Initially those directives were only able to load content from a
local file. This commit extends this functionality allowing the user to
provide an HTTP URI that can be downloaded and loaded by ModSecurity.
Initially the download is associated with a server restart. For next
versions we expect to load such resources as it become outdated (Without
need to resetart the server).
The script was looking for the wrong header file. Instead of look for
yajl_parse.h it was looking for yajl.h. Originally reported by
@rpfilomeno at #804.
On Apache platform the server signature can be replaced using the
SecServerSignature directive. Status call was using the signature informed by
this directive instead of using the original one. As reported at #702.
As reported at #714 status calls with long `apache version' name was broken.
DNS queries cannot be so long. This field is now limited to 25 characters
which is a valid size when encoded into base32
Seems like curl versions older than 7.34.0 does not have support for
`CURL_SSLVERSION_TLSv1_2'. In this cases, using CURL_SSLVERSION_TLSv1
which was added at version 7.9.2. ModSecurity demands a curl version
newer than 7.15.1.
Using apr-util installed by Macports results in build failure because apr-util uses BerkeleyDB that MacPorts installs into a subdir of $prefix/lib and $prefix/include (so that multiple versions of BerkeleyDB can be installed simultaneously). apu-1-config's --ldflags output includes the -L/path/to/bdb that's needed.
As of Automake 1.4, it starts to warning about the lack of utilization
of `subdir-objects' option, which will be default in the further
releases. Avoiding break stuff we are patching ModSecurity to support
such option when it still an option (Issue #760).
FuzzyHash operator is optional and only installed if the headers for libfuzzy
was found in the system. Otherwise, the FuzzyHash operator is disable during
the compilation. After this commit, if some rules tries to use it, ModSecurity
will produce an runtime error not a config time error, allowing the web server
to procede normal with its operations.
The fuzzyHash operator can be used to match files. In conjuntcion
with FILES_TMP_CONTENT collection it can scan uploaded files and
try to match it with a pre caculated list of know malicious content,
more details on how it works can be found on ssdeep website:
http://ssdeep.sourceforge.net/
The collection is filled with a key-value set where value is the content of
the file which was uploaded. This collection can be used with all supported
operators, however SecUploadKeepFiles should be set to 'On' in order
to have this collection filled.
The ipv4 representation was only accepting slash notation with masks
represented in 2 digits. In the ipv6 implementation several fixies were made:
The maximum value to a bitmask was 64 which is not the reality, as ipv6 can
handle 128 bits. The second change was also to enable mask representation with
more and less than 2 digits. A more general fix was added to allow the unit
tests to work even if a invalid ip/range was informed during the creation of
the "tree", now it is checking if the tree is NULL while performing the
execution of the operator. Initial problem was reported at the issue: #706.
As reported on issue #706 the @ipMatch operator is not working as expected
creating this test case to confirm the issue and to avoid that happens in
the future.
ModSecurityIIS was reporting events to Windows using ID 0
which seems cause an unexpected verbose message at the
event logger window as reported on #676, changing the ID
to 0x1, although will be nice to have separated events for
misconfiguration, warnings, etc...
Custom build stops the IIS Server before start the compilation.
After finish the compilation the ModSecurity.DLL is copied to the
inetsrv folder and the IIS is restarted.
Windows compilation was failing due to the utilization of size_t which is part
of the strings.h. strings.h was not part of windows and so the compilation
was failing. This update fix that. Issue #65 on libinjection:
https://github.com/client9/libinjection/issues/65
Apperantly forcing the charset is not placing any benefits, instead it is
cousing problems as documented on #650. This still experimental, just
testing against our regression tests. Such feature was added by the commit:
177b5b9c989b0095e5c91b01d205df64e65e6c9e.
The Sec{Read|Write}StateLimits are filters related to the connections, when the
server did not know yet which vhost the request goes to. This means that once
those configrations are set it will be applied to entire server. This patch
just renames the Sec{Read|Write}StateLimits to SecConn{Read|Write}StateLimits
to make it more clear to the user. SecConnectionEngine was also renamed to
SecConnEngine.
Different from the Rules or other options, the connections filters are applied
to entire server, not to a single vhost, or so. In order to keep it clear to
the user this patches adds "SecConnectionEngine" which works in the same way
that SecRuleEngine does.
The SecRuleEngine has the capability to Enable, Disable or even to place the
ModSecurity in DetectionOnly mode. The SecReadStateLimit and SecWriteStateLimit
were not honoring such state, due the fact that our configuration belongs to
requests not to connections, the only struct that exists while those filters
are placed. By adding a global variable "conn_limits_filter_state" we are now
able to identify the current state of the ModSecurity, once the configuration
is loaded this variable is set and used by the connections filters.
Used by the operator @ipMatch and variants, this structure storage all the IPs
addresses for later comparison. Last version was using RadixTree only if the
set of IPs was specified from files. IPs specified as parameters, was using
a chained list. Chained lists may affect the performance, since lookups in
worst case will be O(n). RadixTrees could provide better results depending
on the amount of elements and its contents.
