Is this a valid Set-Cookie syntax - ssl

I found a Set-Cookie header and need to know whether its syntax is valid or not.
SessionId=ccc; path=/; HttpOnly, Secure; HttpOnly
My questions mainly are:
1) Is it valid to use a comma before the directive Secure?
2) Is the directive Secure always preceded by a cookie value in the form x=y? I mean the order: can the directive Secure come before the equation, or without an equation?
I am at a loss: either the above header is misconfigured or I am wrong. From my understanding of the Set-Cookie header syntax on the Mozilla site here, the directive Secure should always be preceded by a semicolon, then a space, as in: ; Secure. After the word Secure there can be either a semicolon ; or the end of the line. Please clarify, I need an accurate answer to write a regexp.

In this RFC document you will find detailed information on the Set-Cookie grammar: https://www.rfc-editor.org/rfc/rfc6265#page-8
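To see what the RFC grammar makes of the header in the question, here is an added example (not from the question or answer) that checks a Set-Cookie value against the producer grammar of RFC 6265 §4.1.1 and also parses it the way §5.2 tells a user agent to. Both functions are my own; the header string is the one from the question.

```python
import re

# RFC 6265 §4.1.1, the grammar a server MUST produce:
#   set-cookie-string = cookie-pair *( ";" SP cookie-av )
#   cookie-pair       = cookie-name "=" cookie-value
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
COOKIE_OCTET = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*"
COOKIE_PAIR_RE = re.compile(rf'^({TOKEN})=("{COOKIE_OCTET}"|{COOKIE_OCTET})$')
# extension-av = <any CHAR except CTLs or ";">, so a comma is NOT a separator
COOKIE_AV_RE = re.compile(r"^[^\x00-\x1F\x7F;]*$")
FLAG_AV = {"secure", "httponly"}
VALUE_AV = {"expires", "max-age", "domain", "path"}

def strict_grammar_ok(header: str) -> bool:
    """Shape check against §4.1.1: name=value first, then '; ' attribute units."""
    parts = header.split(";")
    if not COOKIE_PAIR_RE.match(parts[0]):
        return False
    return all(av.startswith(" ") and COOKIE_AV_RE.match(av[1:]) for av in parts[1:])

def parse_set_cookie(header: str):
    """Parse the way RFC 6265 §5.2 tells a user agent to: split on ';',
    trim whitespace, match attribute names case-insensitively and ignore
    any attribute name it does not recognise. Returns None when the header
    must be ignored (no '=' or empty name), else (name, value, attrs, ignored)."""
    parts = header.split(";")
    if "=" not in parts[0]:
        return None
    name, value = (s.strip() for s in parts[0].split("=", 1))
    if not name:
        return None
    attrs, ignored = {}, []
    for av in parts[1:]:
        an, _, av_val = (s.strip() for s in av.partition("="))
        key = an.lower()
        if not key:
            continue
        if key in FLAG_AV:
            attrs[key] = True          # §5.2.5/5.2.6: any value is ignored
        elif key in VALUE_AV:
            attrs[key] = av_val
        else:
            ignored.append(an)         # e.g. "HttpOnly, Secure" as ONE name
    return name, value, attrs, ignored
```

The header from the question passes the grammar check because "HttpOnly, Secure" is a legal extension-av, but a user agent sees it as one unknown attribute name and drops it, so the cookie ends up without the Secure flag.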

Related

What does "!" (exclamation mark) mean in the http header "Cache-Control: !no-store, !bypass-cache"?

I noticed that the page http://www.r7.com has the following http response header:
Cache-Control:!no-store,!bypass-cache,max-age=22s
What does the "!" exclamation mark character mean?
Is that a negated expression?
The specification for Cache-Control (RFC 7234) doesn't include any exclamation marks.
This is unspecified behaviour. Only the operators of that website know what they mean, but general clients are unlikely to support it.

What's the opposite of "Header append Vary User-Agent", how to remove the "User-Agent" string from "Vary"?

I know that I can add the User-Agent to the Vary http header with this line in my .htaccess:
Header append Vary User-Agent
But how can I remove the User-Agent from the Vary header if it is already set?
According to the mod_headers doc there is an append option, but no equivalent "remove" option.
Simple answer below, but you need some shenanigans to avoid sending an empty Vary: header (try to avoid it out of paranoia)
Header edit Vary (.*)User-Agent(.*) $1$2
# Remove a leading or trailing ',' without making things complex above
# (the group must be non-greedy, otherwise a trailing ',' is swallowed by it)
Header edit Vary ^,?(.*?),?$ $1
# 2.4-only: remove empty Vary header
Header unset Vary "expr=resp('Vary') =~ /^$/"
x-never-match can be any unlikely-to-ever-be-used header name.
Though this is not as generic as being able to remove the specific User-Agent keyword, it gets the job done:
Header set Vary "Accept-Encoding"
This will overwrite your existing header so that the Vary header will only have Accept-Encoding.

How to whitelist foreign characters in folder or file name with apache/mod_security?

I have some image files with foreign characters in their dir and file name, like Á or ü, and apache/mod_security is answering with Error 406 - Not acceptable when pointing a browser to those files.
Is there a way to let the server show those files, without making the site insecure?
edit: after checking error_log and modsec2.user.conf, the rule being triggered is
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
"@validateUtf8Encoding" \
"deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'1234123439',severity:'4'"
Thanks
Can you give some more information as to what the log file says? Which rule is blocking the request?
Edit:
@validateUtf8Encoding ensures that everything being checked (in your case: REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer) is valid UTF-8.
Also see: Modsecurity Handbook
Now I assume that a parameter in your request is not UTF-8 encoded but maybe ISO-Latin-1. For example, see this post where the parameter "con" (id=9&con=m%FCllrose&x=0&y=0) contains %FC, which is a valid code in ISO-8859-1, but not in UTF-8. In this case the answer was "This rule is wrongly assuming UTF-8 and causing a false positive. It should be disabled."
I guess you can either disable the rule or modify your request to make sure that it only contains UTF-8 characters.
Note: It would have been even better if you had posted the entry from the error log. Then we could have seen which part of the request actually violates the rule.
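The following is an added example (not from the answer above) that reproduces what the rule checks, namely whether the percent-decoded bytes of the path and each parameter are well-formed UTF-8, and shows the alternative to disabling the rule: re-encoding the Latin-1 pieces as UTF-8 so the file links stay valid and the rule stays on. The query string is the one quoted in the answer; the image path is a constructed sample, and the legacy charset is assumed to be ISO-8859-1.

```python
from urllib.parse import unquote_to_bytes, quote

def utf8_ok(data: bytes) -> bool:
    """Strict UTF-8 check on the raw decoded bytes, which is what
    @validateUtf8Encoding does on REQUEST_FILENAME and ARGS (a lone
    %FC byte, like in m%FCllrose, is not a valid UTF-8 sequence)."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def audit_request_target(target: str) -> dict:
    """Split a request target into path and query parameters, percent-decode
    each piece to bytes and report which variable would trip the rule."""
    path, _, query = target.partition("?")
    report = {"REQUEST_FILENAME": utf8_ok(unquote_to_bytes(path))}
    for pair in filter(None, query.split("&")):
        name, _, raw = pair.partition("=")
        report["ARGS:" + name] = utf8_ok(unquote_to_bytes(raw))
    return report

def reencode_as_utf8(target: str, legacy: str = "iso-8859-1") -> str:
    """Remediation that keeps the rule enabled: any piece that is not valid
    UTF-8 is interpreted in the legacy charset (assumed ISO-8859-1) and
    re-emitted as UTF-8 percent-encoding; valid pieces are left untouched."""
    def fix(piece: str) -> str:
        data = unquote_to_bytes(piece)
        if utf8_ok(data):
            return piece
        return quote(data.decode(legacy).encode("utf-8"), safe="/")
    path, sep, query = target.partition("?")
    pairs = []
    for pair in filter(None, query.split("&")):
        name, eq, raw = pair.partition("=")
        pairs.append(name + eq + fix(raw))
    return fix(path) + sep + "&".join(pairs)
```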

Apache config read header value

Is there a way to read the value of a request header in Apache config? I want to avoid going into the .htaccess file and even better if I could avoid using SetEnvIf.
I'm trying to implement the suggestion here: https://stackoverflow.com/a/1850482/138228
I can't really find much on this topic outside of using regex. What I'm looking for is something like:
Header set NAME = %{value_of_different_header}%
Reading the answer from: https://serverfault.com/questions/136428/header-set-access-control-allow-origin-not-working-with-mod-rewrite-mod-jk
It seems the solution is:
SetEnvIf Origin "http(s)?://(domaine1\.com|domain2\.com)$" AccessControlAllowOrigin=$0
Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
But this has nothing to do with .htaccess; you can put such lines in the regular Apache configuration file (virtualhost?) without using the bad .htaccess dynamic configuration files.
The value part of the Header instruction is:
value may be a character string, a string containing format specifiers or a combination of both
But the only format specifiers available are %% (for %), %t for a timestamp, %D (idem), and %{foo}e and %{foo}s for environment variables.
SetEnvIf is a good Apache tool to read a request header, here reading the Origin header. Then, using environment variables is the classical way of writing complex things in Apache (I mean the way to store some sort of variables).
So I don't know why you would like another solution.
I couldn't find a way of doing this without SetEnvIf, but other than that, just copying a different header can be done with the following. I was doing this as part of a ReverseProxy (hence using RequestHeader instead of Header), but the two appear to be interchangeable.
###This reads the value of OldHeader into TempValue
SetEnvIf OldHeader ".+" TempValue=$0
###This will overwrite the value of "NewHeader" if it was already set
RequestHeader set NewHeader %{TempValue}e env=TempValue
###Optionally remove the original
RequestHeader unset OldHeader

Regex rule to match % sign in url for apache mod rewrite

Hello, my rewrite rule is failing sometimes because my URLs have % signs in them.
For example this url:
http://www.chillisource.co.uk/product/Grocery/Dr.%20Burnoriums%20Psycho%20Juice/1/B005MSE5KG/Psycho_Juice_70%_Ghost_Pepper
This is my rewrite rule:
RewriteRule ^product/([a-zA-Z]+)/([\sa-zA-Z0-9\-\+\.]+)/([0-9]+)/([A-Z0-9]+)/([a-zA-Z0-9]+) /product?&cat=$1&q=$2&page=$3&prod=$4&prodName=$5
How can I modify the 5th rule ([a-zA-Z0-9]+) so it does not fail when there is a % in the product name?
Thanks in advance.
Perhaps it's not %20, but a space. That is, the URL is passed to rewrite after urldecoding. If not, then just add the percent sign to the range (if yes, a space).
---- Forget this part, I misunderstood the question ----
From what I get from the mod_rewrite documentation (http://httpd.apache.org/docs/current/mod/mod_rewrite.html), you should not have to deal with hex-encoded characters (I assume that from the following statement):
THE_REQUEST
The full HTTP request line sent by the browser to the server (e.g., "GET /index.html HTTP/1.1"). This does not include any additional headers sent by the browser. This value has not been unescaped (decoded), unlike most other variables below.
In fact, using mod_rewrite would be practically impossible since you'd have to deal with that EVERYWHERE, e.g., you can always write %41 instead of 'A'.
--- But the following still is true ---
But your rewrite rule can't work, at least not with the request URL you posted: the last part of the regex "([a-zA-Z0-9]+)" is FAR too strict. In this case, it fails for the following reasons:
It lacks a treatment of the percent sign, as in "70%"
You forgot to include the underscore "_"
Try adding at least these two characters ("[a-zA-Z0-9%_]+") and it should work.