diff --git a/CHANGES b/CHANGES
index 201288ce..64d472cd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -10,7 +10,8 @@
 * No longer log the query portion of the URI in the error log as it may contain sensitive data.
- * There are no longer any default transformations performed.
+ * The default action is now a minimal "phase:2,log,pass" with no default
+ transformations performed.
 * Implemented SecRuleUpdateActionById.
diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
index d2bd4d76..637b3e5f 100644
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -708,6 +708,9 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type,
 apr_table_unset(dcfg->tmp_rule_placeholders, rule->actionset->id);
 }
+ /* Update the unparsed rule */
+ rule->unparsed = msre_rule_generate_unparsed(dcfg->ruleset->mp, rule, NULL, NULL, NULL);
+
 return NULL;
 }
@@ -790,7 +793,7 @@ static const char *update_rule_action(cmd_parms *cmd, directory_config *dcfg,
 /* Create a new actionset */
 new_actionset = msre_actionset_create(modsecurity->msre, p2, &my_error_msg);
- if (dcfg->tmp_default_actionset == NULL) return FATAL_ERROR;
+ if (new_actionset == NULL) return FATAL_ERROR;
 if (my_error_msg != NULL) return my_error_msg;
 /* Must NOT change an id */
@@ -1098,11 +1101,13 @@ static const char *cmd_default_action(cmd_parms *cmd, void *_dcfg, const char *p
 }
 /* Must specify a disruptive action. */
+ /* ENH: Remove this requirement? */
 if (dcfg->tmp_default_actionset->intercept_action == NOT_SET) {
 return apr_psprintf(cmd->pool, "ModSecurity: SecDefaultAction must specify a disruptive action.");
 }
 /* Must specify a phase. */
+ /* ENH: Remove this requirement? */
 if (dcfg->tmp_default_actionset->phase == NOT_SET) {
 return apr_psprintf(cmd->pool, "ModSecurity: SecDefaultAction must specify a phase.");
 }
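Review bot: The regenerated text is stored straight into `rule->unparsed` without looking at the result of msre_rule_generate_unparsed(), so if that helper can return NULL (for instance on allocation failure from `dcfg->ruleset->mp`) the rule is left with a NULL unparsed string that any later logging of the rule would have to tolerate; the helper is not visible here, so this needs confirming. The one-line comment also does not say why the text is regenerated at this point, presumably so that the stored text reflects the actionset after the defaults were merged in. Suggested: `/* Regenerate the unparsed text now that the actionset is final (merged defaults included). */` followed by `if (rule->unparsed == NULL) return FATAL_ERROR;` if the helper can indeed fail. add_rule begins outside this hunk.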
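Review bot: The corrected NULL check on `new_actionset` runs before the `my_error_msg` check, so when msre_actionset_create() fails and also fills in `my_error_msg` (which it appears to do, given the pointer is passed in) the descriptive parse error is discarded in favour of the generic FATAL_ERROR. Checking the message first keeps the diagnostic for the administrator: `if (my_error_msg != NULL) return my_error_msg;` then `if (new_actionset == NULL) return FATAL_ERROR;`. update_rule_action begins and ends outside this hunk.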
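Review bot: The two identical `/* ENH: Remove this requirement? */` markers record a question but not what dropping each check would mean, which is what a later reader needs to judge the change: with the built-in default now `phase:2,log,pass` (re.c in this commit), it is unclear whether a SecDefaultAction lacking a phase or a disruptive action would fall back to those values or leave the fields at NOT_SET. One comment stating the intended fallback would be more useful, e.g. `/* ENH: could be relaxed to fall back to the built-in default (phase 2, pass); verify the merge semantics first. */`. cmd_default_action begins and ends outside this hunk.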
@@ -1131,6 +1136,12 @@ static const char *cmd_default_action(cmd_parms *cmd, void *_dcfg, const char *p
 "contain a skip action.");
 }
+ /* Must not use skipAfter. */
+ if (dcfg->tmp_default_actionset->skip_after != NOT_SET_P) {
+ return apr_psprintf(cmd->pool, "ModSecurity: SecDefaultAction must not "
+ "contain a skipAfter action.");
+ }
+
 return NULL;
 }
diff --git a/apache2/re.c b/apache2/re.c
index 7c54b490..1cd986d5 100644
--- a/apache2/re.c
+++ b/apache2/re.c
@@ -645,7 +645,7 @@ msre_actionset *msre_actionset_merge(msre_engine *engine, msre_actionset *parent
 msre_actionset *msre_actionset_create_default(msre_engine *engine) {
 char *my_error_msg = NULL;
 return msre_actionset_create(engine,
- "log,auditlog,deny,status:403,phase:2",
+ "phase:2,log,pass",
 &my_error_msg);
 }
@@ -677,7 +677,7 @@ void msre_actionset_set_defaults(msre_actionset *actionset) {
 if (actionset->intercept_pause == NOT_SET) actionset->intercept_pause = 0;
 /* Other */
- if (actionset->auditlog == NOT_SET) actionset->auditlog = 1;
+ if (actionset->auditlog == NOT_SET) actionset->auditlog = 0;
 if (actionset->log == NOT_SET) actionset->log = 1;
 }
diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml
index 8ae73c52..eed12f8a 100644
--- a/doc/modsecurity2-apache-reference.xml
+++ b/doc/modsecurity2-apache-reference.xml
@@ -1118,9 +1118,9 @@ SecAuditLogStorageDir logs/audit disruptive actions are not allowed, but this can inadvertently be inherited using a disruptive action in SecDefaultAction.
- The default value is:
+ The default value is minimal (differing from previous versions):
- SecDefaultAction log,auditlog,deny,status:403,phase:2,t:none
+ SecDefaultAction phase:2,log,pass Note
@@ -5721,4 +5721,4 @@ Server: Apache/2.x.x - \ No newline at end of file +
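Review bot: The new skipAfter check mirrors the skip check just above it, but its comment `/* Must not use skipAfter. */` gives no reason, and the reason is the useful part: the default actionset is inherited by every rule (the reference manual in this commit already warns about inherited disruptive actions), so a skipAfter here would presumably redirect processing on every match. Suggest `/* Must not use skipAfter: the default actionset is inherited by every rule, so it would alter flow on every match. */`. The comparison against `NOT_SET_P` rather than the `NOT_SET` used for the integer fields above looks intentional for a pointer field but is worth a word too. cmd_default_action begins outside this hunk.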
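Review bot: msre_actionset_create_default() now produces a non-blocking default, which is a fail-open change for any deployment that relied on the old built-in `deny,status:403` without configuring SecDefaultAction, and nothing in the function says so. The `my_error_msg` the call fills in is still discarded, so a parse failure of the constant string would surface only as a NULL return further up. Suggest a header comment such as `/* Built-in default used when no SecDefaultAction is configured: log and pass, i.e. a matching rule does not block unless it says so itself. */`, and since the action string is a compile-time constant, a debug assertion that `my_error_msg` stays NULL is cheap insurance.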
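Review bot: Flipping the auditlog default to 0 while `log` stays 1 presumably means a rule that does not set auditlog explicitly is no longer audit-logged, which changes what evidence is recorded for a match, yet neither the `/* Other */` comment nor the CHANGES entry in this commit (which mentions only the `phase:2,log,pass` string) calls this out. Suggest `/* Other: error-log entries are on by default, audit-log entries are opt-in via the auditlog action. */` and a matching line in CHANGES. msre_actionset_set_defaults begins outside this hunk.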