Walter Hop

icon indicating a website link https://lifeforms.nl/

icon company @SlikNL icon location The Netherlands icon location Slik CTO / OWASP Core Rule Set co-lead

Results 65 comments of Walter Hop

LFI path traversal rules using REQUEST_BODY cannot be excluded

As predicted I've got some FP complaints in CRS3 about this one, and it's impossible to write `ARGS` exclusions for it, except for disabling the whole rule :(

LFI path traversal rules using REQUEST_BODY cannot be excluded

Another false positive popped up in #783 which underscores that we really should check `ARGS` and not the whole `REQUEST_BODY`. Edit: if there are good reasons for scanning `REQUEST_BODY`, which...

LFI path traversal rules using REQUEST_BODY cannot be excluded

Another person was bitten by this problem in #1264. One big problem is the rule running on `REQUEST_BODY` instead of `ARGS`. Another problem with the rule is that `../` is...

LFI path traversal rules using REQUEST_BODY cannot be excluded

I wish I knew, BUT my patience with this rule is getting thin. Let's fix it in the next release.

Asynchronous Order Finalization: will this require a change?

I tested the current version out on LE's staging environment when it was enabled there, and found no problems with it - although I don't know if they actually forced...