From a02d7270b5bde18699dc1c04df8da4ef3e406dba Mon Sep 17 00:00:00 2001
From: Esad Cetiner <104706115+EsadCetiner@users.noreply.github.com>
Date: Thu, 11 Jul 2024 10:02:15 +1000
Subject: [PATCH] fix: use case insensitivity for public shares when entering passwords

---
 plugins/nextcloud-rule-exclusions-before.conf | 3 +-
 .../9508171.yaml | 45 +++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 tests/regression/nextcloud-rule-exclusions-plugin/9508171.yaml

diff --git a/plugins/nextcloud-rule-exclusions-before.conf b/plugins/nextcloud-rule-exclusions-before.conf
index c6abd0c..9156bd3 100644
--- a/plugins/nextcloud-rule-exclusions-before.conf
+++ b/plugins/nextcloud-rule-exclusions-before.conf
@@ -331,7 +331,8 @@ SecRule REQUEST_FILENAME "@rx /remote\.php/dav/trashbin/[^/]+/trash/" \
 setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/plain|'"
 
 # Entering a password for a password protected share
-SecRule REQUEST_FILENAME "@rx /s/[^/]+/authenticate/showShare$" \
+# Some Nextcloud versions have inconsistent case sensitivity
+SecRule REQUEST_FILENAME "@rx (?i)/s/[^/]+/authenticate/showshare$" \
 "id:9508171,\
 phase:1,\
 pass,\
diff --git a/tests/regression/nextcloud-rule-exclusions-plugin/9508171.yaml b/tests/regression/nextcloud-rule-exclusions-plugin/9508171.yaml
new file mode 100644
index 0000000..a625e1d
--- /dev/null
+++ b/tests/regression/nextcloud-rule-exclusions-plugin/9508171.yaml
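Review bot: The leading `(?i)` on the new `@rx` makes the entire path case-insensitive, while the comment above it only justifies the `showShare`/`showshare` inconsistency in the final segment, so a request to `/S/x/AUTHENTICATE/showshare` now also receives this exclusion. Because this rule relaxes inspection (its action list after `pass,` continues outside the hunk), keeping the relaxation as narrow as the evidence is the safer default; PCRE's scoped form does that: `SecRule REQUEST_FILENAME "@rx /s/[^/]+/authenticate/(?i:showshare)$" \`. The next maintainer would also benefit from the comment naming the affected versions or linking the upstream report instead of "Some Nextcloud versions", e.g. `# Nextcloud routes this as showShare or showshare depending on version (see <issue link>)`.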
@@ -0,0 +1,45 @@
+---
+meta:
+ author: "Esad Cetiner"
+ description: "Nextcloud Rule Exclusions Plugin"
+ enabled: true
+ name: 9508171.yaml
+tests:
+ - test_title: 9508171-1
+ desc: Entering password on a public share
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: OWASP CRS test agent
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Content-Type: application/x-www-form-urlencoded
+ port: 80
+ method: POST
+ uri: /s/random/authenticate/showshare
+ data: |
+ requesttoken=random&password=%3Cscript%3E&sharingToken=random&sharingType=3
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "941101"
+ - test_title: 9508171-2
+ desc: Entering password on a public share
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: OWASP CRS test agent
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Content-Type: application/x-www-form-urlencoded
+ port: 80
+ method: POST
+ uri: /s/random/authenticate/showShare
+ data: |
+ requesttoken=random&password=%3Cscript%3E&sharingToken=random&sharingType=3
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "941101"
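Review bot: Both tests carry the identical `desc: Entering password on a public share`, so a failure report cannot tell the lowercase `showshare` request (9508171-1) from the `showShare` one (9508171-2); `desc: Entering password on a public share (lowercase showshare path)` and `desc: Entering password on a public share (camelCase showShare path)` would make the output self-explanatory. The only assertion in each stage is `no_log_contains: id "941101"`, which also passes if 941101 never fires on `password=%3Cscript%3E` in a POST body in the first place — its target list is not visible here and may not cover request arguments at all, so this is worth confirming against the CRS version in use. A control stage that sends the same body to a URI outside the exclusion and asserts `log_contains: id "941101"` would prove that the exclusion, rather than a non-matching rule, is what makes these two stages pass.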