Christian Folini | 6 Mar 09:59

Character "+" in query strings

Hello everybody,

I am in the process of writing a (positive :) ruleset for the drupal css.

Drupal knows the following request:
GET /drupal-5.0/?q=admin/user/rules&sort=desc&order=Rule+type HTTP/1.1

My problem lies with the query string argument "order".
It has the "+" character in it.

I have written the following rule (ModSecurity 2.1) to check the validity of 
this parameter:

SecRule &ARGS:order "!@eq 0" "chain,t:none,deny,id:1,status:501,..."
SecRule ARGS:order "!^([\w+]{1,16})$" "t:none"

The ModSecurity debug log says:
... Executing operator !rx with param "^([\\w+]{1,16})$" against ARGS:order.
... /drupal-5.0/][9] Target value: Rule type

So the "+" character is gone. 

The SecArgumentSeparator is left to the default, btw.

What is the problem here?

regards,

Christian


Ivan Ristic | 6 Mar 10:37

Re: Character "+" in query strings

There does not appear to be a problem; the "+" is supposed to be
converted to a space according to the specification. A "+" has the
same effect as "%20".

On 3/6/07, Christian Folini <christian.folini <at> time-machine.ch> wrote:
> Hello everybody,
>
> I am in the process of writing a (positive :) ruleset for the drupal css.
>
> Drupal knows the following request:
> GET /drupal-5.0/?q=admin/user/rules&sort=desc&order=Rule+type HTTP/1.1
>
> My problem lies with the query string argument "order".
> It has the "+" character in it.
>
> I have written the following rule (ModSecurity 2.1) to check the validity of
> this parameter:
>
> SecRule &ARGS:order "!@eq 0" "chain,t:none,deny,id:1,status:501,..."
> SecRule ARGS:order "!^([\w+]{1,16})$" "t:none"

If I am reading this right, you are first checking to see if the
parameter exists and, if it does, check its contents. You do not need
two rules for this. Just having:

SecRule ARGS:order "!^([\w+]{1,16})$" <actions>

would do. This is because, when the "order" parameter is not present,
ARGS:order evaluates to an empty collection and the operator is not
invoked. You still need to check &ARGS:varname if you want to detect a
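Added example, not code from the thread or from ModSecurity itself: a small Python model of the two points Ivan makes above, that "+" (like "%20") is decoded to a space before the rule ever sees ARGS:order, and that a missing parameter leaves ARGS:order as an empty collection so the operator is skipped unless a separate &ARGS count check makes it mandatory. The function and constant names, and the second regex that allows a space, are my own and not from the original rule.

```python
"""Models how ModSecurity decodes query-string arguments before a SecRule
sees them, and how the original rule behaves against the decoded value."""
import re
from urllib.parse import parse_qsl

# Request line taken from the thread (query string is what matters here).
REQUEST_LINE = "GET /drupal-5.0/?q=admin/user/rules&sort=desc&order=Rule+type HTTP/1.1"

# As posted: the class [\w+] allows a literal "+", which is never present
# after decoding, so "Rule type" fails this check and the rule denies.
ORDER_RE_RAW = re.compile(r"^[\w+]{1,16}$")
# Assumed corrected form: allow the space that "+" / "%20" decode to.
ORDER_RE_DECODED = re.compile(r"^[\w ]{1,16}$")


def parse_args(request_line: str) -> dict:
    """Decode the query string as an x-www-form-urlencoded parser does:
    '+' and '%20' both become a space; separator left at the default '&'."""
    target = request_line.split(" ")[1]
    query = target.partition("?")[2]
    return dict(parse_qsl(query, keep_blank_values=True))


def check_order(args: dict, pattern: re.Pattern, required: bool = False) -> str:
    """Return 'pass', 'deny' or 'skip'.

    A missing parameter means ARGS:order is an empty collection and the
    operator is not invoked ('skip'); only an &ARGS:order count check
    (required=True) turns absence into a deny. A present value is denied
    when it does not match the whitelist pattern (the '!' in the rule)."""
    if "order" not in args:
        return "deny" if required else "skip"
    return "pass" if pattern.fullmatch(args["order"]) else "deny"


if __name__ == "__main__":
    args = parse_args(REQUEST_LINE)
    print(args["order"])                                   # Rule type
    print(check_order(args, ORDER_RE_RAW))                 # deny
    print(check_order(args, ORDER_RE_DECODED))             # pass
    print(check_order({}, ORDER_RE_DECODED))               # skip
    print(check_order({}, ORDER_RE_DECODED, required=True))  # deny
```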

Christian Folini | 6 Mar 11:04

Re: Character "+" in query strings

On Tue, Mar 06, 2007 at 09:37:15AM +0000, Ivan Ristic wrote:
> There does not appear to be a problem; the "+" is supposed to be
> converted to a space according to the specification. A "+" has the
> same effect as "%20".

Thanks for pointing this out. Thought I was missing something here.
Which spec is this? It's not in rfc2616, is it?

> >SecRule &ARGS:order "!@eq 0" "chain,t:none,deny,id:1,status:501,..."
> >SecRule ARGS:order "!^([\w+]{1,16})$" "t:none"
> 
> If I am reading this right, you are first checking to see if the
> parameter exists and, if it does, check its contents. You do not need
> two rules for this. Just having:
> 
> SecRule ARGS:order "!^([\w+]{1,16})$" <actions>

Cool. That's saving 40% of my SecRule commands, as I have been doing
this with every header.

> would do. This is because, when the "order" parameter is not present,
> ARGS:order evaluates to an empty collection and the operator is not
> invoked. You still need to check &ARGS:varname if you want to detect a
> lack of parameter.

So far headers and query string arguments are optional; post arguments
and cookies are mandatory parameters. I am checking them the way
you pointed out.

> However, you may want to add a check that makes sure there is only one