nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Internal rule 13 triggers on certain multipart data #553

Closed vvvllll closed 11 months ago

vvvllll commented 3 years ago

I think there's a possible parsing issue of multipart requests; if we have a textarea in a multipart form and input something like:

--dfssfdsfdsf
--

This will look like this in the raw request:

-----------------------------delimiterishere
Content-Disposition: form-data; name="myinput"

--dfssfdsfdsf
--
-----------------------------delimiterishere--

This will trigger rule 13, which is "invalid POST format" (it doesn't matter whether it's the last field or not).

So I wonder if it's properly getting the boundary delimiter from the request headers.

I'm using the master version.
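Added example, not naxsi code: a constructed reproduction of the body above, checked by a hypothetical line-oriented check (any line starting with "--" must be a delimiter, the failure mode the report suggests) and by a parser that only accepts a delimiter when it is the full boundary from Content-Type at a line start, followed by CRLF or "--". The boundary value and the `naive_check`/`strict_parse` names are assumptions.

```python
import re

# Constructed from the report: the Content-Type boundary and the raw body.
BOUNDARY = "---------------------------delimiterishere"
RAW_BODY = (
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="myinput"\r\n'
    "\r\n"
    "--dfssfdsfdsf\r\n"   # textarea content that merely looks like a delimiter
    "--\r\n"
    "--" + BOUNDARY + "--\r\n"
)

def naive_check(body, boundary):
    """Hypothetical line-oriented check illustrating the failure mode:
    any line starting with '--' must be the delimiter or closing delimiter.
    Returns False where a WAF would flag 'invalid POST format'."""
    delim = "--" + boundary
    for line in body.split("\r\n"):
        if line.startswith("--") and line not in (delim, delim + "--"):
            return False
    return True

def strict_parse(body, boundary):
    """RFC 2046 style parse: a delimiter is CRLF + '--' + boundary followed by
    CRLF (next part) or '--' (end). Returns {name: value}, or None if malformed."""
    delim = "--" + boundary
    if not body.startswith(delim):
        return None
    rest, fields = body[len(delim):], {}
    while True:
        if rest.startswith("--"):            # closing delimiter reached
            return fields
        if not rest.startswith("\r\n"):      # junk after a delimiter
            return None
        rest, pos = rest[2:], 0
        while True:                          # locate the next real delimiter
            idx = rest.find("\r\n" + delim, pos)
            if idx < 0:
                return None                  # no closing delimiter: malformed
            tail = rest[idx + 2 + len(delim):]
            if tail.startswith("\r\n") or tail.startswith("--"):
                break
            pos = idx + 1                    # '--boundary' was only a data prefix
        part, rest = rest[:idx], tail
        headers, _, value = part.partition("\r\n\r\n")
        m = re.search(r'name="([^"]*)"', headers)
        if m is None:
            return None
        fields[m.group(1)] = value
```

With the report's body, `naive_check` rejects it while `strict_parse` returns the textarea value intact, because "--dfssfdsfdsf" and "--" never match the boundary from the header.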

wargio commented 3 years ago

It's possible that there is a bug.