CRS3 Rule 950100 (RESPONSE_STATUS checking) must be phase 3 #3936
Labels
🐛 bug
Something isn't working
Comments
|
Hi @rainerjung, thanks for this report - well, I think you're definitely right, rule 950100 correct phase is PR #1941 was sent by me, I hope I still have the script which collected the rules. I try to run that against Thanks again. |
8000
|
FYI: #3941 is prepared. |
|
PR was merged, closing. Will be available in our next release! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In CRS 3 rule 950100 in file RESPONSE-950-DATA-LEAKAGES.conf checks RESPONSE_STATUS against 5xx. Such a response should lead to a 403 forbidden. Since the rule is running in Phase 4, the response body is already being sent to the client, before at the end of phase 4 the denial kicks in.
This is observable when the response is sent with chunked encoding, for instance it comes from a proxied backend and its size is bigger than 8KB. Or it comes from a CGI script.
In fact, the status code is known in phase 3, response headers, so it is better to run the rule there and this also leads to correct behavior.
In CRS 4 some rules have been moved to more appropriate earlier phases. One of them is this rule 950100.
Maybe one can backport the whole of 5a47465, but if this is to risky, at least fixing rule 950100 would be nice.
Trivial change: "phase:4" => "phase:3".
Thanks a lot for providing the CRS!
Best regards,
Rainer
The text was updated successfully, but these errors were encountered: