Hi,
for others: this was answered on GitHub, see:
https://github.com/coreruleset/coreruleset/issues/3527
azurit
Quoting Beckert via mod-security-users
<mod...@li...>:
> Hello,
>
> we are running nginx with ModSecurity 3.0.9 and rule set 3.2.0.
>
> Our users are sending POST requests with content-type
> application/fhir+json
> application/fhir+json; charset=utf-8
> application/fhir+json; charset=iso8859-1
>
> To enable the Json request body parser we added this rule
> # Enable JSON request body parser for application/fhir+json.
> SecRule REQUEST_HEADERS:Content-Type "^application/.+[+]json.*$" \
>     "id:'100',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
>
> But somehow the charset is not considered by the Json parser.
> If a POST is done with
> content-type: application/fhir+json; charset=iso8859-1
> and with some iso8859-1 characters in the json body, ModSecurity
> can't parse the requests and returns an error
>
> [14] tcp.0: [[1706742332.054460688, {}], {"date"=>1706742329.475638,
> "log"=>"2024/01/31 23:05:29 [error]
> 3588367#3588367: *26426370 [client 128.65.209.32] ModSecurity:
> Access denied with code 400 (phase 2). Matched "Operator
> `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1'
> ) [file "/etc/nginx/modsec/modsecurity.conf"] [line
> "54"] [id "200002"] [rev ""] [msg "Failed to parse request body."]
> [data "JSON parsing error: lexical error: invalid
> bytes in UTF8 string.\x0a"] [severity "2"] [ver ""] [maturity "0"]
> [accuracy "0"]
>
> ModSecurity considers the body as UTF8.
>
> How to convince the Json parser to parse it as iso8859-1 as stated
> in the content-type?
>
> Uwe
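The failure quoted above, reproduced as an added example (not code from the thread, from ModSecurity, or from the linked GitHub issue). Python's json module stands in for the WAF's JSON parser, the sample body is constructed, and parse_with_declared_charset is a hypothetical normalisation step shown only for contrast with the UTF-8-only parse.

```python
import json
import re

# Regex from the SecRule in the quoted message; t:lowercase runs before the match.
RULE_RE = re.compile(r"^application/.+[+]json.*$")


def rule_matches(content_type: str) -> bool:
    """True when the quoted rule would switch on the JSON body processor."""
    return RULE_RE.match(content_type.lower()) is not None


def declared_charset(content_type: str) -> str:
    """Return the charset parameter of a Content-Type, or utf-8 if absent."""
    m = re.search(r';\s*charset\s*=\s*"?([^\s;"]+)', content_type, re.I)
    return m.group(1).lower() if m else "utf-8"


def parse_as_utf8(body: bytes):
    """Parse raw bytes as UTF-8 JSON, ignoring any declared charset.

    Returns (document, None) on success or (None, reason) on bad bytes,
    mirroring the "invalid bytes in UTF8 string" error in the log.
    """
    try:
        return json.loads(body.decode("utf-8")), None
    except UnicodeDecodeError as exc:
        return None, f"invalid UTF-8 at byte {exc.start}"


def parse_with_declared_charset(content_type: str, body: bytes):
    """Hypothetical step: decode per the declared charset, then parse."""
    return json.loads(body.decode(declared_charset(content_type)))


# Constructed sample: one non-ASCII character encoded as ISO-8859-1 (byte 0xFC).
CT = "application/fhir+json; charset=iso8859-1"
BODY = '{"family": "M\u00fcller"}'.encode("iso8859-1")

if __name__ == "__main__":
    print("rule matches:", rule_matches(CT))
    print("UTF-8 parse:", parse_as_utf8(BODY))
    print("declared-charset parse:", parse_with_declared_charset(CT, BODY))
```

The rule's regex only selects the body processor; the charset parameter it also matches is never passed on, so the same bytes that are valid ISO-8859-1 are rejected as malformed UTF-8.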