Re: [mod-security-users] Spaces in Argument Name
From: Ryan B. <Rya...@br...> - 2009-02-09 19:40:07
-----Original Message-----
From: Christian Bockermann [mailto:ch...@jw...]
Sent: Monday, February 09, 2009 12:58 PM
To: Daniel Draper
Cc: mod...@li...
Subject: Re: [mod-security-users] Spaces in Argument Name

Hi Daniel!

On 09.02.2009 at 15:59, Daniel Draper wrote:

> We have come across a situation in which we need to validate several
> arguments. Two of these arguments have spaces in the argument name,
> and I am having difficulty in getting ModSecurity to match against
> them.
>
> The argument names are "Add to Basket.x" and "Add to Basket.y". In
> the query string these show up as "Add+to+Basket.x" and
> "Add+to+Basket.y", as in:
> http://www.hostname.com?Add+to+Basket.x=0&Add+to+Basket.y=0

I wonder why anyone writes applications using variables containing WS chars.

> How would a SecRule be written to match against these types of
> arguments? The following certainly do not work:
>
> SecRule ARGS:Add+to+Basket.x|ARGS:Add+to+Basket.y
> SecRule ARGS:Add\+to\+Basket\.x|ARGS:Add\+to\+Basket\.y

The arguments to ModSecurity collections for selecting parts of their values can be regular expressions as well. So you may have success with

    SecRule ARGS:/^Add\sto\sBasket\.(x|y)$/

This will match both "...x" and "...y" variables. Here \s is used to denote the white space character. Use "\s+" for multiple white spaces or "\t" for the absurd case of parameters containing a tabulator :-)

For some more detail: The names of arguments are urldecoded before being added to the collections, thus "Add+to+Basket" becomes "Add to Basket" as the argument's name.

[Ryan Barnett] Following up on Chris' excellent response for this specific issue - in order to get a better view of what/how ModSecurity receives data from Apache and any transformations, you need to inspect the debug log file data. If you review the data, you would see that Apache+Mod are extracting out the parameter data by initially urldecoding the QUERY_STRING/POST_PAYLOAD data and populating the "cooked" ARGS data. In this case, the "+" whitespace character is replaced with an actual space.

The debug log is your friend :) However, make sure that you are judicious in how/when you use it (for performance reasons). Unless you are on a test system, I usually leave the SecDebugLogLevel setting at 0 and then use the ctl:debugLogLevel action to dynamically create the debug log based on my source IP.
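The following ModSecurity 2.x configuration is an added example, not part of the thread above, that puts the two pieces of advice together: Christian's regex variable selector for the urldecoded argument names, and Ryan's practice of keeping SecDebugLogLevel at 0 and raising it per request with ctl:debugLogLevel for one source address. The rule ids, the log path, the client address and the assumption that the .x/.y values must be small unsigned integers are all mine, not anything the posters stated.

```apache
# Added example (not from the thread): ModSecurity 2.x rules for the
# "Add to Basket.x" / "Add to Basket.y" case discussed above.
# Rule ids, log path and client address are placeholders.

SecRuleEngine On

# Argument names are urldecoded before they are placed in ARGS, so the
# name ModSecurity sees is "Add to Basket.x", not "Add+to+Basket.x".
# A literal selector such as ARGS:Add+to+Basket.x therefore never
# matches; a regex selector (ARGS:/.../) applied to the decoded name
# does.  Assumption: both coordinates must be unsigned integers of at
# most five digits; anything else is rejected.
SecRule ARGS:/^Add\sto\sBasket\.(x|y)$/ "!@rx ^[0-9]{1,5}$" \
    "id:1001,phase:2,t:none,deny,status:403,log,\
    msg:'Non-numeric Add to Basket coordinate',\
    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"

# Debug logging stays off globally (performance) and is switched on
# for a single transaction only when the request comes from the
# analyst's own address.  192.0.2.10 is a placeholder documentation
# address; replace it with the testing host.
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 0
SecRule REMOTE_ADDR "@rx ^192\.0\.2\.10$" \
    "id:1000,phase:1,pass,nolog,t:none,ctl:debugLogLevel=9"
```

With this in place, a request from the listed address for ?Add+to+Basket.x=0&Add+to+Basket.y=0 writes the full transaction trace to the debug log, including each argument as it is added to ARGS with its decoded name; that is where to confirm that the selector regex and the name ModSecurity actually stores agree before tightening the value check.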