I've been testing ModSec with a webmail system (Zimbra) and found that the rules to validate a multipart boundary are too strict.

The function multipart_boundary_characters_valid() (apache2/msc_multipart.c) excludes the following characters, which are in fact legal:

    (  )  , :  / ?  =

Probably this comes from the fact that Apache does not use them (see MULTIPART_CHARS in http://hc.apache.org/httpcomponents-client-ga/httpmime/xref/org/apache/http/entity/mime/MultipartEntity.html), but it doesn't mean they are illegal according to RFC 2046, section 5.1.1.

It would be nice to have these characters in a SecSomething directive, so that it is easy to modify.
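
An added example, not part of the original post and not ModSecurity's code: a boundary check that follows the RFC 2046, section 5.1.1 grammar (`boundary := 0*69<bchars> bcharsnospace`), next to a stricter variant that also rejects the seven characters listed above. The function names, the stricter policy and the sample boundaries are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Punctuation allowed by bcharsnospace in RFC 2046, section 5.1.1. */
static const char RFC2046_PUNCT[] = "'()+_,-./:=?";
/* The seven characters the post reports as rejected. */
static const char REPORTED_REJECTED[] = "(),:/?=";

static int is_alnum_ascii(unsigned char c) {
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z');
}

/* boundary := 0*69<bchars> bcharsnospace  (1..70 chars, no trailing space) */
int rfc2046_boundary_valid(const char *b) {
    size_t len = strlen(b);
    if (len < 1 || len > 70 || b[len - 1] == ' ') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)b[i];
        if (!is_alnum_ascii(c) && c != ' ' && strchr(RFC2046_PUNCT, c) == NULL)
            return 0;
    }
    return 1;
}

/* Hypothetical stricter policy: RFC grammar minus the reported characters. */
int strict_boundary_valid(const char *b) {
    return rfc2046_boundary_valid(b) && b[strcspn(b, REPORTED_REJECTED)] == '\0';
}

int main(void) {
    /* Constructed sample boundaries, not captured from Zimbra traffic. */
    const char *samples[] = {
        "simple-boundary_01",
        "----=_Part_12_3456.7890",
        "a(b)c,d:e/f?g",
        "quoted\"boundary",
        "trailing space ",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s rfc2046=%d strict=%d\n", samples[i],
               rfc2046_boundary_valid(samples[i]),
               strict_boundary_valid(samples[i]));
    return 0;
}
```

The RFC-based check still rejects quotes, control characters, over-long values and a trailing space, so widening the allowed set to the full `bchars` list does not remove those checks.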