Added support for MATCHED_VAR and MATCHED_VAR_NAME. See #123.

apache2/modsecurity.c

@@ -304,6 +304,9 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) {
     msr->tcache = apr_hash_make(msr->mp);
     if (msr->tcache == NULL) return -1;
 
+    msr->matched_var = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+    if (msr->matched_var == NULL) return -1;
+
     msr->highest_severity = 255; /* high, invalid value */
 
     return 1;

apache2/modsecurity.h

@@ -324,7 +324,7 @@ struct modsec_rec {
     apr_time_t           time_checkpoint_2;
     apr_time_t           time_checkpoint_3;
 
-    const char          *matched_var;
+    msc_string          *matched_var;
     int                  highest_severity;
 
     /* upload */

apache2/re.c

@@ -1342,7 +1342,11 @@ static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr,
                 log_escape(msr->mp, full_varname));
         }
 
-        msr->matched_var = apr_pstrdup(msr->mp, var->name);
+        /* Save the last matched var data */
+        msr->matched_var->name = apr_pstrdup(msr->mp, var->name);
+        msr->matched_var->name_len = strlen(msr->matched_var->name);
+        msr->matched_var->value = apr_pmemdup(msr->mp, var->value, var->value_len);
+        msr->matched_var->value_len = var->value_len;
 
         /* Keep track of the highest severity matched so far */
         if ((acting_actionset->severity > 0) && (acting_actionset->severity < msr->highest_severity))

apache2/re_actions.c

@@ -769,39 +769,40 @@ static apr_status_t msre_action_sanitiseMatched_execute(modsec_rec *msr, apr_poo
     const apr_array_header_t *tarr;
     const apr_table_entry_t *telts;
     int i, type = 0;
+    msc_string *mvar = msr->matched_var;
 
-    if (msr->matched_var == NULL) return 0;
+    if (mvar->name_len == 0) return 0;
 
     /* IMP1 We need to extract the variable name properly here,
      *      taking into account it may have been escaped.
      */
-    if (strncmp(msr->matched_var, "ARGS:", 5) == 0) {
+    if ((mvar->name_len > 5) && (strncmp(mvar->name, "ARGS:", 5) == 0)) {
-        sargname = apr_pstrdup(msr->mp, msr->matched_var + 5);
+        sargname = apr_pstrdup(msr->mp, mvar->name + 5);
         type = SANITISE_ARG;
     } else
-    if (strncmp(msr->matched_var, "ARGS_NAMES:", 11) == 0) {
+    if ((mvar->name_len > 11) && (strncmp(mvar->name, "ARGS_NAMES:", 11) == 0)) {
-        sargname = apr_pstrdup(msr->mp, msr->matched_var + 11);
+        sargname = apr_pstrdup(msr->mp, mvar->name + 11);
         type = SANITISE_ARG;
     } else
-    if (strncmp(msr->matched_var, "REQUEST_HEADERS:", 16) == 0) {
+    if ((mvar->name_len > 16) && (strncmp(mvar->name, "REQUEST_HEADERS:", 16) == 0)) {
-        sargname = apr_pstrdup(msr->mp, msr->matched_var + 16);
+        sargname = apr_pstrdup(msr->mp, mvar->name + 16);
         type = SANITISE_REQUEST_HEADER;
     } else
-    if (strncmp(msr->matched_var, "REQUEST_HEADERS_NAMES:", 22) == 0) {
+    if ((mvar->name_len > 22) && (strncmp(mvar->name, "REQUEST_HEADERS_NAMES:", 22) == 0)) {
-        sargname = apr_pstrdup(msr->mp, msr->matched_var + 22);
+        sargname = apr_pstrdup(msr->mp, mvar->name + 22);
         type = SANITISE_REQUEST_HEADER;
     } else
-    if (strncmp(msr->matched_var, "RESPONSE_HEADERS:", 17) == 0) {
+    if ((mvar->name_len > 17) && (strncmp(mvar->name, "RESPONSE_HEADERS:", 17) == 0)) {
-        sargname = apr_pstrdup(msr->mp, msr->matched_var + 17);
+        sargname = apr_pstrdup(msr->mp, mvar->name + 17);
         type = SANITISE_RESPONSE_HEADER;
     } else
-    if (strncmp(msr->matched_var, "RESPONSE_HEADERS_NAMES:", 23) == 0) {
+    if ((mvar->name_len > 23) && (strncmp(mvar->name, "RESPONSE_HEADERS_NAMES:", 23) == 0)) {
-        sargname = apr_pstrdup(msr->mp, msr->matched_var + 23);
+        sargname = apr_pstrdup(msr->mp, mvar->name + 23);
         type = SANITISE_RESPONSE_HEADER;
     }
     else {
         msr_log(msr, 3, "sanitiseMatched: Don't know how to handle variable: %s",
-            msr->matched_var);
+            mvar->name);
         return 0;
     }
 

apache2/re_variables.c

@@ -843,8 +843,23 @@ static int var_ip_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
 static int var_matched_var_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
     apr_table_t *vartab, apr_pool_t *mptmp)
 {
-    return var_simple_generate(var, vartab, mptmp,
+    return var_simple_generate_ex(var, vartab, mptmp,
-                               apr_pstrdup(mptmp, msr->matched_var));
+                               apr_pmemdup(mptmp,
+                                   msr->matched_var->value,
+                                   msr->matched_var->value_len),
+                               msr->matched_var->value_len);
+}
+
+/* MATCHED_VAR_NAME */
+
+static int var_matched_var_name_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
+    apr_table_t *vartab, apr_pool_t *mptmp)
+{
+    return var_simple_generate_ex(var, vartab, mptmp,
+                               apr_pmemdup(mptmp,
+                                   msr->matched_var->name,
+                                   msr->matched_var->name_len),
+                               msr->matched_var->name_len);
 }
 
 /* SESSION */
@@ -2312,6 +2327,17 @@ void msre_engine_register_default_variables(msre_engine *engine) {
         PHASE_REQUEST_HEADERS
     );
 
+    /* MATCHED_VAR_NAME */
+    msre_engine_variable_register(engine,
+        "MATCHED_VAR_NAME",
+        VAR_SIMPLE,
+        0, 0,
+        NULL,
+        var_matched_var_name_generate,
+        VAR_DONT_CACHE,
+        PHASE_REQUEST_HEADERS
+    );
+
     /* MODSEC_BUILD */
     msre_engine_variable_register(engine,
         "MODSEC_BUILD",

doc/modsecurity2-apache-reference.xml

@@ -2025,9 +2025,7 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis
     <para>The following variables are supported in ModSecurity 2.x:</para>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">ARGS</literal></title>
-        <literal moreinfo="none">ARGS</literal>
-      </title>
 
       <para><literal>ARGS</literal> is a collection and can be used on its own
       (means all arguments including the POST Payload), with a static
@@ -2072,9 +2070,7 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">ARGS_COMBINED_SIZE</literal></title>
-        <literal moreinfo="none">ARGS_COMBINED_SIZE</literal>
-      </title>
 
       <para>This variable allows you to set more targeted evaluations on the
       total size of the Arguments as compared with normal Apache LimitRequest
@@ -2088,9 +2084,7 @@ SecRule <emphasis role="bold">ARGS_COMBINED_SIZE</emphasis> "@gt 25"</programlis
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">ARGS_NAMES</literal></title>
-        <literal moreinfo="none">ARGS_NAMES</literal>
-      </title>
 
       <para>Is a collection of the argument names. You can search for specific
       argument names that you want to block. In a positive policy scenario,
@@ -2104,18 +2098,14 @@ SecRule<emphasis role="bold"> ARGS_NAMES</emphasis> "!^(p|a)$"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">ARGS_GET</literal></title>
-        <literal moreinfo="none">ARGS_GET</literal>
-      </title>
 
       <para><literal>ARGS_GET</literal> is similar to <literal>ARGS</literal>,
       but only contains arguments from the query string.</para>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">ARGS_GET_NAMES</literal></title>
-        <literal moreinfo="none">ARGS_GET_NAMES</literal>
-      </title>
 
       <para><literal>ARGS_GET_NAMES</literal> is similar to
       <literal>ARGS_NAMES</literal>, but only contains argument names from the
@@ -2123,9 +2113,7 @@ SecRule<emphasis role="bold"> ARGS_NAMES</emphasis> "!^(p|a)$"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">ARGS_POST</literal></title>
-        <literal moreinfo="none">ARGS_POST</literal>
-      </title>
 
       <para><literal>ARGS_POST</literal> is similar to
       <literal>ARGS</literal>, but only contains arguments from the POST
@@ -2133,9 +2121,7 @@ SecRule<emphasis role="bold"> ARGS_NAMES</emphasis> "!^(p|a)$"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">ARGS_POST_NAMES</literal></title>
-        <literal moreinfo="none">ARGS_POST_NAMES</literal>
-      </title>
 
       <para><literal>ARGS_POST_NAMES</literal> is similar to
       <literal>ARGS_NAMES</literal>, but only contains argument names from the
@@ -2143,18 +2129,14 @@ SecRule<emphasis role="bold"> ARGS_NAMES</emphasis> "!^(p|a)$"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">AUTH_TYPE</literal></title>
-        <literal moreinfo="none">AUTH_TYPE</literal>
-      </title>
 
       <para>This variable holds the authentication method used to validate a
       user. Example:</para>
 
       <programlisting format="linespecific">SecRule <emphasis role="bold">AUTH_TYPE</emphasis> "basic" log,deny,status:403,phase:1,t:lowercase</programlisting>
 
-      <para>
+      <para><emphasis role="bold">Note</emphasis></para>
-        <emphasis role="bold">Note</emphasis>
-      </para>
 
       <para>This data will not be available in a proxy-mode deployment as the
       authentication is not local. In a proxy-mode deployment, you would need
@@ -2163,9 +2145,7 @@ SecRule<emphasis role="bold"> ARGS_NAMES</emphasis> "!^(p|a)$"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">ENV</literal></title>
-        <literal moreinfo="none">ENV</literal>
-      </title>
 
       <para>Collection, requires a single parameter (after a colon character).
       The ENV variable is set with setenv and does not give access to the CGI
@@ -2177,9 +2157,7 @@ SecRule <emphasis role="bold">ENV:tag</emphasis> "suspicious"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">FILES</literal></title>
-        <literal moreinfo="none">FILES</literal>
-      </title>
 
       <para>Collection. Contains a collection of original file names (as they
       were called on the remote user's file system). Note: only available if
@@ -2189,9 +2167,7 @@ SecRule <emphasis role="bold">ENV:tag</emphasis> "suspicious"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">FILES_COMBINED_SIZE</literal></title>
-        <literal moreinfo="none">FILES_COMBINED_SIZE</literal>
-      </title>
 
       <para>Single value. Total size of the uploaded files. Note: only
       available if files were extracted from the request body. Example:</para>
@@ -2200,9 +2176,7 @@ SecRule <emphasis role="bold">ENV:tag</emphasis> "suspicious"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">FILES_NAMES</literal></title>
-        <literal moreinfo="none">FILES_NAMES</literal>
-      </title>
 
       <para>Collection w/o parameter. Contains a list of form fields that were
       used for file upload. Note: only available if files were extracted from
@@ -2212,9 +2186,7 @@ SecRule <emphasis role="bold">ENV:tag</emphasis> "suspicious"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">FILES_SIZES</literal></title>
-        <literal moreinfo="none">FILES_SIZES</literal>
-      </title>
 
       <para>Collection. Contains a list of file sizes. Useful for implementing
       a size limitation on individual uploaded files. Note: only available if
@@ -2224,9 +2196,7 @@ SecRule <emphasis role="bold">ENV:tag</emphasis> "suspicious"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">FILES_TMPNAMES</literal></title>
-        <literal moreinfo="none">FILES_TMPNAMES</literal>
-      </title>
 
       <para>Collection. Contains a collection of temporary files' names on the
       disk. Useful when used together with <literal
@@ -2237,9 +2207,7 @@ SecRule <emphasis role="bold">ENV:tag</emphasis> "suspicious"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">GEO</literal></title>
-        <literal moreinfo="none">GEO</literal>
-      </title>
 
       <para><literal>GEO</literal> is a collection populated by the <literal
       moreinfo="none">@geoLookups</literal> operator. It can be used to match
@@ -2313,9 +2281,7 @@ SecRule GEO:COUNTRY_CODE "!@streq UK"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">HIGHEST_SEVERITY</literal></title>
-        <literal moreinfo="none">HIGHEST_SEVERITY</literal>
-      </title>
 
       <para>This variable holds the highest severity of any rules that have
       matched so far. Severities are numeric values and thus can be used with
@@ -2332,22 +2298,31 @@ SecRule GEO:COUNTRY_CODE "!@streq UK"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">MATCHED_VAR</literal></title>
-        <literal moreinfo="none">MATCHED_VAR</literal>
+
-      </title>
+      <para>This variable holds the value of the variable that was matched
+      against. It is similar to the TX:0, except it can be used for all
+      operators and does not require that the <literal
+      moreinfo="none">capture</literal> action be specified.</para>
+
+      <programlisting format="linespecific">SecRule ARGS pattern chain,deny
+...
+SecRule <emphasis role="bold">MATCHED_VAR</emphasis> "further scrutiny"</programlisting>
+    </section>
+
+    <section>
+      <title><literal moreinfo="none">MATCHED_VAR_NAME</literal></title>
 
       <para>This variable holds the full name of the variable that was matched
       against.</para>
 
-      <programlisting format="linespecific">SecRule ARGS pattern setvar:tx.mymatch=%{MATCHED_VAR}
+      <programlisting format="linespecific">SecRule ARGS pattern setvar:tx.mymatch=%{MATCHED_VAR_NAME}
 ...
 SecRule <emphasis role="bold">TX:MYMATCH</emphasis> "@eq ARGS:param" deny</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">MODSEC_BUILD</literal></title>
-        <literal moreinfo="none">MODSEC_BUILD</literal>
-      </title>
 
       <para>This variable holds the ModSecurity build number. This variable is
       intended to be used to check the build number prior to using a feature
@@ -2358,9 +2333,7 @@ SecRule ARGS "@pm some key words" deny,status:500</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal>MULTIPART_STRICT_ERROR</literal></title>
-        <literal>MULTIPART_STRICT_ERROR</literal>
-      </title>
 
       <para><literal>MULTIPART_STRICT_ERROR</literal> will be set to
       <literal>1</literal> when any of the following variables is also set to
@@ -2407,9 +2380,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal>MULTIPART_UNMATCHED_BOUNDARY</literal></title>
-        <literal>MULTIPART_UNMATCHED_BOUNDARY</literal>
-      </title>
 
       <para>Set to <literal>1</literal> when, during the parsing phase of a
       <literal>multipart/request-body</literal>, ModSecurity encounters what
@@ -2427,9 +2398,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">PATH_INFO</literal></title>
-        <literal moreinfo="none">PATH_INFO</literal>
-      </title>
 
       <para>Besides passing query information to a script/handler, you can
       also pass additional data, known as extra path information, as part of
@@ -2439,9 +2408,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">QUERY_STRING</literal></title>
-        <literal moreinfo="none">QUERY_STRING</literal>
-      </title>
 
       <para>This variable holds form data passed to the script/handler by
       appending data after a question mark. Warning: Not URL-decoded.
@@ -2451,9 +2418,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">REMOTE_ADDR</literal></title>
-        <literal moreinfo="none">REMOTE_ADDR</literal>
-      </title>
 
       <para>This variable holds the IP address of the remote client.
       Example:</para>
@@ -2462,9 +2427,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">REMOTE_HOST</literal></title>
-        <literal moreinfo="none">REMOTE_HOST</literal>
-      </title>
 
       <para>If HostnameLookUps are set to On, then this variable will hold the
       DNS resolved remote host name. If it is set to Off, then it will hold
@@ -2476,9 +2439,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">REMOTE_PORT</literal></title>
-        <literal moreinfo="none">REMOTE_PORT</literal>
-      </title>
 
       <para>This variable holds information on the source port that the client
       used when initiating the connection to our web server. Example: in this
@@ -2490,9 +2451,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">REMOTE_USER</literal></title>
-        <literal moreinfo="none">REMOTE_USER</literal>
-      </title>
 
       <para>This variable holds the username of the authenticated user. If
       there are no password (basic|digest) access controls in place, then this
@@ -2500,18 +2459,14 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"</programlisting>
 
       <programlisting format="linespecific">SecRule <emphasis role="bold">REMOTE_USER</emphasis> "admin"</programlisting>
 
-      <para>
+      <para><emphasis role="bold">Note</emphasis></para>
-        <emphasis role="bold">Note</emphasis>
-      </para>
 
       <para>This data will not be available in a proxy-mode deployment as the
       authentication is not local.</para>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">REQBODY_PROCESSOR</literal></title>
-        <literal moreinfo="none">REQBODY_PROCESSOR</literal>
-      </title>
 
       <para>Built-in processors are <literal
       moreinfo="none">URLENCODED</literal>,<literal moreinfo="none">
@@ -2523,9 +2478,8 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal
-        <literal moreinfo="none">REQBODY_PROCESSOR_ERROR</literal>
+      moreinfo="none">REQBODY_PROCESSOR_ERROR</literal></title>
-      </title>
 
       <para>Possible values are 0 (no error) or 1 (error). This variable will
       be set by request body processors (typically the
@@ -2550,9 +2504,8 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal
-        <literal moreinfo="none">REQBODY_PROCESSOR_ERROR_MSG</literal>
+      moreinfo="none">REQBODY_PROCESSOR_ERROR_MSG</literal></title>
-      </title>
 
       <para>Empty, or contains the error message from the processor.
       Example:</para>
@@ -2561,9 +2514,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">REQUEST_BASENAME</literal></title>
-        <literal moreinfo="none">REQUEST_BASENAME</literal>
-      </title>
 
       <para>This variable holds just the filename part of
       <literal>REQUEST_FILENAME</literal> (e.g. index.php). Warning: not
@@ -2573,9 +2524,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">REQUEST_BODY</literal></title>
-        <literal moreinfo="none">REQUEST_BODY</literal>
-      </title>
 
       <para>This variable holds the data in the request body (including
       POST_PAYLOAD data). REQUEST_BODY should be used if the original order of
@@ -2584,18 +2533,14 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
 
       <programlisting format="linespecific">SecRule <emphasis role="bold">REQUEST_BODY</emphasis> "^username=\w{25,}\&amp;password=\w{25,}\&amp;Submit\=login$"</programlisting>
 
-      <para>
+      <para><emphasis role="bold">Note</emphasis></para>
-        <emphasis role="bold">Note</emphasis>
-      </para>
 
       <para>This variable is only available if the content type is
       application/x-www-form-urlencoded.</para>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">REQUEST_COOKIES</literal></title>
-        <literal moreinfo="none">REQUEST_COOKIES</literal>
-      </title>
 
       <para>This variable is a collection of all of the cookie data. Example:
       the following example is using the Ampersand special operator to count
@@ -2606,9 +2551,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">REQUEST_COOKIES_NAMES</literal></title>
-        <literal moreinfo="none">REQUEST_COOKIES_NAMES</literal>
-      </title>
 
       <para>This variable is a collection of the cookie names in the request
       headers. Example: the following rule will trigger if the JSESSIONID
@@ -2618,9 +2561,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">REQUEST_FILENAME</literal></title>
-        <literal moreinfo="none">REQUEST_FILENAME</literal>
-      </title>
 
       <para>This variable holds the relative REQUEST_URI minus the
       QUERY_STRING part (e.g. /index.php). Example:</para>
@@ -2629,9 +2570,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">REQUEST_HEADERS</literal></title>
-        <literal moreinfo="none">REQUEST_HEADERS</literal>
-      </title>
 
       <para>This variable can be used as either a collection of all of the
       Request Headers or can be used to specify indivudual headers (by using
@@ -2649,9 +2588,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">REQUEST_HEADERS_NAMES</literal></title>
-        <literal moreinfo="none">REQUEST_HEADERS_NAMES</literal>
-      </title>
 
       <para>This variable is a collection of the names of all of the Request
       Headers. Example:</para>
@@ -2661,9 +2598,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">REQUEST_LINE</literal></title>
-        <literal moreinfo="none">REQUEST_LINE</literal>
-      </title>
 
       <para>This variable holds the complete request line sent to the server
       (including the REQUEST_METHOD and HTTP version data). Example: this
@@ -2673,9 +2608,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
 
       <programlisting format="linespecific">SecRule <emphasis role="bold">REQUEST_LINE</emphasis> "!(^((?:(?:pos|ge)t|head))|http/(0\.9|1\.0|1\.1)$)"</programlisting>
 
-      <para>
+      <para><emphasis role="bold">Note</emphasis></para>
-        <emphasis role="bold">Note</emphasis>
-      </para>
 
       <para>Due to the default action transformation function lowercase, the
       regex strings should be in lowercase as well unless the t:none
@@ -2683,9 +2616,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">REQUEST_METHOD</literal></title>
-        <literal moreinfo="none">REQUEST_METHOD</literal>
-      </title>
 
       <para>This variable holds the Request Method used by the client.
       Example: the following example will trigger if the Request Method is
@@ -2693,9 +2624,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
 
       <programlisting format="linespecific">SecRule <emphasis role="bold">REQUEST_METHOD</emphasis> "^((?:connect|trace))$"</programlisting>
 
-      <para>
+      <para><emphasis role="bold">Note</emphasis></para>
-        <emphasis role="bold">Note</emphasis>
-      </para>
 
       <para>Due to the default action transformation function lowercase, the
       regex strings should be in lowercase as well unless the t:none
@@ -2703,18 +2632,14 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">REQUEST_PROTOCOL</literal></title>
-        <literal moreinfo="none">REQUEST_PROTOCOL</literal>
-      </title>
 
       <para>This variable holds the Request Protocol Version information.
       Example:</para>
 
       <programlisting format="linespecific">SecRule <emphasis role="bold">REQUEST_PROTOCOL</emphasis> "!^http/(0\.9|1\.0|1\.1)$"</programlisting>
 
-      <para>
+      <para><emphasis role="bold">Note</emphasis></para>
-        <emphasis role="bold">Note</emphasis>
-      </para>
 
       <para>Due to the default action transformation function lowercase, the
       regex strings should be in lowercase as well unless the t:none
@@ -2722,9 +2647,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">REQUEST_URI</literal></title>
-        <literal moreinfo="none">REQUEST_URI</literal>
-      </title>
 
       <para>This variable holds the full URL including the QUERY_STRING data
       (e.g. /index.php?p=X), however it will never contain a domain name, even
@@ -2736,9 +2659,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">REQUEST_URI_RAW</literal></title>
-        <literal moreinfo="none">REQUEST_URI_RAW</literal>
-      </title>
 
       <para>Same as REQUEST_URI but will contain the domain name if it was
       provided on the request line (e.g.
@@ -2749,9 +2670,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">RESPONSE_BODY</literal></title>
-        <literal moreinfo="none">RESPONSE_BODY</literal>
-      </title>
 
       <para>This variable holds the data for the response payload.
       Example:</para>
@@ -2760,9 +2679,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal>RESPONSE_CONTENT_LENGTH</literal></title>
-        <literal>RESPONSE_CONTENT_LENGTH</literal>
-      </title>
 
       <para>Response body length in bytes. Can be available starting with
       phase 3 but it does not have to be (as the length of response body is
@@ -2778,18 +2695,14 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal>RESPONSE_CONTENT_TYPE</literal></title>
-        <literal>RESPONSE_CONTENT_TYPE</literal>
-      </title>
 
       <para>Response content type. Only available starting with phase
       3.</para>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">RESPONSE_HEADERS</literal></title>
-        <literal moreinfo="none">RESPONSE_HEADERS</literal>
-      </title>
 
       <para>This variable is similar to the REQUEST_HEADERS variable and can
       be used in the same manner. Example:</para>
@@ -2797,9 +2710,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
       <programlisting format="linespecific">SecRule<emphasis role="bold"> RESPONSE_HEADERS</emphasis><emphasis
           role="bold">:X-Cache</emphasis> "MISS"</programlisting>
 
-      <para>
+      <para><emphasis role="bold">Note</emphasis></para>
-        <emphasis role="bold">Note</emphasis>
-      </para>
 
       <para>This variable may not have access to some headers when running in
       embedded-mode. Headers such as Server, Date, Connection and Content-Type
@@ -2809,27 +2720,21 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">RESPONSE_HEADERS_NAMES</literal></title>
-        <literal moreinfo="none">RESPONSE_HEADERS_NAMES</literal>
-      </title>
 
       <para>This variable is a collection of the response header names.
       Example:</para>
 
       <programlisting format="linespecific">SecRule <emphasis role="bold">RESPONSE_HEADERS_NAMES</emphasis> "Set-Cookie"</programlisting>
 
-      <para>
+      <para><emphasis role="bold">Note</emphasis></para>
-        <emphasis role="bold">Note</emphasis>
-      </para>
 
       <para>Same limitations as RESPONSE_HEADERS with regards to access to
       some headers in embedded-mode.</para>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">RESPONSE_PROTOCOL</literal></title>
-        <literal moreinfo="none">RESPONSE_PROTOCOL</literal>
-      </title>
 
       <para>This variable holds the HTTP Response Protocol information.
       Example:</para>
@@ -2838,18 +2743,14 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">RESPONSE_STATUS</literal></title>
-        <literal moreinfo="none">RESPONSE_STATUS</literal>
-      </title>
 
       <para>This variable holds the HTTP Response Status Code generated by
       Apache. Example:</para>
 
       <programlisting format="linespecific">SecRule <emphasis role="bold">RESPONSE_STATUS</emphasis> "^[45]"</programlisting>
 
-      <para>
+      <para><emphasis role="bold">Note</emphasis></para>
-        <emphasis role="bold">Note</emphasis>
-      </para>
 
       <para>This directive may not work as expected in embedded-mode as Apache
       handles many of the stock response codes (404, 401, etc...) earlier in
@@ -2858,9 +2759,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">RULE</literal></title>
-        <literal moreinfo="none">RULE</literal>
-      </title>
 
       <para>This variable provides access to the <literal
       moreinfo="none">id</literal>, <literal moreinfo="none">rev</literal>,
@@ -2875,77 +2774,59 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">SCRIPT_BASENAME</literal></title>
-        <literal moreinfo="none">SCRIPT_BASENAME</literal>
-      </title>
 
       <para>This variable holds just the local filename part of
       SCRIPT_FILENAME. Example:</para>
 
       <programlisting format="linespecific">SecRule <emphasis role="bold">SCRIPT_BASENAME</emphasis> "^login\.php$"</programlisting>
 
-      <para>
+      <para><emphasis role="bold">Note</emphasis></para>
-        <emphasis role="bold">Note</emphasis>
-      </para>
 
       <para>This variable is not available in proxy mode.</para>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">SCRIPT_FILENAME</literal></title>
-        <literal moreinfo="none">SCRIPT_FILENAME</literal>
-      </title>
 
       <para>This variable holds the full path on the server to the requested
       script. (e.g. SCRIPT_NAME plus the server path). Example:</para>
 
       <programlisting format="linespecific">SecRule <emphasis role="bold">SCRIPT_FILENAME</emphasis> "^/usr/local/apache/cgi-bin/login\.php$"</programlisting>
 
-      <para>
+      <para><emphasis role="bold">Note</emphasis></para>
-        <emphasis role="bold">Note</emphasis>
-      </para>
 
       <para>This variable is not available in proxy mode.</para>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">SCRIPT_GID</literal></title>
-        <literal moreinfo="none">SCRIPT_GID</literal>
-      </title>
 
       <para>This variable holds the groupid (numerical value) of the group
       owner of the script. Example:</para>
 
       <programlisting format="linespecific">SecRule <emphasis role="bold">SCRIPT_GID</emphasis> "!^46$"</programlisting>
 
-      <para>
+      <para><emphasis role="bold">Note</emphasis></para>
-        <emphasis role="bold">Note</emphasis>
-      </para>
 
       <para>This variable is not available in proxy mode.</para>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">SCRIPT_GROUPNAME</literal></title>
-        <literal moreinfo="none">SCRIPT_GROUPNAME</literal>
-      </title>
 
       <para>This variable holds the group name of the group owner of the
       script. Example:</para>
 
       <programlisting format="linespecific">SecRule<emphasis role="bold"> SCRIPT_GROUPNAME</emphasis> "!^apache$"</programlisting>
 
-      <para>
+      <para><emphasis role="bold">Note</emphasis></para>
-        <emphasis role="bold">Note</emphasis>
-      </para>
 
       <para>This variable is not available in proxy mode.</para>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">SCRIPT_MODE</literal></title>
-        <literal moreinfo="none">SCRIPT_MODE</literal>
-      </title>
 
       <para>This variable holds the script's permissions mode data (numerical
       - 1=execute, 2=write, 4=read and 7=read/write/execute). Example: will
@@ -2953,17 +2834,13 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
 
       <programlisting format="linespecific">SecRule <emphasis role="bold">SCRIPT_MODE</emphasis> "^(2|3|6|7)$"</programlisting>
 
-      <para>
+      <para><emphasis role="bold">Note</emphasis></para>
-        <emphasis role="bold">Note</emphasis>
-      </para>
 
       <para>This variable is not available in proxy mode.</para>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">SCRIPT_UID</literal></title>
-        <literal moreinfo="none">SCRIPT_UID</literal>
-      </title>
 
       <para>This variable holds the userid (numerical value) of the owner of
       the script. Example: the example rule below will trigger if the UID is
@@ -2971,34 +2848,26 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
 
       <programlisting format="linespecific">SecRule<emphasis role="bold"> SCRIPT_UID</emphasis> "!^46$"</programlisting>
 
-      <para>
+      <para><emphasis role="bold">Note</emphasis></para>
-        <emphasis role="bold">Note</emphasis>
-      </para>
 
       <para>This variable is not available in proxy mode.</para>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">SCRIPT_USERNAME</literal></title>
-        <literal moreinfo="none">SCRIPT_USERNAME</literal>
-      </title>
 
       <para>This variable holds the username of the owner of the script.
       Example:</para>
 
       <programlisting format="linespecific">SecRule <emphasis role="bold">SCRIPT_USERNAME</emphasis> "!^apache$"</programlisting>
 
-      <para>
+      <para><emphasis role="bold">Note</emphasis></para>
-        <emphasis role="bold">Note</emphasis>
-      </para>
 
       <para>This variable is not available in proxy mode.</para>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">SERVER_ADDR</literal></title>
-        <literal moreinfo="none">SERVER_ADDR</literal>
-      </title>
 
       <para>This variable contains the IP address of the server.
       Example:</para>
@@ -3007,27 +2876,21 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">SERVER_NAME</literal></title>
-        <literal moreinfo="none">SERVER_NAME</literal>
-      </title>
 
       <para>This variable contains the server's hostname or IP address.
       Example:</para>
 
       <programlisting format="linespecific">SecRule <emphasis role="bold">SERVER_NAME</emphasis> "hostname\.com$"</programlisting>
 
-      <para>
+      <para><emphasis role="bold">Note</emphasis></para>
-        <emphasis role="bold">Note</emphasis>
-      </para>
 
       <para>This data is taken from the Host header submitted in the client
       request.</para>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">SERVER_PORT</literal></title>
-        <literal moreinfo="none">SERVER_PORT</literal>
-      </title>
 
       <para>This variable contains the local port that the web server is
       listening on. Example:</para>
@@ -3036,9 +2899,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">SESSION</literal></title>
-        <literal moreinfo="none">SESSION</literal>
-      </title>
 
       <para>This variable is a collection, available only after <literal
       moreinfo="none">setsid</literal> is executed. Example: the following
@@ -3056,9 +2917,7 @@ SecRule<emphasis role="bold"> SESSION:BLOCKED</emphasis> "@eq 1" "log,deny,statu
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">SESSIONID</literal></title>
-        <literal moreinfo="none">SESSIONID</literal>
-      </title>
 
       <para>This variable is the value set with <literal
       moreinfo="none">setsid</literal>. Example:</para>
@@ -3069,9 +2928,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">TIME</literal></title>
-        <literal moreinfo="none">TIME</literal>
-      </title>
 
       <para>This variable holds a formatted string representing the time
       (hour:minute:second). Example:</para>
@@ -3080,9 +2937,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">TIME_DAY</literal></title>
-        <literal moreinfo="none">TIME_DAY</literal>
-      </title>
 
       <para>This variable holds the current date (1-31). Example: this rule
       would trigger anytime between the 10th and 20th days of the
@@ -3092,9 +2947,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">TIME_EPOCH</literal></title>
-        <literal moreinfo="none">TIME_EPOCH</literal>
-      </title>
 
       <para>This variable holds the time in seconds since 1970.
       Example:</para>
@@ -3103,9 +2956,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">TIME_HOUR</literal></title>
-        <literal moreinfo="none">TIME_HOUR</literal>
-      </title>
 
       <para>This variable holds the current hour (0-23). Example: this rule
       would trigger during "off hours".</para>
@@ -3114,9 +2965,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">TIME_MIN</literal></title>
-        <literal moreinfo="none">TIME_MIN</literal>
-      </title>
 
       <para>This variable holds the current minute (0-59). Example: this rule
       would trigger during the last half hour of every hour.</para>
@@ -3125,9 +2974,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">TIME_MON</literal></title>
-        <literal moreinfo="none">TIME_MON</literal>
-      </title>
 
       <para>This variable holds the current month (0-11). Example: this rule
       would match if the month was either November (10) or December
@@ -3137,9 +2984,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">TIME_SEC</literal></title>
-        <literal moreinfo="none">TIME_SEC</literal>
-      </title>
 
       <para>This variable holds the current second count (0-59).
       Example:</para>
@@ -3148,9 +2993,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">TIME_WDAY</literal></title>
-        <literal moreinfo="none">TIME_WDAY</literal>
-      </title>
 
       <para>This variable holds the current weekday (0-6). Example: this rule
       would trigger only on week-ends (Saturday and Sunday).</para>
@@ -3159,9 +3002,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">TIME_YEAR</literal></title>
-        <literal moreinfo="none">TIME_YEAR</literal>
-      </title>
 
       <para>This variable holds the current four-digit year data.
       Example:</para>
@@ -3170,9 +3011,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">TX</literal></title>
-        <literal moreinfo="none">TX</literal>
-      </title>
 
       <para>Transaction Collection. This is used to store pieces of data,
       create a transaction anomaly score, and so on. Transaction variables are
@@ -3208,9 +3047,7 @@ SecRule<emphasis role="bold"> TX:SCORE</emphasis> "@gt 20" deny,log</programlist
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">USERID</literal></title>
-        <literal moreinfo="none">USERID</literal>
-      </title>
 
       <para>This variable is the value set with <literal
       moreinfo="none">setuid</literal>. Example:</para>
@@ -3220,9 +3057,7 @@ SecRule<emphasis role="bold"> USERID</emphasis> "Admin"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">WEBAPPID</literal></title>
-        <literal moreinfo="none">WEBAPPID</literal>
-      </title>
 
       <para>This variable is the value set with <literal
       moreinfo="none">SecWebAppId</literal>. Example:</para>
@@ -3233,9 +3068,7 @@ SecRule REQUEST_HEADERS:Transfer-Encoding "!^$"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">WEBSERVER_ERROR_LOG</literal></title>
-        <literal moreinfo="none">WEBSERVER_ERROR_LOG</literal>
-      </title>
 
       <para>Contains zero or more error messages produced by the web server.
       Access to this variable is in phase:5 (logging). Example:</para>
@@ -3244,9 +3077,7 @@ SecRule REQUEST_HEADERS:Transfer-Encoding "!^$"</programlisting>
     </section>
 
     <section>
-      <title>
+      <title><literal moreinfo="none">XML</literal></title>
-        <literal moreinfo="none">XML</literal>
-      </title>
 
       <para>Can be used standalone (as a target for validateDTD and
       validateSchema) or with an XPath expression parameter (which makes it a
@@ -3317,17 +3148,14 @@ SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis>
 
       <orderedlist>
         <listitem>
-          <para>
+          <para><ulink url="http://www.w3.org/TR/xpath">XPath
-            <ulink url="http://www.w3.org/TR/xpath">XPath Standard</ulink>
+          Standard</ulink></para>
-          </para>
         </listitem>
 
         <listitem>
-          <para>
+          <para><ulink
-            <ulink
+          url="http://www.zvon.org/xxl/XPathTutorial/General/examples.html">XPath
-            url="http://www.zvon.org/xxl/XPathTutorial/General/examples.html">XPath
+          Tutorial</ulink></para>
-            Tutorial</ulink>
-          </para>
         </listitem>
       </orderedlist>
     </section>
@@ -5264,4 +5092,4 @@ SecRule REQUEST_METHOD "!<emphasis role="bold">@within %{tx.allowed_methods}</em
       </section>
     </section>
   </section>
-</article>
+</article>