483 строки
16 KiB
Plaintext
483 строки
16 KiB
Plaintext
02 Jan 2008 - 2.5.0-rc2
|
|
-----------------------
|
|
|
|
* Build is now 'configure' based (autotools).
|
|
|
|
|
|
21 Dec 2007 - 2.5.0-rc1
|
|
-----------------------
|
|
|
|
Changes since 2.5.0-dev2:
|
|
|
|
* Added support for Lua scripting in the following ways: SecRuleScript
|
|
can be used to specify a script to execute as a rule, the exec
|
|
action processes Lua scripts internally, and does the @inspectFile
|
|
operator. Refer to the documentation for more details.
|
|
|
|
* Updated included Core Ruleset to version 1.5.1.
|
|
|
|
* Changed how allow works. Used on its own it now allows phases 1-4. Used
|
|
with parameter "phase" (e.g. SecAction allow:phase) it only affects
|
|
the current phase. Used with parameter "request" it allows phases
|
|
1-2.
|
|
|
|
* Fixed issue where only the first phase 5 rule would run when the
|
|
request was intercepted in an earlier phase.
|
|
|
|
* Updated included Core Ruleset to version 1.5 and noted in the docs that
|
|
XML support is required to use the rules without modification.
|
|
|
|
* Stricter configuration parsing. Disruptive actions, meta actions and
|
|
phases are no longer allowed in a chained rule. Disruptive actions,
|
|
are no longer allowed in a logging phase (phase 5) rule, including
|
|
inheriting from SecDefaultAction.
|
|
|
|
* More efficient collection persistance.
|
|
|
|
* Fixed t:escapeSeqDecode to better follow ANSI C escapes.
|
|
|
|
* Added t:jsDecode to decode JavScript escape sequences.
|
|
|
|
* Added IS_NEW and IS_EXPIRED built-in collection variables.
|
|
|
|
* New audit log part 'K' logs all matching rules.
|
|
|
|
* Implemented SecRequestBodyNoFilesLimit.
|
|
|
|
* Enhance handling of the case where we run out of disk space while
|
|
writing to audit log entry.
|
|
|
|
* Renamed SecGeoLookupsDb to SecGeoLookupDB.
|
|
|
|
* Added SecComponentSignature to allow other components the ability
|
|
to append to the logged signature.
|
|
|
|
* Added skipAfter:<id> action to allow skipping all rules until a rule
|
|
with a specified ID is reached. Rule execution then continues after
|
|
the specified rule.
|
|
|
|
* Added SecMarker <id> directive to allow a fixed target for skipAfter.
|
|
|
|
* Added ctl:ruleRemoveById action to allow rule removal on a match.
|
|
|
|
* Added a @containsWord operator that will match a given string anywhere in
|
|
the target value, but only on word boundaries.
|
|
|
|
* Added a MATCHED_VAR_NAME variable to store the last matched variable name
|
|
so that it can be more easily used by rules.
|
|
|
|
* Added a MATCHED_VAR variable to store the last matched variable value
|
|
so that it can be more easily used by rules.
|
|
|
|
* Fixed expansion of macros when using relative changes with setvar. In
|
|
addition, added support for expanding macros in the variable name.
|
|
|
|
* Situations where ModSecurity will intercept, generate an error or log
|
|
a level 1-3 message to the debug log are now marked as 'relevant' and may
|
|
generate an audit log entry.
|
|
|
|
* Fixed deprecatevar:var=N/S action so that it decrements N every S seconds
|
|
as documented instead of decrementing by a rate.
|
|
|
|
* Enable ModSecurity to look at partial response bodies. In previous
|
|
versions ModSecurity would respond with status code 500 when the
|
|
response body was too long. Now, if SecResponseBodyLimitAction is
|
|
set to "ProcessPartial", it will process the part of the response
|
|
body received up until that point but send the rest without buffering.
|
|
|
|
* ModSecurity will now process phases 3 and 4 even when request processing
|
|
is interrupted (either by Apache - e.g. by responding with 400, 401
|
|
or 403, or by ModSecurity itself).
|
|
|
|
* Fixed the base64decode transformation function to not return extra
|
|
characters at the end.
|
|
|
|
* Return from the output filter with an error in addition to setting
|
|
up the HTTP error status in the output data.
|
|
|
|
* Used new Apache API calls to get the server version/banner when available.
|
|
|
|
* Added "logdata" meta action to allow logging of raw transaction data.
|
|
|
|
* Added TX_SEVERITY that keeps track of the highest severity
|
|
for any matched rules so far.
|
|
|
|
* Added ARGS_GET, ARGS_POST, ARGS_GET_NAMES, ARGS_POST_NAMES variables to
|
|
allow seperation of GET and POST arguments.
|
|
|
|
* Added MODSEC_BUILD variable that contains the numeric build value based
|
|
on the ModSecurity version.
|
|
|
|
* Enhanced debug logging by displaying more data on rule execution. All
|
|
invoked rules are now logged in the debug log at level 5.
|
|
|
|
* Cleaned up and clarified some documentation.
|
|
|
|
* Performance improvements and greater control over caching transformations.
|
|
|
|
* Stricter validation for @validateUtf8Encoding.
|
|
|
|
* Now capture the match in TX:0 when using "capture" action in phrase match
|
|
operators.
|
|
|
|
* No longer process internal subrequests.
|
|
|
|
* Fixed warnings on Solaris and/or 64bit builds.
|
|
|
|
* Added Cygwin to the list of platforms not supporting the hidden
|
|
visibility attribute.
|
|
|
|
|
|
27 Nov 2007 - 2.1.4
|
|
-------------------
|
|
|
|
* Updated included Core Ruleset to version 1.5 and noted in the docs that
|
|
XML support is required to use the rules without modification.
|
|
|
|
* Fixed an evasion FP, mistaking a multipart non-boundary for a boundary.
|
|
|
|
* Fixed multiple warnings on Solaris and/or 64bit builds.
|
|
|
|
* Do not process subrequests in phase 2-4, but do hand off the request data.
|
|
|
|
* Fixed a blocking FP in the multipart parser, which affected Safari.
|
|
|
|
|
|
11 Sep 2007 - 2.1.3
|
|
-------------------
|
|
|
|
* Updated multipart parsing code adding variables to allow checking
|
|
for various parsing issues (request body abnormalities).
|
|
|
|
* Allow mod_rpaf and mod_extract_forwarded2 to work before ModSecurity.
|
|
|
|
* Quiet some compiler warnings.
|
|
|
|
* Do not block internal ErrorDocument requests after blocking request.
|
|
|
|
* Added ability to compile without an external API (use -DNO_MODSEC_API).
|
|
|
|
|
|
27 Jul 2007 - 2.1.2
|
|
-------------------
|
|
|
|
* Cleaned up and clarified some documentation.
|
|
|
|
* Update included core rules to latest version (1.4.3).
|
|
|
|
* Enhanced ability to alert/audit failed requests.
|
|
|
|
* Do not trigger "pause" action for internal requests.
|
|
|
|
* Fixed issue with requests that use internal requests. These had the
|
|
potential to be intercepted incorrectly when other Apache httpd modules
|
|
that used internal requests were used with mod_security.
|
|
|
|
* Added Solaris and Cygwin to the list of platforms not supporting the hidden
|
|
visibility attribute.
|
|
|
|
* Fixed decoding full-width unicode in t:urlDecodeUni.
|
|
|
|
* Lessen some overhead of debugging messages and calculations.
|
|
|
|
* Do not try to intercept a request after a failed rule. This fixes the
|
|
issue associated with an "Internal Error: Asked to intercept request
|
|
but was_intercepted is zero" error message.
|
|
|
|
* Added SecAuditLog2 directive to allow redundent concurrent audit log
|
|
index files. This will allow sending audit data to two consoles, etc.
|
|
|
|
* Small performance improvement in memory management for rule execution.
|
|
|
|
|
|
21 June 2007 - 2.5.0-dev2
|
|
-------------------------
|
|
|
|
* Reversioned from 2.2.0 base version to 2.5.0 because of the large changeset.
|
|
|
|
* Added @within string comparison operator with support for macro expansion.
|
|
|
|
* Removed experimental variable RESPONSE_CONTENT_ENCODING which was not
|
|
working as intended.
|
|
|
|
* Update included core rules to latest version.
|
|
|
|
* Do not trigger "pause" action for internal requests.
|
|
|
|
* Added matching rule filename and line number to audit log.
|
|
|
|
* Added new phrase matching operators, @pm and @pmFromFile. These use
|
|
an alternate set based matching engine (Aho-Corasick) to perform faster
|
|
phrase type matches such as black/white lists, spam keywords, etc.
|
|
|
|
* Cache transformations per-request/phase so they are not repeated.
|
|
|
|
* Fixed issue with requests that use internal requests. These had the
|
|
potential to be intercepted incorrectly when other Apache httpd modules
|
|
that used internal requests were used with mod_security.
|
|
|
|
* Added Solaris to the list of platforms not supporting the hidden
|
|
visibility attribute.
|
|
|
|
* Removed excessive debug log entries about "capture" action.
|
|
|
|
* Fixed decoding full-width unicode in t:urlDecodeUni.
|
|
|
|
* Lessen some overhead of debugging messages and calculations
|
|
TODO: more to come
|
|
|
|
* Removed strnlen() calls for non-GNU platforms.
|
|
|
|
|
|
14 June 2007 - 2.1.2-rc1
|
|
------------------------
|
|
|
|
* Update included core rules to latest version.
|
|
|
|
* Do not trigger "pause" action for internal requests.
|
|
|
|
* Fixed issue with requests that use internal requests. These had the
|
|
potential to be intercepted incorrectly when other Apache httpd modules
|
|
that used internal requests were used with mod_security.
|
|
|
|
* Added Solaris to the list of platforms not supporting the hidden
|
|
visibility attribute.
|
|
|
|
* Fixed decoding full-width unicode in t:urlDecodeUni.
|
|
|
|
* Lessen some overhead of debugging messages and calculations.
|
|
|
|
* Do not try to intercept a request after a failed rule. This fixes the
|
|
issue associated with an "Internal Error: Asked to intercept request
|
|
but was_intercepted is zero" error message.
|
|
|
|
* Added SecAuditLog2 directive to allow redundent concurrent audit log
|
|
index files. This will allow sending audit data to two consoles, etc.
|
|
|
|
* Small performance improvement in memory management for rule execution.
|
|
|
|
|
|
11 May 2007 - 2.2.0-dev1
|
|
-------------------------
|
|
|
|
* Add SecGeoLookupsDb, @geoLookups and GEO collection to support
|
|
geographical lookups by IP/host.
|
|
|
|
* Do not try to intercept a request after a failed rule. This fixes the
|
|
issue associated with an "Internal Error: Asked to intercept request
|
|
but was_intercepted is zero" error message.
|
|
|
|
* Removed extraneous exported symbols.
|
|
|
|
* Merged the PDF XSS protection functionality into ModSecurity.
|
|
|
|
* Exported API for registering custom variables. Example in api directory.
|
|
|
|
* Added experimental variables RESPONSE_CONTENT_LENGTH, RESPONSE_CONTENT_TYPE,
|
|
and RESPONSE_CONTENT_ENCODING.
|
|
|
|
* Added experimental support for content injection. Directive
|
|
SecContentInjection (On|Off) controls whether injection is taking place.
|
|
Actions "prepend" and "append" inject content when executed. Do note that
|
|
it is your responsibility to make sure the response is of the appropriate
|
|
content type (e.g. HTML, plain text, etc).
|
|
|
|
* Added string comparison operators with support for macro expansion:
|
|
@contains, @streq, @beginsWith and @endsWith.
|
|
|
|
* Enhanced debug log output to log macro expansion, quote values and
|
|
correctly display values that contained NULs.
|
|
|
|
* Removed support for %0 - %9 capture macros as they were incorrectly
|
|
expanding url encoded values. Use %{TX.0} - %{TX.9} instead.
|
|
|
|
* Added t:length to transform a value to its character length.
|
|
|
|
* Added t:trimLeft, t:trimRight, t:trim to remove whitespace
|
|
from a value on the left, right or both.
|
|
|
|
* Added SecAuditLog2 directive to allow redundent concurrent audit log
|
|
index files. This will allow sending audit data to two consoles, etc.
|
|
|
|
* Removed CGI style HTTP_* variables in favor of REQUEST_HEADERS:Header-Name.
|
|
|
|
* Store filename/line for each rule and display it and the ID (if available)
|
|
in the debug log when invoking a rule. Thanks to Christian Bockermann
|
|
for the idea.
|
|
|
|
* Do not log 'allow' action as intercepted in the debug log.
|
|
|
|
* Write debug log messages when "capture" is set, but the regex does not
|
|
capture and vice-versa.
|
|
|
|
* Small performance improvement in memory management for rule execution.
|
|
|
|
* Fixed some collection variable names not printing with the parameter
|
|
and/or counting operator in the debug log.
|
|
|
|
|
|
11 Apr 2007 - 2.1.1
|
|
-------------------
|
|
|
|
* Add the PCRE_DOLLAR_ENDONLY option when compiling regular expression
|
|
for the @rx operator and variables.
|
|
|
|
* Really set PCRE_DOTALL option when compiling the regular expression
|
|
for the @rx operator as the docs state.
|
|
|
|
* Fixed potential memory corruption when expanding macros.
|
|
|
|
* Fixed error when a collection was retrieved from storage in the same second
|
|
as creation by setting the rate to zero.
|
|
|
|
* Fixed ASCIIZ (NUL) parsing for application/x-www-form-urlencoded forms.
|
|
|
|
* Fixed the faulty REQUEST_FILENAME variable, which used to change
|
|
the internal Apache structures by mistake.
|
|
|
|
* Updates to quiet some compiler warnings.
|
|
|
|
* Fixed some casting issues for compiling on NetWare (patch from Guenter Knauf).
|
|
|
|
|
|
23 Feb 2007 - 2.1.0
|
|
-------------------
|
|
|
|
* Removed the "Connection reset by peer" message, which has nothing
|
|
to do with us. Actually the message was downgraded from ERROR to
|
|
NOTICE so it will still appear in the debug log.
|
|
|
|
* Removed the (harmless) message mentioning LAST_UPDATE_TIME missing.
|
|
|
|
* It was not possible to remove a rule placed in phase 4 using
|
|
SecRuleRemoveById or SecRuleRemoveByMsg. Fixed.
|
|
|
|
* Fixed a problem with incorrectly setting requestBodyProcessor using
|
|
the ctl action.
|
|
|
|
* Bundled Core Rules 2.1-1.3.2b4.
|
|
|
|
* Updates to the reference manual.
|
|
|
|
* Reversed the return values of @validateDTD and @validateSchema, to
|
|
make them consistent with other operators.
|
|
|
|
* Added a few helpful debug messages in the XML validation area.
|
|
|
|
* Updates to the reference manual.
|
|
|
|
* Fixed the validateByteRange operator.
|
|
|
|
* Default value for the status action is now 403 (as it was supposed to
|
|
be but it was effectively 500).
|
|
|
|
* Rule exceptions (removing using an ID range or an regular expression)
|
|
is now applied to the current context too. (Previously it only worked
|
|
on rules that are inherited from the parent context.)
|
|
|
|
* Fix of a bug with expired variables.
|
|
|
|
* Fixed regular expression variable selectors for many collections.
|
|
|
|
* Performance improvements - up to two times for real-life work loads!
|
|
|
|
* Memory consumption improvements (not measured but significant).
|
|
|
|
* The allow action did not work in phases 3 and 4. Fixed.
|
|
|
|
* Unlocked collections GLOBAL and RESOURCE.
|
|
|
|
* Added support for variable expansion in the msg action.
|
|
|
|
* New feature: It is now possible to make relative changes to the
|
|
audit log parts with the ctl action. For example: "ctl:auditLogParts=+E".
|
|
|
|
* New feature: "tag" action. To be used for event categorisation.
|
|
|
|
* XML parser was not reporting errors that occured at the end
|
|
of XML payload.
|
|
|
|
* Files were not extracted from request if SecUploadKeepFiles was
|
|
Off. Fixed.
|
|
|
|
* Regular expressions that are too long are truncated to 256
|
|
characters before used in error messages. (In order to keep
|
|
the error messages in the log at a reasonable size.)
|
|
|
|
* Fixed the sha1 transformation function.
|
|
|
|
* Fixed the skip action.
|
|
|
|
* Fixed REQUEST_PROTOCOL, REMOTE_USER, and AUTH_TYPE.
|
|
|
|
* SecRuleEngine did not work in child configuration contexts
|
|
(e.g. <Location>).
|
|
|
|
* Fixed base64Decode and base64Encode.
|
|
|
|
|
|
15 Nov 2006 - 2.0.4
|
|
-------------------
|
|
|
|
* Fixed the "deprecatevar" action.
|
|
|
|
* Decreasing variable values did not work.
|
|
|
|
* Made "nolog" do what it is supposed to do - cause a rule match to
|
|
not be logged. Also "nolog" now implies "noauditlog" but it's
|
|
possible to follow "nolog" with "auditlog" and have the match
|
|
not logged to the error log but logged to the auditlog. (Not
|
|
something that strikes me as useful but it's possible.)
|
|
|
|
* Relative paths given to SecDataDir will now be treated as relative
|
|
to the Apache server root.
|
|
|
|
* Added checks to make sure only correct actions are specified in
|
|
SecDefaultAction (some actions are required, some don't make any
|
|
sense) and in rules that are not chain starters (same). This should
|
|
make the unhelpful "Internal Error: Failed to add rule to the ruleset"
|
|
message go away.
|
|
|
|
* Fixed the problem when "SecRuleInheritance Off" is used in a context
|
|
with no rules defined.
|
|
|
|
* Fixed a problem of lost input (request body) data on some redirections,
|
|
for example when mod_rewrite is used.
|
|
|
|
|
|
26 Oct 2006 - 2.0.3
|
|
-------------------
|
|
|
|
* Fixed a memory leak (all platforms) and a concurrency control
|
|
problem that could cause a crash (multithreaded platforms only).
|
|
|
|
* Fixed a SecAuditLogRelevantStatus problem, which would not work
|
|
properly unless the regular expression contained a subexpression.
|
|
|
|
|
|
19 Oct 2006 - 2.0.2
|
|
-------------------
|
|
|
|
* Fixed incorrect permissions on the global mutex, which prevented
|
|
the mutex from working properly.
|
|
|
|
* Fixed incorrect actionset merging where the status was copied from
|
|
the child actionset even though it was not defined.
|
|
|
|
* Fixed missing metadata information (in the logs) for warnings.
|
|
|
|
|
|
16 Oct 2006 - 2.0.1
|
|
-------------------
|
|
|
|
* Rules that used operator negation did not work. Fixed.
|
|
|
|
* Fixed bug that prevented invalid regular expressions from being reported.
|
|
|
|
|
|
16 Oct 2006 - 2.0.0
|
|
-------------------
|
|
|
|
* First stable 2.x release.
|
|
|