Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required #2021

Closed
dwreski opened this issue Feb 9, 2019 · 1 comment
dwreski commented Feb 9, 2019

Describe the bug
For unknown reasons, we're seeing "access denied" errors with mod_security-2.9.2-5 on Fedora 28.

A clear and concise description of what the bug is.
[Fri Feb 08 22:06:50.144344 2019] [:error] [pid 11255:tid 140146947102464] [client 151.106.0.210:54982] [client 151.106.0.210] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "35"] [id "200003"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "linuxsecurity.com"] [uri "/index.php"] [unique_id "XF5Dyf3kxTYC2M5TGQgxsAAAANU"], referer: https://linuxsecurity.com/index.php?option=com_content&task=new&sectionid=9&itemid=0

Logs and dumps

Output of:

  1. DebugLogs (level 9)
  2. AuditLogs
  3. Error logs
  4. If there is a crash, the core dump file.

Notice: Be careful not to leak any confidential information.

To Reproduce
I don't know how to reproduce.

Steps to reproduce the behavior:

A curl command line that mimics the original request and reproduces the problem. Or a ModSecurity v3 test case.

[e.g: curl "modsec-full/ca/..\..\..\..\..\..\/\etc/\passwd" or issue-394.json]

Expected behavior
This appears to be related to issue #1804, but that was reported to be fixed.

A clear and concise description of what you expected to happen.

Server (please complete the following information):

  • ModSecurity version (and connector): [e.g. ModSecurity v3.0.1 with nginx-connector v1.0.0]
  • WebServer: [e.g. nginx-1.15.5]
  • OS (and distro): [e.g. Linux, archlinux]

mod_security-2.9.2-5.fc28.x86_64
httpd-2.4.34-3.fc28.x86_64
Fedora release 28 (Twenty Eight)
Linux defiant.example.com 4.20.5-100.fc28.x86_64 #1 SMP Mon Jan 28 19:29:44 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Rule Set (please complete the following information):

  • Running any public or commercial rule set? [e.g. SpiderLabs commercial rules]
  • What is the version number? [e.g. 2018-08-11]
    Only default configuration

Additional context
The lines from my current mod_security that appear to be related:

SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

Add any other context about the problem here.
This is with httpd-2.4.34-3.fc28.x86_64

victorhora self-assigned this Feb 9, 2019
victorhora added the "2.x Related to ModSecurity version 2.x" label Feb 9, 2019
victorhora added this to the v2.9.4 milestone Feb 9, 2019
@victorhora
Contributor

@dwreski this seems like a false positive or maybe a request that doesn't follow the RFC. This should not be an issue with libModSecurity (aka v3.0). 7def498 Please consider upgrading or disabling the rule.

If the issue persists, please provide the exact request (request line, request headers, request body) that triggers the issue and let us know and we can reopen it for further investigation. Thanks.
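
A triage helper for collecting the request asked for above, added here as an example and not taken from the thread or from ModSecurity's code. It lists the lines of a captured multipart body that begin with `--` but are not the boundary declared in `Content-Type`. Treating such lines as the likely trigger for rule 200003 is an assumption (a simplified heuristic, not ModSecurity's parser logic); the function names and the sample request are constructed for illustration.

```python
import re

def declared_boundary(content_type):
    """Return the boundary parameter of a multipart Content-Type, or None."""
    m = re.search(r'boundary=(?:"([^"]+)"|([^;\s]+))', content_type, re.I)
    return (m.group(1) or m.group(2)) if m else None

def suspicious_lines(content_type, body):
    """Return (line_no, text) for body lines that start with '--' but are
    neither the declared delimiter nor the closing delimiter.
    Assumed heuristic for triage only, not ModSecurity's own algorithm."""
    boundary = declared_boundary(content_type)
    if boundary is None:
        raise ValueError("no boundary parameter in Content-Type")
    delim = b"--" + boundary.encode("latin-1")
    hits = []
    for no, line in enumerate(body.split(b"\n"), start=1):
        line = line.rstrip(b"\r")
        if line.startswith(b"--") and line not in (delim, delim + b"--"):
            hits.append((no, line.decode("latin-1")))
    return hits

# Constructed sample: a form post whose text field contains an e-mail style
# signature separator ("-- "), which looks like the start of a boundary.
SAMPLE_CT = "multipart/form-data; boundary=----FormBoundaryABC123"
SAMPLE_BODY = (
    b"------FormBoundaryABC123\r\n"
    b'Content-Disposition: form-data; name="introtext"\r\n'
    b"\r\n"
    b"Release notes\r\n"
    b"-- \r\n"
    b"The editors\r\n"
    b"------FormBoundaryABC123\r\n"
    b'Content-Disposition: form-data; name="task"\r\n'
    b"\r\n"
    b"save\r\n"
    b"------FormBoundaryABC123--\r\n"
)

if __name__ == "__main__":
    for no, text in suspicious_lines(SAMPLE_CT, SAMPLE_BODY):
        print(f"line {no}: {text!r}")
```

Run it against the request body recorded in the audit log for the `unique_id` shown in the error line to see which submitted content resembles a boundary.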
