coreruleset · fzipi · Mar 10, 2026 · Mar 1, 2026 · Mar 1, 2026 · Mar 1, 2026
diff --git a/regex-assembly/931100.ra b/regex-assembly/931100.ra
@@ -0,0 +1,9 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!^ ^(file|ftps?|https?|ssh)
+##!^ ://
+\[?[a-f0-9]+:[a-f0-9:]+\]?
+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
diff --git a/regex-assembly/931110.ra b/regex-assembly/931110.ra
@@ -0,0 +1,15 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!$ =(?:file|ftps?|https?)://
+
+\binclude\s*\([^)]*
+mosConfig_absolute_path
+_CONF\[path\]
+_SERVER\[DOCUMENT_ROOT\]
+GALLERY_BASEDIR
+path\[docroot\]
+appserv_root
+config\[root_dir\]
diff --git a/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
@@ -39,7 +39,12 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'O
 # http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
 # https://datatracker.ietf.org/doc/html/rfc2732
 #
-SecRule ARGS|XML:/* "@rx (?i)^(file|ftps?|https?|ssh)://(?:\[?[a-f0-9]+:[a-f0-9:]+\]?|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
+# Regular expression generated from regex-assembly/931100.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 931100
+#
+SecRule ARGS|XML:/* "@rx (?i)^(f(?:ile|tps?)|https?|ssh)://(?:\[?[0-9a-f]+:[0-:a-f]+\]?|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" \
     "id:931100,\
     phase:2,\
     block,\
@@ -60,7 +65,12 @@ SecRule ARGS|XML:/* "@rx (?i)^(file|ftps?|https?|ssh)://(?:\[?[a-f0-9]+:[a-f0-9:
     setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
-SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?)://" \
+# Regular expression generated from regex-assembly/931110.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 931110
+#
+SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude[\s\x0b]*\([^\)]*|mosConfig_absolute_path|(?:_(?:CONF\[path|SERVER\[DOCUMENT_ROOT)|path\[docroot|config\[root_dir)\]|GALLERY_BASEDIR|appserv_root)=(?:f(?:ile|tps?)|https?)://" \
     "id:931110,\
     phase:2,\
     block,\