I know this rule (950109) has been brought up on this list before because
posters were confused by its behavior for various reasons. I'm also by
something very specific about it and so I'll get right to the point:
If this string (before URL encoding) appears in a parameter, the rule
matches:
hello%0dworld
Which is expected, and I understand (percent followed by two potentially
hex characters). What I don't understand is why this string:
hello%world
also causes the rule to match, and I don't understand that (the following
characters are not hexadecimal). Looking at the regex, it would appear
it's been written to look specifically for hex characters (and their
unicode equivalent):
SecRule ARGS "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
But clearly it matches non-hex characters as well. Am I misunderstanding
how the rule should work, or is there a problem with the rule's regex?
Thanks,
Ty
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
