Issue for tracking original pull request created by user dune73 on date 2018-05-30 04:59:31.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#1105.
HEAD is: b677e4b
BASE is: a216353
This solves the problems referenced in issue #1076 and described in #1096 and follows the preferred solution as discussed in #1076.
We introduce a variable tx.enforce_bodyproc_urlencoded that is off by default. This variable can be enabled in the crs-setup.conf immediately after the PL. The PL description suggests looking into this variable too.
The refactoring of this body processor enforcing also removes the inspection of body payloads for NULL-Bytes that was present in the previous form. That form was incompatible with NGINX and was meant to block non-ASCII payloads immediately. This constraint is now removed, which means a change of behaviour though - but only if tx.enforce_bodyproc_urlencoded is enabled. As this is a manual setting in high security setups, people will be able to handle it themselves and we can gain experience too. Maybe this has to be adopted in the future.
Sorry this took so long. I'm mighty busy at the moment (and a recent flood cut me off from the internet for a few days: https://www.facebook.com/christian.folini.5/media_set?set=a.10215175075917432.1073741832.1448781072&type=3&notif_id=1527586249036659&notif_t=feedback_reaction_generic)
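As an added illustration (not the PR's own diff), this is how the opt-in switch described above fits the CRS layout: the enable stanza in crs-setup.conf directly after the paranoia-level SecAction, the CRS-style default guard in the initialization file, and a gated enforcement rule. Rule ids 900000 and 900010 are assumed to follow the released crs-setup.conf numbering; ids 901998, 901999 and the exact enforcement conditions are hypothetical.

```apache
# crs-setup.conf: paranoia level first, then the body-processor switch
# (ids 900000/900010 assumed to match the released crs-setup.conf numbering).
SecAction \
 "id:900000,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.paranoia_level=1"

# Off by default. Uncomment to force the URLENCODED body processor on
# request bodies that arrive without a Content-Type header.
#SecAction \
# "id:900010,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.enforce_bodyproc_urlencoded=1"

# REQUEST-901-INITIALIZATION.conf: usual CRS default guard, so the variable
# is always defined even if crs-setup.conf never sets it (id hypothetical).
SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
 "id:901999,\
  phase:1,\
  pass,\
  nolog,\
  setvar:tx.enforce_bodyproc_urlencoded=0"

# Enforcement, gated on the switch: only when enabled AND the request body
# carries no Content-Type header, select the URLENCODED processor so the
# payload becomes visible to the rules. No NULL-byte check here, matching
# the behaviour change described in the PR (id and conditions hypothetical).
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
 "id:901998,\
  phase:1,\
  pass,\
  nolog,\
  chain"
  SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
   "ctl:requestBodyProcessor=URLENCODED"
```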