@hnakamur
Contributor

what

Accept requests whose body length is exactly equal to SecRequestBodyNoFilesLimit.

why

The current implementation rejects requests when their body length is equal to SecRequestBodyNoFilesLimit.
However, according to the documented behavior, requests up to and including this limit should be accepted.

references

@sonarqubecloud

sonarqubecloud bot commented Dec 26, 2025

Quality Gate passed

Issues
0 New issues
2 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code


Copilot AI left a comment

Pull request overview

This PR fixes an off-by-one error in the SecRequestBodyNoFilesLimit implementation to correctly accept requests whose body length is exactly equal to the configured limit, aligning with documented behavior and v3 implementation.

Changes:

  • Changed comparison operator from >= to > in two locations in apache2/msc_reqbody.c to allow bodies exactly equal to the limit
  • Added comprehensive regression tests to verify both the boundary case (body length equals limit) and the rejection case (body length exceeds limit)

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| apache2/msc_reqbody.c | Fixed two comparison checks to use > instead of >= for SecRequestBodyNoFilesLimit validation |
| tests/regression/config/10-request-directives.t | Added test cases to verify requests with body length equal to and exceeding the limit are handled correctly |
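
An added illustration of the boundary condition discussed in this thread, not code from the pull request or from ModSecurity: a hypothetical chunked body accumulator run with the pre-fix `>=` comparison and the post-fix `>` comparison. The names `body_acc`, `body_acc_store` and `feed_body`, the sample limit of 16, and the placement of the check after the addition are all assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical accumulator, not ModSecurity's own structure. */
typedef struct {
    size_t limit;   /* configured cap, the role SecRequestBodyNoFilesLimit plays */
    size_t length;  /* bytes accepted so far */
    int inclusive;  /* 1: ">" check (post-fix), 0: ">=" check (pre-fix) */
} body_acc;

enum { BODY_OK = 0, BODY_TOO_LARGE = -1 };

/* Account for one chunk; reject once the running total passes the cap. */
static int body_acc_store(body_acc *acc, size_t chunk_len) {
    if (chunk_len > (size_t)-1 - acc->length)   /* size_t wraparound guard */
        return BODY_TOO_LARGE;
    size_t total = acc->length + chunk_len;
    int over = acc->inclusive ? (total > acc->limit) : (total >= acc->limit);
    if (over)
        return BODY_TOO_LARGE;
    acc->length = total;
    return BODY_OK;
}

/* Stream a body of body_len bytes in pieces of at most chunk bytes. */
static int feed_body(size_t limit, int inclusive, size_t body_len, size_t chunk) {
    body_acc acc = { limit, 0, inclusive };
    if (chunk == 0)
        chunk = 1;  /* avoid a non-terminating loop on a zero chunk size */
    while (body_len > 0) {
        size_t n = body_len < chunk ? body_len : chunk;
        if (body_acc_store(&acc, n) != BODY_OK)
            return BODY_TOO_LARGE;
        body_len -= n;
    }
    return BODY_OK;
}

int main(void) {
    const size_t limit = 16;  /* constructed sample value */
    for (size_t len = limit - 1; len <= limit + 1; len++)
        printf("len=%zu  '>=' check: %s  '>' check: %s\n", len,
               feed_body(limit, 0, len, 5) == BODY_OK ? "accept" : "reject",
               feed_body(limit, 1, len, 5) == BODY_OK ? "accept" : "reject");
    return 0;
}
```

Only the body whose length equals the limit is treated differently by the two comparisons, which is why a regression test needs both the equal-to-limit case and the limit-plus-one case.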


@airween
Member

airween commented Jan 22, 2026

Hi @hnakamur,

nice catch, thank you! I'm surprised this operational anomaly has remained hidden until now.

Special thanks for new tests.

@airween airween merged commit 50620aa into owasp-modsecurity:v2/master Jan 22, 2026
96 checks passed
@hnakamur hnakamur deleted the v2/allow_no_files_limit_sized_reqbody branch January 23, 2026 01:32