This repository was archived by the owner on May 14, 2020. It is now read-only.

@pyllyukko
Contributor

Issue

Modifying contacts triggers an XML parsing error (rule 200002 in modsecurity.conf) which can be whitelisted in REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf.

Background

Software Version
CRS 3.2.0
ModSecurity 3.0.4
Nextcloud 18.0.3

Reproduction

  • Open contacts app in Nextcloud
  • Select some contact
  • Click on some contact detail (like phone number) to edit it
  • Change the value
  • "Exit" the contact detail field editing by clicking elsewhere

This will trigger an HTTP PUT request into /remote.php/dav/addressbooks/users/<username>/contacts/<some-uuid>.vcf that has Content-Type: application/xml and has the contact vCard (which of course isn't XML) in its body.

Fix

This PR disables 200002 with PUT requests into addressbooks.

SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
"t:none,\
ctl:ruleRemoveById=200002"
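
Review bot: the `@contains /remote.php/dav/addressbooks/` operator on the REQUEST_FILENAME line is wider than the request the description reproduces, because it matches any path that contains that string, and these three lines carry no condition on the PUT method or on the `.vcf` suffix. Since `ctl:ruleRemoveById=200002` switches off the rule the description identifies as the XML parsing error check for every request that matches, please confirm the PUT condition sits in a chained parent rule above these lines, and consider also requiring the path to end in `.vcf` so other DAV requests under addressbooks keep the check. A short comment above the rule saying that the Contacts app sends a vCard body with Content-Type: application/xml would explain to later readers why 200002 is removed here.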

Contributor Author

Just noticed that there should be an additional newline here to end the "section" to be consistent with the rest of this file.

@franbuehler
Contributor

In the monthly chat meeting from May 4 we decided to merge this PR:
#1749 (comment)
