Re: [mod-security-users] Request Body Size Issue
From: Crawford, A. (IT) <And...@ni...> - 2008-07-30 00:24:53
Bummer! Unfortunately that didn't work. I placed the suggested rule in the bottom of "modsecurity_10_config.conf", just to ensure that it would be the very first rule encountered. When I upload a file larger than the configured limit, ModSecurity still logs a complaint in the audit log. I'll wait to hear more soon. I really love using ModSecurity, and would like to continue using it if we can find a way around this prob. Thanks again!

Andrew Crawford | Global Brand IT | Nike, Inc.

-----Original Message-----
From: Brian Rectanus [mailto:Bri...@br...]
Sent: Tuesday, July 29, 2008 10:55 AM
To: Crawford, Andrew (IT)
Cc: mod...@li...
Subject: Re: [mod-security-users] Request Body Size Issue

It may be an issue with it being in a Location tag. Instead it may be needed to use ctl:ruleEngine=Off in phase 1 so that the body is never parsed by ModSecurity. Have you tried something like this as one of your first rules, which will disable further processing by ModSecurity *before* receiving the body of the request?

SecRule REQUEST_FILENAME "^/workspaces/UploadServlet$" \
    "phase:1,t:none,allow,nolog,ctl:ruleEngine=Off"

-B

Crawford, Andrew (IT) wrote:
> The problem is that ModSecurity currently has a hard-coded limit of 1GB,
> and it looks like a regular (signed) long data type. Therefore the most
> I could increase the hard-coded limit to would be 2GB. If my users want
> to upload 3GB files, it seems there is nothing I could do from the
> standpoint of changing the limit (as suggested below).
>
> Beyond that, what would happen if someone uploaded a 3GB file? I would
> think ModSecurity would try to assign the 3GB content length value into
> a 2GB signed long variable, and we'd have a problem. Am I mistaken in
> how I'm thinking about this?
>
> Is there a way to allow 3GB+ file uploads with ModSecurity loaded?
>
> Thanks again,
>
> Andrew Crawford | Global Brand IT | Nike, Inc.
>
> ------------------------------------------------------------------------
> *From:* Ryan Barnett [mailto:Ryan.Barnett@Breach.com]
> *Sent:* Friday, July 25, 2008 2:23 PM
> *To:* Crawford, Andrew (IT); mod...@li...
> *Subject:* RE: [mod-security-users] Request Body Size Issue
>
> This brings up an issue that often confuses people - the setting that
> is causing this is the SecRequestBodyLimit directive -
> http://www.modsecurity.org/documentation/modsecurity-apache/2.5.5/modsecurity2-apache-reference.html#N106FA
>
> This is NOT a rule but a config directive, which means that it cannot
> be controlled by turning off the SecRuleEngine. You can either update the
> setting globally or you can dynamically increase it based on a URL
> location and use the "ctl" action
> (http://www.modsecurity.org/documentation/modsecurity-apache/2.5.5/modsecurity2-apache-reference.html#N113B4)
> in a rule.
>
> Hope this helps.
>
> --
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Application Security
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache
>
> ------------------------------------------------------------------------
> *From:* mod...@li... [mailto:mod...@li...] *On Behalf Of* Crawford, Andrew (IT)
> *Sent:* Friday, July 25, 2008 5:10 PM
> *To:* mod...@li...
> *Subject:* [mod-security-users] Request Body Size Issue
>
> Hi all,
>
> I am trying to figure out how to bypass the 1GB file size limit imposed
> by ModSecurity, and so far without any luck. I upgraded to ModSecurity
> 2.5.5, and it's running in Apache 2.2.8. Both are working great - no
> problems aside from the size limit issue.
>
> I set the file size limit in ModSecurity to 50MB for testing, then I
> added the Apache directive below, hoping that ModSecurity would sort of
> "move out of the way" for specific upload URLs. I originally tried
> using "SecRequestBodyAccess Off", but then realized this probably
> wouldn't work, since it was likely looking at the "Content Length"
> header for incoming file size.
>
> <LocationMatch "/workspaces/UploadServlet">
>     SecRuleEngine Off
> </LocationMatch>
>
> When I upload a 58MB file, I get the ModSecurity message below. Does
> anyone know how to effectively turn ModSecurity off for huge file
> uploads (assuming they always happen on a known URL)? If ModSecurity is
> using a signed long for holding the content size, anything over 2GB
> might cause significant problems for the request, is that right?
>
> --00005aa3-A--
> [25/Jul/2008:13:41:44 --0700] M6vg0JLFFc0AAC7jJDsAAAAH 10.194.193.170 3934 146.197.210.215 80
> --00005aa3-B--
> POST /workspaces/UploadServlet HTTP/1.1
> Host: bnx-qa.nike.com
> Cookie: JSESSIONID=5ACD6DFC7F6B57907170DC0D5C155C42
> User-Agent: Upload-Applet
> Accept: test/plain;q=0.8,*/*;q=0.5
> Content-type: multipart/form-data; boundary=---------------------------aqw3gvr5ic1
> Content-length: 60855160
>
> --00005aa3-F--
> HTTP/1.1 413 Request Entity Too Large
> Content-Length: 353
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> --00005aa3-H--
> Message: Request body is larger than the configured limit (52428800).
> Stopwatch: 1217018504929488 6297 (- - -)
> Producer: ModSecurity for Apache/2.5.5 (http://www.modsecurity.org/).
> Server: Apache
>
> --00005aa3-Z--
>
> Andrew Crawford | Global Brand IT | Nike, Inc.

--
Brian Rectanus
Breach Security
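The audit-log entry Andrew posted is the only evidence in this thread of what actually happened to the request, so it is worth being able to read such entries mechanically. The following is an added example, not code from the thread or from the ModSecurity project: it parses the serial audit-log format (one `--<id>-<letter>--` marker per section, with the request in B, the response headers in F and ModSecurity's own messages in H), pulls the request Content-Length out of B, the status out of F and the limit out of the H-section message, and reports whether the request was over the limit. It also flags a Content-Length that would not fit in a 32-bit signed long, since that is the case Andrew asks about; whether ModSecurity stores the value that way is not established anywhere in the thread, so the flag is only a check on the header value itself. The sample entry is constructed from the one in the thread, reflowed one header per line.

```python
"""Parse ModSecurity 2.x serial audit-log entries and check request body size.

Added example, not part of the original thread or of ModSecurity itself.
Assumed: the serial audit-log layout of --<hexid>-<LETTER>-- section markers.
"""
import re

# Constructed sample: the entry from the thread, one header per line.
SAMPLE_ENTRY = """\
--00005aa3-A--
[25/Jul/2008:13:41:44 --0700] M6vg0JLFFc0AAC7jJDsAAAAH 10.194.193.170 3934 146.197.210.215 80
--00005aa3-B--
POST /workspaces/UploadServlet HTTP/1.1
Host: bnx-qa.nike.com
Cookie: JSESSIONID=5ACD6DFC7F6B57907170DC0D5C155C42
User-Agent: Upload-Applet
Accept: test/plain;q=0.8,*/*;q=0.5
Content-type: multipart/form-data; boundary=---------------------------aqw3gvr5ic1
Content-length: 60855160

--00005aa3-F--
HTTP/1.1 413 Request Entity Too Large
Content-Length: 353
Connection: close
Content-Type: text/html; charset=iso-8859-1

--00005aa3-H--
Message: Request body is larger than the configured limit (52428800).
Stopwatch: 1217018504929488 6297 (- - -)
Producer: ModSecurity for Apache/2.5.5 (http://www.modsecurity.org/).
Server: Apache

--00005aa3-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
LIMIT_RE = re.compile(r"larger than the configured limit \((\d+)\)")
SIGNED_32BIT_MAX = 2**31 - 1


def iter_entries(log_text):
    """Yield each entry of a serial audit log, from its -A-- marker through its -Z-- marker."""
    start = None
    for m in SECTION_RE.finditer(log_text):
        if m.group(2) == "A":
            start = m.start()
        elif m.group(2) == "Z" and start is not None:
            yield log_text[start:m.end()]
            start = None


def split_sections(entry):
    """Return {section letter: section text} for one audit-log entry."""
    marks = list(SECTION_RE.finditer(entry))
    sections = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        sections[m.group(2)] = entry[m.end():end].strip("\n")
    return sections


def parse_headers(block):
    """Parse 'Name: value' lines after the request/status line; names lowercased."""
    headers = {}
    for line in block.splitlines()[1:]:
        if ":" not in line:
            continue  # blank line or the start of a body, not a header
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def analyze_entry(entry):
    """Summarize one entry: request, status, declared body size and the limit ModSecurity reported."""
    sections = split_sections(entry)
    method, path, _ = sections["B"].splitlines()[0].split(" ", 2)
    req_headers = parse_headers(sections["B"])
    # A missing Content-Length (e.g. chunked upload) is reported as 0, not as an error.
    content_length = int(req_headers.get("content-length", "0"))
    status = None
    if "F" in sections:
        status = int(sections["F"].splitlines()[0].split(" ", 2)[1])
    limit_match = LIMIT_RE.search(sections.get("H", ""))
    limit = int(limit_match.group(1)) if limit_match else None
    return {
        "id": SECTION_RE.search(entry).group(1),
        "method": method,
        "path": path,
        "status": status,
        "content_length": content_length,
        "limit": limit,
        "over_limit": limit is not None and content_length > limit,
        # Only a check on the header value; says nothing about how ModSecurity stores it.
        "exceeds_signed_32bit": content_length > SIGNED_32BIT_MAX,
    }


if __name__ == "__main__":
    for entry in iter_entries(SAMPLE_ENTRY):
        print(analyze_entry(entry))
```

Run against a real `SecAuditLog` file (`analyze_entry(e) for e in iter_entries(open(path).read())`) this gives a quick list of which upload URLs are tripping the limit and by how much, which is the information needed to decide whether a per-location `ctl` rule or a global change to `SecRequestBodyLimit` is the right fix.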