Remove references to long-obsolete SecPdf directives

martinhsv
2022-05-11 09:36:09 -04:00
parent 824f22bf1a
commit 3093b7f378

@@ -1,5 +1,5 @@
= ModSecurity® Reference Manual = = ModSecurity® Reference Manual =
== Current as of v2.5.13 v2.6 v2.7 v2.8 v2.9 v3.0 == == Current as of v2.6 v2.7 v2.8 v2.9 v3.0 ==
=== Copyright © 2004-2018 [https://www.trustwave.com/ Trustwave Holdings, Inc.] === === Copyright © 2004-2018 [https://www.trustwave.com/ Trustwave Holdings, Inc.] ===
= Table of Contents = = Table of Contents =
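Review bot: the copyright line in this hunk still reads "2004-2018" while the manual is being edited in 2022; if the year range is meant to track the last substantive revision, update it in the same change, otherwise confirm the stale range is intentional. Dropping "v2.5.13" from the "Current as of" line is the right companion to the removal in the next hunk, since the deleted directives are all marked "Version: 2.5.0; removed from trunk", but note that every other directive in the manual with a 2.5-era version note now describes a release this page no longer claims to cover.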
@@ -990,87 +990,6 @@ For more information, refer to the pcre_extra field in the pcreapi man page.
; Note : This directive is not allowed inside VirtualHosts. If enabled, it must be placed in a global server-wide configuration file such as your default modsecurity.conf. ; Note : This directive is not allowed inside VirtualHosts. If enabled, it must be placed in a global server-wide configuration file such as your default modsecurity.conf.
== SecPdfProtect ==
'''Description:''' Enables the PDF XSS protection functionality.
'''Syntax:''' <code>SecPdfProtect On|Off </code>
'''Example Usage:''' <code>SecPdfProtect On </code>
'''Scope:''' Any
'''Version:''' 2.5.0; removed from trunk
'''Supported on libModSecurity:''' No (Deprecated)
Once enabled access to PDF files is tracked. Direct access attempts are redirected to links that contain one-time tokens. Requests with valid tokens are allowed through, unmodified. Requests with invalid tokens are also allowed through, but with forced download of the PDF files. This implementation uses response headers to detect PDF files and thus can be used with dynamically generated PDF files that do not have the .pdf extension in the request URI.
== SecPdfProtectMethod ==
'''Description''': Configure desired protection method to be used when requests for PDF files are detected.
'''Syntax:''' <code>SecPdfProtectMethod method </code>
'''Example Usage''': <code>SecPdfProtectMethod TokenRedirection </code>
'''Scope''': Any
'''Version:''' 2.5.0; removed from trunk
'''Supported on libModSecurity:''' No (Deprecated)
'''Default:''' TokenRedirection
Possible values are TokenRedirection and ForcedDownload. The token redirection approach will attempt to redirect with tokens where possible. This allows PDF files to continue to be opened inline but works only for GET requests. Forced download always causes PDF files to be delivered as opaque binaries and attachments. The latter will always be used for non-GET requests. Forced download is considered to be more secure but may cause usability problems for users (“This PDF wont open anymore!”).
== SecPdfProtectSecret ==
'''Description:''' Defines the secret that will be used to construct one-time tokens.
'''Syntax:''' <code>SecPdfProtectSecret secret </code>
'''Example Usage:''' <code>SecPdfProtectSecret MyRandomSecretString</code>
'''Scope:''' Any
'''Version:''' 2.5.0; removed from trunk
'''Supported on libModSecurity:''' No (Deprecated)
You should use a reasonably long value for the secret (e.g., 16 characters is good). Once selected, the secret should not be changed, as it will break the tokens that were sent prior to change. But its not a big deal even if you change it. It will just force download of PDF files with tokens that were issued in the last few seconds.
== SecPdfProtectTimeout ==
'''Description''': Defines the token timeout.
'''Syntax:''' <code>SecPdfProtectTimeout timeout </code>
'''Example Usage''': <code>SecPdfProtectTimeout 10 </code>
'''Scope:''' Any
'''Version:''' 2.5.0; removed from trunk
'''Supported on libModSecurity:''' No (Deprecated)
'''Default:''' 10
After token expires, it can no longer be used to allow access to a PDF file. Request will be allowed through but the PDF will be delivered as an attachment.
== SecPdfProtectTokenName ==
'''Description''': Defines the name of the token.
'''Syntax''': <code>SecPdfProtectTokenName name </code>
'''Example Usage''': <code>SecPdfProtectTokenName PDFTOKEN </code>
'''Scope''': Any
'''Version''': 2.5.0; removed from trunk
'''Supported on libModSecurity:''' No (Deprecated)
'''Default:''' PDFTOKEN
The only reason you would want to change the name of the token is if you wanted to hide the fact that you are running ModSecurity. Its a good reason, but it wont really help, as the adversary can look into the algorithm used for PDF protection and figure it out anyway. It does raise the bar slightly, so go ahead if you want to.
== SecReadStateLimit == == SecReadStateLimit ==
'''Description:''' Establishes a per-IP address limit of how many connections are allowed to be in SERVER_BUSY_READ state. '''Description:''' Establishes a per-IP address limit of how many connections are allowed to be in SERVER_BUSY_READ state.
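Review bot: deleting the five SecPdfProtect* sections outright leaves no trace for operators whose legacy modsecurity.conf still carries lines such as `SecPdfProtect On` or `SecPdfProtectSecret MyRandomSecretString`; consider keeping a one-line note (for example under a "removed directives" heading, or in the SecReadStateLimit neighbourhood where these sections used to sit) stating that SecPdfProtect, SecPdfProtectMethod, SecPdfProtectSecret, SecPdfProtectTimeout and SecPdfProtectTokenName were removed from trunk and are not supported on libModSecurity, which is exactly what the removed text already said. Also check the Table of Contents shown as context at the top of the first hunk: this diff touches only the section bodies, so if the TOC enumerates these directive names the entries will now point at nothing.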