On Mon, Apr 04, 2011 at 09:27:24AM -0500, Ryan Barnett wrote: > Current setting: > > # Maximum request body size we will accept for buffering. If you support > # file uploads then the value given on the first line has to be as large > # as the largest file you are willing to accept. The second value refers > # to the size of data, with files excluded. You want to keep that value as > # low as practical. > # > SecRequestBodyLimit 13107200 > SecRequestBodyNoFilesLimit 131072 > > Rationale: > These two settings are highly dependent upon the local application's purpose. > The first directive – SecRequestBodyLimit – includes file attachments > (multi-part Content-Type). This setting translates to 12.5MB. The second > directive – SecRequestBodyNoFilesLimit – is for > application/x-www-form-urlencoded request bodies passing ARGS. This setting > is 128K. >
Agreed. But the file "modsecurity.conf-minimal" in the tarball comes with this: SecRequestBodyLimit 131072 Maybe it should be updated to 13107200? Cheers, Alberto -- Alberto Gonzalez Iniesta | Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred | http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 _______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
