Added PCRE limits and studying by default to help alleviate REDoS reported by Sogeti/ESEC R&D (MODSEC-119).

CHANGES

@@ -1,6 +1,16 @@
 14 Jan 2010 - 2.5.12
 --------------------
 
+ * Enabled PCRE "studying" by default.  This is now a configure-time option.
+
+ * Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to
+   aide in REDoS type attacks.  A rule that goes over the limits will set
+   TX:MSC_PCRE_LIMITS_EXCEEDED.  It is intended that the next major release
+   of ModSecurity (2.6.x) will move these flags to a dedicated collection.
+
+ * Reduced default PCRE match limits reducing impact of REDoS on poorly
+   written regex rules.  Reported by Sogeti/ESEC R&D.
+
  * Fixed memory leak in v1 cookie parser.  Reported by Sogeti/ESEC R&D.
 
  * Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)

apache2/apache2_config.c

@@ -34,7 +34,8 @@
 /**
  * Creates a fresh directory configuration.
  */
-void *create_directory_config(apr_pool_t *mp, char *path) {
+void *create_directory_config(apr_pool_t *mp, char *path)
+{
     directory_config *dcfg = (directory_config *)apr_pcalloc(mp, sizeof(directory_config));
     if (dcfg == NULL) return NULL;
 
@@ -130,8 +131,10 @@ void *create_directory_config(apr_pool_t *mp, char *path) {
  * Copies rules between one phase of two configuration contexts,
  * taking exceptions into account.
  */
-static void copy_rules_phase(apr_pool_t *mp, apr_array_header_t *parent_phase_arr,
+static void copy_rules_phase(apr_pool_t *mp,
-    apr_array_header_t *child_phase_arr, apr_array_header_t *exceptions_arr)
+                             apr_array_header_t *parent_phase_arr,
+                             apr_array_header_t *child_phase_arr,
+                             apr_array_header_t *exceptions_arr)
 {
     rule_exception **exceptions;
     msre_rule **rules;
@@ -199,7 +202,8 @@ static void copy_rules_phase(apr_pool_t *mp, apr_array_header_t *parent_phase_ar
  * Copies rules between two configuration contexts,
  * taking exceptions into account.
  */
-static int copy_rules(apr_pool_t *mp, msre_ruleset *parent_ruleset, msre_ruleset *child_ruleset,
+static int copy_rules(apr_pool_t *mp, msre_ruleset *parent_ruleset,
+                      msre_ruleset *child_ruleset,
                       apr_array_header_t *exceptions_arr)
 {
     copy_rules_phase(mp, parent_ruleset->phase_request_headers,
@@ -219,7 +223,8 @@ static int copy_rules(apr_pool_t *mp, msre_ruleset *parent_ruleset, msre_ruleset
 /**
  * Merges two directory configurations.
  */
-void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child) {
+void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child)
+{
     directory_config *parent = (directory_config *)_parent;
     directory_config *child = (directory_config *)_child;
     directory_config *merged = create_directory_config(mp, NULL);
@@ -484,7 +489,8 @@ void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child) {
  * the configuration phase. It can only be called on copies of those
  * (created fresh for every transaction).
  */
-void init_directory_config(directory_config *dcfg) {
+void init_directory_config(directory_config *dcfg)
+{
     if (dcfg == NULL) return;
 
     if (dcfg->is_enabled == NOT_SET) dcfg->is_enabled = 0;
@@ -562,6 +568,7 @@ void init_directory_config(directory_config *dcfg) {
     if (dcfg->cache_trans_maxitems == (apr_size_t)NOT_SET) dcfg->cache_trans_maxitems = 512;
 
     if (dcfg->request_encoding == NOT_SET_P) dcfg->request_encoding = NULL;
+
 }
 
 /**
@@ -755,8 +762,8 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type,
 /**
  *
  */
-static const char *add_marker(cmd_parms *cmd, directory_config *dcfg, const char *p1,
+static const char *add_marker(cmd_parms *cmd, directory_config *dcfg,
-    const char *p2, const char *p3)
+                              const char *p1, const char *p2, const char *p3)
 {
     char *my_error_msg = NULL;
     msre_rule *rule = NULL;
@@ -893,17 +900,21 @@ static const char *update_rule_action(cmd_parms *cmd, directory_config *dcfg,
 
 /* -- Configuration directives -- */
 
-static const char *cmd_action(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_action(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
     return add_rule(cmd, (directory_config *)_dcfg, RULE_TYPE_ACTION, SECACTION_TARGETS, SECACTION_ARGS, p1);
 }
 
-static const char *cmd_marker(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_marker(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     const char *action = apr_pstrcat(dcfg->mp, SECMARKER_BASE_ACTIONS, p1, NULL);
     return add_marker(cmd, (directory_config *)_dcfg, SECMARKER_TARGETS, SECMARKER_ARGS, action);
 }
 
-static const char *cmd_argument_separator(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_argument_separator(cmd_parms *cmd, void *_dcfg,
+                                          const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
 
     if (strlen(p1) != 1) {
@@ -915,7 +926,8 @@ static const char *cmd_argument_separator(cmd_parms *cmd, void *_dcfg, const cha
     return NULL;
 }
 
-static const char *cmd_audit_engine(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_audit_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
     directory_config *dcfg = _dcfg;
 
     if (strcasecmp(p1, "On") == 0) dcfg->auditlog_flag = AUDITLOG_ON;
@@ -930,7 +942,8 @@ static const char *cmd_audit_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
     return NULL;
 }
 
-static const char *cmd_audit_log(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_audit_log(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
     directory_config *dcfg = _dcfg;
 
     dcfg->auditlog_name = (char *)p1;
@@ -963,7 +976,8 @@ static const char *cmd_audit_log(cmd_parms *cmd, void *_dcfg, const char *p1) {
     return NULL;
 }
 
-static const char *cmd_audit_log2(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_audit_log2(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
     directory_config *dcfg = _dcfg;
 
     if (dcfg->auditlog_name == NOT_SET_P) {
@@ -1000,7 +1014,9 @@ static const char *cmd_audit_log2(cmd_parms *cmd, void *_dcfg, const char *p1) {
     return NULL;
 }
 
-static const char *cmd_audit_log_parts(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_audit_log_parts(cmd_parms *cmd, void *_dcfg,
+                                       const char *p1)
+{
     directory_config *dcfg = _dcfg;
 
     if (is_valid_parts_specification((char *)p1) != 1) {
@@ -1011,7 +1027,9 @@ static const char *cmd_audit_log_parts(cmd_parms *cmd, void *_dcfg, const char *
     return NULL;
 }
 
-static const char *cmd_audit_log_relevant_status(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_audit_log_relevant_status(cmd_parms *cmd, void *_dcfg,
+                                                 const char *p1)
+{
     directory_config *dcfg = _dcfg;
 
     dcfg->auditlog_relevant_regex = msc_pregcomp(cmd->pool, p1, PCRE_DOTALL, NULL, NULL);
@@ -1022,7 +1040,9 @@ static const char *cmd_audit_log_relevant_status(cmd_parms *cmd, void *_dcfg, co
     return NULL;
 }
 
-static const char *cmd_audit_log_type(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_audit_log_type(cmd_parms *cmd, void *_dcfg,
+                                      const char *p1)
+{
     directory_config *dcfg = _dcfg;
 
     if (strcasecmp(p1, "Serial") == 0) dcfg->auditlog_type = AUDITLOG_SERIAL;
@@ -1035,7 +1055,9 @@ static const char *cmd_audit_log_type(cmd_parms *cmd, void *_dcfg, const char *p
     return NULL;
 }
 
-static const char *cmd_audit_log_dirmode(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_audit_log_dirmode(cmd_parms *cmd, void *_dcfg,
+                                         const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
 
     if (dcfg == NULL) return NULL;
@@ -1055,7 +1077,9 @@ static const char *cmd_audit_log_dirmode(cmd_parms *cmd, void *_dcfg, const char
     return NULL;
 }
 
-static const char *cmd_audit_log_filemode(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_audit_log_filemode(cmd_parms *cmd, void *_dcfg,
+                                          const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
 
     if (dcfg == NULL) return NULL;
@@ -1075,7 +1099,9 @@ static const char *cmd_audit_log_filemode(cmd_parms *cmd, void *_dcfg, const cha
     return NULL;
 }
 
-static const char *cmd_audit_log_storage_dir(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_audit_log_storage_dir(cmd_parms *cmd, void *_dcfg,
+                                             const char *p1)
+{
     directory_config *dcfg = _dcfg;
 
     dcfg->auditlog_storage_dir = ap_server_root_relative(cmd->pool, p1);
@@ -1083,7 +1109,9 @@ static const char *cmd_audit_log_storage_dir(cmd_parms *cmd, void *_dcfg, const
     return NULL;
 }
 
-static const char *cmd_cookie_format(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_cookie_format(cmd_parms *cmd, void *_dcfg,
+                                     const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
 
     if (strcmp(p1, "0") == 0) dcfg->cookie_format = COOKIES_V0;
@@ -1096,7 +1124,8 @@ static const char *cmd_cookie_format(cmd_parms *cmd, void *_dcfg, const char *p1
     return NULL;
 }
 
-static const char *cmd_chroot_dir(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_chroot_dir(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
     char cwd[1025] = "";
 
     if (cmd->server->is_virtual) {
@@ -1125,7 +1154,9 @@ static const char *cmd_chroot_dir(cmd_parms *cmd, void *_dcfg, const char *p1) {
 /**
  * Adds component signature to the list of signatures kept in configuration.
  */
-static const char *cmd_component_signature(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_component_signature(cmd_parms *cmd, void *_dcfg,
+                                           const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
 
     /* ENH Enforce "Name/VersionX.Y.Z (comment)" format. */
@@ -1134,14 +1165,16 @@ static const char *cmd_component_signature(cmd_parms *cmd, void *_dcfg, const ch
     return NULL;
 }
 
-static const char *cmd_content_injection(cmd_parms *cmd, void *_dcfg, int flag) {
+static const char *cmd_content_injection(cmd_parms *cmd, void *_dcfg, int flag)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     if (dcfg == NULL) return NULL;
     dcfg->content_injection_enabled = flag;
     return NULL;
 }
 
-static const char *cmd_data_dir(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_data_dir(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
 
     if (cmd->server->is_virtual) {
@@ -1153,7 +1186,8 @@ static const char *cmd_data_dir(cmd_parms *cmd, void *_dcfg, const char *p1) {
     return NULL;
 }
 
-static const char *cmd_debug_log(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_debug_log(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     apr_status_t rc;
 
@@ -1171,7 +1205,9 @@ static const char *cmd_debug_log(cmd_parms *cmd, void *_dcfg, const char *p1) {
     return NULL;
 }
 
-static const char *cmd_debug_log_level(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_debug_log_level(cmd_parms *cmd, void *_dcfg,
+                                       const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
 
     dcfg->debuglog_level = atoi(p1);
@@ -1180,7 +1216,9 @@ static const char *cmd_debug_log_level(cmd_parms *cmd, void *_dcfg, const char *
     return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecDebugLogLevel: %s", p1);
 }
 
-static const char *cmd_default_action(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_default_action(cmd_parms *cmd, void *_dcfg,
+                                      const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     extern msc_engine *modsecurity;
     char *my_error_msg = NULL;
@@ -1244,7 +1282,9 @@ static const char *cmd_default_action(cmd_parms *cmd, void *_dcfg, const char *p
     return NULL;
 }
 
-static const char *cmd_guardian_log(cmd_parms *cmd, void *_dcfg, const char *p1, const char *p2) {
+static const char *cmd_guardian_log(cmd_parms *cmd, void *_dcfg,
+                                    const char *p1, const char *p2)
+{
     extern char *guardianlog_name;
     extern apr_file_t *guardianlog_fd;
     extern char *guardianlog_condition;
@@ -1293,7 +1333,9 @@ static const char *cmd_guardian_log(cmd_parms *cmd, void *_dcfg, const char *p1,
     return NULL;
 }
 
-static const char *cmd_request_body_inmemory_limit(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_request_body_inmemory_limit(cmd_parms *cmd, void *_dcfg,
+                                                   const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     long int limit;
 
@@ -1309,7 +1351,9 @@ static const char *cmd_request_body_inmemory_limit(cmd_parms *cmd, void *_dcfg,
     return NULL;
 }
 
-static const char *cmd_request_body_limit(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_request_body_limit(cmd_parms *cmd, void *_dcfg,
+                                          const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     long int limit;
 
@@ -1325,7 +1369,9 @@ static const char *cmd_request_body_limit(cmd_parms *cmd, void *_dcfg, const cha
     return NULL;
 }
 
-static const char *cmd_request_body_no_files_limit(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_request_body_no_files_limit(cmd_parms *cmd, void *_dcfg,
+                                                   const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     long int limit;
 
@@ -1341,7 +1387,9 @@ static const char *cmd_request_body_no_files_limit(cmd_parms *cmd, void *_dcfg,
     return NULL;
 }
 
-static const char *cmd_request_body_access(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_request_body_access(cmd_parms *cmd, void *_dcfg,
+                                           const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     if (dcfg == NULL) return NULL;
 
@@ -1354,7 +1402,9 @@ static const char *cmd_request_body_access(cmd_parms *cmd, void *_dcfg, const ch
     return NULL;
 }
 
-static const char *cmd_request_encoding(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_request_encoding(cmd_parms *cmd, void *_dcfg,
+                                        const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     if (dcfg == NULL) return NULL;
 
@@ -1365,7 +1415,9 @@ static const char *cmd_request_encoding(cmd_parms *cmd, void *_dcfg, const char
     return NULL;
 }
 
-static const char *cmd_response_body_access(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_response_body_access(cmd_parms *cmd, void *_dcfg,
+                                            const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     if (dcfg == NULL) return NULL;
 
@@ -1378,7 +1430,9 @@ static const char *cmd_response_body_access(cmd_parms *cmd, void *_dcfg, const c
     return NULL;
 }
 
-static const char *cmd_response_body_limit(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_response_body_limit(cmd_parms *cmd, void *_dcfg,
+                                           const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     long int limit;
 
@@ -1396,7 +1450,9 @@ static const char *cmd_response_body_limit(cmd_parms *cmd, void *_dcfg, const ch
     return NULL;
 }
 
-static const char *cmd_response_body_limit_action(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_response_body_limit_action(cmd_parms *cmd, void *_dcfg,
+                                                  const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     if (dcfg == NULL) return NULL;
 
@@ -1409,7 +1465,9 @@ static const char *cmd_response_body_limit_action(cmd_parms *cmd, void *_dcfg, c
     return NULL;
 }
 
-static const char *cmd_response_body_mime_type(cmd_parms *cmd, void *_dcfg, const char *_p1) {
+static const char *cmd_response_body_mime_type(cmd_parms *cmd, void *_dcfg,
+                                               const char *_p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     char *p1 = apr_pstrdup(cmd->pool, _p1);
 
@@ -1425,7 +1483,9 @@ static const char *cmd_response_body_mime_type(cmd_parms *cmd, void *_dcfg, cons
     return NULL;
 }
 
-static const char *cmd_response_body_mime_types_clear(cmd_parms *cmd, void *_dcfg) {
+static const char *cmd_response_body_mime_types_clear(cmd_parms *cmd,
+                                                      void *_dcfg)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     if (dcfg == NULL) return NULL;
 
@@ -1438,13 +1498,14 @@ static const char *cmd_response_body_mime_types_clear(cmd_parms *cmd, void *_dcf
     return NULL;
 }
 
-static const char *cmd_rule(cmd_parms *cmd, void *_dcfg, const char *p1,
+static const char *cmd_rule(cmd_parms *cmd, void *_dcfg,
-    const char *p2, const char *p3)
+                            const char *p1, const char *p2, const char *p3)
 {
     return add_rule(cmd, (directory_config *)_dcfg, RULE_TYPE_NORMAL, p1, p2, p3);
 }
 
-static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     if (dcfg == NULL) return NULL;
 
@@ -1459,43 +1520,16 @@ static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
     return NULL;
 }
 
-/*
+static const char *cmd_rule_inheritance(cmd_parms *cmd, void *_dcfg, int flag)
-static const char *cmd_rule_import_by_id(cmd_parms *cmd, void *_dcfg, const char *p1) {
+{
-    directory_config *dcfg = (directory_config *)_dcfg;
-    rule_exception *re = apr_pcalloc(cmd->pool, sizeof(rule_exception));
-    if (dcfg == NULL) return NULL;
-
-    re->type = RULE_EXCEPTION_IMPORT_ID;
-    // TODO verify p1
-    re->param = p1;
-       *(rule_exception **)apr_array_push(dcfg->rule_exceptions) = re;
-
-    return NULL;
-}
-
-static const char *cmd_rule_import_by_msg(cmd_parms *cmd, void *_dcfg, const char *p1) {
-    directory_config *dcfg = (directory_config *)_dcfg;
-    rule_exception *re = apr_pcalloc(cmd->pool, sizeof(rule_exception));
-    if (dcfg == NULL) return NULL;
-
-    re->type = RULE_EXCEPTION_IMPORT_MSG;
-    // TODO verify p1
-    re->param = p1;
-    *(rule_exception **)apr_array_push(dcfg->rule_exceptions) = re;
-
-    return NULL;
-}
-*/
-
-static const char *cmd_rule_inheritance(cmd_parms *cmd, void *_dcfg, int flag) {
     directory_config *dcfg = (directory_config *)_dcfg;
     if (dcfg == NULL) return NULL;
     dcfg->rule_inheritance = flag;
     return NULL;
 }
 
-static const char *cmd_rule_script(cmd_parms *cmd, void *_dcfg, const char *p1,
+static const char *cmd_rule_script(cmd_parms *cmd, void *_dcfg,
-    const char *p2)
+                                   const char *p1, const char *p2)
 {
     #if defined(WITH_LUA)
     const char *filename = resolve_relative_path(cmd->pool, cmd->directive->filename, p1);
@@ -1506,7 +1540,9 @@ static const char *cmd_rule_script(cmd_parms *cmd, void *_dcfg, const char *p1,
     #endif
 }
 
-static const char *cmd_rule_remove_by_id(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_rule_remove_by_id(cmd_parms *cmd, void *_dcfg,
+                                         const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     rule_exception *re = apr_pcalloc(cmd->pool, sizeof(rule_exception));
     if (dcfg == NULL) return NULL;
@@ -1521,7 +1557,9 @@ static const char *cmd_rule_remove_by_id(cmd_parms *cmd, void *_dcfg, const char
     return NULL;
 }
 
-static const char *cmd_rule_remove_by_msg(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_rule_remove_by_msg(cmd_parms *cmd, void *_dcfg,
+                                          const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     rule_exception *re = apr_pcalloc(cmd->pool, sizeof(rule_exception));
     if (dcfg == NULL) return NULL;
@@ -1550,7 +1588,9 @@ static const char *cmd_rule_update_action_by_id(cmd_parms *cmd, void *_dcfg,
     return update_rule_action(cmd, (directory_config *)_dcfg, p1, p2);
 }
 
-static const char *cmd_server_signature(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_server_signature(cmd_parms *cmd, void *_dcfg,
+                                        const char *p1)
+{
     if (cmd->server->is_virtual) {
         return "ModSecurity: SecServerSignature not allowed in VirtualHost";
     }
@@ -1558,7 +1598,8 @@ static const char *cmd_server_signature(cmd_parms *cmd, void *_dcfg, const char
     return NULL;
 }
 
-static const char *cmd_tmp_dir(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_tmp_dir(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
 
     if (dcfg == NULL) return NULL;
@@ -1569,7 +1610,8 @@ static const char *cmd_tmp_dir(cmd_parms *cmd, void *_dcfg, const char *p1) {
     return NULL;
 }
 
-static const char *cmd_upload_dir(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_upload_dir(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
 
     if (dcfg == NULL) return NULL;
@@ -1580,7 +1622,9 @@ static const char *cmd_upload_dir(cmd_parms *cmd, void *_dcfg, const char *p1) {
     return NULL;
 }
 
-static const char *cmd_upload_filemode(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_upload_filemode(cmd_parms *cmd, void *_dcfg,
+                                       const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
 
     if (dcfg == NULL) return NULL;
@@ -1600,7 +1644,9 @@ static const char *cmd_upload_filemode(cmd_parms *cmd, void *_dcfg, const char *
     return NULL;
 }
 
-static const char *cmd_upload_keep_files(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_upload_keep_files(cmd_parms *cmd, void *_dcfg,
+                                         const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
 
     if (dcfg == NULL) return NULL;
@@ -1620,7 +1666,8 @@ static const char *cmd_upload_keep_files(cmd_parms *cmd, void *_dcfg, const char
     return NULL;
 }
 
-static const char *cmd_web_app_id(cmd_parms *cmd, void *_dcfg, const char *p1) {
+static const char *cmd_web_app_id(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
 
     /* ENH enforce format (letters, digits, ., _, -) */
@@ -1629,9 +1676,53 @@ static const char *cmd_web_app_id(cmd_parms *cmd, void *_dcfg, const char *p1) {
     return NULL;
 }
 
+
+/* PCRE Limits */
+
+static const char *cmd_pcre_match_limit(cmd_parms *cmd,
+                                        void *_dcfg, const char *p1)
+{
+    long val;
+
+    if (cmd->server->is_virtual) {
+        return "ModSecurity: SecPcreMatchLimit not allowed in VirtualHost";
+    }
+
+    val = atol(p1);
+    if (val <= 0) {
+        return apr_psprintf(cmd->pool, "ModSecurity: Invalid setting for "
+                                       "SecPcreMatchLimit: %s", p1);
+    }
+    msc_pcre_match_limit = (unsigned long int)val;
+
+    return NULL;
+}
+
+static const char *cmd_pcre_match_limit_recursion(cmd_parms *cmd,
+                                        void *_dcfg, const char *p1)
+{
+    long val;
+
+    if (cmd->server->is_virtual) {
+        return "ModSecurity: SecPcreMatchLimitRecursion not allowed in VirtualHost";
+    }
+
+    val = atol(p1);
+    if (val <= 0) {
+        return apr_psprintf(cmd->pool, "ModSecurity: Invalid setting for "
+                                       "SecPcreMatchLimitRecursion: %s", p1);
+    }
+    msc_pcre_match_limit_recursion = (unsigned long int)val;
+
+    return NULL;
+}
+
+
+
 /* -- PDF Protection configuration -- */
 
-static const char *cmd_pdf_protect(cmd_parms *cmd, void *_dcfg, int flag) {
+static const char *cmd_pdf_protect(cmd_parms *cmd, void *_dcfg, int flag)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
     if (dcfg == NULL) return NULL;
 
@@ -1673,8 +1764,8 @@ static const char *cmd_pdf_protect_token_name(cmd_parms *cmd, void *_dcfg,
     return NULL;
 }
 
-static const char *cmd_pdf_protect_intercept_get_only(cmd_parms *cmd, void *_dcfg,
+static const char *cmd_pdf_protect_intercept_get_only(cmd_parms *cmd,
-    int flag)
+                                                      void *_dcfg, int flag)
 {
     directory_config *dcfg = (directory_config *)_dcfg;
     if (dcfg == NULL) return NULL;
@@ -1723,7 +1814,9 @@ static const char *cmd_geo_lookup_db(cmd_parms *cmd, void *_dcfg,
 
 /* -- Cache -- */
 
-static const char *cmd_cache_transformations(cmd_parms *cmd, void *_dcfg, const char *p1, const char *p2) {
+static const char *cmd_cache_transformations(cmd_parms *cmd, void *_dcfg,
+                                             const char *p1, const char *p2)
+{
     directory_config *dcfg = (directory_config *)_dcfg;
 
     if (dcfg == NULL) return NULL;
@@ -2016,6 +2109,22 @@ const command_rec module_directives[] = {
         "marker for a skipAfter target"
     ),
 
+    AP_INIT_TAKE1 (
+        "SecPcreMatchLimit",
+        cmd_pcre_match_limit,
+        NULL,
+        CMD_SCOPE_MAIN,
+        "PCRE match limit"
+    ),
+
+    AP_INIT_TAKE1 (
+        "SecPcreMatchLimitRecursion",
+        cmd_pcre_match_limit_recursion,
+        NULL,
+        CMD_SCOPE_MAIN,
+        "PCRE match limit recursion"
+    ),
+
     AP_INIT_FLAG (
         "SecPdfProtect",
         cmd_pdf_protect,

apache2/configure

@@ -694,6 +694,9 @@ SHELL'
 ac_subst_files=''
 ac_user_opts='
 enable_option_checking
+enable_pcre_study
+enable_pcre_match_limit
+enable_pcre_match_limit_recursion
 enable_errors
 enable_verbose_output
 enable_strict_compile
@@ -1328,6 +1331,12 @@ Optional Features:
   --disable-option-checking  ignore unrecognized --enable/--with options
   --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
+  --enable-pcre-study     Enable PCRE regex studying during configure.
+  --enable-pcre-match-limit
+                          Enable PCRE regex match limit during configure.
+  --enable-pcre-match-limit-recursion
+                          Enable PCRE regex match limit recursion during
+                          configure.
   --disable-errors        Disable errors during configure.
   --enable-verbose-output Enable more verbose configure output.
   --enable-strict-compile Enable strict compilation (warnings are errors).
@@ -4221,6 +4230,62 @@ MSC_REGRESSION_DOCROOT_DIR="$MSC_REGRESSION_SERVERROOT_DIR/htdocs"
 
 ### Configure Options
 
+# Add PCRE Studying
+
+# Check whether --enable-pcre-study was given.
+if test "${enable_pcre_study+set}" = set; then :
+  enableval=$enable_pcre_study;
+  if test "$enableval" != "no"; then
+    pcre_study='-DWITH_PCRE_STUDY'
+  else
+    pcre_study=''
+  fi
+
+else
+
+  pcre_study='-DWITH_PCRE_STUDY'
+
+fi
+
+
+# Limit PCRE matching
+# Check whether --enable-pcre-match-limit was given.
+if test "${enable_pcre_match_limit+set}" = set; then :
+  enableval=$enable_pcre_match_limit;
+  if test "$enableval" = "yes"; then
+    as_fn_error "PCRE match limits require a numeric value" "$LINENO" 5
+  elif test "$enableval" = "no"; then
+    pcre_match_limit=''
+  else
+    pcre_match_limit="-DMODSEC_PCRE_MATCH_LIMIT=$enableval"
+  fi
+
+else
+
+  pcre_match_limit='-DMODSEC_PCRE_MATCH_LIMIT=1500'
+
+fi
+
+
+# Limit PCRE matching recursion
+# Check whether --enable-pcre-match-limit-recursion was given.
+if test "${enable_pcre_match_limit_recursion+set}" = set; then :
+  enableval=$enable_pcre_match_limit_recursion;
+  if test "$enableval" = "yes"; then
+    as_fn_error "PCRE match limits require a numeric value" "$LINENO" 5
+  elif test "$enableval" = "no"; then
+    pcre_match_limit_recursion=''
+  else
+    pcre_match_limit_recursion="-DMODSEC_PCRE_MATCH_LIMIT_RECURSION=$enableval"
+  fi
+
+else
+
+  pcre_match_limit_recursion='-DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500'
+
+fi
+
+
 # Ignore configure errors
 # Check whether --enable-errors was given.
 if test "${enable_errors+set}" = set; then :
@@ -4575,7 +4640,7 @@ else
     EXTRA_CFLAGS="-O2 -g -Wall $strict_compile"
   fi
 fi
-MODSEC_EXTRA_CFLAGS="$debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api"
+MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api"
 
 APXS_WRAPPER=build/apxs-wrapper
 APXS_EXTRA_CFLAGS=""

apache2/configure.in

@@ -63,6 +63,56 @@ AC_SUBST(MSC_REGRESSION_DOCROOT_DIR)
 
 ### Configure Options
 
+# Add PCRE Studying
+
+AC_ARG_ENABLE(pcre-study,
+              AS_HELP_STRING([--enable-pcre-study],
+                             [Enable PCRE regex studying during configure.]),
+[
+  if test "$enableval" != "no"; then
+    pcre_study='-DWITH_PCRE_STUDY'
+  else
+    pcre_study=''
+  fi
+],
+[
+  pcre_study='-DWITH_PCRE_STUDY'
+])
+
+# Limit PCRE matching
+AC_ARG_ENABLE(pcre-match-limit,
+              AS_HELP_STRING([--enable-pcre-match-limit],
+                             [Enable PCRE regex match limit during configure.]),
+[
+  if test "$enableval" = "yes"; then
+    AC_MSG_ERROR([PCRE match limits require a numeric value])
+  elif test "$enableval" = "no"; then
+    pcre_match_limit=''
+  else
+    pcre_match_limit="-DMODSEC_PCRE_MATCH_LIMIT=$enableval"
+  fi
+],
+[
+  pcre_match_limit='-DMODSEC_PCRE_MATCH_LIMIT=1500'
+])
+
+# Limit PCRE matching recursion
+AC_ARG_ENABLE(pcre-match-limit-recursion,
+              AS_HELP_STRING([--enable-pcre-match-limit-recursion],
+                             [Enable PCRE regex match limit recursion during configure.]),
+[
+  if test "$enableval" = "yes"; then
+    AC_MSG_ERROR([PCRE match limits require a numeric value])
+  elif test "$enableval" = "no"; then
+    pcre_match_limit_recursion=''
+  else
+    pcre_match_limit_recursion="-DMODSEC_PCRE_MATCH_LIMIT_RECURSION=$enableval"
+  fi
+],
+[
+  pcre_match_limit_recursion='-DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500'
+])
+
 # Ignore configure errors
 AC_ARG_ENABLE(errors,
               AS_HELP_STRING([--disable-errors],
@@ -325,7 +375,7 @@ else
     EXTRA_CFLAGS="-O2 -g -Wall $strict_compile"
   fi
 fi
-MODSEC_EXTRA_CFLAGS="$debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api"
+MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api"
 
 APXS_WRAPPER=build/apxs-wrapper
 APXS_EXTRA_CFLAGS=""

apache2/mod_security2.c

@@ -50,6 +50,9 @@ apr_file_t DSOLOCAL *guardianlog_fd = NULL;
 
 char DSOLOCAL *guardianlog_condition = NULL;
 
+unsigned long int DSOLOCAL msc_pcre_match_limit = 0;
+
+unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
 
 /* -- Miscellaneous functions -- */
 

apache2/modsecurity.h

@@ -127,6 +127,10 @@ extern module AP_MODULE_DECLARE_DATA security2_module;
 
 extern DSOLOCAL const command_rec module_directives[];
 
+extern DSOLOCAL unsigned long int msc_pcre_match_limit;
+
+extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;
+
 #define RESBODY_STATUS_NOT_READ         0   /* we were not configured to read the body */
 #define RESBODY_STATUS_ERROR            1   /* error occured while we were reading the body */
 #define RESBODY_STATUS_PARTIAL          2   /* partial body content available in the brigade */

apache2/msc_pcre.c

@@ -38,17 +38,21 @@ apr_status_t msc_pcre_cleanup(msc_regex_t *regex) {
 }
 
 /**
- * Compiles the provided regular expression pattern. The last two
+ * Compiles the provided regular expression pattern. The _err*
  * parameters are optional, but if they are provided and an error
  * occurs they will contain the error message and the offset in
- * the pattern where the offending part of the pattern begins.
+ * the pattern where the offending part of the pattern begins. The
+ * match_limit* parameters are optional and if >0, then will set
+ * match limits.
  */
-void *msc_pregcomp(apr_pool_t *pool, const char *pattern, int options,
+void *msc_pregcomp_ex(apr_pool_t *pool, const char *pattern, int options,
-    const char **_errptr, int *_erroffset)
+                      const char **_errptr, int *_erroffset,
+                      int match_limit, int match_limit_recursion)
 {
     const char *errptr = NULL;
     int erroffset;
     msc_regex_t *regex;
+    pcre_extra *pe = NULL;
 
     regex = apr_pcalloc(pool, sizeof(msc_regex_t));
     if (regex == NULL) return NULL;
@@ -62,15 +66,59 @@ void *msc_pregcomp(apr_pool_t *pool, const char *pattern, int options,
     if (regex->re == NULL) return NULL;
 
     #ifdef WITH_PCRE_STUDY
-    regex->pe = pcre_study(regex->re, 0, &errptr);
+    pe = pcre_study(regex->re, 0, &errptr);
     #endif
 
+    /* Setup the pcre_extra record if pcre_study did not already do it */
+    if (pe == NULL) {
+        pe = malloc(sizeof(pcre_extra));
+        if (pe == NULL) {
+            return NULL;
+        }
+        memset(pe, 0, sizeof(pcre_extra));
+    }
+
+    /* Set some PCRE limits */
+    if (match_limit > 0) {
+        pe->match_limit = match_limit;
+        pe->flags |= PCRE_EXTRA_MATCH_LIMIT;
+    }
+#ifdef MODSEC_PCRE_MATCH_LIMIT
+    else {
+        pe->match_limit = MODSEC_PCRE_MATCH_LIMIT;
+        pe->flags |= PCRE_EXTRA_MATCH_LIMIT;
+    }
+#endif
+
+    if (match_limit_recursion > 0) {
+        pe->match_limit_recursion = match_limit_recursion;
+        pe->flags |= PCRE_EXTRA_MATCH_LIMIT_RECURSION;
+    }
+#ifdef MODSEC_PCRE_MATCH_LIMIT_RECURSION
+    else {
+        pe->match_limit_recursion = MODSEC_PCRE_MATCH_LIMIT_RECURSION;
+        pe->flags |= PCRE_EXTRA_MATCH_LIMIT_RECURSION;
+    }
+#endif
+
+    regex->pe = pe;
+
     apr_pool_cleanup_register(pool, (void *)regex,
         (apr_status_t (*)(void *))msc_pcre_cleanup, apr_pool_cleanup_null);
 
     return regex;
 }
 
+/**
+ * Compiles the provided regular expression pattern.  Calls msc_pregcomp_ex()
+ * with default limits.
+ */
+void *msc_pregcomp(apr_pool_t *pool, const char *pattern, int options,
+                   const char **_errptr, int *_erroffset)
+{
+    return msc_pregcomp_ex(pool, pattern, options, _errptr, _erroffset, 0, 0);
+}
+
 /**
  * Executes regular expression with extended options.
  * Returns PCRE_ERROR_NOMATCH when there is no match, error code < -1
@@ -119,3 +167,4 @@ int msc_fullinfo(msc_regex_t *regex, int what, void *where)
 {
     return pcre_fullinfo(regex->re, regex->pe, what, where);
 }
+

apache2/msc_pcre.h

@@ -33,17 +33,23 @@ struct msc_regex_t {
 
 apr_status_t DSOLOCAL msc_pcre_cleanup(msc_regex_t *regex);
 
+void DSOLOCAL *msc_pregcomp_ex(apr_pool_t *pool, const char *pattern, int options,
+                               const char **_errptr, int *_erroffset,
+                               int match_limit, int match_limit_recursion);
+
 void DSOLOCAL *msc_pregcomp(apr_pool_t *pool, const char *pattern, int options,
                             const char **_errptr, int *_erroffset);
 
-int DSOLOCAL msc_regexec_ex(msc_regex_t *regex, const char *s, unsigned int slen,
+int DSOLOCAL msc_regexec_ex(msc_regex_t *regex, const char *s,
-    int startoffset, int options, int *ovector, int ovecsize, char **error_msg);
+                            unsigned int slen, int startoffset, int options,
+                            int *ovector, int ovecsize, char **error_msg);
 
 int DSOLOCAL msc_regexec_capture(msc_regex_t *regex, const char *s,
-    unsigned int slen, int *ovector, int ovecsize, char **error_msg);
+                                 unsigned int slen, int *ovector,
+                                 int ovecsize, char **error_msg);
 
-int DSOLOCAL msc_regexec(msc_regex_t *regex, const char *s, unsigned int slen,
+int DSOLOCAL msc_regexec(msc_regex_t *regex, const char *s,
-    char **error_msg);
+                         unsigned int slen, char **error_msg);
 
 int DSOLOCAL msc_fullinfo(msc_regex_t *regex, int what, void *where);
 

apache2/msc_test.c

@@ -80,7 +80,8 @@ static apr_pool_t *g_mp = NULL;
 static modsec_rec *g_msr = NULL;
 static unsigned char buf[BUFLEN];
 msc_engine *modsecurity = NULL;
-
+unsigned long int DSOLOCAL msc_pcre_match_limit = 0;
+unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
 
 /* Stubs */
 char *format_error_log_message(apr_pool_t *mp, error_message *em) {
@@ -772,7 +773,7 @@ int main(int argc, const char * const argv[])
                 result = RESULT_WRONGRET;
             }
             else if (param_len != out_len) {
-                fprintf(stderr, "Lenth %" APR_SIZE_T_FMT " (expected %" APR_SIZE_T_FMT ")\n", out_len, param_len);
+                fprintf(stderr, "Length %" APR_SIZE_T_FMT " (expected %" APR_SIZE_T_FMT ")\n", out_len, param_len);
                 result = RESULT_WRONGSIZE;
             }
             else {

apache2/re_operators.c

@@ -84,7 +84,7 @@ static int msre_op_rx_param_init(msre_rule *rule, char **error_msg) {
     *error_msg = NULL;
 
     /* Compile pattern */
-    regex = msc_pregcomp(rule->ruleset->mp, pattern, PCRE_DOTALL | PCRE_DOLLAR_ENDONLY, &errptr, &erroffset);
+    regex = msc_pregcomp_ex(rule->ruleset->mp, pattern, PCRE_DOTALL | PCRE_DOLLAR_ENDONLY, &errptr, &erroffset, msc_pcre_match_limit, msc_pcre_match_limit_recursion);
     if (regex == NULL) {
         *error_msg = apr_psprintf(rule->ruleset->mp, "Error compiling pattern (offset %d): %s",
             erroffset, errptr);
@@ -141,8 +141,29 @@ static int msre_op_rx_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, c
      * and no memory has to be allocated for any backreferences.
      */
     rc = msc_regexec_capture(regex, target, target_length, ovector, 30, &my_error_msg);
-    if (rc < -1) {
+    if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) {
-        *error_msg = apr_psprintf(msr->mp, "Regex execution failed: %s", my_error_msg);
+        msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+
+        if (s == NULL) return -1;
+        s->name = apr_pstrdup(msr->mp, "MSC_PCRE_LIMITS_EXCEEDED");
+        s->name_len = strlen(s->name);
+        s->value = apr_pstrdup(msr->mp, "1");
+        s->value_len = 1;
+        if ((s->name == NULL)||(s->value == NULL)) return -1;
+        apr_table_setn(msr->tx_vars, s->name, (void *)s);
+
+        *error_msg = apr_psprintf(msr->mp,
+                                  "Rule execution error - "
+                                  "PCRE limits exceeded (%d): %s",
+                                  rc, my_error_msg);
+
+        msr_log(msr, 3, "%s.", *error_msg);
+
+        return 0; /* No match. */
+    }
+    else if (rc < -1) {
+        *error_msg = apr_psprintf(msr->mp, "Regex execution failed (%d): %s",
+                                  rc, my_error_msg);
         return -1;
     }
 
@@ -1053,7 +1074,7 @@ static int msre_op_verifyCC_init(msre_rule *rule, char **error_msg) {
     *error_msg = NULL;
 
     /* Compile rule->op_param */
-    regex = msc_pregcomp(rule->ruleset->mp, rule->op_param, PCRE_DOTALL | PCRE_MULTILINE, &errptr, &erroffset);
+    regex = msc_pregcomp_ex(rule->ruleset->mp, rule->op_param, PCRE_DOTALL | PCRE_MULTILINE, &errptr, &erroffset, msc_pcre_match_limit, msc_pcre_match_limit_recursion);
     if (regex == NULL) {
         *error_msg = apr_psprintf(rule->ruleset->mp, "Error compiling pattern (offset %d): %s",
             erroffset, errptr);

doc/modsecurity2-apache-reference.xml

@@ -1465,6 +1465,61 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
 SecMarker 99</emphasis></programlisting></para>
     </section>
 
+    <section>
+      <title><literal>SecPcreMatchLimit</literal></title>
+
+      <para><emphasis>Description:</emphasis>Sets the the match limit in the
+      PCRE library. See the pcre_extra field in the pcreapi man page.</para>
+
+      <para><emphasis>Syntax:</emphasis> <literal
+      moreinfo="none">SecPcreMatchLimit value</literal></para>
+
+      <para><emphasis>Example Usage:</emphasis> <literal
+      moreinfo="none">SecPcreMatchLimit 1500</literal></para>
+
+      <para><emphasis>Processing Phase:</emphasis> N/A</para>
+
+      <para><emphasis>Scope:</emphasis> Global</para>
+
+      <para><emphasis>Version:</emphasis> 2.5.12</para>
+
+      <para><emphasis>Dependencies/Notes:</emphasis> Default is set at compile
+      (1500 by default)</para>
+
+      <para>The <literal>--enable-pcre-match-limit=val</literal> configure
+      option will set a custom default and the
+      <literal>--disable-pcre-match-limit</literal> option will resort to the
+      compiled PCRE library default.</para>
+    </section>
+
+    <section>
+      <title><literal>SecPcreMatchLimitRecursion</literal></title>
+
+      <para><emphasis>Description:</emphasis>Sets the the match limit
+      recursion in the PCRE library. See the pcre_extra field in the pcreapi
+      man page.</para>
+
+      <para><emphasis>Syntax:</emphasis> <literal
+      moreinfo="none">SecPcreMatchLimitRecursion value</literal></para>
+
+      <para><emphasis>Example Usage:</emphasis> <literal
+      moreinfo="none">SecPcreMatchLimitRecursion 1500</literal></para>
+
+      <para><emphasis>Processing Phase:</emphasis> N/A</para>
+
+      <para><emphasis>Scope:</emphasis> Global</para>
+
+      <para><emphasis>Version:</emphasis> 2.5.12</para>
+
+      <para><emphasis>Dependencies/Notes:</emphasis> Default is set at compile
+      (1500 by default)</para>
+
+      <para>The <literal>--enable-pcre-match-limit-recursion=val</literal>
+      configure option will set a custom default and the
+      <literal>--disable-pcre-match-limit-recursion</literal> option will
+      resort to the compiled PCRE library default.</para>
+    </section>
+
     <section>
       <title><literal>SecPdfProtect</literal></title>
 
@@ -3833,6 +3888,21 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
           moreinfo="none">@rx</literal> operator with capturing parens and the
           <literal moreinfo="none">capture</literal> action.</para>
         </listitem>
+
+        <listitem>
+          <para><literal moreinfo="none">TX:MSC_.*</literal> - ModSecurity
+          processing flags.</para>
+
+          <itemizedlist>
+            <listitem>
+              <para><literal
+              moreinfo="none">MSC_PCRE_LIMITS_EXCEEDED</literal> - Set
+              non-zero if PCRE match limits are exceeded. See <literal
+              moreinfo="none">SecPcreMatchLimit</literal> and <literal
+              moreinfo="none">SecPcreMatchLimitRecursion</literal>.</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
       </itemizedlist>
 
       <programlisting format="linespecific">SecRule WEBSERVER_ERROR_LOG "does not exist" "phase:5,pass,<emphasis>setvar:tx.score=+5</emphasis>"

modsecurity.conf-minimal

@@ -4,6 +4,10 @@ SecRuleEngine On
 SecRequestBodyAccess On
 SecResponseBodyAccess Off
 
+# PCRE Tuning
+SecPcreMatchLimit 1000
+SecPcreMatchLimitRecursion 1000
+
 # Handling of file uploads
 # TODO Choose a folder private to Apache.
 # SecUploadDir /opt/apache-frontend/tmp/