This repository has been archived by the owner on May 14, 2020. It is now read-only.

Update KNOWN_BUGS with SOAP-XML Data
Updated KNOWN_BUGS as suggested by @dune73 dealing with a better home for the details surrounding ModSecurity implementation compliance with SOAP-XML.
csanders-git committed May 10, 2017
1 parent 57baca5 commit 156341e
Showing 1 changed file with 14 additions and 0 deletions.
14 changes: 14 additions & 0 deletions KNOWN_BUGS
Expand Up @@ -33,3 +33,17 @@ or the CRS mailinglist at
JSON support was enabled in Debian's package version 2.8.0-4 (Nov 2014).
You can either use backports.debian.org to install the latest ModSecurity
release or disable rule id 200001.
* As of CRS version 3.0.1, support has been added for the application/soap+xml MIME
type by default, as specified in RFC 3902. OF IMPORTANCE, application/soap+xml is
indicative that XML will be provided. In accordance with this, ModSecurity's XML
Request Body Processor should also be configured to support this MIME type. Within
the ModSecurity project, commit 5e4e2af
(https://github.com/SpiderLabs/ModSecurity/commit/5e4e2af7a6f07854fee6ed36ef4a381d4e03960e)
has been merged to support this endevour. However, if you are running a modified or
preexisting version of the modsecurity.conf provided by this repository, you may
wish to upgrade rule '200000' accordingly. The rule now appears as follows:

```
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
```
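
Review bot: The pattern quoted for rule '200000', "(?:application(?:/soap\+|/)|text/)xml", is unanchored, so the rule as documented sets ctl:requestBodyProcessor=XML for any Content-Type value that merely contains one of these strings, not only for the three MIME types the entry names. If that is intended, say so in the entry; otherwise consider anchoring the expression at the start of the header value and allowing only optional parameters after "xml". The entry also refers to ModSecurity commit 5e4e2af without naming a release that contains it, so a reader on a packaged ModSecurity cannot tell whether their modsecurity.conf already has the updated rule; naming the first release would help, as would stating that the rule lives in modsecurity.conf rather than in the CRS rule files. Minor: "endevour" should be "endeavour", and "OF IMPORTANCE" reads better as "Note that".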
