This repository has been archived by the owner on May 14, 2020. It is now read-only.
Content-Type var fix ModSec v2 v3 900220 soap xml #1748
Merged
This PR solves the following problem:
Problem description from the Slack channel:
Did you ever stumble over this FP on NGINX only?? It's not an nginx but a v3 problem. Thanks for clarifying this, Ervin.
curl -vH "Content-Type: application/soap+xml" -d @payload localhost
2020/03/09 09:54:02 [info] 15590#15590: *1 ModSecurity: Warning. Matched "Operator `Rx' with parameter `^application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss- (26 characters omitted)' against variable `TX:0' (Value: `application/soap+xml' ) [file "/.../rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "894"] [id "920420"] [rev ""] [msg "Request content type is not allowed by policy"] [data "application/soap+xml"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS"] [tag "OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "127.0.0.1"] [uri "/"] [unique_id "158374764270.974560"] [ref "o0,20v82,20"], client: 127.0.0.1, server: localhost, request: "POST / HTTP/1.1", host: "localhost"
The variable in rule 901162 has to be
...|application/soap\+xml|...
instead of
application/soap+xml
For NGINX I have to escape the + sign. For Apache this escape throws an error during Apache startup. This is a strange behaviour / difference between Apache and nginx.
Solution:
The solution to this problem is to use the @within operator instead of the @rx operator. This PR here makes all the changes to use the @within operator. Thank you @airween for your support and tests!
This PR will probably make a conflict with #1740. I think it would be good to merge this PR here first and then have a look at #1740 again.
This PR makes PR #1717 obsolete. I will close this PR. Thanks @rsbrisci for your PR!
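A small Python model of the two operators, added here as an illustration and not code from the CRS project or this PR: it shows why the unescaped `+` in the `@rx` alternation rejects `application/soap+xml` (the false positive in the log above) and how a `|`-delimited list with an exact-token check, the `@within` approach this PR adopts, avoids it. The allow-lists below are constructed and shortened; `media_type`, `allowed_by_rx` and `allowed_by_within` are names chosen for this example.

```python
import re

# Constructed allow-list, mirroring the regex alternation quoted in the
# log above (shortened; the real CRS list is longer).  Note the bare '+'.
RX_ALLOWED = (r"application/x-www-form-urlencoded|multipart/form-data|text/xml"
              r"|application/xml|application/soap+xml|application/json")

# The same list written the way the PR proposes: every entry wrapped in '|'
# so that an exact-token membership test can replace the regex.
WITHIN_ALLOWED = ("|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| "
                  "|application/xml| |application/soap+xml| |application/json|")


def media_type(content_type: str) -> str:
    """Drop parameters such as '; charset=utf-8' and normalise case, as the
    first part of rule 920420 isolates the bare media type."""
    return content_type.split(";", 1)[0].strip().lower()


def allowed_by_rx(content_type: str) -> bool:
    """Model of '!@rx ^%{tx.allowed_request_content_type}$'.

    In a regex, 'soap+xml' means 'soa', one or more 'p', then 'xml'; the
    literal '+' is never matched, so application/soap+xml is rejected while
    application/soapxml is (wrongly) accepted.
    """
    return re.fullmatch(RX_ALLOWED, media_type(content_type)) is not None


def allowed_by_within(content_type: str) -> bool:
    """Model of '@within': the request's media type, wrapped in '|', must
    appear verbatim in the delimited list.  No regex metacharacters are
    interpreted, and the delimiters stop a partial token such as 'xml'
    from matching inside 'text/xml'."""
    return f"|{media_type(content_type)}|" in WITHIN_ALLOWED


if __name__ == "__main__":
    for ct in ("application/soap+xml", "application/soapxml", "xml"):
        print(f"{ct:25} rx={allowed_by_rx(ct)!s:5} within={allowed_by_within(ct)}")
```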