Allow REQUEST_BODY to be populated for an unparsable request body type about modsecurity HOT 8 CLOSED

Original reporter: brectanus

from modsecurity.

brectanus: Changeset: 1185

from modsecurity.

ivanr: The code is all right, but I don't think the name of the ctl option is adequate, especially in the light of MODSEC-17. There are two different features here: one is request buffering from an external point of view, and the other is the same but from the internal point of view. I think most users would take request buffering to refer to the former. For example, ModSecurity 2.5.6 always buffers requests, but what we are adding with this ticket is having request data in a continuous buffer.

Being practical, I think we should only change the name of the directive at this point to, say, haveRequestBodyVariable, purely from the perspective that this feature is going to be used by 2.5.x users to inspect traffic that they wouldn't otherwise be able to inspect.

from modsecurity.

brectanus: I agree, but I am not sure that haveRequestBodyVariable makes much sense to the user either. What we are doing is forcing the creation and allowing use of REQUEST_BODY. Some other choices:

• setRequestBodyVariable
• forceRequestBodyVariable
• allowRequestBodyVariable

Any preference?

from modsecurity.

ivanr: I think forceRequestBodyVariable is the best choice.

from modsecurity.

brectanus: Ivan,

I am just waiting a review on this before closing.

Thanks,
-B

from modsecurity.

brectanus: The attached patch adds support for ctl:requestBodyBuffering=on|off to force request body buffering in memory and populating REQUEST_BODY.

from modsecurity.

brectanus: Changed in #1201.

from modsecurity.