HEX
Server: Apache
System: Linux pdx1-shared-a4-02 6.6.104-grsec-jammy+ #3 SMP Tue Sep 16 00:28:11 UTC 2025 x86_64
User: niched (5283231)
PHP: 7.4.33
Disabled: NONE
Upload Files
File: //etc/modsecurity/mod_sec3_CRS/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
#
# ------------------------------------------------------------------------

# These exclusions remedy false positives in a default NextCloud install.
# They will likely work with OwnCloud too, but you may have to modify them.
# The exclusions are only active if crs_exclusions_nextcloud=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.
#
# To relax upload restrictions for only the php files that need it,
# you put something like this in crs-setup.conf:
#
# SecRule REQUEST_FILENAME "@rx /(?:remote.php|index.php)/" \
#   "id:9003330,\
#   phase:1,\
#   t:none,\
#   nolog,\
#   pass,\
#   tx.restricted_extensions='.bak/ .config/ .conf/'"
#
# Large uploads can be modified with SecRequestBodyLimit. Or they
# can be more controlled by using the following:
#
# SecRule REQUEST_URI "@endsWith /index.php/apps/files/ajax/upload.php" \
#    "id:9003610,\
#    phase:1,\
#    t:none,\
#    nolog,\
#    ctl:requestBodyLimit=1073741824"
#
# ---------------------


SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
    "id:9003000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    skipAfter:END-NEXTCLOUD"

SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
    "id:9003001,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    skipAfter:END-NEXTCLOUD"


#
# [ File Manager ]
#
#
# The web interface uploads files, and interacts with the user.

SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
    "id:9003100,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveByTag=attack-injection-php,\
    ctl:ruleRemoveById=941000-942999,\
    ctl:ruleRemoveById=951000-951999,\
    ctl:ruleRemoveById=953100-953130,\
    ctl:ruleRemoveById=920420,\
    ctl:ruleRemoveById=920440,\
    ver:'OWASP_CRS/3.3.2'"

# Skip PUT parsing for invalid encoding / protocol violations in binary files.

SecRule REQUEST_METHOD "@streq PUT" \
    "id:9003105,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    chain"
    SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
        "t:none,\
        ctl:ruleRemoveById=920000-920999,\
        ctl:ruleRemoveById=932000-932999,\
        ctl:ruleRemoveById=921150,\
        ctl:ruleRemoveById=930110,\
        ctl:ruleRemoveById=930120"

# Allow the data type 'text/vcard'

SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
    "id:9003110,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"

# Allow the data type 'application/octet-stream'

SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \
    "id:9003115,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    chain"
    SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \
        "setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/octet-stream|'"

# Allow data types like video/mp4

SecRule REQUEST_METHOD "@streq PUT" \
    "id:9003116,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    chain"
    SecRule REQUEST_FILENAME "@rx (?:/public\.php/webdav/|/remote\.php/dav/uploads/)" \
        "ctl:ruleRemoveById=920340,\
        ctl:ruleRemoveById=920420"


# Allow characters like /../ in files.
# Allow all kind of filetypes.
# Allow source code.

SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
    "id:9003120,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=930100-930110,\
    ctl:ruleRemoveById=951000-951999,\
    ctl:ruleRemoveById=953100-953130,\
    ctl:ruleRemoveById=920440,\
    ver:'OWASP_CRS/3.3.2'"

# Allow REPORT requests without Content-Type header (at least the iOS app does this)

SecRule REQUEST_METHOD "@streq REPORT" \
    "id:9003121,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
        "t:none,\
        ctl:ruleRemoveById=920340"


# [ Searchengine ]
#
# NexCloud uses a search field for filename or content queries.

SecRule REQUEST_FILENAME "@contains /index.php/core/search" \
    "id:9003125,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:query,\
    ctl:ruleRemoveTargetById=941000-942999;ARGS:query,\
    ctl:ruleRemoveTargetById=932000-932999;ARGS:query,\
    ver:'OWASP_CRS/3.3.2'"


# [ DAV ]
#
# NextCloud uses DAV methods with index.php and remote.php to do many things
# The default ones in ModSecurity are: GET HEAD POST OPTIONS
#
# Looking through the code, and via testing, I found these:
#
# File manager: PUT DELETE MOVE PROPFIND PROPPATCH
# Calendars: REPORT
# Others in the code or js files: PATCH MKCOL MOVE TRACE
# Others that I added just in case, and they seem related:
#   CHECKOUT COPY LOCK MERGE MKACTIVITY UNLOCK.

SecRule REQUEST_FILENAME "@rx /(?:remote|index|public)\.php/" \
    "id:9003130,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH UNLOCK REPORT TRACE jsonp'"


# We need to allow DAV methods for sharing files, and removing shares
# DELETE - when the share is removed
# PUT - when setting a password / expiration time

SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/files_sharing/" \
    "id:9003140,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"


# [ Preview and Thumbnails ]

SecRule REQUEST_FILENAME "@contains /index.php/core/preview.png" \
    "id:9003150,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=932150;ARGS:file,\
    ver:'OWASP_CRS/3.3.2'"

# Filepreview for trashbin

SecRule REQUEST_FILENAME "@contains /index.php/apps/files_trashbin/ajax/preview.php" \
    "id:9003155,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=932150;ARGS:file,\
    ctl:ruleRemoveTargetById=942190;ARGS:file,\
    ver:'OWASP_CRS/3.3.2'"

SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \
    "id:9003160,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=941120;ARGS:requesttoken,\
    ver:'OWASP_CRS/3.3.2'"


# [ Ownnote ]

SecRule REQUEST_FILENAME "@contains /index.php/apps/ownnote/" \
    "id:9003300,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=941150,\
    ver:'OWASP_CRS/3.3.2'"


# [ Text Editor ]
#
# This file can save anything, and it's name could be lots of things.

SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \
    "id:9003310,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filecontents,\
    ctl:ruleRemoveTargetById=921110-921160;ARGS:filecontents,\
    ctl:ruleRemoveTargetById=932150;ARGS:filename,\
    ctl:ruleRemoveTargetById=920370-920390;ARGS:filecontents,\
    ctl:ruleRemoveTargetById=920370-920390;ARGS_COMBINED_SIZE,\
    ver:'OWASP_CRS/3.3.2'"


# [ Address Book ]
#
# Allow the data type 'text/vcard'

SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
    "id:9003320,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"

# Allow modifying contacts via the web interface
SecRule REQUEST_METHOD "@streq PUT" \
    "id:9003321,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
        "t:none,\
        ctl:ruleRemoveById=200002"


# [ Calendar ]
#
# Allow the data type 'text/calendar'

SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \
    "id:9003330,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/calendar|'"

# Allow modifying calendar events via the web interface
SecRule REQUEST_METHOD "@streq PUT" \
    "id:9003331,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \
        "t:none,\
        ctl:ruleRemoveById=200002"


# [ Notes ]
#
# We want to allow a lot of things as the user is
# allowed to note on anything.

SecRule REQUEST_FILENAME "@contains /index.php/apps/notes/" \
    "id:9003340,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveByTag=attack-injection-php,\
    ver:'OWASP_CRS/3.3.2'"


# [ Bookmarks ]
#
# Allow urls in data.

SecRule REQUEST_FILENAME "@contains /index.php/apps/bookmarks/" \
    "id:9003350,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=931130,\
    ver:'OWASP_CRS/3.3.2'"


#
# [ Login forms ]
#

# This removes checks on the 'password' and related fields:

# User login password.

SecRule REQUEST_FILENAME "@contains /index.php/login" \
    "id:9003400,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
    ver:'OWASP_CRS/3.3.2'"

# Reset password.

SecRule REQUEST_FILENAME "@endsWith /index.php/login" \
    "id:9003410,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.3.2',\
    chain"
    SecRule ARGS:action "@streq resetpass" \
        "t:none,\
        chain"
        SecRule &ARGS:action "@eq 1" \
            "t:none,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"

# Change Password and Setting up a new user/password

SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \
    "id:9003500,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newuserpassword,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
    ver:'OWASP_CRS/3.3.2'"


SecMarker "END-NEXTCLOUD-ADMIN"

SecMarker "END-NEXTCLOUD"