@airween airween commented Jan 30, 2024

No description provided.

@sonarqubecloud

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@airween airween merged commit d648a44 into owasp-modsecurity:v3/master Jan 30, 2024
@liudongmiao
Contributor

I don't know why I didn't make a PR, or even make an issue. However, our version is patched in 2022:

// It's patched just the use of path_info.

--- src/transaction.cc  2022-03-19 13:59:14.000000000 +0800
+++ /tmp/transaction.cc 2024-02-02 17:46:05.000000000 +0800
@@ -463,6 +463,14 @@ int Transaction::processURI(const char *

     size_t pos_raw_query = uri_s.find("?");

+    std::string path_info_raw;
+    if (pos_raw_query == std::string::npos) {
+        path_info_raw = std::string(uri_s, 0);
+    } else {
+        path_info_raw = std::string(uri_s, 0, pos_raw_query);
+    }
+    std::string path_info = utils::uri_decode(path_info_raw);
+
     m_uri_decoded = utils::uri_decode(uri_s);

     size_t var_size = pos_raw_query;
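
Review bot: in the added block, the `if`/`else` on `pos_raw_query` is redundant, because `std::string(uri_s, 0, pos_raw_query)` already copies to the end of `uri_s` when the count is `std::string::npos`. Both branches can collapse into `const std::string path_info_raw(uri_s, 0, pos_raw_query);`, and `path_info` can be `const` as well. A one-line comment that the path is cut at the first `?` of the raw URI and only then decoded, unlike `m_uri_decoded` just below, which decodes the whole of `uri_s`, would record why the two values differ.
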
@@ -477,14 +485,6 @@ int Transaction::processURI(const char *
     m_variableRequestProtocol.set("HTTP/" + std::string(http_version),
         m_variableOffset + requestLine.size() + 1);

-
-    std::string path_info;
-    if (pos_raw_query == std::string::npos) {
-        path_info = std::string(uri_s, 0);
-    } else {
-        path_info = std::string(uri_s, 0, pos_raw_query);
-    }
-    path_info = utils::uri_decode(path_info);
     m_uri_no_query_string_decoded = std::unique_ptr<std::string>(
             new std::string(path_info));
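
Review bot: with the declaration removed here, `new std::string(path_info)` at the end of this hunk depends on a variable defined well above it, and none of the lines shown in between read it. If nothing outside the visible hunks needs `path_info` earlier, keeping the declaration next to this use would make the function easier to follow; otherwise a short comment at the new location should say what requires it there. `path_info_raw` is likewise not read anywhere in the lines shown apart from producing `path_info`, so it is worth confirming that it is still needed as a separate variable.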

@@ -496,6 +496,7 @@ int Transaction::processURI(const char *

Should I review all our changes, and try to make a PR or issue?

@airween
Member Author

airween commented Feb 2, 2024

> I don't know why I didn't make a PR, or even make an issue. However, our version is patched in 2022:

Well, there are a few of us who walk this path :)

> Should I review all our changes, and try to make a PR or issue?

Sure, let's see and discuss it. Also, there is a channel on OWASP's Slack which you can join - the name is #project-modsecurity.


@marcstern marcstern added the 3.x Related to ModSecurity version 3.x label Aug 19, 2024