Max Leske

Results 149 comments of Max Leske

@lifeforms here's where we were talking about it: https://owasp.slack.com/archives/CBKGH8A5P/p1640034126356900. You said something about having a dump from Reddit.

Thanks @karelorigin for the work! I've been thinking about how to avoid the whole look-ahead issue. We've only recently gotten rid of a script that would generate a look-ahead-free expression...

@karelorigin Link to the script in the commit before I removed it: https://github.com/coreruleset/coreruleset/blob/98590c959a477f58dc7c4cc090ca41118ba6a491/util/regexp-assemble/lib/negativelookbehind.py. To find out whether there's more than one `charset` you could do the following: 1. match the...

@karelorigin You're right... I'm currently wrapping my head around the issue and trying to come up with a different solution. I _really_ want to avoid having to use any look-around...

I think I have a working solution. The idea is to match the entire header value and expect it to be valid, then block when no match is found, using...

You're right, it is more complicated, although only as long as you don't account for the complexity of the script you wrote. Thanks for the bypass hint. I was able...

> So while we try to improve security, we make HTTP more complicated for everybody else (and force people to burn more CO2 from here going forward). That's a good...

What a brainfuck. How about I add another symbol for suffix evasion without space? Then you could add `python~` and `ruby~` and it would mean the same thing as with...

5 and 6 fail because you forgot to update the rule ;) This issue appears to be older than the PR where I've added the lint step for rule generation....

> Ugh, sorry I don't have my laptop till the weekend. Why did we remove the !$ on 932300? It's an empty suffix comment. The regex is exactly the same...