1076 Commits

SHA1  Author  Date
    Message

b32cc1680c  Felipe Zimmerle  2021-06-21 09:36:18 -03:00
    Version 2.9.4
    Increasing version to 2.9.4

f80114a906  Rainer Jung  2021-01-15 15:11:14 -03:00
    Add microsec timestamp resolution to the formatted log timestamp.

039b35029c  John Lightsey  2021-01-14 14:23:39 -03:00
    Fix other usage of the global pool for request temporaries in re_operators.c

e419b50fe7  John Lightsey  2021-01-14 14:23:39 -03:00
    Store temporaries in the request pool for regexes compiled per-request.
    The code for testing regexes with embedded Apache variables
    (rule->re_precomp == 1) during request processing was utilizing the global
    engine pool for the storage of temporary values. This approach is not
    thread-safe, retains the temporary variables longer than they are usable,
    and causes corruption of the global pool's "cleanups" linked lists when
    Apache is configured with a threaded MPM.

12cefbd70f  studersi  2019-11-20 09:49:17 -03:00
    Adds a sanity check before using ctl:ruleRemove(TargetById|TargetByMsg)
    This commit closes issue #2033.

176276a931  Felipe Zimmerle  2019-07-10 14:52:46 -03:00
    Fix the order of error_msg validation
    Reported by @marcstern at #2128

f7e4d01b01  emphazer  2019-06-26 13:02:25 -03:00
    added missing Geo Countries

32e185c2ca  Rainer Jung  2019-05-27 14:45:44 -03:00
    When the input filter finishes, check whether we returned data during the last read and if not, delegate to the remaining filter chain.
    Without that, ProcessPartial for the request body breaks forwarding
    of uploaded files using mod_proxy_ajp and mod_wl.

    See issue #2091.

774ff40c96  Nao YONASHIRO  2019-05-27 10:29:01 -03:00
    fix: take care of non-null-terminated chunk data

52532a1bce  Felipe Zimmerle  2018-12-15 00:08:31 -03:00
    Fix curl callback function

b90fa2d063  Martin.Blapp  2018-12-10 16:24:48 -03:00
    Use tempfiles for apr_global_mutex_create() to fix segfaults with Apache 2.2.
    Call modsecurity_init() for the first invocation too.

0dcbb8b087  Ervin Hegedus  2018-12-10 15:39:58 -03:00
    Fix inet addr handling on 64-bit big-endian systems
    Backport from v3. @zimmerle.

2c400951a5  Felipe Zimmerle  2018-12-04 14:50:34 -03:00
    Version 2.9.3
    Increasing version to 2.9.3

f15976f68f  Allan Boll  2018-11-27 09:01:05 -03:00
    Allow 0-length JSON requests. 0-length XML and multipart are already allowed.

25e5543c7f  Felipe Zimmerle  2018-11-26 10:40:46 -03:00
    Allow empty arrays in JSON parser
    Issue #1576

7af8363fd4  Allan Boll  2018-11-21 12:47:56 -05:00
    Less strict multipart parsing

b600669d02  Victor Hora  2018-11-16 15:05:47 -03:00
    Fix buffer size for utf8toUnicode transformation

1adea9f1e8  Victor Hora  2018-11-12 19:45:38 -05:00
    Merge pull request #1714 from p0pr0ck5/sanitize-json

9be0a407eb  Victor Hora  2018-11-04 22:04:34 -05:00
    Add sanity check for a couple of malloc() calls and make code more resilient

b3fa87dc7c  Victor Hora  2018-11-04 21:20:10 -05:00
    Fix NetBSD build by renaming the hmac function to avoid conflicts

a3dc602128  Victor Hora  2018-10-12 21:20:40 -04:00
    ju5t patch to fix mpm-itk mod_ruid2 compatibility

96756533ba  Victor Hora  2018-09-22 20:40:30 -04:00
    Code cosmetics: Minor change to match commit 2a42cc

aab128f810  Victor Hora  2018-09-22 20:21:23 -04:00
    Code cosmetics: checks if actionset is not null before using it

a677456078  Daniel Muey  2018-09-20 17:46:55 -04:00
    Issue #1671: Only generate SecHashKey when SecHashEngine is On

8dd40709ee  Felipe Zimmerle  2018-09-05 23:35:52 -03:00
    good practices: Initialize variables before using them
    Original author: Marc Stern (#1889)

6bb4461911  Allan Boll  2018-09-05 16:08:21 -03:00
    AppGw WAF version that doesn't block failed body parsing in detect-only mode

2ae357be88  Allan Boll  2018-09-05 16:08:21 -03:00
    Let body parsers observe SecRequestBodyNoFilesLimit
    Previously, modsecurity_request_body_store would keep feeding the body parsers (JSON/XML/Multipart) even after the SecRequestBodyNoFilesLimit limit was met. This change prevents this. Also, modsecurity_request_body_end now returns an error code when the limit is met, so that a message can be logged for this event.

89f5427c1c  Felipe Zimmerle  2018-09-05 15:33:39 -03:00
    potential off-by-one in parse_arguments
    Issue: #1799

739048749e  Felipe Zimmerle  2018-09-04 21:02:09 -03:00
    Fix utf-8 character encoding conversion
    Reported on: #1794

f66cd4111f  Reed Morrison  2018-06-07 14:48:18 -03:00
    Fix ip tree lookup on netmask content

8d4124eee2  Robert Paprocki  2018-03-20 11:35:40 -07:00
    Enable sanitizing JSON request bodies in native audit log format
    f86de56 enabled sanitizing JSON request body data in JSON audit
    log formats (the commit message is misleading). This commit supplements
    JSON request body sanitization to support sanitized elements in
    native audit log formats.

830f0b7c54  Robert Paprocki  2018-03-20 10:57:19 -07:00
    Fix compiler warning in JSON parser

f86de566d1  florian-eichelberger  2018-02-05 09:36:45 -03:00
    Enables sanitizing of json request bodies in the apache module for native log format

6406e2108d  Felipe Zimmerle  2017-10-06 16:43:45 +00:00
    Makes 'large stream optimization' optional

2e9ea0a677  Allan Boll  2017-10-05 17:20:41 +00:00
    Avoid use of min-macro, as it is not available in all envs

7fff8938ba  Allan Boll  2017-10-05 17:20:41 +00:00
    Check return value of modsecurity_request_body_store

6ce7f4d689  Allan Boll  2017-10-05 17:20:41 +00:00
    Remove the unneeded null termination for the stream_input_data

023b863853  Allan Boll  2017-10-05 17:20:41 +00:00
    Ensure memory preallocation for streaming is bounded by SecRequestBodyLimit

97b51ebfed  Allan Boll  2017-10-05 17:20:40 +00:00
    Renamed local var and initialized local vars. Undid accidental move.

afae690655  Allan Boll  2017-10-05 17:20:40 +00:00
    Preallocate memory when SecStreamInBodyInspection is on. 20x speed improvement for 10 MB upload. Also simplified modsecurity_request_body_to_stream.

a0bd72334d  Nic Jansma  2017-10-05 14:38:42 +00:00
    Fixes SecConnWriteStateLimit

934a9fcc02  Felipe Zimmerle  2017-10-05 13:28:28 +00:00
    Verify if chunk exists before accessing it

b8636a70d1  Guido Ravagli  2017-10-05 13:24:59 +00:00
    added "empty chunk" check

9b90d86f75  Victor Hora  2017-10-05 03:24:23 +00:00
    Add capture action to @detectXSS operator

89764f12b0  Marc Stern  2017-09-29 18:34:30 +00:00
    Fixed typos: LOG_NO_STOPWATCH instead of DLOG_NO_STOPWATCH; $log_server_context instead of $log_server_context

7ead7f4d23  David Carlier  2017-09-29 14:00:32 +00:00
    A few missing headers, mainly in the <arpa/inet.h> inclusions, due to the fact that the APR_HAVE* constants are simply in apr.h

b878ece6c6  Felipe Zimmerle  2017-07-18 09:59:59 -07:00
    Version 2.9.2
    Increasing version to 2.9.2 (final)

61bce8d9a9  Felipe Zimmerle  2017-07-14 13:47:30 -03:00
    Cosmetics: moving declaration to the top of the block

04e4a6f9b8  Allan Boll  2017-06-23 16:16:23 -03:00
    Initialize msre_var pointers

9c0229ce1f  Felipe Zimmerle  2017-05-31 21:06:33 -03:00
    Updates libinjection to v3.10.0