[Mod-security-developers] [JIRA] Closed: (MODSEC-86) The SCRIPT_* family of variables is not valid in reverse proxy mode

[Ryan B. (JIRA) <no...@mo...>]

     [ https://www.modsecurity.org/tracker/browse/MODSEC-86?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ryan Barnett closed MODSEC-86.
------------------------------

    Resolution: Won't Fix

This is a rules issue.  If a user wants to use these variables - they should create a rule to warn if the variables are empty/non-existent.

> The SCRIPT_* family of variables is not valid in reverse proxy mode
> -------------------------------------------------------------------
>
>                 Key: MODSEC-86
>                 URL: https://www.modsecurity.org/tracker/browse/MODSEC-86
>             Project: ModSecurity
>          Issue Type: Bug
>      Security Level: Normal
>          Components: Targets
>    Affects Versions: 2.5.10-dev2
>            Reporter: Ivan Ristic
>            Assignee: Breno Silva Pinto
>             Fix For: 2.6.0
>
>
> In a reverse proxy (phase 2), SCRIPT_FILENAME contains the backend URI. For example: proxy:http://192.168.3.111/phpinfo.php/123 While this may be useful, the information does not beling in SCRIPT_FILENAME.
> I think that we need to detect this case, pretend that SCRIPT_FILENAME does not exist (rule does not run) and emit a warning.
> I would do the same for PATH_INFO, which does not seem to be available in RP mode.
> I also think it might be useful to have a phase 2 flag to tell if the request is about to be proxied. Such a flag could be used to have some rules only run in one of the modes (i.e., embedded vs RP).

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://www.modsecurity.org/tracker/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira