Maybe you can have a rule before this to check &variable eq 0 and skip the rule, 
but the cost of macro expansion in your @within against that very simple regex 
should be very low, especially if you compare it to other rules with multiple 
capturing +100 long regex ;)

Regards,
Manuel

-----Original Message-----
From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org 
[mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of 
Christian Folini
Sent: Thursday, 18 February 2016 10:30
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Paranoia Mode: Forgotten 
controversial ...

-> https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/284

I had to fix the GeoIP blocking rule as well.
It would use @pm with macro expansion of tx.high_risk_country_codes but @pm 
does not perform macro expansion. Replaced with @within and placed a note in 
the reference manual.

So it looks like people never complained about this rule because it never 
blocked anything.

I also made sure that a GeoIPLookup is only performed on a defined and 
non-empty tx.high_risk_country_codes.
I run this test with "!^$". It's the way the core rules check for empty headers 
as well. However, I wonder if there is no way to do this test without 
involving a (supposedly costly) regex.

Feedback welcome.

Ahoj,

Christian


--
It is curious that physical courage should be so common in the world, and moral 
courage so rare.
-- Mark Twain
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list 
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
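
The rule change discussed in this thread, sketched as an added example (not taken from either message or from the pull request): the @pm form that never matched, the "!^$" guard with @within, and the count-based skip suggested in the reply. Rule ids, the marker name, the database path and the XX/YY codes are constructed placeholders.

```apache
# Added illustration. Rule ids 10001-10003, END_GEO_CHECK, the database path
# and the XX/YY country codes are constructed placeholders, not CRS values.
SecGeoLookupDb /path/to/GeoIP.dat

SecAction "id:10001,phase:1,nolog,pass,\
    setvar:'tx.high_risk_country_codes=XX YY'"

# Before: @pm takes its parameter literally, so it searches the country code
# for the text "%{tx.high_risk_country_codes}" and never matches.
#
# SecRule REMOTE_ADDR "@geoLookup" "id:10003,phase:1,deny,status:403,chain"
#     SecRule GEO:COUNTRY_CODE "@pm %{tx.high_risk_country_codes}"

# Variant from the reply: count the variable and skip the check when it is
# not defined. The count tests definition only, not an empty value, which is
# the case the "!^$" test below also covers.
SecRule &TX:HIGH_RISK_COUNTRY_CODES "@eq 0" \
    "id:10002,phase:1,nolog,pass,skipAfter:END_GEO_CHECK"

# After: the "!^$" guard keeps the GeoIP lookup from running on an empty
# list, and @within expands the macro before comparing.
SecRule TX:HIGH_RISK_COUNTRY_CODES "!^$" \
    "id:10003,phase:1,deny,status:403,log,msg:'High risk country',chain"
    SecRule REMOTE_ADDR "@geoLookup" "chain"
        SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}"

SecMarker END_GEO_CHECK
```

A request from an address that resolves to a listed code is the test case worth keeping for this rule, since the @pm version loaded cleanly and simply never fired.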