ModSecurity icon indicating copy to clipboard operation
ModSecurity copied to clipboard
verified publisher icon owasp-modsecurity

Add PCRE2 support to ModSecurity v2

Open martinhsv opened this issue 3 years ago • 3 comments

The legacy PCRE implementation (more recently referred to as PCRE1) is no longer being updated, with v8.45 (from June 2021) expected to be the final version.

Also, Apache HTTP Server recently (as of 2.4.53) changed to support PCRE2.

Given the above, ModSecurity v2.9.x should be updated to support PCRE2 (as has already been done for the ModSecurity v3 branch via #2668 ).

martinhsv avatar May 04 '22 13:05 martinhsv

That would be highly welcome. We are observing the way PCRE1 becomes obsolete and would welcome a shift to PCRE2 for ModSec 2.9.

dune73 avatar May 04 '22 14:05 dune73

The legacy PCRE implementation (more recently referred to as PCRE1) is no longer being updated, with v8.45 (from June 2021) expected to be the final version.

Also, Apache HTTP Server recently (as of 2.4.53) changed to support PCRE2.

Given the above, ModSecurity v2.9.x should be updated to support PCRE2 (as has already been done for the ModSecurity v3 branch via #2668 ).

@martinhsv , Could you give us a tentative date for this undertaking? Is just merging (https://github.com/SpiderLabs/ModSecurity/pull/2719/commits/f84614fe066f74d111b802d582599655d0d7e3af#diff-aa2169b293a3363fc744929dd76991d33aaaec98b880d7502732d5ac138f61fc) to v2 branch enough to add support of PCRE2?

vinaykumarlaxman avatar Aug 23 '22 10:08 vinaykumarlaxman

Hello @vinaykumarlaxman ,

This item is considered to be fairly high priority. However, providing a precise date is not possible. I expect to work on this soon, but all items are potentially subject to higher-priority items arising.

No, it is not a simple matter of merging the v3 changes. For one thing, ModSecurity v3 is written in C++, while ModSecurity v2 is written in C.

martinhsv avatar Sep 12 '22 15:09 martinhsv

The PCRE2 functionality for ModSecurity v2 with Apache is now available for use.

The configure step by default will still attempt to use the legacy pcre1. If you wish to build with pcre2, you can use

./configure --with-pcre2

Note that implementation work so far includes the main functionality as well as mlogc, but so far not:

  • the optional PCRE2 Jit functionality
  • build infrastructure for ModSecurity for IIS
  • the separate alp2 audit parser lib (Is anybody still using this? It looks obsolete?)

martinhsv avatar Nov 16 '22 21:11 martinhsv