php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #58970 Incompatible with mod_security2
Submitted: 2009-12-02 13:54 UTC Modified: 2020-01-26 01:03 UTC
From: blepore at igniteworldwide dot com Assigned: ramsey (profile)
Status: Assigned Package: uploadprogress (PECL)
PHP Version: 5.2.6 OS: CentOs
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2009-12-02 13:54 UTC] blepore at igniteworldwide dot com
Description:
------------
No temp file is created when mod_security2 is enabled.

Possible cause that I have found is that PHP writes to a different file name in the user's temp directory when mod_security is enabled compared to when it is not.

Sample temp files created when mod_security is disabled:
phpENU1wg
upt_805677.1259779397.txt

where "805677.1259779397" is the UPLOAD_IDENTIFIER.

Sample temp files created when mod_security is enabled:
20091202-144325-SxbDWkU8c54AACEoQmIAAAAF-request_body-TgkMtk




Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-12-02 15:06 UTC] blepore at igniteworldwide dot com
If this cannot be accomplished, it is worth adding to the documentation that setting SecRequestBodyAccess to Off will work around the issue (though leave the site more vulnerable).
 [2010-01-08 03:14 UTC] leahy_rich at hotmail dot com
Has there been any progress or work arounds to this isssue without changing mod_security2 yet as i am having this problem?
 [2010-01-08 05:06 UTC] chregu@php.net
The current workaround is mentioned by "blepore at 
igniteworldwide dot com" in the comment above...

I don't have the time nor the intend to dig into that problem 
as I'm not using mod_security
 [2010-02-21 12:47 UTC] php at gileskennedy dot com
The problem is recognised over at 
https://www.modsecurity.org/tracker/browse/MODSEC-17:

"In order to block 100% reliably we need to buffer; there's 
no 
question about that. However, buffering is not always the 
best, or 
even desired, approach. Some mechanisms (such as file upload 
progress bars) rely on having a free flow of data..."

But that won't be addressed until mod_security 3 and I've 
not found 
any info on when mod_security 3 is likely to be 
released. Very unlikely this year I'd have thought; a 2.6 
release is 
planned first and there's been very little activity on v3 as 
yet. 
https://www.modsecurity.org/tracker/browse/MODSEC?
report=com.atlassian.jira.plugin.system.project:roadmap-
panel
 [2011-08-18 13:04 UTC] 1041963598 at qq dot com
Whoever wrote this, you know how to make a good atricle.
 [2011-08-29 21:43 UTC] dean at khmin dot org
<a href="http://www.searchmedsonline.com/">valtrex</a> >:( <a href="http://www.medicprix.com/">buy lexapro mg online</a> zxoq
 [2017-10-24 09:01 UTC] kalle@php.net
-Status: Open +Status: Suspended
 [2017-10-24 09:01 UTC] kalle@php.net
This package has not had any releases for 6 years, so I'm gonna suspend it, any new maintainer that decides to pick this up can re-open this ticket.
 [2020-01-26 01:03 UTC] ramsey@php.net
-Assigned To: +Assigned To: ramsey
 [2020-01-26 01:03 UTC] ramsey@php.net
-Status: Suspended +Status: Assigned
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sat Jul 04 15:01:26 2020 UTC