Operator validateurlencoding does not handle IIS url encoding "%uXXXX"

[tailianos]

The operator validateurlencoding does not handle IIS url encoding "%uXXXX" creating false positives with core ruleset 2.2.9 rule id 950107.
The issue is identified on re_operators.c in the function "static int validate_url_encoding(const char *input, long int input_length)" which does not handle IIS url encoding.

[zimmerle]

Hi @tailianos, thanks for the report.

The link to the function that @tailianos is referring to:
https://github.com/SpiderLabs/ModSecurity/blob/master/apache2/re_operators.c#L3922-L3956

Are you running our latest release? 2.8.0?

[tailianos]

I'm currently using 2.7.7 nevertheless i have validated the issue looking in the source code of both 2.7.7 and 2.8. The function is validating only %XX url encoding and not %uXXXX formats.