Re: [mod-security-users] REQUEST_URI decodes URI before running checks
From: Ivan R. <iv...@we...> - 2005-02-18 18:28:31
> Ok, the reason for not having this yet and not having it until v2.x - is it
> because of time required to work on development? I don't mind helping...
Two reasons: 1) it will break backward compatibility and 2) a lot of
work is needed to do it right. No 2 is not a problem by itself but
v2 is going to be a complete rewrite: I would much rather put that
effort into v2 in the first place.
> I hacked in a flag called "SecFilterDoURLDecoding" (I think - haven't test-
> compiled yet) and hopefully added all the required entries for the
> "dcfg->check_decoding" config parameter. My only question is:
>
>
> char *normalise(request_rec *r, sec_dir_config *dcfg, char *_uri, char **error_msg) {
> char *uri;
>
> if (_uri == NULL) return NULL;
> uri = ap_pstrdup(r->pool, _uri);
> if (uri == NULL) return NULL;
>
> if (dcfg->check_decoding) return uri; // is this correct?
>
> return normalise_inplace(r, dcfg, uri, error_msg);
> }
>
> I don't know if the "return uri" is the right way to do it or not. Will
> this cause a memory leak at all, or return something the user wouldn't
> expect?
It's fine. You can also move the line to the beginning of the
function.
> to hack this up so I'm sure you've got something much better planned.
I'd like to be able to configure individual anti-evasion methods on
a per-rule basis. Some methods are appropriate for some things and
not for others.
--
Ivan Ristic (http://www.modsecurity.org)
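The point under discussion, that the same REQUEST_URI passes or fails a check depending on whether it is URL-decoded first, as an added example that is not code from the original post or from ModSecurity itself. The `demo_dir_config` struct and its `decode_before_checks` flag stand in for the `dcfg->check_decoding` flag in the thread, `url_decode`, `normalise`, `uri_rule_matches` and `check_uri` are hypothetical helpers written for this example, and the sample URIs are constructed. It also shows the edge case a practitioner wants handled: a malformed escape or a `%00` that would decode to an embedded NUL is reported as a failure rather than silently passed on, since a NUL truncates the C string every later check sees.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the per-directory config in the thread
 * (not ModSecurity's real sec_dir_config): one flag saying whether
 * checks run on the decoded or on the raw REQUEST_URI. */
typedef struct {
    int decode_before_checks;
} demo_dir_config;

static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes and '+' (as space) from src into dst.
 * dst must hold strlen(src) + 1 bytes. Returns the decoded length,
 * or -1 if an escape is malformed or decodes to a NUL byte.
 * src[i + 2] is only read once src[i + 1] is a hex digit, so the
 * loop never runs past the terminating NUL of src. */
int url_decode(const char *src, char *dst) {
    size_t n = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        if (src[i] == '%') {
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = (hi >= 0) ? hexval((unsigned char)src[i + 2]) : -1;
            if (lo < 0) return -1;                 /* malformed escape */
            unsigned char b = (unsigned char)(hi * 16 + lo);
            if (b == 0) return -1;                 /* embedded NUL: would truncate later checks */
            dst[n++] = (char)b;
            i += 2;
        } else if (src[i] == '+') {
            dst[n++] = ' ';
        } else {
            dst[n++] = src[i];
        }
    }
    dst[n] = '\0';
    return (int)n;
}

/* Mirror of the thread's normalise(): copy the URI and, depending on
 * the flag, either return it untouched or decode it. Caller frees.
 * Returns NULL on allocation failure or on a malformed encoding. */
char *normalise(const demo_dir_config *cfg, const char *uri) {
    char *out = malloc(strlen(uri) + 1);
    if (out == NULL) return NULL;
    if (!cfg->decode_before_checks) {
        strcpy(out, uri);
        return out;
    }
    if (url_decode(uri, out) < 0) {
        free(out);
        return NULL;
    }
    return out;
}

/* Toy rule: does the (normalised) URI contain the pattern?
 * Returns 1 = match, 0 = no match, -1 = normalisation failed,
 * which a WAF should treat as a reason to block, not as a pass. */
int uri_rule_matches(const demo_dir_config *cfg, const char *uri, const char *pattern) {
    char *n = normalise(cfg, uri);
    if (n == NULL) return -1;
    int hit = strstr(n, pattern) != NULL;
    free(n);
    return hit;
}

/* Convenience wrapper: same check with the flag passed directly. */
int check_uri(int decode_before_checks, const char *uri, const char *pattern) {
    demo_dir_config cfg = { decode_before_checks };
    return uri_rule_matches(&cfg, uri, pattern);
}

int main(void) {
    /* Constructed sample: encoded dot-dot that a raw check never sees as "../". */
    const char *traversal = "/cgi-bin/%2e%2e/%2e%2e/etc/passwd";
    printf("raw check for '../':     %d\n", check_uri(0, traversal, "../"));
    printf("decoded check for '../': %d\n", check_uri(1, traversal, "../"));
    printf("embedded NUL:            %d\n", check_uri(1, "/index.php%00.jpg", "php"));
    return 0;
}
```

Running the program prints 0, 1 and -1: with decoding off the traversal evades a literal `../` rule, with decoding on it is caught, and `%00` is refused instead of truncating the string. The same mechanism cuts the other way, which is why a per-rule setting is attractive: a rule that wants to see the literal `%00` or `%2e%2e` in the request only matches when decoding is off for that rule.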