[mod-security-users] REQUEST_URI decodes URI before running checks
From: Eli <eli...@ex...> - 2005-02-18 16:39:58
I didn't notice this in the documentation at first, but just ran into the
outcome of not knowing about it...
I have this in my config:
SecFilterEngine On
SecFilterScanPOST Off
SecFilterCheckURLEncoding Off
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies Off
SecFilterCheckCookieFormat Off
SecFilterDefaultAction "log,deny,status:403"
SecFilterSelective "REQUEST_URI" "!^[\x20-\x7E]+$" "log,deny,status:403"
The REQUEST_URI check was my attempt to limit the characters in the URI (GET
requests) only, and at first it seemed just fine (restricts you to using
ASCII 32 to ASCII 126), however I just found out that mod_security decodes
the URI before checking it:
[Fri Feb 18 11:19:26 2005] [error] [client 216.209.84.151] mod_security:
Access denied with code 403. Pattern match "!^[\x20-\x7E]+$" at REQUEST_URI
[hostname "xxx"] [uri "/search.php?q=%A9"]
I tested and it is being caused by the "%A9" in the URI.
Now, I couldn't find out if there's a way to disable this URI decoding so it
instead will check exactly what the client types in as is, nor could I
figure out if there's another CGI parameter that has the same info as
REQUEST_URI but would not have it decoded before checking.
Any pointers to what I'd need? I'm sure it's in the manual somewhere but I
haven't found it yet...
Oh, I'm using the dev version, so I can use all the new features in the
reference manual.
Eli.
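
Added example (not part of the original post, and not mod_security's own code): a small Python model of the behaviour described above, applying the rule's pattern to a URI both as sent and after percent-decoding. Python's urllib decoding stands in for mod_security's normalization as an assumption; apart from the URI taken from the log line, the sample URIs are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Pattern from the SecFilterSelective rule in the post. The leading "!" in the
# rule inverts it, so the rule fires when the pattern does NOT match.
PRINTABLE_ASCII = re.compile(rb"^[\x20-\x7E]+$")


def rule_fires(data: bytes) -> bool:
    """True when the inverted pattern would trigger the deny action."""
    # fullmatch avoids "$" quietly accepting a trailing newline byte.
    return PRINTABLE_ASCII.fullmatch(data) is None


def evaluate(raw_uri: str) -> dict:
    """Compare the verdict on the URI as sent with the verdict after decoding."""
    raw = raw_uri.encode("latin-1")
    # Assumption: standard percent-decoding approximates what the filter sees.
    decoded = unquote_to_bytes(raw_uri)
    return {
        "raw_uri": raw_uri,
        "decoded": decoded,
        "fires_on_raw": rule_fires(raw),
        "fires_on_decoded": rule_fires(decoded),
    }


SAMPLES = [
    "/search.php?q=%A9",        # URI from the log line in the post
    "/search.php?q=copyright",  # constructed: plain ASCII, passes either way
    "/search.php?q=%41%42",     # constructed: encoded "AB", passes either way
    "/search.php?q=a%00b",      # constructed: encoded NUL, only caught decoded
]

if __name__ == "__main__":
    for uri in SAMPLES:
        r = evaluate(uri)
        print(f"{r['raw_uri']:<28} raw={r['fires_on_raw']!s:<5} "
              f"decoded={r['fires_on_decoded']!s:<5} {r['decoded']!r}")
```

The "%A9" request is denied only on the decoded form, matching the log entry; the same holds for the encoded NUL, which a check against the undecoded URI would let through.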