
About SecRequestBodyAccess Off and SecResponseBodyAccess Off #1531


Closed
f2ex opened this issue Aug 10, 2017 · 4 comments
Labels
3.x Related to ModSecurity version 3.x bug It is a confirmed bug pending feedback pr available RIP - libmodsecurity

@f2ex
f2ex commented Aug 10, 2017

If SecRequestBodyAccess Off and SecResponseBodyAccess Off are set, will the other defensive rules have a defensive effect? Thank you.

@victorhora
Contributor

It would depend on the remaining defensive rules that are enabled. If the other rules are, for example, looking for matches on Phase Request Headers (query string, cookies and other headers), it will work fine.

If you look at the description for SecRequestBodyAccess in the reference manual, you will see the following:

"This directive is required if you want to inspect the data transported request bodies (e.g., POST parameters). Request buffering is also required in order to make reliable blocking possible."

Meaning that variables like ARGS_POST, REQUEST_BODY and STREAM_INPUT_BODY will be empty and you won't be able to match on them. See also Phase Request Body.

The same concept applies to SecResponseBodyAccess.
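The behaviour described in the comment above, as an added configuration example that is not part of the original thread or the project's own rule set. The rule ids 100001-100003 and the string `example-marker` are constructed placeholders.

```apache
# Constructed example: ids and the marker string are placeholders, not project rules.
SecRuleEngine On

# The settings asked about: request and response bodies are not made
# available to the rule engine.
SecRequestBodyAccess Off
SecResponseBodyAccess Off

# Phase 1 (request headers): the query string, cookies and headers are
# available regardless of the body settings, so this rule still works.
SecRule ARGS_GET|REQUEST_COOKIES|REQUEST_HEADERS:User-Agent "@contains example-marker" \
    "id:100001,phase:1,deny,status:403,log,msg:'Marker in query string, cookie or User-Agent'"

# Phase 2 (request body): with SecRequestBodyAccess Off, ARGS_POST and
# REQUEST_BODY are expected to be empty, so this rule has nothing to match.
SecRule ARGS_POST|REQUEST_BODY "@contains example-marker" \
    "id:100002,phase:2,deny,status:403,log,msg:'Marker in request body'"

# Phase 4 (response body): the same applies to RESPONSE_BODY while
# SecResponseBodyAccess is Off.
SecRule RESPONSE_BODY "@contains example-marker" \
    "id:100003,phase:4,deny,status:403,log,msg:'Marker in response body'"

# For rules 100002 and 100003 to see any data, the body directives must be On:
# SecRequestBodyAccess On
# SecResponseBodyAccess On
```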

@defanator
Contributor

@victorhora @zimmerle seems like this one is still working incorrectly with libmodsecurity: ARGS_POST and ARGS_POST_NAMES are still being evaluated when SecRequestBodyAccess is set to off.

@victorhora victorhora self-assigned this Aug 27, 2018
@victorhora victorhora added RIP - libmodsecurity 3.x Related to ModSecurity version 3.x labels Aug 27, 2018
@victorhora victorhora reopened this Aug 27, 2018
@victorhora victorhora added this to the v3.0.3 milestone Aug 30, 2018
@victorhora victorhora added the bug It is a confirmed bug label Aug 30, 2018
@victorhora
Contributor

#1886 should fix this. Please confirm if it works for you ;)

@zimmerle
Contributor

Merged! Thanks!

victorhora pushed a commit to owasp-modsecurity/ModSecurity-nginx that referenced this issue Sep 20, 2018
pracj3am pushed a commit to cdn77/ModSecurity-nginx that referenced this issue Nov 4, 2022