[dokuwiki] Re: AJAX Request content-type

> It's not a problem of POST or GET. The mod_security rule forbids
> access to requests using POST together with a certain Content-Type
> header. It's clearly a fault of that rule but might point to a
> problem in DokuWiki, which seems to send requests which aren't as
> RFC/standards compliant as they could be. That's why I asked for a bug
> report (to be sure the problem is tracked and not forgotten).

Okay I had a look at the headers and the rules you posted. There is a
problem with the second rule:

SecFilterSelective HTTP_Content-Type
"!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

The problem is the end-of-string anchor after
application/x-www-form-urlencoded - DokuWiki sends a valid header
there, specifying the used character encoding:

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

The rule above does not allow anything after the initial type which is
simply too strict. Forward this to your IT guys and ask them to honour the
HTTP specs when writing security rules. Their rule should be modified to

SecFilterSelective HTTP_Content-Type
"!(^$|^application/x-www-form-urlencoded|^multipart/form-data)"


Andi

-- 
http://www.splitbrain.org
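Added example, not part of the original post or of DokuWiki/mod_security: the script below runs the regex from each SecFilterSelective rule quoted above against constructed Content-Type headers, reproducing how the `$` anchor in the original rule rejects the header DokuWiki sends while the relaxed rule accepts it. The `!(...)` in SecFilterSelective negates the match, so a request is blocked whenever the regex does not match. A third pattern, TIGHT_RULE, is my own assumption rather than anything from the thread: it permits only `;`-introduced parameters after the media type, which keeps the relaxed rule from also matching unrelated types that merely start with the same prefix.

```python
import re

# Patterns inside the "!( ... )" of the two SecFilterSelective rules quoted
# in the post. mod_security negates the match, so the request is BLOCKED
# when the regex does NOT match the Content-Type header.
STRICT_RULE = r"^$|^application/x-www-form-urlencoded$|^multipart/form-data"
RELAXED_RULE = r"^$|^application/x-www-form-urlencoded|^multipart/form-data"

# Assumed tightening (not from the post): only allow ";"-introduced
# parameters after the media type, so a prefix-only match such as
# "application/x-www-form-urlencodedx" is still rejected.
TIGHT_RULE = (
    r"^$"
    r"|^application/x-www-form-urlencoded(;.*)?$"
    r"|^multipart/form-data(;.*)?$"
)


def rule_blocks(rule, content_type):
    """True if a SecFilterSelective rule of the form !(<rule>) would
    reject a request carrying this Content-Type value."""
    return re.search(rule, content_type) is None


# Constructed sample header values (not captured traffic).
SAMPLES = {
    "empty": "",
    "plain form": "application/x-www-form-urlencoded",
    "dokuwiki ajax": "application/x-www-form-urlencoded; charset=UTF-8",
    "multipart": "multipart/form-data; boundary=----abc",
    "json": "application/json",
    "bogus suffix": "application/x-www-form-urlencodedx",
}


def evaluate(rule):
    """Map each sample name to whether the given rule blocks it."""
    return {name: rule_blocks(rule, ct) for name, ct in SAMPLES.items()}


if __name__ == "__main__":
    for label, rule in (("strict", STRICT_RULE),
                        ("relaxed", RELAXED_RULE),
                        ("tight", TIGHT_RULE)):
        print(label)
        for name, blocked in evaluate(rule).items():
            print(f"  {name:15s} {'BLOCKED' if blocked else 'allowed'}")
```

Running it shows the strict rule blocking the "dokuwiki ajax" header (the `charset=UTF-8` parameter fails the `$` anchor) while still allowing the bare type, and the relaxed rule allowing both; the assumed tight variant allows the charset parameter but still blocks the "bogus suffix" case that the relaxed rule lets through.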
