Re: [mod-security-users] checking single parameter value
From: Alex V. <ale...@ss...> - 2006-04-13 07:33:45
AFAIK, md5 are only hex values... So yours (with other chars) aren't md5... but it's not really your problem there...

I think this should work:

SecFilterSelective REQUEST_URI "^/mls_verifyemail.php" chain
SecFilterSelective ARGS_hash "^[0-9a-zA-Z]*" allow

Alex

On Thu 13 April 2006 3:56, joe barbish wrote:
> Hello list;
> In my debug log I see this:
>
> Normalised REQUEST_URI: /mls_verifyemail.php?hash=bGF5YmFja2ppbW15
> Parsing arguments...
> Adding parameter: [hash][bGF5YmFja2ppbW15]
> Checking signature "^/mls_verifyemail.php" at REQUEST_URI
> Checking against "/mls_verifyemail.php?hash=bGF5YmFja2ppbW15"
> Signature check returned -1
> Access allowed based on pattern match "^/mls_verifyemail.php" at REQUEST_URI
>
> This is the rule which allows the above to pass
> SecFilterSelective REQUEST_URI "^/mls_verifyemail.php" allow
>
> I want to tighten this up by checking that there is only a single
> parameter value and that it's an md5 hash with no bogus stuff inserted
> SecFilterSelective REQUEST_URI "^/mls_verifyemail.php" chain
> SecFilterSelective QUERY_STRING "^?hash=" chain
> SecFilterSelective ARGS_VALUES "^hash=[0-9a-zA-Z]" allow
>
> This errors out. What am I doing wrong?
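
Added example (not part of the messages above and not ModSecurity code): a Python sketch of the check the question asks for, exactly one parameter named hash whose value is 32 hexadecimal characters, set beside the pattern from the reply, which matches every input because "*" permits zero characters and nothing anchors the end. The function names and the sample query strings are constructed for illustration; the 32-hex-character form of an MD5 digest is the assumed target format.

```python
import re
from urllib.parse import parse_qsl

# Pattern from the reply: '*' allows zero characters and there is no end
# anchor, so the match succeeds on any input, including an empty value.
LOOSE = re.compile(r"^[0-9a-zA-Z]*")
# Assumed stricter form: an MD5 digest printed as exactly 32 hex characters.
MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")


def loose_accepts(value):
    """True when the unanchored pattern matches, which is always."""
    return LOOSE.search(value) is not None


def check_query(query_string):
    """Return (ok, reason) for a raw query string such as 'hash=...'."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    if len(pairs) != 1:
        return False, "expected exactly one parameter, got %d" % len(pairs)
    name, value = pairs[0]
    if name != "hash":
        return False, "unexpected parameter name %r" % name
    # fullmatch anchors both ends and, unlike '$', rejects a trailing newline.
    if not MD5_HEX.fullmatch(value):
        return False, "value is not 32 hex characters"
    return True, "ok"


# Constructed sample inputs; the first value is the one from the debug log.
SAMPLES = [
    "hash=bGF5YmFja2ppbW15",
    "hash=d41d8cd98f00b204e9800998ecf8427e",
    "hash=d41d8cd98f00b204e9800998ecf8427e&x=1",
    "hash=d41d8cd98f00b204e9800998ecf8427e!!",
    "hash=",
]

if __name__ == "__main__":
    for qs in SAMPLES:
        value = qs.split("=", 1)[1]
        print(qs, "| loose:", loose_accepts(value), "| strict:", check_query(qs))
```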