Closed hex2a closed 11 months ago
It seems to be a pcre issue, no?
This issue comes from a flag issue with pcre_compile and pcre_exec.

`%0d%0a` becomes `\r\n` when un-escaped. Newlines are not matched by pcre_exec. Hence you see start_offset stuck at 13.

`PCRE_DOTALL` can be added to pcre_compile:

```c
rgc->options = PCRE_CASELESS|PCRE_MULTILINE|PCRE_DOTALL;
```

and `PCRE_NOTEMPTY` to pcre_exec:

```c
(match = pcre_exec(rl->br->rx->regex->code, 0, (const char *) str->data, str->len, tmp_idx, PCRE_NOTEMPTY, captures, 30)) >= 0
```

It may or may not affect your whitelisting.

Reference: https://www.pcre.org/original/doc/html/pcre_exec.html https://www.pcre.org/original/doc/html/pcre_compile.html
The following requests/rules seem to trigger an infinite loop (calling pcre_exec) in ngx_http_process_basic_rule_buffer.

HTTP request:

```
GET /favicon.ico%0d%0aBCC%weiphohgh5chez5ukachaipiPuPooH8oor6wuv0du7@test.example.com%0d%0afffl%3a%20b
```

Decoded request evaluated by naxsi:

```
/favicon.ico\r\nBCC:weiphohgh5chez5ukachaipiPuPooH8oor6wuv0du7@test.example.com\r\nfff: b
```

Rule:

```
BasicRule "msg:block All URLs" "rx:.*" "mz:URL" "s:$GENERIC:3" id:2000;
```

gdb and ltrace show that the start_offset argument for pcre_exec remains 13 (\r) and is not increased. https://github.com/nbs-system/naxsi/blob/6a0378ee7cf0c53df719a1895717c5fa5278a660/naxsi_src/naxsi_runtime.c#L181
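The restart loop this report describes, reconstructed as an added example (this is not naxsi's code, and nothing here is taken from naxsi_runtime.c): a rule engine that wants every occurrence of a rule regex in the URL restarts the search at the end of the previous match. With `.*` on a subject that contains a newline, the first match runs up to the newline and the next one is the empty string at the newline, so the restart offset never moves. The example uses POSIX `<regex.h>` instead of libpcre so it builds with no extra library (assumption: with glibc, `REG_NEWLINE` gives `.` the same "does not match `\n`" behaviour as PCRE's default, and dropping it plays the role of `PCRE_DOTALL`). The subject is the decoded request from the report, embedded as a constructed input; `scan_all` and its parameters are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the decoded URL from the report above. */
static const char URL[] =
    "/favicon.ico\r\n"
    "BCC:weiphohgh5chez5ukachaipiPuPooH8oor6wuv0du7@test.example.com\r\n"
    "fff: b";

/*
 * Find every match of `pattern` in `subject` by restarting the search at
 * the end of the previous match, the way an "all occurrences" scan does.
 *
 *   dotall           drop REG_NEWLINE so '.' also matches '\n'
 *                    (assumption: the POSIX counterpart of PCRE_DOTALL)
 *   advance_on_empty after an empty match, step one byte further before
 *                    restarting (the guard the buggy loop lacks)
 *
 * Returns the number of matches, -2 for a bad pattern, or -1 when the next
 * restart would happen at the same offset as the previous one, i.e. where
 * a loop without a progress check spins forever; that offset is written to
 * *stuck_at. Hypothetical helper, not naxsi's code.
 */
static int scan_all(const char *pattern, const char *subject,
                    int dotall, int advance_on_empty, size_t *stuck_at)
{
    regex_t rx;
    regmatch_t m;
    int cflags = REG_EXTENDED | (dotall ? 0 : REG_NEWLINE);
    size_t len = strlen(subject), off = 0;
    int count = 0;

    if (regcomp(&rx, pattern, cflags) != 0)
        return -2;

    while (off <= len) {
        size_t prev = off;
        /* a restarted search is not at the beginning of the subject */
        int eflags = off > 0 ? REG_NOTBOL : 0;

        if (regexec(&rx, subject + off, 1, &m, eflags) != 0)
            break;                       /* no further match: normal exit */
        count++;
        off += (size_t)m.rm_eo;          /* restart after this match ... */
        if (m.rm_eo == m.rm_so && advance_on_empty)
            off++;                       /* ... plus one if it was empty */

        if (off == prev) {               /* no progress: the spin the report saw */
            if (stuck_at)
                *stuck_at = off;
            regfree(&rx);
            return -1;
        }
    }
    regfree(&rx);
    return count;
}

int main(void)
{
    size_t at = 0;
    int n;

    n = scan_all(".*", URL, 0, 0, &at);
    printf("'.' stops at newline, no guard: %s at offset %zu\n",
           n < 0 ? "stuck" : "ok", at);
    printf("'.' stops at newline, guard:    %d matches\n",
           scan_all(".*", URL, 0, 1, &at));
    n = scan_all(".*", URL, 1, 0, &at);
    printf("'.' matches newline,  no guard: %s at offset %zu\n",
           n < 0 ? "stuck" : "ok", at);
    printf("'.' matches newline,  guard:    %d matches\n",
           scan_all(".*", URL, 1, 1, &at));
    return 0;
}
```

Without the guard the scan reports no progress at offset 13, right after `/favicon.ico\r`, the same offset the report observes in gdb. Letting `.` match newlines as well moves the problem rather than removing it: `.*` then consumes the whole subject in one match and still matches the empty string at its end, so the restart sticks there instead. Stepping past an empty match is the kind of guard libpcre's own pcredemo.c uses (it first retries at the same point with `PCRE_NOTEMPTY_ATSTART`, then advances by one); `PCRE_NOTEMPTY`, as suggested in the comment above, instead makes pcre_exec refuse to return an empty match at all.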