Describe the bug
ModSecurity is processing an HTTP/3 request header as HTTP/1.0
Logs and dumps
==> /var/log/nginx/access.log <==
1.1.1.1 - - [04/Aug/2020:20:09:34 -0400] "GET / HTTP/3" 200 157 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15"
==> /var/log/modsec_audit.log <==
---EYVYJtD9---A--
[04/Aug/2020:20:09:34 -0400] 1596586174 0x30200e0 59617 0x3020110 443
---EYVYJtD9---B--
GET / HTTP/1.0
host: hquest.pro.br
accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
priority: u=0, i
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15
accept-language: en-us
accept-encoding: gzip, deflate, br
---EYVYJtD9---D--
---EYVYJtD9---E--
\x0a\x0a\x0a<title>HQuest.pro.br</title>\x0a\x0a\x0a\x0a\x0a\x0a---EYVYJtD9---F--
HTTP/1.0 200
X-Frame-Options: SAMEORIGIN
Access-Control-Max-Age: 86400
ETag: "5f25b1e2-b3"
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Last-Modified: Sat, 01 Aug 2020 18:18:10 GMT
Cache-control: no-cache, no-store, must-revalidate
Alt-Svc: h3-29=":443"; ma=86400
Connection: close
Public-Key-Pins: pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; max-age=5184000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' 'report-sample' 'unsafe-inline' 'unsafe-eval' https://*.hquest.pro.br:443/ https://coronabar-53eb.kxcdn.com/; style-src 'unsafe-inline' https://hquest.pro.br/; frame-src 'self'; frame-ancestors 'self'; object-src 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; font-src data: *; img-src ; require-trusted-types-for 'script'; connect-src https://hquest.pro.br/ https://.amazonaws.com/;
Content-Type: text/html
Content-Length: 179
Date: Wed, 05 Aug 2020 00:09:34 GMT
Feature-Policy: vibrate 'self'; sync-xhr 'self' https://www.hquest.pro.br
Access-Control-Allow-Methods: POST, GET, OPTIONS
Server: nginx
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: master-only
Referrer-Policy: strict-origin
Expect-CT: max-age=300, report-uri="https://hquest.report-uri.com/r/d/ct/enforce"
Expect-Staple: max-age=300, report-uri="https://hquest.report-uri.com/r/d/staple/enforce"
Access-Control-Allow-Origin: https://www.hquest.pro.br
---EYVYJtD9---H--
ModSecurity: Warning. Matched "Operator Within' with parameter
HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3' against variable REQUEST_PROTOCOL' (Value:
HTTP/1.0' ) [file "/etc/nginx/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "993"] [id "920430"] [rev ""] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.0"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "1.1.1.1"] [uri "/"] [unique_id "1596586174"] [ref "v6,8"]
---EYVYJtD9---I--
---EYVYJtD9---J--
---EYVYJtD9---Z--
To Reproduce
curl --http3 https://hquest.pro.br/
Expected behavior
ModSecurity should process the HTTP/3 header as HTTP/3 and not as HTTP/1.0
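One way to surface this mismatch on a running server, as an added example that is not part of this report or of the ModSecurity project: the script below parses the serial-format ModSecurity audit log (the A, B, H and Z sections seen in the dump above), takes the protocol token from the request line in section B, pairs each transaction with the nginx access.log entry carrying the same timestamp, and flags cases where nginx logged HTTP/3 but ModSecurity recorded HTTP/1.0. It also mirrors the CRS 920430 check (`@within "HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3"`) so the output shows why the rule fires. The sample log lines are constructed from the dump above, and pairing by timestamp is a simplification of this example; a busy server would need a better correlation key.

```python
import re

# Constructed samples, trimmed from the nginx access.log line and the
# ModSecurity audit-log sections quoted in the bug report (not live files).
ACCESS_LOG = (
    '1.1.1.1 - - [04/Aug/2020:20:09:34 -0400] "GET / HTTP/3" 200 157 "-" "Mozilla/5.0"\n'
)

AUDIT_LOG = """---EYVYJtD9---A--
[04/Aug/2020:20:09:34 -0400] 1596586174 0x30200e0 59617 0x3020110 443
---EYVYJtD9---B--
GET / HTTP/1.0
host: hquest.pro.br
accept-encoding: gzip, deflate, br
---EYVYJtD9---H--
ModSecurity: Warning. Matched "Operator Within' with parameter HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3' against variable REQUEST_PROTOCOL' (Value: HTTP/1.0' ) [id "920430"]
---EYVYJtD9---Z--
"""

# Allowed list exactly as CRS 920430 reports it in section H above.
ALLOWED_PROTOCOLS = {"HTTP/1.1", "HTTP/2", "HTTP/2.0", "HTTP/3"}

# Serial audit-log boundary: ---<transaction id>---<part letter>--
SECTION_RE = re.compile(r"^---(?P<tx>[A-Za-z0-9]+)---(?P<part>[A-Z])--$", re.M)

# Combined log format prefix: client, ident, user, [timestamp], "request line"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)"'
)


def parse_audit_log(text):
    """Split a serial-format audit log into {transaction_id: {part_letter: body}}."""
    transactions = {}
    markers = list(SECTION_RE.finditer(text))
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(text)
        body = text[m.end():end].strip("\n")
        transactions.setdefault(m.group("tx"), {})[m.group("part")] = body
    return transactions


def request_protocol(section_b):
    """Return the protocol token of the request line (first line of section B)."""
    request_line = section_b.splitlines()[0]
    return request_line.split()[-1]


def rule_920430_matches(protocol):
    """Mimic CRS 920430: it fires when REQUEST_PROTOCOL is not within the allowed list."""
    return protocol not in ALLOWED_PROTOCOLS


def parse_access_log(text):
    """Return one dict per parsable access.log line."""
    return [m.groupdict() for m in (ACCESS_RE.match(l) for l in text.splitlines()) if m]


def find_protocol_mismatches(access_text, audit_text):
    """Pair audit transactions with access.log entries by timestamp and report
    every case where the two sides disagree on the request protocol.
    Timestamp pairing is a simplification for this example."""
    by_timestamp = {}
    for tx_id, parts in parse_audit_log(audit_text).items():
        if "A" in parts and "B" in parts:
            # Section A starts with "[<timestamp>] <unix time> ..."
            ts = parts["A"].split("]")[0].lstrip("[")
            by_timestamp[ts] = (tx_id, request_protocol(parts["B"]))

    mismatches = []
    for entry in parse_access_log(access_text):
        hit = by_timestamp.get(entry["ts"])
        if hit and hit[1] != entry["proto"]:
            mismatches.append({
                "tx": hit[0],
                "nginx": entry["proto"],
                "modsecurity": hit[1],
                "rule_920430_fires": rule_920430_matches(hit[1]),
            })
    return mismatches


if __name__ == "__main__":
    for m in find_protocol_mismatches(ACCESS_LOG, AUDIT_LOG):
        print(f"{m['tx']}: nginx saw {m['nginx']}, ModSecurity saw {m['modsecurity']}, "
              f"920430 fires: {m['rule_920430_fires']}")
```

Running it against the constructed samples reports transaction EYVYJtD9 with nginx at HTTP/3 and ModSecurity at HTTP/1.0, and confirms that 920430 fires only because of the HTTP/1.0 value the connector handed over; pointed at real files, the same check tells you how many HTTP/3 requests are being mislabelled before you decide whether a rule exclusion is justified.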
Server (please complete the following information):
- ModSecurity version (and connector): ModSecurity-nginx 3.4.1 (from master branch as of 2020-08-04)
- WebServer: # nginx/1.19.0 with quiche-72cc605 and BoringSSL (from master branches as of 2020-08-04)
- OS (and distro): Linux Slackware64 -current (updated as of 2020-08-04)
Rule Set (please complete the following information):
- Running any public or commercial rule set? Public OWASP CRS
- What is the version number? OWASP_CRS/3.3.0
Additional context