From f9d446bdb90b54ed3215c4b90ea2aab2f4c7892e Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Fri, 1 Feb 2019 23:11:56 +0000
Subject: [PATCH 1/2] Fixed data collecting in multipart parsing

---
 src/request_body_processor/multipart.cc | 4 +-
 test/test-cases/regression/rule-920120.json | 65 +++++++++++++++++++++
 2 files changed, 67 insertions(+), 2 deletions(-)
 create mode 100644 test/test-cases/regression/rule-920120.json

diff --git a/src/request_body_processor/multipart.cc b/src/request_body_processor/multipart.cc
index f302720aeb..37919128ad 100644
--- a/src/request_body_processor/multipart.cc
+++ b/src/request_body_processor/multipart.cc
@@ -1080,8 +1080,8 @@ int Multipart::multipart_complete(std::string *error) {
 m_transaction->m_variableFiles.set(m->m_filename, m->m_filename, m->m_filenameOffset);
- m_transaction->m_variableFilesNames.set(m->m_filename,
- m->m_filename, m->m_filenameOffset);
+ m_transaction->m_variableFilesNames.set(m->m_name,
+ m->m_name, m->m_nameOffset);
 m_transaction->m_variableFilesSizes.set(m->m_name, std::to_string(m->m_tmp_file_size.first),
diff --git a/test/test-cases/regression/rule-920120.json b/test/test-cases/regression/rule-920120.json
new file mode 100644
index 0000000000..cdc437074f
--- /dev/null
+++ b/test/test-cases/regression/rule-920120.json
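Review bot: The keys of the three FILES* collections now disagree: the new lines key `m_variableFilesNames` by the part's field name and the context line below already keys `m_variableFilesSizes` by `m->m_name`, but the context line above still keys `m_variableFiles` by the client-supplied `m->m_filename`, so a file's name, field and size can no longer be correlated by key across the three collections. If the intended convention is one entry per form field, `m_transaction->m_variableFiles.set(m->m_name, m->m_filename, m->m_filenameOffset);` would be the consistent form; that line is untouched by this commit, so there may be a reason it is keyed differently that is not visible here. The accompanying rule-920120.json test exercises the case that motivated the fix — a field name such as `fi;le` was previously never placed in FILES_NAMES at all (the collection held the filename twice), so rules inspecting field names for injection characters could not fire — though the rule's regex is cut off in this copy of the patch and I cannot confirm what it matches. A comment above the two `set` calls, e.g. `// FILES holds the client-supplied filename; FILES_NAMES holds the form-field name it was uploaded under`, would document the distinction the fix relies on. multipart_complete continues outside the hunk on both sides.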
@@ -0,0 +1,65 @@
+[
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Testing Variables :: OWASP CRS id:920120",
+ "client":{
+ "ip":"200.249.12.31",
+ "port":123
+ },
+ "server":{
+ "ip":"200.249.12.31",
+ "port":80
+ },
+ "request":{
+ "headers":{
+ "Host":"localhost",
+ "User-Agent":"curl/7.38.0",
+ "Accept-Language":"en-us,en;q=0.5",
+ "Accept":"*/*",
+ "Content-Length":"411",
+ "Content-Type":"multipart/form-data; boundary=---------------------------265001916915724",
+ "Proxy-Connection":"keep-alive",
+ "Keep-Alive":"300"
+ },
+ "uri":"/",
+ "method":"POST",
+ "body": [
+ "-----------------------------265001916915724\r",
+ "Content-Disposition: form-data; name=\"fi;le\"; filename=\"test\"\r",
+ "Content-Type: application/octet-stream\r",
+ "\r",
+ "Rotem & Ayala\r",
+ "\r",
+ "-----------------------------265001916915724\r",
+ "Content-Disposition: form-data; name=\"name\"\r",
+ "\r",
+ "tt2\r",
+ "-----------------------------265001916915724\r",
+ "Content-Disposition: form-data; name=\"B1\"\r",
+ "\r",
+ "Submit\r",
+ "-----------------------------265001916915724--\r"
+ ]
+ },
+ "response":{
+ "headers":{
+ "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+ "Content-Type":"text/html"
+ },
+ "body":[
+ "no need."
+ ]
+ },
+ "expected":{
+ "http_code":400
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecDefaultAction \"phase:2,deny,block,status:400,log\"",
+ "SecRule FILES_NAMES|FILES \"@rx (?
Date: Sat, 2 Feb 2019 11:30:22 +0000
Subject: [PATCH 2/2] Modified affected test cases, which checked wrong variables

---
 test/test-cases/regression/offset-variable.json | 4 ++--
 test/test-cases/regression/variable-FILES_NAMES.json | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/test/test-cases/regression/offset-variable.json b/test/test-cases/regression/offset-variable.json
index 257dac198a..99c9e19a71 100644
--- a/test/test-cases/regression/offset-variable.json
+++ b/test/test-cases/regression/offset-variable.json
@@ -1511,11 +1511,11 @@
 ]
 },
 "expected":{
- "error_log":"o0,15v512,20t:trim"
+ "error_log":"o0,8o0,8v491,8t:trimo0,16o0,16v709,16t:trim"
 },
 "rules":[
 "SecRequestBodyAccess On",
- "SecRule FILES_NAMES \"small_text_file\" \"id:1,phase:3,pass,t:trim,msg:'s'\""
+ "SecRule FILES_NAMES \"(fiasdfasdfledata|filedata)\" \"id:1,phase:3,pass,t:trim,msg:'s'\""
 ]
 },
 {
diff --git a/test/test-cases/regression/variable-FILES_NAMES.json b/test/test-cases/regression/variable-FILES_NAMES.json
index ef19575d34..fcf95ed972 100644
--- a/test/test-cases/regression/variable-FILES_NAMES.json
+++ b/test/test-cases/regression/variable-FILES_NAMES.json
@@ -51,11 +51,11 @@
 ]
 },
 "expected":{
- "debug_log":"T \\(0\\) t:trim: \"small_text"
+ "debug_log":"T \\(0\\) t:trim: \"filedata"
 },
 "rules":[
 "SecRuleEngine On",
- "SecRule FILES_NAMES \"@contains small_text_file.txt\" \"id:1,phase:3,pass,t:trim\""
+ "SecRule FILES_NAMES \"@contains filedata\" \"id:1,phase:3,pass,t:trim\""
 ]
 }
 ]