Apache Security - Ivan Ristic [191]
HTTP_headername
Value of the header headername. The prefix HEADER_ (in place of HTTP_) will also work.
ENV_envname
Value of the environment variable envname.
ARG_varname
Value of the parameter varname.
ARGS
Gives direct access to a single string containing all parameters and their values, which is equal to the combined value of QUERY_STRING and POST_PAYLOAD. (The request body will be faked if necessary, as discussed above.)
ARGS_COUNT
Number of parameters in the request.
ARGS_NAMES
List of the names of all parameters given to the script.
ARGS_VALUES
List of the values of all parameters given to the script.
FILE_NAME_varname
The filesystem name of the file contained in the request and associated with the script parameter varname.
FILE_SIZE_varname
The size of the file uploaded in the parameter varname.
FILES_COUNT
Number of files contained in the request.
FILES_NAMES
List of the filesystem names of all files contained in the request.
FILES_SIZES
List of the sizes of all files.
HEADERS
List of all request headers, in the form "Name: Value".
HEADERS_COUNT
Number of headers in the request.
HEADERS_NAMES
List of the names of all headers in the request.
HEADERS_VALUES
List of the values of all headers in the request.
SCRIPT_UID
The uid of the owner of the script that will handle the request.
SCRIPT_GID
The gid of the group of the script that will handle the request.
SCRIPT_USERNAME
The username equivalent to the uid. Using a username is slower than using a uid since mod_security needs to perform a lookup every time.
SCRIPT_GROUPNAME
The group name equivalent to the gid. Using a group name is slower than using a gid as well.
SCRIPT_MODE
Script permissions, in the standard Unix format, with four digits with a leading zero (e.g., 0755).
COOKIE_cookiename
Value of the cookie cookiename.
COOKIES_COUNT
Number of cookies in the request.
COOKIES_NAMES
List of the names of all cookies given to the script.
COOKIES_VALUES
List of the values of all cookies given to the script.
When using selective rules, you are not limited to examining one field at a time. You can separate multiple variable names with a pipe. The following rule demonstrates how to access named parts of the request, in this example, a parameter and a cookie:
# Look for the keyword in the parameter "authorized"
# and in the cookie "authorized". A match in either of
# them will trigger the rule.
SecFilterSelective ARG_authorized|COOKIE_authorized KEYWORD
If a variable is absent from the current request, it is treated as empty. For example, to detect the presence of a variable, use the following format, which triggers execution of the default action list if the variable is not empty:
SecFilterSelective ARG_authorized !^$
A special syntax allows you to create exceptions. The following applies the rule to all parameters except the parameter html:
SecFilterSelective ARGS|!ARG_html KEYWORD
Finally, single rules can be combined to create more complex expressions. In my favorite example, I once had to deploy an application that had to be publicly available because our users were located anywhere on the Internet. The application has a powerful, potentially devastating administration account, and the login page for users and for the administrator was the same. It was impossible to use other access control methods to restrict administrative logins to an IP address range. Modifying the source code was not an option because we had no access to it. I came up with the following two rules:
SecFilterSelective ARG_username ^admin$ chain
SecFilterSelective REMOTE_ADDR !^192\.168\.254\.125$
The first rule triggers whenever someone tries to log in as an administrator (it looks for a parameter username with value admin). Without the optional action chain being specified, the default action list would be executed. Since chain is specified,
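The selector semantics described above (pipe-separated variables, absent variables treated as empty, the ! exclusion prefix, the ! negated pattern, and chain) are easy to misread when writing rules, so here is an added example, not from the book or from mod_security itself, that emulates them in Python over a constructed request. It only understands the ARGS, ARG_x, COOKIE_x and REMOTE_ADDR variables used in the examples above.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample request; an assumed shape, not from the book.
REQUEST = {
    "args": parse_qsl("username=admin&html=<b>hi</b>&authorized=yes"),
    "cookies": {"authorized": "yes"},
    "remote_addr": "10.0.0.7",
}

def resolve(selector, req):
    """Expand a pipe-separated variable list into (name, value) pairs.
    ARGS is every parameter; ARG_x and COOKIE_x pick one; !ARG_x excludes one.
    A variable absent from the request yields the empty string."""
    values, excluded = [], set()
    for item in selector.split("|"):
        if item.startswith("!"):
            excluded.add(item[1:])
        elif item == "ARGS":
            values += [("ARG_" + k, v) for k, v in req["args"]]
        elif item.startswith("ARG_"):
            found = [(item, v) for k, v in req["args"] if k == item[4:]]
            values += found or [(item, "")]
        elif item.startswith("COOKIE_"):
            values.append((item, req["cookies"].get(item[7:], "")))
        elif item == "REMOTE_ADDR":
            values.append((item, req["remote_addr"]))
        else:
            raise ValueError("unsupported variable: " + item)
    return [(n, v) for n, v in values if n not in excluded]

def selective_match(selector, pattern, req):
    """True when the rule triggers: some selected value matches the regex,
    or, for a pattern prefixed with '!', some value fails to match it."""
    negate = pattern.startswith("!")
    regex = re.compile(pattern[1:] if negate else pattern)
    return any(bool(regex.search(v)) != negate for _, v in resolve(selector, req))

def chain_match(rules, req):
    """A chain triggers only when every rule in it matches in turn."""
    return all(selective_match(sel, pat, req) for sel, pat in rules)

# The admin-login rule pair from the text, applied to the sample request.
ADMIN_CHAIN = [("ARG_username", "^admin$"),
               ("REMOTE_ADDR", r"!^192\.168\.254\.125$")]
```

Run chain_match(ADMIN_CHAIN, REQUEST) to see the pair trigger for an admin login from an address other than 192.168.254.125, and change remote_addr to that address to see the chain stay silent.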