This repository has been archived by the owner on May 14, 2020. It is now read-only.
Suppress rule 200002 when editing contacts in Nextcloud #1742
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pyllyukko
commented
Apr 21, 2020
| chain" | ||
| SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \ | ||
| "t:none,\ | ||
| ctl:ruleRemoveById=200002" | ||
|
|
There was a problem hiding this comment.
Just noticed that there should be additional newline here to end the "section" to be consistent with the rest of this file.
|
In the monthly chat meeting from May 4 we decided to merge this PR: |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue
Modifying contacts triggers an XML parsing error (rule 200002 in modsecurity.conf) which can be whitelisted in REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf.
Background
Reproduction
This will trigger a HTTP PUT request into
/remote.php/dav/addressbooks/users/<username>/contacts/<some-uuid>.vcfthat hasContent-Type: application/xmland has the contact vCard (which of course isn't XML) in it's body.Fix
This PR disables 200002 with PUT requests into
addressbooks.