diff --git a/modsecurity.conf-recommended b/modsecurity.conf-recommended
index d8224c2d8d..74f0730415 100644
--- a/modsecurity.conf-recommended
+++ b/modsecurity.conf-recommended
@@ -102,23 +102,22 @@ FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
 # is wrong, then parser returns with value 1 (also a non-zero).
 #
 # You can choose, which one is what you need. The example below contains the
-# 'strict' mode, which means if there are any lines with start of "--", then
-# ModSecurity blocked the content. But the next, commented example contains
+# 'strict' logging mode, which means if there are any lines with start of "--", then
+# ModSecurity warns about the request. But the next, example contains
 # the 'permissive' mode, then you check only if the necessary lines exists in
 # correct order. Whit this, you can enable to upload PEM files (eg "----BEGIN.."),
 # or other text files, which contains eg. HTTP headers.
 #
-# The difference is only the operator - in strict mode (first) the content blocked
+# The difference is only the operator - in strict mode (first) the content logs
 # in case of any non-zero value. In permissive mode (second, commented) the
 # content blocked only if the value is explicit 1. If it 0 or 2, the content will
 # allowed.
 #
 SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
-"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
-#SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
-#"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
-
+"id:'200004',phase:2,t:none,log,pass,msg:'Multipart parser detected a possible unmatched boundary.'"
+SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
+"id:'200006',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
 # PCRE Tuning
 # We want to avoid a potential RegEx DoS condition
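Review bot: The comment above the rules is now stale against the code it describes: `In permissive mode (second, commented) the` still presents the `@eq 1` rule as commented out, while this hunk activates it as id 200006 with `deny`; change it to `In permissive mode (second) the`, and drop the stray comma in `But the next, example contains`. A request whose MULTIPART_UNMATCHED_BOUNDARY value is 1 now matches both 200004 (`log,pass`) and 200006 (`log,deny`), so the blocked case produces two audit/error log entries; if that is not intended, the first rule could be narrowed to the remaining values the comment names (e.g. `"@eq 2"`), which would also keep the "strict mode only logs" wording accurate. Id 200006 must not collide with any other rule id in the file, which cannot be confirmed from this hunk alone. The comment block being edited starts before line 102, outside the hunk.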
diff --git a/test/test-cases/regression/variable-MULTIPART_UNMATCHED_BOUNDARY.json b/test/test-cases/regression/variable-MULTIPART_UNMATCHED_BOUNDARY.json
index 97b34d5552..d94a01c379 100644
--- a/test/test-cases/regression/variable-MULTIPART_UNMATCHED_BOUNDARY.json
+++ b/test/test-cases/regression/variable-MULTIPART_UNMATCHED_BOUNDARY.json
@@ -57,5 +57,66 @@
 "SecRuleEngine On",
 "SecRule MULTIPART_UNMATCHED_BOUNDARY \"@contains small_text_file.txt\" \"id:1,phase:3,pass,t:trim\""
 ]
+ },
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Testing Variables :: MULTIPART_UNMATCHED_BOUNDARY - DENY",
+ "client":{
+ "ip":"200.249.12.31",
+ "port":123
+ },
+ "server":{
+ "ip":"200.249.12.31",
+ "port":80
+ },
+ "request":{
+ "headers":{
+ "Host":"localhost",
+ "User-Agent":"curl/7.38.0",
+ "Accept":"*/*",
+ "Content-Length":"330",
+ "Content-Type":"multipart/form-data; boundary=--------------------------756b6d74fa1a8ee2",
+ "Expect":"100-continue"
+ },
+ "uri":"/",
+ "method":"POST",
+ "body":[
+ "----------------------------756b6d74fa1a8ee2",
+ "Content-Disposition: form-data; name=\"name\"",
+ "",
+ "test",
+ "----------------------------756b6d74fa1a8ee2",
+ "Content-Disposition: form-data; name=\"filedata\"; filename=\"small_text_file.txt\"",
+ "Content-Type: text/plain",
+ "",
+ "This is a very small test file..",
+ "A----------------------------756b6d74fa1a8ee2",
+ "Content-Disposition: form-data; name=\"filedata\"; filename=\"small_text_file.txt\"",
+ "Content-Type: text/plain",
+ "",
+ "This is another very small test file..",
+ "----------------------------756b6d74fa1a8ee2--",
+ ""
+ ]
+ },
+ "response":{
+ "headers":{
+ "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+ "Content-Type":"text/html"
+ },
+ "body":[
+ "no need."
+ ]
+ },
+ "expected":{
+ "debug_log":"Target value: \"1\" \\(Variable: MULTIPART_UNMATCHED_BOUNDARY\\)",
+ "http_code": 403
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecRule MULTIPART_UNMATCHED_BOUNDARY \"@eq 1\" \"id:1,phase:2,deny,t:none\""
+ ]
 }
 ]
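Review bot: The new fixture's `"Content-Length":"330"` does not match the body it carries: the sixteen `body` lines sum to roughly 500 bytes before line terminators, so if the test harness or the multipart parser honours the header, the case is exercising a truncated request rather than the body shown; recompute the value, or, if the harness ignores the header, prefer a value that is at least not contradicted by the body. The case also asserts only the deny path (`@eq 1` → 403), while the companion change in modsecurity.conf-recommended turns the `!@eq 0` rule into `log,pass`; no regression entry here covers a non-zero value other than 1 under a `pass` rule with `"http_code": 200`, so the newly permissive behaviour is untested. Keeping `"enabled":1` and `"version_min":300000` as numbers matches the sibling entries, so that is consistent rather than a defect.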