Ryan Barnett
Original reporter: brectanus
marcstern: About defining macros, is it worth including this in ModSecurity when there are mod_define & mod_macro? Would it add something more?
brectanus: Yes: 1) They can use internal modsecurity values 2) They can be interpreted at runtime (not just config time)
rbarnett: It would be useful if macro expansion could support collections such as: %{matched_vars} %{args} %{request_headers}
Original reporter: marcstern
rbarnett: How about adding macro expansion to the + setvar action? So you could do something like this - setvar:tx.foo=+%{matched_var} So, if tx.foo already had data in it, it would...
marcstern: Macro expansion is already working inside setvar/setenv... I don't really see the point about expansion, except if you need to move the parsing at run-time instead of config time....
marcstern: Too bad we have to wait for 3.0, as this functionality can be used to block HTTP parameter pollution attacks :-(
bpinto: It can be changed, Marc, we are hiring a new devel to the team :) Anyway, I will reschedule this. Maybe for some 2.7.x.
bpinto: Marc, this is not clear to me. Could you please give me more details? Maybe some real situations and an example of a SecRule. Thanks