coreruleset / nextcloud-rule-exclusions-plugin

Rule exclusion plugin for Nextcloud
Apache License 2.0
11 stars, 7 forks

fix: requesting a static file at pl-2 #67

Closed EsadCetiner closed 3 months ago

EsadCetiner commented 5 months ago

Fixes false positives when requesting a static file at pl-2 or higher with the ver argument. I haven't done any character whitelisting since this is just used for static files, there's nothing to attack.

azurit commented 3 months ago

@EsadCetiner How are you enforcing that this exclusion is used only for static files?

EsadCetiner commented 3 months ago

@azurit I'm not, the variable is only used for static files. Do you want me to write another rule that makes that check?

azurit commented 3 months ago

@EsadCetiner I would better do it. I suggest to restrict it based on file extension.

EsadCetiner commented 3 months ago

@azurit everything good to merge now?