SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0

Allow REPORT requests without Content-Type header in Nextcloud #1743

Closed pyllyukko closed 4 years ago

pyllyukko commented 4 years ago

Issue

When the file list in the iOS app is refreshed, it triggers the Missing Content-Type Header with Request Body rule with a REPORT request to /remote.php/dav/files/<username>.

Background

Software Version
CRS 3.2.0
ModSecurity 3.0.4
Nextcloud 18.0.3
Nextcloud iOS app 2.25.9.2

Fix

This PR disables rule 920340 for REPORT requests to /remote.php/dav/files/.

franbuehler commented 4 years ago

In the monthly chat meeting from May 4 we decided to merge this PR: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1749#issuecomment-623634756
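
A scoped exclusion of the kind the PR description refers to, written as an added example: it is not the PR's actual change or the project's own rule. The rule id 1000 is a constructed placeholder, and the path match assumes Nextcloud is served from the web root.

```apache
# Added example, not the PR's actual change.
# id:1000 is a constructed placeholder; use any unused id from your local range.
# Assumes Nextcloud is served from the web root, so the path starts with
# /remote.php/dav/files/. Load this before the CRS rule files, for example from
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, so the ctl action is set before
# rule 920340 is evaluated.

# Too broad: removes the Content-Type check for every method and every path.
# SecRuleRemoveById 920340

# Scoped: only REPORT requests under the WebDAV files endpoint skip rule 920340.
# Every other CRS rule still inspects these requests, and 920340 still applies
# to all other methods and paths.
SecRule REQUEST_METHOD "@streq REPORT" \
    "id:1000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule REQUEST_FILENAME "@beginsWith /remote.php/dav/files/" \
        "t:none,\
        ctl:ruleRemoveById=920340"
```

To check the scope, confirm that a REPORT request with a body and no Content-Type header to this path no longer logs 920340, while the same request sent with another method or to another path still does.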