4 * Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be
5 set true if any invalid quoting is found during multipart parsing.
7 * Fixed parsing quoted strings in multipart Content-Disposition headers.
8 Discovered by Stefan Esser.
10 * Cleanup persistence database locking code.
12 * Added warning during configure if libcurl is found linked against
13 gnutls for SSL. The openssl lib is recommended as gnutls has
14 proven to cause issues with mutexes and may crash.
16 * Cleanup some mlogc (over)logging.
18 * Do not log output filter errors in the error log.
20 * Moved output filter to run before other stock filters (mod_deflate,
21 mod_cache, mod_expires, mod_filter) to avoid analyzing modified data
22 in the response. Patch originally submitted by Ivan Ristic.
28 * Cleanup mlogc so that it builds on Windows.
30 * Added more detailed messages to replace "Unknown error" in filters.
32 * Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning
33 auditlog permissions (especially with mpm-itk).
35 * Cleanup SecUploadFileMode implementation.
37 * Cleanup build scripts.
39 * Fixed crash on configuration if SecMarker is used before any rules.
41 * Fixed SecRuleUpdateActionById so that it will work on chain starters.
43 * Cleanup build system for mlogc.
45 * Allow mlogc to periodically flush memory pools.
47 * Using nolog,auditlog will now log the "Message:" line to the auditlog, but
48 nothing to the error log. Prior versions dropped the "Message:" line from
49 both logs. To do this now, just use "nolog" or "nolog,noauditlog".
51 * Forced mlogc to use SSLv3 to avoid some potential auto negotiation
52 issues with some libcurl versions.
54 * Fixed mlogc issue seen on big endian machines where content type
55 could be listed as zero.
57 * Removed extra newline from audit log message line when logging XML errors.
58 This was causing problems parsing audit logs.
60 * Fixed @pm/@pmFromFile case insensitivity.
62 * Truncate long parameters in log message for "Match of ... against ...
65 * Correctly resolve chained rule actions in logs.
67 * Cleanup some code for portability.
69 * AIX does not support hidden visibility with xlc compiler.
71 * Allow specifying EXTRA_CFLAGS during configure to override gcc specific
72 values for non-gcc compilers.
74 * Populate GEO:COUNTRY_NAME and GEO:COUNTRY_CONTINENT as documented.
76 * Handle a newer geo database more gracefully, avoiding a potential crash for
77 new countries that ModSecurity is not yet aware.
79 * Allow checking &GEO "@eq 0" for a failed @geoLookup.
81 * Fixed mlogc global mutex locking issue and added more debugging output.
83 * Cleaned up build dependencies and configure options.
89 * Fixed parsing multipart content with a missing part header name which
90 would crash Apache. Discovered by "Internet Security Auditors"
93 * Added ability to specify the config script directly using --with-apr
96 * Updated copyright year to 2009.
98 * Added macro expansion for append/prepend action.
100 * Fixed race condition in concurrent updates of persistent counters. Updates
103 * Cleaned up build, adding an option for verbose configure output and making
104 the mlogc build more portable.
110 * Fixed PDF XSS issue where a non-GET request for a PDF file would crash the
111 Apache httpd process. Discovered by Steve Grubb at Red Hat.
113 * Removed an invalid "Internal error: Issuing "%s" for unspecified error."
114 message that was logged when denying with nolog/noauditlog set and
115 causing the request to be audited.
121 * Fixed XML DTD/Schema validation which will now fail after request body
122 processing errors, even if the XML parser returns a document tree.
124 * Added ctl:forceRequestBodyVariable=on|off which, when enabled, will force
125 the REQUEST_BODY variable to be set when a request body processor is not set.
126 Previously the REQUEST_BODY target was only populated by the URLENCODED
127 request body processor.
129 * Integrated mlogc source.
131 * Fixed logging the hostname in the error_log which was logging the
132 request hostname instead of the Apache resolved hostname.
134 * Allow for disabling request body limit checks in phase:1.
136 * Added transformations for processing parity for legacy protocols ported
137 to HTTP(S): t:parityEven7bit, t:parityOdd7bit, t:parityZero7bit
139 * Added t:cssDecode transformation to decode CSS escapes.
141 * Now log XML parsing/validation warnings and errors to be in the debug log
142 at levels 3 and 4, respectivly.
148 * Transformation caching has been deprecated, and is now off by default. We
149 now advise against using transformation caching in production.
151 * Fixed two separate transformation caching issues that could cause incorrect
152 content inspection in some circumstances.
154 * Fixed an issue with the transformation cache using too much RAM, potentially
155 crashing Apache with a large number of cache entries. Two new configuration
156 options have been added to allow for a finer control of caching:
158 maxitems: Max number of items to cache (default 1024)
159 incremental: Whether to cache incrementally (default off)
161 * Added an experimental regression testing suite. The regression suite may
162 be executed via "make test-regression", however it is strongly advised
163 to only be executed on a non-production machine as it will startup the
164 Apache web server that ModSecurity is compiled against with various
165 configurations in which it will run tests.
167 * Added a licensing exception so that ModSecurity can be used in a derivative
168 work when that derivative is also under an approved open source license.
170 * Updated mlogc to version 1.4.5 which adds a LockFile directive and fixes an
171 issue in which the configuration file may be deleted.
177 * Fixed an issue where an alert was not logged in the error log
178 unless "auditlog" was used.
180 * Enable the "auditlog" action by default to help prevent a misconfiguration.
181 The new default is now: "phase:2,log,auditlog,pass"
183 * Improve request body processing error messages.
185 * Handle lack of a new line after the final boundary in a multipart request.
186 This fixes the reported WordPress Flash file uploader problem.
188 * Fixed issue with multithreaded servers where concurrent XML processing
189 could crash the web server (at least under Windows).
191 * Fixed blocking in phase 3.
193 * Force modules "mod_rpaf-2.0.c" and "mod_custom_header.c" to run before
194 ModSecurity so that the correct IP is used.
200 * Fixed issue where transformation cache was using the SecDefaultAction
201 value even when t:none was used within a rule.
207 * Fixed issue where the exec action may not be able to execute shell scripts.
209 * Macros are now expanded in expirevar and deprecatevar.
211 * Fixed crash if a persistent variable name was more than 126 characters.
213 * Updated included Core Ruleset to version 1.6.1 which fixes some
214 false negative issues in the migration to using some 2.5 features.
220 * Allow HTTP_* targets as an alias for REQUEST_HEADERS:*.
222 * Make sure temporary filehandles are closed after a transaction.
224 * Make sure the apache include directory is included during build.
230 * Make sure temporary filehandles are closed after a transaction.
236 * Fixed an issue where a match would not occur if transformation caching
239 * Using "severity" in a default action is now just a warning.
241 * Cleaned up the "make test" target to better locate headers/libraries.
243 * Now search /usr/lib64 and /usr/lib32 for lua libs.
245 * No longer treat warnings as errors by default (use --enable-strict-compile).
251 * Updated included Core Ruleset to version 1.6.0 which uses 2.5 features.
253 * Cleaned up and clarified some documentation.
255 * Updated code to be more portable so it builds with MS VC++.
257 * Added unit tests for most operators and transformations.
259 * Fixed crash on startup when ENV is improperly used without a parameter.
261 * Allow macro resolution in setenv action.
263 * The default action is now a minimal "phase:2,log,pass" with no default
264 transformations performed.
266 * Implemented SecUploadFileMode to allow setting the mode for uploaded files.
268 * Implemented "block" action.
270 * Implemented SecRuleUpdateActionById.
272 * Fixed removal of phase 5 rules via SecRuleRemoveBy* directives.
274 * No longer log the query portion of the URI in the error log as
275 it may contain sensitive data.
277 * Build is now 'configure' based: ./configure && make && make install
279 * Added support for Lua scripting in the following ways: SecRuleScript
280 can be used to specify a script to execute as a rule, the exec
281 action processes Lua scripts internally, as does the @inspectFile
282 operator. Refer to the documentation for more details.
284 * Changed how allow works. Used on its own it now allows phases 1-4. Used
285 with parameter "phase" (e.g. SecAction allow:phase) it only affects
286 the current phase. Used with parameter "request" it allows phases
289 * Fixed issue where only the first phase 5 rule would run when the
290 request was intercepted in an earlier phase.
292 * Stricter configuration parsing. Disruptive actions, meta actions and
293 phases are no longer allowed in a chained rule. Disruptive actions,
294 are no longer allowed in a logging phase (phase 5) rule, including
295 inheriting from SecDefaultAction.
297 * More efficient collection persistance.
299 * Fixed t:escapeSeqDecode to better follow ANSI C escapes.
301 * Added t:jsDecode to decode JavScript escape sequences.
303 * Added IS_NEW built-in collection variables.
305 * New audit log part 'K' logs all matching rules.
307 * Implemented SecRequestBodyNoFilesLimit.
309 * Enhance handling of the case where we run out of disk space while
310 writing to audit log entry.
312 * Added SecComponentSignature to allow other components the ability
313 to append to the logged signature.
315 * Added skipAfter:<id> action to allow skipping all rules until a rule
316 with a specified ID is reached. Rule execution then continues after
319 * Added SecMarker <id> directive to allow a fixed target for skipAfter.
321 * Added ctl:ruleRemoveById action to allow rule removal on a match.
323 * Added a @containsWord operator that will match a given string anywhere in
324 the target value, but only on word boundaries.
326 * Added a MATCHED_VAR_NAME variable to store the last matched variable name
327 so that it can be more easily used by rules.
329 * Added a MATCHED_VAR variable to store the last matched variable value
330 so that it can be more easily used by rules.
332 * Fixed expansion of macros when using relative changes with setvar. In
333 addition, added support for expanding macros in the variable name.
335 * Situations where ModSecurity will intercept, generate an error or log
336 a level 1-3 message to the debug log are now marked as 'relevant' and may
337 generate an audit log entry.
339 * Fixed deprecatevar:var=N/S action so that it decrements N every S seconds
340 as documented instead of decrementing by a rate.
342 * Enable ModSecurity to look at partial response bodies. In previous
343 versions, ModSecurity would respond with status code 500 when the
344 response body was too long. Now, if SecResponseBodyLimitAction is
345 set to "ProcessPartial", it will process the part of the response
346 body received up until that point but send the rest without buffering.
348 * ModSecurity will now process phases 3 and 4 even when request processing
349 is interrupted (either by Apache - e.g. by responding with 400, 401
350 or 403, or by ModSecurity itself).
352 * Fixed the base64decode transformation function to not return extra
353 characters at the end.
355 * Return from the output filter with an error in addition to setting
356 up the HTTP error status in the output data.
358 * Used new Apache API calls to get the server version/banner when available.
360 * Added "logdata" meta action to allow logging of raw transaction data.
362 * Added TX_SEVERITY that keeps track of the highest severity
363 for any matched rules so far.
365 * Added ARGS_GET, ARGS_POST, ARGS_GET_NAMES, ARGS_POST_NAMES variables to
366 allow seperation of GET and POST arguments.
368 * Added an Apache define (MODSEC_2.5) so that you can conditionally include
369 directives based on the ModSecurity major/minor versions with IfDefine.
371 * Added MODSEC_BUILD variable that contains the numeric build value based
372 on the ModSecurity version.
374 * Enhanced debug logging by displaying more data on rule execution. All
375 invoked rules are now logged in the debug log at level 5.
377 * Stricter validation for @validateUtf8Encoding.
379 * No longer process Apache internal subrequests.
381 * Fixed warnings on Solaris and/or 64bit builds.
383 * Added @within string comparison operator with support for macro expansion.
385 * Do not trigger "pause" action for internal requests.
387 * Added matching rule filename and line number to audit log.
389 * Added new phrase matching operators, @pm and @pmFromFile. These use
390 an alternate set based matching engine (Aho-Corasick) to perform faster
391 phrase type matches such as black/white lists, spam keywords, etc.
393 * Allow caching transformations per-request/phase so they are not repeated.
395 * Added Solaris and Cygwin to the list of platforms not supporting the hidden
396 visibility attribute.
398 * Fixed decoding full-width unicode in t:urlDecodeUni.
400 * Add SecGeoLookupDB, @geoLookups and GEO collection to support
401 geographical lookups by IP/host.
403 * Do not try to intercept a request after a failed rule. This fixes the
404 issue associated with an "Internal Error: Asked to intercept request
405 but was_intercepted is zero" error message.
407 * Removed extraneous exported symbols.
409 * Merged the PDF XSS protection functionality into ModSecurity.
411 * Exported API for registering custom variables. Example in api directory.
413 * Added experimental support for content injection. Directive
414 SecContentInjection (On|Off) controls whether injection is taking place.
415 Actions "prepend" and "append" inject content when executed. Do note that
416 it is your responsibility to make sure the response is of the appropriate
417 content type (e.g. HTML, plain text, etc).
419 * Added string comparison operators with support for macro expansion:
420 @contains, @streq, @beginsWith and @endsWith.
422 * Enhanced debug log output to log macro expansion, quote values and
423 correctly display values that contained NULs.
425 * Removed support for %0 - %9 capture macros as they were incorrectly
426 expanding url encoded values. Use %{TX.0} - %{TX.9} instead.
428 * Added t:length to transform a value to its character length.
430 * Added t:trimLeft, t:trimRight, t:trim to remove whitespace
431 from a value on the left, right or both.
433 * Added SecAuditLog2 directive to allow redundent concurrent audit log
434 index files. This will allow sending audit data to two consoles, etc.
436 * Removed CGI style HTTP_* variables in favor of REQUEST_HEADERS:Header-Name.
438 * Store filename/line for each rule and display it and the ID (if available)
439 in the debug log when invoking a rule. Thanks to Christian Bockermann
442 * Do not log 'allow' action as intercepted in the debug log.
444 * Fixed some collection variable names not printing with the parameter
445 and/or counting operator in the debug log.
451 * Fixed crash on startup when ENV is improperly used without a parameter.
453 * Allow macro resolution in setenv action.
455 * Implemented SecUploadFileMode to allow setting the mode for uploaded files.
457 * No longer log the query portion of the URI in the error log as
458 it may contain sensitive data.
464 * Updated included Core Ruleset to version 1.5.1.
466 * Phase 5 rules can now be removed via SecRuleRemoveBy* directives.
468 * Fixed issue where only the first phase 5 rule would run when the
469 request was intercepted in an earlier phase.
471 * Fixed configuration parsing so that disruptive actions, meta actions
472 and phases are not allowed in a chained rule (as originally intended).
474 * Fixed t:escapeSeqDecode to better follow ANSI C escapes.
480 * Updated included Core Ruleset to version 1.5 and noted in the docs that
481 XML support is required to use the rules without modification.
483 * Fixed an evasion FP, mistaking a multipart non-boundary for a boundary.
485 * Fixed multiple warnings on Solaris and/or 64bit builds.
487 * Do not process subrequests in phase 2-4, but do hand off the request data.
489 * Fixed a blocking FP in the multipart parser, which affected Safari.
495 * Updated multipart parsing code adding variables to allow checking
496 for various parsing issues (request body abnormalities).
498 * Allow mod_rpaf and mod_extract_forwarded2 to work before ModSecurity.
500 * Quiet some compiler warnings.
502 * Do not block internal ErrorDocument requests after blocking request.
504 * Added ability to compile without an external API (use -DNO_MODSEC_API).
510 * Cleaned up and clarified some documentation.
512 * Update included core rules to latest version (1.4.3).
514 * Enhanced ability to alert/audit failed requests.
516 * Do not trigger "pause" action for internal requests.
518 * Fixed issue with requests that use internal requests. These had the
519 potential to be intercepted incorrectly when other Apache httpd modules
520 that used internal requests were used with mod_security.
522 * Added Solaris and Cygwin to the list of platforms not supporting the hidden
523 visibility attribute.
525 * Fixed decoding full-width unicode in t:urlDecodeUni.
527 * Lessen some overhead of debugging messages and calculations.
529 * Do not try to intercept a request after a failed rule. This fixes the
530 issue associated with an "Internal Error: Asked to intercept request
531 but was_intercepted is zero" error message.
533 * Added SecAuditLog2 directive to allow redundent concurrent audit log
534 index files. This will allow sending audit data to two consoles, etc.
536 * Small performance improvement in memory management for rule execution.
542 * Add the PCRE_DOLLAR_ENDONLY option when compiling regular expression
543 for the @rx operator and variables.
545 * Really set PCRE_DOTALL option when compiling the regular expression
546 for the @rx operator as the docs state.
548 * Fixed potential memory corruption when expanding macros.
550 * Fixed error when a collection was retrieved from storage in the same second
551 as creation by setting the rate to zero.
553 * Fixed ASCIIZ (NUL) parsing for application/x-www-form-urlencoded forms.
555 * Fixed the faulty REQUEST_FILENAME variable, which used to change
556 the internal Apache structures by mistake.
558 * Updates to quiet some compiler warnings.
560 * Fixed some casting issues for compiling on NetWare (patch from Guenter Knauf).
566 * Removed the "Connection reset by peer" message, which has nothing
567 to do with us. Actually the message was downgraded from ERROR to
568 NOTICE so it will still appear in the debug log.
570 * Removed the (harmless) message mentioning LAST_UPDATE_TIME missing.
572 * It was not possible to remove a rule placed in phase 4 using
573 SecRuleRemoveById or SecRuleRemoveByMsg. Fixed.
575 * Fixed a problem with incorrectly setting requestBodyProcessor using
578 * Bundled Core Rules 2.1-1.3.2b4.
580 * Updates to the reference manual.
582 * Reversed the return values of @validateDTD and @validateSchema, to
583 make them consistent with other operators.
585 * Added a few helpful debug messages in the XML validation area.
587 * Updates to the reference manual.
589 * Fixed the validateByteRange operator.
591 * Default value for the status action is now 403 (as it was supposed to
592 be but it was effectively 500).
594 * Rule exceptions (removing using an ID range or an regular expression)
595 is now applied to the current context too. (Previously it only worked
596 on rules that are inherited from the parent context.)
598 * Fix of a bug with expired variables.
600 * Fixed regular expression variable selectors for many collections.
602 * Performance improvements - up to two times for real-life work loads!
604 * Memory consumption improvements (not measured but significant).
606 * The allow action did not work in phases 3 and 4. Fixed.
608 * Unlocked collections GLOBAL and RESOURCE.
610 * Added support for variable expansion in the msg action.
612 * New feature: It is now possible to make relative changes to the
613 audit log parts with the ctl action. For example: "ctl:auditLogParts=+E".
615 * New feature: "tag" action. To be used for event categorisation.
617 * XML parser was not reporting errors that occured at the end
620 * Files were not extracted from request if SecUploadKeepFiles was
623 * Regular expressions that are too long are truncated to 256
624 characters before used in error messages. (In order to keep
625 the error messages in the log at a reasonable size.)
627 * Fixed the sha1 transformation function.
629 * Fixed the skip action.
631 * Fixed REQUEST_PROTOCOL, REMOTE_USER, and AUTH_TYPE.
633 * SecRuleEngine did not work in child configuration contexts
636 * Fixed base64Decode and base64Encode.
642 * Fixed the "deprecatevar" action.
644 * Decreasing variable values did not work.
646 * Made "nolog" do what it is supposed to do - cause a rule match to
647 not be logged. Also "nolog" now implies "noauditlog" but it's
648 possible to follow "nolog" with "auditlog" and have the match
649 not logged to the error log but logged to the auditlog. (Not
650 something that strikes me as useful but it's possible.)
652 * Relative paths given to SecDataDir will now be treated as relative
653 to the Apache server root.
655 * Added checks to make sure only correct actions are specified in
656 SecDefaultAction (some actions are required, some don't make any
657 sense) and in rules that are not chain starters (same). This should
658 make the unhelpful "Internal Error: Failed to add rule to the ruleset"
661 * Fixed the problem when "SecRuleInheritance Off" is used in a context
662 with no rules defined.
664 * Fixed a problem of lost input (request body) data on some redirections,
665 for example when mod_rewrite is used.
671 * Fixed a memory leak (all platforms) and a concurrency control
672 problem that could cause a crash (multithreaded platforms only).
674 * Fixed a SecAuditLogRelevantStatus problem, which would not work
675 properly unless the regular expression contained a subexpression.
681 * Fixed incorrect permissions on the global mutex, which prevented
682 the mutex from working properly.
684 * Fixed incorrect actionset merging where the status was copied from
685 the child actionset even though it was not defined.
687 * Fixed missing metadata information (in the logs) for warnings.
693 * Rules that used operator negation did not work. Fixed.
695 * Fixed bug that prevented invalid regular expressions from being reported.
701 * First stable 2.x release.
projects / libapache-mod-security.git / blob