Re: [mod-security-users] Problems with @inspectFile not escaping arguments
From: Reindl H. <h.r...@th...> - 2015-12-08 14:02:28
On 08.12.2015 at 14:32, Gryzli Bugbear wrote:
> Hi Reindl,
>
> On 12/08/2015 03:21 PM, Reindl Harald wrote:
>>
>> On 08.12.2015 at 14:04, Felipe Costa wrote:
>>> Hi Gryzli,
>>>
>>> Thank you for the report.
>>>
>>> Do not use @inspectFile with variables that you don't have control
>>> over. @inspectFile was originally created to be used with
>>> FILES_TMPNAMES [1], as cited in the example: [2]. The content of
>>> FILES_TMPNAMES is generated by ModSecurity, therefore we don't need
>>> to escape.
>>
>> SecRule FILES_TMPNAMES "@inspectFile /etc/httpd/modsecurity.d/check-upload.php" \
>>     "id:'141',phase:2,block,status:400,t:none"
>>
>> that script gets called for each uploaded file with the full, sanitized
>> path as param by modsec
>
> I already know that, but in my case I wanted to inspect part of the
> request. I gave the example with FULL_REQUEST, but it could be anything
> (ARGS, REQUEST_BODY ...etc).
>
>> and it's not needed at all to inspect upload-files
>
> As I said earlier, in my case I'm not talking about scanning uploaded
> files, which we already know to be working well,

there is a reason why it is called @inspectFile and not @inspectSomething :-)
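For readers following the thread, here is an added example (not code from this message, from Gryzli, or from the ModSecurity project) of the kind of inspector that the `SecRule FILES_TMPNAMES "@inspectFile /etc/httpd/modsecurity.d/check-upload.php"` rule quoted above invokes, written in Python rather than PHP. It assumes the ModSecurity 2.x @inspectFile calling convention as I understand it: the engine runs the script with the temporary file path as its only argument and reads one line from stdout, where a leading `1` lets the request through and anything else (here `0`) triggers the rule with the rest of the line as the message. The upload directory `/var/lib/mod_security`, the function names and the byte signatures are my own choices for illustration; a real deployment would hand the file to an AV scanner instead of a signature list.

```python
#!/usr/bin/env python3
"""Example @inspectFile inspector: one path on argv, one verdict line on stdout.

Called by ModSecurity as:  check-upload <FILES_TMPNAMES entry>
Prints "1 <message>" to accept the file or "0 <message>" to block.
"""
import os
import re
import sys

# Assumed: the directory SecTmpDir/SecUploadDir points at. Adjust to taste.
UPLOAD_DIR = "/var/lib/mod_security"

# Constructed sample signatures, not a real malware database.
SIGNATURES = [
    (re.compile(rb"<\?php"), "PHP code in upload"),
    (re.compile(rb"^\x7fELF"), "ELF executable in upload"),
    (re.compile(rb"^MZ"), "PE executable in upload"),
]


def path_is_safe(path, upload_dir=UPLOAD_DIR):
    """Accept only a regular file that really lives under upload_dir.

    FILES_TMPNAMES is generated by ModSecurity, so for that variable the
    argument is trustworthy. If someone points @inspectFile at a
    user-controlled variable (ARGS, REQUEST_BODY, FULL_REQUEST ...) the
    argument is attacker text; this check makes the script refuse it
    rather than open whatever path it names. It does nothing about how
    the engine itself quotes the argument when spawning the script.
    """
    real = os.path.realpath(path)
    root = os.path.realpath(upload_dir)
    if os.path.commonpath([real, root]) != root:
        return False
    return os.path.isfile(real) and not os.path.islink(path)


def scan_bytes(data):
    """Return (ok, message) for file content that has already been read."""
    for pattern, label in SIGNATURES:
        if pattern.search(data):
            return False, label
    return True, "clean"


def inspect(path, upload_dir=UPLOAD_DIR, max_bytes=1 << 20):
    """Return (ok, message) for the file at path; ok=True means accept."""
    if not path_is_safe(path, upload_dir):
        return False, "path is not a regular file under the upload dir"
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(max_bytes))


def verdict_line(ok, message):
    """Format the verdict the way @inspectFile reads it: '1 ...' or '0 ...'."""
    return ("1 " if ok else "0 ") + message


if __name__ == "__main__":
    if len(sys.argv) != 2:
        # Fail closed: a malformed invocation blocks rather than accepts.
        print(verdict_line(False, "usage: check-upload <file>"))
        sys.exit(0)
    ok, msg = inspect(sys.argv[1])
    print(verdict_line(ok, msg))
```

Note that the script treats `sys.argv[1]` purely as data and never re-enters a shell with it, so the argument content cannot become a second command inside the script; whether ModSecurity escaped the value before spawning the script is a separate question, which is the one this thread is about.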