
I have some image files with foreign characters in their dir and file name, like Á or ü, and apache/mod_security is answering with Error 406 - Not acceptable when pointing a browser to those files.

Is there a way to let the server show those files, without making the site insecure?

edit: after checking error_log and modsec2.user.conf, the rule being triggered is

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
"@validateUtf8Encoding" \
"deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'1234123439',severity:'4'"

Thanks

Henry

1 Answer


Can you give some more information as to what the log file says? Which rule is blocking the request?

Edit:

@validateUtf8Encoding ensures that everything being checked (in your case: REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer) is valid UTF-8.

Also see: ModSecurity Handbook

Now I assume that a parameter in your request is not UTF-8 encoded but maybe ISO-Latin-1. For example see this post where the parameter "con" (id=9&con=m%FCllrose&x=0&y=0) contains %FC which is the valid code for ISO-8859-1, but not UTF-8. In this case the answer was "This rule is wrongly assuming UTF-8 and causing a false positive. It should be disabled."

I guess you can either disable the rule or modify your request to make sure that it only contains UTF-8 characters.

Note: It would have been even better if you had posted the entry from the error log. Then we could have seen which part of the request actually violates the rule.

Ronald
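To find which part of a blocked request fails the UTF-8 check described in the answer above, the following added example (not part of the original question or answer, and not ModSecurity code) percent-decodes the path and each query parameter and reports the first byte that is not well-formed UTF-8. Python's strict UTF-8 decoder stands in for the `@validateUtf8Encoding` operator, the Latin-1 reading is an assumption about what the client sent, and the two `/img/...` paths are constructed samples.

```python
from urllib.parse import urlsplit, unquote_to_bytes, quote


def check(where, raw, safe=""):
    """Return a finding dict if percent-decoded `raw` is not well-formed UTF-8."""
    data = unquote_to_bytes(raw)
    try:
        data.decode("utf-8")  # strict: rejects stray bytes such as 0xFC
        return None
    except UnicodeDecodeError as exc:
        guess = data.decode("latin-1")  # assumption: client sent ISO-8859-1
        return {
            "where": where,
            "raw": raw,
            "bad_byte": f"0x{data[exc.start]:02X}",
            "as_latin1": guess,
            "utf8_encoded": quote(guess, safe=safe),
        }


def find_invalid_utf8(uri):
    """Check the path and each query name/value of a request URI."""
    parts = urlsplit(uri)
    findings = [check("REQUEST_FILENAME", parts.path, safe="/")]
    for pair in filter(None, parts.query.split("&")):
        name, _, value = pair.partition("=")
        findings.append(check("ARGS_NAMES", name))
        findings.append(check(f"ARGS:{name}", value))
    return [f for f in findings if f]


if __name__ == "__main__":
    samples = [
        "/search?id=9&con=m%FCllrose&x=0&y=0",  # query string quoted in the answer
        "/img/%C1lbum/f%FCr.jpg",               # constructed: Latin-1 bytes in path
        "/img/%C3%81lbum/f%C3%BCr.jpg",         # constructed: same name as UTF-8
    ]
    for uri in samples:
        hits = find_invalid_utf8(uri)
        print(uri, "->", "valid UTF-8" if not hits else "")
        for h in hits:
            print(f"  {h['where']}: byte {h['bad_byte']} in {h['raw']!r}; "
                  f"as Latin-1 {h['as_latin1']!r}, UTF-8 form {h['utf8_encoded']}")
```

The `utf8_encoded` value is the form a link or file name would need for the request to pass the rule unchanged.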