TW - Vincent
If we look at characters that are being URL-encoded even though there’s no legitimate reason for them to be (and noting that standard urlencode implementations don’t hex-encode these characters), I’d...
Here is what we have here: https://github.com/coreruleset/coreruleset/pull/4302
I’m not sure I understand your example with Google. This rule has been running here for years in high-traffic e-commerce environments, and it has never triggered a single false positive...
I honestly don’t see any request reaching the target site when I type site:www.XX.fr/abort foobar in Google. No call is made to the website in that case.
@RedXanadu The PR has been updated with both the old and new regex. I don’t have the energy to find the commit - it’s somewhere between branches 3 and 4....
Discussed on Slack yesterday.
Thank you, Christian, for your feedback. I’ve just opened an issue while trying to follow this approach. I’m fully aware that this is a chain of two interlocking problems. If...
In the older RFC 2616 https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html, it is stated: "The presence of a message-body in a request is signaled by the inclusion of a Content-Length or Transfer-Encoding header field in...
This must be blocked - which is not the case for the moment. `curl -v --http2 -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:4" "http://sandbox.coreruleset.org/" -d '{"id_order":"select(sleep(10));"}' -H 'Content-Type:' -H 'Content-Length:'` More details...
This test is wrong - rule 920180 does not catch this. It’s a bug of the sandbox to display a block - there is no block. It's the reason of...