[Mod-security-developers] validateurlencoding operator being used in the CRS
From: Ellison M. <em...@sc...> - 2013-11-14 00:06:57
Rule 950108 in the CRS is supposed to check for URL-encoding abuse attempts. It chains a Content-Type header check to a regex looking for percent sequences in REQUEST_BODY or XML, and finally to the validateURLEncoding operator. The problem is, the regex check allows for % on its own, %XX and %uXXXX sequences, while validateUrlEncoding only seems to accept %XX.

--
Sincerely,
Ellison

Ellison Marks
Scratchspace Inc.
(831) 621-7928
http://www.scratchspace.com
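The mismatch the message describes, as an added example that is not part of the original post and not ModSecurity or CRS code: a small Python model of the last two links of the chain. `PERCENT_SEQUENCE` is an approximation written for this example of a regex that accepts a bare `%`, `%XX` and `%uXXXX` (it is not the CRS pattern itself), and `validate_url_encoding` re-implements the `@validateUrlEncoding` semantics as the post describes them (only `%` followed by two hex digits is accepted). The sample bodies are constructed. The chain fires only when every link matches, and `@validateUrlEncoding` "matches" when the encoding is invalid, so a body whose only percent sequence is `%uXXXX` passes the regex link and then trips the operator.

```python
import re

# Constructed approximation of the regex link: a bare "%", "%XX" or "%uXXXX".
# This is an assumption for the example, not the CRS 950108 regex.
PERCENT_SEQUENCE = re.compile(r"%(?:u[0-9a-fA-F]{4}|[0-9a-fA-F]{2})?")

HEX_DIGITS = set("0123456789abcdefABCDEF")


def regex_link_matches(body: str) -> bool:
    """Second link of the chain: does the body contain any percent sequence?"""
    return PERCENT_SEQUENCE.search(body) is not None


def validate_url_encoding(body: str) -> int:
    """Re-implementation of the @validateUrlEncoding semantics described in the
    post (not the ModSecurity source): every '%' must be followed by exactly
    two hex digits.

    Returns  1 when the encoding is valid,
            -2 when a '%' is followed by non-hex characters (this is what
               happens to '%uXXXX', because 'u' is not a hex digit),
            -3 when a '%' has fewer than two characters after it.
    """
    i, n = 0, len(body)
    while i < n:
        if body[i] != "%":
            i += 1
            continue
        if i + 2 >= n:
            return -3
        if body[i + 1] in HEX_DIGITS and body[i + 2] in HEX_DIGITS:
            i += 3
        else:
            return -2
    return 1


def chain_fires(body: str) -> bool:
    """Links two and three of the modelled rule: the chain fires only when the
    regex link matched AND the operator reports the encoding as invalid."""
    return regex_link_matches(body) and validate_url_encoding(body) != 1


def evaluate(body: str) -> dict:
    """Per-link outcome for one constructed request body."""
    return {
        "body": body,
        "regex_link": regex_link_matches(body),
        "validate_url_encoding": validate_url_encoding(body),
        "fires": chain_fires(body),
    }


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    for sample in ("name=%41lice", "name=%u0041lice", "discount=50%", "name=alice"):
        print(evaluate(sample))
```

Running the block shows the point of the message: `name=%41lice` matches the regex link and is accepted by the operator, so the chain does not fire; `name=%u0041lice` also matches the regex link (the `%uXXXX` alternative) but the operator rejects it because `u` is not a hex digit, so the chain fires on a sequence the regex link explicitly allowed. A bare `%` is allowed by the regex link too and rejected by the operator for having too few bytes after it.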