SVN over HTTP and mod_security

Craig White craigwhite at azapple.com
Sat Sep 10 01:47:34 UTC 2011 

On Fri, 2011-09-09 at 09:32 -0700, Philip Prindeville wrote:
> On 9/6/11 11:42 PM, Craig White wrote:
> > On Tue, 2011-09-06 at 22:42 -0700, Philip Prindeville wrote:
> >> I had configured and installed subversion (SVN) to run over HTTP as the transport, but when I tried to use it I got:
> >>
> >> [Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/trunk/package/linux-atm"] [unique_id "TmUFkcCoAQoAABnnJF8AAAAD"]
> >> [Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c"] [unique_id "TmUFkcCoAQoAABnlI-4AAAAB"]
> >> [Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c"] [unique_id "TmUFkcCoAQoAABnkI6QAAAAA"]
> >>
> >> when doing commits, etc. I was thinking it would be nice if mod_security out-of-the-box supported SVN...
> >>
> >> I'm looking at the supposed offending rule:
> >>
> >> SecRule TX:INBOUND_ANOMALY_SCORE "@gt 0" \
> >>     "chain,phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQLI_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
> >>         SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_level}" "skipAfter:END_CORRELATION"
> >>
> >> and thinking "Wha.....t?"
> >>
> >> If the .conf files out-of-the-box can't support SVN by default, how about at least having a post-install script that modifies the rules to accommodate SVN?
> >>
> >> Or what about SVN installing its own rules if it detects mod_security is installed and enabled?
> >>
> >> But less abstractly: does anyone know what's required to make SVN-over-HTTP work with mod_security?
> > ----
> > This might help...
> > http://dawelbeit.info/2009/09/26/subversion-and-mod_security/
> > 
> > I don't think SVN and mod_security is a commonly used configuration.
> > 
> > Craig
> > 
> > 
> 
> Thanks, I looked at that and a couple of other things that also matched a similar search... like this:
> 
> http://www.waltercedric.com/component/content/article/329-apache/1565-subversion-and-mod-security.html
> 
> They suggest using:
> 
> SecRuleRemoveById ...
> 
> from within the <Directory> or <Location>.  Problem is I can't figure out how to identify the rule by "tag" or "id".
> 
> I know which rule it is, but not the "tag" or "id" associated with it:
> 
>     30	SecRule TX:INBOUND_ANOMALY_SCORE "@gt 0" \
>     31	    "chain,phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQLI_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
>     32		SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_level}" "skipAfter:END_CORRELATION"
> 
> 
> any suggestions?  The man page for "SecRule" calls it out as having 3 parts: VARIABLES, OPERATOR, [ ACTIONS ] ... nothing about tags or ids.
----
nada - don't use mod_security, know absolutely nothing about it.

I was going to suggest that you check and see if apache foundation has a
mail list for mod_security because you would get better answers there as
it appears no one on Fedora Users is actually using the SVN /
mod_security combo and that's really what you need.

Craig


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the users mailing list