The OWASP ModSecurity team is pleased to announce the release of versions 2.9.8 and 3.0.13. These versions both include a mixture of new features and bug fixes.
For the complete list of changes, please take a look at the respective CHANGELOGs: mod_security2 and libmodsecurity3. For some of the more complex changes, you may want to read through the corresponding pull requests (linked below) to understand rationales and implementation details.
It’s been a long time since the last releases, especially in the case of v2.
Major changes in v2 (details below):
- added a CI workflow
- changed error log format - #1
- added a new MULTIPART HEADER check - #2
- fixed many potential memory leaks and other potential memory handling problems
v2 #1 - changed error log format
See PR #3192. The old log format differs from the new one as follows:
old:
[Wed Aug 28 17:07:09.416861 2024] [security2:error] [pid 729352:tid 729355] [client ::1:55806] [client ::1] ModSecurity ...
new:
[Wed Aug 28 17:07:09.416861 2024] [security2:error] [pid 729352:tid 729355] [client ::1:55806] ModSecurity ...
As you can see, the second [client] field was removed.
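For log pipelines that parse these lines, the following added example (not ModSecurity project code) accepts both layouts by treating the second [client] field as optional, so a parser keeps working across the upgrade. The function and field names are illustrative, and the sample lines are the two shown above.

```python
import re

# Apache error-log prefix as it appears in the two sample lines above.
# The second, port-less [client <ip>] field is optional: the old format
# has it, the new format does not.
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] "
    r"\[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"\[client (?P<peer>[^\]]+)\] "
    r"(?:\[client (?P<legacy_ip>[^\]]+)\] )?"
    r"(?P<message>ModSecurity.*)$"
)

# Sample lines copied from the announcement (message part is elided there too).
OLD_SAMPLE = ("[Wed Aug 28 17:07:09.416861 2024] [security2:error] "
              "[pid 729352:tid 729355] [client ::1:55806] [client ::1] ModSecurity ...")
NEW_SAMPLE = ("[Wed Aug 28 17:07:09.416861 2024] [security2:error] "
              "[pid 729352:tid 729355] [client ::1:55806] ModSecurity ...")


def parse_modsec_line(line):
    """Return a dict of fields for an old- or new-format line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # Assumption: the first [client] field is always <ip>:<port>; the port is
    # whatever follows the last colon, which also works for IPv6 peers.
    ip, _, port = m.group("peer").rpartition(":")
    if not ip or not port.isdigit():
        return None
    legacy_ip = m.group("legacy_ip")
    return {
        "time": m.group("time"),
        "module": m.group("module"),
        "level": m.group("level"),
        "pid": int(m.group("pid")),
        "tid": int(m.group("tid")),
        "client_ip": ip,
        "client_port": int(port),
        "legacy_client_ip": legacy_ip,  # None for the new format
        "format": "old" if legacy_ip is not None else "new",
        "message": m.group("message"),
    }


if __name__ == "__main__":
    for sample in (OLD_SAMPLE, NEW_SAMPLE):
        print(parse_modsec_line(sample))
```

A pattern that requires the second [client] field will stop matching after the upgrade, so parsers and alert rules anchored on it need the same optional group.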
v2 #2 - added a new MULTIPART HEADER check
See PR #3226. For multipart requests, the engine checks that the header does not contain invalid characters. This is similar to CRS’s PR #3796 but on the engine’s level. For more details, see the related blog post.
Contributors:
@3eka, @airween, @fzipi, @marcstern, @martinhsv, @Polynomial-C, @twouters, @zhaoshikui.
Major changes in v3:
- added Windows port - #1
- improved CI workflow
- removed unnecessary string copy operations, improved engine speed - several PRs
- fixed a bug in @pm operator - #2
- extended the C/C++ API - #3
v3 #1 - added Windows port
See PR #3132. Libmodsecurity3 builds on Windows now.
v3 #2 - fixed a bug in @pm operator
See PR #3243 and PR #3233. Fixed parsing of digits which were not quoted and thus not interpreted as ASCII characters (like the hexadecimal digits) but as binary values, e.g. 0 was interpreted as string terminator ('\0') and not ASCII '0' (chr(48)).
v3 #3 - extended the C/C++ API
There are three new functions:
Contributors:
@airween, @bitbehz, @devzero2000, @eduar-hte, @frozenice, @fzipi, @gberkes, @M4tteoP, @MirkoDziadzka, @rkrishn7.
Special thanks to:
@dune73, @fzipi, @theseion for their huge help in discussions, ideas, GitHub settings and workflow management.
We would like to thank the employers of the participating developers, especially Approach Cyber and Digitalwave.