Fix bad merge of mem pool fix from trunk.

Update to latest core rules.

rules/blocking/modsecurity_crs_20_protocol_violations.conf

@@ -1,74 +1,84 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set
-# Copyright (C) 2006 Breach Security Inc. All rights reserved.
-#
-# The ModSecuirty Core Rule Set is distributed under GPL version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-#
-# TODO in some cases a valid client (usually automated) generates requests that
-#      violates the HTTP protocol. Create exceptions for those clients, but try
-#      to limit the exception to a source IP or other additional properties of 
-#      the request such as URL and not allow the violation generally. 
-#  
-#
-
-# Use status code 400 response status code by default as protocol violations 
-# are in essence bad requests.
-SecDefaultAction "log,pass,phase:1,status:400"
-
-# Accept only digits in content length 
-#
-SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016'"
-
-# Do not accept GET or HEAD requests with bodies
-# HTTP standard allows GET requests to have a body but this
-# feature is not used in real life. Attackers could try to force
-# a request body on an unsuspecting web applications.
-#
-SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'"
-SecRule REQUEST_HEADERS:Content-Length "!^0?$"
-
-# Require Content-Length to be provided with every POST request.
-#
-SecRule REQUEST_METHOD "^POST$" "chain,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',severity:'4'"
-SecRule &REQUEST_HEADERS:Content-Length "@eq 0"
-
-# Don't accept transfer encodings we know we don't know how to handle
-#
-# NOTE ModSecurity does not support chunked transfer encodings at
-#      this time. You MUST reject all such requests.
-#
-SecRule HTTP_Transfer-Encoding "!^$" "deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'960013',severity:'5'"
-
-# Check decodings
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
-	"chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
-
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'"
-
-# Proxy access attempt
-# NOTE Apache blocks such access by default if not set as a proxy. The rule is 
-#      included in case Apache proxy is misconfigured.
-SecRule REQUEST_URI ^http:/ "deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',id:'960014'"
-
-#
-# Restrict type of characters sent
-#
-# NOTE In order to be broad and support localized applications this rule
-#      only validates that NULL Is not used.
-#
-#	   The strict policy version also validates that protocol and application 
-#	   generated fields are limited to printable ASCII. 
-#
-# TODO If your application use the range 32-126 for parameters.
-#
-SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
-	"@validateByteRange 32-126" \
-	"deny,log,auditlog,status:400,msg:'Request Missing an Accept Header', severity:'2',id:'960015',t:urlDecodeUni,phase:1"
-
-SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \
-	"deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni,phase:2"
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set
+# Copyright (C) 2006 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# TODO in some cases a valid client (usually automated) generates requests that
+#      violates the HTTP protocol. Create exceptions for those clients, but try
+#      to limit the exception to a source IP or other additional properties of 
+#      the request such as URL and not allow the violation generally. 
+#  
+#
+
+# Use status code 400 response status code by default as protocol violations 
+# are in essence bad requests.
+SecDefaultAction "log,pass,phase:2,status:400"
+
+
+# Validate request line
+SecRule REQUEST_LINE "!^[a-z]{3,10}\s*(?:http\:\/\/[\w\-\.\/]*)??\/[\w\-\.\/]*(?:\?[\S]*)??\s*http\/[01]\.[901]$" \
+    "t:none,t:lowercase,deny,log,auditlog,status:400,msg:'Invalid HTTP Request Line',,id:'960911',severity:'2'"
+
+
+# Accept only digits in content length 
+#
+SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',,id:'960016',"
+
+# Do not accept GET or HEAD requests with bodies
+# HTTP standard allows GET requests to have a body but this
+# feature is not used in real life. Attackers could try to force
+# a request body on an unsuspecting web applications.
+#
+SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',,id:'960011',"
+SecRule REQUEST_HEADERS:Content-Length "!^0?$"
+
+# Require Content-Length to be provided with every POST request.
+#
+SecRule REQUEST_METHOD "^POST$" "chain,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',,id:'960012',severity:'4'"
+SecRule &REQUEST_HEADERS:Content-Length "@eq 0"
+
+# Don't accept transfer encodings we know we don't know how to handle
+#
+# NOTE ModSecurity does not support chunked transfer encodings at
+#      this time. You MUST reject all such requests.
+#
+SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',,id:'960013',severity:'3'"
+
+# Check decodings
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
+	"chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',,id:'950107',severity:'4'"
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
+
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',,id:'950801',severity:'4'"
+
+# Disallow use of full-width unicode
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%u[fF]{2}[0-9a-fA-F]{2}" \
+  "t:none,deny,log,auditlog,status:400,msg:'Unicode Full/Half Width Abuse Attack Attempt',,id:'950116',severity:'4'"
+
+# Proxy access attempt
+# NOTE Apache blocks such access by default if not set as a proxy. The rule is 
+#      included in case Apache proxy is misconfigured.
+SecRule REQUEST_URI_RAW ^http:/ "deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',,id:'960014',"
+
+#
+# Restrict type of characters sent
+#
+# NOTE In order to be broad and support localized applications this rule
+#      only validates that NULL Is not used.
+#
+#	   The strict policy version also validates that protocol and application 
+#	   generated fields are limited to printable ASCII. 
+#
+# TODO If your application use the range 32-126 for parameters.
+#
+SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
+	"@validateByteRange 32-126" \
+	"deny,log,auditlog,status:400,msg:'Invalid character in request',,id:'960018',severity:'4',t:urlDecodeUni,phase:1"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
+	"deny,log,auditlog,status:400,msg:'Invalid character in request',,id:'960901',severity:'4',t:urlDecodeUni,phase:2"