coreruleset · theseion · Jan 23, 2022 · Jan 26, 2022 · Jan 27, 2022 · Jan 29, 2022
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -81,58 +81,31 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::
 #
 # -=[ Rule Logic ]=-
 # These rules check for the existence of the ' " ; = meta-characters in
-# either the file or file name variables.
-# HTML entities may lead to false positives, why they are allowed on PL1.
-# Frequently used HTML entities such as &auml; are allowed.
+# either the "name" (FILES) and "filename" (FILES_NAMES) variables.
+# HTML entities may lead to false positives, which is why
+# frequently used ones, such as "&auml;", are allowed at PL1.
 #
 # -=[ Targets, characters and html entities ]=-
 #
-# 920120: PL1 : FILES_NAMES, FILES
-#    ['\";=] or any of the following entities:
-#    &[aeiouclnrszg]acute;
-#    &[cdelnrstz]caron;
-#    &[cgklnrst]cedil;
-#    &[aeioucghjswy]circ;
-#    &[aeiou]grave;
-#    &[au]ring;
-#    &[anoi]tilde;
-#    &[aeiouy]uml;
-#    &amp;
-#    &apos;
-#    &nbsp;
-#    &oslash;
+# 920120 + 920122: PL1 : FILES_NAMES, FILES
+#    Disallow ['\";=], except for frequently used HTML entities (see 920120.data).
 #
 # 920121: PL2 : FILES_NAMES, FILES
-#                ['\";=] : ' " ; = meta-characters
+#    Disallow ['\";=]
 #
 # -=[ References ]=-
 # https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-96000
 # http://www.ietf.org/rfc/rfc2183.txt
 #
-# The regular expression in the active rule 920120 demands a PCRE-compatible
-# regular expression engine. If you are using a non-PCRE engine, you can generate
-# an equivalent regular expression by generating the expression (the resulting
-# expression will not use negative lookbehind):
-#   cd util/regexp-assemble
-#   ./regexp-assemble.py 920120-no-backtracking
-#
-# This alternative regex is not the default one, since it comes with a severe
-# performance impact, namely for larger files.
-#
-# Caution: The performance impact of the alternative regex can lead to
-# a DoS for larger files.
-#
-# Please see https://coreruleset.org/20210106/introducing-msc_retest/ for
-# a thorough discussion and detailed performance data.
-#
-# The regex in the following enabled rule is not supported by non-PCRE
-# regular expression engines (?<!re).
+# This rule used to use negative look-behind.
+# See https://github.com/coreruleset/coreruleset/wiki/Technical-Decisions-and-Best-Practices#avoiding-negative-look-behind-in-regular-expressions
+# for an explanation of why it now uses `!@rx` instead to avoid look-around.
 #
 # To rebuild the regular expression:
 #   cd util/regexp-assemble
 #   ./regexp-assemble.py 920120
 #
-SecRule FILES_NAMES|FILES "@rx (?i)(?:(?<!&[aeiouy]uml|&[aeioucghjswy]circ|&[aeiouclnrszg]acute|&[aeiou]grave|&[cgklnrst]cedil|&[anoi]tilde|&[cdelnrstz]caron|&oslash|&amp|&nbsp|&apos|&[au]ring);|['\"=])" \
+SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[aeiouclnrszg]acut|[aeiou]grav|[anoi]tild)e|(?:[cgklnrst]cedi|[aeiouy]um)l|[aeioucghjswy]circ|[cdelnrstz]caron|a(?:pos|mp)|[au]ring|oslash|nbsp);|[^'\";=])*$" \
     "id:920120,\
     phase:2,\
     block,\