Feature Request(v3): adjust requestBodyLimit and RequestBodyNoFilesLimit via runtime rule #3330

Open
@EsadCetiner

Feature:

libModSecurity3 currently does not support adjusting the requestBodyLimit and requestBodyNoFilesLimit values via a runtime rule; however, this feature is supported in ModSecurity2. I should be able to adjust these values via a rule like so:

SecRule REQUEST_FILENAME "@streq /example" \
    "id:9508030,\
    phase:1,\
    t:none,\
    nolog,\
    ctl:requestBodyLimit=1073741824,\
    ctl:requestBodyNoFilesLimit=1073741824"

Use case:

The CRS Nextcloud plugin is a plugin designed to resolve false positives when running Nextcloud and CRS together, but it currently can't increase the max allowed file size due to the aforementioned feature missing. This plugin can't directly adjust these values via a configure-time rule as it can potentially conflict with other plugins or override a user's configuration. For now, a workaround is documented in the plugin's readme file, but this complicates the installation process, especially for novices. If the instructions in the readme file need to change for whatever reason, there's no easy way to notify the end user that they need to update their configuration.

With this feature, CRS would be able to include this functionality out of the box instead of documenting it in the readme file, reducing the complexity of the installation process and maintenance of the plugin for end users.
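Until the engine supports these actions, a rule set meant to run on libModSecurity3 can be checked for them before deployment. The following is an added example, not code from the issue, ModSecurity or CRS: a small Python check that joins backslash-continued rule lines and reports the two `ctl` options named in this issue. The second sample rule (id 9508031) and the function names are assumptions made for illustration.

```python
import re

# ctl options this issue reports as not adjustable at runtime in libModSecurity3
# (taken from the issue text; not an exhaustive list for the engine).
V3_UNSUPPORTED_CTL = {"requestbodylimit", "requestbodynofileslimit"}

# Constructed sample: the rule from the issue plus one hypothetical rule
# that uses a different ctl action and must not be flagged.
SAMPLE_RULES = r'''
SecRule REQUEST_FILENAME "@streq /example" \
    "id:9508030,\
    phase:1,\
    t:none,\
    nolog,\
    ctl:requestBodyLimit=1073741824,\
    ctl:requestBodyNoFilesLimit=1073741824"

SecRule REQUEST_FILENAME "@streq /other" \
    "id:9508031,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=920420"
'''

def join_continuations(text):
    """Merge lines ending in a backslash into one logical directive."""
    return re.sub(r"\\\r?\n\s*", "", text)

def find_unsupported_ctl(text):
    """Return (rule_id, ctl_option, value) for each flagged ctl action."""
    findings = []
    for line in join_continuations(text).splitlines():
        if not line.lstrip().startswith(("SecRule", "SecAction")):
            continue
        rule_id = re.search(r"\bid:'?(\d+)", line)
        rid = rule_id.group(1) if rule_id else None
        for name, value in re.findall(r"\bctl:(\w+)=([^,\"']+)", line):
            if name.lower() in V3_UNSUPPORTED_CTL:
                findings.append((rid, name, value.strip()))
    return findings

if __name__ == "__main__":
    for rid, name, value in find_unsupported_ctl(SAMPLE_RULES):
        print(f"rule {rid}: ctl:{name}={value} is not supported by libModSecurity3")
```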
