owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

Allow usage of Content-Disposition modification-date (for Jersey libraries) #1134

Closed jfiala closed 3 years ago

jfiala commented 8 years ago

I'm using the Java Jersey client libraries (using current latest version 1.19.1) to send an HTTP multipart request including a file.

Currently the Content-Disposition is assembled this way:

Content-Disposition: form-data; filename="myfile.txt"; modification-date="Mon, 25 Apr 2016 10:40:18 GMT"; size=46; name="file"

This should conform to RFC 2183 (https://tools.ietf.org/html/rfc2183).

However, the Content-Disposition header is currently rejected by Apache ModSecurity with 400 Bad Request:

ModSecurity: Multipart parsing error: Multipart: Invalid Content-Disposition header (-11): form-data; filename="myfile.txt"; modification-date="Mon, 25 Apr 2016 10:40:18 GMT"; size=46; name="file". ...

Currently there doesn't seem to be a way to suppress the assembling of the Content-Disposition-header in the Jersey libraries (see FileDataBodyPart.java, ContentDisposition.java).

Will there be a future update of ModSecurity allowing for this Content-Disposition header format? Or would it be better to add the modification-date parameter as a configuration option in the Jersey libraries?

Thank you & best regards, Johannes

zimmerle commented 3 years ago

No longer an issue in v3/master.
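
An added example, not part of the thread and not ModSecurity or Jersey code: a small Content-Disposition parser that accepts the RFC 2183 parameters seen in the report while still rejecting duplicate or malformed parameters. The function names and the narrow `STRICT_PARAMS` allowlist are hypothetical; the thread does not state why ModSecurity v2 rejected the header.

```python
import re

# Header value taken verbatim from the report above.
SAMPLE = ('form-data; filename="myfile.txt"; '
          'modification-date="Mon, 25 Apr 2016 10:40:18 GMT"; size=46; name="file"')

# Parameters defined by RFC 2183, plus "name" as used by multipart/form-data.
KNOWN_PARAMS = {"filename", "creation-date", "modification-date",
                "read-date", "size", "name"}
STRICT_PARAMS = {"name", "filename"}  # assumed narrow allowlist, for contrast

_TOKEN = r"[^\s()<>@,;:\\\"/\[\]?=]+"
_TYPE = re.compile(r"\s*(%s)" % _TOKEN)
_PARAM = re.compile(
    r'\s*;\s*(%s)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(%s))' % (_TOKEN, _TOKEN))


def parse_content_disposition(value, allowed=KNOWN_PARAMS):
    """Return (type, params) for a Content-Disposition value or raise ValueError."""
    m = _TYPE.match(value)
    if not m:
        raise ValueError("missing disposition type")
    dtype, pos, params = m.group(1).lower(), m.end(), {}
    while value[pos:].strip():
        m = _PARAM.match(value, pos)
        if not m:
            raise ValueError("malformed parameter at offset %d" % pos)
        name = m.group(1).lower()
        if name not in allowed:
            raise ValueError("unexpected parameter %r" % name)
        if name in params:
            # Ambiguous input: two parsers could pick different values.
            raise ValueError("duplicate parameter %r" % name)
        quoted = m.group(2)
        # Quoted strings may contain ',' ';' and backslash-escaped characters.
        params[name] = (re.sub(r"\\(.)", r"\1", quoted)
                        if quoted is not None else m.group(3))
        pos = m.end()
    return dtype, params


def is_accepted(value, allowed=KNOWN_PARAMS):
    """True if the header parses cleanly under the given parameter allowlist."""
    try:
        parse_content_disposition(value, allowed)
        return True
    except ValueError:
        return False
```

The commas and colons inside the quoted `modification-date` value are why the parser consumes quoted strings as a unit instead of splitting the header on `;` or `,`.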