Merged changes from 2.5.x to trunk.

2025-08-13 21:36:00 +03:00 · 2010-02-11 17:49:15 +00:00 · 2010-02-11 17:49:15 +00:00 · b48fdddf4c
commit b48fdddf4c
parent 6f548e91f7
3 changed files with 46 additions and 15 deletions
--- a/4
+++ b/4
@ -1,6 +1,8 @@
-04 Feb 2010 - trunk
+11 Feb 2010 - trunk
 -------------------

+ * Fix some portability issues on Windows.
+
 * Add REQUEST_BODY_LENGTH, which contains the number of request body
   bytes read. [Ivan Ristic]

--- a/apache2/msc_pcre.c
+++ b/apache2/msc_pcre.c
@ -94,7 +94,7 @@ void *msc_pregcomp_ex(apr_pool_t *pool, const char *pattern, int options,
    }
 #endif /* MODSEC_PCRE_MATCH_LIMIT */
 #else
-#warning This PCRE version does not support match limits!  Upgrade to at least PCRE v6.5.
+#pragma message ( "This PCRE version does not support match limits!  Upgrade to at least PCRE v6.5." )
 #endif /* PCRE_EXTRA_MATCH_LIMIT */

 #ifdef PCRE_EXTRA_MATCH_LIMIT_RECURSION
@ -113,7 +113,7 @@ void *msc_pregcomp_ex(apr_pool_t *pool, const char *pattern, int options,
    }
 #endif /* MODSEC_PCRE_MATCH_LIMIT_RECURSION */
 #else
-#warning This PCRE version does not support match recursion limits!  Upgrade to at least PCRE v6.5.
+#pragma message ( "This PCRE version does not support match recursion limits!  Upgrade to at least PCRE v6.5." )
 #endif /* PCRE_EXTRA_MATCH_LIMIT_RECURSION */

    regex->pe = pe;
--- a/doc/modsecurity2-apache-reference.xml
+++ b/doc/modsecurity2-apache-reference.xml
@ -4,7 +4,7 @@
 <article>
  <title><trademark class="registered">ModSecurity</trademark> Reference Manual</title>
  <articleinfo>
-    <releaseinfo>Version 2.6.0-trunk (Feb 3, 2009)</releaseinfo>
+    <releaseinfo>Version 2.6.0-trunk (Feb 11, 2009)</releaseinfo>
    <copyright>
      <year>2004-2010</year>
      <holder>Breach Security, Inc. (<ulink url="http://www.breach.com"
@ -1019,12 +1019,27 @@ SecMarker 99</emphasis></programlisting>
      <para><emphasis>Version:</emphasis> 2.5.12</para>

      <para><emphasis>Dependencies/Notes:</emphasis> Default is set at compile
-      (1500 by default)</para>
+      (1500 by default). See also
+      <literal>SecPcreMatchLimitRecursion</literal></para>

-      <para>The <literal>--enable-pcre-match-limit=val</literal> configure
-      option will set a custom default and the
-      <literal>--disable-pcre-match-limit</literal> option will resort to the
-      compiled PCRE library default.</para>
+      <para>If the limits are exceeded this will be logged at level 3 in the
+      debug log, added as a Message line in the audit log and the <literal
+      moreinfo="none">TX:MSC_PCRE_LIMITS_EXCEEDED</literal> flag will be set
+      to a non-zero value. To prevent bypass, you should write a rule to check
+      for the existance of the <literal
+      moreinfo="none">TX:MSC_PCRE_LIMITS_EXCEEDED</literal> flag.</para>
+
+      <programlisting>SecPcreMatchLimit 100
+SecPcreMatchLimitRecursion 100
+  ...
+SecRule TX:/^MSC_/ "!@eq 0" "phase:5,pass,log,auditlog,msg:'Potential REDoS'"</programlisting>
+
+      <note>
+        <para>The <literal>--enable-pcre-match-limit=val</literal> configure
+        option will set a custom default and the
+        <literal>--disable-pcre-match-limit</literal> option will resort to
+        the compiled PCRE library default.</para>
+      </note>
    </section>

    <section>
@ -1047,12 +1062,26 @@ SecMarker 99</emphasis></programlisting>
      <para><emphasis>Version:</emphasis> 2.5.12</para>

      <para><emphasis>Dependencies/Notes:</emphasis> Default is set at compile
-      (1500 by default)</para>
+      (1500 by default). See also <literal>SecPcreMatchLimit</literal></para>

-      <para>The <literal>--enable-pcre-match-limit-recursion=val</literal>
-      configure option will set a custom default and the
-      <literal>--disable-pcre-match-limit-recursion</literal> option will
-      resort to the compiled PCRE library default.</para>
+      <para>If the limits are exceeded this will be logged at level 3 in the
+      debug log, added as a Message line in the audit log and the <literal
+      moreinfo="none">TX:MSC_PCRE_LIMITS_EXCEEDED</literal> flag will be set
+      to a non-zero value. To prevent bypass, you should write a rule to check
+      for the existance of the <literal
+      moreinfo="none">TX:MSC_PCRE_LIMITS_EXCEEDED</literal> flag.</para>
+
+      <programlisting>SecPcreMatchLimit 100
+SecPcreMatchLimitRecursion 100
+  ...
+SecRule TX:/^MSC_/ "!@eq 0" "phase:5,pass,log,auditlog,msg:'Potential REDoS'"</programlisting>
+
+      <note>
+        <para>The <literal>--enable-pcre-match-limit-recursion=val</literal>
+        configure option will set a custom default and the
+        <literal>--disable-pcre-match-limit-recursion</literal> option will
+        resort to the compiled PCRE library default.</para>
+      </note>
    </section>

    <section>
@ -2677,7 +2706,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
        </listitem>

        <listitem>
-          <para><literal moreinfo="none">TX:MSC_.*</literal> - ModSecurity
+          <para><literal moreinfo="none">TX:MSC_*</literal> - ModSecurity
          processing flags.</para>

          <itemizedlist>