2008-04-24 20:23:35 +04:00
|
|
|
24 Apr 2008 - 2.5.3
|
2008-03-28 23:00:37 +03:00
|
|
|
-------------------
|
2008-03-28 20:06:44 +03:00
|
|
|
|
2008-04-24 20:30:58 +04:00
|
|
|
* Fixed issue where the exec action may not be able to execute shell scripts.
|
|
|
|
|
2008-04-24 20:23:35 +04:00
|
|
|
* Macros are now expanded in expirevar and deprecatevar.
|
2008-04-12 00:05:44 +04:00
|
|
|
|
2008-04-24 20:40:14 +04:00
|
|
|
* Fixed crash if a persistent variable name was more than 126 characters.
|
|
|
|
|
2008-03-28 20:06:44 +03:00
|
|
|
|
2008-04-12 00:10:27 +04:00
|
|
|
02 Apr 2008 - 2.5.2
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
* Allow HTTP_* targets as an alias for REQUEST_HEADERS:*.
|
|
|
|
|
|
|
|
* Make sure temporary filehandles are closed after a transaction.
|
|
|
|
|
|
|
|
* Make sure the apache include directory is included during build.
|
|
|
|
|
|
|
|
|
|
|
|
02 Apr 2008 - 2.1.7
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
* Make sure temporary filehandles are closed after a transaction.
|
|
|
|
|
|
|
|
|
2008-03-28 20:06:44 +03:00
|
|
|
14 Mar 2008 - 2.5.1
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
* Fixed an issue where a match would not occur if transformation caching
|
|
|
|
was enabled.
|
|
|
|
|
|
|
|
* Using "severity" in a default action is now just a warning.
|
|
|
|
|
|
|
|
* Cleaned up the "make test" target to better locate headers/libraries.
|
|
|
|
|
|
|
|
* Now search /usr/lib64 and /usr/lib32 for lua libs.
|
|
|
|
|
|
|
|
* No longer treat warnings as errors by default (use --enable-strict-compile).
|
|
|
|
|
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
19 Feb 2008 - 2.5.0
|
|
|
|
-------------------
|
2008-02-12 01:57:54 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Updated included Core Ruleset to version 1.6.0 which uses 2.5 features.
|
2008-02-08 04:24:46 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Cleaned up and clarified some documentation.
|
2008-02-08 04:24:46 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Updated code to be more portable so it builds with MS VC++.
|
2008-02-05 03:55:16 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added unit tests for most operators and transformations.
|
2008-02-05 03:55:16 +03:00
|
|
|
|
|
|
|
* Fixed crash on startup when ENV is improperly used without a parameter.
|
|
|
|
|
|
|
|
* Allow macro resolution in setenv action.
|
|
|
|
|
2008-01-29 19:36:36 +03:00
|
|
|
* The default action is now a minimal "phase:2,log,pass" with no default
|
|
|
|
transformations performed.
|
2008-01-25 01:39:13 +03:00
|
|
|
|
2008-01-25 01:10:37 +03:00
|
|
|
* Implemented SecUploadFileMode to allow setting the mode for uploaded files.
|
|
|
|
|
2008-01-24 08:16:35 +03:00
|
|
|
* Implemented "block" action.
|
|
|
|
|
2008-01-29 19:36:36 +03:00
|
|
|
* Implemented SecRuleUpdateActionById.
|
2008-01-23 21:12:59 +03:00
|
|
|
|
2008-01-29 19:36:36 +03:00
|
|
|
* Fixed removal of phase 5 rules via SecRuleRemoveBy* directives.
|
2008-01-19 05:23:41 +03:00
|
|
|
|
2008-01-29 19:36:36 +03:00
|
|
|
* No longer log the query portion of the URI in the error log as
|
|
|
|
it may contain sensitive data.
|
2008-01-22 09:59:06 +03:00
|
|
|
|
2008-01-29 19:36:36 +03:00
|
|
|
* Build is now 'configure' based: ./configure && make && make install
|
2008-01-03 00:32:10 +03:00
|
|
|
|
2007-12-21 15:50:03 +03:00
|
|
|
* Added support for Lua scripting in the following ways: SecRuleScript
|
|
|
|
can be used to specify a script to execute as a rule, the exec
|
2008-02-16 01:51:01 +03:00
|
|
|
action processes Lua scripts internally, as does the @inspectFile
|
2007-12-21 15:50:03 +03:00
|
|
|
operator. Refer to the documentation for more details.
|
|
|
|
|
2007-12-17 14:22:47 +03:00
|
|
|
* Changed how allow works. Used on its own it now allows phases 1-4. Used
|
|
|
|
with parameter "phase" (e.g. SecAction allow:phase) it only affects
|
|
|
|
the current phase. Used with parameter "request" it allows phases
|
|
|
|
1-2.
|
|
|
|
|
2007-12-15 03:57:21 +03:00
|
|
|
* Fixed issue where only the first phase 5 rule would run when the
|
|
|
|
request was intercepted in an earlier phase.
|
|
|
|
|
2007-12-15 01:50:01 +03:00
|
|
|
* Stricter configuration parsing. Disruptive actions, meta actions and
|
|
|
|
phases are no longer allowed in a chained rule. Disruptive actions,
|
2007-12-15 01:52:29 +03:00
|
|
|
are no longer allowed in a logging phase (phase 5) rule, including
|
|
|
|
inheriting from SecDefaultAction.
|
2007-12-15 01:50:01 +03:00
|
|
|
|
2007-12-14 22:53:23 +03:00
|
|
|
* More efficient collection persistance.
|
|
|
|
|
2007-12-14 03:30:25 +03:00
|
|
|
* Fixed t:escapeSeqDecode to better follow ANSI C escapes.
|
|
|
|
|
2007-12-14 03:19:46 +03:00
|
|
|
* Added t:jsDecode to decode JavScript escape sequences.
|
2007-12-13 03:58:02 +03:00
|
|
|
|
2008-01-22 09:59:06 +03:00
|
|
|
* Added IS_NEW built-in collection variables.
|
2007-12-13 01:52:08 +03:00
|
|
|
|
2007-12-01 00:31:12 +03:00
|
|
|
* New audit log part 'K' logs all matching rules.
|
2007-11-30 03:52:21 +03:00
|
|
|
|
2007-11-29 14:41:48 +03:00
|
|
|
* Implemented SecRequestBodyNoFilesLimit.
|
|
|
|
|
2007-11-27 13:52:14 +03:00
|
|
|
* Enhance handling of the case where we run out of disk space while
|
|
|
|
writing to audit log entry.
|
|
|
|
|
2007-12-14 23:20:18 +03:00
|
|
|
* Added SecComponentSignature to allow other components the ability
|
|
|
|
to append to the logged signature.
|
2007-11-03 01:31:47 +03:00
|
|
|
|
2007-10-17 23:59:28 +04:00
|
|
|
* Added skipAfter:<id> action to allow skipping all rules until a rule
|
|
|
|
with a specified ID is reached. Rule execution then continues after
|
|
|
|
the specified rule.
|
|
|
|
|
2007-12-14 23:20:18 +03:00
|
|
|
* Added SecMarker <id> directive to allow a fixed target for skipAfter.
|
|
|
|
|
2007-10-17 23:11:47 +04:00
|
|
|
* Added ctl:ruleRemoveById action to allow rule removal on a match.
|
|
|
|
|
2007-10-02 22:50:35 +04:00
|
|
|
* Added a @containsWord operator that will match a given string anywhere in
|
|
|
|
the target value, but only on word boundaries.
|
|
|
|
|
2007-12-14 23:20:18 +03:00
|
|
|
* Added a MATCHED_VAR_NAME variable to store the last matched variable name
|
|
|
|
so that it can be more easily used by rules.
|
|
|
|
|
|
|
|
* Added a MATCHED_VAR variable to store the last matched variable value
|
2007-10-02 02:35:52 +04:00
|
|
|
so that it can be more easily used by rules.
|
|
|
|
|
2007-10-01 21:24:10 +04:00
|
|
|
* Fixed expansion of macros when using relative changes with setvar. In
|
|
|
|
addition, added support for expanding macros in the variable name.
|
|
|
|
|
2007-09-28 01:18:23 +04:00
|
|
|
* Situations where ModSecurity will intercept, generate an error or log
|
2007-09-29 00:02:02 +04:00
|
|
|
a level 1-3 message to the debug log are now marked as 'relevant' and may
|
|
|
|
generate an audit log entry.
|
2007-09-28 01:18:23 +04:00
|
|
|
|
2007-09-26 01:40:04 +04:00
|
|
|
* Fixed deprecatevar:var=N/S action so that it decrements N every S seconds
|
|
|
|
as documented instead of decrementing by a rate.
|
|
|
|
|
2007-09-22 03:23:11 +04:00
|
|
|
* Enable ModSecurity to look at partial response bodies. In previous
|
2008-02-16 01:51:01 +03:00
|
|
|
versions, ModSecurity would respond with status code 500 when the
|
2007-09-22 03:23:11 +04:00
|
|
|
response body was too long. Now, if SecResponseBodyLimitAction is
|
|
|
|
set to "ProcessPartial", it will process the part of the response
|
|
|
|
body received up until that point but send the rest without buffering.
|
|
|
|
|
|
|
|
* ModSecurity will now process phases 3 and 4 even when request processing
|
2007-09-22 02:15:12 +04:00
|
|
|
is interrupted (either by Apache - e.g. by responding with 400, 401
|
|
|
|
or 403, or by ModSecurity itself).
|
|
|
|
|
2007-09-27 01:39:45 +04:00
|
|
|
* Fixed the base64decode transformation function to not return extra
|
2007-09-22 02:15:12 +04:00
|
|
|
characters at the end.
|
|
|
|
|
2007-09-15 03:01:58 +04:00
|
|
|
* Return from the output filter with an error in addition to setting
|
|
|
|
up the HTTP error status in the output data.
|
|
|
|
|
2007-12-14 23:20:18 +03:00
|
|
|
* Used new Apache API calls to get the server version/banner when available.
|
2007-09-11 22:01:28 +04:00
|
|
|
|
2007-12-14 23:20:18 +03:00
|
|
|
* Added "logdata" meta action to allow logging of raw transaction data.
|
2007-08-10 04:44:20 +04:00
|
|
|
|
2007-08-09 02:11:02 +04:00
|
|
|
* Added TX_SEVERITY that keeps track of the highest severity
|
|
|
|
for any matched rules so far.
|
|
|
|
|
2007-08-09 00:53:00 +04:00
|
|
|
* Added ARGS_GET, ARGS_POST, ARGS_GET_NAMES, ARGS_POST_NAMES variables to
|
2007-08-09 00:49:51 +04:00
|
|
|
allow seperation of GET and POST arguments.
|
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added an Apache define (MODSEC_2.5) so that you can conditionally include
|
|
|
|
directives based on the ModSecurity major/minor versions with IfDefine.
|
|
|
|
|
2007-08-08 22:25:03 +04:00
|
|
|
* Added MODSEC_BUILD variable that contains the numeric build value based
|
|
|
|
on the ModSecurity version.
|
2007-07-02 18:49:56 +04:00
|
|
|
|
2007-12-14 23:20:18 +03:00
|
|
|
* Enhanced debug logging by displaying more data on rule execution. All
|
|
|
|
invoked rules are now logged in the debug log at level 5.
|
2007-08-08 18:48:49 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Stricter validation for @validateUtf8Encoding.
|
2007-08-03 00:40:37 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* No longer process Apache internal subrequests.
|
2007-08-03 00:40:37 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed warnings on Solaris and/or 64bit builds.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added @within string comparison operator with support for macro expansion.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Do not trigger "pause" action for internal requests.
|
2007-12-14 23:20:18 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added matching rule filename and line number to audit log.
|
2007-12-14 23:20:18 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added new phrase matching operators, @pm and @pmFromFile. These use
|
|
|
|
an alternate set based matching engine (Aho-Corasick) to perform faster
|
|
|
|
phrase type matches such as black/white lists, spam keywords, etc.
|
|
|
|
|
|
|
|
* Allow caching transformations per-request/phase so they are not repeated.
|
|
|
|
|
|
|
|
* Added Solaris and Cygwin to the list of platforms not supporting the hidden
|
2007-07-02 18:49:56 +04:00
|
|
|
visibility attribute.
|
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed decoding full-width unicode in t:urlDecodeUni.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Add SecGeoLookupDB, @geoLookups and GEO collection to support
|
|
|
|
geographical lookups by IP/host.
|
2007-12-14 23:22:54 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Do not try to intercept a request after a failed rule. This fixes the
|
|
|
|
issue associated with an "Internal Error: Asked to intercept request
|
|
|
|
but was_intercepted is zero" error message.
|
2007-12-14 23:22:54 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Removed extraneous exported symbols.
|
2007-12-14 23:22:54 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Merged the PDF XSS protection functionality into ModSecurity.
|
2007-12-14 23:22:54 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Exported API for registering custom variables. Example in api directory.
|
2007-12-14 23:22:54 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added experimental support for content injection. Directive
|
|
|
|
SecContentInjection (On|Off) controls whether injection is taking place.
|
|
|
|
Actions "prepend" and "append" inject content when executed. Do note that
|
|
|
|
it is your responsibility to make sure the response is of the appropriate
|
|
|
|
content type (e.g. HTML, plain text, etc).
|
2007-12-14 23:22:54 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added string comparison operators with support for macro expansion:
|
|
|
|
@contains, @streq, @beginsWith and @endsWith.
|
2007-12-14 23:22:54 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Enhanced debug log output to log macro expansion, quote values and
|
|
|
|
correctly display values that contained NULs.
|
2007-09-15 01:41:34 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Removed support for %0 - %9 capture macros as they were incorrectly
|
|
|
|
expanding url encoded values. Use %{TX.0} - %{TX.9} instead.
|
2007-09-15 01:41:34 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added t:length to transform a value to its character length.
|
2007-09-15 01:41:34 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added t:trimLeft, t:trimRight, t:trim to remove whitespace
|
|
|
|
from a value on the left, right or both.
|
2007-09-15 01:41:34 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added SecAuditLog2 directive to allow redundent concurrent audit log
|
|
|
|
index files. This will allow sending audit data to two consoles, etc.
|
2007-09-15 01:41:34 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Removed CGI style HTTP_* variables in favor of REQUEST_HEADERS:Header-Name.
|
2007-09-15 01:41:34 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Store filename/line for each rule and display it and the ID (if available)
|
|
|
|
in the debug log when invoking a rule. Thanks to Christian Bockermann
|
|
|
|
for the idea.
|
2007-09-15 01:41:34 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Do not log 'allow' action as intercepted in the debug log.
|
|
|
|
|
|
|
|
* Fixed some collection variable names not printing with the parameter
|
|
|
|
and/or counting operator in the debug log.
|
|
|
|
|
|
|
|
|
|
|
|
19 Feb 2008 - 2.1.6
|
2007-09-15 01:41:34 +04:00
|
|
|
-------------------
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed crash on startup when ENV is improperly used without a parameter.
|
2007-08-04 00:25:30 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Allow macro resolution in setenv action.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Implemented SecUploadFileMode to allow setting the mode for uploaded files.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* No longer log the query portion of the URI in the error log as
|
|
|
|
it may contain sensitive data.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
10 Jan 2008 - 2.1.5
|
|
|
|
-------------------
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Updated included Core Ruleset to version 1.5.1.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Phase 5 rules can now be removed via SecRuleRemoveBy* directives.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed issue where only the first phase 5 rule would run when the
|
|
|
|
request was intercepted in an earlier phase.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed configuration parsing so that disruptive actions, meta actions
|
|
|
|
and phases are not allowed in a chained rule (as originally intended).
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed t:escapeSeqDecode to better follow ANSI C escapes.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
27 Nov 2007 - 2.1.4
|
|
|
|
-------------------
|
2007-05-16 23:37:27 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Updated included Core Ruleset to version 1.5 and noted in the docs that
|
|
|
|
XML support is required to use the rules without modification.
|
2007-06-21 19:45:21 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed an evasion FP, mistaking a multipart non-boundary for a boundary.
|
2007-06-21 06:21:06 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed multiple warnings on Solaris and/or 64bit builds.
|
2007-06-20 23:58:01 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Do not process subrequests in phase 2-4, but do hand off the request data.
|
2007-06-14 22:48:35 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed a blocking FP in the multipart parser, which affected Safari.
|
2007-05-31 19:42:42 +04:00
|
|
|
|
2007-06-01 19:32:08 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
11 Sep 2007 - 2.1.3
|
|
|
|
-------------------
|
2007-05-31 02:02:35 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Updated multipart parsing code adding variables to allow checking
|
|
|
|
for various parsing issues (request body abnormalities).
|
2007-05-30 20:13:22 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Allow mod_rpaf and mod_extract_forwarded2 to work before ModSecurity.
|
2007-05-30 18:14:00 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Quiet some compiler warnings.
|
2007-05-23 20:04:25 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Do not block internal ErrorDocument requests after blocking request.
|
2007-05-17 16:02:59 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added ability to compile without an external API (use -DNO_MODSEC_API).
|
2007-05-17 00:09:28 +04:00
|
|
|
|
2007-05-16 23:48:21 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
27 Jul 2007 - 2.1.2
|
|
|
|
-------------------
|
2007-05-16 23:37:27 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Cleaned up and clarified some documentation.
|
2007-05-17 00:09:28 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Update included core rules to latest version (1.4.3).
|
2007-06-20 23:58:01 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Enhanced ability to alert/audit failed requests.
|
2007-06-20 23:58:01 +04:00
|
|
|
|
|
|
|
* Do not trigger "pause" action for internal requests.
|
|
|
|
|
|
|
|
* Fixed issue with requests that use internal requests. These had the
|
|
|
|
potential to be intercepted incorrectly when other Apache httpd modules
|
|
|
|
that used internal requests were used with mod_security.
|
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added Solaris and Cygwin to the list of platforms not supporting the hidden
|
2007-06-20 23:58:01 +04:00
|
|
|
visibility attribute.
|
|
|
|
|
|
|
|
* Fixed decoding full-width unicode in t:urlDecodeUni.
|
|
|
|
|
|
|
|
* Lessen some overhead of debugging messages and calculations.
|
|
|
|
|
|
|
|
* Do not try to intercept a request after a failed rule. This fixes the
|
|
|
|
issue associated with an "Internal Error: Asked to intercept request
|
|
|
|
but was_intercepted is zero" error message.
|
|
|
|
|
|
|
|
* Added SecAuditLog2 directive to allow redundent concurrent audit log
|
|
|
|
index files. This will allow sending audit data to two consoles, etc.
|
|
|
|
|
|
|
|
* Small performance improvement in memory management for rule execution.
|
|
|
|
|
|
|
|
|
2007-05-16 23:37:27 +04:00
|
|
|
11 Apr 2007 - 2.1.1
|
|
|
|
-------------------
|
2007-04-05 19:13:22 +04:00
|
|
|
|
|
|
|
* Add the PCRE_DOLLAR_ENDONLY option when compiling regular expression
|
|
|
|
for the @rx operator and variables.
|
2007-05-16 23:37:27 +04:00
|
|
|
|
2007-04-05 19:13:22 +04:00
|
|
|
* Really set PCRE_DOTALL option when compiling the regular expression
|
|
|
|
for the @rx operator as the docs state.
|
2007-05-16 23:37:27 +04:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed potential memory corruption when expanding macros.
|
2007-03-08 19:15:45 +03:00
|
|
|
|
2007-05-16 23:37:27 +04:00
|
|
|
* Fixed error when a collection was retrieved from storage in the same second
|
|
|
|
as creation by setting the rate to zero.
|
2007-03-07 18:56:22 +03:00
|
|
|
|
2007-05-16 23:37:27 +04:00
|
|
|
* Fixed ASCIIZ (NUL) parsing for application/x-www-form-urlencoded forms.
|
2007-03-06 19:14:54 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed the faulty REQUEST_FILENAME variable, which used to change
|
|
|
|
the internal Apache structures by mistake.
|
2007-03-01 14:34:13 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Updates to quiet some compiler warnings.
|
2007-03-01 14:49:56 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed some casting issues for compiling on NetWare (patch from Guenter Knauf).
|
2007-03-06 19:14:54 +03:00
|
|
|
|
2007-03-01 14:34:13 +03:00
|
|
|
|
|
|
|
23 Feb 2007 - 2.1.0
|
2007-02-22 16:20:17 +03:00
|
|
|
-------------------
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Removed the "Connection reset by peer" message, which has nothing
|
|
|
|
to do with us. Actually the message was downgraded from ERROR to
|
|
|
|
NOTICE so it will still appear in the debug log.
|
2007-02-22 15:14:10 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Removed the (harmless) message mentioning LAST_UPDATE_TIME missing.
|
2007-02-22 14:40:48 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* It was not possible to remove a rule placed in phase 4 using
|
|
|
|
SecRuleRemoveById or SecRuleRemoveByMsg. Fixed.
|
2007-02-22 13:44:01 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed a problem with incorrectly setting requestBodyProcessor using
|
|
|
|
the ctl action.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Bundled Core Rules 2.1-1.3.2b4.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Updates to the reference manual.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Reversed the return values of @validateDTD and @validateSchema, to
|
|
|
|
make them consistent with other operators.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Added a few helpful debug messages in the XML validation area.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Updates to the reference manual.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed the validateByteRange operator.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Default value for the status action is now 403 (as it was supposed to
|
|
|
|
be but it was effectively 500).
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Rule exceptions (removing using an ID range or an regular expression)
|
|
|
|
is now applied to the current context too. (Previously it only worked
|
|
|
|
on rules that are inherited from the parent context.)
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fix of a bug with expired variables.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed regular expression variable selectors for many collections.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Performance improvements - up to two times for real-life work loads!
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Memory consumption improvements (not measured but significant).
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* The allow action did not work in phases 3 and 4. Fixed.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Unlocked collections GLOBAL and RESOURCE.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Added support for variable expansion in the msg action.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* New feature: It is now possible to make relative changes to the
|
|
|
|
audit log parts with the ctl action. For example: "ctl:auditLogParts=+E".
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* New feature: "tag" action. To be used for event categorisation.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* XML parser was not reporting errors that occured at the end
|
|
|
|
of XML payload.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Files were not extracted from request if SecUploadKeepFiles was
|
|
|
|
Off. Fixed.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Regular expressions that are too long are truncated to 256
|
|
|
|
characters before used in error messages. (In order to keep
|
|
|
|
the error messages in the log at a reasonable size.)
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed the sha1 transformation function.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed the skip action.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed REQUEST_PROTOCOL, REMOTE_USER, and AUTH_TYPE.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* SecRuleEngine did not work in child configuration contexts
|
|
|
|
(e.g. <Location>).
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed base64Decode and base64Encode.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
|
|
|
|
|
|
|
15 Nov 2006 - 2.0.4
|
|
|
|
-------------------
|
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed the "deprecatevar" action.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Decreasing variable values did not work.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Made "nolog" do what it is supposed to do - cause a rule match to
|
|
|
|
not be logged. Also "nolog" now implies "noauditlog" but it's
|
|
|
|
possible to follow "nolog" with "auditlog" and have the match
|
|
|
|
not logged to the error log but logged to the auditlog. (Not
|
|
|
|
something that strikes me as useful but it's possible.)
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Relative paths given to SecDataDir will now be treated as relative
|
|
|
|
to the Apache server root.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Added checks to make sure only correct actions are specified in
|
|
|
|
SecDefaultAction (some actions are required, some don't make any
|
|
|
|
sense) and in rules that are not chain starters (same). This should
|
|
|
|
make the unhelpful "Internal Error: Failed to add rule to the ruleset"
|
|
|
|
message go away.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed the problem when "SecRuleInheritance Off" is used in a context
|
|
|
|
with no rules defined.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed a problem of lost input (request body) data on some redirections,
|
|
|
|
for example when mod_rewrite is used.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
|
|
|
|
|
|
|
26 Oct 2006 - 2.0.3
|
|
|
|
-------------------
|
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed a memory leak (all platforms) and a concurrency control
|
|
|
|
problem that could cause a crash (multithreaded platforms only).
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed a SecAuditLogRelevantStatus problem, which would not work
|
|
|
|
properly unless the regular expression contained a subexpression.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
|
|
|
|
|
|
|
19 Oct 2006 - 2.0.2
|
|
|
|
-------------------
|
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed incorrect permissions on the global mutex, which prevented
|
|
|
|
the mutex from working properly.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed incorrect actionset merging where the status was copied from
|
|
|
|
the child actionset even though it was not defined.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed missing metadata information (in the logs) for warnings.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
|
|
|
|
|
|
|
16 Oct 2006 - 2.0.1
|
|
|
|
-------------------
|
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Rules that used operator negation did not work. Fixed.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed bug that prevented invalid regular expressions from being reported.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
|
|
|
|
|
|
|
16 Oct 2006 - 2.0.0
|
|
|
|
-------------------
|
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* First stable 2.x release.
|
2007-02-06 15:29:22 +03:00
|
|
|
|