@@ -292,21 +292,20 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
292292
293293
294294#
295- # Require Content-Length to be provided with every POST request.
295+ # Require Content-Length or Transfer-Encoding to be provided with
296+ # every POST request.
296297#
297298# -=[ Rule Logic ]=-
298- # This chained rule checks if the request method is POST, if so, it checks that a Content-Length
299- # header is also present.
300- #
301- # -=[ References ]=-
302- # https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5
299+ # This chained rule checks if the request method is POST, if so,
300+ # it checks that a Content-Length or Transfer-Encoding headers are
301+ # also present.
303302#
304303SecRule REQUEST_METHOD "@rx ^POST$" \
305304 "id:920180,\
306305 phase:2,\
307306 block,\
308307 t:none,\
309- msg:'POST request missing Content-Length Header .',\
308+ msg:'POST without Content-Length or Transfer-Encoding headers .',\
310309 logdata:'%{matched_var}',\
311310 tag:'application-multi',\
312311 tag:'language-multi',\
@@ -319,10 +318,11 @@ SecRule REQUEST_METHOD "@rx ^POST$" \
319318 severity:'WARNING',\
320319 chain"
321320 SecRule &REQUEST_HEADERS:Content-Length "@eq 0" \
322- "t:none,\
323- setvar:'tx.msg=%{rule.msg}',\
324- setvar:'tx.anomaly_score=+%{tx.notice_anomaly_score}',\
325- setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"
321+ "chain"
322+ SecRule &REQUEST_HEADERS:Transfer-Encoding "@eq 0" \
323+ "setvar:'tx.msg=%{rule.msg}',\
324+ setvar:'tx.anomaly_score=+%{tx.notice_anomaly_score}',\
325+ setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"
326326
327327
328328#
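Review bot: The new third link of the 920180 chain, `SecRule &REQUEST_HEADERS:Transfer-Encoding "@eq 0"`, only counts the header, so a POST with no Content-Length and a Transfer-Encoding whose final coding is not `chunked` (e.g. `Transfer-Encoding: gzip`) now passes although its body length is undefined and RFC 7230 §3.3.3 says such a request must be rejected. A follow-up rule should check that the value ends in `chunked` and, unless this file already has one, also reject requests that carry both Content-Length and Transfer-Encoding, since that combination is the request-smuggling pattern this relaxation makes easier to get past the WAF. The added link also drops the `t:none` that the Content-Length link and the rest of the file carry; for consistency write `SecRule &REQUEST_HEADERS:Transfer-Encoding "@eq 0" \` followed by `"t:none,\` before the setvar actions. The RFC 2616 reference block was removed rather than updated; keep a `# -=[ References ]=-` section and point it at `# https://tools.ietf.org/html/rfc7230#section-3.3`, which is the spec the new wording is actually enforcing. If this deployment terminates HTTP/2, a POST there legitimately has neither header, so this rule will likely need an exclusion for that traffic — an inference from the protocol, not from anything visible in the hunk.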
@@ -988,7 +988,7 @@ SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$" \
988988 chain"
989989 SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
990990 "capture,\
991- chain"
991+ chain"
992992 SecRule TX:0 "!@rx ^%{tx.allowed_request_content_type}$" \
993993 "t:none,\
994994 ctl:forceRequestBodyVariable=On,\