Fix SecRequestBody(NoFiles)Limit overflow #3419

Open

wants to merge 4 commits into base: v3/master from

Conversation

@airween airween commented Jul 14, 2025

what

This PR fixes the possible overflow of SecRequestBodyLimit and SecRequestBodyNoFilesLimit directives.

why

There are two reported issues:

There are a few problems in handling these config variables:

  • the type of the variables was double before this patch - this makes no sense, there are no 1234.6 bytes...
  • the type of the variables was signed - also makes sense, there is no negative value
  • the parser converted the read value with atoi(), which gives an integer with a different bit size

Therefore, if a user gave an extra high value, then atoi() converted it into a negative value.

references

Fixes #3356 and #3352

side note

Now there is no hardcoded limit for these values. Besides that, if the admin gives a 0 (zero) value, then the engine allows unlimited bytes.

I want to stop this, which means if the value of these variables isn't set or is set to 0, then the value is 0 and the engine will allow only 0 bytes. Hopefully this will force the admin to set an explicit value.
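As an added illustration of the defect described above (not code from this PR or from ModSecurity, function names are hypothetical): a legacy-style parse that narrows the limit to a signed int, beside a range-checked unsigned 64-bit parse that rejects negative input, overflow and trailing junk.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

/* Legacy-style parse. atoi() has no overflow detection and its result is a
 * signed int, so a large byte count can come back negative. To keep the
 * demonstration well-defined we use strtoll() and then apply the same
 * narrowing to int that atoi() would. */
static int naive_limit(const char *s)
{
    long long v = strtoll(s, NULL, 10);
    return (int)v;   /* "4294967295" wraps to -1 on two's-complement targets */
}

/* Hardened parse: unsigned, 64-bit, range-checked, whole-string.
 * Returns 0 on success and stores the value in *out; returns -1 on
 * empty input, a sign prefix, overflow, or trailing garbage. */
static int parse_body_limit(const char *s, unsigned long long *out)
{
    char *end = NULL;
    unsigned long long v;

    if (s == NULL || *s == '\0')
        return -1;
    while (isspace((unsigned char)*s))
        s++;
    /* strtoull() silently accepts a leading '-' and negates the result,
     * so a negative limit must be rejected explicitly. */
    if (*s == '-' || *s == '+')
        return -1;

    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE)            /* value exceeds ULLONG_MAX */
        return -1;
    if (end == s || *end != '\0')   /* no digits, or junk after the number */
        return -1;
    *out = v;
    return 0;
}
```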

@airween airween self-assigned this Jul 14, 2025
@airween airween added 3.x Related to ModSecurity version 3.x WIP labels Jul 14, 2025
airween commented Jul 14, 2025

This PR is a work in progress.

@jonathansmith9485, @SonNgo2211, @EsadCetiner - please review this.

@EsadCetiner commented

@airween I just tested your PR and I'm still getting blocked by 200002, however this time the value is reported as 0 in the debug log

[175253424070.699027] [/remote.php/dav/files/esadc/] [5] Request body excluding files is bigger than the maximum expected. Limit: 0

airween commented Jul 15, 2025

> @airween I just tested your PR and I'm still getting blocked by 200002, however this time the value is reported as 0 in the debug log
>
> [175253424070.699027] [/remote.php/dav/files/esadc/] [5] Request body excluding files is bigger than the maximum expected. Limit: 0

Thanks, I can check this soon.

Successfully merging this pull request may close these issues.

libModSecurity3: requests are blocked when SecRequestBodyNoFilesLimit is set to a very high value