Modsecurity: On big chuncked requests SecRequestBodyAccess sends one more zero

Created on 8 Mar 2017  路  4Comments  路  Source: SpiderLabs/ModSecurity

Environment:

  • Apache 2.2.15 on CentOS 6,
  • Mod_security 2.9.1
  • SecRequestBodyAccess On
  • ProxyPass

Scope:
Apache receives SOAP requests and then proxies them to a target server. In the meantime Mod_security logs the entire request and response sequentially, thanks to SecRequestBodyAccess.

Issue:
If the client sends a chunked request big enough to force Mod_security to store the chunks on disk (more than 128 kB by default), the webserver generates two final chunk with zero instead of one.
The destination server behave like it received two requests, but the second one is sintactically uncorrected because it contains only an empty chunk.
This issue happens only when flag _SecRequestBodyAccess_ is on, but I would like keep it enabled.
I tried to upgrade Apache to version 2.4, CentOS to version 7 but nothing changed.

Possible fix:
I checked out the code and I found the way to fix the problem:

In apache2_io.c at line 88 one more "if" is needed to prevent Mod_security to add an empty chunk in excess
if (chunk->length > 0){ if (chunk && (!msr->txcfg->stream_inbody_inspection || (msr->txcfg->stream_inbody_inspection && msr->if_stream_changed == 0))) { /* Copy the data we received in the chunk */ ..... } else if (msr->stream_input_data != NULL) { ..... } }
I applied this fix in master, v2.9.1 tag and v2/master and it always worked out.

I ran all tests after my fix, and none failed.

Most helpful comment

1446

All 4 comments

@gravagli Did you submit a pull request for this?

not yet, I'll do it now

1446

Fixed at #1446. Thanks!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

theMiddleBlue picture theMiddleBlue  路  6Comments

rainerjung picture rainerjung  路  4Comments

venkibits picture venkibits  路  4Comments

davidjrh picture davidjrh  路  5Comments

GustavoKatel picture GustavoKatel  路  6Comments