specify a floating point range using regular expression

Question

I need an regular expression to check whether a particular argument is in a floating point range.For ex i want the Param only in the range 0.01 to 999.9 . I have configured the below rule ,but it fails to work .

SecRule ARGS:Param "![0.01-999.9]" "deny,id:2200"

If the value of param is say 1000 it gets rejected which is correct , if the value of Param is 0 then its being accepted which should not be the case .Please let me know the exact way of configuring the regular expression for the same.

Regexs weren't designed to solve such problems, unfortunately! — devnull, Sep 17 '13 at 10:08
BTW, `1-9` is interpreted as a character class. `.` is interpreted as a single character. So it's not tough to figure why something is working. — devnull, Sep 17 '13 at 10:09
mod_security does pattern matching with regexes , and the action is performed after matching the regex . — Santhosh Pai, Sep 17 '13 at 10:13

score 2 · Accepted Answer · answered Sep 17 '13 at 10:31

this sounds like a buisness logic rule - something that should be done in the server logic, not by mod_security, but anyways:

Floating point numbers in the range [0..999.9] are numbers that

start with an optional sequence of zeroes (you may or may not allow that)
followed by at most three digits, first of which is not zero
optionally followed by a dot and nothing but digits (you may require there be at least one digit the last digit to be nonzero)
except numbers that start with 999.9 and said optional zeroes
except 999.9 itself is allowed (if the range is inclusive from the right)

the least restrictive variant, compiled into a regex:

^0*(?:(?!999\.9\d*$)\d{0,3}(?:\.\d*)?|999\.0*)$

^ - start of string (not sure if it's added by mod-security)
0* - 0-n zeroes
(?:...) - non-capturing group
- (?!...) - if not followed by...
  - 999.\9 - the literal 999.9,
  - \d* - 0-n digits and
  - $ - the end of string
- \d - digit
- {0,3} - zero to three times
- (?:...) - non-capturing group
  - \. - literal .
  - \d* - 0-n digits
- ? - optional
- | - or
- 999\.9 - 999.9 itself
- 0* - optional zeroes
$ - the end of string

score 1 · Answer 2 · answered Sep 17 '13 at 10:32

(^0\.0?[1-9]\d*|^[1-9]{1,3}\.\d+)

The first match alternative matches wanted numbers smaller one, the second if one or larger but smaller than one thousand. Does not match numbers not containing a dot, and does match numbers like 999.999, but only if smaller than one thousand (that's what you need I guess).

specify a floating point range using regular expression

2 Answers2