Summary: | www-apache/mod_security - false positive alarm on 'ls' | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | David Sommerseth <sourceforge> |
Component: | Current packages | Assignee: | Diego Elio Pettenò (RETIRED) <flameeyes> |
Status: | VERIFIED FIXED | ||
Severity: | normal | CC: | apache-bugs, chtekk, flameeyes |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
David Sommerseth
2008-05-27 09:45:05 UTC
Maintainers, please advise. this is not a security issue Actually! I see I can deepen this one a little bit more. The specific scenario this one hits is when you have 2 html escaped letter (f.ex. å and ø) and with some data which hits this rule. the pattern which should be *allowed* (pseudo regexp, since I'm not a regexp guru): &(aring|oslash|aelig|u-umlaut|...etc...);(<reg_exp rule above>)&(aring|oslash|aelig.....) I hope this could help you narrow it down somewhat ... for more html entities, have a look here: http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references Is anyone looking into this? ... I would like to do it, but I'm not strong enough with regexp, unfortunately ... The core rule set is _quite_ messy; I'm sincerely tempted to just make it optional even though enabled by default, for any problem with that I think you'd be better reporting it upstream. To be honest I disabled quite a few of them because it stopped me from blogging about Unix standard file paths =_= I've added a postinst message in 2.5.9-r1. I must say, I'm rather disappointed by this solution. This is not FIXED ... the right status in this should rather be WONTFIX, because it is not fixed. A lame message saying "disable this check" in the ebuild do not solve this issue. But I see I need to go to more competent places to get this fixed. |