[ https://www.modsecurity.org/tracker/browse/MODSEC-226?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Breno Silva Pinto resolved MODSEC-226.
--------------------------------------
Resolution: Fixed
> Pb with environment variables set by SetEnv
> -------------------------------------------
>
> Key: MODSEC-226
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-226
> Project: ModSecurity
> Issue Type: Bug
> Security Level: Normal
> Components: Core
> Affects Versions: 2.5.13
> Environment: All
> Reporter: Marc Stern
> Assignee: Breno Silva Pinto
> Fix For: 2.7.0
>
>
> Inconsistent behaviour with environment variables set by SetEnv:
> Setenv var SETENV
> SecAction "phase:3,pass,auditlog,msg:'phase 3: var=<%{ENV.var}>'"
> shows the value "SETENV", thus var is in the collection
> Adding the following directive to use it:
> SecAction "phase:2,pass,nolog,setenv:var=%{ENV.var}/MS"
> shows the value "/MS"
> same result in phase 1, but works OK in phase 3
> The behaviour is inconsistent: either the rule runs before SetEnv and var should be overwritten, or it runs after and it should use it. In no case do we expect to have only "/MS".
> Note that this is probably linked to a strange behaviour of SetEnv which runs, for instance, before mod_rewrite & mod_setenvif, but the values are not seen by these modules either.
> Although the problem may lie in mod_env, it is strange that %{ENV.var} works in logging but not in a setenv: (I did not test with setvar:).
> Note that everything works correctly when setting the variable with SetEnvIf.
> Maybe the best solution would be to push for a fix in mod_env ...