
Q2A fails posting question/answers/comments with Apache2 ModSecurity rule 930110 active #957

Open
asterbini opened this issue Aug 16, 2022 · 1 comment

Comments

@asterbini

Hi, I have installed Q2A on Ubuntu 22.04 with PHP 8.1, Apache2 and ModSecurity.

When I post a question/answer/comment the rule number 930110 in file /usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf detects the presence of the string "../" in the qa_root argument and blocks the submission because it is similar to a path traversal attack.

I have deactivated this rule in my virtual site and things work, but I would prefer to have the site protected.

From a cursory analysis, it seems that the qa_root parameter is computed by qa-include/qa-index.php at line 163, where a relative path is built by repeating the string "../" in some cases.
Would Q2A work fine if this code is rewritten avoiding the generation of relative paths? Are they necessary somewhere?

Thanks
A
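One way to keep rule 930110 active for the rest of the site while stopping it from blocking Q2A's `qa_root` argument is a targeted rule exclusion rather than disabling the whole rule in the virtual host. The following ModSecurity configuration is an added example, not code from the original post or from the Q2A project; it assumes the OWASP Core Rule Set layout shown in the issue (the rule lives in `REQUEST-930-APPLICATION-ATTACK-LFI.conf`), that Q2A is served under the `/qa/` path (an assumption, adjust to your install), and uses the local rule id `1000`, which is a placeholder in the user-reserved range.

```apache
# Option A: conditional exclusion, placed in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (evaluated before the CRS rules).
# Only for requests under the Q2A path (assumed /qa/), stop rule 930110 from
# inspecting the qa_root argument; every other argument is still checked for "../".
SecRule REQUEST_URI "@beginsWith /qa/" \
    "id:1000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=930110;ARGS:qa_root"

# Option B: unconditional exclusion, placed in
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf (or anywhere after the CRS rules
# are included, because the rule must already exist when this directive runs).
# Removes only ARGS:qa_root from rule 930110's targets, site-wide.
SecRuleUpdateTargetById 930110 "!ARGS:qa_root"
```

Use one of the two options, not both. After reloading Apache, confirm the exclusion is working by posting a question and checking that the audit log no longer records an id 930110 match on `ARGS:qa_root`, while a deliberately crafted request carrying `../` in a different parameter is still blocked. This keeps the LFI protection for every other input instead of trading it away for the whole virtual host.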

@svivian
Collaborator

svivian commented Jul 19, 2023

I think it's complicated due to the fact that Q2A can be in a subfolder, so we'd need to detect and add that to the path, e.g. /qa/path instead of ../path

In theory we may not need to send the qa_root at all in AJAX requests and be able to figure it out automatically, but again it's a bit complicated.
