Fix operator @validateByteRange working with bytes > 127 #1523
`ValidateByteRange::evaluate()` acquires the bytes it validates by indexing `std::string`. The problem is that indexing a string gives a `char`, which is signed, so bytes with codes > 127 will appear as negative integers, resulting in incorrect validation. This can be illustrated by this minimal example:

And this test config:

Even though this config allows any byte except the NULL byte, the URI in the test will fail the check, resulting in an alert, because bytes `\xd0`, `\xa2` etc. are considered negative, hence < 1 and out of range. This breaks rules 920270, 920271 etc. from OWASP CRS (in fact, a config including those rules with `tx.paranoia_level=2` can be used as test.conf in the above example; the rules will be mistakenly triggered).

The proposed solution is to cast a byte from the input string to `unsigned char` before further processing; bytes will then fall in the range [0;255] and be validated as expected. In fact, the same thing is done in v2 (https://github.com/SpiderLabs/ModSecurity/blob/v2/master/apache2/re_operators.c#L4168):