Andrew Howe
Is the issue that "nightly" on Apache is not up to date? That would be a nice and easy answer :smile: I spoke briefly to @theMiddleBlue about this the other...
```
# This value should be greater than or equal to any block durations or timeouts
# set by plugins that make use of ModSecurity's persistent collections (e.g. the
#...
```
As far as I know, the latest and greatest documentation we have regarding plugins is here: https://coreruleset.org/docs/configuring/plugins/ This is based on the CRS blog post announcing plugins and how to...
I'm not sure why the tests are failing… Should we add a back-reference to the associated rule in crs-setup.conf? Like:

```
# Default check for UTF8 encoding validation (rule 900950...
```
That request works fine for me. Tested successfully against ModSecurity2 on Apache and ModSecurity3 on nginx. This: `` Operator `Rx' with parameter `^\d+$' against variable `REQUEST_HEADERS:Content-Length' (Value: `542' ) [msg...
@fzipi But what about rule 933200? I've just updated rule 933200 where the wrappers are. See: #2723
```
# Forbidden file extensions.
# Guards against unintended exposure of development/configuration files.
```

Are we arguing that anything ending in .tar and .bz2 is a "development/configuration" file? Those are common,...
@fzipi I think there are a couple of common Linux-y formats missing here (e.g. xz). Is there a sensible way to add test cases here? The rule is commented-out by...
Actually, I see that the original bug bounty assessment said

> - Tests (none or some or adequate) : N/A

so I guess we already concluded that this is impossible...
Maybe this could be a useful source to use: https://en.wikipedia.org/wiki/List_of_archive_formats