When a request is blocked, the following code is run. The drupal_add_http_header causes a 404 page, rather than displaying the blocked message. It would be nice to have a checkbox on the "Blocking" tab of the PHPIDS configuration page to choose between the two methods. The checkbox text could read "Block with HTTP 404 error", and when not checked the Title/Body fields would be displayed for the blocking message. The 404 page is nice as it hides that the IDS is blocking the request, and I prefer it to using a message.
/**
 * Display simple html block page with configured blocking title and text.
 */
function _phpids_block_page() {
  drupal_add_http_header('Status', '404 Not Found');
  $phpids_block_html = '<html xmlns="http://www.w3.org/1999/xhtml"><head><title>@phpids_block_title</title></head><body><h1>@phpids_block_title</h1><p>@phpids_block_text</p></body></html>';
  $phpids_block_title = variable_get('phpids_block_title', 'Security warning');
  $phpids_block_text = variable_get('phpids_block_text', 'Your request to this website has been blocked. Please inform the webmaster of this site if you think that your access has been blocked by mistake.');
  // Replace the @phpids_block_title and @phpids_block_text placeholders with
  // the configured values, escaped with check_plain().
  print strtr($phpids_block_html, array('@phpids_block_title' => check_plain($phpids_block_title), '@phpids_block_text' => check_plain($phpids_block_text)));
  exit;
}

Also, it would be nice to have a small message on the "Testing" tab content, noting that when test mode is enabled, blocking will not occur. Without understanding how the module worked, I got tripped up on that and thought it wasn't blocking requests correctly.
Comments
Comment #1
rudetrue commented
After some research it looks like it might be this (on Chrome and FF it works as expected): http://www.404-error-page.com/404-error-page-too-short-problem-microsoft...
Sorry for the confusion.