Merge pull request #3218 from azurit/http3

coreruleset · Jul 17, 2023 · cdf3ebc · cdf3ebc
2 parents f1476f5 + 069d311
commit cdf3ebc
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 9 deletions.
diff --git a/crs-setup.conf.example b/crs-setup.conf.example
@@ -503,7 +503,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    pass,\
 #    t:none,\
 #    nolog,\
-#    setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
+#    setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
 
 # Forbidden file extensions.
 # Guards against unintended exposure of development/configuration files.

diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
@@ -201,7 +201,7 @@ SecRule &TX:allowed_http_versions "@eq 0" \
     pass,\
     nolog,\
     ver:'OWASP_CRS/4.0.0-rc1',\
-    setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
+    setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
 
 # Default HTTP policy: restricted_extensions (rule 900240 in crs-setup.conf)
 SecRule &TX:restricted_extensions "@eq 0" \

diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -217,19 +217,23 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
 
 #
 # Require Content-Length or Transfer-Encoding to be provided with
-# every POST request if the protocol version is not HTTP/2.
+# every POST request if the protocol version is not HTTP/2 or HTTP/3.
 #
 # In case of HTTP/2, see the RFC7540 8.1 p52:
 # HTTP/2 does not use the Transfer-Encoding: chunked anymore, because
 # the underlying transport protocol is already using data frames with
 # known length.
 #
+# In case of HTTP/3, see the RFC9114 4.1:
+# Transfer codings (see Section 7 of [HTTP/1.1]) are not defined for
+# HTTP/3; the Transfer-Encoding header field MUST NOT be used.
+#
 # -=[ Rule Logic ]=-
-# This chained rule checks if the protocol is not HTTP/2, then checks
-# request method is POST, if so, it checks that a Content-Length or
-# Transfer-Encoding headers are also present.
+# This chained rule checks if the protocol is not HTTP/2 or HTTP/3,
+# then checks request method is POST, if so, it checks that a
+# Content-Length or Transfer-Encoding headers are also present.
 #
-SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0" \
+SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" \
     "id:920180,\
     phase:1,\
     block,\

diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920430.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920430.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "csanders-git"
+  author: "csanders-git, azurit"
   enabled: true
   name: "920430.yaml"
   description: "Description"
@@ -116,7 +116,7 @@ tests:
             method: GET
             port: 80
             uri: /
-            version: HTTP/3.0
+            version: HTTP/4.0
           output:
             log_contains: id "920430"
   - test_title: 920430-9