Set TX:MSC_PCRE_LIMITS_EXCEEDED variable is limits exceeded #2901
Conversation
|
Cc @brandonpayton. |
I do not know yet. If a rule writer can make a rule both for mod_security2 and libmodsecurity3 (the two are compatible), then - I think - it's not distracting. |
|
I think it is a little confusing to have two different sets of vars indicating MSC PCRE errors. At least I personally find it confusing. :) |
|
I do not see a need why compatibility had to be broken here. Anything bringing it back is good from my perspective. |
|
@brandonpayton, @dune73 - thanks guys. In the meantime, a new issue appeared: #2902, so I think there are three votes to remove the regular variable. @martinhsv - what would be the better: should I add a new commit to this PR which removes the variable by #2736, or (if this PR is fine) after merging this, I will create a new PR? |
|
I have made some comments in #2902 . In brief: to me it would seem confusing to have pcre error flags set by the engine to use TX:, when we don't do that with any other such errors (REQBODY_ERROR, the many MULTIPART_ errors, etc.) In other words, the existing v3 functionality may reasonably be considered an improvement. With the functionality as implemented in #2737 , TX: variables continue to be reserved for transaction variables that are created by individual rules -- either through direct naming or via the capture action). (Of course, if left as is, the v3 doc and rule 200005 in modsecurity.conf-recommended need updates.) For anyone wishing to have a single rule work in both v2 and v3, writing a single SecRule to do so is pretty straightforward. |
Sorry for the request, but could you show an example? mod_security2 does not support |
|
Ugh. I see your point. I didn't think that through fully from the perspective of a v2 installation. Handling both v2 and v3 might indeed be annoying to try to do with a single SecRule. I'll give that a bit more thought. |
No problem.
Thanks. Let me know if I can help you anything. |
|
All right. There is a way to do the test without creating this TX variable within the code. However, the simplest, non-contrived way that I could think of doing so, involves creating a TX variable within a chained rule. Having a synonym for backwards-compatibility reasons isn't terrible. I'm ok with this and will proceed to merge. |
|
@martinhsv thanks. Now what should we do with the "regular" Should I prepare a PR? |
|
A good way to handle such inconsistencies would be to add the version number in a variable. Using an environment variable also allows to perform some checks with mod_header. |
There was a PR (#2737) which fixes an earlier shortcoming, namely that the
@rx(and@rxGlobal) operator(s) do not handle PCRE limit issues.I didn't follow it, but unfortunately seems it implements a different behavior from the other engine (mod_security2).
In mod_security2's reference the relevant behavior is explained as:
May be the documentation is a bit ambiguous, but it means the
TX.MSC_PCRE_LIMITS_EXCEEDEDwill be set, not the "regular"MSC_PCRE_LIMITS_EXCEEDEDvariable.This patch corrects this behavior.
Please note, that the introduced variable is not mentioned in v3's documentation.
Why is this important?
The OWASP Core Rule Set team has a plan for the rule set to handle these types of errors. Without the compatibility, we can't do that.