Updating RequestBodyNoFilesLimit at runtime (feature request)

[welljsjs]

• ModSecurity version: 2.9.2
• Environment: Apache 2

The ctl action enables us to change ModSecurity configuration at runtime per transaction.

However, we're only able to update a limited number of configuration directives that are listed here.

This is a feature request to add ctl:requestBodyNoFilesLimit (see SecRequestBodyNoFilesLimit) to the editable configuration directives at runtime.

If there are several web services running under several sub-domains on the same server, some of them might need larger request body sizes than others. To optimize security and instead of changing the configuration directive globally, I'd prefer to be able to update this directive depending on (f.ex.) the request filename (or server name, ..., but at runtime).

[zimmerle]

Thank you @welljsjs. It is queued to be reviewed.

[cmschlenke]

Any word on when this will be reviewed and merged? I could really use this feature.

[unalignedcoder]

This would be extremely useful with Nextcloud.

Nextcloud needs a much higher SecRequestBodyNoFilesLimit value, as it seems to intend this as the size of data including the file.

Here they seem to suggest they have fixed the problem, back in 2019, but actually the problem persists to this day.

In an environment with many applications, it's obviously not ideal to extend the limit for all, when only one application needs this workaround.

[martinhsv]

Hello @unalignedcoder ,

I'm not sure I understand your second sentence. The whole point of SecRequestBodyLimit vs. SecRequestBodyNoFilesLimit is that the latter excludes files. (The focus of the difference is on multipart/part request bodies where one or more parts may be files but other parts may represent non-file data.)

With such multipart requests, it shouldn't be necessary to set SecRequestBodyNoFilesLimit higher because of "including the file".

[unalignedcoder]

Well, this is what Nextcloud seems to be doing. Unless I am misunderstanding something.
The audit log says: ModSecurity: Request body no files data length is larger than the configured limit (1002400)
But, as far as I can understand, it's really referring to the size of the file?

[martinhsv]

The message does indeed point to the limit as defined by SecRequestBodyNoFilesLimit. But the comparison is against the size of the request excluding multipart parts with a 'filename=' parameter.

[unalignedcoder]

This probably isn't subject for this thread, but I think it's possible Nextcloud is misusing that parameter... I don't see how the data when uploading can be so high as to trigger that limit, forcing the user to set SecRequestBodyNoFilesLimit ridiculously high.