MODSEC-312

apache2/msc_multipart.c

@@ -20,6 +20,31 @@
 #include "msc_util.h"
 #include "msc_parsers.h"
 
+void validate_quotes(modsec_rec *msr, unsigned char *data)  {
+    int i, len;
+
+    if(msr == NULL)
+        return;
+
+    if(msr->mpd == NULL)
+        return;
+
+    if(data == NULL)
+        return;
+
+    len = strlen(data);
+
+    for(i = 0; i < len; i++)   {
+
+        if(data[i] == '\'' && (data[0] != '\"' || data[len-1] != '\"'))
+            msr->mpd->flag_invalid_quoting = 1;
+        else if (data[i] == '\"')   {
+            if(i != 0 && i != len-1)
+                msr->mpd->flag_invalid_quoting = 1;
+        }
+
+    }
+}
 
 #if 0
 static char *multipart_construct_filename(modsec_rec *msr) {
@@ -97,6 +122,9 @@ static int multipart_parse_content_disposition(modsec_rec *msr, char *c_d_value)
          * technically "'" is invalid and so flag_invalid_quoting is
          * set so the user can deal with it in the rules if they so wish.
          */
+
+        validate_quotes(msr, p);
+
         if ((*p == '"') || (*p == '\'')) {
             /* quoted */
             char quote = *p;

modsecurity.conf-recommended

@@ -68,7 +68,7 @@ DB %{MULTIPART_DATA_BEFORE}, \
 DA %{MULTIPART_DATA_AFTER}, \
 HF %{MULTIPART_HEADER_FOLDING}, \
 LF %{MULTIPART_LF_LINE}, \
-SM %{MULTIPART_SEMICOLON_MISSING}, \
+SM %{MULTIPART_MISSING_SEMICOLON}, \
 IQ %{MULTIPART_INVALID_QUOTING}, \
 IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
 IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
@@ -202,4 +202,3 @@ SecArgumentSeparator &
 # evasion attacks (against the rules that examine named cookies).
 #
 SecCookieFormat 0
-