[mod-security-users] No URL Decoding patch - updated for 1.9RC1
From: Eli <eli...@ex...> - 2005-10-27 15:24:44
Hi all,

A long time ago, I had the requirement of NOT wanting mod_security to normalize/decode the URL before applying filters on it (so I could filter out urls with ";" and other characters unencoded, but leave URLs that were properly encoded alone), so I made a simple little patch to add an option to mod_security that prevented it from decoding encoded URLs so that the down-stream filters would have an unmodified URL to match against.

I've been successfully using this patch on production servers since I created it (at least 6 months), and it's working very well. I haven't however tried to break it, so I don't know if it would work for everyone - HOWEVER, since I *do* find this extremely useful, and there is still no way to do this in mod_security, I was hoping that someone may take this work, extend it for apache2 (this patch modifies the apache1/mod_security.c file only - not the apache2 file... Well, if it does, it's untested.) and hopefully get it included into the official mod_security release.

http://www.hoktar.com/downloads/other/mod_security-1.9RC1-no_decoding.patch

I accept all criticism - I've made many other "useless" patches for programs before :)

Thanks,
Eli.
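The difference between matching a filter against the decoded URL and against the raw URL, as the message describes it, shown as an added example (not code from the patch or from mod_security). The names `url_decode` and `filter_hits`, the 256-byte limit and the sample URLs are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes from src into dst; returns the decoded length.
   Malformed escapes are copied through unchanged. */
static size_t url_decode(const char *src, char *dst) {
    size_t n = 0;
    while (*src) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1])
                          && isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            dst[n++] = (char)strtol(hex, NULL, 16);
            src += 3;
        } else {
            dst[n++] = *src++;
        }
    }
    return n;
}

/* Hypothetical filter: 1 if the URL contains any byte listed in banned.
   decode_first = 1 models "normalize, then match";
   decode_first = 0 models the no-decoding option (match the raw URL). */
int filter_hits(const char *url, const char *banned, int decode_first) {
    char buf[256];
    size_t n = strlen(url);
    if (n >= sizeof buf) return 1;            /* fail closed on oversize input */
    if (decode_first) n = url_decode(url, buf);
    else memcpy(buf, url, n);
    /* Length-aware search, so a decoded %00 cannot hide later bytes. */
    for (const char *b = banned; *b; b++)
        if (memchr(buf, *b, n)) return 1;
    return 0;
}

int main(void) {
    /* Constructed sample URLs. */
    const char *urls[] = { "/cgi/list;id", "/cgi/list%3Bid", "/cgi/list?q=a%20b" };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-20s decoded=%d raw=%d\n", urls[i],
               filter_hits(urls[i], ";", 1), filter_hits(urls[i], ";", 0));
    return 0;
}
```

With raw matching the filter flags only the literal `;` and passes `%3B`; rules that must catch both forms still need a pass over the decoded URL.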