I think this rule should match only in cases where the matching pattern is a part of a value but not the *entire* value, e.g. ".+application/x-shockwave-flash|image/svg\+xml|text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript)).+" instead of "application/x-shockwave-flash|image/svg\+xml|text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript))".

If one wants to provide a MIME type as an arg, the current rule will block it; however, with my suggestion it will not. In case of an attack, "text/javascript" or any other combination will always be a part of a tag, hence never the entire arg.

ARGS_POST:attachment[params][links][2][type] = "text/css"

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
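The following is an added example, not code from the post or from the CRS project, that runs the rule's pattern and the proposed ".+ ... .+" variant over constructed sample argument values, the way a rule author would check a tuning change for false positives before shipping it. Because regex alternation binds loosest, the leading and trailing `.+` in the proposed pattern attach only to the first and last alternatives, so the example also tests a grouped variant (an assumption added here, not something the post proposes) in which the surrounding `.+` apply to every MIME type. The sample values, including the inert tag, are constructed for the test.

```python
import re

# Pattern as used by the CRS rule discussed in the post (ModSecurity @rx is an
# unanchored search, so re.search() models it).
CRS_PATTERN = (
    r"application/x-shockwave-flash|image/svg\+xml|"
    r"text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript))"
)

# The variant proposed in the post, exactly as written there.
PROPOSED_PATTERN = (
    r".+application/x-shockwave-flash|image/svg\+xml|"
    r"text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript)).+"
)

# Assumption (not from the post): the same alternatives wrapped in a group so that
# the ".+" on each side really does apply to every MIME type, not just the outer ones.
GROUPED_PATTERN = (
    r".+(?:application/x-shockwave-flash|image/svg\+xml|"
    r"text/(?:css|html|ecmascript|javascript|vbscript|x-(?:javascript|scriptlet|vbscript))).+"
)

PATTERNS = {
    "crs": re.compile(CRS_PATTERN),
    "proposed": re.compile(PROPOSED_PATTERN),
    "grouped": re.compile(GROUPED_PATTERN),
}


def matches(name: str, value: str) -> bool:
    """Return True when the named pattern would fire on this argument value."""
    return PATTERNS[name].search(value) is not None


def evaluate(value: str) -> dict:
    """Run every pattern against one argument value; keys are pattern names."""
    return {name: matches(name, value) for name in PATTERNS}


# Constructed sample values: a legitimate bare MIME type as in the post's ARGS_POST
# example, two other bare MIME types, a MIME type embedded inside a (harmless) tag,
# and an ordinary string that should never fire.
SAMPLES = [
    ("text/css", "bare MIME type submitted as a form field"),
    ("image/svg+xml", "bare MIME type, middle alternative"),
    ("application/x-shockwave-flash", "bare MIME type, first alternative"),
    ('<object type="text/javascript" data="x"></object>', "MIME type inside a tag"),
    ("hello world", "no MIME type at all"),
]


def report() -> list:
    """Tabulate which pattern fires on which sample; returned for inspection."""
    rows = []
    for value, note in SAMPLES:
        result = evaluate(value)
        rows.append((value, note, result))
        flags = " ".join(f"{k}={'HIT' if v else '-'}" for k, v in result.items())
        print(f"{value!r:55} {flags}   # {note}")
    return rows


if __name__ == "__main__":
    report()
```

The bare "text/css" value from the post fires under the current CRS pattern and not under either variant, which is the behaviour the post is after. The bare "image/svg+xml" value shows why grouping matters: the proposed pattern as written still fires on it, because that alternative carries no `.+` on either side, while the grouped form does not. The tag sample fires under all three, so the change narrows the rule without losing the embedded-tag case the rule is meant to catch.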