From dcef82b79793ff381df061193a712414c594d230 Mon Sep 17 00:00:00 2001 From: Adrian Chuck Date: Wed, 22 May 2024 10:03:57 +0200 Subject: [PATCH 1/6] fix: split restricted headers to work with crs 4.2 --- README.md | 3 ++- docker-compose.yaml | 3 ++- src/opt/modsecurity/activate-rules.sh | 11 ++++++++--- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index faf9e3f3..631bd3b9 100644 --- a/README.md +++ b/README.md @@ -297,7 +297,8 @@ All these variables impact in configuration directives in the modsecurity engine | MAX_NUM_ARGS | An integer indicating the max_num_args (Default: `unlimited`) | | PARANOIA | An integer indicating the paranoia level (Default: `1`) | | RESTRICTED_EXTENSIONS | A string indicating the restricted_extensions (Default: `.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/`) | -| RESTRICTED_HEADERS | A string indicating the restricted_headers (Default: `/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/`) | +| RESTRICTED_HEADERS_BASIC | A string indicating the restricted_headers_basic (Default: `/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/`) | +| RESTRICTED_HEADERS_EXTENDED | A string indicating the restricted_headers_extended (Default: `/accept-charset/`) | | STATIC_EXTENSIONS | A string indicating the static_extensions (Default: `/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/`) | | TOTAL_ARG_LENGTH | An integer indicating the total_arg_length (Default: `unlimited`) | | VALIDATE_UTF8_ENCODING | A boolean indicating the crs_validate_utf8_encoding (Default: `0`) | 
diff --git a/docker-compose.yaml b/docker-compose.yaml index e1bd73ee..26951aa8 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -50,7 +50,8 @@ x-defaults: &default-settings # ALLOWED_REQUEST_CONTENT_TYPE_CHARSET: 'utf-8|iso-8859-1|iso-8859-15|windows-1252' # ALLOWED_HTTP_VERSIONS: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 # RESTRICTED_EXTENSIONS: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/ - # RESTRICTED_HEADERS: /accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ + # RESTRICTED_HEADERS_BASIC: /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ + # RESTRICTED_HEADERS_EXTENDED: /accept-charset/ # STATIC_EXTENSIONS: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/ ####################################################### diff --git a/src/opt/modsecurity/activate-rules.sh b/src/opt/modsecurity/activate-rules.sh index 3dc797ba..a88e1509 100755 --- a/src/opt/modsecurity/activate-rules.sh +++ b/src/opt/modsecurity/activate-rules.sh 
@@ -59,9 +59,14 @@ if [ -n "${RESTRICTED_EXTENSIONS}" ]; then sed -z -E -i 's|#SecAction[^"]+"id:900240.*\x27tx\.restricted_extensions=[[:lower:][:space:]./]*\/\x27\"|SecAction \\\n \"id:900240, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.restricted_extensions='"${RESTRICTED_EXTENSIONS}"'\x27\"|' "${setup_conf_path}" fi -# Forbidden request headers. -if [ -n "${RESTRICTED_HEADERS}" ]; then - sed -z -E -i 's|#SecAction[^"]+"id:900250.*\x27tx\.restricted_headers=[[:lower:][:space:]/-]*\x27\"|SecAction \\\n \"id:900250, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.restricted_headers='"${RESTRICTED_HEADERS}"'\x27\"|' "${setup_conf_path}" +# Forbidden request headers basic. +if [ -n "${RESTRICTED_HEADERS_BASIC}" ]; then + sed -z -E -i 's|#SecAction[^"]+"id:900250.*\x27tx\.restricted_headers_basic=[[:lower:][:space:]/-]*\x27\"|SecAction \\\n \"id:900250, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.restricted_headers_basic='"${RESTRICTED_HEADERS_BASIC}"'\x27\"|' "${setup_conf_path}" +fi + +# Forbidden request headers extended. +if [ -n "${RESTRICTED_HEADERS_EXTENDED}" ]; then + sed -z -E -i 's|#SecAction[^"]+"id:900255.*\x27tx\.restricted_headers_extended=[[:lower:][:space:]/-]*\x27\"|SecAction \\\n \"id:900255, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.restricted_headers_extended='"${RESTRICTED_HEADERS_EXTENDED}"'\x27\"|' "${setup_conf_path}" fi # File extensions considered static files. From 18fc671cc15959c34b436eeeb2919bbae452ac0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felipe=20Zipitr=C3=ADa?= <3012076+fzipi@users.noreply.github.com> Date: Wed, 22 May 2024 09:33:08 -0300 Subject: [PATCH 2/6] fix: use correct branch for tests --- .github/workflows/verifyimage.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml index c7b6bea7..2abe4c04 100644 
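Review bot: The old `RESTRICTED_HEADERS` branch is removed without any fallback, so a deployment that still sets that variable now has its value ignored with no message and rule 900250 is presumably left at the CRS default. A short notice after the two new blocks would make that visible on upgrade: `if [ -n "${RESTRICTED_HEADERS}" ]; then` / `  printf 'RESTRICTED_HEADERS is no longer used; set RESTRICTED_HEADERS_BASIC and/or RESTRICTED_HEADERS_EXTENDED\n' >&2` / `fi`. The README table in this same patch drops the old row outright, so the same deprecation note belongs there as well. Separately, both new `sed` calls splice the variable into the replacement text unescaped, as the neighbouring RESTRICTED_EXTENSIONS block already does, so a `|`, `&` or `\` in the value breaks or alters the rewrite; escaping those three characters first (e.g. passing the value through `sed -e 's/[\\&|]/\\&/g'` into a local) would keep the operator-supplied string literal.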
--- a/.github/workflows/verifyimage.yml +++ b/.github/workflows/verifyimage.yml @@ -3,9 +3,7 @@ name: Verify Images on: pull_request: branches: - - master - - develop - + - main env: REPO: "owasp/modsecurity-crs" # sha256sum format: From 462594b67fe41896e5385616b1cfc466f020c957 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 24 May 2024 17:55:33 +0000 Subject: [PATCH 3/6] chore(deps): update dependency coreruleset/coreruleset to v4.3.0 in readme.md --- README.md | 6 +++--- docker-bake.hcl | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 631bd3b9..05dba6af 100644 --- a/README.md +++ b/README.md 
@@ -44,12 +44,12 @@ Examples: ## OS Variants -* nginx – *latest stable ModSecurity v3 on Nginx 1.26.0 official stable base image, and latest stable OWASP CRS 4.2.0* +* nginx – *latest stable ModSecurity v3 on Nginx 1.26.0 official stable base image, and latest stable OWASP CRS 4.3.0* * [nginx](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile) * [nginx-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) -* Openresty - *last stable ModSecurity v3 on OpenResty 1.25.3.1 official stable base image, and latest stable OWASP CRS 4.2.0* +* Openresty - *last stable ModSecurity v3 on OpenResty 1.25.3.1 official stable base image, and latest stable OWASP CRS 4.3.0* * [openresty-alpine-fat](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/openresty/Dockerfile-alpine) -* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.59 official stable base image, and latest stable OWASP CRS 4.2.0* +* Apache httpd – *last stable ModSecurity v2 on Apache 2.4.59 official stable base image, and latest stable OWASP CRS 4.3.0* * [apache](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile) * [apache-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/apache/Dockerfile-alpine) diff --git a/docker-bake.hcl b/docker-bake.hcl index 7bd0a9ac..bbbc6dfa 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -11,7 +11,7 @@ variable "modsec2-version" { variable "crs-version" { # renovate: depName=coreruleset/coreruleset datasource=github-releases - default = "4.2.0" + default = "4.3.0" } variable "nginx-version" { From 6f64ccd9a87403f38b26684ee45510121734b703 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 3 Jun 2024 00:25:41 +0000 Subject: [PATCH 4/6] chore(deps): update nginxinc/nginx-unprivileged docker tag to v1.27.0 in readme.md --- README.md | 2 +- docker-bake.hcl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 05dba6af..e20f3503 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,7 @@ Examples: ## OS Variants -* nginx – *latest stable ModSecurity v3 on Nginx 1.26.0 official stable base image, and latest stable OWASP CRS 4.3.0* +* nginx – *latest stable ModSecurity v3 on Nginx 1.27.0 official stable base image, and latest stable OWASP CRS 4.3.0* * [nginx](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile) * [nginx-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine) * Openresty - *last stable ModSecurity v3 on OpenResty 1.25.3.1 official stable base image, and latest stable OWASP CRS 4.3.0* diff --git a/docker-bake.hcl b/docker-bake.hcl index bbbc6dfa..f937e67a 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -16,7 +16,7 @@ variable "crs-version" { variable "nginx-version" { # renovate: depName=nginxinc/nginx-unprivileged datasource=docker - default = "1.26.0" + default = "1.27.0" } variable "httpd-version" { From 1bbc582947e8c0c54cbc33e2689e4b9195f421f7 Mon Sep 17 00:00:00 2001 From: Jean-Kevin KPADEY Date: Sat, 8 Jun 2024 14:37:45 +0200 Subject: [PATCH 5/6] Fix permissions on /tmp/modsecurity directory on Apache image Following #227, http user cannot read or write /tmp/modsecurity. Added /tmp/modsecurity to the list of directories owned by httpd --- apache/Dockerfile | 1 + apache/Dockerfile-alpine | 1 + 2 files changed, 2 insertions(+) diff --git a/apache/Dockerfile b/apache/Dockerfile index 91a6f4a0..93854e84 100644 --- a/apache/Dockerfile +++ b/apache/Dockerfile 
@@ -216,6 +216,7 @@ RUN set -eux; \ /var/log/ \ /usr/local/apache2/ \ /etc/modsecurity.d \ + /tmp/modsecurity \ /opt/owasp-crs USER httpd diff --git a/apache/Dockerfile-alpine b/apache/Dockerfile-alpine index ce031a5e..b8ac444b 100644 --- a/apache/Dockerfile-alpine +++ b/apache/Dockerfile-alpine @@ -220,6 +220,7 @@ RUN set -eux; \ /var/log/ \ /usr/local/apache2/ \ /etc/modsecurity.d \ + /tmp/modsecurity \ /opt/owasp-crs USER httpd From ac7882ab1e855d06912dc4b773f47dff9d1b10df Mon Sep 17 00:00:00 2001 From: Jean-Kevin KPADEY Date: Sun, 9 Jun 2024 08:06:51 +0200 Subject: [PATCH 6/6] Remove `chown` setting `www-data` owner of `/tmp/modsecurity` --- apache/Dockerfile | 1 - apache/Dockerfile-alpine | 1 - 2 files changed, 2 deletions(-) diff --git a/apache/Dockerfile b/apache/Dockerfile index 93854e84..d37ed8ac 100644 --- a/apache/Dockerfile +++ b/apache/Dockerfile @@ -186,7 +186,6 @@ RUN set -eux; \ mkdir -p /tmp/modsecurity/data; \ mkdir -p /tmp/modsecurity/upload; \ mkdir -p /tmp/modsecurity/tmp; \ - chown -R $(awk '/^User/ { print $2;}' /usr/local/apache2/conf/httpd.conf) /tmp/modsecurity; \ mkdir -p /var/log/apache2/; \ ln -s /opt/owasp-crs /etc/modsecurity.d/; \ sed -i -E 's|(Listen) [0-9]+|\1 ${PORT}|' /usr/local/apache2/conf/httpd.conf; \ diff --git a/apache/Dockerfile-alpine b/apache/Dockerfile-alpine index b8ac444b..22c2daf4 100644 --- a/apache/Dockerfile-alpine +++ b/apache/Dockerfile-alpine @@ -215,7 +215,6 @@ RUN set -eux; \ mkdir -p /tmp/modsecurity/data; \ mkdir -p /tmp/modsecurity/upload; \ mkdir -p /tmp/modsecurity/tmp; \ - chown -R $(awk '/^User/ { print $2;}' /usr/local/apache2/conf/httpd.conf) /tmp/modsecurity /var/log/apache2; \ chown -R httpd:httpd \ /var/log/ \ /usr/local/apache2/ \