Allow for more robust parsing for multipart header folding. Reported by Sogeti/ESEC R&D (MODSEC-118). Added additional multipart regression tests.

b1v1r
2010-02-05 18:11:36 +00:00
parent f33137ea66
commit e6699ca7bf
7 changed files with 1315 additions and 6 deletions

@@ -3173,7 +3173,8 @@ SecRule ARGS "@pm some key words" id:12345,deny,status:500</programlisting>
<literal>MULTIPART_HEADER_FOLDING</literal>,
<literal>MULTIPART_LF_LINE</literal>,
<literal>MULTIPART_SEMICOLON_MISSING</literal>
<literal>MULTIPART_INVALID_QUOTING</literal>. Each of these variables
<literal>MULTIPART_INVALID_QUOTING</literal>
<literal>MULTIPART_INVALID_HEADER_FOLDING</literal>. Each of these variables
covers one unusual (although sometimes legal) aspect of the request body
in <literal>multipart/form-data format</literal>. Your policies should
<emphasis>always</emphasis> contain a rule to check either this variable
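Review bot: the variable list in this hunk now reads `MULTIPART_SEMICOLON_MISSING` `MULTIPART_INVALID_QUOTING` `MULTIPART_INVALID_HEADER_FOLDING` with no separators, because the new line `<literal>MULTIPART_INVALID_QUOTING</literal>` drops the punctuation the replaced line carried and nothing joins the last two items. Suggest a trailing comma on that line and an `and` before the final item, e.g. `<literal>MULTIPART_INVALID_QUOTING</literal>, and` followed by `<literal>MULTIPART_INVALID_HEADER_FOLDING</literal>. Each of these variables`. The hunk also adds the new variable without saying how it differs from `MULTIPART_HEADER_FOLDING`, listed a few lines above; a short clause here (or a pointer to where the variable is defined) would save readers guessing which of the two fires for the folding case this commit handles.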
@@ -3196,7 +3197,8 @@ DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}, \
IQ %{MULTIPART_INVALID_QUOTING}'"</programlisting>
IQ %{MULTIPART_INVALID_QUOTING}, \
IQ %{MULTIPART_INVALID_HEADER_FOLDING}'"</programlisting>
<para>The <literal>multipart/form-data</literal> parser was upgraded in
ModSecurity v2.1.3 to actively look for signs of evasion. Many variables
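Review bot: the added line `IQ %{MULTIPART_INVALID_HEADER_FOLDING}'"` reuses the `IQ` label that the line above already uses for `%{MULTIPART_INVALID_QUOTING}`, so the logged message will carry two `IQ` fields and a reader cannot tell which is the quoting flag and which is the header-folding flag. Suggest a distinct two-letter prefix consistent with the others, e.g. `IH %{MULTIPART_INVALID_HEADER_FOLDING}'"`. This is the example rule the surrounding text tells users to copy into their policies, so the duplicated label would propagate straight into their audit logs.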