Merge 2.5.x (2.5.12) changes into trunk.

2025-09-29 19:24:29 +03:00 · 2010-02-05 19:05:20 +00:00
parent ed11e27e0f
commit 08edc0c26f
54 changed files with 3170 additions and 330 deletions
--- a/modsecurity.conf-minimal
+++ b/modsecurity.conf-minimal
@@ -4,10 +4,15 @@ SecRuleEngine On
 SecRequestBodyAccess On
 SecResponseBodyAccess Off

+# PCRE Tuning
+SecPcreMatchLimit 1000
+SecPcreMatchLimitRecursion 1000
+
 # Handling of file uploads
 # TODO Choose a folder private to Apache.
 # SecUploadDir /opt/apache-frontend/tmp/
 SecUploadKeepFiles Off
+SecUploadFileLimit 10

 # Debug log
 SecDebugLog logs/modsec_debug.log
@@ -53,8 +58,19 @@ DA %{MULTIPART_DATA_AFTER}, \
 HF %{MULTIPART_HEADER_FOLDING}, \
 LF %{MULTIPART_LF_LINE}, \
 SM %{MULTIPART_SEMICOLON_MISSING}, \
-IQ %{MULTIPART_INVALID_QUOTING}'"
+IQ %{MULTIPART_INVALID_QUOTING}, \
+IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

 # Did we see anything that might be a boundary?
 SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
 "phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+# Some internal errors will set flags in TX and we will need to look for these.
+# All of these are prefixed with "MSC_".  The following flags currently exist:
+#
+# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
+#
+SecRule TX:/^MSC_/ "!@streq 0" \
+        "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+