Re: [Mod-security-developers] Directive Names in NginX and IIS
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [Mod-security-developers] Directive Names in NginX and IIS
|
From: Christian F. <chr...@ne...> - 2016-09-05 19:31:37
|
Great. Thanks. As I stated in my first message, the sourcecode says it's SecGeoLookupDB and SecGsbLookupDB, while the documentation consistently speaks of ...Db. Db would also be consistent with the naming schema used throughout the other directives, operators, actions etc. So I wonder if the sourcecode should not follow the schema. Not that it would really matter as long as the parser is case insensitive... ;) Ahoj, Christian On Mon, Sep 05, 2016 at 03:51:57PM +0000, Felipe Costa wrote: > > Hi Christian, > > > > On 9/5/16, 11:14 AM, "Christian Folini" <chr...@ne...> wrote: > > (…) > > >With Apache, it is the Apache directive parser which guarantees that > >directives are case insensitive. So I was not sure for the other > >cases. But you confirm it's the same with IIS and nginX (and > >libmodsec, where you made sure it works consitently)? > > > > > For the apache version, like you cited, we use the Apache parser. For the standalone > modules (2.x family) we use standalone parser which is basically the same thing as > Apache does: [1]. The libmodsecurity implementation is the most different one, that > involves a grammar. > > I would say that if one specific version is acting different from the others we have a bug. > Since the Apache is the first one, we have to respect what we have there. > > [1] https://github.com/SpiderLabs/ModSecurity/blob/master/standalone/config.c > > > > Br., > Felipe “Zimmerle” Costa > Security Researcher, Lead Developer ModSecurity. > Trustwave | SMART SECURITY ON DEMAND > www.trustwave.com <http://www.trustwave.com/> > > > > > > ________________________________ > > This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. > ------------------------------------------------------------------------------ > _______________________________________________ > mod-security-developers mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-developers > ModSecurity Services from Trustwave's SpiderLabs: > https://www.trustwave.com/spiderLabs.php -- https://www.feistyduck.com/training/modsecurity-training-course mailto:chr...@ne... twitter: @ChrFolini |
