SpiderLabs
diff --git a/‎crs-setup.conf.example‎
Lines changed: 11 additions & 1 deletion b/‎crs-setup.conf.example‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎rules/REQUEST-901-INITIALIZATION.conf‎
Lines changed: 3 additions & 1 deletion b/‎rules/REQUEST-901-INITIALIZATION.conf‎
Lines changed: 3 additions & 1 deletion
@@ -425,6 +425,16 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #  t:none,\
 #  setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
 
+# Locations that will be inspected to enforce only images and documents uploads.
+# Default: /wp-admin/upload.php /wp-admin/media-new.php
+# Uncomment this rule to change the default set in 901180
+#SecAction \
+# "id:900270,\
+#  phase:1,\
+#  nolog,\
+#  pass,\
+#  t:none,\
+#  setvar:'tx.protected_uploads=#/wp-admin/upload.php# #/wp-admin/media-new.php#'"
 
 #
 # -- [[ HTTP Argument/Upload Limits ]] -----------------------------------------
@@ -802,4 +812,4 @@ SecAction \
   nolog,\
   pass,\
   t:none,\
-  setvar:tx.crs_setup_version=302"
+  setvar:tx.crs_setup_version=310"
@@ -202,7 +202,9 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
     nolog,\
     setvar:'tx.enforce_bodyproc_urlencoded=0'"
 
-SecAction \
+# If a default protected_uploads variable is not set in crs-setup rule 900270
+# then a generic default will be set here.
+SecRule &TX:protected_uploads "@eq 0" \
     "id:901180,\
     phase:1,\
     pass,\