### Tests for directives altering how a request is handled
# SecArgumentSeparator
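{
    # SecArgumentSeparator ";" makes the argument parser split the query
    # string on ';' instead of the default '&', so "a=1;b=2" yields two
    # ARGS and the chained rule (a == 1 AND b == 2) completes: deny, 403.
    type => "config",
    comment => "SecArgumentSeparator (get-pos)",
    conf => q(
        SecRuleEngine On
        SecArgumentSeparator ";"
        SecRule ARGS:a "@streq 1" "phase:1,deny,chain,id:500215"
        SecRule ARGS:b "@streq 2" ""
    ),
    match_log => {
        # The denial must be attributed to the second link of the chain
        # (ARGS:b).  The trailing 1 is presumably the number of seconds the
        # harness waits for the log line -- confirm in the runner.
        error => [ qr/Access denied with code 403 \(phase 1\)\. String match "2" at ARGS:b\./, 1 ],
    },
    match_response => {
        status => qr/^403$/,
    },
    # Explicit class-method call instead of indirect-object syntax
    # ("new HTTP::Request(...)"); same object, unambiguous parsing.
    request => HTTP::Request->new(
        GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt?a=1;b=2",
    ),
},
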
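{
    # Same request as the positive case but without SecArgumentSeparator:
    # with the default '&' separator the ';' is ordinary data, so ARGS:a is
    # "1;b=2" and ARGS:b does not exist.  The chain must not complete.
    type => "config",
    comment => "SecArgumentSeparator (get-neg)",
    conf => q(
        SecRuleEngine On
        SecRule ARGS:a "@streq 1" "phase:1,deny,chain,id:500217"
        SecRule ARGS:b "@streq 2" ""
    ),
    match_log => {
        # '-error': the pattern must NOT appear in the error log.
        -error => [ qr/Access denied/, 1 ],
    },
    match_response => {
        status => qr/^200$/,
    },
    # Explicit class-method call instead of indirect-object syntax.
    request => HTTP::Request->new(
        GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt?a=1;b=2",
    ),
},
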
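{
    # The separator also applies to a urlencoded POST body.  Body arguments
    # are only visible once SecRequestBodyAccess is On and the rule runs in
    # phase 2 (request body), hence the phase change versus the GET case.
    type => "config",
    comment => "SecArgumentSeparator (post-pos)",
    conf => q(
        SecRuleEngine On
        SecRequestBodyAccess On
        SecArgumentSeparator ";"
        SecRule ARGS:a "@streq 1" "phase:2,deny,chain,id:500219"
        SecRule ARGS:b "@streq 2" ""
    ),
    match_log => {
        error => [ qr/Access denied with code 403 \(phase 2\)\. String match "2" at ARGS:b\./, 1 ],
    },
    match_response => {
        status => qr/^403$/,
    },
    # Explicit class-method call instead of indirect-object syntax.
    request => HTTP::Request->new(
        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        [
            "Content-Type" => "application/x-www-form-urlencoded",
        ],
        "a=1;b=2",
    ),
},
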
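{
    # Negative POST case.  Note the two rules are independent (no chain),
    # each denying on its own: with the default separator ARGS:a is
    # "1;b=2" and ARGS:b is absent, so neither rule may fire.
    type => "config",
    comment => "SecArgumentSeparator (post-neg)",
    conf => q(
        SecRuleEngine On
        SecRequestBodyAccess On
        SecRule ARGS:a "@streq 1" "phase:2,deny,id:500221"
        SecRule ARGS:b "@streq 2" "phase:2,deny,id:500222"
    ),
    match_log => {
        # '-error': the pattern must NOT appear in the error log.
        -error => [ qr/Access denied/, 1 ],
    },
    match_response => {
        status => qr/^200$/,
    },
    # Explicit class-method call instead of indirect-object syntax.
    request => HTTP::Request->new(
        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        [
            "Content-Type" => "application/x-www-form-urlencoded",
        ],
        "a=1;b=2",
    ),
},
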
# SecRequestBodyAccess
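{
    # With SecRequestBodyAccess On the urlencoded body is parsed into ARGS
    # and the phase-2 chain (a == 1 AND b == 2) completes: deny, 403.
    # qq(...) is used here, so the '@' in the operator must be escaped.
    type => "config",
    comment => "SecRequestBodyAccess (pos)",
    conf => qq(
        SecRuleEngine On
        SecRequestBodyAccess On
        SecRule ARGS:a "\@streq 1" "phase:2,deny,chain,id:500223"
        SecRule ARGS:b "\@streq 2" ""
    ),
    match_log => {
        error => [ qr/Access denied with code 403 \(phase 2\)\. String match "2" at ARGS:b\./, 1 ],
    },
    match_response => {
        status => qr/^403$/,
    },
    # Explicit class-method call instead of indirect-object syntax.
    request => HTTP::Request->new(
        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        [
            "Content-Type" => "application/x-www-form-urlencoded",
        ],
        "a=1&b=2",
    ),
},
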
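{
    # With SecRequestBodyAccess Off the body is never buffered or parsed,
    # so body-derived ARGS are empty and neither independent deny rule
    # fires.  Operationally: body rules silently inspect nothing unless
    # body access is enabled; this test pins that contract.
    type => "config",
    comment => "SecRequestBodyAccess (neg)",
    conf => qq(
        SecRuleEngine On
        SecRequestBodyAccess Off
        SecRule ARGS:a "\@streq 1" "phase:2,deny,id:500225"
        SecRule ARGS:b "\@streq 2" "phase:2,deny,id:500226"
    ),
    match_log => {
        # '-error': the pattern must NOT appear in the error log.
        -error => [ qr/Access denied/, 1 ],
    },
    match_response => {
        status => qr/^200$/,
    },
    # Explicit class-method call instead of indirect-object syntax.
    request => HTTP::Request->new(
        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        [
            "Content-Type" => "application/x-www-form-urlencoded",
        ],
        "a=1&b=2",
    ),
},
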
# SecRequestBodyLimit
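{
    # Boundary check: the body "a=1&b=2" is 7 bytes and the limit is 7.
    # A body exactly at the limit must be accepted (limit is inclusive),
    # with no "larger than the configured limit" error logged.
    type => "config",
    comment => "SecRequestBodyLimit (equal)",
    conf => qq(
        SecRuleEngine On
        SecRequestBodyAccess On
        SecRequestBodyLimit 7
    ),
    match_log => {
        # '-error': the pattern must NOT appear in the error log.
        -error => [ qr/Request body is larger than the configured limit/, 1 ],
    },
    match_response => {
        status => qr/^200$/,
    },
    # Explicit class-method call instead of indirect-object syntax.
    request => HTTP::Request->new(
        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        [
            "Content-Type" => "application/x-www-form-urlencoded",
        ],
        "a=1&b=2",
    ),
},
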
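{
    # A 7-byte body against a 5-byte limit: the request must be refused
    # with 413 (Request Entity Too Large) and the error log must name the
    # configured limit.  This is the resource-exhaustion guard for bodies.
    type => "config",
    comment => "SecRequestBodyLimit (greater)",
    conf => qq(
        SecRuleEngine On
        SecRequestBodyAccess On
        SecRequestBodyLimit 5
    ),
    match_log => {
        error => [ qr/Request body .*is larger than the configured limit \(5\)\./, 1 ],
    },
    match_response => {
        status => qr/^413$/,
    },
    # Explicit class-method call instead of indirect-object syntax.
    request => HTTP::Request->new(
        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        [
            "Content-Type" => "application/x-www-form-urlencoded",
        ],
        "a=1&b=2",
    ),
},
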
{
    # Boundary check over a chunked multipart body.  276 is, by my count,
    # the exact size of the normalized body below (CRLF line endings,
    # leading whitespace stripped by normalize_raw_request_data: two
    # 107-byte parts plus the 62-byte closing boundary line), so the body
    # sits exactly at the limit and must be accepted.
    type => "config",
    comment => "SecRequestBodyLimit (equal - chunked)",
    conf => qq(
        SecRuleEngine On
        SecRequestBodyAccess On
        SecRequestBodyLimit 276
    ),
    match_log => {
        # '-error': the pattern must NOT appear in the error log.
        -error => [ qr/Request body is larger than the configured limit/, 1 ],
    },
    match_response => {
        status => qr/^200$/,
    },
    # Raw request: headers, then the multipart body chunk-encoded.  With
    # Transfer-Encoding: chunked no Content-Length is sent, so the limit
    # can only be checked as the body arrives.
    request => normalize_raw_request_data(
        qq(
            POST /test.txt HTTP/1.1
            Host: $ENV{SERVER_NAME}:$ENV{SERVER_PORT}
            User-Agent: $ENV{USER_AGENT}
            Content-Type: multipart/form-data; boundary=---------------------------69343412719991675451336310646
            Transfer-Encoding: chunked

        ),
    )
    .encode_chunked(
        normalize_raw_request_data(
            q(
                -----------------------------69343412719991675451336310646
                Content-Disposition: form-data; name="a"

                1
                -----------------------------69343412719991675451336310646
                Content-Disposition: form-data; name="b"

                2
                -----------------------------69343412719991675451336310646--
            )
        ),
        1024    # presumably the chunk size in bytes -- confirm in the harness
    ),
},

{
    # Same 276-byte chunked multipart body as the "equal" case, now against
    # a 256-byte limit: must be refused with 413 and the error log must
    # name the configured limit.
    type => "config",
    comment => "SecRequestBodyLimit (greater - chunked)",
    conf => qq(
        SecRuleEngine On
        SecRequestBodyAccess On
        SecRequestBodyLimit 256
    ),
    match_log => {
        error => [ qr/Request body .*is larger than the configured limit \(256\)\./, 1 ],
    },
    match_response => {
        status => qr/^413$/,
    },
    # Raw request: headers, then the multipart body chunk-encoded.
    request => normalize_raw_request_data(
        qq(
            POST /test.txt HTTP/1.1
            Host: $ENV{SERVER_NAME}:$ENV{SERVER_PORT}
            User-Agent: $ENV{USER_AGENT}
            Content-Type: multipart/form-data; boundary=---------------------------69343412719991675451336310646
            Transfer-Encoding: chunked

        ),
    )
    .encode_chunked(
        normalize_raw_request_data(
            q(
                -----------------------------69343412719991675451336310646
                Content-Disposition: form-data; name="a"

                1
                -----------------------------69343412719991675451336310646
                Content-Disposition: form-data; name="b"

                2
                -----------------------------69343412719991675451336310646--
            )
        ),
        1024    # presumably the chunk size in bytes -- confirm in the harness
    ),
},

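{
    # A phase-1 ctl:ruleEngine=off must switch off body-limit enforcement
    # as well: the 7-byte body exceeds the 5-byte limit, yet no limit
    # error may be logged, the REQUEST_BODY deny rule must not fire, and
    # the request is served.  Worth remembering when writing phase-1
    # allow-list rules: they also waive the size guard.
    type => "config",
    comment => "SecRequestBodyLimit (ctl:ruleEngine=off)",
    conf => qq(
        SecRuleEngine On
        SecRequestBodyAccess On
        SecRequestBodyLimit 5

        SecAction "phase:1,pass,nolog,ctl:ruleEngine=off,id:500081"
        SecRule REQUEST_BODY "." "phase:2,deny,id:500227"
    ),
    match_log => {
        # '-error': the pattern must NOT appear in the error log.
        -error => [ qr/Request body .*is larger than the configured limit/, 1 ],
    },
    match_response => {
        status => qr/^200$/,
    },
    # Explicit class-method call instead of indirect-object syntax.
    request => HTTP::Request->new(
        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        [
            "Content-Type" => "application/x-www-form-urlencoded",
        ],
        "a=1&b=2",
    ),
},
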
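{
    # A phase-1 ctl:requestBodyAccess=off stops the body from being
    # buffered for this transaction, so the 5-byte limit is never applied
    # to the 7-byte body and the REQUEST_BODY rule has nothing to match.
    type => "config",
    comment => "SecRequestBodyLimit (ctl:requestBodyAccess=off)",
    conf => qq(
        SecRuleEngine On
        SecRequestBodyAccess On
        SecRequestBodyLimit 5

        SecAction "phase:1,pass,nolog,ctl:requestBodyAccess=off,id:500082"
        SecRule REQUEST_BODY "." "phase:2,deny,id:500228"
    ),
    match_log => {
        # '-error': the pattern must NOT appear in the error log.
        -error => [ qr/Request body .*is larger than the configured limit/, 1 ],
    },
    match_response => {
        status => qr/^200$/,
    },
    # Explicit class-method call instead of indirect-object syntax.
    request => HTTP::Request->new(
        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        [
            "Content-Type" => "application/x-www-form-urlencoded",
        ],
        "a=1&b=2",
    ),
},
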
{
    # Chunked variant of the ctl:ruleEngine=off case: the 276-byte
    # multipart body exceeds the 256-byte limit, but with the engine
    # switched off in phase 1 no limit error may be logged, the
    # REQUEST_BODY rule must not fire, and the request is served.
    type => "config",
    comment => "SecRequestBodyLimit (ctl:ruleEngine=off - chunked)",
    conf => qq(
        SecRuleEngine On
        SecRequestBodyAccess On
        SecRequestBodyLimit 256

        SecAction "phase:1,pass,nolog,ctl:ruleEngine=off,id:500083"
        SecRule REQUEST_BODY "." "phase:2,deny,id:500229"
    ),
    match_log => {
        # '-error': the pattern must NOT appear in the error log.
        -error => [ qr/Request body .*is larger than the configured limit/, 1 ],
    },
    match_response => {
        status => qr/^200$/,
    },
    # Raw request: headers, then the multipart body chunk-encoded.
    request => normalize_raw_request_data(
        qq(
            POST /test.txt HTTP/1.1
            Host: $ENV{SERVER_NAME}:$ENV{SERVER_PORT}
            User-Agent: $ENV{USER_AGENT}
            Content-Type: multipart/form-data; boundary=---------------------------69343412719991675451336310646
            Transfer-Encoding: chunked

        ),
    )
    .encode_chunked(
        normalize_raw_request_data(
            q(
                -----------------------------69343412719991675451336310646
                Content-Disposition: form-data; name="a"

                1
                -----------------------------69343412719991675451336310646
                Content-Disposition: form-data; name="b"

                2
                -----------------------------69343412719991675451336310646--
            )
        ),
        1024    # presumably the chunk size in bytes -- confirm in the harness
    ),
},

{
    # Chunked variant of the ctl:requestBodyAccess=off case: body access
    # is disabled in phase 1, so the 256-byte limit is never applied to the
    # 276-byte multipart body and the REQUEST_BODY rule has nothing to
    # match.  The negative pattern here is the limit-specific one.
    type => "config",
    comment => "SecRequestBodyLimit (ctl:requestBodyAccess=off - chunked)",
    conf => qq(
        SecRuleEngine On
        SecRequestBodyAccess On
        SecRequestBodyLimit 256

        SecAction "phase:1,pass,nolog,ctl:requestBodyAccess=off,id:500084"
        SecRule REQUEST_BODY "." "phase:2,deny,id:500230"
    ),
    match_log => {
        # '-error': the pattern must NOT appear in the error log.
        -error => [ qr/Request body .*is larger than the configured limit \(256\)\./, 1 ],
    },
    match_response => {
        status => qr/^200$/,
    },
    # Raw request: headers, then the multipart body chunk-encoded.
    request => normalize_raw_request_data(
        qq(
            POST /test.txt HTTP/1.1
            Host: $ENV{SERVER_NAME}:$ENV{SERVER_PORT}
            User-Agent: $ENV{USER_AGENT}
            Content-Type: multipart/form-data; boundary=---------------------------69343412719991675451336310646
            Transfer-Encoding: chunked

        ),
    )
    .encode_chunked(
        normalize_raw_request_data(
            q(
                -----------------------------69343412719991675451336310646
                Content-Disposition: form-data; name="a"

                1
                -----------------------------69343412719991675451336310646
                Content-Disposition: form-data; name="b"

                2
                -----------------------------69343412719991675451336310646--
            )
        ),
        1024    # presumably the chunk size in bytes -- confirm in the harness
    ),
},

# SecRequestBodyInMemoryLimit
{
    # SecRequestBodyInMemoryLimit decides when a buffered body is spooled
    # to disk rather than held in RAM.  The 276-byte multipart body equals
    # the in-memory limit, so the "switching to disk" debug line must NOT
    # appear; the overall limit (1000) is comfortably above the body.
    # The debug log is needed here, hence SecDebugLog/SecDebugLogLevel 9.
    type => "config",
    comment => "SecRequestBodyInMemoryLimit (equal)",
    conf => qq(
        SecRuleEngine On
        SecDebugLog $ENV{DEBUG_LOG}
        SecDebugLogLevel 9
        SecRequestBodyAccess On
        SecRequestBodyLimit 1000
        SecRequestBodyInMemoryLimit 276
    ),
    match_log => {
        # '-debug': the pattern must NOT appear in the debug log.
        -debug => [ qr/Input filter: Request too large to store in memory, switching to disk\./, 1 ],
    },
    match_response => {
        status => qr/^200$/,
    },
    # Raw request: headers, then the multipart body chunk-encoded.
    request => normalize_raw_request_data(
        qq(
            POST /test.txt HTTP/1.1
            Host: $ENV{SERVER_NAME}:$ENV{SERVER_PORT}
            User-Agent: $ENV{USER_AGENT}
            Content-Type: multipart/form-data; boundary=---------------------------69343412719991675451336310646
            Transfer-Encoding: chunked

        ),
    )
    .encode_chunked(
        normalize_raw_request_data(
            q(
                -----------------------------69343412719991675451336310646
                Content-Disposition: form-data; name="a"

                1
                -----------------------------69343412719991675451336310646
                Content-Disposition: form-data; name="b"

                2
                -----------------------------69343412719991675451336310646--
            )
        ),
        1024    # presumably the chunk size in bytes -- confirm in the harness
    ),
},

{
    # In-memory limit (16) far below the 276-byte body: the input filter
    # must report that it is switching to disk, and the request must still
    # be served -- spooling is a memory-pressure control, not a rejection.
    type => "config",
    comment => "SecRequestBodyInMemoryLimit (greater)",
    conf => qq(
        SecRuleEngine On
        SecDebugLog $ENV{DEBUG_LOG}
        SecDebugLogLevel 9
        SecRequestBodyAccess On
        SecRequestBodyLimit 1000
        SecRequestBodyInMemoryLimit 16
    ),
    match_log => {
        debug => [ qr/Input filter: Request too large to store in memory, switching to disk\./, 1 ],
    },
    match_response => {
        status => qr/^200$/,
    },
    # Raw request: headers, then the multipart body chunk-encoded.
    request => normalize_raw_request_data(
        qq(
            POST /test.txt HTTP/1.1
            Host: $ENV{SERVER_NAME}:$ENV{SERVER_PORT}
            User-Agent: $ENV{USER_AGENT}
            Content-Type: multipart/form-data; boundary=---------------------------69343412719991675451336310646
            Transfer-Encoding: chunked

        ),
    )
    .encode_chunked(
        normalize_raw_request_data(
            q(
                -----------------------------69343412719991675451336310646
                Content-Disposition: form-data; name="a"

                1
                -----------------------------69343412719991675451336310646
                Content-Disposition: form-data; name="b"

                2
                -----------------------------69343412719991675451336310646--
            )
        ),
        1024    # presumably the chunk size in bytes -- confirm in the harness
    ),
},

{
    # SecRequestBodyLimitAction Reject with a 20-byte limit against the
    # 276-byte multipart body: the request must be refused with 413 and
    # the debug log must record the deny decision with that code.
    type => "config",
    comment => "SecRequestBodyLimitAction Reject (multipart/greater - chunked)",
    conf => qq(
        SecRuleEngine On
        SecDebugLog $ENV{DEBUG_LOG}
        SecDebugLogLevel 9
        SecRequestBodyAccess On
        SecRequestBodyLimitAction Reject
        SecRequestBodyLimit 20
    ),
    match_log => {
        # The ".." tolerates whatever two characters separate the two
        # sentences in the actual log line.
        debug => [ qr/Request body is larger than the configured limit \(20\).. Deny with code \(413\)/, 1 ],
    },
    match_response => {
        status => qr/^413$/,
    },
    # Raw request: headers, then the multipart body chunk-encoded.
    request => normalize_raw_request_data(
        qq(
            POST /test.txt HTTP/1.1
            Host: $ENV{SERVER_NAME}:$ENV{SERVER_PORT}
            User-Agent: $ENV{USER_AGENT}
            Content-Type: multipart/form-data; boundary=---------------------------69343412719991675451336310646
            Transfer-Encoding: chunked

        ),
    )
    .encode_chunked(
        normalize_raw_request_data(
            q(
                -----------------------------69343412719991675451336310646
                Content-Disposition: form-data; name="a"

                1
                -----------------------------69343412719991675451336310646
                Content-Disposition: form-data; name="b"

                2
                -----------------------------69343412719991675451336310646--
            )
        ),
        1024    # presumably the chunk size in bytes -- confirm in the harness
    ),
},

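{
    # Reject with a 128 KiB limit against a non-multipart (JSON) body of
    # roughly 4.6 MB (99000 repetitions of a 47-byte line; note "\\n" is a
    # literal backslash-n, not a newline).  Only the 413 status is pinned;
    # the "Deny with code (413)" debug line is asserted ABSENT, presumably
    # because non-multipart bodies are cut off by a different enforcement
    # path that logs differently -- confirm against the module source.
    type => "config",
    comment => "SecRequestBodyLimitAction Reject (plain/greater)",
    conf => qq(
        SecRuleEngine On
        SecDebugLog $ENV{DEBUG_LOG}
        SecDebugLogLevel 9
        SecRequestBodyAccess On
        SecRequestBodyLimitAction Reject
        SecRequestBodyLimit 131072
    ),
    match_log => {
        # '-debug': the pattern must NOT appear in the debug log.
        -debug => [ qr/Request body is larger than the configured limit \(131072\).. Deny with code \(413\)/, 1 ],
    },
    match_response => {
        status => qr/^413$/,
    },
    # Explicit class-method call instead of indirect-object syntax.
    request => HTTP::Request->new(
        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        [
            "Content-Type" => "application/json",
        ],
        normalize_raw_request_data(
            q(
                {
            ) . "'abcdefghijlmnopq'='abcdefghijlmnopqrstuvxz',\\n" x 99000 . q(
                },
            ),
        ),
    ),
},

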
{
    # SecRequestBodyLimitAction ProcessPartial: each of the two parts
    # carries 131072 bytes of filler, so the body is more than twice the
    # 131072-byte limit, yet the request must be served (200) and no
    # "larger than the configured limit" line may appear in the debug log.
    # ProcessPartial trades completeness of inspection for availability:
    # only the first <limit> bytes are seen by the rules.
    type => "config",
    comment => "SecRequestBodyLimitAction ProcessPartial (multipart/greater - chunked)",
    conf => qq(
        SecRuleEngine On
        SecDebugLog $ENV{DEBUG_LOG}
        SecDebugLogLevel 9
        SecRequestBodyAccess On
        SecRequestBodyLimitAction ProcessPartial
        SecRequestBodyLimit 131072
    ),
    match_log => {
        # '-debug': the pattern must NOT appear in the debug log.
        -debug => [ qr/Request body is larger than the configured limit/, 1],
    },
    match_response => {
        status => qr/^200$/,
    },
    # Raw request: headers, then the multipart body chunk-encoded.  The
    # filler is appended on the same line as each part's value so the
    # whitespace normalization cannot touch it.
    request => normalize_raw_request_data(
        qq(
            POST /test.txt HTTP/1.1
            Host: $ENV{SERVER_NAME}:$ENV{SERVER_PORT}
            User-Agent: $ENV{USER_AGENT}
            Content-Type: multipart/form-data; boundary=---------------------------69343412719991675451336310646
            Transfer-Encoding: chunked

        ),
    )
    .encode_chunked(
        normalize_raw_request_data(
            q(
                -----------------------------69343412719991675451336310646
                Content-Disposition: form-data; name="a"

                1) . "a" x 131072 . q(
                -----------------------------69343412719991675451336310646
                Content-Disposition: form-data; name="b"

                2) . "b" x 131072 . q(
                -----------------------------69343412719991675451336310646--
            )
        ),
        131072*3    # presumably the chunk size in bytes -- confirm in the harness
    ),
},

# Known issue on nginx, disable it for now.
#{
#    type => "config",
#    comment => "SecRequestBodyLimitAction ProcessPartial (plain/greater)",
#    conf => qq(
#        SecRuleEngine On
#        SecDebugLog $ENV{DEBUG_LOG}
#        SecDebugLogLevel 9
#        SecRequestBodyAccess On
#        SecRequestBodyLimitAction ProcessPartial
#        SecRequestBodyLimit 131072
#    ),
#    match_log => {
#        -debug => [ qr/Request body is larger than the configured limit/, 1],
#    },
#    match_response => {
#        status => qr/^200$/,
#    },
#    request => HTTP::Request->new(
#        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
#        [
#            "Content-Type" => "application/json",
#        ],
#        normalize_raw_request_data(
#            q(
#                {
#            ) . "'abcdefghijlmnopq'='abcdefghijlmnopqrstuvxz',\\n" x 99000 . q(
#                },
#            ),
#        ),
#    ),
#},


# SecCookieFormat
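{
    # SecCookieFormat 1 selects version-1 (RFC 2109/2965-style) cookie
    # parsing: the $PATH="/" that follows SESSIONID is an attribute of that
    # cookie and is exposed as REQUEST_COOKIES:$SESSIONID_PATH (pinned by
    # the "Adding request cookie" debug line).  All three chain links then
    # match: deny, 403.  The '$' in the variable name must be escaped
    # inside qq(...), as must the '@' of the operators.
    # The WAF and the backend must agree on cookie format, otherwise rules
    # keyed on cookie attributes see a different variable set than the app.
    type => "config",
    comment => "SecCookieFormat (pos)",
    conf => qq(
        SecRuleEngine On
        SecDebugLog $ENV{DEBUG_LOG}
        SecDebugLogLevel 5
        SecCookieFormat 1
        SecRule REQUEST_COOKIES_NAMES "\@streq SESSIONID" "phase:1,deny,chain,id:500231"
        SecRule REQUEST_COOKIES:\$SESSIONID_PATH "\@streq /" "chain"
        SecRule REQUEST_COOKIES:SESSIONID "\@streq cookieval"
    ),
    match_log => {
        error => [ qr/Access denied with code 403 \(phase 1\)\. String match "cookieval" at REQUEST_COOKIES:SESSIONID\./, 1 ],
        debug => [ qr(Adding request cookie: name "\$SESSIONID_PATH", value "/"), 1 ],
    },
    match_response => {
        status => qr/^403$/,
    },
    # Explicit class-method call instead of indirect-object syntax.
    # The Cookie header is in q(...) so '$Version' and '$PATH' are literal.
    request => HTTP::Request->new(
        GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        [
            "Cookie" => q($Version="1"; SESSIONID="cookieval"; $PATH="/"),
        ],
        undef,
    ),
},
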
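{
    # Same header and rules under SecCookieFormat 0 (Netscape-style
    # parsing): the $PATH attribute is not attached to SESSIONID, so the
    # REQUEST_COOKIES:$SESSIONID_PATH variable is never created (negative
    # debug assertion), the chain breaks at its second link, and the
    # request is served.
    type => "config",
    comment => "SecCookieFormat (neg)",
    conf => qq(
        SecRuleEngine On
        SecDebugLog $ENV{DEBUG_LOG}
        SecDebugLogLevel 5
        SecCookieFormat 0
        SecRule REQUEST_COOKIES_NAMES "\@streq SESSIONID" "phase:1,deny,chain,id:500234"
        SecRule REQUEST_COOKIES:\$SESSIONID_PATH "\@streq /" "chain"
        SecRule REQUEST_COOKIES:SESSIONID "\@streq cookieval"
    ),
    match_log => {
        # '-error' / '-debug': these patterns must NOT appear in the logs.
        -error => [ qr/Access denied/, 1 ],
        -debug => [ qr(Adding request cookie: name "\$SESSIONID_PATH", value "/"), 1 ],
    },
    match_response => {
        status => qr/^200$/,
    },
    # Explicit class-method call instead of indirect-object syntax.
    request => HTTP::Request->new(
        GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        [
            "Cookie" => q($Version="1"; SESSIONID="cookieval"; $PATH="/"),
        ],
        undef,
    ),
},
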