Hi all,
A long time ago, I had the requirement of NOT wanting mod_security to
normalize/decode the URL before applying filters on it (so I could filter
out URLs with ";" and other characters unencoded, but leave URLs that were
properly encoded alone), so I made a simple little patch to add an option to
mod_security that prevented it from decoding encoded URLs so that the
down-stream filters would have an unmodified URL to match against.
I've been successfully using this patch on production servers since I
created it (at least 6 months), and it's working very well. I haven't
however tried to break it, so I don't know if it would work for everyone -
HOWEVER, since I *do* find this extremely useful, and there is still no way
to do this in mod_security, I was hoping that someone may take this work,
extend it for apache2 (this patch modifies the apache1/mod_security.c file
only - not the apache2 file... Well, if it does, it's untested.) and
hopefully get it included into the official mod_security release.
http://www.hoktar.com/downloads/other/mod_security-1.9RC1-no_decoding.patch
I accept all criticism - I've made many other "useless" patches for programs
before :)
Thanks,
Eli.