Marc Stern
Marc Stern
In modsec_var_log_handler(), ther's a check for msr being NULL: if (msr == NULL) return NULL; return construct_single_var(msr, name); construct_single_var() uses msr->msc_rule_mptmp, so this should also be checked: if (msr->msc_rule_mptmp ==...
Allow macro expansion in ctl:ruleRemoveTargetByTag. This allows, for instance, to detect headers not containing a specific character, then removing these headers from some rules.
In collection_retrieve_ex(), we check if a key exist with the name "KEY": if (apr_table_get(col, "KEY") == NULL) ... In collection_store(), we store the key with the name "__KEY": var_key =...
On Redhat/CentOS/Rocky 8, httpd crashes with a segmentation fault when enabling SecStreamInBodyInspection and sending a chunked encoded request. This happens with the platform httpd & mod_security2. Same with latest mod_security2...
In apache2/persist_dbm.c, in collection_store(), we have the following declaration: char *username; The variable is supposed to be initialized on line 392: apr_uid_name_get(&username, uid, msr->mp); In case there's a problem in...
sanitiseMatchedBytes:5/8 => OK sanitiseMatchedBytes:10/2 => not accepted => sanitizes the whole string In msre_action_sanitizeMatchedBytes_init(): `if (action->param != NULL && strlen(action->param) == 3)` should be `if (action->param != NULL && strlen(action->param)...
apr_pool_cleanup_register() is called at the very end of the function. In case any problem occurs (e.g., regex cannot compile) we return immediately, so the cleanup is never performed. apr_pool_cleanup_register() should...
For some collections (ARGS, REQUEST_COOKIES), it may be necessary to have them sorted in order to concatenate them in an intelligent way (i.e. concatenated all ARGS named "a" without others...
Most memory leak detectors redefine "alloc", "realloc" and "free" (and others). In struct _LIBSSH2_SESSION, we have fields with these names. This breaks the syntax when using such a memory leak...
Fixes several NULL pointers use. In case no rule id exists, log file name & line number in debug log. Obsoletes https://github.com/owasp-modsecurity/ModSecurity/pull/2950 (corrupted).