From 56e868ba32f8d7dc8141ffa47bf1f4272ec94f02 Mon Sep 17 00:00:00 2001
From: franbuehler <franbuehler@gmail.com>
Date: Mon, 6 Apr 2020 18:16:55 +0000
Subject: [PATCH 1/2] Resolve issue 1722 and fix content-type whitelisting
---
 rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf | 2 +-
 .../920470.yaml | 31 ++++++++++++++++++-
 2 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 9ae2db96b..6a0cb4dd9 100644
--- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -918,7 +918,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
 # - text/plain; charset="UTF-8"
 # - multipart/form-data; boundary=----WebKitFormBoundary12345
 #
-SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+-]+(?:\s?;\s?(?:boundary|charset)\s?=\s?['\"\w.()+,/:=?-]+)?$" \
+SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w\/.+-]+(?:\s?;\s?(?:action|boundary|charset|type|start(?:-info)?)\s?=\s?['\"\w.()+,/:=?<>@-]+)*$" \
 "id:920470,\
 phase:1,\
 block,\
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml
index cc238347b..e1ed055e1 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
- author: "lifeforms"
+ author: "lifeforms, Franziska Bühler"
 enabled: true
 name: "920470.yaml"
 description: "Content-Type header format checks"
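Review bot: Changing the parameter group from `)?$` to `)*$` on the new SecRule line lets the same parameter name repeat, so a header like `multipart/form-data; boundary=a; boundary=b` (constructed example) now passes a rule whose purpose is to reject malformed Content-Type values, whereas the old pattern admitted at most one parameter. A repeated parameter is ambiguous for downstream consumers (some honour the first value, some the last), and for `boundary` that ambiguity decides how the multipart body is parsed, so if the intent is only to allow several distinct parameters, a companion check that each parameter name occurs at most once would keep that property. The parameter names are also matched case-sensitively (no `(?i)`), although MIME parameter names are case-insensitive, so `Charset=UTF-8` remains a false positive. Since `<`, `>` and `@` are added to the value class only for the `start=` form, the example list in the comment block above the rule could gain a line such as `# - multipart/related; type="application/xop+xml"; start="<root.message@example>"` so the next reader knows why those characters are allowed. The SecRule continues past the end of the hunk.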
@@ -169,3 +169,32 @@
 Content-Length: 0
 output:
 log_contains: "id \"920470\""
+ - test_title: 920470-13
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ port: 80
+ method: POST
+ headers:
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Host: "localhost"
+ Content-Type: 'multipart/related; type="application/xop+xml"; boundary="uuid:a111aaa1-aa11-1a11-a11a-11a1111aa11a"; start="<root.message@cxf.apache.org>"; start-info="application/soap+xml'
+ Content-Length: 0
+ output:
+ no_log_contains: "id \"920470\""
+ - test_title: 920470-14
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ port: 80
+ method: POST
+ headers:
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Host: "localhost"
+ Content-Type: 'application/soap+xml; action="urn:hl7-org:v3:PRPA_IN201305UV02"; charset=UTF-8'
+ Content-Length: 0
+ output:
+ no_log_contains: "id \"920470\""
+
From c3912a69442dfc4059006d91f489e624481d8803 Mon Sep 17 00:00:00 2001
From: franbuehler <franbuehler@gmail.com>
Date: Mon, 6 Apr 2020 18:21:43 +0000
Subject: [PATCH 2/2] Resolve issue 1722 and fix content-type whitelisting
---
 rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 6a0cb4dd9..9de5b4f63 100644
--- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -918,7 +918,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
 # - text/plain; charset="UTF-8"
 # - multipart/form-data; boundary=----WebKitFormBoundary12345
 #
-SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w\/.+-]+(?:\s?;\s?(?:action|boundary|charset|type|start(?:-info)?)\s?=\s?['\"\w.()+,/:=?<>@-]+)*$" \
+SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+-]+(?:\s?;\s?(?:action|boundary|charset|type|start(?:-info)?)\s?=\s?['\"\w.()+,/:=?<>@-]+)*$" \
 "id:920470,\
 phase:1,\
 block,\
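Review bot: The Content-Type value in test 920470-13 is malformed: `start-info="application/soap+xml` has no closing double quote before the YAML single quote ends the string, so the fixture does not exercise the quoted form it appears to test, and it passes only because `"` is an ordinary member of the rule's value character class rather than something the rule balances. Change it to `start-info="application/soap+xml"`. Both new tests are negative (`no_log_contains`); unless the earlier tests in this file already do so, a positive test with a header the widened pattern must still reject (an unlisted parameter name, or a value character outside the class) would catch a future loosening of the regex. The conf hunk in PATCH 2/2 only drops the redundant `\/` escape and raises nothing further.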