diff --git a/CHANGES b/CHANGES index de1386f2..12f1f9d7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,34 +1,18 @@ -14 Feb 2008 - 2.5.0-rc4 ------------------------ +19 Feb 2008 - 2.5.0 +------------------- - * Cleaned up build process for unit tests. + * Updated included Core Ruleset to version 1.6.0 which uses 2.5 features. + + * Cleaned up and clarified some documentation. * Updated code to be more portable so it builds with MS VC++. - -11 Feb 2008 - 2.5.0-rc3 ------------------------ - - * Updated included Core Ruleset to version 1.6.0-rc3 using 2.5 features. - - * Update some more unit tests. - - * Fixed new string operators not matching with an empty string pattern. - - * Cleaned up some string formatters as to not generate compile warnings. - - * Fixed crash on startup when using "none" transformation in Lua rule. + * Added unit tests for most operators and transformations. * Fixed crash on startup when ENV is improperly used without a parameter. * Allow macro resolution in setenv action. - * Cleaned up the configure process. - - -29 Jan 2008 - 2.5.0-rc2 ------------------------ - * The default action is now a minimal "phase:2,log,pass" with no default transformations performed. 
@@ -38,30 +22,18 @@ * Implemented SecRuleUpdateActionById. - * Fixed removal of chained rules via ctl:ruleRemoveById. - * Fixed removal of phase 5 rules via SecRuleRemoveBy* directives. * No longer log the query portion of the URI in the error log as it may contain sensitive data. - * Cleanup documentation. - * Build is now 'configure' based: ./configure && make && make install - -21 Dec 2007 - 2.5.0-rc1 ------------------------ - -Changes since 2.5.0-dev2: - * Added support for Lua scripting in the following ways: SecRuleScript can be used to specify a script to execute as a rule, the exec - action processes Lua scripts internally, and does the @inspectFile + action processes Lua scripts internally, as does the @inspectFile operator. Refer to the documentation for more details. - * Updated included Core Ruleset to version 1.5.1. - * Changed how allow works. Used on its own it now allows phases 1-4. Used with parameter "phase" (e.g. SecAction allow:phase) it only affects the current phase. Used with parameter "request" it allows phases @@ -70,9 +42,6 @@ Changes since 2.5.0-dev2: * Fixed issue where only the first phase 5 rule would run when the request was intercepted in an earlier phase. - * Updated included Core Ruleset to version 1.5 and noted in the docs that - XML support is required to use the rules without modification. - * Stricter configuration parsing. Disruptive actions, meta actions and phases are no longer allowed in a chained rule. Disruptive actions, are no longer allowed in a logging phase (phase 5) rule, including @@ -93,8 +62,6 @@ Changes since 2.5.0-dev2: * Enhance handling of the case where we run out of disk space while writing to audit log entry. - * Renamed SecGeoLookupsDb to SecGeoLookupDB. - * Added SecComponentSignature to allow other components the ability to append to the logged signature. 
@@ -126,7 +93,7 @@ Changes since 2.5.0-dev2: as documented instead of decrementing by a rate. * Enable ModSecurity to look at partial response bodies. In previous - versions ModSecurity would respond with status code 500 when the + versions, ModSecurity would respond with status code 500 when the response body was too long. Now, if SecResponseBodyLimitAction is set to "ProcessPartial", it will process the part of the response body received up until that point but send the rest without buffering. 
@@ -151,28 +118,114 @@ Changes since 2.5.0-dev2: * Added ARGS_GET, ARGS_POST, ARGS_GET_NAMES, ARGS_POST_NAMES variables to allow seperation of GET and POST arguments. + * Added an Apache define (MODSEC_2.5) so that you can conditionally include + directives based on the ModSecurity major/minor versions with IfDefine. + * Added MODSEC_BUILD variable that contains the numeric build value based on the ModSecurity version. * Enhanced debug logging by displaying more data on rule execution. All invoked rules are now logged in the debug log at level 5. - * Cleaned up and clarified some documentation. - - * Performance improvements and greater control over caching transformations. - * Stricter validation for @validateUtf8Encoding. - * Now capture the match in TX:0 when using "capture" action in phrase match - operators. - - * No longer process internal subrequests. + * No longer process Apache internal subrequests. * Fixed warnings on Solaris and/or 64bit builds. - * Added Cygwin to the list of platforms not supporting the hidden + * Added @within string comparison operator with support for macro expansion. + + * Do not trigger "pause" action for internal requests. + + * Added matching rule filename and line number to audit log. + + * Added new phrase matching operators, @pm and @pmFromFile. These use + an alternate set based matching engine (Aho-Corasick) to perform faster + phrase type matches such as black/white lists, spam keywords, etc. + + * Allow caching transformations per-request/phase so they are not repeated. + + * Added Solaris and Cygwin to the list of platforms not supporting the hidden visibility attribute. + * Fixed decoding full-width unicode in t:urlDecodeUni. + + * Add SecGeoLookupDB, @geoLookups and GEO collection to support + geographical lookups by IP/host. + + * Do not try to intercept a request after a failed rule. This fixes the + issue associated with an "Internal Error: Asked to intercept request + but was_intercepted is zero" error message. 
+ + * Removed extraneous exported symbols. + + * Merged the PDF XSS protection functionality into ModSecurity. + + * Exported API for registering custom variables. Example in api directory. + + * Added experimental support for content injection. Directive + SecContentInjection (On|Off) controls whether injection is taking place. + Actions "prepend" and "append" inject content when executed. Do note that + it is your responsibility to make sure the response is of the appropriate + content type (e.g. HTML, plain text, etc). + + * Added string comparison operators with support for macro expansion: + @contains, @streq, @beginsWith and @endsWith. + + * Enhanced debug log output to log macro expansion, quote values and + correctly display values that contained NULs. + + * Removed support for %0 - %9 capture macros as they were incorrectly + expanding url encoded values. Use %{TX.0} - %{TX.9} instead. + + * Added t:length to transform a value to its character length. + + * Added t:trimLeft, t:trimRight, t:trim to remove whitespace + from a value on the left, right or both. + + * Added SecAuditLog2 directive to allow redundent concurrent audit log + index files. This will allow sending audit data to two consoles, etc. + + * Removed CGI style HTTP_* variables in favor of REQUEST_HEADERS:Header-Name. + + * Store filename/line for each rule and display it and the ID (if available) + in the debug log when invoking a rule. Thanks to Christian Bockermann + for the idea. + + * Do not log 'allow' action as intercepted in the debug log. + + * Fixed some collection variable names not printing with the parameter + and/or counting operator in the debug log. + + +19 Feb 2008 - 2.1.6 +------------------- + + * Fixed crash on startup when ENV is improperly used without a parameter. + + * Allow macro resolution in setenv action. + + * Implemented SecUploadFileMode to allow setting the mode for uploaded files. 
+ + * No longer log the query portion of the URI in the error log as + it may contain sensitive data. + + +10 Jan 2008 - 2.1.5 +------------------- + + * Updated included Core Ruleset to version 1.5.1. + + * Phase 5 rules can now be removed via SecRuleRemoveBy* directives. + + * Fixed issue where only the first phase 5 rule would run when the + request was intercepted in an earlier phase. + + * Fixed configuration parsing so that disruptive actions, meta actions + and phases are not allowed in a chained rule (as originally intended). + + * Fixed t:escapeSeqDecode to better follow ANSI C escapes. + 27 Nov 2007 - 2.1.4 ------------------- 
@@ -236,131 +289,6 @@ Changes since 2.5.0-dev2: * Small performance improvement in memory management for rule execution. -21 June 2007 - 2.5.0-dev2 -------------------------- - - * Reversioned from 2.2.0 base version to 2.5.0 because of the large changeset. - - * Added @within string comparison operator with support for macro expansion. - - * Removed experimental variable RESPONSE_CONTENT_ENCODING which was not - working as intended. - - * Update included core rules to latest version. - - * Do not trigger "pause" action for internal requests. - - * Added matching rule filename and line number to audit log. - - * Added new phrase matching operators, @pm and @pmFromFile. These use - an alternate set based matching engine (Aho-Corasick) to perform faster - phrase type matches such as black/white lists, spam keywords, etc. - - * Cache transformations per-request/phase so they are not repeated. - - * Fixed issue with requests that use internal requests. These had the - potential to be intercepted incorrectly when other Apache httpd modules - that used internal requests were used with mod_security. - - * Added Solaris to the list of platforms not supporting the hidden - visibility attribute. - - * Removed excessive debug log entries about "capture" action. - - * Fixed decoding full-width unicode in t:urlDecodeUni. - - * Lessen some overhead of debugging messages and calculations. - - * Removed strnlen() calls for non-GNU platforms. - - -14 June 2007 - 2.1.2-rc1 ------------------------- - - * Update included core rules to latest version. - - * Do not trigger "pause" action for internal requests. - - * Fixed issue with requests that use internal requests. These had the - potential to be intercepted incorrectly when other Apache httpd modules - that used internal requests were used with mod_security. - - * Added Solaris to the list of platforms not supporting the hidden - visibility attribute. - - * Fixed decoding full-width unicode in t:urlDecodeUni. 
- - * Lessen some overhead of debugging messages and calculations. - - * Do not try to intercept a request after a failed rule. This fixes the - issue associated with an "Internal Error: Asked to intercept request - but was_intercepted is zero" error message. - - * Added SecAuditLog2 directive to allow redundent concurrent audit log - index files. This will allow sending audit data to two consoles, etc. - - * Small performance improvement in memory management for rule execution. - - -11 May 2007 - 2.2.0-dev1 -------------------------- - - * Add SecGeoLookupsDb, @geoLookups and GEO collection to support - geographical lookups by IP/host. - - * Do not try to intercept a request after a failed rule. This fixes the - issue associated with an "Internal Error: Asked to intercept request - but was_intercepted is zero" error message. - - * Removed extraneous exported symbols. - - * Merged the PDF XSS protection functionality into ModSecurity. - - * Exported API for registering custom variables. Example in api directory. - - * Added experimental variables RESPONSE_CONTENT_LENGTH, RESPONSE_CONTENT_TYPE, - and RESPONSE_CONTENT_ENCODING. - - * Added experimental support for content injection. Directive - SecContentInjection (On|Off) controls whether injection is taking place. - Actions "prepend" and "append" inject content when executed. Do note that - it is your responsibility to make sure the response is of the appropriate - content type (e.g. HTML, plain text, etc). - - * Added string comparison operators with support for macro expansion: - @contains, @streq, @beginsWith and @endsWith. - - * Enhanced debug log output to log macro expansion, quote values and - correctly display values that contained NULs. - - * Removed support for %0 - %9 capture macros as they were incorrectly - expanding url encoded values. Use %{TX.0} - %{TX.9} instead. - - * Added t:length to transform a value to its character length. 
- - * Added t:trimLeft, t:trimRight, t:trim to remove whitespace - from a value on the left, right or both. - - * Added SecAuditLog2 directive to allow redundent concurrent audit log - index files. This will allow sending audit data to two consoles, etc. - - * Removed CGI style HTTP_* variables in favor of REQUEST_HEADERS:Header-Name. - - * Store filename/line for each rule and display it and the ID (if available) - in the debug log when invoking a rule. Thanks to Christian Bockermann - for the idea. - - * Do not log 'allow' action as intercepted in the debug log. - - * Write debug log messages when "capture" is set, but the regex does not - capture and vice-versa. - - * Small performance improvement in memory management for rule execution. - - * Fixed some collection variable names not printing with the parameter - and/or counting operator in the debug log. - - 11 Apr 2007 - 2.1.1 ------------------- diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h index 8b15300d..38fcc53c 100644 --- a/apache2/modsecurity.h +++ b/apache2/modsecurity.h @@ -63,8 +63,8 @@ extern DSOLOCAL modsec_build_type_rec modsec_build_type[]; #define MODSEC_VERSION_MAJOR "2" #define MODSEC_VERSION_MINOR "5" #define MODSEC_VERSION_MAINT "0" -#define MODSEC_VERSION_TYPE "rc" -#define MODSEC_VERSION_RELEASE "4" +#define MODSEC_VERSION_TYPE "" +#define MODSEC_VERSION_RELEASE "" #define MODULE_NAME "ModSecurity for Apache" #define MODULE_RELEASE \ diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml index f5da1d40..53f627fe 100644 --- a/doc/modsecurity2-apache-reference.xml +++ b/doc/modsecurity2-apache-reference.xml @@ -3,7 +3,7 @@ ModSecurity Reference Manual - Version 2.5.0-rc4 (February 14, 2008) + Version 2.5.0 (February 19, 2008) 2004-2008 @@ -5912,4 +5912,4 @@ Server: Apache/2.x.x - \ No newline at end of file +
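Review bot: in the CHANGES hunks @@ -1,34 +1,18 @@ and @@ -38,30 +22,18 @@, folding the rc1-rc4 entries into a single 2.5.0 entry silently drops fixes that are never re-listed anywhere in this patch: "Fixed new string operators not matching with an empty string pattern.", "Fixed crash on startup when using "none" transformation in Lua rule." and "Fixed removal of chained rules via ctl:ruleRemoveById.", plus the bullet announcing the 'configure'-based build (./configure && make && make install). A user upgrading from 2.1.x reads the 2.5.0 entry as the full delta, so these belong in it; the build change in particular is the first thing a packager hits. The hunk is also inconsistent about backported fixes: "Fixed removal of phase 5 rules via SecRuleRemoveBy* directives." is taken out of 2.5.0 because it now appears under 2.1.5, yet the ENV startup crash, the setenv macro resolution and the query-string logging fix are kept in both the 2.5.0 and the 2.1.6 entries. Pick one convention (listing a backported fix under every release that contains it is the safer one, since readers rarely scan both branches) and apply it to the phase-5 removal and ctl:ruleRemoveById fixes as well.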
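Review bot: in the CHANGES hunk @@ -151,28 +118,114 @@, the added SecAuditLog2 bullet carries the typo "redundent" (should be "redundant"), and since the surrounding text is being rewritten anyway the "seperation" in the ARGS_GET/ARGS_POST context line above it can be fixed in the same pass. More importantly, this hunk deletes "Stricter validation for @validateUtf8Encoding." and "Now capture the match in TX:0 when using "capture" action in phrase match operators." without re-adding either. Both change what existing rules do: the first can turn previously accepted input into a validation failure, and the second means %{TX.0} is populated for the @pm/@pmFromFile operators that this same hunk introduces, which is exactly the kind of behaviour change a rule author needs to see in the release notes. Keep both bullets next to the @pm/@pmFromFile entry. Minor: the added "Add SecGeoLookupDB, @geoLookups and GEO collection ..." bullet is the only one in present tense; the other additions in the hunk use "Added".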
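Review bot: in the CHANGES hunk @@ -236,131 +289,6 @@, removing the 2.5.0-dev1/dev2 and 2.1.2-rc1 history is fine in principle, but "Added experimental variables RESPONSE_CONTENT_LENGTH, RESPONSE_CONTENT_TYPE, and RESPONSE_CONTENT_ENCODING." and the later "Removed experimental variable RESPONSE_CONTENT_ENCODING which was not working as intended." do not reappear anywhere visible in this patch. If RESPONSE_CONTENT_LENGTH and RESPONSE_CONTENT_TYPE ship in 2.5.0 they need a bullet in the consolidated entry; if they were dropped along with RESPONSE_CONTENT_ENCODING, record the removal so nobody keeps writing rules against variables that only existed in the dev snapshots. The same check applies to "Removed strnlen() calls for non-GNU platforms." and "Write debug log messages when "capture" is set, but the regex does not capture and vice-versa.", which are deleted here without a replacement line. Also confirm that the 2.1.2-rc1 bullets are represented in a retained 2.1.x entry outside this hunk, since 2.1.4, 2.1.5 and 2.1.6 keep their own sections while the rc1 section disappears.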
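Review bot: in the apache2/modsecurity.h hunk, setting MODSEC_VERSION_TYPE and MODSEC_VERSION_RELEASE to "" is only safe if MODULE_RELEASE, whose definition starts at the "#define MODULE_RELEASE \" context line but continues outside the hunk, does not glue a fixed separator between MAINT and TYPE; if it does, the advertised version string becomes something like "2.5.0-" instead of "2.5.0". Please check the continuation lines, and also the modsec_build_type[] table declared just above the hunk: CHANGES in this same patch says the MODSEC_BUILD variable is a numeric value derived from the version, so the empty type string needs a mapping that ranks a final release above "rc4", otherwise any rule that compares MODSEC_BUILD to gate 2.5-only features will treat the release build as older than the release candidate it replaces.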
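Review bot: in the doc/modsecurity2-apache-reference.xml hunks only the version line and the missing trailing newline change, while the CHANGES hunk in this same patch lists "Added an Apache define (MODSEC_2.5) so that you can conditionally include directives based on the ModSecurity major/minor versions with IfDefine." as a new 2.5.0 feature. If the manual does not already describe that define, the release bump is the point to add it, with the exact define name and an IfDefine example, since it is the mechanism the updated Core Ruleset (1.6.0, "which uses 2.5 features" per the first CHANGES hunk) would rely on to coexist with 2.1.x installations. The date "February 19, 2008" matches the "19 Feb 2008 - 2.5.0" CHANGES header, so that part is consistent.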