
libModSecurity3: REQUEST_HEADERS names are treated as case sensitive #3441

@EsadCetiner

Description

Describe the bug

libModSecurity3 treats REQUEST_HEADERS names as case sensitive when they are supposed to be treated as case insensitive. This is not the case for ModSecurity2.

Logs and dumps

N/A

To Reproduce

Create the following rules, the first is meant to simulate a rule exclusion and the second a blocking rule:

SecRule REQUEST_FILENAME "@unconditionalMatch" \
    "id:1,\
    phase:1,\
    pass,\
    t:none,\
    ctl:ruleRemoveTargetById=2;REQUEST_HEADERS:referer"

SecRule REQUEST_HEADERS:Referer "@contains <evil-string>" \
    "id:2,\
    phase:1,\
    deny,\
    t:none,\
    log"

Then run this curl command; you'll be blocked by the WAF when you should have been allowed:

curl -H "Referer: <evil-string>" localhost

If I match the exact case in my rule exclusion then the request is allowed as expected:

SecRule REQUEST_FILENAME "@unconditionalMatch" \
    "id:1,\
    phase:1,\
    pass,\
    t:none,\
    ctl:ruleRemoveTargetById=2;REQUEST_HEADERS:Referer"

SecRule REQUEST_HEADERS:Referer "@contains <evil-string>" \
    "id:2,\
    phase:1,\
    deny,\
    t:none,\
    log"

Expected behavior

Request header names should be treated as case insensitive, just like ModSecurity2.

Server (please complete the following information):

  • OS: Ubuntu 24.04
  • ModSecurity Version: 3.0.14
  • NGINX Connector Version: v1.0.4
  • NGINX Version: 1.24.0

Rule Set (please complete the following information):

  • N/A

Additional context

N/A
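The following is an added reference model of the behaviour the report expects, not code from the reporter or from libModSecurity. It parses the `ctl:ruleRemoveTargetById` action from the report, evaluates rule 2 against a constructed request carrying the `Referer` header, and can be switched between case-insensitive target matching (the expected result) and case-sensitive matching (the reported 3.0.14 result). The request dict, the `(id, target, needle)` rule tuple and the function names are assumptions made for the example.

```python
"""Reference model of ctl:ruleRemoveTargetById for REQUEST_HEADERS targets.

Constructed example, not libModSecurity code. A request is a dict of
header name -> value; a rule is an (id, target, needle) tuple.
"""
import re
from typing import Dict, List, Tuple

# Constructed request: the client sends the header name in canonical case.
REQUEST: Dict[str, str] = {"Referer": "<evil-string>", "Host": "localhost"}

# Rule 2 from the report: SecRule REQUEST_HEADERS:Referer "@contains <evil-string>"
BLOCKING_RULE: Tuple[int, str, str] = (2, "REQUEST_HEADERS:Referer", "<evil-string>")


def parse_remove_target(action: str) -> Tuple[int, str]:
    """Turn 'ctl:ruleRemoveTargetById=2;REQUEST_HEADERS:referer' into (2, target)."""
    m = re.fullmatch(r"ctl:ruleRemoveTargetById=(\d+);(\S+)", action)
    if not m:
        raise ValueError(f"unrecognised action: {action}")
    return int(m.group(1)), m.group(2)


def target_excluded(rule_id: int, target: str, exclusions: List[Tuple[int, str]],
                    case_insensitive: bool = True) -> bool:
    """True if an (id, target) exclusion covers this rule's target.

    HTTP field names are case-insensitive (RFC 9110), so the expected
    comparison lowercases both sides; case_insensitive=False models the
    comparison reported for libModSecurity 3.0.14.
    """
    norm = (lambda s: s.lower()) if case_insensitive else (lambda s: s)
    return any(rid == rule_id and norm(t) == norm(target) for rid, t in exclusions)


def evaluate(request: Dict[str, str], rule: Tuple[int, str, str],
             exclusions: List[Tuple[int, str]], case_insensitive: bool = True) -> str:
    """Return 'deny' if the rule fires, 'pass' if its target was excluded or no match."""
    rule_id, target, needle = rule
    if target_excluded(rule_id, target, exclusions, case_insensitive):
        return "pass"  # target removed by the exclusion; nothing left to inspect
    collection, name = target.split(":", 1)
    if collection != "REQUEST_HEADERS":
        raise ValueError(f"example only models REQUEST_HEADERS, got {collection}")
    # Header lookup is already case-insensitive: 'Referer' matches 'referer'.
    for hname, hvalue in request.items():
        if hname.lower() == name.lower() and needle in hvalue:
            return "deny"
    return "pass"
```

With the lowercase `referer` exclusion from the first rule set, the model passes the request under case-insensitive matching and denies it under case-sensitive matching, which is the discrepancy the report describes.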

Labels: 3.x (Related to ModSecurity version 3.x)