github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2026-01-13 23:17:10 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
ab846f8fff8bf1e3d1da8428aaed9d0803eb0e4c
ModSecurity/CHANGES
brenosilva c1c0dd2216 Update CHANGES and release for branch 2.6.x
2011-04-18 14:53:32 +00:00

116 lines
4.8 KiB
Plaintext
Raw Blame History

18 Apr 2011 - 2.6.0-rc1
-------------------
* Replaced previous GPLv2 Licento to Apachev2.
* Added Google Safe Browsing lookups operator and directive. It should be
used to extract and lookup urls from http packets.
* Added Data Modification operator. It must be used with STREAM_* variables
to replace/add/edit any data from http bodies.
* Added STREAM_OUPUT_BODY and STREAM_INPUT_BODY variables to work with data
modification operators.
* Added fast ip address operator. It supports partial ip address, cidr for
IPv4 and IPv6. Thanks Tom Donovan.
* Added new sensitive data tracking verifyCPF and verifySSN.
* Added MATCHED_VARS and MATCHED_VARS_NAMES. It is similiar to MATCHED_VAR,
but now we should see all matched variables.
* Added UNIQUE_ID variable. It holds the data created my mod_unique_id.
* Added new tranformation cmdline. Thanks Mark Stern.
* Added new exception handling operators and directives. It should help users
reduce FN and FPs. The directives SecRuleUpdateTargetById, SecRuleRemoveByTag
and its ctl actions were included.
* Added SecStreamOutBodyInspection and SecStreamInBodyInspection to enable STREAM_*
variables.
* Added SecGsbLookupDB used to load Google Safe Browsing malware databse into
memory.
* Added the directive SecInterceptOnError to control what to do if a rule returns
values less than zero.
* Improvements in DetectionOnly engine mode. Also added SecRequestBodyLimitAction
to control what to do if the engine receive a http request over a hard limit.
Note that there is now many combinations with SecRuleEngine and the limit action
directives for response and request data. Please see the reference manual.
* Improvements under RBL operator. It now will parse return code values for some
RBL lists.
* Added new Log Part J. It should log some informations about uploaded files.
* Added new sanitizeMatchedBytes action. It will give more flexibilty for user to sanitize
logged data, also improving peformance when sanitize big amount of data.
* Improvements on Logging phase. It is possible now see full chains, distinguish between
simple rules, chain starters and chain nodes.
* Improvements on AutoTools usage.
* Improvements on pattern matching operators, pmf, pm and strmatch now supports more flexible
input data allowing any kind of special char.
* Improvements on SecRuleUpdateActionById to update chain nodes.
* Many bugs were fixed. Please see the ModSecurity Jira for more details
* Added SecDisableBackendCompression, which disabled backend compression
while keeping the frontend compression enabled (assuming mod_deflate
in installed and configured in the proxy). [Ivan Ristic]
* Added REQUEST_BODY_LENGTH, which contains the number of request body
bytes read. [Ivan Ristic]
* Integrate with mod_log_config using the %{VARNAME}M format string.
(MODSEC-108) [Ivan Ristic]
* Replaced the previous time-measuring mechanism with a new one, which
provides the following information: request time, request duration,
phase duration (for all 5 phases), time spent dealing with persistent
storage, and time spent on audit logging. The new information is now
available in the Stopwatch2 audit log header. The Stopwatch header
remains for backward compatiblity, although it now only includes
the request time and request duration values. Added the following
variables: PERF_COMBINED, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3,
PERF_PHASE4, PERF_PHASE5, PERF_SREAD, PERF_SWRITE, PERF_LOGGING,
PERF_GC. [Ivan Ristic]
* Added DURATION, which contains the time ellapsed since the beginning
of the current transaction, in milliseconds. [Ivan Ristic]
* Adjusted phase 5 to execute just prior to mod_log_config. This should
allow phase 5 rules to to implement conditional logging, as well as
pave support for allowing access to all ModSecurity variables from
mog_log_config. [Ivan Ristic]
* Added the URLENCODED_ERROR flag, which is raised whenever invalid URL
encoding is encountered in the query string or in the request body
(but only if URLENCODED request body processor is used). (MODSEC-111)
[Ivan Ristic]
* Removed the obsolete PDF UXSS functionality. (MODSEC-96) [Ivan Ristic]
* Renamed normalisePath to normalizePath and normalisePathWin to
normalizePathWin. Kept the previous names for backward compatibility.
(MODSEC-103) [Ivan Ristic]
* Moved phase 1 to be run in the same Apache hook as phase 2. This means
that you can now have phase 1 rules in <Location> tags and, more
importantly, override server configuration in <Location> and others.
(MODSEC-98) [Ivan Ristic]
* Renamed the sanitise family of actiont to sanitize. Kept the old variants
for backward compatibility. (MODSEC-95) [Ivan Ristic]
* Improve the logging of the ctl action. (MODSEC-99) [Ivan Ristic]
* Cleanup build files that were from the Apache source.
Reference in New Issue View Git Blame Copy Permalink