github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 13:56:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Added ability to use ctl:requestBodyAccess=off in phase:1 to avoid limit check.

Browse Source 
Added regression tests for this as well.
This commit is contained in:
brectanus 2008-09-10 19:45:13 +00:00
parent c5e258f0ba
commit 67c48bfdfb
2 changed files with 224 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
apache2/mod_security2.c
View File

@ -577,7 +577,10 @@ static int hook_request_early(request_rec *r) {
rc = perform_interception(msr);
}
if ((msr->txcfg->is_enabled != MODSEC_DISABLED) && (rc == DECLINED)) {
if ( (msr->txcfg->is_enabled != MODSEC_DISABLED)
&& (msr->txcfg->reqbody_access == 1)
&& (rc == DECLINED))
{
/* Check request body limit (non-chunked requests only). */
if (msr->request_content_length > msr->txcfg->reqbody_limit) {
msr_log(msr, 1, "Request body (Content-Length) is larger than the "

220
apache2/t/regression/config/10-request-directives.t
View File

@ -179,6 +179,226 @@
"a=1&b=2",
),
},
{
type => "config",
comment => "SecRequestBodyLimit (equal - chunked)",
conf => qq(
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 276
),
match_log => {
-error => [ qr/Request body is larger than the configured limit/, 1 ],
},
match_response => {
status => qr/^200$/,
},
request => normalize_raw_request_data(
qq(
POST /test.txt HTTP/1.1
Host: $ENV{SERVER_NAME}:$ENV{SERVER_PORT}
User-Agent: $ENV{USER_AGENT}
Content-Type: multipart/form-data; boundary=---------------------------69343412719991675451336310646
Transfer-Encoding: chunked
),
)
.encode_chunked(
normalize_raw_request_data(
q(
-----------------------------69343412719991675451336310646
Content-Disposition: form-data; name="a"
1
-----------------------------69343412719991675451336310646
Content-Disposition: form-data; name="b"
2
-----------------------------69343412719991675451336310646--
)
),
1024
),
},
{
type => "config",
comment => "SecRequestBodyLimit (greater - chunked)",
conf => qq(
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 256
),
match_log => {
error => [ qr/Request body .*is larger than the configured limit \(256\)\./, 1 ],
},
match_response => {
status => qr/^413$/,
},
request => normalize_raw_request_data(
qq(
POST /test.txt HTTP/1.1
Host: $ENV{SERVER_NAME}:$ENV{SERVER_PORT}
User-Agent: $ENV{USER_AGENT}
Content-Type: multipart/form-data; boundary=---------------------------69343412719991675451336310646
Transfer-Encoding: chunked
),
)
.encode_chunked(
normalize_raw_request_data(
q(
-----------------------------69343412719991675451336310646
Content-Disposition: form-data; name="a"
1
-----------------------------69343412719991675451336310646
Content-Disposition: form-data; name="b"
2
-----------------------------69343412719991675451336310646--
)
),
1024
),
},
{
type => "config",
comment => "SecRequestBodyLimit (ctl:ruleEngine=off)",
conf => qq(
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 5
SecAction "phase:1,pass,nolog,ctl:ruleEngine=off"
SecRule REQUEST_BODY "." "phase:2,deny"
),
match_log => {
-error => [ qr/Request body .*is larger than the configured limit/, 1 ],
},
match_response => {
status => qr/^200$/,
},
request => new HTTP::Request(
POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
[
"Content-Type" => "application/x-www-form-urlencoded",
],
"a=1&b=2",
),
},
{
type => "config",
comment => "SecRequestBodyLimit (ctl:requestBodyAccess=off)",
conf => qq(
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 5
SecAction "phase:1,pass,nolog,ctl:requestBodyAccess=off"
SecRule REQUEST_BODY "." "phase:2,deny"
),
match_log => {
-error => [ qr/Request body .*is larger than the configured limit/, 1 ],
},
match_response => {
status => qr/^200$/,
},
request => new HTTP::Request(
POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
[
"Content-Type" => "application/x-www-form-urlencoded",
],
"a=1&b=2",
),
},
{
type => "config",
comment => "SecRequestBodyLimit (ctl:ruleEngine=off - chunked)",
conf => qq(
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 256
SecAction "phase:1,pass,nolog,ctl:ruleEngine=off"
SecRule REQUEST_BODY "." "phase:2,deny"
),
match_log => {
-error => [ qr/Request body .*is larger than the configured limit/, 1 ],
},
match_response => {
status => qr/^200$/,
},
request => normalize_raw_request_data(
qq(
POST /test.txt HTTP/1.1
Host: $ENV{SERVER_NAME}:$ENV{SERVER_PORT}
User-Agent: $ENV{USER_AGENT}
Content-Type: multipart/form-data; boundary=---------------------------69343412719991675451336310646
Transfer-Encoding: chunked
),
)
.encode_chunked(
normalize_raw_request_data(
q(
-----------------------------69343412719991675451336310646
Content-Disposition: form-data; name="a"
1
-----------------------------69343412719991675451336310646
Content-Disposition: form-data; name="b"
2
-----------------------------69343412719991675451336310646--
)
),
1024
),
},
{
type => "config",
comment => "SecRequestBodyLimit (ctl:requestBodyAccess=off - chunked)",
conf => qq(
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 256
SecAction "phase:1,pass,nolog,ctl:requestBodyAccess=off"
SecRule REQUEST_BODY "." "phase:2,deny"
),
match_log => {
-error => [ qr/Request body .*is larger than the configured limit \(256\)\./, 1 ],
},
match_response => {
status => qr/^200$/,
},
request => normalize_raw_request_data(
qq(
POST /test.txt HTTP/1.1
Host: $ENV{SERVER_NAME}:$ENV{SERVER_PORT}
User-Agent: $ENV{USER_AGENT}
Content-Type: multipart/form-data; boundary=---------------------------69343412719991675451336310646
Transfer-Encoding: chunked
),
)
.encode_chunked(
normalize_raw_request_data(
q(
-----------------------------69343412719991675451336310646
Content-Disposition: form-data; name="a"
1
-----------------------------69343412719991675451336310646
Content-Disposition: form-data; name="b"
2
-----------------------------69343412719991675451336310646--
)
),
1024
),
},
# SecRequestBodyInMemoryLimit
{