1050 Commits

Author SHA1 Message Date
Felipe Zimmerle
8dd40709ee
good practices: Initialize variables before using them
Original author: Marc Stern (#1889)
2018-09-05 23:35:52 -03:00
Allan Boll
6bb4461911
AppGw WAF version that doesn't block failed body parsing in detect-only mode 2018-09-05 16:08:21 -03:00
Allan Boll
2ae357be88
Let body parsers observe SecRequestBodyNoFilesLimit
Previously, modsecurity_request_body_store would keep feeding the body parsers (JSON/XML/Multipart) even after the SecRequestBodyNoFilesLimit limit was met. This change prevents this. Also, modsecurity_request_body_end now returns an error code when the limit is met, so that a message can be logged for this event.
2018-09-05 16:08:21 -03:00
Felipe Zimmerle
89f5427c1c
Potential off-by-one in parse_arguments
Issue: #1799
2018-09-05 15:33:39 -03:00
Felipe Zimmerle
739048749e
Fix utf-8 character encoding conversion
Reported on: #1794
2018-09-04 21:02:09 -03:00
Reed Morrison
f66cd4111f
Fix ip tree lookup on netmask content 2018-06-07 14:48:18 -03:00
florian-eichelberger
f86de566d1
Enables sanitizing of json request bodies in the apache module for native log format 2018-02-05 09:36:45 -03:00
Felipe Zimmerle
6406e2108d
Makes "large stream optimization" optional 2017-10-06 16:43:45 +00:00
Allan Boll
2e9ea0a677
Avoid use of min-macro, as it is not available in all envs 2017-10-05 17:20:41 +00:00
Allan Boll
7fff8938ba
Check return value of modsecurity_request_body_store 2017-10-05 17:20:41 +00:00
Allan Boll
6ce7f4d689
Remove the unneeded null termination for the stream_input_data 2017-10-05 17:20:41 +00:00
Allan Boll
023b863853
Ensure memory preallocation for streaming is bounded by SecRequestBodyLimit 2017-10-05 17:20:41 +00:00
Allan Boll
97b51ebfed
Renamed local var and initialized local vars. Undid accidental move. 2017-10-05 17:20:40 +00:00
Allan Boll
afae690655
Preallocate memory when SecStreamInBodyInspection is on. 20x speed improvement for 10mb upload. Also simplified modsecurity_request_body_to_stream. 2017-10-05 17:20:40 +00:00
Nic Jansma
a0bd72334d
Fixes SecConnWriteStateLimit 2017-10-05 14:38:42 +00:00
Felipe Zimmerle
934a9fcc02
Verify if chunk exists before accessing it 2017-10-05 13:28:28 +00:00
Guido Ravagli
b8636a70d1
Added "empty chunk" check 2017-10-05 13:24:59 +00:00
Victor Hora
9b90d86f75
Add capture action to @detectXSS operator 2017-10-05 03:24:23 +00:00
Marc Stern
89764f12b0
Fixed typos: LOG_NO_STOPWATCH instead of DLOG_NO_STOPWATCH, $log_server_context instead of $log_server_context 2017-09-29 18:34:30 +00:00
David Carlier
7ead7f4d23
A few missing headers, mainly in the <arpa/inet.h> inclusions, due to the fact that the APR_HAVE* constants are simply in apr.h 2017-09-29 14:00:32 +00:00
Felipe Zimmerle
b878ece6c6
Version 2.9.2
Increasing version to 2.9.2 (final)
2017-07-18 09:59:59 -07:00
Felipe Zimmerle
61bce8d9a9
Cosmetics: moving declaration to the top of the block 2017-07-14 13:47:30 -03:00
Allan Boll
04e4a6f9b8
Initialize msre_var pointers 2017-06-23 16:16:23 -03:00
Felipe Zimmerle
9c0229ce1f
Updates libinjection to v3.10.0 2017-05-31 21:06:33 -03:00
Felipe Zimmerle
53571a860d
Updates libinjection.
This is not yet their v3.10.0. But I believe it is close to it.
See #124 at client9/libinjection for further information.
2017-05-30 10:48:11 -03:00
Victor Hora
1684400eee
Fixes issue #1432 by not logging normal behavior to error.log and using APLOG_DEBUG instead 2017-05-30 08:13:11 -03:00
Hideaki Hayashi
6473cf626d
Make url path absolute for SecHashEngine only when it is relative in the first place. Fix #752 2017-05-22 18:56:37 -03:00
Felipe Zimmerle
6f49bad748
Fix the hex digit size for SHA1 on msc_crypt implementation
Fix #1354
2017-05-22 18:48:20 -03:00
Felipe Zimmerle
a249574692
Avoids flushing xml buffer while assembling the injected html
Fix #742
2017-05-22 18:44:22 -03:00
Daniel Stelter-Gliese
72f632e9b6
Avoid additional operator invocation if last transform of a multimatch doesn't modify the input
Fixes #1086
2017-05-22 15:13:54 -03:00
Felipe Zimmerle
9ac9ff8223
Adds a sanity check before using ctl:ruleRemoveTargetByTag
This commit closes the issue #1353
2017-05-22 09:23:58 -03:00
Felipe Zimmerle
112ba45e7a
Makes global mutex for collections optional 2017-05-21 08:53:11 -03:00
Mladen Turk
c6f6dffed2
Move locking before table update 2017-05-19 17:16:08 -03:00
Mladen Turk
84d2f30cc8
Use global mutex instead of sdbm file lock to fix issues with threaded MPMs 2017-05-19 17:16:08 -03:00
Felipe Zimmerle
2de5175b9c
Fix collection naming problem
As reported on #1274 we had a problem while merging the collections.
Turns out that the collection name was wrong while passing the
information to setvar.
2017-05-19 10:29:30 -03:00
Felipe Zimmerle
a5bbb8345f
Fix compilation for 2.2.x and standalone after #1289 2017-05-11 09:14:49 -03:00
Robert Bost
4f55b5d1a7
Change from using rand() to thread-safe ap_random_pick. 2017-05-08 21:19:23 -03:00
Coty Sutherland
10fb76ff16
Adding comments around odd looking code to prevent future scrutiny 2017-05-08 21:07:14 -03:00
Felipe Zimmerle
d6bd0badc5
Cosmetics: fix #1400 indentation and help message 2017-05-08 16:01:37 -03:00
Marc Stern
70322304f2
{dis|en}able-server-context-logging: Option to disable logging of server info (log producer, sanitized objects, ...) in audit log. 2017-05-08 15:36:58 -03:00
Felipe Zimmerle
da995bb636
Adds sb_handle structure to specific versions of apache
Fix issue #1407
2017-05-05 23:06:43 -03:00
Felipe Zimmerle
9b3c32bb54
Makes #1308 compatible to older versions of Apache 2017-05-04 23:23:31 -03:00
Barry Pollard
019edfa1a9
This is a fix for #992 to allow drop to work with mod_http2 2017-05-04 22:19:57 -03:00
Sander Hoentjen
0f59d4e044
query MPM after all config is loaded (fixes #786) 2017-05-04 10:09:07 -03:00
Sander Hoentjen
a2eb4c8b04
Don't update the scoreboard ourselves (fixes #1337)
This is unsafe, and messes up the scoreboard on Apache >= 2.4.25 with Event MPM
2017-05-04 10:09:07 -03:00
Sander Hoentjen
53edb258bb
get correct worker_score in loop 2017-05-04 10:09:06 -03:00
Sander Hoentjen
8efece97f7
don't use sb_handle on apache 2.4 2017-05-04 10:09:06 -03:00
Sander Hoentjen
f813365f7e
Fix logging for Apache 2.4 2017-05-04 10:09:06 -03:00
Felipe Zimmerle
caadf97524
Cosmetics: Fix 0x0bdda1 indentation issues 2017-05-03 09:34:47 -03:00
Marc Stern
51f312736a
rule id is not logged in case rule has no msg 2017-05-03 09:20:32 -03:00