owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

Using @rsub adds garbage at the end of the page #433

Closed rcbarnett-zz closed 10 years ago

rcbarnett-zz commented 10 years ago

MODSEC-284: Using @rsub causes additional garbage on the page (at the end of the page)

Even with a rule which does nothing, like the one below, it adds that garbage:

SecRule STREAM_OUTPUT_BODY "@rsub s/html/html/" "phase:4,t:none,nolog,pass"

It seems that the buffer is not initialized properly or not used correctly, which is causing binary strings or page parts to appear at the end of the string (after the tag

Two examples. First: a repeat of a JavaScript segment that appeared earlier in the page

(this);'> "); document.write(""); document.write(""); document.write(""); }
<tr ID="divt6" style="visibil

Second: just gibberish binary codes after the :

����$9Of~���
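As an added illustration of the failure mode the reporter suspects (a substitution applied into a reused output buffer while the byte count handed to the writer is wrong), here is constructed example code; it is not ModSecurity's @rsub implementation and not code from anyone in this thread. The buffer capacity `OUT_CAP`, the `substitute_same_len` helper and the sample page fragments are all hypothetical. It shows how both symptoms above can arise from one defect: if the buffer still holds the previous response, the client gets a repeat of earlier page content; if it was never cleared, the client gets whatever bytes were in memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the failure mode the report describes: a
 * substitution is applied into an output-body buffer that is reused between
 * responses, and the byte count handed to the writer is wrong. Everything
 * past the real end of the rewritten page (stale data from the previous
 * response, or uninitialized memory if the buffer was never cleared) is then
 * flushed to the client. This is NOT ModSecurity's @rsub code. */

#define OUT_CAP 64   /* capacity of the hypothetical reusable output buffer */

/* Copy `in` to `out`, replacing each occurrence of `from` with `to`.
 * Both patterns have the same length, like the report's s/html/html/.
 * Returns the number of bytes actually written to `out`. */
static size_t substitute_same_len(const char *in, size_t in_len,
                                  const char *from, const char *to,
                                  char *out, size_t out_cap)
{
    size_t flen = strlen(from);
    size_t n = 0, i = 0;

    while (i < in_len && n < out_cap) {
        if (flen > 0 && in_len - i >= flen && n + flen <= out_cap &&
            memcmp(in + i, from, flen) == 0) {
            memcpy(out + n, to, flen);
            n += flen;
            i += flen;
        } else {
            out[n++] = in[i++];
        }
    }
    return n;
}

/* Buggy flow: the writer is told the buffer capacity instead of the
 * number of bytes produced, so stale bytes after the page are sent. */
static size_t buggy_rewrite(char *buf, const char *page, size_t page_len)
{
    (void)substitute_same_len(page, page_len, "html", "html", buf, OUT_CAP);
    return OUT_CAP;
}

/* Fixed flow: the reported length is exactly what the substitution wrote. */
static size_t fixed_rewrite(char *buf, const char *page, size_t page_len)
{
    return substitute_same_len(page, page_len, "html", "html", buf, OUT_CAP);
}

/* Simulate one response through a reused buffer and count how many non-zero
 * bytes beyond the real end of the page the client would receive. */
static size_t stale_bytes_sent(size_t (*rewrite)(char *, const char *, size_t))
{
    /* Constructed sample data: a fragment left over from the previous
     * response, and the page being served now. */
    const char *previous = "document.write(\"\"); document.write(\"\"); }";
    const char *page = "<html><body>ok</body></html>";
    char buf[OUT_CAP];
    size_t sent, real_len = strlen(page), garbage = 0, k;

    memset(buf, 0, sizeof buf);
    memcpy(buf, previous, strlen(previous));   /* buffer reused, not cleared */

    sent = rewrite(buf, page, real_len);
    for (k = real_len; k < sent && k < OUT_CAP; k++)
        if (buf[k] != '\0')
            garbage++;
    return garbage;
}

int main(void)
{
    printf("buggy: %zu stale bytes after the page end\n", stale_bytes_sent(buggy_rewrite));
    printf("fixed: %zu stale bytes after the page end\n", stale_bytes_sent(fixed_rewrite));
    return 0;
}
```

The check that matters when reviewing a fix for this kind of report is that the length passed to the output writer is the value returned by the substitution, not the allocation size or the original input length, and that a buffer reused across responses is either cleared or never read past that length.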

rcbarnett-zz commented 10 years ago

Original reporter: muttley79

rcbarnett-zz commented 10 years ago

muttley79: Sometimes even adds some log data to the page itself:

les/modsecurity_crs_16_session_hijacking.conf"] [line "47"]�����981063�������������������������� [id "981063"]�� [file "/etc/httpd/conf/crs/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "47"] [id "981063"]�licati [file "/etc/httpd/conf/crs/activated_rules/modsecurity_crs_16_sessionhijacking.conf"] [line "47"] [id "981063"] Warning. Pattern match "." at TX:1.��HA���_���f*

rcbarnett-zz commented 10 years ago

bpinto: Hey Arnon,

I have a patch for this issue. Looks like it is fixed. Any chance I send it to you to test on your side too?

Thanks

Breno

rcbarnett-zz commented 10 years ago

muttley79: No problem. But I cannot compile it on my system due to some restrictions, so you will need to send a binary to arnon [at] morethantechnical.com

Thanks

rcbarnett-zz commented 10 years ago

bpinto: Hmm. I can't send you a binary. So I will close this; fixed in my box. If necessary we can reopen. Thanks

rcbarnett-zz commented 10 years ago

muttley79: OK. I'll take your word for it :) If you can send me the patch anyway I would appreciate it (unless you plan the next release soon)