coreruleset: ModSec 3.0 fails on new rule 901350 (enforce body processor URLENCODED)

_Issue originally created by user dune73 on date 2018-06-05 13:22:02. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1120._

Houston, we have a problem.

ModSec 3.0 implements ctl:requestBodyProcessor=JSON, but fails to run with ctl:requestBodyProcessor=URLENCODED.

I have opened an issue over at ModSec: https://github.com/SpiderLabs/ModSecurity/issues/1797

This issue could mean that we do not support ModSec 3.0 with our 3.1 release. I hope it gets fixed in ModSec 3.0, or ModSec and our project are both in a tricky situation.
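An illustrative rule in the shape the issue describes, added here as an example; it is not copied from the CRS repository or from ModSecurity, and the header regex and action list are assumptions (only the rule id 901350 and the ctl action come from the issue). It pins the body processor to URLENCODED whenever the client declares a form-encoded body, which is the ctl action this thread reports ModSecurity 3.0 could not run:

```apacheconf
# Added example: enforce the URLENCODED body processor whenever the
# client declares a form-encoded body. The rule id (901350) comes from
# the issue title; the regex and the action list are illustrative
# assumptions, not the CRS rule text.
#
# Why a defender wants this: request-body rules inspect ARGS, which are
# only populated if the engine actually parses the body. Pinning the
# processor to the declared Content-Type removes any ambiguity about
# whether a urlencoded body gets parsed before the inspection phases run.
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded" \
    "id:901350,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    ctl:requestBodyProcessor=URLENCODED"

# Engine-side variant discussed later in the thread: the same rule shipped
# with the engine's recommended configuration but left disabled by default,
# so operators opt in instead of CRS changing engine behaviour as a side
# effect. Illustrative only; the rule id is a placeholder.
# SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded" \
#     "id:PLACEHOLDER_ID,phase:1,pass,nolog,t:none,ctl:requestBodyProcessor=URLENCODED"
```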

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 20

Most upvoted comments

User dune73 commented on date 2018-06-20 21:04:02:

Thank you for sharing your view. I agree that there are PROs and CONs. Having it in the recommended rules, even if only as an option, would ease things for us, as it is a setting that changes the behavior of the engine, and we would like CRS to have no side effects if possible.

If it is part of the recommended rules, then we can simply point to said rules in our documentation and tell people to enable it for a really secure setup.

I’ll open an issue.

User victorhora commented on date 2018-06-20 14:29:01:

I’m not sure about enforcing URLENCODED by default, dune73. I see positive and negative aspects about it. But I’d say if it’s something that most would like to see, an issue about it should be opened for discussion, and adding it to the file but leaving it disabled by default can also be an option.

User victorhora commented on date 2018-06-19 14:42:22:

You’re welcome, dune73. The buildbots suggest that the patch is fine, and I also ran some tests here that tell me it should solve the issue. I’ll see about also adding a test case for this one to make it easier for others to test. Should be merged to master soon, I think.

About 3.0.3, we have a public milestone set with a due date of June 25th. I’m not sure if we will make it, as there are some tricky issues there to fix on such short notice, and we are also overly busy 😦

User dune73 commented on date 2018-06-19 08:48:20:

Thank you victorhora.

That’s quite a change set. Wish I had the time to test this, but I am too busy.

What is the time frame for ModSec 3.0.3?

User victorhora commented on date 2018-06-19 00:37:41:

Initial support for ctl:requestBodyProcessor=URLENCODED at PR https://github.com/SpiderLabs/ModSecurity/pull/1807

User emphazer commented on date 2018-06-13 13:38:49:

christiantreutler-avi PR for CRS

User dune73 commented on date 2018-06-12 21:04:23:

That would be helpful, #emphazer.

User csanders-git commented on date 2018-06-05 13:34:55:

I suppose I should just switch the NGINX Docker to be libmodsec 😉