-
Notifications
You must be signed in to change notification settings - Fork 725
According to the RFC 3902 (application/soap+xml) #721
Conversation
Thank you @emphazer. Looks good to me. It would make sense to include this for 3.0.1, I think. Tagging. |
@dune73 it would make no sense to keep allowing text/xml for SOAP 1.1 We had several false alerts with PHP 7 and the SOAP module. This RFC is the new SOAP standard since 2014. I guess it should be also a good idea to apply application/soap+xml content-type at the standard modsecurity xml processor rule 200000. :-) Are you with me? What do you think? |
@emphazer this looks good, before I merge it I should note that in order to process this as XML you'll need to add it to the ModSecurity.conf-recc file also, is it there? |
@csanders-git Well, i modified the rule 200000 on a test sxstem already. |
Alright i'll make a PR for the main project as well :) |
Thanks! |
@csanders-git |
As was talked about by @emphazer in SpiderLabs/owasp-modsecurity-crs#721, RFC 3902 adds support for the application/soap+xml header used by SOAP 1.2.
@emphazer you're famous -- owasp-modsecurity/ModSecurity#1374, but really thanks for the info and the suggested fix! At this point we should hold off merging this until modsecurity merges it because otherwise it can lead to all sorts of weirdness. Thoughts? |
Allowing soap+xml and parsing soap+xml are two different pairs of shoes if you ask me. If we hold off the merge, don't we have to hold off until our users have updated 200'000? However, if all you want is commitment by the ModSec project to follow suit, then that sounds acceptable. What we should definitely do is highlight the need to change 200'000 in the release notes. |
@dune73 I think updating the notes is necessarily, my main concern is if we add this and people think they are getting protection when they are not. At least if we just wait for @zimmerle to merge the change into the rolling branch we can say that it will work as expected with the latest modsecurity development build and you should manually add it if you're using an older branch (and since it's recommended modsecurity.conf, i don't see a problem) Thoughts? |
Agreed. |
As was talked about by @emphazer in SpiderLabs/owasp-modsecurity-crs#721, RFC 3902 adds support for the application/soap+xml header used by SOAP 1.2.
As was talked about by @emphazer in SpiderLabs/owasp-modsecurity-crs#721, RFC 3902 adds support for the application/soap+xml header used by SOAP 1.2.
This is ready to push pending a change to the documentation. Let me write up something quick and you can tell me if it makes sense |
remember that time I wrote something up and didn't paste it ... sorry. Note: As of CRS version 3.0.1 support has been added for the application/soap+xml MIME type by default, as specified in RFC 3902. OF IMPORTANCE, application/soap+xml is indicative that XML will be provided. In accordance with this, ModSecurity's XML Request Body Processor should also be configured to support this MIME type. Within the ModSecurity project, commit 5e4e2af (owasp-modsecurity/ModSecurity@5e4e2af) has been merged to support this endevour. However, if you are running a modified or preexisting version of the modsecurity.conf provided by this repository, you may wish to upgrade rule '200000' accordingly. The rule now appears as follows:
|
Sounds good to me. |
Sounds really good |
@csanders-git did you hear from @zimmerle with regards to rule id 200,000? I'd hate to miss 3.0.1 with this bugfix because the ModSec project is not committing. |
Hi @dune73, what @csanders-git should hear [or not] from me that cannot be discussed here? |
Hi @zimmerle. Good to have you join the conversation here. It's this remark from @csanders-git above. I only check ModSec issue 1374 just now and apparently you have committed the change last week. Thank you. So under the line, I conclude we are ready to merge. @csanders-git? |
We're good to merge, and i'll make a separate quick change to the docs. |
Good plan. Thanks for merging. |
According to the RFC 3902 (application/soap+xml) shoud be also allowed.
https://www.ietf.org/rfc/rfc3902.txt