ModSecurity Versions Save

New features

• Having ARGS_NAMES, variables proxied [@zimmerle, @martinhsv, @KaNikita]
• Use explicit path for cross-compile environments. [Issue #2485 - @dtoubelis]
• Fix: FILES variable does not use multipart part name for key [Issue #2377 - @martinhsv]
• Regression: Mark the test as failed in case of segfault. [@zimmerle]
• GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE [Issues #2378, #2186 - @defanator]
• Add support to test framework for audit log content verification and add regression tests for issues #2000, #2196
• Support configurable limit on number of arguments processed [Issue #2234 - @jleproust, @martinhsv]
• Multipart Content-Dispostion should allow field: filename*= [@martinhsv]
• Adds support to lua 5.4 [@zimmerle]
• Add support for new operator rxGlobal [@martinhsv]

Bug fixes

• Replaces put with setenv in SetEnv action [Issue #2469 - @martinhsv, @WGH-, @zimmerle]
• Regex key selection should not be case-sensitive [Issue #2296, #2107, #2297 - @michaelgranzow-avi, @victorhora, @airween, @martinhsv, @zimmerle]
• Fix: Only delete Multipart tmp files after rules have run [Issue #2427 - @martinhsv]
• Fixed MatchedVar on chained rules [Issue #2423, #2435, #2436 - @michaelgranzow-avi]
• Fix maxminddb link on FreeBSD [Issue #2131 - @granalberto, @zimmerle]
• Fix IP address logging in Section A [Issue #2300 - @inaratech, @zavazingo, @martinhsv]
• rx: exit after full match (remove /g emulation); ensure capture groups occuring after unused groups still populate TX vars [Issue #2336 - @martinhsv]
• Correct CHANGES file entry for #2234
• Fix rule-update-target for non-regex [Issue #2251 - @martinhsv]
• Fix configure script when packaging for Buildroot [Issue #2235 - @frankvanbever]
• modsecurity.pc.in: add Libs.private [Issue #1918, #2253 - @ffontaine, @Dridi, @victorhora]

Security Impacting Issues

• Handle URI received with uri-fragment [@martinhsv]

Enhancements

• Add microsec timestamp resolution to the formatted log timestamp [Issue #2095 - @rainerjung]
• Added missing Geo Countries [Issue #2123, #2124 - @emphazer]

Bug fixes

• Store temporaries in the request pool for regexes compiled per-request. [Issue #890, #2049 - @lightsey]
• Fix other usage of the global pool for request temporaries in re_operators.c [Issue #890, #2049 - @lightsey]
• Adds a sanity check before use ctl:ruleRemoveTargetById and ctl:ruleRemoveTargetByMsg. [Issue #2033 - @studersi]
• Fix the order of error_msg validation [Issue #2128 - @marcstern, @zimmerle]
• When the input filter finishes, check whether we returned data [Issue #2091, #2092 - @rainerjung]
• fix: care non-null terminated chunk data [Issue #2097 - @orisano]
• Fix for apr_global_mutex_create() crashes with mod_security [Issue #1957 - @blappm]
• Fix inet addr handling on 64 bit big endian systems [Issue #1980 - @zimmerle, @airween]

Notes

• Windows installer no longer includes OWASP CRS.

New features

• SecRuleUpdateTargetById now supports regular expressions [Issue #1872 - @zimmerle, @anush-cr, @victorhora, @j0k2r]
• Adds a new operator verifySVNR that checks for Austrian social security numbers. [Issue #2063 - @Rufus125]
• Allow 0 length JSON requests. [Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
• Adds support to multiple ranges in ctl:ruleRemoveById [Issue #1956 - @theseion, @victorhora, @zimmerle]

Bug fixes

• Fix: audit log data omitted when nolog,auditlog [@martinhsv]
• Adds missing check for runtime ctl:ruleRemoveByTag [Issue #2102, #2099 - @airween]
• Fix: ModSecurity 3.x inspectFile operator does not pass FILES_TMPNAMES parameter to lua engine [Issue #2204, #2205 - @kadirerdogan]
• XML: Remove error messages from stderr [Issue #2010 - @JaiHarpalani, @zimmerle]
• Filter comment or blank line for pmFromFile operator [Issue #1645 - @LeeShan87, @victorhora, @tdoubley]
• Additional adjustment to Cookie header parsing [@martinhsv]
• Restore chained rule part H logging to be more like 2.9 behavior [Issue #2196 - @martinhsv]
• Small fixes in log messages to help debugging the file upload [Issue #2130 - @airween]
• Fix Cookie header parsing issues [Issue #2201 - @airween, @martinhsv]
• Fix rules with nolog are logging to part H [Issue #2196 - @martinhsv]
• Fix argument key-value pair parsing cases [Issue #1904 - @martinhsv]
• Fix: audit log part for response body for JSON format to be E [Issue #2066 - @martinhsv, @zimmerle]
• Make sure m_rulesMessages is filled after successful match [Issue #2000, #2048 - @victorhora, @defanator]
• Fix @pm lookup for possible matches on offset zero. [@zimmerle, @afoxdavidi, @martinhsv, @marshal09]
• Regex lookup on the key name instead of COLLECTION:key [@rdiperri-yottaa, @danbiagini-work, @mmelo-yottaa, @zimmerle]
• Missing throw in Operator::instantiate [Issue #2106 - @marduone]
• Making block action execution dependent on the SecEngine status [Issue #2113, #2111 - @theMiddleBlue, @airween]
• Making block action execution dependent of the SecEngine status [Issue #1960 - @theMiddleBlue, @zimmerle, @airween, @victorhora]
• Having body limits to respect the rule engine state [@zimmerle]
• Fix variables output in debug logs [Issue #2057 - @jleproust]
• Correct typo validade in log output [Issue #2059 - @nerrehmit]
• fix/minor: Error encoding hexa decimal. [Issue #2068 - @tech-ozon-io]
• Limit more log variables to 200 characters. [Issue #2073 - @jleproust]
• parser: fix parsed file names [@zimmerle]
• Allow empty anchored variable [Issue #2024 - @airween]
• Fixed FILES_NAMES collection after the end of multipart parsing [Issue #2016 - @airween]
• Fixed validateByteRange parsing method [Issue #2017 - @airween]
• Removes a memory leak on the JSON parser [@zimmerle]
• Enables LMDB on the regression tests. [Issue #2011, #2008 - @WGH-, @mdunc]
• Fix: Extra whitespace in some configuration directives causing error [Issue #2006 - @porjo, @zimmerle]
• Refactoring on Regex and SMatch classes. [@WGH-]
• Fixed buffer overflow in Utils::Md5::hexdigest() [Issue #2002 - @defanator]
• Implemented merge() method for ConfigInt, ConfigDouble, ConfigString [Issue #1990 - @defanator]
• Adds initially support the drop action. [@zimmerle]
• Complete merging of particular rule properties [Issue #1978 - @defanator]
• Replaces AC_CHECK_FILE with 'test -f' [Issue #1984 - @chuckwolber]
• Fix inet addr handling on 64 bit big-endian systems [Issue #1980 - @airween]
• Fix tests on FreeBSD [Issue #1973 - @defanator]
• Changes ENV test case to read the default MODSECURTIY env var [Issue #1969 - @zimmerle, @airween, @inittab]
• Regression: Sets MODSECURITY env var during the tests execution [Issue #1969 - @zimmerle, @airween, @inittab]
• Fix setenv action to strdup key=variable [@zimmerle]
• Fix "make dist" target to include default configuration [Issue #1966 - @defanator]
• Replaced log locking using mutex with fcntl lock [Issue #1949, #1927 - @Cloaked9000]
• Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES [Issue #1959 - @weliu]
• Rule variable interpolation broken [Issue #1961 - @soonum, @zimmerle]
• Make the boundary check less strict as per RFC2046 [Issue #1943 - @victorhora, @allanbomsft]
• Fix buffer size for utf8toUnicode transformation [Issue #1208 - @katef, @victorhora]

Security issue

• Cookie parser problems [@airween, @theMiddleBlue, @martinhsv]

Bug fixes

• Fix buffer size for utf8toUnicode transformation [Issue #1208 - @katef, @victorhora]
• Fix sanitizing JSON request bodies in native audit log format [p0pr0ck5, @victorhora]
• Fix NetBSD build by renaming the hmac function to avoid conflicts [Issue #1241 - @victorhora, @joerg, @sevan]
• IIS: Windows build, fix duplicate YAJL dir in script [Issue #1612 - @allanbomsft, @victorhora]
• Fix mpm-itk / mod_ruid2 compatibility [Issue #712 - @ju5t , @derhansen, @meatlayer, @victorhora]
• potential off by one in parse_arguments [Issue #1799 - @tinselcity, @zimmerle]
• Fix utf-8 character encoding conversion [Issue #1794 - @tinselcity, @zimmerle]
• Fix ip tree lookup on netmask content [Issue #1793 - @tinselcity, @zimmerle]
• build: fix when multiple lines for curl version [Issue #1771 - @Artistan]
• Fixes SecConnWriteStateLimit [Issue #1545 - @nicjansma]
• Adds missing headers [Issue #1454 - @devnexen]

Improvements

• Allow 0 length JSON requests. [Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
• Include unanmed JSON values in unnamed ARGS [Issue #1577, #1576 - @marcstern, @victorhora, @zimmerle]
• IIS: Update Wix installer to bundle a supported CRS version (3.0) [@victorhora, @zimmerle]
• IIS: Update dependencies for Windows build [Issue #1848 - @victorhora, @hsluoyz]
• IIS: Set SecStreamInBodyInspection by default on IIS builds (#1299) [Issue #1299 - @victorhora]
• IIS: Update modsecurity.conf [Issue #788 - @victorhora, @brianclark]
• Add sanity check for a couple malloc() and make code more resilient [Issue #979 - @dogbert2, @victorhora, @zimmerle]
• IIS: Remove body prebuffering due to no locking in modsecProcessRequest [Issue #1917 - @allanbomsft, @victorhora]
• Code cosmetics: checks if actionset is not null before use it [Issue #1556 - @marcstern, @zimmerle, @victorhora]
• Only generate SecHashKey when SecHashEngine is On [Issue #1671 - @dmuey, @monkburger, @zimmerle]
• Docs: Reformat README to Markdown and update dependencies [Issue #1857 - @hsluoyz, @victorhora]
• IIS: no lock on ProcessRequest. No reload of config. [Issue #1826 - @allanbomsft]
• IIS: buffer request body before taking lock [Issue #1651 - @allanbomsft]
• good practices: Initialize variables before use it [Issue #1889 - Marc Stern]
• Let body parsers observe SecRequestBodyNoFilesLimit [Issue #1613 - @allanbomsft]
• IIS: set overrideModeDefault to Allow so that individual websites can add <ModSecurity ...> to their web.config file [Issue #1781 - @default-kramer]
• modsecurity.conf-recommended: Fix spelling [Issue #1721 - @padraigdoran]
• Fix arabic charset in unicode_mapping file [Issue #1619 - @alaa-ahmed-a]
• Optionally preallocates memory when SecStreamInBodyInspection is on [Issue #1366 - @allanbomsft, @zimmerle]
• Fixed typo in build_yajl.bat [Issue #1366 - @allanbomsft]
• Added "empy chunk" check [Issue #1347, #1446 - @gravagli, @bostrt, @zimmerle]
• Add capture action to @detectXSS operator [Issue #1488, #1482 - @victorhora]
• Fix for wildcard operator when loading conf files on Nginx / IIS [Issue #1486, #1285 - @victorhora and @thierry-f-78]
• Set of fixies to make windows build workable with the buildbots [Commit 94fe3 - @zimmerle]
• Uses LOG_NO_STOPWATCH instead of DLOG_NO_STOPWATCH [Issue #1510 - @marcstern]

New features

• Adds new transaction constructor that accepts the transaction id as parameter. [Issue #1627 - @defanator, @zimmerle]
• Adds support to UpdateActionById. [Issue #1800 - @zimmerle, @victorhora, @NisariAIT]
• Adds support to setenv action. [Issue #1044 - @zimmerle]
• Adds support for ctl:requestBodyProcessor=URLENCODED [Issue #1797 - @victorhora]
• Implement support for Lua 5.1 [Issue #1809 - @p0pr0ck5, @victorhora]

Bug fixes

• Fix double macros bug [Issue #1943 - @supplient, @zimmerle]
• Override the default status code if not suitable to redirect action [Issue #1850 - @zimmerle, @victorhora]
• parser: Fix the support for CRLF configuration files [Issue #1945 - @zimmerle, @defanator, @kjakub]
• m_lineNumber in Rule not mapping with the correct line number in file [Issue #1844 - @zimmerle, @victorhora, @xizeng]
• Fix the SecUnicodeMapFile and SecUnicodeCodePage [0x3094d - @zimmerle, @victorhora]
• Fix crash in msc_rules_add_file() when using disruptive action in chain [Issue #1849 - @victorhora, @zimmerle, @rperper]
• Fix memory leak in AuditLog::init() [Issue #1897 - @weliu]
• Fix RulesProperties::appendRules() [Issue #1901 - @steven-j-wojcik]
• Fix RULE lookup in chained rules [0x3077c - @zimmerle]
• Add correct C function prototypes for msc_init and msc_create_rule_set [Issue #1922 - @steven-j-wojcik]
• Fix: function m.setvar in Lua scripts and add testcases [Issue #1859 - @nowaits, @victorhora]
• Fix SecResponseBodyAccess and ctl:requestBodyAccess directives [Issue #1531 - @victorhora, @defanator]
• parser: Fix simple quote setvar in the end of the line [Issue #1831 - @zimmerle, @csanders-git]
• Fix pc file [Issue #1847 - @gquintard]
• Fix utf-8 character encoding conversion [Issue #1794 - @tinselcity, @zimmerle]
• Fixed LMDB collection errors [Issue #1787 - @airween, @zimmerle]
• Fix ip tree lookup on netmask content [Issue #1793 - @tinselcity, @zimmerle]
• Fix race condition in UniqueId::uniqueId() [Issue #1786 - @weliu]
• Fix memory leak in error message for msc_rules_merge C APIs [Issue #1765 - @weliu]
• Build System: Fix when multiple lines for curl version. [Issue #1771 - @Artistan]
• Fix LDFLAGS for unit tests. [Issue #1758 - @smlx]
• Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp. [Issue #1738 - @victorhora]
• Fix broken @detectxss operator regression test case [Issue #1739 - @p0pr0ck5]
• Fix memory leak in modsecurity::utils::expandEnv() [Issue #1750 - @defanator] - Fix variable FILES_TMPNAMES [Issue #1646, #1610 - @victorhora, @zimmerle, @defanator]
• Fix memory leak in Collections [Issue #1729, #1730 - @defanator]

Improvements

• Organizes the server logs [0xb7c36 and 0x5ac20 - @zimmerle, @steven-j-wojcik]
• Using shared_ptr instead of unique_ptr on rules exceptions [Issue #1697 - @zimmerle, @brianp9906, @victorhora, @LeSwiss, @defanator]
• Changes debuglogs schema to avoid unecessary str allocation [0xb2840 - @zimmerle]
• Changes the timing to save the rule message [0xca270 - @zimmerle]
• @ipMatch "Could not add entry" on slash/32 notation in 2.9.0 [Issue #849 - @zimmerle, @dune73]
• Using values after transformation at MATCHED_VARS [0x14316 - @zimmerle]
• Allow LuaJIT 2.1 to be used [Issue #1909 - @victorhora, @mdunc]
• Match m_id JSON log with RuleMessage and v2 format [Issue #1185 - @victorhora]
• Adds request IDs and URIs to the debug log [Issue #1627 - @defanator, @zimmerle]
• Treating variables exception on load-time instead of run time. [0x028e0 and 0x275a1 - @zimmerle]
• Fix OpenBSD build [Issue #1841 - @victorhora, @zimmerle, @juanfra684]
• Fix parser to support GeoLookup with MaxMind [Issue #1884, #1895 - @victorhora, @everping]
• modsec_rules_check: uses the gnu .la' instead of .a' file [Issue #1853 - @ste7677, @victorhora, @zimmerle]
• good practices: Initialize variables before use it [Issue #1889 - Marc Stern]
• Add LUA compatibility for CentOS and try to use LuaJIT first if available [Issue #1622 - @victorhora, @dmitryzykov]
• Allow LuaJIT to be used [Issue #1809 - @victorhora, @p0pr0ck5]
• Variable names must match fully, not partially. Match should be case insensitive. [Issue #1818, #1820, #1810, #1808 - @michaelgranzow-avi, @victorhora, @theMiddleBlue, @airween, @zimmerle, @LeeShan87]
• Improves the performance while loading the rules [Issue #1735 - @zimmerle, @p0pr0ck5, @victorhora]
• Allow empty strings to be evaluated by regex::searchAll [Issue #1799, #1785 - @victorhora, @XuanHuyDuong, @zimmerle]
• Adds basic pkg-config info [Issue #1790 - @gquintard, @zimmerle]
• Fixed false positive MULTIPART_UNMATCHED_BOUNDARY errors [Issue #1747, #1924 - @airween, @victorhora, @defanator, @zimmerle]
• Changes the behavior of the default sec actions [Issue #1629 - @mirkodziadzka-avi, @zimmerle, @victorhora]
• Refactoring on {global,ip,resources,session,tx,user} collections [Issue #1754, #1778 - @LeeShan87, @zimmerle, @victorhora, @wwd5613, @sobigboy]
• Return false in SharedFiles::open() when an error happens [Issue #1783 - @weliu]
• Use rvalue reference in ModSecurity::serverLog [Issue #1769 - @weliu]
• Checks if response body inspection is enabled before process it [Issue #1643 - @zoltan-fedor, @dennus, @defanator, @zimmerle]
• Code Cleanup. [Issue #1757, #1755, #1756, #1761 - @p0pr0ck5]
• Fix setvar parsing of quoted data [Issue #1733, #1759, #1775 - @victorhora, @JaiHarpalani, @defanator]
• Adds time stamp back to the audit logs [Issue #1762 - @Pjack, @zimmerle]
• Disables skip counter if debug log is disabled [@zimmerle]
• Cosmetics: Represents amount of skipped rules without decimal [Issue #1737 - @p0pr0ck5]
• Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser [Issue #1752 - @victorhora]
• Initialize m_dtd member in ValidateDTD class as NULL [Issue #1751 - @airween]
• Fix utils::string::ssplit() to handle delimiter in the end of string [Issue #1743, #1744 - @defanator]

Bug fixes

• Fix lib version information while generating the .so file [@gl1f1v21, @zimmerle]

New features

• Support for ctl:ruleRemoveByTag [@zimmerle, @weliu]
• Support to libMaxMind [Issue #1307 - @zimmerle, @defanator]
• Added missing Base64 transformation statements to parser [Issue #1632 - @victorhora, @zimmerle]

Bug fixes

• Fix SecUploadDir configuration merge [Issue #1720 - @zimmerle, @gjvanetten]
• Fix: Reverse logic of checking output in @inspectFile [Issue #1715 - @defanator]
• Check for disruptive action on SecDefaultAction. [Issue #1614 - @zimmerle, @michaelgranzow-avi]
• Fix block-block infinite loop. [Issue #1614 - @zimmerle, @michaelgranzow-avi]
• Correction remove_by_tag and remove_by_msg logic. [Issue #1636 - @Minasu]
• Fix LMDB compile error [Issue #1691 - @airween]
• Fix msc_who_am_i() to return pointer to a valid C string [Issue #1640 - @defanator]
• Fix "include /foo/*.conf" for single matched object in directory [Issue #1677 - @defanator, @zimmerle]
• Fixed resource load on ip match from file [#1674 - @zimmerle, @StefaanSeys]
• Fixed examples compilation while using disable-shared [#1670 - @zimmerle, @ivanbaldo]
• Fixed compilation issue while xml is disabled [0x243028 - @zimmerle]
• Checking std::deque size before use it [0x217cbf - @zimmerle, Yaron Dayagi]
• Fix uri on the benchmark utility [0x63bec - @zimmerle]
• disable Lua on systems with liblua5.1 [Issue #1639 - @victorhora, @defanator]

Improvements

• Include all prerequisites for "make check" into dist archive [Issue #1716 - @defanator]
• Adds capture action to detectXSS [Issue #1698 - @victorhora]
• Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator [Issue #1701 - @victorhora]
• Adds capture action to detectSQLi [Issue #1698 - @zimmerle]
• Adds capture action to rbl [Issue #1698 - @zimmerle]
• Adds capture action to verifyCC [Issue #1698 - @michaelgranzow-avi, @zimmerle]
• Adds capture action to verifySSN [Issue #1698 - @zimmerle]
• Adds capture action to verifyCPF [Issue #1698 - @zimmerle]
• Prettier error messages for unsupported configurations (UX) [@victorhora]
• Add missing verify*** transformation statements to parser [Issue #1006 and #1007 - @victorhora]
• Fix a set of compilation warnings [Issue #1650 - @zimmerle, @JayCase]
• Added some cosmetics to autoconf related code [Issue #1652 - @airween]
• Fix "make dist" target to include necessary headers for Lua [Issue #1678 - @defanator]
• Having LDADD and LDFLAGS organized on Makefile.am [0xd0e85e - @zimmerle]
• perf improvement: Added the concept of RunTimeString and removed all run time parser. [0x3eae51 0x0320e0 0xb5688f 0xfe47a9 0xfa9842 0x1affc3 0x079de4 0xc7c04f 0x5262ea 0x01974a 0xd5ee1e - @zimmerle]
• perf improvement: Checks debuglog level before format debug msg [0x42ee9 - @zimmerle]
• perf. improvement/rx: Only compute dynamic regex in case of macro [0x91ff3 - @zimmerle]

Bug fixes

• Improvements on LUA build scripts and support for LUA 5.2. [Issue #1617 and #1622 - @victorhora, @zimmerle]
• Fix compilation error with disable_debug_log flag [0xfd84e - Izik Abramov]
• Improvements on the benchmark tool. [Issue #1615 - @michaelgranzow-avi]
• Fix lua headers on the build scripts [Issue #1621 - @Minasu]
• Refactoring on the JSON parser. [Issue #1576, #1577 - Tobias Gutknecht, @zimmerle, @victorhora, @marcstern]
• Fix build on non x86 arch build [Issue #1598 - @athmane]
• Fix memory issue while changing rule target dynamic [Issue #1590 - @zimmerle, @slabber]
• Fix log while displaying the name of a dict selection by regex. [@zimmerle]
• Setting http response code on the auditlog. [Issue #1592 - @zimmerle]
• Refactoring on RuleMessage class, now accepting http code as parameter. [@zimmerle]
• Having disruptive msgs as disruptive [instead of warnings] on audit log [Issue #1592 - @zimmerle, @nobodysz]
• Parser: Pipes are no longer welcomed inside regex dict element selection. [Issue #1591 - @zimmerle, @slabber]
• Avoids unicode initialization on every rules object [Issue #1563 - @zimmerle, @Tiki-God, @sethinsd, @Cloaked9000, @AnoopAlias, @intelbg]
• Makes clear to the user whenever the audit log is empty due to missing JSON support. [Issue #1585 - @zimmerle]
• Makes auditlog more verbose on debug logs [Issue: #1559 - @zimmerle]
• Enable support for AuditLogFormat Issue: #1583, #1493 and #1453 - @victorhora]
• Adds macro expansion for @rx operator [Issue: #1528, #1536 - @asterite3, @zimmerle]
• Consideres under quoted variable while loading the rules. [Felipe Zimmerle/@zimmerle, Victor Hora/@victorhora]
• Store the connection and url parameters in std::string [Issue: #1571 - @majordaw]
• Eliminate some reorder and sign warnings [Issue: #1572 - Dávid Major/@majordaw]
• Makes parallel logging to work when SELinux is enabled. [Issue: #1562 - David Buckle/@met3or]
• Adds possibility to run the pm operator inside a mutex to avoid concurrent access while working on a thread environment. This option is a compilation flag. [Felipe Zimmerle/@zimmerle]

Improvements

• Adds support to WEBAPPID variable. [Issue #1027 - @zimmerle, @victorhora]
• Adds support for SecWebAppId. [Issue #1442 - @zimmerle, @victorhora]
• Adds support for SecRuleRemoveByTag. [Issue #1476 - @zimmerle, @victorhora]
• Adds support for update target by message. [Issue #1474 - @zimmerle, @victorhora]
• Adds support to SecRuleScript directive. [Issue #994 - @zimmerle]
• Adds support for the exec action. [Issue #1050 - @zimmerle]
• Adds support for transformations inside Lua engine [Issue #994 - @zimmerle]
• Adds initial support for Lua engine. [Issue #994 - @zimmerle]
• Adds support for @inspectFile operator. [Issue #999 - @zimmerle, @victorhora]
• Adds support for RESOURCE variable collection. [Issue #1014 - @zimmerle, @victorhora]
• Adds support for @fuzzyHash operator. [Issue #997 - @zimmerle]

This is the first release candidate for ModSecurity version 3.

If you are not familiar with ModSecurity version 3, most likely this release is not what you are looking for. For the Apache module please refer to the v2.x releases.

There is no change log as this is the first release candidate. The goal was to mimic the version 2 most popular functionalities.

In order to use this library within your webserver, you need use a compatible connectors: ModSecurity-nginx, ModSecurity-apache.

Further information about this release can be found in our wiki: ModSecurity-version-3-RC1

Bug fixes

• IIS build refactoring and dependencies update [Issue #1487 - @victorhora]
• Best practice: Initialize msre_var pointers [Commit fbd57 - Allan Boll]
• nginx: Obtain port from r->connection->local_sockaddr. As reported by Przemyslaw Duda the lack of this commit may lead to a DoS. This patch is now merged on all nginx trees. But we still recommend nginx users to move forward to version 3. [Commit 51314 - @defanator and Przemyslaw Duda]
• Updates libinjection to v3.10.0 [Issue #1412 - @client9, @zimmerle and @bjdijk]
• Avoid log flood while using SecConnEngine [Issue #1436 - @victorhora]
• Make url path absolute for SecHashEngine only when it is relative in the first place. [Issue #752, #1071 - @hideaki]
• Fix the hex digit size for SHA1 on msc_crypt implementation. [Issue #1354 - @zimmerle and @parthasarathi204]
• Avoid to flush xml buffer while assembling the injected html. [Issue #742 - @zimmerle]
• Avoid additional operator invokation if last transform of a multimatch doesn't modify the input [Issue #1086, #1087 - Daniel Stelter-Gliese]
• Adds a sanity check before use ctl:ruleRemoveTargetByTag. [Issue #1353 - @LukeP21 and @zimmerle]
• Uses an optional global lock while manipulating collections. [Issues #1224 - @mturk and @zimmerle]
• Fix collection naming problem while merging collections. [Issue #1274 - Coty Sutherland and @zimmerle]
• Fix --enable-docs adding missing Makefile, modifying autoconf and filenames [Issue #1322 - @victorhora]
• Change from using rand() to thread-safe ap_random_pick. [Issue #1289 - Robert Bost]
• Cosmetics: added comments on odd looking code to prevent future scrutiny [Issue #1279 - Coty Sutherland]
• {dis|en}able-server-context-logging: Option to disable logging of server info (log producer, sanitized objects, ...) in audit log. [Issue #1069 - Marc Stern]
• Allow drop to work with mod_http2 [Issue #1308, #992 - @bazzadp]
• Fix SecConn(Read|Write)StateLimit on Apache 2.4 [Issue #1340, #1337, #786 - Sander Hoentjen]
• {dis|en}able-stopwatch-logging: Option to disable logging of stopwatches in audit log. [Issue #1067 - Marc Stern]
• {dis|en}able-dechunk-logging: Option to disable logging of dechunking in audit log when log level < 9. [Issue #1068 - Marc Stern]
• Updates libinjection to: da027ab52f9cf14401dd92e34e6683d183bdb3b4 [ModSecurity team]
• {dis|en}able-handler-logging: Option to disable logging of Apache handler in audit log [Issue #1070, #1381 - Marc Stern]
• {dis|en}able-collection-delete-problem-logging: Option to disable logging of collection delete problem in audit log when log level < 9. [Issue #1380 - Marc Stern]
• Adds rule id in logs whenever a rule fail. [Issue #1379, #391 - Marc Stern]
• {dis|en}able-server-logging: Option to disable logging of "Server" in audit log when log level < 9. [Issue #1070 - Marc Stern]
• {dis|en}able-filename-logging: Option to disable logging of filename in audit log. [Issue #1065 - Marc Stern]
• Reads fuzzy hash databases on init [Issue #1339 - Robert Paprocki and @Rendername]
• Changes the configuration to recognize soap+xml as XML [Issue #1374 - @emphazer and Chaim Sanders]
• Fix building with nginx >= 1.11.11 [Issue #1373, #1359 - Andrei Belov and Thomas Deutschmann]
• Using Czechia instea of Czech Republic [Issue #1258 - Michael Kjeldsen]
• {dis|en}able-rule-id-validation: Option to disable rule id validation [Issue #1150 - Marc Stern and ModSecurity team]
• JSON Log: Append a newline to concurrent JSON audit logs [Issue #1233 - Robert Paprocki]
• JSON Log: Don't unnecessarily rename request body parts in cleanup [Issue #1223 - Robert Paprocki]
• Fix error message inside audit logs [Issue #1216 and #1073 - Armin Abfalterer]
• Remove port from IPV4 address when running under IIS. [Issue #1220, #1109 and #734 - Robert Culyer]
• Remove logdata and msg fields from JSON audit log rule. [Issue #1190 and #1174 - Robert Paprocki]
• Better handle the json parser cleanup [Issue #1204 - Ephraim Vider]
• Fix status failing to report in Nginx auditlogs [Issue #977, #1171 - @charlymps and Chaim Sanders]
• Fix file upload JSON audit log entry [Issue #1181 and #1173 - Robert Paprocki and Christian Folini]
• configure: Fix detection whether libcurl is linked against gnutls and, move verbose_output declaration up to the beginning. [Issue #1158 - Thomas Deutschmann (@Whissi)]
• Treat APR_INCOMPLETE as APR_EOF while receiving the request body. [Issue #1060, #334 - Alexey Sintsov]

Security Issues

• Allan Boll reported an uninitialize variable that may lead to a crash on Windows platform.
• Brian Adeloye reported an infinite loop on the version of libInjection used on ModSecurity 2.9.1.