From 402f942d54084fa537ca7b00cafe4a3077f694b7 Mon Sep 17 00:00:00 2001
From: Jonathan Berrewaerts
Date: Wed, 18 Mar 2026 16:06:19 +0100
Subject: [PATCH 1/2] Return 400 in case of parsing error
---
 apache2/apache2_io.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/apache2/apache2_io.c b/apache2/apache2_io.c
index 8deeb01c9a..33788ab531 100644
--- a/apache2/apache2_io.c
+++ b/apache2/apache2_io.c
@@ -354,6 +354,9 @@ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) {
 if (rcbe == -5) {
 return HTTP_REQUEST_ENTITY_TOO_LARGE;
 }
+ if (rcbe == -2) {
+ return HTTP_BAD_REQUEST;
+ }
 if (rcbe < 0) {
 return HTTP_INTERNAL_SERVER_ERROR;
 }
From 46ad3cf9b092cd8f1a1753417cc6420e8fc68b50 Mon Sep 17 00:00:00 2001
From: Jonathan Berrewaerts
Date: Thu, 23 Apr 2026 09:51:46 +0200
Subject: [PATCH 2/2] return -2 when leads to status 400, -1 when leads to status 500
---
 apache2/msc_reqbody.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/apache2/msc_reqbody.c b/apache2/msc_reqbody.c
index e00a4fc3fb..71f0a65045 100644
--- a/apache2/msc_reqbody.c
+++ b/apache2/msc_reqbody.c
@@ -710,7 +710,7 @@ apr_status_t modsecurity_request_body_end(modsec_rec *msr, char **error_msg) {
 if (msr->txcfg->debuglog_level >= 4) {
 msr_log(msr, 4, "%s", *error_msg);
 }
- return -1;
+ return -2;
 }

 if (multipart_get_arguments(msr, "BODY", msr->arguments) < 0) {
@@ -718,7 +718,7 @@ apr_status_t modsecurity_request_body_end(modsec_rec *msr, char **error_msg) {
 msr->msc_reqbody_error = 1;
 msr->msc_reqbody_error_msg = *error_msg;
 msr_log(msr, 2, "%s", *error_msg);
- return -1;
+ return -2;
 }
 }
 else if (strcmp(msr->msc_reqbody_processor, "JSON") == 0) {
@@ -728,7 +728,7 @@ apr_status_t modsecurity_request_body_end(modsec_rec *msr, char **error_msg) {
 msr->msc_reqbody_error = 1;
 msr->msc_reqbody_error_msg = *error_msg;
 msr_log(msr, 2, "%s", *error_msg);
- return -1;
+ return -2;
 }
 #else
 *error_msg = apr_psprintf(msr->mp, "JSON support was not enabled");
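Review bot: The new `if (rcbe == -2)` branch in read_request_body (apache2/apache2_io.c) depends on a bare literal whose meaning is only established by the second patch in msc_reqbody.c, and it sits next to an equally unexplained `-5`. A shared named constant, or at least a comment such as `/* -2: request body could not be parsed; reject as a client error. Must stay above the rcbe < 0 catch-all. */`, would keep the two files from drifting apart. The function starts and ends outside the hunk, so it cannot be confirmed from here whether `*error_msg` is logged before the 400 is returned, or whether any other source of `rcbe` already uses -2 with a different meaning.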
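Review bot: In modsecurity_request_body_end (apache2/msc_reqbody.c), the first `return -2` site, in the @@ -710 hunk, records the failure only at level 4 behind `debuglog_level >= 4`, whereas the three other sites changed by this patch (hunks at 718, 728 and 748) call `msr_log(msr, 2, ...)`. Since -2 now becomes a 400 sent to the client, a malformed body rejected on this path may leave no record at lower debug-log levels, which makes it harder to tell evasion attempts from broken clients during triage. Consider `msr_log(msr, 2, "%s", *error_msg);` here as well, unless the level-4 gating is deliberate. The condition guarding this branch is outside the hunk.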
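Review bot: The `#else` context right after the changed `return -2` in the @@ -728 hunk of modsecurity_request_body_end handles a build without JSON support, which is a server-side condition rather than a malformed request. Its return statement lies outside the hunk; it should stay `return -1;` so that case still maps to 500 and is not reported to the client as a 400. A short comment above the function stating what -1 and -2 mean would make that split explicit for future edits.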
@@ -748,7 +748,7 @@ apr_status_t modsecurity_request_body_end(modsec_rec *msr, char **error_msg) {
 msr->msc_reqbody_error = 1;
 msr->msc_reqbody_error_msg = *error_msg;
 msr_log(msr, 2, "%s", *error_msg);
- return -1;
+ return -2;
 }
 }
 } else if (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_OFF) {