diff --git a/apache2/modsecurity.c b/apache2/modsecurity.c
index bd927be9..3e718cd1 100644
--- a/apache2/modsecurity.c
+++ b/apache2/modsecurity.c
@@ -304,6 +304,9 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) {
msr->tcache = apr_hash_make(msr->mp);
if (msr->tcache == NULL) return -1;
+ msr->matched_var = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ if (msr->matched_var == NULL) return -1;
+
msr->highest_severity = 255; /* high, invalid value */
return 1;
diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
index a7470676..17662b12 100644
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@@ -324,7 +324,7 @@ struct modsec_rec {
apr_time_t time_checkpoint_2;
apr_time_t time_checkpoint_3;
- const char *matched_var;
+ msc_string *matched_var;
int highest_severity;
/* upload */
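Review bot: The retyped `matched_var` field now carries an invariant that is not documented in `struct modsec_rec`: the pointer is expected to be non-NULL for the whole transaction, and "nothing matched yet" is represented by `name_len == 0` instead of a NULL pointer. The callers changed in re_actions.c and re_variables.c rely on this, so I would add a comment above the field, for example `/* Last matched variable (name and raw value); allocated in modsecurity_tx_init(), name_len == 0 until a rule matches. */`. Any code outside this diff that still treats `msr->matched_var` as a `const char *` would need the same update. The struct continues outside the hunk.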
diff --git a/apache2/re.c b/apache2/re.c
index e043a002..6b60e406 100644
--- a/apache2/re.c
+++ b/apache2/re.c
@@ -1342,7 +1342,11 @@ static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr,
log_escape(msr->mp, full_varname));
}
- msr->matched_var = apr_pstrdup(msr->mp, var->name);
+ /* Save the last matched var data */
+ msr->matched_var->name = apr_pstrdup(msr->mp, var->name);
+ msr->matched_var->name_len = strlen(msr->matched_var->name);
+ msr->matched_var->value = apr_pmemdup(msr->mp, var->value, var->value_len);
+ msr->matched_var->value_len = var->value_len;
/* Keep track of the highest severity matched so far */
if ((acting_actionset->severity > 0) && (acting_actionset->severity < msr->highest_severity))
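Review bot: The copy stored in `msr->matched_var->value` has no terminating NUL, because `apr_pmemdup` copies exactly `var->value_len` bytes of request-derived data. Any later consumer that treats the field as a C string (a `%s` log call, `strlen`) would read past the allocation. `apr_pstrmemdup` keeps the explicit length and appends the terminator: `msr->matched_var->value = apr_pstrmemdup(msr->mp, var->value, var->value_len);`. Each match also allocates a fresh name and value from `msr->mp`, so a rule matching many large values keeps every copy until the transaction pool is destroyed; a comment saying this is accepted would help. `execute_operator` begins and ends outside this hunk.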
diff --git a/apache2/re_actions.c b/apache2/re_actions.c
index fb9220ba..8bd034c9 100644
--- a/apache2/re_actions.c
+++ b/apache2/re_actions.c
@@ -769,39 +769,40 @@ static apr_status_t msre_action_sanitiseMatched_execute(modsec_rec *msr, apr_poo
const apr_array_header_t *tarr;
const apr_table_entry_t *telts;
int i, type = 0;
+ msc_string *mvar = msr->matched_var;
- if (msr->matched_var == NULL) return 0;
+ if (mvar->name_len == 0) return 0;
/* IMP1 We need to extract the variable name properly here,
* taking into account it may have been escaped.
*/
- if (strncmp(msr->matched_var, "ARGS:", 5) == 0) {
- sargname = apr_pstrdup(msr->mp, msr->matched_var + 5);
+ if ((mvar->name_len > 5) && (strncmp(mvar->name, "ARGS:", 5) == 0)) {
+ sargname = apr_pstrdup(msr->mp, mvar->name + 5);
type = SANITISE_ARG;
} else
- if (strncmp(msr->matched_var, "ARGS_NAMES:", 11) == 0) {
- sargname = apr_pstrdup(msr->mp, msr->matched_var + 11);
+ if ((mvar->name_len > 11) && (strncmp(mvar->name, "ARGS_NAMES:", 11) == 0)) {
+ sargname = apr_pstrdup(msr->mp, mvar->name + 11);
type = SANITISE_ARG;
} else
- if (strncmp(msr->matched_var, "REQUEST_HEADERS:", 16) == 0) {
- sargname = apr_pstrdup(msr->mp, msr->matched_var + 16);
+ if ((mvar->name_len > 16) && (strncmp(mvar->name, "REQUEST_HEADERS:", 16) == 0)) {
+ sargname = apr_pstrdup(msr->mp, mvar->name + 16);
type = SANITISE_REQUEST_HEADER;
} else
- if (strncmp(msr->matched_var, "REQUEST_HEADERS_NAMES:", 22) == 0) {
- sargname = apr_pstrdup(msr->mp, msr->matched_var + 22);
+ if ((mvar->name_len > 22) && (strncmp(mvar->name, "REQUEST_HEADERS_NAMES:", 22) == 0)) {
+ sargname = apr_pstrdup(msr->mp, mvar->name + 22);
type = SANITISE_REQUEST_HEADER;
} else
- if (strncmp(msr->matched_var, "RESPONSE_HEADERS:", 17) == 0) {
- sargname = apr_pstrdup(msr->mp, msr->matched_var + 17);
+ if ((mvar->name_len > 17) && (strncmp(mvar->name, "RESPONSE_HEADERS:", 17) == 0)) {
+ sargname = apr_pstrdup(msr->mp, mvar->name + 17);
type = SANITISE_RESPONSE_HEADER;
} else
- if (strncmp(msr->matched_var, "RESPONSE_HEADERS_NAMES:", 23) == 0) {
- sargname = apr_pstrdup(msr->mp, msr->matched_var + 23);
+ if ((mvar->name_len > 23) && (strncmp(mvar->name, "RESPONSE_HEADERS_NAMES:", 23) == 0)) {
+ sargname = apr_pstrdup(msr->mp, mvar->name + 23);
type = SANITISE_RESPONSE_HEADER;
}
else {
msr_log(msr, 3, "sanitiseMatched: Don't know how to handle variable: %s",
- msr->matched_var);
+ mvar->name);
return 0;
}
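Review bot: The old `msr->matched_var == NULL` guard is gone and `mvar->name_len` is read unconditionally, so this action now depends on `modsecurity_tx_init()` having allocated `matched_var` for every `modsec_rec` that reaches it. Keeping the pointer check is cheap: `if ((mvar == NULL) || (mvar->name_len == 0)) return 0;`. In the fallback branch `mvar->name` is written to the log unescaped, and a variable name can contain request-derived text. The log call visible in the re.c hunk passes the name through `log_escape(msr->mp, ...)`, which would fit here as well. The function starts before and continues after this hunk.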
diff --git a/apache2/re_variables.c b/apache2/re_variables.c
index 2b41c57b..d75afafa 100644
--- a/apache2/re_variables.c
+++ b/apache2/re_variables.c
@@ -843,8 +843,23 @@ static int var_ip_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
static int var_matched_var_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
- return var_simple_generate(var, vartab, mptmp,
- apr_pstrdup(mptmp, msr->matched_var));
+ return var_simple_generate_ex(var, vartab, mptmp,
+ apr_pmemdup(mptmp,
+ msr->matched_var->value,
+ msr->matched_var->value_len),
+ msr->matched_var->value_len);
+}
+
+/* MATCHED_VAR_NAME */
+
+static int var_matched_var_name_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
+ apr_table_t *vartab, apr_pool_t *mptmp)
+{
+ return var_simple_generate_ex(var, vartab, mptmp,
+ apr_pmemdup(mptmp,
+ msr->matched_var->name,
+ msr->matched_var->name_len),
+ msr->matched_var->name_len);
}
/* SESSION */
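Review bot: Both generators dereference `msr->matched_var` without a check and pass its stored pointer to `apr_pmemdup`, so a rule that reads MATCHED_VAR or MATCHED_VAR_NAME before anything has matched supplies a NULL source with length 0. Whether `var_simple_generate_ex` tolerates a NULL value is not visible in this hunk. A guard at the top of each function would make the empty state explicit, e.g. `if ((msr->matched_var == NULL) || (msr->matched_var->value == NULL)) return 0;` (with `name` in the second function), assuming 0 means "no variable generated" here. MATCHED_VAR now yields the matched value rather than the name, so existing rules that expand `%{MATCHED_VAR}` expecting a name change meaning silently. A comment above `var_matched_var_generate` should say so and point to MATCHED_VAR_NAME.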
@@ -2312,6 +2327,17 @@ void msre_engine_register_default_variables(msre_engine *engine) {
PHASE_REQUEST_HEADERS
);
+ /* MATCHED_VAR_NAME */
+ msre_engine_variable_register(engine,
+ "MATCHED_VAR_NAME",
+ VAR_SIMPLE,
+ 0, 0,
+ NULL,
+ var_matched_var_name_generate,
+ VAR_DONT_CACHE,
+ PHASE_REQUEST_HEADERS
+ );
+
/* MODSEC_BUILD */
msre_engine_variable_register(engine,
"MODSEC_BUILD",
diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml
index 4302ee2a..40c19d5d 100644
--- a/doc/modsecurity2-apache-reference.xml
+++ b/doc/modsecurity2-apache-reference.xml
@@ -2025,9 +2025,7 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1The following variables are supported in ModSecurity 2.x:
-
- ARGS
-
+ ARGS
ARGS is a collection and can be used on its own
(means all arguments including the POST Payload), with a static
@@ -2072,9 +2070,7 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1
-
- ARGS_COMBINED_SIZE
-
+ ARGS_COMBINED_SIZE
This variable allows you to set more targeted evaluations on the
total size of the Arguments as compared with normal Apache LimitRequest
@@ -2088,9 +2084,7 @@ SecRule ARGS_COMBINED_SIZE "@gt 25"
-
- ARGS_NAMES
-
+ ARGS_NAMES
Is a collection of the argument names. You can search for specific
argument names that you want to block. In a positive policy scenario,
@@ -2104,18 +2098,14 @@ SecRule ARGS_NAMES "!^(p|a)$"
-
- ARGS_GET
-
+ ARGS_GET
ARGS_GET is similar to ARGS,
but only contains arguments from the query string.
-
- ARGS_GET_NAMES
-
+ ARGS_GET_NAMES
ARGS_GET_NAMES is similar to
ARGS_NAMES, but only contains argument names from the
@@ -2123,9 +2113,7 @@ SecRule ARGS_NAMES "!^(p|a)$"
-
- ARGS_POST
-
+ ARGS_POST
ARGS_POST is similar to
ARGS, but only contains arguments from the POST
@@ -2133,9 +2121,7 @@ SecRule ARGS_NAMES "!^(p|a)$"
-
- ARGS_POST_NAMES
-
+ ARGS_POST_NAMES
ARGS_POST_NAMES is similar to
ARGS_NAMES, but only contains argument names from the
@@ -2143,18 +2129,14 @@ SecRule ARGS_NAMES "!^(p|a)$"
-
- AUTH_TYPE
-
+ AUTH_TYPE
This variable holds the authentication method used to validate a
user. Example:
SecRule AUTH_TYPE "basic" log,deny,status:403,phase:1,t:lowercase
-
- Note
-
+ Note
This data will not be available in a proxy-mode deployment as the
authentication is not local. In a proxy-mode deployment, you would need
@@ -2163,9 +2145,7 @@ SecRule ARGS_NAMES "!^(p|a)$"
-
- ENV
-
+ ENV
Collection, requires a single parameter (after a colon character).
The ENV variable is set with setenv and does not give access to the CGI
@@ -2177,9 +2157,7 @@ SecRule ENV:tag "suspicious"
-
- FILES
-
+ FILES
Collection. Contains a collection of original file names (as they
were called on the remote user's file system). Note: only available if
@@ -2189,9 +2167,7 @@ SecRule ENV:tag "suspicious"
-
- FILES_COMBINED_SIZE
-
+ FILES_COMBINED_SIZE
Single value. Total size of the uploaded files. Note: only
available if files were extracted from the request body. Example:
@@ -2200,9 +2176,7 @@ SecRule ENV:tag "suspicious"
-
- FILES_NAMES
-
+ FILES_NAMES
Collection w/o parameter. Contains a list of form fields that were
used for file upload. Note: only available if files were extracted from
@@ -2212,9 +2186,7 @@ SecRule ENV:tag "suspicious"
-
- FILES_SIZES
-
+ FILES_SIZES
Collection. Contains a list of file sizes. Useful for implementing
a size limitation on individual uploaded files. Note: only available if
@@ -2224,9 +2196,7 @@ SecRule ENV:tag "suspicious"
-
- FILES_TMPNAMES
-
+ FILES_TMPNAMES
Collection. Contains a collection of temporary files' names on the
disk. Useful when used together with ENV:tag "suspicious"
-
- GEO
-
+ GEO
GEO is a collection populated by the @geoLookups operator. It can be used to match
@@ -2313,9 +2281,7 @@ SecRule GEO:COUNTRY_CODE "!@streq UK"
-
- HIGHEST_SEVERITY
-
+ HIGHEST_SEVERITY
This variable holds the highest severity of any rules that have
matched so far. Severities are numeric values and thus can be used with
@@ -2332,22 +2298,31 @@ SecRule GEO:COUNTRY_CODE "!@streq UK"
-
- MATCHED_VAR
-
+ MATCHED_VAR
+
+ This variable holds the value of the variable that was matched
+ against. It is similar to the TX:0, except it can be used for all
+ operators and does not require that the capture action be specified.
+
+ SecRule ARGS pattern chain,deny
+...
+SecRule MATCHED_VAR "further scrutiny"
+
+
+
+ MATCHED_VAR_NAME
This variable holds the full name of the variable that was matched
against.
- SecRule ARGS pattern setvar:tx.mymatch=%{MATCHED_VAR}
+ SecRule ARGS pattern setvar:tx.mymatch=%{MATCHED_VAR_NAME}
...
SecRule TX:MYMATCH "@eq ARGS:param" deny
-
- MODSEC_BUILD
-
+ MODSEC_BUILD
This variable holds the ModSecurity build number. This variable is
intended to be used to check the build number prior to using a feature
@@ -2358,9 +2333,7 @@ SecRule ARGS "@pm some key words" deny,status:500
-
- MULTIPART_STRICT_ERROR
-
+ MULTIPART_STRICT_ERROR
MULTIPART_STRICT_ERROR will be set to
1 when any of the following variables is also set to
@@ -2407,9 +2380,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
-
- MULTIPART_UNMATCHED_BOUNDARY
-
+ MULTIPART_UNMATCHED_BOUNDARY
Set to 1 when, during the parsing phase of a
multipart/request-body, ModSecurity encounters what
@@ -2427,9 +2398,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
-
- PATH_INFO
-
+ PATH_INFO
Besides passing query information to a script/handler, you can
also pass additional data, known as extra path information, as part of
@@ -2439,9 +2408,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
-
- QUERY_STRING
-
+ QUERY_STRING
This variable holds form data passed to the script/handler by
appending data after a question mark. Warning: Not URL-decoded.
@@ -2451,9 +2418,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
-
- REMOTE_ADDR
-
+ REMOTE_ADDR
This variable holds the IP address of the remote client.
Example:
@@ -2462,9 +2427,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
-
- REMOTE_HOST
-
+ REMOTE_HOST
If HostnameLookUps are set to On, then this variable will hold the
DNS resolved remote host name. If it is set to Off, then it will hold
@@ -2476,9 +2439,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
-
- REMOTE_PORT
-
+ REMOTE_PORT
This variable holds information on the source port that the client
used when initiating the connection to our web server. Example: in this
@@ -2490,9 +2451,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
-
- REMOTE_USER
-
+ REMOTE_USER
This variable holds the username of the authenticated user. If
there are no password (basic|digest) access controls in place, then this
@@ -2500,18 +2459,14 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
SecRule REMOTE_USER "admin"
-
- Note
-
+ Note
This data will not be available in a proxy-mode deployment as the
authentication is not local.
-
- REQBODY_PROCESSOR
-
+ REQBODY_PROCESSOR
Built-in processors are URLENCODED,
@@ -2523,9 +2478,8 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- REQBODY_PROCESSOR_ERROR
-
+ REQBODY_PROCESSOR_ERROR
Possible values are 0 (no error) or 1 (error). This variable will
be set by request body processors (typically the
@@ -2550,9 +2504,8 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- REQBODY_PROCESSOR_ERROR_MSG
-
+ REQBODY_PROCESSOR_ERROR_MSG
Empty, or contains the error message from the processor.
Example:
@@ -2561,9 +2514,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- REQUEST_BASENAME
-
+ REQUEST_BASENAME
This variable holds just the filename part of
REQUEST_FILENAME (e.g. index.php). Warning: not
@@ -2573,9 +2524,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- REQUEST_BODY
-
+ REQUEST_BODY
This variable holds the data in the request body (including
POST_PAYLOAD data). REQUEST_BODY should be used if the original order of
@@ -2584,18 +2533,14 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
SecRule REQUEST_BODY "^username=\w{25,}\&password=\w{25,}\&Submit\=login$"
-
- Note
-
+ Note
This variable is only available if the content type is
application/x-www-form-urlencoded.
-
- REQUEST_COOKIES
-
+ REQUEST_COOKIES
This variable is a collection of all of the cookie data. Example:
the following example is using the Ampersand special operator to count
@@ -2606,9 +2551,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- REQUEST_COOKIES_NAMES
-
+ REQUEST_COOKIES_NAMES
This variable is a collection of the cookie names in the request
headers. Example: the following rule will trigger if the JSESSIONID
@@ -2618,9 +2561,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- REQUEST_FILENAME
-
+ REQUEST_FILENAME
This variable holds the relative REQUEST_URI minus the
QUERY_STRING part (e.g. /index.php). Example:
@@ -2629,9 +2570,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- REQUEST_HEADERS
-
+ REQUEST_HEADERS
This variable can be used as either a collection of all of the
Request Headers or can be used to specify indivudual headers (by using
@@ -2649,9 +2588,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- REQUEST_HEADERS_NAMES
-
+ REQUEST_HEADERS_NAMES
This variable is a collection of the names of all of the Request
Headers. Example:
@@ -2661,9 +2598,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- REQUEST_LINE
-
+ REQUEST_LINE
This variable holds the complete request line sent to the server
(including the REQUEST_METHOD and HTTP version data). Example: this
@@ -2673,9 +2608,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
SecRule REQUEST_LINE "!(^((?:(?:pos|ge)t|head))|http/(0\.9|1\.0|1\.1)$)"
-
- Note
-
+ Note
Due to the default action transformation function lowercase, the
regex strings should be in lowercase as well unless the t:none
@@ -2683,9 +2616,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- REQUEST_METHOD
-
+ REQUEST_METHOD
This variable holds the Request Method used by the client.
Example: the following example will trigger if the Request Method is
@@ -2693,9 +2624,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
SecRule REQUEST_METHOD "^((?:connect|trace))$"
-
- Note
-
+ Note
Due to the default action transformation function lowercase, the
regex strings should be in lowercase as well unless the t:none
@@ -2703,18 +2632,14 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- REQUEST_PROTOCOL
-
+ REQUEST_PROTOCOL
This variable holds the Request Protocol Version information.
Example:
SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$"
-
- Note
-
+ Note
Due to the default action transformation function lowercase, the
regex strings should be in lowercase as well unless the t:none
@@ -2722,9 +2647,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- REQUEST_URI
-
+ REQUEST_URI
This variable holds the full URL including the QUERY_STRING data
(e.g. /index.php?p=X), however it will never contain a domain name, even
@@ -2736,9 +2659,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- REQUEST_URI_RAW
-
+ REQUEST_URI_RAW
Same as REQUEST_URI but will contain the domain name if it was
provided on the request line (e.g.
@@ -2749,9 +2670,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- RESPONSE_BODY
-
+ RESPONSE_BODY
This variable holds the data for the response payload.
Example:
@@ -2760,9 +2679,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- RESPONSE_CONTENT_LENGTH
-
+ RESPONSE_CONTENT_LENGTH
Response body length in bytes. Can be available starting with
phase 3 but it does not have to be (as the length of response body is
@@ -2778,18 +2695,14 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- RESPONSE_CONTENT_TYPE
-
+ RESPONSE_CONTENT_TYPE
Response content type. Only available starting with phase
3.
-
- RESPONSE_HEADERS
-
+ RESPONSE_HEADERS
This variable is similar to the REQUEST_HEADERS variable and can
be used in the same manner. Example:
@@ -2797,9 +2710,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
SecRule RESPONSE_HEADERS:X-Cache "MISS"
-
- Note
-
+ Note
This variable may not have access to some headers when running in
embedded-mode. Headers such as Server, Date, Connection and Content-Type
@@ -2809,27 +2720,21 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- RESPONSE_HEADERS_NAMES
-
+ RESPONSE_HEADERS_NAMES
This variable is a collection of the response header names.
Example:
SecRule RESPONSE_HEADERS_NAMES "Set-Cookie"
-
- Note
-
+ Note
Same limitations as RESPONSE_HEADERS with regards to access to
some headers in embedded-mode.
-
- RESPONSE_PROTOCOL
-
+ RESPONSE_PROTOCOL
This variable holds the HTTP Response Protocol information.
Example:
@@ -2838,18 +2743,14 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- RESPONSE_STATUS
-
+ RESPONSE_STATUS
This variable holds the HTTP Response Status Code generated by
Apache. Example:
SecRule RESPONSE_STATUS "^[45]"
-
- Note
-
+ Note
This directive may not work as expected in embedded-mode as Apache
handles many of the stock response codes (404, 401, etc...) earlier in
@@ -2858,9 +2759,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- RULE
-
+ RULE
This variable provides access to the id, rev,
@@ -2875,77 +2774,59 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- SCRIPT_BASENAME
-
+ SCRIPT_BASENAME
This variable holds just the local filename part of
SCRIPT_FILENAME. Example:
SecRule SCRIPT_BASENAME "^login\.php$"
-
- Note
-
+ Note
This variable is not available in proxy mode.
-
- SCRIPT_FILENAME
-
+ SCRIPT_FILENAME
This variable holds the full path on the server to the requested
script. (e.g. SCRIPT_NAME plus the server path). Example:
SecRule SCRIPT_FILENAME "^/usr/local/apache/cgi-bin/login\.php$"
-
- Note
-
+ Note
This variable is not available in proxy mode.
-
- SCRIPT_GID
-
+ SCRIPT_GID
This variable holds the groupid (numerical value) of the group
owner of the script. Example:
SecRule SCRIPT_GID "!^46$"
-
- Note
-
+ Note
This variable is not available in proxy mode.
-
- SCRIPT_GROUPNAME
-
+ SCRIPT_GROUPNAME
This variable holds the group name of the group owner of the
script. Example:
SecRule SCRIPT_GROUPNAME "!^apache$"
-
- Note
-
+ Note
This variable is not available in proxy mode.
-
- SCRIPT_MODE
-
+ SCRIPT_MODE
This variable holds the script's permissions mode data (numerical
- 1=execute, 2=write, 4=read and 7=read/write/execute). Example: will
@@ -2953,17 +2834,13 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
SecRule SCRIPT_MODE "^(2|3|6|7)$"
-
- Note
-
+ Note
This variable is not available in proxy mode.
-
- SCRIPT_UID
-
+ SCRIPT_UID
This variable holds the userid (numerical value) of the owner of
the script. Example: the example rule below will trigger if the UID is
@@ -2971,34 +2848,26 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
SecRule SCRIPT_UID "!^46$"
-
- Note
-
+ Note
This variable is not available in proxy mode.
-
- SCRIPT_USERNAME
-
+ SCRIPT_USERNAME
This variable holds the username of the owner of the script.
Example:
SecRule SCRIPT_USERNAME "!^apache$"
-
- Note
-
+ Note
This variable is not available in proxy mode.
-
- SERVER_ADDR
-
+ SERVER_ADDR
This variable contains the IP address of the server.
Example:
@@ -3007,27 +2876,21 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- SERVER_NAME
-
+ SERVER_NAME
This variable contains the server's hostname or IP address.
Example:
SecRule SERVER_NAME "hostname\.com$"
-
- Note
-
+ Note
This data is taken from the Host header submitted in the client
request.
-
- SERVER_PORT
-
+ SERVER_PORT
This variable contains the local port that the web server is
listening on. Example:
@@ -3036,9 +2899,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
-
- SESSION
-
+ SESSION
This variable is a collection, available only after setsid is executed. Example: the following
@@ -3056,9 +2917,7 @@ SecRule SESSION:BLOCKED "@eq 1" "log,deny,statu
-
- SESSIONID
-
+ SESSIONID
This variable is the value set with setsid. Example:
@@ -3069,9 +2928,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
-
- TIME
-
+ TIME
This variable holds a formatted string representing the time
(hour:minute:second). Example:
@@ -3080,9 +2937,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
-
- TIME_DAY
-
+ TIME_DAY
This variable holds the current date (1-31). Example: this rule
would trigger anytime between the 10th and 20th days of the
@@ -3092,9 +2947,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
-
- TIME_EPOCH
-
+ TIME_EPOCH
This variable holds the time in seconds since 1970.
Example:
@@ -3103,9 +2956,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
-
- TIME_HOUR
-
+ TIME_HOUR
This variable holds the current hour (0-23). Example: this rule
would trigger during "off hours".
@@ -3114,9 +2965,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
-
- TIME_MIN
-
+ TIME_MIN
This variable holds the current minute (0-59). Example: this rule
would trigger during the last half hour of every hour.
@@ -3125,9 +2974,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
-
- TIME_MON
-
+ TIME_MON
This variable holds the current month (0-11). Example: this rule
would match if the month was either November (10) or December
@@ -3137,9 +2984,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
-
- TIME_SEC
-
+ TIME_SEC
This variable holds the current second count (0-59).
Example:
@@ -3148,9 +2993,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
-
- TIME_WDAY
-
+ TIME_WDAY
This variable holds the current weekday (0-6). Example: this rule
would trigger only on week-ends (Saturday and Sunday).
@@ -3159,9 +3002,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
-
- TIME_YEAR
-
+ TIME_YEAR
This variable holds the current four-digit year data.
Example:
@@ -3170,9 +3011,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
-
- TX
-
+ TX
Transaction Collection. This is used to store pieces of data,
create a transaction anomaly score, and so on. Transaction variables are
@@ -3208,9 +3047,7 @@ SecRule TX:SCORE "@gt 20" deny,log
-
- USERID
-
+ USERID
This variable is the value set with setuid. Example:
@@ -3220,9 +3057,7 @@ SecRule USERID "Admin"
-
- WEBAPPID
-
+ WEBAPPID
This variable is the value set with SecWebAppId. Example:
@@ -3233,9 +3068,7 @@ SecRule REQUEST_HEADERS:Transfer-Encoding "!^$"
-
- WEBSERVER_ERROR_LOG
-
+ WEBSERVER_ERROR_LOG
Contains zero or more error messages produced by the web server.
Access to this variable is in phase:5 (logging). Example:
@@ -3244,9 +3077,7 @@ SecRule REQUEST_HEADERS:Transfer-Encoding "!^$"
-
- XML
-
+ XML
Can be used standalone (as a target for validateDTD and
validateSchema) or with an XPath expression parameter (which makes it a
@@ -3317,17 +3148,14 @@ SecRule XML:/xq:employees/employee/name/text()
-
- XPath Standard
-
+ XPath
+ Standard
-
- XPath
- Tutorial
-
+ XPath
+ Tutorial
@@ -5264,4 +5092,4 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}
-
+
\ No newline at end of file