diff --git a/src/transaction.cc b/src/transaction.cc
index 6bbf17b4..edb02f30 100644
--- a/src/transaction.cc
+++ b/src/transaction.cc
@@ -1622,7 +1622,7 @@ std::string Transaction::toJSON(int parts) {
 m_variableRequestHeaders.resolve(&l);
 for (auto &h : l) {
- LOGFY_ADD(h->getKey().c_str(), h->getValue());
+ LOGFY_ADD(utils::string::toHexIfNeeded(h->getKey().c_str()).c_str(), utils::string::toHexIfNeeded(h->getValue()));
 delete h;
 }
diff --git a/test/test-cases/regression/auditlog.json b/test/test-cases/regression/auditlog.json
index 03c58732..417f9950 100644
--- a/test/test-cases/regression/auditlog.json
+++ b/test/test-cases/regression/auditlog.json
@@ -541,7 +541,7 @@
 "enabled": 1,
 "version_min": 300000,
 "version_max": 0,
- "title": "auditlog : Binary char from input",
+ "title": "auditlog : Binary char from input, check message",
 "client": {
 "ip": "200.249.12.31",
 "port": 2313
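Review bot: In the new `LOGFY_ADD` line of the transaction.cc hunk the key is passed as `h->getKey().c_str()`, so the string given to `toHexIfNeeded` is rebuilt from a C string and ends at the first NUL byte, while the value is passed as a whole `std::string`. A header name carrying an embedded NUL would therefore be truncated in the audit log rather than hex-encoded. LOGFY_ADD is a macro defined outside this hunk; if it expands its arguments more than once, each `toHexIfNeeded` call is also repeated per header. Hoisting both conversions into locals addresses both points: `const std::string key = utils::string::toHexIfNeeded(h->getKey());`, `const std::string value = utils::string::toHexIfNeeded(h->getValue());`, `LOGFY_ADD(key.c_str(), value);`. The loop belongs to Transaction::toJSON, whose body starts and ends outside the hunk, so whether other header loops in that function (response headers, for instance) need the same encoding cannot be judged from here.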
@@ -595,5 +595,132 @@
 "SecAuditLogType Serial",
 "SecAuditLogRelevantStatus \"^(?:5|4(?!04))\""
 ]
+ },
+ {
+ "enabled": 1,
+ "version_min": 300000,
+ "version_max": 0,
+ "title": "auditlog : Binary char from input, check body",
+ "client": {
+ "ip": "200.249.12.31",
+ "port": 2313
+ },
+ "server": {
+ "ip": "200.249.12.31",
+ "port": 80
+ },
+ "request": {
+ "headers": {
+ "Host": "www.modsecurity.org",
+ "User-Agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko\/20091102 Firefox\/3.5.5 (.NET CLR 3.5.30729)",
+ "Accept": "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8",
+ "Accept-Language": "en-us,en;q=0.5",
+ "Accept-Encoding": "gzip,deflate",
+ "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
+ "Keep-Alive": "300",
+ "Connection": "keep-alive",
+ "Pragma": "no-cache",
+ "Cache-Control": "no-cache",
+ "Content-Type": "application/x-www-form-urlencoded",
+ "Content-Length": "3"
+ },
+ "uri": "\/?attack=true",
+ "method": "POST",
+ "http_version": 1.1,
+ "body": [
+ "\u00ad=\u00ad"
+ ]
+ },
+ "response": {
+ "headers": {
+ "Content-Type": "plain\/text\n\r"
+ },
+ "body": [
+ "test"
+ ]
+ },
+ "expected": {
+ "audit_log": "\"body\":\"\\\\\\\\xc2\\\\\\\\xad=\\\\\\\\xc2\\\\\\\\xad\\\\\\\\x0a",
+ "debug_log": "",
+ "error_log": "",
+ "http_code": 403
+ },
+ "rules": [
+ "SecRuleEngine On",
+ "SecRule ARGS_NAMES \"@rx attack\" \"id:1,phase:2,deny,t:none",
+ "SecAuditEngine RelevantOnly",
+ "SecAuditLogParts ABCHJZ",
+ "SecAuditLogFormat JSON",
+ "SecAuditLogStorageDir /tmp/test",
+ "SecAuditLog /tmp/audit_test_prefix.log",
+ "SecAuditLogDirMode 0766",
+ "SecAuditLogFileMode 0600",
+ "SecAuditLogType Serial",
+ "SecAuditLogRelevantStatus \"^(?:5|4(?!04))\""
+ ]
+ },
+ {
+ "enabled": 1,
+ "version_min": 300000,
+ "version_max": 0,
+ "title": "auditlog : Binary char from input, check header",
+ "client": {
+ "ip": "200.249.12.31",
+ "port": 2313
+ },
+ "server": {
+ "ip": "200.249.12.31",
+ "port": 80
+ },
+ "request": {
+ "headers": {
+ "Host": "www.modsecurity.org",
+ "User-Agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko\/20091102 Firefox\/3.5.5 (.NET CLR 3.5.30729)",
+ "Accept": "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8",
+ "Accept-Language": "en-us,en;q=0.5",
+ "Accept-Encoding": "gzip,deflate",
+ "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
+ "Keep-Alive": "300",
+ "Connection": "keep-alive",
+ "Pragma": "no-cache",
+ "Cache-Control": "no-cache",
+ "Content-Type": "application/x-www-form-urlencoded",
+ "Content-Length": "3",
+ "X-\u00ad-custom": "Some \u00ad value"
+ },
+ "uri": "\/?attack=true",
+ "method": "POST",
+ "http_version": 1.1,
+ "body": [
+ "\u00ad=\u00ad"
+ ]
+ },
+ "response": {
+ "headers": {
+ "Content-Type": "plain\/text\n\r"
+ },
+ "body": [
+ "test"
+ ]
+ },
+ "expected": {
+ "audit_log": "\"X-\\\\\\\\xc2\\\\\\\\xad-custom\":\"Some \\\\\\\\xc2\\\\\\\\xad value\"",
+ "debug_log": "",
+ "error_log": "",
+ "http_code": 403
+ },
+ "rules": [
+ "SecRuleEngine On",
+ "SecRule ARGS|ARGS_NAMES \"@rx attack\" \"id:1,phase:2,deny,t:none",
+ "SecAuditEngine RelevantOnly",
+ "SecAuditLogParts ABHJZ",
+ "SecAuditLogFormat JSON",
+ "SecAuditLogStorageDir /tmp/test",
+ "SecAuditLog /tmp/audit_test_prefix.log",
+ "SecAuditLogDirMode 0766",
+ "SecAuditLogFileMode 0600",
+ "SecAuditLogType Serial",
+ "SecAuditLogRelevantStatus \"^(?:5|4(?!04))\""
+ ]
 }
 ]
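Review bot: In both added test cases the SecRule entry opens its action list with `\"` but never closes it: `\"id:1,phase:2,deny,t:none` runs straight into the end of the JSON string. The expected 403 therefore appears to depend on the rule parser accepting an unterminated quote. Writing the action list as `\"id:1,phase:2,deny,t:none\"` removes that dependency. Both requests also declare `"Content-Length": "3"` while the body `\u00ad=\u00ad` is five bytes in UTF-8, as the `xc2`/`xad` pairs in the expected body log show. If the test harness ever honours that header, the logged body would no longer match, so `"Content-Length": "5"` would be safer.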