mirror of
https://github.com/owasp-modsecurity/ModSecurity.git
synced 2025-08-13 13:26:01 +03:00
314 lines
13 KiB
Plaintext
314 lines
13 KiB
Plaintext
v3.0.4 - YYYY-MMM-DD (to be released)
|
|
-------------------------------------
|
|
|
|
- Adds support to multiple ranges in ctl:ruleRemoveById
|
|
[Issue #1956 - @theseion, @victorhora, @zimmerle]
|
|
- Rule variable interpolation broken
|
|
[Issue #1961 - @soonum, @zimmerle]
|
|
- Make the boundary check less strict as per RFC2046
|
|
[Issue #1943 - @victorhora, @allanbomsft]
|
|
- Fix buffer size for utf8toUnicode transformation
|
|
[Issue #1208 - @katef, @victorhora]
|
|
|
|
|
|
v3.0.3 - 2018-Nov-05
|
|
--------------------
|
|
|
|
- Fix double macros bug
|
|
[Issue #1943 - @supplient, @zimmerle]
|
|
- Override the default status code if not suitable to redirect action
|
|
[Issue #1850 - @zimmerle, @victorhora]
|
|
- parser: Fix the support for CRLF configuration files
|
|
[Issue #1945 - @zimmerle, @defanator, @kjakub]
|
|
- Organizes the server logs
|
|
[0xb7c36 and 0x5ac20 - @zimmerle]
|
|
- m_lineNumber in Rule not mapping with the correct line number in file
|
|
[Issue #1844 - @zimmerle, @victorhora, @xizeng]
|
|
- Using shared_ptr instead of unique_ptr on rules exceptions
|
|
[Issue #1697 - @zimmerle, @brianp9906, @victorhora, @LeSwiss, @defanator]
|
|
- Changes debuglogs schema to avoid unecessary str allocation
|
|
[0xb2840 - @zimmerle]
|
|
- Fix the SecUnicodeMapFile and SecUnicodeCodePage
|
|
[0x3094d - @zimmerle, @victorhora]
|
|
- Changes the timing to save the rule message
|
|
[0xca270 - @zimmerle]
|
|
- Fix crash in msc_rules_add_file() when using disruptive action in chain
|
|
[Issue #1849 - @victorhora, @zimmerle, @rperper]
|
|
- Fix memory leak in AuditLog::init()
|
|
[Issue #1897 - @weliu]
|
|
- Fix RulesProperties::appendRules()
|
|
[Issue #1901 - @steven-j-wojcik]
|
|
- Fix RULE lookup in chained rules
|
|
[0x3077c - @zimmerle]
|
|
- @ipMatch "Could not add entry" on slash/32 notation in 2.9.0
|
|
[Issue #849 - @zimmerle, @dune73]
|
|
- Using values after transformation at MATCHED_VARS
|
|
[0x14316 - @zimmerle]
|
|
- Adds support to UpdateActionById.
|
|
[Issue #1800 - @zimmerle, @victorhora, @NisariAIT]
|
|
- Add correct C function prototypes for msc_init and msc_create_rule_set
|
|
[Issue #1922 - @steven-j-wojcik]
|
|
- Allow LuaJIT 2.1 to be used
|
|
[Issue #1909 - @victorhora, @mdunc]
|
|
- Match m_id JSON log with RuleMessage and v2 format
|
|
[Issue #1185 - @victorhora]
|
|
- Adds support to setenv action.
|
|
[Issue #1044 - @zimmerle]
|
|
- Adds new transaction constructor that accepts the transaction id
|
|
as parameter.
|
|
[Issue #1627 - @defanator, @zimmerle]
|
|
- Adds request IDs and URIs to the debug log
|
|
[Issue #1627 - @defanator, @zimmerle]
|
|
- Treating variables exception on load-time instead of run time.
|
|
[0x028e0 and 0x275a1 - @zimmerle]
|
|
- Fix: function m.setvar in Lua scripts and add testcases
|
|
[Issue #1859 - @nowaits, @victorhora]
|
|
- Fix SecResponseBodyAccess and ctl:requestBodyAccess directives
|
|
[Issue #1531 - @victorhora, @defanator]
|
|
- Fix OpenBSD build
|
|
[Issue #1841 - @victorhora, @zimmerle, @juanfra684]
|
|
- Fix parser to support GeoLookup with MaxMind
|
|
[Issue #1884, #1895 - @victorhora, @everping]
|
|
- parser: Fix simple quote setvar in the end of the line
|
|
[Issue #1831 - @zimmerle, @csanders-git]
|
|
- Fix pc file
|
|
[Issue #1847 - @gquintard]
|
|
- modsec_rules_check: uses the gnu `.la' instead of `.a' file
|
|
[Issue #1853 - @ste7677, @victorhora, @zimmerle]
|
|
- good practices: Initialize variables before use it
|
|
[Issue #1889 - Marc Stern]
|
|
- Fix utf-8 character encoding conversion
|
|
[Issue #1794 - @tinselcity, @zimmerle]
|
|
- Adds support for ctl:requestBodyProcessor=URLENCODED
|
|
[Issue #1797 - @victorhora]
|
|
- Add LUA compatibility for CentOS and try to use LuaJIT first if available
|
|
[Issue #1622 - @victorhora, @dmitryzykov]
|
|
- Allow LuaJIT to be used
|
|
[Issue #1809 - @victorhora, @p0pr0ck5]
|
|
- Implement support for Lua 5.1
|
|
[Issue #1809 - @p0pr0ck5, @victorhora]
|
|
- Variable names must match fully, not partially. Match should be case
|
|
insensitive.
|
|
[Issue #1818, #1820, #1810, #1808 - @michaelgranzow-avi, @victorhora,
|
|
@theMiddleBlue, @airween, @zimmerle,
|
|
@LeeShan87]
|
|
- Improves the performance while loading the rules
|
|
[Issue #1735 - @zimmerle, @p0pr0ck5, @victorhora]
|
|
- Allow empty strings to be evaluated by regex::searchAll
|
|
[Issue #1799, #1785 - @victorhora, @XuanHuyDuong, @zimmerle]
|
|
- Adds basic pkg-config info
|
|
[Issue #1790 - @gquintard, @zimmerle]
|
|
- Fixed LMDB collection errors
|
|
[Issue #1787 - @airween, @zimmerle]
|
|
- Fixed false positive MULTIPART_UNMATCHED_BOUNDARY errors
|
|
[Issue #1747, #1924 - @airween, @victorhora, @defanator, @zimmerle]
|
|
- Fix ip tree lookup on netmask content
|
|
[Issue #1793 - @tinselcity, @zimmerle]
|
|
- Changes the behavior of the default sec actions
|
|
[Issue #1629 - @mirkodziadzka-avi, @zimmerle, @victorhora]
|
|
- Refactoring on {global,ip,resources,session,tx,user} collections
|
|
[Issue #1754, #1778 - @LeeShan87, @zimmerle, @victorhora, @wwd5613,
|
|
@sobigboy]
|
|
- Fix race condition in UniqueId::uniqueId()
|
|
[Issue #1786 - @weliu]
|
|
- Fix memory leak in error message for msc_rules_merge C APIs
|
|
[Issue #1765 - @weliu]
|
|
- Return false in SharedFiles::open() when an error happens
|
|
[Issue #1783 - @weliu]
|
|
- Use rvalue reference in ModSecurity::serverLog
|
|
[Issue #1769 - @weliu]
|
|
- Build System: Fix when multiple lines for curl version.
|
|
[Issue #1771 - @Artistan]
|
|
- Checks if response body inspection is enabled before process it
|
|
[Issue #1643 - @zoltan-fedor, @dennus, @defanator, @zimmerle]
|
|
- Code Cleanup.
|
|
[Issue #1757, #1755, #1756, #1761 - @p0pr0ck5]
|
|
- Fix setvar parsing of quoted data
|
|
[Issue #1733, #1759, #1775 - @victorhora, @JaiHarpalani, @defanator]
|
|
- Fix LDFLAGS for unit tests.
|
|
[Issue #1758 - @smlx]
|
|
- Adds time stamp back to the audit logs
|
|
[Issue #1762 - @Pjack, @zimmerle]
|
|
- Disables skip counter if debug log is disabled
|
|
[@zimmerle]
|
|
- Cosmetics: Represents amount of skipped rules without decimal
|
|
[Issue #1737 - @p0pr0ck5]
|
|
- Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser
|
|
[Issue #1752 - @victorhora]
|
|
- Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp.
|
|
[Issue #1738 - @victorhora]
|
|
- Fix memory leak in modsecurity::utils::expandEnv()
|
|
[Issue #1750 - @defanator]
|
|
- Initialize m_dtd member in ValidateDTD class as NULL
|
|
[Issue #1751 - @airween]
|
|
- Fix broken @detectxss operator regression test case
|
|
[Issue #1739 - @p0pr0ck5]
|
|
- Fix utils::string::ssplit() to handle delimiter in the end of string
|
|
[Issue #1743, #1744 - @defanator]
|
|
- Fix variable FILES_TMPNAMES
|
|
[Issue #1646, #1610 - @victorhora, @zimmerle, @defanator]
|
|
- Fix memory leak in Collections
|
|
[Issue #1729, #1730 - @defanator]
|
|
|
|
|
|
v3.0.2 - 2018-Apr-03
|
|
--------------------
|
|
|
|
- Fix lib version information while generating the .so file
|
|
[@gl1f1v21, @zimmerle]
|
|
|
|
v3.0.1 - 2018-Apr-02
|
|
--------------------
|
|
|
|
- Adds support for ctl:ruleRemoveByTag
|
|
[@zimmerle, @weliu]
|
|
- Fix SecUploadDir configuration merge
|
|
[Issue #1720 - @zimmerle, @gjvanetten]
|
|
- Include all prerequisites for "make check" into dist archive
|
|
[Issue #1716 - @defanator]
|
|
- Fix: Reverse logic of checking output in @inspectFile
|
|
[Issue #1715 - @defanator]
|
|
- Adds support to libMaxMind
|
|
[Issue #1307 - @zimmerle, @defanator]
|
|
- Adds capture action to detectXSS
|
|
[Issue #1698 - @victorhora]
|
|
- Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator
|
|
[Issue #1701 - @victorhora]
|
|
- Adds capture action to detectSQLi
|
|
[Issue #1698 - @zimmerle]
|
|
- Adds capture action to rbl
|
|
[Issue #1698 - @zimmerle]
|
|
- Adds capture action to verifyCC
|
|
[Issue #1698 - @michaelgranzow-avi, @zimmerle]
|
|
- Adds capture action to verifySSN
|
|
[Issue #1698 - @zimmerle]
|
|
- Adds capture action to verifyCPF
|
|
[Issue #1698 - @zimmerle]
|
|
- Prettier error messages for unsupported configurations (UX)
|
|
[@victorhora]
|
|
- Add missing verify*** transformation statements to parser
|
|
[Issue #1006 and #1007 - @victorhora]
|
|
- Fix a set of compilation warnings
|
|
[Issue #1650 - @zimmerle, @JayCase]
|
|
- Check for disruptive action on SecDefaultAction.
|
|
[Issue #1614 - @zimmerle, @michaelgranzow-avi]
|
|
- Fix block-block infinite loop.
|
|
[Issue #1614 - @zimmerle, @michaelgranzow-avi]
|
|
- Correction remove_by_tag and remove_by_msg logic.
|
|
[Issue #1636 - @Minasu]
|
|
- Fix LMDB compile error
|
|
[Issue #1691 - @airween]
|
|
- Fix msc_who_am_i() to return pointer to a valid C string
|
|
[Issue #1640 - @defanator]
|
|
- Added some cosmetics to autoconf related code
|
|
[Issue #1652 - @airween]
|
|
- Fix "make dist" target to include necessary headers for Lua
|
|
[Issue #1678 - @defanator]
|
|
- Fix "include /foo/*.conf" for single matched object in directory
|
|
[Issue #1677 - @defanator, @zimmerle]
|
|
- Add missing Base64 transformation statements to parser
|
|
[Issue #1632 - @victorhora, @zimmerle]
|
|
- Fixed resource load on ip match from file
|
|
[#1674 - @zimmerle, @StefaanSeys]
|
|
- Fixed examples compilation while using disable-shared
|
|
[#1670 - @zimmerle, @ivanbaldo]
|
|
- Fixed compilation issue while xml is disabled
|
|
[0x243028 - @zimmerle]
|
|
- Having LDADD and LDFLAGS organized on Makefile.am
|
|
[0xd0e85e - @zimmerle]
|
|
- Checking std::deque size before use it
|
|
[0x217cbf - @zimmerle, Yaron Dayagi]
|
|
- perf improvement: Added the concept of RunTimeString and removed
|
|
all run time parser.
|
|
[0x3eae51 0x0320e0 0xb5688f 0xfe47a9 0xfa9842 0x1affc3 0x079de4
|
|
0xc7c04f 0x5262ea 0x01974a 0xd5ee1e - @zimmerle]
|
|
- perf improvement: Checks debuglog level before format debug msg
|
|
[0x42ee9 - @zimmerle]
|
|
- perf. improvement/rx: Only compute dynamic regex in case of macro
|
|
[0x91ff3 - @zimmerle]
|
|
- Fix uri on the benchmark utility
|
|
[0x63bec - @zimmerle]
|
|
- disable Lua on systems with liblua5.1
|
|
[Issue #1639 - @victorhora, @defanator]
|
|
|
|
v3.0.0 - 2017-Dec-13
|
|
--------------------
|
|
|
|
- Improvements on LUA build scripts and support for LUA 5.2.
|
|
[Issue #1617 and #1622 - @victorhora, @zimmerle]
|
|
- Fix compilation error with disable_debug_log flag
|
|
[0xfd84e - Izik Abramov]
|
|
- Improvements on the benchmark tool.
|
|
[Issue #1615 - @zimmerle]
|
|
- Fix lua headers on the build scripts
|
|
[Issue #1621 - @Minasu]
|
|
- Refactoring on the JSON parser.
|
|
[Issue #1576, #1577 - Tobias Gutknecht, @zimmerle, @victorhora, @marcstern]
|
|
- Adds support to WEBAPPID variable.
|
|
[Issue #1027 - @zimmerle, @victorhora]
|
|
- Adds support for SecWebAppId.
|
|
[Issue #1442 - @zimmerle, @victorhora]
|
|
- Adds support for SecRuleRemoveByTag.
|
|
[Issue #1476 - @zimmerle, @victorhora]
|
|
- Adds support for update target by message.
|
|
[Issue #1474 - @zimmerle, @victorhora]
|
|
- Adds support to SecRuleScript directive.
|
|
[Issue #994 - @zimmerle]
|
|
- Adds support for the exec action.
|
|
[Issue #1050 - @zimmerle]
|
|
- Adds support for transformations inside Lua engine
|
|
[Issue #994 - @zimmerle]
|
|
- Adds initial support for Lua engine.
|
|
[Issue #994 - @zimmerle]
|
|
- Adds support for @inspectFile operator.
|
|
[Issue #999 - @zimmerle, @victorhora]
|
|
- Adds support for RESOURCE variable collection.
|
|
[Issue #1014 - @zimmerle, @victorhora]
|
|
- Adds support for @fuzzyHash operator.
|
|
[Issue #997 - @zimmerle]
|
|
- Fix build on non x86 arch build
|
|
[Issue #1598 - @athmane]
|
|
- Fix memory issue while changing rule target dynamic
|
|
[Issue #1590 - @zimmerle, @slabber]
|
|
- Fix log while displaying the name of a dict selection by regex.
|
|
[@zimmerle]
|
|
- Setting http response code on the auditlog.
|
|
[Issue #1592 - @zimmerle]
|
|
- Refactoring on RuleMessage class, now accepting http code as parameter.
|
|
[@zimmerle]
|
|
- Having disruptive msgs as disruptive [instead of warnings] on audit log
|
|
[Issue #1592 - @zimmerle, @nobodysz]
|
|
- Parser: Pipes are no longer welcomed inside regex dict element selection.
|
|
[Issue #1591 - @zimmerle, @slabber]
|
|
- Avoids unicode initialization on every rules object
|
|
[Issue #1563 - @zimmerle, @Tiki-God, @sethinsd, @Cloaked9000, @AnoopAlias,
|
|
@intelbg]
|
|
- Makes clear to the user whenever the audit log is empty due to missing
|
|
JSON support.
|
|
[Issue #1585 - @zimmerle]
|
|
- Makes auditlog more verbose on debug logs
|
|
[Issue: #1559 - @zimmerle]
|
|
- Enable support for AuditLogFormat
|
|
Issue: #1583, #1493 and #1453 - @victorhora]
|
|
- Adds macro expansion for @rx operator
|
|
[Issue: #1528, #1536 - @asterite3, @zimmerle]
|
|
- Consideres under quoted variable while loading the rules.
|
|
[Felipe Zimmerle/@zimmerle, Victor Hora/@victorhora]
|
|
- Store the connection and url parameters in std::string
|
|
[Issue: #1571 - @majordaw]
|
|
- Eliminate some reorder and sign warnings
|
|
[Issue: #1572 - Dávid Major/@majordaw]
|
|
- Makes parallel logging to work when SELinux is enabled.
|
|
[Issue: #1562 - David Buckle/@met3or]
|
|
- Adds possibility to run the pm operator inside a mutex to avoid concurrent
|
|
access while working on a thread environment. This option is a compilation
|
|
flag.
|
|
[Felipe Zimmerle/@zimmerle]
|
|
|
|
|
|
v3.0.0-rc1 - 2017-Aug-28
|
|
------------------------
|
|
|
|
Very first public version.
|
|
|