Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Handling & correctly #73

Open
airween opened this issue Apr 11, 2024 · 4 comments
Open

Handling & correctly #73

airween opened this issue Apr 11, 2024 · 4 comments

Comments

@airween
Copy link
Contributor

airween commented Apr 11, 2024

Based on this PR it seems that some engines (libmodsecurity3) allow the & sign with each variables (eg. REQUEST_BODY_LENGTH) even it makes no sense (what about Coraza?). Apache2 reports a weird message: Error creating rule: The & modificator does not apply to non-collection variables. but allows & in front of REQUEST_BODY although it's not a collection either.

We should decide what way do we want to follow: keep the parser as is now or need some modification to make it more strict.

@theseion, @fzipi, @dune73 - what do you think about?

@M4tteoP, @jptosso - how Coraza handles this syntax?

@jptosso
Copy link
Member

jptosso commented Apr 11, 2024

In coraza it will compile but it will return 1. Because it counts the matched variables and single value variables are a single match

https://github.com/corazawaf/coraza/blob/650f02d4cd8087d1e32ff37fd171fe3ed6b1761f/internal/corazawaf/transaction.go#L603

@theseion
Copy link
Contributor

As @jptosso says, it should return 1. We use it on collections to mean "does this variable exist", so all variables should follow the same semantics.

@airween
Copy link
Contributor Author

airween commented Apr 12, 2024

As @jptosso says, it should return 1. We use it on collections to mean "does this variable exist", so all variables should follow the same semantics.

Thanks guys. @theseion do you think we should change this behavior in mod_security2?

@theseion
Copy link
Contributor

Not sure. Maybe with a grace period. Add the new behavior with a compilation flag, log a warning (with deprecation message) when the old behavior is in effect and such a rule is parsed, then, at a later point drop the old behavior and the compilation flag.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants