Merge pull request #2799 from martinhsv/v2/master

martinhsv · web-flow · commit f034a3416465 · 2022-09-07T15:01:53.000-04:00
Adjust parser activation rules in modsecurity.conf-recommended
diff --git a/CHANGES b/CHANGES
@@ -1,6 +1,8 @@
 DD mmm YYYY - 2.9.x (to be released)
 -------------------
 
+ * Adjust parser activation rules in modsecurity.conf-recommended
+   [Issue #2799 - @terjanq, @martinhsv]
  * Multipart parsing fixes and new MULTIPART_PART_HEADERS collection
    [Issue #2797 - @terjanq, @martinhsv]
  * Limit rsub null termination to where necessary
diff --git a/modsecurity.conf-recommended b/modsecurity.conf-recommended
@@ -19,21 +19,21 @@ SecRequestBodyAccess On
 # Enable XML request body parser.
 # Initiate XML Processor in case of xml content-type
 #
-SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
+SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
      "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
 
 # Enable JSON request body parser.
 # Initiate JSON Processor in case of JSON content-type; change accordingly
 # if your application does not use 'application/json'
 #
-SecRule REQUEST_HEADERS:Content-Type "application/json" \
+SecRule REQUEST_HEADERS:Content-Type "^application/json" \
      "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
 
 # Sample rule to enable JSON request body parser for more subtypes.
 # Uncomment or adapt this rule if you want to engage the JSON
 # Processor for "+json" subtypes
 #
-#SecRule REQUEST_HEADERS:Content-Type "^application/.+[+]json$" \
+#SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
 #     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
 
 # Maximum request body size we will accept for buffering. If you support
diff --git a/tests/regression/rule/10-xml.t b/tests/regression/rule/10-xml.t
@@ -394,7 +394,7 @@
         SecXmlExternalEntity On
 		SecDebugLog $ENV{DEBUG_LOG}
 		SecDebugLogLevel 9
-		SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" "id:500029, \\
+		SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" "id:500029, \\
 		        phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML"
 		SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500030
 		SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope-bad.dtd" "id:500031 \\
diff --git a/tests/regression/rule/15-json.t b/tests/regression/rule/15-json.t
@@ -236,7 +236,7 @@
                 SecAuditLog "$ENV{AUDIT_LOG}"
 		SecDebugLogLevel 9
 		SecRequestBodyJsonDepthLimit 3
-		SecRule REQUEST_HEADERS:Content-Type "application/json" \\
+		SecRule REQUEST_HEADERS:Content-Type "^application/json" \\
 		     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
 		SecRule REQBODY_ERROR "!\@eq 0" "id:'200444',phase:2,log,deny,status:403,msg:'Failed to parse request body'"
 		SecRule ARGS "\@streq 25" "id:'200445',phase:2,log,deny,status:403"
