Closed EsadCetiner closed 5 months ago
@EsadCetiner What is the purpose of splitting exclusions into rules 9508311, 9508312, 9508313 and 9508314? Seems like all of them are matching the same URLs.
@azurit Those rules exclude rules for individual tokens used in Nextcloud's markdown text editor. All of these rule exclusions could be done in one rule, but then you won't be able to easily implement character whitelisting (which is currently the case).
@azurit everything good to merge?
@theseion I'm trying to use the REQUEST_BODY_LENGTH variable to check if there's no response body then disable rule 200002 since that's causing the XML parser to fail, but the linter doesn't think that's a valid variable. It's supported on both ModSec v2/v3 and Coraza so I don't know why it's marked as invalid.
Wow, wouldn't have expected that. But you're right, there's a mistake in the parser model.
I've opened an issue: https://github.com/coreruleset/secrules_parsing/issues/70. @airween, any idea how to fix that one? I wasn't able to.
There is still a workflow issue, but I'm afraid that's an ftw problem. @theseion could you take a look at it?
All the checks are good now. @airween, you need to approve the changes, then we can merge.
Nextcloud 28 has made a fair few changes and some of these have resulted in new false positives. Most of these false positives are at PL-2 or higher or they affect features that will only be used on occasion.