Sub Zero wrote:
>>> Access denied with code 406. Pattern match "!^[0-9a-f]*$" at
>>> How do I add ; to the argument seperators?
>> Put in the character set "!^[0-9a-f;]*$"
> Is this an internal bug of mod_security? Can't I define ; as an argument
> seperator like &?
I wouldn't call it a bug. It's more like a missing feature.
> Tom Anderson wrote:
> I see. I hadn't realized semicolons were valid separators. It would
> seem that the mod_security argument parsing needs to be modified, as
> semicolons appear to be RFC-compliant and W3C-recommended separators.
BTW, the RFC you cited does not define the contents of the
query parameter. The semicolons refer to path parameters, which
are different (and, as far as I know, not used in HTTP).
Recommendations like that are seldom helpful. Standards
need to be *very* clear about encodings, with no room
for interpretation. Otherwise we get in a mess, like,
for example, with the cookies specifications.
Tom Anderson wrote:
> 1.9.2 seems to hardcode the "&" character in a couple of places.
It does. I'll probably add support this feature in the
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net