Thread: [mod-security-users] file upload error
From: scOrpiOnn <sco...@gm...> - 2005-12-15 10:09:19
hi all, one question :D

I have an upload form -> upload.asp, and I put one gif image, and do upload... (mozilla firefox)

modsec.conf
-------------
<Location /asp/upload.asp>
SecFilterInheritance Off
SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
</Location>
---------------------------------

error message:

[Thu Dec 15 11:07:01 2005] [error] [client 10.10.5.14] mod_security: Access denied with code 403. Pattern match "!image/(jpeg|bmp|gif)" at POST_PAYLOAD [hostname "www.euromadi.es"] [uri "/asp/upload.asp"]

I tested a lot of combinations for SecFilterSelective POST_PAYLOAD, like "!image/(gif)", "(gif)" ... lots of tests, but it never works.

any ideas ? THX ALL :)
From: Ivan R. <iv...@we...> - 2005-12-15 10:30:31
scOrpiOnn wrote:
> hi all, one question :D
>
> i have a upload form -> upload.asp , and i put one gif image, and do
> upload... (mozilla firefox)
>
> modsec.conf -------------
> <Location /asp/upload.asp>
> SecFilterInheritance Off
> SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
> </Location>
> ---------------------------------
>
> ...
>
> any ideas ? THX ALL :)

It doesn't work the way you think it does :) You don't get to access the raw request payload for multipart/form-data requests. And even if you did, the content-type field is client-driven and thus easy to fake.

To filter uploaded files you need to create a script and use SecUploadApproveScript. But you'll need to figure out the content types by yourself.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
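One way to write the approval script the reply above describes, as an added example that is not part of the original thread or the ModSecurity project's code. It assumes the ModSecurity 1.x script interface (the uploaded file's path arrives as the first argument, and the upload is accepted only if the first character written to standard output is "1"); the script path in the comment and the function names are hypothetical.

```sh
#!/bin/sh
# Upload approval script for the /asp/upload.asp form in this thread.
# Assumed wiring (hypothetical path):
#   SecUploadApproveScript /usr/local/sbin/approve-image.sh
# The type is decided from the file's own leading bytes, never from the
# client-supplied Content-Type or the file name.

sniff_image_type() {
    # First 8 bytes of the file as a lowercase hex string, e.g. "47494638...".
    magic=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        ffd8ff*)                      echo jpeg ;;    # JPEG SOI marker
        474946383761*|474946383961*)  echo gif ;;     # "GIF87a" / "GIF89a"
        424d*)                        echo bmp ;;     # "BM" (weak, 2 bytes only)
        *)                            echo unknown ;;
    esac
}

approve_upload() {
    # Reject anything that is not a plain file (missing path, symlink, device).
    if [ ! -f "$1" ] || [ -L "$1" ]; then
        echo "0 rejected: not a regular file"
        return 0
    fi
    kind=$(sniff_image_type "$1")
    case "$kind" in
        jpeg|gif|bmp) echo "1 approved ($kind)" ;;
        *)            echo "0 rejected: content is not jpeg/bmp/gif" ;;
    esac
}

# When invoked with the temporary file path, print the verdict for ModSecurity.
if [ "$#" -ge 1 ]; then
    approve_upload "$1"
fi
```

A signature match only shows that the file starts like an image; the application should still store uploads outside any directory where the server would execute them.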