Updating RequestBodyNoFilesLimit at runtime (feature request)
- ModSecurity version: 2.9.2
- Environment: Apache 2
The ctl action enables us to change ModSecurity configuration at runtime per transaction.
However, we're only able to update a limited number of configuration directives that are listed here.
This is a feature request to add ctl:requestBodyNoFilesLimit (see SecRequestBodyNoFilesLimit) to the editable configuration directives at runtime.
If there are several web services running under several sub-domains on the same server, some of them might need larger request body sizes than others. To optimize security and instead of changing the configuration directive globally, I'd prefer to be able to update this directive depending on (f.ex.) the request filename (or server name, ..., but at runtime).
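One way to get a per-vhost or per-path limit on 2.9.x while there is no ctl:requestBodyNoFilesLimit, as an added example that is not part of the original issue: scope the directive in the Apache configuration instead of changing it globally. The host name, paths and rule id below are constructed placeholders; it assumes the directive's scope is Any (as the 2.x reference manual lists it) and that ctl:requestBodyLimit, which does exist, is applied in phase 1 before the body is read.

```apache
# Server-wide defaults: modest budgets for every application on the box.
SecRequestBodyAccess On
SecRequestBodyLimit 13107200          # 12.5 MB including file parts
SecRequestBodyNoFilesLimit 131072     # 128 KB of non-file data

<VirtualHost *:443>
    ServerName cloud.example.test     # constructed placeholder host

    # Only this vhost's upload endpoint gets a larger non-file budget.
    # Both directives are raised together so the no-files limit never
    # exceeds the overall body limit in this scope.
    <Location "/api/upload/">         # constructed placeholder path
        SecRequestBodyLimit 209715200
        SecRequestBodyNoFilesLimit 104857600
    </Location>
</VirtualHost>

# Per-transaction tuning is already possible for the file-inclusive limit,
# because requestBodyLimit is one of the supported ctl targets.
# Rule id is a constructed placeholder in the local-use range.
SecRule REQUEST_FILENAME "@beginsWith /api/upload/" \
    "id:1000001,phase:1,pass,nolog,ctl:requestBodyLimit=209715200"
```

After reloading, a request that still trips the limit logs the same "Request body no files data length is larger than the configured limit" message with the scoped value, which confirms which block the transaction matched.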
Thank you @welljsjs. It is queued to be reviewed.
Any word on when this will be reviewed and merged? I could really use this feature.
This would be extremely useful with Nextcloud.
Nextcloud needs a much higher SecRequestBodyNoFilesLimit value, as it seems to intend this as the size of data including the file.
Here they seem to suggest they have fixed the problem, back in 2019, but actually the problem persists to this day.
In an environment with many applications, it's obviously not ideal to extend the limit for all, when only one application needs this workaround.
Hello @unalignedcoder,
I'm not sure I understand your second sentence. The whole point of SecRequestBodyLimit vs. SecRequestBodyNoFilesLimit is that the latter excludes files. (The focus of the difference is on multipart/part request bodies where one or more parts may be files but other parts may represent non-file data.)
With such multipart requests, it shouldn't be necessary to set SecRequestBodyNoFilesLimit higher because of "including the file".
Well, this is what Nextcloud seems to be doing. Unless I am misunderstanding something.
The audit log says: ModSecurity: Request body no files data length is larger than the configured limit (1002400)
But, as far as I can understand, it's really referring to the size of the file?
The message does indeed point to the limit as defined by SecRequestBodyNoFilesLimit. But the comparison is against the size of the request excluding multipart parts with a 'filename=' parameter.
This probably isn't subject for this thread, but I think it's possible Nextcloud is misusing that parameter... I don't see how the data when uploading can be so high as to trigger that limit, forcing the user to set SecRequestBodyNoFilesLimit ridiculously high.