Problem with OWASP CRS rule 920160 when msc_process_request_headers called

[dennus]

Hello!
I'm try to call msc_process_request_header for this request:

POST http://localhost:8081/xml_request_wrap HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 1539
Host: localhost:8081
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

But debug log contains this records:

[4] (Rule: 920160) Executing operator "Rx" with param "^\d+$" against REQUEST_HEADERS:Content-Length.
[6] Resolving: matched_var to: NULL
[9] Target value: "1539" (Variable: REQUEST_HEADERS:Content-Length)
[9] Matched vars updated.
[4] Running [independent] (non-disruptive) action: msg
[9] Saving msg: Content-Length HTTP header is not numeric.
[4] Running [independent] (non-disruptive) action: setvar
[6] Resolving: rule.msg to: Content-Length HTTP header is not numeric.
[8] Saving variable: TX:msg with value: Content-Length HTTP header is not numeric.
[4] Running [independent] (non-disruptive) action: setvar
[6] Resolving: tx.critical_anomaly_score to: 5
[8] Saving variable: TX:anomaly_score with value: 5
[4] Running [independent] (non-disruptive) action: setvar
[6] Resolving: rule.id to: 920160
[6] Resolving: matched_var_name to: REQUEST_HEADERS:Content-Length
[6] Resolving: matched_var to: 1539
[8] Saving variable: TX:920160-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-REQUEST_HEADERS:Content-Length with value: 1539

But 1539 is numeric value, what's wrong?

[zimmerle]

Hi @dennus,

A while ago we fixed an issue related to negation on Rx [free text input] operator. Are you running an up-to-date version?

I've managed to create an specific test case for this issue and it went well. Here: 1518c43

Do you mind to update your libModSecurity code and perform another test? In the process you may want to run a make check, just to make sure that this test is really passing.