Re: [mod-security-users] SecRuleUpdateTargetById in 3.0.4
From: Jose R R <jos...@me...> - 2021-01-05 19:54:36
On Tue, Jan 5, 2021 at 9:21 AM Henri Cook <he...@pr...> wrote:
>
> Hi everyone,
>
> I attempted an upgrade to 3.0.4 today from 3.0.3. Unfortunately I can't get over a hurdle.
>
> I have an existing rule:
>
> ```
> # Rule 930110 matches "..\u003e" in body (HTML escaped JSON value "..<")
> # Replacing REQUEST_BODY with ARGS_NAMES|ARGS fixes the issue as the rule sees
> # the value after Unicode decoding '\u003e' => '>'.
> SecRuleUpdateTargetById 930110 "!REQUEST_BODY"
> SecRuleUpdateTargetById 930110 ARGS_NAMES,ARGS
> ```
>
> Due to modsec issue https://github.com/SpiderLabs/ModSecurity/issues/2251 it seems I'm using the 'non-regex' form of the rule that's fixed in master but not yet released.
>
> First I tried a patch, which failed to apply (any advice on how to patch this from the 3.0.4 tag would be appreciated) with this in my build process:
>
> ```
> curl -fSL https://github.com/SpiderLabs/ModSecurity/commit/1b1fdc055b8071ad3b24573abfe9b96e546c7abf.patch | patch -p1 && \
> ```
>
> When that didn't apply

CHANGES.rej is the only (non-)issue as the patch effectively applies (inside your modsecurity-v3.0.4 directory) to all other files as .. | patch --fuzz=0 -p1 . As far as I can tell, you may edit the CHANGES file manually by adding the content inside CHANGES.rej and then removing the latter.

> I tried (as a temporary workaround) removing the rule, but for some reason it was still triggering in my unit tests. For that I used:
>
> ```
> SecRuleRemoveById 930110
> ```
>
> I don't really know where to go from here, I'm using the CRS 3.2.0 ruleset.
>
> Best Regards,
>
> Henri
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

Best Professional Regards.
--
Jose R R
http://metztli.it
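
Why the retargeting in the quoted rule exclusion drops the false positive while still catching a real traversal string, as an added example that is not part of the original thread, ModSecurity or CRS. Assumptions: the pattern is a simplified stand-in for rule 930110 (not the CRS expression), the `json.`-prefixed argument names only approximate what a JSON body processor exposes, and both request bodies are constructed.

```python
import json
import re

# Assumption: simplified stand-in for rule 930110 (".." followed by a slash
# or backslash). It is NOT the expression shipped in CRS.
TRAVERSAL = re.compile(r"\.\.[\\/]")


def flatten_args(value, prefix="json"):
    """Yield (name, value) pairs, approximating ARGS built from a JSON body."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from flatten_args(item, f"{prefix}.{key}")
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from flatten_args(item, f"{prefix}.{index}")
    else:
        yield prefix, str(value)


def inspect(raw_body, targets):
    """Return the targets (in fixed order) in which the pattern matches."""
    hits = []
    # REQUEST_BODY is the raw bytes: JSON escapes such as \u003e are still
    # literal text, so "..\u003e" contains "..\" and looks like traversal.
    if "REQUEST_BODY" in targets and TRAVERSAL.search(raw_body):
        hits.append("REQUEST_BODY")
    # ARGS_NAMES / ARGS are seen after JSON decoding: \u003e is now ">".
    args = list(flatten_args(json.loads(raw_body)))
    if "ARGS_NAMES" in targets and any(TRAVERSAL.search(n) for n, _ in args):
        hits.append("ARGS_NAMES")
    if "ARGS" in targets and any(TRAVERSAL.search(v) for _, v in args):
        hits.append("ARGS")
    return hits


# Constructed sample bodies (not taken from the thread).
BENIGN_BODY = r'{"breadcrumb": "Home ..\u003e Settings"}'
TRAVERSAL_BODY = '{"file": "../../secret.txt"}'

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("traversal", TRAVERSAL_BODY)):
        before = inspect(body, {"REQUEST_BODY"})
        after = inspect(body, {"ARGS_NAMES", "ARGS"})
        print(f"{label}: original target -> {before}, retargeted -> {after}")
```

If the second `SecRuleUpdateTargetById` line is not honoured, the rule ends up with neither target for these bodies, so it is worth confirming in the audit log that 930110 still fires on a known-bad test request after the change.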