```
curl -v -X POST http://localhost:9000/ --data 'This is my test-data having content-length: 47.'
Trying [::1]:9000...
Connected to localhost (::1) port 9000
POST / HTTP/1.1
Host: localhost:9000
User-Agent: curl/7.71.1-DEV
Accept: */*
Content-Length: 47
Content-Type: application/x-www-form-urlencoded

HTTP/1.1 413 Request Entity Too Large
Date: Mon, 22 Apr 2024 12:18:11 GMT
Content-Length: 0
```
```go
// We should skip checking this: requestBodyBuffer.length+writingBytes is already checked against tx.RequestBodyLimit.
// if tx.requestBodyBuffer.length == tx.RequestBodyLimit {
// 	if tx.WAF.RequestBodyLimitAction == types.BodyLimitActionReject {
// 		return setAndReturnBodyLimitInterruption(tx)
// 	}
// }
```
Description
SecRequestBodyLimitAction Reject should reject TX if it has request body content-length greater than configured SecRequestBodyLimit.
Steps to reproduce
Set below configuration:
Send data with content-length 47 (configured)
I have an HTTP server wrapped with Coraza running on localhost:9000.
Expected result
It should interrupt only if content-length is more than configured SecRequestBodyLimit. Anything over the limit should be rejected. Ref: https://coraza.io/docs/seclang/directives/#secrequestbodylimit
Actual result
It is getting blocked. The current condition checks if tx.reqBodyBuffer.length == tx.RequestBodyLimit and creates an interruption.
It should succeed with 200 OK.
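The boundary condition reported above, as an added Go example that is not Coraza's code: a simplified body buffer showing that an over-limit check alone admits the 47-byte payload at a limit of 47, while an additional equality check refuses it. The names `bodyBuffer`, `admit` and `rejectAtLimit` are hypothetical, and where the equality check sits in the real write path is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

var errBodyTooLarge = errors.New("request body over limit")

// bodyBuffer is a hypothetical, simplified model of a WAF request body buffer.
type bodyBuffer struct {
	limit, length int
	rejectAtLimit bool // true models the equality check described in the issue
}

// write accepts a chunk only while the running total stays within the limit.
func (b *bodyBuffer) write(p []byte) error {
	if b.length+len(p) > b.limit {
		return errBodyTooLarge // strictly over the limit: Reject applies
	}
	b.length += len(p)
	if b.rejectAtLimit && b.length == b.limit {
		return errBodyTooLarge // boundary bug: a body exactly at the limit is refused
	}
	return nil
}

// admit streams body into a fresh buffer in chunks and reports the outcome.
func admit(body []byte, limit, chunk int, rejectAtLimit bool) error {
	b := &bodyBuffer{limit: limit, rejectAtLimit: rejectAtLimit}
	for off := 0; off < len(body); off += chunk {
		end := off + chunk
		if end > len(body) {
			end = len(body)
		}
		if err := b.write(body[off:end]); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	body := []byte("This is my test-data having content-length: 47.") // payload from the issue
	for _, limit := range []int{46, 47, 48} {
		fmt.Printf("limit=%d  over-limit check only: %v | with equality check: %v\n",
			limit, admit(body, limit, 16, false), admit(body, limit, 16, true))
	}
}
```

A regression test for this kind of limit should cover three body sizes: one byte under, exactly at, and one byte over the configured value.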