Quote in file name violates SecRule FILES_NAMES|FILES


Phan Thanh Bình

Jan 12, 2022, 10:59:32 PM
to ModSecurity Core Rule Set project
Hi,

When uploading a file with the name user's data.docx, it violates this rule, SecRule FILES_NAMES|FILES: https://github.com/coreruleset/coreruleset/blob/v3.0.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L100

So according to OWASP, the file name should not include the quote ', right?
And with this fix: https://github.com/SpiderLabs/ModSecurity/pull/2661 , will it be able to allow this file, user's data.docx, or not?
Thanks.

Andrew Howe

Jan 13, 2022, 1:42:01 PM
to Phan Thanh Bình, ModSecurity Core Rule Set project
Hi,

> And with this fix: https://github.com/SpiderLabs/ModSecurity/pull/2661 , will it be able to allow this file, user's data.docx, or not?

The comment added to CHANGES says:
"Multipart names/filenames may include single quote if double-quote enclosed".

From that, I think it would depend whether your file name arrives as
user's data.docx
which would not work, or
"user's data.docx"
which should be okay.

> When uploading a file with the name user's data.docx, it violates this rule, SecRule FILES_NAMES|FILES: https://github.com/coreruleset/coreruleset/blob/v3.0.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L100
> So according to OWASP, the file name should not include the quote ', right?

That's CRS version 3.0.2: it's almost 5 years old and no longer
supported. You should seriously consider using the latest stable CRS
release, v3.3.2:
https://github.com/coreruleset/coreruleset/releases/tag/v3.3.2

Rule 920120 should match on a single quote ( ' ) in a file name.

If you're encountering *false positives* with rule 920120 then you
will need to tune your CRS installation by using rule exclusions. We
have extensive documentation to help with that, which you can find
here: https://coreruleset.org/docs/configuring/false_positives_tuning/

Thanks,
Andrew

Phan Thanh Bình

Jan 14, 2022, 4:39:57 AM
to ModSecurity Core Rule Set project, rubyre...@gmail.com, ModSecurity Core Rule Set project, Phan Thanh Bình
I remember I already tried with the latest; it is still the same, as there is no diff actually.

Related to false positives and exclusions: can we split this rule, https://github.com/coreruleset/coreruleset/blob/v3.0.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L100 , and, if the file name contains a single quote and that part is exactly user's, make it pass?

Andrew Howe

Jan 14, 2022, 8:33:20 AM
to Phan Thanh Bình, ModSecurity Core Rule Set project
Hi,

> I remember I already tried with the latest; it is still the same, as there is no diff actually.

To be clear: the point is that the rule set you're quoting and linking
to is quite old and unsupported.

If you're working with a real world (e.g. internet facing) CRS
deployment then you really want to be using an up-to-date CRS release,
which brings bug fixes, security patches, and more.

> Related to false positives and exclusions: can we split this rule, https://github.com/coreruleset/coreruleset/blob/v3.0.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L100 , and, if the file name contains a single quote and that part is exactly user's, make it pass?

Splitting or modifying CRS rules is a bad idea. That effectively
creates a fork of the rule set, which you then need to maintain
yourself in the future.

It sounds like you need a conditional runtime rule exclusion to
exclude the specific variable you're having trouble with from rule
920120, but only *if* a specific condition is met (it sounds like you
want to look into using a regular expression to do pattern matching).

We have some advice on that here:
https://coreruleset.org/docs/configuring/false_positives_tuning/
(search for the 'Tip' block that starts: "It’s possible to write a
conditional rule exclusion").

If you're still having trouble then share an error log line of the
problem you're having with rule 920120 so that we can see precisely
what the issue is you're facing. (If you do, *make sure to remove any
sensitive information* before posting a log entry here in public.)

Thanks,
Andrew
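An added example of the conditional runtime rule exclusion Andrew describes (it is not from the thread or the CRS documentation), assuming the upload endpoint, form field name, rule id and file-name pattern stated in the comments:

```apache
# Added example: a conditional runtime rule exclusion for CRS rule 920120.
# Place it in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (or any file loaded
# before the CRS rules) so that it is evaluated before 920120 runs.
#
# Assumptions (not from the thread): the upload form posts to /upload, the
# file input is named "document", rule id 10920 is unused locally, and the
# only apostrophe-bearing file names that should pass look like
# "user's data.docx".
SecRule REQUEST_URI "@beginsWith /upload" \
    "id:10920,\
    phase:2,\
    pass,\
    nolog,\
    chain"
    # Phase 2 is required: FILES is only populated once the multipart body
    # has been parsed. The ctl action sits on the last rule of the chain, so
    # it only fires when every link of the chain has matched.
    # The pattern allows word characters, spaces and hyphens, exactly one
    # apostrophe followed by "s", and a .docx extension; nothing else.
    SecRule FILES:document "@rx ^[\w -]+'s [\w -]+\.docx$" \
        "t:none,\
        ctl:ruleRemoveTargetById=920120;FILES:document"
```

Only the FILES:document target is removed from 920120: FILES_NAMES, every other file field and any file name with a quote in another position are still inspected by the rule, and the CRS rule file itself is left unmodified, so upgrades stay painless.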