Re: [mod-security-users] Nulls in post cause false negative (Bug?)
From: <sre...@g8...> - 2003-09-02 16:30:53
> It works, but not completely. For example, it would not catch
> this:
>
> GET /cgi-bin/modsec-test.pl?p=dummy%00chicken
>
> with a filter
>
> SecFilterSelective ARG_p chicken
> (assuming the range allowed is 0-255)

I profess, I only tried the patch with filters that worked on
POST_PAYLOAD.

> To fight this, I will add a piece of code to the URL decoding
> function to automatically convert null bytes %00 to a space. That
> will work in all cases.

That sounds good. If you'd like me to test the new version out, I'd be
happy to do so.

Thanks.

--
sre...@in...
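
The false negative and the proposed fix discussed in this message, as an added example that is not part of the original post and is not mod_security's code. The names `url_decode` and `filter_matches` are hypothetical, and a plain `strstr` search stands in (as an assumption) for the filter's pattern match; like any C-string routine, it stops at the first NUL byte.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hex digit to value; the caller guarantees isxdigit(c). */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    return tolower(c) - 'a' + 10;
}

/* Percent-decode src into dst (dst needs strlen(src)+1 bytes).
 * With null_to_space set, a decoded 0x00 is stored as ' ' so the
 * result remains a single C string. Returns the decoded length. */
size_t url_decode(const char *src, char *dst, int null_to_space) {
    size_t n = 0;
    while (*src) {
        unsigned char c = (unsigned char)*src;
        if (c == '%' && isxdigit((unsigned char)src[1])
                     && isxdigit((unsigned char)src[2])) {
            c = (unsigned char)(hexval((unsigned char)src[1]) * 16
                                + hexval((unsigned char)src[2]));
            src += 3;
        } else {
            src++;
        }
        if (c == 0 && null_to_space) c = ' ';
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return n;
}

/* Hypothetical stand-in for the filter: decode, then search the value
 * as a C string. Returns 1 on match, 0 on no match, -1 if too long. */
int filter_matches(const char *raw_value, const char *keyword, int null_to_space) {
    char buf[256];
    if (strlen(raw_value) >= sizeof buf) return -1;
    url_decode(raw_value, buf, null_to_space);
    return strstr(buf, keyword) != NULL;
}

int main(void) {
    const char *value = "dummy%00chicken"; /* value of p in the quoted request */
    printf("raw decode:   match=%d\n", filter_matches(value, "chicken", 0));
    printf("NUL -> space: match=%d\n", filter_matches(value, "chicken", 1));
    return 0;
}
```

In the raw decode all 13 bytes are present in the buffer, but the search sees only `dummy`; with the conversion the same bytes form one string and the keyword is found.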