Add SecUploadFileMode validation to rules_set_properties and regressi…#3583

Open
Diamagnetic wants to merge 1 commit into owasp-modsecurity:v3/master from Diamagnetic:fix-secuploadfilemode-octal
Conversation

@Diamagnetic

what

  • Updated SecUploadFileMode handling to preserve octal file permissions.
  • Added a regression test that verifies uploaded temporary files preserve the configured octal permissions (0600).
  • Added a Lua helper used by @inspectFile to validate the file mode of temporary upload files.

why

  • SecUploadFileMode values represent Unix permission masks and must be interpreted as octal values.
  • The reported issue occurred because file mode 0600 was interpreted as decimal 600, resulting in uploaded temporary files being created with file mode 01130 (decimal 600) instead of octal 0600.
  • Ensure uploaded files created via multipart uploads remain readable by @inspectFile and other FILES_TMPNAMES consumers.
  • Prevent future regressions by adding automated test coverage.

references

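The octal-versus-decimal point above is easiest to see in code. The following is an added example, not code from this PR or from ModSecurity: it parses a SecUploadFileMode-style string strictly as octal, shows what the same text yields when read as base 10, and checks whether a file created with each mode keeps the owner-read bit. The function names (`parseOctalFileMode`, `parseAsDecimal`, `tempFileModeFor`) and the `/tmp` template path are assumptions of the example.

```cpp
#include <cctype>
#include <cerrno>
#include <cstdlib>
#include <optional>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Parse a permission-mask directive value as octal, the way Unix
// file modes are written. Rejects empty input, signs, non-octal
// digits, trailing junk and values above 07777 (the full mode range).
std::optional<mode_t> parseOctalFileMode(const std::string &text) {
    if (text.empty() || !std::isdigit(static_cast<unsigned char>(text[0])))
        return std::nullopt;
    errno = 0;
    char *end = nullptr;
    unsigned long value = std::strtoul(text.c_str(), &end, 8);
    if (errno != 0 || end == text.c_str() || *end != '\0')
        return std::nullopt;
    if (value > 07777)
        return std::nullopt;
    return static_cast<mode_t>(value);
}

// The defect the PR describes: the same text interpreted in base 10.
// "0600" becomes decimal 600, which is octal 01130.
unsigned long parseAsDecimal(const std::string &text) {
    return std::strtoul(text.c_str(), nullptr, 10);
}

// True when the owner read bit (0400) is set.
bool ownerCanRead(mode_t mode) {
    return (mode & S_IRUSR) != 0;
}

// Regression-style check: create a temporary file (assumed path
// template under /tmp), apply the mode with fchmod so the umask does
// not interfere, read the permission bits back with fstat, and clean
// up. Returns the observed permission bits, or nullopt on any failure.
std::optional<mode_t> tempFileModeFor(mode_t mode) {
    char path[] = "/tmp/upload-mode-example-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return std::nullopt;
    std::optional<mode_t> result;
    struct stat st;
    if (fchmod(fd, mode) == 0 && fstat(fd, &st) == 0)
        result = static_cast<mode_t>(st.st_mode & 07777);
    close(fd);
    unlink(path);
    return result;
}

int main() {
    const std::string directiveValue = "0600";
    mode_t octal = parseOctalFileMode(directiveValue).value();
    mode_t decimal = static_cast<mode_t>(parseAsDecimal(directiveValue));
    // octal == 0600, owner can read; decimal == 01130, owner cannot read
    return (ownerCanRead(octal) && !ownerCanRead(decimal)) ? 0 : 1;
}
```

Reading "0600" with base 8 gives 0600 (owner read and write); reading it with base 10 gives 600, i.e. 01130, which sets the sticky bit and owner execute but never the owner read bit, so a file created with that mode is unreadable to the consumer that later needs to inspect it.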
@sonarqubecloud

Development

Successfully merging this pull request may close these issues.

SecUploadFileMode parsed as decimal instead of octal; temp files have no read permission