Mailing List Archive

Regular expression to check POST payload
Hi,

has anyone tried to implement a "Regular Expression" Rule Type that
matches the POST payload of a request?

I would like to give a try to such kind of rule, to inspect only the POST
payload and allow only a predefined subset of characters on it.

I'm not familiar with regex syntax, so I can't figure out how to build a
regex expression to match only the POST payload...

Can anyone help with this?

--
---------------------

Hugo Vázquez Caramés

"The job that is never started is the one that takes longest to finish"
(J. R. R. Tolkien)

"Most people spend more time and energy talking about problems than
facing them" (Henry Ford)

"The impossible is the ghost of the timid and the refuge of cowards"
(N. Bonaparte)

========================================================
PENTEST Consultores
Tel: 93 3962070 / Fax: 93 3962001
e-mail: hvazquez@pentest.es
========================================================
Gain credibility and trust, visit http://www.pentest.es


This email is confidential and intended solely for the use of the
individual to whom it is addressed. If you are not the intended
recipient,be advised that you have received this email in error and that
any use,dissemination, forwarding, printing or copying of this email is
strictly prohibited. If you have received this email in error please
notify it to sender.

_______________________________________________
Cherokee mailing list
Cherokee@lists.octality.com
http://lists.octality.com/listinfo/cherokee
Re: Regular expression to check POST payload

On 08-09-11 17:24, Hugo Vazquez Carames wrote:
> has anyone tried to implement a "Regular Expression" Rule Type that
> matches the POST payload of a request?
>
> I would like to give a try to such kind of rule, to inspect only
> the POST payload and allow only a predefined subset of characters
> on it.

Characters sounds pretty scary. But I could imagine that a form
encoded post could be validated by cherokee so it contains something
specific. If it should be part of the webserver is questionable...

The problem here seems to be that you want to match: ^[YoUrCharS]*$


Stefan
Re: Regular expression to check POST payload
Hi Stefan,

thanks for your response. Anyway, the regex you propose:

^[YoUrCharS]*$

will match the entire request... won't it? I want to match only the
submitted payload -variables and their values- that is, I don't want to
look in the headers...

So the regex should look for the presence of "POST " in the first five
characters of the first line of the request, and ignore everything else in
that line, and ignore the rest of the headers, and then match only the posted
data... -which I think comes after two <CR><LF>-... Is it clearer now...?
:-(

How can I do it?

Regards,

--
Hugo Vázquez Caramés

Re: Regular expression to check POST payload
Hello Hugo,

I'm afraid that sort of matching rules cannot be implemented because of
functional restrictions.

There are handlers that should receive the POST information on-the-fly (as
the client sends it). Therefore, there must be a handler instanced by the
time the POST is being received from the client. That implies that the
Behavior rule list must have been already evaluated in order to instance the
handler.

Basically, the behavior rule list must be evaluated before the POST is
received.

Cheers!




--
Greetings, alo
http://www.octality.com/
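
Because the behavior rule list is evaluated before the body arrives, a check like the one asked about has to run in whatever receives the POST data. The following is an added example, not code from this thread or from Cherokee: it assumes a form-encoded body, a hypothetical allowlist and size limit, and a constructed sample request, and applies the `^[chars]*$` idea to each decoded field instead of the raw request.

```python
import re
from urllib.parse import parse_qsl

# Hypothetical allowlist: letters, digits, space and a few punctuation marks.
ALLOWED = re.compile(r"[A-Za-z0-9 _.@-]*")
MAX_BODY = 8192  # assumed size limit for this example

# Constructed sample request; the headers contain "/" and ":" on purpose.
SAMPLE_REQUEST = (
    b"POST /form HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"name=Hugo&mail=h%40example.test"
)


def split_request(raw: bytes):
    """Split a raw request into (header block, body) at the first blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    return head, body


def validate_form_body(body: bytes):
    """Return (ok, reason); every decoded name and value must match ALLOWED."""
    if len(body) > MAX_BODY:
        return False, "body too large"
    try:
        text = body.decode("ascii")  # form-encoded bodies are ASCII on the wire
        # Percent-decode first: "%3C" looks harmless until it becomes "<".
        pairs = parse_qsl(text, keep_blank_values=True, strict_parsing=True,
                          encoding="utf-8", errors="strict")
    except ValueError:  # also covers UnicodeDecodeError
        return False, "malformed form body"
    for name, value in pairs:
        for item in (name, value):
            # fullmatch instead of ^...$: "$" also matches before a trailing "\n".
            if ALLOWED.fullmatch(item) is None:
                return False, f"disallowed character in field {name!r}"
    return True, "ok"


if __name__ == "__main__":
    _, sample_body = split_request(SAMPLE_REQUEST)
    print(validate_form_body(sample_body))
    print(validate_form_body(b"name=%3Cscript%3E"))
    print(validate_form_body(b"name=abc%0A"))
```

Only the body is checked, so header characters outside the allowlist do not cause a rejection.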
Re: Regular expression to check POST payload
Ok, that makes sense... Thanks Alvaro.

--
Hugo Vázquez Caramés