From 334735bc9897939ff0daf5c3dd81c8b749e5e663 Mon Sep 17 00:00:00 2001
From: franbuehler
Date: Sat, 25 Apr 2020 10:19:17 +0000
Subject: [PATCH 1/3] Fix FP issue 1615 and add word chars after header
---
 rules/REQUEST-921-PROTOCOL-ATTACK.conf | 2 +-
 .../REQUEST-921-PROTOCOL-ATTACK/921120.yaml | 21 ++++++++++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
index 68593633a..549cab436 100644
--- a/rules/REQUEST-921-PROTOCOL-ATTACK.conf
+++ b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -63,7 +63,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx [\n\r]+(?:get|post|head|options|connect|put|
 # [ References ]
 # http://projects.webappsec.org/HTTP-Response-Splitting
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):\s\w+" \
 "id:921120,\
 phase:2,\
 block,\
diff --git a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921120.yaml b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921120.yaml
index f8ce06a5e..40a4e45e1 100644
--- a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921120.yaml
+++ b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921120.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
- author: csanders-git
+ author: csanders-git, Franziska Bühler
 description: None
 enabled: true
 name: 921120.yaml
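Review bot: The suffix added to the changed `SecRule` line of rule 921120 requires the first character of the header value to be a word character, which narrows detection further than the false positive seems to need: an injected header whose value begins with `/`, a quote or any other non-word character is no longer flagged. Patches 2/3 and 3/3 keep that `\w` requirement in their own hunks. If the goal is only that some value follows the header name, ending the pattern in `:\s*\S` keeps the new 921120-3 input unmatched while still covering those values. That alternative should be re-run against the issue 1615 sample, which is not shown in this series.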
@@ -49,3 +49,22 @@
 version: HTTP/1.1
 output:
 log_contains: id "921120"
+ -
+ test_title: 921120-3
+ desc: "Fix FP issue 1615. Header followed by word chars."
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ Proxy-Connection: keep-alive
+ Referer: http
+ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
+ method: GET
+ port: 80
+ uri: "/file.jsp?somevar=%0A%0Dlocation:%0A%0D"
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "921120"
From 839f84d8afdbf3941cb31b0d6c423284572ee689 Mon Sep 17 00:00:00 2001
From: franbuehler
Date: Sat, 25 Apr 2020 10:23:45 +0000
Subject: [PATCH 2/3] Fix FP issue 1615 and add word chars after header
---
 rules/REQUEST-921-PROTOCOL-ATTACK.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
index 549cab436..2247bc5cf 100644
--- a/rules/REQUEST-921-PROTOCOL-ATTACK.conf
+++ b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -63,7 +63,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx [\n\r]+(?:get|post|head|options|connect|put|
 # [ References ]
 # http://projects.webappsec.org/HTTP-Response-Splitting
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):\s\w+" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):\s*\w+" \
 "id:921120,\
 phase:2,\
 block,\
From fb476562f248cb7faadad7e3298e47fe8964685a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franziska=20B=C3=BChler?=
Date: Tue, 5 May 2020 10:57:41 +0200
Subject: [PATCH 3/3] Delete + sign after word character
---
 rules/REQUEST-921-PROTOCOL-ATTACK.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
index 2247bc5cf..41f857b4b 100644
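Review bot: Test 921120-3 pins only the non-matching case, and its `desc` says the opposite of what the input exercises: the `uri` has `location:` followed by line breaks and no word characters, so something like `desc: "FP issue 1615: header name with no value must not match"` would describe it accurately. Nothing added in this hunk pins that the tightened pattern still fires when a value does follow the header name. The earlier 921120-1 and 921120-2 cases lie outside the hunk and may cover a value after a single space. A sibling case with `log_contains: id "921120"` and a value placed directly after the colon would have caught the `\s` versus `\s*` difference that patch 2/3 corrects.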
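Review bot: `\s*` in the new pattern also consumes CR and LF, so rule 921120 still matches when the header name ends one line and a word character only appears on a following line; whether that shape occurs in the issue 1615 traffic cannot be told from this patch. Restricting the gap to horizontal whitespace, `location):[ \t]*\w`, ties the value to the header's own line and leaves the 921120-3 input unmatched. The trade-off is that a value continued on a folded line would no longer be seen, so the choice deserves a sentence in the rule's comment block. The same `\s*` is carried into the patch 3/3 hunk.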
--- a/rules/REQUEST-921-PROTOCOL-ATTACK.conf
+++ b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -63,7 +63,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx [\n\r]+(?:get|post|head|options|connect|put|
 # [ References ]
 # http://projects.webappsec.org/HTTP-Response-Splitting
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):\s*\w+" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):\s*\w" \
 "id:921120,\
 phase:2,\
 block,\