Skip to content

Update MATCHED_VAR explanation with airween's technical details #436

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
fzipi merged 3 commits into from
Jan 6, 2026
Merged

Update MATCHED_VAR explanation with airween's technical details #436

fzipi merged 3 commits into from
Jan 6, 2026

Conversation

Copy link
Contributor

Copilot AI commented Jan 6, 2026
edited
Loading

Incorporated @airween's technical feedback on why MATCHED_VAR and MATCHED_VARS cannot be used as alternative fixes for the CVE-2026-21876 vulnerability.

Changes

  • Primary reason added: MATCHED_VAR exhibits the same last-value-only behavior as TX:1, making it equally vulnerable to the multipart bypass attack
  • Supporting documentation: Added direct quote from ModSecurity reference manual explaining that MATCHED_VAR "holds data for the last operator match"
  • MATCHED_VARS analysis: Explained why the plural variant causes false positives by including all iteration data rather than just the extracted charset values needed for validation

The updated explanation now correctly prioritizes the behavioral similarity over the content format difference.

Before:

A: Because `MATCHED_VAR` contains the **entire** matched string

After:

A: `MATCHED_VAR`'s behavior is almost the same as the `TX:1` captured variable - 
it only holds the **last** inspected target. According to the ModSecurity reference manual:
> This variable holds the value of the most-recently matched variable...
> Note: Be aware that this variable holds data for the last operator match.

So using `MATCHED_VAR` instead of `TX:1` would result in the same vulnerability...

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI mentioned this pull request Jan 6, 2026
Merged
@fzipi
Update MATCHED_VAR explanation with airween's technical details
9fa1f39 
Co-authored-by: fzipi <3012076+fzipi@users.noreply.github.com>
@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Jan 6, 2026
edited
Loading

Deploying website with  Cloudflare Pages  Cloudflare Pages

Latest commit: 0c9a68a
Status: ✅  Deploy successful!
Preview URL: https://7955fc63.website-1u6.pages.dev
Branch Preview URL: https://copilot-sub-pr-435.website-1u6.pages.dev

View logs

@fzipi
Improve readability of MATCHED_VARS explanation
0c9a68a 
Co-authored-by: fzipi <3012076+fzipi@users.noreply.github.com>
Copilot AI changed the title [WIP] Address feedback on original blogpost from CVE pull request Update MATCHED_VAR explanation with airween's technical details Jan 6, 2026
Copilot AI requested a review from fzipi January 6, 2026 20:09
@fzipi fzipi marked this pull request as ready for review January 6, 2026 20:28
@fzipi fzipi merged commit f628002 into chore/add-blogpost Jan 6, 2026
1 check passed
@fzipi fzipi deleted the copilot/sub-pr-435 branch January 6, 2026 20:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@airween airween airween approved these changes

+1 more reviewer

@fzipi fzipi fzipi approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@fzipi fzipi

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@airween @fzipi