On 4/4/11 10:35 AM, "Alberto Gonzalez Iniesta" <[email protected]> wrote:

>On Mon, Apr 04, 2011 at 09:27:24AM -0500, Ryan Barnett wrote:
>> Current setting:
>>
>> # Maximum request body size we will accept for buffering. If you support
>> # file uploads then the value given on the first line has to be as large
>> # as the largest file you are willing to accept. The second value refers
>> # to the size of data, with files excluded. You want to keep that value as
>> # low as practical.
>> #
>> SecRequestBodyLimit 13107200
>> SecRequestBodyNoFilesLimit 131072
>>
>> Rationale:
>> These two settings are highly dependent upon the local application's
>> purpose.  The first directive - SecRequestBodyLimit - includes file
>> attachments (multi-part Content-Type).  This setting translates to
>> 12.5MB.  The second directive - SecRequestBodyNoFilesLimit - is for
>> application/x-www-form-urlencoded request bodies passing ARGS.  This
>> setting is 128K.
>>
>
>Agreed. But the file "modsecurity.conf-minimal" in the tarball comes
>with this:
>SecRequestBodyLimit 131072
>
>Maybe it should be updated to 13107200?

Exactly.  That is the purpose of this community thread.  Our goal is to
develop a new modsecurity_main.conf file that we will distribute with the
new v2.6 branch.

-Ryan
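
Added example, not part of the original thread and not ModSecurity project code: a small check that compares the two request body limits in a configuration file against the values proposed above and reports drift such as the modsecurity.conf-minimal line quoted in the thread. The function names, the sample text and the rule that a later directive overrides an earlier one are assumptions made for illustration.

```python
import re

# Values proposed in the thread above for the new default configuration.
RECOMMENDED = {
    "SecRequestBodyLimit": 13107200,       # 12.5 MB, file uploads included
    "SecRequestBodyNoFilesLimit": 131072,  # 128 KB, files excluded
}

# Matches only active directives; lines starting with '#' do not match.
DIRECTIVE = re.compile(r"^\s*(SecRequestBody(?:NoFiles)?Limit)\s+(\d+)\s*$")


def parse_limits(conf_text):
    """Return {directive: bytes} for the two limits found in conf_text."""
    found = {}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            # Assumption: a later line overrides an earlier one.
            found[m.group(1)] = int(m.group(2))
    return found


def audit(conf_text):
    """Compare a config against RECOMMENDED and return a list of findings."""
    limits = parse_limits(conf_text)
    findings = []
    for name, want in RECOMMENDED.items():
        have = limits.get(name)
        if have is None:
            findings.append(f"{name}: not set, module default applies")
        elif have != want:
            findings.append(f"{name}: {have} ({have / 1024:g} KB), thread proposes {want}")
    body = limits.get("SecRequestBodyLimit")
    nofiles = limits.get("SecRequestBodyNoFilesLimit")
    if body is not None and nofiles is not None and nofiles > body:
        findings.append("SecRequestBodyNoFilesLimit exceeds SecRequestBodyLimit")
    return findings


# Constructed sample modelled on the modsecurity.conf-minimal line quoted above.
MINIMAL_SAMPLE = """\
# SecRequestBodyLimit 13107200
SecRequestBodyLimit 131072
"""

if __name__ == "__main__":
    for finding in audit(MINIMAL_SAMPLE):
        print(finding)
```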



_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
