From e0866e885c6a57f117aa99aaac67422f839fec22 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Sat, 25 Nov 2023 08:11:52 +0000
Subject: [PATCH] Relax mod_security rules for CSS customization plugin

---
 .../crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf         | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/docker/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf b/docker/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
index 673aef72..9495f7be 100644
--- a/docker/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
+++ b/docker/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
@@ -71,12 +71,14 @@ SecRule REQUEST_URI "@beginsWith /wp-admin/network/settings.php" \
     ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:wp-piwik[tracking_code],\
     ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:wp-piwik[noscript_code]"
 
-# Gutenberg comments are misinterpreted.
-SecRule REQUEST_URI "@beginsWith /wp-json/wp/v2/template-parts" \
+# Gutenberg comments are misinterpreted, and CSS customizations trigger
+# noisy SQL injection rules.
+SecRule REQUEST_URI "@beginsWith /wp-json/wp/v2/" \
     "id:1011,\
     phase:2,\
     pass,\
     nolog,\
+    ctl:ruleRemoveById=942100,\
     ctl:ruleRemoveTargetByID=932105;ARGS:content,\
     ctl:ruleRemoveTargetByID=941100;ARGS:content"
 
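Review bot: `ctl:ruleRemoveById=942100` together with the wider `@beginsWith /wp-json/wp/v2/` match turns off libinjection SQL injection detection for every argument on every route under that prefix, not only for the CSS field that caused the false positives. The same widening extends the existing `ARGS:content` exclusions for 932105 and 941100 from template parts to all v2 routes, which presumably includes the comments route, where `content` may come from unauthenticated visitors depending on site settings. I would keep the match on the specific route(s) the editor and the plugin use and exclude only the offending parameter, e.g. `ctl:ruleRemoveTargetById=942100;ARGS:<css-parameter>` (placeholder; the parameter name is not visible in this patch). If the broad scope is intentional, the comment above the rule should record which route and argument triggered 942100 so the exclusion can be tightened later.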
-- 
GitLab