-
Notifications
You must be signed in to change notification settings - Fork 727
Add urlDecodeUni() operation to ARG/ARGS_NAMES #578
Conversation
- Add the urlDecodeUni transform operation to rules which inspect the ARGS/ARGS_NAMES collections, which do not currently call urlDecodeUni - This operation should be here. Some rules were written under the assumption that Apache/Nginx will automatically decode these collections prior to entering Modsecurity. - This change should be a NO-OP for Apache/Nginx
it isn't a NOP but is an extra transformation which is additional overhead - but saying as others use these rules it might be advisable. |
This is a welcome fix. I do not see it applied everywhere, though. How about the following rules?
Am I missing something? |
@dune73 No, I was missing something :) I will update the PR shortly |
So after running the tests, this change will create a regression in 920230:
So perhaps we shouldn't enable it here? The rest of the tests were not impacted. Thoughts? |
Thank you for the update. Are you positive, that all necessary rules have the transformation now? My comment was written after a quick glance over the ruleset. I see why there would be a regression with this rule. It's an encoding check, after all. Maybe the regex needs to be adopted. Are you understanding the regex and can you try and fix it? If that is not possible, we need a comment next to the rule why the transformation is not being applied. |
Yes, I think this rule requires utftounicode() actually, since the rule is looking for the same pattern that would be returned as a result of that transform function [u[0-9a-fA-F]{4}] (basically implying that raw unicode characters were present in the ARGS strings. I will look into it in more detail though. There are a few issues reported with that function too: https://github.com/SpiderLabs/ModSecurity/issues/created_by/katef |
Stop decoding things twice. See SpiderLabs#590 for details.
Stop decoding things twice. See SpiderLabs#590 for details.
Stop decoding things twice. See SpiderLabs#590 for details.
Stop decoding things twice. See SpiderLabs#590 for details.
Stop decoding things twice. See SpiderLabs#590 for details.
ARGS/ARGS_NAMES collections, which do not currently call urlDecodeUni
that Apache/Nginx will automatically decode these collections prior to
entering Modsecurity.
I am creating this PR to start the discussion
Thoughts?