Christian Bockermann wrote:
> On 29.05.2007 at 17:23, Brian Rectanus wrote:
>> Christian Bockermann wrote:
>>> Hi All,
>>> attached to this mail is a small patch which adds two new collections
>>> HEADER_ARGS and BODY_ARGS. They can be used to distinguish arguments
>>> with the same name specified in the QUERY_STRING and in the
>>> I tested it with modsecurity-2.1.0 and 2.2.0-dev1. (The patch is against
>>> the dev-version, but also works with 2.1.0).
>>> After applying the patch you can test parameters by
>>> SecRule BODY_ARGS:text "evil" some-actions
>>> SecRule HEADER_ARGS:text !^(A|B)$ some-actions
>>> The first rule will check only arguments which are placed in the body
>>> of a request, whereas the second one will only apply to QUERY_STRING
>>> Perhaps this might be useful for someone.
>>> @Brian: There is still no CVS/SVN available for ModSecurity, right?
>> Nope, no public SVN.
>> Patch looks good. However, for HEADER_ARGS you call
>> var_generic_args_generate with an origin="QUERY_STRING" which sets the
>> var name to "QUERY_STRING_ARGS:foo", but it is really "HEADER_ARGS:foo".
>> Reason? Or just a typo?
> I am not that much into the source of ModSec (it took me quite a long
> time to figure out where I had to insert my code). As I understand the
> code, the use of origin="QUERY_STRING" sets an internal variable to the
> name "QUERY_STRING_ARGS:foo". However, this variable seems to be accessed
> through var_generic_args_generate only, so it should have no effect.
> But I might be wrong with that. (The whole code could need some more
> documentation ;-))
Agreed. Working on that :)
> However - after having spoken to the other Christian - I will post another
> version of the patch which will have the collection renamed to
> QUERY_STRING_ARGS instead of HEADER_ARGS which will then be consistent
> with the above (internal-only?) naming.
Consistency is better. It will show up in the debug log and that might
> Do you plan public SVN (even read-only would be a help for creating
Not anytime soon (lack of time), sorry.
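
The per-origin matching discussed in this thread, modelled as an added Python example (not code from the patch or from ModSecurity). It assumes an application/x-www-form-urlencoded body and uses the QUERY_STRING_ARGS name proposed above; the function names and the sample request are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample request: "text" appears in both the query string and the body.
SAMPLE_QUERY = "text=A&id=7"
SAMPLE_BODY = "text=evil+payload&comment=hi"


def collect_args(query_string, body):
    """Build one collection per origin instead of a single merged ARGS list."""
    return {
        "QUERY_STRING_ARGS": parse_qsl(query_string, keep_blank_values=True),
        "BODY_ARGS": parse_qsl(body, keep_blank_values=True),
    }


def match(collections, collection, name, pattern, negate=False):
    """Return the values of `name` in one collection that trigger the rule.

    negate=True models a leading "!" on the pattern: the rule fires when
    the regular expression does NOT match the value.
    """
    rx = re.compile(pattern)
    hits = []
    for arg_name, value in collections[collection]:
        if arg_name != name:
            continue
        found = rx.search(value) is not None
        if found != negate:
            hits.append(value)
    return hits


def shadowed_names(collections):
    """Names supplied in both origins, where a merged view is ambiguous."""
    in_query = {n for n, _ in collections["QUERY_STRING_ARGS"]}
    in_body = {n for n, _ in collections["BODY_ARGS"]}
    return sorted(in_query & in_body)


if __name__ == "__main__":
    cols = collect_args(SAMPLE_QUERY, SAMPLE_BODY)
    # Models: SecRule BODY_ARGS:text "evil"
    print("body rule hits:", match(cols, "BODY_ARGS", "text", "evil"))
    # Models: SecRule QUERY_STRING_ARGS:text !^(A|B)$
    print("query rule hits:",
          match(cols, "QUERY_STRING_ARGS", "text", r"^(A|B)$", negate=True))
    print("names in both origins:", shadowed_names(cols))
```
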