Thread: [mod-security-users] Umlauts in Request
Brought to you by:
victorhora,
zimmerletw
From: Ulf S. <ste...@ze...> - 2003-11-05 12:00:47
|
Apache 1.3.29, mod_security 1.7.2 Whenever there's an "umlaut" (äöü) or another non-ASCII character in the request mod_securtiy strikes with "Invalid character detected". This gives me some trouble because some of our customers use "umlauts" in GET parameters (although correctly URLencoded). Changing the "SecFilterForceByteRange" directive hasn't had any effect and so I'm wondering if it is possible to tell mod_security not to filter those requests. Regards, Ulf -- Ulf Stegemann zeitform Internet Dienste Fraunhoferstr. 5 64283 Darmstadt, Germany http://www.zeitform.de Tel: +49 (0)6151 155-636 mailto:ste...@ze... Fax: +49 (0)6151 155-634 GnuPG/PGP Key-ID: 0x8862250A |
From: Ivan R. <iv...@we...> - 2003-11-05 13:10:25
|
Ulf Stegemann wrote: > Apache 1.3.29, mod_security 1.7.2 > > Whenever there's an "umlaut" (äöü) or another non-ASCII character in the > request mod_securtiy strikes with "Invalid character detected". > > This gives me some trouble because some of our customers use "umlauts" in GET > parameters (although correctly URLencoded). > > Changing the "SecFilterForceByteRange" directive hasn't had any effect and so > I'm wondering if it is possible to tell mod_security not to filter those > requests. Try "SecFilterCheckURLEncoding Off". Does that help? -- ModSecurity (http://www.modsecurity.org) [ Open source IDS for Web applications ] |
From: Ulf S. <ste...@ze...> - 2003-11-05 13:36:28
|
Ivan Ristic <iv...@we...> wrote: > Ulf Stegemann wrote: > >> Apache 1.3.29, mod_security 1.7.2 >> Whenever there's an "umlaut" (äöü) or another non-ASCII character in the >> request mod_securtiy strikes with "Invalid character detected". [...] > Try "SecFilterCheckURLEncoding Off". Does that help? No, unfortunately that does not stop mod_security from blocking the requests. Regards, Ulf -- Ulf Stegemann zeitform Internet Dienste Fraunhoferstr. 5 64283 Darmstadt, Germany http://www.zeitform.de Tel: +49 (0)6151 155-636 mailto:ste...@ze... Fax: +49 (0)6151 155-634 GnuPG/PGP Key-ID: 0x8862250A |
From: Ivan R. <iv...@we...> - 2003-11-05 14:13:35
|
Ulf Stegemann wrote: > Ivan Ristic <iv...@we...> wrote: > > >>Ulf Stegemann wrote: >> >> >>>Apache 1.3.29, mod_security 1.7.2 >>>Whenever there's an "umlaut" (äöü) or another non-ASCII character in the >>>request mod_securtiy strikes with "Invalid character detected". > > > [...] > > >> Try "SecFilterCheckURLEncoding Off". Does that help? > > > No, unfortunately that does not stop mod_security from blocking the requests. Ooops, sorry. I actually ment to write: SecFilterCheckUnicodeEncoding Off ^^^^^^^ Unicode There's a bug in 1.7.2 and Unicode encoding validation if On by default. If that does not resolve your problem please send me as many of these as you can: * mod_security configuration * the URL you want to go through * the message you get in your error log * the fragment from the debug log (set log level to 9) * the fragment from the audit log Then I'll debug the issue and resolve it. -- ModSecurity (http://www.modsecurity.org) [ Open source IDS for Web applications ] |
From: Ulf S. <ste...@ze...> - 2003-11-05 14:50:20
|
Ivan Ristic <iv...@we...> wrote: > SecFilterCheckUnicodeEncoding Off > ^^^^^^^ Unicode > > There's a bug in 1.7.2 and Unicode encoding validation if On by > default. Yes, that did the trick. Now everything works as expected. Thanks a lot for your help and the short response time :) Regards, Ulf -- Ulf Stegemann zeitform Internet Dienste Fraunhoferstr. 5 64283 Darmstadt, Germany http://www.zeitform.de Tel: +49 (0)6151 155-636 mailto:ste...@ze... Fax: +49 (0)6151 155-634 GnuPG/PGP Key-ID: 0x8862250A |