Merge pull request #1703 from dune73/fix-fp-941130

Narrowing down subregex .*? in 941130
SpiderLabs · Feb 27, 2020 · 51a243d · 51a243d
2 parents 4b2ce79 + c63d2fc
commit 51a243d
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
@@ -131,7 +131,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 #   cd util/regexp-assemble
 #   ./regexp-assemble.pl regexp-941130.data
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S](?:!ENTITY.*?(?:PUBLIC|SYSTEM)|x(?:link:href|html|mlns)|data:text\/html|pattern\b.*?=|formaction|\@import|;base64)\b" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S](?:!ENTITY\s+(?:\S+|%\s+\S+)\s+(?:PUBLIC|SYSTEM)|x(?:link:href|html|mlns)|data:text\/html|pattern\b.*?=|formaction|\@import|;base64)\b" \
     "id:941130,\
     phase:2,\
     block,\

diff --git a/util/regexp-assemble/regexp-941130.data b/util/regexp-assemble/regexp-941130.data
@@ -1,8 +1,8 @@
 (?i)[\s\S]xlink:href\b
 (?i)[\s\S]xhtml\b
 (?i)[\s\S]xmlns\b
-(?i)[\s\S]!ENTITY.*?SYSTEM\b
-(?i)[\s\S]!ENTITY.*?PUBLIC\b
+(?i)[\s\S]!ENTITY\s+(?:\S+|%\s+\S+)\s+SYSTEM\b
+(?i)[\s\S]!ENTITY\s+(?:\S+|%\s+\S+)\s+PUBLIC\b
 (?i)[\s\S]data:text/html\b
 (?i)[\s\S]formaction\b
 (?i)[\s\S]@import\b