Closed Xhoenix closed 1 year ago
@azurit This is still an issue.
@Xhoenix the discussion led to an improved mechanism for specifying restricted headers. For the WordPress plugin this means that we would simply duplicate the default rule and remove the x-http-method-override header from the list (https://github.com/coreruleset/coreruleset/pull/3152#issuecomment-1557621730).
Here's the rule you need to duplicate: https://github.com/coreruleset/coreruleset/blob/ffb120e727b6a4932d9a17f2fd84792cde7fc91a/crs-setup.conf.example#L565. Do you want to try and create the PR?
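One way the duplicated-rule approach described above could look inside the WordPress plugin, as an added example (not CRS's or the plugin's own code). It assumes CRS 4.0 exposes the list checked by rule 920450 as tx.restricted_headers_basic, set by the SecAction with id 900250 in crs-setup.conf and only initialised by REQUEST-901-INITIALIZATION.conf when still unset, so a plugin before-file can override it; it also narrows the override to REST API requests instead of every request, and the rule id is a placeholder.

```apache
# Added example for a wordpress-rule-exclusions-plugin *-before.conf file.
# Assumptions (not confirmed by the thread): rule 920450 compares header
# names against tx.restricted_headers_basic; crs-setup.conf sets that list
# in SecAction id 900250; REQUEST-901-INITIALIZATION.conf only fills it in
# when it is still empty, so this phase:1 rule takes precedence.
# The override is scoped to WordPress REST API requests (pretty permalinks
# under /wp-json/ or the ?rest_route= form), which is where the logged
# false positive occurred; all other requests keep the full default list,
# so the header is not unblocked site-wide.
# 9999999 is a placeholder id; replace it with one from the plugin's
# reserved id range.
SecRule REQUEST_URI "@rx ^/wp-json/|[?&]rest_route=" \
    "id:9999999,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method/ /x-method-override/'"
```

The value is the default list from the log message with /x-http-method-override/ removed; keep the slash-delimited format, since 920450 matches each header name wrapped in slashes against it.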
I should've read that. I pinged azurit unnecessarily.
Will think about the FPs and the necessary PR. :)
I created a PR (#11) in March fixing this issue, but due to ongoing discussion about the header I had to close the PR later. This header, x-http-method-override, still causes an FP in default WordPress at PL 1.

Update: the issue is in CRS 4.0.
[Sat Oct 14 00:35:11.891548 2023] [:error] [pid 19341] [client 127.0.0.1:56236] [client 127.0.0.1] ModSecurity: Warning. String match within "/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/" at TX:header_name_920450_x-http-method-override. [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1167"] [id "920450"] [msg "HTTP header is restricted by policy (/x-http-method-override/)"] [data "Restricted header detected: /x-http-method-override/"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/12.1"] [hostname "localhost"] [uri "/wp-json/wp/v2/users/me"] [unique_id "ZSmU56gix_dBFGBF5VZBbQAAAAA"], referer: http://localhost/wp-admin/post.php?post=1&action=edit