github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 13:56:01 +03:00
Code Issues Packages Projects Releases Wiki Activity
2,999 Commits 55 Branches 109 Tags
Commit Graph

986 Commits

Author SHA1 Message Date
Felipe Zimmerle
68ef2dece3
Cosmetics: address cppcheck warnings on src/variables 2020-01-27 09:08:31 -03:00
Felipe Zimmerle
ff9152ed74
Cosmetics: address cppcheck warnings on src/utils 2020-01-23 08:51:45 -03:00
Felipe Zimmerle
ff590174da
Cosmetics: address cppcheck warnings on src/operators 2020-01-23 08:10:05 -03:00
Felipe Zimmerle
9101a8ab15
Cosmetics: address cppcheck warnings on src/actions 2020-01-22 10:37:51 -03:00
Felipe Zimmerle
4f13fecbaf
cppcheck: make static analysis more pedantic 2020-01-22 09:16:10 -03:00
Felipe Zimmerle
86a5f471a9
Cosmetics: fixed static analysis issues. 2020-01-15 20:35:59 -03:00
martinhsv
0470168056 Fix: audit log data omitted when nolog,auditlog 2020-01-07 11:16:07 -03:00
root
6624a18a4e
Fixed inspectFile operator does not pass FILES_TMPNAMES 
pass FILES_TMPNAMES variable to lua engine Fixed Lua engine
should also be aware of the variable and pass it to the target
lua script main function
 2019-11-26 08:40:53 -03:00
Felipe Zimmerle
05e9e7cf31
XML: Remove error messages from stderr 2019-11-25 09:27:11 -03:00
toubley
7b1b00b5e1
filter comment or blank line for pmFromFile operator 2019-11-22 14:49:41 -03:00
martinhsv
ea7cacf289
Additional adjustment to Cookie header parsing 2019-11-21 16:50:27 -03:00
martinhsv
6395fe07ce
Restore chained rule logging to be more like 2.9 2019-11-21 08:21:59 -03:00
Ervin Hegedus
038522ad9b
Small fixes in log messages to help debugging 2019-11-20 15:24:30 -03:00
martinhsv
b8160cce6b Fix Cookie header parsing issues 2019-11-20 08:51:06 -03:00
Ervin Hegedus
7ba77631f9 Replace Cookie parsing method 2019-11-20 08:51:05 -03:00
martinhsv
199a9db3e2
Fix nolog rules logging to part H 2019-11-11 13:50:44 -03:00
martinhsv
9cac167faf Fix argument key-value pair parsing cases 2019-11-05 13:06:29 -03:00
martinhsv
68c995ca98 Fix: audit log part for response body for JSON format to be E 2019-10-25 09:51:26 -03:00
martinhsv
01c7a2689b
Fix test issue-1974 2019-10-24 09:57:49 -03:00
Victor Hora
d4dc3dbf2a
Make sure m_rulesMessages is filled after successfull match 2019-10-16 09:40:04 -03:00
Andrei Belov
5929277938
Avoid using NULL string (match) in Pm::evaluate 
Closes #2178.
 2019-10-07 08:37:05 -03:00
Felipe Zimmerle
beedddd6c6 Fix @pm lookup for possible matches on offset zero 2019-10-02 08:05:14 -07:00
marduone
96d36afeca
Add Missing throw in Operator::instantiate 2019-06-17 14:56:03 -03:00
Felipe Zimmerle
6ab464ab78
negative lookup on the key name instead of COLLECTION:key 2019-06-17 13:04:25 -03:00
Felipe Zimmerle
47dd9c5df4
Refactoring on the VariableValue class 2019-06-14 10:13:54 -03:00
Ervin Hegedus
c0142cf326
Changed compared variables of range id intervall in ruleRemoveById ctl action. #2111 
* changed the variables in clause
* added test case (@theMiddle)
* fixes #2111
 2019-06-04 10:28:30 -03:00
Felipe Zimmerle
50abc072c4
Make block action execution dependent of the SecEngine status 2019-06-03 19:55:02 -03:00
Felipe Zimmerle
a4e8484115
Having body limits to respect the rule engine state 2019-06-03 14:05:10 -03:00
Felipe Zimmerle
1b8d69da02
Fix dict element regular expression selection on SecRuleUpdateTargetByTag 2019-05-31 01:42:51 -03:00
Felipe Zimmerle
5472362313
Fix SecRuleUpdateTargetByTag with regular expressions 2019-05-31 01:42:47 -03:00
Ervin Hegedus
db298696fa Adds missing check for runtime ctl:ruleRemoveByTag 2019-05-30 09:50:56 -03:00
Rufus125
86ce479b59
Adds new operator to check for data leakage of Austrian social security number 2019-05-29 20:57:08 -03:00
Julien Leproust
49900eec97
Fix variables output in debug logs 2019-05-27 17:39:04 -03:00
Tim Herren
75a5c8d334
correct typo validade in log output 2019-05-27 17:13:29 -03:00
Thierry Fournier
4a3e9734ef
fix/minor: Error encoding hexa decimal 
String is defined as an array of char. The char can be negative. The
cast "reinterpret_cast" from char to int keep the negative side, so
the "unsigned char" number 0x91 is negative as "char". When it is
"reinterpret_cast" as integer, it becomes 0xffffff91, so the hexadecimal
display is broken:

   [155493246391.747672] [/absolute?what=badarg2] [9]  T (0) t:hexEncode: "ffffff91ffffffecffffffe6334bffffffebffffff87ffffff9affffff824a06ffffffc33b4cffff (14 characters omitted)"

This patch fix this behavior using classic cast without reinterpret_cast:

   [155493251286.221115] [/absolute?what=badarg2] [9]  T (0) t:hexEncode: "91ece6334beb879a824a06c33b4cb4240e4c6f56"
 2019-05-27 17:06:51 -03:00
Julien Leproust
1acd87a803
Limit log variables to 200 characters 
To avoid generating too long log lines which end up truncated (like in
nginx's error log), and missing important bits.
 2019-05-27 17:04:32 -03:00
Felipe Zimmerle
61c11251b6
parser: Fix filename 2019-04-23 13:17:23 -03:00
Felipe Zimmerle
0669c2e64d
parser: new bison version 2019-04-22 10:46:27 -03:00
Felipe Zimmerle
4e76c6adf0
Renames namespace Variables to variables 2019-03-06 15:53:20 -03:00
Felipe Zimmerle
b9ed150224
Fix namespace utilization on seclang-parser.yy 2019-03-06 15:12:44 -03:00
Ervin Hegedus
ccd90c51c5
Increment OVECCOUNT value for bigger regex's 2019-02-12 10:08:47 -03:00
Ervin Hegedus
a6e6bc2b5f
Allow empty anchored variable to use 2019-02-12 09:31:19 -03:00
Ervin Hegedus
17d79ed7ba
Fixed data collecting in multipart parsing 2019-02-12 09:16:07 -03:00
Ervin Hegedus
4b3e6328e3
Fixed validateByteRange parsing method 2019-02-12 09:10:36 -03:00
Felipe Zimmerle
2dff768262
Removes a memory leak on the JSON parser 2019-02-11 10:17:02 -03:00
WGH
37cf60b8d2
Fix use of deleted Regex copy constructor in LMDB code 
Bug introduced in ad28de4f. Fixes #2008.
 2019-01-28 16:20:02 -03:00
Felipe Zimmerle
dc78c0e180
Fix: Extra whitespace in some configuration directives causing error 
Issue #2006
 2019-01-21 14:44:31 -03:00
Felipe Zimmerle
df3c3f62b7 Cosmetics: coding style 2019-01-18 11:02:22 -03:00
WGH
ad28de4f14 Refactor regex code 
This commit fixes quite a few odd things in regex code:
 * Lack of encapsulation.
 * Non-method functions for matching without retrieving all groups.
 * Regex class being copyable without proper copy-constructor (potential UAF
   and double free due to pointer members m_pc and m_pce).
 * Redundant SMatch::m_length, which always equals to match.size() anyway.
 * Weird SMatch::size_ member which is initialized only by one of the three matching
   functions, and equals to the return value of that function anyways.
 * Several places in code having std::string value instead of reference.
 2019-01-18 10:34:01 -03:00
Andrei Belov
ae02076340
Fixed buffer overflow in Utils::Md5::hexdigest() 
Found via failed test (auditlog.json) on Alpine Linux 3.8.2.
 2019-01-14 16:29:07 -03:00