Hi,
> I remember I already tried with latest, still same as there is no diff actually.
To be clear: the point is that the rule set you're quoting and linking
to is quite old and unsupported.
If you're working with a real world (e.g. internet facing) CRS
deployment then you really want to be using an up-to-date CRS release,
which brings bug fixes, security patches, and more.
Splitting or modifying CRS rules is a bad idea. That effectively
creates a fork of the rule set, which you then need to maintain
yourself in the future.
It sounds like you need a conditional runtime rule exclusion to
exclude the specific variable you're having trouble with from rule
920120, but only *if* a specific condition is met (it sounds like you
want to look into using a regular expression to do pattern matching).
We have some advice on that here:
https://coreruleset.org/docs/configuring/false_positives_tuning/
(search for the 'Tip' block that starts: "It’s possible to write a
conditional rule exclusion").
If you're still having trouble then share an error log line of the
problem you're having with rule 920120 so that we can see precisely
what the issue is you're facing. (If you do, *make sure to remove any
sensitive information* before posting a log entry here in public.)
Thanks,
Andrew