Drop the translate header from the restricted list

Fixes #1410.

Author: fgsch

crs-setup.conf.example

@@ -431,15 +431,15 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # Forbidden request headers.
 # Header names should be lowercase, enclosed by /slashes/ as delimiters.
 # Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
-# Default: /proxy/ /lock-token/ /content-range/ /translate/ /if/
+# Default: /proxy/ /lock-token/ /content-range/ /if/
 # Uncomment this rule to change the default.
 #SecAction \
 # "id:900250,\
 #  phase:1,\
 #  nolog,\
 #  pass,\
 #  t:none,\
-#  setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'"
+#  setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
 
 # File extensions considered static files.
 # Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters.

rules/REQUEST-901-INITIALIZATION.conf

@@ -200,7 +200,7 @@ SecRule &TX:restricted_headers "@eq 0" \
     phase:1,\
     pass,\
     nolog,\
-    setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'"
+    setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
 
 # Default HTTP policy: static_extensions (rule 900260)
 SecRule &TX:static_extensions "@eq 0" \

util/docker/README.md

@@ -28,7 +28,7 @@ The following environment variables are available to configure the CRS container
 | ALLOWED_REQUEST_CONTENT_TYPE_CHARSET | A string indicating the allowed_request_content_type_charset (Default: utf-8\|iso-8859-1\|iso-8859-15\|windows-1252) |
 | ALLOWED_HTTP_VERSIONS | A string indicating the allowed_http_versions (Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0) |
 | RESTRICTED_EXTENSIONS | A string indicating the restricted_extensions (Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/) |
-| RESTRICTED_HEADERS | A string indicating the restricted_headers (Default: /proxy/ /lock-token/ /content-range/ /translate/ /if/) |
+| RESTRICTED_HEADERS | A string indicating the restricted_headers (Default: /proxy/ /lock-token/ /content-range/ /if/) |
 | STATIC_EXTENSIONS | A string indicating the static_extensions (Default: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/) |
 | MAX_NUM_ARGS | An integer indicating the max_num_args (Default: unlimited) |
 | ARG_NAME_LENGTH | An integer indicating the arg_name_length (Default: unlimited) |

util/docker/docker-compose.yaml

@@ -53,7 +53,7 @@ services:
       #- ALLOWED_REQUEST_CONTENT_TYPE_CHARSET=utf-8|iso-8859-1|iso-8859-15|windows-1252
       #- ALLOWED_HTTP_VERSIONS=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
       #- RESTRICTED_EXTENSIONS=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
-      #- RESTRICTED_HEADERS=/proxy/ /lock-token/ /content-range/ /translate/ /if/
+      #- RESTRICTED_HEADERS=/proxy/ /lock-token/ /content-range/ /if/
       #- STATIC_EXTENSIONS=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/
 
       #######################################################

util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920450.yaml

@@ -7,20 +7,6 @@
   tests:
     -
       test_title: 920450-1
-      stages:
-        -
-          stage:
-            input:
-              dest_addr: "127.0.0.1"
-              port: 80
-              headers:
-                  User-Agent: "ModSecurity CRS 3 Tests"
-                  Host: "localhost"
-                  translate: "test"
-            output:
-              log_contains: "id \"920450\""
-    -
-      test_title: 920450-2
       stages:
         -
           stage:
@@ -34,7 +20,7 @@
             output:
               log_contains: "id \"920450\""
     -
-      test_title: 920450-3
+      test_title: 920450-2
       stages:
         -
           stage:
@@ -48,7 +34,7 @@
             output:
               log_contains: "id \"920450\""
     -
-      test_title: 920450-4
+      test_title: 920450-3
       stages:
         -
           stage:
@@ -63,7 +49,7 @@
               log_contains: "id \"920450\""
 
     -
-      test_title: 920450-5
+      test_title: 920450-4
       desc: HTTP header is restricted by policy (920450) from old modsec regressions, we no longer block proxy-connection in 3.0
       stages:
       -
@@ -87,32 +73,7 @@
             no_log_contains: id "920450"
 
     -
-      test_title: 920450-6
-      desc: HTTP header is restricted by policy (920450) from old modsec regressions
-      stages:
-      -
-        stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-              Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
-              Accept-Encoding: gzip,deflate
-              Accept-Language: en-us,en;q=0.5
-              Host: localhost
-              Keep-Alive: '300'
-              Proxy-Connection: keep-alive
-              Translate: f
-              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
-            method: GET
-            port: 80
-            uri: /
-            version: HTTP/1.1
-          output:
-            log_contains: id "920450"
-
-    -
-      test_title: 920450-7
+      test_title: 920450-5
       desc: HTTP header is restricted by policy (920450) from old modsec regressions
       stages:
       -
@@ -136,7 +97,7 @@
           output:
             log_contains: id "920450"
     -
-      test_title: 920450-8
+      test_title: 920450-6
       stages:
         -
           stage: