Merge branch 'owasp-modsecurity:v3/master' into v3/release2408

2025-08-14 05:45:59 +03:00 · 2024-08-28 16:37:12 +02:00 · 2024-08-28 16:37:12 +02:00 · 865b75b8fa
commit 865b75b8fa
parent 542a5ea35c f180e647a1
217 changed files with 4319 additions and 4906 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -66,7 +66,7 @@ jobs:
        env:
          CC: ${{ matrix.compiler.cc }}
          CXX: ${{ matrix.compiler.cxx }}
-        run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }}
+        run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }} --enable-assertions=yes
      - uses: ammaraskar/gcc-problem-matcher@master
      - name: make
        run: make -j `nproc`
@ -78,7 +78,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
-        os: [macos-12]
+        os: [macos-14]
        configure:
          - {label: "with parser generation", opt: "--enable-parser-generation" }
          - {label: "wo curl",    opt: "--without-curl" }
@ -91,10 +91,12 @@ jobs:
          - {label: "with pcre2", opt: "--with-pcre2" }
    steps:
      - name: Setup Dependencies
-        # autoconf, curl, pcre2 not installed because they're already
+        # curl, pcre2 not installed because they're already
        # included in the image
        run: |
-          brew install automake \
+          brew install autoconf \
                       automake \
                       libtool \
                       yajl \
                       lmdb \
                       lua \
@ -112,7 +114,7 @@ jobs:
      - name: build.sh
        run: ./build.sh
      - name: configure
-        run: ./configure ${{ matrix.configure.opt }}
+        run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes
      - uses: ammaraskar/gcc-problem-matcher@master
      - name: make
        run: make -j `sysctl -n hw.logicalcpu`
@ -130,11 +132,11 @@ jobs:
        configuration: [Release]
        configure:
          - {label: "full",       opt: "" }
-          - {label: "wo curl",    opt: "-DWITHOUT_CURL=ON" }
+          - {label: "wo curl",    opt: "-DWITH_CURL=OFF" }
-          - {label: "wo lmdb",    opt: "-DWITHOUT_LMDB=ON" }
+          - {label: "wo lua",     opt: "-DWITH_LUA=OFF" }
-          - {label: "wo lua",     opt: "-DWITHOUT_LUA=ON" }
+          - {label: "wo maxmind", opt: "-DWITH_MAXMIND=OFF" }
-          - {label: "wo maxmind", opt: "-DWITHOUT_MAXMIND=ON" }
+          - {label: "wo libxml",  opt: "-DWITH_LIBXML2=OFF" }
-          - {label: "wo libxml",  opt: "-WITHOUT_LIBXML2=ON" }
+          - {label: "with lmdb",  opt: "-DWITH_LMDB=ON" }
    steps:
      - uses: actions/checkout@v4
        with:
--- a/.gitignore
+++ b/.gitignore
@ -50,6 +50,7 @@ ltmain.sh
 examples/simple_example_using_c/test
 /tools/rules-check/modsec-rules-check
 examples/multiprocess_c/multi
 examples/multithread/multithread
 examples/reading_logs_via_rule_message/simple_request
 examples/reading_logs_with_offset/read
 examples/using_bodies_in_chunks/simple_request
--- a/README.md
+++ b/README.md
@ -236,10 +236,16 @@ CFLAGS to disable the compilation optimization parameters:
 ```shell
 $ export CFLAGS="-g -O0"
 $ ./build.sh
-$ ./configure
+$ ./configure --enable-assertions=yes
 $ make
 $ sudo make install
 ```
 "Assertions allow us to document assumptions and to spot violations early in the
 development process. What is more, assertions allow us to spot violations with a
 minimum of effort." https://dl.acm.org/doi/pdf/10.1145/240964.240969
 It is recommended to use assertions where applicable, and to enable them with
 '--enable-assertions=yes' during the testing and debugging workflow.
 ### Benchmarking
--- a/build/ax_cxx_compile_stdcxx.m4
+++ b/build/ax_cxx_compile_stdcxx.m4
--- a/build/ax_cxx_compile_stdcxx_11.m4
+++ b/build/ax_cxx_compile_stdcxx_11.m4
@ -1,171 +0,0 @@
 # ============================================================================
 #  http://www.gnu.org/software/autoconf-archive/ax_cxx_compile_stdcxx_11.html
 # ============================================================================
 #
 # SYNOPSIS
 #
 #   AX_CXX_COMPILE_STDCXX_11([ext|noext],[mandatory|optional])
 #
 # DESCRIPTION
 #
 #   Check for baseline language coverage in the compiler for the C++11
 #   standard; if necessary, add switches to CXXFLAGS to enable support.
 #
 #   The first argument, if specified, indicates whether you insist on an
 #   extended mode (e.g. -std=gnu++11) or a strict conformance mode (e.g.
 #   -std=c++11).  If neither is specified, you get whatever works, with
 #   preference for an extended mode.
 #
 #   The second argument, if specified 'mandatory' or if left unspecified,
 #   indicates that baseline C++11 support is required and that the macro
 #   should error out if no mode with that support is found.  If specified
 #   'optional', then configuration proceeds regardless, after defining
 #   HAVE_CXX11 if and only if a supporting mode is found.
 #
 # LICENSE
 #
 #   Copyright (c) 2008 Benjamin Kosnik <bkoz@redhat.com>
 #   Copyright (c) 2012 Zack Weinberg <zackw@panix.com>
 #   Copyright (c) 2013 Roy Stogner <roystgnr@ices.utexas.edu>
 #   Copyright (c) 2014, 2015 Google Inc.; contributed by Alexey Sokolov <sokolov@google.com>
 #   Copyright (c) 2015 Paul Norman <penorman@mac.com>
 #
 #   Copying and distribution of this file, with or without modification, are
 #   permitted in any medium without royalty provided the copyright notice
 #   and this notice are preserved. This file is offered as-is, without any
 #   warranty.
 #serial 12
 m4_define([_AX_CXX_COMPILE_STDCXX_11_testbody], [[
  template <typename T>
    struct check
    {
      static_assert(sizeof(int) <= sizeof(T), "not big enough");
    };
    struct Base {
    virtual void f() {}
    };
    struct Child : public Base {
    virtual void f() override {}
    };
    typedef check<check<bool>> right_angle_brackets;
    int a;
    decltype(a) b;
    typedef check<int> check_type;
    check_type c;
    check_type&& cr = static_cast<check_type&&>(c);
    auto d = a;
    auto l = [](){};
    // Prevent Clang error: unused variable 'l' [-Werror,-Wunused-variable]
    struct use_l { use_l() { l(); } };
    // http://stackoverflow.com/questions/13728184/template-aliases-and-sfinae
    // Clang 3.1 fails with headers of libstd++ 4.8.3 when using std::function because of this
    namespace test_template_alias_sfinae {
        struct foo {};
        template<typename T>
        using member = typename T::member_type;
        template<typename T>
        void func(...) {}
        template<typename T>
        void func(member<T>*) {}
        void test();
        void test() {
            func<foo>(0);
        }
    }
    // Check for C++11 attribute support
    void noret [[noreturn]] () { throw 0; }
 ]])
 AC_DEFUN([AX_CXX_COMPILE_STDCXX_11], [dnl
  m4_if([$1], [], [],
        [$1], [ext], [],
        [$1], [noext], [],
        [m4_fatal([invalid argument `$1' to AX_CXX_COMPILE_STDCXX_11])])dnl
  m4_if([$2], [], [ax_cxx_compile_cxx11_required=true],
        [$2], [mandatory], [ax_cxx_compile_cxx11_required=true],
        [$2], [optional], [ax_cxx_compile_cxx11_required=false],
        [m4_fatal([invalid second argument `$2' to AX_CXX_COMPILE_STDCXX_11])])
  AC_LANG_PUSH([C++])dnl
  ac_success=no
  AC_CACHE_CHECK(whether $CXX supports C++11 features by default,
  ax_cv_cxx_compile_cxx11,
  [AC_COMPILE_IFELSE([AC_LANG_SOURCE([_AX_CXX_COMPILE_STDCXX_11_testbody])],
    [ax_cv_cxx_compile_cxx11=yes],
    [ax_cv_cxx_compile_cxx11=no])])
  if test x$ax_cv_cxx_compile_cxx11 = xyes; then
    ac_success=yes
  fi
  m4_if([$1], [noext], [], [dnl
  if test x$ac_success = xno; then
    for switch in -std=gnu++11 -std=gnu++0x; do
      cachevar=AS_TR_SH([ax_cv_cxx_compile_cxx11_$switch])
      AC_CACHE_CHECK(whether $CXX supports C++11 features with $switch,
                     $cachevar,
        [ac_save_CXXFLAGS="$CXXFLAGS"
         CXXFLAGS="$CXXFLAGS $switch"
         AC_COMPILE_IFELSE([AC_LANG_SOURCE([_AX_CXX_COMPILE_STDCXX_11_testbody])],
          [eval $cachevar=yes],
          [eval $cachevar=no])
         CXXFLAGS="$ac_save_CXXFLAGS"])
      if eval test x\$$cachevar = xyes; then
        CXXFLAGS="$CXXFLAGS $switch"
        ac_success=yes
        break
      fi
    done
  fi])
  m4_if([$1], [ext], [], [dnl
  if test x$ac_success = xno; then
    dnl HP's aCC needs +std=c++11 according to:
    dnl http://h21007.www2.hp.com/portal/download/files/unprot/aCxx/PDF_Release_Notes/769149-001.pdf
    for switch in -std=c++11 -std=c++0x +std=c++11; do
      cachevar=AS_TR_SH([ax_cv_cxx_compile_cxx11_$switch])
      AC_CACHE_CHECK(whether $CXX supports C++11 features with $switch,
                     $cachevar,
        [ac_save_CXXFLAGS="$CXXFLAGS"
         CXXFLAGS="$CXXFLAGS $switch"
         AC_COMPILE_IFELSE([AC_LANG_SOURCE([_AX_CXX_COMPILE_STDCXX_11_testbody])],
          [eval $cachevar=yes],
          [eval $cachevar=no])
         CXXFLAGS="$ac_save_CXXFLAGS"])
      if eval test x\$$cachevar = xyes; then
        CXXFLAGS="$CXXFLAGS $switch"
        ac_success=yes
        break
      fi
    done
  fi])
  AC_LANG_POP([C++])
  if test x$ax_cxx_compile_cxx11_required = xtrue; then
    if test x$ac_success = xno; then
      AC_MSG_ERROR([*** A compiler with support for C++11 language features is required.])
    fi
  else
    if test x$ac_success = xno; then
      HAVE_CXX11=0
      AC_MSG_NOTICE([No compiler with C++11 support was found])
    else
      HAVE_CXX11=1
      AC_DEFINE(HAVE_CXX11,1,
                [define if the compiler supports basic C++11 syntax])
    fi
    AC_SUBST(HAVE_CXX11)
  fi
 ])
--- a/build/pcre.m4
+++ b/build/pcre.m4
@ -27,30 +27,41 @@ else
    AC_MSG_CHECKING([for libpcre config script])
-    for x in ${test_paths}; do
+    AC_CHECK_PROG([PCRE_CONFIG_IN_ENV], [pcre-config], [yes], [no])
        dnl # Determine if the script was specified and use it directly
        if test ! -d "$x" -a -e "$x"; then
            PCRE_CONFIG=$x
            pcre_path="no"
            break
        fi
-        dnl # Try known config script names/locations
+    if test "$PCRE_CONFIG_IN_ENV" = "yes"; then
-        for PCRE_CONFIG in pcre-config; do
+        AC_MSG_NOTICE([pcre-config found in envinronment])
-            if test -e "${x}/bin/${PCRE_CONFIG}"; then
+
-                pcre_path="${x}/bin"
+        PCRE_CONFIG=pcre-config
        pcre_path="no"
    else
        AC_MSG_NOTICE([pcre-config not found in environment. checking known paths])
        for x in ${test_paths}; do
            dnl # Determine if the script was specified and use it directly
            if test ! -d "$x" -a -e "$x"; then
                PCRE_CONFIG=$x
                pcre_path="no"
                break
-            elif test -e "${x}/${PCRE_CONFIG}"; then
+            fi
-                pcre_path="${x}"
+
            dnl # Try known config script names/locations
            for PCRE_CONFIG in pcre-config; do
                if test -e "${x}/bin/${PCRE_CONFIG}"; then
                    pcre_path="${x}/bin"
                    break
                elif test -e "${x}/${PCRE_CONFIG}"; then
                    pcre_path="${x}"
                    break
                else
                    pcre_path=""
                fi
            done
            if test -n "$pcre_path"; then
                break
            else
                pcre_path=""
            fi
        done
-        if test -n "$pcre_path"; then
+    fi
            break
        fi
    done
    if test -n "${pcre_path}"; then
        if test "${pcre_path}" != "no"; then
--- a/build/win32/CMakeLists.txt
+++ b/build/win32/CMakeLists.txt
@ -2,13 +2,13 @@ cmake_minimum_required(VERSION 3.24)
 set(BASE_DIR ${CMAKE_CURRENT_LIST_DIR}/../..)
-option(WITHOUT_LMDB    "Include LMDB support"    OFF)
+option(WITH_LMDB    "Include LMDB support"    OFF)
-option(WITHOUT_LUA     "Include LUA support"     OFF)
+option(WITH_LUA     "Include LUA support"     ON)
-option(WITHOUT_LIBXML2 "Include LibXML2 support" OFF)
+option(WITH_LIBXML2 "Include LibXML2 support" ON)
-option(WITHOUT_MAXMIND "Include MaxMind support" OFF)
+option(WITH_MAXMIND "Include MaxMind support" ON)
-option(WITHOUT_CURL    "Include CURL support"    OFF)
+option(WITH_CURL    "Include CURL support"    ON)
-option(USE_ASAN        "Build with Address Sanitizer" OFF)
+option(USE_ASAN     "Build with Address Sanitizer" OFF)
 # common compiler settings
@ -93,24 +93,23 @@ set(HAVE_SSDEEP   0)    # should always be zero, no conan package available
 macro(enable_feature flag option)
  if(${option})
-    set(${flag} 0)
+    set(${flag} 1)  # ON
  else()
-    set(${flag} 1)
+    set(${flag} 0)  # OFF
  endif()
 endmacro()
-enable_feature(HAVE_LMDB ${WITHOUT_LMDB})
+enable_feature(HAVE_LMDB ${WITH_LMDB})
-enable_feature(HAVE_LUA ${WITHOUT_LUA})
+enable_feature(HAVE_LUA ${WITH_LUA})
-enable_feature(HAVE_LIBXML2 ${WITHOUT_LIBXML2})
+enable_feature(HAVE_LIBXML2 ${WITH_LIBXML2})
-enable_feature(HAVE_MAXMIND ${WITHOUT_MAXMIND})
+enable_feature(HAVE_MAXMIND ${WITH_MAXMIND})
-enable_feature(HAVE_CURL ${WITHOUT_CURL})
+enable_feature(HAVE_CURL ${WITH_CURL})
 include(${CMAKE_CURRENT_LIST_DIR}/ConfigureChecks.cmake)
 configure_file(config.h.cmake ${BASE_DIR}/src/config.h)
 find_package(PCRE2 REQUIRED)
 find_package(PThreads4W REQUIRED)
 find_package(Poco REQUIRED)
 find_package(dirent REQUIRED)		# used only by tests (check dirent::dirent refernces)
@ -139,7 +138,7 @@ add_library(libModSecurity SHARED ${libModSecuritySources})
 target_compile_definitions(libModSecurity PRIVATE WITH_PCRE2)
 target_include_directories(libModSecurity PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others ${MBEDTLS_DIR}/include)
-target_link_libraries(libModSecurity PRIVATE pcre2::pcre2 pthreads4w::pthreads4w libinjection mbedcrypto Poco::Poco Iphlpapi.lib)
+target_link_libraries(libModSecurity PRIVATE pcre2::pcre2 libinjection mbedcrypto Poco::Poco Iphlpapi.lib)
 macro(add_package_dependency project compile_definition link_library flag)
  if(${flag})
@ -255,12 +254,15 @@ setExampleTargetProperties(using_bodies_in_chunks)
 # reading_logs_via_rule_message
 add_executable(reading_logs_via_rule_message ${BASE_DIR}/examples/reading_logs_via_rule_message/simple_request.cc)
 setExampleTargetProperties(reading_logs_via_rule_message)
 target_link_libraries(reading_logs_via_rule_message PRIVATE libModSecurity pthreads4w::pthreads4w)
 # reading_logs_with_offset
 add_executable(reading_logs_with_offset ${BASE_DIR}/examples/reading_logs_with_offset/read.cc)
 setExampleTargetProperties(reading_logs_with_offset)
 # multithread
 add_executable(multithread ${BASE_DIR}/examples/multithread/multithread.cc)
 setExampleTargetProperties(multithread)
 # tools
 #
--- a/build/win32/README.md
+++ b/build/win32/README.md
@ -51,6 +51,7 @@ Built files will be located in the directory: `build\win32\build\[build_configur
    * `using_bodies_in_chunks.exe`
    * `reading_logs_via_rule_message.exe`
    * `reading_logs_with_offset.exe`
    * `multithread.exe`
 * Executable files for tools
    * `rules_check.exe`
--- a/build/win32/conanfile.txt
+++ b/build/win32/conanfile.txt
@ -1,7 +1,6 @@
 [requires]
 yajl/2.1.0
 pcre2/10.42
 pthreads4w/3.0.0
 libxml2/2.12.6
 lua/5.4.6
 libcurl/8.6.0
--- a/build/yajl.m4
+++ b/build/yajl.m4
@ -78,6 +78,29 @@ else
 #    fi
 fi
 # FIX: if the include directory in CFLAGS ends with "include/yajl",
 # remove the suffix "/yajl". the library header files are included
 # using the prefix (for example, #include <yajl/yajl_tree.h>), and
 # this is even the case for the library itself (for example,
 # yajl_tree.h includes yajl/yajl_common.h).
 new_cflags=""
 for flag in $YAJL_CFLAGS; do
    case "$flag" in
        -I*/include/yajl)
            new_flag="${flag%/yajl}"
            new_cflags="$new_cflags $new_flag"
            ;;
        *)
            new_cflags="$new_cflags $flag"
            ;;
    esac
 done
 YAJL_CFLAGS="$new_cflags"
 if test -z "${YAJL_LDADD}"; then
    if test -z "${YAJL_MANDATORY}"; then
        if test -z "${YAJL_DISABLED}"; then
--- a/configure.ac
+++ b/configure.ac
@ -52,8 +52,8 @@ AC_PROG_MAKE_SET
 PKG_PROG_PKG_CONFIG
-# Check if the compiler is c++17 compatible.
+# Set C++ standard version and check if compiler supports it.
-# AX_CXX_COMPILE_STDCXX_17(,mandatory)
+AX_CXX_COMPILE_STDCXX(17, noext, mandatory)
 # Check for libinjection
 if ! test -f "${srcdir}/others/libinjection/src/libinjection_html5.c"; then
@ -164,8 +164,8 @@ AC_CHECK_HEADERS([iostream])
 AC_CHECK_HEADERS([sys/utsname.h])
-# ??
+# Initialize libtool
-LT_INIT([dlopen])
+LT_INIT
 # Identify platform
 AC_CANONICAL_HOST
@ -248,6 +248,17 @@ AC_SUBST([MSC_VERSION])
 MSC_GIT_VERSION=msc_version_git
 AC_SUBST([MSC_GIT_VERSION])
 AC_ARG_ENABLE(assertions,
    [AS_HELP_STRING([--enable-assertions],[Turn on assertions feature: undefine NDEBUG])],
    [case "${enableval}" in
        yes) assertions=true ;;
        no)  assertions=false ;;
        *) AC_MSG_ERROR(bad value ${enableval} for --enable-assertions) ;;
        esac],
        [assertions=false]
        )
 AC_ARG_ENABLE(debug-logs,
    [AS_HELP_STRING([--disable-debug-logs],[Turn off the SecDebugLog feature])],
@ -305,23 +316,6 @@ AC_ARG_ENABLE(parser-generation,
    [buildParser=false]
    )
 # Mutex
 AC_ARG_ENABLE(mutex-on-pm,
    [AS_HELP_STRING([--enable-mutex-on-pm],[Treats pm operations as a critical section])],
    [case "${enableval}" in
        yes) mutexPm=true ;;
        no)  mutexPm=false ;;
        *) AC_MSG_ERROR(bad value ${enableval} for --enable-mutex-on-pm) ;;
    esac],
    [mutexPm=false]
    )
 if test "$mutexPm" == "true"; then
    MODSEC_MUTEX_ON_PM="-DMUTEX_ON_PM=1"
    AC_SUBST(MODSEC_MUTEX_ON_PM)
 fi
 if test $buildParser = true; then
    AC_PROG_YACC
@ -377,6 +371,14 @@ if test "$aflFuzzer" == "true"; then
    GLOBAL_CPPFLAGS="$GLOBAL_CPPFLAGS $FUZZ_CPPCFLAGS"
    $buildExamples = false
 fi
 case $assertions in
    false) ASSERTIONS_CPPCFLAGS="-DNDEBUG" ;;
    true) ASSERTIONS_CPPCFLAGS="-UNDEBUG" ;;
    *) AC_MSG_ERROR(bad value ${assertions} for assertions) ;;
 esac
 GLOBAL_CPPFLAGS="$GLOBAL_CPPFLAGS $ASSERTIONS_CPPCFLAGS"
 AC_SUBST(GLOBAL_LDADD)
 AC_SUBST(GLOBAL_CPPFLAGS)
@ -404,6 +406,7 @@ AM_COND_IF([EXAMPLES],
            examples/Makefile \
            examples/simple_example_using_c/Makefile \
            examples/multiprocess_c/Makefile \
            examples/multithread/Makefile \
            examples/reading_logs_with_offset/Makefile \
            examples/reading_logs_via_rule_message/Makefile \
            examples/using_bodies_in_chunks/Makefile \
@ -613,6 +616,11 @@ if test $buildTestUtilities = true; then
 else
    echo "   + Test Utilities                                ....disabled"
 fi
 if test $assertions = true; then
    echo "   + Assertions                                    ....enabled"
 else
    echo "   + Assertions                                    ....disabled"
 fi
 if test $debugLogs = true; then
    echo "   + SecDebugLog                                   ....enabled"
 else
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@ -4,6 +4,7 @@ ACLOCAL_AMFLAGS = -I build
 SUBDIRS = \
 	multiprocess_c \
 	multithread \
 	reading_logs_with_offset \
 	reading_logs_via_rule_message \
 	simple_example_using_c \
--- a/examples/multiprocess_c/Makefile.am
+++ b/examples/multiprocess_c/Makefile.am
@ -15,7 +15,6 @@ multi_LDFLAGS = \
 	-L$(top_builddir)/src/.libs/ \
 	$(GEOIP_LDFLAGS) \
 	-lmodsecurity \
 	-lpthread \
 	-lm \
 	-lstdc++ \
 	$(LUA_LDFLAGS) \
--- a/examples/multithread/Makefile.am
+++ b/examples/multithread/Makefile.am
@ -0,0 +1,55 @@
 noinst_PROGRAMS = multithread
 multithread_SOURCES = \
 	multithread.cc
 multithread_LDADD = \
 	$(CURL_LDADD) \
 	$(GEOIP_LDADD) \
 	$(GLOBAL_LDADD) \
 	$(LIBXML2_LDADD) \
 	$(LMDB_LDADD) \
 	$(MAXMIND_LDADD) \
 	$(LUA_LDADD) \
 	$(PCRE_LDADD) \
 	$(SSDEEP_LDADD) \
 	$(YAJL_LDADD)
 multithread_LDFLAGS = \
 	-L$(top_builddir)/src/.libs/ \
 	$(GEOIP_LDFLAGS) \
 	-lmodsecurity \
 	-lpthread \
 	-lm \
 	-lstdc++ \
 	$(LMDB_LDFLAGS) \
 	$(LUA_LDFLAGS) \
 	$(MAXMIND_LDFLAGS) \
 	$(SSDEEP_LDFLAGS) \
 	$(YAJL_LDFLAGS)
 multithread_CPPFLAGS = \
 	$(GLOBAL_CFLAGS) \
 	-I$(top_builddir)/headers \
 	-I$(top_builddir) \
 	-g \
 	-I../others \
 	-fPIC \
 	-O3 \
 	$(CURL_CFLAGS) \
 	$(GEOIP_CFLAGS) \
 	$(GLOBAL_CPPFLAGS) \
 	$(MODSEC_NO_LOGS) \
 	$(YAJL_CFLAGS) \
 	$(LMDB_CFLAGS) \
 	$(LUA_CFLAGS) \
 	$(PCRE_CFLAGS) \
 	$(LIBXML2_CFLAGS)
 MAINTAINERCLEANFILES = \
 	Makefile.in
--- a/examples/multithread/basic_rules.conf
+++ b/examples/multithread/basic_rules.conf
@ -0,0 +1,14 @@
 SecDebugLog debug.log
 SecDebugLogLevel 9
 SecRule REQUEST_HEADERS:User-Agent ".*" "id:1,phase:1,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{MATCHED_VAR}"
 SecAction "id:2,phase:2,initcol:ip=%{REMOTE_ADDR}_%{tx.ua_hash}"
 SecRule REQUEST_HEADERS:User-Agent "@rx .*" "id:3,phase:2,setvar:ip.auth_attempt=+1"
 SecRule ARGS:foo "@rx herewego" "id:4,phase:2,setvar:ip.foo=bar,expirevar:ip.foo=2"
 #SecRule ARGS:foo "@rx herewego" "id:4,phase:2,setvar:ip.foo=bar"
 SecRule IP "@rx bar" "id:5,phase:2,pass"
 SecRule IP:auth_attempt "@rx bar" "id:6,phase:2,pass"
--- a/examples/multithread/multithread.cc
+++ b/examples/multithread/multithread.cc
@ -0,0 +1,68 @@
 #include <iostream>
 #include <thread>
 #include <array>
 #include <modsecurity/modsecurity.h>
 #include <modsecurity/transaction.h>
 #include <modsecurity/rules_set.h>
 static void process_request(modsecurity::ModSecurity *modsec, modsecurity::RulesSet *rules, int tid) {
    std::cout << "Hello World! It's me, thread #" << tid << std::endl;
    for(int i = 0; i != 1'000; i++) {
        auto modsecTransaction = std::make_unique<modsecurity::Transaction>(modsec, rules, nullptr);
        modsecTransaction->processConnection("127.0.0.1", 12345, "127.0.0.1", 80);
        modsecTransaction->processURI(
            "https://www.modsecurity.org/test?foo=herewego",
            "GET", "1.1");
        modsecTransaction->addRequestHeader("User-Agent",
            "Basic ModSecurity example");
        modsecTransaction->processRequestHeaders();
        modsecTransaction->processRequestBody();
        modsecTransaction->addResponseHeader("HTTP/1.1",
            "200 OK");
        modsecTransaction->processResponseHeaders(200, "HTTP 1.2");
        modsecTransaction->processResponseBody();
        modsecTransaction->processLogging();
        std::this_thread::sleep_for(std::chrono::microseconds(100));
    }
    std::cout << "Thread #" << tid << " exits" << std::endl;
 }
 int main (int argc, char *argv[]) {
    auto modsec = std::make_unique<modsecurity::ModSecurity>();
    modsec->setConnectorInformation("ModSecurity-test v0.0.1-alpha (Simple " \
        "example on how to use ModSecurity API");
    char main_rule_uri[] = "basic_rules.conf";
    auto rules = std::make_unique<modsecurity::RulesSet>();
    if (rules->loadFromUri(main_rule_uri) < 0) {
        std::cerr << "Problems loading the rules..." << std::endl;
        std::cerr << rules->m_parserError.str() << std::endl;
        return -1;
    }
    constexpr auto NUM_THREADS = 100;
    std::array<std::thread, NUM_THREADS> threads;
    for (auto i = 0; i != threads.size(); ++i) {
        threads[i] = std::thread(
            [&modsec, &rules, i]() {
                process_request(modsec.get(), rules.get(), i);
            });
    }
    std::this_thread::sleep_for(std::chrono::microseconds(10000));
    for (auto i = 0; i != threads.size(); ++i) {
        threads[i].join();
    }
    return 0;
 }
--- a/examples/reading_logs_via_rule_message/Makefile.am
+++ b/examples/reading_logs_via_rule_message/Makefile.am
@ -32,7 +32,6 @@ simple_request_LDFLAGS = \
 simple_request_CPPFLAGS = \
 	$(GLOBAL_CFLAGS) \
 	-std=c++17 \
 	-I$(top_builddir)/headers \
 	-I$(top_builddir) \
 	-g \
--- a/examples/reading_logs_via_rule_message/reading_logs_via_rule_message.h
+++ b/examples/reading_logs_via_rule_message/reading_logs_via_rule_message.h
@ -13,14 +13,19 @@
 *
 */
 #ifndef EXAMPLES_READING_LOGS_VIA_RULE_MESSAGE_READING_LOGS_VIA_RULE_MESSAGE_H_
 #define EXAMPLES_READING_LOGS_VIA_RULE_MESSAGE_READING_LOGS_VIA_RULE_MESSAGE_H_
 #include <string>
 #include <memory>
 #include <thread>
 #include <array>
 #include <chrono>
-#include <pthread.h>
+
 #include "modsecurity/rule_message.h"
-#define NUM_THREADS 100
+constexpr auto NUM_THREADS = 100;
 char request_header[] =  "" \
@ -62,40 +67,21 @@ char response_body[] = "" \
 char ip[] = "200.249.12.31";
 #include "modsecurity/rule_message.h"
-#ifndef EXAMPLES_READING_LOGS_VIA_RULE_MESSAGE_READING_LOGS_VIA_RULE_MESSAGE_H_
+static void process_request(modsecurity::ModSecurity *modsec, modsecurity::RulesSet *rules) {
-#define EXAMPLES_READING_LOGS_VIA_RULE_MESSAGE_READING_LOGS_VIA_RULE_MESSAGE_H_
+    for (auto z = 0; z < 10000; z++) {
        auto modsecTransaction = std::make_unique<modsecurity::Transaction>(modsec, rules, nullptr);
 struct data_ms {
    modsecurity::ModSecurity *modsec;
    modsecurity::RulesSet *rules;
 };
 #if defined _MSC_VER
 #pragma warning(push)
 #pragma warning(disable:4716)   // avoid error C4716: 'process_request': must return a value, as MSVC C++ compiler doesn't support [[noreturn]]
 #pragma warning(disable:4715)   // avoid warning c4715: 'process_request' : not all control paths return a value
 #endif
 [[noreturn]] static void *process_request(void *data) {
    struct data_ms *a = (struct data_ms *)data;
    modsecurity::ModSecurity *modsec = a->modsec;
    modsecurity::RulesSet *rules = a->rules;
    int z = 0;
    for (z = 0; z < 10000; z++) {
        modsecurity::Transaction *modsecTransaction = \
            new modsecurity::Transaction(modsec, rules, NULL);
        modsecTransaction->processConnection(ip, 12345, "127.0.0.1", 80);
        modsecTransaction->processURI(request_uri, "GET", "1.1");
        std::this_thread::sleep_for(std::chrono::microseconds(10));
        modsecTransaction->addRequestHeader("Host",
            "net.tutsplus.com");
        modsecTransaction->processRequestHeaders();
        modsecTransaction->processRequestBody();
        modsecTransaction->addResponseHeader("HTTP/1.1",
            "200 OK");
        modsecTransaction->processResponseHeaders(200, "HTTP 1.2");
@ -103,18 +89,11 @@ struct data_ms {
            (const unsigned char*)response_body,
            strlen((const char*)response_body));
        modsecTransaction->processResponseBody();
        modsecTransaction->processLogging();
        delete modsecTransaction;
    }
    pthread_exit(nullptr);
 }
 #if defined _MSC_VER
 #pragma warning(pop)
 #endif
 class ReadingLogsViaRuleMessage {
 public:
    ReadingLogsViaRuleMessage(char *request_header,
@ -134,11 +113,6 @@ class ReadingLogsViaRuleMessage {
        { }
    int process() const {
        pthread_t threads[NUM_THREADS];
        int i;
        struct data_ms dms;
        void *status;
        auto modsec = std::make_unique<modsecurity::ModSecurity>();
        modsec->setConnectorInformation("ModSecurity-test v0.0.1-alpha" \
            " (ModSecurity test)");
@ -152,18 +126,19 @@ class ReadingLogsViaRuleMessage {
            return -1;
        }
-        dms.modsec = modsec.get();
+        std::array<std::thread, NUM_THREADS> threads;
        dms.rules = rules.get();
-        for (i = 0; i < NUM_THREADS; i++) {
+        for (auto i = 0; i != threads.size(); ++i) {
-            pthread_create(&threads[i], NULL, process_request,
+            threads[i] = std::thread(
-		reinterpret_cast<void *>(&dms));
+                [&modsec, &rules]() {
                    process_request(modsec.get(), rules.get());
                });
        }
        std::this_thread::sleep_for(std::chrono::microseconds(10000));
-        for (i=0; i < NUM_THREADS; i++) {
+        for (auto i = 0; i != threads.size(); ++i) {
-            pthread_join(threads[i], &status);
+            threads[i].join();
            std::cout << "Main: completed thread id :" << i << std::endl;
        }
--- a/examples/reading_logs_with_offset/Makefile.am
+++ b/examples/reading_logs_with_offset/Makefile.am
@ -21,7 +21,6 @@ read_LDFLAGS = \
 	-L$(top_builddir)/src/.libs/ \
 	$(GEOIP_LDFLAGS) \
 	-lmodsecurity \
 	-lpthread \
 	-lm \
 	-lstdc++ \
 	$(LMDB_LDFLAGS) \
@ -32,7 +31,6 @@ read_LDFLAGS = \
 read_CPPFLAGS = \
 	$(GLOBAL_CFLAGS) \
 	-std=c++17 \
 	-I$(top_builddir)/headers \
 	-I$(top_builddir) \
 	-g \
--- a/examples/simple_example_using_c/test.c
+++ b/examples/simple_example_using_c/test.c
@ -68,6 +68,8 @@ int main (int argc, char **argv)
    msc_process_response_body(transaction);
    msc_process_logging(transaction);
 end:
    if(error != NULL)
        msc_rules_error_cleanup(error);
    msc_rules_cleanup(rules);
    msc_cleanup(modsec);
--- a/examples/using_bodies_in_chunks/Makefile.am
+++ b/examples/using_bodies_in_chunks/Makefile.am
@ -21,19 +21,16 @@ simple_request_LDFLAGS = \
 	-L$(top_builddir)/src/.libs/ \
 	$(GEOIP_LDFLAGS) \
 	-lmodsecurity \
 	-lpthread \
 	-lm \
 	-lstdc++ \
 	$(MAXMIND_LDFLAGS) \
 	$(LMDB_LDFLAGS) \
 	-lpthread \
 	$(LUA_LDFLAGS) \
 	$(SSDEEP_LDFLAGS) \
 	$(YAJL_LDFLAGS)
 simple_request_CPPFLAGS = \
 	$(GLOBAL_CFLAGS) \
 	-std=c++17 \
 	-I$(top_builddir)/headers \
 	-I$(top_builddir) \
 	-g \
--- a/headers/modsecurity/actions/action.h
+++ b/headers/modsecurity/actions/action.h
@ -13,41 +13,66 @@
 *
 */
 #ifdef __cplusplus
 #include <string>
 #include <iostream>
 #include <memory>
 #endif
 #include "modsecurity/intervention.h"
 #include "modsecurity/rule.h"
 #include "modsecurity/rule_with_actions.h"
 #ifndef HEADERS_MODSECURITY_ACTIONS_ACTION_H_
 #define HEADERS_MODSECURITY_ACTIONS_ACTION_H_
 #ifdef __cplusplus
 #include <string>
 #include <memory>
 namespace modsecurity {
 class Transaction;
 class RuleWithOperator;
 class RuleWithActions;
 class RuleMessage;
 namespace actions {
 class Action {
 public:
    /**
     *
     * Define the action kind regarding to the execution time.
     * 
     * 
     */
    enum class Kind {
    /**
     *
     * Action that are executed while loading the configuration. For instance
     * the rule ID or the rule phase.
     *
     */
     ConfigurationKind,
    /**
     *
     * Those are actions that demands to be executed before call the operator.
     * For instance the tranformations.
     *
     *
     */
     RunTimeBeforeMatchAttemptKind,
    /**
     *
     * Actions that are executed after the execution of the operator, only if
     * the operator returned Match (or True). For instance the disruptive
     * actions.
     *
     */
     RunTimeOnlyIfMatchKind,
    };
    explicit Action(const std::string& _action)
        : m_isNone(false),
        temporaryAction(false),
-        action_kind(2),
+        action_kind(Kind::RunTimeOnlyIfMatchKind),
        m_name(nullptr),
        m_parser_payload("") {
            set_name_and_payload(_action);
        }
-    explicit Action(const std::string& _action, int kind)
+    explicit Action(const std::string& _action, Kind kind)
        : m_isNone(false),
        temporaryAction(false),
        action_kind(kind),
@ -74,8 +99,6 @@ class Action {
    virtual ~Action() { }
    virtual std::string evaluate(const std::string &exp,
        Transaction *transaction);
    virtual bool evaluate(RuleWithActions *rule, Transaction *transaction);
    virtual bool evaluate(RuleWithActions *rule, Transaction *transaction,
        std::shared_ptr<RuleMessage> ruleMessage) {
@ -87,9 +110,9 @@ class Action {
    void set_name_and_payload(const std::string& data) {
        size_t pos = data.find(":");
-        std::string t = "t:";
+        const char t[] = "t:";
-        if (data.compare(0, t.length(), t) == 0) {
+        if (data.compare(0, std::size(t) - 1, t) == 0) {
            pos = data.find(":", 2);
        }
@ -109,41 +132,9 @@ class Action {
    bool m_isNone;
    bool temporaryAction;
-    int action_kind;
+    Kind action_kind;
    std::shared_ptr<std::string> m_name;
    std::string m_parser_payload;
    /**
     *
     * Define the action kind regarding to the execution time.
     * 
     * 
     */
    enum Kind {
    /**
     *
     * Action that are executed while loading the configuration. For instance
     * the rule ID or the rule phase.
     *
     */
     ConfigurationKind,
    /**
     *
     * Those are actions that demands to be executed before call the operator.
     * For instance the tranformations.
     *
     *
     */
     RunTimeBeforeMatchAttemptKind,
    /**
     *
     * Actions that are executed after the execution of the operator, only if
     * the operator returned Match (or True). For instance the disruptive
     * actions.
     *
     */
     RunTimeOnlyIfMatchKind,
    };
 };
--- a/headers/modsecurity/modsecurity.h
+++ b/headers/modsecurity/modsecurity.h
@ -81,6 +81,11 @@
 #endif
 #include "modsecurity/intervention.h"
 #include "modsecurity/transaction.h"
 #include "modsecurity/debug_log.h"
 #ifndef HEADERS_MODSECURITY_MODSECURITY_H_
 #define HEADERS_MODSECURITY_MODSECURITY_H_
@ -170,11 +175,6 @@ namespace modsecurity {
 #endif
 #include "modsecurity/intervention.h"
 #include "modsecurity/transaction.h"
 #include "modsecurity/debug_log.h"
 /**
 * TAG_NUM:
 *
--- a/headers/modsecurity/rule.h
+++ b/headers/modsecurity/rule.h
@ -52,7 +52,7 @@ namespace operators {
 class Operator;
 }
-using TransformationResult = std::pair<std::shared_ptr<std::string>,
+using TransformationResult = std::pair<std::string,
    std::shared_ptr<std::string>>;
 using TransformationResults = std::list<TransformationResult>;
--- a/headers/modsecurity/rule_with_actions.h
+++ b/headers/modsecurity/rule_with_actions.h
@ -119,16 +119,7 @@ class RuleWithActions : public Rule {
    void executeTransformations(
-        Transaction *trasn, const std::string &value, TransformationResults &ret);
+        const Transaction *trasn, const std::string &value, TransformationResults &ret);
    inline void executeTransformation(
        actions::transformations::Transformation *a,
        std::shared_ptr<std::string> *value,
        Transaction *trans,
        TransformationResults *ret,
        std::string *path,
        int *nth) const;
    void performLogging(Transaction *trans,
        std::shared_ptr<RuleMessage> ruleMessage,
@ -166,6 +157,14 @@ class RuleWithActions : public Rule {
    RuleWithActions *m_chainedRuleParent;
 private:
    inline void executeTransformation(
        const actions::transformations::Transformation &a,
        std::string &value,
        const Transaction *trans,
        TransformationResults &ret,
        std::string &path,
        int &nth) const;
    /* actions */
    actions::Action *m_disruptiveAction;
    actions::LogData *m_logData;
--- a/headers/modsecurity/rule_with_operator.h
+++ b/headers/modsecurity/rule_with_operator.h
@ -50,7 +50,7 @@ class RuleWithOperator : public RuleWithActions {
    bool evaluate(Transaction *transaction,
        std::shared_ptr<RuleMessage> rm) override;
-    void getVariablesExceptions(Transaction *t,
+    void getVariablesExceptions(Transaction &t,
        variables::Variables *exclusion, variables::Variables *addition);
    inline void getFinalVars(variables::Variables *vars,
        variables::Variables *eclusion, Transaction *trans);
--- a/headers/modsecurity/rules_set.h
+++ b/headers/modsecurity/rules_set.h
@ -99,6 +99,7 @@ int msc_rules_add_remote(RulesSet *rules, const char *key, const char *uri,
    const char **error);
 int msc_rules_add_file(RulesSet *rules, const char *file, const char **error);
 int msc_rules_add(RulesSet *rules, const char *plain_rules, const char **error);
 void msc_rules_error_cleanup(const char *error);
 int msc_rules_cleanup(RulesSet *rules);
 #ifdef __cplusplus
--- a/headers/modsecurity/rules_set_properties.h
+++ b/headers/modsecurity/rules_set_properties.h
@ -333,9 +333,9 @@ class RulesSetProperties {
        case FalseConfigBoolean:
            return "False";
        case PropertyNotSetConfigBoolean:
        default:
            return "Not set";
        }
        return NULL;
    }
--- a/headers/modsecurity/transaction.h
+++ b/headers/modsecurity/transaction.h
@ -14,6 +14,7 @@
 */
 #ifdef __cplusplus
 #include <cassert>
 #include <ctime>
 #include <fstream>
 #include <iomanip>
@ -307,11 +308,8 @@ class TransactionSecMarkerManagement {
    }
    std::shared_ptr<std::string> getCurrentMarker() const {
-        if (m_marker) {
+        assert((m_marker != nullptr) && "You might have forgotten to call and evaluate isInsideAMarker() before calling getCurrentMarker().");
-            return m_marker;
+        return m_marker;
        } else {
            throw; // cppcheck-suppress rethrowNoCurrentException
        }
    }
    void removeMarker() {
@ -725,6 +723,9 @@ void msc_transaction_cleanup(Transaction *transaction);
 /** @ingroup ModSecurity_C_API */
 int msc_intervention(Transaction *transaction, ModSecurityIntervention *it);
 /** @ingroup ModSecurity_C_API */
 void msc_intervention_cleanup(ModSecurityIntervention *it);
 /** @ingroup ModSecurity_C_API */
 int msc_process_logging(Transaction *transaction);
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -219,7 +219,6 @@ OPERATORS = \
 	operators/no_match.cc \
 	operators/operator.cc \
 	operators/pm.cc \
 	operators/pm_f.cc \
 	operators/pm_from_file.cc \
 	operators/rbl.cc \
 	operators/rsub.cc \
@ -248,12 +247,9 @@ UTILS = \
 	utils/geo_lookup.cc \
 	utils/https_client.cc \
 	utils/ip_tree.cc \
 	utils/md5.cc \
 	utils/msc_tree.cc \
 	utils/random.cc \
 	utils/regex.cc \
 	utils/sha1.cc \
 	utils/string.cc \
 	utils/system.cc \
 	utils/shared_files.cc
@ -311,7 +307,6 @@ libmodsecurity_la_CFLAGS =
 libmodsecurity_la_CPPFLAGS = \
 	-std=c++17 \
 	-I.. \
 	-g \
 	-I../others \
@ -323,7 +318,6 @@ libmodsecurity_la_CPPFLAGS = \
 	$(GEOIP_CFLAGS) \
 	$(GLOBAL_CPPFLAGS) \
 	$(MODSEC_NO_LOGS) \
 	$(MODSEC_MUTEX_ON_PM) \
 	$(YAJL_CFLAGS) \
 	$(LMDB_CFLAGS) \
 	$(PCRE_CFLAGS) \
--- a/src/actions/accuracy.cc
+++ b/src/actions/accuracy.cc
@ -15,16 +15,10 @@
 #include "src/actions/accuracy.h"
-#include <iostream>
+#include "modsecurity/rule_with_actions.h"
 #include <string>
 #include "modsecurity/actions/action.h"
 #include "modsecurity/transaction.h"
 #include "modsecurity/rule.h"
-namespace modsecurity {
+namespace modsecurity::actions {
 namespace actions {
 bool Accuracy::init(std::string *error) {
@ -45,5 +39,4 @@ bool Accuracy::evaluate(RuleWithActions *rule, Transaction *transaction) {
 }
-}  // namespace actions
+}  // namespace modsecurity::actions
 }  // namespace modsecurity
--- a/src/actions/accuracy.h
+++ b/src/actions/accuracy.h
@ -30,7 +30,7 @@ namespace actions {
 class Accuracy : public Action {
 public:
    explicit Accuracy(const std::string &action) 
-        : Action(action, ConfigurationKind),
+        : Action(action, Kind::ConfigurationKind),
        m_accuracy(0) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
--- a/src/actions/action.cc
+++ b/src/actions/action.cc
@ -45,12 +45,6 @@ namespace modsecurity {
 namespace actions {
 std::string Action::evaluate(const std::string &value,
    Transaction *transaction) {
    return value;
 }
 bool Action::evaluate(RuleWithActions *rule, Transaction *transaction) {
    return true;
 }
--- a/src/actions/audit_log.h
+++ b/src/actions/audit_log.h
@ -33,7 +33,7 @@ namespace actions {
 class AuditLog : public Action {
 public:
    explicit AuditLog(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind) { }
+        : Action(action) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction,
        std::shared_ptr<RuleMessage> rm) override;
--- a/src/actions/capture.h
+++ b/src/actions/capture.h
@ -29,7 +29,7 @@ namespace actions {
 class Capture : public Action {
 public:
    explicit Capture(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind) { }
+        : Action(action) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
 };
--- a/src/actions/chain.cc
+++ b/src/actions/chain.cc
@ -15,14 +15,9 @@
 #include "src/actions/chain.h"
-#include <iostream>
+#include "modsecurity/rule_with_actions.h"
 #include <string>
-#include "modsecurity/transaction.h"
+namespace modsecurity::actions {
 #include "modsecurity/rule.h"
 namespace modsecurity {
 namespace actions {
 bool Chain::evaluate(RuleWithActions *rule, Transaction *transaction) {
@ -31,5 +26,4 @@ bool Chain::evaluate(RuleWithActions *rule, Transaction *transaction) {
 }
-}  // namespace actions
+}  // namespace modsecurity::actions
 }  // namespace modsecurity
--- a/src/actions/chain.h
+++ b/src/actions/chain.h
@ -33,7 +33,7 @@ namespace actions {
 class Chain : public Action {
 public:
    explicit Chain(const std::string &action) 
-        : Action(action, ConfigurationKind) { }
+        : Action(action, Kind::ConfigurationKind) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
 };
--- a/src/actions/ctl/audit_engine.h
+++ b/src/actions/ctl/audit_engine.h
@ -34,7 +34,7 @@ namespace ctl {
 class AuditEngine : public Action {
 public:
    explicit AuditEngine(const std::string &action)
-        : Action(action, RunTimeOnlyIfMatchKind),
+        : Action(action),
        m_auditEngine(audit_log::AuditLog::AuditLogStatus::NotSetLogStatus) { }
    bool init(std::string *error) override;
--- a/src/actions/ctl/audit_log_parts.h
+++ b/src/actions/ctl/audit_log_parts.h
@ -29,7 +29,7 @@ namespace ctl {
 class AuditLogParts : public Action {
 public:
    explicit AuditLogParts(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind),
+        : Action(action),
        mPartsAction(0),
        mParts("") { }
--- a/src/actions/ctl/request_body_access.h
+++ b/src/actions/ctl/request_body_access.h
@ -30,7 +30,7 @@ namespace ctl {
 class RequestBodyAccess : public Action {
 public:
    explicit RequestBodyAccess(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind),
+        : Action(action),
        m_request_body_access(false) { }
    bool init(std::string *error) override;
--- a/src/actions/ctl/request_body_processor_json.h
+++ b/src/actions/ctl/request_body_processor_json.h
@ -29,7 +29,7 @@ namespace ctl {
 class RequestBodyProcessorJSON : public Action {
 public:
    explicit RequestBodyProcessorJSON(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind) { }
+        : Action(action) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
 };
--- a/src/actions/ctl/request_body_processor_urlencoded.h
+++ b/src/actions/ctl/request_body_processor_urlencoded.h
@ -29,7 +29,7 @@ namespace ctl {
 class RequestBodyProcessorURLENCODED : public Action {
 public:
    explicit RequestBodyProcessorURLENCODED(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind) { }
+        : Action(action) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
 };
--- a/src/actions/ctl/request_body_processor_xml.h
+++ b/src/actions/ctl/request_body_processor_xml.h
@ -29,7 +29,7 @@ namespace ctl {
 class RequestBodyProcessorXML : public Action {
 public:
    explicit RequestBodyProcessorXML(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind) { }
+        : Action(action) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
 };
--- a/src/actions/ctl/rule_engine.h
+++ b/src/actions/ctl/rule_engine.h
@ -31,7 +31,7 @@ namespace ctl {
 class RuleEngine : public Action {
 public:
    explicit RuleEngine(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind),
+        : Action(action),
        m_ruleEngine(RulesSetProperties::PropertyNotSetRuleEngine) { }
    bool init(std::string *error) override;
--- a/src/actions/ctl/rule_remove_by_id.h
+++ b/src/actions/ctl/rule_remove_by_id.h
@ -30,7 +30,7 @@ namespace ctl {
 class RuleRemoveById : public Action {
 public:
    explicit RuleRemoveById(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind) { }
+        : Action(action) { }
    bool init(std::string *error) override;
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
--- a/src/actions/ctl/rule_remove_by_tag.h
+++ b/src/actions/ctl/rule_remove_by_tag.h
@ -30,7 +30,7 @@ namespace ctl {
 class RuleRemoveByTag : public Action {
 public:
    explicit RuleRemoveByTag(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind),
+        : Action(action),
        m_tag("") { }
    bool init(std::string *error) override;
--- a/src/actions/ctl/rule_remove_target_by_id.h
+++ b/src/actions/ctl/rule_remove_target_by_id.h
@ -30,7 +30,7 @@ namespace ctl {
 class RuleRemoveTargetById : public Action {
 public:
    explicit RuleRemoveTargetById(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind),
+        : Action(action),
        m_id(0),
        m_target("") { }
--- a/src/actions/ctl/rule_remove_target_by_tag.h
+++ b/src/actions/ctl/rule_remove_target_by_tag.h
@ -30,7 +30,7 @@ namespace ctl {
 class RuleRemoveTargetByTag : public Action {
 public:
    explicit RuleRemoveTargetByTag(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind) { }
+        : Action(action) { }
    bool init(std::string *error) override;
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
--- a/src/actions/data/status.h
+++ b/src/actions/data/status.h
@ -33,8 +33,8 @@ namespace data {
 class Status : public Action {
 public:
-    explicit Status(const std::string &action) : Action(action, 2),
+    explicit Status(const std::string &action)
-    m_status(0) { }
+        : Action(action), m_status(0) { }
    bool init(std::string *error) override;
    bool evaluate(RuleWithActions *rule, Transaction *transaction,
--- a/src/actions/disruptive/allow.h
+++ b/src/actions/disruptive/allow.h
@ -54,7 +54,7 @@ enum AllowType : int {
 class Allow : public Action {
 public:
    explicit Allow(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind),
+        : Action(action),
        m_allowType(NoneAllowType) { }
--- a/src/actions/disruptive/redirect.h
+++ b/src/actions/disruptive/redirect.h
@ -37,12 +37,12 @@ namespace disruptive {
 class Redirect : public Action {
 public:
    explicit Redirect(const std::string &action)
-        : Action(action, RunTimeOnlyIfMatchKind),
+        : Action(action),
        m_status(0),
        m_string(nullptr) { }
    explicit Redirect(std::unique_ptr<RunTimeString> z)
-        : Action("redirert", RunTimeOnlyIfMatchKind),
+        : Action("redirert"),
            m_status(0),
            m_string(std::move(z)) { }
--- a/src/actions/expire_var.h
+++ b/src/actions/expire_var.h
@ -36,7 +36,7 @@ class ExpireVar : public Action {
    explicit ExpireVar(const std::string &action) : Action(action) { }
    explicit ExpireVar(std::unique_ptr<RunTimeString> z)
-        : Action("expirevar", RunTimeOnlyIfMatchKind),
+        : Action("expirevar"),
            m_string(std::move(z)) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
--- a/src/actions/init_col.h
+++ b/src/actions/init_col.h
@ -35,7 +35,7 @@ class InitCol : public Action {
    explicit InitCol(const std::string &action) : Action(action) { }
    InitCol(const std::string &action, std::unique_ptr<RunTimeString> z)
-        : Action(action, RunTimeOnlyIfMatchKind),
+        : Action(action),
            m_string(std::move(z)) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
--- a/src/actions/log.h
+++ b/src/actions/log.h
@ -31,7 +31,7 @@ namespace actions {
 class Log : public Action {
 public:
    explicit Log(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind) { }
+        : Action(action) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction,
        std::shared_ptr<RuleMessage> rm) override;
--- a/src/actions/log_data.h
+++ b/src/actions/log_data.h
@ -33,10 +33,10 @@ namespace actions {
 class LogData : public Action {
 public:
    explicit LogData(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind) { }
+        : Action(action) { }
    explicit LogData(std::unique_ptr<RunTimeString> z)
-        : Action("logdata", RunTimeOnlyIfMatchKind),
+        : Action("logdata"),
            m_string(std::move(z)) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction,
--- a/src/actions/maturity.cc
+++ b/src/actions/maturity.cc
@ -15,16 +15,10 @@
 #include "src/actions/maturity.h"
-#include <iostream>
+#include "modsecurity/rule_with_actions.h"
 #include <string>
 #include "modsecurity/actions/action.h"
 #include "modsecurity/transaction.h"
 #include "modsecurity/rule.h"
-namespace modsecurity {
+namespace modsecurity::actions {
 namespace actions {
 bool Maturity::init(std::string *error) {
@ -45,5 +39,4 @@ bool Maturity::evaluate(RuleWithActions *rule, Transaction *transaction) {
 }
-}  // namespace actions
+}  // namespace modsecurity::actions
 }  // namespace modsecurity
--- a/src/actions/maturity.h
+++ b/src/actions/maturity.h
@ -30,7 +30,7 @@ namespace actions {
 class Maturity : public Action {
 public:
    explicit Maturity(const std::string &action) 
-        : Action(action, ConfigurationKind),
+        : Action(action, Kind::ConfigurationKind),
        m_maturity(0) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
--- a/src/actions/msg.h
+++ b/src/actions/msg.h
@ -34,10 +34,10 @@ namespace actions {
 class Msg : public Action {
 public:
    explicit Msg(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind) { }
+        : Action(action) { }
    explicit Msg(std::unique_ptr<RunTimeString> z)
-        : Action("msg", RunTimeOnlyIfMatchKind),
+        : Action("msg"),
            m_string(std::move(z)) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction,
--- a/src/actions/multi_match.h
+++ b/src/actions/multi_match.h
@ -33,7 +33,7 @@ namespace actions {
 class MultiMatch : public Action {
 public:
    explicit MultiMatch(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind) { }
+        : Action(action) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
 };
--- a/src/actions/no_audit_log.h
+++ b/src/actions/no_audit_log.h
@ -33,7 +33,7 @@ namespace actions {
 class NoAuditLog : public Action {
 public:
    explicit NoAuditLog(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind) { }
+        : Action(action) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction,
        std::shared_ptr<RuleMessage> rm) override;
--- a/src/actions/no_log.h
+++ b/src/actions/no_log.h
@ -31,7 +31,7 @@ namespace actions {
 class NoLog : public Action {
 public:
    explicit NoLog(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind) { }
+        : Action(action) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction,
        std::shared_ptr<RuleMessage> rm) override;
--- a/src/actions/phase.cc
+++ b/src/actions/phase.cc
@ -15,20 +15,15 @@
 #include "src/actions/phase.h"
-#include <iostream>
+#include "modsecurity/rule_with_actions.h"
 #include <string>
 #include "modsecurity/transaction.h"
 #include "modsecurity/rule.h"
 #include "modsecurity/modsecurity.h"
 #include "src/utils/string.h"
-namespace modsecurity {
+namespace modsecurity::actions {
-namespace actions {
+
 bool Phase::init(std::string *error) {
-    std::string a = utils::string::tolower(m_parser_payload);
+    const auto a = utils::string::tolower(m_parser_payload);
    m_phase = -1;
    try {
@ -77,5 +72,5 @@ bool Phase::evaluate(RuleWithActions *rule, Transaction *transaction) {
    return true;
 }
-}  // namespace actions
+
-}  // namespace modsecurity
+}  // namespace modsecurity::actions
--- a/src/actions/phase.h
+++ b/src/actions/phase.h
@ -32,7 +32,7 @@ namespace actions {
 class Phase : public Action {
 public:
-    explicit Phase(const std::string &action) : Action(action, ConfigurationKind),
+    explicit Phase(const std::string &action) : Action(action, Kind::ConfigurationKind),
        m_phase(0),
        m_secRulesPhase(0) { }
--- a/src/actions/rev.cc
+++ b/src/actions/rev.cc
@ -15,16 +15,10 @@
 #include "src/actions/rev.h"
-#include <iostream>
+#include "modsecurity/rule_with_actions.h"
 #include <string>
 #include "modsecurity/actions/action.h"
 #include "modsecurity/transaction.h"
 #include "modsecurity/rule.h"
-namespace modsecurity {
+namespace modsecurity::actions {
 namespace actions {
 bool Rev::init(std::string *error) {
@ -39,5 +33,4 @@ bool Rev::evaluate(RuleWithActions *rule, Transaction *transaction) {
 }
-}  // namespace actions
+}  // namespace modsecurity::actions
 }  // namespace modsecurity
--- a/src/actions/rev.h
+++ b/src/actions/rev.h
@ -29,7 +29,7 @@ namespace actions {
 class Rev : public Action {
 public:
-    explicit Rev(const std::string &action) : Action(action, ConfigurationKind) { }
+    explicit Rev(const std::string &action) : Action(action, Kind::ConfigurationKind) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
    bool init(std::string *error) override;
--- a/src/actions/rule_id.cc
+++ b/src/actions/rule_id.cc
@ -15,14 +15,10 @@
 #include "src/actions/rule_id.h"
-#include <iostream>
+#include "modsecurity/rule_with_actions.h"
 #include <string>
 #include "modsecurity/transaction.h"
 #include "modsecurity/rule.h"
-namespace modsecurity {
+namespace modsecurity::actions {
 namespace actions {
 bool RuleId::init(std::string *error) {
@ -54,5 +50,4 @@ bool RuleId::evaluate(RuleWithActions *rule, Transaction *transaction) {
 }
-}  // namespace actions
+}  // namespace modsecurity::actions
 }  // namespace modsecurity
--- a/src/actions/rule_id.h
+++ b/src/actions/rule_id.h
@ -33,7 +33,7 @@ namespace actions {
 class RuleId : public Action {
 public:
    explicit RuleId(const std::string &action) 
-        : Action(action, ConfigurationKind),
+        : Action(action, Kind::ConfigurationKind),
        m_ruleId(0) { }
    bool init(std::string *error) override;
--- a/src/actions/set_env.h
+++ b/src/actions/set_env.h
@ -36,7 +36,7 @@ class SetENV : public Action {
        : Action(_action) { }
    explicit SetENV(std::unique_ptr<RunTimeString> z)
-        : Action("setenv", RunTimeOnlyIfMatchKind),
+        : Action("setenv"),
            m_string(std::move(z)) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
--- a/src/actions/set_rsc.h
+++ b/src/actions/set_rsc.h
@ -36,7 +36,7 @@ class SetRSC : public Action {
        : Action(_action) { }
    explicit SetRSC(std::unique_ptr<RunTimeString> z)
-        : Action("setsrc", RunTimeOnlyIfMatchKind),
+        : Action("setsrc"),
            m_string(std::move(z)) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
--- a/src/actions/set_sid.h
+++ b/src/actions/set_sid.h
@ -36,7 +36,7 @@ class SetSID : public Action {
        : Action(_action) { }
    explicit SetSID(std::unique_ptr<RunTimeString> z)
-        : Action("setsid", RunTimeOnlyIfMatchKind),
+        : Action("setsid"),
            m_string(std::move(z)) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
--- a/src/actions/set_uid.h
+++ b/src/actions/set_uid.h
@ -36,7 +36,7 @@ class SetUID : public Action {
        : Action(_action) { }
    explicit SetUID(std::unique_ptr<RunTimeString> z)
-        : Action("setuid", RunTimeOnlyIfMatchKind),
+        : Action("setuid"),
            m_string(std::move(z)) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
--- a/src/actions/set_var.cc
+++ b/src/actions/set_var.cc
@ -51,18 +51,12 @@ bool SetVar::evaluate(RuleWithActions *rule, Transaction *t) {
    std::string m_variableNameExpanded;
    auto *v = m_variable.get();
-    variables::Tx_DynamicElement *tx = dynamic_cast<
+    auto tx = dynamic_cast<variables::Tx_DynamicElement *> (v);
-        variables::Tx_DynamicElement *> (v);
+    auto session = dynamic_cast<variables::Session_DynamicElement *> (v);
-    variables::Session_DynamicElement *session = dynamic_cast<
+    auto ip = dynamic_cast<variables::Ip_DynamicElement *> (v);
-        variables::Session_DynamicElement *> (v);
+    auto resource = dynamic_cast<variables::Resource_DynamicElement *> (v);
-    variables::Ip_DynamicElement *ip = dynamic_cast<
+    auto global = dynamic_cast<variables::Global_DynamicElement *> (v);
-        variables::Ip_DynamicElement *> (v);
+    auto user = dynamic_cast<variables::User_DynamicElement *> (v);
    variables::Resource_DynamicElement *resource = dynamic_cast<
        variables::Resource_DynamicElement *> (v);
    variables::Global_DynamicElement *global = dynamic_cast<
        variables::Global_DynamicElement *> (v);
    variables::User_DynamicElement *user = dynamic_cast<
        variables::User_DynamicElement *> (v);
    if (tx) {
        m_variableNameExpanded = tx->m_string->evaluate(t, rule);
    } else if (session) {
--- a/src/actions/skip.h
+++ b/src/actions/skip.h
@ -30,7 +30,7 @@ namespace actions {
 class Skip : public Action {
 public:
    explicit Skip(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind),
+        : Action(action),
        m_skip_next(0) { }
    bool init(std::string *error) override;
--- a/src/actions/skip_after.h
+++ b/src/actions/skip_after.h
@ -31,7 +31,7 @@ namespace actions {
 class SkipAfter : public Action {
 public:
    explicit SkipAfter(const std::string &action) 
-        : Action(action, RunTimeOnlyIfMatchKind),
+        : Action(action),
        m_skipName(std::make_shared<std::string>(m_parser_payload)) { }
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
--- a/src/actions/tag.h
+++ b/src/actions/tag.h
@ -33,7 +33,7 @@ namespace actions {
 class Tag : public Action {
 public:
    explicit Tag(std::unique_ptr<RunTimeString> z)
-        : Action("tag", RunTimeOnlyIfMatchKind),
+        : Action("tag"),
        m_string(std::move(z)) { }
    std::string getName(Transaction *transaction);
--- a/src/actions/transformations/base64_decode.cc
+++ b/src/actions/transformations/base64_decode.cc
@ -13,33 +13,19 @@
 *
 */
-#include "src/actions/transformations/base64_decode.h"
+#include "base64_decode.h"
 #include <iostream>
 #include <string>
 #include <algorithm>
 #include <functional>
 #include <cctype>
 #include <locale>
 #include "modsecurity/transaction.h"
 #include "src/actions/transformations/transformation.h"
 #include "src/utils/base64.h"
-namespace modsecurity {
+namespace modsecurity::actions::transformations {
 namespace actions {
 namespace transformations {
-std::string Base64Decode::evaluate(const std::string &value,
+bool Base64Decode::transform(std::string &value, const Transaction *trans) const {
-    Transaction *transaction) {
+    if (value.empty()) return false;
-    std::string ret = Utils::Base64::decode(value);
+    value = Utils::Base64::decode(value);
-
+    return true;
    return ret;
 }
-}  // namespace transformations
+}  // namespace modsecurity::actions::transformations
 }  // namespace actions
 }  // namespace modsecurity
--- a/src/actions/transformations/base64_decode.h
+++ b/src/actions/transformations/base64_decode.h
@ -13,33 +13,20 @@
 *
 */
 #include <string>
 #include "modsecurity/actions/action.h"
 #include "src/actions/transformations/transformation.h"
 #ifndef SRC_ACTIONS_TRANSFORMATIONS_BASE64_DECODE_H_
 #define SRC_ACTIONS_TRANSFORMATIONS_BASE64_DECODE_H_
-#ifdef __cplusplus
+#include "transformation.h"
 namespace modsecurity {
 class Transaction;
-namespace actions {
+namespace modsecurity::actions::transformations {
 namespace transformations {
 class Base64Decode : public Transformation {
 public:
-    explicit Base64Decode(const std::string &action)  : Transformation(action) { }
+    using Transformation::Transformation;
-    std::string evaluate(const std::string &exp,
+    bool transform(std::string &value, const Transaction *trans) const override;
        Transaction *transaction) override;
 };
-}  // namespace transformations
+}  // namespace modsecurity::actions::transformations
 }  // namespace actions
 }  // namespace modsecurity
 #endif
 #endif  // SRC_ACTIONS_TRANSFORMATIONS_BASE64_DECODE_H_
--- a/src/actions/transformations/base64_decode_ext.cc
+++ b/src/actions/transformations/base64_decode_ext.cc
@ -13,33 +13,19 @@
 *
 */
-#include "src/actions/transformations/base64_decode_ext.h"
+#include "base64_decode_ext.h"
 #include <iostream>
 #include <string>
 #include <algorithm>
 #include <functional>
 #include <cctype>
 #include <locale>
 #include "modsecurity/transaction.h"
 #include "src/actions/transformations/transformation.h"
 #include "src/utils/base64.h"
-namespace modsecurity {
+namespace modsecurity::actions::transformations {
 namespace actions {
 namespace transformations {
-std::string Base64DecodeExt::evaluate(const std::string &value,
+bool Base64DecodeExt::transform(std::string &value, const Transaction *trans) const {
-    Transaction *transaction) {
+    if (value.empty()) return false;
-    std::string ret = Utils::Base64::decode_forgiven(value);
+    value = Utils::Base64::decode_forgiven(value);
-
+    return true;
    return ret;
 }
-}  // namespace transformations
+}  // namespace modsecurity::actions::transformations
 }  // namespace actions
 }  // namespace modsecurity
--- a/src/actions/transformations/base64_decode_ext.h
+++ b/src/actions/transformations/base64_decode_ext.h
@ -13,33 +13,20 @@
 *
 */
 #include <string>
 #include "modsecurity/actions/action.h"
 #include "src/actions/transformations/transformation.h"
 #ifndef SRC_ACTIONS_TRANSFORMATIONS_BASE64_DECODE_EXT_H_
 #define SRC_ACTIONS_TRANSFORMATIONS_BASE64_DECODE_EXT_H_
-#ifdef __cplusplus
+#include "transformation.h"
 namespace modsecurity {
 class Transaction;
-namespace actions {
+namespace modsecurity::actions::transformations {
 namespace transformations {
 class Base64DecodeExt : public Transformation {
 public:
-    explicit Base64DecodeExt(const std::string &action)  : Transformation(action) { }
+    using Transformation::Transformation;
-    std::string evaluate(const std::string &exp,
+    bool transform(std::string &value, const Transaction *trans) const override;
        Transaction *transaction) override;
 };
-}  // namespace transformations
+}  // namespace modsecurity::actions::transformations
 }  // namespace actions
 }  // namespace modsecurity
 #endif
 #endif  // SRC_ACTIONS_TRANSFORMATIONS_BASE64_DECODE_EXT_H_
--- a/src/actions/transformations/base64_encode.cc
+++ b/src/actions/transformations/base64_encode.cc
@ -13,33 +13,19 @@
 *
 */
-#include "src/actions/transformations/base64_encode.h"
+#include "base64_encode.h"
 #include <iostream>
 #include <string>
 #include <algorithm>
 #include <functional>
 #include <cctype>
 #include <locale>
 #include "modsecurity/transaction.h"
 #include "src/actions/transformations/transformation.h"
 #include "src/utils/base64.h"
-namespace modsecurity {
+namespace modsecurity::actions::transformations {
 namespace actions {
 namespace transformations {
-std::string Base64Encode::evaluate(const std::string &value,
+bool Base64Encode::transform(std::string &value, const Transaction *trans) const {
-    Transaction *transaction) {
+    if (value.empty()) return false;
-    std::string ret = Utils::Base64::encode(value);
+    value = Utils::Base64::encode(value);
-
+    return true;
    return ret;
 }
-}  // namespace transformations
+}  // namespace modsecurity::actions::transformations
 }  // namespace actions
 }  // namespace modsecurity
--- a/src/actions/transformations/base64_encode.h
+++ b/src/actions/transformations/base64_encode.h
@ -13,33 +13,20 @@
 *
 */
 #include <string>
 #include "modsecurity/actions/action.h"
 #include "src/actions/transformations/transformation.h"
 #ifndef SRC_ACTIONS_TRANSFORMATIONS_BASE64_ENCODE_H_
 #define SRC_ACTIONS_TRANSFORMATIONS_BASE64_ENCODE_H_
-#ifdef __cplusplus
+#include "transformation.h"
 namespace modsecurity {
 class Transaction;
-namespace actions {
+namespace modsecurity::actions::transformations {
 namespace transformations {
 class Base64Encode : public Transformation {
 public:
-    explicit Base64Encode(const std::string &action)  : Transformation(action) { }
+    using Transformation::Transformation;
-    std::string evaluate(const std::string &exp,
+    bool transform(std::string &value, const Transaction *trans) const override;
        Transaction *transaction) override;
 };
-}  // namespace transformations
+}  // namespace modsecurity::actions::transformations
 }  // namespace actions
 }  // namespace modsecurity
 #endif
 #endif  // SRC_ACTIONS_TRANSFORMATIONS_BASE64_ENCODE_H_
--- a/src/actions/transformations/cmd_line.cc
+++ b/src/actions/transformations/cmd_line.cc
@ -13,30 +13,17 @@
 *
 */
-#include "src/actions/transformations/cmd_line.h"
+#include "cmd_line.h"
 #include <iostream>
 #include <string>
 #include <algorithm>
 #include <functional>
 #include <cctype>
 #include <locale>
 #include "modsecurity/transaction.h"
 #include "src/actions/transformations/transformation.h"
-namespace modsecurity {
+namespace modsecurity::actions::transformations {
 namespace actions {
 namespace transformations {
-std::string CmdLine::evaluate(const std::string &value,
+bool CmdLine::transform(std::string &value, const Transaction *trans) const {
-    Transaction *transaction) {
+    char *d = value.data();
-    std::string ret;
+    bool space = false;
    int space = 0;
-    for (auto& a : value) {
+    for (const auto& a : value) {
        switch (a) {
            /* remove some characters */
            case '"':
@ -52,9 +39,9 @@ std::string CmdLine::evaluate(const std::string &value,
            case '\t':
            case '\r':
            case '\n':
-                if (space == 0) {
+                if (space == false) {
-                    ret.append(" ");
+                    *d++ = ' ';
-                    space++;
+                    space = true;
                }
                break;
@ -62,26 +49,27 @@ std::string CmdLine::evaluate(const std::string &value,
            case '/':
            case '(':
                if (space) {
-                    ret.pop_back();
+                    d--;
                }
-                space = 0;
+                space = false;
-                ret.append(&a, 1);
+                *d++ = a;
                break;
            /* copy normal characters */
            default :
                char b = std::tolower(a);
-                ret.append(&b, 1);
+                *d++ = b;
-                space = 0;
+                space = false;
                break;
        }
    }
-    return ret;
+    const auto new_len = d - value.c_str();
    const auto changed = new_len != value.length();
    value.resize(new_len);
    return changed;
 }
-}  // namespace transformations
+}  // namespace modsecurity::actions::transformations
 }  // namespace actions
 }  // namespace modsecurity
--- a/src/actions/transformations/cmd_line.h
+++ b/src/actions/transformations/cmd_line.h
@ -13,35 +13,21 @@
 *
 */
 #include <string>
 #include "modsecurity/actions/action.h"
 #include "src/actions/transformations/transformation.h"
 #ifndef SRC_ACTIONS_TRANSFORMATIONS_CMD_LINE_H_
 #define SRC_ACTIONS_TRANSFORMATIONS_CMD_LINE_H_
-#ifdef __cplusplus
+#include "transformation.h"
 namespace modsecurity {
 class Transaction;
-namespace actions {
+namespace modsecurity::actions::transformations {
 namespace transformations {
 class CmdLine : public Transformation {
 public:
-    explicit CmdLine(const std::string &action) 
+    using Transformation::Transformation;
        : Transformation(action) { }
-    std::string evaluate(const std::string &exp,
+    bool transform(std::string &value, const Transaction *trans) const override;
        Transaction *transaction) override;
 };
-}  // namespace transformations
+}  // modsecurity::namespace actions::transformations
 }  // namespace actions
 }  // namespace modsecurity
 #endif
 #endif  // SRC_ACTIONS_TRANSFORMATIONS_CMD_LINE_H_
--- a/src/actions/transformations/compress_whitespace.cc
+++ b/src/actions/transformations/compress_whitespace.cc
@ -13,54 +13,36 @@
 *
 */
-#include "src/actions/transformations/compress_whitespace.h"
+#include "compress_whitespace.h"
 #include <iostream>
 #include <string>
 #include <algorithm>
 #include <functional>
 #include <cctype>
 #include <locale>
 #include "modsecurity/transaction.h"
 #include "src/actions/transformations/transformation.h"
-namespace modsecurity {
+namespace modsecurity::actions::transformations {
 namespace actions {
 namespace transformations {
 CompressWhitespace::CompressWhitespace(const std::string &action) 
    : Transformation(action) {
    this->action_kind = 1;
 }
-std::string CompressWhitespace::evaluate(const std::string &value,
+bool CompressWhitespace::transform(std::string &value, const Transaction *trans) const {
-    Transaction *transaction) {
+    bool inWhiteSpace = false;
-    std::string a;
+    auto d = value.data();
    int inWhiteSpace = 0;
    int i = 0;
-    while (i < value.size()) {
+    for(const auto c : value) {
-        if (isspace(value[i])) {
+        if (isspace(c)) {
            if (inWhiteSpace) {
                i++;
                continue;
            } else {
-                inWhiteSpace = 1;
+                inWhiteSpace = true;
-                a.append(" ", 1);
+                *d++ = ' ';
            }
        } else {
-            inWhiteSpace = 0;
+            inWhiteSpace = false;
-            a.append(&value.at(i), 1);
+            *d++ = c;
        }
        i++;
    }
-    return a;
+    const auto new_len = d - value.c_str();
    const auto changed = new_len != value.length();
    value.resize(new_len);
    return changed;
 }
-}  // namespace transformations
+
-}  // namespace actions
+}  // namespace modsecurity::actions::transformations
 }  // namespace modsecurity
--- a/src/actions/transformations/compress_whitespace.h
+++ b/src/actions/transformations/compress_whitespace.h
@ -13,34 +13,20 @@
 *
 */
 #include <string>
 #include "modsecurity/actions/action.h"
 #include "src/actions/transformations/transformation.h"
 #ifndef SRC_ACTIONS_TRANSFORMATIONS_COMPRESS_WHITESPACE_H_
 #define SRC_ACTIONS_TRANSFORMATIONS_COMPRESS_WHITESPACE_H_
-#ifdef __cplusplus
+#include "transformation.h"
 namespace modsecurity {
 class Transaction;
-namespace actions {
+namespace modsecurity::actions::transformations {
 namespace transformations {
 class CompressWhitespace : public Transformation {
 public:
    using Transformation::Transformation;
-    explicit CompressWhitespace(const std::string &action) ;
+    bool transform(std::string &value, const Transaction *trans) const override;
    std::string evaluate(const std::string &exp,
        Transaction *transaction) override;
 };
-}  // namespace transformations
+}  // namespace modsecurity::actions::transformations
 }  // namespace actions
 }  // namespace modsecurity
 #endif
 #endif  // SRC_ACTIONS_TRANSFORMATIONS_COMPRESS_WHITESPACE_H_
--- a/src/actions/transformations/css_decode.cc
+++ b/src/actions/transformations/css_decode.cc
@ -13,42 +13,13 @@
 *
 */
-#include "src/actions/transformations/css_decode.h"
+#include "css_decode.h"
 #include <string.h>
 #include <iostream>
 #include <string>
 #include <algorithm>
 #include <functional>
 #include <cctype>
 #include <locale>
 #include "modsecurity/transaction.h"
 #include "src/actions/transformations/transformation.h"
 #include "src/utils/string.h"
 using namespace modsecurity::utils::string;
-namespace modsecurity {
+namespace modsecurity::actions::transformations {
 namespace actions {
 namespace transformations {
 std::string CssDecode::evaluate(const std::string &value,
    Transaction *transaction) {
    char *tmp = reinterpret_cast<char *>(
        malloc(sizeof(char) * value.size() + 1));
    memcpy(tmp, value.c_str(), value.size() + 1);
    tmp[value.size()] = '\0';
    CssDecode::css_decode_inplace(reinterpret_cast<unsigned char *>(tmp),
        value.size());
    std::string ret(tmp, 0, value.size());
    free(tmp);
    return ret;
 }
 /**
@ -58,15 +29,13 @@ std::string CssDecode::evaluate(const std::string &value,
 *     http://www.w3.org/TR/REC-CSS2/syndata.html#q4
 *     http://www.unicode.org/roadmaps/
 */
-int CssDecode::css_decode_inplace(unsigned char *input, int64_t input_len) {
+static inline bool css_decode_inplace(std::string &val) {
-    unsigned char *d = (unsigned char *)input;
+    const auto input_len = val.length();
-    int64_t i, j, count;
+    auto input = reinterpret_cast<unsigned char *>(val.data());
    auto d = input;
    bool changed = false;
-    if (input == NULL) {
+    std::string::size_type i = 0;
        return -1;
    }
    i = count = 0;
    while (i < input_len) {
        /* Is the character a backslash? */
        if (input[i] == '\\') {
@ -75,7 +44,7 @@ int CssDecode::css_decode_inplace(unsigned char *input, int64_t input_len) {
                i++; /* We are not going to need the backslash. */
                /* Check for 1-6 hex characters following the backslash */
-                j = 0;
+                std::string::size_type j = 0;
                while ((j < 6)
                        && (i + j < input_len)
                        && (VALID_HEX(input[i + j]))) {
@ -157,40 +126,45 @@ int CssDecode::css_decode_inplace(unsigned char *input, int64_t input_len) {
                    }
                    /* Move over. */
                    count++;
                    i += j;
                    changed = true;
                } else if (input[i] == '\n') {
                /* No hexadecimal digits after backslash */
                    /* A newline character following backslash is ignored. */
                    i++;
                    changed = true;
                } else {
                /* The character after backslash is not a hexadecimal digit,
                 * nor a newline. */
                    /* Use one character after backslash as is. */
                    *d++ = input[i++];
                    count++;
                }
            } else {
            /* No characters after backslash. */
                /* Do not include backslash in output
                 *(continuation to nothing) */
                i++;
                changed = true;
            }
        } else {
        /* Character is not a backslash. */
            /* Copy one normal character to output. */
            *d++ = input[i++];
            count++;
        }
    }
    /* Terminate output string. */
    *d = '\0';
-    return count;
+    val.resize(d - input);
    return changed;
 }
-}  // namespace transformations
+bool CssDecode::transform(std::string &value, const Transaction *trans) const {
-}  // namespace actions
+    return css_decode_inplace(value);
-}  // namespace modsecurity
+}
 }  // namespace modsecurity::actions::transformations
--- a/src/actions/transformations/css_decode.h
+++ b/src/actions/transformations/css_decode.h
@ -13,37 +13,20 @@
 *
 */
 #include <string>
 #include "modsecurity/actions/action.h"
 #include "src/actions/transformations/transformation.h"
 #ifndef SRC_ACTIONS_TRANSFORMATIONS_CSS_DECODE_H_
 #define SRC_ACTIONS_TRANSFORMATIONS_CSS_DECODE_H_
-#ifdef __cplusplus
+#include "transformation.h"
 namespace modsecurity {
 class Transaction;
 namespace actions {
 namespace transformations {
 namespace modsecurity::actions::transformations {
 class CssDecode : public Transformation {
 public:
-    explicit CssDecode(const std::string &action) 
+    using Transformation::Transformation;
        : Transformation(action) { }
    std::string evaluate(const std::string &exp,
        Transaction *transaction) override;
-    static int css_decode_inplace(unsigned char *input, int64_t input_len);
+    bool transform(std::string &value, const Transaction *trans) const override;
 };
-
+}  // namespace modsecurity::actions::transformations
 }  // namespace transformations
 }  // namespace actions
 }  // namespace modsecurity
 #endif
 #endif  // SRC_ACTIONS_TRANSFORMATIONS_CSS_DECODE_H_
--- a/src/actions/transformations/escape_seq_decode.cc
+++ b/src/actions/transformations/escape_seq_decode.cc
@ -13,36 +13,22 @@
 *
 */
-#include "src/actions/transformations/escape_seq_decode.h"
+#include "escape_seq_decode.h"
 #include <iostream>
 #include <string>
 #include <algorithm>
 #include <functional>
 #include <cctype>
 #include <locale>
 #include <cstring>
 #include "modsecurity/transaction.h"
 #include "src/actions/transformations/transformation.h"
 #include "src/utils/string.h"
-namespace modsecurity {
+using namespace modsecurity::utils::string;
 namespace actions {
 namespace transformations {
-EscapeSeqDecode::EscapeSeqDecode(const std::string &action) 
+namespace modsecurity::actions::transformations {
    : Transformation(action) {
    this->action_kind = 1;
 }
-int EscapeSeqDecode::ansi_c_sequences_decode_inplace(unsigned char *input,
+static inline int ansi_c_sequences_decode_inplace(std::string &value) {
-    int input_len) {
+    auto d = reinterpret_cast<unsigned char *>(value.data());
-    unsigned char *d = input;
+    const unsigned char* input = d;
-    int i, count;
+    const auto input_len = value.length();
-    i = count = 0;
+    bool changed = false;
    std::string::size_type i = 0;
    while (i < input_len) {
        if ((input[i] == '\\') && (i + 1 < input_len)) {
            int c = -1;
@ -120,43 +106,29 @@ int EscapeSeqDecode::ansi_c_sequences_decode_inplace(unsigned char *input,
            if (c == -1) {
                /* Didn't recognise encoding, copy raw bytes. */
                *d++ = input[i + 1];
                count++;
                i += 2;
            } else {
                /* Converted the encoding. */
                *d++ = c;
                count++;
            }
            changed = true;
        } else {
            /* Input character not a backslash, copy it. */
            *d++ = input[i++];
            count++;
        }
    }
    *d = '\0';
-    return count;
+    value.resize(d - input);
    return changed;
 }
-std::string EscapeSeqDecode::evaluate(const std::string &value,
+bool EscapeSeqDecode::transform(std::string &value, const Transaction *trans) const {
-    Transaction *transaction) {
+    return ansi_c_sequences_decode_inplace(value);
    unsigned char *tmp = (unsigned char *) malloc(sizeof(char)
        * value.size() + 1);
    memcpy(tmp, value.c_str(), value.size() + 1);
    tmp[value.size()] = '\0';
    int size = ansi_c_sequences_decode_inplace(tmp, value.size());
    std::string ret("");
    ret.assign(reinterpret_cast<char *>(tmp), size);
    free(tmp);
    return ret;
 }
-}  // namespace transformations
+
-}  // namespace actions
+}  // namespace modsecurity::actions::transformations
 }  // namespace modsecurity
--- a/src/actions/transformations/escape_seq_decode.h
+++ b/src/actions/transformations/escape_seq_decode.h
@ -13,35 +13,20 @@
 *
 */
 #include <string>
 #include "modsecurity/actions/action.h"
 #include "src/actions/transformations/transformation.h"
 #ifndef SRC_ACTIONS_TRANSFORMATIONS_ESCAPE_SEQ_DECODE_H_
 #define SRC_ACTIONS_TRANSFORMATIONS_ESCAPE_SEQ_DECODE_H_
-#ifdef __cplusplus
+#include "transformation.h"
 namespace modsecurity {
 class Transaction;
-namespace actions {
+namespace modsecurity::actions::transformations {
 namespace transformations {
 class EscapeSeqDecode : public Transformation {
 public:
    using Transformation::Transformation;
-    explicit EscapeSeqDecode(const std::string &action) ;
+    bool transform(std::string &value, const Transaction *trans) const override;
    std::string evaluate(const std::string &exp,
        Transaction *transaction) override;
    int ansi_c_sequences_decode_inplace(unsigned char *input, int input_len);
 };
-}  // namespace transformations
+}  // namespace modsecurity::actions::transformations
 }  // namespace actions
 }  // namespace modsecurity
 #endif
 #endif  // SRC_ACTIONS_TRANSFORMATIONS_ESCAPE_SEQ_DECODE_H_
--- a/src/actions/transformations/hex_decode.cc
+++ b/src/actions/transformations/hex_decode.cc
@ -13,67 +13,35 @@
 *
 */
-#include "src/actions/transformations/hex_decode.h"
+#include "hex_decode.h"
 #include <iostream>
 #include <string>
 #include <algorithm>
 #include <functional>
 #include <cctype>
 #include <locale>
 #include <cstring>
 #include "modsecurity/transaction.h"
 #include "src/actions/transformations/transformation.h"
 #include "src/utils/string.h"
-namespace modsecurity {
+
-namespace actions {
+namespace modsecurity::actions::transformations {
 namespace transformations {
-std::string HexDecode::evaluate(const std::string &value,
+static inline int inplace(std::string &value) {
-    Transaction *transaction) {
+    if (value.empty()) return false;
    std::string ret;
    unsigned char *input;
    int size = 0;
-    input = reinterpret_cast<unsigned char *>
+    const auto len = value.length();
-        (malloc(sizeof(char) * value.length()+1));
+    auto d = reinterpret_cast<unsigned char *>(value.data());
    const auto data = d;
-    if (input == NULL) {
+    for (int i = 0; i <= len - 2; i += 2) {
        return "";
    }
    memcpy(input, value.c_str(), value.length()+1);
    size = inplace(input, value.length());
    ret.assign(reinterpret_cast<char *>(input), size);
    free(input);
    return ret;
 }
 int HexDecode::inplace(unsigned char *data, int len) {
    unsigned char *d = data;
    int count = 0;
    if ((data == NULL) || (len == 0)) {
        return 0;
    }
    for (int i = 0;i <= len - 2;i += 2) {
        *d++ = utils::string::x2c(&data[i]);
        count++;
    }
    *d = '\0';
-    return count;
+    value.resize(d - data);
    return true;
 }
-}  // namespace transformations
+bool HexDecode::transform(std::string &value, const Transaction *trans) const {
-}  // namespace actions
+    return inplace(value);
-}  // namespace modsecurity
+}
 }  // namespace modsecurity::actions::transformations
--- a/src/actions/transformations/hex_decode.h
+++ b/src/actions/transformations/hex_decode.h
@ -13,35 +13,20 @@
 *
 */
 #include <string>
 #include "modsecurity/actions/action.h"
 #include "src/actions/transformations/transformation.h"
 #ifndef SRC_ACTIONS_TRANSFORMATIONS_HEX_DECODE_H_
 #define SRC_ACTIONS_TRANSFORMATIONS_HEX_DECODE_H_
-#ifdef __cplusplus
+#include "transformation.h"
 namespace modsecurity {
 class Transaction;
-namespace actions {
+namespace modsecurity::actions::transformations {
 namespace transformations {
 class HexDecode : public Transformation {
 public:
-    explicit HexDecode(const std::string &action)  : Transformation(action) { }
+    using Transformation::Transformation;
-    std::string evaluate(const std::string &exp,
+    bool transform(std::string &value, const Transaction *trans) const override;
        Transaction *transaction) override;
    static int inplace(unsigned char *data, int len);
 };
-}  // namespace transformations
+}  // namespace modsecurity::actions::transformations
 }  // namespace actions
 }  // namespace modsecurity
 #endif
 #endif  // SRC_ACTIONS_TRANSFORMATIONS_HEX_DECODE_H_
--- a/src/actions/transformations/hex_encode.cc
+++ b/src/actions/transformations/hex_encode.cc
@ -13,41 +13,25 @@
 *
 */
-#include "src/actions/transformations/hex_encode.h"
+#include "hex_encode.h"
-#include <iostream>
+#include "modsecurity/rule_with_actions.h"
 #include <string>
 #include <algorithm>
 #include <functional>
 #include <cctype>
 #include <locale>
 #include <iterator>
 #include "modsecurity/transaction.h"
 #include "src/actions/transformations/transformation.h"
-namespace modsecurity {
+namespace modsecurity::actions::transformations {
 namespace actions {
 namespace transformations {
 HexEncode::HexEncode(const std::string &action) 
    : Transformation(action) {
    this->action_kind = 1;
 }
-std::string HexEncode::evaluate(const std::string &value,
+bool HexEncode::transform(std::string &value, const Transaction *trans) const {
-    Transaction *transaction) {
+    if (value.empty()) return false;
    std::stringstream result;
-    for (std::size_t i=0; i < value.length(); i++) {
+    for (const auto c : value) {
-        unsigned int ii = (unsigned char)(value[i]);
+        unsigned int ii = (unsigned char)c;
        result << std::setw(2) << std::setfill('0') << std::hex << ii;
    }
-    return result.str();
+    value = result.str();
    return true;
 }
-}  // namespace transformations
+}  // namespace modsecurity::actions::transformations
 }  // namespace actions
 }  // namespace modsecurity
--- a/src/actions/transformations/hex_encode.h
+++ b/src/actions/transformations/hex_encode.h
@ -13,34 +13,20 @@
 *
 */
 #include <string>
 #include "modsecurity/actions/action.h"
 #include "src/actions/transformations/transformation.h"
 #ifndef SRC_ACTIONS_TRANSFORMATIONS_HEX_ENCODE_H_
 #define SRC_ACTIONS_TRANSFORMATIONS_HEX_ENCODE_H_
-#ifdef __cplusplus
+#include "transformation.h"
 namespace modsecurity {
 class Transaction;
-namespace actions {
+namespace modsecurity::actions::transformations {
 namespace transformations {
 class HexEncode : public Transformation {
 public:
    using Transformation::Transformation;
-    explicit HexEncode(const std::string &action);
+    bool transform(std::string &value, const Transaction *trans) const override;
    std::string evaluate(const std::string &exp,
        Transaction *transaction) override;
 };
-}  // namespace transformations
+}  // namespace modsecurity::actions::transformations
 }  // namespace actions
 }  // namespace modsecurity
 #endif
 #endif  // SRC_ACTIONS_TRANSFORMATIONS_HEX_ENCODE_H_
--- a/src/actions/transformations/html_entity_decode.cc
+++ b/src/actions/transformations/html_entity_decode.cc
@ -13,70 +13,36 @@
 *
 */
-#include "src/actions/transformations/html_entity_decode.h"
+#include "html_entity_decode.h"
-#include <string.h>
+#include <cstring>
-#include <iostream>
+#include "src/utils/string.h"
 #include <string>
 #include <algorithm>
 #include <functional>
 #include <cctype>
 #include <locale>
 #include "modsecurity/transaction.h"
 #include "src/actions/transformations/transformation.h"
 #ifdef WIN32
 #include "src/compat/msvc.h"
 #endif
 using namespace modsecurity::utils::string;
-namespace modsecurity {
+namespace modsecurity::actions::transformations {
 namespace actions {
 namespace transformations {
-std::string HtmlEntityDecode::evaluate(const std::string &value,
+static inline bool inplace(std::string &value) {
-    Transaction *transaction) {
+    const auto input_len = value.length();
-    std::string ret;
+    auto d = reinterpret_cast<unsigned char*>(value.data());
-    unsigned char *input;
+    const unsigned char *input = d;
    const unsigned char *end = input + input_len;
-    input = reinterpret_cast<unsigned char *>
+    std::string::size_type i = 0;
-        (malloc(sizeof(char) * value.length()+1));
+    while (i < input_len) {
-
+        std::string::size_type copy = 1;
    if (input == NULL) {
        return "";
    }
    memcpy(input, value.c_str(), value.length()+1);
    size_t i = inplace(input, value.length());
    ret.assign(reinterpret_cast<char *>(input), i);
    free(input);
    return ret;
 }
 int HtmlEntityDecode::inplace(unsigned char *input, uint64_t input_len) {
    unsigned char *d = input;
    int i, count;
    if ((input == NULL) || (input_len == 0)) {
        return 0;
    }
    i = count = 0;
    while ((i < input_len) && (count < input_len)) {
        int z, copy = 1;
        /* Require an ampersand and at least one character to
         * start looking into the entity.
         */
        if ((input[i] == '&') && (i + 1 < input_len)) {
-            int k, j = i + 1;
+            auto j = i + 1;
            if (input[j] == '#') {
                /* Numerical entity. */
@ -96,19 +62,18 @@ int HtmlEntityDecode::inplace(unsigned char *input, uint64_t input_len) {
                    }
                    j++; /* j is the position of the first digit now. */
-                    k = j;
+                    constexpr int MAX_HEX_DIGITS = 2;   // supports only bytes (max value 0xff)
-                    while ((j < input_len) && (isxdigit(input[j]))) {
+                    auto k = j;
                    while ((j - k < MAX_HEX_DIGITS) && (j < input_len) && (isxdigit(input[j]))) {
                        j++;
                    }
                    if (j > k) { /* Do we have at least one digit? */
                        /* Decode the entity. */
-                        char *x;
+                        char x[MAX_HEX_DIGITS + 1];
                        x = reinterpret_cast<char *>(calloc(sizeof(char),
                            ((j - k) + 1)));
                        memcpy(x, (const char *)&input[k], j - k);
-                        *d++ = (unsigned char)strtol(x, NULL, 16);
+                        x[j - k] = '\0';
-                        free(x);
+
-                        count++;
+                        *d++ = (unsigned char)strtol(x, nullptr, 16);
                        /* Skip over the semicolon if it's there. */
                        if ((j < input_len) && (input[j] == ';')) {
@ -122,19 +87,18 @@ int HtmlEntityDecode::inplace(unsigned char *input, uint64_t input_len) {
                    }
                } else {
                    /* Decimal entity. */
-                    k = j;
+                    constexpr int MAX_DEC_DIGITS = 3;   // supports only bytes (max value 255)
-                    while ((j < input_len) && (isdigit(input[j]))) {
+                    auto k = j;
                    while ((j - k < MAX_DEC_DIGITS) && (j < input_len) && (isdigit(input[j]))) {
                        j++;
                    }
                    if (j > k) { /* Do we have at least one digit? */
                        /* Decode the entity. */
-                        char *x;
+                        char x[MAX_DEC_DIGITS + 1];
                        x = reinterpret_cast<char *>(calloc(sizeof(char),
                            ((j - k) + 1)));
                        memcpy(x, (const char *)&input[k], j - k);
-                        *d++ = (unsigned char)strtol(x, NULL, 10);
+                        x[j - k] = '\0';
-                        free(x);
+
-                        count++;
+                        *d++ = (unsigned char)strtol(x, nullptr, 10);
                        /* Skip over the semicolon if it's there. */
                        if ((j < input_len) && (input[j] == ';')) {
@ -149,38 +113,31 @@ int HtmlEntityDecode::inplace(unsigned char *input, uint64_t input_len) {
                }
            } else {
                /* Text entity. */
-                k = j;
+                auto k = j;
                while ((j < input_len) && (isalnum(input[j]))) {
                    j++;
                }
                if (j > k) { /* Do we have at least one digit? */
-                    char *x;
+                    const auto x = reinterpret_cast<const char*>(&input[k]);
                    x = reinterpret_cast<char *>(calloc(sizeof(char),
                        ((j - k) + 1)));
                    memcpy(x, (const char *)&input[k], j - k);
                    /* Decode the entity. */
                    /* ENH What about others? */
-                    if (strcasecmp(x, "quot") == 0) {
+                    if (strncasecmp(x, "quot", 4) == 0) {
                        *d++ = '"';
-                    } else if (strcasecmp(x, "amp") == 0) {
+                    } else if (strncasecmp(x, "amp", 3) == 0) {
                        *d++ = '&';
-                    } else if (strcasecmp(x, "lt") == 0) {
+                    } else if (strncasecmp(x, "lt", 2) == 0) {
                        *d++ = '<';
-                    } else if (strcasecmp(x, "gt") == 0) {
+                    } else if (strncasecmp(x, "gt", 2) == 0) {
                        *d++ = '>';
-                    } else if (strcasecmp(x, "nbsp") == 0) {
+                    } else if (strncasecmp(x, "nbsp", 4) == 0) {
                        *d++ = NBSP;
                    } else {
                        /* We do no want to convert this entity,
                         * copy the raw data over. */
                        copy = j - k + 1;
                        free(x);
                        goto HTML_ENT_OUT;
                    }
                    free(x);
                    count++;
                    /* Skip over the semicolon if it's there. */
                    if ((j < input_len) && (input[j] == ';')) {
@ -196,17 +153,21 @@ int HtmlEntityDecode::inplace(unsigned char *input, uint64_t input_len) {
 HTML_ENT_OUT:
-        for (z = 0; ((z < copy) && (count < input_len)); z++) {
+        for (auto z = 0; z < copy; z++) {
            *d++ = input[i++];
            count++;
        }
    }
    *d = '\0';
-    return count;
+    value.resize(d - input);
    return d != end;
 }
-}  // namespace transformations
+
-}  // namespace actions
+bool HtmlEntityDecode::transform(std::string &value, const Transaction *trans) const {
-}  // namespace modsecurity
+    return inplace(value);
 }
 }  // namespace modsecurity::actions::transformations
--- a/src/actions/transformations/html_entity_decode.h
+++ b/src/actions/transformations/html_entity_decode.h
@ -13,40 +13,20 @@
 *
 */
 #include <string>
 #include <unordered_map>
 #include "modsecurity/actions/action.h"
 #include "src/actions/transformations/transformation.h"
 #include "src/utils/string.h"
 #ifndef SRC_ACTIONS_TRANSFORMATIONS_HTML_ENTITY_DECODE_H_
 #define SRC_ACTIONS_TRANSFORMATIONS_HTML_ENTITY_DECODE_H_
-#ifdef __cplusplus
+#include "transformation.h"
 namespace modsecurity {
 class Transaction;
 namespace actions {
 namespace transformations {
 namespace modsecurity::actions::transformations {
 class HtmlEntityDecode : public Transformation {
 public:
-    explicit HtmlEntityDecode(const std::string &action) 
+    using Transformation::Transformation;
        : Transformation(action) { }
-    std::string evaluate(const std::string &exp,
+    bool transform(std::string &value, const Transaction *trans) const override;
        Transaction *transaction) override;
    static int inplace(unsigned char *input, uint64_t input_len);
 };
-
+}  // namespace modsecurity::actions::transformations
 }  // namespace transformations
 }  // namespace actions
 }  // namespace modsecurity
 #endif
 #endif  // SRC_ACTIONS_TRANSFORMATIONS_HTML_ENTITY_DECODE_H_
--- a/src/actions/transformations/js_decode.cc
+++ b/src/actions/transformations/js_decode.cc
@ -13,55 +13,22 @@
 *
 */
-#include "src/actions/transformations/js_decode.h"
+#include "js_decode.h"
 #include <string.h>
 #include <iostream>
 #include <string>
 #include <algorithm>
 #include <functional>
 #include <cctype>
 #include <locale>
 #include "modsecurity/transaction.h"
 #include "src/actions/transformations/transformation.h"
 #include "src/utils/string.h"
 using namespace modsecurity::utils::string;
-namespace modsecurity {
+namespace modsecurity::actions::transformations {
 namespace actions {
 namespace transformations {
-std::string JsDecode::evaluate(const std::string &value,
+static inline int inplace(std::string &value) {
-    Transaction *transaction) {
+    auto d = reinterpret_cast<unsigned char*>(value.data());
-    std::string ret;
+    const unsigned char *input = d;
-    unsigned char *input;
+    const auto input_len = value.length();
-    input = reinterpret_cast<unsigned char *>
+    bool changed = false;
-        (malloc(sizeof(char) * value.length()+1));
+    std::string::size_type i = 0;
    if (input == NULL) {
        return "";
    }
    memcpy(input, value.c_str(), value.length()+1);
    size_t i = inplace(input, value.length());
    ret.assign(reinterpret_cast<char *>(input), i);
    free(input);
    return ret;
 }
 int JsDecode::inplace(unsigned char *input, uint64_t input_len) {
    unsigned char *d = (unsigned char *)input;
    int64_t i, count;
    i = count = 0;
    while (i < input_len) {
        if (input[i] == '\\') {
            /* Character is an escape. */
@ -82,14 +49,14 @@ int JsDecode::inplace(unsigned char *input, uint64_t input_len) {
                }
                d++;
                count++;
                i += 6;
                changed = true;
            } else if ((i + 3 < input_len) && (input[i + 1] == 'x')
                    && VALID_HEX(input[i + 2]) && VALID_HEX(input[i + 3])) {
                /* \xHH */
                *d++ = utils::string::x2c(&input[i + 2]);
                count++;
                i += 4;
                changed = true;
            } else if ((i + 1 < input_len) && ISODIGIT(input[i + 1])) {
                /* \OOO (only one byte, \000 - \377) */
                char buf[4];
@ -110,7 +77,7 @@ int JsDecode::inplace(unsigned char *input, uint64_t input_len) {
                    }
                    *d++ = (unsigned char)strtol(buf, NULL, 8);
                    i += 1 + j;
-                    count++;
+                    changed = true;
                }
            } else if (i + 1 < input_len) {
                /* \C */
@ -144,25 +111,28 @@ int JsDecode::inplace(unsigned char *input, uint64_t input_len) {
                *d++ = c;
                i += 2;
-                count++;
+                changed = true;
            } else {
                /* Not enough bytes */
                while (i < input_len) {
                    *d++ = input[i++];
                    count++;
                }
            }
        } else {
            *d++ = input[i++];
            count++;
        }
    }
    *d = '\0';
-    return count;
+    value.resize(d - input);
    return changed;
 }
-}  // namespace transformations
+
-}  // namespace actions
+bool JsDecode::transform(std::string &value, const Transaction *trans) const {
-}  // namespace modsecurity
+    return inplace(value);
 }
 }  // namespace modsecurity::actions::transformations
--- a/src/actions/transformations/js_decode.h
+++ b/src/actions/transformations/js_decode.h
@ -13,35 +13,20 @@
 *
 */
 #include <string>
 #include "modsecurity/actions/action.h"
 #include "src/actions/transformations/transformation.h"
 #ifndef SRC_ACTIONS_TRANSFORMATIONS_JS_DECODE_H_
 #define SRC_ACTIONS_TRANSFORMATIONS_JS_DECODE_H_
-#ifdef __cplusplus
+#include "transformation.h"
 namespace modsecurity {
 class Transaction;
-namespace actions {
+namespace modsecurity::actions::transformations {
 namespace transformations {
 class JsDecode : public Transformation {
 public:
-    explicit JsDecode(const std::string &action) 
+    using Transformation::Transformation;
        : Transformation(action) { }
-    std::string evaluate(const std::string &exp,
+    bool transform(std::string &value, const Transaction *trans) const override;
        Transaction *transaction) override;
    static int inplace(unsigned char *input, uint64_t input_len);
 };
-}  // namespace transformations
+}  // namespace modsecurity::actions::transformations
 }  // namespace actions
 }  // namespace modsecurity
 #endif
 #endif  // SRC_ACTIONS_TRANSFORMATIONS_JS_DECODE_H_
--- a/src/actions/transformations/length.cc
+++ b/src/actions/transformations/length.cc
@ -13,34 +13,16 @@
 *
 */
-#include "src/actions/transformations/length.h"
+#include "length.h"
 #include <iostream>
 #include <string>
 #include <algorithm>
 #include <functional>
 #include <cctype>
 #include <locale>
 #include "modsecurity/transaction.h"
 #include "src/actions/transformations/transformation.h"
-namespace modsecurity {
+namespace modsecurity::actions::transformations {
 namespace actions {
 namespace transformations {
-Length::Length(const std::string &action) 
+
-    : Transformation(action) {
+bool Length::transform(std::string &value, const Transaction *trans) const {
-    this->action_kind = 1;
+    value = std::to_string(value.size());
    return true;
 }
 std::string Length::evaluate(const std::string &value,
    Transaction *transaction) {
-    return std::to_string(value.size());
+}  // namespace modsecurity::actions::transformations
 }
 }  // namespace transformations
 }  // namespace actions
 }  // namespace modsecurity
--- a/src/actions/transformations/length.h
+++ b/src/actions/transformations/length.h
@ -13,34 +13,20 @@
 *
 */
 #include <string>
 #include "modsecurity/actions/action.h"
 #include "src/actions/transformations/transformation.h"
 #ifndef SRC_ACTIONS_TRANSFORMATIONS_LENGTH_H_
 #define SRC_ACTIONS_TRANSFORMATIONS_LENGTH_H_
-#ifdef __cplusplus
+#include "transformation.h"
 namespace modsecurity {
 class Transaction;
-namespace actions {
+namespace modsecurity::actions::transformations {
 namespace transformations {
 class Length : public Transformation {
 public:
    using Transformation::Transformation;
-    explicit Length(const std::string &action);
+    bool transform(std::string &value, const Transaction *trans) const override;
    std::string evaluate(const std::string &exp,
        Transaction *transaction) override;
 };
-}  // namespace transformations
+}  // namespace modsecurity::actions::transformations
 }  // namespace actions
 }  // namespace modsecurity
 #endif
 #endif  // SRC_ACTIONS_TRANSFORMATIONS_LENGTH_H_
--- a/src/actions/transformations/lower_case.cc
+++ b/src/actions/transformations/lower_case.cc
@ -13,37 +13,19 @@
 *
 */
 #include "src/actions/transformations/lower_case.h"
-#include <algorithm>
+#include "lower_case.h"
 #include <string>
 #include <locale>
-#include "modsecurity/transaction.h"
+#include <cctype>
 #include "src/actions/transformations/transformation.h"
 #include "modsecurity/actions/action.h"
 namespace modsecurity {
 namespace actions {
 namespace transformations {
-LowerCase::LowerCase(const std::string &a)
+namespace modsecurity::actions::transformations {
-    : Transformation(a) {
+
 bool LowerCase::transform(std::string &value, const Transaction *trans) const {
    return convert(value, [](auto c) {
                    return std::tolower(c); });
 }
 std::string LowerCase::evaluate(const std::string &val,
    Transaction *transaction) {
    std::locale loc;
    std::string value(val);
-    for (std::string::size_type i=0; i < value.length(); ++i) {
+}  // namespace modsecurity::actions::transformations
        value[i] = std::tolower(value[i], loc);
    }
    return value;
 }
 }  // namespace transformations
 }  // namespace actions
 }  // namespace modsecurity
--- a/Show More
+++ b/Show More