coreruleset / nextcloud-rule-exclusions-plugin

Rule exclusion plugin for Nextcloud
Apache License 2.0

Files: Open images in shared folder #65

Closed mhastu closed 3 months ago

mhastu commented 5 months ago

When accessing a publicly shared folder via link and trying to open an image inside, the following FP is produced:

ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/etc/modsecurity/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1012"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|text/plain|"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [uri "/public.php/webdav/img.jpg"]

I was able to fix it with the following exclusion rule, without guarantee of safety:

# File manager: Public share
# Fix FP when opening photo
# Allow the data type 'text/plain'
# Since the content is actually XML, we switch on the XML parser
SecRule REQUEST_FILENAME "@beginsWith /public.php/webdav/" \
    "id:9508954,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'nextcloud-rule-exclusions-plugin/1.1.0',\
    chain"
    SecRule REQUEST_HEADERS:Content-Type "@beginsWith text/plain" \
        "t:none,\
        ctl:requestBodyProcessor=XML,\
        setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/plain|'"
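Added example, not code from the issue or from the plugin: a small Python model of the chained exclusion above and of the 920420 check it silences, run against a constructed log line in the same `[key "value"]` format as the one reported. The baseline allowed-content-type list is an assumption (shortened from what CRS 4 ships); only its pipe-delimited shape matters here.

```python
import re

# Constructed sample in the shape of the error-log line from the report.
SAMPLE_LOG = ('ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" '
              'against "TX:content_type" required. [id "920420"] '
              '[msg "Request content type is not allowed by policy"] [data "|text/plain|"] '
              '[tag "paranoia-level/1"] [uri "/public.php/webdav/img.jpg"]')

# Assumed baseline: CRS 4's real tx.allowed_request_content_type list is longer.
DEFAULT_ALLOWED = ("|application/x-www-form-urlencoded| |multipart/form-data| "
                   "|text/xml| |application/xml| |application/json|")


def parse_modsec_line(line):
    """Collect the [key "value"] fields of a ModSecurity error-log line into a dict.
    Escaped quotes inside values are handled; repeated keys (e.g. tag) keep the last value."""
    return dict(re.findall(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]', line))


def exclusion_applies(request_filename, content_type):
    """Both links of the chain in rule 9508954: path prefix AND Content-Type prefix."""
    return (request_filename.startswith("/public.php/webdav/")
            and content_type.startswith("text/plain"))


def rule_920420_fires(request_filename, content_type, exclusion_loaded=True,
                      allowed=DEFAULT_ALLOWED):
    """Model of 920420: TX:content_type is the media type (parameters dropped,
    lower-cased) wrapped in pipes, and the rule fires when it is NOT @within the
    allowed list. The pipes make the @within check a whole-token match."""
    media_type = content_type.split(";")[0].strip().lower()
    tx_content_type = f"|{media_type}|"
    if exclusion_loaded and exclusion_applies(request_filename, content_type):
        allowed = f"{allowed} |text/plain|"  # the setvar in the chained rule
    return tx_content_type not in allowed


def exclusion_covers_event(event):
    """Given a parsed 920420 event, would rule 9508954 have handled it?
    [data] carries TX:content_type; [uri] stands in for REQUEST_FILENAME here."""
    media_type = event.get("data", "").strip("|")
    return event.get("id") == "920420" and exclusion_applies(event.get("uri", ""), media_type)


if __name__ == "__main__":
    event = parse_modsec_line(SAMPLE_LOG)
    print(event["id"], event["uri"], exclusion_covers_event(event))
    print(rule_920420_fires("/public.php/webdav/img.jpg", "text/plain", exclusion_loaded=False))
    print(rule_920420_fires("/public.php/webdav/img.jpg", "text/plain"))
```

The last two calls show the FP with and without the exclusion; requests outside the share path, or with a non-text/plain body on it, still trip 920420, which is what keeps the exclusion narrow.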

theseion commented 5 months ago

Thanks for sharing @mhastu. We'll see where we can integrate this.

EsadCetiner commented 5 months ago

@mhastu I've taken a look and I can confirm this is an issue on 27.1.0, and that rule should be perfectly safe. CRS blocks text/plain content mainly because ModSecurity can't parse it (since it doesn't know what the content is); you've enabled the appropriate parser (in this case the XML parser) for text/plain, so it should be perfectly fine. I opened a PR here: #68