[mod-security-users] RE: [Modsecurity] Access denied with code 406. Pattern match "\|\x20\x20*\|"

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

> -----Original Message-----
> From: Sander Holthaus - Orange XL [mailto:in...@or...] 
> Sent: Friday, August 05, 2005 1:48 PM
> To: 'Bill Church'
> Cc: mod...@li...
> Subject: RE: [Modsecurity] Access denied with code 406. 
> Pattern match "\|*\x20*\x20*\|" atTHE_REQUEST
> > To me, this would be spelled out as
> > 
> >  \| (pipe) * (anything) \x20 (space) * (anything) \x20
> > (space) * (anything) \| (pipe)
> 
> Not entirely. It spells:
> 
> Zero to infinite (pipe) Zero to infinite (space) Zero to 
> infinite (space)
> (pipe)
> 
> Which will match anything with a single pipe in. Therefore it 
> also reads as:
> 
> SecFilterSelective THE_REQUEST "\|"
> 
> Use + instead of *.
> 
> Kind regards,
> Sander Holthaus
> 

You're right, that's actually what I meant by that, sorry. In any case I
think that rule is probably too catchy? I'm not sure of it's original
intention though, it me be acting as intended which is fine if it is.

-Bill

[mod-security-users] RE: [Modsecurity] Access denied with code 406. Pattern match "\|*\x20*\x20*\|"

[mod-security-users] RE: [Modsecurity] Access denied with code 406. Pattern match "\|*\x20*\x20*\|" atTHE_REQUEST

[mod-security-users] RE: [Modsecurity] Access denied with code 406. Pattern match "\|\x20\x20*\|"

[mod-security-users] RE: [Modsecurity] Access denied with code 406. Pattern match "\|\x20\x20*\|" atTHE_REQUEST