
False positives with Ruby leakage (956110) #4343

@azurit

Description


I'm experiencing lots of false positives with rule 956110, which is blocking strings #{...}. This format is used by various JavaScript templating engines (for example Pug) and is adopted by lots of custom JavaScript software (for example Horde/IMP or Zabbix GUI).

How to reproduce the misbehavior (-> curl call)

Put one of these into output:

#{usrgrpid}
#{time}

Your Environment

  • CRS version (e.g., v3.3.4): 4.20.0
  • Paranoia level setting (e.g. PL1) : PL1
  • ModSecurity version (e.g., 2.9.6): 2.9
  • Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): Apache
  • Operating System and version: Debian 11

Confirmation

[x] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
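A defender dealing with this false positive would normally not disable rule 956110 globally, because it exists to catch Ruby string-interpolation leaking into responses; the usual CRS approach is a runtime exclusion scoped to the application whose output legitimately contains #{...}. The snippet below is an added example of such an exclusion and is not part of the issue or of the CRS project; the URI prefixes (/zabbix/ and /horde/) and the local rule ids 1000 and 1001 are assumptions chosen for illustration and must be adapted to the actual deployment. It belongs in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (the file CRS loads before its own rules), since ctl: actions take effect only for rules evaluated after them in the same transaction.

```apache
# Added example (not CRS project code): suppress the Ruby leakage rule 956110
# only for applications known to emit #{...} in their JavaScript templates.
# Paths below are assumptions; adjust them to the real application locations.

# Zabbix frontend (assumed mounted under /zabbix/)
SecRule REQUEST_URI "@beginsWith /zabbix/" \
    "id:1000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=956110"

# Horde / IMP webmail (assumed mounted under /horde/)
SecRule REQUEST_URI "@beginsWith /horde/" \
    "id:1001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=956110"
```

Because the exclusion is keyed on the request URI in phase 1, the rule stays active for every other path, so a real Ruby interpolation leak elsewhere on the host is still detected. Check the audit log after deploying to confirm that 956110 no longer fires for the excluded applications and that no other rule in the 956 group is now producing the same false positive.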
