Bug 769927

Summary: mod_security blocks legit content. (rpms)
Product: [Fedora] Fedora EPEL Reporter: JohnStanley <john.stanley>
Component: mod_securityAssignee: Othman Madjoudj <athmanem>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: el6CC: athmanem, john.stanley, mfleming+rpm
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-04 19:09:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
mod_sec_block none

Description JohnStanley 2011-12-22 18:48:19 UTC 
Description of problem:

Mod Security blocks any request by a machine requesting download content of any 'curl' RPM.

getenforce = 1 enabled httpd_sys_content_t:s0

Version-Release number of selected component (if applicable):

EL6.0
mod_security-2.5.12-2.el6.i686 / x86_64
httpd-2.2.15-5.el6.x86_64 /i686

How reproducible:

Any Apache server with mod_security-2.5.12-2.el6.i686 / x86_64 installed.
Steps to Reproduce:
1. Instal mod_security
2. SELinux Enabled
3. put the offending rpm into /var/www/html/$repo
4. Request the file  
Actual results:

The download gets blocked

Expected results:

It should not block rpm content of this nature.  A false positive?

Additional info:
Comment 1 JohnStanley 2011-12-22 18:55:29 UTC 
Created attachment 549231 [details]
mod_sec_block

mod_sec_log of request blockage.
Comment 2 JohnStanley 2011-12-26 15:08:30 UTC 
Cross Link BZ:

https://www.modsecurity.org/tracker/browse/CORERULES-78
Comment 3 Othman Madjoudj 2012-09-08 22:33:55 UTC 
Can you check if this issue is still reproducible with the latest mod_security and mod_security_crs from epel-testing.
Comment 4 JohnStanley 2012-09-14 19:32:28 UTC 
Please see:
https://www.modsecurity.org/tracker/browse/CORERULES-78

I will confirm the package in the EPEL Repo as soon as possible.

Thanks
Comment 5 Othman Madjoudj 2012-09-15 10:03:27 UTC 
Hi John,

I have a standard account in modsecurity jira which can not access to the report you posted:

Error message:

It seems that you have tried to perform an operation which you are not permitted to perform.
Comment 6 Othman Madjoudj 2015-02-14 19:52:06 UTC 
Any update on this issue ?

Thanks in advance.
Comment 7 JohnStanley 2015-03-04 19:03:47 UTC 
As far as I know this was fixed two years ago. The report on modsecs sight is no longer accessible either.
-----

Simple test for fix: create a site in httpd and place the curl.rpm into the directory tree and if it downloads it is fixed if not it is still broken
Comment 8 Othman Madjoudj 2015-03-04 19:09:22 UTC 
Thanks for your input.