Re: [mod-security-users] Problems with @inspectFile not escaping arguments
From: Felipe C. <FC...@tr...> - 2015-12-08 17:24:23
Hi,

On 12/8/15, 11:10 AM, "Reindl Harald" <h.r...@th...> wrote:

>
>> I always look to that script integration to something easy to be deployed and
>> tested, but later to be transformed into an operator and/or variables for
>> performance boost. It does not mean that you cannot use it in production, just saying
>> that it opens the possibility for fast prototyping.
>
> clear, hence my hint that something like @inspectMimeType and a
> configurable whitelist of allowed upload-mimetypes would be a nice thing

That seems to be a good feature to have. Opened the issue #993 to add this new feature. There is a link to that discussion on the issue body.

https://github.com/SpiderLabs/ModSecurity/issues/993

>> I understand your need with the `file' example, but do you think you can achieve
>> the same level of "functionality" by using a python script?
>>
>> In python it will be something like (not tested):
>>
>> import magic
>>
>> # `modsec` is the transaction handle the script would receive (name assumed here)
>> def inspect_files(modsec):
>>     mime = magic.Magic(mime=True)
>>     allowed = ["text/plain", "text/something"]
>>
>>     for i in modsec.transaction.file_tmpnames:
>>         mime_type = mime.from_file(i)
>>         if mime_type not in allowed:
>>             return [0, "upload mime-type '…' not allowed"]
>>     return [1, "ok"]
>>
>> What do you think?
>
> surely, the reason for PHP is that all our internal developments like
> cms-systems, frameworks, admin-backends and deployment/automation are
> written in PHP and so after 13 years there is a fat library of well
> tested and on all servers deployed code
>
> so when i have tomorrow an idea that it makes sense to include some
> database content in that check-script it's 5 lines code to marry it with
> whatever admin tool or internal webservice :-)

Yeah, I understand. I could say that I can add PHP to the list of supported scripts; even so, at the end of the day it is about the possibility to execute anything executable versus the possibility to execute some types of scripts.
Most certainly the right path to follow is to keep the @inspectFile and provide a better integration for the most popular script languages, that way we can keep the best of the two alternatives (@inspectFile and SecScriptRule). Basically keep it the way it is plus add the proper warnings for good utilization of the operator @inspectFile.

Br.,

Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
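The check Felipe sketches above (classify each uploaded temp file by content, reject anything outside an allowlist) and the @inspectMimeType idea from the reply both come down to the same logic. The following is an added, stand-alone example written for this archive page; it is not code from the thread, from ModSecurity, or from SecScriptRule. Instead of libmagic it uses a small built-in magic-byte table so it runs offline, and the `ALLOWED_MIME_TYPES` set, the file names and the file contents are constructed sample data. It keeps the `[0, reason]` / `[1, reason]` return shape of the email's sketch and opens the files directly, so, unlike handing a file name to an external command, no shell quoting of the path is involved.

```python
import os
import tempfile

# Constructed allowlist, playing the role of the email's `allowed` list.
ALLOWED_MIME_TYPES = frozenset({"text/plain", "image/png"})

# Tiny magic-byte table so the example runs offline. It stands in for
# libmagic (the `magic` module in the email); a real check would use that.
_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"\x7fELF", "application/x-executable"),
    (b"MZ", "application/x-dosexec"),
    (b"<?php", "text/x-php"),
)


def sniff_bytes(head):
    """Classify the leading bytes of a file by content, never by its name."""
    for signature, mime_type in _SIGNATURES:
        if head.startswith(signature):
            return mime_type
    if not head:
        return "inode/x-empty"
    if b"\x00" in head:
        return "application/octet-stream"
    try:
        head.decode("utf-8")
    except UnicodeDecodeError:
        return "application/octet-stream"
    return "text/plain"


def sniff_mime_type(path):
    """Read the first 512 bytes of an uploaded temp file and classify them."""
    with open(path, "rb") as fh:
        return sniff_bytes(fh.read(512))


def inspect_uploads(file_tmpnames, allowed=ALLOWED_MIME_TYPES):
    """Same contract as the sketch in the email: [0, reason] rejects the
    request, [1, reason] accepts it. Paths are opened directly; nothing
    here builds a command line from a file name."""
    for path in file_tmpnames:
        mime_type = sniff_mime_type(path)
        if mime_type not in allowed:
            return [0, "upload mime-type '%s' not allowed for %s"
                       % (mime_type, os.path.basename(path))]
    return [1, "all %d uploads have an allowed mime-type" % len(file_tmpnames)]


def run_demo():
    """Write constructed uploads into a temp dir and run the check over them."""
    workdir = tempfile.mkdtemp(prefix="modsec-demo-")
    # Constructed samples. The name with spaces and quotes shows that file
    # names are never interpreted; only contents are. The last one carries a
    # .png name but PHP content, which is what content sniffing catches.
    samples = {
        "notes.txt": b"plain text body\n",
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 24,
        "it's a 'quoted' name.txt": b"also plain text\n",
        "avatar.png": b"<?php echo 'hi'; ?>\n",
    }
    paths = {}
    for name, data in samples.items():
        paths[name] = os.path.join(workdir, name)
        with open(paths[name], "wb") as fh:
            fh.write(data)
    clean = [paths["notes.txt"], paths["logo.png"],
             paths["it's a 'quoted' name.txt"]]
    blocked = clean + [paths["avatar.png"]]
    return {
        "clean": inspect_uploads(clean),
        "blocked": inspect_uploads(blocked),
        "avatar_mime": sniff_mime_type(paths["avatar.png"]),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The allowlist is deliberately a set of content types rather than file extensions: the request can name a file anything it likes, but the bytes decide. Swapping `sniff_bytes` for `magic.Magic(mime=True).from_file` gives the libmagic-backed version from the email with the rest unchanged.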