github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 13:56:01 +03:00
Code Issues Packages Projects Releases Wiki Activity
2,106 Commits 55 Branches 109 Tags
Commit Graph

1223 Commits

Author SHA1 Message Date
Felipe Zimmerle
6f49bad748
Fix the hex digit size for SHA1 on msc_crypt implementation 
Fix #1354
 2017-05-22 18:48:20 -03:00
Felipe Zimmerle
a249574692
Avoids to flush xml buffer while assembling the injected html 
Fix #742
 2017-05-22 18:44:22 -03:00
Daniel Stelter-Gliese
72f632e9b6
Avoid additional operator invokation if last transform of a multimatch doesn't modify the input 
Fixes #1086
 2017-05-22 15:13:54 -03:00
Felipe Zimmerle
9ac9ff8223
Adds a sanity check before use ctl:ruleRemoveTargetByTag 
This commit closes the issue #1353
 2017-05-22 09:23:58 -03:00
Felipe Zimmerle
112ba45e7a
Makes global mutex for collections optional 2017-05-21 08:53:11 -03:00
Mladen Turk
c6f6dffed2
Move locking before table update 2017-05-19 17:16:08 -03:00
Mladen Turk
84d2f30cc8
Use global mutex instead sdbm file lock to fix issues with threaded mpm's 2017-05-19 17:16:08 -03:00
Felipe Zimmerle
2de5175b9c
Fix collection naming problem 
As reported on #1274 we had a problem while merging the collections.
Turns out that the collection name was wrong while passing the
information to setvar.
 2017-05-19 10:29:30 -03:00
Felipe Zimmerle
a5bbb8345f
Fix compilation for 2.2.x and standalone after #1289 2017-05-11 09:14:49 -03:00
Robert Bost
4f55b5d1a7
Change from using rand() to thread-safe ap_random_pick. 2017-05-08 21:19:23 -03:00
Coty Sutherland
10fb76ff16
Adding comments around odd looking code to prevent future scrutiny 2017-05-08 21:07:14 -03:00
Felipe Zimmerle
d6bd0badc5
Cosmetics: fix #1400 indentation and help message 2017-05-08 16:01:37 -03:00
Marc Stern
70322304f2
{dis|en}able-server-context-logging: Option to disable logging of server info (log producer, sanitized objects, ...) in audit log. 2017-05-08 15:36:58 -03:00
Felipe Zimmerle
da995bb636
Adds sb_handle structure to specific versions of apache 
Fix issue #1407
 2017-05-05 23:06:43 -03:00
Felipe Zimmerle
9b3c32bb54
Makes #1308 compatible to older versions of Apache 2017-05-04 23:23:31 -03:00
Barry Pollard
019edfa1a9
This is a fix for #992 to allow drop to work with mod_http2 2017-05-04 22:19:57 -03:00
Sander Hoentjen
0f59d4e044
query MPM after all config is loaded (fixes #786) 2017-05-04 10:09:07 -03:00
Sander Hoentjen
a2eb4c8b04
Don't update the scoreboard ourself (fixes #1337) 
This is unsafe, and messes up the scoreboard on Apache >= 2.4.25 with Event MPM
 2017-05-04 10:09:07 -03:00
Sander Hoentjen
53edb258bb
get correct worker_score in loop 2017-05-04 10:09:06 -03:00
Sander Hoentjen
8efece97f7
don't use sb_handle on apache 2.4 2017-05-04 10:09:06 -03:00
Sander Hoentjen
f813365f7e
Fix logging for Apache 2.4 2017-05-04 10:09:06 -03:00
Felipe Zimmerle
caadf97524
Cosmetics: Fix 0x0bdda1 indentation issues 2017-05-03 09:34:47 -03:00
Marc Stern
51f312736a
rule id is not logged in case rule has no msg 2017-05-03 09:20:32 -03:00
Felipe Zimmerle
3e9e4b39cc
Cosmetics changes top of #1402 2017-05-02 17:14:06 -03:00
Marc Stern
7246998f09
Adds option to disable logging of stopwatches in audit log. 2017-05-02 17:11:58 -03:00
Marc Stern
d7383c39dd
Option to disable logging of dechunking 2017-05-02 11:09:42 -03:00
Felipe Zimmerle
a4724dfdab
Updates the libinjection 2017-04-28 14:56:06 -03:00
Marc Stern
7b86d8c51d
Extends a7731c by adding JSON support 2017-04-26 16:38:12 -03:00
Felipe Zimmerle
3de0dfc5fd
Cosmetics: fix #1381 indentation 2017-04-26 16:04:31 -03:00
Marc Stern
d1376c5525
Adds option to disable logging of Apache handler in audit log 2017-04-26 16:03:58 -03:00
Felipe Zimmerle
67908f45f4
Cosmetics: fix #1380 indentation 2017-04-26 15:28:13 -03:00
Marc Stern
d243818aff
{dis|en}able-collection-delete-problem-logging: Option to disable logging of collection delete problem in audit log when log level < 9 in audit log [Issue #576 - Marc Stern] 2017-04-26 15:27:57 -03:00
Felipe Zimmerle
45b7706f1f
Adds sanity check before print action message in the logs 
This is a sanity check on top of #1379
 2017-04-11 10:04:19 -03:00
Marc Stern
99eb07d944
Fix missing rule id in log See https://github.com/SpiderLabs/ModSecurity/issues/391 2017-04-10 12:28:38 -03:00
Marc Stern
9244cd9824
Option to disable logging of "Server" in audit log when log level < 9. [Issue #1070 - Marc Stern] 2017-04-10 12:13:55 -03:00
Marc Stern
c1c91e24cd
{dis|en}able-filename-logging: Option to disable logging of filename in audit log [Issue #1065 - Marc Stern] 2017-04-07 10:55:08 -03:00
Robert Paprocki
96a1f55e16
Read fuzzy hash databases on init 
Instead of reading the fuzzy db on every invocation, read and store
the db contents during initialization and store the contents in memory.
The only significant behavior change here is that a change in db contents
now (obviously) requires a daemon restart, as no API is provided to
flush the list of ssdeep chunks.
 2017-04-06 13:20:24 -03:00
Robert Paprocki
fd49ca7138
Don't leak an fd on fuzzy hash initialization 
Since we're re-opening this file with every invocation, let's
close our sanity check fd.
 2017-04-06 13:20:24 -03:00
Master Yoda
792a351de6
As of 17 May 2016, the country name "Czechia" replaces this MemberState's former short name of Czech Republic (code 203) 2016-12-01 15:07:46 -03:00
Marc Stern
7ff0e7e7b2
Added ALLOW_ID_NOT_UNIQUE compile flag to allow duplicate rule ids and no id 2016-11-21 09:58:40 -03:00
Robert Paprocki
a34f9eb785
Append a newline to concurrent JSON audit logs 2016-10-20 09:43:22 -03:00
Robert Paprocki
709042a472
Don't unnecessarily rename request body parts in cleanup 
When tmp_dir and upload_dir are identical, there's no reason to
rename multipart and request body parts, as this is a non-op. Let's
save the cycles and syscall.
 2016-10-10 10:06:38 -03:00
arminabf
fb3bbf37e8
revert error message assignment for older versions 
as errstr is only available since version > 2.2
 2016-10-06 13:28:37 -03:00
arminabf
e7f029b55a
fix error message 
both info->format and fmt (for versions prio 2.4) contain the error message format but not the actual formatted error message
 2016-10-06 13:28:37 -03:00
Robert Paprocki
2b4ece14c6
Remove logdata and msg fields from JSON audit log rule elements 
Writing macro-expanded strings to JSON elements during the post-logging
phase can be misleading, because it's possible that variable contents
(such as MATCHED_VAR) could have changed after the rule match, altering
their expected contents. Writing macro-epanded audit data really only
makes sense when the macros are expanded immediately following the
rule match. See issue #1174 for more details.
 2016-10-04 09:31:25 -03:00
Ephraim Vider
21a63cb83e
json parser handle cleanup 2016-09-21 00:03:40 -03:00
Chaim sanders
947cef7c8c
Adapted patch from 977 to fix status failing to report in Nginx auditlogs 2016-07-11 13:32:56 -03:00
Robert Paprocki
f2ef2017f1
Fix file upload JSON audit log entry 
Each uploaded file is a separate yajl array, but we forgot to open
the a map for the proper k/v pairs.

This fixes issue #1173.
 2016-07-11 12:14:37 -03:00
root
f9c253952c This is fix for reborn of https://github.com/SpiderLabs/ModSecurity/issues/334 This bug has been reborn, because Apache (at least in RedHat/CentOS) since version 2.2.15-47 returns in same case APR_INCOMPLETE (not APR_EOF). Based on same patch I have added handler for APR_INCOMPLETE. 2016-03-16 10:35:22 -03:00
Felipe Zimmerle
88bffb1e3e Version 2.9.1 (final) 
Increasing version to 2.9.1 (final)
 2016-03-09 14:48:29 -03:00