Allow \ in setvar

[JonathanBerrew]

This is a Marc Stern modification, I don't have much more insight on the code he made. To be reviewed with caution and check if this is still relevant

[sonarqubecloud]

Quality Gate failed

Failed conditions
E Maintainability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

[airween]

Hi @JonathanBerrew,

it would be nice to explain the reason with an example, why it is necessary and in which case is it useful to allow \ in setvar action.

[JonathanBerrew]

Sadly I don't know why Marc made those modifications, I wasn't working on the project at the time. If this seem unnecessary, you can close the PR

[airween]

Sadly I don't know why Marc made those modifications, I wasn't working on the project at the time. If this seem unnecessary, you can close the PR

I see. I don't want to close this PR without any reason. If Marc made this modification, that means it's possible useful, but I would like to understand it. Beside of that, we need to documentation the behavior, and give examples to users, so this is why it would be good.

[fzipi]

No tests, and no use cases. 🤷 I'll close.

[JonathanBerrew]

This could be useful to have a setvar with a windows path for example or any regex. This keep the previous behaviour that was working for the escaping of the single quote

[airween]

This could be useful to have a setvar with a windows path for example or any regex. This keep the previous behaviour that was working for the escaping of the single quote

Thanks for this explanation. Anyway, it could be very good to add a real-world example. Eg. if you use this feature, just a small part any of your rule where you use that.

[JonathanBerrew]

In our rules, we have:

<Macro SecObsolete_ @target $pattern $msg>
 Use NotInsideLocation
 Use SecRule ENV:PathToIgnore @unconditionalMatch  "phase:1,t:none,tag:specific,~{skipAfter}:AfterObsoleteLocation"
  Use SecRule @target  "(?i)$pattern"  "phase:1,t:none,tag:specific,setvar:'TX.obsolete_$pattern',ctl:auditLogParts=-CEGI,~{localFile}=/SecError/obsolete.html,~{noErrorHeader},msg:'Obsolete $msg'"
  Use RuleLogSome IP "obsolete_$pattern" 100
 Use SecMarker AfterObsoleteLocation
</Macro>

<Macro SecObsoleteLocation @pattern>
 Use SecObsolete_ TX:url   @pattern location
</Macro>

<Macro SecObsoleteHost                 @pattern>
 Use SecObsolete_ REQUEST_HEADERS:Host @pattern location
</Macro>

Here we have setvar:'TX.obsolete_$pattern'
Where pattern could be any regex for a locationMatch for example.
Is this a good example? If not I'll try to look if we have other better ones

[airween]

Is this a good example? If not I'll try to look if we have other better ones

Uhm, without the mentioned <Location> syntax, I think this is hard to understand. Could you get a more exact example?

[JonathanBerrew]

Here is another example:

<Macro GetJSONValue @target $key $var>
 Use SecAction "phase:2,~{nosecaction},setvar:!TX.$var"
 Use CheckJSONSyntax @target
 Use SecRule @target "\x22$key\x22\s*+:\s*+\x22([^\x22]*+)\x22"   "phase:2,t:none,capture,setvar:TX.$var=%{TX.1},~{skip}:1"
 Use SecRule @target "\x22$key\x22\s*+:\s*+([^,\s}]*+)[,\s}]"     "phase:2,t:none,capture,setvar:TX.$var=%{TX.1},~{nosecaction}"
 Use ExtendedHeaderSec $var "$var=%{TX.$var}"
</Macro>

setvar:TX.$var
A JSON var could have "\" in the name of the variable.

We also have:

 <Macro SecDisableTagConditionallyVar_ $phase $(target) $tag @condition $tfn $disabled>
  Use SecAction                                         "phase:$phase,~{nosecaction},tag:security,tag:$tag,setvar:!tx.optim$(target)$tag"
  Use SecRule $(target) @condition                      "phase:$phase,~{nosecaction},tag:security,tag:$tag,pass,t:none,$tfn,multiMatch,setvar:'tx.optim$(target)$tag=$(target)'"
  Use SecRule &TX:optim$(target)$tag "@eq 0"            "phase:$phase,~{nosecaction},tag:security,tag:$tag,t:none,ctl:'ruleRemoveTargetByTag=^(?i:$disabled)$;$(target)'"
 </Macro>

setvar:!tx.optim$(target)$tag
The tag we're giving is "t:none,t:urlDecode,t:htmlEntityDecode". But this could potentially have a msg containing a "\"

Another example:

<Macro BlockMultipleParams $max>
 Use AllowMultipleParams
 Use SecRule ENV:req_json|ENV:req_xml @unconditionalMatch "phase:2,id:2000020,t:none,tag:Parano,tag:security,~{skipAfter}:AfterMultipleParams"
  Use SecRule ARGS_NAMES @unconditionalMatch              "phase:2,id:2000020,t:none,tag:Parano,tag:security,~{nosecaction},setvar:'TX.%{MATCHED_VAR_NAME}=+1'"
  Use SecRuleDeny TX:/^ARGS_NAMES:.*/ "@gt $max"          "phase:2,id:2000020,t:none,tag:Parano,msg:'Multiple Parameters with same name'"
 Use SecMarker AfterMultipleParams,tag:Parano,tag:security
</Macro>

setvar:'TX.%{MATCHED_VAR_NAME}=+1'
I guess the ARGS_NAMES could contains a "\" as well

[Copilot]

Pull request overview

This PR relaxes quoted-string parsing in ModSecurity’s generic parser to allow literal backslashes inside quoted parameters (instead of treating them as an invalid escape unless followed by ' or \). This is intended to support inputs such as Windows-style paths and other strings containing backslashes.

Changes:

• Update msre_parse_generic() so a backslash in a quoted value is only treated as an escape for ' and \; otherwise it’s preserved as a literal character.
• Keep backward compatibility for the previously-supported quoted pairs (\' and \\).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This change is in msre_parse_generic() (used for both target and action parsing), so it relaxes backslash handling for all quoted parameters—not just setvar. If the intent is setvar-only, consider moving this logic into the setvar parser; otherwise please update the PR title/description to reflect the broader behavioral change.

[Copilot]

There are regression tests covering setvar actions, but none appear to cover the newly-allowed case of a single backslash inside a quoted parameter (e.g. a Windows-style path like C:\temp written with single backslashes in the config). Please add a regression test that exercises a quoted action parameter containing an unescaped backslash to lock in this behavior and prevent accidental re-tightening of the parser.