Re: [mod-security-users] checking single parameter value
From: Alex V. <ale...@ss...> - 2006-04-13 13:02:26
On Thu, 13 April 2006 14:31, joe barbish wrote:
> Thanks Alex
> That worked as shown by these debug log messages
>
> Checking signature "^/mls_verifyemail.php" at REQUEST_URI
> Checking against "/mls_verifyemail.php?hash=YmFyYmlzaDI="
> Signature check returned 403
> Chained rule with match, continue in the loop
> Checking signature "^[0-9a-zA-Z]*" at ARG(hash)
> Checking against "YmFyYmlzaDI="
> Signature check returned -1
> Access allowed based on pattern match "^[0-9a-zA-Z]*" at CUSTOM
> Allow request to pass through
>
> But I am concerned by the asterisk at the end of "^[0-9a-zA-Z]*"
> Is that a wildcard meaning anything else is accepted, like the = in the
> hash value?
>
> The hash value is created using this
> $hash = base64_encode($logonid);
>
> Does base64_encode create any other special characters?
>
> Wouldn't "^[0-9a-zA-Z=]" be more secure?
>

No... It's not a security case, but it means (as for all regexps) that you can have only [0-9a-zA-Z] chars, but more than one!!

Here are examples:

^[0-9a-zA-Z]  -> accept 1 char in this list (0-9a-zA-Z)
^[0-9a-zA-Z]? -> accept blank or 1 char in this list (0-9a-zA-Z)
^[0-9a-zA-Z]+ -> accept 1 or more char(s) in this list (0-9a-zA-Z)
^[0-9a-zA-Z]* -> accept 0 or more chars in this list (0-9a-zA-Z)
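The quantifier behaviour listed in the reply, checked against the hash value from the debug log and a few other inputs with Python's `re` module. This is an added example, not code from the thread or from mod_security; it assumes the filter evaluates the pattern as an unanchored search (which is why a pattern without `$` says nothing about what follows the matched prefix), and the sample values and the two `$`-anchored patterns are constructed here. The last function encodes every byte value to show which non-alphanumeric characters `base64_encode` can actually emit, which answers the question about `=` and similar characters.

```python
import re
import base64

# Constructed sample values: the hash seen in the thread's debug log plus edge cases.
SAMPLES = [
    "YmFyYmlzaDI=",   # value from the debug log above (base64 padding at the end)
    "",               # empty parameter
    "abc",            # alphanumerics only
    "=",              # a lone padding character
    "abc junk!",      # alphanumeric prefix followed by characters outside the class
]

# The four patterns from the reply, plus two fully anchored variants added here.
PATTERNS = [
    "^[0-9a-zA-Z]",
    "^[0-9a-zA-Z]?",
    "^[0-9a-zA-Z]+",
    "^[0-9a-zA-Z]*",
    "^[0-9a-zA-Z]+$",          # anchored: the whole value must be alphanumeric
    "^[0-9a-zA-Z+/]+={0,2}$",  # anchored: exactly the characters standard base64 emits
]


def matches(pattern: str, value: str) -> bool:
    """Unanchored search: a pattern with '^' but no '$' only constrains the
    start of the value (assumption: this mirrors how the filter above was applied)."""
    return re.search(pattern, value) is not None


def match_table() -> dict:
    """For each pattern, which of the SAMPLES it accepts, in SAMPLES order."""
    return {p: [matches(p, s) for s in SAMPLES] for p in PATTERNS}


def base64_specials() -> set:
    """Non-alphanumeric characters base64 can produce, found by encoding all 256 byte values."""
    encoded = base64.b64encode(bytes(range(256))).decode("ascii")
    return {c for c in encoded if not c.isalnum()}


if __name__ == "__main__":
    for pattern, results in match_table().items():
        print(f"{pattern:26} {results}")
    print("base64 specials:", sorted(base64_specials()))
```

Running it shows that both `^[0-9a-zA-Z]*` and `^[0-9a-zA-Z]?` accept every sample, including the empty string and `abc junk!`, because `*` and `?` can match zero characters and nothing after the prefix is examined. Only the two `$`-anchored patterns reject the trailing junk, and only the base64-alphabet one still accepts the real hash with its `=` padding; the alphabet check also reports `+`, `/` and `=` as the characters a whitelist for base64 output has to allow.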