Re: Has anyone ever used multiMatch?
Ivan Ristic <ivan.ristic <at> gmail.com>
2009-09-04 15:01:01 GMT
I don't know, I haven't thought about it. I prefer not to take shortcuts. That way, I don't have to consider undesired consequences.

On Fri, Sep 4, 2009 at 11:53 AM, Nick Gearls <nickgearls <at> gmail.com> wrote:
> What's the exact problem of using only
> t:none,t:htmlEntityDecode,t:cssDecode,t:jsDecode
>
> Do you see a possibility of missing an attack, or getting a false positive?
>
> Nick
>
>
> Ivan Ristic wrote:
>> To respond to my own email, I've never used multiMatch. I did
>> encounter a situation where multiMatch would be useful, but it didn't
>> quite do what I needed. As an example, below is an extract from some
>> work that I never finished (it might have gone into the new Core
>> Rules, though).
>>
>> ------------------------
>> # Do not allow control characters apart from horizontal tab (9/0x09),
>> # line feed (10/0x0a) and carriage return (13/0x0d).
>> #
>> # Ref: http://en.wikipedia.org/wiki/Control_character
>> # Ref: http://www.w3.org/MarkUp/html3/specialchars.html
>> #
>> SecRule ARGS "@validateByteRange 9,10,13,32-255" \
>> t:none
>>
>> # Verify for invalid bytes in HTML content.
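The difference Nick asks about is how often the operator runs: without multiMatch a rule inspects only the value left after the whole transformation chain, while multiMatch inspects the raw value and the result of every transformation in turn. The toy model below is an added example written for this thread, not ModSecurity code or anything from the Core Rules. It implements the @validateByteRange check from Ivan's rule over a simplified chain; the numeric-entity-only htmlEntityDecode and the removeNulls step (a real ModSecurity transformation, but not one used in the thread) are simplifications chosen so the masking effect is visible: a byte that is outside the allowed range after one transformation can be gone again by the end of the chain, so a final-only check stays silent where multiMatch fires.

```python
"""Toy model of a ModSecurity-style transformation pipeline, comparing
final-only matching with multiMatch.  Constructed for illustration;
the decoders are deliberately simplified and are not ModSecurity's own."""
import re


def parse_byte_ranges(spec):
    """Parse a @validateByteRange argument such as "9,10,13,32-255"
    into the set of allowed byte values."""
    allowed = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            allowed.update(range(lo, hi + 1))
        else:
            allowed.add(int(part))
    return allowed


def validate_byte_range(value, spec):
    """Return the bytes of *value* that fall outside the allowed ranges.
    The operator 'matches' (the rule fires) when this list is non-empty,
    mirroring @validateByteRange, which flags any byte outside the ranges."""
    allowed = parse_byte_ranges(spec)
    return [b for b in value if b not in allowed]


# --- simplified transformations (assumptions, not ModSecurity's code) ---

_NUM_ENTITY = re.compile(rb"&#(x[0-9a-fA-F]+|[0-9]+);")


def t_none(value):
    """t:none modelled as the identity (in ModSecurity it also clears
    any default transformations; that aspect is not modelled here)."""
    return value


def t_html_entity_decode(value):
    """Simplified htmlEntityDecode: numeric entities (&#NN; / &#xHH;) only,
    truncated to a single byte."""
    def repl(match):
        num = match.group(1)
        code = int(num[1:], 16) if num[:1] in b"xX" else int(num)
        return bytes([code & 0xFF])
    return _NUM_ENTITY.sub(repl, value)


def t_remove_nulls(value):
    """removeNulls: drop every NUL byte."""
    return value.replace(b"\x00", b"")


TRANSFORMATIONS = {
    "none": t_none,
    "htmlEntityDecode": t_html_entity_decode,
    "removeNulls": t_remove_nulls,
}


def run_rule(value, chain, spec, multi_match):
    """Apply *chain* to *value* and return (stage_name, offending_bytes)
    pairs for every stage at which the operator fired.  Without multiMatch
    only the final value is inspected; with multiMatch the raw value and
    each intermediate result are inspected as well."""
    stages = [("raw", value)]
    current = value
    for name in chain:
        current = TRANSFORMATIONS[name](current)
        stages.append((name, current))
    if not multi_match:
        stages = stages[-1:]
    hits = []
    for name, staged in stages:
        bad = validate_byte_range(staged, spec)
        if bad:
            hits.append((name, bad))
    return hits


SPEC = "9,10,13,32-255"
CHAIN = ["none", "htmlEntityDecode", "removeNulls"]
# Constructed sample: printable on the wire, a NUL after entity decoding,
# and clean again once removeNulls has run.
SAMPLE = b"ab&#0;cd"

if __name__ == "__main__":
    print("final-only :", run_rule(SAMPLE, CHAIN, SPEC, multi_match=False))
    print("multiMatch :", run_rule(SAMPLE, CHAIN, SPEC, multi_match=True))
```

Running it shows an empty result for the final-only check and a single hit at the htmlEntityDecode stage under multiMatch. The general point for a defender tuning transformation chains is that every transformation appended after the one that exposes a bad byte is a place where a final-only check can lose sight of it; multiMatch trades extra operator invocations for visibility at each step.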