8000 Fix false positive, issue number #2434 by vandanrohatgi · Pull Request #2505 · coreruleset/coreruleset · GitHub

Merged
merged 1 commit into from
Apr 20, 2022

Conversation

vandanrohatgi
Contributor

Fix for rule 920470: modified the rule regex to allow a Content-Type of the pattern text/calendar; charset=utf-8; component=vevent

@dune73
Member
dune73 commented Apr 20, 2022

Thank you for this contribution @vandanrohatgi. Can you please link some info (RFC perhaps?) where the component item for the CT header is defined?

@lifeforms lifeforms added this to the CRS v4.0.0 milestone Apr 20, 2022
@lifeforms
Member
lifeforms commented Apr 20, 2022

I find a lot of hits for it, so it seems legit to me! https://duckduckgo.com/?q=%22text%2Fcalendar%3B+charset%3Dutf-8%3B+component%3Dvevent%22&t=osx&ia=web

Thank you for creating this PR, we will include it in the next release. The first release candidate will be out for testing soon!

@dune73
Member
dune73 commented Apr 20, 2022

Do you see anything other than component=VEVENT @lifeforms? The PR now allows for other items too (which might be legit since this is paranoia level 1, but I would like to know where we stand).

@lifeforms
Member
lifeforms commented Apr 20, 2022

When I search "text/calendar; charset=utf-8; component=" I find:

  • component=vevent (very common)
  • component=vtodo (more rare)

To prevent protocol ossification we might not want to whitelist those, but we could do it, it just would be more work.

@dune73
Member
dune73 commented Apr 20, 2022

Thank you.

@vandanrohatgi
Contributor Author

Here is a document about CalDAV mentioning a little bit about the component types and a list of all IANA registered content-types.

For any future purposes.

@lifeforms
Member

That's interesting. I guess we could also see two more:

       <C:comp name="VEVENT" />
       <C:comp name="VFREEBUSY" />
       <C:comp name="VJOURNAL" />
       <C:comp name="VTODO" />

@dune73
Member
dune73 commented Apr 20, 2022

I see a strict sibling at PL3 ... :)

(But probably only useful once attacks start to appear.)
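The thread weighs two ways of validating the component parameter: accept any token after component= (the paranoia level 1 approach the PR takes) or accept only the four CalDAV component names lifeforms listed (the stricter PL3 sibling dune73 mentions). The following is an added illustration of that choice, written for this page; it is not the CRS rule 920470 regex, which does not appear in the thread. The token character class, the parser, the function names and the sample header values are all assumptions of this example.

```python
import re

# Added example, not the CRS rule 920470 pattern. It shows a permissive policy
# (any token after "component=", as at paranoia level 1) beside a strict one
# (only the CalDAV component names from the thread, as a PL3-style check).

# Component names quoted in the thread from the CalDAV document.
CALDAV_COMPONENTS = frozenset({"VEVENT", "VTODO", "VFREEBUSY", "VJOURNAL"})

# RFC 7230 "token" characters. Quoted parameter values are rejected here for
# simplicity; that is an assumption of this example, not of the CRS rule.
_TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def parse_content_type(value):
    """Parse 'type/subtype; p1=v1; p2=v2' into (media_type, params).

    Returns None when the header is malformed (empty token, missing '=',
    duplicated parameter name) so that callers treat it as not allowed.
    """
    parts = [p.strip() for p in value.split(";")]
    media_type = parts[0].lower()
    if media_type.count("/") != 1:
        return None
    main, sub = media_type.split("/")
    if not (_TOKEN_RE.match(main) and _TOKEN_RE.match(sub)):
        return None
    params = {}
    for raw in parts[1:]:
        if "=" not in raw:
            return None
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip()
        if name in params or not _TOKEN_RE.match(name) or not _TOKEN_RE.match(val):
            return None
        params[name] = val
    return media_type, params


def calendar_content_type_allowed(value, strict=False):
    """Return True if a text/calendar Content-Type passes the chosen policy.

    strict=False: charset must be utf-8, component may be any token.
    strict=True:  component must additionally be one of CALDAV_COMPONENTS.
    Any other parameter name is rejected under both policies.
    """
    parsed = parse_content_type(value)
    if parsed is None:
        return False
    media_type, params = parsed
    if media_type != "text/calendar":
        return False
    for name, val in params.items():
        if name == "charset":
            if val.lower() != "utf-8":
                return False
        elif name == "component":
            if strict and val.upper() not in CALDAV_COMPONENTS:
                return False
        else:
            return False
    return True


# Constructed sample header values for the demonstration (not real traffic).
SAMPLES = [
    "text/calendar; charset=utf-8; component=vevent",
    "text/calendar; charset=utf-8; component=vtodo",
    "text/calendar; charset=utf-8; component=vwhatever",
    "text/calendar; charset=utf-8; component=vevent; boundary=x",
    "text/calendar; charset=utf-8; component=",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:62} PL1={calendar_content_type_allowed(sample)} "
              f"PL3={calendar_content_type_allowed(sample, strict=True)}")
```

Running the block shows where the two policies diverge: the vevent and vtodo values pass both, the made-up vwhatever value passes only the permissive check, and the header with an extra parameter or an empty component value fails both. Parsing the header into parameters first, instead of matching one long regex, is what makes the strict allowlist a small change rather than a rewrite.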
