Protocol enforcement 920180 does have problems with HTTP/2
mirkodziadzka-avi opened this issue
Description
When using HTTP/2, a valid request may have neither a content-length header nor a transfer-encoding header (because HTTP/2 is implicitly chunking at the protocol level).
To reproduce this, issue a
$ curl -k --http2 -H "Accept: text/html" -H "Content-Type: application/json" -H "Transfer-Encoding: chunked" -d '{}' https://server
against an HTTP/2-enabled backend.
This will trigger rule 920180 (because no content-length is set and no transfer-encoding header is set).
Your Environment
- CRS version: 3.2
- Paranoia level setting: 1
- ModSecurity version: own modified version, derived from 3.x
- Web Server and version: own server
- Operating System and version: linux
If needed, I will try to reproduce this with an nginx setup.
Workaround
The following additional rule fixed this for me:
SecRule REQUEST_PROTOCOL "@rx http/2" "phase:1,id:42,t:none,t:lowercase,pass,ctl:ruleRemoveById=920180"
I would propose to add this condition to 920180.
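As an added illustration (not code from the issue or from CRS), the following Python model replays the decision behind the false positive and the proposed fix. It assumes 920180 reduces to "POST with zero Content-Length and zero Transfer-Encoding headers", and applies the workaround rule's test (REQUEST_PROTOCOL lowercased, matched against the regex `http/2`) as a bypass; the request samples are constructed, not captured traffic.

```python
import re
from typing import Mapping

# Assumption: the real 920180 chains on REQUEST_METHOD being POST and on the
# header *counts* (&REQUEST_HEADERS:Content-Length, &REQUEST_HEADERS:Transfer-Encoding)
# both being zero. This model only reproduces that decision.
HTTP2_PROTOCOL = re.compile(r"http/2")  # same pattern as the workaround rule above


def header_count(headers: Mapping[str, str], name: str) -> int:
    """Mimic ModSecurity's &REQUEST_HEADERS:Name counter; header names are case-insensitive."""
    return sum(1 for h in headers if h.lower() == name.lower())


def rule_920180_matches(method: str, headers: Mapping[str, str]) -> bool:
    """True when a POST carries neither Content-Length nor Transfer-Encoding (the original check)."""
    return (
        method == "POST"
        and header_count(headers, "Content-Length") == 0
        and header_count(headers, "Transfer-Encoding") == 0
    )


def is_http2(protocol: str) -> bool:
    """The workaround's test: t:lowercase, then @rx http/2 on REQUEST_PROTOCOL."""
    return HTTP2_PROTOCOL.search(protocol.lower()) is not None


def should_flag(method: str, protocol: str, headers: Mapping[str, str]) -> bool:
    """920180 with the proposed condition: HTTP/2 frames bodies itself, so never flag there."""
    if is_http2(protocol):
        return False
    return rule_920180_matches(method, headers)


# Constructed sample requests. "HTTP/2.0" as the REQUEST_PROTOCOL value is an assumption.
H2_POST = ("POST", "HTTP/2.0", {"content-type": "application/json", "accept": "text/html"})
H11_POST_NO_LENGTH = ("POST", "HTTP/1.1", {"Content-Type": "application/json"})
H11_POST_CHUNKED = ("POST", "HTTP/1.1", {"Transfer-Encoding": "chunked"})
H2_GET = ("GET", "HTTP/2.0", {})

if __name__ == "__main__":
    for sample in (H2_POST, H11_POST_NO_LENGTH, H11_POST_CHUNKED, H2_GET):
        print(sample[:2], "original:", rule_920180_matches(sample[0], sample[2]),
              "with HTTP/2 exclusion:", should_flag(*sample))
```

The first sample is the issue's case: the unpatched check flags it, the patched one does not, while the HTTP/1.1 POST without any framing header is still flagged.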
Well observed. Thank you!