Re: [mod-security-users] Positive security
From: Terry D. <tdo...@na...> - 2005-06-15 14:57:30
Ivan Ristic wrote:
>
>
> <Location /user_view.php>
> # This script only accepts GET
> SecFilterSelective REQUEST_METHOD !^GET$
> # Accept only one parameter: id
> SecFilterSelective ARGS_NAMES !^id$
> # Parameter id is mandatory, and it must be
> # a number, 4-14 digits long
> SecFilterSelective ARG_id !^[[:digit:]]{4,14}$
> </Location>
Just an aside about the above filters: I'm using a similar model to protect
a small service that talks to a custom application. Only POST, only one arg
(m) and the parameter must at least _look_ like an md5 hash. My method uses
just one regexp on the payload:
SecFilterSelective REQUEST_METHOD "!^(POST)$"
SecFilterSelective POST_PAYLOAD "!^m=[0-9a-f]{32}$"
This works, but am I losing something important by using this one regexp
instead of specific references to ARGS_NAMES and ARG_m?
Cheers,
Terry.
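To make the difference between the two rule styles concrete, here is an added example (not part of the original thread, and not ModSecurity code) that models both checks in Python on constructed requests. It assumes, as a simplification, that the per-argument style sees ARGS drawn from both the query string and the POST body after URL decoding, while the single POST_PAYLOAD regex only ever sees the raw, undecoded body; the request tuples and the hypothetical service path /svc are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Value check shared by both styles: 32 lowercase hex digits, i.e. "looks like an md5".
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# Terry's single payload regex, applied to the raw request body.
PAYLOAD_RE = re.compile(r"^m=[0-9a-f]{32}$")


def payload_only(method, url, body):
    """Model of the single-regex approach: method check, then one regex on the raw body.
    The query string part of `url` is never inspected."""
    if method != "POST":
        return False
    return PAYLOAD_RE.match(body) is not None


def per_argument(method, url, body):
    """Model of the per-argument approach (REQUEST_METHOD, ARGS_NAMES, ARG_m).
    Assumption: ARGS is the decoded union of query-string and body parameters."""
    if method != "POST":
        return False
    query = urlsplit(url).query
    args = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    if not args:
        return False                      # m is mandatory
    if any(name != "m" for name, _ in args):
        return False                      # ARGS_NAMES !^m$  -> any other name is rejected
    return all(MD5_RE.match(value) for _, value in args)   # ARG_m !^[0-9a-f]{32}$


HEX32 = "a" * 32   # constructed stand-in for an md5 value

# Constructed requests: (method, url, body)
CASES = {
    "plain post":         ("POST", "/svc", "m=" + HEX32),
    "wrong method":       ("GET",  "/svc", "m=" + HEX32),
    "extra body arg":     ("POST", "/svc", "m=" + HEX32 + "&x=1"),
    "extra query arg":    ("POST", "/svc?debug=1", "m=" + HEX32),
    "url-encoded value":  ("POST", "/svc", "m=" + "a" * 31 + "%61"),
}


def compare(cases=CASES):
    """Return {case: (payload_only_result, per_argument_result)} for each request."""
    return {name: (payload_only(*req), per_argument(*req)) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (p, a) in compare().items():
        print(f"{name:20s} payload_only={p!s:5s} per_argument={a!s:5s}")
```

The two rows where the models disagree are the interesting ones: a parameter smuggled in via the query string of a POST passes the body-only regex but fails the ARGS_NAMES check, whereas a legitimately URL-encoded value fails the raw-body regex and passes the decoded per-argument check. Whether either matters depends on how the real ModSecurity build populates those variables, which is exactly the question the post asks.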