Upload content encoding about neostumbler HOT 4 CLOSED

Hi,

MLS accepts gzipped requests, see https://github.com/mozilla/ichnaea/blob/efe73300296436f1b6a8d10db9739ffc3711ba94/ichnaea/api/views.py#L106

Ideally we want to compress the data submissions, because the amount of data can be quite large. I guess there could be an option to disable compression, but maybe you can configure your server to accept gzipped requests?

from neostumbler.

This content-encoding header is valid, the framework I'm using for my server automatically decompresses the data for me because of this header.

from neostumbler.

It is not a problem to transmit the data in a compressed way; and indeed the header content-encoding will be useful on the server side for decoding.

So I modified the modsecurity detection rules to bypass the blocking.

For info, the extracts from the error log:
Warning. String match within "/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/" at TX:header_name_content-encoding. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1128"] [id "920450"] [msg "HTTP header is restricted by policy (/content-encoding/)"]

Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname

from neostumbler.

Closing this because the problem should be fixed on server side

from neostumbler.