diff --git a/CHANGES b/CHANGES
index 82fd775764..9505c798b7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
 v3.x.y - YYYY-MMM-DD (to be released)
 -------------------------------------
+ - Adjust parser activation rules in modsecurity.conf-recommended
+ [Issue #2796 - @terjanq, @martinhsv]
 - Multipart parsing fixes and new MULTIPART_PART_HEADERS collection
 [Issue #2795 - @terjanq, @martinhsv]
 - Prevent LMDB related segfault
diff --git a/modsecurity.conf-recommended b/modsecurity.conf-recommended
index 42fdcfa7dd..395d82cedc 100644
--- a/modsecurity.conf-recommended
+++ b/modsecurity.conf-recommended
@@ -19,21 +19,21 @@ SecRequestBodyAccess On
 # Enable XML request body parser.
 # Initiate XML Processor in case of xml content-type
 #
-SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
+SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
 "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
 # Enable JSON request body parser.
 # Initiate JSON Processor in case of JSON content-type; change accordingly
 # if your application does not use 'application/json'
 #
-SecRule REQUEST_HEADERS:Content-Type "application/json" \
+SecRule REQUEST_HEADERS:Content-Type "^application/json" \
 "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
 # Sample rule to enable JSON request body parser for more subtypes.
 # Uncomment or adapt this rule if you want to engage the JSON
 # Processor for "+json" subtypes
 #
-#SecRule REQUEST_HEADERS:Content-Type "^application/.+[+]json$" \
+#SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
 # "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
 # Maximum request body size we will accept for buffering. If you support
diff --git a/test/test-cases/regression/secargumentslimit.json b/test/test-cases/regression/secargumentslimit.json
index 85ec3b9f4d..8f556b3596 100644
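Review bot: The new `^` anchors turn rules 200000 and 200001 into prefix matches with no terminator, so `^application/json` still hands the body to the JSON processor for any subtype that merely starts with `json`, e.g. the registered `application/json-seq`, which carries a record-separated sequence rather than a single JSON document; if that is not wanted, `^application/json(?:$|\s*;)` stops at the subtype while still allowing parameters such as `charset`. Rule 200000 likewise keeps matching `application/xml-dtd` and `application/xml-external-parsed-entity`, though the pre-change pattern already did. The comment block above each rule is unchanged and does not say why the match is now anchored; a line such as `# Match is anchored to the start of the header value so the processor follows the declared media type, not a type name appearing elsewhere in the value.` would keep a later edit from dropping the `^` again. In the sample rule 200006 the class `[a-z0-9.-]` omits `_` and the other characters RFC 6838 permits in a subtype name; that may be deliberate but deserves a note in the comment above it.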
--- a/test/test-cases/regression/secargumentslimit.json
+++ b/test/test-cases/regression/secargumentslimit.json
@@ -36,7 +36,7 @@
 "rules":[
 "SecRuleEngine On",
 "SecArgumentsLimit 6",
- "SecRule REQUEST_HEADERS:Content-Type \"application/json\" \"id:'200001',phase:1,t:none,pass,nolog,ctl:requestBodyProcessor=JSON\"",
+ "SecRule REQUEST_HEADERS:Content-Type \"^application/json\" \"id:'200001',phase:1,t:none,pass,nolog,ctl:requestBodyProcessor=JSON\"",
 "SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}'\"",
 "SecRule ARGS:/k5/ \"@rx v5\" \"id:'1234',phase:2,deny,status:403,t:none,log,auditlog\""
 ]
@@ -78,7 +78,7 @@
 "rules":[
 "SecRuleEngine On",
 "SecArgumentsLimit 5",
- "SecRule REQUEST_HEADERS:Content-Type \"application/json\" \"id:'200001',phase:1,t:none,pass,nolog,ctl:requestBodyProcessor=JSON\"",
+ "SecRule REQUEST_HEADERS:Content-Type \"^application/json\" \"id:'200001',phase:1,t:none,pass,nolog,ctl:requestBodyProcessor=JSON\"",
 "SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}'\"",
 "SecRule ARGS:/k5/ \"@rx v5\" \"id:'1234',phase:2,deny,status:403,t:none,log,auditlog\""
 ]
diff --git a/test/test-cases/regression/variable-REQBODY_PROCESSOR.json b/test/test-cases/regression/variable-REQBODY_PROCESSOR.json
index 965128b29d..87f43facf4 100644
--- a/test/test-cases/regression/variable-REQBODY_PROCESSOR.json
+++ b/test/test-cases/regression/variable-REQBODY_PROCESSOR.json
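Review bot: Both hunks of this fixture (the rule lists at old lines 36 and 78) now use `^application/json` but keep `t:none` alone, whereas the shipped rule 200001 in modsecurity.conf-recommended also applies `t:lowercase`; without it the anchored match here is case-sensitive, so the fixture exercises a slightly different rule than the one users run and would be better aligned with `t:none,t:lowercase`. Neither hunk adds a request for which the anchor changes the outcome — a Content-Type value that begins with another media type and only mentions `application/json` later no longer matches — so the regression value of this change rests on whatever the surrounding test objects, which start and end outside these hunks, already send. A dedicated case asserting that REQBODY_PROCESSOR stays unset for such a header would pin the behaviour the changelog entry presumably refers to.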
@@ -73,7 +73,7 @@
 },
 "rules":[
 "SecRuleEngine On",
- "SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500005,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
+ "SecRule REQUEST_HEADERS:Content-Type \"^(?:application(?:/soap\+|/)|text/)xml\" \"id:500005,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
 "SecRule REQBODY_PROCESSOR \"@contains test\" \"id:1,pass,phase:2,t:trim\""
 ]
 },
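Review bot: The added rule string escapes the plus sign as `\+`, which is not a valid JSON string escape — RFC 8259 allows only `\"`, `\\`, `\/`, `\b`, `\f`, `\n`, `\r`, `\t` and `\uXXXX` — so a strict parser rejects the fixture, and the regex needs `\\+` in the JSON source to reach the engine as `\+`. This could be a rendering artefact of this page rather than the committed text, so it is worth checking against the file itself. The replaced pattern `^text/xml$` was exact while the new one is an unterminated prefix copied from modsecurity.conf-recommended; the request the test sends and its expected REQBODY_PROCESSOR value lie outside this hunk, so whether the broader pattern still drives the same path cannot be confirmed here. The enclosing test object starts and ends outside the hunk.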