Re: [mod-security-users] Filter question
From: Ivan R. <iv...@we...> - 2006-02-23 16:32:59
Jim McCullars wrote:
> I'm running mod_security 1.9.2
> under Apache 1.3.34 and here is the complete config:
>
> ...
>
> SecFilterSelective SCRIPT_FILENAME "formmail\.pl" skip
> SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"
> SecFilterSelective SCRIPT_FILENAME "contactus\.php" "auditlog,pass"
>
> ...
>
> Note that part of the request reads, "%0Abcc%3A+StarlaK8099%40aol.com", so
> why didn't the second rule block the request? Not sure what I'm doing
> wrong here. Thanks...

I think this is because the regex library used by Apache (and thus used by ModSecurity) is not very capable - it does not understand "\n". I tried replacing "\n" with \x0a (this is a ModSecurity extension) and with "[[:cntrl:]]". Both worked.

Note that it is possible (and recommended) to compile ModSecurity with PCRE (http://www.pcre.org) and thus work with a much better regex library (not to mention the performance increase).

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
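An added example, not part of the original message and not ModSecurity code: it runs the thread's pattern and the `[[:cntrl:]]` variant through the POSIX `regcomp`/`regexec` API against URL-decoded form values. POSIX leaves backslash followed by an ordinary character undefined in an extended regex, so the `\n` result depends on the library, while the `[[:cntrl:]]` form matches the decoded newline. The sample values and helper names are constructed for illustration.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX and '+' so the pattern sees the bytes a decoded form value contains. */
static void url_decode(const char *in, char *out) {
    while (*in) {
        if (*in == '%' && isxdigit((unsigned char)in[1]) && isxdigit((unsigned char)in[2])) {
            char hex[3] = { in[1], in[2], '\0' };
            *out++ = (char)strtol(hex, NULL, 16);
            in += 3;
        } else {
            *out++ = (*in == '+') ? ' ' : *in;
            in++;
        }
    }
    *out = '\0';
}

/* 1 = pattern matches the decoded value, 0 = no match, -1 = error. */
static int rule_matches(const char *pattern, const char *encoded) {
    char decoded[256];
    regex_t re;
    int hit;
    if (strlen(encoded) >= sizeof decoded) return -1;
    url_decode(encoded, decoded);
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    hit = (regexec(&re, decoded, 0, NULL, 0) == 0);
    regfree(&re);
    return hit;
}

/* Pattern from the thread: the library receives a backslash and the letter n. */
static const char *RULE_BACKSLASH_N = "\\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@";
/* Variant from the reply: a character class the library does understand. */
static const char *RULE_CNTRL = "[[:cntrl:]][[:space:]]*(to|bcc|cc)[[:space:]]*:.*@";
/* Constructed sample values (not taken from the thread). */
static const char *INJECTED = "hi%0Abcc%3A+user%40example.com";
static const char *BENIGN = "please+cc%3A+me+at+user%40example.com";

int main(void) {
    /* The first result varies with the regex library in use. */
    printf("backslash-n rule, injected: %d\n", rule_matches(RULE_BACKSLASH_N, INJECTED));
    printf("cntrl rule, injected:       %d\n", rule_matches(RULE_CNTRL, INJECTED));
    printf("cntrl rule, benign:         %d\n", rule_matches(RULE_CNTRL, BENIGN));
    return 0;
}
```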