diff --git a/CHANGES b/CHANGES
index 6a9804a7d..b0b0d0d64 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
 DD mmm YYYY - 2.9.x (to be released)
 -------------------
+ * Adjust parser activation rules in modsecurity.conf-recommended
+ [Issue #2799 - @terjanq, @martinhsv]
 * Multipart parsing fixes and new MULTIPART_PART_HEADERS collection
 [Issue #2797 - @terjanq, @martinhsv]
 * Limit rsub null termination to where necessary
diff --git a/modsecurity.conf-recommended b/modsecurity.conf-recommended
index 203349ecd..11ffbbbdf 100644
--- a/modsecurity.conf-recommended
+++ b/modsecurity.conf-recommended
@@ -19,21 +19,21 @@ SecRequestBodyAccess On
 # Enable XML request body parser.
 # Initiate XML Processor in case of xml content-type
 #
-SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
+SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
 "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
 # Enable JSON request body parser.
 # Initiate JSON Processor in case of JSON content-type; change accordingly
 # if your application does not use 'application/json'
 #
-SecRule REQUEST_HEADERS:Content-Type "application/json" \
+SecRule REQUEST_HEADERS:Content-Type "^application/json" \
 "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
 # Sample rule to enable JSON request body parser for more subtypes.
 # Uncomment or adapt this rule if you want to engage the JSON
 # Processor for "+json" subtypes
 #
-#SecRule REQUEST_HEADERS:Content-Type "^application/.+[+]json$" \
+#SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
 # "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
 # Maximum request body size we will accept for buffering. If you support
diff --git a/tests/regression/rule/10-xml.t b/tests/regression/rule/10-xml.t
index ea9d6ad99..f2632745b 100644
--- a/tests/regression/rule/10-xml.t
+++ b/tests/regression/rule/10-xml.t
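Review bot: Rule 200001's new pattern `^application/json` pins the start of the header value but still has no right-hand boundary, so any media type whose subtype merely begins with `json` (e.g. `application/json-seq`, whose body is not a single JSON text) also selects the JSON body processor; the same open end applies to `xml` in rule 200000 and to the sample rule 200006, which additionally dropped its former `$`. If that is deliberate — it is what lets parameters such as `application/json; charset=utf-8` keep matching — the comment block above each rule should say so, e.g. `# Anchored at the start of the header value so a matching token inside a parameter cannot select the processor; intentionally not anchored at the end so media-type parameters (e.g. "; charset=utf-8") still match.` A tighter form that still tolerates parameters would require a terminator after the subtype, along the lines of `^application/json(?:$|[\s;])`; I would run that against the regression corpus before adopting it. Rule 200006's `[a-z0-9.-]` class is also narrower than the RFC 6838 name alphabet (which, as I read it, additionally permits `_`, `!`, `#`, `$`, `&` and `^`), which is acceptable for a sample rule but worth a word in its comment.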
@@ -394,7 +394,7 @@
 SecXmlExternalEntity On
 SecDebugLog $ENV{DEBUG_LOG}
 SecDebugLogLevel 9
- SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" "id:500029, \\
+ SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" "id:500029, \\
 phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML"
 SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500030
 SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope-bad.dtd" "id:500031 \\
diff --git a/tests/regression/rule/15-json.t b/tests/regression/rule/15-json.t
index 370ebba6a..9c1781750 100644
--- a/tests/regression/rule/15-json.t
+++ b/tests/regression/rule/15-json.t
@@ -236,7 +236,7 @@
 SecAuditLog "$ENV{AUDIT_LOG}"
 SecDebugLogLevel 9
 SecRequestBodyJsonDepthLimit 3
- SecRule REQUEST_HEADERS:Content-Type "application/json" \\
+ SecRule REQUEST_HEADERS:Content-Type "^application/json" \\
 "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
 SecRule REQBODY_ERROR "!\@eq 0" "id:'200444',phase:2,log,deny,status:403,msg:'Failed to parse request body'"
 SecRule ARGS "\@streq 25" "id:'200445',phase:2,log,deny,status:403"
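Review bot: The 10-xml.t change (and the parallel one in 15-json.t) only swaps the Content-Type regex of the test's activation rule for the new recommended pattern; neither hunk adds a case for what the `^` anchor is meant to prevent, namely a request whose Content-Type names another media type but carries `xml`/`json` later in the value, which should now leave `REQBODY_PROCESSOR` unset. Unless such a negative case already exists elsewhere in these files, I'd add one per file so the anchoring change tracked in Issue #2799 is actually covered by the regression suite. Since the test now carries a verbatim copy of rule 200000's regex, a one-line config comment above it, `# mirrors rule 200000 in modsecurity.conf-recommended; keep in sync`, would make the dependency visible the next time the recommended conf changes. The enclosing test definitions start and end outside both hunks.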