Allow REQUEST_BODY to be populated for an unparsable request body type #160
Comments
|
Original reporter: brectanus |
ghost
assigned
|
brectanus: Changeset: 1185 |
|
ivanr: The code is all right, but I don't think the name of the ctl option is adequate, especially in the light of MODSEC-17. There are two different features here: one is request buffering from an external point of view, and the other is the same but from the internal point of view. I think most users would take request buffering to refer to the former. For example, ModSecurity 2.5.6 always buffers requests, but what we are adding with this ticket is having request data in a continuous buffer. Being practical, I think we should only change the name of the directive at this point to, say, haveRequestBodyVariable, purely from the perspective that this feature is going to be used by 2.5.x users to inspect traffic that they wouldn't otherwise be able to inspect. |
|
brectanus: I agree, but I am not sure that haveRequestBodyVariable makes much sense to the user either. What we are doing is forcing the creation and allowing use of REQUEST_BODY. Some other choices:
Any preference? |
|
ivanr: I think forceRequestBodyVariable is the best choice. |
|
brectanus: Ivan, I am just waiting a review on this before closing. Thanks, |
|
brectanus: The attached patch adds support for ctl:requestBodyBuffering=on|off to force request body buffering in memory and populating REQUEST_BODY. |
|
brectanus: Changed in #1201. |
MODSEC-6: REQUEST_BODY is only populated for known parseable types. But sometimes we may need access to this target for content types we know nothing about. Right now, you can set ctl:requestBodyProcessor=URLENCODED and REQUEST_BODY may be used, but there will be warnings/errors parsing the protocol.
There needs to be a way to force buffering the request so that REQUEST_BODY can be used without attempting to parse.
The text was updated successfully, but these errors were encountered: