diff --git a/CHANGES b/CHANGES
index 0eb5b1f3..bac22d22 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,10 @@
-?? ??? 2007 - 2.2.0-trunk
+?? ??? 2007 - 2.5.0-trunk
-------------------------
+ * Removed experimental variable RESPONSE_CONTENT_ENCODING which was not
+ working as intended.
+
* Update included core rules to latest version.
* Do not trigger "pause" action for internal requests.
@@ -9,8 +12,8 @@
* Added matching rule filename and line number to audit log.
* Added new phrase matching operators, @pm and @pmFromFile. These use
- an alternate set based matching engine to perform faster phrase
- type matches such as black/white lists, spam keywords, etc.
+ an alternate set based matching engine (Aho-Corasick) to perform faster
+ phrase type matches such as black/white lists, spam keywords, etc.
* Cache transformations per-request/phase so they are not repeated.
@@ -31,6 +34,34 @@
* Removed strnlen() calls for non-GNU platforms.
+14 June 2007 - 2.1.2-rc1
+------------------------
+
+ * Update included core rules to latest version.
+
+ * Do not trigger "pause" action for internal requests.
+
+ * Fixed issue with requests that use internal requests. These had the
+ potential to be intercepted incorrectly when other Apache httpd modules
+ that used internal requests were used with mod_security.
+
+ * Added Solaris to the list of platforms not supporting the hidden
+ visibility attribute.
+
+ * Fixed decoding full-width unicode in t:urlDecodeUni.
+
+ * Lessen some overhead of debugging messages and calculations.
+
+ * Do not try to intercept a request after a failed rule. This fixes the
+ issue associated with an "Internal Error: Asked to intercept request
+ but was_intercepted is zero" error message.
+
+ * Added SecAuditLog2 directive to allow redundent concurrent audit log
+ index files. This will allow sending audit data to two consoles, etc.
+
+ * Small performance improvement in memory management for rule execution.
+
+
11 May 2007 - 2.2.0-dev1
-------------------------
diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
index ce18f20f..932addd7 100644
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@@ -50,7 +50,7 @@ typedef struct msc_string msc_string;
#include "http_protocol.h"
#define MODULE_NAME "ModSecurity"
-#define MODULE_RELEASE "2.2.0-trunk"
+#define MODULE_RELEASE "2.5.0-trunk"
#define MODULE_NAME_FULL (MODULE_NAME " v" MODULE_RELEASE " (Apache 2.x)")
#define PHASE_REQUEST_HEADERS 1
diff --git a/apache2/re_operators.c b/apache2/re_operators.c
index 5b7c50e6..e10afce7 100644
--- a/apache2/re_operators.c
+++ b/apache2/re_operators.c
@@ -190,16 +190,18 @@ static int msre_op_pm_param_init(msre_rule *rule, char **error_msg) {
ACMP *p = acmp_create(0, rule->ruleset->mp);
if (p == NULL) return 0;
- const char *s = rule->op_param;
- const char *e = rule->op_param + strlen(rule->op_param);
+ const char *phrase = apr_pstrdup(rule->ruleset->mp, rule->op_param);
+ const char *next = rule->op_param + strlen(rule->op_param);
+ /* Loop through phrases */
+ /* ENH: Need to allow quoted phrases w/space */
for (;;) {
- while((isspace(*s) != 0) && (*s != 0)) s++;
- if (*s == 0) break;
- e = s;
- while((isspace(*e) == 0) && (*e != 0)) e++;
- acmp_add_pattern(p, s, NULL, NULL, e - s);
- s = e;
+ while((isspace(*phrase) != 0) && (*phrase != '\0')) phrase++;
+ if (*phrase == '\0') break;
+ next = phrase;
+ while((isspace(*next) == 0) && (*next != 0)) next++;
+ acmp_add_pattern(p, phrase, NULL, NULL, next - phrase);
+ phrase = next;
}
acmp_prepare(p);
rule->op_param_data = p;
@@ -211,7 +213,10 @@ static int msre_op_pm_param_init(msre_rule *rule, char **error_msg) {
static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
char errstr[1024];
char buf[HUGE_STRING_LEN + 1];
- char *ptr = NULL;
+ char *fn;
+ char *next;
+ char *ptr;
+ const char *rulefile_path;
apr_status_t rc;
apr_file_t *fd;
@@ -223,20 +228,38 @@ static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
ACMP *p = acmp_create(0, rule->ruleset->mp);
if (p == NULL) return 0;
- char *fn = apr_pstrdup(rule->ruleset->mp, rule->op_param);
- char *next = fn + strlen(rule->op_param);
+ fn = apr_pstrdup(rule->ruleset->mp, rule->op_param);
+ next = fn + strlen(rule->op_param);
+ /* Get the path of the rule filename to use as a base */
+ rulefile_path = apr_pstrndup(rule->ruleset->mp, rule->filename, strlen(rule->filename) - strlen(apr_filepath_name_get(rule->filename)));
+
+ #ifdef DEBUG_CONF
+ fprintf(stderr, "Rulefile path: \"%s\"\n", rulefile_path);
+ #endif
+
/* Loop through filenames */
+ /* ENH: Need to allow quoted filenames w/space */
for (;;) {
+ const char *rootpath = NULL;
+ const char *filepath = NULL;
int line = 0;
/* Trim whitespace */
- while((isspace(*fn) != 0) && (*fn != 0)) fn++;
+ while((isspace(*fn) != 0) && (*fn != '\0')) fn++;
if (*fn == '\0') break;
next = fn;
while((isspace(*next) == 0) && (*next != '\0')) next++;
while((isspace(*next) != 0) && (*next != '\0')) *next++ = '\0';
+ /* Add path of the rule filename for a relative phrase filename */
+ filepath = fn;
+ if (apr_filepath_root(&rootpath, &filepath, APR_FILEPATH_TRUENAME, rule->ruleset->mp) != APR_SUCCESS) {
+ /* We are not an absolute path. It could mean an error, but
+ * let that pass through to the open call for a better error */
+ apr_filepath_merge(&fn, rulefile_path, fn, APR_FILEPATH_TRUENAME, rule->ruleset->mp);
+ }
+
/* Open file and read */
rc = apr_file_open(&fd, fn, APR_READ | APR_FILE_NOCLEANUP, 0, rule->ruleset->mp);
if (rc != APR_SUCCESS) {
diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml
index a45d5079..661d11c1 100644
--- a/doc/modsecurity2-apache-reference.xml
+++ b/doc/modsecurity2-apache-reference.xml
@@ -4409,17 +4409,35 @@ SecRule ARGS:route "!@endsWith %{REQUEST_ADDR}"
for faster matches of keyword lists. This operator is the same as
@pm except that it takes a list of files as
arguments. It will match any one of the phrases listed in the file(s)
- anywhere in the target value. The contents of the files should be one
- phrase per line. End of line markers will be stripped from the phrases,
- however, whitespace will not be trimmed from phrases in the file.
+ anywhere in the target value.
+
+ Notes:
+
+
+
+ The contents of the files should be one phrase per line. End
+ of line markers will be stripped from the phrases, however,
+ whitespace will not be trimmed from phrases in the file. Empty lines
+ and comment lines (beginning with a '#') are ignored.
+
+
+
+ To allow easier inclusion of phrase files with rulesets,
+ relative paths may be used to the phrase files. In this case, the
+ path of the file containing the rule is prepended to the phrase file
+ path.
+
+
Example:
SecRule REQUEST_HEADERS:User-Agent "@pm /path/to/blacklist1 /path/to/blacklist2" "deny,status:403
+ role="bold">@pm /path/to/blacklist1 blacklist2" "deny,status:403
The above would deny access with 403 if any of the patterns in the
- two files matched within the User-Agent HTTP header value.
+ two files matched within the User-Agent HTTP header value. The
+ blacklist2 file would need to be placed in the same
+ path as the file containing the rule.