[Owasp-modsecurity-core-rule-set] restricted extensions

Ryan Barnett ryan.barnett at breach.com
Tue May 25 17:50:28 EDT 2010


On Tuesday 25 May 2010 11:25:47 James Muse wrote:
> Moderator,
> 
> I am having an issue with the restricted_extensions variable and core rule
> file modsecurity_crs_30_http_policy.conf line 87.  One of my applications
> uses the file extension .do and there appears to be a .dos in the
> restricted extensions list. The audit log shows the extension as [data
> ".do"].  do is not in the restricted_extension list; .dos is.  When I remove
> .dos from the restricted extensions I no longer have this issue.  Maybe I
> don't understand the within operator but do is not the same as dos.  Is
> there a bug here or am I doing something wrong?  I think I would like to
> keep dos as an extension I would like to block but it appears to be
> causing an issue with my application which uses .do
> 
> James

This seems to be a byproduct of using the @within operator in the 30 file to check the
current file extension against the deny variable listing from the 10 file.  The problem is
that ".do" is shorter than ".dos" and it matches the beginning.  I will put a fix in
v2.0.7.

-Ryan
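
The substring behaviour described in this reply, modelled as an added example (not part of the original message and not CRS code). It assumes the documented @within semantics (true when the input occurs anywhere inside the parameter string); the function names and every list entry except ".dos" are constructed for illustration, and the delimiter approach is one possible mitigation, not necessarily the fix that shipped.

```python
# Added illustration: a model of ModSecurity's @within operator, which is true
# when the input is found anywhere inside the parameter string.
# Only ".dos" comes from the thread; the other list entries are constructed.
RESTRICTED = ".bak .config .dos .ini .log"

# Constructed sample of request file extensions to test against the list.
SAMPLE_EXTENSIONS = [".do", ".dos", ".in", ".ini", ".con", ".html", ".og"]


def within(needle: str, haystack: str) -> bool:
    """Plain substring test, as @within performs it."""
    return needle in haystack


def within_delimited(ext: str, restricted: str, delim: str = "/") -> bool:
    """Same substring test, but every list entry and the input end in a delimiter.

    The leading "." anchors the start of the match and the delimiter anchors
    the end, so only whole entries can match. "/" is used because a file
    extension taken from the request basename cannot contain it.
    """
    haystack = "".join(entry + delim for entry in restricted.split())
    return within(ext + delim, haystack)


def exact_member(ext: str, restricted: str) -> bool:
    """Reference behaviour: the extension is a whole entry of the list."""
    return ext in restricted.split()


def false_positives(candidates, restricted, check):
    """Extensions that `check` blocks although they are not list entries."""
    return [c for c in candidates
            if check(c, restricted) and not exact_member(c, restricted)]


if __name__ == "__main__":
    for ext in SAMPLE_EXTENSIONS:
        print(f"{ext:6} within={within(ext, RESTRICTED)!s:5} "
              f"delimited={within_delimited(ext, RESTRICTED)!s:5}")
    print("false positives, plain:    ",
          false_positives(SAMPLE_EXTENSIONS, RESTRICTED, within))
    print("false positives, delimited:",
          false_positives(SAMPLE_EXTENSIONS, RESTRICTED, within_delimited))
```

Running `false_positives` over a site's legitimate extensions before deploying a restricted list shows which ones the plain substring check would block.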

