From 789abd48f7b36e643cebbb474b3bc8d9d061ddf6 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Thu, 9 Nov 2023 17:44:04 +0000
Subject: [PATCH] Disable Accept: charset mod_security checks

These interfere with JSON-LD activitypub requests because
apparently the '; profile="..."' part is matched by that humongous
rule 920600 regexp and ModSecurity thinks it's a charset.
---
 .../crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf           | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docker/conf/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf b/docker/conf/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
index f2e9c3ee..609a3083 100644
--- a/docker/conf/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
+++ b/docker/conf/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
@@ -17,6 +17,10 @@ SecRuleRemoveById 950130
 SecRuleRemoveById 941160
 SecRuleRemoveById 941180
 
+# The Accept: charset check gets confused by some ActivityPub
+# headers (that specify a JSON-LD profile), just disable it.
+SecRuleRemoveById 920600
+
 # ModSec Rule Exclusion: 920273 : Invalid character in request (outside of very strict set)
 # ModSec Rule Exclusion: 942432 : Restricted SQL Character Anomaly Detection (args): 
 # number of special characters exceeded (2) (severity:  NONE/UNKOWN)
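Review bot: `SecRuleRemoveById 920600` turns off the Accept-header validation for every request this configuration serves, not only for the ActivityPub traffic that triggers the false positive. If the affected endpoints are known, a runtime exclusion loaded before the CRS rules would keep the check active everywhere else, e.g. `SecRule REQUEST_URI "@beginsWith <activitypub-path>" "id:<local-rule-id>,phase:1,pass,nolog,ctl:ruleRemoveById=920600"` (the path and id are placeholders). If the global removal is intended, the comment should say so and record which CRS version showed the false positive, so the exclusion can be revisited after an upgrade.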
-- 
GitLab