Monthly Chat Agenda January (2020-01-06)

[fzipi]

This is the Agenda for the Monthly CRS Chat.

The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, January 6, at 20:30 CET.

Items on the Agenda:

PRs

• Rule to check if both C-L and T-E are present #1310 : Rule to check if both C-L and T-E are present [idling, needs work]
• 932200: PL1 RCE bypass uninitialized variable (DRAFT) #1602 : 932200: PL1 RCE bypass uninitialized variable (DRAFT) [idling, needs work]
• Revert #578 #1616 : Revert Add urlDecodeUni() operation to ARG/ARGS_NAMES #578 [idling, needs work]
• XenForo: additional exclusions #1656 : XenForo: additional exclusions [fresh, needs work]

Open Issues

• Large number of open false positives.

Other items

• Upcoming release of ModSecurity 3.1
• Demo site on coreruleset.org (In the making by @csanders-git)
• First look at sponsoring crs-sponsoring-presentation-draft-2020-01-04.txt
• CAPEC project at University of Montevideo?

Feel free to add items as you see fit either above, or below as comments.

If you are not yet on the OWASP Slack, here is your invite: https://join.slack.com/t/owasp/shared_invite/enQtNjExMTc3MTg0MzU4LWQ2Nzg3NGJiZGQ2MjRmNzkzN2Q4YzU1MWYyZTdjYjA2ZTA5M2RkNzE2ZjdkNzI5ZThhOWY5MjljYWZmYmY4ZjM .
Everybody is welcome to join our community chat.

[dune73]

Decisions

PRs

• Rule to check if both C-L and T-E are present #1310 is assigned to @theMiddleBlue.
• A meta-issue is generated to cover all the request smuggling stuff, assgined to @theMiddleBlue.
• Revert #578 #1616 will be finished by @fgs during the week and then merged.
• 932200: PL1 RCE bypass uninitialized variable (DRAFT) #1602 is a work in progres by @theMiddleBlue. It will take more time to get into a mergeable state.
• XenForo: additional exclusions #1656 will be merged as is. Afterwards, @lifeforms will come up with a 2nd PR to remove all the unnecessary chained rules that double-check /admin.php. [UPDATE: The new issue is XenForo: Remove unnecessary chains #1658]

Other stuff and Issues

• ModSec 3.1 will be released within two weeks or so. It's going to be a feature release, but also a security release.
• @csanders-git did not provide any update on the CRS demo site side-project in a long time. @dune73 will ping him again. If we do not hear from him, then @airween will start to work on something.
• Sponsoring: Draft presentation by @dune73 is welcome. He promises to invest a lot of time into this this year. It is likely OWASP HQ will ask for a share of the money. And the project agrees he should get a share too (-> fundraising share).
• pmf and case-sensitive matching #998: @dune73 will look into this and push it forward [UPDATE: Comment in issue 998 ]
• @franbuehler volunteers to fix open FP issues Rule 942230: False positive #1598, Rule 942230: False positive #1607 and Rule 942360: False positive #1605.
• We decide to schedule 10 open issues at every chat. But only after the "Various items" have been covered. So order will be PRs, other stuff, Issues.