
Only checking first variable? #6

Open
skmbr opened this issue Mar 11, 2015 · 4 comments

Comments


skmbr commented Mar 11, 2015

Hi There,

I am currently experimenting with VSF on a development server and am finding that it only catches malicious content if it was put in the first field of a form.

Something like this for example:

<script>alert(1);</script>

Causes a 403 to be returned if put in the very first element of any form that I have tested. If I put that in any other field, VSF ignores it.

Is anyone else seeing similar behaviour or have I just set something up wrong? Currently I have a completely out-of-the-box config and just followed the install instructions from here. No other changes have been made.

Any help or advice would be greatly appreciated! Thanks!


skmbr commented Mar 11, 2015

Further to this, I have just discovered that this only occurs on forms that are multipart/form-data encoded.


fgsch commented Jul 28, 2015

Long overdue update..

We had a discussion with @comotion today about this among other things.

Handling of form-data and multiple elements will be implemented in the vsf vmod.
Potential syntax:

  • Iterating directly:

```vcl
if (vsf.each(data, "..")) {
  ...
}
```

  • Iterating via the form object:

```vcl
form = new vsf.form(2048B);
...
if (form.each(data, "..")) {
  ...
}
```

Maybe others.

There are some outstanding details to close before deciding.
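The issue above is that only the first field of a multipart/form-data body was being inspected. The following is an added example, not VSF's or the vmod's code, showing what "iterate every part" means in practice: a small multipart parser that returns every field in order, a check that only looks at the first field (the reported behaviour), and a check that looks at all of them. The boundary, field names, sample body and the `<script` pattern are constructed for the example; VSF's real rule set is different.

```python
"""Added example (not VSF's own code): parse a multipart/form-data body into
its individual fields and run a detection check against every one of them,
rather than only the first."""
import re

# Constructed sample request: three fields, with the payload quoted in the
# issue placed in the third field rather than the first.
BOUNDARY = "----exampleboundary"
SAMPLE_BODY = (
    "------exampleboundary\r\n"
    'Content-Disposition: form-data; name="name"\r\n\r\n'
    "alice\r\n"
    "------exampleboundary\r\n"
    'Content-Disposition: form-data; name="email"\r\n\r\n'
    "alice@example.invalid\r\n"
    "------exampleboundary\r\n"
    'Content-Disposition: form-data; name="comment"\r\n\r\n'
    "<script>alert(1);</script>\r\n"
    "------exampleboundary--\r\n"
).encode()

# Deliberately simple detection pattern for the example (assumption: real
# rules are far more elaborate than this).
XSS_PATTERN = re.compile(rb"<\s*script", re.IGNORECASE)


def parse_multipart(body: bytes, boundary: str) -> list:
    """Return (field_name, content) pairs for each part, in body order.

    Per RFC 2046 the CRLF immediately before each delimiter belongs to the
    delimiter, so it is stripped from the preceding part's content.
    """
    delimiter = b"--" + boundary.encode()
    fields = []
    chunks = body.split(delimiter)          # chunks[0] is the preamble
    for chunk in chunks[1:]:
        if chunk.startswith(b"--"):         # closing delimiter: done
            break
        if not chunk.startswith(b"\r\n"):
            raise ValueError("malformed part: delimiter not followed by CRLF")
        head, sep, content = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("malformed part: no header/body separator")
        if content.endswith(b"\r\n"):
            content = content[:-2]
        name = None
        for line in head.split(b"\r\n"):
            if line.lower().startswith(b"content-disposition:"):
                m = re.search(rb'name="([^"]*)"', line)
                if m:
                    name = m.group(1).decode()
        fields.append((name, content))
    return fields


def first_field_only(fields: list) -> bool:
    """The behaviour reported in the issue: only the first field is inspected."""
    if not fields:
        return False
    return bool(XSS_PATTERN.search(fields[0][1]))


def every_field(fields: list) -> list:
    """Inspect all fields; return the names of the ones that match."""
    return [name for name, value in fields if XSS_PATTERN.search(value)]


if __name__ == "__main__":
    parsed = parse_multipart(SAMPLE_BODY, BOUNDARY)
    print("first field only:", first_field_only(parsed))   # False: missed
    print("every field:     ", every_field(parsed))        # ['comment']
```

Run stand-alone, the script shows the first-field-only check returning `False` for a body whose third field carries the payload, while the per-field check names the `comment` field; an `each`-style primitive in the vmod would be the equivalent of the second loop.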

@hellracer

Hi fgsch,

Good day, any progress on this you guys made so far?


fgsch commented Oct 21, 2015

@hellracer Not really. I've been quite busy.

That said, the latest code won't try to parse the form so you can check the raw data.
