Handling & correctly #73
Comments
In Coraza it will compile, but it will return 1, because it counts the matched variables and single-value variables are a single match.
As @jptosso says, it should return 1. We use it on collections to mean "does this variable exist", so all variables should follow the same semantics.
Not sure. Maybe with a grace period. Add the new behavior with a compilation flag, log a warning (with deprecation message) when the old behavior is in effect and such a rule is parsed, then, at a later point drop the old behavior and the compilation flag.
Based on this PR it seems that some engines (libmodsecurity3) allow the & sign with each variable (e.g. REQUEST_BODY_LENGTH) even if it makes no sense (what about Coraza?). Apache2 reports a weird message:
Error creating rule: The & modificator does not apply to non-collection variables.
but allows & in front of REQUEST_BODY although it's not a collection either.
We should decide which way we want to follow: keep the parser as it is now, or make some modification to make it more strict.
@theseion, @fzipi, @dune73 - what do you think about this?
@M4tteoP, @jptosso - how does Coraza handle this syntax?
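The three options raised in this thread, as an added sketch that is not code from this project, Coraza or ModSecurity: lenient parsing, a grace-period mode that warns, and a strict mode that rejects & on single-value variables. The variable subset, the mode names and the constructed TX sample are assumptions; strict mode here also rejects REQUEST_BODY, unlike the Apache2 behaviour reported above.

```python
import re
import warnings

# Assumption: a small subset of ModSecurity variable names, split by kind.
COLLECTIONS = {"ARGS", "REQUEST_HEADERS", "REQUEST_COOKIES", "TX"}
SCALARS = {"REQUEST_BODY", "REQUEST_BODY_LENGTH", "REQUEST_URI"}
VAR_RE = re.compile(r"^(&?)([A-Z_]+)(?::(.+))?$")
MSG = "The & modificator does not apply to non-collection variables."


def parse_variables(spec, mode="lenient"):
    """Parse a SecRule variables field such as '&ARGS:id|REQUEST_URI'.

    mode (hypothetical names): 'lenient' accepts & everywhere, 'warn'
    accepts it but emits a DeprecationWarning on single-value variables,
    'strict' rejects it there. Simplification: selectors contain no '|'.
    """
    parsed = []
    for item in spec.split("|"):
        m = VAR_RE.match(item.strip())
        if not m or m.group(2) not in COLLECTIONS | SCALARS:
            raise ValueError(f"unknown variable: {item!r}")
        counted, name, key = m.groups()
        if counted and name in SCALARS:
            if mode == "strict":
                raise ValueError(f"{MSG} ({name})")
            if mode == "warn":
                warnings.warn(f"{MSG} ({name})", DeprecationWarning, stacklevel=2)
        parsed.append({"name": name, "key": key, "count": bool(counted)})
    return parsed


def count(var, tx):
    """Value of &VAR: the number of matched entries.

    A single-value variable counts as one match, the behaviour the
    thread describes for Coraza.
    """
    if var["name"] in SCALARS:
        return 1
    entries = tx.get(var["name"], {})
    if var["key"] is None:
        return sum(len(values) for values in entries.values())
    return len(entries.get(var["key"].lower(), []))


# Constructed transaction: collections map lower-cased keys to value lists.
TX = {"ARGS": {"id": ["1", "2"], "q": ["x"]}, "REQUEST_BODY_LENGTH": "0"}
```

With the constructed TX, &ARGS:id evaluates to 2 and &REQUEST_BODY_LENGTH to 1, so a rule testing `&REQUEST_BODY_LENGTH "@eq 0"` can never match in lenient mode; the warn and strict modes surface that at parse time.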