This repository has been archived by the owner on Nov 8, 2023. It is now read-only.
Lack of support for PATCH method #358
Comments
|
Yes, that sounds like a good idea :) |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Despite the official statement that "Naxsi filters only
GETandPOSTrequests" I have been able to perform a basic experiment observing thatPUTandDELETE(as well asHEADandOPTIONS) are filtered as expected. PATCH seems to be an exception though, and isn't filtered based on its body contents. Is this something that can be fixed?In more detail, I modified the hex encoding rule to be
MainRule "str:0x" "msg:0x, possible hex encoding" "mz:RAW_BODY|BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:DROP" id:1002;and removed a majority of the other rules. I then issued the following request:curl --request PATCH -d '{"test":"0x"}' localhostand saw Naxsi allow the request to pass to the backend. The requestcurl --request PATCH -d '{"test":"abc"}' localhost/0xwas correctly blocked however, indicating there is some basic support for the PATCH method.The text was updated successfully, but these errors were encountered: