Accepting request 206042 from home:draht:branches:Apache:Modules

- complete overhaul of this package, with update to 2.7.5.
- ruleset update to 2.2.8-0-g0f07cbb.
- new configuration framework private to mod_security2:
  /etc/apache2/conf.d/mod_security2.conf loads
  /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf,
  then /etc/apache2/mod_security2.d/*.conf , as set up based on
  advice in /etc/apache2/conf.d/mod_security2.conf
  Your configuration starting point is
  /etc/apache2/conf.d/mod_security2.conf
- !!! Please note that mod_unique_id is needed for mod_security2 to run!
- modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneaous
  linker parameter, preventing rpath in shared object.
- fixes contained for the following bugs:
  * CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling
  * [bnc#768293] multi-part bypass, minor threat
  * CVE-2013-1915 [bnc#813190] XML external entity vulnerability
  * CVE-2012-4528 [bnc#789393] rule bypass
  * CVE-2013-2765 [bnc#822664] null pointer dereference crash
- new from 2.5.9 to 2.7.5, only major changes:
  * GPLv2 replaced by Apache License v2
  * rules are not part of the source tarball any longer, but
    maintaned upstream externally, and included in this package.
  * documentation was externalized to a wiki. Package contains
    the FAQ and the reference manual in html form.
  * renamed the term "Encryption" in directives that actually refer
    to hashes. See CHANGES file for more details.
  * new directive SecXmlExternalEntity, default off
  * byte conversion issues on s390x when logging fixed.
  * many small issues fixed that were discovered by a Coverity scanner
  * updated reference manual

OBS-URL: https://build.opensuse.org/request/show/206042
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=42

.gitattributes

@@ -21,3 +21,5 @@
 *.xz filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
+## Specific LFS patterns
+modsecurity_diagram_apache_request_cycle.jpg filter=lfs diff=lfs merge=lfs -text

ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bab5e208e8c2aa4beeb799a4d05bceb3eb44846e75565b32b483fb5fb32023a7
+size 11838

README-SUSE-mod_security2.txt

@@ -0,0 +1,13 @@
+
+#
+# Dear Administrator,
+#
+# mod_security2 is not activated by default upon installation of the
+# apache module.
+#
+# Your starting point for the configuration of mod_security2 is
+# /etc/apache2/conf.d/mod_security2.conf .
+# Please see that file for comments on how to activate the module
+# and on how to assign rules.
+#
+

Reference-Manual.html.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:160af986e97bafad2cdbd58469115102068eff3b2f2f246f559adf7256d0dcf8
+size 60381

SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:74053b91ff528ef1052da65ea56881c6849ef809074a84e01dbd8a70ec369e87
+size 279879

apache2-mod_security2.changes

@@ -1,3 +1,48 @@
+-------------------------------------------------------------------
+Fri Aug  2 14:18:39 CEST 2013 - draht@suse.de
+
+- complete overhaul of this package, with update to 2.7.5.
+- ruleset update to 2.2.8-0-g0f07cbb.
+- new configuration framework private to mod_security2:
+  /etc/apache2/conf.d/mod_security2.conf loads
+  /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf,
+  then /etc/apache2/mod_security2.d/*.conf , as set up based on
+  advice in /etc/apache2/conf.d/mod_security2.conf
+  Your configuration starting point is
+  /etc/apache2/conf.d/mod_security2.conf
+- !!! Please note that mod_unique_id is needed for mod_security2 to run!
+- modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneaous
+  linker parameter, preventing rpath in shared object.
+- fixes contained for the following bugs:
+  * CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling
+  * [bnc#768293] multi-part bypass, minor threat
+  * CVE-2013-1915 [bnc#813190] XML external entity vulnerability
+  * CVE-2012-4528 [bnc#789393] rule bypass
+  * CVE-2013-2765 [bnc#822664] null pointer dereference crash
+- new from 2.5.9 to 2.7.5, only major changes:
+  * GPLv2 replaced by Apache License v2
+  * rules are not part of the source tarball any longer, but
+    maintaned upstream externally, and included in this package.
+  * documentation was externalized to a wiki. Package contains
+    the FAQ and the reference manual in html form.
+  * renamed the term "Encryption" in directives that actually refer
+    to hashes. See CHANGES file for more details.
+  * new directive SecXmlExternalEntity, default off
+  * byte conversion issues on s390x when logging fixed.
+  * many small issues fixed that were discovered by a Coverity scanner
+  * updated reference manual
+  * wrong time calculation when logging for some timezones fixed.
+  * replaced time-measuring mechanism with finer granularity for
+    measured request/answer phases. (Stopwatch remains for compat.)
+  * cookie parser memory leak fix
+  * parsing of quoted strings in multipart Content-Disposition
+    headers fixed.
+  * SDBM deadlock fix
+  * @rsub memory leak fix
+  * cookie separator code improvements
+  * build failure fixes
+  * compile time option --enable-htaccess-config (set)
+
 -------------------------------------------------------------------
 Mon Aug 27 11:43:47 UTC 2012 - cfarrell@suse.com
 

apache2-mod_security2.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_security2
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,9 +17,9 @@
 
 
 Name:           apache2-mod_security2
-Version:        2.6.7
+Version:        2.7.5
 Release:        0
-%define aversion 2.6.7
+%define aversion 2.7.5
 #
 #
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -32,7 +32,9 @@ BuildRequires:  pcre-devel
 %define apache        apache2
 %define modname       mod_security2
 %define tarballname   modsecurity-apache_%{aversion}
-#
+%define refman        Reference-Manual.html
+%define faq           ModSecurity-Frequently-Asked-Questions-FAQ.html
+%define usrsharedir %{_prefix}/share/%{name}
 
 %{!?apxs: %global apxs /usr/sbin/apxs2}
 %{!?apache_libexecdir: %global apache_libexecdir %(%{apxs} -q LIBEXECDIR)}
@@ -47,11 +49,16 @@ Requires:       apache2
 #
 Url:            http://www.modsecurity.org/
 Source:         http://www.modsecurity.org/download/%{tarballname}.tar.gz
-Source1:        mod_security2.conf
+Source1:        https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//SpiderLabs-owasp-modsecurity-crs-2.2.8-0-g0f07cbb.tar.gz
-Source2:        rules.tar.bz2
+Source2:        mod_security2.conf
+Source3:        %{refman}.bz2
+Source4:        %{faq}.bz2
+Source5:        modsecurity_diagram_apache_request_cycle.jpg
+Source6:        README-SUSE-mod_security2.txt
 #
+Patch0:         modsecurity-apache_2.7.5-build_fix_pcre.diff
 Summary:        ModSecurity Open Source Web Application Firewall
-License:        Apache-2.0 and GPL-2.0
+License:        Apache-2.0
 Group:          Productivity/Networking/Web/Servers
 
 %description
@@ -61,44 +68,73 @@ as an Apache Web server module or standalone, the purpose of
 ModSecurity is to increase web application security, protecting web
 applications from known and unknown attacks.
 
+The modsecurity team also offer a commercial version of their excellent
+ruleset. Please have a look at http://www.modsecurity.org/ for more details.
 
 
 %prep
 %setup -n %{tarballname}
-tar -xvjpf %{S:2}
+#tar -xvjpf %{S:2}
+%setup -D -T -a 1 -n %{tarballname}
+mv -v SpiderLabs* rules
+bzip2 -dc %{SOURCE3} > %{_sourcedir}/%{refman} && touch -r %{SOURCE3} %{_sourcedir}/%{refman}
+bzip2 -dc %{SOURCE4} > %{_sourcedir}/%{faq} && touch -r %{SOURCE4} %{_sourcedir}/%{faq}
+%patch0
+#%patch1
+#%patch2
 
 %build
-#pushd %{apache}
+%configure --with-apxs=%{apxs} --enable-request-early --enable-htaccess-config
-  ./configure
+make %{?_smp_mflags}
-  make %{?_smp_mflags}
-#  make -C mlogc-src/
-#popd
 
 %install
 pushd %{apache}
-  install -D -m 0755 .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so
+  install -d -m 0755 %{buildroot}%{apache_libexecdir}
+  install -m 0755 .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so
 popd
-  install -D -m 0755 mlogc/mlogc               %{buildroot}%{_sbindir}/mlogc
+install -D -m 0644 %{SOURCE2} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf
-  install -D -m 0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_sbindir}/mlogc-batch-load.pl
+install -d -m 0755 %{buildroot}%{apache_sysconfdir}/mod_security2.d
-  install -D -m 0640 mlogc/mlogc-default.conf  %{buildroot}%{_sysconfdir}/mlogc.conf
+install -D -m 0644 %{SOURCE6} %{buildroot}%{apache_sysconfdir}/mod_security2.d
-  cp mlogc/INSTALL mlogc/INSTALL.mlogc
+cp -a %{SOURCE6} doc
-install -D -m 0644 %{SOURCE1} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf
+install -m 0644 %{_sourcedir}/%{faq} %{_sourcedir}/%{refman} doc
-mkdir examples
+install -m 0644 %{SOURCE5} doc
-cp -a tools examples
+install -d -m 0755 %{buildroot}/%{usrsharedir}
-rm -f examples/tools/M*
+install -d -m 0755 %{buildroot}/%{usrsharedir}/tools
-chmod 644 examples/tools/*
+install -d -m 0755 %{buildroot}/%{usrsharedir}
+rm -f rules/.gitignore rules/LICENSE
+cp -a rules/util/README %{buildroot}/%{usrsharedir}/tools/README-rules-updater.txt
+cp -a tools/rules-updater.pl tools/rules-updater-example.conf %{buildroot}/%{usrsharedir}/tools
+find rules -type f -print0 | \
+  xargs -0 chmod 644
+cp -a rules %{buildroot}/%{usrsharedir}
+rm -rf %{buildroot}/%{usrsharedir}/rules/util
+rm -rf %{buildroot}/%{usrsharedir}/rules/lua
+rm -f %{buildroot}/%{usrsharedir}/rules/READM*
+rm -f %{buildroot}/%{usrsharedir}/rules/INSTALL %{buildroot}/%{usrsharedir}/rules/CHANGELOG
+mv %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf.example \
+  %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf
+
+%clean
+%{__rm} -rf %{buildroot};
+%{__rm} -f %{_sourcedir}/%{faq} %{_sourcedir}/%{refman}
 
 %files
 %defattr(-, root, root, 0755)
 %{apache_libexecdir}/%{modname}.so
 %config(noreplace) %{apache_sysconfdir}/conf.d/%{modname}.conf
-%doc doc/Reference_Manual.html
+%dir %{apache_sysconfdir}/mod_security2.d
-%doc README.TXT CHANGES LICENSE modsecurity.conf-recommended
+%{apache_sysconfdir}/mod_security2.d/README-SUSE-mod_security2.txt
-%doc mlogc/INSTALL.mlogc mlogc/mlogc-default.conf
+%dir %{usrsharedir}
-%doc examples/
+#%dir %{usrsharedir}/tools
-%doc rules/
+#%dir %{usrsharedir}/rules
-%{_sbindir}/mlogc
+%doc README.TXT CHANGES LICENSE NOTICE authors.txt
-%{_sbindir}/mlogc-batch-load.pl
+%{usrsharedir}
-%config(noreplace) %{_sysconfdir}/mlogc.conf
+#%{usrsharedir}/rules/activated_rules
+#%{usrsharedir}/rules/base_rules
+#%{usrsharedir}/rules/experimental_rules
+#%{usrsharedir}/rules/optional_rules
+#%{usrsharedir}/rules/slr_rules
+%doc doc/*
+#rules/util/regression_tests
 
 %changelog

mod_security2.conf

@@ -1,60 +1,297 @@
+
+# Dear administrator/webmaster,
+#
+# Welcome to /etc/apache2/conf.d/mod_security2.conf, the starting point for
+# the configuration of mod_security2.
+# Please read this text down to line 63 for information about activation
+# and configuration of the mod_security2 apache module.
+#
+# To activate mod_security2, its apache module must be configured to be
+# loaded when apache starts. The mod_security2 apache module depends on 
+# the module mod_unique_id to be able to run. This means that both apache
+# modules must be activated/loaded when apache starts.
+
+# Change the configuration to load these two modules by adding the two
+# module names "security2" and "unique_id" to the variable APACHE_MODULES
+# in /etc/sysconfig/apache2 . You can do that manually, or use the tools
+# a2enmod (enable apache module) and a2dismod (disable apache module). 
+# These two tools expect the name of the module without the leading 
+# "mod_" as an argument!
+#
+# note: /etc/sysconfig/apache2 is evaluated upon apache start by the apache
+# start script /etc/init.d/apache2 . Changes in APACHE_MODULES are then 
+# visible in /etc/apache2/sysconfig.d/loadmodule.conf, changed by the start
+# script.
+#
+# example for the use of a2enmod/a2dismod:
+#
+# a2enmod security2		# enable module security2
+# a2enmod unique_id		# enable module unique_id
+#
+# a2dismod security2		# disable
+# a2dismod unique_id		# %
+
+#
+# This file /etc/apache2/conf.d/mod_security2.conf makes some basic
+# configuration settings, then loads
+#   /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
+# which is the baseline for the rules that can be loaded later.
+#
+# Afterwards, all files named *.conf in /etc/apache2/mod_security2.d are read.
+# For the rules you wish to apply, place a symlink to the rules file there.
+#
+# About the rules; The OWASP ModSecurity Core Rule Set version 2.2.7
+# is contained in this package, a splendid set of rules made to provide for a
+# decent basic and even advanced protection. The rules files are contained
+# in the directory /usr/share/apache2-mod_security2/rules/.
+#
+# Example (use all of the basic rules that come with the package):
+#
+# cd /etc/apache2/mod_security2.d
+# for i in /usr/share/apache2-mod_security2/rules/base_rules/mod*; do
+#   ln -s $i .
+# done
+#
+# At last, simply restart apache:
+#   rcapache2 restart
+#
+# In doubt, please consult the valuable online documentation on the project's
+# website, which is the authoritative source for documentation.
+# For offline reading, the webpages for the Reference Guide and the FAQ are
+# located in the package's documentation directory, in the state of 2013/01:
+# /usr/share/doc/packages/apache2-mod_security2
+#
+# Roman Drahtmueller <draht@suse.de>, SUSE, 20130118.
+#
+
+
+
 <IfModule mod_security2.c>
-	# Basic configuration options
-	SecRuleEngine On
-	SecRequestBodyAccess On
-	SecResponseBodyAccess Off
 
-	# Handling of file uploads
+# -- Rule engine initialization ----------------------------------------------
-	# TODO Choose a folder private to Apache.
-	# SecUploadDir /opt/apache-frontend/tmp/
-	SecUploadKeepFiles Off
 
-	# Debug log
+# Enable ModSecurity, attaching it to every transaction. Use detection
-	SecDebugLog /var/log/apache2/modsec_debug.log
+# only to start with, because that minimises the chances of post-installation
-	SecDebugLogLevel 0
+# disruption.
+#
+SecRuleEngine DetectionOnly
 
-	# Serial audit log
-	SecAuditEngine RelevantOnly
-	SecAuditLogRelevantStatus ^5
-	SecAuditLogParts ABIFHZ
-	SecAuditLogType Serial
-	SecAuditLog /var/log/apache2/modsec_audit.log
 
-	# Maximum request body size we will
+# -- Request body handling ---------------------------------------------------
-	# accept for buffering
-	SecRequestBodyLimit 131072
 
-	# Store up to 128 KB in memory
+# Allow ModSecurity to access request bodies. If you don't, ModSecurity
-	SecRequestBodyInMemoryLimit 131072
+# won't be able to see any POST parameters, which opens a large security
+# hole for attackers to exploit.
+#
+SecRequestBodyAccess On
 
-	# Buffer response bodies of up to
-	# 512 KB in length
-	SecResponseBodyLimit 524288
 
-	# Verify that we've correctly processed the request body.
+# Enable XML request body parser.
-	# As a rule of thumb, when failing to process a request body
+# Initiate XML Processor in case of xml content-type
-	# you should reject the request (when deployed in blocking mode)
+#
-	# or log a high-severity alert (when deployed in detection-only mode).
+SecRule REQUEST_HEADERS:Content-Type "text/xml" \
-	SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
+     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
-	"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
 
-	# By default be strict with what we accept in the multipart/form-data
-	# request body. If the rule below proves to be too strict for your
-	# environment consider changing it to detection-only. You are encouraged
-	# _not_ to remove it altogether.
-	SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
-	"phase:2,t:none,log,deny,msg:'Multipart request body \
-	failed strict validation: \
-	PE %{REQBODY_PROCESSOR_ERROR}, \
-	BQ %{MULTIPART_BOUNDARY_QUOTED}, \
-	BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
-	DB %{MULTIPART_DATA_BEFORE}, \
-	DA %{MULTIPART_DATA_AFTER}, \
-	HF %{MULTIPART_HEADER_FOLDING}, \
-	LF %{MULTIPART_LF_LINE}, \
-	SM %{MULTIPART_SEMICOLON_MISSING}'"
 
-	# Did we see anything that might be a boundary?
+# -- XML external entity loading by libxml2.
-	SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+# Defaults to off.
-	"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+SecXmlExternalEntity Off
+
+# Maximum request body size we will accept for buffering. If you support
+# file uploads then the value given on the first line has to be as large
+# as the largest file you are willing to accept. The second value refers
+# to the size of data, with files excluded. You want to keep that value as
+# low as practical.
+#
+SecRequestBodyLimit 13107200
+SecRequestBodyNoFilesLimit 131072
+
+# Store up to 128 KB of request body data in memory. When the multipart
+# parser reachers this limit, it will start using your hard disk for
+# storage. That is slow, but unavoidable.
+#
+SecRequestBodyInMemoryLimit 131072
+
+# What do do if the request body size is above our configured limit.
+# Keep in mind that this setting will automatically be set to ProcessPartial
+# when SecRuleEngine is set to DetectionOnly mode in order to minimize
+# disruptions when initially deploying ModSecurity.
+#
+SecRequestBodyLimitAction Reject
+
+# Verify that we've correctly processed the request body.
+# As a rule of thumb, when failing to process a request body
+# you should reject the request (when deployed in blocking mode)
+# or log a high-severity alert (when deployed in detection-only mode).
+#
+SecRule REQBODY_ERROR "!@eq 0" \
+"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+
+# By default be strict with what we accept in the multipart/form-data
+# request body. If the rule below proves to be too strict for your
+# environment consider changing it to detection-only. You are encouraged
+# _not_ to remove it altogether.
+#
+SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+"id:'200002',phase:2,t:none,log,deny,status:44, \
+msg:'Multipart request body failed strict validation: \
+PE %{REQBODY_PROCESSOR_ERROR}, \
+BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+DB %{MULTIPART_DATA_BEFORE}, \
+DA %{MULTIPART_DATA_AFTER}, \
+HF %{MULTIPART_HEADER_FOLDING}, \
+LF %{MULTIPART_LF_LINE}, \
+SM %{MULTIPART_MISSING_SEMICOLON}, \
+IQ %{MULTIPART_INVALID_QUOTING}, \
+IP %{MULTIPART_INVALID_PART}, \
+IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+# Did we see anything that might be a boundary?
+#
+SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+# PCRE Tuning
+# We want to avoid a potential RegEx DoS condition
+#
+SecPcreMatchLimit 1000
+SecPcreMatchLimitRecursion 1000
+
+# Some internal errors will set flags in TX and we will need to look for these.
+# All of these are prefixed with "MSC_".  The following flags currently exist:
+#
+# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
+#
+SecRule TX:/^MSC_/ "!@streq 0" \
+        "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+
+# -- Response body handling --------------------------------------------------
+
+# Allow ModSecurity to access response bodies. 
+# You should have this directive enabled in order to identify errors
+# and data leakage issues.
+# 
+# Do keep in mind that enabling this directive does increases both
+# memory consumption and response latency.
+#
+SecResponseBodyAccess On
+
+# Which response MIME types do you want to inspect? You should adjust the
+# configuration below to catch documents but avoid static files
+# (e.g., images and archives).
+#
+SecResponseBodyMimeType text/plain text/html text/xml
+
+# Buffer response bodies of up to 512 KB in length.
+SecResponseBodyLimit 524288
+
+# What happens when we encounter a response body larger than the configured
+# limit? By default, we process what we have and let the rest through.
+# That's somewhat less secure, but does not break any legitimate pages.
+#
+SecResponseBodyLimitAction ProcessPartial
+
+
+# -- Filesystem configuration ------------------------------------------------
+
+# The location where ModSecurity stores temporary files (for example, when
+# it needs to handle a file upload that is larger than the configured limit).
+# 
+# This default setting is chosen due to all systems have /tmp available however, 
+# this is less than ideal. It is recommended that you specify a location that's private.
+#
+SecTmpDir /tmp/
+
+# The location where ModSecurity will keep its persistent data.  This default setting 
+# is chosen due to all systems have /tmp available however, it
+# too should be updated to a place that other users can't access.
+#
+SecDataDir /tmp/
+
+
+# -- File uploads handling configuration -------------------------------------
+
+# The location where ModSecurity stores intercepted uploaded files. This
+# location must be private to ModSecurity. You don't want other users on
+# the server to access the files, do you?
+#
+#SecUploadDir /opt/modsecurity/var/upload/
+
+# By default, only keep the files that were determined to be unusual
+# in some way (by an external inspection script). For this to work you
+# will also need at least one file inspection rule.
+#
+#SecUploadKeepFiles RelevantOnly
+
+# Uploaded files are by default created with permissions that do not allow
+# any other user to access them. You may need to relax that if you want to
+# interface ModSecurity to an external program (e.g., an anti-virus).
+#
+#SecUploadFileMode 0600
+
+
+# -- Debug log configuration -------------------------------------------------
+
+# The default debug log configuration is to duplicate the error, warning
+# and notice messages from the error log.
+#
+#SecDebugLog /var/log/apache2/modsec_debug.log
+#SecDebugLogLevel 3
+
+# -- Audit log configuration -------------------------------------------------
+
+# Log the transactions that are marked by a rule, as well as those that
+# trigger a server error (determined by a 5xx or 4xx, excluding 404,  
+# level response status codes).
+#
+SecAuditEngine RelevantOnly
+SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+
+# Log everything we know about a transaction.
+SecAuditLogParts ABIJDEFHZ
+
+# Use a single file for logging. This is much easier to look at, but
+# assumes that you will use the audit log only ocassionally.
+#
+SecAuditLogType Serial
+SecAuditLog /var/log/apache2/modsec_audit.log
+
+# Specify the path for concurrent audit logging.
+#SecAuditLogStorageDir /opt/modsecurity/var/audit/
+
+
+# -- Miscellaneous -----------------------------------------------------------
+
+# Use the most commonly used application/x-www-form-urlencoded parameter
+# separator. There's probably only one application somewhere that uses
+# something else so don't expect to change this value.
+#
+SecArgumentSeparator &
+
+# Settle on version 0 (zero) cookies, as that is what most applications
+# use. Using an incorrect cookie version may open your installation to
+# evasion attacks (against the rules that examine named cookies).
+#
+SecCookieFormat 0
+
+# Specify your Unicode Code Point.
+# This mapping is used by the t:urlDecodeUni transformation function
+# to properly map encoded data to your language. Properly setting
+# these directives helps to reduce false positives and negatives.
+#
+#SecUnicodeCodePage 20127
+#SecUnicodeMapFile unicode.mapping
+
+
+
+
+
+
+Include /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
+# as set up with symlinks for files that are placed here:
+Include /etc/apache2/mod_security2.d/*.conf
+
 </IfModule>

modsecurity-apache_2.6.7.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3fa05e2be9e8a6e99747defe0df35ace99ba44683afef5205819db9706c03f29
-size 785852

modsecurity-apache_2.7.5-build_fix_pcre.diff

@@ -0,0 +1,199 @@
+diff -rNU 30 ../modsecurity-apache_2.7.5-o/apache2/Makefile.am ./apache2/Makefile.am
+--- ../modsecurity-apache_2.7.5-o/apache2/Makefile.am	2013-07-28 05:58:49.000000000 +0200
++++ ./apache2/Makefile.am	2013-08-01 15:08:21.000000000 +0200
+@@ -17,61 +17,61 @@
+ mod_security2_la_CFLAGS = @APXS_CFLAGS@ @APR_CFLAGS@ @APU_CFLAGS@ \
+                           @PCRE_CFLAGS@ @LIBXML2_CFLAGS@ @LUA_CFLAGS@ @MODSEC_EXTRA_CFLAGS@ @CURL_CFLAGS@
+ mod_security2_la_CPPFLAGS = @APR_CPPFLAGS@ @PCRE_CPPFLAGS@ @LIBXML2_CPPFLAGS@
+ mod_security2_la_LIBADD = @APR_LDADD@ @APU_LDADD@ @PCRE_LDADD@ @LIBXML2_LDADD@ @LUA_LDADD@
+ 
+ if AIX
+ mod_security2_la_LDFLAGS = -module -avoid-version \
+                            @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+                            @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ endif
+ 
+ if HPUX
+ mod_security2_la_LDFLAGS = -module -avoid-version \
+                            @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+                            @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ endif
+ 
+ if MACOSX
+ mod_security2_la_LDFLAGS = -module -avoid-version \
+                            @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+                            @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ endif
+ 
+ if SOLARIS
+ mod_security2_la_LDFLAGS = -module -avoid-version \
+                            @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+                            @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ endif
+ 
+ if LINUX
+-mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \
++mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+                            @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+                            @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ endif
+ 
+ if FREEBSD
+ mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+                            @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+                            @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ endif
+ 
+ if OPENBSD
+ mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+                            @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+                            @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ endif
+ 
+ if NETBSD
+ mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+                            @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+                            @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ endif
+ 
+ if LINUX
+ install-exec-hook: $(pkglib_LTLIBRARIES)
+ 	@echo "Removing unused static libraries..."; \
+ 	for m in $(pkglib_LTLIBRARIES); do \
+ 	  base=`echo $$m | sed 's/\..*//'`; \
+ 	  rm -f $(DESTDIR)$(pkglibdir)/$$base.*a; \
+ 	  install -D -m444 $(DESTDIR)$(pkglibdir)/$$base.so $(DESTDIR)$(APXS_MODULES)/$$base.so; \
+ 	done
+diff -rNU 30 ../modsecurity-apache_2.7.5-o/apache2/Makefile.in ./apache2/Makefile.in
+--- ../modsecurity-apache_2.7.5-o/apache2/Makefile.in	2013-07-28 05:59:01.000000000 +0200
++++ ./apache2/Makefile.in	2013-08-01 15:08:56.000000000 +0200
+@@ -303,61 +303,61 @@
+ #include_HEADERS = re.h modsecurity.h msc_logging.h msc_multipart.h \
+ #                  msc_parsers.h msc_pcre.h msc_util.h msc_xml.h \
+ #                  persist_dbm.h apache2.h msc_geo.h acmp.h utf8tables.h \
+ #                  msc_lua.h msc_release.h
+ mod_security2_la_SOURCES = mod_security2.c \
+                            apache2_config.c apache2_io.c apache2_util.c \
+                            re.c re_operators.c re_actions.c re_tfns.c \
+                            re_variables.c msc_logging.c msc_xml.c \
+                            msc_multipart.c modsecurity.c msc_parsers.c \
+                            msc_util.c msc_pcre.c persist_dbm.c msc_reqbody.c \
+                            msc_geo.c msc_gsb.c msc_crypt.c msc_tree.c msc_unicode.c acmp.c msc_lua.c msc_release.c \
+                            libinjection/libinjection_sqli.c
+ 
+ mod_security2_la_CFLAGS = @APXS_CFLAGS@ @APR_CFLAGS@ @APU_CFLAGS@ \
+                           @PCRE_CFLAGS@ @LIBXML2_CFLAGS@ @LUA_CFLAGS@ @MODSEC_EXTRA_CFLAGS@ @CURL_CFLAGS@
+ 
+ mod_security2_la_CPPFLAGS = @APR_CPPFLAGS@ @PCRE_CPPFLAGS@ @LIBXML2_CPPFLAGS@
+ mod_security2_la_LIBADD = @APR_LDADD@ @APU_LDADD@ @PCRE_LDADD@ @LIBXML2_LDADD@ @LUA_LDADD@
+ @AIX_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \
+ @AIX_TRUE@                           @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @AIX_TRUE@                           @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ 
+ @FREEBSD_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+ @FREEBSD_TRUE@                           @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @FREEBSD_TRUE@                           @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ 
+ @HPUX_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \
+ @HPUX_TRUE@                           @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @HPUX_TRUE@                           @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ 
+-@LINUX_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \
++@LINUX_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+ @LINUX_TRUE@                           @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @LINUX_TRUE@                           @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ 
+ @MACOSX_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \
+ @MACOSX_TRUE@                           @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @MACOSX_TRUE@                           @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ 
+ @NETBSD_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+ @NETBSD_TRUE@                           @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @NETBSD_TRUE@                           @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ 
+ @OPENBSD_TRUE@mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
+ @OPENBSD_TRUE@                           @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @OPENBSD_TRUE@                           @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ 
+ @SOLARIS_TRUE@mod_security2_la_LDFLAGS = -module -avoid-version \
+ @SOLARIS_TRUE@                           @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \
+ @SOLARIS_TRUE@                           @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
+ 
+ all: modsecurity_config_auto.h
+ 	$(MAKE) $(AM_MAKEFLAGS) all-am
+ 
+ .SUFFIXES:
+ .SUFFIXES: .c .lo .o .obj
+ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+ 	@for dep in $?; do \
+ 	  case '$(am__configure_deps)' in \
+ 	    *$$dep*) \
+ 	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ 	        && { if test -f $@; then exit 0; else break; fi; }; \
+diff -rNU 30 ../modsecurity-apache_2.7.5-o/configure ./configure
+--- ../modsecurity-apache_2.7.5-o/configure	2013-07-28 05:59:03.000000000 +0200
++++ ./configure	2013-08-01 15:02:59.000000000 +0200
+@@ -13103,61 +13103,62 @@
+         if test -e "${x}/bin/${PCRE_CONFIG}"; then
+             pcre_path="${x}/bin"
+             break
+         elif test -e "${x}/${PCRE_CONFIG}"; then
+             pcre_path="${x}"
+             break
+         else
+             pcre_path=""
+         fi
+     done
+     if test -n "$pcre_path"; then
+         break
+     fi
+ done
+ 
+ if test -n "${pcre_path}"; then
+     if test "${pcre_path}" != "no"; then
+         PCRE_CONFIG="${pcre_path}/${PCRE_CONFIG}"
+     fi
+     { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${PCRE_CONFIG}" >&5
+ $as_echo "${PCRE_CONFIG}" >&6; }
+     PCRE_VERSION="`${PCRE_CONFIG} --version`"
+     if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre VERSION: $PCRE_VERSION" >&5
+ $as_echo "$as_me: pcre VERSION: $PCRE_VERSION" >&6;}; fi
+     PCRE_CFLAGS="`${PCRE_CONFIG} --cflags`"
+     if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre CFLAGS: $PCRE_CFLAGS" >&5
+ $as_echo "$as_me: pcre CFLAGS: $PCRE_CFLAGS" >&6;}; fi
+     PCRE_LDADD="`${PCRE_CONFIG} --libs`"
+     if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre LDADD: $PCRE_LDADD" >&5
+ $as_echo "$as_me: pcre LDADD: $PCRE_LDADD" >&6;}; fi
+-    PCRE_LD_PATH="/`${PCRE_CONFIG} --libs | cut -d'/' -f2,3,4,5,6 | cut -d ' ' -f1`"
++#    PCRE_LD_PATH="/`${PCRE_CONFIG} --libs | cut -d'/' -f2,3,4,5,6 | cut -d ' ' -f1`"
++    PCRE_LD_PATH=""
+     if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: pcre PCRE_LD_PATH: $PCRE_LD_PATH" >&5
+ $as_echo "$as_me: pcre PCRE_LD_PATH: $PCRE_LD_PATH" >&6;}; fi
+ else
+     { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+ $as_echo "no" >&6; }
+ fi
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ if test -z "${PCRE_VERSION}"; then
+     { $as_echo "$as_me:${as_lineno-$LINENO}: *** pcre library not found." >&5
+ $as_echo "$as_me: *** pcre library not found." >&6;}
+     as_fn_error "pcre library is required" "$LINENO" 5
+ else
+     { $as_echo "$as_me:${as_lineno-$LINENO}: using pcre v${PCRE_VERSION}" >&5
+ $as_echo "$as_me: using pcre v${PCRE_VERSION}" >&6;}
+ 
+ fi
+ 
+ if test "$build_apache2_module" -ne 0 -o "$build_mlogc" -ne 0; then
+ 
+ 
+ # Check whether --with-apr was given.
+ if test "${with_apr+set}" = set; then :

modsecurity-apache_2.7.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9e907536278d8da80d3dbb29aeffe9c4ec37ce9b641035b2da64e993135647a2
+size 1045387

modsecurity_diagram_apache_request_cycle.jpg

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4366e727c511bccbf56ec646dd0961c65c8054fdc235ab26e06e3faf08052f6d
+size 46799

rules.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5b025dd7e2fc74aebf4bbf671ef238325737cc8a5da9e1eda6c9f739d5d2226b
-size 33001