
Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf

Open azurit opened this issue 6 years ago • 2 comments

According to the SOAP 1.2 specification, the optional 'action' parameter is allowed for the 'Content-Type' header, see RFC3902: https://www.ietf.org/rfc/rfc3902.txt

Also, the original regexp was invalid as it was allowing only one parameter to 'Content-Type' header (there were two possible parameters which can be set at once: charset and boundary [now they are three]).

Finally, I added a hashtag character into the allowed ones, real-world example: Content-Type: application/soap+xml; charset=utf-8; action="urn:localhost-hwh#getQuestions"

azurit avatar Feb 14 '20 13:02 azurit

Travis passing now. Thank you.

dune73 avatar Feb 14 '20 14:02 dune73

Here is a more elaborate explanation (taken from https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/1688#issuecomment-586267561):

According to RFCs, all of these 'Content-Type' headers are valid:

Content-Type: application/soap+xml
Content-Type: application/soap+xml; charset=utf-8
Content-Type: application/soap+xml; charset=utf-8; action="urn:localhost-hwh#getQuestions"
Content-Type: application/soap+xml; action="urn:localhost-hwh#getQuestions"
Content-Type: application/soap+xml; charset=utf-8; boundary="something"
Content-Type: application/soap+xml; boundary="something"

Your original regexp was able to match only these:

Content-Type: application/soap+xml
Content-Type: application/soap+xml; charset=utf-8
Content-Type: application/soap+xml; boundary="something"

dune73 avatar Feb 14 '20 14:02 dune73
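The two comments above (azurit's PR description and dune73's expanded list of valid and previously-accepted headers) are illustrated here with an added Python example. It is not code from the CRS project and neither pattern is the text of the rule in REQUEST-920-PROTOCOL-ENFORCEMENT.conf: `NARROW_RE` is a constructed approximation of the behaviour the issue describes (an optional but non-repeatable parameter group, so only one `;`-separated parameter passes), `FIXED_RE` is a constructed fix (repeatable group, `action` added, `#` permitted inside the quoted value), and `parse_content_type`/`content_type_allowed` are an assumed alternative that parses the header with RFC 7231 token and quoted-string syntax and then allow-lists parameter names. The sample values are the six header values listed in the thread with the header name stripped.

```python
import re

# Header values taken from the issue (header name stripped). Per RFC 3902 the
# optional 'action' parameter is legal on application/soap+xml, and its value
# is a quoted string that may contain '#'.
SAMPLES = [
    'application/soap+xml',
    'application/soap+xml; charset=utf-8',
    'application/soap+xml; charset=utf-8; action="urn:localhost-hwh#getQuestions"',
    'application/soap+xml; action="urn:localhost-hwh#getQuestions"',
    'application/soap+xml; charset=utf-8; boundary="something"',
    'application/soap+xml; boundary="something"',
]

# Constructed approximation of the pre-fix behaviour (NOT the text of the CRS
# rule): the parameter group is optional but not repeatable, so at most one
# ';'-separated parameter is accepted.
NARROW_RE = re.compile(
    r'^application/soap\+xml'
    r'(?:\s*;\s*(?:charset=[\w-]+|boundary="[^"]*"))?$'
)

# Constructed fix: make the parameter group repeatable ('*' instead of '?'),
# add 'action', and allow '#' inside its quoted value.
FIXED_RE = re.compile(
    r'^application/soap\+xml'
    r'(?:\s*;\s*(?:charset=[\w-]+|boundary="[^"]*"|action="[\w:#.-]*"))*$'
)


def evaluate(pattern, samples=SAMPLES):
    """Map each sample to whether `pattern` matches it in full."""
    return {s: pattern.fullmatch(s) is not None for s in samples}


# Assumed alternative that scales better than one monolithic regex: parse the
# header into (media type, parameters) using RFC 7231 token / quoted-string
# syntax, then allow-list the parameter names. A '#' is a legal token character,
# but ':' is not, so an unquoted 'urn:...' action value is rejected as malformed.
_TCHAR = r"[A-Za-z0-9!#$%&'*+\-.^_`|~]+"
_PARAM_RE = re.compile(r'\s*;\s*(' + _TCHAR + r')=(?:"([^"]*)"|(' + _TCHAR + r'))')
_MEDIA_TYPE_RE = re.compile(r'\s*(' + _TCHAR + r'/' + _TCHAR + r')\s*')

ALLOWED_PARAMS = {'charset', 'boundary', 'action'}


def parse_content_type(value):
    """Return (media_type, {param: value}); raise ValueError on malformed input."""
    m = _MEDIA_TYPE_RE.match(value)
    if not m:
        raise ValueError('no media type')
    media_type = m.group(1).lower()
    params = {}
    pos = m.end()
    while pos < len(value):
        m = _PARAM_RE.match(value, pos)
        if not m:
            raise ValueError('malformed parameter at offset %d' % pos)
        val = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1).lower()] = val
        pos = m.end()
    return media_type, params


def content_type_allowed(value, allowed_params=ALLOWED_PARAMS):
    """True when the header parses and every parameter name is allow-listed."""
    try:
        _, params = parse_content_type(value)
    except ValueError:
        return False
    return set(params) <= allowed_params


if __name__ == '__main__':
    for name, pat in (('narrow', NARROW_RE), ('fixed', FIXED_RE)):
        for s, ok in evaluate(pat).items():
            print('%-6s %-5s %s' % (name, ok, s))
    for s in SAMPLES + ['application/soap+xml; foo=bar']:
        print('parsed %-5s %s' % (content_type_allowed(s), s))
```

Running the block shows the narrow pattern passing only the first, second and last sample, exactly the three headers dune73 lists as matched by the original regexp, while the repeatable pattern and the parser-plus-allow-list accept all six; the parser additionally rejects an unknown parameter name and an unquoted `action` value, which a single positive regexp has to encode character class by character class.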