Update CHANGES.

Reversion from 2.2. to 2.5.
Update @pmFromFile to base relative filenames off of rule file path.

CHANGES

@@ -1,7 +1,10 @@
 
-?? ??? 2007 - 2.2.0-trunk
+?? ??? 2007 - 2.5.0-trunk
 -------------------------
 
+ * Removed experimental variable RESPONSE_CONTENT_ENCODING which was not
+   working as intended.
+
  * Update included core rules to latest version.
 
  * Do not trigger "pause" action for internal requests.
@@ -9,8 +12,8 @@
  * Added matching rule filename and line number to audit log.
 
  * Added new phrase matching operators, @pm and @pmFromFile.  These use
-   an alternate set based matching engine to perform faster phrase
-   type matches such as black/white lists, spam keywords, etc.
+   an alternate set based matching engine (Aho-Corasick) to perform faster
+   phrase type matches such as black/white lists, spam keywords, etc.
 
  * Cache transformations per-request/phase so they are not repeated.
 
@@ -31,6 +34,34 @@
  * Removed strnlen() calls for non-GNU platforms.
 
 
+14 June 2007 - 2.1.2-rc1
+------------------------
+
+ * Update included core rules to latest version.
+
+ * Do not trigger "pause" action for internal requests.
+
+ * Fixed issue with requests that use internal requests.  These had the
+   potential to be intercepted incorrectly when other Apache httpd modules
+   that used internal requests were used with mod_security.
+
+ * Added Solaris to the list of platforms not supporting the hidden
+   visibility attribute.
+
+ * Fixed decoding full-width unicode in t:urlDecodeUni.
+
+ * Lessen some overhead of debugging messages and calculations.
+
+ * Do not try to intercept a request after a failed rule.  This fixes the
+   issue associated with an "Internal Error: Asked to intercept request
+   but was_intercepted is zero" error message.
+
+ * Added SecAuditLog2 directive to allow redundent concurrent audit log
+   index files.  This will allow sending audit data to two consoles, etc.
+
+ * Small performance improvement in memory management for rule execution.
+
+
 11 May 2007 - 2.2.0-dev1
 -------------------------
 

apache2/modsecurity.h

@@ -50,7 +50,7 @@ typedef struct msc_string msc_string;
 #include "http_protocol.h"
 
 #define MODULE_NAME "ModSecurity"
-#define MODULE_RELEASE "2.2.0-trunk"
+#define MODULE_RELEASE "2.5.0-trunk"
 #define MODULE_NAME_FULL (MODULE_NAME " v" MODULE_RELEASE " (Apache 2.x)")
 
 #define PHASE_REQUEST_HEADERS       1

apache2/re_operators.c

@@ -190,16 +190,18 @@ static int msre_op_pm_param_init(msre_rule *rule, char **error_msg) {
     ACMP *p = acmp_create(0, rule->ruleset->mp);
     if (p == NULL) return 0;
 
-    const char *s = rule->op_param;
-    const char *e = rule->op_param + strlen(rule->op_param);
+    const char *phrase = apr_pstrdup(rule->ruleset->mp, rule->op_param);
+    const char *next = rule->op_param + strlen(rule->op_param);
     
+    /* Loop through phrases */
+    /* ENH: Need to allow quoted phrases w/space */
     for (;;) {
-        while((isspace(*s) != 0) && (*s != 0)) s++;
-        if (*s == 0) break;
-        e = s;
-        while((isspace(*e) == 0) && (*e != 0)) e++;
-        acmp_add_pattern(p, s, NULL, NULL, e - s);
-        s = e;
+        while((isspace(*phrase) != 0) && (*phrase != '\0')) phrase++;
+        if (*phrase == '\0') break;
+        next = phrase;
+        while((isspace(*next) == 0) && (*next != 0)) next++;
+        acmp_add_pattern(p, phrase, NULL, NULL, next - phrase);
+        phrase = next;
     }
     acmp_prepare(p);
     rule->op_param_data = p;
@@ -211,7 +213,10 @@ static int msre_op_pm_param_init(msre_rule *rule, char **error_msg) {
 static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
     char errstr[1024];
     char buf[HUGE_STRING_LEN + 1];
-    char *ptr = NULL;
+    char *fn;
+    char *next;
+    char *ptr;
+    const char *rulefile_path;
     apr_status_t rc;
     apr_file_t *fd;
 
@@ -223,20 +228,38 @@ static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
     ACMP *p = acmp_create(0, rule->ruleset->mp);
     if (p == NULL) return 0;
 
-    char *fn = apr_pstrdup(rule->ruleset->mp, rule->op_param);
-    char *next = fn + strlen(rule->op_param);
+    fn = apr_pstrdup(rule->ruleset->mp, rule->op_param);
+    next = fn + strlen(rule->op_param);
     
+    /* Get the path of the rule filename to use as a base */
+    rulefile_path = apr_pstrndup(rule->ruleset->mp, rule->filename, strlen(rule->filename) - strlen(apr_filepath_name_get(rule->filename)));
+
+    #ifdef DEBUG_CONF
+    fprintf(stderr, "Rulefile path: \"%s\"\n", rulefile_path);
+    #endif
+
     /* Loop through filenames */
+    /* ENH: Need to allow quoted filenames w/space */
     for (;;) {
+        const char *rootpath = NULL;
+        const char *filepath = NULL;
         int line = 0;
 
         /* Trim whitespace */
-        while((isspace(*fn) != 0) && (*fn != 0)) fn++;
+        while((isspace(*fn) != 0) && (*fn != '\0')) fn++;
         if (*fn == '\0') break;
         next = fn;
         while((isspace(*next) == 0) && (*next != '\0')) next++;
         while((isspace(*next) != 0) && (*next != '\0')) *next++ = '\0';
 
+        /* Add path of the rule filename for a relative phrase filename */
+        filepath = fn;
+        if (apr_filepath_root(&rootpath, &filepath, APR_FILEPATH_TRUENAME, rule->ruleset->mp) != APR_SUCCESS) {
+            /* We are not an absolute path.  It could mean an error, but
+             * let that pass through to the open call for a better error */
+            apr_filepath_merge(&fn, rulefile_path, fn, APR_FILEPATH_TRUENAME, rule->ruleset->mp);
+        }
+
         /* Open file and read */
         rc = apr_file_open(&fd, fn, APR_READ | APR_FILE_NOCLEANUP, 0, rule->ruleset->mp);
         if (rc != APR_SUCCESS) {

doc/modsecurity2-apache-reference.xml

@@ -4409,17 +4409,35 @@ SecRule ARGS:route "!<emphasis role="bold">@endsWith %{REQUEST_ADDR}</emphasis>"
       for faster matches of keyword lists. This operator is the same as
       <literal>@pm</literal> except that it takes a list of files as
       arguments. It will match any one of the phrases listed in the file(s)
-      anywhere in the target value. The contents of the files should be one
-      phrase per line. End of line markers will be stripped from the phrases,
-      however, whitespace will not be trimmed from phrases in the file.</para>
+      anywhere in the target value.</para>
+
+      <para>Notes:</para>
+
+      <orderedlist continuation="restarts" inheritnum="ignore">
+        <listitem>
+          <para>The contents of the files should be one phrase per line. End
+          of line markers will be stripped from the phrases, however,
+          whitespace will not be trimmed from phrases in the file. Empty lines
+          and comment lines (beginning with a '#') are ignored.</para>
+        </listitem>
+
+        <listitem>
+          <para>To allow easier inclusion of phrase files with rulesets,
+          relative paths may be used to the phrase files. In this case, the
+          path of the file containing the rule is prepended to the phrase file
+          path.</para>
+        </listitem>
+      </orderedlist>
 
       <para>Example:</para>
 
       <programlisting format="linespecific">SecRule REQUEST_HEADERS:User-Agent "<emphasis
-          role="bold">@pm</emphasis> /path/to/blacklist1 /path/to/blacklist2" "deny,status:403</programlisting>
+          role="bold">@pm</emphasis> /path/to/blacklist1 blacklist2" "deny,status:403</programlisting>
 
       <para>The above would deny access with 403 if any of the patterns in the
-      two files matched within the User-Agent HTTP header value.</para>
+      two files matched within the User-Agent HTTP header value. The
+      <literal>blacklist2</literal> file would need to be placed in the same
+      path as the file containing the rule.</para>
     </section>
 
     <section>