Thread: [mod-security-users] Patch: ARGS -> HEADER_ARGS | BODY_ARGS
From: Christian B. <ch...@jw...> - 2007-05-29 12:58:28
Attachments:
origin_args.patch

Hi All,

attached to this mail is a small patch which adds two new collections
HEADER_ARGS and BODY_ARGS. They can be used to distinguish arguments
with the same name specified in the QUERY_STRING and in the request-body.

I tested it with modsecurity-2.1.0 and 2.2.0-dev1. (The patch is against
the dev-version, but also works with 2.1.0).

After applying the patch you can test parameters by

    SecRule BODY_ARGS:text "evil" some-actions
and
    SecRule HEADER_ARGS:text !^(A|B)$ some-actions

The first rule will check only arguments which are placed in the body
of a request, whereas the second one will only apply to QUERY_STRING
arguments.

Perhaps this might be useful for someone.

@Brian: There is still no CVS/SVN available for ModSecurity, right?

Regards,
Chris

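The origin split this message describes, as an added example that is not part of the original post or the attached patch: it models the two collections in Python over a constructed request and evaluates the two rules against each. `split_args`, `match`, `shared_names` and the sample request are assumptions for illustration and do not reproduce ModSecurity's own parser.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request (not from the thread): the parameter "text"
# appears in both the query string and the urlencoded body.
SAMPLE_REQUEST = (
    "POST /comment?text=A&id=7 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "text=evil+payload&id=7"
)


def split_args(raw_request):
    """Return (query_args, body_args) as lists of (name, value) pairs."""
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    target = lines[0].split(" ")[1]
    ctype = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            ctype = value.split(";")[0].strip().lower()
    query_args = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    body_args = []  # only urlencoded bodies are modelled here (assumption)
    if ctype == "application/x-www-form-urlencoded":
        body_args = parse_qsl(body, keep_blank_values=True)
    return query_args, body_args


def match(collection, name, pattern, negate=False):
    """Model `SecRule COLLECTION:name [!]pattern` as an unanchored regex search."""
    # A value is a hit when the regex result agrees with the rule's polarity.
    return [v for n, v in collection
            if n == name and (re.search(pattern, v) is None) == negate]


def shared_names(query_args, body_args):
    """Names supplied by both origins, which a merged collection cannot tell apart."""
    return sorted({n for n, _ in query_args} & {n for n, _ in body_args})


if __name__ == "__main__":
    q, b = split_args(SAMPLE_REQUEST)
    print("BODY_ARGS:text evil        ->", match(b, "text", r"evil"))
    print("HEADER_ARGS:text !^(A|B)$  ->", match(q, "text", r"^(A|B)$", negate=True))
    print("names in both origins      ->", shared_names(q, b))
```

Running `match(q + b, ...)` with the negated rule shows the effect of a merged collection: the allow-list written for the query-string value also fires on the body value.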
From: Brian R. <Bri...@br...> - 2007-05-29 15:23:30

Christian Bockermann wrote:
> Hi All,
>
> attached to this mail is a small patch which adds two new collections
> HEADER_ARGS and BODY_ARGS. They can be used to distinguish arguments
> with the same name specified in the QUERY_STRING and in the request-body.
>
> I tested it with modsecurity-2.1.0 and 2.2.0-dev1. (The patch is against
> the dev-version, but also works with 2.1.0).
>
> After applying the patch you can test parameters by
>
> SecRule BODY_ARGS:text "evil" some-actions
> and
> SecRule HEADER_ARGS:text !^(A|B)$ some-actions
>
> The first rule will check only arguments which are placed in the body
> of a request, whereas the second one will only apply to QUERY_STRING
> arguments.
>
> Perhaps this might be useful for someone.
>
> @Brian: There is still no CVS/SVN available for ModSecurity, right?
>
>
> Regards,
> Chris

Nope, no public SVN.

Patch looks good. However, for HEADER_ARGS you call
var_generic_args_generate with an origin="QUERY_STRING" which sets the
var name to "QUERY_STRING_ARGS:foo", but it is really "HEADER_ARGS:foo".
Reason? Or just a typo?

thanks,
-B

--
Brian Rectanus
Breach Security

From: Christian B. <ch...@jw...> - 2007-05-29 18:25:39

On 29.05.2007 at 17:23, Brian Rectanus wrote:

> Christian Bockermann wrote:
>> Hi All,
>>
>> attached to this mail is a small patch which adds two new collections
>> HEADER_ARGS and BODY_ARGS. They can be used to distinguish arguments
>> with the same name specified in the QUERY_STRING and in the
>> request-body.
>>
>> I tested it with modsecurity-2.1.0 and 2.2.0-dev1. (The patch is
>> against
>> the dev-version, but also works with 2.1.0).
>>
>> After applying the patch you can test parameters by
>>
>> SecRule BODY_ARGS:text "evil" some-actions
>> and
>> SecRule HEADER_ARGS:text !^(A|B)$ some-actions
>>
>> The first rule will check only arguments which are placed in the body
>> of a request, whereas the second one will only apply to QUERY_STRING
>> arguments.
>>
>> Perhaps this might be useful for someone.
>>
>> @Brian: There is still no CVS/SVN available for ModSecurity, right?
>>
>>
>> Regards,
>> Chris
>
>
> Nope, no public SVN.
>
> Patch looks good. However, for HEADER_ARGS you call
> var_generic_args_generate with an origin="QUERY_STRING" which sets the
> var name to "QUERY_STRING_ARGS:foo", but it is really
> "HEADER_ARGS:foo".
> Reason? Or just a typo?

I am not that much into the source of ModSec (it took me quite a long
time to figure out where I had to insert my code). As I understand the
code, the use of origin="QUERY_STRING" sets an internal variable to the
name "QUERY_STRING_ARGS:foo". However, this variable seems to be accessed
through var_generic_args_generate only, so it should have no effect.

But I might be wrong with that. (The whole code could need some more
documentation ;-))

However - after having spoken to the other Christian - I will post another
version of the patch which will have the collection renamed to
QUERY_STRING_ARGS instead of HEADER_ARGS which will then be consistent
with the above (internal-only?) naming.

Do you plan public SVN (even read-only would be a help for creating
patches)?

Regards,
Chris

From: Brian R. <Bri...@br...> - 2007-05-29 19:47:40

Christian Bockermann wrote:
>
> On 29.05.2007 at 17:23, Brian Rectanus wrote:
>
>> Christian Bockermann wrote:
>>> Hi All,
>>>
>>> attached to this mail is a small patch which adds two new collections
>>> HEADER_ARGS and BODY_ARGS. They can be used to distinguish arguments
>>> with the same name specified in the QUERY_STRING and in the
>>> request-body.
>>>
>>> I tested it with modsecurity-2.1.0 and 2.2.0-dev1. (The patch is against
>>> the dev-version, but also works with 2.1.0).
>>>
>>> After applying the patch you can test parameters by
>>>
>>> SecRule BODY_ARGS:text "evil" some-actions
>>> and
>>> SecRule HEADER_ARGS:text !^(A|B)$ some-actions
>>>
>>> The first rule will check only arguments which are placed in the body
>>> of a request, whereas the second one will only apply to QUERY_STRING
>>> arguments.
>>>
>>> Perhaps this might be useful for someone.
>>>
>>> @Brian: There is still no CVS/SVN available for ModSecurity, right?
>>>
>>>
>>> Regards,
>>> Chris
>>
>>
>> Nope, no public SVN.
>>
>> Patch looks good. However, for HEADER_ARGS you call
>> var_generic_args_generate with an origin="QUERY_STRING" which sets the
>> var name to "QUERY_STRING_ARGS:foo", but it is really "HEADER_ARGS:foo".
>> Reason? Or just a typo?
>
> I am not that much into the source of ModSec (it took me quite a long
> time to figure out where I had to insert my code). As I understand the
> code, the use of origin="QUERY_STRING" sets an internal variable to the
> name "QUERY_STRING_ARGS:foo". However, this variable seems to be accessed
> through var_generic_args_generate only, so it should have no effect.
>
> But I might be wrong with that. (The whole code could need some more
> documentation ;-))

Agreed. Working on that :)

>
> However - after spoken to the other Christian - I will post another
> version of the patch which will have the collection renamed to
> QUERY_STRING_ARGS instead of HEADER_ARGS which will then be consistent
> with the above (internal-only?) naming.

Consistency is better. It will show up in the debug log and that might
get confusing.

>
> Do you plan public SVN (even read-only would be a help for creating
> patches)?

Not anytime soon (lack of time), sorry.

>
> Regards,
> Chris

-B

--
Brian Rectanus
Breach Security