Accept partial epilogue in body larger than limit for ProcessPartial

hnakamur · hnakamur · commit 0e4728f46c01 · 2025-12-31T22:00:07.000+09:00
But reject incomplete epilogue when body fits in limit.
diff --git a/apache2/msc_multipart.c b/apache2/msc_multipart.c
@@ -1023,13 +1023,44 @@ int multipart_complete(modsec_rec *msr, char **error_msg) {
              * processed yet) in the buffer.
              */
             if (msr->mpd->buf_contains_line) {
-                if ( ((unsigned int)(MULTIPART_BUF_SIZE - msr->mpd->bufleft) == (4 + strlen(msr->mpd->boundary)))
+                /*
+                 * Note that the buffer may end with the final boundary followed by only CR,
+                 * coming from the [CRLF epilogue], when allow_process_partial == 1 (which is
+                 * set when SecRequestBodyLimitAction is ProcessPartial and the request body
+                 * length exceeds SecRequestBodyLimit).
+                 *
+                 * The following definitions are copied from RFC 2046:
+                 *
+                 * dash-boundary := "--" boundary
+                 *
+                 * delimiter := CRLF dash-boundary
+                 *
+                 * close-delimiter := delimiter "--"
+                 *
+                 * multipart-body := [preamble CRLF]
+                 *                   dash-boundary transport-padding CRLF
+                 *                   body-part *encapsulation
+                 *                   close-delimiter transport-padding
+                 *                   [CRLF epilogue]
+                 */
+                unsigned int buf_data_len = (unsigned int)(MULTIPART_BUF_SIZE - msr->mpd->bufleft);
+                size_t final_boundary_len = 4 + strlen(msr->mpd->boundary);
+                if ( (buf_data_len >= final_boundary_len)
                     && (*(msr->mpd->buf) == '-')
                     && (*(msr->mpd->buf + 1) == '-')
                     && (strncmp(msr->mpd->buf + 2, msr->mpd->boundary, strlen(msr->mpd->boundary)) == 0)
                     && (*(msr->mpd->buf + 2 + strlen(msr->mpd->boundary)) == '-')
                     && (*(msr->mpd->buf + 2 + strlen(msr->mpd->boundary) + 1) == '-') )
                 {
+                    /* If body fits in limit and ends with final boundary plus just CR, reject it. */
+                    if ( (msr->mpd->allow_process_partial == 0)
+                        && (buf_data_len == final_boundary_len + 1)
+                        && (*(msr->mpd->buf + final_boundary_len) == '\r') )
+                    {
+                        *error_msg = apr_psprintf(msr->mp, "Multipart: Invalid epilogue after final boundary.");
+                        return -1;
+                    }
+
                     if ((msr->mpd->crlf_state_buf_end == 2) && (msr->mpd->flag_lf_line != 1)) {
                         msr->mpd->flag_lf_line = 1;
                         if (msr->mpd->flag_crlf_line) {
diff --git a/tests/regression/config/10-request-directives.t b/tests/regression/config/10-request-directives.t
@@ -643,7 +643,283 @@
 #	),
 #},
 
+# SecRequestBodyLimitAction ProcessPartial
+{
+	type => "config",
+	comment => "SecRequestBodyLimitAction ProcessPartial (multipart/just limit - bad_name)",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRequestBodyAccess On
+		SecRequestBodyLimitAction ProcessPartial
+		SecRequestBodyLimit 296
+		SecRule REQBODY_ERROR "!\@eq 0" "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+		SecRule MULTIPART_NAME "bad_name" "id:'200002',phase:2,t:none,deny
+	),
+	match_log => {
+		-error => [ qr/Multipart parsing error: Multipart: Final boundary missing./, 1],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+    request => new HTTP::Request(
+        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+        [
+            "Content-Type" => "multipart/form-data; boundary=---------------------------69343412719991675451336310646",
+        ],
+        normalize_raw_request_data(
+            q(
+                -----------------------------69343412719991675451336310646
+                Content-Disposition: form-data; name="name1"
+
+                value1
+                -----------------------------69343412719991675451336310646
+                Content-Disposition: form-data; name="bad_name2"
 
+                value2
+                -----------------------------69343412719991675451336310646--),
+        ),
+    ),
+},
+{
+	type => "config",
+	comment => "SecRequestBodyLimitAction ProcessPartial (multipart/greater - bad_name)",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRequestBodyAccess On
+		SecRequestBodyLimitAction ProcessPartial
+		SecRequestBodyLimit 295
+		SecRule REQBODY_ERROR "!\@eq 0" "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+		SecRule MULTIPART_NAME "bad_name" "id:'200002',phase:2,t:none,deny
+	),
+	match_log => {
+		-error => [ qr/Multipart parsing error: Multipart: Final boundary missing./, 1],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+    request => new HTTP::Request(
+        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+        [
+            "Content-Type" => "multipart/form-data; boundary=---------------------------69343412719991675451336310646",
+        ],
+        normalize_raw_request_data(
+            q(
+                -----------------------------69343412719991675451336310646
+                Content-Disposition: form-data; name="name1"
+
+                value1
+                -----------------------------69343412719991675451336310646
+                Content-Disposition: form-data; name="bad_name2"
+
+                value2
+                -----------------------------69343412719991675451336310646--),
+        ),
+    ),
+},
+{
+	type => "config",
+	comment => "SecRequestBodyLimitAction ProcessPartial (multipart/no epilogue)",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRequestBodyAccess On
+		SecRequestBodyLimitAction ProcessPartial
+		SecRequestBodyLimit 176
+		SecRule REQBODY_ERROR "!\@eq 0" "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+	),
+	match_log => {
+		-error => [ qr/Multipart parsing error: Multipart: Final boundary missing./, 1],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+    request => new HTTP::Request(
+        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+        [
+            "Content-Type" => "multipart/form-data; boundary=---------------------------69343412719991675451336310646",
+        ],
+        normalize_raw_request_data(
+            q(
+                -----------------------------69343412719991675451336310646
+                Content-Disposition: form-data; name="name1"
+
+                value1
+                -----------------------------69343412719991675451336310646--),
+        ),
+    ),
+},
+{
+	type => "config",
+	comment => "SecRequestBodyLimitAction ProcessPartial (multipart/CR after limit)",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRequestBodyAccess On
+		SecRequestBodyLimitAction ProcessPartial
+		SecRequestBodyLimit 176
+		SecRule REQBODY_ERROR "!\@eq 0" "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+	),
+	match_log => {
+		-error => [ qr/Multipart parsing error: Multipart: Final boundary missing./, 1],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+    request => new HTTP::Request(
+        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+        [
+            "Content-Type" => "multipart/form-data; boundary=---------------------------69343412719991675451336310646",
+        ],
+        normalize_raw_request_data(
+            q(
+                -----------------------------69343412719991675451336310646
+                Content-Disposition: form-data; name="name1"
+
+                value1
+                -----------------------------69343412719991675451336310646--) . "\r",
+        ),
+    ),
+},
+{
+	type => "config",
+	comment => "SecRequestBodyLimitAction ProcessPartial (multipart/CR just in limit)",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRequestBodyAccess On
+		SecRequestBodyLimitAction ProcessPartial
+		SecRequestBodyLimit 177
+		SecRule REQBODY_ERROR "!\@eq 0" "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+	),
+	match_log => {
+		-error => [ qr/"Multipart: Invalid epilogue after final boundary."/, 1],
+	},
+	match_response => {
+		status => qr/^400$/,
+	},
+    request => new HTTP::Request(
+        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+        [
+            "Content-Type" => "multipart/form-data; boundary=---------------------------69343412719991675451336310646",
+        ],
+        normalize_raw_request_data(
+            q(
+                -----------------------------69343412719991675451336310646
+                Content-Disposition: form-data; name="name1"
+
+                value1
+                -----------------------------69343412719991675451336310646--) . "\r",
+        ),
+    ),
+},
+{
+	type => "config",
+	comment => "SecRequestBodyLimitAction ProcessPartial (multipart/CRLF across limit)",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRequestBodyAccess On
+		SecRequestBodyLimitAction ProcessPartial
+		SecRequestBodyLimit 177
+		SecRule REQBODY_ERROR "!\@eq 0" "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+	),
+	match_log => {
+		-error => [ qr/Multipart parsing error: Multipart: Final boundary missing./, 1],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+    request => new HTTP::Request(
+        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+        [
+            "Content-Type" => "multipart/form-data; boundary=---------------------------69343412719991675451336310646",
+        ],
+        normalize_raw_request_data(
+            q(
+                -----------------------------69343412719991675451336310646
+                Content-Disposition: form-data; name="name1"
+
+                value1
+                -----------------------------69343412719991675451336310646--
+			),
+        ),
+    ),
+},
+{
+	type => "config",
+	comment => "SecRequestBodyLimitAction ProcessPartial (multipart/CR before limit, non-LF after)",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRequestBodyAccess On
+		SecRequestBodyLimitAction ProcessPartial
+		SecRequestBodyLimit 177
+		SecRule REQBODY_ERROR "!\@eq 0" "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+	),
+	match_log => {
+		-error => [ qr/Multipart parsing error: Multipart: Final boundary missing./, 1],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+    request => new HTTP::Request(
+        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+        [
+            "Content-Type" => "multipart/form-data; boundary=---------------------------69343412719991675451336310646",
+        ],
+        normalize_raw_request_data(
+            q(
+                -----------------------------69343412719991675451336310646
+                Content-Disposition: form-data; name="name1"
+
+                value1
+                -----------------------------69343412719991675451336310646--) . "\rbad epilogue after just CR",
+        ),
+    ),
+},
+{
+	type => "config",
+	comment => "SecRequestBodyLimitAction ProcessPartial (multipart/empty epilogue just in limit)",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRequestBodyAccess On
+		SecRequestBodyLimitAction ProcessPartial
+		SecRequestBodyLimit 178
+		SecRule REQBODY_ERROR "!\@eq 0" "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+	),
+	match_log => {
+		-error => [ qr/Multipart parsing error: Multipart: Final boundary missing./, 1],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+    request => new HTTP::Request(
+        POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+        [
+            "Content-Type" => "multipart/form-data; boundary=---------------------------69343412719991675451336310646",
+        ],
+        normalize_raw_request_data(
+            q(
+                -----------------------------69343412719991675451336310646
+                Content-Disposition: form-data; name="name1"
+
+                value1
+                -----------------------------69343412719991675451336310646--
+			),
+        ),
+    ),
+},
 
 
 
