From: Ryan Barnett (JIRA) <noreply@mo...> - 2011-03-02 15:41:31
[ https://www.modsecurity.org/tracker/browse/MODSEC-104?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ryan Barnett closed MODSEC-104.
> Never block in detection mode
> Key: MODSEC-104
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-104
> Project: ModSecurity
> Issue Type: Improvement
> Security Level: Normal
> Components: Core
> Reporter: Ivan Ristic
> Assignee: Breno Silva Pinto
> Fix For: 2.6.0
> It is counter-intuitive that ModSecurity blocks when the rule engine is configured with DetectionOnly (see MODSEC-36 for one user's opinion). ModSecurity will currently block if there's more inbound data that it is configured to handle, and if there is more outbound data than it is configured the handle and SecResponseBodyLimitAction is set to Reject. Here's what I propose:
> - Never block in detection mode
> - If SecResponseBodyLimitAction is set to Reject, in detection mode change that internally to ProcessPartial
> - If there's more inbound data than ModSecurity can handle, stop reading it and set a DATA_ERROR flag (we will probably need one flag for the inbound and another for the outbound, but that's a detail). The data already read will remain in a buffer so that it can be passed on later.
> - Future improvements that limit data processing in any way will not cause ModSecurity to block, but only to raise flags
> - Add one or more system rules to the default configuration to catch a raised DATA_ERROR flag
This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: https://www.modsecurity.org/tracker/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
Get latest updates about Open Source Projects, Conferences and News.