ModSecurity/CHANGES

12 Dec 2007 - 2.5.0-rc1
-----------------------

 * Added t:jsDecodeUni to decode JavScript \uXXXX encoding.

 * Added IS_NEW and IS_EXPIRED built-in collection variables.

 * Added SecMarker <id> directive to allow a fixed target for skipAfter.

 * The invoked rule is now logged in the debug log at level 5.

 * New audit log part 'K' logs all matching rules.

 * Implemented SecRequestBodyNoFilesLimit.

 * Enhance handling of the case where we run out of disk space while
   writing to audit log entry.

 * Renamed SecGeoLookupsDb to SecGeoLookupDB.

 * Implement SecComponentSignature.

 * Fix warnings on Solaris and/or 64bit builds.

 * Added skipAfter:<id> action to allow skipping all rules until a rule
   with a specified ID is reached.  Rule execution then continues after
   the specified rule.

 * Added ctl:ruleRemoveById action to allow rule removal on a match.

 * Added a @containsWord operator that will match a given string anywhere in
   the target value, but only on word boundaries.

 * New MATCHED_VAR variable to store the last matched variable name
   so that it can be more easily used by rules.

 * Fixed expansion of macros when using relative changes with setvar.  In
   addition, added support for expanding macros in the variable name.

 * Situations where ModSecurity will intercept, generate an error or log
   a level 1-3 message to the debug log are now marked as 'relevant' and may
   generate an audit log entry.

 * Do not process subrequests in phase 2-4, but do hand off the request data.

 * Fixed deprecatevar:var=N/S action so that it decrements N every S seconds
   as documented instead of decrementing by a rate.

 * Enable ModSecurity to look at partial response bodies. In previous
   versions ModSecurity would respond with status code 500 when the
   response body was too long. Now, if SecResponseBodyLimitAction is
   set to "ProcessPartial", it will process the part of the response
   body received up until that point but send the rest without buffering.

 * ModSecurity will now process phases 3 and 4 even when request processing
   is interrupted (either by Apache - e.g. by responding with 400, 401
   or 403, or by ModSecurity itself).

 * Fixed the base64decode transformation function to not return extra
   characters at the end.

 * Removed potential for extra characters to be appended to the value when
   using base64Decode.

 * Return from the output filter with an error in addition to setting
   up the HTTP error status in the output data.

 * Used new API calls to get the server version/banner when available.

 * Added "logdata" meta action to allow safe logging of raw transaction data.

 * Added TX_SEVERITY that keeps track of the highest severity
   for any matched rules so far.

 * Added ARGS_GET, ARGS_POST, ARGS_GET_NAMES, ARGS_POST_NAMES variables to
   allow seperation of GET and POST arguments.

 * Added MODSEC_BUILD variable that contains the numeric build value based
   on the ModSecurity version.

 * Enhanced debug logging.

 * Cleaned up and clarified some documentation.

 * Performance improvements and greater control over caching transformations.

 * Stricter validation for @validateUtf8Encoding.

 * Capture the match in TX:0 when using "capture" action in phrase match
   operators.

 * Added Cygwin to the list of platforms not supporting the hidden
   visibility attribute.


11 Sep 2007 - 2.1.3
-------------------

 * Updated multipart parsing code adding variables to allow checking
   for various parsing issues (request body abnormalities).

 * Allow mod_rpaf and mod_extract_forwarded2 to work before ModSecurity.

 * Quiet some compiler warnings.

 * Do not block internal ErrorDocument requests after blocking request.

 * Added ability to compile without an external API (use -DNO_MODSEC_API).


27 Jul 2007 - 2.1.2
-------------------

 * Cleaned up and clarified some documentation.

 * Update included core rules to latest version (1.4.3).

 * Enhanced ability to alert/audit failed requests.

 * Do not trigger "pause" action for internal requests.

 * Fixed issue with requests that use internal requests.  These had the
   potential to be intercepted incorrectly when other Apache httpd modules
   that used internal requests were used with mod_security.

 * Added Solaris and Cygwin to the list of platforms not supporting the hidden
   visibility attribute.

 * Fixed decoding full-width unicode in t:urlDecodeUni.

 * Lessen some overhead of debugging messages and calculations.

 * Do not try to intercept a request after a failed rule.  This fixes the
   issue associated with an "Internal Error: Asked to intercept request
   but was_intercepted is zero" error message.

 * Added SecAuditLog2 directive to allow redundent concurrent audit log
   index files.  This will allow sending audit data to two consoles, etc.

 * Small performance improvement in memory management for rule execution.


21 June 2007 - 2.5.0-dev2
-------------------------

 * Reversioned from 2.2.0 base version to 2.5.0 because of the large changeset.

 * Added @within string comparison operator with support for macro expansion.

 * Removed experimental variable RESPONSE_CONTENT_ENCODING which was not
   working as intended.

 * Update included core rules to latest version.

 * Do not trigger "pause" action for internal requests.

 * Added matching rule filename and line number to audit log.

 * Added new phrase matching operators, @pm and @pmFromFile.  These use
   an alternate set based matching engine (Aho-Corasick) to perform faster
   phrase type matches such as black/white lists, spam keywords, etc.

 * Cache transformations per-request/phase so they are not repeated.

 * Fixed issue with requests that use internal requests.  These had the
   potential to be intercepted incorrectly when other Apache httpd modules
   that used internal requests were used with mod_security.

 * Added Solaris to the list of platforms not supporting the hidden
   visibility attribute.

 * Removed excessive debug log entries about "capture" action.

 * Fixed decoding full-width unicode in t:urlDecodeUni.

 * Lessen some overhead of debugging messages and calculations 
   TODO: more to come

 * Removed strnlen() calls for non-GNU platforms.


14 June 2007 - 2.1.2-rc1
------------------------

 * Update included core rules to latest version.

 * Do not trigger "pause" action for internal requests.

 * Fixed issue with requests that use internal requests.  These had the
   potential to be intercepted incorrectly when other Apache httpd modules
   that used internal requests were used with mod_security.

 * Added Solaris to the list of platforms not supporting the hidden
   visibility attribute.

 * Fixed decoding full-width unicode in t:urlDecodeUni.

 * Lessen some overhead of debugging messages and calculations.

 * Do not try to intercept a request after a failed rule.  This fixes the
   issue associated with an "Internal Error: Asked to intercept request
   but was_intercepted is zero" error message.

 * Added SecAuditLog2 directive to allow redundent concurrent audit log
   index files.  This will allow sending audit data to two consoles, etc.

 * Small performance improvement in memory management for rule execution.


11 May 2007 - 2.2.0-dev1
-------------------------

 * Add SecGeoLookupsDb, @geoLookups and GEO collection to support
   geographical lookups by IP/host.

 * Do not try to intercept a request after a failed rule.  This fixes the
   issue associated with an "Internal Error: Asked to intercept request
   but was_intercepted is zero" error message.

 * Removed extraneous exported symbols.

 * Merged the PDF XSS protection functionality into ModSecurity.

 * Exported API for registering custom variables.  Example in api directory.

 * Added experimental variables RESPONSE_CONTENT_LENGTH, RESPONSE_CONTENT_TYPE,
   and RESPONSE_CONTENT_ENCODING.

 * Added experimental support for content injection. Directive
   SecContentInjection (On|Off) controls whether injection is taking place.
   Actions "prepend" and "append" inject content when executed. Do note that
   it is your responsibility to make sure the response is of the appropriate
   content type (e.g. HTML, plain text, etc).

 * Added string comparison operators with support for macro expansion:
   @contains, @streq, @beginsWith and @endsWith.

 * Enhanced debug log output to log macro expansion, quote values and
   correctly display values that contained NULs.

 * Removed support for %0 - %9 capture macros as they were incorrectly
   expanding url encoded values.  Use %{TX.0} - %{TX.9} instead.

 * Added t:length to transform a value to its character length.

 * Added t:trimLeft, t:trimRight, t:trim to remove whitespace
   from a value on the left, right or both.

 * Added SecAuditLog2 directive to allow redundent concurrent audit log
   index files.  This will allow sending audit data to two consoles, etc.

 * Removed CGI style HTTP_* variables in favor of REQUEST_HEADERS:Header-Name.

 * Store filename/line for each rule and display it and the ID (if available)
   in the debug log when invoking a rule.  Thanks to Christian Bockermann
   for the idea.

 * Do not log 'allow' action as intercepted in the debug log.

 * Write debug log messages when "capture" is set, but the regex does not
   capture and vice-versa.

 * Small performance improvement in memory management for rule execution.

 * Fixed some collection variable names not printing with the parameter
   and/or counting operator in the debug log.


11 Apr 2007 - 2.1.1
-------------------

 * Add the PCRE_DOLLAR_ENDONLY option when compiling regular expression
   for the @rx operator and variables.
 
 * Really set PCRE_DOTALL option when compiling the regular expression
   for the @rx operator as the docs state.
 
 * Fixed potential memory corruption when expanding macros.

 * Fixed error when a collection was retrieved from storage in the same second
   as creation by setting the rate to zero.

 * Fixed ASCIIZ (NUL) parsing for application/x-www-form-urlencoded forms.

 * Fixed the faulty REQUEST_FILENAME variable, which used to change
   the internal Apache structures by mistake.

 * Updates to quiet some compiler warnings.

 * Fixed some casting issues for compiling on NetWare (patch from Guenter Knauf).


23 Feb 2007 - 2.1.0
-------------------

 * Removed the "Connection reset by peer" message, which has nothing
   to do with us. Actually the message was downgraded from ERROR to
   NOTICE so it will still appear in the debug log.

 * Removed the (harmless) message mentioning LAST_UPDATE_TIME missing.

 * It was not possible to remove a rule placed in phase 4 using
   SecRuleRemoveById or SecRuleRemoveByMsg. Fixed.

 * Fixed a problem with incorrectly setting requestBodyProcessor using
   the ctl action.

 * Bundled Core Rules 2.1-1.3.2b4.

 * Updates to the reference manual.

 * Reversed the return values of @validateDTD and @validateSchema, to
   make them consistent with other operators.

 * Added a few helpful debug messages in the XML validation area.

 * Updates to the reference manual.

 * Fixed the validateByteRange operator.

 * Default value for the status action is now 403 (as it was supposed to
   be but it was effectively 500).

 * Rule exceptions (removing using an ID range or an regular expression)
   is now applied to the current context too. (Previously it only worked
   on rules that are inherited from the parent context.)

 * Fix of a bug with expired variables.

 * Fixed regular expression variable selectors for many collections.

 * Performance improvements - up to two times for real-life work loads!

 * Memory consumption improvements (not measured but significant).

 * The allow action did not work in phases 3 and 4. Fixed.

 * Unlocked collections GLOBAL and RESOURCE.

 * Added support for variable expansion in the msg action.

 * New feature: It is now possible to make relative changes to the
   audit log parts with the ctl action. For example: "ctl:auditLogParts=+E".

 * New feature: "tag" action. To be used for event categorisation.

 * XML parser was not reporting errors that occured at the end
   of XML payload.

 * Files were not extracted from request if SecUploadKeepFiles was
   Off. Fixed.

 * Regular expressions that are too long are truncated to 256
   characters before used in error messages. (In order to keep
   the error messages in the log at a reasonable size.)

 * Fixed the sha1 transformation function.

 * Fixed the skip action.

 * Fixed REQUEST_PROTOCOL, REMOTE_USER, and AUTH_TYPE.

 * SecRuleEngine did not work in child configuration contexts
   (e.g. <Location>).

 * Fixed base64Decode and base64Encode.


15 Nov 2006 - 2.0.4
-------------------

 * Fixed the "deprecatevar" action.

 * Decreasing variable values did not work.

 * Made "nolog" do what it is supposed to do - cause a rule match to
   not be logged. Also "nolog" now implies "noauditlog" but it's
   possible to follow "nolog" with "auditlog" and have the match
   not logged to the error log but logged to the auditlog. (Not
   something that strikes me as useful but it's possible.)

 * Relative paths given to SecDataDir will now be treated as relative
   to the Apache server root.

 * Added checks to make sure only correct actions are specified in
   SecDefaultAction (some actions are required, some don't make any
   sense) and in rules that are not chain starters (same). This should
   make the unhelpful "Internal Error: Failed to add rule to the ruleset"
   message go away.

 * Fixed the problem when "SecRuleInheritance Off" is used in a context
   with no rules defined.

 * Fixed a problem of lost input (request body) data on some redirections,
   for example when mod_rewrite is used.


26 Oct 2006 - 2.0.3
-------------------

 * Fixed a memory leak (all platforms) and a concurrency control
   problem that could cause a crash (multithreaded platforms only).

 * Fixed a SecAuditLogRelevantStatus problem, which would not work
   properly unless the regular expression contained a subexpression.


19 Oct 2006 - 2.0.2
-------------------

 * Fixed incorrect permissions on the global mutex, which prevented
   the mutex from working properly.

 * Fixed incorrect actionset merging where the status was copied from
   the child actionset even though it was not defined.

 * Fixed missing metadata information (in the logs) for warnings.


16 Oct 2006 - 2.0.1
-------------------

 * Rules that used operator negation did not work. Fixed.

 * Fixed bug that prevented invalid regular expressions from being reported.


16 Oct 2006 - 2.0.0
-------------------

 * First stable 2.x release.