HTTP header injection: move ARGS_GET check to PL2 to mitigate FP · Issue #633 · coreruleset/coreruleset · GitHub
Issue for tracking original pull request created by user lifeforms on date 2016-10-31 12:29:38.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#633.
HEAD is: 3908f9d
BASE is: 18020a8
Resolves #623: false positives when a newline is used in a GET parameter value.
I've been experimenting a bit with XSS this week and consider this check more useful than I did originally. So, especially since I'm the only one who complained about this FP, I am going for a compromise and moving it to PL2 instead of my proposal of PL3.
Super-complex query parameters and free-form GET forms should be sufficiently rare nowadays that my impression is that PL2 users will be able to handle the FP. If it turns out to still be a dog, we can change it in a later release.
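To make the trade-off in this PR concrete, here is an added example (not code from the PR or from CRS) that models the ARGS_GET newline check as a small Python function and gates it on a paranoia level. The rule id, the exact pattern and the `CRLF_CHECK_PL` constant are assumptions; the sample query strings are constructed. It shows why a free-form GET form with a multi-line field trips the check, and why raising the check's paranoia level silences that false positive for PL1 users while keeping it for PL2.

```python
from urllib.parse import parse_qsl

# Assumed paranoia level at which the ARGS_GET CR/LF check is active.
# The PR moves the check to PL2; the real CRS rule id and regex are not
# reproduced here, this is an illustrative stand-in.
CRLF_CHECK_PL = 2


def find_crlf_in_query(query: str):
    """Return the (name, value) GET parameters whose URL-decoded value
    contains a carriage return or line feed, i.e. what an ARGS_GET
    header-injection check would flag."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if "\r" in value or "\n" in value:
            hits.append((name, value))
    return hits


def check_fires(query: str, paranoia_level: int) -> bool:
    """True if the CR/LF check would block this query at the given PL.
    Below CRLF_CHECK_PL the rule is simply not evaluated."""
    if paranoia_level < CRLF_CHECK_PL:
        return False
    return bool(find_crlf_in_query(query))


# Constructed samples: a plain search, and a textarea submitted via GET
# whose legitimate embedded newline is the false positive from #623.
SAMPLES = {
    "plain_search": "q=modsecurity",
    "freeform_get_form": "comment=line+one%0Aline+two",
}


def summarize(paranoia_level: int):
    """Map each sample to whether the check fires at this paranoia level."""
    return {name: check_fires(q, paranoia_level) for name, q in SAMPLES.items()}


if __name__ == "__main__":
    for pl in (1, 2):
        print(f"PL{pl}: {summarize(pl)}")
```

At PL1 the multi-line form value passes untouched; at PL2 the same request is flagged, which is the behaviour the PR description accepts as tolerable for PL2 deployments.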