Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Double charset-header #650

Closed
leonelr opened this issue Jan 23, 2014 · 4 comments
Closed

Double charset-header #650

leonelr opened this issue Jan 23, 2014 · 4 comments

Comments

@leonelr
Copy link

leonelr commented Jan 23, 2014

Hi there,
I have appended the same comments below on the following issue "ModSecurity 2.7.5 for Nginx 1.4.2 duplicate charset headers".

In response, I was told that there was an update on the way the header is set and that it was fixed under the development tree.

I have updated my MODSEC with the Branch Master code and I still see the same issue.

Please see below my original comments .... any help would be much appreciated.


Is there a way to prevent MODSEC from adding the second charset-header at all (assuming this is expected behaviour)?

I am running version 2.7.7 on NGINX version 1.4.4 (Ubuntu 12.04 LTS) and I can not find a way to toggle this on / off .... not even sure if this is even possible (sorry.. I am pretty new to modsec).

At the moment I have an issue where with modsecurity enabled we appear to be seeing duplicate charset attributes... for example, Content-Type: text/xml; Charset=UTF-8; charset=UTF-8;.... browsers will ignore the duplicate "Charset=UTF-8; charset=UTF-8"; but this is breaking one of my applications (we think that possibly MSXML is choking on it (when it retrieves such content using a document() call)).. just doesn't like that double charset.... the page throws the following error: "....System does not support the specified encoding......"

Thanks.

@zimmerle
Copy link
Contributor

Hi @leonerl,

Thanks for the bug report. The bug is confirmed. I was able to reproduce with the following configuration:

server {
        listen 8088;
        server_name localhost;
        error_log  logs/error_server_8088.log debug;

        ModSecurityEnabled on;
        ModSecurityConfig /etc/modsecurity/modsecurity.conf;

        location / {
                proxy_pass  http://www.google.com;
                proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
                proxy_redirect off;
                proxy_buffering off;
                proxy_set_header        Host            $host;
                proxy_set_header        X-Real-IP       $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}

Using curl, that is what i got:

(zimmerle@zlinux)-(/usr/local/nginx/sbin)$ curl --head http://localhost:8088
HTTP/1.1 302 Found
Server: nginx/1.4.4
Date: Thu, 23 Jan 2014 01:24:33 GMT
Content-Type: text/html; charset=UTF-8; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Location: http://www.google.com/
Cache-Control: private

There is no configuration directive to suppress the Charset.

Here is the slice of the code where the charset is placed:
https://github.com/SpiderLabs/ModSecurity/blob/master/nginx/modsecurity/ngx_http_modsecurity.c#L617-L620

The bug is also reproducible with nginx-1.4.3.

zimmerle pushed a commit that referenced this issue Jan 23, 2014
Apperantly forcing the charset is not placing any benefits, instead it is
cousing problems as documented on #650. This still experimental, just
testing against our regression tests. Such feature was added by the commit:
177b5b9.
@zimmerle
Copy link
Contributor

Hi @leonerl, can you test the branch: issue_650, it can be found at: https://github.com/SpiderLabs/ModSecurity/tree/issue_650

@leonelr
Copy link
Author

leonelr commented Jan 27, 2014

Thanks Felipe .. I will try it out today ... sorry about the late response, it was a long weekend here in AUS.
Will keep you updated.

Cheers,

On 24/01/2014, at 12:20 AM, Felipe Zimmerle wrote:

Hi @leonerl, can you test the branch: issue_650, it can be found at: https://github.com/SpiderLabs/ModSecurity/tree/issue_650

?
Reply to this email directly or view it on GitHub.

Leonel Retamar
C o n s t r u n e t . c o m . a u
We bring a different future to life
P.O.BOX 1933 NSW 2059
Sydney - Australia
m.: +61 413 770 222
e.: leonel.retamar@construnet.com.au
w.: http://www.construnet.com.au

@leonelr
Copy link
Author

leonelr commented Jan 28, 2014

IT WORKS!
Great jobs... much appreciated.

Regards,

On 24/01/2014, at 12:20 AM, Felipe Zimmerle wrote:

Hi @leonerl, can you test the branch: issue_650, it can be found at: https://github.com/SpiderLabs/ModSecurity/tree/issue_650

?
Reply to this email directly or view it on GitHub.

Leonel Retamar
C o n s t r u n e t . c o m . a u
We bring a different future to life
P.O.BOX 1933 NSW 2059
Sydney - Australia
m.: +61 413 770 222
e.: leonel.retamar@construnet.com.au
w.: http://www.construnet.com.au

zimmerle pushed a commit that referenced this issue Mar 20, 2014
Apperantly forcing the charset is not placing any benefits, instead it is
cousing problems as documented on #650. This still experimental, just
testing against our regression tests. Such feature was added by the commit:
177b5b9.
zimmerle pushed a commit that referenced this issue Mar 26, 2014
Apperantly forcing the charset is not placing any benefits, instead it is
cousing problems as documented on #650. This still experimental, just
testing against our regression tests. Such feature was added by the commit:
177b5b9.
zimmerle pushed a commit that referenced this issue Mar 31, 2014
Apperantly forcing the charset is not placing any benefits, instead it is
cousing problems as documented on #650. This still experimental, just
testing against our regression tests. Such feature was added by the commit:
177b5b9.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants