Re: [mod-security-users] file upload error
From: Ivan R. <iv...@we...> - 2005-12-15 10:30:31
scOrpiOnn wrote:
> hi all, one question :D
>
> i have a upload form -> upload.asp , and i put one gif image, and do
> upload... (mozilla firefox)
>
> modsec.conf -------------
> <Location /asp/upload.asp>
> SecFilterInheritance Off
> SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
> </Location>
> ---------------------------------
>
> ...
>
> any ideas ? THX ALL :)

It doesn't work the way you think it does :) You don't get to
access the raw request payload for multipart/form-data requests.
And even if you did, the content-type field is client-driven and
thus easy to fake.

To filter uploaded files you need to create a script and use
SecUploadApproveScript. But you'll need to figure out the content
types by yourself.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
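
An added example, not part of Ivan's message or of the ModSecurity distribution: an approval script of the kind SecUploadApproveScript runs, deciding from the file's own leading bytes instead of the client-supplied Content-Type. It assumes the ModSecurity 1.x convention (path of the uploaded file as the only argument, upload approved when the script's output starts with 1); the script name and function names are hypothetical.

```python
#!/usr/bin/env python3
"""Upload approval script: sniff the file header, ignore the client Content-Type."""
import os
import struct
import sys


def sniff_image_type(path):
    """Return 'jpeg', 'gif', 'bmp' or None based on the file's own header bytes."""
    try:
        size = os.path.getsize(path)
        with open(path, "rb") as fh:
            head = fh.read(16)
    except OSError:
        return None  # unreadable file: treat as not approved
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if head[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    # "BM" alone is only two bytes, so also require the size field of the
    # BMP file header (little-endian uint32 at offset 2) to match the file.
    if head[:2] == b"BM" and len(head) >= 6:
        (declared,) = struct.unpack_from("<I", head, 2)
        if declared == size:
            return "bmp"
    return None


def verdict(path):
    """Build the line printed to stdout; a leading '1' means approve (assumed convention)."""
    kind = sniff_image_type(path)
    if kind:
        return "1 accepted as " + kind
    return "0 not a JPEG, GIF or BMP image"


def main(argv):
    if len(argv) != 2:
        print("0 usage: approve_upload.py <file>")
        return 1
    print(verdict(argv[1]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A matching header only shows how the file starts; it does not prove the rest of the file is a well-formed image, so uploads should still be stored outside any directory where the server executes scripts.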