[mod-security-users] Decoding base64-xml request parameter
From: Eirik Ø. - M. <ltn...@an...> - 2018-04-10 08:40:57
Hi,

Apologies for flooding the list..

We are struggling with a national e-ID scheme - and other things - that require XML messages to be passed as HTTP POST parameters, base64-encoded - not as content-type */xml as one would expect. In order to inspect this XML we therefore need to urldecode|base64decode and possibly lowercase before we can have mod_security (3) parse the XML.

However, from how I read the transformation and validation functions, I'm not certain I can use them. The request content-type is application/x-www-form-urlencoded.

I was thinking something like this:

- SecRule looking for the parameter name in question and applying a regex to make sure it looks like base64, chained with
- SecRule transforming MATCHED_VAR with base64Decode
- SecRule setting requestBodyProcessor=XML
- SecRule validating DTD and/or schema

However, since the base64Decode cannot work on REQUEST_BODY (since it would see more than just the content of that parameter) and requestBodyProcessor should be set in phase:1, I can't see how I can do this.

Is there a way to create a "fake" REQUEST_BODY and child transaction that can be used to evaluate the XML? Or have I missed something obvious here?

Needless to say, any parameters we receive with base64-encoded content tend to trigger all sorts of false positives. What's an accepted way of dealing with this in an environment where we do not know which parameters we will be receiving (we know some, but by far not all)?

/Eirik
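
The decode chain described in the message above (URL-decode, base64-decode, then XML parsing), as an added illustration in Python that is not part of the original post and is not ModSecurity configuration. The parameter names, the size limit and the sample body are constructed assumptions; the code checks well-formedness only and does no DTD or schema validation.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode

# Canonical base64 only: standard alphabet, length a multiple of 4, valid padding.
B64_RE = re.compile(r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")
MAX_DECODED = 64 * 1024  # assumed upper bound for one embedded message

def classify_param(value):
    """Classify one already URL-decoded parameter value as (kind, detail)."""
    if len(value) < 8 or not B64_RE.fullmatch(value):
        return ("plain", None)
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return ("plain", None)
    if len(raw) > MAX_DECODED:
        return ("rejected", "decoded value too large")
    text = raw.lstrip(b"\xef\xbb\xbf \t\r\n")  # drop UTF-8 BOM and whitespace
    if not text.startswith(b"<"):
        return ("base64", None)  # decodes cleanly but is not XML
    # Refuse any DTD before parsing, so no entity definitions reach the parser.
    if b"<!DOCTYPE" in text.upper():
        return ("rejected", "DOCTYPE not allowed")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return ("rejected", "malformed XML: %s" % exc)
    return ("xml", root.tag)

def inspect_form_body(body):
    """Classify every parameter of an application/x-www-form-urlencoded body."""
    # parse_qsl URL-decodes; a raw '+' in the body becomes a space, so a
    # base64 value only survives if the client sent its '+' as %2B.
    return {name: classify_param(value)
            for name, value in parse_qsl(body, keep_blank_values=True)}

# Constructed sample request body (hypothetical parameter names).
SAMPLE_XML = b'<message id="constructed"><status>ok</status></message>'
SAMPLE_BODY = urlencode({
    "state": "abc-123",
    "message": base64.b64encode(SAMPLE_XML).decode(),
    "blob": base64.b64encode(b"\x00\x01binary data!").decode(),
})

if __name__ == "__main__":
    for name, result in inspect_form_body(SAMPLE_BODY).items():
        print(name, result)
```
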