Re: ModSecurity v2 Apache rules for directory servers



On Tue, 14 Aug 2007, Kyle Williams wrote:

>>   SecRule REQUEST_URI "!^/tor/server/authority$"                                       "chain,msg:'Badly formed uri'"
>>   SecRule REQUEST_URI "!^/tor/status/all$"                                             "chain"
>>   SecRule REQUEST_URI "!^/tor/running-routers$"                                        "chain"
>>   SecRule REQUEST_URI "!^/tor/dir\.z$"                                                 "chain"
>>   SecRule REQUEST_URI "!^/tor/server/(?>d|fp)/(?>[A-F0-9]{40})(?>\+[A-F0-9]{40})*\.z$" "chain"
>>   SecRule REQUEST_URI "!^/tor/status/fp/[A-F0-9]{40}(?>\+[A-F0-9]{40})*\.z$"

> Nice!  Thank you for that helpful information.
> I will definitely take note of that with the next version of JanusVM.
> Strict rules such as these are a very good idea, because it never hurts to
> check your input before processing it.

Actually they are horrible.  They already are out of date and would
reject proper directory requests.  Please don't do stuff like this.

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/