ModSecurity/CHANGES

25 Sep 2012 - 2.6.8
-------------------

  * Fixed ctl:ruleRemoveTargetByID order issue (MODSEC-333). Thanks to Armadillo Dasypodidae.

  * Fixed variable HIGHEST_SEVERITY incorrectly gets reset in a chain rule (MODSEC-315). Thanks to Valery Reznic.

10 Sep 2012 - 2.7.0-rc3
-------------------

 * Fixed requests bigger than SecRequestBodyNoFilesLimit were truncated even engine mode was detection only.

 * Fixed double close() for multipart temporary files (Thanks Seema Deepak).

 * Fixed many small issues reported by Coverity Scanner (Thanks Peter Vrabek).

 * Fixed format string issue in ngnix experimental code. (Thanks Eldar Zaitov).

 * Added ctl:ruleRemoveTargetByTag/Msg and removed ctl:ruleUpdateTargetByTag/Msg.

 * Added IIS and Ngnix platform code.

 * Added new transformation utf8toUnicode.

23 Jul 2012 - 2.6.7
-------------------

 * Fixed explicit target replacement using SecUpdateTargetById was broken.

 * The ctl:ruleUpdateTargetById is deprecated and will be removed for future versions since
   there is no safe way to use it per-request.

 * Added ctl:ruleRemoveTargetById that can be used to exclude targets to be processed per-request.

22 Jun 2012 - 2.7.0-rc2
-------------------

 * Fixed compilation errors and warnings under Windows platform.

 * Fixed SecEncryptionKey was not working as expected.

08 Jun 2012 - 2.7.0-rc1
-------------------

 * Added SecEncryptionEngine. Initial crypt engine support, at the momment it will sign some Html
   and Response Header options.

 * Added SecEncryptionKey to define the a rand or static key for crypt engine.

 * Added SecEncryptionParam to define the new parameter name.

 * Added SecEncryptionMethodRx used with a regular expression to inspect the html in response
   body/header and decide what to protect.

 * Added SecEncryptionMethodPm used with multiple or single strings to inspect the html in response
   body/header and decide what to protect.

 * Added ctl encryptionEngine as a per transaction version of SecEncryptionEgine diretive.

 * Added ctl encryptionEnforcement that will allow the engine to sign the data but the enforcement is
   disabled.

 * Added validateEncryption operator to enforce the signed elements.

 * Added rsub operator supports the syntax |hex| allowing users to use special chars like \n \r.

 * Added SecRuleUpdateTargetById now supports id range.

 * Added SecRuleUpdateTargetByMsg and its ctl version (Thanks Scott Gifford).

 * Added SecRuleUpdateTargetByTag and its ctl version (Thanks Scott Gifford).

 * Added SecRulePerfTime when greater than zero it will fill rule id's execution time into PERF_RULE
   and log id=usec information in the new Perf-rule-info: line in part H.

 * Added PERF_RULES variable that contains rule execution time.

 * Added Engine-mode: section in part H.

 * Added ruleRemoveByMsg ctl version.

 * Added removeCommentsChar and removeComments now can work with <!-- --> style.

 * Added SecArgumentSeparator and SecCookieFormat can be used in different scope locations.

 * Added Rules must have ID action and must be numeric.

 * Added The use of tfns are deprecated in SecDefaultAction. Should be forbid in the future.

 * Added Macro expansion support to the action pause.

 * Added IpmatchFromFile/IpmatchF operator.

 * Added New setrsc action, the RESOURCE collection used SecWebAppId Name Space

 * Added Configure option --enable-cache-lua that allows reuse of Lua VM per transaction.
   It will only take any effect when ModSecurity has multiple scripts to run per transaction.

 * Added Configure option --enable-pcre-jit that allows ModSecurity regex engine to use PCRE Jit support.

 * Added Configure option --enable-request-early that allows ModSecurity run phase 1 in post_read_request hook.

 * Added RBL operator now support the httpBl api (http://www.projecthoneypot.org/httpbl_api.php).

 * Added SecHttpBlKey to be used with httpBl api.

 * Added SecSensorId will specify the modsecurity sensor name into audit log part H.

 * Added aliases to phase:2 (phase:request), phase:4 (phase:response) and phase:5 (phase:logging).

 * Added USERAGENT_IP variable. Created when Apache24 is used with mod_remoteip to know the real
   client ip address.

 ^ Added new rule metadata actions ver, maturity and accuracy. Also included into RULE collection.

 * Updated Reference manual into doc/ directory.

 * Fixed Variable DURATION contains the elapsed time in microseconds for compatible reasons with apache and
   other variables.

 * Fixed Preserve names/identity of the variables going into MATCHED_VARS.

 * Fixed Redirect macro expansion does not work in SecDefaultAction when SecRule uses block action.

 * Fixed rsub operator does not work as expect if regex contains parentheses (Thanks Jerome Freilinger).

 * Current Google Safe Browsing implementation is deprecated. Google changed the API and does not allow
   anymore the malware database for download.

08 Jun 2012 - 2.6.6
-------------------

 * Added build system support for KfreeBSD and HURD.

 * Fixed a multipart bypass issue related to quote parsing
   Credits to  Qualys Vulnerability & Malware Research Labs (VMRL).

20 Mar 2012 - 2.6.5
-------------------

 * Fixed increased a specific message debug level in SBDM code (MODSEC-293).

 * Cleanup build system.

09 Mar 2012 - 2.6.4
-------------------

 * Fixed Mlogc 100% CPU consume (Thanks Klaubert Herr and Ebrahim Khalilzadeh).

 * Fixed ModSecurity cannot load session and user sdbm data.

 * Fixed updateTargetById was creating rule unparsed content making apache memory grow.

 * Code cleanup.

23 Feb 2012 - 2.6.4-rc1
-------------------

 * Fixed @rsub adding garbage data into stream variables.

 * Fixed regex for section A into mlogc-batch-load.pl (Thanks Ebrahim Khalilzadeh).

 * Fixed logdata cuts message without closing it with final chars.

 * Added sanitizeMatchedBytes support to verifyCPF, verifyCC and verifySSN.


06 Dec 2011 - 2.6.3-rc1
-------------------

* Fixed MATCHED_VARS does not correctly handle multiple VARS with the same name.

* Fixed SDBM garbage collection was not working as expected, increasing the size of files.

* Fixed wrong timestamp calculation for some time zones in log files.

* Fixed SecUpdateTargetById failed to load multiple VARS (MODSEC-270).

* Fixed Reverted hexDecode for hexEncode compatibility reason.

* Added SecCollectionTimeout to set collection timeout, default is 3600.

* Added sqlHexDecode transformation to decode sql hex data. Thanks Marc Stern.

30 Sep 2011 - 2.6.2
-------------------

 * Fixed hexDecode test during make.

 * Updated the reference manual into doc/ directory.

5 Sep 2011 - 2.6.2-rc1
-------------------

 * Added support to macro expansion for rx operator.

 * Added new transformations removeComments and removeCommentsChars

 * Fixed colletion names are not case-sensitive anymore.

 * Fixed compilation errors with apache 2.0.

 * Fixed build system was not using some libraries CFLAGS.

 * Fixed check for valid hex values into hexDecode transformation.

 * Fixed ctl:ruleUpdateTargetById appending multiple targets.

18 Jun 2011 - 2.6.1
-------------------

 * Updated the reference manual into doc/ directory.

11 Jul 2011 - trunk
-------------------

 * Add HttpBl support to rbl operator.

30 Jun 2011 - 2.6.1-rc1
-------------------

 * Fixed SecUploadFileMode doesn't work with the new build system.

 * Fixed building with Lua library (Thanks Diego Elio).

 * Fixed some ./configure --enable* features not being enabled in compilation time.

 * Improvements on GSB database add/search operations.

 * Log part K was removed from modsecurity.conf-recommended.

 * Added SecUnicodeMapFile directive. Must be use to load the unicode.mapping file.

 * Added SecUnicodeCodePage directive. Used to define the unicode code page. There are a few already available:

    1250  (ANSI - Central Europe)
    1251  (ANSI - Cyrillic)
    1252  (ANSI - Latin I)
    1253  (ANSI - Greek)
    1254  (ANSI - Turkish)
    1255  (ANSI - Hebrew)
    1256  (ANSI - Arabic)
    1257  (ANSI - Baltic)
    1258  (ANSI/OEM - Viet Nam)
    20127 (US-ASCII)
    20261 (T.61)
    20866 (Russian - KOI8)
    28591 (ISO 8859-1 Latin I)
    28592 (ISO 8859-2 Central Europe)
    28605 (ISO 8859-15 Latin 9)
    37    (IBM EBCDIC - U.S./Canada)
    437   (OEM - United States)
    500   (IBM EBCDIC - International)
    850   (OEM - Multilingual Latin I)
    860   (OEM - Portuguese)
    861   (OEM - Icelandic)
    863   (OEM - Canadian French)
    865   (OEM - Nordic)
    874   (ANSI/OEM - Thai)
    932   (ANSI/OEM - Japanese Shift-JIS)
    936   (ANSI/OEM - Simplified Chinese GBK)
    949   (ANSI/OEM - Korean)
    950   (ANSI/OEM - Traditional Chinese Big5)

    Also mapping some extra unicode chars defined at http://tools.ietf.org/html/rfc3490#section-3.1

 * Fixed SecRequestBodyLimit was truncating the real request body.

18 May 2011 - 2.6.0
-------------------

 * Added SecWriteStateLimit for Slow Post DoS mitigation.

 * Fix problem when buffering in input filter.

 * Fix memory leak when use MATCHED_VAR_NAMES.


2 May 2011 - 2.6.0-rc2
-------------------

 * Added code optimizations - thanks Diego Elio.

 * Added support to AIX and HPUX in the build system (untested).

 * Renamed decodeBase64Ext to base64DecodeExt.

 * Build system improvements - thanks Diego Elio.

 * Improvements on gsblookup parser.

 * Fixed input filter bug when upload files and SecStreamInBodyInspect is enabled.

 * Logging improvements and bug fix.

 * Remove extra useless files when make clean and maintainer-clean

18 Apr 2011 - 2.6.0-rc1
-------------------

 * Replaced previous GPLv2 License to Apachev2.

 * Added Google Safe Browsing lookups operator and directive. It should be
   used to extract and lookup urls from http packets.

 * Added Data Modification operator. It must be used with STREAM_* variables
   to replace/add/edit any data from http bodies.

 * Added STREAM_OUPUT_BODY and STREAM_INPUT_BODY variables to work with data
   modification operators.

 * Added fast ip address operator. It supports partial ip address, cidr for
   IPv4 and IPv6. Thanks Tom Donovan.

 * Added new sensitive data tracking verifyCPF and verifySSN.

 * Added MATCHED_VARS and MATCHED_VARS_NAMES. It is similiar to MATCHED_VAR,
   but now we should see all matched variables.

 * Added UNIQUE_ID variable. It holds the data created my mod_unique_id.

 * Added new tranformation cmdline. Thanks Marc Stern.

 * Added new exception handling operators and directives. It should help users
   reduce FN and FPs. The directives SecRuleUpdateTargetById, SecRuleRemoveByTag
   and its ctl actions were included.

 * Added SecStreamOutBodyInspection and SecStreamInBodyInspection to enable STREAM_*
   variables.

 * Added SecGsbLookupDB used to load Google Safe Browsing malware databse into
   memory.

 * Added the directive SecInterceptOnError to control what to do if a rule returns
   values less than zero.

 * Improvements in DetectionOnly engine mode. Also added SecRequestBodyLimitAction
   to control what to do if the engine receive a http request over a hard limit.
   Note that there is now many combinations with SecRuleEngine and the limit action
   directives for response and request data. Please see the reference manual.

 * Improvements under RBL operator. It now will parse return code values for some
   RBL lists.

 * Added new Log Part J. It should log some informations about uploaded files.

 * Added new sanitizeMatchedBytes action. It will give more flexibilty for user to sanitize
   logged data, also improving peformance when sanitize big amount of data.

 * Improvements on Logging phase. It is possible now see full chains, distinguish between
   simple rules, chain starters and chain nodes.

 * Improvements on AutoTools usage.

 * Improvements on pattern matching operators, pmf, pm and strmatch now supports more flexible
   input data allowing any kind of special char.

 * Improvements on SecRuleUpdateActionById to update chain nodes.

 * Many bugs were fixed. Please see the ModSecurity Jira for more details


19 Mar 2010 - trunk
-------------------

 * Added SecDisableBackendCompression, which disabled backend compression
   while keeping the frontend compression enabled (assuming mod_deflate
   in installed and configured in the proxy). [Ivan Ristic]

 * Added REQUEST_BODY_LENGTH, which contains the number of request body
   bytes read. [Ivan Ristic]

 * Integrate with mod_log_config using the %{VARNAME}M format string.
   (MODSEC-108) [Ivan Ristic]

 * Replaced the previous time-measuring mechanism with a new one, which
   provides the following information: request time, request duration,
   phase duration (for all 5 phases), time spent dealing with persistent
   storage, and time spent on audit logging. The new information is now
   available in the Stopwatch2 audit log header. The Stopwatch header
   remains for backward compatiblity, although it now only includes
   the request time and request duration values. Added the following
   variables: PERF_COMBINED, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3,
   PERF_PHASE4, PERF_PHASE5, PERF_SREAD, PERF_SWRITE, PERF_LOGGING,
   PERF_GC. [Ivan Ristic]

 * Added DURATION, which contains the time ellapsed since the beginning
   of the current transaction, in milliseconds. [Ivan Ristic]

 * Adjusted phase 5 to execute just prior to mod_log_config. This should
   allow phase 5 rules to to implement conditional logging, as well as
   pave support for allowing access to all ModSecurity variables from
   mog_log_config. [Ivan Ristic]

 * Added the URLENCODED_ERROR flag, which is raised whenever invalid URL
   encoding is encountered in the query string or in the request body
   (but only if URLENCODED request body processor is used). (MODSEC-111)
   [Ivan Ristic]

 * Removed the obsolete PDF UXSS functionality. (MODSEC-96) [Ivan Ristic]

 * Renamed normalisePath to normalizePath and normalisePathWin to
   normalizePathWin. Kept the previous names for backward compatibility.
   (MODSEC-103) [Ivan Ristic]

 * Moved phase 1 to be run in the same Apache hook as phase 2. This means
   that you can now have phase 1 rules in <Location> tags and, more
   importantly, override server configuration in <Location> and others.
   (MODSEC-98) [Ivan Ristic]

 * Renamed the sanitise family of actions to sanitize. Kept the old variants
   for backward compatibility. (MODSEC-95) [Ivan Ristic]

 * Improve the logging of the ctl action. (MODSEC-99) [Ivan Ristic]

 * Cleanup build files that were from the Apache source.


14 Feb 2010 - 2.5.13-dev1
-------------------------

 * Cleaned up some mlogc code and debugging output.

 * Remove the ability to use a relative path to a piped audit logger
   (i.e. mlogc) as Apache does not support it in their piped loggers
   and it was breaking Windows and probably other platforms that
   use spaces in filesystem paths.  Discovered by Tom Donovan.

 * Fix memory leak freeing regex.  Discovered by Tom Donovan.

 * Fix some portability issues on Windows.


04 Feb 2010 - 2.5.12
--------------------

 * Fixed SecUploadFileMode to set the correct mode.

 * Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.

 * Added additional file info definitions introduced in APR 0.9.5 so that
   build will work with older APRs (IBM HTTP Server v6).

 * Added SecUploadFileLimit to limit the number of uploaded file parts that
   will be processed in a multipart POST.  The default is 100.

 * Fixed path normalization to better handle backreferences that extend
   above root directories.  Reported by Sogeti/ESEC R&D.

 * Trim whitespace around phrases used with @pmFromFile and allow
   for both LF and CRLF terminated lines.

 * Allow for more robust parsing for multipart header folding.  Reported
   by Sogeti/ESEC R&D.

 * Fixed failure to match internally set TX variables with regex
   (TX:/.../) syntax.
 
 * Fixed failure to log full internal TX variable names and populate
   MATCHED_VAR* vars.

 * Enabled PCRE "studying" by default.  This is now a configure-time option.

 * Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to
   aide in REDoS type attacks.  A rule that goes over the limits will set
   TX:MSC_PCRE_LIMITS_EXCEEDED.  It is intended that the next major release
   of ModSecurity (2.6.x) will move these flags to a dedicated collection.

 * Reduced default PCRE match limits reducing impact of REDoS on poorly
   written regex rules.  Reported by Sogeti/ESEC R&D.

 * Fixed memory leak in v1 cookie parser.  Reported by Sogeti/ESEC R&D.

 * Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)

 * Update copyright to 2010.

 * Reserved 700,000-799,999 IDs for Ivan Ristic.

 * Fixed SecAction not working when CONNECT request method is used
   (MODSEC-110). [Ivan Ristic]

 * Do not escape quotes in macro resolution and only escape NUL in setenv
   values.


04 Nov 2009 - 2.5.11
--------------------

 * Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be
   set true if any invalid quoting is found during multipart parsing.

 * Fixed parsing quoted strings in multipart Content-Disposition headers.
   Discovered by Stefan Esser.

 * Cleanup persistence database locking code.

 * Added warning during configure if libcurl is found linked against
   gnutls for SSL.  The openssl lib is recommended as gnutls has
   proven to cause issues with mutexes and may crash.

 * Cleanup some mlogc (over)logging.

 * Do not log output filter errors in the error log.

 * Moved output filter to run before other stock filters (mod_deflate,
   mod_cache, mod_expires, mod_filter) to avoid analyzing modified data
   in the response. Patch originally submitted by Ivan Ristic.


18 Sep 2009 - 2.5.10
--------------------

 * Cleanup mlogc so that it builds on Windows.

 * Added more detailed messages to replace "Unknown error" in filters.

 * Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning
   auditlog permissions (especially with mpm-itk).

 * Cleanup SecUploadFileMode implementation.

 * Cleanup build scripts.

 * Fixed crash on configuration if SecMarker is used before any rules.

 * Fixed SecRuleUpdateActionById so that it will work on chain starters.

 * Cleanup build system for mlogc.

 * Allow mlogc to periodically flush memory pools.

 * Using nolog,auditlog will now log the "Message:" line to the auditlog, but
   nothing to the error log.  Prior versions dropped the "Message:" line from
   both logs.  To do this now, just use "nolog" or "nolog,noauditlog".

 * Forced mlogc to use SSLv3 to avoid some potential auto negotiation
   issues with some libcurl versions.

 * Fixed mlogc issue seen on big endian machines where content type
   could be listed as zero.

 * Removed extra newline from audit log message line when logging XML errors.
   This was causing problems parsing audit logs.

 * Fixed @pm/@pmFromFile case insensitivity.

 * Truncate long parameters in log message for "Match of ... against ...
   required" messages.

 * Correctly resolve chained rule actions in logs.

 * Cleanup some code for portability.

 * AIX does not support hidden visibility with xlc compiler.

 * Allow specifying EXTRA_CFLAGS during configure to override gcc specific
   values for non-gcc compilers.

 * Populate GEO:COUNTRY_NAME and GEO:COUNTRY_CONTINENT as documented.

 * Handle a newer geo database more gracefully, avoiding a potential crash for
   new countries that ModSecurity is not yet aware.

 * Allow checking &GEO "@eq 0" for a failed @geoLookup.

 * Fixed mlogc global mutex locking issue and added more debugging output.

 * Cleaned up build dependencies and configure options.


05 Mar 2009 - 2.5.9
-------------------

 * Fixed parsing multipart content with a missing part header name which
   would crash Apache.  Discovered by "Internet Security Auditors"
   (isecauditors.com).

 * Added ability to specify the config script directly using --with-apr
   and --with-apu.

 * Updated copyright year to 2009.

 * Added macro expansion for append/prepend action.

 * Fixed race condition in concurrent updates of persistent counters.  Updates
   are now atomic.

 * Cleaned up build, adding an option for verbose configure output and making
   the mlogc build more portable.

 
21 Nov 2008 - 2.5.8
-------------------

 * Fixed PDF XSS issue where a non-GET request for a PDF file would crash the
   Apache httpd process.  Discovered by Steve Grubb at Red Hat.

 * Removed an invalid "Internal error: Issuing "%s" for unspecified error."
   message that was logged when denying with nolog/noauditlog set and
   causing the request to be audited.
 
  
24 Sep 2008 - 2.5.7
-------------------

 * Fixed XML DTD/Schema validation which will now fail after request body
   processing errors, even if the XML parser returns a document tree.

 * Added ctl:forceRequestBodyVariable=on|off which, when enabled, will force
   the REQUEST_BODY variable to be set when a request body processor is not set.
   Previously the REQUEST_BODY target was only populated by the URLENCODED
   request body processor.

 * Integrated mlogc source.

 * Fixed logging the hostname in the error_log which was logging the
   request hostname instead of the Apache resolved hostname.

 * Allow for disabling request body limit checks in phase:1.

 * Added transformations for processing parity for legacy protocols ported
   to HTTP(S): t:parityEven7bit, t:parityOdd7bit, t:parityZero7bit

 * Added t:cssDecode transformation to decode CSS escapes.

 * Now log XML parsing/validation warnings and errors to be in the debug log
   at levels 3 and 4, respectivly.


31 Jul 2008 - 2.5.6
-------------------
  
 * Transformation caching has been deprecated, and is now off by default. We
   now advise against using transformation caching in production.
   
 * Fixed two separate transformation caching issues that could cause incorrect
   content inspection in some circumstances.
   
 * Fixed an issue with the transformation cache using too much RAM, potentially
   crashing Apache with a large number of cache entries. Two new configuration
   options have been added to allow for a finer control of caching:
   
     maxitems: Max number of items to cache (default 1024)
     incremental: Whether to cache incrementally (default off)

 * Added an experimental regression testing suite. The regression suite may
   be executed via "make test-regression", however it is strongly advised 
   to only be executed on a non-production machine as it will startup the
   Apache web server that ModSecurity is compiled against with various
   configurations in which it will run tests.

 * Added a licensing exception so that ModSecurity can be used in a derivative
   work when that derivative is also under an approved open source license.

 * Updated mlogc to version 1.4.5 which adds a LockFile directive and fixes an
   issue in which the configuration file may be deleted.


05 Jun 2008 - 2.5.5
-------------------

 * Fixed an issue where an alert was not logged in the error log
   unless "auditlog" was used.

 * Enable the "auditlog" action by default to help prevent a misconfiguration.
   The new default is now: "phase:2,log,auditlog,pass"

 * Improve request body processing error messages.

 * Handle lack of a new line after the final boundary in a multipart request.
   This fixes the reported WordPress Flash file uploader problem.

 * Fixed issue with multithreaded servers where concurrent XML processing
   could crash the web server (at least under Windows).

 * Fixed blocking in phase 3.

 * Force modules "mod_rpaf-2.0.c" and "mod_custom_header.c" to run before
   ModSecurity so that the correct IP is used.


07 May 2008 - 2.5.4
-------------------

 * Fixed issue where transformation cache was using the SecDefaultAction
   value even when t:none was used within a rule.


24 Apr 2008 - 2.5.3
-------------------

 * Fixed issue where the exec action may not be able to execute shell scripts.

 * Macros are now expanded in expirevar and deprecatevar.

 * Fixed crash if a persistent variable name was more than 126 characters.

 * Updated included Core Ruleset to version 1.6.1 which fixes some
   false negative issues in the migration to using some 2.5 features.


02 Apr 2008 - 2.5.2
-------------------

 * Allow HTTP_* targets as an alias for REQUEST_HEADERS:*.

 * Make sure temporary filehandles are closed after a transaction.

 * Make sure the apache include directory is included during build.


02 Apr 2008 - 2.1.7
-------------------

 * Make sure temporary filehandles are closed after a transaction.


14 Mar 2008 - 2.5.1
-------------------

 * Fixed an issue where a match would not occur if transformation caching
   was enabled.

 * Using "severity" in a default action is now just a warning.

 * Cleaned up the "make test" target to better locate headers/libraries.

 * Now search /usr/lib64 and /usr/lib32 for lua libs.

 * No longer treat warnings as errors by default (use --enable-strict-compile).


19 Feb 2008 - 2.5.0
-------------------

 * Updated included Core Ruleset to version 1.6.0 which uses 2.5 features.

 * Cleaned up and clarified some documentation.

 * Updated code to be more portable so it builds with MS VC++.

 * Added unit tests for most operators and transformations.

 * Fixed crash on startup when ENV is improperly used without a parameter.

 * Allow macro resolution in setenv action.

 * The default action is now a minimal "phase:2,log,pass" with no default
   transformations performed.

 * Implemented SecUploadFileMode to allow setting the mode for uploaded files.

 * Implemented "block" action.

 * Implemented SecRuleUpdateActionById.

 * Fixed removal of phase 5 rules via SecRuleRemoveBy* directives.

 * No longer log the query portion of the URI in the error log as
   it may contain sensitive data.

 * Build is now 'configure' based: ./configure && make && make install

 * Added support for Lua scripting in the following ways: SecRuleScript
   can be used to specify a script to execute as a rule, the exec
   action processes Lua scripts internally, as does the @inspectFile
   operator. Refer to the documentation for more details.

 * Changed how allow works. Used on its own it now allows phases 1-4. Used
   with parameter "phase" (e.g. SecAction allow:phase) it only affects
   the current phase. Used with parameter "request" it allows phases
   1-2.

 * Fixed issue where only the first phase 5 rule would run when the
   request was intercepted in an earlier phase.

 * Stricter configuration parsing.  Disruptive actions, meta actions and
   phases are no longer allowed in a chained rule.  Disruptive actions,
   are no longer allowed in a logging phase (phase 5) rule, including
   inheriting from SecDefaultAction.

 * More efficient collection persistance.

 * Fixed t:escapeSeqDecode to better follow ANSI C escapes.

 * Added t:jsDecode to decode JavScript escape sequences.

 * Added IS_NEW built-in collection variables.

 * New audit log part 'K' logs all matching rules.

 * Implemented SecRequestBodyNoFilesLimit.

 * Enhance handling of the case where we run out of disk space while
   writing to audit log entry.

 * Added SecComponentSignature to allow other components the ability
   to append to the logged signature.

 * Added skipAfter:<id> action to allow skipping all rules until a rule
   with a specified ID is reached.  Rule execution then continues after
   the specified rule.

 * Added SecMarker <id> directive to allow a fixed target for skipAfter.

 * Added ctl:ruleRemoveById action to allow rule removal on a match.

 * Added a @containsWord operator that will match a given string anywhere in
   the target value, but only on word boundaries.

 * Added a MATCHED_VAR_NAME variable to store the last matched variable name
   so that it can be more easily used by rules.

 * Added a MATCHED_VAR variable to store the last matched variable value
   so that it can be more easily used by rules.

 * Fixed expansion of macros when using relative changes with setvar.  In
   addition, added support for expanding macros in the variable name.

 * Situations where ModSecurity will intercept, generate an error or log
   a level 1-3 message to the debug log are now marked as 'relevant' and may
   generate an audit log entry.

 * Fixed deprecatevar:var=N/S action so that it decrements N every S seconds
   as documented instead of decrementing by a rate.

 * Enable ModSecurity to look at partial response bodies. In previous
   versions, ModSecurity would respond with status code 500 when the
   response body was too long. Now, if SecResponseBodyLimitAction is
   set to "ProcessPartial", it will process the part of the response
   body received up until that point but send the rest without buffering.

 * ModSecurity will now process phases 3 and 4 even when request processing
   is interrupted (either by Apache - e.g. by responding with 400, 401
   or 403, or by ModSecurity itself).

 * Fixed the base64decode transformation function to not return extra
   characters at the end.

 * Return from the output filter with an error in addition to setting
   up the HTTP error status in the output data.

 * Used new Apache API calls to get the server version/banner when available.

 * Added "logdata" meta action to allow logging of raw transaction data.

 * Added TX_SEVERITY that keeps track of the highest severity
   for any matched rules so far.

 * Added ARGS_GET, ARGS_POST, ARGS_GET_NAMES, ARGS_POST_NAMES variables to
   allow seperation of GET and POST arguments.

 * Added an Apache define (MODSEC_2.5) so that you can conditionally include
   directives based on the ModSecurity major/minor versions with IfDefine.

 * Added MODSEC_BUILD variable that contains the numeric build value based
   on the ModSecurity version.

 * Enhanced debug logging by displaying more data on rule execution.  All
   invoked rules are now logged in the debug log at level 5.

 * Stricter validation for @validateUtf8Encoding.

 * No longer process Apache internal subrequests.

 * Fixed warnings on Solaris and/or 64bit builds.

 * Added @within string comparison operator with support for macro expansion.

 * Do not trigger "pause" action for internal requests.

 * Added matching rule filename and line number to audit log.

 * Added new phrase matching operators, @pm and @pmFromFile.  These use
   an alternate set based matching engine (Aho-Corasick) to perform faster
   phrase type matches such as black/white lists, spam keywords, etc.

 * Allow caching transformations per-request/phase so they are not repeated.

 * Added Solaris and Cygwin to the list of platforms not supporting the hidden
   visibility attribute.

 * Fixed decoding full-width unicode in t:urlDecodeUni.

 * Add SecGeoLookupDB, @geoLookups and GEO collection to support
   geographical lookups by IP/host.

 * Do not try to intercept a request after a failed rule.  This fixes the
   issue associated with an "Internal Error: Asked to intercept request
   but was_intercepted is zero" error message.

 * Removed extraneous exported symbols.

 * Merged the PDF XSS protection functionality into ModSecurity.

 * Exported API for registering custom variables.  Example in api directory.

 * Added experimental support for content injection. Directive
   SecContentInjection (On|Off) controls whether injection is taking place.
   Actions "prepend" and "append" inject content when executed. Do note that
   it is your responsibility to make sure the response is of the appropriate
   content type (e.g. HTML, plain text, etc).

 * Added string comparison operators with support for macro expansion:
   @contains, @streq, @beginsWith and @endsWith.

 * Enhanced debug log output to log macro expansion, quote values and
   correctly display values that contained NULs.

 * Removed support for %0 - %9 capture macros as they were incorrectly
   expanding url encoded values.  Use %{TX.0} - %{TX.9} instead.

 * Added t:length to transform a value to its character length.

 * Added t:trimLeft, t:trimRight, t:trim to remove whitespace
   from a value on the left, right or both.

 * Added SecAuditLog2 directive to allow redundent concurrent audit log
   index files.  This will allow sending audit data to two consoles, etc.

 * Removed CGI style HTTP_* variables in favor of REQUEST_HEADERS:Header-Name.

 * Store filename/line for each rule and display it and the ID (if available)
   in the debug log when invoking a rule.  Thanks to Christian Bockermann
   for the idea.

 * Do not log 'allow' action as intercepted in the debug log.

 * Fixed some collection variable names not printing with the parameter
   and/or counting operator in the debug log.


19 Feb 2008 - 2.1.6
-------------------

 * Fixed crash on startup when ENV is improperly used without a parameter.

 * Allow macro resolution in setenv action.

 * Implemented SecUploadFileMode to allow setting the mode for uploaded files.

 * No longer log the query portion of the URI in the error log as
   it may contain sensitive data.


10 Jan 2008 - 2.1.5
-------------------

 * Updated included Core Ruleset to version 1.5.1.

 * Phase 5 rules can now be removed via SecRuleRemoveBy* directives.

 * Fixed issue where only the first phase 5 rule would run when the
   request was intercepted in an earlier phase.

 * Fixed configuration parsing so that disruptive actions, meta actions
   and phases are not allowed in a chained rule (as originally intended).

 * Fixed t:escapeSeqDecode to better follow ANSI C escapes.


27 Nov 2007 - 2.1.4
-------------------

 * Updated included Core Ruleset to version 1.5 and noted in the docs that
   XML support is required to use the rules without modification.

 * Fixed an evasion FP, mistaking a multipart non-boundary for a boundary.

 * Fixed multiple warnings on Solaris and/or 64bit builds.

 * Do not process subrequests in phase 2-4, but do hand off the request data.

 * Fixed a blocking FP in the multipart parser, which affected Safari.


11 Sep 2007 - 2.1.3
-------------------

 * Updated multipart parsing code adding variables to allow checking
   for various parsing issues (request body abnormalities).

 * Allow mod_rpaf and mod_extract_forwarded2 to work before ModSecurity.

 * Quiet some compiler warnings.

 * Do not block internal ErrorDocument requests after blocking request.

 * Added ability to compile without an external API (use -DNO_MODSEC_API).


27 Jul 2007 - 2.1.2
-------------------

 * Cleaned up and clarified some documentation.

 * Update included core rules to latest version (1.4.3).

 * Enhanced ability to alert/audit failed requests.

 * Do not trigger "pause" action for internal requests.

 * Fixed issue with requests that use internal requests.  These had the
   potential to be intercepted incorrectly when other Apache httpd modules
   that used internal requests were used with mod_security.

 * Added Solaris and Cygwin to the list of platforms not supporting the hidden
   visibility attribute.

 * Fixed decoding full-width unicode in t:urlDecodeUni.

 * Lessen some overhead of debugging messages and calculations.

 * Do not try to intercept a request after a failed rule.  This fixes the
   issue associated with an "Internal Error: Asked to intercept request
   but was_intercepted is zero" error message.

 * Added SecAuditLog2 directive to allow redundent concurrent audit log
   index files.  This will allow sending audit data to two consoles, etc.

 * Small performance improvement in memory management for rule execution.


11 Apr 2007 - 2.1.1
-------------------

 * Add the PCRE_DOLLAR_ENDONLY option when compiling regular expression
   for the @rx operator and variables.
 
 * Really set PCRE_DOTALL option when compiling the regular expression
   for the @rx operator as the docs state.
 
 * Fixed potential memory corruption when expanding macros.

 * Fixed error when a collection was retrieved from storage in the same second
   as creation by setting the rate to zero.

 * Fixed ASCIIZ (NUL) parsing for application/x-www-form-urlencoded forms.

 * Fixed the faulty REQUEST_FILENAME variable, which used to change
   the internal Apache structures by mistake.

 * Updates to quiet some compiler warnings.

 * Fixed some casting issues for compiling on NetWare (patch from Guenter Knauf).


23 Feb 2007 - 2.1.0
-------------------

 * Removed the "Connection reset by peer" message, which has nothing
   to do with us. Actually the message was downgraded from ERROR to
   NOTICE so it will still appear in the debug log.

 * Removed the (harmless) message mentioning LAST_UPDATE_TIME missing.

 * It was not possible to remove a rule placed in phase 4 using
   SecRuleRemoveById or SecRuleRemoveByMsg. Fixed.

 * Fixed a problem with incorrectly setting requestBodyProcessor using
   the ctl action.

 * Bundled Core Rules 2.1-1.3.2b4.

 * Updates to the reference manual.

 * Reversed the return values of @validateDTD and @validateSchema, to
   make them consistent with other operators.

 * Added a few helpful debug messages in the XML validation area.

 * Updates to the reference manual.

 * Fixed the validateByteRange operator.

 * Default value for the status action is now 403 (as it was supposed to
   be but it was effectively 500).

 * Rule exceptions (removing using an ID range or an regular expression)
   is now applied to the current context too. (Previously it only worked
   on rules that are inherited from the parent context.)

 * Fix of a bug with expired variables.

 * Fixed regular expression variable selectors for many collections.

 * Performance improvements - up to two times for real-life work loads!

 * Memory consumption improvements (not measured but significant).

 * The allow action did not work in phases 3 and 4. Fixed.

 * Unlocked collections GLOBAL and RESOURCE.

 * Added support for variable expansion in the msg action.

 * New feature: It is now possible to make relative changes to the
   audit log parts with the ctl action. For example: "ctl:auditLogParts=+E".

 * New feature: "tag" action. To be used for event categorisation.

 * XML parser was not reporting errors that occured at the end
   of XML payload.

 * Files were not extracted from request if SecUploadKeepFiles was
   Off. Fixed.

 * Regular expressions that are too long are truncated to 256
   characters before used in error messages. (In order to keep
   the error messages in the log at a reasonable size.)

 * Fixed the sha1 transformation function.

 * Fixed the skip action.

 * Fixed REQUEST_PROTOCOL, REMOTE_USER, and AUTH_TYPE.

 * SecRuleEngine did not work in child configuration contexts
   (e.g. <Location>).

 * Fixed base64Decode and base64Encode.


15 Nov 2006 - 2.0.4
-------------------

 * Fixed the "deprecatevar" action.

 * Decreasing variable values did not work.

 * Made "nolog" do what it is supposed to do - cause a rule match to
   not be logged. Also "nolog" now implies "noauditlog" but it's
   possible to follow "nolog" with "auditlog" and have the match
   not logged to the error log but logged to the auditlog. (Not
   something that strikes me as useful but it's possible.)

 * Relative paths given to SecDataDir will now be treated as relative
   to the Apache server root.

 * Added checks to make sure only correct actions are specified in
   SecDefaultAction (some actions are required, some don't make any
   sense) and in rules that are not chain starters (same). This should
   make the unhelpful "Internal Error: Failed to add rule to the ruleset"
   message go away.

 * Fixed the problem when "SecRuleInheritance Off" is used in a context
   with no rules defined.

 * Fixed a problem of lost input (request body) data on some redirections,
   for example when mod_rewrite is used.


26 Oct 2006 - 2.0.3
-------------------

 * Fixed a memory leak (all platforms) and a concurrency control
   problem that could cause a crash (multithreaded platforms only).

 * Fixed a SecAuditLogRelevantStatus problem, which would not work
   properly unless the regular expression contained a subexpression.


19 Oct 2006 - 2.0.2
-------------------

 * Fixed incorrect permissions on the global mutex, which prevented
   the mutex from working properly.

 * Fixed incorrect actionset merging where the status was copied from
   the child actionset even though it was not defined.

 * Fixed missing metadata information (in the logs) for warnings.


16 Oct 2006 - 2.0.1
-------------------

 * Rules that used operator negation did not work. Fixed.

 * Fixed bug that prevented invalid regular expressions from being reported.


16 Oct 2006 - 2.0.0
-------------------

 * First stable 2.x release.