v3.0.5 - 2021-Jul-07
--------------------

 - Handle URI received with uri-fragment
    [@martinhsv]
 - Having ARGS_NAMES, variables proxied
    [@zimmerle, @martinhsv, @KaNikita]
 - Use explicit path for cross-compile environments.
    [Issue #2485 - @dtoubelis]
 - Fix: FILES variable does not use multipart part name for key
    [Issue #2377 - @martinhsv]
 - Replaces put with setenv in SetEnv action
    [Issue #2469 - @martinhsv, @WGH-, @zimmerle]
 - Regression: Mark the test as failed in case of segfault.
    [@zimmerle]
 - Regex key selection should not be case-sensitive
    [Issue #2296, #2107, #2297 - @michaelgranzow-avi, @victorhora,
     @airween, @martinhsv, @zimmerle]
 - Fix: Only delete Multipart tmp files after rules have run
    [Issue #2427 - @martinhsv]
 - Fixed MatchedVar on chained rules
    [Issue #2423, #2435, #2436 - @michaelgranzow-avi]
 - Add support for new operator rxGlobal
    [@martinhsv]
 - Fix maxminddb link on FreeBSD
    [Issue #2131 - @granalberto, @zimmerle]
 - Fix IP address logging in Section A
    [Issue #2300 - @inaratech, @zavazingo, @martinhsv]
 - Adds support for Lua 5.4
    [@zimmerle]
 - GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE
    [Issues #2378, #2186 - @defanator]
 - rx: exit after full match (remove /g emulation); ensure capture
   groups occurring after unused groups still populate TX vars
    [Issue #2336 - @martinhsv]
 - Correct CHANGES file entry for #2234
 - Add support to test framework for audit log content verification
   and add regression tests for issues #2000, #2196
 - Support configurable limit on number of arguments processed
    [Issue #2234 - @jleproust, @martinhsv]
 - Multipart Content-Disposition should allow field: filename*=
    [@martinhsv]
 - Fix rule-update-target for non-regex
    [Issue #2251 - @martinhsv]
 - Fix configure script when packaging for Buildroot
    [Issue #2235 - @frankvanbever]
 - modsecurity.pc.in: add Libs.private
    [Issue #1918, #2253 - @ffontaine, @Dridi, @victorhora]

v3.0.4 - 2020-Jan-13
--------------------

 - Fix: audit log data omitted when nolog,auditlog
    [@martinhsv]
 - Fix: ModSecurity 3.x inspectFile operator does not pass
   FILES_TMPNAMES parameter to Lua engine
    [Issue #2204, #2205 - @kadirerdogan]
 - XML: Remove error messages from stderr
    [Issue #2010 - @JaiHarpalani, @zimmerle]
 - Filter comment or blank line for pmFromFile operator
    [Issue #1645 - @LeeShan87, @victorhora, @tdoubley]
 - Additional adjustment to Cookie header parsing
    [@martinhsv]
 - Restore chained rule part H logging to be more like 2.9 behaviour
    [Issue #2196 - @martinhsv]
 - Small fixes in log messages to help debugging the file upload
    [Issue #2130 - @airween]
 - Fix Cookie header parsing issues
    [Issue #2201 - @airween, @martinhsv]
 - Fix rules with nolog are logging to part H
    [Issue #2196 - @martinhsv]
 - Fix argument key-value pair parsing cases
    [Issue #1904 - @martinhsv]
 - Fix: audit log part for response body for JSON format to be E
    [Issue #2066 - @martinhsv, @zimmerle]
 - Make sure m_rulesMessages is filled after successful match
    [Issue #2000, #2048 - @victorhora, @defanator]
 - Fix @pm lookup for possible matches on offset zero.
    [@zimmerle, @afoxdavidi, @martinhsv, @marshal09]
 - Regex lookup on the key name instead of COLLECTION:key
    [@rdiperri-yottaa, @danbiagini-work, @mmelo-yottaa, @zimmerle]
 - Missing throw in Operator::instantiate
    [Issue #2106 - @marduone]
 - Making block action execution dependent on the SecEngine status
    [Issue #2113, #2111 - @theMiddleBlue, @airween]
 - Making block action execution dependent on the SecEngine status
    [Issue #1960 - @theMiddleBlue, @zimmerle, @airween, @victorhora]
 - Having body limits respect the rule engine state
    [@zimmerle]
 - Fix SecRuleUpdateTargetById does not match regular expressions
    [Issue #1872 - @zimmerle, @anush-cr, @victorhora, @j0k2r]
 - Adds missing check for runtime ctl:ruleRemoveByTag
    [Issue #2102, #2099 - @airween]
 - Adds a new operator verifySVNR that checks for Austrian social
   security numbers.
    [Issue #2063 - @Rufus125]
 - Fix variables output in debug logs
    [Issue #2057 - @jleproust]
 - Correct typo validade in log output
    [Issue #2059 - @nerrehmit]
 - fix/minor: Error encoding hexadecimal.
    [Issue #2068 - @tech-ozon-io]
 - Limit more log variables to 200 characters.
    [Issue #2073 - @jleproust]
 - parser: fix parsed file names
    [@zimmerle]
 - Allow empty anchored variable
    [Issue #2024 - @airween]
 - Fixed FILES_NAMES collection after the end of multipart parsing
    [Issue #2016 - @airween]
 - Fixed validateByteRange parsing method
    [Issue #2017 - @airween]
 - Removes a memory leak on the JSON parser
    [@zimmerle]
 - Enables LMDB on the regression tests.
    [Issue #2011, #2008 - @WGH-, @mdunc]
 - Fix: Extra whitespace in some configuration directives causing error
    [Issue #2006 - @porjo, @zimmerle]
 - Refactoring on Regex and SMatch classes.
    [@WGH-]
 - Fixed buffer overflow in Utils::Md5::hexdigest()
    [Issue #2002 - @defanator]
 - Implemented merge() method for ConfigInt, ConfigDouble, ConfigString
    [Issue #1990 - @defanator]
 - Adds initial support to the drop action.
    [@zimmerle]
 - Complete merging of particular rule properties
    [Issue #1978 - @defanator]
 - Replaces AC_CHECK_FILE with 'test -f'
    [Issue #1984 - @chuckwolber]
 - Fix inet addr handling on 64 bit big endian systems
    [Issue #1980 - @airween]
 - Fix tests on FreeBSD
    [Issue #1973 - @defanator]
 - Changes ENV test case to read the default MODSECURITY env var
    [Issue #1969 - @zimmerle, @airween, @inittab]
 - Regression: Sets MODSECURITY env var during the tests execution
    [Issue #1969 - @zimmerle, @airween, @inittab]
 - Fix setenv action to strdup key=variable
    [@zimmerle]
 - Allow 0 length JSON requests.
    [Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
 - Fix "make dist" target to include default configuration
    [Issue #1966 - @defanator]
 - Replaced log locking using mutex with fcntl lock
    [Issue #1949, #1927 - @Cloaked9000]
 - Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES
    [Issue #1959 - @weliu]
 - Adds support to multiple ranges in ctl:ruleRemoveById
    [Issue #1956 - @theseion, @victorhora, @zimmerle]
 - Rule variable interpolation broken
    [Issue #1961 - @soonum, @zimmerle]
 - Make the boundary check less strict as per RFC2046
    [Issue #1943 - @victorhora, @allanbomsft]
 - Fix buffer size for utf8toUnicode transformation
    [Issue #1208 - @katef, @victorhora]


v3.0.3 - 2018-Nov-05
--------------------

 - Fix double macros bug
    [Issue #1943 - @supplient, @zimmerle]
 - Override the default status code if not suitable to redirect action
    [Issue #1850 - @zimmerle, @victorhora]
 - parser: Fix the support for CRLF configuration files
    [Issue #1945 - @zimmerle, @defanator, @kjakub]
 - Organizes the server logs
    [0xb7c36 and 0x5ac20 - @zimmerle, @steven-j-wojcik]
 - m_lineNumber in Rule not mapping with the correct line number in file
    [Issue #1844 - @zimmerle, @victorhora, @xizeng]
 - Using shared_ptr instead of unique_ptr on rules exceptions
    [Issue #1697 - @zimmerle, @brianp9906, @victorhora, @LeSwiss, @defanator]
 - Changes debuglogs schema to avoid unnecessary str allocation
    [0xb2840 - @zimmerle]
 - Fix the SecUnicodeMapFile and SecUnicodeCodePage
    [0x3094d - @zimmerle, @victorhora]
 - Changes the timing to save the rule message
    [0xca270 - @zimmerle]
 - Fix crash in msc_rules_add_file() when using disruptive action in chain
    [Issue #1849 - @victorhora, @zimmerle, @rperper]
 - Fix memory leak in AuditLog::init()
    [Issue #1897 - @weliu]
 - Fix RulesProperties::appendRules()
    [Issue #1901 - @steven-j-wojcik]
 - Fix RULE lookup in chained rules
    [0x3077c - @zimmerle]
 - @ipMatch "Could not add entry" on slash/32 notation in 2.9.0
    [Issue #849 - @zimmerle, @dune73]
 - Using values after transformation at MATCHED_VARS
    [0x14316 - @zimmerle]
 - Adds support to UpdateActionById.
    [Issue #1800 - @zimmerle, @victorhora, @NisariAIT]
 - Add correct C function prototypes for msc_init and msc_create_rule_set
    [Issue #1922 - @steven-j-wojcik]
 - Allow LuaJIT 2.1 to be used
    [Issue #1909 - @victorhora, @mdunc]
 - Match m_id JSON log with RuleMessage and v2 format
    [Issue #1185 - @victorhora]
 - Adds support to setenv action.
    [Issue #1044 - @zimmerle]
 - Adds new transaction constructor that accepts the transaction id
   as parameter.
    [Issue #1627 - @defanator, @zimmerle]
 - Adds request IDs and URIs to the debug log
    [Issue #1627 - @defanator, @zimmerle]
 - Treating variables exception on load-time instead of run time.
    [0x028e0 and 0x275a1 - @zimmerle]
 - Fix: function m.setvar in Lua scripts and add testcases
    [Issue #1859 - @nowaits, @victorhora]
 - Fix SecResponseBodyAccess and ctl:requestBodyAccess directives
    [Issue #1531 - @victorhora, @defanator]
 - Fix OpenBSD build
    [Issue #1841 - @victorhora, @zimmerle, @juanfra684]
 - Fix parser to support GeoLookup with MaxMind
    [Issue #1884, #1895 - @victorhora, @everping]
 - parser: Fix simple quote setvar in the end of the line
    [Issue #1831 - @zimmerle, @csanders-git]
 - Fix pc file
    [Issue #1847 - @gquintard]
 - modsec_rules_check: uses the gnu `.la' instead of `.a' file
    [Issue #1853 - @ste7677, @victorhora, @zimmerle]
 - good practices: Initialize variables before using them
    [Issue #1889 - Marc Stern]
 - Fix utf-8 character encoding conversion
    [Issue #1794 - @tinselcity, @zimmerle]
 - Adds support for ctl:requestBodyProcessor=URLENCODED
    [Issue #1797 - @victorhora]
 - Add Lua compatibility for CentOS and try to use LuaJIT first if available
    [Issue #1622 - @victorhora, @dmitryzykov]
 - Allow LuaJIT to be used
    [Issue #1809 - @victorhora, @p0pr0ck5]
 - Implement support for Lua 5.1
    [Issue #1809 - @p0pr0ck5, @victorhora]
 - Variable names must match fully, not partially. Match should be case
   insensitive.
    [Issue #1818, #1820, #1810, #1808 - @michaelgranzow-avi, @victorhora,
     @theMiddleBlue, @airween, @zimmerle,
     @LeeShan87]
 - Improves the performance while loading the rules
    [Issue #1735 - @zimmerle, @p0pr0ck5, @victorhora]
 - Allow empty strings to be evaluated by regex::searchAll
    [Issue #1799, #1785 - @victorhora, @XuanHuyDuong, @zimmerle]
 - Adds basic pkg-config info
    [Issue #1790 - @gquintard, @zimmerle]
 - Fixed LMDB collection errors
    [Issue #1787 - @airween, @zimmerle]
 - Fixed false positive MULTIPART_UNMATCHED_BOUNDARY errors
    [Issue #1747, #1924 - @airween, @victorhora, @defanator, @zimmerle]
 - Fix ip tree lookup on netmask content
    [Issue #1793 - @tinselcity, @zimmerle]
 - Changes the behavior of the default sec actions
    [Issue #1629 - @mirkodziadzka-avi, @zimmerle, @victorhora]
 - Refactoring on {global,ip,resources,session,tx,user} collections
    [Issue #1754, #1778 - @LeeShan87, @zimmerle, @victorhora, @wwd5613,
     @sobigboy]
 - Fix race condition in UniqueId::uniqueId()
    [Issue #1786 - @weliu]
 - Fix memory leak in error message for msc_rules_merge C APIs
    [Issue #1765 - @weliu]
 - Return false in SharedFiles::open() when an error happens
    [Issue #1783 - @weliu]
 - Use rvalue reference in ModSecurity::serverLog
    [Issue #1769 - @weliu]
 - Build System: Fix when multiple lines for curl version.
    [Issue #1771 - @Artistan]
 - Checks if response body inspection is enabled before processing it
    [Issue #1643 - @zoltan-fedor, @dennus, @defanator, @zimmerle]
 - Code Cleanup.
    [Issue #1757, #1755, #1756, #1761 - @p0pr0ck5]
 - Fix setvar parsing of quoted data
    [Issue #1733, #1759, #1775 - @victorhora, @JaiHarpalani, @defanator]
 - Fix LDFLAGS for unit tests.
    [Issue #1758 - @smlx]
 - Adds time stamp back to the audit logs
    [Issue #1762 - @Pjack, @zimmerle]
 - Disables skip counter if debug log is disabled
    [@zimmerle]
 - Cosmetics: Represents amount of skipped rules without decimal
    [Issue #1737 - @p0pr0ck5]
 - Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser
    [Issue #1752 - @victorhora]
 - Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp.
    [Issue #1738 - @victorhora]
 - Fix memory leak in modsecurity::utils::expandEnv()
    [Issue #1750 - @defanator]
 - Initialize m_dtd member in ValidateDTD class as NULL
    [Issue #1751 - @airween]
 - Fix broken @detectxss operator regression test case
    [Issue #1739 - @p0pr0ck5]
 - Fix utils::string::ssplit() to handle delimiter in the end of string
    [Issue #1743, #1744 - @defanator]
 - Fix variable FILES_TMPNAMES
    [Issue #1646, #1610 - @victorhora, @zimmerle, @defanator]
 - Fix memory leak in Collections
    [Issue #1729, #1730 - @defanator]


v3.0.2 - 2018-Apr-03
--------------------

 - Fix lib version information while generating the .so file
    [@gl1f1v21, @zimmerle]

v3.0.1 - 2018-Apr-02
--------------------

 - Adds support for ctl:ruleRemoveByTag
    [@zimmerle, @weliu]
 - Fix SecUploadDir configuration merge
    [Issue #1720 - @zimmerle, @gjvanetten]
 - Include all prerequisites for "make check" into dist archive
    [Issue #1716 - @defanator]
 - Fix: Reverse logic of checking output in @inspectFile
    [Issue #1715 - @defanator]
 - Adds support to libMaxMind
    [Issue #1307 - @zimmerle, @defanator]
 - Adds capture action to detectXSS
    [Issue #1698 - @victorhora]
 - Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator
    [Issue #1701 - @victorhora]
 - Adds capture action to detectSQLi
    [Issue #1698 - @zimmerle]
 - Adds capture action to rbl
    [Issue #1698 - @zimmerle]
 - Adds capture action to verifyCC
    [Issue #1698 - @michaelgranzow-avi, @zimmerle]
 - Adds capture action to verifySSN
    [Issue #1698 - @zimmerle]
 - Adds capture action to verifyCPF
    [Issue #1698 - @zimmerle]
 - Prettier error messages for unsupported configurations (UX)
    [@victorhora]
 - Add missing verify*** transformation statements to parser
    [Issue #1006 and #1007 - @victorhora]
 - Fix a set of compilation warnings
    [Issue #1650 - @zimmerle, @JayCase]
 - Check for disruptive action on SecDefaultAction.
    [Issue #1614 - @zimmerle, @michaelgranzow-avi]
 - Fix block-block infinite loop.
    [Issue #1614 - @zimmerle, @michaelgranzow-avi]
 - Correct remove_by_tag and remove_by_msg logic.
    [Issue #1636 - @Minasu]
 - Fix LMDB compile error
    [Issue #1691 - @airween]
 - Fix msc_who_am_i() to return pointer to a valid C string
    [Issue #1640 - @defanator]
 - Added some cosmetics to autoconf related code
    [Issue #1652 - @airween]
 - Fix "make dist" target to include necessary headers for Lua
    [Issue #1678 - @defanator]
 - Fix "include /foo/*.conf" for single matched object in directory
    [Issue #1677 - @defanator, @zimmerle]
 - Add missing Base64 transformation statements to parser
    [Issue #1632 - @victorhora, @zimmerle]
 - Fixed resource load on ip match from file
    [Issue #1674 - @zimmerle, @StefaanSeys]
 - Fixed examples compilation while using disable-shared
    [Issue #1670 - @zimmerle, @ivanbaldo]
 - Fixed compilation issue while xml is disabled
    [0x243028 - @zimmerle]
 - Having LDADD and LDFLAGS organized on Makefile.am
    [0xd0e85e - @zimmerle]
 - Checking std::deque size before using it
    [0x217cbf - @zimmerle, Yaron Dayagi]
 - perf improvement: Added the concept of RunTimeString and removed
   all run-time parsing.
    [0x3eae51 0x0320e0 0xb5688f 0xfe47a9 0xfa9842 0x1affc3 0x079de4
     0xc7c04f 0x5262ea 0x01974a 0xd5ee1e - @zimmerle]
 - perf improvement: Checks debuglog level before formatting debug msg
    [0x42ee9 - @zimmerle]
 - perf. improvement/rx: Only compute dynamic regex in case of macro
    [0x91ff3 - @zimmerle]
 - Fix URI on the benchmark utility
    [0x63bec - @zimmerle]
 - disable Lua on systems with liblua5.1
    [Issue #1639 - @victorhora, @defanator]

v3.0.0 - 2017-Dec-13
--------------------

 - Improvements on Lua build scripts and support for Lua 5.2.
    [Issue #1617 and #1622 - @victorhora, @zimmerle]
 - Fix compilation error with disable_debug_log flag
    [0xfd84e - Izik Abramov]
 - Improvements on the benchmark tool.
    [Issue #1615 - @zimmerle]
 - Fix Lua headers on the build scripts
    [Issue #1621 - @Minasu]
 - Refactoring on the JSON parser.
    [Issue #1576, #1577 - Tobias Gutknecht, @zimmerle, @victorhora, @marcstern]
 - Adds support to WEBAPPID variable.
    [Issue #1027 - @zimmerle, @victorhora]
 - Adds support for SecWebAppId.
    [Issue #1442 - @zimmerle, @victorhora]
 - Adds support for SecRuleRemoveByTag.
    [Issue #1476 - @zimmerle, @victorhora]
 - Adds support for update target by message.
    [Issue #1474 - @zimmerle, @victorhora]
 - Adds support to SecRuleScript directive.
    [Issue #994 - @zimmerle]
 - Adds support for the exec action.
    [Issue #1050 - @zimmerle]
 - Adds support for transformations inside Lua engine
    [Issue #994 - @zimmerle]
 - Adds initial support for Lua engine.
    [Issue #994 - @zimmerle]
 - Adds support for @inspectFile operator.
    [Issue #999 - @zimmerle, @victorhora]
 - Adds support for RESOURCE variable collection.
    [Issue #1014 - @zimmerle, @victorhora]
 - Adds support for @fuzzyHash operator.
    [Issue #997 - @zimmerle]
 - Fix build on non-x86 architectures
    [Issue #1598 - @athmane]
 - Fix memory issue while changing rule target dynamically
    [Issue #1590 - @zimmerle, @slabber]
 - Fix log while displaying the name of a dict selection by regex.
    [@zimmerle]
 - Setting http response code on the auditlog.
    [Issue #1592 - @zimmerle]
 - Refactoring on RuleMessage class, now accepting http code as parameter.
    [@zimmerle]
 - Having disruptive msgs as disruptive [instead of warnings] on audit log
    [Issue #1592 - @zimmerle, @nobodysz]
 - Parser: Pipes are no longer welcome inside regex dict element selection.
    [Issue #1591 - @zimmerle, @slabber]
 - Avoids unicode initialization on every rules object
    [Issue #1563 - @zimmerle, @Tiki-God, @sethinsd, @Cloaked9000, @AnoopAlias,
     @intelbg]
 - Makes clear to the user whenever the audit log is empty due to missing
   JSON support.
    [Issue #1585 - @zimmerle]
 - Makes auditlog more verbose on debug logs
    [Issue #1559 - @zimmerle]
 - Enable support for AuditLogFormat
    [Issue #1583, #1493 and #1453 - @victorhora]
 - Adds macro expansion for @rx operator
    [Issue #1528, #1536 - @asterite3, @zimmerle]
 - Considers under-quoted variables while loading the rules.
    [Felipe Zimmerle/@zimmerle, Victor Hora/@victorhora]
 - Store the connection and url parameters in std::string
    [Issue #1571 - @majordaw]
 - Eliminate some reorder and sign warnings
    [Issue #1572 - Dávid Major/@majordaw]
 - Makes parallel logging work when SELinux is enabled.
    [Issue #1562 - David Buckle/@met3or]
 - Adds possibility to run the pm operator inside a mutex to avoid concurrent
   access while working in a threaded environment. This option is a compilation
   flag.
    [Felipe Zimmerle/@zimmerle]


v3.0.0-rc1 - 2017-Aug-28
------------------------

 Very first public version.