[Mod-security-developers] Multipart boundary characters
From: Carlos V. <ca...@ta...> - 2014-07-14 15:47:08
I've been testing ModSec with a webmail system (Zimbra) and found that the
rules to validate a multipart boundary are too strict.
The function multipart_boundary_characters_valid()
(apache2/msc_multipart.c) excludes the following characters, which are in
fact legal:
( ) , : / ? =
Probably this comes from the fact that Apache does not use them (see
MULTIPART_CHARS in
http://hc.apache.org/httpcomponents-client-ga/httpmime/xref/org/apache/http/entity/mime/MultipartEntity.html),
but that doesn't mean they are illegal according to RFC 2046
<http://ftp.isi.edu/in-notes/rfc2046.txt>, section 5.1.1.
It would be nice to have these characters in a SecSomething directive, so
that it is easy to modify.
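The RFC 2046 section 5.1.1 boundary grammar as a standalone check, added here as an example; it is not part of the original post and is not ModSecurity's code. The name boundary_valid, the strict flag (which models the exclusion the post reports) and the sample boundaries are assumptions constructed for illustration.

```c
/* Added example: validates a multipart boundary value against RFC 2046 5.1.1.
 *   boundary      := 0*69<bchars> bcharsnospace
 *   bchars        := bcharsnospace / " "
 *   bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / ","
 *                    / "-" / "." / "/" / ":" / "=" / "?"
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Punctuation the RFC permits in addition to letters, digits and space. */
static const char RFC_PUNCT[] = "'()+_,-./:=?";
/* Characters the post reports as rejected (taken from the post only). */
static const char REPORTED_REJECTED[] = "(),:/?=";

/* Returns 1 if b is a legal boundary value (already unquoted), else 0.
 * strict != 0 additionally rejects the characters in REPORTED_REJECTED. */
int boundary_valid(const char *b, int strict)
{
    size_t len = strlen(b), i;

    if (len < 1 || len > 70) return 0;  /* 1 to 70 characters */
    if (b[len - 1] == ' ') return 0;    /* last character must not be a space */

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)b[i];
        if (c > 127) return 0;                    /* 7-bit ASCII only */
        if (isalnum(c) || c == ' ') continue;     /* ALPHA / DIGIT / interior space */
        if (!strchr(RFC_PUNCT, c)) return 0;      /* outside the RFC grammar */
        if (strict && strchr(REPORTED_REJECTED, c)) return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample boundaries, not captured from any real client. */
    const char *samples[] = { "----FormBoundary7MA4YWxk", "=_part(1),a:b/c?d",
                              "trailing space ", "semi;colon" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s rfc2046=%d strict=%d\n", samples[i],
               boundary_valid(samples[i], 0), boundary_valid(samples[i], 1));
    return 0;
}
```

All seven characters listed in the post are RFC 2045 tspecials, so a client that uses them must send the boundary parameter as a quoted string; the check above applies to the value after unquoting.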