
Mailing List Archive: Varnish: Bugs

#1121: Escaped double quote mark within a regex is not recognized

 

 



varnish-bugs at varnish-cache

Apr 2, 2012, 11:40 PM


#1121: Escaped double quote mark within a regex is not recognized
----------------------+-----------------------------------------------------
Reporter: gnotaras | Type: defect
Status: new | Priority: normal
Milestone: | Component: build
Version: 3.0.2 | Severity: normal
Keywords: |
----------------------+-----------------------------------------------------
I tried to use the following check (taken from mod_security's core
ruleset) to detect command injection attacks. The VCL compiler throws an
error.

default.vcl:
{{{
if (req.url ~
    "(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))") {
    error 403 "Forbidden";
}
}}}

vcl compiler error:

{{{
# varnishd -f default.vcl -d
Message from VCC-compiler:
Syntax error at
('input' Line 124 Pos 72)
if (req.url ~
"(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))") {
-----------------------------------------------------------------------#------------------

Running VCC-compiler failed, exit 1

VCL compilation failed
}}}

If I remove the escaped double quote from within the regex, the rule
becomes:

{{{
req.url ~
"(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\|\;\`\-\s]|$))"
}}}

And the VCL compiler validates it properly without errors.

--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/1121>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator

_______________________________________________
varnish-bugs mailing list
varnish-bugs [at] varnish-cache
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-bugs


varnish-bugs at varnish-cache

Apr 3, 2012, 6:41 AM


Comment(by ruben):

@gnotaras

You should try and see if Security VCL doesn't already do what you are
trying to achieve:
https://github.com/comotion/security.vcl

Good luck!

--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/1121#comment:1>


varnish-bugs at varnish-cache

Apr 3, 2012, 7:32 AM


Comment(by gnotaras):

@ruben, thanks for your suggestion. It is an excellent project!

--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/1121#comment:2>


varnish-bugs at varnish-cache

Apr 23, 2012, 9:39 AM


#1121: Escaped double quote mark within a regex is not recognized
-------------------------+--------------------------------------------------
Reporter: gnotaras | Type: defect
Status: closed | Priority: normal
Milestone: | Component: build
Version: 3.0.2 | Severity: normal
Resolution: worksforme | Keywords:
-------------------------+--------------------------------------------------
Changes (by phk):

* status: new => closed
* resolution: => worksforme


Comment:

In general: use "long-strings" in VCL: they don't need quoting for magic
chars.

{{{
if (req.url ~ {"No Quote Problem "foobar" -- See ? "}) {
}}}

--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/1121#comment:3>
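
The long-string advice from the closing comment, applied to the rule in the original report. This is an added example, not code from the thread or from the Varnish project; placing the check in `vcl_recv` is an assumption, and the syntax is that of the 3.0.x series the ticket was filed against.

```vcl
sub vcl_recv {
    # A VCL long string starts with {" and ends with "}. Everything in
    # between is handed to the regex engine unchanged, so the double
    # quote inside the character class no longer ends the string.
    #
    # The pattern is byte-for-byte the one from the report, including
    # the \" in the last character class. PCRE reads \" as a literal
    # double quote, so the rule keeps matching /cc" as the original
    # ruleset intended, unlike the workaround that drops the quote.
    if (req.url ~ {"(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))"}) {
        error 403 "Forbidden";
    }

    # Limitation: a long string ends at the first "} sequence, so a
    # pattern that itself contains a double quote followed by } cannot
    # be written this way. In that case the quote can be written as the
    # PCRE hex escape \x22 inside a regular "..." string instead.
}
```

The file can be checked the same way as in the report, with `varnishd -f default.vcl -d`, before it is loaded into a running instance.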
