On Tue, 2011-09-06 at 22:42 -0700, Philip Prindeville wrote: > I had configured and installed subversion (SVN) to run over HTTP as the transport, but when I tried to use it I got: > > [Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/trunk/package/linux-atm"] [unique_id "TmUFkcCoAQoAABnnJF8AAAAD"] > [Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c"] [unique_id "TmUFkcCoAQoAABnlI-4AAAAB"] > [Mon Sep 05 11:23:29 2011] [error] [client ::1] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=, XSS=): Method is not allowed by policy"] [hostname "localhost"] [uri "/svn/astlinux/!svn/act/709637a8-16ca-40eb-8008-8cb9d5bd189c"] [unique_id "TmUFkcCoAQoAABnkI6QAAAAA"] > > when doing commits, etc. I was thinking it would be nice if mod_security out-of-the-box supported SVN... > > I'm looking at the supposed offending rule: > > SecRule TX:INBOUND_ANOMALY_SCORE "@gt 0" \ > "chain,phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQLI_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'" > SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_level}" "skipAfter:END_CORRELATION" > > and thinking "Wha.....t?" > > If the .conf files out-of-the-box can't support SVN by default, how about at least having a post-install script that modifies the rules to accommodate SVN? > > Or what about SVN installing its own rules if it detects mod_security is installed and enabled? > > But less abstractly: does anyone know what's required to make SVN-over-HTTP work with mod_security? ---- This might help... http://dawelbeit.info/2009/09/26/subversion-and-mod_security/ I don't think SVN and mod_security is a commonly used configuration. Craig -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines