Thread: [Mod-security-developers] [JIRA] Closed: (MODSEC-226) Pb with environment variables set by SetEnv
From: Breno S. P. (JIRA) <no...@mo...> - 2012-11-12 13:36:49
[ https://www.modsecurity.org/tracker/browse/MODSEC-226?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto closed MODSEC-226.
------------------------------------

    Resolution: Fixed

> Pb with environment variables set by SetEnv
> -------------------------------------------
>
>                 Key: MODSEC-226
>                 URL: https://www.modsecurity.org/tracker/browse/MODSEC-226
>             Project: ModSecurity
>          Issue Type: Bug
>      Security Level: Normal
>          Components: Core
>    Affects Versions: 2.5.13
>         Environment: All
>            Reporter: Marc Stern
>            Assignee: Breno Silva Pinto
>             Fix For: 2.7.0
>
>
> Inconsistent behaviour with environment variables set by SetEnv:
>    Setenv var SETENV
>    SecAction "phase:3,pass,auditlog,msg:'phase 3: var=<%{ENV.var}>'"
> shows the value "SETENV", thus var is in the collection
> Adding the following directive to use it:
>    SecAction "phase:2,pass,nolog,setenv:var=%{ENV.var}/MS"
> shows the value "/MS"
> same result in phase 1, but works Ok in phase 3
> The behaviour is inconsistent: either the rule runs before setEnv and var should be overwritten, or it runs after and it should use it. In no case we expect to have only "/MS".
> Note that this is probably linked to a strange behaviour of SetEnv which runs, for instance, before mod_rewrite & mod_setenvif, but the values are not seen by these modules either.
> Although the problem may lie in mod_env, it is strange that %{ENV.var} works in logging but not in a setenv: (I did not test with setvar:).
> Note that everything works correctly when setting the variable with SetEnvIf.
> Maybe the best solution would be to push for a fix in mod_env ...

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira