://www.duncanmoran.me.uk/rsforum.htm

    Here's hoping that this works this time!
  • The forum repeatedly tells me that my message looks like spam :-(

    [Editor: Pasted in original content that was filtered ... sorry about that]

    Alas I am still getting 403s. My history...

    I did have a Movable Type blog and tried the demo of MarsEdit with that - it worked. Some time has passed and I now have a WordPress blog. The demo having expired I paid for a working version of MarsEdit but have not managed to get it working :-(

    Have checked names and passwords. Have done the .htaccess thing. Still getting 403s while Posting and Refreshing.

    I noticed the RPC thingy mentions mt.getCategoryList - is that right for a WordPress blog?

    Any further suggestions - have not contacted host but they are usually open/helpful about such things and would not normally be blocking anything.

    RPC listing: http://www.duncanmoran.me.uk/RPCConsoleText.txt

    New WordPress blog: http://www.duncanmoran.me.uk/blog/

    Old Movable Type Blog: http://www.duncanmoran.me.uk/weblog/index.htm

    Thanks for any advice that may get this working for me.
  • Hi LameName - sorry about the spam filtering problem. Maybe I should turn that filter off now that I have the silly captcha (math) at registration.

    Also sorry you've been having bad luck getting the server working with MarsEdit. I'm sure we can get to the bottom of it.

    Thanks for posting the RPC log - it's very helpful. It does look a lot like a simple (heh "simple" is a relative term) HTTP server configuration issue. If you take the URL that MarsEdit is trying to access, your RPC URL: http://www.duncanmoran.me.uk/blog/xmlrpc.php, and paste it into a plain browser like Safari, you'll see the same "Not Allowed" error message. That's not *necessarily* a problem but on the vast majority of servers, the file is "GET"-able from a regular browser, even if the script just says "You shouldn't be getting this. For instance, compare with my blog's URL: http://www.red-sweater.com/blog/xmlrpc.php

    If you can get in touch with your server admins and tell them that the xmlrpc.php file needs to be publicly accessible for POST requests by the web server, then they should be able to help you to get things in working order.

    Let me know if I can be any more assistance.

    Daniel
  • Yes the spam filtering thing is a bit belt and braces although understandable.

    The advice from the hosting people is:

    the xmlrpc.php file is deliberately restricted on our servers because it typically exposes some security risks on the server (allowing posts from anywhere is a risky thing to do despite the benefits). By forcing you to rename the file to something else you are much less likely to be exploited.

    To use, simply rename your xmlrpc.php file to something else like MyXMLPost.php and point any post requests to that instead.

    That seems to get everything working but will renaming the file cause problems elsewhere?
  • My server (Pair.com) has a similar policy, though they're able to "green light" a particular account for xmlrpc.php usage. At least we have a good explanation!

    I don't think renaming it will cause problems, but you will have to remember to rename again whenever you update WordPress. Actually a good trick might be to use a symbolic link. From the shell account, assuming you have one:

    ln -s xmlrpc.php MyXMLPost.php

    That way the renamed version will always point at the real one.
Start a New Discussion

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!