Ivan
Our target platform is Windows server.
Given the download page states testing has stopped for Windows would you
advise on deploying the 1.9 codebase on Windows? I am very interested in
deploying your suggested enhancement "SecFilterExternal".
Ian Spence
-----Original Message-----
From: Ivan Ristic [mailto:iv...@we...]
Sent: 01 March 2005 15:04
To: Spence, Ian (ELS-CAM)
Cc: mod...@li...
Subject: Re: Mod_security question
Spence, Ian (ELS-CAM) wrote:
> Ivan
>
> Can mod_security check on a token parameter in the URL?
>
> E.g. _http://server/app?token=digestTokenValue_
>
> I want the receiving web server to check the token value against an
> agreed algorithm, for a start it will be MD5 digested.
>
> I notice with the mod_security rules you can trap on certain parameter
> values i.e. regex, but given a match can you run a script and then
> depending on the result of the script, either reject or accept the
> http request.
Yes, mod_security can do that. I've added that functionality
to the 1.9.x branch, so far only in the Apache 1.x version of
the module. The new directive is called SecFilterExternal and it
takes only one parameter - the name of the script to execute.
The script will get the path to the file containing request
parameters (only that at the moment) as its first parameter.
Here's an example of a script that uses this feature to interface
to SpamAssassin:
http://cvs.sourceforge.net/viewcvs.py/mod-security/mod_security/util/filter_spamc.pl?rev=1.1&view=auto
This functionality is still rough and I plan to change the
data exchange format before the final 1.9.x version (e.g. to
include the request headers). But it works and you can play with
it in the meantime.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org