Katsuharu Watanabe wrote:
> Hi all,
>
> I have some trouble.
>
> (1) I want to block some meta-characters on request parameters except the one named test1, but I can't filter "&" and "=" well.
>
> --- My configuration ---
> SecFilterSelective "ARGS_NAMES|ARGS_VALUES|!ARG_test1" "[&]" deny,log
> SecFilterSelective "ARGS_NAMES|ARGS_VALUES|!ARG_test1" "[=]" deny,log
>
> In detail, when the request has only the parameter test1, it works fine. But when there are more parameters, all requests are blocked. For example, I access the URL below.
>
> http://www.example.com/index.html?test1=111&test2=222&test3=333
>
> This case is checking against "test2=222&test3=333". (found this from debug-log.)
> I want to evaluate "222" and "333", but I have no idea.
That's not possible at the moment. However, it makes sense and I'll
make it possible in 1.9. (The "!ARG_xyz" syntax only works with
"ARGS" at the moment.)
> (2) How does SecFilterSelective's location match the whole request including headers?
>
> That's maybe,
>
> SecFilterSelective "THE_REQUEST|POST_PAYLOAD|HTTP_Host|HTTP_User-Agent|(...more and more headers context)" foo deny,log
>
> But this is very hard... I want an easier and simpler configuration like the Output filter,
>
> SecFilterSelective INPUT foo deny,log
>
> What do you think?
In 1.9 it's:
SecFilterSelective THE_REQUEST|POST_PAYLOAD|HEADERS foo deny,log
I can add EVERYWHERE to make it even simpler :)
Although do note OUTPUT only covers the response body at this time.
It doesn't include the response headers.
--
Ivan Ristic (http://www.modsecurity.org)
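The filtering difference discussed above, as an added Python emulation that is not part of this thread or of ModSecurity's own code: match_raw_remainder reproduces what the debug log shows (the excluded argument is cut out of the raw query string and the patterns run over what is left, so "&" and "=" always match once a second parameter exists), while match_per_argument is the per-argument check the poster wants. The function names, the URL-decoding of values before matching, and the second sample URL with encoded meta-characters are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the URL from the original question.
URL = "http://www.example.com/index.html?test1=111&test2=222&test3=333"

# The two meta-character patterns from the posted rules (both deny on match).
PATTERNS = [re.compile(r"[&]"), re.compile(r"[=]")]


def match_raw_remainder(url, exclude):
    """Emulate the behaviour seen in the debug log: the excluded argument is
    removed from the raw query string and the patterns run over the rest.
    Returns (remainder, list of matching patterns)."""
    query = urlsplit(url).query
    kept = [p for p in query.split("&") if p.split("=", 1)[0] not in exclude]
    remainder = "&".join(kept)
    hits = [pat.pattern for pat in PATTERNS if pat.search(remainder)]
    return remainder, hits


def match_per_argument(url, exclude):
    """The behaviour the poster wants: decode the query into name/value pairs,
    skip the excluded argument, and test each remaining name and value on its
    own. Returns a list of (arg name, offending field, pattern) tuples.
    Assumption: values are URL-decoded before matching."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    hits = []
    for name, value in pairs:
        if name in exclude:
            continue
        for field in (name, value):
            for pat in PATTERNS:
                if pat.search(field):
                    hits.append((name, field, pat.pattern))
    return hits


if __name__ == "__main__":
    remainder, hits = match_raw_remainder(URL, {"test1"})
    print(f"raw remainder {remainder!r} -> hits {hits}")  # blocked: '&' and '=' present
    print(match_per_argument(URL, {"test1"}))  # []: 222 and 333 contain no meta-characters
    # Constructed URL with encoded meta-characters: only the non-excluded value is flagged.
    ENCODED = "http://www.example.com/?test1=a%3Db&test2=x%26y"
    print(match_per_argument(ENCODED, {"test1"}))  # [('test2', 'x&y', '[&]')]
```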