Description
Related to #1028, and in general, on HTTP request argument keys: The specification for URIs (Uniform Resource Identifiers), defined in RFC 3986: https://tools.ietf.org/html/rfc3986, states that all components of a URI after the domain name are case-sensitive. This includes the query string and its parameters (variables and values).
We are using the variable name as key in several collections. The key is specifically lowercased, for example here:
coraza/internal/corazawaf/rule.go
Line 531 in 21c1deb
and in the same method it is lowercased in other places. This change came from 998cc14, and we also have tests that check that things are case insensitive (see
coraza/internal/corazawaf/rule_test.go
Line 260 in 21c1deb
Looks like this was done somehow to be compatible with CRS tests. Now, if this is true, then we should do the right implementation ™️, and file a bug report with CRS so they can fix whatever is broken there.
To add more information, modsec2 uses an apr_table to store headers for example, and when using apr_table_get to obtain variables back again, the key to search for says "(case does not matter)".
Steps to reproduce
See related issue #1028.
Expected result
ARGS should be case sensitive.
Actual result
They are not.
CC @jptosso @jcchavezs
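The keying difference this issue describes, as an added Go example (not Coraza's code and not part of the original issue). `argCollection`, `loadQuery` and the sample query are hypothetical names and constructed input; the block shows which values a selector such as `ARGS:id` would inspect when argument names are lowercased versus kept as received.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample: three spellings of one argument name.
const sampleQuery = "id=1&ID=2&Id=3"

// argCollection: hypothetical stand-in for a WAF collection; foldCase lowercases keys.
type argCollection struct {
	foldCase bool
	data     map[string][]string
}

func (c *argCollection) key(name string) string {
	if c.foldCase {
		return strings.ToLower(name)
	}
	return name
}

// Get returns the values a selector such as ARGS:<name> would inspect.
func (c *argCollection) Get(name string) []string { return c.data[c.key(name)] }

// loadQuery stores each name=value pair of a raw query string, in request order.
func loadQuery(rawQuery string, foldCase bool) (*argCollection, error) {
	c := &argCollection{foldCase: foldCase, data: map[string][]string{}}
	for _, pair := range strings.Split(rawQuery, "&") {
		rawName, rawValue, _ := strings.Cut(pair, "=")
		name, err1 := url.QueryUnescape(rawName)
		value, err2 := url.QueryUnescape(rawValue)
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("bad percent-escape in %q", pair)
		}
		c.data[c.key(name)] = append(c.data[c.key(name)], value)
	}
	return c, nil
}

func main() {
	folded, _ := loadQuery(sampleQuery, true) // sampleQuery is constant and well-formed
	exact, _ := loadQuery(sampleQuery, false)
	fmt.Println("folded ARGS:id =", folded.Get("id"), "| exact ARGS:id =", exact.Get("id"))
}
```

With folded keys one selector sees all three values; with exact keys each spelling is its own variable, so a rule and the application behind the WAF only agree when both treat names the same way.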