Re: [Mod-security-developers] Macro expansion in operators
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [Mod-security-developers] Macro expansion in operators
|
From: Marc S. <mar...@ap...> - 2019-02-07 13:59:56
|
The main goal is to be able to extend a pattern incrementally. This is especially useful in shared environments, but not limited to this case.
Example: you define you general policy to accept only certain characters
SecRule ARGS "@validateByteRange 32-90"
In a location, you want an exception to accept some additional characters (CR/LF):
<Location /...>
SecRule ARGS "@validateByteRange 10,13,32-90"
</Location>
In case you extend your global policy (let's say 32-95), your exception doesn't follow it. You are obliged to keep them aligned (you'll forget to do this if they are disseminated in several files).
The solution could be:
SecAction "phase:1,setvar:tx.allowedRange=32-90"
<Location /...>
SecAction "phase:2,setvar:tx.allowedRange=%{tx.allowedRange},10,13"
</Location>
SecRule ARGS "@validateByteRange %{tx.allowedRange}" "phase:2,..."
Same for ipMatch
Marc
On 05-02-19 17:54, Felipe Costa wrote:
Hi Marc,
There is no specific reason. As there is a computational cost for macro expansion, we may have it only where/when it is extremely necessary. Do you have a specific use case?
Br.,
Felipe "Zimmerle" Costa
Security Researcher, Lead Developer ModSecurity
________________________________
From: Marc Stern <mar...@ap...><mailto:mar...@ap...>
Sent: Friday, February 1, 2019 12:16:20 PM
To: mod...@li...<mailto:mod...@li...>
Subject: [Mod-security-developers] Macro expansion in operators
Can somebody explain me why the operators below don't perform macro
expansion; they're using plain strings, not pre-calculated patterns:
- ipMatch
- validateByteRange
Would a pull request implementing this be accepted?
Marc Stern
_______________________________________________
mod-security-developers mailing list
mod...@li...<mailto:mod...@li...>
https://scanmail.trustwave.com/?c=4062&d=3bHU3PIPIuUQrzOmOziiUcqWOyJFIV2loAPuiTrUlA&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php
|
