Missing Content-Type Header with Request Body

[mnot]

In base_rules/modsecurity_crs_21_protocol_anomalies.conf:

These rules will first check to see if a Content-Type header is missing. The second check is to see if a Content-Length header is present and is not empty or contains a 0. If the Content-Length header contains other data than this means that there is a request body and the RFC states that there MUST be a Content-Type header so that the app knows how to parse the data.

RFC7231 says no such thing; the applicable text is:

A sender that generates a message containing a payload body SHOULD generate a Content-Type header field in that message unless the intended media type of the enclosed representation is unknown to the sender. If a Content-Type header field is not present, the recipient MAY either assume a media type of "application/octet-stream" ([RFC2046], Section 4.5.1) or examine the data to determine its type.

http://httpwg.github.io/specs/rfc7231.html#header.content-type

[dune73]

This is only documentation bug.

Update proposal:

#
# Missing Content-Type Header with Request Body
#
# -=[ Rule Logic]=-
# This rule will first check to see if the value of the Content-Length header is 
# non-equal to 0. The chained rule is then checking the existence of the 
# Content-Type header. The RFCs do not state there must be a 
#Content-Type header. However, a request missing a Content-Header is a 
# strong indication of a non-compliant browser.

-=[ References ]=-
https://www.ietf.org/rfc/rfc2616.txt
http://httpwg.org/specs/rfc7231.html#header.content-type

[mnot]

Content-Type is defined by RFC7231:
http://httpwg.org/specs/rfc7231.html#header.content-type

The 2616 reference is obsolete.

[csanders-git]

@mnot interesting - this seems like a weird design choice - particularly since right below where it says servers may "examine the data to determine its type", there is an entire paragraph about why this is bad.

Any idea of how often popular browsers will fail to send the content-type? I'd think it is rare - rare enough that I wouldn't want my webserver guessing probably.

@dune73 seems to have the right approach from our end, although not to spec i don't suspect that this is very common behavior (or encouraged). We should update the documentation for RC2, good find @mnot

[dune73]

I do not remember an alert in connection with this rule. So I am quite sure the said behaviour is rare.

[mnot]

It certainly will be rare, but not all clients are browsers. I agree it's just a doc bug.

[csanders-git]

@mnot we appreciate the issue and the expertise :). Please feel free to keep us informed of changes you see that affect us or issues you spot. We'll merge this in for CRS 3 rc2

[dune73]

There is a clear reason why the rule is there. But if we decide to be stricter than the RFC, then we need to get the facts right. So reporting this is most welcome.

It's just that we have not worked through all the old issues from the time before we took over the project. But we continue to work on it.

[csanders-git]

Being closed in favor of the PR #586