Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set correct line end in case of MULTIPART_PART_HEADER variable #2870

Merged
merged 5 commits into from
Apr 24, 2023
Merged

Set correct line end in case of MULTIPART_PART_HEADER variable #2870

merged 5 commits into from
Apr 24, 2023

Conversation

airween
Copy link
Member

@airween airween commented Jan 28, 2023
edited
Loading

Looks like variable MULTIPART_PART_HEADER variable contains the EOL characters.

This can lead false positive, and we (CRS team) discovered with help of an issue 3046. There is a full detail of the unexpected behavior, with many examples.

Here is what I get in the debug.log:

Multipart: Added part header "Content-Disposition" "form-data; name="file"; filename="New Text Document.txt"".
Multipart: Added part header "Content-Type" "text/plain; charset=utf-8".
Multipart: Content-Disposition name: file.
Multipart: Content-Disposition filename: New Text Document.txt.
MultipartPartTmpFile: Create filename= /tmp/20230128-212401-16749374418.382181-file-uEZjC1
Multipart: Created temporary file 1 (mode o0): /tmp/20230128-212401-16749374418.382181-file-uEZjC1
Multipart: Added part header line:Content-Disposition: form-data; name="file"; filename="New Text Document.txt"

Multipart: Added part header line:Content-Type: text/plain; charset=utf-8

As it seems, the log contains the Added part header line: with the header of the part of multipart payload. Both lines ended with EOL - but not as like in case of Added part header.

After the fix, the same part of debug log is this:

Multipart: Added part header "Content-Disposition" "form-data; name="file"; filename="New Text Document.txt"".
Multipart: Added part header "Content-Type" "text/plain; charset=utf-8".
Multipart: Content-Disposition name: file.
Multipart: Content-Disposition filename: New Text Document.txt.
MultipartPartTmpFile: Create filename= /tmp/20230128-213008-167493780825.319085-file-89EDD6
Multipart: Created temporary file 1 (mode o0): /tmp/20230128-213008-167493780825.319085-file-89EDD6
Multipart: Added part header line:Content-Disposition: form-data; name="file"; filename="New Text Document.txt"
Multipart: Added part header line:Content-Type: text/plain; charset=utf-8

The lines are without \r\n, and both variables (part header and part header line) are the same. This is the same behavior as in case of mod_security2 (this is why I thought it's an unexpected behavior).

I added a new test case, anyone can check the regression test if picks up that commit.

@airween airween requested a review from martinhsv April 23, 2023 15:31
martinhsv
martinhsv approved these changes Apr 24, 2023
View reviewed changes
Copy link
Contributor

@martinhsv martinhsv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This all looks fine now. Thanks @airween

@martinhsv martinhsv merged commit 7cf0445 into owasp-modsecurity:v3/master Apr 24, 2023
@airween airween mentioned this pull request Apr 24, 2023
Closed
@theseion theseion mentioned this pull request Oct 21, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@martinhsv martinhsv martinhsv approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@airween @martinhsv