I had configured and installed Subversion (SVN) to run over HTTP as the 
transport, but when I tried to use it I got:

[Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/trunk/package/linux-atm"] [unique_id "TmUFkcCoAQoAABnnJF8AAAAD"]
[Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c"] [unique_id "TmUFkcCoAQoAABnlI-4AAAAB"]
[Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c"] [unique_id "TmUFkcCoAQoAABnkI6QAAAAA"]

when doing commits, etc. I was thinking it would be nice if mod_security 
out-of-the-box supported SVN...

I'm looking at the supposed offending rule:

SecRule TX:INBOUND_ANOMALY_SCORE "@gt 0" \
    "chain,phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQLI_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
        SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_level}" "skipAfter:END_CORRELATION"

and thinking "Wha.....t?"

If the .conf files out-of-the-box can't support SVN by default, how about at 
least having a post-install script that modifies the rules to accommodate SVN?

Or what about SVN installing its own rules if it detects mod_security is 
installed and enabled?

But less abstractly: does anyone know what's required to make SVN-over-HTTP 
work with mod_security?

Thanks,

-Philip
-- 
users mailing list
users@lists.fedoraproject.org
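
An added example, not part of the original post: a small Python parser for error-log entries in the format quoted above. It pulls out the operator, its logged argument, the total inbound score, the policy message and the URI, then counts hits per URI; the function names are illustrative.

```python
import re
from collections import Counter

# The three error-log entries from the post, with the e-mail line wrapping undone.
SAMPLE_LOG = '''\
[Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/trunk/package/linux-atm"] [unique_id "TmUFkcCoAQoAABnnJF8AAAAD"]
[Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c"] [unique_id "TmUFkcCoAQoAABnlI-4AAAAB"]
[Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c"] [unique_id "TmUFkcCoAQoAABnkI6QAAAAA"]
'''

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [name "value"] metadata
OPERATOR = re.compile(r'Operator (\w+) matched (\d+) at ([\w:]+)\.')
SCORE_MSG = re.compile(r'Total Inbound Score: (\d+), SQLi=(\d*), XSS=(\d*)\): (.*)')

def parse_entry(line):
    """Return one correlation event as a dict, or None for unrelated lines."""
    op = OPERATOR.search(line)
    fields = dict(FIELD.findall(line))
    score = SCORE_MSG.search(fields.get("msg", ""))
    if not (op and score):
        return None
    return {
        "operator": op.group(1),
        "operand": int(op.group(2)),   # operator argument as logged
        "variable": op.group(3),
        "score": int(score.group(1)),
        "reason": score.group(4),      # the policy message that raised the score
        "uri": fields.get("uri"),
        "unique_id": fields.get("unique_id"),
    }

def parse_log(text):
    """Parse every line of an error-log excerpt, skipping non-matching lines."""
    return [e for e in map(parse_entry, text.splitlines()) if e]

def summarize(events):
    """Count events per (reason, uri) so repeated hits on one path stand out."""
    return Counter((e["reason"], e["uri"]) for e in events)

if __name__ == "__main__":
    for (reason, uri), n in summarize(parse_log(SAMPLE_LOG)).most_common():
        print(f"{n}x {reason}: {uri}")
```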