Closed Punamu closed 4 years ago
Hey @Punamu thanks for the issue, gonna have a quick look into it :)
I did some tests and can confirm the issue. I will keep you posted as soon as I have time to work on it.
In the meantime, if you feel like diving into the JSON parser, feel free to do so; the code is in a separate file and rather trivial: naxsi_json.c
Hello, I found another bug in the same file (naxsi_json.c); it seems that it also causes valid JSON to be blocked. In my case it was a Number inside JSON sent from an Android app; the Number had values like 1.2E-10. It seems that the code checks only for 'e' and not 'E'. The fix in my case was changing this line:
*(js->src + js->off) == 'e') &&
to:
*(js->src + js->off) == 'e' || *(js->src + js->off) == 'E') &&
Nice find. I will fix it!
@phoenixstudiodz this has been fixed here: https://github.com/wargio/naxsi/commit/a96f12ca914ae5e5ab55845a92c49ae89ddae67b Please beware that if you are using this repo, the current code is very broken and abandoned. If you want to keep receiving support and bugfixes please use my fork/repo.
OK, great, Thank you @wargio
Hi,
I have noticed that the internal rule ID 15 blocks valid JSON bodies.
The following POST-bodies were tested on naxsi version 0.56 (nginx 1.10.3):
null
true
1337
"some string"
["array", "of", "strings"]
[{"test":123},{"test":123}]
It seems that only JSON objects like
{"test":123}
are passed through.
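For reference, the exponent case reported in the comments above (1.2E-10 rejected because only 'e' was checked), as an added example that is not code from naxsi_json.c or from either fork: a scanner for the RFC 8259 number grammar that accepts both exponent markers. The names scan_json_number and is_json_number are hypothetical, and the sample inputs are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

#define DIGIT(c) isdigit((unsigned char)(c))

/* Hypothetical helper, not taken from naxsi_json.c. Returns the length of the
 * RFC 8259 number at the start of s, or 0 if it is missing or malformed.
 * Grammar: [-] int [frac] [exp], with exp = ("e" / "E") ["+" / "-"] 1*DIGIT */
size_t scan_json_number(const char *s)
{
    size_t i = 0;
    if (s[i] == '-')
        i++;
    if (s[i] == '0')                    /* int: a lone 0 ... */
        i++;
    else if (DIGIT(s[i]))               /* ... or digits with no leading zero */
        while (DIGIT(s[i])) i++;
    else
        return 0;
    if (s[i] == '.') {                  /* frac: '.' needs at least one digit */
        if (!DIGIT(s[i + 1])) return 0;
        i++;
        while (DIGIT(s[i])) i++;
    }
    if (s[i] == 'e' || s[i] == 'E') {   /* exp: both cases are valid JSON */
        size_t j = i + 1;
        if (s[j] == '+' || s[j] == '-') j++;
        if (!DIGIT(s[j])) return 0;     /* "1E" and "1E-" are malformed */
        while (DIGIT(s[j])) j++;
        i = j;
    }
    return i;
}

/* A body is a bare JSON number only if the token covers the whole string. */
int is_json_number(const char *s)
{
    size_t n = scan_json_number(s);
    return n > 0 && s[n] == '\0';
}

int main(void)
{
    /* Constructed samples; 1337 and 1.2E-10 are the values from this thread. */
    const char *samples[] = { "1337", "1.2E-10", "1.2e-10", "-0.5E+3", "1E", "01", "1.e5" };
    for (size_t k = 0; k < sizeof samples / sizeof *samples; k++)
        printf("%-8s %s\n", samples[k], is_json_number(samples[k]) ? "valid" : "invalid");
    return 0;
}
```

Inputs such as these make a compact regression set for a WAF's JSON parser: the first four must pass, the last three must be rejected.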