Rule variable interpolation broken #1961

Closed
@soonum

Hi there,

I'm currently in the process of moving from libmodsecurity v3.0.2 to v3.0.3. I'm also using the owasp-crs v3.0.2. I've noticed, after looking at the ModSecurity log file (level 8), that the interpolation of rule variables is broken for a specific case.

Let's take rule 941100 to illustrate.
Here is what's defined in the rule file: setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}
Here is the log output according to the libmodsecurity version:

  • v3.0.2 : Saving variable: TX:941100-OWASP_CRS/WEB_ATTACK/XSS-ARGS:param with value: "><script>alert(1);</script>
  • v3.0.3 : Saving variable: TX:-OWASP_CRS/WEB_ATTACK/XSS-ARGS:param with value: "><script>alert(1);</script>

It's kinda annoying for me since I use, for my Python bindings, InMemoryPerProcess::resolveRegularExpression with the following pattern "<rule_id>-" to retrieve the parameter which has triggered a rule.

I'd be glad to make a fix, but I don't really know where this parsing is performed. Could you please give me the file where I should look?
Thanks
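
The following is an added example, not part of the original issue or of libmodsecurity: a small Python check that parses the "Saving variable" debug messages quoted above and flags TX keys whose rule id expanded to an empty string, which is the case where a "<rule_id>-" lookup finds nothing. The function names are hypothetical, and any log prefix before the message is assumed to be irrelevant.

```python
import re

# Matches the "Saving variable" debug message for TX keys built by the CRS
# setvar action: TX:<rule.id>-<tag>-<matched_var_name>. The rule id group
# accepts an empty string so the broken v3.0.3 form is still parsed.
SAVED_TX = re.compile(
    r"Saving variable: TX:(?P<rule_id>\d*)-(?P<tag>[^-\s]+)-"
    r"(?P<var>.+?) with value: (?P<value>.*)$"
)

def parse_saved_tx(line):
    """Return the key parts of one log line, or None if it does not match."""
    m = SAVED_TX.search(line)
    return m.groupdict() if m else None

def params_for_rule(lines, rule_id):
    """Emulate the '<rule_id>-' lookup: variables recorded for one rule."""
    hits = (parse_saved_tx(line) for line in lines)
    return [h["var"] for h in hits if h and h["rule_id"] == str(rule_id)]

def missing_rule_id(lines):
    """Entries whose %{rule.id} expanded to nothing, so the lookup misses."""
    hits = (parse_saved_tx(line) for line in lines)
    return [h for h in hits if h and h["rule_id"] == ""]

# The two messages quoted in the issue, plus one constructed filler line.
LOG_V302 = [
    'Saving variable: TX:941100-OWASP_CRS/WEB_ATTACK/XSS-ARGS:param '
    'with value: "><script>alert(1);</script>',
]
LOG_V303 = [
    'Saving variable: TX:-OWASP_CRS/WEB_ATTACK/XSS-ARGS:param '
    'with value: "><script>alert(1);</script>',
    "unrelated debug message (constructed filler line)",
]

if __name__ == "__main__":
    print(params_for_rule(LOG_V302, 941100))  # parameter is found
    print(params_for_rule(LOG_V303, 941100))  # nothing found on v3.0.3
    for entry in missing_rule_id(LOG_V303):
        print("empty rule id for", entry["var"], "tag", entry["tag"])
```

Running it over a level 8 debug log after an upgrade shows whether any rule-scoped TX keys were saved without their rule id before downstream tooling silently stops attributing matches.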
