2010-02-15 01:46:42 +03:00
|
|
|
14 Feb 2010 - trunk
|
2009-08-13 03:03:11 +04:00
|
|
|
-------------------
|
|
|
|
|
2010-02-02 16:48:30 +03:00
|
|
|
* Add REQUEST_BODY_LENGTH, which contains the number of request body
|
|
|
|
bytes read. [Ivan Ristic]
|
|
|
|
|
2010-02-02 15:45:28 +03:00
|
|
|
* Integrate with mod_log_config using the %{VARNAME}M format string.
|
2010-02-01 14:01:17 +03:00
|
|
|
(MODSEC-108) [Ivan Ristic]
|
|
|
|
|
2010-02-01 12:42:23 +03:00
|
|
|
* Replaced the previous time-measuring mechanism with a new one, which
|
|
|
|
provides the following information: request time, request duration,
|
|
|
|
phase duration (for all 5 phases), time spent dealing with persistent
|
|
|
|
storage, and time spent on audit logging. The new information is now
|
|
|
|
available in the Stopwatch2 audit log header. The Stopwatch header
|
|
|
|
remains for backward compatiblity, although it now only includes
|
2010-02-01 14:44:32 +03:00
|
|
|
the request time and request duration values. Added the following
|
|
|
|
variables: PERF_COMBINED, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3,
|
2010-02-11 23:09:14 +03:00
|
|
|
PERF_PHASE4, PERF_PHASE5, PERF_SREAD, PERF_SWRITE, PERF_LOGGING,
|
|
|
|
PERF_GC. [Ivan Ristic]
|
2010-02-01 12:42:23 +03:00
|
|
|
|
2010-01-27 17:11:33 +03:00
|
|
|
* Added DURATION, which contains the time ellapsed since the beginning
|
|
|
|
of the current transaction, in milliseconds. [Ivan Ristic]
|
|
|
|
|
2010-01-27 00:59:57 +03:00
|
|
|
* Adjusted phase 5 to execute just prior to mod_log_config. This should
|
|
|
|
allow phase 5 rules to to implement conditional logging, as well as
|
|
|
|
pave support for allowing access to all ModSecurity variables from
|
|
|
|
mog_log_config. [Ivan Ristic]
|
|
|
|
|
2010-02-05 22:11:38 +03:00
|
|
|
* Added the URLENCODED_ERROR flag, which is raised whenever invalid URL
|
|
|
|
encoding is encountered in the query string or in the request body
|
|
|
|
(but only if URLENCODED request body processor is used). (MODSEC-111)
|
|
|
|
[Ivan Ristic]
|
|
|
|
|
|
|
|
* Removed the obsolete PDF UXSS functionality. (MODSEC-96) [Ivan Ristic]
|
|
|
|
|
|
|
|
* Renamed normalisePath to normalizePath and normalisePathWin to
|
|
|
|
normalizePathWin. Kept the previous names for backward compatibility.
|
|
|
|
(MODSEC-103) [Ivan Ristic]
|
|
|
|
|
|
|
|
* Moved phase 1 to be run in the same Apache hook as phase 2. This means
|
|
|
|
that you can now have phase 1 rules in <Location> tags and, more
|
|
|
|
importantly, override server configuration in <Location> and others.
|
|
|
|
(MODSEC-98) [Ivan Ristic]
|
|
|
|
|
|
|
|
* Renamed the sanitise family of actiont to sanitize. Kept the old variants
|
|
|
|
for backward compatibility. (MODSEC-95) [Ivan Ristic]
|
|
|
|
|
|
|
|
* Improve the logging of the ctl action. (MODSEC-99) [Ivan Ristic]
|
|
|
|
|
|
|
|
* Cleanup build files that were from the Apache source.
|
|
|
|
|
2010-02-05 22:05:20 +03:00
|
|
|
|
2010-02-15 01:46:42 +03:00
|
|
|
14 Feb 2010 - 2.5.13-dev1
|
|
|
|
-------------------------
|
|
|
|
|
|
|
|
* Cleaned up some mlogc code and debugging output.
|
|
|
|
|
|
|
|
* Remove the ability to use a relative path to a piped audit logger
|
|
|
|
(i.e. mlogc) as Apache does not support it in their piped loggers
|
|
|
|
and it was breaking Windows and probably other platforms that
|
|
|
|
use spaces in filesystem paths. Discovered by Tom Donovan.
|
|
|
|
|
|
|
|
* Fix memory leak freeing regex. Discovered by Tom Donovan.
|
|
|
|
|
|
|
|
* Fix some portability issues on Windows.
|
|
|
|
|
|
|
|
|
2010-02-05 22:05:20 +03:00
|
|
|
04 Feb 2010 - 2.5.12
|
|
|
|
--------------------
|
|
|
|
|
|
|
|
* Fixed SecUploadFileMode to set the correct mode.
|
|
|
|
|
|
|
|
* Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.
|
|
|
|
|
|
|
|
* Added additional file info definitions introduced in APR 0.9.5 so that
|
|
|
|
build will work with older APRs (IBM HTTP Server v6).
|
|
|
|
|
|
|
|
* Added SecUploadFileLimit to limit the number of uploaded file parts that
|
|
|
|
will be processed in a multipart POST. The default is 100.
|
|
|
|
|
|
|
|
* Fixed path normalization to better handle backreferences that extend
|
|
|
|
above root directories. Reported by Sogeti/ESEC R&D.
|
|
|
|
|
|
|
|
* Trim whitespace around phrases used with @pmFromFile and allow
|
|
|
|
for both LF and CRLF terminated lines.
|
|
|
|
|
|
|
|
* Allow for more robust parsing for multipart header folding. Reported
|
|
|
|
by Sogeti/ESEC R&D.
|
|
|
|
|
|
|
|
* Fixed failure to match internally set TX variables with regex
|
|
|
|
(TX:/.../) syntax.
|
|
|
|
|
|
|
|
* Fixed failure to log full internal TX variable names and populate
|
|
|
|
MATCHED_VAR* vars.
|
|
|
|
|
|
|
|
* Enabled PCRE "studying" by default. This is now a configure-time option.
|
|
|
|
|
|
|
|
* Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to
|
|
|
|
aide in REDoS type attacks. A rule that goes over the limits will set
|
|
|
|
TX:MSC_PCRE_LIMITS_EXCEEDED. It is intended that the next major release
|
|
|
|
of ModSecurity (2.6.x) will move these flags to a dedicated collection.
|
|
|
|
|
|
|
|
* Reduced default PCRE match limits reducing impact of REDoS on poorly
|
|
|
|
written regex rules. Reported by Sogeti/ESEC R&D.
|
|
|
|
|
|
|
|
* Fixed memory leak in v1 cookie parser. Reported by Sogeti/ESEC R&D.
|
|
|
|
|
|
|
|
* Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)
|
|
|
|
|
|
|
|
* Update copyright to 2010.
|
|
|
|
|
2009-12-21 19:38:21 +03:00
|
|
|
* Reserved 700,000-799,999 IDs for Ivan Ristic.
|
|
|
|
|
2009-12-14 21:48:35 +03:00
|
|
|
* Fixed SecAction not working when CONNECT request method is used
|
|
|
|
(MODSEC-110). [Ivan Ristic]
|
|
|
|
|
2009-11-07 03:06:26 +03:00
|
|
|
* Do not escape quotes in macro resolution and only escape NUL in setenv
|
|
|
|
values.
|
|
|
|
|
2009-10-21 22:32:52 +04:00
|
|
|
|
2009-11-06 21:38:15 +03:00
|
|
|
04 Nov 2009 - 2.5.11
|
|
|
|
--------------------
|
|
|
|
|
|
|
|
* Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be
|
|
|
|
set true if any invalid quoting is found during multipart parsing.
|
|
|
|
|
|
|
|
* Fixed parsing quoted strings in multipart Content-Disposition headers.
|
|
|
|
Discovered by Stefan Esser.
|
|
|
|
|
|
|
|
* Cleanup persistence database locking code.
|
|
|
|
|
|
|
|
* Added warning during configure if libcurl is found linked against
|
|
|
|
gnutls for SSL. The openssl lib is recommended as gnutls has
|
|
|
|
proven to cause issues with mutexes and may crash.
|
|
|
|
|
|
|
|
* Cleanup some mlogc (over)logging.
|
|
|
|
|
|
|
|
* Do not log output filter errors in the error log.
|
|
|
|
|
|
|
|
* Moved output filter to run before other stock filters (mod_deflate,
|
|
|
|
mod_cache, mod_expires, mod_filter) to avoid analyzing modified data
|
2009-12-12 17:20:22 +03:00
|
|
|
in the response. Patch originally submitted by Ivan Ristic.
|
2009-11-06 21:38:15 +03:00
|
|
|
|
|
|
|
|
2009-09-24 23:11:16 +04:00
|
|
|
18 Sep 2009 - 2.5.10
|
|
|
|
--------------------
|
|
|
|
|
|
|
|
* Cleanup mlogc so that it builds on Windows.
|
|
|
|
|
|
|
|
* Added more detailed messages to replace "Unknown error" in filters.
|
|
|
|
|
2009-08-26 02:19:33 +04:00
|
|
|
* Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning
|
|
|
|
auditlog permissions (especially with mpm-itk).
|
|
|
|
|
2009-09-24 23:11:16 +04:00
|
|
|
* Cleanup SecUploadFileMode implementation.
|
2009-08-26 02:19:33 +04:00
|
|
|
|
|
|
|
* Cleanup build scripts.
|
|
|
|
|
2009-08-13 03:03:11 +04:00
|
|
|
* Fixed crash on configuration if SecMarker is used before any rules.
|
|
|
|
|
|
|
|
* Fixed SecRuleUpdateActionById so that it will work on chain starters.
|
|
|
|
|
|
|
|
* Cleanup build system for mlogc.
|
2009-07-24 09:11:45 +04:00
|
|
|
|
|
|
|
* Allow mlogc to periodically flush memory pools.
|
|
|
|
|
|
|
|
* Using nolog,auditlog will now log the "Message:" line to the auditlog, but
|
|
|
|
nothing to the error log. Prior versions dropped the "Message:" line from
|
|
|
|
both logs. To do this now, just use "nolog" or "nolog,noauditlog".
|
|
|
|
|
|
|
|
* Forced mlogc to use SSLv3 to avoid some potential auto negotiation
|
|
|
|
issues with some libcurl versions.
|
2009-03-31 21:25:47 +04:00
|
|
|
|
2009-06-16 01:14:30 +04:00
|
|
|
* Fixed mlogc issue seen on big endian machines where content type
|
|
|
|
could be listed as zero.
|
|
|
|
|
2009-05-31 12:45:50 +04:00
|
|
|
* Removed extra newline from audit log message line when logging XML errors.
|
|
|
|
This was causing problems parsing audit logs.
|
|
|
|
|
|
|
|
* Fixed @pm/@pmFromFile case insensitivity.
|
|
|
|
|
2009-05-21 10:26:26 +04:00
|
|
|
* Truncate long parameters in log message for "Match of ... against ...
|
|
|
|
required" messages.
|
|
|
|
|
2009-05-21 10:18:18 +04:00
|
|
|
* Correctly resolve chained rule actions in logs.
|
|
|
|
|
2009-05-16 14:42:32 +04:00
|
|
|
* Cleanup some code for portability.
|
|
|
|
|
|
|
|
* AIX does not support hidden visibility with xlc compiler.
|
|
|
|
|
|
|
|
* Allow specifying EXTRA_CFLAGS during configure to override gcc specific
|
|
|
|
values for non-gcc compilers.
|
|
|
|
|
2009-05-16 11:54:17 +04:00
|
|
|
* Populate GEO:COUNTRY_NAME and GEO:COUNTRY_CONTINENT as documented.
|
|
|
|
|
|
|
|
* Handle a newer geo database more gracefully, avoiding a potential crash for
|
|
|
|
new countries that ModSecurity is not yet aware.
|
|
|
|
|
|
|
|
* Allow checking &GEO "@eq 0" for a failed @geoLookup.
|
|
|
|
|
2009-05-16 08:51:25 +04:00
|
|
|
* Fixed mlogc global mutex locking issue and added more debugging output.
|
|
|
|
|
2009-04-22 21:41:33 +04:00
|
|
|
* Cleaned up build dependencies and configure options.
|
|
|
|
|
2009-03-31 21:25:47 +04:00
|
|
|
|
|
|
|
05 Mar 2009 - 2.5.9
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
* Fixed parsing multipart content with a missing part header name which
|
|
|
|
would crash Apache. Discovered by "Internet Security Auditors"
|
|
|
|
(isecauditors.com).
|
|
|
|
|
|
|
|
* Added ability to specify the config script directly using --with-apr
|
|
|
|
and --with-apu.
|
|
|
|
|
|
|
|
* Updated copyright year to 2009.
|
|
|
|
|
|
|
|
* Added macro expansion for append/prepend action.
|
|
|
|
|
|
|
|
* Fixed race condition in concurrent updates of persistent counters. Updates
|
|
|
|
are now atomic.
|
|
|
|
|
|
|
|
* Cleaned up build, adding an option for verbose configure output and making
|
|
|
|
the mlogc build more portable.
|
|
|
|
|
|
|
|
|
2009-03-06 00:50:55 +03:00
|
|
|
21 Nov 2008 - 2.5.8
|
2008-10-21 21:45:18 +04:00
|
|
|
-------------------
|
|
|
|
|
2009-03-06 00:50:55 +03:00
|
|
|
* Fixed PDF XSS issue where a non-GET request for a PDF file would crash the
|
|
|
|
Apache httpd process. Discovered by Steve Grubb at Red Hat.
|
|
|
|
|
2008-10-21 21:45:18 +04:00
|
|
|
* Removed an invalid "Internal error: Issuing "%s" for unspecified error."
|
|
|
|
message that was logged when denying with nolog/noauditlog set and
|
|
|
|
causing the request to be audited.
|
|
|
|
|
|
|
|
|
|
|
|
24 Sep 2008 - 2.5.7
|
2008-08-16 00:25:27 +04:00
|
|
|
-------------------
|
|
|
|
|
2008-09-04 02:16:42 +04:00
|
|
|
* Fixed XML DTD/Schema validation which will now fail after request body
|
|
|
|
processing errors, even if the XML parser returns a document tree.
|
|
|
|
|
2008-09-10 21:11:20 +04:00
|
|
|
* Added ctl:forceRequestBodyVariable=on|off which, when enabled, will force
|
2008-09-17 14:59:11 +04:00
|
|
|
the REQUEST_BODY variable to be set when a request body processor is not set.
|
|
|
|
Previously the REQUEST_BODY target was only populated by the URLENCODED
|
|
|
|
request body processor.
|
2008-09-04 00:42:28 +04:00
|
|
|
|
|
|
|
* Integrated mlogc source.
|
2008-09-03 03:10:36 +04:00
|
|
|
|
2008-09-03 22:06:14 +04:00
|
|
|
* Fixed logging the hostname in the error_log which was logging the
|
|
|
|
request hostname instead of the Apache resolved hostname.
|
|
|
|
|
2008-08-16 00:25:27 +04:00
|
|
|
* Allow for disabling request body limit checks in phase:1.
|
|
|
|
|
|
|
|
* Added transformations for processing parity for legacy protocols ported
|
|
|
|
to HTTP(S): t:parityEven7bit, t:parityOdd7bit, t:parityZero7bit
|
|
|
|
|
|
|
|
* Added t:cssDecode transformation to decode CSS escapes.
|
2008-07-16 17:08:12 +04:00
|
|
|
|
2008-08-16 00:25:27 +04:00
|
|
|
* Now log XML parsing/validation warnings and errors to be in the debug log
|
|
|
|
at levels 3 and 4, respectivly.
|
2008-08-01 02:36:24 +04:00
|
|
|
|
2008-07-16 17:08:12 +04:00
|
|
|
|
2008-08-01 02:36:24 +04:00
|
|
|
31 Jul 2008 - 2.5.6
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
* Transformation caching has been deprecated, and is now off by default. We
|
|
|
|
now advise against using transformation caching in production.
|
|
|
|
|
|
|
|
* Fixed two separate transformation caching issues that could cause incorrect
|
|
|
|
content inspection in some circumstances.
|
|
|
|
|
|
|
|
* Fixed an issue with the transformation cache using too much RAM, potentially
|
|
|
|
crashing Apache with a large number of cache entries. Two new configuration
|
|
|
|
options have been added to allow for a finer control of caching:
|
|
|
|
|
|
|
|
maxitems: Max number of items to cache (default 1024)
|
|
|
|
incremental: Whether to cache incrementally (default off)
|
|
|
|
|
|
|
|
* Added an experimental regression testing suite. The regression suite may
|
|
|
|
be executed via "make test-regression", however it is strongly advised
|
|
|
|
to only be executed on a non-production machine as it will startup the
|
|
|
|
Apache web server that ModSecurity is compiled against with various
|
|
|
|
configurations in which it will run tests.
|
|
|
|
|
|
|
|
* Added a licensing exception so that ModSecurity can be used in a derivative
|
|
|
|
work when that derivative is also under an approved open source license.
|
|
|
|
|
|
|
|
* Updated mlogc to version 1.4.5 which adds a LockFile directive and fixes an
|
|
|
|
issue in which the configuration file may be deleted.
|
2008-07-07 19:47:49 +04:00
|
|
|
|
|
|
|
|
|
|
|
05 Jun 2008 - 2.5.5
|
2008-05-09 19:50:17 +04:00
|
|
|
-------------------
|
|
|
|
|
2008-08-01 02:36:24 +04:00
|
|
|
* Fixed an issue where an alert was not logged in the error log
|
|
|
|
unless "auditlog" was used.
|
2008-06-03 03:34:31 +04:00
|
|
|
|
2008-08-01 02:36:24 +04:00
|
|
|
* Enable the "auditlog" action by default to help prevent a misconfiguration.
|
|
|
|
The new default is now: "phase:2,log,auditlog,pass"
|
2008-06-03 03:31:27 +04:00
|
|
|
|
2008-08-01 02:36:24 +04:00
|
|
|
* Improve request body processing error messages.
|
2008-05-31 00:16:34 +04:00
|
|
|
|
2008-08-01 02:36:24 +04:00
|
|
|
* Handle lack of a new line after the final boundary in a multipart request.
|
|
|
|
This fixes the reported WordPress Flash file uploader problem.
|
2008-05-31 00:07:47 +04:00
|
|
|
|
2008-08-01 02:36:24 +04:00
|
|
|
* Fixed issue with multithreaded servers where concurrent XML processing
|
|
|
|
could crash the web server (at least under Windows).
|
2008-05-31 00:01:44 +04:00
|
|
|
|
2008-08-01 02:36:24 +04:00
|
|
|
* Fixed blocking in phase 3.
|
2008-05-30 23:31:22 +04:00
|
|
|
|
2008-08-01 02:36:24 +04:00
|
|
|
* Force modules "mod_rpaf-2.0.c" and "mod_custom_header.c" to run before
|
|
|
|
ModSecurity so that the correct IP is used.
|
2008-05-09 19:50:17 +04:00
|
|
|
|
|
|
|
|
2008-05-09 19:48:57 +04:00
|
|
|
07 May 2008 - 2.5.4
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
* Fixed issue where transformation cache was using the SecDefaultAction
|
|
|
|
value even when t:none was used within a rule.
|
|
|
|
|
|
|
|
|
2008-04-24 20:23:35 +04:00
|
|
|
24 Apr 2008 - 2.5.3
|
2008-03-28 23:00:37 +03:00
|
|
|
-------------------
|
2008-03-28 20:06:44 +03:00
|
|
|
|
2008-04-24 20:30:58 +04:00
|
|
|
* Fixed issue where the exec action may not be able to execute shell scripts.
|
|
|
|
|
2008-04-24 20:23:35 +04:00
|
|
|
* Macros are now expanded in expirevar and deprecatevar.
|
2008-04-12 00:05:44 +04:00
|
|
|
|
2008-04-24 20:40:14 +04:00
|
|
|
* Fixed crash if a persistent variable name was more than 126 characters.
|
|
|
|
|
2008-04-24 20:48:08 +04:00
|
|
|
* Updated included Core Ruleset to version 1.6.1 which fixes some
|
|
|
|
false negative issues in the migration to using some 2.5 features.
|
|
|
|
|
2008-03-28 20:06:44 +03:00
|
|
|
|
2008-04-12 00:10:27 +04:00
|
|
|
02 Apr 2008 - 2.5.2
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
* Allow HTTP_* targets as an alias for REQUEST_HEADERS:*.
|
|
|
|
|
|
|
|
* Make sure temporary filehandles are closed after a transaction.
|
|
|
|
|
|
|
|
* Make sure the apache include directory is included during build.
|
|
|
|
|
|
|
|
|
|
|
|
02 Apr 2008 - 2.1.7
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
* Make sure temporary filehandles are closed after a transaction.
|
|
|
|
|
|
|
|
|
2008-03-28 20:06:44 +03:00
|
|
|
14 Mar 2008 - 2.5.1
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
* Fixed an issue where a match would not occur if transformation caching
|
|
|
|
was enabled.
|
|
|
|
|
|
|
|
* Using "severity" in a default action is now just a warning.
|
|
|
|
|
|
|
|
* Cleaned up the "make test" target to better locate headers/libraries.
|
|
|
|
|
|
|
|
* Now search /usr/lib64 and /usr/lib32 for lua libs.
|
|
|
|
|
|
|
|
* No longer treat warnings as errors by default (use --enable-strict-compile).
|
|
|
|
|
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
19 Feb 2008 - 2.5.0
|
|
|
|
-------------------
|
2008-02-12 01:57:54 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Updated included Core Ruleset to version 1.6.0 which uses 2.5 features.
|
2008-02-08 04:24:46 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Cleaned up and clarified some documentation.
|
2008-02-08 04:24:46 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Updated code to be more portable so it builds with MS VC++.
|
2008-02-05 03:55:16 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added unit tests for most operators and transformations.
|
2008-02-05 03:55:16 +03:00
|
|
|
|
|
|
|
* Fixed crash on startup when ENV is improperly used without a parameter.
|
|
|
|
|
|
|
|
* Allow macro resolution in setenv action.
|
|
|
|
|
2008-01-29 19:36:36 +03:00
|
|
|
* The default action is now a minimal "phase:2,log,pass" with no default
|
|
|
|
transformations performed.
|
2008-01-25 01:39:13 +03:00
|
|
|
|
2008-01-25 01:10:37 +03:00
|
|
|
* Implemented SecUploadFileMode to allow setting the mode for uploaded files.
|
|
|
|
|
2008-01-24 08:16:35 +03:00
|
|
|
* Implemented "block" action.
|
|
|
|
|
2008-01-29 19:36:36 +03:00
|
|
|
* Implemented SecRuleUpdateActionById.
|
2008-01-23 21:12:59 +03:00
|
|
|
|
2008-01-29 19:36:36 +03:00
|
|
|
* Fixed removal of phase 5 rules via SecRuleRemoveBy* directives.
|
2008-01-19 05:23:41 +03:00
|
|
|
|
2008-01-29 19:36:36 +03:00
|
|
|
* No longer log the query portion of the URI in the error log as
|
|
|
|
it may contain sensitive data.
|
2008-01-22 09:59:06 +03:00
|
|
|
|
2008-01-29 19:36:36 +03:00
|
|
|
* Build is now 'configure' based: ./configure && make && make install
|
2008-01-03 00:32:10 +03:00
|
|
|
|
2007-12-21 15:50:03 +03:00
|
|
|
* Added support for Lua scripting in the following ways: SecRuleScript
|
|
|
|
can be used to specify a script to execute as a rule, the exec
|
2008-02-16 01:51:01 +03:00
|
|
|
action processes Lua scripts internally, as does the @inspectFile
|
2007-12-21 15:50:03 +03:00
|
|
|
operator. Refer to the documentation for more details.
|
|
|
|
|
2007-12-17 14:22:47 +03:00
|
|
|
* Changed how allow works. Used on its own it now allows phases 1-4. Used
|
|
|
|
with parameter "phase" (e.g. SecAction allow:phase) it only affects
|
|
|
|
the current phase. Used with parameter "request" it allows phases
|
|
|
|
1-2.
|
|
|
|
|
2007-12-15 03:57:21 +03:00
|
|
|
* Fixed issue where only the first phase 5 rule would run when the
|
|
|
|
request was intercepted in an earlier phase.
|
|
|
|
|
2007-12-15 01:50:01 +03:00
|
|
|
* Stricter configuration parsing. Disruptive actions, meta actions and
|
|
|
|
phases are no longer allowed in a chained rule. Disruptive actions,
|
2007-12-15 01:52:29 +03:00
|
|
|
are no longer allowed in a logging phase (phase 5) rule, including
|
|
|
|
inheriting from SecDefaultAction.
|
2007-12-15 01:50:01 +03:00
|
|
|
|
2007-12-14 22:53:23 +03:00
|
|
|
* More efficient collection persistance.
|
|
|
|
|
2007-12-14 03:30:25 +03:00
|
|
|
* Fixed t:escapeSeqDecode to better follow ANSI C escapes.
|
|
|
|
|
2007-12-14 03:19:46 +03:00
|
|
|
* Added t:jsDecode to decode JavScript escape sequences.
|
2007-12-13 03:58:02 +03:00
|
|
|
|
2008-01-22 09:59:06 +03:00
|
|
|
* Added IS_NEW built-in collection variables.
|
2007-12-13 01:52:08 +03:00
|
|
|
|
2007-12-01 00:31:12 +03:00
|
|
|
* New audit log part 'K' logs all matching rules.
|
2007-11-30 03:52:21 +03:00
|
|
|
|
2007-11-29 14:41:48 +03:00
|
|
|
* Implemented SecRequestBodyNoFilesLimit.
|
|
|
|
|
2007-11-27 13:52:14 +03:00
|
|
|
* Enhance handling of the case where we run out of disk space while
|
|
|
|
writing to audit log entry.
|
|
|
|
|
2007-12-14 23:20:18 +03:00
|
|
|
* Added SecComponentSignature to allow other components the ability
|
|
|
|
to append to the logged signature.
|
2007-11-03 01:31:47 +03:00
|
|
|
|
2007-10-17 23:59:28 +04:00
|
|
|
* Added skipAfter:<id> action to allow skipping all rules until a rule
|
|
|
|
with a specified ID is reached. Rule execution then continues after
|
|
|
|
the specified rule.
|
|
|
|
|
2007-12-14 23:20:18 +03:00
|
|
|
* Added SecMarker <id> directive to allow a fixed target for skipAfter.
|
|
|
|
|
2007-10-17 23:11:47 +04:00
|
|
|
* Added ctl:ruleRemoveById action to allow rule removal on a match.
|
|
|
|
|
2007-10-02 22:50:35 +04:00
|
|
|
* Added a @containsWord operator that will match a given string anywhere in
|
|
|
|
the target value, but only on word boundaries.
|
|
|
|
|
2007-12-14 23:20:18 +03:00
|
|
|
* Added a MATCHED_VAR_NAME variable to store the last matched variable name
|
|
|
|
so that it can be more easily used by rules.
|
|
|
|
|
|
|
|
* Added a MATCHED_VAR variable to store the last matched variable value
|
2007-10-02 02:35:52 +04:00
|
|
|
so that it can be more easily used by rules.
|
|
|
|
|
2007-10-01 21:24:10 +04:00
|
|
|
* Fixed expansion of macros when using relative changes with setvar. In
|
|
|
|
addition, added support for expanding macros in the variable name.
|
|
|
|
|
2007-09-28 01:18:23 +04:00
|
|
|
* Situations where ModSecurity will intercept, generate an error or log
|
2007-09-29 00:02:02 +04:00
|
|
|
a level 1-3 message to the debug log are now marked as 'relevant' and may
|
|
|
|
generate an audit log entry.
|
2007-09-28 01:18:23 +04:00
|
|
|
|
2007-09-26 01:40:04 +04:00
|
|
|
* Fixed deprecatevar:var=N/S action so that it decrements N every S seconds
|
|
|
|
as documented instead of decrementing by a rate.
|
|
|
|
|
2007-09-22 03:23:11 +04:00
|
|
|
* Enable ModSecurity to look at partial response bodies. In previous
|
2008-02-16 01:51:01 +03:00
|
|
|
versions, ModSecurity would respond with status code 500 when the
|
2007-09-22 03:23:11 +04:00
|
|
|
response body was too long. Now, if SecResponseBodyLimitAction is
|
|
|
|
set to "ProcessPartial", it will process the part of the response
|
|
|
|
body received up until that point but send the rest without buffering.
|
|
|
|
|
|
|
|
* ModSecurity will now process phases 3 and 4 even when request processing
|
2007-09-22 02:15:12 +04:00
|
|
|
is interrupted (either by Apache - e.g. by responding with 400, 401
|
|
|
|
or 403, or by ModSecurity itself).
|
|
|
|
|
2007-09-27 01:39:45 +04:00
|
|
|
* Fixed the base64decode transformation function to not return extra
|
2007-09-22 02:15:12 +04:00
|
|
|
characters at the end.
|
|
|
|
|
2007-09-15 03:01:58 +04:00
|
|
|
* Return from the output filter with an error in addition to setting
|
|
|
|
up the HTTP error status in the output data.
|
|
|
|
|
2007-12-14 23:20:18 +03:00
|
|
|
* Used new Apache API calls to get the server version/banner when available.
|
2007-09-11 22:01:28 +04:00
|
|
|
|
2007-12-14 23:20:18 +03:00
|
|
|
* Added "logdata" meta action to allow logging of raw transaction data.
|
2007-08-10 04:44:20 +04:00
|
|
|
|
2007-08-09 02:11:02 +04:00
|
|
|
* Added TX_SEVERITY that keeps track of the highest severity
|
|
|
|
for any matched rules so far.
|
|
|
|
|
2007-08-09 00:53:00 +04:00
|
|
|
* Added ARGS_GET, ARGS_POST, ARGS_GET_NAMES, ARGS_POST_NAMES variables to
|
2007-08-09 00:49:51 +04:00
|
|
|
allow seperation of GET and POST arguments.
|
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added an Apache define (MODSEC_2.5) so that you can conditionally include
|
|
|
|
directives based on the ModSecurity major/minor versions with IfDefine.
|
|
|
|
|
2007-08-08 22:25:03 +04:00
|
|
|
* Added MODSEC_BUILD variable that contains the numeric build value based
|
|
|
|
on the ModSecurity version.
|
2007-07-02 18:49:56 +04:00
|
|
|
|
2007-12-14 23:20:18 +03:00
|
|
|
* Enhanced debug logging by displaying more data on rule execution. All
|
|
|
|
invoked rules are now logged in the debug log at level 5.
|
2007-08-08 18:48:49 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Stricter validation for @validateUtf8Encoding.
|
2007-08-03 00:40:37 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* No longer process Apache internal subrequests.
|
2007-08-03 00:40:37 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed warnings on Solaris and/or 64bit builds.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added @within string comparison operator with support for macro expansion.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Do not trigger "pause" action for internal requests.
|
2007-12-14 23:20:18 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added matching rule filename and line number to audit log.
|
2007-12-14 23:20:18 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added new phrase matching operators, @pm and @pmFromFile. These use
|
|
|
|
an alternate set based matching engine (Aho-Corasick) to perform faster
|
|
|
|
phrase type matches such as black/white lists, spam keywords, etc.
|
|
|
|
|
|
|
|
* Allow caching transformations per-request/phase so they are not repeated.
|
|
|
|
|
|
|
|
* Added Solaris and Cygwin to the list of platforms not supporting the hidden
|
2007-07-02 18:49:56 +04:00
|
|
|
visibility attribute.
|
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed decoding full-width unicode in t:urlDecodeUni.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Add SecGeoLookupDB, @geoLookups and GEO collection to support
|
|
|
|
geographical lookups by IP/host.
|
2007-12-14 23:22:54 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Do not try to intercept a request after a failed rule. This fixes the
|
|
|
|
issue associated with an "Internal Error: Asked to intercept request
|
|
|
|
but was_intercepted is zero" error message.
|
2007-12-14 23:22:54 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Removed extraneous exported symbols.
|
2007-12-14 23:22:54 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Merged the PDF XSS protection functionality into ModSecurity.
|
2007-12-14 23:22:54 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Exported API for registering custom variables. Example in api directory.
|
2007-12-14 23:22:54 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added experimental support for content injection. Directive
|
|
|
|
SecContentInjection (On|Off) controls whether injection is taking place.
|
|
|
|
Actions "prepend" and "append" inject content when executed. Do note that
|
|
|
|
it is your responsibility to make sure the response is of the appropriate
|
|
|
|
content type (e.g. HTML, plain text, etc).
|
2007-12-14 23:22:54 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added string comparison operators with support for macro expansion:
|
|
|
|
@contains, @streq, @beginsWith and @endsWith.
|
2007-12-14 23:22:54 +03:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Enhanced debug log output to log macro expansion, quote values and
|
|
|
|
correctly display values that contained NULs.
|
2007-09-15 01:41:34 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Removed support for %0 - %9 capture macros as they were incorrectly
|
|
|
|
expanding url encoded values. Use %{TX.0} - %{TX.9} instead.
|
2007-09-15 01:41:34 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added t:length to transform a value to its character length.
|
2007-09-15 01:41:34 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added t:trimLeft, t:trimRight, t:trim to remove whitespace
|
|
|
|
from a value on the left, right or both.
|
2007-09-15 01:41:34 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added SecAuditLog2 directive to allow redundent concurrent audit log
|
|
|
|
index files. This will allow sending audit data to two consoles, etc.
|
2007-09-15 01:41:34 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Removed CGI style HTTP_* variables in favor of REQUEST_HEADERS:Header-Name.
|
2007-09-15 01:41:34 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Store filename/line for each rule and display it and the ID (if available)
|
|
|
|
in the debug log when invoking a rule. Thanks to Christian Bockermann
|
|
|
|
for the idea.
|
2007-09-15 01:41:34 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Do not log 'allow' action as intercepted in the debug log.
|
|
|
|
|
|
|
|
* Fixed some collection variable names not printing with the parameter
|
|
|
|
and/or counting operator in the debug log.
|
|
|
|
|
|
|
|
|
|
|
|
19 Feb 2008 - 2.1.6
|
2007-09-15 01:41:34 +04:00
|
|
|
-------------------
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed crash on startup when ENV is improperly used without a parameter.
|
2007-08-04 00:25:30 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Allow macro resolution in setenv action.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Implemented SecUploadFileMode to allow setting the mode for uploaded files.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* No longer log the query portion of the URI in the error log as
|
|
|
|
it may contain sensitive data.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
10 Jan 2008 - 2.1.5
|
|
|
|
-------------------
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Updated included Core Ruleset to version 1.5.1.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Phase 5 rules can now be removed via SecRuleRemoveBy* directives.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed issue where only the first phase 5 rule would run when the
|
|
|
|
request was intercepted in an earlier phase.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed configuration parsing so that disruptive actions, meta actions
|
|
|
|
and phases are not allowed in a chained rule (as originally intended).
|
2007-07-31 23:04:07 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed t:escapeSeqDecode to better follow ANSI C escapes.
|
2007-07-31 23:04:07 +04:00
|
|
|
|
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
27 Nov 2007 - 2.1.4
|
|
|
|
-------------------
|
2007-05-16 23:37:27 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Updated included Core Ruleset to version 1.5 and noted in the docs that
|
|
|
|
XML support is required to use the rules without modification.
|
2007-06-21 19:45:21 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed an evasion FP, mistaking a multipart non-boundary for a boundary.
|
2007-06-21 06:21:06 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed multiple warnings on Solaris and/or 64bit builds.
|
2007-06-20 23:58:01 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Do not process subrequests in phase 2-4, but do hand off the request data.
|
2007-06-14 22:48:35 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Fixed a blocking FP in the multipart parser, which affected Safari.
|
2007-05-31 19:42:42 +04:00
|
|
|
|
2007-06-01 19:32:08 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
11 Sep 2007 - 2.1.3
|
|
|
|
-------------------
|
2007-05-31 02:02:35 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Updated multipart parsing code adding variables to allow checking
|
|
|
|
for various parsing issues (request body abnormalities).
|
2007-05-30 20:13:22 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Allow mod_rpaf and mod_extract_forwarded2 to work before ModSecurity.
|
2007-05-30 18:14:00 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Quiet some compiler warnings.
|
2007-05-23 20:04:25 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Do not block internal ErrorDocument requests after blocking request.
|
2007-05-17 16:02:59 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added ability to compile without an external API (use -DNO_MODSEC_API).
|
2007-05-17 00:09:28 +04:00
|
|
|
|
2007-05-16 23:48:21 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
27 Jul 2007 - 2.1.2
|
|
|
|
-------------------
|
2007-05-16 23:37:27 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Cleaned up and clarified some documentation.
|
2007-05-17 00:09:28 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Update included core rules to latest version (1.4.3).
|
2007-06-20 23:58:01 +04:00
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Enhanced ability to alert/audit failed requests.
|
2007-06-20 23:58:01 +04:00
|
|
|
|
|
|
|
* Do not trigger "pause" action for internal requests.
|
|
|
|
|
|
|
|
* Fixed issue with requests that use internal requests. These had the
|
|
|
|
potential to be intercepted incorrectly when other Apache httpd modules
|
|
|
|
that used internal requests were used with mod_security.
|
|
|
|
|
2008-02-16 01:51:01 +03:00
|
|
|
* Added Solaris and Cygwin to the list of platforms not supporting the hidden
|
2007-06-20 23:58:01 +04:00
|
|
|
visibility attribute.
|
|
|
|
|
|
|
|
* Fixed decoding full-width unicode in t:urlDecodeUni.
|
|
|
|
|
|
|
|
* Lessen some overhead of debugging messages and calculations.
|
|
|
|
|
|
|
|
* Do not try to intercept a request after a failed rule. This fixes the
|
|
|
|
issue associated with an "Internal Error: Asked to intercept request
|
|
|
|
but was_intercepted is zero" error message.
|
|
|
|
|
|
|
|
* Added SecAuditLog2 directive to allow redundent concurrent audit log
|
|
|
|
index files. This will allow sending audit data to two consoles, etc.
|
|
|
|
|
|
|
|
* Small performance improvement in memory management for rule execution.
|
|
|
|
|
|
|
|
|
2007-05-16 23:37:27 +04:00
|
|
|
11 Apr 2007 - 2.1.1
|
|
|
|
-------------------
|
2007-04-05 19:13:22 +04:00
|
|
|
|
|
|
|
* Add the PCRE_DOLLAR_ENDONLY option when compiling regular expression
|
|
|
|
for the @rx operator and variables.
|
2007-05-16 23:37:27 +04:00
|
|
|
|
2007-04-05 19:13:22 +04:00
|
|
|
* Really set PCRE_DOTALL option when compiling the regular expression
|
|
|
|
for the @rx operator as the docs state.
|
2007-05-16 23:37:27 +04:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed potential memory corruption when expanding macros.
|
2007-03-08 19:15:45 +03:00
|
|
|
|
2007-05-16 23:37:27 +04:00
|
|
|
* Fixed error when a collection was retrieved from storage in the same second
|
|
|
|
as creation by setting the rate to zero.
|
2007-03-07 18:56:22 +03:00
|
|
|
|
2007-05-16 23:37:27 +04:00
|
|
|
* Fixed ASCIIZ (NUL) parsing for application/x-www-form-urlencoded forms.
|
2007-03-06 19:14:54 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed the faulty REQUEST_FILENAME variable, which used to change
|
|
|
|
the internal Apache structures by mistake.
|
2007-03-01 14:34:13 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Updates to quiet some compiler warnings.
|
2007-03-01 14:49:56 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed some casting issues for compiling on NetWare (patch from Guenter Knauf).
|
2007-03-06 19:14:54 +03:00
|
|
|
|
2007-03-01 14:34:13 +03:00
|
|
|
|
|
|
|
23 Feb 2007 - 2.1.0
|
2007-02-22 16:20:17 +03:00
|
|
|
-------------------
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Removed the "Connection reset by peer" message, which has nothing
|
|
|
|
to do with us. Actually the message was downgraded from ERROR to
|
|
|
|
NOTICE so it will still appear in the debug log.
|
2007-02-22 15:14:10 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Removed the (harmless) message mentioning LAST_UPDATE_TIME missing.
|
2007-02-22 14:40:48 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* It was not possible to remove a rule placed in phase 4 using
|
|
|
|
SecRuleRemoveById or SecRuleRemoveByMsg. Fixed.
|
2007-02-22 13:44:01 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed a problem with incorrectly setting requestBodyProcessor using
|
|
|
|
the ctl action.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Bundled Core Rules 2.1-1.3.2b4.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Updates to the reference manual.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Reversed the return values of @validateDTD and @validateSchema, to
|
|
|
|
make them consistent with other operators.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Added a few helpful debug messages in the XML validation area.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Updates to the reference manual.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed the validateByteRange operator.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Default value for the status action is now 403 (as it was supposed to
|
|
|
|
be but it was effectively 500).
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Rule exceptions (removing using an ID range or an regular expression)
|
|
|
|
is now applied to the current context too. (Previously it only worked
|
|
|
|
on rules that are inherited from the parent context.)
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fix of a bug with expired variables.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed regular expression variable selectors for many collections.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Performance improvements - up to two times for real-life work loads!
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Memory consumption improvements (not measured but significant).
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* The allow action did not work in phases 3 and 4. Fixed.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Unlocked collections GLOBAL and RESOURCE.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Added support for variable expansion in the msg action.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* New feature: It is now possible to make relative changes to the
|
|
|
|
audit log parts with the ctl action. For example: "ctl:auditLogParts=+E".
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* New feature: "tag" action. To be used for event categorisation.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* XML parser was not reporting errors that occured at the end
|
|
|
|
of XML payload.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Files were not extracted from request if SecUploadKeepFiles was
|
|
|
|
Off. Fixed.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Regular expressions that are too long are truncated to 256
|
|
|
|
characters before used in error messages. (In order to keep
|
|
|
|
the error messages in the log at a reasonable size.)
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed the sha1 transformation function.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed the skip action.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed REQUEST_PROTOCOL, REMOTE_USER, and AUTH_TYPE.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* SecRuleEngine did not work in child configuration contexts
|
|
|
|
(e.g. <Location>).
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed base64Decode and base64Encode.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
|
|
|
|
|
|
|
15 Nov 2006 - 2.0.4
|
|
|
|
-------------------
|
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed the "deprecatevar" action.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Decreasing variable values did not work.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Made "nolog" do what it is supposed to do - cause a rule match to
|
|
|
|
not be logged. Also "nolog" now implies "noauditlog" but it's
|
|
|
|
possible to follow "nolog" with "auditlog" and have the match
|
|
|
|
not logged to the error log but logged to the auditlog. (Not
|
|
|
|
something that strikes me as useful but it's possible.)
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Relative paths given to SecDataDir will now be treated as relative
|
|
|
|
to the Apache server root.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Added checks to make sure only correct actions are specified in
|
|
|
|
SecDefaultAction (some actions are required, some don't make any
|
|
|
|
sense) and in rules that are not chain starters (same). This should
|
|
|
|
make the unhelpful "Internal Error: Failed to add rule to the ruleset"
|
|
|
|
message go away.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed the problem when "SecRuleInheritance Off" is used in a context
|
|
|
|
with no rules defined.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed a problem of lost input (request body) data on some redirections,
|
|
|
|
for example when mod_rewrite is used.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
|
|
|
|
|
|
|
26 Oct 2006 - 2.0.3
|
|
|
|
-------------------
|
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed a memory leak (all platforms) and a concurrency control
|
|
|
|
problem that could cause a crash (multithreaded platforms only).
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed a SecAuditLogRelevantStatus problem, which would not work
|
|
|
|
properly unless the regular expression contained a subexpression.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
|
|
|
|
|
|
|
19 Oct 2006 - 2.0.2
|
|
|
|
-------------------
|
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed incorrect permissions on the global mutex, which prevented
|
|
|
|
the mutex from working properly.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed incorrect actionset merging where the status was copied from
|
|
|
|
the child actionset even though it was not defined.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed missing metadata information (in the logs) for warnings.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
|
|
|
|
|
|
|
16 Oct 2006 - 2.0.1
|
|
|
|
-------------------
|
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Rules that used operator negation did not work. Fixed.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* Fixed bug that prevented invalid regular expressions from being reported.
|
2007-02-06 15:29:22 +03:00
|
|
|
|
|
|
|
|
|
|
|
16 Oct 2006 - 2.0.0
|
|
|
|
-------------------
|
|
|
|
|
2007-04-05 21:43:22 +04:00
|
|
|
* First stable 2.x release.
|
2007-02-06 15:29:22 +03:00
|
|
|
|