15 Oct 2012 - 2.7.0
-------------------

* Fixed Pause action should work as a disruptive action (MODSEC-297).

* Fixed Problem loading mod_env variables in phase 2 (MODSEC-226).

* Fixed Detect cookie v0 separator and use it for parsing (MODSEC-261).

* Fixed Variable REMOTE_ADDR with wrong IP address in NGINX version (MODSEC-337).

* Fixed Errors compiling NGINX version.

* Added Include directive into standalone module. IIS and NGINX modules should
  support the Include directive like Apache2.

* Added MULTIPART_INVALID_PART flag. Also used in rule id 200002 for multipart strict
  validation.

* Updated Reference Manual.

25 Sep 2012 - 2.6.8
-------------------

* Fixed ctl:ruleRemoveTargetByID order issue (MODSEC-333). Thanks to Armadillo Dasypodidae.

* Fixed variable HIGHEST_SEVERITY incorrectly gets reset in a chain rule (MODSEC-315). Thanks to Valery Reznic.

10 Sep 2012 - 2.7.0-rc3
-------------------

* Fixed requests bigger than SecRequestBodyNoFilesLimit were truncated even when engine mode was detection only.

* Fixed double close() for multipart temporary files (Thanks Seema Deepak).

* Fixed many small issues reported by Coverity Scanner (Thanks Peter Vrabek).

* Fixed format string issue in nginx experimental code (Thanks Eldar Zaitov).

* Added ctl:ruleRemoveTargetByTag/Msg and removed ctl:ruleUpdateTargetByTag/Msg.

* Added IIS and Nginx platform code.

* Added new transformation utf8toUnicode.

23 Jul 2012 - 2.6.7
-------------------

* Fixed explicit target replacement using SecUpdateTargetById was broken.

* The ctl:ruleUpdateTargetById is deprecated and will be removed in future versions since
  there is no safe way to use it per-request.

* Added ctl:ruleRemoveTargetById that can be used to exclude targets from processing per-request.

22 Jun 2012 - 2.7.0-rc2
-------------------

* Fixed compilation errors and warnings on the Windows platform.

* Fixed SecEncryptionKey was not working as expected.

08 Jun 2012 - 2.7.0-rc1
-------------------

* Added SecEncryptionEngine. Initial crypt engine support; at the moment it will sign some HTML
  and response header options.

* Added SecEncryptionKey to define a random or static key for the crypt engine.

* Added SecEncryptionParam to define the new parameter name.

* Added SecEncryptionMethodRx used with a regular expression to inspect the HTML in response
  body/header and decide what to protect.

* Added SecEncryptionMethodPm used with multiple or single strings to inspect the HTML in response
  body/header and decide what to protect.

* Added ctl encryptionEngine as a per-transaction version of the SecEncryptionEngine directive.

* Added ctl encryptionEnforcement that allows the engine to sign the data while enforcement is
  disabled.

* Added validateEncryption operator to enforce the signed elements.

* Added rsub operator support for the |hex| syntax, allowing users to use special chars like \n \r.

* Added SecRuleUpdateTargetById now supports id ranges.

* Added SecRuleUpdateTargetByMsg and its ctl version (Thanks Scott Gifford).

* Added SecRuleUpdateTargetByTag and its ctl version (Thanks Scott Gifford).

* Added SecRulePerfTime; when greater than zero it will record each rule id's execution time into PERF_RULE
  and log id=usec information in the new Perf-rule-info: line in part H.

* Added PERF_RULES variable that contains rule execution time.

* Added Engine-mode: section in part H.

* Added ruleRemoveByMsg ctl version.

* Added removeCommentsChar and removeComments can now work with <!-- --> style comments.

* Added SecArgumentSeparator and SecCookieFormat can now be used in different scope locations.

* Added Rules must now have an id action and it must be numeric.

* Added The use of tfns in SecDefaultAction is deprecated and should be forbidden in the future.

* Added Macro expansion support to the action pause.

* Added IpmatchFromFile/IpmatchF operator.

* Added New setrsc action; the RESOURCE collection uses the SecWebAppId namespace.

* Added Configure option --enable-cache-lua that allows reuse of the Lua VM per transaction.
  It will only take effect when ModSecurity has multiple scripts to run per transaction.

* Added Configure option --enable-pcre-jit that allows the ModSecurity regex engine to use PCRE JIT support.

* Added Configure option --enable-request-early that allows ModSecurity to run phase 1 in the post_read_request hook.

* Added RBL operator now supports the httpBl API (http://www.projecthoneypot.org/httpbl_api.php).

* Added SecHttpBlKey to be used with the httpBl API.

* Added SecSensorId specifies the ModSecurity sensor name in audit log part H.

* Added aliases to phase:2 (phase:request), phase:4 (phase:response) and phase:5 (phase:logging).

* Added USERAGENT_IP variable. Created when Apache 2.4 is used with mod_remoteip, to expose the real
  client IP address.

* Added new rule metadata actions ver, maturity and accuracy. Also included in the RULE collection.

* Updated Reference manual in the doc/ directory.

* Fixed Variable DURATION contains the elapsed time in microseconds for compatibility with Apache and
  other variables.

* Fixed Preserve names/identity of the variables going into MATCHED_VARS.

* Fixed Redirect macro expansion does not work in SecDefaultAction when SecRule uses block action.

* Fixed rsub operator does not work as expected if regex contains parentheses (Thanks Jerome Freilinger).

* Current Google Safe Browsing implementation is deprecated. Google changed the API and no longer
  allows the malware database to be downloaded.

08 Jun 2012 - 2.6.6
-------------------

* Added build system support for kFreeBSD and HURD.

* Fixed a multipart bypass issue related to quote parsing.
  Credits to Qualys Vulnerability & Malware Research Labs (VMRL).

20 Mar 2012 - 2.6.5
-------------------

* Fixed Increased the debug level of a specific message in SDBM code (MODSEC-293).

* Cleaned up build system.

09 Mar 2012 - 2.6.4
-------------------

* Fixed mlogc 100% CPU consumption (Thanks Klaubert Herr and Ebrahim Khalilzadeh).

* Fixed ModSecurity cannot load session and user sdbm data.

* Fixed updateTargetById was creating rule unparsed content, making Apache memory grow.

* Code cleanup.

23 Feb 2012 - 2.6.4-rc1
-------------------

* Fixed @rsub adding garbage data into stream variables.

* Fixed regex for section A in mlogc-batch-load.pl (Thanks Ebrahim Khalilzadeh).

* Fixed logdata truncating the message without closing it with the final chars.

* Added sanitizeMatchedBytes support to verifyCPF, verifyCC and verifySSN.

06 Dec 2011 - 2.6.3-rc1
-------------------

* Fixed MATCHED_VARS does not correctly handle multiple VARS with the same name.

* Fixed SDBM garbage collection was not working as expected, increasing the size of files.

* Fixed wrong timestamp calculation for some time zones in log files.

* Fixed SecUpdateTargetById failed to load multiple VARS (MODSEC-270).

* Fixed Reverted hexDecode for hexEncode compatibility reasons.

* Added SecCollectionTimeout to set collection timeout, default is 3600.

* Added sqlHexDecode transformation to decode SQL hex data. Thanks Marc Stern.

30 Sep 2011 - 2.6.2
-------------------

* Fixed hexDecode test during make.

* Updated the reference manual in the doc/ directory.

5 Sep 2011 - 2.6.2-rc1
-------------------

* Added macro expansion support for the rx operator.

* Added new transformations removeComments and removeCommentsChars.

* Fixed collection names are not case-sensitive anymore.

* Fixed compilation errors with Apache 2.0.

* Fixed build system was not using some libraries' CFLAGS.

* Fixed check for valid hex values in hexDecode transformation.

* Fixed ctl:ruleUpdateTargetById appending multiple targets.

18 Jun 2011 - 2.6.1
-------------------

* Updated the reference manual in the doc/ directory.

11 Jul 2011 - trunk
-------------------

* Added HttpBl support to the rbl operator.

30 Jun 2011 - 2.6.1-rc1
-------------------

* Fixed SecUploadFileMode doesn't work with the new build system.

* Fixed building with Lua library (Thanks Diego Elio).

* Fixed some ./configure --enable* features not being enabled at compilation time.

* Improvements on GSB database add/search operations.

* Log part K was removed from modsecurity.conf-recommended.

* Added SecUnicodeMapFile directive. Must be used to load the unicode.mapping file.

* Added SecUnicodeCodePage directive. Used to define the Unicode code page. There are a few already available:

    1250 (ANSI - Central Europe)
    1251 (ANSI - Cyrillic)
    1252 (ANSI - Latin I)
    1253 (ANSI - Greek)
    1254 (ANSI - Turkish)
    1255 (ANSI - Hebrew)
    1256 (ANSI - Arabic)
    1257 (ANSI - Baltic)
    1258 (ANSI/OEM - Viet Nam)
    20127 (US-ASCII)
    20261 (T.61)
    20866 (Russian - KOI8)
    28591 (ISO 8859-1 Latin I)
    28592 (ISO 8859-2 Central Europe)
    28605 (ISO 8859-15 Latin 9)
    37 (IBM EBCDIC - U.S./Canada)
    437 (OEM - United States)
    500 (IBM EBCDIC - International)
    850 (OEM - Multilingual Latin I)
    860 (OEM - Portuguese)
    861 (OEM - Icelandic)
    863 (OEM - Canadian French)
    865 (OEM - Nordic)
    874 (ANSI/OEM - Thai)
    932 (ANSI/OEM - Japanese Shift-JIS)
    936 (ANSI/OEM - Simplified Chinese GBK)
    949 (ANSI/OEM - Korean)
    950 (ANSI/OEM - Traditional Chinese Big5)

  Also maps some extra Unicode chars defined at http://tools.ietf.org/html/rfc3490#section-3.1

* Fixed SecRequestBodyLimit was truncating the real request body.

18 May 2011 - 2.6.0
-------------------

* Added SecWriteStateLimit for Slow Post DoS mitigation.

* Fixed a problem when buffering in the input filter.

* Fixed memory leak when using MATCHED_VAR_NAMES.

2 May 2011 - 2.6.0-rc2
-------------------

* Added code optimizations - thanks Diego Elio.

* Added support for AIX and HPUX in the build system (untested).

* Renamed decodeBase64Ext to base64DecodeExt.

* Build system improvements - thanks Diego Elio.

* Improvements on gsblookup parser.

* Fixed input filter bug when uploading files and SecStreamInBodyInspection is enabled.

* Logging improvements and bug fixes.

* Removed extra useless files on make clean and maintainer-clean.

18 Apr 2011 - 2.6.0-rc1
-------------------

* Replaced the previous GPLv2 license with Apache v2.

* Added Google Safe Browsing lookups operator and directive. It should be
  used to extract and look up URLs from HTTP packets.

* Added Data Modification operator. It must be used with STREAM_* variables
  to replace/add/edit any data from HTTP bodies.

* Added STREAM_OUTPUT_BODY and STREAM_INPUT_BODY variables to work with data
  modification operators.

* Added fast IP address operator. It supports partial IP addresses and CIDR for
  IPv4 and IPv6. Thanks Tom Donovan.

* Added new sensitive data tracking operators verifyCPF and verifySSN.

* Added MATCHED_VARS and MATCHED_VARS_NAMES. They are similar to MATCHED_VAR,
  but expose all matched variables.

* Added UNIQUE_ID variable. It holds the data created by mod_unique_id.

* Added new transformation cmdline. Thanks Marc Stern.

* Added new exception handling operators and directives. They should help users
  reduce FNs and FPs. The directives SecRuleUpdateTargetById, SecRuleRemoveByTag
  and their ctl actions were included.

* Added SecStreamOutBodyInspection and SecStreamInBodyInspection to enable STREAM_*
  variables.

* Added SecGsbLookupDB used to load the Google Safe Browsing malware database into
  memory.

* Added the directive SecInterceptOnError to control what to do if a rule returns
  values less than zero.

* Improvements in DetectionOnly engine mode. Also added SecRequestBodyLimitAction
  to control what to do if the engine receives an HTTP request over a hard limit.
  Note that there are now many combinations of SecRuleEngine and the limit action
  directives for response and request data. Please see the reference manual.

* Improvements to the RBL operator. It will now parse return code values for some
  RBL lists.

* Added new Log Part J. It should log some information about uploaded files.

* Added new sanitizeMatchedBytes action. It gives users more flexibility to sanitize
  logged data, and improves performance when sanitizing large amounts of data.

* Improvements on Logging phase. It is now possible to see full chains and distinguish between
  simple rules, chain starters and chain nodes.

* Improvements on AutoTools usage.

* Improvements on pattern matching operators: pmf, pm and strmatch now support more flexible
  input data, allowing any kind of special char.

* Improvements on SecRuleUpdateActionById to update chain nodes.

* Many bugs were fixed. Please see the ModSecurity Jira for more details.

19 Mar 2010 - trunk
-------------------

* Added SecDisableBackendCompression, which disables backend compression
  while keeping the frontend compression enabled (assuming mod_deflate
  is installed and configured in the proxy). [Ivan Ristic]

* Added REQUEST_BODY_LENGTH, which contains the number of request body
  bytes read. [Ivan Ristic]

* Integrated with mod_log_config using the %{VARNAME}M format string.
  (MODSEC-108) [Ivan Ristic]

* Replaced the previous time-measuring mechanism with a new one, which
  provides the following information: request time, request duration,
  phase duration (for all 5 phases), time spent dealing with persistent
  storage, and time spent on audit logging. The new information is now
  available in the Stopwatch2 audit log header. The Stopwatch header
  remains for backward compatibility, although it now only includes
  the request time and request duration values. Added the following
  variables: PERF_COMBINED, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3,
  PERF_PHASE4, PERF_PHASE5, PERF_SREAD, PERF_SWRITE, PERF_LOGGING,
  PERF_GC. [Ivan Ristic]

* Added DURATION, which contains the time elapsed since the beginning
  of the current transaction, in milliseconds. [Ivan Ristic]

* Adjusted phase 5 to execute just prior to mod_log_config. This should
  allow phase 5 rules to implement conditional logging, as well as
  pave the way for allowing access to all ModSecurity variables from
  mod_log_config. [Ivan Ristic]

* Added the URLENCODED_ERROR flag, which is raised whenever invalid URL
  encoding is encountered in the query string or in the request body
  (but only if the URLENCODED request body processor is used). (MODSEC-111)
  [Ivan Ristic]

* Removed the obsolete PDF UXSS functionality. (MODSEC-96) [Ivan Ristic]

* Renamed normalisePath to normalizePath and normalisePathWin to
  normalizePathWin. Kept the previous names for backward compatibility.
  (MODSEC-103) [Ivan Ristic]

* Moved phase 1 to be run in the same Apache hook as phase 2. This means
  that you can now have phase 1 rules in <Location> tags and, more
  importantly, override server configuration in <Location> and others.
  (MODSEC-98) [Ivan Ristic]

* Renamed the sanitise family of actions to sanitize. Kept the old variants
  for backward compatibility. (MODSEC-95) [Ivan Ristic]

* Improved the logging of the ctl action. (MODSEC-99) [Ivan Ristic]

* Cleaned up build files that were from the Apache source.

14 Feb 2010 - 2.5.13-dev1
-------------------------

* Cleaned up some mlogc code and debugging output.

* Removed the ability to use a relative path to a piped audit logger
  (i.e. mlogc) as Apache does not support it in their piped loggers
  and it was breaking Windows and probably other platforms that
  use spaces in filesystem paths. Discovered by Tom Donovan.

* Fixed memory leak freeing regex. Discovered by Tom Donovan.

* Fixed some portability issues on Windows.

04 Feb 2010 - 2.5.12
--------------------

* Fixed SecUploadFileMode to set the correct mode.

* Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.

* Added additional file info definitions introduced in APR 0.9.5 so that
  the build will work with older APRs (IBM HTTP Server v6).

* Added SecUploadFileLimit to limit the number of uploaded file parts that
  will be processed in a multipart POST. The default is 100.

* Fixed path normalization to better handle backreferences that extend
  above root directories. Reported by Sogeti/ESEC R&D.

* Trim whitespace around phrases used with @pmFromFile and allow
  for both LF and CRLF terminated lines.

* Allow more robust parsing of multipart header folding. Reported
  by Sogeti/ESEC R&D.

* Fixed failure to match internally set TX variables with regex
  (TX:/.../) syntax.

* Fixed failure to log full internal TX variable names and populate
  MATCHED_VAR* vars.

* Enabled PCRE "studying" by default. This is now a configure-time option.

* Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to
  aid in mitigating ReDoS type attacks. A rule that goes over the limits will set
  TX:MSC_PCRE_LIMITS_EXCEEDED. It is intended that the next major release
  of ModSecurity (2.6.x) will move these flags to a dedicated collection.

* Reduced default PCRE match limits, reducing the impact of ReDoS on poorly
  written regex rules. Reported by Sogeti/ESEC R&D.

* Fixed memory leak in v1 cookie parser. Reported by Sogeti/ESEC R&D.

* Now supports macro expansion in numeric operators (@eq, @ge, @lt, etc.).

* Updated copyright to 2010.

* Reserved 700,000-799,999 IDs for Ivan Ristic.

* Fixed SecAction not working when CONNECT request method is used
  (MODSEC-110). [Ivan Ristic]

* Do not escape quotes in macro resolution and only escape NUL in setenv
  values.
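As an added example that is not part of the original CHANGES file, the configuration below pairs the PCRE match limits introduced in the 2.5.12 entries above with a rule that reacts to the TX:MSC_PCRE_LIMITS_EXCEEDED flag they set, so that a regex whose inspection was cut short does not let the request through unnoticed. The limit values, the rule id and the message text are placeholders chosen for this illustration.

```apache
# Cap PCRE backtracking so a pathological regex cannot pin a worker process.
# These numbers are illustrative; tune them against your own rule set.
SecPcreMatchLimit          1000
SecPcreMatchLimitRecursion 1000

# When a rule exceeds the limits, ModSecurity sets TX:MSC_PCRE_LIMITS_EXCEEDED
# and that regex is treated as a non-match. Surface the event explicitly:
# without this rule the request would pass with incomplete inspection.
# Rule id 999999 is a placeholder; use an id from your own reserved range.
SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "@eq 1" \
    "id:999999,phase:2,t:none,deny,log,auditlog,\
    msg:'PCRE match limits exceeded; regex inspection was incomplete'"
```

In a DetectionOnly deployment the same rule still logs the flag, which is the signal to look for when deciding whether a rule's regex needs rewriting or the limits need raising.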

04 Nov 2009 - 2.5.11
--------------------

* Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be
  set true if any invalid quoting is found during multipart parsing.

* Fixed parsing quoted strings in multipart Content-Disposition headers.
  Discovered by Stefan Esser.

* Cleaned up persistence database locking code.

* Added warning during configure if libcurl is found linked against
  gnutls for SSL. The openssl lib is recommended as gnutls has
  proven to cause issues with mutexes and may crash.

* Cleaned up some mlogc (over)logging.

* Do not log output filter errors in the error log.

* Moved output filter to run before other stock filters (mod_deflate,
  mod_cache, mod_expires, mod_filter) to avoid analyzing modified data
  in the response. Patch originally submitted by Ivan Ristic.

18 Sep 2009 - 2.5.10
--------------------

* Cleaned up mlogc so that it builds on Windows.

* Added more detailed messages to replace "Unknown error" in filters.

* Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning
  auditlog permissions (especially with mpm-itk).

* Cleaned up SecUploadFileMode implementation.

* Cleaned up build scripts.

* Fixed crash on configuration if SecMarker is used before any rules.

* Fixed SecRuleUpdateActionById so that it will work on chain starters.

* Cleaned up build system for mlogc.

* Allow mlogc to periodically flush memory pools.

* Using nolog,auditlog will now log the "Message:" line to the auditlog, but
  nothing to the error log. Prior versions dropped the "Message:" line from
  both logs. To do this now, just use "nolog" or "nolog,noauditlog".

* Forced mlogc to use SSLv3 to avoid some potential auto negotiation
  issues with some libcurl versions.

* Fixed mlogc issue seen on big endian machines where content type
  could be listed as zero.

* Removed extra newline from audit log message line when logging XML errors.
  This was causing problems parsing audit logs.

* Fixed @pm/@pmFromFile case insensitivity.

* Truncate long parameters in log message for "Match of ... against ...
  required" messages.

* Correctly resolve chained rule actions in logs.

* Cleaned up some code for portability.

* AIX does not support hidden visibility with the xlc compiler.

* Allow specifying EXTRA_CFLAGS during configure to override gcc specific
  values for non-gcc compilers.

* Populate GEO:COUNTRY_NAME and GEO:COUNTRY_CONTINENT as documented.

* Handle a newer geo database more gracefully, avoiding a potential crash for
  new countries that ModSecurity is not yet aware of.

* Allow checking &GEO "@eq 0" for a failed @geoLookup.

* Fixed mlogc global mutex locking issue and added more debugging output.

* Cleaned up build dependencies and configure options.

05 Mar 2009 - 2.5.9
-------------------

* Fixed parsing multipart content with a missing part header name which
  would crash Apache. Discovered by "Internet Security Auditors"
  (isecauditors.com).

* Added ability to specify the config script directly using --with-apr
  and --with-apu.

* Updated copyright year to 2009.

* Added macro expansion for append/prepend action.

* Fixed race condition in concurrent updates of persistent counters. Updates
  are now atomic.

* Cleaned up build, adding an option for verbose configure output and making
  the mlogc build more portable.

21 Nov 2008 - 2.5.8
-------------------

* Fixed PDF XSS issue where a non-GET request for a PDF file would crash the
  Apache httpd process. Discovered by Steve Grubb at Red Hat.

* Removed an invalid "Internal error: Issuing "%s" for unspecified error."
  message that was logged when denying with nolog/noauditlog set and
  causing the request to be audited.

24 Sep 2008 - 2.5.7
-------------------

* Fixed XML DTD/Schema validation which will now fail after request body
  processing errors, even if the XML parser returns a document tree.

* Added ctl:forceRequestBodyVariable=on|off which, when enabled, will force
  the REQUEST_BODY variable to be set when a request body processor is not set.
  Previously the REQUEST_BODY target was only populated by the URLENCODED
  request body processor.

* Integrated mlogc source.

* Fixed logging the hostname in the error_log which was logging the
  request hostname instead of the Apache resolved hostname.

* Allow for disabling request body limit checks in phase:1.

* Added transformations for processing parity for legacy protocols ported
  to HTTP(S): t:parityEven7bit, t:parityOdd7bit, t:parityZero7bit

* Added t:cssDecode transformation to decode CSS escapes.

* Now log XML parsing/validation warnings and errors in the debug log
  at levels 3 and 4, respectively.

31 Jul 2008 - 2.5.6
-------------------

* Transformation caching has been deprecated, and is now off by default. We
  now advise against using transformation caching in production.

* Fixed two separate transformation caching issues that could cause incorrect
  content inspection in some circumstances.

* Fixed an issue with the transformation cache using too much RAM, potentially
  crashing Apache with a large number of cache entries. Two new configuration
  options have been added to allow for a finer control of caching:

    maxitems: Max number of items to cache (default 1024)
    incremental: Whether to cache incrementally (default off)

* Added an experimental regression testing suite. The regression suite may
  be executed via "make test-regression", however it is strongly advised
  to only be executed on a non-production machine as it will startup the
  Apache web server that ModSecurity is compiled against with various
  configurations in which it will run tests.

* Added a licensing exception so that ModSecurity can be used in a derivative
  work when that derivative is also under an approved open source license.

* Updated mlogc to version 1.4.5 which adds a LockFile directive and fixes an
  issue in which the configuration file may be deleted.

05 Jun 2008 - 2.5.5
-------------------

* Fixed an issue where an alert was not logged in the error log
  unless "auditlog" was used.

* Enabled the "auditlog" action by default to help prevent a misconfiguration.
  The new default is now: "phase:2,log,auditlog,pass"

* Improved request body processing error messages.

* Handle lack of a new line after the final boundary in a multipart request.
  This fixes the reported WordPress Flash file uploader problem.

* Fixed issue with multithreaded servers where concurrent XML processing
  could crash the web server (at least under Windows).

* Fixed blocking in phase 3.

* Force modules "mod_rpaf-2.0.c" and "mod_custom_header.c" to run before
  ModSecurity so that the correct IP is used.

07 May 2008 - 2.5.4
-------------------

* Fixed issue where transformation cache was using the SecDefaultAction
  value even when t:none was used within a rule.


24 Apr 2008 - 2.5.3
-------------------

* Fixed issue where the exec action may not be able to execute shell scripts.

* Macros are now expanded in expirevar and deprecatevar.

* Fixed crash if a persistent variable name was more than 126 characters.

* Updated included Core Ruleset to version 1.6.1 which fixes some
  false negative issues in the migration to using some 2.5 features.


02 Apr 2008 - 2.5.2
-------------------

* Allow HTTP_* targets as an alias for REQUEST_HEADERS:*.

* Make sure temporary filehandles are closed after a transaction.

* Make sure the Apache include directory is included during build.


02 Apr 2008 - 2.1.7
-------------------

* Make sure temporary filehandles are closed after a transaction.


14 Mar 2008 - 2.5.1
-------------------

* Fixed an issue where a match would not occur if transformation caching
  was enabled.

* Using "severity" in a default action is now just a warning.

* Cleaned up the "make test" target to better locate headers/libraries.

* Now search /usr/lib64 and /usr/lib32 for lua libs.

* No longer treat warnings as errors by default (use --enable-strict-compile).


19 Feb 2008 - 2.5.0
-------------------

* Updated included Core Ruleset to version 1.6.0 which uses 2.5 features.

* Cleaned up and clarified some documentation.

* Updated code to be more portable so it builds with MS VC++.

* Added unit tests for most operators and transformations.

* Fixed crash on startup when ENV is improperly used without a parameter.

* Allow macro resolution in setenv action.

* The default action is now a minimal "phase:2,log,pass" with no default
  transformations performed.

* Implemented SecUploadFileMode to allow setting the mode for uploaded files.

* Implemented "block" action.

* Implemented SecRuleUpdateActionById.

* Fixed removal of phase 5 rules via SecRuleRemoveBy* directives.

* No longer log the query portion of the URI in the error log as
  it may contain sensitive data.

* Build is now 'configure' based: ./configure && make && make install

* Added support for Lua scripting in the following ways: SecRuleScript
  can be used to specify a script to execute as a rule, the exec
  action processes Lua scripts internally, as does the @inspectFile
  operator. Refer to the documentation for more details.

* Changed how allow works. Used on its own it now allows phases 1-4. Used
  with parameter "phase" (e.g. SecAction allow:phase) it only affects
  the current phase. Used with parameter "request" it allows phases
  1-2.
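
The three forms of allow described in this entry, as an added configuration example (it is not taken from the ModSecurity CHANGES, source or reference manual; the client address, paths, patterns and rule ids are invented):

```apache
# Added example for the 2.5.0 "allow" semantics; not project code. The
# address, paths, patterns and rule ids below are invented.
SecRuleEngine On
SecResponseBodyAccess On

# Bare allow: a trusted scanner host skips the remaining rules in phases 1-4.
# Phase 5 (logging) rules are not affected, so the transaction is still
# logged and audited as usual.
SecRule REMOTE_ADDR "@streq 10.0.0.5" "phase:1,id:1001,nolog,allow"

# allow:request: skip the rest of phases 1 and 2 for a known-good upload
# path, but keep inspecting the response in phases 3 and 4 (rule 1040
# below still runs for it).
SecRule REQUEST_URI "@beginsWith /api/upload" "phase:1,id:1002,nolog,allow:request"

# allow:phase: skip only the remaining phase 1 rules for the health check;
# the phase 2, 3 and 4 rules below still apply to it.
SecRule REQUEST_URI "@streq /healthz" "phase:1,id:1003,nolog,allow:phase"

# Rules that the allows above bypass, depending on their scope.
SecRule REQUEST_HEADERS:User-Agent "@contains sqlmap" \
    "phase:1,id:1010,deny,status:403,msg:'Scanner user agent'"
SecRule ARGS "@rx (?i)union\s+select" \
    "phase:2,id:1020,t:none,t:urlDecodeUni,deny,status:403,msg:'SQL injection'"
SecRule RESPONSE_BODY "@contains ORA-" \
    "phase:4,id:1040,deny,status:500,msg:'Database error leaked in response'"
```

Two things the entry does not spell out: a bare allow also skips phases 3 and 4, so the response sent to a whitelisted client is not inspected either (allow:request keeps the response side active), and REMOTE_ADDR is whatever address Apache sees, which behind a reverse proxy is the proxy itself unless a module such as mod_rpaf runs before ModSecurity (see the 2.5.5 and 2.1.3 entries).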

* Fixed issue where only the first phase 5 rule would run when the
  request was intercepted in an earlier phase.

* Stricter configuration parsing. Disruptive actions, meta actions and
  phases are no longer allowed in a chained rule. Disruptive actions
  are no longer allowed in a logging phase (phase 5) rule, including
  when inherited from SecDefaultAction.

* More efficient collection persistence.

* Fixed t:escapeSeqDecode to better follow ANSI C escapes.

* Added t:jsDecode to decode JavaScript escape sequences.

* Added the IS_NEW built-in collection variable.

* New audit log part 'K' logs all matching rules.

* Implemented SecRequestBodyNoFilesLimit.

* Enhanced handling of the case where we run out of disk space while
  writing an audit log entry.

* Added SecComponentSignature to allow other components the ability
  to append to the logged signature.

* Added skipAfter:<id> action to allow skipping all rules until a rule
  with a specified ID is reached. Rule execution then continues after
  the specified rule.

* Added SecMarker <id> directive to allow a fixed target for skipAfter.
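
skipAfter with a SecMarker landing point, as an added configuration example for these two entries (not from the ModSecurity CHANGES or source; the network range, patterns and rule ids are invented):

```apache
# Added example for skipAfter with a SecMarker target (2.5.0); not project
# code. The network range, patterns and rule ids are invented.
SecRuleEngine On

# For clients from the internal range, jump past the strict block. The
# marker gives skipAfter a fixed target that survives renumbering of the
# rules in between, and a SecMarker never matches or blocks on its own.
SecRule REMOTE_ADDR "@rx ^10\.1\.[0-9]{1,3}\.[0-9]{1,3}$" \
    "phase:2,id:2001,nolog,pass,skipAfter:END_INTERNAL_BYPASS"

# --- strict block: skipped for internal clients ---
SecRule ARGS "@rx (?i)<script" \
    "phase:2,id:2010,t:none,t:urlDecodeUni,t:htmlEntityDecode,deny,status:403,msg:'XSS'"
SecRule REQUEST_HEADERS:Content-Length "@gt 1048576" \
    "phase:2,id:2011,deny,status:413,msg:'Request body over 1 MiB'"
# --- end of strict block ---

SecMarker END_INTERNAL_BYPASS

# Applies to every client; the skip ends at the marker above.
SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|POST)$" \
    "phase:2,id:2020,deny,status:405,msg:'Method not allowed'"
```

skipAfter only skips rules in the phase of the rule that issued it; rules in other phases that sit between the two points run normally. If no rule or marker with the given id follows in that phase, the skip runs to the end of the phase, so a misspelled marker name silently disables every later rule in that phase.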

* Added ctl:ruleRemoveById action to allow rule removal on a match.

* Added a @containsWord operator that will match a given string anywhere in
  the target value, but only on word boundaries.

* Added a MATCHED_VAR_NAME variable to store the last matched variable name
  so that it can be more easily used by rules.

* Added a MATCHED_VAR variable to store the last matched variable value
  so that it can be more easily used by rules.

* Fixed expansion of macros when using relative changes with setvar. In
  addition, added support for expanding macros in the variable name.

* Situations where ModSecurity will intercept, generate an error or log
  a level 1-3 message to the debug log are now marked as 'relevant' and may
  generate an audit log entry.

* Fixed deprecatevar:var=N/S action so that it decrements N every S seconds
  as documented instead of decrementing by a rate.

* Enable ModSecurity to look at partial response bodies. In previous
  versions, ModSecurity would respond with status code 500 when the
  response body was too long. Now, if SecResponseBodyLimitAction is
  set to "ProcessPartial", it will process the part of the response
  body received up until that point but send the rest without buffering.
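
SecResponseBodyLimitAction in context, as an added configuration example (not from the ModSecurity CHANGES or source; the limit, MIME types, pattern and rule id are illustrative choices):

```apache
# Added example for SecResponseBodyLimitAction (2.5.0); not project code.
# The limit, MIME types, pattern and rule id are illustrative.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288

# Reject: a body above the limit aborts the transaction with an error
# status; before 2.5.0 this (a 500) was the only behaviour. Fails closed,
# but large legitimate responses break.
#SecResponseBodyLimitAction Reject

# ProcessPartial: the first 512 KB is buffered and run through the phase 4
# rules, everything after it is streamed to the client unbuffered and
# uninspected. Fails open for anything that appears past the limit.
SecResponseBodyLimitAction ProcessPartial

# A phase 4 rule that, under ProcessPartial, only ever sees the buffered prefix.
SecRule RESPONSE_BODY "@rx (?i)(?:ORA-[0-9]{5}|You have an error in your SQL syntax)" \
    "phase:4,id:3001,deny,status:500,msg:'Database error in response'"
```

ProcessPartial trades detection for availability: anything past the limit, including a database error printed at the bottom of a long page, is never seen by the phase 4 rules.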

* ModSecurity will now process phases 3 and 4 even when request processing
  is interrupted (either by Apache - e.g. by responding with 400, 401
  or 403, or by ModSecurity itself).

* Fixed the base64decode transformation function to not return extra
  characters at the end.

* Return from the output filter with an error in addition to setting
  up the HTTP error status in the output data.

* Used new Apache API calls to get the server version/banner when available.

* Added "logdata" meta action to allow logging of raw transaction data.

* Added TX_SEVERITY that keeps track of the highest severity
  for any matched rules so far.

* Added ARGS_GET, ARGS_POST, ARGS_GET_NAMES, ARGS_POST_NAMES variables to
  allow separation of GET and POST arguments.

* Added an Apache define (MODSEC_2.5) so that you can conditionally include
  directives based on the ModSecurity major/minor versions with IfDefine.

* Added MODSEC_BUILD variable that contains the numeric build value based
  on the ModSecurity version.

* Enhanced debug logging by displaying more data on rule execution. All
  invoked rules are now logged in the debug log at level 5.

* Stricter validation for @validateUtf8Encoding.

* No longer process Apache internal subrequests.

* Fixed warnings on Solaris and/or 64-bit builds.

* Added @within string comparison operator with support for macro expansion.

* Do not trigger "pause" action for internal requests.

* Added matching rule filename and line number to audit log.

* Added new phrase matching operators, @pm and @pmFromFile. These use
  an alternate set based matching engine (Aho-Corasick) to perform faster
  phrase type matches such as black/white lists, spam keywords, etc.

* Allow caching transformations per-request/phase so they are not repeated.

* Added Solaris and Cygwin to the list of platforms not supporting the hidden
  visibility attribute.

* Fixed decoding full-width unicode in t:urlDecodeUni.

* Added SecGeoLookupDB, @geoLookup and GEO collection to support
  geographical lookups by IP/host.

* Do not try to intercept a request after a failed rule. This fixes the
  issue associated with an "Internal Error: Asked to intercept request
  but was_intercepted is zero" error message.

* Removed extraneous exported symbols.

* Merged the PDF XSS protection functionality into ModSecurity.

* Exported API for registering custom variables. Example in api directory.

* Added experimental support for content injection. Directive
  SecContentInjection (On|Off) controls whether injection is taking place.
  Actions "prepend" and "append" inject content when executed. Do note that
  it is your responsibility to make sure the response is of the appropriate
  content type (e.g. HTML, plain text, etc).
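
Content injection gated on the response content type, as an added configuration example (not from the ModSecurity CHANGES or source; the injected markup and rule id are invented):

```apache
# Added example for the 2.5.0 content injection feature; not project code.
# The injected markup and rule id are invented.
SecContentInjection On

# The prepend/append actions do no content-type check themselves, so gate
# them on RESPONSE_CONTENT_TYPE (available from phase 3 onwards). Without
# this condition the same bytes would be spliced into JSON, images and
# file downloads.
SecRule RESPONSE_CONTENT_TYPE "@rx ^text/html" \
    "phase:3,id:4001,nolog,pass,\
    prepend:'<!-- inspected -->',\
    append:'<hr><p>This page was served through a web application firewall.</p>'"

# Nothing is injected into responses that fail the check above.
```

Keep the injected text static. Whatever is injected runs in the page's own origin, so text assembled from request-controlled data would turn the firewall into a reflected XSS vector.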

* Added string comparison operators with support for macro expansion:
  @contains, @streq, @beginsWith and @endsWith.

* Enhanced debug log output to log macro expansion, quote values and
  correctly display values that contained NULs.

* Removed support for %0 - %9 capture macros as they were incorrectly
  expanding url encoded values. Use %{TX.0} - %{TX.9} instead.
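
Captures via %{TX.n}, together with the logdata action added earlier in this release, as an added configuration example (not from the ModSecurity CHANGES or source; the pattern, rule id and target paths are invented):

```apache
# Added example for %{TX.n} captures and the logdata action (2.5.0); not
# project code. The pattern, rule id and target paths are invented.
SecRuleEngine On

# "capture" fills TX.0 (whole match) and TX.1..TX.9 (groups). They are plain
# TX variables: visible to later rules in the same transaction and
# overwritten by the next rule that captures. Unlike the removed %0-%9 they
# are not decoded a second time when expanded.
SecRule ARGS "@rx (?:\.\./)+([a-zA-Z0-9_./-]+)" \
    "phase:2,id:5001,t:none,t:urlDecodeUni,capture,chain,\
    deny,status:403,msg:'Path traversal towards %{TX.1}',\
    logdata:'match=%{TX.0}'"
    # Second link of the chain: operator and transformations only. Since
    # 2.5.0 a chained rule may not carry a phase, disruptive or meta action.
    SecRule TX:1 "@rx ^(?:etc/(?:passwd|shadow)|proc/self/)" "t:none"
```

Two details worth knowing: macros in msg and logdata are expanded once the whole chain has matched, so MATCHED_VAR and MATCHED_VAR_NAME there refer to the last link's match (TX:1 here), not to the ARGS match of the first rule; and logdata and msg end up in the error log and the audit log, so they carry the same sensitive-data concern as the query string this release stopped logging.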

* Added t:length to transform a value to its character length.

* Added t:trimLeft, t:trimRight, t:trim to remove whitespace
  from a value on the left, right or both.

* Added SecAuditLog2 directive to allow redundant concurrent audit log
  index files. This will allow sending audit data to two consoles, etc.

* Removed CGI style HTTP_* variables in favor of REQUEST_HEADERS:Header-Name.

* Store filename/line for each rule and display it and the ID (if available)
  in the debug log when invoking a rule. Thanks to Christian Bockermann
  for the idea.

* Do not log 'allow' action as intercepted in the debug log.

* Fixed some collection variable names not printing with the parameter
  and/or counting operator in the debug log.


19 Feb 2008 - 2.1.6
-------------------

* Fixed crash on startup when ENV is improperly used without a parameter.

* Allow macro resolution in setenv action.

* Implemented SecUploadFileMode to allow setting the mode for uploaded files.

* No longer log the query portion of the URI in the error log as
  it may contain sensitive data.


10 Jan 2008 - 2.1.5
-------------------

* Updated included Core Ruleset to version 1.5.1.

* Phase 5 rules can now be removed via SecRuleRemoveBy* directives.

* Fixed issue where only the first phase 5 rule would run when the
  request was intercepted in an earlier phase.

* Fixed configuration parsing so that disruptive actions, meta actions
  and phases are not allowed in a chained rule (as originally intended).

* Fixed t:escapeSeqDecode to better follow ANSI C escapes.


27 Nov 2007 - 2.1.4
-------------------

* Updated included Core Ruleset to version 1.5 and noted in the docs that
  XML support is required to use the rules without modification.

* Fixed an evasion FP, mistaking a multipart non-boundary for a boundary.

* Fixed multiple warnings on Solaris and/or 64-bit builds.

* Do not process subrequests in phases 2-4, but do hand off the request data.

* Fixed a blocking FP in the multipart parser, which affected Safari.


11 Sep 2007 - 2.1.3
-------------------

* Updated multipart parsing code adding variables to allow checking
  for various parsing issues (request body abnormalities).

* Allow mod_rpaf and mod_extract_forwarded2 to work before ModSecurity.

* Quiet some compiler warnings.

* Do not block internal ErrorDocument requests after blocking a request.

* Added ability to compile without an external API (use -DNO_MODSEC_API).


27 Jul 2007 - 2.1.2
-------------------

* Cleaned up and clarified some documentation.

* Update included core rules to latest version (1.4.3).

* Enhanced ability to alert/audit failed requests.

* Do not trigger "pause" action for internal requests.

* Fixed issue with requests that use internal requests. These had the
  potential to be intercepted incorrectly when other Apache httpd modules
  that used internal requests were used with mod_security.

* Added Solaris and Cygwin to the list of platforms not supporting the hidden
  visibility attribute.

* Fixed decoding full-width unicode in t:urlDecodeUni.

* Lessen some overhead of debugging messages and calculations.

* Do not try to intercept a request after a failed rule. This fixes the
  issue associated with an "Internal Error: Asked to intercept request
  but was_intercepted is zero" error message.

* Added SecAuditLog2 directive to allow redundant concurrent audit log
  index files. This will allow sending audit data to two consoles, etc.

* Small performance improvement in memory management for rule execution.


11 Apr 2007 - 2.1.1
-------------------

* Add the PCRE_DOLLAR_ENDONLY option when compiling regular expressions
  for the @rx operator and variables, so that "$" matches only at the very
  end of the value and no longer also before a trailing newline.

* Really set PCRE_DOTALL option when compiling the regular expression
  for the @rx operator as the docs state.

* Fixed potential memory corruption when expanding macros.

* Fixed error when a collection was retrieved from storage in the same second
  as creation by setting the rate to zero.

* Fixed ASCIIZ (NUL) parsing for application/x-www-form-urlencoded forms.

* Fixed the faulty REQUEST_FILENAME variable, which used to change
  the internal Apache structures by mistake.

* Updates to quiet some compiler warnings.

* Fixed some casting issues for compiling on NetWare (patch from Guenter Knauf).


23 Feb 2007 - 2.1.0
-------------------

* Removed the "Connection reset by peer" message, which has nothing
  to do with us. Actually the message was downgraded from ERROR to
  NOTICE so it will still appear in the debug log.

* Removed the (harmless) message mentioning LAST_UPDATE_TIME missing.

* It was not possible to remove a rule placed in phase 4 using
  SecRuleRemoveById or SecRuleRemoveByMsg. Fixed.

* Fixed a problem with incorrectly setting requestBodyProcessor using
  the ctl action.

* Bundled Core Rules 2.1-1.3.2b4.

* Updates to the reference manual.

* Reversed the return values of @validateDTD and @validateSchema, to
  make them consistent with other operators.

* Added a few helpful debug messages in the XML validation area.

* Fixed the validateByteRange operator.

* Default value for the status action is now 403 (as it was supposed to
  be but it was effectively 500).

* Rule exceptions (removing using an ID range or a regular expression)
  are now applied to the current context too. (Previously they only worked
  on rules that are inherited from the parent context.)

* Fix of a bug with expired variables.

* Fixed regular expression variable selectors for many collections.

* Performance improvements - up to two times for real-life work loads!

* Memory consumption improvements (not measured but significant).

* The allow action did not work in phases 3 and 4. Fixed.

* Unlocked collections GLOBAL and RESOURCE.

* Added support for variable expansion in the msg action.

* New feature: It is now possible to make relative changes to the
  audit log parts with the ctl action. For example: "ctl:auditLogParts=+E".

* New feature: "tag" action. To be used for event categorisation.

* XML parser was not reporting errors that occurred at the end
  of XML payload.

* Files were not extracted from request if SecUploadKeepFiles was
  Off. Fixed.

* Regular expressions that are too long are truncated to 256
  characters before being used in error messages. (In order to keep
  the error messages in the log at a reasonable size.)

* Fixed the sha1 transformation function.

* Fixed the skip action.

* Fixed REQUEST_PROTOCOL, REMOTE_USER, and AUTH_TYPE.

* SecRuleEngine did not work in child configuration contexts
  (e.g. <Location>).

* Fixed base64Decode and base64Encode.


15 Nov 2006 - 2.0.4
-------------------

* Fixed the "deprecatevar" action.

* Decreasing variable values did not work.

* Made "nolog" do what it is supposed to do - cause a rule match to
  not be logged. Also "nolog" now implies "noauditlog" but it's
  possible to follow "nolog" with "auditlog" and have the match
  not logged to the error log but logged to the auditlog. (Not
  something that strikes me as useful but it's possible.)
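
nolog versus nolog,auditlog, combined with the relative ctl:auditLogParts change from the 2.1.0 entry above, as an added configuration example for both entries (not from the ModSecurity CHANGES or source; the header value, parameter name and rule ids are invented):

```apache
# Added example for "nolog"/"auditlog" and ctl:auditLogParts; not project
# code. The header value, parameter name and rule ids are invented.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABCFHZ
SecResponseBodyAccess On

# "nolog" alone: no error-log alert and, since nolog implies noauditlog,
# no audit-log entry either. Right for rules whose only job is to set a
# variable for later rules.
SecRule REQUEST_HEADERS:User-Agent "@contains internal-monitor" \
    "phase:1,id:6001,nolog,pass,setvar:tx.monitor=1"

# "nolog,auditlog", in that order (actions are applied left to right):
# the error log stays quiet, but the match marks the transaction relevant
# so a full audit entry is written. The ctl action adds part E (response
# body) to this transaction's entry only, leaving the global parts alone.
SecRule ARGS:debug "@streq 1" \
    "phase:2,id:6002,nolog,auditlog,pass,ctl:auditLogParts=+E"
```

One use for nolog,auditlog that the entry does not mention: a rule that fires often on legitimate traffic can be kept out of the error log while the matching transactions are still recorded in full for later review.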

* Relative paths given to SecDataDir will now be treated as relative
  to the Apache server root.

* Added checks to make sure only correct actions are specified in
  SecDefaultAction (some actions are required, some don't make any
  sense) and in rules that are not chain starters (same). This should
  make the unhelpful "Internal Error: Failed to add rule to the ruleset"
  message go away.

* Fixed the problem when "SecRuleInheritance Off" is used in a context
  with no rules defined.

* Fixed a problem of lost input (request body) data on some redirections,
  for example when mod_rewrite is used.


26 Oct 2006 - 2.0.3
-------------------

* Fixed a memory leak (all platforms) and a concurrency control
  problem that could cause a crash (multithreaded platforms only).

* Fixed a SecAuditLogRelevantStatus problem, which would not work
  properly unless the regular expression contained a subexpression.


19 Oct 2006 - 2.0.2
-------------------

* Fixed incorrect permissions on the global mutex, which prevented
  the mutex from working properly.

* Fixed incorrect actionset merging where the status was copied from
  the child actionset even though it was not defined.

* Fixed missing metadata information (in the logs) for warnings.


16 Oct 2006 - 2.0.1
-------------------

* Rules that used operator negation did not work. Fixed.

* Fixed bug that prevented invalid regular expressions from being reported.


16 Oct 2006 - 2.0.0
-------------------

* First stable 2.x release.