Change REQUEST_FILENAME behavior #3048

Merged (1 commit) on Jan 30, 2024

airween (Member) commented Jan 30, 2024

No description provided.

sonarcloud bot commented Jan 30, 2024

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code


airween merged commit d648a44 into owasp-modsecurity:v3/master on Jan 30, 2024
41 checks passed
liudongmiao (Contributor) commented:

I don't know why I didn't make a PR, or even make an issue. However, our version was patched in 2022:

// It just patches the use of path_info.

--- src/transaction.cc  2022-03-19 13:59:14.000000000 +0800
+++ /tmp/transaction.cc 2024-02-02 17:46:05.000000000 +0800
@@ -463,6 +463,14 @@ int Transaction::processURI(const char *

     size_t pos_raw_query = uri_s.find("?");

+    std::string path_info_raw;
+    if (pos_raw_query == std::string::npos) {
+        path_info_raw = std::string(uri_s, 0);
+    } else {
+        path_info_raw = std::string(uri_s, 0, pos_raw_query);
+    }
+    std::string path_info = utils::uri_decode(path_info_raw);
+
     m_uri_decoded = utils::uri_decode(uri_s);

     size_t var_size = pos_raw_query;
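Review bot: the if/else that fills path_info_raw can be a single expression. If uri_s is a std::string, as the uri_s.find("?") call suggests, uri_s.substr(0, pos_raw_query) already returns the whole string when pos_raw_query is std::string::npos, so the branch is not needed. A short comment would also help here, saying that path_info_raw is the path as received and path_info its URI-decoded form, and that the split on "?" has to stay ahead of the decode so that an encoded %3F inside the path is not taken for the query separator. These lines compute path_info_raw but do not show what reads it.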
@@ -477,14 +485,6 @@ int Transaction::processURI(const char *
     m_variableRequestProtocol.set("HTTP/" + std::string(http_version),
         m_variableOffset + requestLine.size() + 1);

-
-    std::string path_info;
-    if (pos_raw_query == std::string::npos) {
-        path_info = std::string(uri_s, 0);
-    } else {
-        path_info = std::string(uri_s, 0, pos_raw_query);
-    }
-    path_info = utils::uri_decode(path_info);
     m_uri_no_query_string_decoded = std::unique_ptr<std::string>(
             new std::string(path_info));
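Review bot: path_info should be const where it is now declared, because its only use in these lines, new std::string(path_info), sits well below the declaration that moved up next to m_uri_decoded, with the m_variableRequestProtocol.set call in between. If nothing later modifies it, const std::string path_info = utils::uri_decode(path_info_raw); guarantees that m_uri_no_query_string_decoded still receives the decoded path and nothing else. Neither this hunk nor the previous one shows a reader of path_info_raw, so its use must be in the @@ -496 hunk, which is cut off in this comment.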

@@ -496,6 +496,7 @@ int Transaction::processURI(const char *

Should I review all our changes and try to make a PR or issue?

airween (Member, Author) commented Feb 2, 2024

> I don't know why I didn't make a PR, or even make an issue. However, our version was patched in 2022:

Well, there are a few of us who walk this path :)

> Should I review all our changes and try to make a PR or issue?

Sure, let's see and discuss it. Also, there is a channel on OWASP's Slack that you can join; its name is #project-modsecurity.

marcstern added the "3.x" label (Related to ModSecurity version 3.x) on Aug 19, 2024