This regex was modified a long time ago to help prevent false positives when the @validateUrlEncoding operator was used - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#validateUrlEncoding
Without this – the operator would throw errors when it saw any % sign with other chars after it other than the normal ranges. We will look to improve it for CRS v3.0.0. Ryan Barnett Lead Security Researcher, SpiderLabs Trustwave | SMART SECURITY ON DEMAND www.trustwave.com<http://www.trustwave.com/> From: Ty <ty733...@gmail.com<mailto:ty733...@gmail.com>> Date: Tuesday, April 1, 2014 11:17 AM To: "owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>" <owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>> Subject: [Owasp-modsecurity-core-rule-set] "multiple URL encoding" matching unexpectedly I know this rule (950109) has been brought up on this list before because posters were confused by its behavior for various reasons. I'm also by something very specific about it and so I'll get right to the point: If this string (before URL encoding) appears in a parameter, the rule matches: hello%0dworld Which is expected, and I understand (percent followed by two potentially hex characters). What I don't understand is why this string: hello%world also causes the rule to match, and I don't understand that (the following characters are not hexadecimal). Looking at the regex, it would appear it's been written to look specifically for hex characters (and their unicode equivalent): SecRule ARGS "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \ But clearly it matches non-hex characters as well. Am I misunderstanding how the rule should work, or is there a problem with the rule's regex? Thanks, Ty ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
