# Local OWASP CRS rule-exclusion rules (ids 1000-1009) for a WordPress site.
#
# Every rule below is an exclusion: it matches a request by path and then
# uses a ctl: action to narrow (ruleRemoveTargetByTag / ruleRemoveByTag) or
# completely disable (ruleEngine=Off) inspection for that request.  Each one
# is therefore a deliberate blind spot; keep the match as narrow as possible.
#
# Reviewer notes that apply to the whole file:
# * ctl: removals only affect rules evaluated AFTER the exclusion rule.  Keep
#   this file loaded before the CRS itself (e.g. the
#   REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf slot) and note that a phase:2
#   exclusion cannot touch CRS rules that run in phase:1.
# * REQUEST_FILENAME is the request path only; REQUEST_URI also carries the
#   query string.  Both are used below; for "@beginsWith" / "@endsWith" that is
#   harmless, but "@endsWith" on REQUEST_URI would silently stop matching.
# * /wp-admin/admin-ajax.php also serves WordPress' unauthenticated
#   (wp_ajax_nopriv_*) actions, so the admin-ajax exclusions (1004, 1005)
#   apply to anonymous traffic as well, not just to logged-in editors.
# * ids 1000-1009 are in the user-local range (1-99999) the CRS leaves free;
#   1003 is unused.

# Do not inspect the 'pwd' arg of wp-login.php requests (disable all
# CRS rules).
#
# Already included in the set of exceptions when tx.crs_exclusions_wordpress=1
# is set in crs-setup.conf.
#
# NOTE(review): this disabled copy uses the tag "CRS" while every active rule
# in this file uses "OWASP_CRS".  If it is ever re-enabled, check which tag the
# installed CRS version actually puts on its rules (grep for tag:'OWASP_CRS'),
# otherwise the removal matches nothing and the password is still inspected.
#SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
#    "id:1000,\
#    phase:2,\
#    pass,\
#    nolog,\
#    ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"

# Site Health page: switch the rule engine off for the whole transaction.
#
# No phase: is given, so this runs in ModSecurity's default phase (2, unless
# SecDefaultAction says otherwise -- confirm).  ruleEngine=Off is
# transaction-wide from the point it is evaluated: the remaining request-body
# rules AND every response-phase rule are skipped for any request whose URI
# starts with this path.  A ruleRemoveTargetByTag on the specific args that
# trip the CRS would be a much smaller hole; the offending args are not known
# from this file, so that is left as a TODO.
SecRule REQUEST_URI "@beginsWith /wp-admin/site-health.php" \
    "id:1001,\
    pass,\
    nolog,\
    ctl:ruleEngine=Off"

# Theme editor: 'newcontent' is raw PHP/CSS typed by an administrator and
# would trip practically every CRS rule.  Only that one argument is exempted.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/themes.php" \
    "id:1002,\
    phase:2,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newcontent"

# Make the eventlist plugin work (SIGH for the lack of regexps).
#
# The widget form posts its fields as widget-event_list_widget[N][field]; the
# list below enumerates N = 1..5, so a sixth widget instance would be blocked
# again.  NOTE(review): ModSecurity 2.9 accepts a regex target in
# ctl:ruleRemoveTargetByTag (ARGS:/^widget-event_list_widget\[\d+\]\[...\]$/);
# libModSecurity 3.0.x had known problems with regex targets in ctl:, so verify
# on the deployed engine before collapsing this list.
# Remember this exclusion is reachable by anonymous clients (see header).
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:1004,\
    phase:2,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[1][title],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[1][cat_filter],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[1][num_events],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[1][location_length],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[2][title],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[2][cat_filter],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[2][num_events],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[2][location_length],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[3][title],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[3][cat_filter],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[3][num_events],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[3][location_length],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[4][title],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[4][cat_filter],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[4][num_events],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[4][location_length],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[5][title],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[5][cat_filter],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[5][num_events],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[5][location_length]"

# More eventlist plugin workarounds.
#
# This drops every rule tagged language-powershell (the CRS remote-command-
# execution checks for PowerShell syntax) for ALL admin-ajax requests, from any
# client, on every argument -- not just the eventlist widget fields.
# NOTE(review): a ruleRemoveTargetByTag=language-powershell;ARGS:<field> on the
# field that actually triggers it, or a chained check on ARGS:action, would
# keep the RCE rules active for the rest of admin-ajax.  Field/action name not
# known from this file.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:1005,\
    phase:2,\
    pass,\
    nolog,\
    ctl:ruleRemoveByTag=language-powershell"

# Filter out certain args (all URIs) for the pgp email plugin.
#
# "@beginsWith /" matches EVERY request, so SQLi inspection of these four
# argument names is switched off site-wide, for authenticated and anonymous
# clients alike.  'text' in particular is a generic name that other plugins,
# themes and REST endpoints are likely to use as well.
# TODO(review): restrict this to the URI(s) the pgp email plugin actually posts
# to (not identifiable from this file) so the blind spot is per-endpoint.
SecRule REQUEST_URI "@beginsWith /" \
    "id:1006,\
    phase:2,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:message_from_name,\
    ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:message_from_mail,\
    ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:message_body,\
    ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:text"

# Gutenberg-related requests.
#
# The block editor's batch endpoint sends post content as JSON; with the JSON
# body processor the nested key shows up as
# ARGS:requests.requests.body.instance.raw.content.  Only that key is exempt;
# a rule or body processor changing key flattening would silently re-enable
# the blocks (and the exclusion would no longer match anything).
SecRule REQUEST_URI "@beginsWith /wp-json/batch/v1" \
    "id:1007,\
    phase:2,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:requests.requests.body.instance.raw.content"

# Legacy text widget preview: engine fully off for this REST endpoint.
#
# Same caveats as id:1001 -- no explicit phase (default phase applies), and
# ruleEngine=Off also disables response inspection for the transaction.  The
# endpoint is part of the REST API, so the match is reachable without the
# wp-admin UI; it is only as safe as WordPress' own capability check on it.
SecRule REQUEST_URI "@beginsWith /wp-json/wp/v2/widget-types/text/encode" \
    "id:1008,\
    pass,\
    nolog,\
    ctl:ruleEngine=Off"

# Multisite network settings: the WP-Piwik (Matomo) tracking snippets are raw
# HTML/JS entered by a network admin.  Only those two option[] keys are exempt.
SecRule REQUEST_URI "@beginsWith /wp-admin/network/site-settings.php" \
    "id:1009,\
    phase:2,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:option[wp-piwik-tracking_code],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:option[wp-piwik-noscript_code]"