Magnolia and the Apache module mod-security

Hi everybody,

I have a little problem with Magnolia and the Apache module mod-security.

If a user uploads a binary file with some disallowed characters and two disallowed characters are consecutive, like this file: "my picture (1).jpg", Magnolia will substitute the disallowed characters with a dash (-) and the file (url) changes as follows: "my-picture--1-.jpg".

The problem is that the Apache module mod-security blocks the double dash with these errors:
1) Comment Evasion Attempt
2) Detects common comment types
3) Anomaly Score Exceeded (score 40): Detects common comment types
4) Transactional Anomaly Score (score 40): Detects common comment types

Is it possible in Magnolia to change the substitution character from dash (-) to the underscore (_) character?

I know that a file name like "my picture (1).jpg" is bad for the web but sometimes a content editor uses it.

Best regards
Maurizio

----------------------------------------------------------------
For list details see http://www.magnolia-cms.com/home/community/mailing-lists.html
To unsubscribe, E-mail to: <user-list-unsubscribe@...>
----------------------------------------------------------------

Re: Magnolia and the Apache module mod-security

Maurizio Müller (Tinext) wrote:
> I have a little problem with Magnolia and the Apache module mod-security.
> ...

In my opinion, there are no advantages in changing Magnolia's behaviour, for 2 main reasons:

1) a url like http://mysite/my-picture--1.jpg is a valid url
2) the substitution is performed either at Java level or at JavaScript level, deep in the core modules.

Since the problem is only related to the "double dash" (or a sequence of more than one dash), why not add a rule to mod-security, with the SecRule directive, in order to ignore them and let them pass to the container?
I think it is the easy and more correct way to let Magnolia be itself :-)

M.

Re: Magnolia and the Apache module mod-security

Maurizio Müller (Tinext) wrote:
> I have a little problem with Magnolia and the Apache module mod-security.
>
> If a user uploads a binary file with some disallowed characters and two disallowed characters are consecutive, like this file: "my picture (1).jpg", Magnolia will substitute the disallowed characters with a dash (-) and the file (url) changes as follows: "my-picture--1-.jpg".
>
> The problem is that the Apache module mod-security blocks the double dash with these errors:
> 1) Comment Evasion Attempt
> 2) Detects common comment types
> 3) Anomaly Score Exceeded (score 40): Detects common comment types
> 4) Transactional Anomaly Score (score 40): Detects common comment types
>
> Is it possible in Magnolia to change the substitution character from dash (-) to the underscore (_) character?
>
> I know that a file name like "my picture (1).jpg" is bad for the web but sometimes a content editor uses it.

I think you should be able to modify your mod_security ruleset to not block on the double dashes.

Nils Breunese.

Re: Magnolia and the Apache module mod-security

Hi Matteo

Our future customer (I hope) is very exigent in the security domain...

So if there is a possibility to change the dash into an underscore and maintain the rule in the mod-security module, for me this is the best solution.

Of course I won't modify the source code and recompile it.

Regards
Maurizio

Matteo Pelucco wrote:
>
> Maurizio Müller (Tinext) wrote:
>> I have a little problem with Magnolia and the Apache module mod-security.
>> ...
>
> In my opinion, there are no advantages in changing Magnolia's behaviour,
> for 2 main reasons:
>
> 1) a url like http://mysite/my-picture--1.jpg is a valid url
> 2) the substitution is performed either at Java level or at
> JavaScript level, deep in the core modules.
>
> Since the problem is only related to the "double dash" (or a sequence
> of more than one dash), why not add a rule to mod-security, with the
> SecRule directive, in order to ignore them and let them pass to the container?
> I think it is the easy and more correct way to let Magnolia be itself :-)
>
> M.

Re: Magnolia and the Apache module mod-security

Maurizio Müller wrote:
>
> So if there is a possibility to change the dash into an underscore and
> maintain the rule in the mod-security module, for me this is the best
> solution.

Ok, so let's consider something related to virtual uri mapping (1) or a custom save handler (2).

1) You can define a custom virtual uri mapping that tries to match mod-security allowed URLs in order to get JCR paths

2) You can define a custom save handler on the DMS upload dialog. In this case you can drive the name of the file as you like, avoiding undesired names / patterns. This is in my opinion the more efficient choice.

What do you think?
Matteo
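
The naming logic that a custom save handler like option 2 above could apply, shown as an added example that is not part of the thread and not Magnolia code. It uses no Magnolia API; the class and method names and the allowed-character set are assumptions, chosen so that the first method reproduces the "my-picture--1-.jpg" result quoted in the thread.

```java
import java.util.regex.Pattern;

public class UploadNameSanitizer {
    // Assumption: anything outside this set is replaced one-for-one with '-',
    // which reproduces the "my-picture--1-.jpg" result quoted in the thread.
    private static final Pattern DISALLOWED = Pattern.compile("[^A-Za-z0-9._-]");
    // Any run of non-alphanumerics, including dashes already present in the name.
    private static final Pattern SEPARATOR_RUN = Pattern.compile("[^A-Za-z0-9]+");

    // Per-character substitution: consecutive disallowed characters yield "--".
    static String perCharacterDash(String name) {
        return DISALLOWED.matcher(name).replaceAll("-");
    }

    // Run-collapsing substitution: the result never contains "--".
    static String collapseToUnderscore(String name) {
        int dot = name.lastIndexOf('.');
        String base = dot > 0 ? name.substring(0, dot) : name;
        String ext = dot > 0 ? name.substring(dot + 1) : "";
        // One underscore per run, then trim the underscore left at either end.
        base = SEPARATOR_RUN.matcher(base).replaceAll("_").replaceAll("^_|_$", "");
        ext = SEPARATOR_RUN.matcher(ext).replaceAll("");
        if (base.isEmpty()) {
            base = "file"; // fallback when nothing usable is left
        }
        return ext.isEmpty() ? base : base + "." + ext;
    }

    public static void main(String[] args) {
        // Constructed sample names; the first is the one from the thread.
        String[] samples = {"my picture (1).jpg", "a--b.png", "report -- final.pdf", "(((.gif"};
        for (String s : samples) {
            String dashed = perCharacterDash(s);
            String safe = collapseToUnderscore(s);
            System.out.printf("%-22s -> %-22s (double dash: %b) | %s%n",
                    s, dashed, dashed.contains("--"), safe);
        }
    }
}
```

A name that already contains "--" passes through the per-character substitution unchanged, which is why the second method also rewrites dashes. Different uploads can collapse to the same name (for example "a b.png" and "a--b.png"), so a handler using this still needs its own uniqueness check.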

Re: Magnolia and the Apache module mod-security

Thanks Matteo,

I think that the second solution is the best one for me too.

I will try to implement it.

Maurizio

Matteo Pelucco wrote:
>
> Maurizio Müller wrote:
>>
>> So if there is a possibility to change the dash into an underscore and
>> maintain the rule in the mod-security module, for me this is the best
>> solution.
>
> Ok, so let's consider something related to virtual uri mapping (1) or
> a custom save handler (2).
>
> 1) You can define a custom virtual uri mapping that tries to match
> mod-security allowed URLs in order to get JCR paths
>
> 2) You can define a custom save handler on the DMS upload dialog. In this
> case you can drive the name of the file as you like, avoiding undesired
> names / patterns. This is in my opinion the more efficient choice.
>
> What do you think?
> Matteo