Re: [mod-security-users] allow only integer for a list of params
From: Christian B. <ch...@jw...> - 2012-01-12 13:06:09
On 12.01.2012 at 12:37, Reindl Harald wrote:

> hm - it does not like it
>
> [root@rh:~]$ apachectl -t
> Syntax error on line 202 of /etc/httpd/modsecurity.d/modsecurity_99_local_rules.conf:
> Error creating rule: Unknown variable: s2id
>
>> By adjusting the regular expression, you can extend the type
>> of integers you want to track.
>
> what do you mean with this?
> i like to protect id-params for a cms-systems against non-numeric
> input and do not understand what you mean with "type of integers"

Ok, here's the story: You might want to have IDs, which are exactly 4 digits long, then you can use a regular expression like

    SecRule ARGS:myIDparam !^\d{4,4}$ "block,phase:2,msg:'not a 4-digit id!'"

or an ID that ranges from 1 to 999 (3 digits long):

    SecRule ARGS:myIDparam !^\d{1,3}$ "block,phase:2,msg:'not a 1-3 digit ID!'"

Different "types of integers" was just referring to different lengths of your ID parameters.

The syntax error is probably due to my erroneous specification of trying to check all parameters in as compact notation as possible, try with

    SecRule ARGS:sid|ARGS:s2id|ARGS:gi_id \
        !^\d{1,4}$ \
        "phase:2,block,msg:'Not a proper ID value!'"

Best regards,
Chris
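
The allow-list check from the reply above, as an added Python sketch that is not part of the original message and is not ModSecurity code: it applies the same 1-4 digit pattern to every occurrence of the three ID parameters in constructed query strings, to show which values such a rule flags. The function name, parameter set and sample inputs are constructed for illustration; ASCII-only digits, a strict end anchor and case-insensitive parameter names are assumptions about how the rule engine treats the pattern.

```python
import re
from urllib.parse import parse_qsl

# Constructed policy mirroring the rule in the message: the listed parameter
# names, each of whose values must consist of 1 to 4 ASCII digits.
ID_PARAMS = {"sid", "s2id", "gi_id"}
ID_PATTERN = re.compile(r"[0-9]{1,4}")  # used with fullmatch, so no ^...$ needed


def violations(query_string):
    """Return the (name, value) pairs that the ID check would flag.

    Every occurrence of a listed parameter is checked, so a repeated
    parameter cannot hide a bad value behind a good one. A parameter that
    is absent yields no violation, like a rule with no target to inspect.
    """
    bad = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        # Assumption: parameter names are compared case-insensitively.
        if name.lower() in ID_PARAMS and not ID_PATTERN.fullmatch(value):
            bad.append((name, value))
    return bad


# Constructed sample requests (not taken from the thread).
SAMPLES = [
    "sid=42&page=home",   # valid ID, unrelated parameter ignored
    "sid=12345",          # five digits: too long
    "s2id=7&s2id=abc",    # second occurrence is non-numeric
    "gi_id=",             # empty value
    "sid=-1",             # a sign is not a digit
    "sid=12%0a",          # trailing newline after the digits
    "sid=%D9%A1%D9%A2",   # Arabic-Indic digits, not ASCII
    "page=home",          # no ID parameter at all
]

if __name__ == "__main__":
    for qs in SAMPLES:
        result = violations(qs)
        print(f"{qs!r:25} -> {'BLOCK ' + repr(result) if result else 'pass'}")
```

A request without any of the ID parameters passes, so a parameter that must always be present needs a separate presence check.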