Re: [mod-security-users] I get requests like:
From: Ivan R. <iv...@we...> - 2006-03-20 21:07:32
Sub Zero wrote:
>>> Access denied with code 406. Pattern match "!^[0-9a-f]*$" at
>>> ARG("PHPSESSID")
>>>
>>> How do I add ; to the argument separators?
>> Put in the character set "!^[0-9a-f;]*$"
>
> Is this an internal bug of mod_security? Can't I define ; as an argument
> separator like &?
I wouldn't call it a bug. It's more like a missing feature.
> Tom Anderson wrote:
>
> I see. I hadn't realized semicolons were valid separators. It would
> seem that the mod_security argument parsing needs to be modified, as
> semicolons appear to be RFC-compliant and W3C-recommended separators.
>
> http://www.freesoft.org/CIE/RFC/1808/index.htm
BTW, the RFC you cited does not define the contents of the
query parameter. The semicolons refer to path parameters, which
are different (and, as far as I know, not used in HTTP).
> http://www.w3.org/TR/html4/appendix/notes.html#h-B.2.2
Recommendations like that are seldom helpful. Standards
need to be *very* clear about encodings, with no room
for interpretation. Otherwise we get in a mess, like,
for example, with the cookies specifications.
Tom Anderson wrote:
> 1.9.2 seems to hardcode the "&" character in a couple of places.
It does. I'll probably add support for this feature in the
next release.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
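
The behaviour discussed in this thread, as an added example (not ModSecurity's code and not written by any poster): a small query-string parser with a configurable separator set, checked against the PHPSESSID pattern from the quoted rule. The function names and the sample query string are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Pattern from the rule quoted in the thread: PHPSESSID must be hex only.
SESSION_ID = re.compile(r"^[0-9a-f]*$")


def parse_args(query, separators="&"):
    """Split a query string into (name, value) pairs.

    `separators` is the set of characters treated as argument separators.
    The default "&" models a parser that only knows about "&".
    """
    pairs = []
    for chunk in re.split("[" + re.escape(separators) + "]", query):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def rule_blocks(query, separators="&"):
    """True if any PHPSESSID value fails the hex-only pattern."""
    return any(
        name == "PHPSESSID" and not SESSION_ID.match(value)
        for name, value in parse_args(query, separators)
    )


# Constructed sample: a client that separates arguments with ";".
SAMPLE = "PHPSESSID=0a1b2c3d4e5f;page=2"

if __name__ == "__main__":
    # "&"-only parsing: the ";" and everything after it become part of the
    # PHPSESSID value, so the hex-only rule denies the request.
    print(parse_args(SAMPLE), rule_blocks(SAMPLE))
    # ";" accepted as a separator: PHPSESSID is clean hex and the rule passes.
    print(parse_args(SAMPLE, "&;"), rule_blocks(SAMPLE, "&;"))
```
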