[mod-security-users] FILES_TMPNAMES:attachFile changes capital letters i
From: Arthur F. <per...@gm...> - 2006-10-31 14:40:25
Hi,

Using ModSecurity 2.0.3 with Apache 2.2.3 as a reverse proxy on SuSE Linux ES9 I want to scan uploaded files for viruses with the modsec-clamscan.pl script. When viewing the logs below, you will see that ModSecurity2 will give an uploaded file a filename with both small and capital letters. However, when ModSecurity2 executes the modsec-clamscan.pl script it will use the "same" filename, except that it is totally written in small letters. The result of that is that the virus scanner can't find the file, as expected on case-sensitive operating systems.

To me this looks like a bug, but perhaps you can convince me that I did something wrong.

[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No%20Subject-5.EML/][4] Starting phase REQUEST_HEADERS.
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Second phase starting (dcfg 81aa1f8).
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Input filter: Reading request body.
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Multipart: Created temporary file: /tmp/webfiles/20061031-145340-trd7x6wQBEYAAHxCSm0AAAAA-file-jjWlI9
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Input filter: Completed receiving request body (length 309).
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Time #1: 541
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Starting phase REQUEST_BODY.
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Time #2: 581
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Hook insert_filter: Adding output filter (r 82482e8).
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Input filter: Forwarding input: mode=0, block=0, nbytes=16384 (f 82499d0, r 82482e8).
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Input filter: Forwarded 309 bytes.
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Input filter: Sent EOS.
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Input filter: Input forwarding complete.
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Output filter: Receiving output (f 8249b50, r 82482e8).
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Starting phase RESPONSE_HEADERS.
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Recipe: Invoking rule 81269c0.
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Executing operator inspectFile with param "/usr/local/apache2/cgi-bin/modsec-clamscan.pl" against FILES_TMPNAMES:attachFile.
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Executing /usr/local/apache2/cgi-bin/modsec-clamscan.pl to inspect /tmp/webfiles/20061031-145340-trd7x6wqbeyaahxcsm0aaaaa-file-jjwli9.
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Exec: First line from script output: "0 Unable to parse clamscan output [ERROR: Can't access file /tmp/webfiles/20061031-145340-trd7x6wqbeyaahxcsm0aaaaa-file-jjwli9]"
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Operator completed in 9087 usec.
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Rule returned 1.
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][1] Access denied with code 500 (phase 3). File "/tmp/webfiles/20061031-145340-trd7x6wqbeyaahxcsm0aaaaa-file-jjwli9" rejected by the approver script "/usr/local/apache2/cgi-bin/modsec-clamscan.pl": 0 Unable to parse clamscan output [ERROR: Can't access file /tmp/webfiles/20061031-145340-trd7x6wqbeyaahxcsm0aaaaa-file-jjwli9]
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Initialising logging.
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Starting phase LOGGING.
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Audit log: Logging this transaction.
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Multipart: Cleanup started (remove files 0).
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/exchange/someuser/Concepten/No Subject-5.EML/][4] Input filter: Moved file from "/tmp/webfiles/20061031-145340-trd7x6wQBEYAAHxCSm0AAAAA-file-jjWlI9" to "/tmp/webfiles/20061031-145340-trd7x6wQBEYAAHxCSm0AAAAA-file-jjWlI9".

Regards,
Arthur Fonzarelli
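A check for the mismatch reported above, as an added example that is not part of the original post or of ModSecurity: it pairs each "Created temporary file" line with the "to inspect" line of the same request id and flags paths that differ only by letter case. The sample log is constructed in the post's debug-log format; the `/upload` URI and the second request (rid#0000002) are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the debug-log format shown in the post. Request
# 82482e8 reuses the post's paths; request 0000002 is a made-up clean case.
SAMPLE_LOG = """\
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/upload][4] Multipart: Created temporary file: /tmp/webfiles/20061031-145340-trd7x6wQBEYAAHxCSm0AAAAA-file-jjWlI9
[31/Oct/2006:14:53:40 +0100] [somedomain.com/sid#81b0ff0][rid#82482e8] [/upload][4] Executing /usr/local/apache2/cgi-bin/modsec-clamscan.pl to inspect /tmp/webfiles/20061031-145340-trd7x6wqbeyaahxcsm0aaaaa-file-jjwli9.
[31/Oct/2006:14:54:02 +0100] [somedomain.com/sid#81b0ff0][rid#0000002] [/upload][4] Multipart: Created temporary file: /tmp/webfiles/constructed-file-AbC123
[31/Oct/2006:14:54:02 +0100] [somedomain.com/sid#81b0ff0][rid#0000002] [/upload][4] Executing /usr/local/apache2/cgi-bin/modsec-clamscan.pl to inspect /tmp/webfiles/constructed-file-AbC123.
"""

RID = re.compile(r"\[rid#([0-9a-fA-F]+)\]")
CREATED = re.compile(r"Multipart: Created temporary file: (\S+)")
INSPECT = re.compile(r"Executing \S+ to inspect (\S+?)\.?$")


def find_case_mismatches(log_text):
    """Return (rid, created_path, inspected_path) for every inspected path
    that differs from a temp file of the same request only by letter case."""
    created = defaultdict(list)   # rid -> temp file paths as written to disk
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        rid = RID.search(line)
        if not rid:
            continue
        made = CREATED.search(line)
        if made:
            created[rid.group(1)].append(made.group(1))
            continue
        seen = INSPECT.search(line)
        if not seen:
            continue
        path = seen.group(1)
        for original in created[rid.group(1)]:
            # Same name ignoring case but not byte-identical: on a
            # case-sensitive filesystem the scanner cannot open this path.
            if original != path and original.lower() == path.lower():
                findings.append((rid.group(1), original, path))
    return findings


if __name__ == "__main__":
    for rid, original, path in find_case_mismatches(SAMPLE_LOG):
        print(f"rid#{rid}: created {original}\n  but inspected {path}")
```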