1v3.0.5 - 2021-Jul-07
2--------------------
3
4  - Handle URI received with uri-fragment
5    [@martinhsv]
6  - Having ARGS_NAMES, variables proxied
7    [@zimmerle, @martinhsv, @KaNikita]
8  - Use explicit path for cross-compile environments.
9    [Issue #2485 - @dtoubelis]
10  - Fix: FILES variable does not use multipart part name for key
11    [Issue #2377 - @martinhsv]
12  - Replaces put with setenv in SetEnv action
13    [Issue #2469 - @martinhsv, @WGH-, @zimmerle]
14  - Regression: Mark the test as failed in case of segfault.
15    [@zimmerle]
16  - Regex key selection should not be case-sensitive
17    [Issue #2296, #2107, #2297 - @michaelgranzow-avi, @victorhora,
18                                 @airween, @martinhsv, @zimmerle]
19  - Fix: Only delete Multipart tmp files after rules have run
20    [Issue #2427 - @martinhsv]
21  - Fixed MatchedVar on chained rules
22    [Issue #2423, #2435, #2436 - @michaelgranzow-avi]
23  - Add support for new operator rxGlobal
24    [@martinhsv]
25  - Fix maxminddb link on FreeBSD
26    [Issue #2131 - @granalberto, @zimmerle]
27  - Fix IP address logging in Section A
28    [Issue #2300 - @inaratech, @zavazingo, @martinhsv]
29  - Adds support to lua 5.4
30    [@zimmerle]
31  - GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE
32    [Issues #2378, #2186 - @defanator]
33  - rx: exit after full match (remove /g emulation); ensure capture
34    groups occuring after unused groups still populate TX vars
35    [Issue #2336 - @martinhsv]
36  - Correct CHANGES file entry for #2234
37  - Add support to test framework for audit log content verification
38    and add regression tests for issues #2000, #2196
39  - Support configurable limit on number of arguments processed
40    [Issue #2234 - @jleproust, @martinhsv]
41  - Multipart Content-Dispostion should allow field: filename*=
42    [@martinhsv]
43  - Fix rule-update-target for non-regex
44    [Issue 2251 - @martinhsv]
45  - Fix configure script when packaging for Buildroot
46    [Issue 2235 - @frankvanbever]
47  - modsecurity.pc.in: add Libs.private
48    [Issue #1918, #2253 - @ffontaine, @Dridi, @victorhora]
49
50v3.0.4 - 2020-Jan-13
51--------------------
52
53 - Fix: audit log data omitted when nolog,auditlog
54   [@martinhsv]
55 - Fix: ModSecurity 3.x inspectFile operator does not pass
56   FILES_TMPNAMES parameter to lua engine
57   [Issue #2204, #2205 - @kadirerdogan]
58 - XML: Remove error messages from stderr
59   [Issue #2010 - @JaiHarpalani, @zimmerle]
60 - Filter comment or blank line for pmFromFile operator
61   [Issue #1645 - @LeeShan87, @victorhora, @tdoubley]
62 - Additional adjustment to Cookie header parsing
63   [@martinhsv]
64 - Restore chained rule part H logging to be more like 2.9 behaviour
65   [Issue #2196 - @martinhsv]
66 - Small fixes in log messages to help debugging the file upload
67   [Issue #2130 - @airween]
68 - Fix Cookie header parsing issues
69   [Issue #2201 - @airween, @martinhsv]
70 - Fix rules with nolog are logging to part H
71   [Issue #2196 - @martinhsv]
72 - Fix argument key-value pair parsing cases
73   [Issue #1904 - @martinhsv]
74 - Fix: audit log part for response body for JSON format to be E
75   [Issue #2066 - @martinhsv, @zimmerle]
76 - Make sure m_rulesMessages is filled after successfull match
77   [Issue #2000, #2048 - @victorhora, @defanator]
78 - Fix @pm lookup for possible matches on offset zero.
79   [@zimmerle, @afoxdavidi, @martinhsv, @marshal09]
80 - Regex lookup on the key name instead of COLLECTION:key
81   [@rdiperri-yottaa, @danbiagini-work, @mmelo-yottaa, @zimmerle]
82 - Missing throw in Operator::instantiate
83   [Issue #2106 - @marduone]
84 - Making block action execution dependent of the SecEngine status
85   [Issue #2113, #2111 - @theMiddleBlue, @airween]
86 - Making block action execution dependent of the SecEngine status
87   [Issue #1960 - @theMiddleBlue, @zimmerle, @airween, @victorhora]
88 - Having body limits to respect the rule engine state
89   [@zimmerle]
90 - Fix SecRuleUpdateTargetById does not match regular expressions
91   [Issue #1872 - @zimmerle, @anush-cr, @victorhora, @j0k2r]
92 - Adds missing check for runtime ctl:ruleRemoveByTag
93   [Issue #2102, #2099 - @airween]
94 - Adds a new operator verifySVNR that checks for Austrian social
95   security numbers.
96   [Issue #2063 - @Rufus125]
97 - Fix variables output in debug logs
98   [Issue #2057 - @jleproust]
99 - Correct typo validade in log output
100   [Issue #2059 - @nerrehmit]
101 - fix/minor: Error encoding hexa decimal.
102   [Issue #2068 - @tech-ozon-io]
103 - Limit more log variables to 200 characters.
104   [Issue #2073 - @jleproust]
105 - parser: fix parsed file names
106   [@zimmerle]
107 - Allow empty anchored variable
108   [Issue #2024 - @airween]
109 - Fixed FILES_NAMES collection after the end of multipart parsing
110   [Issue #2016 - @airween]
111 - Fixed validateByteRange parsing method
112   [Issue #2017 - @airween]
113 - Removes a memory leak on the JSON parser
114   [@zimmerle]
115 - Enables LMDB on the regression tests.
116   [Issue #2011, #2008 - @WGH-, @mdunc]
117 - Fix: Extra whitespace in some configuration directives causing error
118   [Issue #2006 - @porjo, @zimmerle]
119 - Refactoring on Regex and SMatch classes.
120   [@WGH-]
121 - Fixed buffer overflow in Utils::Md5::hexdigest()
122   [Issue #2002 - @defanator]
123 - Implemented merge() method for ConfigInt, ConfigDouble, ConfigString
124   [Issue #1990 - @defanator]
125 - Adds initially support to the drop action.
126   [@zimmerle]
127 - Complete merging of particular rule properties
128   [Issue #1978 - @defanator]
129 - Replaces AC_CHECK_FILE with 'test -f'
130   [Issue #1984 - @chuckwolber]
131 - Fix inet addr handling on 64 bit big endian systems
132   [Issue #1980 - @airween]
133 - Fix tests on FreeBSD
134   [Issue #1973 - @defanator]
135 - Changes ENV test case to read the default MODSECURTIY env var
136   [Issue #1969 - @zimmerle, @airween, @inittab]
137 - Regression: Sets MODSECURITY env var during the tests execution
138   [Issue #1969 - @zimmerle, @airween, @inittab]
139 - Fix setenv action to strdup key=variable
140   [@zimmerle]
141 - Allow 0 length JSON requests.
142   [Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
143 - Fix "make dist" target to include default configuration
144   [Issue #1966 - @defanator]
145 - Replaced log locking using mutex with fcntl lock
146   [Issue #1949, #1927 - @Cloaked9000]
147 - Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES
148   [Issue #1959 - @weliu]
149 - Adds support to multiple ranges in ctl:ruleRemoveById
150   [Issue #1956 - @theseion, @victorhora, @zimmerle]
151 - Rule variable interpolation broken
152   [Issue #1961 - @soonum, @zimmerle]
153 - Make the boundary check less strict as per RFC2046
154   [Issue #1943 - @victorhora, @allanbomsft]
155 - Fix buffer size for utf8toUnicode transformation
156   [Issue #1208 - @katef, @victorhora]
157
158
159v3.0.3 - 2018-Nov-05
160--------------------
161
162 - Fix double macros bug
163   [Issue #1943 - @supplient, @zimmerle]
164 - Override the default status code if not suitable to redirect action
165   [Issue #1850 - @zimmerle, @victorhora]
166 - parser: Fix the support for CRLF configuration files
167   [Issue #1945 - @zimmerle, @defanator, @kjakub]
168 - Organizes the server logs
169   [0xb7c36 and 0x5ac20 - @zimmerle, @steven-j-wojcik]
170 - m_lineNumber in Rule not mapping with the correct line number in file
171   [Issue #1844 - @zimmerle, @victorhora, @xizeng]
172 - Using shared_ptr instead of unique_ptr on rules exceptions
173   [Issue #1697 - @zimmerle, @brianp9906, @victorhora, @LeSwiss, @defanator]
174 - Changes debuglogs schema to avoid unecessary str allocation
175   [0xb2840 - @zimmerle]
176 - Fix the SecUnicodeMapFile and SecUnicodeCodePage
177   [0x3094d - @zimmerle, @victorhora]
178 - Changes the timing to save the rule message
179   [0xca270 - @zimmerle]
180 - Fix crash in msc_rules_add_file() when using disruptive action in chain
181   [Issue #1849 - @victorhora, @zimmerle, @rperper]
182 - Fix memory leak in AuditLog::init()
183   [Issue #1897 - @weliu]
184 - Fix RulesProperties::appendRules()
185   [Issue #1901 - @steven-j-wojcik]
186 - Fix RULE lookup in chained rules
187   [0x3077c - @zimmerle]
188 - @ipMatch "Could not add entry" on slash/32 notation in 2.9.0
189   [Issue #849 - @zimmerle, @dune73]
190 - Using values after transformation at MATCHED_VARS
191   [0x14316 - @zimmerle]
192 - Adds support to UpdateActionById.
193   [Issue #1800 - @zimmerle, @victorhora, @NisariAIT]
194 - Add correct C function prototypes for msc_init and msc_create_rule_set
195   [Issue #1922 - @steven-j-wojcik]
196 - Allow LuaJIT 2.1 to be used
197   [Issue #1909 - @victorhora, @mdunc]
198 - Match m_id JSON log with RuleMessage and v2 format
199   [Issue #1185 - @victorhora]
200 - Adds support to setenv action.
201   [Issue #1044 - @zimmerle]
202 - Adds new transaction constructor that accepts the transaction id
203   as parameter.
204   [Issue #1627 - @defanator, @zimmerle]
205 - Adds request IDs and URIs to the debug log
206   [Issue #1627 - @defanator, @zimmerle]
207 - Treating variables exception on load-time instead of run time.
208   [0x028e0 and 0x275a1 - @zimmerle]
209 - Fix: function m.setvar in Lua scripts and add testcases
210   [Issue #1859 - @nowaits, @victorhora]
211 - Fix SecResponseBodyAccess and ctl:requestBodyAccess directives
212   [Issue #1531 - @victorhora, @defanator]
213 - Fix OpenBSD build
214   [Issue #1841 - @victorhora, @zimmerle, @juanfra684]
215 - Fix parser to support GeoLookup with MaxMind
216   [Issue #1884, #1895 - @victorhora, @everping]
217 - parser: Fix simple quote setvar in the end of the line
218   [Issue #1831 - @zimmerle, @csanders-git]
219 - Fix pc file
220   [Issue #1847 - @gquintard]
221 - modsec_rules_check: uses the gnu `.la' instead of `.a' file
222   [Issue #1853 - @ste7677, @victorhora, @zimmerle]
223 - good practices: Initialize variables before use it
224   [Issue #1889 - Marc Stern]
225 - Fix utf-8 character encoding conversion
226   [Issue #1794 - @tinselcity, @zimmerle]
227 - Adds support for ctl:requestBodyProcessor=URLENCODED
228   [Issue #1797 - @victorhora]
229 - Add LUA compatibility for CentOS and try to use LuaJIT first if available
230   [Issue #1622 - @victorhora, @dmitryzykov]
231 - Allow LuaJIT to be used
232   [Issue #1809 - @victorhora, @p0pr0ck5]
233 - Implement support for Lua 5.1
234   [Issue #1809 - @p0pr0ck5, @victorhora]
235 - Variable names must match fully, not partially. Match should be case
236   insensitive.
237   [Issue #1818, #1820, #1810, #1808 - @michaelgranzow-avi, @victorhora,
238                                       @theMiddleBlue, @airween, @zimmerle,
239                                       @LeeShan87]
240 - Improves the performance while loading the rules
241   [Issue #1735 - @zimmerle, @p0pr0ck5, @victorhora]
242 - Allow empty strings to be evaluated by regex::searchAll
243   [Issue #1799, #1785 - @victorhora, @XuanHuyDuong, @zimmerle]
244 - Adds basic pkg-config info
245   [Issue #1790 - @gquintard, @zimmerle]
246 - Fixed LMDB collection errors
247   [Issue #1787 - @airween, @zimmerle]
248 - Fixed false positive MULTIPART_UNMATCHED_BOUNDARY errors
249   [Issue #1747, #1924 - @airween, @victorhora, @defanator, @zimmerle]
250 - Fix ip tree lookup on netmask content
251   [Issue #1793 - @tinselcity, @zimmerle]
252 - Changes the behavior of the default sec actions
253   [Issue #1629 - @mirkodziadzka-avi, @zimmerle, @victorhora]
254 - Refactoring on {global,ip,resources,session,tx,user} collections
255   [Issue #1754, #1778 - @LeeShan87, @zimmerle, @victorhora, @wwd5613,
256                         @sobigboy]
257 - Fix race condition in UniqueId::uniqueId()
258   [Issue #1786 - @weliu]
259 - Fix memory leak in error message for msc_rules_merge C APIs
260   [Issue #1765 - @weliu]
261 - Return false in SharedFiles::open() when an error happens
262   [Issue #1783 - @weliu]
263 - Use rvalue reference in ModSecurity::serverLog
264   [Issue #1769 - @weliu]
265 - Build System: Fix when multiple lines for curl version.
266   [Issue #1771 - @Artistan]
267 - Checks if response body inspection is enabled before process it
268   [Issue #1643 - @zoltan-fedor, @dennus, @defanator, @zimmerle]
269 - Code Cleanup.
270   [Issue #1757, #1755, #1756, #1761 - @p0pr0ck5]
271 - Fix setvar parsing of quoted data
272   [Issue #1733, #1759, #1775 - @victorhora, @JaiHarpalani, @defanator]
273 - Fix LDFLAGS for unit tests.
274   [Issue #1758 - @smlx]
275 - Adds time stamp back to the audit logs
276   [Issue #1762 - @Pjack, @zimmerle]
277 - Disables skip counter if debug log is disabled
278   [@zimmerle]
279 - Cosmetics: Represents amount of skipped rules without decimal
280   [Issue #1737 - @p0pr0ck5]
281 - Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser
282   [Issue #1752 - @victorhora]
283 - Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp.
284   [Issue #1738 - @victorhora]
285 - Fix memory leak in modsecurity::utils::expandEnv()
286   [Issue #1750 - @defanator]
287 - Initialize m_dtd member in ValidateDTD class as NULL
288   [Issue #1751 - @airween]
289 - Fix broken @detectxss operator regression test case
290   [Issue #1739 - @p0pr0ck5]
291 - Fix utils::string::ssplit() to handle delimiter in the end of string
292   [Issue #1743, #1744 - @defanator]
293 - Fix variable FILES_TMPNAMES
294   [Issue #1646, #1610 - @victorhora, @zimmerle, @defanator]
295 - Fix memory leak in Collections
296   [Issue #1729, #1730 - @defanator]
297
298
299v3.0.2 - 2018-Apr-03
300--------------------
301
302 - Fix lib version information while generating the .so file
303   [@gl1f1v21, @zimmerle]
304
305v3.0.1 - 2018-Apr-02
306--------------------
307
308 - Adds support for ctl:ruleRemoveByTag
309   [@zimmerle, @weliu]
310 - Fix SecUploadDir configuration merge
311   [Issue #1720 - @zimmerle, @gjvanetten]
312 - Include all prerequisites for "make check" into dist archive
313   [Issue #1716 - @defanator]
314 - Fix: Reverse logic of checking output in @inspectFile
315   [Issue #1715 - @defanator]
316 - Adds support to libMaxMind
317   [Issue #1307 - @zimmerle, @defanator]
318 - Adds capture action to detectXSS
319   [Issue #1698 - @victorhora]
320 - Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator
321   [Issue #1701 - @victorhora]
322 - Adds capture action to detectSQLi
323   [Issue #1698 - @zimmerle]
324 - Adds capture action to rbl
325   [Issue #1698 - @zimmerle]
326 - Adds capture action to verifyCC
327   [Issue #1698 - @michaelgranzow-avi, @zimmerle]
328 - Adds capture action to verifySSN
329   [Issue #1698 - @zimmerle]
330 - Adds capture action to verifyCPF
331   [Issue #1698 - @zimmerle]
332 - Prettier error messages for unsupported configurations (UX)
333   [@victorhora]
334 - Add missing verify*** transformation statements to parser
335   [Issue #1006 and #1007 - @victorhora]
336 - Fix a set of compilation warnings
337   [Issue #1650 - @zimmerle, @JayCase]
338 - Check for disruptive action on SecDefaultAction.
339   [Issue #1614 - @zimmerle, @michaelgranzow-avi]
340 - Fix block-block infinite loop.
341   [Issue #1614 - @zimmerle, @michaelgranzow-avi]
342 - Correction remove_by_tag and remove_by_msg logic.
343   [Issue #1636 - @Minasu]
344 - Fix LMDB compile error
345   [Issue #1691 - @airween]
346 - Fix msc_who_am_i() to return pointer to a valid C string
347   [Issue #1640 - @defanator]
348 - Added some cosmetics to autoconf related code
349   [Issue #1652 - @airween]
350 - Fix "make dist" target to include necessary headers for Lua
351   [Issue #1678 - @defanator]
352 - Fix "include /foo/*.conf" for single matched object in directory
353   [Issue #1677 - @defanator, @zimmerle]
354 - Add missing Base64 transformation statements to parser
355   [Issue #1632 - @victorhora, @zimmerle]
356 - Fixed resource load on ip match from file
357   [#1674 - @zimmerle, @StefaanSeys]
358 - Fixed examples compilation while using disable-shared
359   [#1670 - @zimmerle, @ivanbaldo]
360 - Fixed compilation issue while xml is disabled
361   [0x243028 - @zimmerle]
362 - Having LDADD and LDFLAGS organized on Makefile.am
363   [0xd0e85e - @zimmerle]
364 - Checking std::deque size before use it
365   [0x217cbf - @zimmerle, Yaron Dayagi]
366 - perf improvement: Added the concept of RunTimeString and removed
367   all run time parser.
368   [0x3eae51 0x0320e0 0xb5688f 0xfe47a9 0xfa9842 0x1affc3 0x079de4
369    0xc7c04f 0x5262ea 0x01974a 0xd5ee1e - @zimmerle]
370 - perf improvement: Checks debuglog level before format debug msg
371   [0x42ee9 - @zimmerle]
372 - perf. improvement/rx: Only compute dynamic regex in case of macro
373   [0x91ff3 - @zimmerle]
374 - Fix uri on the benchmark utility
375   [0x63bec - @zimmerle]
376 - disable Lua on systems with liblua5.1
377   [Issue #1639 - @victorhora, @defanator]
378
379v3.0.0 - 2017-Dec-13
380--------------------
381
382 - Improvements on LUA build scripts and support for LUA 5.2.
383   [Issue #1617 and #1622 - @victorhora, @zimmerle]
384 - Fix compilation error with disable_debug_log flag
385   [0xfd84e - Izik Abramov]
386 - Improvements on the benchmark tool.
387   [Issue #1615 - @zimmerle]
388 - Fix lua headers on the build scripts
389   [Issue #1621 - @Minasu]
390 - Refactoring on the JSON parser.
391   [Issue #1576, #1577 - Tobias Gutknecht, @zimmerle, @victorhora, @marcstern]
392 - Adds support to WEBAPPID variable.
393   [Issue #1027 - @zimmerle, @victorhora]
394 - Adds support for SecWebAppId.
395   [Issue #1442 - @zimmerle, @victorhora]
396 - Adds support for SecRuleRemoveByTag.
397   [Issue #1476 - @zimmerle, @victorhora]
398 - Adds support for update target by message.
399   [Issue #1474 - @zimmerle, @victorhora]
400 - Adds support to SecRuleScript directive.
401   [Issue #994 - @zimmerle]
402 - Adds support for the exec action.
403   [Issue #1050 - @zimmerle]
404 - Adds support for transformations inside Lua engine
405   [Issue #994 - @zimmerle]
406 - Adds initial support for Lua engine.
407   [Issue #994 - @zimmerle]
408 - Adds support for @inspectFile operator.
409   [Issue #999 - @zimmerle, @victorhora]
410 - Adds support for RESOURCE variable collection.
411   [Issue #1014 - @zimmerle, @victorhora]
412 - Adds support for @fuzzyHash operator.
413   [Issue #997 - @zimmerle]
414 - Fix build on non x86 arch build
415   [Issue #1598 - @athmane]
416 - Fix memory issue while changing rule target dynamic
417   [Issue #1590 - @zimmerle, @slabber]
418 - Fix log while displaying the name of a dict selection by regex.
419   [@zimmerle]
420 - Setting http response code on the auditlog.
421   [Issue #1592 - @zimmerle]
422 - Refactoring on RuleMessage class, now accepting http code as parameter.
423   [@zimmerle]
424 - Having disruptive msgs as disruptive [instead of warnings] on audit log
425   [Issue #1592 - @zimmerle, @nobodysz]
426 - Parser: Pipes are no longer welcomed inside regex dict element selection.
427   [Issue #1591 - @zimmerle, @slabber]
428 - Avoids unicode initialization on every rules object
429   [Issue #1563 - @zimmerle, @Tiki-God, @sethinsd, @Cloaked9000, @AnoopAlias,
430                  @intelbg]
431 - Makes clear to the user whenever the audit log is empty due to missing
432   JSON support.
433   [Issue #1585 - @zimmerle]
434 - Makes auditlog more verbose on debug logs
435   [Issue: #1559 - @zimmerle]
436 - Enable support for AuditLogFormat
437   Issue: #1583, #1493 and #1453 - @victorhora]
438 - Adds macro expansion for @rx operator
439   [Issue: #1528, #1536 - @asterite3, @zimmerle]
440 - Consideres under quoted variable while loading the rules.
441   [Felipe Zimmerle/@zimmerle, Victor Hora/@victorhora]
442 - Store the connection and url parameters in std::string
443   [Issue: #1571 - @majordaw]
444 - Eliminate some reorder and sign warnings
445   [Issue: #1572 - Dávid Major/@majordaw]
446 - Makes parallel logging to work when SELinux is enabled.
447   [Issue: #1562 - David Buckle/@met3or]
448 - Adds possibility to run the pm operator inside a mutex to avoid concurrent
449   access while working on a thread environment. This option is a compilation
450   flag.
451   [Felipe Zimmerle/@zimmerle]
452
453
454v3.0.0-rc1 - 2017-Aug-28
455------------------------
456
457 Very first public version.
458
459