Commit Graph

1059 Commits

Author SHA1 Message Date
Victor Hora
1adea9f1e8 Merge pull request #1714 from p0pr0ck5/sanitize-json 2018-11-12 19:45:38 -05:00
Victor Hora
9be0a407eb Add sanity check for a couple of malloc() calls and make code more resilient 2018-11-04 22:04:34 -05:00
Victor Hora
b3fa87dc7c Fix NetBSD build by renaming the hmac function to avoid conflicts 2018-11-04 21:20:10 -05:00
Victor Hora
a3dc602128 ju5t patch to fix mpm-itk mod_ruid2 compatibility 2018-10-12 21:20:40 -04:00
Victor Hora
96756533ba Code cosmetics: Minor change to match commit 2a42cc 2018-09-22 20:40:30 -04:00
Victor Hora
aab128f810 Code cosmetics: checks if actionset is not null before using it 2018-09-22 20:21:23 -04:00
Daniel Muey
a677456078 Issue #1671: Only generate SecHashKey when SecHashEngine is On 2018-09-20 17:46:55 -04:00
Felipe Zimmerle
8dd40709ee good practices: Initialize variables before using them
Original author: Marc Stern (#1889)
2018-09-05 23:35:52 -03:00
Allan Boll
6bb4461911 AppGw WAF version that doesn't block failed body parsing in detect-only mode 2018-09-05 16:08:21 -03:00
Allan Boll
2ae357be88 Let body parsers observe SecRequestBodyNoFilesLimit
Previously, modsecurity_request_body_store would keep feeding the body parsers (JSON/XML/Multipart) even after the SecRequestBodyNoFilesLimit limit was met. This change prevents this. Also, modsecurity_request_body_end now returns an error code when the limit is met, so that a message can be logged for this event.
2018-09-05 16:08:21 -03:00
Felipe Zimmerle
89f5427c1c potential off by one in parse_arguments
Issue: #1799
2018-09-05 15:33:39 -03:00
Felipe Zimmerle
739048749e Fix utf-8 character encoding conversion
Reported on: #1794
2018-09-04 21:02:09 -03:00
Reed Morrison
f66cd4111f Fix ip tree lookup on netmask content 2018-06-07 14:48:18 -03:00
Robert Paprocki
8d4124eee2 Enable sanitizing JSON request bodies in native audit log format
f86de56 enabled sanitizing JSON request body data in JSON audit
log formats (the commit message is misleading). This commit supplements
JSON request body sanitization to support sanitized elements in
native audit log formats.
2018-03-20 11:35:40 -07:00
Robert Paprocki
830f0b7c54 Fix compiler warning in JSON parser 2018-03-20 10:57:19 -07:00
florian-eichelberger
f86de566d1 Enables sanitizing of json request bodies in the apache module for native log format 2018-02-05 09:36:45 -03:00
Felipe Zimmerle
6406e2108d Makes 'large stream optimization' optional 2017-10-06 16:43:45 +00:00
Allan Boll
2e9ea0a677 Avoid use of min-macro, as it is not available in all envs 2017-10-05 17:20:41 +00:00
Allan Boll
7fff8938ba Check return value of modsecurity_request_body_store 2017-10-05 17:20:41 +00:00
Allan Boll
6ce7f4d689 Remove the unneeded null termination for the stream_input_data 2017-10-05 17:20:41 +00:00
Allan Boll
023b863853 Ensure memory preallocation for streaming is bounded by SecRequestBodyLimit 2017-10-05 17:20:41 +00:00
Allan Boll
97b51ebfed Renamed local var and initialized local vars. Undid accidental move. 2017-10-05 17:20:40 +00:00
Allan Boll
afae690655 Preallocate memory when SecStreamInBodyInspection is on. 20x speed improvement for 10mb upload. Also simplified modsecurity_request_body_to_stream. 2017-10-05 17:20:40 +00:00
Nic Jansma
a0bd72334d Fixes SecConnWriteStateLimit 2017-10-05 14:38:42 +00:00
Felipe Zimmerle
934a9fcc02 Verify if chunk exists before accessing it 2017-10-05 13:28:28 +00:00
Guido Ravagli
b8636a70d1 added "empty chunk" check 2017-10-05 13:24:59 +00:00
Victor Hora
9b90d86f75 Add capture action to @detectXSS operator 2017-10-05 03:24:23 +00:00
Marc Stern
89764f12b0 Fixed typos: LOG_NO_STOPWATCH instead of DLOG_NO_STOPWATCH; $log_server_context instead of $log_server_context 2017-09-29 18:34:30 +00:00
David Carlier
7ead7f4d23 A few missing headers, mainly the <arpa/inet.h> inclusions, due to the fact that the APR_HAVE* constants are simply in apr.h 2017-09-29 14:00:32 +00:00
Felipe Zimmerle
b878ece6c6 Version 2.9.2
Increasing version to 2.9.2 (final)
2017-07-18 09:59:59 -07:00
Felipe Zimmerle
61bce8d9a9 Cosmetics: moving declaration to the top of the block 2017-07-14 13:47:30 -03:00
Allan Boll
04e4a6f9b8 Initialize msre_var pointers 2017-06-23 16:16:23 -03:00
Felipe Zimmerle
9c0229ce1f Updates libinjection to v3.10.0 2017-05-31 21:06:33 -03:00
Felipe Zimmerle
53571a860d Updates libinjection.
This is not yet their v3.10.0. But I believe it is close to it.
See #124 at client9/libinjection for further information.
2017-05-30 10:48:11 -03:00
Victor Hora
1684400eee Fixes issue #1432 by not logging normal behavior to error.log and using APLOG_DEBUG instead 2017-05-30 08:13:11 -03:00
Hideaki Hayashi
6473cf626d Make url path absolute for SecHashEngine only when it is relative in the first place. Fix #752 2017-05-22 18:56:37 -03:00
Felipe Zimmerle
6f49bad748 Fix the hex digit size for SHA1 on msc_crypt implementation
Fix #1354
2017-05-22 18:48:20 -03:00
Felipe Zimmerle
a249574692 Avoids flushing the xml buffer while assembling the injected html
Fix #742
2017-05-22 18:44:22 -03:00
Daniel Stelter-Gliese
72f632e9b6 Avoid additional operator invocation if last transform of a multimatch doesn't modify the input
Fixes #1086
2017-05-22 15:13:54 -03:00
Felipe Zimmerle
9ac9ff8223 Adds a sanity check before using ctl:ruleRemoveTargetByTag
This commit closes the issue #1353
2017-05-22 09:23:58 -03:00
Felipe Zimmerle
112ba45e7a Makes global mutex for collections optional 2017-05-21 08:53:11 -03:00
Mladen Turk
c6f6dffed2 Move locking before table update 2017-05-19 17:16:08 -03:00
Mladen Turk
84d2f30cc8 Use global mutex instead of sdbm file lock to fix issues with threaded MPMs 2017-05-19 17:16:08 -03:00
Felipe Zimmerle
2de5175b9c Fix collection naming problem
As reported on #1274 we had a problem while merging the collections.
Turns out that the collection name was wrong while passing the
information to setvar.
2017-05-19 10:29:30 -03:00
Felipe Zimmerle
a5bbb8345f Fix compilation for 2.2.x and standalone after #1289 2017-05-11 09:14:49 -03:00
Robert Bost
4f55b5d1a7 Change from using rand() to thread-safe ap_random_pick. 2017-05-08 21:19:23 -03:00
Coty Sutherland
10fb76ff16 Adding comments around odd looking code to prevent future scrutiny 2017-05-08 21:07:14 -03:00
Felipe Zimmerle
d6bd0badc5 Cosmetics: fix #1400 indentation and help message 2017-05-08 16:01:37 -03:00
Marc Stern
70322304f2 {dis|en}able-server-context-logging: Option to disable logging of server info (log producer, sanitized objects, ...) in audit log. 2017-05-08 15:36:58 -03:00
Felipe Zimmerle
da995bb636 Adds sb_handle structure to specific versions of apache
Fix issue #1407
2017-05-05 23:06:43 -03:00