Content-Type var fix ModSec v2 v3 900220 soap xml

crs-setup.conf.example

@@ -388,17 +388,17 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
 
 # Content-Types that a client is allowed to send in a request.
-# Default: application/x-www-form-urlencoded|multipart/form-data|multipart/related|\
-# text/xml|application/xml|application/soap+xml|application/x-amf|application/json|\
-# application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain
+# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
+# |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json|
+# |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|
 # Uncomment this rule to change the default.
 #SecAction \
 # "id:900220,\
 #  phase:1,\
 #  nolog,\
 #  pass,\
 #  t:none,\
-#  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|multipart/related|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain'"
+#  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
 
 # Allowed HTTP versions.
 # Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0

rules/REQUEST-901-INITIALIZATION.conf

@@ -182,7 +182,7 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
     pass,\
     nolog,\
     ver:'OWASP_CRS/3.2.0',\
-    setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|multipart/related|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain'"
+    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
 
 # Default HTTP policy: allowed_request_content_type_charset (rule 900270)
 SecRule &TX:allowed_request_content_type_charset "@eq 0" \

rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf

@@ -103,7 +103,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
     t:none,\
     nolog,\
     ver:'OWASP_CRS/3.2.0',\
-    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/vcard'"
+    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
 
 # Allow the data type 'application/octet-stream'
 
@@ -116,7 +116,7 @@ SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \
     ver:'OWASP_CRS/3.2.0',\
     chain"
     SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \
-        "setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|application/octet-stream'"
+        "setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/octet-stream|'"
 
 # Allow data types like video/mp4
 
@@ -290,7 +290,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
     t:none,\
     nolog,\
     ver:'OWASP_CRS/3.2.0',\
-    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/vcard'"
+    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
 
 # Allow modifying contacts via the web interface
 SecRule REQUEST_METHOD "@streq PUT" \
@@ -315,7 +315,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \
     t:none,\
     nolog,\
     ver:'OWASP_CRS/3.2.0',\
-    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/calendar'"
+    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/calendar|'"
 
 
 # [ Notes ]

rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf

@@ -964,11 +964,10 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
     tag:'PCI/12.1',\
     ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
+    setvar:'tx.content_type=|%{tx.0}|',\
     chain"
-    SecRule TX:0 "!@rx ^%{tx.allowed_request_content_type}$" \
-        "t:none,\
-        ctl:forceRequestBodyVariable=On,\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+    SecRule TX:content_type "!@within %{tx.allowed_request_content_type}" \
+        "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #

tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml

@@ -1,6 +1,6 @@
 ---
   meta:
-    author: "csanders-git"
+    author: "csanders-git, Franziska Bühler"
     enabled: true
     name: "920420.yaml"
     description: "Description"
@@ -218,4 +218,37 @@
               data: "test"
             output:
               no_log_contains: "id \"920420\""
+    -
+      test_title: 920420-10
+      stages:
+        -
+          stage:
+            input:
+              dest_addr: "127.0.0.1"
+              port: 80
+              method: "OPTIONS"
+              headers:
+                  User-Agent: "ModSecurity CRS 3 Tests"
+                  Host: "localhost"
+                  Content-Type: "application/soap+xml"
+              data: "test"
+            output:
+              no_log_contains: "id \"920420\""
+    -
+      test_title: 920420-11
+      stages:
+        -
+          stage:
+            input:
+              dest_addr: "127.0.0.1"
+              port: 80
+              method: "OPTIONS"
+              headers:
+                  User-Agent: "ModSecurity CRS 3 Tests"
+                  Host: "localhost"
+                  Content-Type: "application"
+              data: "test"
+            output:
+              log_contains: "id \"920420\""
+