diff --git a/.gitattributes b/.gitattributes
index 9b03811..73d0e79 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -21,3 +21,5 @@
 *.xz filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
+## Specific LFS patterns
+modsecurity_diagram_apache_request_cycle.jpg filter=lfs diff=lfs merge=lfs -text
diff --git a/ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2 b/ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2
new file mode 100644
index 0000000..6deb6f5
--- /dev/null
+++ b/ModSecurity-Frequently-Asked-Questions-FAQ.html.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bab5e208e8c2aa4beeb799a4d05bceb3eb44846e75565b32b483fb5fb32023a7
+size 11838
diff --git a/README-SUSE-mod_security2.txt b/README-SUSE-mod_security2.txt
new file mode 100644
index 0000000..ed8e241
--- /dev/null
+++ b/README-SUSE-mod_security2.txt
@@ -0,0 +1,13 @@
+
+#
+# Dear Administrator,
+#
+# mod_security2 is not activated by default upon installation of the
+# apache module.
+#
+# Your starting point for the configuration of mod_security2 is
+# /etc/apache2/conf.d/mod_security2.conf .
+# Please see that file for comments on how to activate the module
+# and on how to assign rules.
+#
+
diff --git a/Reference-Manual.html.bz2 b/Reference-Manual.html.bz2
new file mode 100644
index 0000000..b86cb92
--- /dev/null
+++ b/Reference-Manual.html.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:160af986e97bafad2cdbd58469115102068eff3b2f2f246f559adf7256d0dcf8
+size 60381
diff --git a/SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz b/SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz
new file mode 100644
index 0000000..78f0869
--- /dev/null
+++ b/SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bae3ef19925168a3b8ef9663bc9ed677cc6ca2fdbdbdd6111653c1b2991e24e3
+size 280011
diff --git a/apache2-mod_security2-no_rpath.diff b/apache2-mod_security2-no_rpath.diff
new file mode 100644
index 0000000..49c19c8
--- /dev/null
+++ b/apache2-mod_security2-no_rpath.diff
@@ -0,0 +1,324 @@ +diff -rNU 30 ../modsecurity-2.8.0-o/apache2/Makefile.am ./apache2/Makefile.am +--- ../modsecurity-2.8.0-o/apache2/Makefile.am 2014-04-15 14:44:04.000000000 +0200 ++++ ./apache2/Makefile.am 2014-06-16 16:17:44.000000000 +0200 +@@ -73,61 +73,61 @@ + @APXS_LDFLAGS@ \ + @LIBXML2_LDFLAGS@ \ + @LUA_LDFLAGS@ \ + @PCRE_LDFLAGS@ \ + @YAJL_LDFLAGS@ + endif + + if MACOSX + mod_security2_la_LDFLAGS = -module -avoid-version \ + @APR_LDFLAGS@ \ + @APU_LDFLAGS@ \ + @APXS_LDFLAGS@ \ + @LIBXML2_LDFLAGS@ \ + @LUA_LDFLAGS@ \ + @PCRE_LDFLAGS@ \ + @YAJL_LDFLAGS@ + endif + + if SOLARIS + mod_security2_la_LDFLAGS = -module -avoid-version \ + @APR_LDFLAGS@ \ + @APU_LDFLAGS@ \ + @APXS_LDFLAGS@ \ + @LIBXML2_LDFLAGS@ \ + @LUA_LDFLAGS@ \ + @PCRE_LDFLAGS@ \ + @YAJL_LDFLAGS@ + endif + + if LINUX +-mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH@ \ ++mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ + @APR_LDFLAGS@ \ + @APU_LDFLAGS@ \ + @APXS_LDFLAGS@ \ + @LIBXML2_LDFLAGS@ \ + @LUA_LDFLAGS@ \ + @PCRE_LDFLAGS@ \ + @YAJL_LDFLAGS@ + endif + + if FREEBSD + mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ + @APR_LDFLAGS@ \ + @APU_LDFLAGS@ \ + @APXS_LDFLAGS@ \ + @LIBXML2_LDFLAGS@ \ + @LUA_LDFLAGS@ \ + @PCRE_LDFLAGS@ \ + @YAJL_LDFLAGS@ + endif + + if OPENBSD + mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \ + @APR_LDFLAGS@ \ + @APU_LDFLAGS@ \ + @APXS_LDFLAGS@ \ + @LIBXML2_LDFLAGS@ \ + @LUA_LDFLAGS@ \ + @PCRE_LDFLAGS@ \ + @YAJL_LDFLAGS@ + endif +diff -rNU 30 ../modsecurity-2.8.0-o/apache2/Makefile.in ./apache2/Makefile.in +--- ../modsecurity-2.8.0-o/apache2/Makefile.in 2014-04-15 14:44:14.000000000 +0200 ++++ ./apache2/Makefile.in 2014-06-16 16:18:03.000000000 +0200 +@@ -600,61 +600,61 @@ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(pkglibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pkglibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) 
--mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(pkglibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(pkglibdir)"; \ + } + + uninstall-pkglibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(pkglibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(pkglibdir)/$$f"; \ + done + + clean-pkglibLTLIBRARIES: + -test -z "$(pkglib_LTLIBRARIES)" || rm -f $(pkglib_LTLIBRARIES) + @list='$(pkglib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + + mod_security2.la: $(mod_security2_la_OBJECTS) $(mod_security2_la_DEPENDENCIES) $(EXTRA_mod_security2_la_DEPENDENCIES) +- $(AM_V_CCLD)$(mod_security2_la_LINK) -rpath $(pkglibdir) $(mod_security2_la_OBJECTS) $(mod_security2_la_LIBADD) $(LIBS) ++ $(AM_V_CCLD)$(mod_security2_la_LINK) $(mod_security2_la_OBJECTS) $(mod_security2_la_LIBADD) $(LIBS) + + mostlyclean-compile: + -rm -f *.$(OBJEXT) + + distclean-compile: + -rm -f *.tab.c + + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-acmp.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-apache2_config.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-apache2_io.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-apache2_util.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-libinjection_html5.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-libinjection_sqli.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/mod_security2_la-libinjection_xss.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-mod_security2.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-modsecurity.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_crypt.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_geo.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_gsb.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_json.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_logging.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_lua.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_multipart.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_parsers.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_pcre.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_release.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_reqbody.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_status_engine.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_tree.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-msc_unicode.Plo@am__quote@ +diff -rNU 30 ../modsecurity-2.8.0-o/build/libtool.m4 ./build/libtool.m4 +--- ../modsecurity-2.8.0-o/build/libtool.m4 2014-04-15 14:44:04.000000000 +0200 ++++ ./build/libtool.m4 2014-06-16 16:16:39.000000000 +0200 +@@ -4661,61 +4661,61 @@ + if test "$with_gnu_ld" = yes; then + case $host_os in + aix*) + # The AIX port of GNU ld has always aspired to compatibility + # with the native linker. 
However, as the warning in the GNU ld + # block says, versions before 2.19.5* couldn't really create working + # shared libraries, regardless of the interface used. + case `$LD -v 2>&1` in + *\ \(GNU\ Binutils\)\ 2.19.5*) ;; + *\ \(GNU\ Binutils\)\ 2.[[2-9]]*) ;; + *\ \(GNU\ Binutils\)\ [[3-9]]*) ;; + *) + lt_use_gnu_ld_interface=yes + ;; + esac + ;; + *) + lt_use_gnu_ld_interface=yes + ;; + esac + fi + + if test "$lt_use_gnu_ld_interface" = yes; then + # If archive_cmds runs LD, not CC, wlarc should be empty + wlarc='${wl}' + + # Set some defaults for GNU ld with shared library support. These + # are reset later if shared libraries are not supported. Putting them + # here allows them to be overridden if necessary. + runpath_var=LD_RUN_PATH +- _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' ++ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' + # ancient GNU ld didn't support --whole-archive et. al. + if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then + _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' + else + _LT_TAGVAR(whole_archive_flag_spec, $1)= + fi + supports_anon_versioning=no + case `$LD -v 2>&1` in + *GNU\ gold*) supports_anon_versioning=yes ;; + *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11 + *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... + *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... + *\ 2.11.*) ;; # other 2.11 versions + *) supports_anon_versioning=yes ;; + esac + + # See if GNU ld supports shared libraries. + case $host_os in + aix[[3-9]]*) + # On AIX/PPC, the GNU linker is very broken + if test "$host_cpu" != ia64; then + _LT_TAGVAR(ld_shlibs, $1)=no + cat <<_LT_EOF 1>&2 + + *** Warning: the GNU linker, at least up to release 2.19, is reported + *** to be unable to reliably create shared libraries on AIX. 
+ *** Therefore, libtool is disabling shared libraries support. If you + *** really care for shared libraries, you may want to install binutils + *** 2.20 or above, or modify your PATH so that a non-GNU linker is found. +@@ -4897,61 +4897,61 @@ + _LT_EOF + elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + + sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*) + case `$LD -v 2>&1` in + *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*) + _LT_TAGVAR(ld_shlibs, $1)=no + cat <<_LT_EOF 1>&2 + + *** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not + *** reliably create shared libraries on SCO systems. Therefore, libtool + *** is disabling shared libraries support. We urge you to upgrade GNU + *** binutils to release 2.16.91.0.3 or newer. Another option is to modify + *** your PATH or compiler configuration so that the native linker is + *** used, and then restart. + + _LT_EOF + ;; + *) + # For security reasons, it is highly recommended that you always + # use absolute paths for naming shared libraries, and exclude the + # DT_RUNPATH tag from executables and libraries. But doing so + # requires that you compile everything twice, which is a pain. 
+ if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then +- _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' ++ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + ;; + + sunos4*) + _LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags' + wlarc= + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + *) + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + + if test "$_LT_TAGVAR(ld_shlibs, $1)" = no; then + runpath_var= + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= + _LT_TAGVAR(export_dynamic_flag_spec, $1)= +@@ -5907,61 +5907,61 @@ + else + $as_unset lt_cv_path_LD + fi + test -z "${LDCXX+set}" || LD=$LDCXX + CC=${CXX-"c++"} + CFLAGS=$CXXFLAGS + compiler=$CC + _LT_TAGVAR(compiler, $1)=$CC + _LT_CC_BASENAME([$compiler]) + + if test -n "$compiler"; then + # We don't want -fno-exception when compiling C++ code, so set the + # no_builtin_flag separately + if test "$GXX" = yes; then + _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' + else + _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)= + fi + + if test "$GXX" = yes; then + # Set up default GNU C++ configuration + + LT_PATH_LD + + # Check if GNU C++ uses GNU ld as the underlying linker, since 
the + # archiving commands below assume that GNU ld is being used. + if test "$with_gnu_ld" = yes; then + _LT_TAGVAR(archive_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + +- _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' ++ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' + + # If archive_cmds runs LD, not CC, wlarc should be empty + # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to + # investigate it a little bit more. (MM) + wlarc='${wl}' + + # ancient GNU ld didn't support --whole-archive et. al. + if eval "`$CC -print-prog-name=ld` --help 2>&1" | + $GREP 'no-whole-archive' > /dev/null; then + _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' + else + _LT_TAGVAR(whole_archive_flag_spec, $1)= + fi + else + with_gnu_ld=no + wlarc= + + # A generic and very simple default shared library creation + # command for GNU C++ for the case where it uses the native + # linker, instead of GNU ld. If possible, this setting should + # overridden to take advantage of the native linker features on + # the platform it is being used on. + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' + fi + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' 
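Review bot: The Makefile.in and libtool.m4 parts of this patch are probably discarded before they take effect: the spec's %build runs `automake`, which regenerates apache2/Makefile.in and will again emit `-rpath $(pkglibdir)` on the pkglib_LTLIBRARIES link line, and on the distributions where `autoreconf -fi` is used, libtoolize is likely to overwrite build/libtool.m4 as well. The only hunk that reliably survives is the Makefile.am change dropping `-R @PCRE_LD_PATH@`, so whether the installed module ends up with a DT_RPATH/DT_RUNPATH may differ between distribution versions even though the changelog promises "no rpath". The three `hardcode_libdir_flag_spec` replacements set the value to a single space rather than to empty; a one-line comment in the patch header stating why a blank rather than an empty value was chosen would spare the next maintainer from guessing. Rather than patching generated files, the intent is better enforced on the result, e.g. a `%check` step along the lines of `readelf -d apache2/.libs/mod_security2.so | grep -E 'RPATH|RUNPATH' && exit 1 || :` so a build that reintroduces a runtime search path fails loudly.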
diff --git a/apache2-mod_security2.changes b/apache2-mod_security2.changes
index ea55bbd..f2ba18f 100644
--- a/apache2-mod_security2.changes
+++ b/apache2-mod_security2.changes
@@ -1,3 +1,138 @@ +------------------------------------------------------------------- +Wed Aug 27 17:30:25 CEST 2014 - draht@suse.de + +- Portability: provide /etc/apache2/mod_security2.d/empty.conf + to avoid a non-match of the file-glob in the Include statement + from /etc/apache2/conf.d/mod_security2.conf . This restores + the Include back from the IncludeOptional, which is not portable. +- Source URL set to (expanded) + https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz + +------------------------------------------------------------------- +Mon Aug 25 19:33:11 UTC 2014 - thomas.worm@sicsec.de + +- Fixed spec file to work with older distribution versions. + Before openSuSE 13.1 aclocal doesn't work, instead autoreconf + has to be called. + +------------------------------------------------------------------- +Mon Jul 7 14:06:19 CEST 2014 - draht@suse.de + +- last changelog does not say that + apache2-mod_security2-libtool-fix.diff was obsoleted. + +------------------------------------------------------------------- +Mon Jun 16 19:04:00 CEST 2014 - draht@suse.de + +- BuildRequires: libtool missing + +------------------------------------------------------------------- +Mon Jun 16 18:17:26 CEST 2014 - draht@suse.de + +- apache2-mod_security2-libtool-fix.diff: initialize libtool. + +------------------------------------------------------------------- +Mon Jun 16 17:31:34 CEST 2014 - draht@suse.de + +- apache2-mod_security2-no_rpath.diff: avoid the usage of -rpath + in autoconf m4 macros. Obsoletes patch + modsecurity-apache_2.8.0-build_fix_pcre.diff +- use automake for build, add autoconf and automake to + BuildRequires:. This fix is combined with [bnc#876878]. +- turn on --enable-htaccess-config +- use %{?_smp_mflags} for build + +------------------------------------------------------------------- +Thu Jun 12 12:33:49 CEST 2014 - draht@suse.de + +- OWASP rule set. 
[bnc#876878] + new in 2.8.0 (more complete changelog to add to last changelog): + * Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) + now support white and suspicious list + * New variables: FULL_REQUEST and FULL_REQUEST_LENGTH + * GPLv2 replaced by Apache License v2 + * rules are not part of the source tarball any longer, but + maintaned upstream externally, and included in this package. + * documentation was externalized to a wiki. Package contains + the FAQ and the reference manual in html form. + * renamed the term "Encryption" in directives that actually refer + to hashes. See CHANGES file for more details. + * byte conversion issues on s390x when logging fixed. + * many small issues fixed that were discovered by a Coverity scanner + * updated reference manual + * wrong time calculation when logging for some timezones fixed. + * replaced time-measuring mechanism with finer granularity for + measured request/answer phases. (Stopwatch remains for compat.) + * cookie parser memory leak fix + * parsing of quoted strings in multipart Content-Disposition + headers fixed. + +------------------------------------------------------------------- +Thu May 1 05:06:15 UTC 2014 - thomas.worm@sicsec.de + +- Raised to version 2.8.0. +- updated patches: + * modsecurity-apache_2.8.0-build_fix_pcre.diff + -> modsecurity-apache_2.7.7-build_fix_pcre.diff + +------------------------------------------------------------------- +Sat Jan 25 17:43:33 UTC 2014 - thomas.worm@sicsec.de + + - Raised to version 2.7.7. + - modified patches: + * modsecurity-apache_2.7.5-build_fix_pcre.diff, + renamed to modsecurity-apache_2.7.7-build_fix_pcre.diff. + +------------------------------------------------------------------- +Thu Jan 23 13:06:09 UTC 2014 - aj@ajaissle.de + +- Use correct source Url + +------------------------------------------------------------------- +Fri Aug 2 14:18:39 CEST 2013 - draht@suse.de + +- complete overhaul of this package, with update to 2.7.5. 
+- ruleset update to 2.2.8-0-g0f07cbb. +- new configuration framework private to mod_security2: + /etc/apache2/conf.d/mod_security2.conf loads + /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf, + then /etc/apache2/mod_security2.d/*.conf , as set up based on + advice in /etc/apache2/conf.d/mod_security2.conf + Your configuration starting point is + /etc/apache2/conf.d/mod_security2.conf +- !!! Please note that mod_unique_id is needed for mod_security2 to run! +- modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneaous + linker parameter, preventing rpath in shared object. +- fixes contained for the following bugs: + * CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling + * [bnc#768293] multi-part bypass, minor threat + * CVE-2013-1915 [bnc#813190] XML external entity vulnerability + * CVE-2012-4528 [bnc#789393] rule bypass + * CVE-2013-2765 [bnc#822664] null pointer dereference crash +- new from 2.5.9 to 2.7.5, only major changes: + * GPLv2 replaced by Apache License v2 + * rules are not part of the source tarball any longer, but + maintaned upstream externally, and included in this package. + * documentation was externalized to a wiki. Package contains + the FAQ and the reference manual in html form. + * renamed the term "Encryption" in directives that actually refer + to hashes. See CHANGES file for more details. + * new directive SecXmlExternalEntity, default off + * byte conversion issues on s390x when logging fixed. + * many small issues fixed that were discovered by a Coverity scanner + * updated reference manual + * wrong time calculation when logging for some timezones fixed. + * replaced time-measuring mechanism with finer granularity for + measured request/answer phases. (Stopwatch remains for compat.) + * cookie parser memory leak fix + * parsing of quoted strings in multipart Content-Disposition + headers fixed. 
+ * SDBM deadlock fix + * @rsub memory leak fix + * cookie separator code improvements + * build failure fixes + * compile time option --enable-htaccess-config (set) + ------------------------------------------------------------------- Mon Aug 27 11:43:47 UTC 2012 - cfarrell@suse.com diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec index bc21cf5..0462382 100644 --- a/apache2-mod_security2.spec +++ b/apache2-mod_security2.spec @@ -1,7 +1,7 @@ # # spec file for package apache2-mod_security2 # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,41 +17,50 @@ Name: apache2-mod_security2 -Version: 2.6.7 -Release: 0 -%define aversion 2.6.7 +Version: 2.8.0 +Release: 0.1 # # BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: apache2-devel BuildRequires: apache2-prefork +BuildRequires: autoconf +BuildRequires: automake BuildRequires: c++_compiler -BuildRequires: curl-devel +BuildRequires: libcurl-devel +BuildRequires: libtool BuildRequires: libxml2-devel +BuildRequires: lua-devel BuildRequires: pcre-devel %define apache apache2 %define modname mod_security2 -%define tarballname modsecurity-apache_%{aversion} +%define tarballname modsecurity-%{version} # - -%{!?apxs: %global apxs /usr/sbin/apxs2} -%{!?apache_libexecdir: %global apache_libexecdir %(%{apxs} -q LIBEXECDIR)} -%{!?apache_sysconfdir: %global apache_sysconfdir %(%{apxs} -q SYSCONFDIR)} -%{!?apache_includedir: %global apache_includedir %(%{apxs} -q INCLUDEDIR)} -%{!?apache_serveroot: %global apache_serverroot %(%{apxs} -q PREFIX)} -%{!?apache_localstatedir: %global apache_localstatedir %(%{apxs} -q LOCALSTATEDIR)} -%{!?apache_mmn: %global apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)} - +%define apxs %{_sbindir}/apxs2 +%define apache_libexecdir %(%{apxs} -q LIBEXECDIR) +%define apache_sysconfdir %(%{apxs} -q SYSCONFDIR) +%define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)/MMN; test -x $MMN && $MMN) +%define usrsharedir %{_prefix}/share/%{name} +%define refman Reference-Manual.html +%define faq ModSecurity-Frequently-Asked-Questions-FAQ.html +%if 0%{?apache_mmn} Requires: %{apache_mmn} +%endif Requires: apache2 # Url: http://www.modsecurity.org/ -Source: http://www.modsecurity.org/download/%{tarballname}.tar.gz -Source1: mod_security2.conf -Source2: rules.tar.bz2 +Source: https://www.modsecurity.org/tarball/%{version}/%{tarballname}.tar.gz +Source1: https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz +Source2: mod_security2.conf +Source3: 
%{refman}.bz2 +Source4: %{faq}.bz2 +Source5: modsecurity_diagram_apache_request_cycle.jpg +Source6: README-SUSE-mod_security2.txt +Source7: empty.conf +Patch0: apache2-mod_security2-no_rpath.diff # Summary: ModSecurity Open Source Web Application Firewall -License: Apache-2.0 and GPL-2.0 +License: Apache-2.0 Group: Productivity/Networking/Web/Servers %description 
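Review bot: `Source1:` downloads the Core Rule Set from `tarball/master`, a moving ref, while the file name pins `2.2.9-5-gebe8790`; anyone re-fetching from this URL gets whatever master is at that moment, so the archive committed to LFS and the URL in the spec no longer describe the same content and the build cannot be reproduced from the spec alone. Pin the URL to the commit the describe string encodes (the `g` is a prefix, not part of the hash — confirm the ref resolves upstream), e.g. `Source1: https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/ebe8790/SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz`, which also drops the doubled `//` in the path. The rule set is the part of this package that actually decides what traffic is blocked, so its provenance deserves the same care as the module tarball.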
@@ -61,44 +70,81 @@ as an Apache Web server module or standalone, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks. +The modsecurity team also offer a commercial version of their excellent +ruleset. Please have a look at http://www.modsecurity.org/ for more details. %prep %setup -n %{tarballname} -tar -xvjpf %{S:2} +%setup -D -T -a 1 -n %{tarballname} +mv -v SpiderLabs* rules +bzip2 -dc %{SOURCE3} > %{_sourcedir}/%{refman} && touch -r %{SOURCE3} %{_sourcedir}/%{refman} +bzip2 -dc %{SOURCE4} > %{_sourcedir}/%{faq} && touch -r %{SOURCE4} %{_sourcedir}/%{faq} +%patch0 +#%patch1 +#%patch2 %build -#pushd %{apache} - ./configure - make %{?_smp_mflags} -# make -C mlogc-src/ -#popd +# aclocal only works with never distributions, +%if 0%{?suse_version} >= 1310 +aclocal +# on older versions only autoconf is called. +%else +autoreconf -fi +%endif +automake +./configure --with-apxs=%{apxs} --enable-request-early --enable-htaccess-config +CFLAGS="%{optflags}" make %{?_smp_mflags} %install pushd %{apache} - install -D -m 0755 .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so + install -d -m 0755 %{buildroot}%{apache_libexecdir} + install .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so popd - install -D -m 0755 mlogc/mlogc %{buildroot}%{_sbindir}/mlogc - install -D -m 0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_sbindir}/mlogc-batch-load.pl - install -D -m 0640 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf - cp mlogc/INSTALL mlogc/INSTALL.mlogc -install -D -m 0644 %{SOURCE1} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf -mkdir examples -cp -a tools examples -rm -f examples/tools/M* -chmod 644 examples/tools/* +install -D -m 0644 %{SOURCE2} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf +install -d -m 0755 %{buildroot}%{apache_sysconfdir}/mod_security2.d +install -D -m 0644 %{SOURCE6} 
%{buildroot}%{apache_sysconfdir}/mod_security2.d +install -D -m 0644 %{SOURCE7} %{buildroot}%{apache_sysconfdir}/mod_security2.d +cp -a %{SOURCE6} doc +install -m 0644 %{_sourcedir}/%{faq} %{_sourcedir}/%{refman} doc +install -m 0644 %{SOURCE5} doc +install -d -m 0755 %{buildroot}/%{usrsharedir} +install -d -m 0755 %{buildroot}/%{usrsharedir}/tools +install -d -m 0755 %{buildroot}/%{usrsharedir} +rm -f rules/.gitignore rules/LICENSE +cp -a rules/util/README %{buildroot}/%{usrsharedir}/tools/README-rules-updater.txt +cp -a tools/rules-updater.pl tools/rules-updater-example.conf %{buildroot}/%{usrsharedir}/tools +find rules -type f -print0 | \ + xargs -0 chmod 644 +cp -a rules %{buildroot}/%{usrsharedir} +rm -rf %{buildroot}/%{usrsharedir}/rules/util +rm -rf %{buildroot}/%{usrsharedir}/rules/lua +rm -f %{buildroot}/%{usrsharedir}/rules/READM* +rm -f %{buildroot}/%{usrsharedir}/rules/INSTALL %{buildroot}/%{usrsharedir}/rules/CHANGELOG +mv %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf.example \ + %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf + +%clean +%{__rm} -rf %{buildroot}; +%{__rm} -f %{_sourcedir}/%{faq} %{_sourcedir}/%{refman} %files %defattr(-, root, root, 0755) %{apache_libexecdir}/%{modname}.so %config(noreplace) %{apache_sysconfdir}/conf.d/%{modname}.conf -%doc doc/Reference_Manual.html -%doc README.TXT CHANGES LICENSE modsecurity.conf-recommended -%doc mlogc/INSTALL.mlogc mlogc/mlogc-default.conf -%doc examples/ -%doc rules/ -%{_sbindir}/mlogc -%{_sbindir}/mlogc-batch-load.pl -%config(noreplace) %{_sysconfdir}/mlogc.conf +%dir %{apache_sysconfdir}/mod_security2.d +%{apache_sysconfdir}/mod_security2.d/README-SUSE-mod_security2.txt +%{apache_sysconfdir}/mod_security2.d/empty.conf +%dir %{usrsharedir} +#%dir %{usrsharedir}/tools +#%dir %{usrsharedir}/rules +%doc README.TXT CHANGES LICENSE NOTICE authors.txt +%{usrsharedir} +#%{usrsharedir}/rules/activated_rules +#%{usrsharedir}/rules/base_rules 
+#%{usrsharedir}/rules/experimental_rules +#%{usrsharedir}/rules/optional_rules +#%{usrsharedir}/rules/slr_rules +%doc doc/* rules/util/regression-tests %changelog diff --git a/empty.conf b/empty.conf new file mode 100644 index 0000000..7b57715 --- /dev/null +++ b/empty.conf @@ -0,0 +1,4 @@ +# This configuration file has been intentionally left empty to avoid errors +# resulting from an Include statement that matches no files. +# (IncludeOptional is available for apache > 2.4) +# diff --git a/mod_security2.conf b/mod_security2.conf index fee845f..24600a1 100644 --- a/mod_security2.conf +++ b/mod_security2.conf 
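Review bot: In %build the distribution flags are passed as `CFLAGS="%{optflags}" make %{?_smp_mflags}`, i.e. only through make's environment; the automake-generated Makefile assigns CFLAGS itself, and a makefile assignment takes precedence over an environment variable unless make is run with `-e`, so the module is most likely compiled without `%{optflags}` (which on this distribution typically carry the stack-protector and FORTIFY_SOURCE settings) — for a module that parses hostile request bodies, that is exactly where those flags matter. Hand them to configure instead, so they are recorded in the generated Makefile: `CFLAGS="%{optflags}" ./configure --with-apxs=%{apxs} --enable-request-early --enable-htaccess-config` followed by a plain `make %{?_smp_mflags}`. The `#%patch1` and `#%patch2` lines in %prep are dead code and should be removed rather than commented, since rpm still expands `%` macros inside spec comments. The %files list also carries commented-out `#%dir`/`#%{usrsharedir}/rules/...` entries that serve no purpose once the whole `%{usrsharedir}` tree is packaged.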
@@ -1,60 +1,293 @@
+
+# Dear administrator/webmaster,
+#
+# Welcome to /etc/apache2/conf.d/mod_security2.conf, the starting point for
+# the configuration of mod_security2.
+# Please read this text down to line 63 for information about activation
+# and configuration of the mod_security2 apache module.
+#
+# To activate mod_security2, its apache module must be configured to be
+# loaded when apache starts. The mod_security2 apache module depends on
+# the module mod_unique_id to be able to run. This means that both apache
+# modules must be activated/loaded when apache starts.
+
+# Change the configuration to load these two modules by adding the two
+# module names "security2" and "unique_id" to the variable APACHE_MODULES
+# in /etc/sysconfig/apache2 . You can do that manually, or use the tools
+# a2enmod (enable apache module) and a2dismod (disable apache module).
+# These two tools expect the name of the module without the leading
+# "mod_" as an argument!
+#
+# note: /etc/sysconfig/apache2 is evaluated upon apache start by the apache
+# start script /usr/sbin/start_apache2 . Changes in APACHE_MODULES are then
+# visible in /etc/apache2/sysconfig.d/loadmodule.conf, changed by the start
+# script.
+#
+# example for the use of a2enmod/a2dismod:
+#
+# a2enmod security2 # enable module security2
+# a2enmod unique_id # enable module unique_id
+#
+# a2dismod security2 # disable
+# a2dismod unique_id # %
+
+#
+# This file /etc/apache2/conf.d/mod_security2.conf makes some basic
+# configuration settings, then loads
+# /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
+# which is the baseline for the rules that can be loaded later.
+#
+# Afterwards, all files named *.conf in /etc/apache2/mod_security2.d are read.
+# For the rules you wish to apply, place a symlink to the rules file there.
+#
+# About the rules; The OWASP ModSecurity Core Rule Set version 2.2.9
+# is contained in this package, a splendid set of rules made to provide for a
+# decent basic and even advanced protection. The rules files are contained
+# in the directory /usr/share/apache2-mod_security2/rules/.
+#
+# Example (use all of the basic rules that come with the package):
+#
+# cd /etc/apache2/mod_security2.d
+# for i in /usr/share/apache2-mod_security2/rules/base_rules/mod*; do
+# ln -s $i .
+# done
+#
+# At last, simply restart apache:
+# rcapache2 restart
+#
+# In doubt, please consult the valuable online documentation on the project's
+# website, which is the authoritative source for documentation.
+# For offline reading, the webpages for the Reference Guide and the FAQ are
+# located in the package's documentation directory, in the state of 2013/01:
+# /usr/share/doc/packages/apache2-mod_security2
+#
+# Roman Drahtmueller , SUSE, 20140610.
+#
+
+
+
- # Basic configuration options
- SecRuleEngine On
- SecRequestBodyAccess On
- SecResponseBodyAccess Off
- # Handling of file uploads
- # TODO Choose a folder private to Apache.
- # SecUploadDir /opt/apache-frontend/tmp/
- SecUploadKeepFiles Off
+# -- Rule engine initialization ----------------------------------------------
- # Debug log
- SecDebugLog /var/log/apache2/modsec_debug.log
- SecDebugLogLevel 0
+# Enable ModSecurity, attaching it to every transaction. Use detection
+# only to start with, because that minimises the chances of post-installation
+# disruption.
+#
+SecRuleEngine DetectionOnly
- # Serial audit log
- SecAuditEngine RelevantOnly
- SecAuditLogRelevantStatus ^5
- SecAuditLogParts ABIFHZ
- SecAuditLogType Serial
- SecAuditLog /var/log/apache2/modsec_audit.log
- # Maximum request body size we will
- # accept for buffering
- SecRequestBodyLimit 131072
+# -- Request body handling ---------------------------------------------------
- # Store up to 128 KB in memory
- SecRequestBodyInMemoryLimit 131072
+# Allow ModSecurity to access request bodies. If you don't, ModSecurity
+# won't be able to see any POST parameters, which opens a large security
+# hole for attackers to exploit.
+#
+SecRequestBodyAccess On
- # Buffer response bodies of up to
- # 512 KB in length
- SecResponseBodyLimit 524288
- # Verify that we've correctly processed the request body.
- # As a rule of thumb, when failing to process a request body
- # you should reject the request (when deployed in blocking mode)
- # or log a high-severity alert (when deployed in detection-only mode).
- SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
- "phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
+# Enable XML request body parser.
+# Initiate XML Processor in case of xml content-type
+#
+SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
- # By default be strict with what we accept in the multipart/form-data
- # request body. If the rule below proves to be too strict for your
- # environment consider changing it to detection-only. You are encouraged
- # _not_ to remove it altogether.
- SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
- "phase:2,t:none,log,deny,msg:'Multipart request body \
- failed strict validation: \
- PE %{REQBODY_PROCESSOR_ERROR}, \
- BQ %{MULTIPART_BOUNDARY_QUOTED}, \
- BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
- DB %{MULTIPART_DATA_BEFORE}, \
- DA %{MULTIPART_DATA_AFTER}, \
- HF %{MULTIPART_HEADER_FOLDING}, \
- LF %{MULTIPART_LF_LINE}, \
- SM %{MULTIPART_SEMICOLON_MISSING}'"
- # Did we see anything that might be a boundary?
- SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
- "phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+# Maximum request body size we will accept for buffering. If you support
+# file uploads then the value given on the first line has to be as large
+# as the largest file you are willing to accept. The second value refers
+# to the size of data, with files excluded. You want to keep that value as
+# low as practical.
+#
+SecRequestBodyLimit 13107200
+SecRequestBodyNoFilesLimit 131072
+
+# Store up to 128 KB of request body data in memory. When the multipart
+# parser reachers this limit, it will start using your hard disk for
+# storage. That is slow, but unavoidable.
+#
+SecRequestBodyInMemoryLimit 131072
+
+# What do do if the request body size is above our configured limit.
+# Keep in mind that this setting will automatically be set to ProcessPartial
+# when SecRuleEngine is set to DetectionOnly mode in order to minimize
+# disruptions when initially deploying ModSecurity.
+#
+SecRequestBodyLimitAction Reject
+
+# Verify that we've correctly processed the request body.
+# As a rule of thumb, when failing to process a request body
+# you should reject the request (when deployed in blocking mode)
+# or log a high-severity alert (when deployed in detection-only mode).
+#
+SecRule REQBODY_ERROR "!@eq 0" \
+"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+
+# By default be strict with what we accept in the multipart/form-data
+# request body. If the rule below proves to be too strict for your
+# environment consider changing it to detection-only. You are encouraged
+# _not_ to remove it altogether.
+#
+SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+"id:'200002',phase:2,t:none,log,deny,status:44, \
+msg:'Multipart request body failed strict validation: \
+PE %{REQBODY_PROCESSOR_ERROR}, \
+BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+DB %{MULTIPART_DATA_BEFORE}, \
+DA %{MULTIPART_DATA_AFTER}, \
+HF %{MULTIPART_HEADER_FOLDING}, \
+LF %{MULTIPART_LF_LINE}, \
+SM %{MULTIPART_MISSING_SEMICOLON}, \
+IQ %{MULTIPART_INVALID_QUOTING}, \
+IP %{MULTIPART_INVALID_PART}, \
+IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+# Did we see anything that might be a boundary?
+#
+SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+# PCRE Tuning
+# We want to avoid a potential RegEx DoS condition
+#
+SecPcreMatchLimit 1000
+SecPcreMatchLimitRecursion 1000
+
+# Some internal errors will set flags in TX and we will need to look for these.
+# All of these are prefixed with "MSC_". The following flags currently exist:
+#
+# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
+#
+SecRule TX:/^MSC_/ "!@streq 0" \
+ "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+
+# -- Response body handling --------------------------------------------------
+
+# Allow ModSecurity to access response bodies.
+# You should have this directive enabled in order to identify errors
+# and data leakage issues.
+#
+# Do keep in mind that enabling this directive does increases both
+# memory consumption and response latency.
+#
+SecResponseBodyAccess On
+
+# Which response MIME types do you want to inspect? You should adjust the
+# configuration below to catch documents but avoid static files
+# (e.g., images and archives).
+#
+SecResponseBodyMimeType text/plain text/html text/xml
+
+# Buffer response bodies of up to 512 KB in length.
+SecResponseBodyLimit 524288
+
+# What happens when we encounter a response body larger than the configured
+# limit? By default, we process what we have and let the rest through.
+# That's somewhat less secure, but does not break any legitimate pages.
+#
+SecResponseBodyLimitAction ProcessPartial
+
+
+# -- Filesystem configuration ------------------------------------------------
+
+# The location where ModSecurity stores temporary files (for example, when
+# it needs to handle a file upload that is larger than the configured limit).
+#
+# This default setting is chosen due to all systems have /tmp available however,
+# this is less than ideal. It is recommended that you specify a location that's private.
+#
+SecTmpDir /tmp/
+
+# The location where ModSecurity will keep its persistent data. This default setting
+# is chosen due to all systems have /tmp available however, it
+# too should be updated to a place that other users can't access.
+#
+SecDataDir /tmp/
+
+
+# -- File uploads handling configuration -------------------------------------
+
+# The location where ModSecurity stores intercepted uploaded files. This
+# location must be private to ModSecurity. You don't want other users on
+# the server to access the files, do you?
+#
+#SecUploadDir /opt/modsecurity/var/upload/
+
+# By default, only keep the files that were determined to be unusual
+# in some way (by an external inspection script). For this to work you
+# will also need at least one file inspection rule.
+#
+#SecUploadKeepFiles RelevantOnly
+
+# Uploaded files are by default created with permissions that do not allow
+# any other user to access them. You may need to relax that if you want to
+# interface ModSecurity to an external program (e.g., an anti-virus).
+#
+#SecUploadFileMode 0600
+
+
+# -- Debug log configuration -------------------------------------------------
+
+# The default debug log configuration is to duplicate the error, warning
+# and notice messages from the error log.
+#
+#SecDebugLog /var/log/apache2/modsec_debug.log
+#SecDebugLogLevel 3
+
+# -- Audit log configuration -------------------------------------------------
+
+# Log the transactions that are marked by a rule, as well as those that
+# trigger a server error (determined by a 5xx or 4xx, excluding 404,
+# level response status codes).
+#
+SecAuditEngine RelevantOnly
+SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+
+# Log everything we know about a transaction.
+SecAuditLogParts ABIJDEFHZ
+
+# Use a single file for logging. This is much easier to look at, but
+# assumes that you will use the audit log only ocassionally.
+#
+SecAuditLogType Serial
+SecAuditLog /var/log/apache2/modsec_audit.log
+
+# Specify the path for concurrent audit logging.
+#SecAuditLogStorageDir /opt/modsecurity/var/audit/
+
+
+# -- Miscellaneous -----------------------------------------------------------
+
+# Use the most commonly used application/x-www-form-urlencoded parameter
+# separator. There's probably only one application somewhere that uses
+# something else so don't expect to change this value.
+#
+SecArgumentSeparator &
+
+# Settle on version 0 (zero) cookies, as that is what most applications
+# use. Using an incorrect cookie version may open your installation to
+# evasion attacks (against the rules that examine named cookies).
+#
+SecCookieFormat 0
+
+# Specify your Unicode Code Point.
+# This mapping is used by the t:urlDecodeUni transformation function
+# to properly map encoded data to your language. Properly setting
+# these directives helps to reduce false positives and negatives.
+#
+#SecUnicodeCodePage 20127
+#SecUnicodeMapFile unicode.mapping
+
+
+
+
+
+
+Include /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
+# as set up with symlinks for files that are placed here:
+Include /etc/apache2/mod_security2.d/*.conf
+
diff --git a/modsecurity-2.8.0.tar.gz b/modsecurity-2.8.0.tar.gz
new file mode 100644
index 0000000..7f20c32
--- /dev/null
+++ b/modsecurity-2.8.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5cbbc7fc993d39106b653213753d25c4ec21771eee17b01b69122ccf3f73460e
+size 3940357
diff --git a/modsecurity-apache_2.6.7.tar.gz b/modsecurity-apache_2.6.7.tar.gz
deleted file mode 100644
index cd8df78..0000000
--- a/modsecurity-apache_2.6.7.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3fa05e2be9e8a6e99747defe0df35ace99ba44683afef5205819db9706c03f29
-size 785852
diff --git a/modsecurity_diagram_apache_request_cycle.jpg b/modsecurity_diagram_apache_request_cycle.jpg
new file mode 100644
index 0000000..b31317a
--- /dev/null
+++ b/modsecurity_diagram_apache_request_cycle.jpg
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4366e727c511bccbf56ec646dd0961c65c8054fdc235ab26e06e3faf08052f6d
+size 46799
diff --git a/rules.tar.bz2 b/rules.tar.bz2
deleted file mode 100644
index dcd63ce..0000000
--- a/rules.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5b025dd7e2fc74aebf4bbf671ef238325737cc8a5da9e1eda6c9f739d5d2226b
-size 33001
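Review bot: Rules 200002 and 200003 deny with `status:44`, which is not a valid HTTP status code, while rule 200001 in the same hunk uses `status:400` for the equivalent request-body failure; the two action lines should read `"id:'200002',phase:2,t:none,log,deny,status:400, \` and `"id:'200003',phase:2,t:none,log,deny,status:400,msg:'Multipart parser detected a possible unmatched boundary.'"`. With `SecRuleEngine DetectionOnly` the value is never sent, so the mismatch only surfaces once an administrator follows the header comment and switches the engine to On. Separately, `SecTmpDir /tmp/` and `SecDataDir /tmp/` keep temporary files and persistent collections in a world-writable directory that the surrounding comments themselves call less than ideal; since this file is shipped by the package rather than hand-written, a package-owned directory private to the apache user (e.g. `SecDataDir <PACKAGE_PRIVATE_DIR>/`, created at install time) would be the safer default. The same `/tmp` concern presumably applies to the commented-out `SecUploadDir` should it ever be enabled.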