Operator @rx has different flags in two engines

owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

https://www.modsecurity.org

Apache License 2.0

8.3k stars 1.61k forks source link

Operator @rx has different flags in two engines #3295

Open airween opened 2 weeks ago

airween commented 2 weeks ago

Describe the bug

It seems like the @rx operator has a different behavior in two engines (mod_security2 and libmodsecurity3)

mod_security2 has these PCRE flags:

PCRE2, PCRE

libmodsecurity3 has these ones:

PCRE2, PCRE

To Reproduce

https://github.com/coreruleset/coreruleset/issues/3277

We should discuss:

do we want to resolve this issue?
how?

airween commented 1 week ago

I think this is a good idea, I mean add a build flag to libmodsecurity3 (mod_security2 is not affected) which changes the flag, and not in the next release but after that we make it mandatory (and we can add an optional build flag to keep the old (current) one).

marcstern commented 1 week ago

PCRE2_DOTALL & PCRE2_DOLLAR_ENDONLY look the right way for me as we need to check multiline ARGS