Thanks a lot Ivan and Alex,
You are right about the URL size. Mod Sec seems to block the URL when the size is up to 483 characters. I think that even siteminder doesn't treat the end of the URL, but it blocks nothing.
I have changed "SecFilterForceByteRange" from the range "1 to 255" to "0 to 255" but, of course, it doesn't resolve my problem.

I will work on the application to have a smaller URL, or I will try to find a solution to enlarge the size imposed by the client.
Many thanks for your investigations.
Christophe
> Message of 10/04/06 at 12:26
> From: "Ivan Ristic" <iv...@we...>
> To: "Alex" <al...@bs...>
> Cc: ze...@vo..., mod...@li...
> Subject: Re: [mod-security-users] Access denied with code 403. Error normalising REQUEST_URI: Invalid URL encoding detected: not enough characters
>
> Alex wrote:
> > Hi Christophe
> >
> > IMHO (but Ivan will confirm) mod_security seems to truncate your url (see
> > Location:
> >> /siteminderagent/pwcgi/smpwservicescgi.exe?SMENC=UTF-8&SMTOKEN={RC2}GuFcF7I/F5Sl03RqtNrPsMPlYiQZg/B1e2KFVDxfbVrnyC2MPyEDnDn1fDzHRadtrowaa0dtXRcvNGiN+cwPaCYlGkzRryxlqAMQ33n/JFc//j8GS51FTS31e00c0C0x4dszYnBMJfwIFO/TQ0vyWFW1RyszdoiTDAp8ZSwqgO0=&USERNAME=test_YM00&SMAUTHREASON=20&SMAGENTNAME=-SM-fshUMrkQm%2fB7%2bk8CAU%2fak459pCXPADL1l0bEfFr6ZGrq3HJ%2fv720ACDphqn4Rhzb&TARGET=-SM-https%3a%2f%2fwww%2emyserver%2ecom%2fURI%2fhome%2ehtml%3
> > that is truncated before the end... (fSMLOCALE=FR-FR is missing) and causes
> > the %3f not being accepted... Changing the %3f to ? makes the query a
> > little bit shorter and is then accepted (but without taking care of the
> > LOCALE I think).
>
> Thanks for pointing out the content of the "Location" header. You are right
> in that the content is truncated but it's not ModSecurity or Apache that's
> doing it. It is received that way so it's probably the client that is sending
> it. There appears to be a limit of 432 bytes (imposed by the client).
>
> --
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> ModSecurity: Open source Web Application Firewall
> Apache Security (O'Reilly): http://www.apachesecurity.net
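The failure discussed in this thread, as an added example that is not code from the thread or from ModSecurity: a Python check that finds malformed `%XX` escapes and tells a cut-off trailing escape (the "not enough characters" case) apart from other defects. The URL, the length limit and the function names are constructed for illustration; the last case mirrors Alex's observation that swapping `%3f` for `?` gets the request accepted while the locale parameter is still lost.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")

def find_bad_escapes(uri):
    """Return (offset, reason) for every malformed %XX escape in uri."""
    problems = []
    i = 0
    while i < len(uri):
        if uri[i] == "%":
            digits = uri[i + 1:i + 3]
            if len(digits) < 2:
                # The string ends before the escape is complete.
                problems.append((i, "not enough characters"))
            elif not set(digits) <= HEX_DIGITS:
                problems.append((i, "non-hexadecimal characters"))
            else:
                i += 2  # skip the two hex digits of a valid escape
        i += 1
    return problems

def cut_inside_escape(uri):
    """True when the only defect is an escape cut off at the end of uri,
    which points at truncation upstream rather than at hostile input."""
    problems = find_bad_escapes(uri)
    return len(problems) == 1 and problems[0][1] == "not enough characters"

# Constructed sample: a redirect target whose encoded "?" (%3f) sits
# near the end, and a hypothetical client limit that falls inside it.
FULL = ("/pwcgi/example.exe?TARGET=-SM-https%3a%2f%2fwww%2eexample%2ecom"
        "%2fhome%2ehtml%3fSMLOCALE=FR-FR")
LIMIT = FULL.index("%3fSMLOCALE") + 2
RECEIVED = FULL[:LIMIT]                      # ends in "%3"

# Same limit with "%3f" replaced by "?": the cut no longer lands inside
# an escape, so the check passes although the parameter is still lost.
WORKAROUND_FULL = FULL.replace("%3fSMLOCALE", "?SMLOCALE")
WORKAROUND = WORKAROUND_FULL[:LIMIT]         # ends in "?S"

if __name__ == "__main__":
    for label, uri in (("full", FULL), ("received", RECEIVED),
                       ("workaround", WORKAROUND)):
        print(label, len(uri), find_bad_escapes(uri), cut_inside_escape(uri))
```

A clean result on the workaround string only means the encoding is well formed; comparing the received length against the sender's intended URL is still needed to notice the missing tail.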