From b4f53c7d74e312da590b44073aef65300b1e329e Mon Sep 17 00:00:00 2001
From: "Federico G. Schwindt"
Date: Fri, 15 Feb 2019 17:19:06 +0000
Subject: [PATCH] Rule to check if both C-L and T-E are present
---
 rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf | 27 ++++++++++++++
 .../920181.yaml | 35 +++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100755 util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 8f03164fd..d8df218ae 100644
--- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -237,6 +237,33 @@ SecRule REQUEST_METHOD "@rx ^POST$" \
 "setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
 
+#
+# As per RFC7230 3.3.2: A sender MUST NOT send a Content-Length
+# header field in any message that contains a Transfer-Encoding header
+# field.
+#
+# Related to 920170, 920171 and 920180.
+#
+SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
+ "id:920181,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'Content-Length and Transfer-Encoding headers present.',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
+ tag:'CAPEC-272',\
+ ver:'OWASP_CRS/3.3.0',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
+ "t:none,\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
 
 #
 # Range Header Checks
 #
diff --git a/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml b/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml
new file mode 100755
index 000000000..d02a1b675
--- /dev/null
+++ b/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml
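Review bot: The header comment on the new 920181 block cites only the sender-side requirement of RFC 7230 §3.3.2 and never says why a WAF should score this as CRITICAL; the recipient-side rule is in §3.3.3 (Transfer-Encoding overrides Content-Length, and such a message ought to be treated as an error) and the request-smuggling discussion in §9.5, so a line such as `# RFC7230 3.3.3 / 9.5: Transfer-Encoding wins when both are present and the message may be a request smuggling attempt.` would make the rationale self-contained. The accompanying regression test states that Apache removes Content-Length once Transfer-Encoding is seen, which means the chained `SecRule &REQUEST_HEADERS:Content-Length "!@eq 0"` can never match on that platform; the comment should record on which engines the rule is expected to be effective (presumably those that pass both headers through to the engine, to be confirmed). The rule inspects only header counts, so it is also worth a comment on why `phase:2` is used rather than `phase:1`, where the request could be rejected before the body is read — presumably to stay consistent with 920170/920171/920180, but that should be stated.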
@@ -0,0 +1,35 @@
+---
+ meta:
+ author: "fgsch"
+ enabled: true
+ name: "920181.yaml"
+ description: "Description"
+ tests:
+ -
+ test_title: 920181-1
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ method: "POST"
+ uri: "/"
+ headers:
+ Host: "localhost"
+ Accept: "*/*"
+ Content-Length: 7
+ Content-Type: "application/x-www-form-urlencoded"
+ Transfer-Encoding: "chunked"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ data:
+ - "7"
+ - "foo=bar"
+ - "0"
+ - ""
+ - ""
+ stop_magic: true
+ output:
+ # Apache unsets the Content-Length header if
+ # Transfer-Encoding is found!
+ no_log_contains: id "920181"
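Review bot: The only assertion is `no_log_contains: id "920181"`, and the inline comment says Apache drops Content-Length when Transfer-Encoding is present, so this file checks that the rule stays silent on Apache and never exercises the positive path — it would also pass if 920181 were removed from the rule set. `description: "Description"` is a placeholder and should state the expectation, for example `description: "C-L and T-E both sent; Apache strips C-L so 920181 must not fire here"`. A positive case (`log_contains: id "920181"`) needs a platform that preserves both headers, which this suite may not have; recording that gap in the description keeps it visible. The two trailing empty strings in `data` presumably terminate the chunked body, which a short comment next to them would make clear to the next reader.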