Description
Describe the bug
libModSecurity3 treats REQUEST_HEADERS names as case sensitive when they are supposed to be treated as case insensitive. This is not the case for ModSecurity2.
Logs and dumps
N/A
To Reproduce
Create the following rules; the first is meant to simulate a rule exclusion and the second a blocking rule:
SecRule REQUEST_FILENAME "@unconditionalMatch" \
"id:1,\
phase:1,\
pass,\
t:none,\
ctl:ruleRemoveTargetById=2;REQUEST_HEADERS:referer"
SecRule REQUEST_HEADERS:Referer "@contains <evil-string>" \
"id:2,\
phase:1,\
deny,\
t:none,\
log"
Then run this curl command; you'll be blocked by the WAF when you should have been allowed:
curl -H "Referer: <evil-string>" localhost
If I match the exact case in my rule exclusion then the request is allowed as expected:
SecRule REQUEST_FILENAME "@unconditionalMatch" \
"id:1,\
phase:1,\
pass,\
t:none,\
ctl:ruleRemoveTargetById=2;REQUEST_HEADERS:Referer"
SecRule REQUEST_HEADERS:Referer "@contains <evil-string>" \
"id:2,\
phase:1,\
deny,\
t:none,\
log"
Expected behavior
Request header names should be treated as case insensitive, just like ModSecurity2.
Server (please complete the following information):
- OS: Ubuntu 24.04
- ModSecurity Version: 3.0.14
- NGINX Connector Version: v1.0.4
- NGINX Version: 1.24.0
Rule Set (please complete the following information):
- N/A
Additional context
N/A
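The mismatch described in this report, modelled as an added example. This is not libModSecurity or ModSecurity2 code: it is a toy evaluator written here to show why `REQUEST_HEADERS:referer` in the `ctl:ruleRemoveTargetById` exclusion fails to suppress a rule whose target is spelled `REQUEST_HEADERS:Referer` when the engine compares names case-sensitively, and what the expected (RFC 9110, field names are case-insensitive) comparison gives instead. The function names, the `case_insensitive` switch and the sample request are assumptions made for this example; the rules, exclusion and verdicts follow the report.

```python
"""Toy model of ctl:ruleRemoveTargetById resolution against REQUEST_HEADERS.

Added illustration of the behaviour described in this issue; it is not
libModSecurity code. The rule, the exclusion syntax and the verdicts mirror
the report; the function names and the `case_insensitive` switch are
invented for this example.
"""
from __future__ import annotations

EVIL = "<evil-string>"            # constructed placeholder, as in the report
BLOCKING_RULE_TARGET = "Referer"  # REQUEST_HEADERS:Referer in rule id:2


def header_names_equal(a: str, b: str, case_insensitive: bool) -> bool:
    """Compare two HTTP field names.

    HTTP field names are case-insensitive (RFC 9110, section 5.1), so the
    `case_insensitive=True` branch is the expected behaviour (and what the
    report says ModSecurity2 does). `False` reproduces the libModSecurity3
    behaviour described in the issue.
    """
    if case_insensitive:
        return a.casefold() == b.casefold()
    return a == b


def lookup_header(headers: dict[str, str], name: str) -> str | None:
    """REQUEST_HEADERS:<name> collection lookup against the request.

    The request side is matched case-insensitively here under both policies:
    the report shows the blocking rule firing, so only the exclusion
    comparison is modelled as the defective step.
    """
    for key, value in headers.items():
        if key.casefold() == name.casefold():
            return value
    return None


def evaluate(exclusion_target: str, headers: dict[str, str],
             case_insensitive: bool) -> str:
    """Run rule 1 (ctl:ruleRemoveTargetById=2;REQUEST_HEADERS:<exclusion_target>)
    then rule 2 (REQUEST_HEADERS:Referer "@contains <evil-string>" deny).
    Returns "allowed" or "blocked".
    """
    # Phase 1, rule 1: the target is removed from rule 2 only if the names
    # match under the chosen comparison policy.
    target_removed = header_names_equal(BLOCKING_RULE_TARGET, exclusion_target,
                                        case_insensitive)
    if target_removed:
        return "allowed"   # rule 2 has no target left to inspect
    # Phase 1, rule 2: inspect the remaining Referer target.
    value = lookup_header(headers, BLOCKING_RULE_TARGET)
    if value is not None and EVIL in value:
        return "blocked"
    return "allowed"


def probe(case_insensitive: bool) -> dict[str, str]:
    """Verdict for each spelling of the exclusion target against the request
    from the report (curl -H "Referer: <evil-string>")."""
    request = {"Referer": EVIL}   # constructed request headers
    spellings = ["Referer", "referer", "REFERER", "ReFeReR"]
    return {s: evaluate(s, request, case_insensitive) for s in spellings}


if __name__ == "__main__":
    print("case-sensitive (reported behaviour):", probe(case_insensitive=False))
    print("case-insensitive (expected):        ", probe(case_insensitive=True))
```

Under the case-sensitive policy only the exactly matching spelling `Referer` suppresses rule 2, which is the outcome the report observes; under the case-insensitive policy every spelling does, while an exclusion naming an unrelated header (for example `User-Agent`) still leaves rule 2 active under both policies, so the fix does not widen the exclusion.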