|20| is seen as word separator in @pm #921

Closed
marcstern opened this issue Aug 14, 2015 · 1 comment

Comments

@marcstern

We expect "@pm this|20|is|20|a|20|sentence" to not choke on "this is me", but it does because |20| is replaced by a space before parsing for the token delimiter.

@victorhora victorhora self-assigned this Sep 28, 2018
@victorhora victorhora added this to the v2.9.3 milestone Oct 1, 2018
@victorhora
Contributor

I believe you could work around the behaviour of the @pm with spaces by using some of the transformations.

For instance, if you use t:urlEncode:

[153843572027.656732] [] [4] Starting phase URI. (SecRules 0 + 1/2)
[153843572027.656732] [/?pm=this%20is%20me] [4] Adding request argument (GET): name "pm", value "this is me"
[153843572027.656732] [/?pm=this%20is%20me] [4] Starting phase REQUEST_HEADERS.  (SecRules 1)
[153843572027.656732] [/?pm=this%20is%20me] [9] This phase consists of 1 rule(s).
[153843572027.656732] [/?pm=this%20is%20me] [4] (Rule: 25) Executing operator "Pm" with param "this+is+a+sentence" against ARGS:pm.
[153843572027.656732] [/?pm=this%20is%20me] [9]  T (0) t:urlEncode: "this+is+me"
[153843572027.656732] [/?pm=this%20is%20me] [9] Target value: "this+is+me" (Variable: ARGS:pm)
[153843572027.656732] [/?pm=this%20is%20me] [4] Rule returned 0.
[153843572027.656732] [/?pm=this%20is%20me] [9] Matched vars cleaned.
[153843572027.656732] [/?pm=this%20is%20me] [4] Starting phase REQUEST_BODY. (SecRules 2)
[153843572027.656732] [/?pm=this%20is%20me] [9] This phase consists of 0 rule(s).
[153843572027.656732] [/?pm=this%20is%20me] [4] Starting phase RESPONSE_HEADERS. (SecRules 3)
[153843572027.656732] [/?pm=this%20is%20me] [9] This phase consists of 0 rule(s).
[153843572027.656732] [/?pm=this%20is%20me] [9] Appending response body: 8 bytes. Limit set to: 524288.000000
[153843572027.656732] [/?pm=this%20is%20me] [4] Starting phase RESPONSE_BODY. (SecRules 4)
[153843572027.656732] [/?pm=this%20is%20me] [9] This phase consists of 0 rule(s).
[153843572027.656732] [/?pm=this%20is%20me] [4] Starting phase LOGGING. (SecRules 5)
[153843572027.656732] [/?pm=this%20is%20me] [9] This phase consists of 0 rule(s).
[153843572027.656732] [/?pm=this%20is%20me] [8] Checking if this request is suitable to be saved as an audit log.
[153843572027.656732] [/?pm=this%20is%20me] [8] Checking if this request is relevant to be part of the audit logs.
[153843572027.656732] [/?pm=this%20is%20me] [5] Saving this request as part of the audit logs.
[153843572027.656732] [/?pm=this%20is%20me] [8] Request was relevant to be saved. Parts: 6014


[153843572787.646925] [] [4] Initializing transaction
[153843572787.646925] [] [4] Transaction context created.
[153843572787.646925] [] [4] Starting phase CONNECTION. (SecRules 0)
[153843572787.646925] [] [9] This phase consists of 0 rule(s).
[153843572787.646925] [] [4] Starting phase URI. (SecRules 0 + 1/2)
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [4] Adding request argument (GET): name "pm", value "this is a sentence"
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [4] Starting phase REQUEST_HEADERS.  (SecRules 1)
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [9] This phase consists of 1 rule(s).
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [4] (Rule: 25) Executing operator "Pm" with param "this+is+a+sentence" against ARGS:pm.
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [9]  T (0) t:urlEncode: "this+is+a+sentence"
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [9] Target value: "this+is+a+sentence" (Variable: ARGS:pm)
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [9] Matched vars updated.
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [4] Running [independent] (non-disruptive) action: log
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [9] Saving transaction to logs
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [4] Rule returned 1.
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [4] Running (disruptive)     action: deny
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [8] Running action deny
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [4] Running (non-disruptive) action: auditlog
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [8] Skipping this phase as this request was already intercepted.
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [4] Starting phase RESPONSE_HEADERS. (SecRules 3)
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [9] This phase consists of 0 rule(s).
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [9] Appending response body: 116 bytes. Limit set to: 524288.000000
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [9] Appending response body: 170 bytes. Limit set to: 524288.000000
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [4] Starting phase RESPONSE_BODY. (SecRules 4)
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [9] This phase consists of 0 rule(s).
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [4] Starting phase LOGGING. (SecRules 5)
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [9] This phase consists of 0 rule(s).
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [8] Checking if this request is suitable to be saved as an audit log.
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [8] Checking if this request is relevant to be part of the audit logs.
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [5] Saving this request as part of the audit logs.
[153843572787.646925] [/?pm=this%20is%20a%20sentence] [8] Request was relevant to be saved. Parts: 6014

Anyways I will be closing this one in favour of #682 and #1167.

Thanks for the report.
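An added model (not ModSecurity's own parser) of the two behaviours this thread shows: the @pm phrase list losing its |20| escapes to the whitespace split, and the t:urlEncode workaround from the comment above that keeps the phrase in one piece because both the rule parameter and the transformed argument carry '+' instead of spaces. The `decode_first=False` path is only there to illustrate the cause and is not the project's fix; `t_url_encode` is a constructed stand-in for the real transformation.

```python
import re
from urllib.parse import quote_plus

# |xx| escapes as ModSecurity accepts them in operator parameters (|20| = space).
_HEX_ESCAPE = re.compile(r"\|([0-9A-Fa-f]{2})\|")


def decode_escapes(text: str) -> str:
    """Replace every |xx| escape with the character it encodes."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def parse_pm_phrases(param: str, decode_first: bool = True) -> list[str]:
    """Constructed model of @pm phrase-list parsing, not the project's code.

    decode_first=True reproduces the order the issue describes: |20| becomes a
    space before the whitespace split, so one phrase falls apart into words.
    decode_first=False splits first and decodes each token, which keeps the
    phrase whole; it only illustrates the cause.
    """
    if decode_first:
        return decode_escapes(param).split()
    return [decode_escapes(tok) for tok in param.split()]


def pm_match(phrases: list[str], target: str) -> bool:
    """@pm in miniature: case-insensitive, any phrase as a substring hits."""
    t = target.lower()
    return any(p.lower() in t for p in phrases)


def t_url_encode(value: str) -> str:
    """Stand-in for t:urlEncode as the logs show it: spaces become '+'."""
    return quote_plus(value)


def evaluate(param: str, value: str, transforms=(), decode_first: bool = True) -> bool:
    """Apply the transformation chain to the argument value, then run @pm."""
    for t in transforms:
        value = t(value)
    return pm_match(parse_pm_phrases(param, decode_first), value)


if __name__ == "__main__":
    buggy = "this|20|is|20|a|20|sentence"
    print(parse_pm_phrases(buggy))                  # ['this', 'is', 'a', 'sentence']
    print(evaluate(buggy, "this is me"))            # True: the false positive
    fixed = "this+is+a+sentence"                    # workaround from the comment
    print(evaluate(fixed, "this is me", (t_url_encode,)))          # False
    print(evaluate(fixed, "this is a sentence", (t_url_encode,)))  # True
```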
