Hello, all :)
I think he really means to block php scripts and allow everything else ..


Ryan Barnett wrote:
Ariel,
If the output of your script is 1, then the request will be allowed.  If
it is anything else (like 0) then it will be blocked.  So, in your
script, if you want to allow the uploading of PHP scripts, you will need
to swap your echo'ed values.  I tested out your script and it worked
once I switched them around.

As for logging, you can increase the debug logging by using the "ctl"
action for this specific rule -

SecRule FILES_TMPNAMES "@inspectFile /bin/uploadparse.sh" "t:none,ctl:debugLogLevel=9"

Then check out the debug log after testing uploading of some files.
Once you are confident that the inspect script is working, remove the
ctl action.  Here is what my debug log showed -

[18/Feb/2007:15:30:22 --0500] [192.168.0.101/sid#99d5f48][rid#9ad0570][/cgi-bin/fup.cgi][4] Executing operator inspectFile with param "/usr/local/apache/tests/uploadparse.sh" against FILES_TMPNAMES:upfile.
[18/Feb/2007:15:30:22 --0500] [192.168.0.101/sid#99d5f48][rid#9ad0570][/cgi-bin/fup.cgi][9] Target value: /tmp//20070218-153022-E-s5gMCoChsAAC7ALE0AAAAA-file-A9sZ1h
[18/Feb/2007:15:30:22 --0500] [192.168.0.101/sid#99d5f48][rid#9ad0570][/cgi-bin/fup.cgi][4] Executing /usr/local/apache/tests/uploadparse.sh to inspect /tmp//20070218-153022-E-s5gMCoChsAAC7ALE0AAAAA-file-A9sZ1h.
[18/Feb/2007:15:30:22 --0500] [192.168.0.101/sid#99d5f48][rid#9ad0570][/cgi-bin/fup.cgi][4] Exec: First line from script output: "1"
[18/Feb/2007:15:30:22 --0500] [192.168.0.101/sid#99d5f48][rid#9ad0570][/cgi-bin/fup.cgi][4] Operator completed in 29047 usec.
[18/Feb/2007:15:30:22 --0500] [192.168.0.101/sid#99d5f48][rid#9ad0570][/cgi-bin/fup.cgi][4] Rule returned 0.
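
An inspection script that follows the output contract described in the message above (1 allows, anything else blocks), written here as an added example; it is not part of the original thread and is not the poster's uploadparse.sh. The function name inspect_upload and the `<?php` content check are assumptions, chosen to block PHP uploads and allow everything else.

```shell
#!/bin/sh
# Hypothetical inspection script for @inspectFile (assumed logic, not the
# script discussed in the thread). The temporary upload path arrives as $1
# and the first line written to stdout is the verdict:
#   starts with 1 -> request allowed
#   anything else -> request blocked
# The text after the verdict is what shows up in the debug log line
# "First line from script output".

inspect_upload() {
    file=$1

    # Fail closed: a missing or unreadable file is reported as a block,
    # so a broken temp path never turns into a silent allow.
    if [ -z "$file" ] || [ ! -r "$file" ]; then
        echo "0 cannot read upload: $file"
        return 0
    fi

    # Look at the file content, not the client-supplied name: the temp
    # file name carries no extension. -F matches the tag as a fixed
    # string, -i catches "<?PHP", -q keeps grep quiet.
    if grep -F -i -q -e '<?php' "$file"; then
        echo "0 PHP open tag found: $file"
    else
        echo "1 no PHP open tag: $file"
    fi
}

# When run as a script with a path argument, print the verdict for it.
if [ "$#" -gt 0 ]; then
    inspect_upload "$1"
fi
```

Run it by hand against a sample file before wiring it into the rule, then confirm the same verdict appears in the debug log at level 9.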