conflict resolution

spartantri · web-flow · commit 4baf3446fc8c · 2019-08-27T10:42:38.000-04:00
diff --git a/crs-setup.conf.example b/crs-setup.conf.example
@@ -354,11 +354,12 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #  nolog,\
 #  pass,\
 #  t:none,\
+#  setvar:tx.crs_exclusions_cpanel=1,\
 #  setvar:tx.crs_exclusions_drupal=1,\
-#  setvar:tx.crs_exclusions_wordpress=1,\
-#  setvar:tx.crs_exclusions_nextcloud=1,\
 #  setvar:tx.crs_exclusions_dokuwiki=1,\
-#  setvar:tx.crs_exclusions_cpanel=1"
+#  setvar:tx.crs_exclusions_nextcloud=1,\
+#  setvar:tx.crs_exclusions_wordpress=1,\
+#  setvar:tx.crs_exclusions_xenforo=1"
 
 #
 # -- [[ HTTP Policy Settings ]] ------------------------------------------------
@@ -389,7 +390,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # Content-Types that a client is allowed to send in a request.
 # Default: application/x-www-form-urlencoded|multipart/form-data|text/xml|\
 # application/xml|application/soap+xml|application/x-amf|application/json|\
-# application/octet-stream|text/plain
+# application/octet-stream|application/csp-report|\
+# application/xss-auditor-report|text/plain
 # Uncomment this rule to change the default.
 #SecAction \
 # "id:900220,\
@@ -399,19 +401,6 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #  t:none,\
 #  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain'"
 
-# Content-Types charsets that a client is allowed to send in a request.
-# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252
-# Uncomment this rule to change the default.
-# Use "|" to separate multiple charsets like in the rule defining
-# tx.allowed_request_content_type.
-#SecAction \
-# "id:900270,\
-#  phase:1,\
-#  nolog,\
-#  pass,\
-#  t:none,\
-#  setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
-
 # Allowed HTTP versions.
 # Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
 # Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
@@ -428,16 +417,16 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 
 # Forbidden file extensions.
 # Guards against unintended exposure of development/configuration files.
-# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
-# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .sql/
+# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
+# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/
 # Uncomment this rule to change the default.
 #SecAction \
 # "id:900240,\
 #  phase:1,\
 #  nolog,\
 #  pass,\
 #  t:none,\
-#  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
+#  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
 
 # Forbidden request headers.
 # Header names should be lowercase, enclosed by /slashes/ as delimiters.
@@ -465,16 +454,18 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #  t:none,\
 #  setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
 
-# Locations that will be inspected to enforce only images and documents uploads.
-# Default: /wp-admin/upload.php /wp-admin/media-new.php
-# Uncomment this rule to change the default set in 901180
+# Content-Types charsets that a client is allowed to send in a request.
+# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252
+# Uncomment this rule to change the default.
+# Use "|" to separate multiple charsets like in the rule defining
+# tx.allowed_request_content_type.
 #SecAction \
-# "id:900270,\
+# "id:900280,\
 #  phase:1,\
 #  nolog,\
 #  pass,\
 #  t:none,\
-#  setvar:'tx.protected_uploads=#/wp-admin/upload.php# #/wp-admin/media-new.php#'"
+#  setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
 
 #
 # -- [[ HTTP Argument/Upload Limits ]] -----------------------------------------
@@ -789,52 +780,6 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 SecCollectionTimeout 600
 
 
-#
-# -- [[ Debug Mode ]] ----------------------------------------------------------
-#
-# To enable rule development and debugging, CRS has an optional debug mode
-# that does not block a request, but instead sends detection information
-# back to the HTTP client.
-#
-# This functionality is currently only supported with the Apache web server.
-# The Apache mod_headers module is required.
-#
-# In debug mode, the webserver inserts "X-WAF-Events" / "X-WAF-Score"
-# response headers whenever a debug client makes a request. Example:
-#
-#   # curl -v 'http://192.168.1.100/?foo=../etc/passwd'
-#   X-WAF-Events: TX:930110-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-REQUEST_URI,
-#                TX:930120-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-ARGS:foo,
-#                TX:932160-OWASP_CRS/WEB_ATTACK/RCE-ARGS:foo
-#   X-WAF-Score: Total=15; sqli=0; xss=0; rfi=0; lfi=10; rce=5; php=0; http=0; ses=0
-#
-# To enable debug mode, include the RESPONSE-981-DEBUG.conf file.
-# This file resides in a separate folder, as it is not compatible with
-# nginx and IIS.
-#
-# You must specify the source IP address/network where you will be running the
-# tests from. The source IP will BYPASS all CRS blocking, and will be sent the
-# response headers as specified above. Be careful to only list your private
-# IP addresses/networks here.
-#
-# Tip: for regression testing of CRS or your own ModSecurity rules, you may
-# be interested in using the OWASP CRS regression testing suite instead.
-# View the file util/regression-tests/README for more information.
-#
-# Uncomment these rules, filling in your CRS path and the source IP address,
-# to enable debug mode:
-#
-#Include /path/to/crs/util/debug/RESPONSE-981-DEBUG.conf
-#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
-# "id:900980,\
-#  phase:1,\
-#  nolog,\
-#  pass,\
-#  t:none,\
-#  ctl:ruleEngine=DetectionOnly,\
-#  setvar:tx.crs_debug_mode=1"
-
-
 #
 # -- [[ End of setup ]] --------------------------------------------------------
 #
