mitchellkrogza / nginx-ultimate-bad-bot-blocker

Nginx Block Bad Bots, Spam Referrer Blocker, Vulnerability Scanners, User-Agents, Malware, Adware, Ransomware, Malicious Sites, with anti-DDOS, Wordpress Theme Detector Blocking and Fail2Ban Jail for Repeat Offenders

Block $bad_uri_words prototype #365

Open duzun opened 4 years ago

duzun commented 4 years ago

I have created a new rule to block some injection attempts by testing the incoming $request_uri.

I don't know how to correctly add these changes to the repo :(

Maybe it is worth adding a similar rule based on $uri, which is a normalized version of $request_uri.

auto-comment[bot] commented 4 years ago

Thank you for raising your pull request. Please make sure you have followed our contributing guidelines. We will review it as soon as possible.

mitchellkrogza commented 4 years ago

Thanks for your PR @duzun. Introducing a new include and mapping can and will break many installations out there that update and have a missing include file. Multiple include files were added from the beginning to allow such customization. Your best approach is to add this to your /bots.d/bad-referrer-words.conf include file as follows.

"~*(?:\b)phpunit(?:\b)"    1;
"~*(?:\b)eval-stdin(?:\b)" 1;

This will work instead of having a complex regex.

duzun commented 4 years ago

I get your point.

But with the current configuration, there is no way to catch the spam words in the $request_uri, and the $http_referer is not enough.

Maybe it makes sense to add the new rule using the existing files, like bots.d/bad-referrer-words.conf? Users who do not update their bots.d/blockbots.conf would not use the new rule, but it would not break either.

mitchellkrogza commented 4 years ago

Ah ok, I get you. I'll have to think about how we could do this without breaking anything. Using the existing include files could work.
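The approach discussed above, reusing the existing word-list include against the request URI so that nobody with an older bots.d/blockbots.conf sees a missing file, sketched as an added nginx configuration example. This is not code from the repository or from either participant: the include path, the `$bad_uri_words` variable name and the server block are assumptions, and the two word entries are the ones quoted earlier in the thread.

```nginx
# Added example, not part of nginx-ultimate-bad-bot-blocker.
# Assumption: the file below already exists and holds map entries such as
#   "~*(?:\b)phpunit(?:\b)"    1;
#   "~*(?:\b)eval-stdin(?:\b)" 1;
# (the same file the project matches against $http_referer).

# Match the raw request line, including the query string. Because $request_uri
# is not decoded, a percent-encoded variant of a word will not match here.
map $request_uri $bad_uri_words {
    default 0;
    include /etc/nginx/bots.d/bad-referrer-words.conf;   # assumed path
}

# Match the normalized path: decoded, dot-segments removed, no query string.
# This catches encoded variants of a word but cannot see the query string,
# so the two maps complement each other.
map $uri $bad_uri_words_normalized {
    default 0;
    include /etc/nginx/bots.d/bad-referrer-words.conf;   # assumed path
}

# Record the verdicts so that blocks are visible in the access log
# (useful when tuning the word list and for feeding Fail2Ban).
log_format bad_uri '$remote_addr "$request" '
                   'uri_block=$bad_uri_words norm_block=$bad_uri_words_normalized';

server {
    listen 80;
    server_name example.com;    # placeholder host

    access_log /var/log/nginx/bad_uri.log bad_uri;

    # "return" inside a server-level "if" is one of the safe uses of "if".
    # 444 closes the connection without sending a response.
    if ($bad_uri_words) {
        return 444;
    }
    if ($bad_uri_words_normalized) {
        return 444;
    }

    location / {
        root /var/www/html;
    }
}
```

Run `nginx -t` after adding the maps: they must live in the `http` context (the project's globalblacklist.conf is included there), and an entry with a regex that PCRE rejects fails the syntax test rather than silently matching nothing. Testing both `$request_uri` and `$uri` covers the case duzun raised, since the normalized `$uri` sees decoded paths while `$request_uri` is the only one of the two that sees the query string.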