
`REQUEST_FILENAME` variable is not getting correctly set

Open PrajwalKrishna opened this issue 2 years ago • 2 comments

Describe the bug

REQUEST_FILENAME variable is not getting correctly set in Transaction::processURI()

To Reproduce

Steps to reproduce the behavior:

  1. Create a new Transaction variable, defined in transaction.h
  2. Call `Transaction::processURI("https://fruits.com/mango/apple.txt", "GET", 2.0)`
  3. Print the value of `Transaction::m_variableRequestFilename::m_value`

We get the value as `https://fruits.com/mango/apple.txt`, instead of `/mango/apple.txt`.

Expected behavior

REQUEST_FILENAME variable to be the relative path of the file (without domain name). This can be seen in the definition of the variable as per docs - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#request_filename.

Additional context

Solving this issue should be pretty simple: we do later parse the URI to remove the domain information; we should use the parsed URI. Happy to put up the fix, if this indeed is a bug.

PrajwalKrishna avatar Dec 30 '22 04:12 PrajwalKrishna

Hello @PrajwalKrishna ,

Do you have a use case where REQUEST_FILENAME includes the domain when running with nginx and the Connector (ModSecurity-nginx)?

martinhsv avatar Dec 30 '22 18:12 martinhsv

Hey @martinhsv, my use case is more general, where I use it as an edge firewall. I see some false positives when using core rule sets, which can be resolved if the domain name was not there.

PrajwalKrishna avatar Jan 02 '23 04:01 PrajwalKrishna

Bug is fixed by - https://github.com/owasp-modsecurity/ModSecurity/pull/3048

PrajwalKrishna avatar Mar 12 '24 12:03 PrajwalKrishna
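
The expected behaviour described in the opening post, as an added example that is neither ModSecurity's code nor the fix from the linked pull request: a stand-alone C++ helper (the name `request_filename_from_target` is hypothetical) that derives the path from both origin-form and absolute-form request-targets. Mapping an absolute URI with an empty path to `/` is an assumption, and the sample inputs are constructed.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical helper (not a ModSecurity function): derive the relative path,
// without domain or query string, from a raw request-target.
std::string request_filename_from_target(const std::string &target) {
    // The query string is not part of REQUEST_FILENAME.
    std::string s = target.substr(0, target.find('?'));

    // origin-form ("/mango/apple.txt"): already a path. Checking this first
    // keeps a "://" that appears later inside the path from being misread.
    if (s.empty() || s[0] == '/') return s;

    // absolute-form: scheme "://" authority [path]. Validate the scheme
    // (RFC 3986: ALPHA followed by ALPHA / DIGIT / "+" / "-" / ".").
    std::size_t sep = s.find("://");
    if (sep == std::string::npos || sep == 0) return s;  // e.g. "*", "host:443"
    if (!std::isalpha(static_cast<unsigned char>(s[0]))) return s;
    for (std::size_t i = 1; i < sep; ++i) {
        unsigned char c = static_cast<unsigned char>(s[i]);
        if (!std::isalnum(c) && c != '+' && c != '-' && c != '.') return s;
    }

    // Skip the authority; the path starts at the next '/'.
    std::size_t path = s.find('/', sep + 3);
    // Assumption: an absolute URI with an empty path maps to "/".
    return path == std::string::npos ? std::string("/") : s.substr(path);
}

int main() {
    // Constructed request-targets covering the forms a WAF may receive.
    const char *samples[] = {
        "https://fruits.com/mango/apple.txt",   // absolute-form (the issue)
        "/mango/apple.txt?ripe=1",              // origin-form with query
        "/redirect/http://other.example/a",     // "://" inside the path
        "http://fruits.com",                    // absolute-form, empty path
        "fruits.com:443",                       // authority-form (CONNECT)
    };
    for (const char *t : samples)
        std::cout << t << " -> " << request_filename_from_target(t) << "\n";
    return 0;
}
```

Rules that match on a leading `/` or on path prefixes see the same value for both request forms once the scheme and authority are stripped this way.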