ModSecurity 3.0 fails with ctl:requestBodyProcessor=URLENCODED

Created on 5 Jun 2018 · 10 Comments · Source: SpiderLabs/ModSecurity

Enforcing URLENCODED body processor results in startup failure:

Expecting an action, got: ctl:requestBodyProcessor=URLENCODED"

Enforcing JSON body processor works alright.

CRS 3.1 is going to have a rule that enforces the URLENCODED body processor when there is a body, but no content-type. Eventually, we would like to have this rule in the recommended-rules, but for the time being, we plan to introduce it into CRS 3.1 as a bypass prevention.

With this bug / missing feature, modsec 3.0 fails to load the upcoming CRS 3.1.

3.x RIP - libmodsecurity libmodsec - missing features
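The kind of rule the report describes, as an added example that is not part of the original thread and is not the rule shipped in CRS 3.1. The rule id is a placeholder, and the Content-Length test is an assumed stand-in for "there is a body".

```apache
# Added illustration; not the rule shipped in CRS 3.1.
# id:1000001 is a placeholder, and the Content-Length test is an assumed
# approximation of "the request has a body" (it does not cover chunked bodies).
#
# Without a Content-Type header no request body processor is selected, so the
# body is not parsed into ARGS_POST and ARGS-based rules do not see its
# parameters. The chain forces the URLENCODED processor for exactly that case.
# phase:1 runs before the body is read, so the ctl action takes effect in time.
# The ctl action sits on the last rule of the chain so that it only runs
# when both conditions have matched.
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
    "id:1000001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
        "t:none,\
        ctl:requestBodyProcessor=URLENCODED"
```

On a libmodsecurity build that lacks the fix discussed in the comments below, a rule set containing this action is rejected at load time with the "Expecting an action" error quoted in the report.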

All 10 comments

Solved as of f999f54 and aa158ce

Thank you. Any plans when you will release?

Is there any workaround for this? I am running version 3.0.2.

hey @HazCod,

This is already fixed as of f999f54 and aa158ce. You can merge these commits to your code to get the fix. It will be merged prior to 3.0.3 release.

EDIT: Sorry, these commits are actually already merged into the main branch! :P So yes, cloning from master should give you the fix :)

Hey @dune73 we are working on some important issues to cook the release. Should be soon :)

Have a look at https://github.com/SpiderLabs/ModSecurity/issues/1892#issuecomment-420063705.

Cheers

So 3.0.3 is imminent? We would hate to release CRS 3.1 with ModSec3 listed under KNOWN_BUGS.

So 3.0.3 is imminent?

No, not really imminent. As @zimmerle pointed out at https://github.com/SpiderLabs/ModSecurity/issues/1892#issuecomment-420063705, we would like to fix/close most (if not all) issues under https://github.com/SpiderLabs/ModSecurity/milestone/12 prior to the 3.0.3 release, which can take a couple of weeks.

We would hate to release CRS 3.1 with ModSec3 listed under KNOWN_BUGS

This shouldn't be the case. From what I can tell, CRS 3.0, 3.1 and 3.2 should all be supported since commits f999f54 and 764a2e4. See https://github.com/SpiderLabs/ModSecurity/issues/1876#issuecomment-420425635

So 3.0.3 is imminent? We would hate to release CRS 3.1 with ModSec3 listed under KNOWN_BUGS.

If the bugs are opened in the community and within the milestone tag, they are likely to be closed.

You have merged the fix for this issue here. But the 3.0.3 release is pending.

CRS 3.1 is meant to come out in a couple of weeks. It depends on this fix when running ModSec3. So CRS 3.1 will not run with the latest stable release of ModSec3. It will depend on a fix in dev. And we will need to cover this under KNOWN_BUGS in CRS 3.1. And I would rather avoid this.

Just a heads up, I'm still encountering an issue with latest CRS and v3/master modsecurity in the DDOS ruleset: https://github.com/SpiderLabs/ModSecurity/issues/1742#issuecomment-420235737
