1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
|
v3.0.14 - 2025-Feb-25
---------------------
- [fix: fixed htmlEntityDecode methods]
[PR from private repo - @theseion,@airween; fixed CVE-2025-27110]
- fix: Added missing header to avoid build error with gcc-15
[PR #3342 - @airween]
- Fix for issue #3334: build not finding YAJL
[PR #3335 - @RooHTaylor]
- fix: add value checking to @validateByteRange
[PR #3322 - @airween]
- fix: build library on OSX without GeoIP brew package
[PR #3319 - @theseion,@airween]
- Update README.md
[PR #3314 - @ElevationsRPG]
- Fix: Add false positive cppcheck-suppress for compatibility with upda…
[PR #3307 - @gberkes]
- fix: align TIME_MON variable's behavior
[PR #3306 - @M4tteoP,@theseion,@airween]
- Fix m_requestHostName variable behavior
[PR #3298 - @airween]
- Add regression rules for test
[PR #3291 - @hnakamur]
- Fix modsecurity-regression-test-secremoterules.txt URL in example
[PR #3287 - @hnakamur]
- Use latest version of cppcheck (2.15.0) to analyze codebase
[PR #3283 - @eduar-hte]
- Replace usage of range-checked 'at' method when vector/string has already been size checked
[PR #3280 - @eduar-hte]
- chore: add 'log' action to rule 200005
[PR #3266 - @airween]
- docs: add a logo picture for github dark theme
[PR #3264 - @xuruidong]
- Leverage std::make_unique & std::make_shared to create objects in the heap
[PR #3254 - @eduar-hte]
- Simplified handling of RuleMessage by removing usage of std::shared_ptr
[PR #3253 - @eduar-hte]
- Simplified constructors, copy constructors & assignment operators
[PR #3248 - @eduar-hte]
v3.0.13 - 2024-Sep-03
---------------------
- Adjust reference to modsecurity::utils::string::VALID_HEX
[PR #3243 - @eduar-hte]
- Lua::run: Move logging of str parameter to higher log level.
[PR #3240 - @frozenice]
- Remove unnecessary heap allocated copies in Transformation actions
[PR #3231 - @eduar-hte]
- Removed multiple heap-allocated copies in Pm::init & parse_pm_content
[PR #3233 - @eduar-hte]
- Unit tests results should not be displayed in 'automake output' mode
[PR #3232 - @eduar-hte]
- Replace usage of std::ctime, which is not safe in
multithread contexts
[PR #3228 - @eduar-hte]
- Removed unnecessary lock to call acmp_process_quick in Pm::evaluate
[PR #3227 - @eduar-hte]
- feat: Check if the MP header contains invalid character
[PR #3225 - @airween]
- Prevent concurrent access to data in InMemoryPerProcess'
resolveXXX methods
[PR #3216 - @eduar-hte]
- Remove several string copies and unnecessary heap allocations
[PR #3222 - @eduar-hte]
- Creating a std::string with a null pointer
is undefined behaviour
[PR #3220 - @eduar-hte]
- Simplifiy configuration to build using std C++17
[PR #3219 - @eduar-hte]
- Remove unnecessary dynamic casts
[PR #3218 - @eduar-hte]
- fix: Sonarcloud reported memleak fixes
[PR #3114 - @airween]
- V3/sonarcloud replace this declaration by a structured
binding declaration
[PR #3217 - @gberkes]
- Do not assume ModSecurityIntervention argument to
transaction::intervention has been initialized/cleaned
[PR #3212 - @eduar-hte]
- Refactor: used the init-statement to declare "pos" inside the
if statement
[PR #3214 - @gberkes]
- Refactor: moved 3 #include directives to the top of the file.
[PR #3213 - @gberkes]
- Fix SecRemoteRules regression test not to depend on a
specific error message
[PR #3211 - @eduar-hte]
- Fixed shared files deadlock in a multi-threaded Windows application
[PR #3210 - @eduar-hte]
- Add cleanup methods to complete C based ABI
[PR #3209 - @eduar-hte]
- Build on macOS with Apple silicon (arm64)
[PR #3208 - @eduar-hte]
- remove 'this throw' call in transaction
[PR #3207 - @gberkes]
- New API function: set hostname for log
[PR #3203 - @airween]
- Fixing typo in Dockerfile
[PR #3189 - @bitbehz]
- Simplify checkout of submodules in GitHub workflows (with support for git describe)
[PR #3185 - @eduar-hte]
- Update README.md: use submodule and use benchmark tool
[PR #3182 - @airween]
- Improve performance of VariableOrigin instances
[PR #3164 - @eduar-hte]
- Update libinjection & Mbed TLS
[PR #3161 - @eduar-hte]
- chore: add PR template (v3)
[PR #3160 - @fzipi]
- Update to seclang-scanner changes introduced by Windows support
[PR #3146 - @eduar-hte]
- GitHub build & quality assurance workflow updates
[PR #3144 - @eduar-hte]
- Add link to Rust bindings in README
[PR #3141 - @rkrishn7]
- Remove cppcheck suppressions with line numbers in test/cppcheck_suppressions.txt
[PR #3134 - @eduar-hte]
- Add support to build libModSecurity v3 on Windows
[PR #3132 - @eduar-hte]
- fix: update submodule url
[PR #3128 - @fzipi]
- fix(rbl): typo in rbl check selector
[PR #3127 - @fzipi]
- fix: Changed 'equal_range()' + loop by 'find()' in resolveFirst() methods
[PR #3117 - @airween]
- Deleted redundant code in 'ModSecurity::serverLog(...)'.
[PR #3116 - @gberkes]
- doc: Update CHANGES
[PR #3101 - @airween]
- Reduce the scope of variables in a for loop
[PR #3098 - @devzero2000]
- Clean up 'return' never will be executed.
[PR #3096 - @gberkes]
- fix: Replace obsolete macros
[PR #3095 - @airween]
- fix: Change 'SecEngineStatus' to Off by default
[PR #3092 - @airween]
- chore: update bug-report-for-version-3-x.md
[PR #3086 - @fzipi]
- test: Logical, syntax and cosmetic fixes on test cases
[PR #3080 - @MirkoDziadzka, @airween]
- Bump the C++ version from C++11 to C++17
[PR #3079 - @MirkoDziadzka]
- fix: makes uri decode platform independent
[PR #3016 - @M4tteoP]
v3.0.12 - 2024-Jan-30
---------------------
- Change REQUEST_FILENAME and REQUEST_BASENAME behavior
[Issue #3048 - @martinhsv, @theMiddleBlue, @theseion, @M4tteoP, @airween]
- Set the minimum security protocol version for SecRemoteRules
[Issue security/code-scanning/2 - @airween]
v3.0.11 - 2023-Dec-06
---------------------
- Add WRDE_NOCMD to wordexp call
[Issue #3024 - @sahruldotid, @martinhsv]
- Fix: validateDTD compile fails if when libxml2 not installed
[Issue #3014 - @zangobot, @martinhsv]
- Fix memory leak of validateDTD's dtd object
[Issue #3008 - @martinhsv, @zimmerle]
- Fix memory leaks in ValidateSchema
[Issue #3005 - @martinhsv, @zimmerle]
- Add support for expirevar action
[Issue #1803, #3001 - @martinhsv]
- Fix: lmdb regex match on non-null terminated string
[Issue #2985 - @martinhsv]
- Fix memory leaks in lmdb code (new'd strings)
[Issue #2983 - @martinhsv]
- Configure: add additional name to pcre2 pkg-config list
[Issue #2939 - @agebhar1, @fzipi, @martinhsv]
v3.0.10 - 2023-Jul-25
---------------------
- Fix: worst-case time in implementation of four transformations
[Issue #2934 - @martinhsv]
- Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED
[Issue #2901 - @airween]
- Make MULTIPART_PART_HEADERS accessible to lua
[Issue #2916 - @martinhsv]
- Fix: Lua scripts cannot read whole collection at once
[Issue #2900 - @udi-aharon, @airween, @martinhsv]
- Fix: quoted Include config with wildcard
[Issue #2905 - @wiseelf, @airween, @martinhsv]
- Support isolated PCRE match limits
[Issue #2736 - @brandonpayton, @martinhsv]
- Fix: meta actions not applied if multiMatch in first rule of chain
[Issue #2867, #2868 - @mlevogiannis, @martinhsv]
- Fix: audit log may omit tags when multiMatch
[Issue #2866 - @mlevogiannis]
- Exclude CRLF from MULTIPART_PART_HEADER value
[Issue #2870 - @airween, @martinhsv]
- Configure: use AS_ECHO_N instead echo -n
[Issue #2894 - @liudongmiao, @martinhsv]
- Adjust position of memset from 2890
[Issue #2891 - @mirkodziadzka-avi, @martinhsv]
- Add test: empty lines in ipMatchFromFile test
[Issue #2846 - @tomsommer]
v3.0.9 - 2023-Apr-12
--------------------
- Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
[Issue #2877, #2890 - @tomsommer, @martinhsv]
- Add some member variable inits in Transaction class (possible segfault)
[Issue #2886 - @GNU-Plus-Windows-User, @airween, @mdounin, @martinhsv]
- Resolve memory leak on reload (bison-generated variable)
[Issue #2876 - @martinhsv]
- Support equals sign in XPath expressions
[Issue #2328 - @dennus, @martinhsv]
- Encode two special chars in error.log output
[Issue #2854 - @airween, @martinhsv]
- Add JIT support for PCRE2
[Issue #2791 - @wfjsw, @airween, @FireBurn, @martinhsv]
- Support comments in ipMatchFromFile file via '#' token
[Issue #2554 - @tomsommer, @martinhsv]
- Use name package name libmaxminddb with pkg-config
[Issue #2595, #2596 - @frankvanbever, @ffontaine, @arnout]
- Fix: FILES_TMP_CONTENT collection key should use part name
[Issue #2831 - @airween]
- Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro
[Issue #2806 - @hughmcmaster]
- During configure, do not check for pcre if pcre2 specified
[Issue #2750 - @dvershinin, @martinhsv]
- Use pkg-config to find libxml2 first
[Issue #2714 - @hughmcmaster]
- Fix two rule-reload memory leak issues
[Issue #2801 - @Abce, @martinhsv]
- Correct whitespace handling for Include directive
[Issue #2800 - @877509395, @martinhsv]
v3.0.8 - 2022-Sep-07
--------------------
- Adjust parser activation rules in modsecurity.conf-recommended
[Issue #2796 - @terjanq, @martinhsv]
- Multipart parsing fixes and new MULTIPART_PART_HEADERS collection
[Issue #2795 - @terjanq, @martinhsv]
- Prevent LMDB related segfault
[Issue #2755, #2761 - @dvershinin]
- Fix msc_transaction_cleanup function comment typo
[Issue #2788 - @lookat23]
- Fix: MULTIPART_INVALID_PART connected to wrong internal variable
[Issue #2785 - @martinhsv]
- Restore Unique_id to include random portion after timestamp
[Issue #2752, #2758 - @datkps11, @martinhsv]
v3.0.7 - 2022-May-30
--------------------
- Move PCRE2 match block from member variable
[@martinhsv]
- Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended
[Issue #2738 - @jleproust, @martinhsv]
- Fix memory leak when concurrent log includes REMOTE_USER
[Issue #2727 - @liudongmiao]
- Fix LMDB initialization issues
[Issue #2688 - @ziollek, @martinhsv]
- Fix initcol error message wording
[Issue #2732 - @877509395, @martinhsv]
- Tolerate other parameters after boundary in multipart C-T
[Issue #1900 - @martinhsv]
- Add DebugLog message for bad pattern in rx operator
[Issue #2723 - @martinhsv]
- Support PCRE2
[Issue #2668 - @martinhsv]
- Support SecRequestBodyNoFilesLimit
[Issue #2670 - @airween, @martinhsv]
- Fix misuses of LMDB API
[Issue #2601, #2602 - @hyc]
- Fix duplication typo in code comment
[Issue #2677 - @gleydsonsoares]
- Add ctl:auditEngine action support
[Issue #2606 - @alekravch, @martinhsv]
- Fix multiMatch msg, etc, population in audit log
[Issue #2573 - @Sachin-M-Desai, @martinhsv]
- Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc.
[Issue #2627, #2648 - @lontchianicet, @victorserbu2709, @martinhsv]
- Adjust confusing variable name in setRequestBody method
[Issue #2635 - @Mesar-Ali, @martinhsv]
- Multipart names/filenames may include single quote if double-quote enclosed
[Issue #2352 - @martinhsv]
- Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
[Issue #2647 - @theMiddleBlue, @airween, @877509395 ,@martinhsv]
v3.0.6 - 2021-Nov-19
--------------------
- Support configurable limit on depth of JSON parsing
[@theMiddleBlue, @martinhsv]
v3.0.5 - 2021-Jul-07
--------------------
- Handle URI received with uri-fragment
[@martinhsv]
- Having ARGS_NAMES, variables proxied
[@zimmerle, @martinhsv, @KaNikita]
- Use explicit path for cross-compile environments.
[Issue #2485 - @dtoubelis]
- Fix: FILES variable does not use multipart part name for key
[Issue #2377 - @martinhsv]
- Replaces put with setenv in SetEnv action
[Issue #2469 - @martinhsv, @WGH-, @zimmerle]
- Regression: Mark the test as failed in case of segfault.
[@zimmerle]
- Regex key selection should not be case-sensitive
[Issue #2296, #2107, #2297 - @michaelgranzow-avi, @victorhora,
@airween, @martinhsv, @zimmerle]
- Fix: Only delete Multipart tmp files after rules have run
[Issue #2427 - @martinhsv]
- Fixed MatchedVar on chained rules
[Issue #2423, #2435, #2436 - @michaelgranzow-avi]
- Add support for new operator rxGlobal
[@martinhsv]
- Fix maxminddb link on FreeBSD
[Issue #2131 - @granalberto, @zimmerle]
- Fix IP address logging in Section A
[Issue #2300 - @inaratech, @zavazingo, @martinhsv]
- Adds support to lua 5.4
[@zimmerle]
- GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE
[Issues #2378, #2186 - @defanator]
- rx: exit after full match (remove /g emulation); ensure capture
groups occuring after unused groups still populate TX vars
[Issue #2336 - @martinhsv]
- Correct CHANGES file entry for #2234
- Add support to test framework for audit log content verification
and add regression tests for issues #2000, #2196
- Support configurable limit on number of arguments processed
[Issue #2234 - @jleproust, @martinhsv]
- Multipart Content-Dispostion should allow field: filename*=
[@martinhsv]
- Fix rule-update-target for non-regex
[Issue 2251 - @martinhsv]
- Fix configure script when packaging for Buildroot
[Issue 2235 - @frankvanbever]
- modsecurity.pc.in: add Libs.private
[Issue #1918, #2253 - @ffontaine, @Dridi, @victorhora]
v3.0.4 - 2020-Jan-13
--------------------
- Fix: audit log data omitted when nolog,auditlog
[@martinhsv]
- Fix: ModSecurity 3.x inspectFile operator does not pass
FILES_TMPNAMES parameter to lua engine
[Issue #2204, #2205 - @kadirerdogan]
- XML: Remove error messages from stderr
[Issue #2010 - @JaiHarpalani, @zimmerle]
- Filter comment or blank line for pmFromFile operator
[Issue #1645 - @LeeShan87, @victorhora, @tdoubley]
- Additional adjustment to Cookie header parsing
[@martinhsv]
- Restore chained rule part H logging to be more like 2.9 behaviour
[Issue #2196 - @martinhsv]
- Small fixes in log messages to help debugging the file upload
[Issue #2130 - @airween]
- Fix Cookie header parsing issues
[Issue #2201 - @airween, @martinhsv]
- Fix rules with nolog are logging to part H
[Issue #2196 - @martinhsv]
- Fix argument key-value pair parsing cases
[Issue #1904 - @martinhsv]
- Fix: audit log part for response body for JSON format to be E
[Issue #2066 - @martinhsv, @zimmerle]
- Make sure m_rulesMessages is filled after successfull match
[Issue #2000, #2048 - @victorhora, @defanator]
- Fix @pm lookup for possible matches on offset zero.
[@zimmerle, @afoxdavidi, @martinhsv, @marshal09]
- Regex lookup on the key name instead of COLLECTION:key
[@rdiperri-yottaa, @danbiagini-work, @mmelo-yottaa, @zimmerle]
- Missing throw in Operator::instantiate
[Issue #2106 - @marduone]
- Making block action execution dependent of the SecEngine status
[Issue #2113, #2111 - @theMiddleBlue, @airween]
- Making block action execution dependent of the SecEngine status
[Issue #1960 - @theMiddleBlue, @zimmerle, @airween, @victorhora]
- Having body limits to respect the rule engine state
[@zimmerle]
- Fix SecRuleUpdateTargetById does not match regular expressions
[Issue #1872 - @zimmerle, @anush-cr, @victorhora, @j0k2r]
- Adds missing check for runtime ctl:ruleRemoveByTag
[Issue #2102, #2099 - @airween]
- Adds a new operator verifySVNR that checks for Austrian social
security numbers.
[Issue #2063 - @Rufus125]
- Fix variables output in debug logs
[Issue #2057 - @jleproust]
- Correct typo validade in log output
[Issue #2059 - @nerrehmit]
- fix/minor: Error encoding hexa decimal.
[Issue #2068 - @tech-ozon-io]
- Limit more log variables to 200 characters.
[Issue #2073 - @jleproust]
- parser: fix parsed file names
[@zimmerle]
- Allow empty anchored variable
[Issue #2024 - @airween]
- Fixed FILES_NAMES collection after the end of multipart parsing
[Issue #2016 - @airween]
- Fixed validateByteRange parsing method
[Issue #2017 - @airween]
- Removes a memory leak on the JSON parser
[@zimmerle]
- Enables LMDB on the regression tests.
[Issue #2011, #2008 - @WGH-, @mdunc]
- Fix: Extra whitespace in some configuration directives causing error
[Issue #2006 - @porjo, @zimmerle]
- Refactoring on Regex and SMatch classes.
[@WGH-]
- Fixed buffer overflow in Utils::Md5::hexdigest()
[Issue #2002 - @defanator]
- Implemented merge() method for ConfigInt, ConfigDouble, ConfigString
[Issue #1990 - @defanator]
- Adds initially support to the drop action.
[@zimmerle]
- Complete merging of particular rule properties
[Issue #1978 - @defanator]
- Replaces AC_CHECK_FILE with 'test -f'
[Issue #1984 - @chuckwolber]
- Fix inet addr handling on 64 bit big endian systems
[Issue #1980 - @airween]
- Fix tests on FreeBSD
[Issue #1973 - @defanator]
- Changes ENV test case to read the default MODSECURTIY env var
[Issue #1969 - @zimmerle, @airween, @inittab]
- Regression: Sets MODSECURITY env var during the tests execution
[Issue #1969 - @zimmerle, @airween, @inittab]
- Fix setenv action to strdup key=variable
[@zimmerle]
- Allow 0 length JSON requests.
[Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
- Fix "make dist" target to include default configuration
[Issue #1966 - @defanator]
- Replaced log locking using mutex with fcntl lock
[Issue #1949, #1927 - @Cloaked9000]
- Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES
[Issue #1959 - @weliu]
- Adds support to multiple ranges in ctl:ruleRemoveById
[Issue #1956 - @theseion, @victorhora, @zimmerle]
- Rule variable interpolation broken
[Issue #1961 - @soonum, @zimmerle]
- Make the boundary check less strict as per RFC2046
[Issue #1943 - @victorhora, @allanbomsft]
- Fix buffer size for utf8toUnicode transformation
[Issue #1208 - @katef, @victorhora]
v3.0.3 - 2018-Nov-05
--------------------
- Fix double macros bug
[Issue #1943 - @supplient, @zimmerle]
- Override the default status code if not suitable to redirect action
[Issue #1850 - @zimmerle, @victorhora]
- parser: Fix the support for CRLF configuration files
[Issue #1945 - @zimmerle, @defanator, @kjakub]
- Organizes the server logs
[0xb7c36 and 0x5ac20 - @zimmerle, @steven-j-wojcik]
- m_lineNumber in Rule not mapping with the correct line number in file
[Issue #1844 - @zimmerle, @victorhora, @xizeng]
- Using shared_ptr instead of unique_ptr on rules exceptions
[Issue #1697 - @zimmerle, @brianp9906, @victorhora, @LeSwiss, @defanator]
- Changes debuglogs schema to avoid unecessary str allocation
[0xb2840 - @zimmerle]
- Fix the SecUnicodeMapFile and SecUnicodeCodePage
[0x3094d - @zimmerle, @victorhora]
- Changes the timing to save the rule message
[0xca270 - @zimmerle]
- Fix crash in msc_rules_add_file() when using disruptive action in chain
[Issue #1849 - @victorhora, @zimmerle, @rperper]
- Fix memory leak in AuditLog::init()
[Issue #1897 - @weliu]
- Fix RulesProperties::appendRules()
[Issue #1901 - @steven-j-wojcik]
- Fix RULE lookup in chained rules
[0x3077c - @zimmerle]
- @ipMatch "Could not add entry" on slash/32 notation in 2.9.0
[Issue #849 - @zimmerle, @dune73]
- Using values after transformation at MATCHED_VARS
[0x14316 - @zimmerle]
- Adds support to UpdateActionById.
[Issue #1800 - @zimmerle, @victorhora, @NisariAIT]
- Add correct C function prototypes for msc_init and msc_create_rule_set
[Issue #1922 - @steven-j-wojcik]
- Allow LuaJIT 2.1 to be used
[Issue #1909 - @victorhora, @mdunc]
- Match m_id JSON log with RuleMessage and v2 format
[Issue #1185 - @victorhora]
- Adds support to setenv action.
[Issue #1044 - @zimmerle]
- Adds new transaction constructor that accepts the transaction id
as parameter.
[Issue #1627 - @defanator, @zimmerle]
- Adds request IDs and URIs to the debug log
[Issue #1627 - @defanator, @zimmerle]
- Treating variables exception on load-time instead of run time.
[0x028e0 and 0x275a1 - @zimmerle]
- Fix: function m.setvar in Lua scripts and add testcases
[Issue #1859 - @nowaits, @victorhora]
- Fix SecResponseBodyAccess and ctl:requestBodyAccess directives
[Issue #1531 - @victorhora, @defanator]
- Fix OpenBSD build
[Issue #1841 - @victorhora, @zimmerle, @juanfra684]
- Fix parser to support GeoLookup with MaxMind
[Issue #1884, #1895 - @victorhora, @everping]
- parser: Fix simple quote setvar in the end of the line
[Issue #1831 - @zimmerle, @csanders-git]
- Fix pc file
[Issue #1847 - @gquintard]
- modsec_rules_check: uses the gnu `.la' instead of `.a' file
[Issue #1853 - @ste7677, @victorhora, @zimmerle]
- good practices: Initialize variables before use it
[Issue #1889 - Marc Stern]
- Fix utf-8 character encoding conversion
[Issue #1794 - @tinselcity, @zimmerle]
- Adds support for ctl:requestBodyProcessor=URLENCODED
[Issue #1797 - @victorhora]
- Add LUA compatibility for CentOS and try to use LuaJIT first if available
[Issue #1622 - @victorhora, @dmitryzykov]
- Allow LuaJIT to be used
[Issue #1809 - @victorhora, @p0pr0ck5]
- Implement support for Lua 5.1
[Issue #1809 - @p0pr0ck5, @victorhora]
- Variable names must match fully, not partially. Match should be case
insensitive.
[Issue #1818, #1820, #1810, #1808 - @michaelgranzow-avi, @victorhora,
@theMiddleBlue, @airween, @zimmerle,
@LeeShan87]
- Improves the performance while loading the rules
[Issue #1735 - @zimmerle, @p0pr0ck5, @victorhora]
- Allow empty strings to be evaluated by regex::searchAll
[Issue #1799, #1785 - @victorhora, @XuanHuyDuong, @zimmerle]
- Adds basic pkg-config info
[Issue #1790 - @gquintard, @zimmerle]
- Fixed LMDB collection errors
[Issue #1787 - @airween, @zimmerle]
- Fixed false positive MULTIPART_UNMATCHED_BOUNDARY errors
[Issue #1747, #1924 - @airween, @victorhora, @defanator, @zimmerle]
- Fix ip tree lookup on netmask content
[Issue #1793 - @tinselcity, @zimmerle]
- Changes the behavior of the default sec actions
[Issue #1629 - @mirkodziadzka-avi, @zimmerle, @victorhora]
- Refactoring on {global,ip,resources,session,tx,user} collections
[Issue #1754, #1778 - @LeeShan87, @zimmerle, @victorhora, @wwd5613,
@sobigboy]
- Fix race condition in UniqueId::uniqueId()
[Issue #1786 - @weliu]
- Fix memory leak in error message for msc_rules_merge C APIs
[Issue #1765 - @weliu]
- Return false in SharedFiles::open() when an error happens
[Issue #1783 - @weliu]
- Use rvalue reference in ModSecurity::serverLog
[Issue #1769 - @weliu]
- Build System: Fix when multiple lines for curl version.
[Issue #1771 - @Artistan]
- Checks if response body inspection is enabled before process it
[Issue #1643 - @zoltan-fedor, @dennus, @defanator, @zimmerle]
- Code Cleanup.
[Issue #1757, #1755, #1756, #1761 - @p0pr0ck5]
- Fix setvar parsing of quoted data
[Issue #1733, #1759, #1775 - @victorhora, @JaiHarpalani, @defanator]
- Fix LDFLAGS for unit tests.
[Issue #1758 - @smlx]
- Adds time stamp back to the audit logs
[Issue #1762 - @Pjack, @zimmerle]
- Disables skip counter if debug log is disabled
[@zimmerle]
- Cosmetics: Represents amount of skipped rules without decimal
[Issue #1737 - @p0pr0ck5]
- Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser
[Issue #1752 - @victorhora]
- Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp.
[Issue #1738 - @victorhora]
- Fix memory leak in modsecurity::utils::expandEnv()
[Issue #1750 - @defanator]
- Initialize m_dtd member in ValidateDTD class as NULL
[Issue #1751 - @airween]
- Fix broken @detectxss operator regression test case
[Issue #1739 - @p0pr0ck5]
- Fix utils::string::ssplit() to handle delimiter in the end of string
[Issue #1743, #1744 - @defanator]
- Fix variable FILES_TMPNAMES
[Issue #1646, #1610 - @victorhora, @zimmerle, @defanator]
- Fix memory leak in Collections
[Issue #1729, #1730 - @defanator]
v3.0.2 - 2018-Apr-03
--------------------
- Fix lib version information while generating the .so file
[@gl1f1v21, @zimmerle]
v3.0.1 - 2018-Apr-02
--------------------
- Adds support for ctl:ruleRemoveByTag
[@zimmerle, @weliu]
- Fix SecUploadDir configuration merge
[Issue #1720 - @zimmerle, @gjvanetten]
- Include all prerequisites for "make check" into dist archive
[Issue #1716 - @defanator]
- Fix: Reverse logic of checking output in @inspectFile
[Issue #1715 - @defanator]
- Adds support to libMaxMind
[Issue #1307 - @zimmerle, @defanator]
- Adds capture action to detectXSS
[Issue #1698 - @victorhora]
- Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator
[Issue #1701 - @victorhora]
- Adds capture action to detectSQLi
[Issue #1698 - @zimmerle]
- Adds capture action to rbl
[Issue #1698 - @zimmerle]
- Adds capture action to verifyCC
[Issue #1698 - @michaelgranzow-avi, @zimmerle]
- Adds capture action to verifySSN
[Issue #1698 - @zimmerle]
- Adds capture action to verifyCPF
[Issue #1698 - @zimmerle]
- Prettier error messages for unsupported configurations (UX)
[@victorhora]
- Add missing verify*** transformation statements to parser
[Issue #1006 and #1007 - @victorhora]
- Fix a set of compilation warnings
[Issue #1650 - @zimmerle, @JayCase]
- Check for disruptive action on SecDefaultAction.
[Issue #1614 - @zimmerle, @michaelgranzow-avi]
- Fix block-block infinite loop.
[Issue #1614 - @zimmerle, @michaelgranzow-avi]
- Correction remove_by_tag and remove_by_msg logic.
[Issue #1636 - @Minasu]
- Fix LMDB compile error
[Issue #1691 - @airween]
- Fix msc_who_am_i() to return pointer to a valid C string
[Issue #1640 - @defanator]
- Added some cosmetics to autoconf related code
[Issue #1652 - @airween]
- Fix "make dist" target to include necessary headers for Lua
[Issue #1678 - @defanator]
- Fix "include /foo/*.conf" for single matched object in directory
[Issue #1677 - @defanator, @zimmerle]
- Add missing Base64 transformation statements to parser
[Issue #1632 - @victorhora, @zimmerle]
- Fixed resource load on ip match from file
[#1674 - @zimmerle, @StefaanSeys]
- Fixed examples compilation while using disable-shared
[#1670 - @zimmerle, @ivanbaldo]
- Fixed compilation issue while xml is disabled
[0x243028 - @zimmerle]
- Having LDADD and LDFLAGS organized on Makefile.am
[0xd0e85e - @zimmerle]
- Checking std::deque size before use it
[0x217cbf - @zimmerle, Yaron Dayagi]
- perf improvement: Added the concept of RunTimeString and removed
all run time parser.
[0x3eae51 0x0320e0 0xb5688f 0xfe47a9 0xfa9842 0x1affc3 0x079de4
0xc7c04f 0x5262ea 0x01974a 0xd5ee1e - @zimmerle]
- perf improvement: Checks debuglog level before format debug msg
[0x42ee9 - @zimmerle]
- perf. improvement/rx: Only compute dynamic regex in case of macro
[0x91ff3 - @zimmerle]
- Fix uri on the benchmark utility
[0x63bec - @zimmerle]
- disable Lua on systems with liblua5.1
[Issue #1639 - @victorhora, @defanator]
v3.0.0 - 2017-Dec-13
--------------------
- Improvements on LUA build scripts and support for LUA 5.2.
[Issue #1617 and #1622 - @victorhora, @zimmerle]
- Fix compilation error with disable_debug_log flag
[0xfd84e - Izik Abramov]
- Improvements on the benchmark tool.
[Issue #1615 - @zimmerle]
- Fix lua headers on the build scripts
[Issue #1621 - @Minasu]
- Refactoring on the JSON parser.
[Issue #1576, #1577 - Tobias Gutknecht, @zimmerle, @victorhora, @marcstern]
- Adds support to WEBAPPID variable.
[Issue #1027 - @zimmerle, @victorhora]
- Adds support for SecWebAppId.
[Issue #1442 - @zimmerle, @victorhora]
- Adds support for SecRuleRemoveByTag.
[Issue #1476 - @zimmerle, @victorhora]
- Adds support for update target by message.
[Issue #1474 - @zimmerle, @victorhora]
- Adds support to SecRuleScript directive.
[Issue #994 - @zimmerle]
- Adds support for the exec action.
[Issue #1050 - @zimmerle]
- Adds support for transformations inside Lua engine
[Issue #994 - @zimmerle]
- Adds initial support for Lua engine.
[Issue #994 - @zimmerle]
- Adds support for @inspectFile operator.
[Issue #999 - @zimmerle, @victorhora]
- Adds support for RESOURCE variable collection.
[Issue #1014 - @zimmerle, @victorhora]
- Adds support for @fuzzyHash operator.
[Issue #997 - @zimmerle]
- Fix build on non x86 arch build
[Issue #1598 - @athmane]
- Fix memory issue while changing rule target dynamic
[Issue #1590 - @zimmerle, @slabber]
- Fix log while displaying the name of a dict selection by regex.
[@zimmerle]
- Setting http response code on the auditlog.
[Issue #1592 - @zimmerle]
- Refactoring on RuleMessage class, now accepting http code as parameter.
[@zimmerle]
- Having disruptive msgs as disruptive [instead of warnings] on audit log
[Issue #1592 - @zimmerle, @nobodysz]
- Parser: Pipes are no longer welcomed inside regex dict element selection.
[Issue #1591 - @zimmerle, @slabber]
- Avoids unicode initialization on every rules object
[Issue #1563 - @zimmerle, @Tiki-God, @sethinsd, @Cloaked9000, @AnoopAlias,
@intelbg]
- Makes clear to the user whenever the audit log is empty due to missing
JSON support.
[Issue #1585 - @zimmerle]
- Makes auditlog more verbose on debug logs
[Issue: #1559 - @zimmerle]
- Enable support for AuditLogFormat
Issue: #1583, #1493 and #1453 - @victorhora]
- Adds macro expansion for @rx operator
[Issue: #1528, #1536 - @asterite3, @zimmerle]
- Consideres under quoted variable while loading the rules.
[Felipe Zimmerle/@zimmerle, Victor Hora/@victorhora]
- Store the connection and url parameters in std::string
[Issue: #1571 - @majordaw]
- Eliminate some reorder and sign warnings
[Issue: #1572 - Dávid Major/@majordaw]
- Makes parallel logging to work when SELinux is enabled.
[Issue: #1562 - David Buckle/@met3or]
- Adds possibility to run the pm operator inside a mutex to avoid concurrent
access while working on a thread environment. This option is a compilation
flag.
[Felipe Zimmerle/@zimmerle]
v3.0.0-rc1 - 2017-Aug-28
------------------------
Very first public version.
|
