move Content-Encoding check to configurable tx.restricted_headers

crs-setup.conf.example

@@ -509,22 +509,30 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 
 # Forbidden request headers.
 # Header names should be lowercase, enclosed by /slashes/ as delimiters.
-# Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
 # Default: /accept-charset/ /proxy/ /lock-token/ /content-range/ /if/ /user-agentt/
 #
 # Note: Accept-Charset is a deprecated header that should not be used by clients and
 # ignored by servers. It can be used for a response WAF bypass, by asking for a charset
 # that the WAF cannot decode.
 # Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Charset
 #
+# Note: Content-Encoding is used to list any encodings that have been applied to the
+# original payload. It is only used for compression, which isn't supported by CRS by
+# default since it blocks newlines and null bytes inside the request body. Most
+# compression algorithms require at least null bytes per RFC. Blocking it shouldn't
+# break anything and increases security since ModSecurity is incapable of properly
+# scanning compressed request bodies.
+#
+# Note: Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
+#
 # Uncomment this rule to change the default.
 #SecAction \
 # "id:900250,\
 #  phase:1,\
 #  nolog,\
 #  pass,\
 #  t:none,\
-#  setvar:'tx.restricted_headers=/accept-charset/ /proxy/ /lock-token/ /content-range/ /if/ /user-agentt/'"
+#  setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'"
 
 # Content-Types charsets that a client is allowed to send in a request.
 # The content-types are enclosed by |pipes| as delimiters to guarantee exact matches.

rules/REQUEST-901-INITIALIZATION.conf

@@ -237,7 +237,7 @@ SecRule &TX:restricted_headers "@eq 0" \
     pass,\
     nolog,\
     ver:'OWASP_CRS/4.0.0-rc1',\
-    setvar:'tx.restricted_headers=/accept-charset/ /proxy/ /lock-token/ /content-range/ /if/ /user-agentt/'"
+    setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'"
 
 # Default enforcing of body processor URLENCODED
 SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \

rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf

@@ -1218,30 +1218,6 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-#
-# The Content-Encoding header is used to list any encodings that have been applied to the original payload.
-# It is only used for compression, which isn't supported by CRS by default since it blocks newlines and null bytes inside the request body.
-# Most compression algorithms require at least null bytes per RFC. Blocking it shouldn't break anything and increases security
-# since ModSecurity is incapable of properly scanning compressed request bodies.
-#
-SecRule REQUEST_HEADERS:Content-Encoding "@unconditionalMatch" \
-    "id:920620,\
-    phase:1,\
-    block,\
-    t:none,\
-    msg:'Illegal header: Content-Encoding',\
-    logdata:'%{MATCHED_VAR}',\
-    tag:'application-multi',\
-    tag:'language-multi',\
-    tag:'platform-multi',\
-    tag:'attack-protocol',\
-    tag:'paranoia-level/1',\
-    tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
-    severity:'CRITICAL',\
-    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 #

tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920450.yaml

@@ -113,3 +113,17 @@ tests:
               Accept-Charset: UTF-8
           output:
             log_contains: "id \"920450\""
+  - test_title: 920450-8
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            port: 80
+            uri: "/"
+            headers:
+              User-Agent: "OWASP ModSecurity Core Rule Set"
+              Host: "localhost"
+              Accept: text/html
+              Content-Encoding: deflate
+          output:
+            log_contains: "id \"920450\""