From 8eea142c6a4b1ba8defe7e8c763ebb422fbfee26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Fri, 2 Feb 2024 15:39:38 +0100
Subject: [PATCH] =?UTF-8?q?Resolves:=20RHEL-16358=20-=20A=20form=20data,?=
 =?UTF-8?q?=20"=E4=BC=9A=E7=A4=BE"(Company=20in=20Japanese)=20is=20forbade?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

  with REQUEST-941-APPLICATION-ATTACK-XSS.conf of mod_security_crs
---
 ...rs-rule-941310-dont-match-japanese-word.patch | 16 ++++++++++++++++
 mod_security_crs.spec                            | 11 +++++++++--
 2 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 mod_security_crs-rule-941310-dont-match-japanese-word.patch

diff --git a/mod_security_crs-rule-941310-dont-match-japanese-word.patch b/mod_security_crs-rule-941310-dont-match-japanese-word.patch
new file mode 100644
index 0000000..d93a5d6
--- /dev/null
+++ b/mod_security_crs-rule-941310-dont-match-japanese-word.patch
@@ -0,0 +1,16 @@
+--- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf	2020-07-01 18:38:19.000000000 +0200
++++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf	2023-02-16 09:14:52.151838881 +0100
+@@ -543,8 +543,11 @@
+     ctl:auditLogParts=+E,\
+     ver:'OWASP_CRS/3.3.4',\
+     severity:'CRITICAL',\
+-    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
++    chain"
++        SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx [^\xe4]\xbc[^\x9a][^\xbe>]*[^\xe7][^\xa4][\xbe>]|<[^\xbe]*[^\xe7][^\xa4]\xbe" \
++        "t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
++        setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
++        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ 
+ #
+ # https://nedbatchelder.com/blog/200704/xss_with_utf7.html
diff --git a/mod_security_crs.spec b/mod_security_crs.spec
index 039e6af..a521bc4 100644
--- a/mod_security_crs.spec
+++ b/mod_security_crs.spec
@@ -1,7 +1,7 @@
 Summary: ModSecurity Rules
 Name: mod_security_crs
 Version: 3.3.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: ASL 2.0
 URL: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
 Source: https://github.com/coreruleset/coreruleset/archive/refs/tags/v%{version}.tar.gz
@@ -9,13 +9,16 @@ BuildArch: noarch
 Requires: mod_security >= 2.9.6
 Obsoletes: mod_security_crs-extras < 3.0.0
 Patch0: mod_security_crs-early-blocking.patch
+# https://issues.redhat.com/browse/RHEL-16358
+Patch1: mod_security_crs-rule-941310-dont-match-japanese-word.patch
 
 %description
 This package provides the base rules for mod_security.
 
 %prep
 %setup -q -n coreruleset-%{version}
-%patch0 -p1 -b.early_blocking
+%patch0 -p1 -b .early_blocking
+%patch1 -p1 -b .rule_941310
 
 %build
 
@@ -48,6 +51,10 @@ done
 %{_datarootdir}/mod_modsecurity_crs
 
 %changelog
+* Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-2
+- Resolves: RHEL-16358 - A form data, "会社"(Company in Japanese) is forbade
+  with REQUEST-941-APPLICATION-ATTACK-XSS.conf of mod_security_crs
+
 * Mon Dec 05 2022 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-1
 - new version 3.3.4
 - Resolves: #2143210 - [RFE] upgrade mod_security_crs to latest upstream 3.3.x