github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 05:45:59 +03:00
Code Issues Packages Projects Releases Wiki Activity
3,364 Commits 55 Branches 109 Tags
Commit Graph

365 Commits

Author SHA1 Message Date
Abhi Joglekar
28a44b966a
SecLang uses RESPONSE_STATUS as variable, not STATUS 
Seclang uses RESPONSE_STATUS as variable to encode the status code for the
request.
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#RESPONSE_STATUS

The CRS v3.0.0-dev rules, for instance, uses the RESPONSE_STATUS variable.
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-dev/rules/RESPONSE-50-DATA-LEAKAGES-IIS.conf

When processing response headers, the variable was named STATUS when creating/storing
it in the collection. Fix it, and update regression testcases.
 2016-10-18 21:30:06 -03:00
Felipe Zimmerle
678a97d0f7
Refectoring on the DebugLog mechanism 
The DebugLog implementation was modified to use shared memory
to keep the information about the opened files and file handles.
The modification was necessary to avoid race-conditions. This
commit also closes the issue SpiderLabs/ModSecurity-nginx#17
 2016-10-18 18:43:51 -03:00
Felipe Zimmerle
f3bbcfc7ef
Removes SecDebugLog directive from the test cases 2016-10-18 18:23:35 -03:00
Felipe Zimmerle
0e5f72977e Changes MATCHED_VAR behaviour 
Only cleanup the variable if there wasn't a match within the rule
 2016-07-29 10:40:45 -07:00
Felipe Zimmerle
f723870f18
Fix case sensitive variable resolution in in memory backend 
Variables are case insensitive
 2016-07-22 13:34:57 -03:00
Felipe Zimmerle
5d64f73817
Makes RULE collection to be resolved inside a macro expansion 2016-07-21 13:09:22 -03:00
Felipe Zimmerle
37079ef668
Adds support to SecRuleRemoveById 2016-07-18 15:02:38 -03:00
Felipe Zimmerle
38b338d1d6
Adds test case for regular express selection 2016-07-11 11:07:30 -03:00
Felipe Zimmerle
4daf9d8ab0
Adds a test case for WEBSERVER_ERROR_LOG 
WEBSERVER_ERROR_LOG is not supported by libmodsecurity. This test case
confirms the parser error that says so.
 2016-07-08 11:05:09 -03:00
Felipe Zimmerle
6e4226ee4d
Adds support to global collections shared among different process 
There is a memory leak in the variable resolution that should be
contained by an internal change in the way that the variables
are resolved.
 2016-07-07 23:03:47 -03:00
Felipe Zimmerle
3d1d0514fd
Fix pass action behaviour: now only ingore actions within the same rule 
More details on issue #1152
 2016-07-01 11:01:51 -03:00
Felipe Zimmerle
b332018cc2
Adds regressiont test for issue #1152 2016-06-30 23:50:21 -03:00
Felipe Zimmerle
f72bd587ec
Adds support to the allow action 2016-06-30 20:44:51 -03:00
Felipe Zimmerle
b0f69b1262
Adds support to the `skip' action 2016-06-30 10:35:42 -03:00
Felipe Zimmerle
90adb53935
Adds support to JSON request body parser 2016-06-29 21:55:41 -03:00
Felipe Zimmerle
193fa2e804
Changes regressions tests to fit the recent modification on the parser 2016-06-24 09:18:48 -03:00
Felipe Zimmerle
02909f7cd8
parser: arbitraty text can be used instead of operator 
The usage of an arbitrary text instead operator was expecting that the
arbitrary text start by something different from "@" or "!", now it can
start with anything, including "@", and/or "!". Notice however that
there aren't such thing as a bad  operator. Bad operator will be used as
input of @rx. Issue #1136.
 2016-06-22 16:59:50 -03:00
Felipe Zimmerle
0d53dda1a1
Adds support to @unconditionalMatch 
Issue #1002
 2016-06-21 13:46:55 -03:00
Felipe Zimmerle
60be385ebe
Adds support to the SERVER_NAME variable 2016-06-21 10:53:11 -03:00
Felipe Zimmerle
df1f7c5e08
Adds support to the RESPONSE_PROTOCOL variable 2016-06-21 10:52:18 -03:00
Felipe Zimmerle
a36b2da86a
Adds support to the STATUS variable 2016-06-20 20:34:39 -03:00
Felipe Zimmerle
56d084a7f4
Adds support the variable rule 
Issue #1016
 2016-06-20 14:03:45 -03:00
Felipe Zimmerle
45bfb594b9
Adds missing tests cases 2016-06-20 11:35:00 -03:00
Felipe Zimmerle
6052d2628b
Adds support to URLENCODED_ERROR variable 2016-06-20 11:34:43 -03:00
Felipe Zimmerle
c5262d54f2
Fix argument uri decode order 
The uri decode happens after the string is splitted, not before.
 2016-06-17 15:34:06 -03:00
Felipe Zimmerle
1e6b40ebea
Fix some improperly formatted test cases 2016-06-14 15:32:37 -03:00
Felipe Zimmerle
2e3da7ea24 Better support for multipart 
ModSecurity v2.x parser was ported into 3.x branch.

All the multipart related variables should be workbale.
 2016-06-10 09:40:08 -03:00
Felipe Zimmerle
967c8c90f2 Fixed minor behavior on the trasnformations and added sha1-mbedtls 2016-05-30 16:54:13 -03:00
Felipe Zimmerle
f35d28b8d3 Loads the transformations test cases during the unit test 
Related to: #1156
 2016-05-27 11:03:46 -03:00
Felipe Zimmerle
1fe0e34201 Adds support to sqlHexDecode transformation 
Issue #973
 2016-05-25 20:19:54 -03:00
Felipe Zimmerle
2b056485d0 Adds support to Utf8ToUnicode transformation 
Issue #974
 2016-05-25 18:21:26 -03:00
Felipe Zimmerle
348cf3bfab Adds support to the REMOTE_USER variable 2016-05-23 18:32:53 -03:00
Felipe Zimmerle
f989ecd5cb Adds support to SecXMLExternalEntity 2016-05-18 17:02:15 -03:00
Felipe Zimmerle
6a7b970fe3 Adds support to ctl:requestBodyProcessor=XML 2016-05-18 10:30:25 -03:00
Felipe Zimmerle
1f45d6cea8 Adds full support to the libxml action 
Issue #1148
 2016-05-18 09:47:30 -03:00
Felipe Zimmerle
8c714af8e1 Actions refactoring: now there is a clear definiation on the action name 2016-05-17 14:36:59 -03:00
Felipe Zimmerle
1b88947d9b Adds support 'xmlns' action to the libmodsec parser 2016-05-16 18:24:54 -03:00
Felipe Zimmerle
3e8defb853 Adds support to the operator @validateDTD 
Further info #1003
 2016-05-13 09:20:10 -03:00
Felipe Zimmerle
6a40752500 Adds XML variable, xml body request processor and @validateSchema 2016-05-12 11:11:40 -03:00
Felipe Zimmerle
35636674e3 Adds the missing regression tests for USERID 2016-05-11 20:36:47 -03:00
Felipe Zimmerle
ff9aa5c7cf Adds support to the variable SESSIONID 2016-05-06 14:38:38 -03:00
Felipe Zimmerle
a2a47798e9 Adds support to the collection SESSION and setsid action 2016-05-06 14:38:04 -03:00
Felipe Zimmerle
5643d2fa28 Warming up to the remote collections support 
Huge refactoring to have the code in shape to later support the
remote collections with different backends.
 2016-05-03 17:39:49 -03:00
Felipe Zimmerle
19137452c4 Updates `secrules-language-tests' reference. 
SpiderLabs/ModSecurity#1098
 2016-04-04 15:22:24 -03:00
Felipe Zimmerle
e5acc95de8 First version of global' and ip' collections 2016-03-30 18:22:00 -03:00
Felipe Zimmerle
e0926fee37 Fix parser error while dealing with operator negation 
This patch closes the issue #960
 2016-03-17 18:06:46 -03:00
Felipe Zimmerle
a102b5ce2c Improves the method fill the ARGS collection 2016-01-15 10:35:24 -03:00
Felipe Zimmerle
2830525f89 Adds missing file: script.lua 2016-01-14 12:07:59 -03:00
Felipe Zimmerle
a225f8b5b7 Fix SecResponseBodyMimeType test case 2016-01-06 17:00:43 -03:00
Felipe Zimmerle
decf04d264 Adds support to SecResponseBodyMimeType 2015-12-24 11:55:24 -03:00