Re: [mod-security-users] Problems with @inspectFile not escaping arguments
From: Gryzli B. <gry...@gm...> - 2015-12-08 13:33:05
Hi Reindl,

On 12/08/2015 03:21 PM, Reindl Harald wrote:
>
> Am 08.12.2015 um 14:04 schrieb Felipe Costa:
>> Hi Gryzli,
>>
>> Thank you for the report.
>>
>> Do not use @inspectFile with variables that you don't have control over. @inspectFile was originally created to be used with FILES_TMPNAMES [1], as cited in the example [2]. The content of FILES_TMPNAMES is generated by ModSecurity, therefore we don't need to escape.
>
> SecRule FILES_TMPNAMES "@inspectFile /etc/httpd/modsecurity.d/check-upload.php" "id:'141',phase:2,block,status:400,t:none"
>
> that script gets called for each uploaded file with the full, sanitized path as param by modsec

I already know that, but in my case I wanted to inspect part of the request. I gave the example with FULL_REQUEST, but it could be anything (ARGS, REQUEST_BODY, etc.).

>> I think your concern is more than valid. I am adding a note to the Reference manual so that other users will not use it in this fashion.
>>
>> Maybe what you are looking for is to use the Lua engine [3]. Using the Lua engine, you will be able to fetch the variables using: m.getvar("FULL_REQUEST");
>>
>> Notice that using FULL_REQUEST is not always a good practice because it may drop the performance of your server a little bit.
>
> and it's not needed at all to inspect upload-files

As I said earlier, in my case I'm not talking about scanning uploaded files, which we already know to be working.

Regards,
Gryzli
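The alternative Felipe points to in the reply above, a Lua rule script that reads FULL_REQUEST in-process instead of handing request-derived data to an external @inspectFile program, as an added example that is not part of the original thread or of the ModSecurity project. The SecRuleScript wiring in the comment, the rule id and the patterns searched for are all assumptions made up for illustration; only m.getvar, m.log and the return convention of main() are the documented ModSecurity 2.x Lua API.

```lua
-- Added example (not from the mailing-list thread or the ModSecurity
-- project): inspect FULL_REQUEST from Lua, so the request never becomes a
-- command-line argument and there is nothing to escape.
--
-- Assumed wiring in the Apache/ModSecurity configuration (the file name
-- and the rule id 1000001 are placeholders chosen for this example):
--   SecRequestBodyAccess On
--   SecRuleScript /etc/httpd/modsecurity.d/check-full-request.lua \
--       "id:'1000001',phase:2,deny,status:400,log"
--
-- ModSecurity calls main(); returning nil means "no match", returning a
-- string makes the rule match and logs that string.

-- Constructed patterns standing in for whatever the operator wants to look
-- for in the raw request. They are Lua patterns, so magic characters are
-- escaped with '%'.
local patterns = {
  { pat = "%$%(",        why = "$( ) shell command substitution" },
  { pat = "`",           why = "backtick command substitution" },
  { pat = "%.%./%.%./",  why = "../../ path traversal" },
}

function main()
  -- m.getvar(name) is the documented ModSecurity Lua API. FULL_REQUEST is
  -- only populated when SecRequestBodyAccess is On, and as the reply notes
  -- it costs some performance, since the whole request is reassembled.
  local req = m.getvar("FULL_REQUEST")
  if req == nil then
    return nil
  end

  for _, entry in ipairs(patterns) do
    local from, to = string.find(req, entry.pat)
    if from ~= nil then
      -- Log a bounded excerpt rather than the whole request to keep the
      -- audit log readable.
      local excerpt = string.sub(req, math.max(1, from - 20), to + 20)
      m.log(4, "check-full-request.lua: " .. entry.why
               .. " at offset " .. from .. ": " .. excerpt)
      return "Suspicious construct in request: " .. entry.why
    end
  end

  return nil
end
```

The same script works against narrower variables (ARGS, REQUEST_BODY, a single header) by changing the m.getvar() name, which is usually preferable to FULL_REQUEST for both performance and precision; the point of the example is that whatever is inspected stays inside ModSecurity instead of being interpolated into a shell command line.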