github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2026-01-16 00:17:11 +03:00
Code Issues Packages Projects Releases Wiki Activity

Added PCRE limits and studying by default to help alleviate REDoS reported by Sogeti/ESEC R&D (MODSEC-119).

Browse Source
This commit is contained in:
b1v1r
2010-02-05 18:09:19 +00:00
parent d66760d09c
commit 589274903d
13 changed files with 544 additions and 114 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
CHANGES
View File

@@ -1,6 +1,16 @@
14 Jan 2010 - 2.5.12
--------------------
* Enabled PCRE "studying" by default. This is now a configure-time option.
* Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to
aide in REDoS type attacks. A rule that goes over the limits will set
TX:MSC_PCRE_LIMITS_EXCEEDED. It is intended that the next major release
of ModSecurity (2.6.x) will move these flags to a dedicated collection.
* Reduced default PCRE match limits reducing impact of REDoS on poorly
written regex rules. Reported by Sogeti/ESEC R&D.
* Fixed memory leak in v1 cookie parser. Reported by Sogeti/ESEC R&D.
* Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)