github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-11-21 11:36:40 +03:00
Code Issues Packages Projects Releases Wiki Activity

Adding statement regarding potential issues with file upload with SecStreamInBodyInspection by @bostrt (#1366)

Victor Hora
2017-06-06 15:16:36 -04:00
parent a7ed9cb673
commit a9f9a59e39
1 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
Reference-Manual.mediawiki

@@ -1707,6 +1707,8 @@ This feature enables the creation of the STREAM_INPUT_BODY variable and is usefu
; Note : This directive is NOT supported for libModSecurity (v3). Naturally, STREAM_INPUT_BODY is also NOT supported on libModSecurity. ; Note : This directive is NOT supported for libModSecurity (v3). Naturally, STREAM_INPUT_BODY is also NOT supported on libModSecurity.
; Note : This directive may significantly impact file upload times. The impact depends on server resources and the nature of operations being performed on the request bodies being streamed in.
== SecStreamOutBodyInspection == == SecStreamOutBodyInspection ==
'''Description:''' Configures the ability to use stream inspection for outbound request data in a re-allocable buffer. For security reasons we are still buffering the stream. '''Description:''' Configures the ability to use stream inspection for outbound request data in a re-allocable buffer. For security reasons we are still buffering the stream.
@@ -2587,9 +2589,9 @@ This variable holds the full status line sent by the server (including the reque
SecRule STATUS_LINE "@contains 500" "phase:3,id:49,log,pass,logdata:'Application error detected!,t:none" SecRule STATUS_LINE "@contains 500" "phase:3,id:49,log,pass,logdata:'Application error detected!,t:none"
</pre> </pre>
'''Version:''' 2.6.0-2.9.x '''Version:''' 2.x
'''Supported on libModSecurity:''' No '''Supported on libModSecurity:''' TBI
== STREAM_INPUT_BODY == == STREAM_INPUT_BODY ==
'''Version:''' 2.6.0-2.9.x '''Version:''' 2.6.0-2.9.x
@@ -4468,4 +4470,4 @@ While we will continue to enhance ModSecurity to deal with various evasion techn
#The order in which parameters are taken from the request and the environment is EGPCS (environment, GET, POST, Cookies, built-in variables). This means that a POST parameter will overwrite the parameters transported on the request line (in QUERY_STRING). #The order in which parameters are taken from the request and the environment is EGPCS (environment, GET, POST, Cookies, built-in variables). This means that a POST parameter will overwrite the parameters transported on the request line (in QUERY_STRING).
#When "magic_quotes_gpc" is set to "On" PHP will use backslash to escape the following characters: single quote, double quote, backslash, and the nul byte. #When "magic_quotes_gpc" is set to "On" PHP will use backslash to escape the following characters: single quote, double quote, backslash, and the nul byte.
#If "magic_quotes_sybase" is set to "On" only the single quote will be escaped using another single quote. In this case the "magic_quotes_gpc" setting becomes irrelevant. The "magic_quotes_sybase" setting completely overrides the "magic_quotes_gpc" behaviour but "magic_quotes_gpc" still must be set to "On" for the Sybase-specific quoting to be work. #If "magic_quotes_sybase" is set to "On" only the single quote will be escaped using another single quote. In this case the "magic_quotes_gpc" setting becomes irrelevant. The "magic_quotes_sybase" setting completely overrides the "magic_quotes_gpc" behaviour but "magic_quotes_gpc" still must be set to "On" for the Sybase-specific quoting to be work.
#PHP will also automatically create nested arrays for you. For example "p[x][y]=1" results in a total of three variables. #PHP will also automatically create nested arrays for you. For example "p[x][y]=1" results in a total of three variables.