Make multipart/mixed an OWASP-allowed content type
#2002
Assignees
Comments
|
@HeikoTheissen to approach OWASP |
@mikepizzo offered to ask a colleague at Microsoft, I'd like to await his response first so that I can better judge what impact the rule 901162 (which we want modified) actually has. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
OWASP maintains a set of core rules which, among others, contains a list of "allowed content types for requests"
https://github.com/coreruleset/coreruleset/blob/a2f477d9d3171ac23cde3a3fc719356bc3db55db/rules/REQUEST-901-INITIALIZATION.conf#L200
which is then used in another rule
https://github.com/coreruleset/coreruleset/blob/a2f477d9d3171ac23cde3a3fc719356bc3db55db/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L1013.
This list is not set in stone, for example,
multipart/relatedwas added as a result of coreruleset/coreruleset#1721.To support OData multipart $batch requests, should the OData TC raise another issue to have
multipart/mixedincluded?The text was updated successfully, but these errors were encountered: