Comments (8)
Original reporter: brectanus
from modsecurity.
brectanus: Changeset: 1185
ivanr: The code is all right, but I don't think the name of the ctl option is adequate, especially in the light of MODSEC-17. There are two different features here: one is request buffering from an external point of view, and the other is the same but from the internal point of view. I think most users would take request buffering to refer to the former. For example, ModSecurity 2.5.6 always buffers requests, but what we are adding with this ticket is having request data in a continuous buffer.
Being practical, I think we should only change the name of the directive at this point to, say, haveRequestBodyVariable, purely from the perspective that this feature is going to be used by 2.5.x users to inspect traffic that they wouldn't otherwise be able to inspect.
brectanus: I agree, but I am not sure that haveRequestBodyVariable makes much sense to the user either. What we are doing is forcing the creation and allowing use of REQUEST_BODY. Some other choices:
- setRequestBodyVariable
- forceRequestBodyVariable
- allowRequestBodyVariable
Any preference?
ivanr: I think forceRequestBodyVariable is the best choice.
brectanus: Ivan,
I am just waiting for a review on this before closing.
Thanks,
-B
brectanus: The attached patch adds support for ctl:requestBodyBuffering=on|off to force request body buffering in memory and populating REQUEST_BODY.
brectanus: Changed in #1201.
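
How the option discussed in this thread is used in a rule set, shown as an added example that is not part of the ticket or the attached patch. It uses the name the thread settled on, forceRequestBodyVariable; the rule ids, the content-type list and the matched pattern are constructed for illustration.

```apache
# Added example: ids, content-type list and pattern are constructed.
# Request bodies must be readable by ModSecurity at all.
SecRequestBodyAccess On

# Phase 1 (REQUEST_HEADERS): when the content type is not one of the types
# this example assumes are handled by a request body processor, force the
# creation of REQUEST_BODY. The ctl action must run before the body is read,
# so it belongs in phase 1. A request with no Content-Type header does not
# match this rule, because the target variable does not exist.
SecRule REQUEST_HEADERS:Content-Type \
    "!@rx (?i)^(?:application/x-www-form-urlencoded|multipart/form-data|text/xml)" \
    "id:900100,phase:1,pass,nolog,t:none,ctl:forceRequestBodyVariable=On"

# Phase 2 (REQUEST_BODY): the raw body is now available as one continuous
# buffer and can be inspected like any other variable.
SecRule REQUEST_BODY "@rx (?i)<script" \
    "id:900101,phase:2,deny,status:403,log,t:none,\
    msg:'Script tag in request body with unparsed content type'"
```

Without the phase 1 rule, the phase 2 rule has nothing to match against for these content types, which is the inspection gap ivanr describes for 2.5.x users.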