# ------------------------------------------------------------------------
# OWASP CRS ver.4.24.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2026 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#

# This file is to address the 3UWMWA6W vulnerability.
# It requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports
# of the security fixes in these versions) or a compatible engine supporting these changes.
#
# If you cannot upgrade ModSecurity, this file will cause ModSecurity to fail to start.
# In that case, you can temporarily delete this file. However, you will be missing
# protection from these rules. Therefore, we recommend upgrading your engine instead.

# The rules in this file will be part of the 920 / 921 in the future.

# Only allow specific charsets when using "_charset_"
# Note: this is in phase:2 because these are headers that come in the body
SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
    "id:922100,\
    phase:2,\
    block,\
    t:none,\
    msg:'Multipart content type global _charset_ definition is not allowed by policy',\
    logdata:'Matched Data: %{ARGS._charset_}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-multipart-header',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/MULTIPART-ATTACK',\
    tag:'capec/1000/255/153',\
    ver:'OWASP_CRS/4.24.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.922100_charset=|%{ARGS._charset_}|',\
    chain"
    SecRule TX:922100_CHARSET "!@within %{tx.allowed_request_content_type_charset}" \
        "t:lowercase,\
        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


# Only allow specific charsets same as Rule 920600
# Note: this is in phase:2 because these are headers that come in the body
#
# How do these rules work:
# * rule 922140 sets the multipart counter TX variable to 0
#   note that this is why does not matter if more parts have the same name - see rule's test
# * rule 922150 collects all multipart headers' 'Content-Type' value
#   eg. 'text/plain; charset=utf-8'
# * rule 922110 checks all the collected headers' content type and charset
#
SecRule &MULTIPART_PART_HEADERS "@gt 0" \
    "id:922140,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    tag:'attack-multipart-header',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/MULTIPART-ATTACK',\
    ver:'OWASP_CRS/4.24.0-dev',\
    setvar:'tx.multipart_headers_content_counter=0'"

SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \
    "id:922150,\
    phase:2,\
    pass,\
    capture,\
    t:none,t:lowercase,\
    nolog,\
    tag:'attack-multipart-header',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/MULTIPART-ATTACK',\
    ver:'OWASP_CRS/4.24.0-dev',\
    setvar:'tx.multipart_headers_content_types_%{tx.multipart_headers_content_counter}=%{tx.1}',\
    setvar:'tx.multipart_headers_content_counter=+1'"

# Regular expression generated from regex-assembly/922110.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 922110
SecRule TX:/MULTIPART_HEADERS_CONTENT_TYPES_*/ "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \
    "id:922110,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'Illegal MIME Multipart Header content-type: charset parameter',\
    logdata:'Matched Data: %{MATCHED_VAR} found within Content-Type multipart form',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-multipart-header',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/MULTIPART-ATTACK',\
    tag:'capec/272/220',\
    ver:'OWASP_CRS/4.24.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7)
# Note: this is in phase:2 because these are headers that come in the body
SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
    "id:922120,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used',\
    logdata:'Matched Data: %{TX.0}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-multipart-header',\
    tag:'attack-deprecated-header',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/MULTIPART-ATTACK',\
    tag:'capec/272/220',\
    ver:'OWASP_CRS/4.24.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# Multipart header names can't contain any characters outside of range 33 and 126,
# excluding 58 (':') which is the separator.
# RFC 2045 refers RFC 822 about the header syntax.
# Note: this is in phase:2 because these are headers that come in the body
SecRule MULTIPART_PART_HEADERS "@rx [^\x21-\x7E][\x21-\x39\x3B-\x7E]*:" \
    "id:922130,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'Multipart header contains characters outside of valid range',\
    logdata:'Matched Data: %{TX.0}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-multipart-header',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/MULTIPART-ATTACK',\
    tag:'capec/272/220',\
    ver:'OWASP_CRS/4.24.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"