SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)

Home Page:https://modsecurity.org/crs


Protocol enforcement 920180 does have problems with HTTP/2

mirkodziadzka-avi opened this issue · comments

Description

When using HTTP/2, a valid request may have neither a Content-Length header nor a Transfer-Encoding header (because HTTP/2 is implicitly chunking on the protocol level).

To reproduce this, issue a

$ curl -k  --http2 -H "Accept: text/html" -H "Content-Type: application/json" -H "Transfer-Encoding: chunked" -d '{}' https://server

against an HTTP/2-enabled backend.

This will trigger rule 920180 (because no Content-Length header is set and no Transfer-Encoding header is set).

Your Environment

  • CRS version: 3.2
  • Paranoia level setting: 1
  • ModSecurity version: own modified version, derived from 3.x
  • Web Server and version: own server
  • Operating System and version: linux

If needed, I will try to reproduce this with an nginx setup.

Workaround

The following additional rule fixed this for me:

SecRule REQUEST_PROTOCOL "@rx http/2" "phase:1,id:42,t:none,t:lowercase,pass,ctl:ruleRemoveById=920180"

I would propose to add this condition to 920180.

Well observed. Thank you!
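To make the false positive concrete, here is a small Python model of the decision this issue describes (an added example, not CRS or ModSecurity code): rule 920180 flags a POST that carries neither Content-Length nor Transfer-Encoding, and the workaround's `@rx http/2` test over the lowercased REQUEST_PROTOCOL is applied as the proposed extra condition. The Transaction class, the sample header sets and the "HTTP/2.0" protocol string are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the ModSecurity variables that rule 920180 reads.
@dataclass
class Transaction:
    method: str                                   # REQUEST_METHOD
    protocol: str                                 # REQUEST_PROTOCOL, e.g. "HTTP/1.1" or "HTTP/2.0"
    headers: dict = field(default_factory=dict)   # REQUEST_HEADERS

    def has_header(self, name: str) -> bool:
        # ModSecurity matches header names case-insensitively.
        return any(k.lower() == name.lower() for k in self.headers)

def rule_920180_matches(tx: Transaction, exempt_http2: bool = False) -> bool:
    """Mirror of the 920180 logic described in the issue: a POST carrying
    neither Content-Length nor Transfer-Encoding is flagged. With exempt_http2
    the proposed HTTP/2 condition is checked first, using the same '@rx http/2'
    test over the lowercased protocol that the workaround rule uses."""
    if tx.method != "POST":
        return False
    if exempt_http2 and re.search(r"http/2", tx.protocol.lower()):
        return False   # HTTP/2 frames the body itself; neither header is required
    return not tx.has_header("Content-Length") and not tx.has_header("Transfer-Encoding")

# Constructed samples. HTTP/2 does not carry a Transfer-Encoding header on the
# wire, so the curl request from the issue arrives with neither header set.
HTTP1_POST_BARE = Transaction("POST", "HTTP/1.1",
                              {"Accept": "text/html", "Content-Type": "application/json"})
HTTP1_POST_LEN = Transaction("POST", "HTTP/1.1",
                             {"content-length": "2", "Content-Type": "application/json"})
HTTP2_POST = Transaction("POST", "HTTP/2.0",
                         {"Accept": "text/html", "Content-Type": "application/json"})

def evaluate_all() -> dict:
    """Return (rule as shipped, rule with the HTTP/2 condition) per sample."""
    samples = [("http1_bare", HTTP1_POST_BARE), ("http1_len", HTTP1_POST_LEN), ("http2", HTTP2_POST)]
    return {name: (rule_920180_matches(tx), rule_920180_matches(tx, exempt_http2=True))
            for name, tx in samples}

if __name__ == "__main__":
    for name, (shipped, patched) in evaluate_all().items():
        print(f"{name:10s} shipped={shipped} with_http2_condition={patched}")
```

The HTTP/1.1 POST without either header is still flagged with the condition in place, so the exemption removes only the HTTP/2 false positive.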