Re: [mod-security-users] trac .sql file extension question
From: Chris C. <fc...@cn...> - 2008-01-28 18:16:07
Thanks Ryan, this worked like a charm. I understand the logic better as well now.

On Mon, 2008-01-28 at 12:37 -0500, Ryan Barnett wrote:
> > -----Original Message-----
> > From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Chris Cuevas
> > Sent: Monday, January 28, 2008 12:24 PM
> > To: modsec users
> > Subject: [mod-security-users] trac .sql file extension question
> >
> > Hi all,
> >
> > I have a trac site with mod_security that I maintain and I need to allow
> > some .sql files to be downloaded. With the core rules enabled I receive
> > the following error
> >
> > Message: Access denied with code 500 (phase 2). Pattern match "\\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\\w{0,5}~|webinfo|ht[rw]|xs[dx ..." at REQUEST_BASENAME. [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"]
> >
> > I'm assuming this is triggered by the file extension .sql on these
> > files. What I would like to do is allow .sql files from a certain
> > directory to be downloaded, as these files are part of the database
> > migration for a new version of the project. What I've tried is adding
> > the following rules to modsecurity_crs_15_customrules.conf.
> >
> > SecRule REQUEST_URI "^/database/migrations/*.sql" "chain,log,pass,ctl:ruleEngine=Off"
> > SecRule REQUEST_BASENAME "sql" "pass"
>
> [Ryan Barnett] I would not recommend using the "ctl:ruleEngine=Off" action in this context as it would disable all other security checks (which may open you up to other attacks). The main issue is that you don't want that one rule to trigger for ".sql" files in that one directory, right?
>
> I would suggest the following - http://www.modsecurity.org/blog/archives/2007/02/handling_false.html
>
> Put this in your modsecurity_crs_60_customrules.conf file -
>
> <Location "/database/migrations/">
> SecRuleRemoveById 960035
>
> SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" \
> "t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'1'"
> </Location>
>
> This rule set will disable the current Core Rule ID 960035 for that directory. I will then apply a new rule with an updated RegEx (that excludes the check for the .sql extension).
>
> > I think I'm close, I'm just missing something. Could anyone point me in
> > the right direction?
>
> [Ryan Barnett] The main problem with your test chained rule was that it was using the "pass" action, which only passes on the current rule. You probably were thinking more along the lines of "allow." Test out my example rule above and let me know if it works for you.

--
+==================================================================+
| Christopher Cuevas                                               |
| FCLA Open Systems Group                                          |
| fclcac (at) cns (dot) ufl (dot) edu                              |
+------------------------------------------------------------------+
gpg fingerprint = CB8E B1B5 43DE 94C9 AFA8 8E89 6B1F 3546 87E0 DCF0
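An added model of the two rules in this exchange, written for this page and not taken from the thread or from ModSecurity itself: it applies the rules' t:urlDecodeUni and t:lowercase transformations to REQUEST_BASENAME, runs the CRS 960035 pattern outside /database/migrations/ and Ryan's .sql-free replacement (id 1) inside it, and shows that only plain .sql files in that directory pass while .sql.bak and editor backup names are still denied. Assumptions: the full 960035 pattern is Ryan's pattern with the "ql" alternative restored (the thread's copy is truncated), unquote() stands in for urlDecodeUni, and the <Location> scope is modelled as a path prefix check.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Extension pattern of CRS rule 960035 as quoted in the thread. The thread's
# copy is truncated after "xs[dx", so the tail is taken from Ryan's replacement
# rule and the "ql" alternative restored (assumption).
CRS_960035_EXT = re.compile(
    r"\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)"
    r"|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])"
    r"|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~"
    r"|webinfo|ht[rw]|xs[dx]|key|mdb|old)$",
    re.ASCII,
)

# Ryan's replacement rule (id 1): the same list with the "ql" alternative removed.
MIGRATIONS_EXT = re.compile(
    r"\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)"
    r"|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])"
    r"|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ys)|l(?:icx|nk|og)|\w{0,5}~"
    r"|webinfo|ht[rw]|xs[dx]|key|mdb|old)$",
    re.ASCII,
)

LOCATION_PREFIX = "/database/migrations/"  # the <Location> scope, modelled as a prefix


def transform(basename: str) -> str:
    """t:urlDecodeUni then t:lowercase, as both rules specify. unquote() is an
    approximation: it decodes %XX but not ModSecurity's %uXXXX form."""
    return unquote(basename).lower()


def evaluate(request_uri: str) -> Optional[str]:
    """Return the id of the rule that would deny the request, or None if it passes.
    Inside the <Location>, SecRuleRemoveById drops 960035 and custom rule id 1
    runs instead; everywhere else 960035 still applies."""
    path = request_uri.split("?", 1)[0]  # REQUEST_BASENAME ignores the query string
    basename = transform(path.rsplit("/", 1)[-1])
    if path.startswith(LOCATION_PREFIX):
        return "1" if MIGRATIONS_EXT.search(basename) else None
    return "960035" if CRS_960035_EXT.search(basename) else None


if __name__ == "__main__":
    for uri in ("/database/migrations/001_init.sql", "/downloads/001_init.sql",
                "/database/migrations/001_init.sql.bak"):
        print(uri, "->", evaluate(uri) or "allowed")
```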