github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-13 13:26:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Replace Cookie parsing method

Browse Source
This commit is contained in:
Ervin Hegedus 2019-11-12 20:57:33 +00:00 committed by Felipe Zimmerle
parent 199a9db3e2
commit 7ba77631f9
3 changed files with 170 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
src/transaction.cc
View File

@ -548,20 +548,53 @@ int Transaction::addRequestHeader(const std::string& key,
if (keyl == "cookie") {
size_t localOffset = m_variableOffset;
size_t pos;
std::vector<std::string> cookies = utils::string::ssplit(value, ';');
for (const std::string &c : cookies) {
std::vector<std::string> s = utils::string::split(c,
'=');
if (s.size() > 1) {
if (s[0].at(0) == ' ') {
s[0].erase(0, 1);
}
m_variableRequestCookiesNames.set(s[0],
s[0], localOffset);
// skip empty substring, eg "Cookie: ;;foo=bar"
if (c.empty() == true) {
localOffset++; // add length of ';'
continue;
}
localOffset = localOffset + s[0].size() + 1;
m_variableRequestCookies.set(s[0], s[1], localOffset);
localOffset = localOffset + s[1].size() + 2;
// find the first '='
pos = c.find_first_of("=", 0);
std::string ckey = "";
std::string cval = "";
// if the cookie doesn't contains '=', its just a key
if (pos == std::string::npos) {
ckey = c;
}
// else split to two substrings by first =
else {
ckey = c.substr(0, pos);
// value will contains the next '=' chars if exists
// eg. foo=bar=baz -> key: foo, value: bar=baz
cval = c.substr(pos+1);
}
// ltrim the key - following the modsec v2 way
while (ckey.empty() == false && ckey.at(0) == ' ') {
ckey.erase(0, 1);
localOffset++;
}
// if the key is empty (eg: "Cookie: =bar;") skip it
if (ckey.empty() == true) {
localOffset = localOffset + c.length() + 1;
continue;
}
else {
// handle cookie only if the key is not empty
// set cookie name
m_variableRequestCookiesNames.set(ckey,
ckey, localOffset);
localOffset = localOffset + ckey.size() + 1;
// set cookie value
m_variableRequestCookies.set(ckey, cval,
localOffset);
localOffset = localOffset + cval.size() + 1;
}
}
}

86
test/test-cases/regression/variable-REQUEST_COOKIES.json
View File

@ -2,7 +2,7 @@
{
"enabled":1,
"version_min":300000,
"title":"Testing Variables :: REQUEST_COOKIES (1/3)",
"title":"Testing Variables :: REQUEST_COOKIES (1/5)",
"client":{
"ip":"200.249.12.31",
"port":123
@ -42,7 +42,7 @@
{
"enabled":1,
"version_min":300000,
"title":"Testing Variables :: REQUEST_COOKIES (2/3)",
"title":"Testing Variables :: REQUEST_COOKIES (2/5)",
"client":{
"ip":"200.249.12.31",
"port":123
@ -82,7 +82,7 @@
{
"enabled":1,
"version_min":300000,
"title":"Testing Variables :: REQUEST_COOKIES (3/3)",
"title":"Testing Variables :: REQUEST_COOKIES (3/5)",
"client":{
"ip":"200.249.12.31",
"port":123
@ -118,6 +118,86 @@
"SecRuleEngine On",
"SecRule REQUEST_COOKIES \"@contains test \" \"id:1,pass,t:trim\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"Testing Variables :: REQUEST_COOKIES (4/5)",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Cookie":"USER_TOKEN=Yes; a=z; t=b; foo= bar"
},
"uri":"/?key=value&key=other_value",
"method":"GET"
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"debug_log":"Target value: \"bar\""
},
"rules":[
"SecRuleEngine On",
"SecRule REQUEST_COOKIES \"@contains test \" \"id:1,pass,t:trim\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"Testing Variables :: REQUEST_COOKIES (5/5)",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Cookie":"USER_TOKEN=Yes; a=z; t=b; foo= bar; = ; = = ; baz=value1=insert here something"
},
"uri":"/?key=value&key=other_value",
"method":"GET"
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"debug_log":"Target value: \"value1=insert here something\""
},
"rules":[
"SecRuleEngine On",
"SecRule REQUEST_COOKIES \"@contains test \" \"id:1,pass,t:trim\""
]
}
]

46
test/test-cases/regression/variable-REQUEST_COOKIES_NAMES.json
View File

@ -2,7 +2,7 @@
{
"enabled":1,
"version_min":300000,
"title":"Testing Variables :: REQUEST_COOKIES_NAMES (1/3)",
"title":"Testing Variables :: REQUEST_COOKIES_NAMES (1/4)",
"client":{
"ip":"200.249.12.31",
"port":123
@ -42,7 +42,7 @@
{
"enabled":1,
"version_min":300000,
"title":"Testing Variables :: REQUEST_COOKIES_NAMES (2/3)",
"title":"Testing Variables :: REQUEST_COOKIES_NAMES (2/4)",
"client":{
"ip":"200.249.12.31",
"port":123
@ -82,7 +82,7 @@
{
"enabled":1,
"version_min":300000,
"title":"Testing Variables :: REQUEST_COOKIES_NAMES (3/3)",
"title":"Testing Variables :: REQUEST_COOKIES_NAMES (3/4)",
"client":{
"ip":"200.249.12.31",
"port":123
@ -118,6 +118,46 @@
"SecRuleEngine On",
"SecRule REQUEST_COOKIES_NAMES \"@contains test \" \"id:1,pass,t:trim\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"Testing Variables :: REQUEST_COOKIES_NAMES (4/4)",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Cookie":"USER_TOKEN=Yes; a=z; t=b; foobar"
},
"uri":"/?key=value&key=other_value",
"method":"GET"
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"debug_log":"Target value: \"foobar\""
},
"rules":[
"SecRuleEngine On",
"SecRule REQUEST_COOKIES_NAMES \"@contains foobar \" \"id:1,pass,t:trim\""
]
}
]