forked from owasp-modsecurity/ModSecurity
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CHANGES
1877 lines (1235 loc) · 73.6 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
DD MMM YYYY - 2.9.2 - To be released
------------------------------------
* nginx: Obtain port from r->connection->local_sockaddr.
[Commit 51314 - @defanator]
* Updates libinjection to v3.10.0
[Issue #1412 - @client9, @zimmerle and @bjdijk]
* Avoid log flood while using SecConnEngine
[Issue #1436 - @victorhora]
* Make url path absolute for SecHashEngine only when it is relative
in the first place.
[Issue #752, #1071 - @hideaki]
* Fix the hex digit size for SHA1 on msc_crypt implementation.
[Issue #1354 - @zimmerle and @parthasarathi204]
* Avoid to flush xml buffer while assembling the injected html.
[Issue #742 - @zimmerle]
* Avoid additional operator invokation if last transform of a multimatch
doesn't modify the input
[Issue #1086, #1087 - Daniel Stelter-Gliese]
* Adds a sanity check before use ctl:ruleRemoveTargetByTag.
[Issue #1353 - @LukeP21 and @zimmerle]
* Uses an optional global lock while manipulating collections.
[Issues #1224 - @mturk and @zimmerle]
* Fix collection naming problem while merging collections.
[Issue #1274 - Coty Sutherland and @zimmerle]
* Fix --enable-docs adding missing Makefile, modifying autoconf and filenames
[Issue #1322 - @victorhora]
* Change from using rand() to thread-safe ap_random_pick.
[Issue #1289 - Robert Bost]
* Cosmetics: added comments on odd looking code to prevent future
scrutiny
[Issue #1279 - Coty Sutherland]
* {dis|en}able-server-context-logging: Option to disable logging of
server info (log producer, sanitized objects, ...) in audit log.
[Issue #1069 - Marc Stern]
* Allow drop to work with mod_http2
[Issue #1308, #992 - @bazzadp]
* Fix SecConn(Read|Write)StateLimit on Apache 2.4
[Issue #1340, #1337, #786 - Sander Hoentjen]
* {dis|en}able-stopwatch-logging: Option to disable logging of stopwatches
in audit log.
[Issue #1067 - Marc Stern]
* {dis|en}able-dechunk-logging: Option to disable logging of
dechunking in audit log when log level < 9.
* Updates libinjection to: da027ab52f9cf14401dd92e34e6683d183bdb3b4
[ModSecurity team]
* {dis|en}able-handler-logging: Option to disable logging of Apache handler
in audit log
[Issue #1070, #1381 - Marc Stern]
* {dis|en}able-collection-delete-problem-logging: Option to disable logging of
collection delete problem in audit log when log level < 9.
[Issue #1380 - Marc Stern]
* Adds rule id in logs whenever a rule fail.
[Issue #1379, #391 - Marc Stern]
* {dis|en}able-server-logging: Option to disable logging of
"Server" in audit log when log level < 9.
[Issue #1070 - Marc Stern]
* {dis|en}able-filename-logging: Option to disable logging of filename
in audit log.
[Issue #1065 - Marc Stern]
* Reads fuzzy hash databases on init
[Issue #1339 - Robert Paprocki and @Rendername]
* Changes the configuration to recognize soap+xml as XML
[Issue #1374 - @emphazer and Chaim Sanders]
* Fix building with nginx >= 1.11.11
[Issue #1373, #1359 - Andrei Belov and Thomas Deutschmann]
* Using Czechia instea of Czech Republic
[Issue #1258 - Michael Kjeldsen]
* {dis|en}able-rule-id-validation: Option to disable rule id validation
[Issue #1150 - Marc Stern and ModSecurity team]
* JSON Log: Append a newline to concurrent JSON audit logs
[Issue #1233 - Robert Paprocki]
* JSON Log: Don't unnecessarily rename request body parts in cleanup
[Issue #1223 - Robert Paprocki]
* Fix error message inside audit logs
[Issue #1216 and #1073 - Armin Abfalterer]
* Remove port from IPV4 address when running under IIS.
[Issue #1220, #1109 and #734 - Robert Culyer]
* Remove logdata and msg fields from JSON audit log rule.
[Issue #1190 and #1174 - Robert Paprocki]
* Better handle the json parser cleanup
[Issue #1204 - Ephraim Vider]
* Fix status failing to report in Nginx auditlogs
[Issue #977, #1171 - @charlymps and Chaim Sanders]
* Fix file upload JSON audit log entry
[Issue #1181 and #1173 - Robert Paprocki and Christian Folini]
* configure: Fix detection whether libcurl is linked against gnutls and,
move verbose_output declaration up to the beginning.
[Issue #1158 - Thomas Deutschmann (@Whissi)]
* Treat APR_INCOMPLETE as APR_EOF while receiving the request body.
[Issue #1060, #334 - Alexey Sintsov]
09 Mar 2016 - 2.9.1
-------------------
* No changes.
03 Feb 2016 - 2.9.1-RC1
-----------------------
* Added support to generate audit logs in JSON format.
[Issue #914, #897, #656 - Robert Paprocki]
* Creating AuditLog serial file (or parallel index) respecting the
permission configured with SecAuditLogFileMode. Previously, it was
used only to save the transactions while in parallel mode.
[Issue #852 - @littlecho and ModSecurity team]
* Checking for hashing injection response, to report in case of failure.
[Issue #1041 - ModSecurity team]
* Stop buffering when the request is larger than SecRequestBodyLimit
in ProcessPartial mode
[Issue #709, #705, #728 - Justin Gerace and ModSecurity team]
* Extended Lua support to include version 5.3
[Issue #837, #762, #814 - Athmane Madjoudj and ModSecurity team]
* mlogc: Allows user to choose between TLS versions (TLSProtocol option
introduced).
[Issue #881 - Ishwor Gurung]
* Allows mod_proxy's "nocanon" behavior to be specified in proxy actions
[Issue #1031, #961, #763 - Mario D. Santana and ModSecurity team]
* Refactoring conditional #if/#defs directives.
[Issue #996 - Wesley M and ModSecurity team]
* mlogc-batch-load.pl.in: fix searching SecAuditLogStorageDir
files with Apache 2.4
[Issue #775 - Elia Pinto]
* Understands IIS 10 as compatible on Windows installer.
[Issue #931 - Anton Serbulov, Pavel Vasilevich and ModSecurity team]
* Fix apache logging limitation by using correct Apache call.
[Issue #840 - Christian Folini]
* Fix apr_crypto.h check on 32-bit Linux platform
[Issue #882, #883 - Kurt Newman]
* Fix variable resolution duration (Content of the DURATION variable).
[Issue #662 - Andrew Elble]
* Fix crash while adding empty keys to persistent collections.
[Issue #927 - Eugene Alekseev, Marc Stern and ModSecurity team]
* Remove misguided call to srand()
[Issues #778, #781 and #836 - Michael Bunk, @gilperon]
* Fix compilation problem while ssdeep is installed in non-standard
location.
[Issue #872 - Kurt Newman]
* Fix invalid storage reference by apr_psprintf at msc_crypt.c
[Issue #609 - Jeff Trawick]
12 Feb 2015 - 2.9.0
-------------------
* Fix apr_crypto.h include, now checking if apr_crypto.h is available by
checking the definition WITH_APU_CRYPTO.
[martinjina and ModSecurity team]
15 Dez 2014 - 2.9.0-RC2
-----------------------
* OpenSSL dependency was removed on MS Windows builds. ModSecurity is now using
the Windows certificate storage.
[Gregg Smith, Steffen and ModSecurity team]
* Informs about external resources loaded/failed while reloading Apache.
[ModSecurity team]
* Adds missing 'ModSecurity:' prefix in some warnings messages.
[Walter Hop and ModSecurity team]
* Refactoring external resources download warn messages. Holding the message
to be displayed when Apache is ready to write on the error_log.
[ModSecurity team]
* Remote resources loading process is now failing in case of HTTP error.
[Walter Hop and ModSecurity team]
* Fixed start up crash on Apache with mod_ssl configured. Crash was happening
during the download of remote resources.
[Christian Folini, Walter Hop and ModSecurity team]
* Curl is not a mandatory dependency to ModSecurity core anymore.
[Rainer Jung and ModSecurity team]
18 Nov 2014 - 2.9.0-RC1
-----------------------
* `pmFromFile' and `ipMatchFromFile' operators are now accepting HTTPS served
files as parameter.
* `SecRemoteRules' directive - allows you to specify a HTTPS served file that
may contain rules in the SecRule format to be loaded into your ModSecurity
instance.
* `SecRemoteRulesFailAction' directive - allows you to control whenever the
user wants to Abort or just Warn when there is a problem while downloading
rules specified with the directive: `SecRemoteRules'.
* `fuzzyHash' operator - allows to match contents using fuzzy hashes.
* `FILES_TMP_CONTENT' collection - make available the content of uploaded
files.
* InsecureNoCheckCert - option to validate or not a chain of SSL certificates
on mlogc connections.
* ModSecurityIIS: ModSecurity event ID was changed from 0 to 0x1.
[Issue #676 - Kris Kater and ModSecurity team]
* Fixed signature on "status call": ModSecurity is now using the original
server signature.
[Issues #702 - Linas and ModSecurity team]
* YAJL version is printed while ModSecurity initialization.
[Issue #703 - Steffen (Apache Lounge) and Mauro Faccenda]
* Fixed subnet representation using slash notation on the @ipMatch operator.
[Issue #706 - Walter Hop and ModSecurity team]
* Limited the length of a status call.
[Issue #714 - 'cpanelkurt' and ModSecurity team]
* Added the missing -P option to nginx regression tests.
[Issue #720 - Paul Yang]
* Fixed automake scripts to do not use features which will be deprecated in
the upcoming releases of automake.
[Issue #760 - ModSecurity team]
* apr-utils's LDFALGS is now considered while building ModSecurity.
[Issue #782 - Daniel J. Luke]
* IIS installer is not considering IIS 6 as compatible anymore.
[Issue #790 - ModSecurity team]
* Fixed yajl build script: now looking for the correct header file.
[Issue #804 - 'rpfilomeno' and ModSecurity team]
* mlgoc is now forced to use TLS 1.x.
[Issue #806 - Josh Amishav-Zlatin and ModSecurity team]
14 Apr 2014 - 2.8.0
-------------------
Bug fix
* Build issue: Now using autotools to idenfiy if sys/utsname.h is present.
* Change configure.ac version to 2.8
31 Mar 2014 - 2.8.0-RC1
-----------------------
New features
* JSON Parser is no longer under tests. Now it is part of our mainline;
* Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) now support white and suspicious list;
* New variables: FULL_REQUEST and FULL_REQUEST_LENGTH were added, allowing the rules to access the full content of a request;
* ModSecurity status is now part of our mainline;
* New operator: @detectXSS was added. It makes usage of the newest libinjection XSS detection functionality;
* Append and prepend are now supported on nginx (Ref: #635);
* SecServerSignature is now available on nginx (Ref: #637).
Improvements
* Regression tests are not able to expect different values according to the platform;
* Visual C++ 12/10 runtime dependencies are now part of the IIS installer, no need to have it installed prior ModSecurity installation (Ref: #627);
* New script was added to the IIS versions to identify whenever there is a missing dependency (available through the Application Menu);
* Memory usage improvement: using correct memory pools according to the context (Ref: #618, #620, #619);
* Independent API call to free the connection allocations, independently from the request objects, improvements on Nginx performance, vide issue for more information (Ref: #620, #648);
* IIS installer is now using the correct 32/64bits folders to install;
* IIS Installer 32bits now refuses to install on 64bits environments;
* IIS: Using new WiX options to build the package in the correct architecture;
* While installing IIS version the installer will remove old ModSecurityIIS configuration or files before proceed with the installation, avoiding further errors;
* CRS from IIS version was upgraded to 2.2.9;
* IIS installer does not support repair anymore, in fact it was not working already and it is now disabled;
* ModSecurity now warns the user who tries to use "proxy" in IIS or Nginx. Proxy is Apache only;
* Remove warnings from the build process (Ref: #617);
* Apache configuration in regression tests was changed making it more platform independent;
* Reduced the amount of warnings during the compilation (Ref: #385a2828e87897bd611bd2a519727ef88dc6d632, #1e63e49db4a592d28e08a33fc60750c37a3886fe);
* Regression tests were refactored to be more Nginx friendly;
* Fixed some regression tests that were not being flexible to handle multiple platforms: (Ref #636)
- Fixed config/00-load-modsec.t test case. Now it expects for Nginx loaded message as it does for Apache. (Ref: #643);
- Fixed mixed/10-misc-directives.t. Now it does not expect for SecServerSignature on the logs, just in the headers as the Nginx does in silence.
- Fixed tnf/10-tfn-cache.t, action/10-logging.t, config/10-misc-directives.t, config/10-request-directives.t, misc/00-multipart-parser.t , misc/10-tfn-cache.t, rule/20-exceptions.t, rule/00-basics.t, rule/10-xml.t;
- Increased the timeout while reading the auditlog;
- SecAuditLogType Concurrent was removed from the regression test case, not compatible with all ports yet;
- Regression tests were speeded up, as the number of tests are growing it is impossible to have it slow;
- Fixed regression tests scripts paths, to make it MacOS friendly;
- Avoiding dead locks on Nginx regression tests by enforcing a timeout whenever a request appears to fail;
* Updates to fix errors found by Parfait static code analysis (Ref: #612);
* Cleaning up on the repository, by removing unused files;
* IIS installer now supports to perform the installation without register the DLL on the system. It means that the user can download our MSI installer as it was a tarball archive (Ref #629, #624);
* IIS now support 32bits and 64bits pools, both are registered on IIS (Ref #628).
Bug fix
* Correctly handling inet_pton in IIS version;
* Nginx was missing a terminator while the charset string was mounted (Ref: #148);
* Added mod_extract_forwarded.c to run before mod_security2.c (Ref: #594);
* Added missing environment variables to regression tests;
* Build system is now more flexible by looking at liblua at: /usr/local/lib;
* Fixed typo in README file.
* Removed the non standard compliant HTTP response status code 44 from modsecurity recommended file (Ref: #665);
* Fixed segmentation fault if it fails to write on the audit log (Ref: #668);
* Not rejecting a larger request with ProcessPartial. Regression tests were also added (Ref: #597);
* Fixed UF8 to unicode conversion. Regression tests were also added(Ref: #672);
* Avoiding segmentation fault by checking if a structure is null before access its members;
* Removed double charset-header that used happen due a hardcoded charset in Nginx implementation (Ref: #650);
* Now alerting the users that there is no memory to proceed loading the configuration instead of just die;
* If SecRuleEngine is set to Off and SecRequestBodyAccess On Nginx returns error 500. Standalone is now capable to identify whenever ModSecurity is enabled or disabled, independently of ModSecurity core (Ref: #645);
* Fixed missing headers on Nginx whenever SecResponseBodyAccess was set to On and happens to be a filter on phase equals or over 3. (Ref #634);
* IIS is now picking the correct version of AppCmd while uninstalling or installing ModSecurityISS. (Ref #632).
17 Dec 2013 - 2.7.7
-------------------
Fixes:
- Changed release version to 2.7.7
- Got the configure scripts inside the release tarball
16 Dec 2013 - 2.7.6
-------------------
Improvements:
- Organizes all Makefile.am - 1cde4d2dd9d96747536c1c25d06ba0677069477f
Now using one file per line (sorted). This is the better way to handle it, since it reduces the possibility of merge conflicts.
- nginx: generates config file using configure input. - 351b9cc357d439e30ebd61d89a9e38ecf55c6827
The nginx config file was looking for depedencies by its own, by doing that it was ignoring the options that were passed to configure script. This commit deletes this config file and adds a meta-config which is populated by configure whenever the standalone-module is enabled.
- nginx: adds lua support - da16d9e5d51d4ef8734687514a4e1368e7fb4284
- iis: Cosmetics fixies on sqli. - 5046c8327ea21c69b4c0d0c0057c692b05b09fef
This is needed to get it compiled with VS2011 on Windows8
- Regression tests: makes configuration compatible with 2.2 and 2.4 (try 2) - ae252ee8767069363906e5a611dff487b799b839
- nginx: Trying apxs and apxs2 while compiling nginx module - 65d9272fdc353e1263567b60604542d377d19672
- nginx: Trying apxs and apxs2 while compiling nginx module - 35fd75d859e4a8873b8843da1db13e04a1b08140
- macos: Using glibtoolize instead of libtoolize - 751a9f4e45213cd69f00c62c71edc9d7ad99b82d
- regression-tests: makes configuration compatible with 2.2 and 2.4 - 6fc4cac37ab1be8d1232140042b58fe4bd93ee17
- Regression test: get it working with apache 2.4 - e9813cd0d9bfc5b0c9aa5832634ec1b39b805108
Changes in httpd.conf.in to get it working with apache 2.4
- Code cosmetics. - 7366f35c1d80772d739b35da8faa972f92a72b97
Changed to reduce the number of possible fails during Build Bot compilation.
- iis: Waiting for 5 seconds before move curl directory - 9bf2959c919587ebc63f5a1b8c0785da8927bff5
Testing buildbot.
- Redefines unixd_set_global_mutex_perms on tests - f70f6f4281b806627e0cf0dbb9c84ae5864bdb16
Avoding conflicts with the standalone implementation
- Adds verbose quality check - 388943440cc9b8c6fdea09f5e365a2e5a3e792e2
Vera++ and ccpcheck are not outputing to the stderr instead stdout allowing the buildbot to extract some numbers about it.
- Adds support for coding style and quality check - b77e90152d119609ac78a7028383c3b79898b2cf
Initial effort to get the code on shape. This will be executed by the buildbots as soon as they get ready for it.
- iis: New improvements on the Wix installer - 2ea5a74a7bfb00f21312e51e48aa6dac03d84600
* Now the installation is divided in modules: ModSecurity and CRS.
* Added default configuration
* Configuration was moved to "Program Files" folder
* Build_msi script now using candle available in %PATH%
- iis: Removes the installer helper dependency - 1a12648c9f6028f251af0f03c889397c7954b74c
Now using appcmd directly with WiX instead of calling the installer helper.
- iis: Remove readme.html - 550d5aae21cba696cac1ce75ab8113e5255d5a59
This HTML is about "Creating a Native Module for IIS7" not straight related to ModSecurity itself.
- iis: Adds batch script to compile Wix - a2c5fc831baf0b324ebb66b0f878dacf1ec2f808
This batch script can be used to generate our msi installer.
- iis: Adds Wix installer resources - 3604763e15a665eb7a6ecae1f7e7c65cebbb1d17
This is all about cosmetic changes.
- iss: Removes Post-Build event. - 28bbde1bb218b004654cb865fc8563d69b848dc2
There was a copy on Post-Build event using a hard coded path. This patch removes this Post-Build event.
- iis: Relative paths on the VS project file - 368617ddb2443f9b6036f80a648d467d07c9a054
There are a ModSecurityIIS solution and project files, those were using hard coded paths to meet the dependencies. As consequence of the last update in our build scripts, now we are able to built the dependencies and load it to our Visual Studio project using relative paths.
- iis: Adds release script - 9477118903861ce80c4c27cb581bf3462315e98e
- iis: fixies the Installer.cpp coding style - 79875b1af8e8571098345b91557bab9c06eb7c88
- iis: Removes AppWizard remade file - 91738f93bcc82b6ab756c550a66b6cf6af2fa9f8
Apparently the AppWizard was used to generate part of this Installer, the ReadMe.txt created by the AppWizard was removed by this commit
- iss: Removes pre-compiled headers - adfbeb85dcfa9466b72eebb8d1bd8eb7728bab79
No need to use the pre-compiled headers in InstallerHelper, removing it, in order to keep the project lean.
- iis: Moves installer to InstallerHelper - 6adf25667dd4bfa33010bd6d8ae3d35046a69967
To organize the folder the Installer application was renamed to installer helper. It is not the real installer, it is just an helper which is executed during the installation phase.
- iss: Removes fart dependencies - 8c3b8d81b613aaa38f28472af1eb26c90c7fc9da
This commit removes the dependency of the fart.exe utility. The utility was responsible to rename contents inside some dependencies build files. Those modifications are not longer needed.
- iss: Better err handling in build scripts. - 192599bf63b6ae5aa08e4536a90d5d0a17f969f7
Now checking for errors in every step of the build phase
- iis: Moves build_module.bat to build_modsecurity.bat - e25c6b2e85ced7beba4d41867dbdf30e9c1286d3
The build_modsecurity.bat is now on the iis sub-directory, not in the dependencies anymore. Its content was also changed fixing all the paths.
- iis: Identifies arch before unzip apache - cf5de78dfb9fffd21edf17af9e1db8f2fd83c804
Currently we need the Apache binary which could be used in 32 or 64 bits. This patch makes usage of 'cl' to identify which architecture is set.
- iis: Renamves winbuild to dependencies - 1447766e816a896e88c9c8f053fcc3f62797bac1
Since the directory becomes all about dependencies there is no need to call it winbuild anymore.
- iis: Removes unnecessary files from winbuild dir - 9f8cbf6ed8034ba42aa4967699308df09864fd18
Those .mak files seems to be part of an old build system. Since the script are now working fine, this commit removes all those .mac files and also a CMakeList.txt and the Makefile.win.
- iis: Improves the iis build system - b277e538f28c87c81c1b50925dd8b82996b88294
Now checking for common errors while building. Refactoring on the build scripts, now there is this build_dependencies.bat script on the iis sub-folder. By calling this script all the dependencies should be build under the winbuild/. This commit also removes build scripts that were not needed anymore.
- iis: Fixes the vcxproj file - a946a163f0ad822c760af80ca32dda61f0e6b2a9
Versions of the dependencies were changed, as long as the version of the Visual Studio, now 12.
- iis: Removes unecessary files from the build system - 26738d2e34bcc7620047bd23180e0e26a64c71ee
The following files were removed:
* VCVarsQueryRegistry.bat
* vcvars64.bat
* vsvars32.bat
The visual studio files can be called direcltly, not necessary to distribute those files, at least in VS12.
- iss: Changes httpd version 2.4.6 - 0a772cb0748aa51a01800e0473309b9de792b456
Apache version was changed to 2.4.6 to sync with the current apache lounge version.
- iis: Changes the version of the dependencies - 3e6fb41d36b7a5e98a55d8f52b88b29d1bd50b64
* pcre from 8.30 to 8.33
* zlib from 1.2.7 to 1.2.8
* libxml2 from 2.7.7 to 2.9.1
* curl from 7.24 to 7.33.0
- Removes standalone/Makefile.in - e3c19d53d23c48fea337aae76a87b2a85c36a1f1
Makefile.in is recommended to be in the repository whenever it is edit manually, in our case the automatically generated Makefile.in is ok.
Bug Fixes:
- test: Avoids conflict of fuctions definition - cef72855e4106ce29e1d39103ebf9eb9ab28f17e
- test: Makes the unit tests to work again - cc982ae42ec86c79a67be1a01c6ee35fb06c272c
The unit tests was not working due to lack update. This patch adds the necessary stuff to have it work again.
- iis: Avoids directory link while building - ad330a44bfa39430cf6340cb52971568cccdf1d6
Build scripts was creating links allowing the project to be loaded into Visual Studio without care about the dependencies versions. Sometimes windows refuse to delete those links leading the script to fail. This patch moves the sources directories instead of create links to it.
- QA: Avoids the utilization of 3rd filedescriptor - 69c5ccac662f4e11a6eefd54a3e912583c067b9d
No need to use a 3rd description on the quality check scripts. Stderr is now redirected to stdout and filtered as needed.
- Supports WarningCountingShellCommand in cppcheck and vera - baaf502363e68c3240b60adb7f7c91f5b4f0ba03
WarningCountingShellCommand allow us to have some measurements on the buildbot waterfall.
- iis: Using base_rules instead of activated_rules - 7b1537058fa451e0df7098cd907ef19f04102f9d
- iis: Fix inet_pton build problem - a4202146b8d26b6615bbab986383fe0afae60d77
There is a function named inet_pton on windows API, with different signature. This patch just override the windows function and point the inet_pton to our implementation.
- iis: Adds Wix installer xml file.c - b32cb7d9ab397160f0154aa4bd4e9638658b41e6
This commit adds the Wix template to our git repository.
- iis: build_modsecurity.bat fixies - 7e03e3f840375ed682c35a5bb67932461cc77013
This commit enable a cleanup on the mod_security build directory avoiding symbols with different architectures.
- iis: Fix mlogc build on windows - 9b7663fa79377a0685130a019916d810f31e7478
The libcurl path was not pointing to the correct directory
- Fix #154, Uses addn instead of apr_table_setn - 1734221d9d3a78f9aafd68e35717da9ee1a4fe51
The headers are represented in the format of an apr_table, which is able to handle elements with the same key, however the function apr_table_setn checks if the key exists before add the element, if so it replaces the old value with the new one. This was making our implementation to just keep the last added Cookie. The apr_table_addn function, which is now used, just add a new item without check for olders one.
- Merge pull request #579 from zimmerle/revert_139 - 61e54f2067ae760808359926ff91d57275df1aac
Revert merge request #139
- Revert "Merge pull request #139 from chaizhenhua/remotes/trunk" - 7f7d00fa2c364716691df1b45779304b24a0debb
This reverts commit 10fd40fb0d06f6c577d870b6f15d2f6e2a3a5b1b, reversing changes made to 414033aafa94cd50c9b310afd3f164740caccc94.
- Merge pull request #578 from client9/remotes/trunk - b0c3977845f60747b15ae10531b7d20355a22627
libinjection sync to v3.8.0
- libinjection sync - a5f175d79fac1e69124da4e1e227b622e7e233d7
- Merge pull request #152 from client9/remotes/trunk - 88ebf8a0bdbc4db1be76f3a2e70df77cc52a5925
Sync to libinjection v3.7.1
- libinjection sync - fcb6dc13ed6efb066fb9b70405eecab8b83a2d96
- libinjection sync - f52242a013f301ca5c17e59b662124833cb7cc6d
- Merge pull request #148 from zimmerle/bugfix_charset_missing_string_terminator - b76e26d81ddafc2b99bffad53d1426f8fd33080a
Bugfix: missing string terminator while mounting the charset (nginx)
- Bugfix: missing string terminator while mounting the charset (nginx) - ff19dcd5c53d4af61d0a9397d4616f47f80ee207
The charset in headers is mounted using ngx_snprintf which does not place the string terminator. This patch adds the terminator at the end of the string. The size was correctly allocated, just missing the terminator.
- Merge pull request #141 from client9/remotes/trunk - 9a630eea23a7ead4e77617c86dc937fd7a421a57
libinjection sync to v3.6.0
- libinjection sync - 11217207e8f2e0cf15742273836399866971071a
- Merge pull request #139 from chaizhenhua/remotes/trunk - 10fd40fb0d06f6c577d870b6f15d2f6e2a3a5b1b
Fixed fd leackage after reload
- Merge pull request #138 from client9/remotes/trunk - 414033aafa94cd50c9b310afd3f164740caccc94
libinjection sync
- Fixed fd leackage after reload - e0993fcd7a166ce9e1a279a47d050af1311d9001
- libinjection sync - 2268626c20260e88cab9b7830f8a06101fa7172a
- Fix logical disjunction and conjunction issues - 7e0a9ecf7d492e85650671a0cfcfd53e5f15df2c
Security Issues:
- Fix Chunked string case sensitive issue - CVE-2013-5705 - f8d441cd25172fdfe5b613442fedfc0da3cc333d
(Thanks Martin Holst Swende - @mhswende)
- Revert "Fix Chuncked string case sensitive issue" - 3901128f17e0763ac1a260106b79859d2aad6d90
This reverts commit 16a815a3c2735f62238ef99af26090a2b8430d3d.
- Fix Chuncked string case sensitive issue - 16a815a3c2735f62238ef99af26090a2b8430d3d
23 Jul 2013 - 2.7.5
-------------------
Improvements:
* SecUnicodeCodePage is deprecated. SecUnicodeMapFile now accepts the code page as a second parameter.
* Updated Libinjection to version 3.4.1. Many improvements were made.
* Severity action now supports strings (emergency, alert, critical, error, warning, notice, info, debug).
Bug Fixes:
* Fixed utf8toUnicode tfn null byte conversion.
* Fixed NGINX crash when issue reload command.
* Fixed flush output buffer before inject modified hashed response body.
* Fixed url normalization for Hash Engine.
* Fixed NGINX ap_unixd_set_global_perms_mutex compilation error with apache 2.4 devel files.
Security Issues:
10 May 2013 - 2.7.4
-------------------
Improvements:
* Added Libinjection project http://www.client9.com/projects/libinjection/ as a new operator @detectSQLi. (Thanks Nick Galbreath).
* Added new variable SDBM_DELETE_ERROR that will be set to 1 when sdbm engine fails to delete entries.
* NGINX is now set to STABLE. Thanks chaizhenhua and all the people in community who help the project testing, sending feedback and patches.
Bug Fixes:
* Fixed SecRulePerfTime storing unnecessary rules performance times.
* Fixed Possible SDBM deadlock condition.
* Fixed Possible @rsub memory leak.
* Fixed REMOTE_ADDR content will receive the client ip address when mod_remoteip.c is present.
* Fixed NGINX Audit engine in Concurrent mode was overwriting existing alert files because a issue with UNIQUE_ID.
* Fixed CPU 100% issue in NGINX port. This is also related to an memory leak when loading response body.
Security Issues:
* Fixed Remote Null Pointer DeReference (CVE-2013-2765). When forceRequestBodyVariable action is triggered and a unknown Content-Type is used,
mod_security will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL. (Thanks Younes JAAIDI).
28 Mar 2013 - 2.7.3
-------------------
* Fixed IIS version race condition when module is initialized.
* Fixed IIS version failing config commands in libapr.
* Nginx version is now RC quality. The rule engine should works for all phases.
We fixed many issues and missing features (for more information please check jira).
Code is running well with latest Nginx 1.2.7 stable.
Thanks chaizhenhua for your help.
* Added MULTIPART_NAME and MULTIPART_FILENAME. Should be used soon by CRS
and will help prevent attacks using multipart data.
* Added --enable-htaccess-config configure option. It will allow the follow directives
to be used into .htaccess files when AllowOverride Options is set:
- SecAction
- SecRule
- SecRuleRemoveByMsg
- SecRuleRemoveByTag
- SecRuleRemoveById
- SecRuleUpdateActionById
- SecRuleUpdateTargetById
- SecRuleUpdateTargetByTag
- SecRuleUpdateTargetByMsg
* Improvements in the ID duplicate code checking. Should be faster now.
* SECURITY: Added SecXmlExternalEntity (On|Off - default it Off) that will disable
by default the external entity load task executed by LibXml2. This is a security issue
[CVE-2013-1915] reported by Timur Yunusov, Alexey Osipov (Positive Technologies).
21 Jan 2013 - 2.7.2
-------------------
* IIS version is now stable.
* Fixed IIS version does not pass through POST data to ASP.NET when SecRequestBodyAccess
is set to On (MODSEC-372).
* Fixed IIS version HTTP Request Smuggling protection does not work (MODSEC-344).
* Fixed IIS version PHP Injection Attack (958976) protection does not work (MODSEC-346).
* Fixed IIS version Request limit protections are not working (MODSEC-349).
* Fixed IIS version Outbound protections are not working (MODSEC-350).
* Added IIS version better installer.
* NGINX version removed ModSecurityPassCommand (Thanks chaizhenhua).
* Fixed NGINX version ngx_http_read_client_request_body returned unexpected buffer type (Thanks chaizhenhua).
* Fixed NGINX version INCS config directories on fedora (Thanks chaizhenhua).
* Added NGINX version Added drop action for nginx (Thanks chaizhenhua).
* Fixed bug in cpf_verify operator (Thanks Hideaki Hayashi).
* Fixed build modsecurity under Arch Linux.
* Fixed make test crashing when JIT pcre is enabled.
* Fixed better cookie separator detection code.
* Fixed mod_security displaying wrong ip address in error.log using apache 2.4 and mod_remoteip.
* Fixed mod_security was not compiling when use apr without ipv6 support.
* Fixed mod_security was not compiling when use lua 5.2.
* Fixed issue when execute make install under Solaris.
* Fixed ipmatchf operator was not working as expected.
01 Nov 2012 - 2.7.1
-------------------
* Changed "Encryption" name of directives and options related to hmac feature to "Hash".
SecEncryptionEngine to SecHashEngine
SecEncryptionKey to SecHashKey
SecEncryptionParam to SecHashParam
SecEncryptionMethodRx to SecHashMethodRx
SecEncryptionMethodPm to SecHashMethodPm
@validateEncryption to @validateHash
ctl:EncryptionEnforcement to ctl:HashEnforcement
ctl:EncryptionEngine to ctl:HashEngine
* Added a better random bytes generator using apr_generate_random_bytes() to create
the HMAC key.
* Fixed byte conversion issue during logging under Linux s390x platform.
* Fixed compilation bug with LibXML2 2.9.0 (Thanks Athmane Madjoudj).
* Fixed parsing error with modsecurity-recommended.conf and Apache 2.4.
* Fixed DROP action was disabled for Apache 2 module by mistake.
* Fixed bug when use ctl:ruleRemoveTargetByTag.
* Fixed IIS and NGINX modules bugs.
* Fixed bug when @strmatch patterns use invalid escape sequence (Thanks Hideaki Hayashi).
* Fixed bugs in @verifySSN (Thanks Hideaki Hayashi).
* The doc/ directory now contains the instructions to access online documentation.
15 Oct 2012 - 2.7.0
-------------------
* Fixed Pause action should work as a disruptive action (MODSEC-297).
* Fixed Problem loading mod_env variables in phase 2 (MODSEC-226).
* Fixed Detect cookie v0 separator and use it for parsing (MODSEC-261).
* Fixed Variable REMOTE_ADDR with wrong IP address in NGINX version (MODSEC-337).
* Fixed Errors compiling NGINX version.
* Added Include directive into standalone module. IIS and NGINX module should
support Include directive like Apache2.
* Added MULTIPART_INVALID_PART flag. Also used in rule id 200002 for multipart strict
validation. https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20121017-0_mod_security_ruleset_bypass.txt).
* Updated Reference Manual.
25 Sep 2012 - 2.6.8
-------------------
* Fixed ctl:ruleRemoveTargetByID order issue (MODSEC-333). Thanks to Armadillo Dasypodidae.
* Fixed variable HIGHEST_SEVERITY incorrectly gets reset in a chain rule (MODSEC-315). Thanks to Valery Reznic.
10 Sep 2012 - 2.7.0-rc3
-------------------
* Fixed requests bigger than SecRequestBodyNoFilesLimit were truncated even engine mode was detection only.
* Fixed double close() for multipart temporary files (Thanks Seema Deepak).
* Fixed many small issues reported by Coverity Scanner (Thanks Peter Vrabek).
* Fixed format string issue in ngnix experimental code. (Thanks Eldar Zaitov).
* Added ctl:ruleRemoveTargetByTag/Msg and removed ctl:ruleUpdateTargetByTag/Msg.
* Added IIS and Ngnix platform code.
* Added new transformation utf8toUnicode.
23 Jul 2012 - 2.6.7
-------------------
* Fixed explicit target replacement using SecUpdateTargetById was broken.
* The ctl:ruleUpdateTargetById is deprecated and will be removed for future versions since
there is no safe way to use it per-request.
* Added ctl:ruleRemoveTargetById that can be used to exclude targets to be processed per-request.
22 Jun 2012 - 2.7.0-rc2
-------------------
* Fixed compilation errors and warnings under Windows platform.
* Fixed SecEncryptionKey was not working as expected.
08 Jun 2012 - 2.7.0-rc1
-------------------
* Added SecEncryptionEngine. Initial crypt engine support, at the momment it will sign some Html
and Response Header options.
* Added SecEncryptionKey to define the a rand or static key for crypt engine.
* Added SecEncryptionParam to define the new parameter name.
* Added SecEncryptionMethodRx used with a regular expression to inspect the html in response
body/header and decide what to protect.
* Added SecEncryptionMethodPm used with multiple or single strings to inspect the html in response
body/header and decide what to protect.
* Added ctl encryptionEngine as a per transaction version of SecEncryptionEgine diretive.
* Added ctl encryptionEnforcement that will allow the engine to sign the data but the enforcement is
disabled.
* Added validateEncryption operator to enforce the signed elements.
* Added rsub operator supports the syntax |hex| allowing users to use special chars like \n \r.
* Added SecRuleUpdateTargetById now supports id range.
* Added SecRuleUpdateTargetByMsg and its ctl version (Thanks Scott Gifford).
* Added SecRuleUpdateTargetByTag and its ctl version (Thanks Scott Gifford).
* Added SecRulePerfTime when greater than zero it will fill rule id's execution time into PERF_RULE
and log id=usec information in the new Perf-rule-info: line in part H.
* Added PERF_RULES variable that contains rule execution time.
* Added Engine-mode: section in part H.
* Added ruleRemoveByMsg ctl version.
* Added removeCommentsChar and removeComments now can work with <!-- --> style.
* Added SecArgumentSeparator and SecCookieFormat can be used in different scope locations.
* Added Rules must have ID action and must be numeric.
* Added The use of tfns are deprecated in SecDefaultAction. Should be forbid in the future.
* Added Macro expansion support to the action pause.
* Added IpmatchFromFile/IpmatchF operator.
* Added New setrsc action, the RESOURCE collection used SecWebAppId Name Space
* Added Configure option --enable-cache-lua that allows reuse of Lua VM per transaction.
It will only take any effect when ModSecurity has multiple scripts to run per transaction.
* Added Configure option --enable-pcre-jit that allows ModSecurity regex engine to use PCRE Jit support.
* Added Configure option --enable-request-early that allows ModSecurity run phase 1 in post_read_request hook.
* Added RBL operator now support the httpBl api (http://www.projecthoneypot.org/httpbl_api.php).
* Added SecHttpBlKey to be used with httpBl api.
* Added SecSensorId will specify the modsecurity sensor name into audit log part H.
* Added aliases to phase:2 (phase:request), phase:4 (phase:response) and phase:5 (phase:logging).
* Added USERAGENT_IP variable. Created when Apache24 is used with mod_remoteip to know the real
client ip address.
^ Added new rule metadata actions ver, maturity and accuracy. Also included into RULE collection.
* Updated Reference manual into doc/ directory.
* Fixed Variable DURATION contains the elapsed time in microseconds for compatible reasons with apache and
other variables.
* Fixed Preserve names/identity of the variables going into MATCHED_VARS.
* Fixed Redirect macro expansion does not work in SecDefaultAction when SecRule uses block action.
* Fixed rsub operator does not work as expect if regex contains parentheses (Thanks Jerome Freilinger).
* Current Google Safe Browsing implementation is deprecated. Google changed the API and does not allow
anymore the malware database for download.
08 Jun 2012 - 2.6.6
-------------------
* Added build system support for KfreeBSD and HURD.
* Fixed a multipart bypass issue related to quote parsing
Credits to Qualys Vulnerability & Malware Research Labs (VMRL).
20 Mar 2012 - 2.6.5
-------------------
* Fixed increased a specific message debug level in SBDM code (MODSEC-293).
* Cleanup build system.
09 Mar 2012 - 2.6.4
-------------------
* Fixed Mlogc 100% CPU consume (Thanks Klaubert Herr and Ebrahim Khalilzadeh).
* Fixed ModSecurity cannot load session and user sdbm data.
* Fixed updateTargetById was creating rule unparsed content making apache memory grow.
* Code cleanup.
23 Feb 2012 - 2.6.4-rc1
-------------------
* Fixed @rsub adding garbage data into stream variables.
* Fixed regex for section A into mlogc-batch-load.pl (Thanks Ebrahim Khalilzadeh).
* Fixed logdata cuts message without closing it with final chars.
* Added sanitizeMatchedBytes support to verifyCPF, verifyCC and verifySSN.
06 Dec 2011 - 2.6.3-rc1
-------------------
* Fixed MATCHED_VARS does not correctly handle multiple VARS with the same name.
* Fixed SDBM garbage collection was not working as expected, increasing the size of files.
* Fixed wrong timestamp calculation for some time zones in log files.
* Fixed SecUpdateTargetById failed to load multiple VARS (MODSEC-270).
* Fixed Reverted hexDecode for hexEncode compatibility reason.
* Added SecCollectionTimeout to set collection timeout, default is 3600.
* Added sqlHexDecode transformation to decode sql hex data. Thanks Marc Stern.
30 Sep 2011 - 2.6.2
-------------------
* Fixed hexDecode test during make.
* Updated the reference manual into doc/ directory.
5 Sep 2011 - 2.6.2-rc1
-------------------
* Added support to macro expansion for rx operator.
* Added new transformations removeComments and removeCommentsChars
* Fixed colletion names are not case-sensitive anymore.
* Fixed compilation errors with apache 2.0.
* Fixed build system was not using some libraries CFLAGS.
* Fixed check for valid hex values into hexDecode transformation.
* Fixed ctl:ruleUpdateTargetById appending multiple targets.
18 Jun 2011 - 2.6.1
-------------------
* Updated the reference manual into doc/ directory.
11 Jul 2011 - trunk
-------------------
* Add HttpBl support to rbl operator.
30 Jun 2011 - 2.6.1-rc1
-------------------
* Fixed SecUploadFileMode doesn't work with the new build system.
* Fixed building with Lua library (Thanks Diego Elio).
* Fixed some ./configure --enable* features not being enabled in compilation time.
* Improvements on GSB database add/search operations.
* Log part K was removed from modsecurity.conf-recommended.
* Added SecUnicodeMapFile directive. Must be use to load the unicode.mapping file.
* Added SecUnicodeCodePage directive. Used to define the unicode code page. There are a few already available:
1250 (ANSI - Central Europe)
1251 (ANSI - Cyrillic)
1252 (ANSI - Latin I)
1253 (ANSI - Greek)
1254 (ANSI - Turkish)
1255 (ANSI - Hebrew)
1256 (ANSI - Arabic)
1257 (ANSI - Baltic)
1258 (ANSI/OEM - Viet Nam)
20127 (US-ASCII)
20261 (T.61)
20866 (Russian - KOI8)
28591 (ISO 8859-1 Latin I)
28592 (ISO 8859-2 Central Europe)
28605 (ISO 8859-15 Latin 9)
37 (IBM EBCDIC - U.S./Canada)
437 (OEM - United States)
500 (IBM EBCDIC - International)
850 (OEM - Multilingual Latin I)
860 (OEM - Portuguese)
861 (OEM - Icelandic)
863 (OEM - Canadian French)
865 (OEM - Nordic)
874 (ANSI/OEM - Thai)
932 (ANSI/OEM - Japanese Shift-JIS)
936 (ANSI/OEM - Simplified Chinese GBK)
949 (ANSI/OEM - Korean)
950 (ANSI/OEM - Traditional Chinese Big5)
Also mapping some extra unicode chars defined at http://tools.ietf.org/html/rfc3490#section-3.1
* Fixed SecRequestBodyLimit was truncating the real request body.
18 May 2011 - 2.6.0
-------------------
* Added SecWriteStateLimit for Slow Post DoS mitigation.
* Fix problem when buffering in input filter.
* Fix memory leak when use MATCHED_VAR_NAMES.
2 May 2011 - 2.6.0-rc2
-------------------
* Added code optimizations - thanks Diego Elio.
* Added support to AIX and HPUX in the build system (untested).
* Renamed decodeBase64Ext to base64DecodeExt.
* Build system improvements - thanks Diego Elio.
* Improvements on gsblookup parser.
* Fixed input filter bug when upload files and SecStreamInBodyInspect is enabled.
* Logging improvements and bug fix.
* Remove extra useless files when make clean and maintainer-clean
18 Apr 2011 - 2.6.0-rc1
-------------------
* Replaced previous GPLv2 License to Apachev2.
* Added Google Safe Browsing lookups operator and directive. It should be
used to extract and lookup urls from http packets.
* Added Data Modification operator. It must be used with STREAM_* variables
to replace/add/edit any data from http bodies.
* Added STREAM_OUPUT_BODY and STREAM_INPUT_BODY variables to work with data
modification operators.