Squashed 'src/deps/src/modsecurity/' changes from bbde9381cb..5f44383236

5f44383236 Change release version to v3.0.12 d648a44ff5 Merge pull request #3048 from airween/v3/encodedqm 5f28c2bb21 Change REQUEST_FILENAME behavior a859574bf2 Merge pull request #3041 from airween/v3/remoterulestls 9040893c04 Merge pull request #3042 from airween/v3/docsecurity_updates de4d97ea4e Replaced the organization name in references; changed the security e-mail ec8e800a6a Set the minimum security protocol version for SecRemoteRules 7aae94b286 Update README.md 3e7227bfa1 github workflow: update macos version to macos-12 1ced1047cc CHANGES: Preparing for next version git-subtree-dir: src/deps/src/modsecurity git-subtree-split: 5f44383236b94ef8066529861d0b4d603f9b3bcb
2026-05-24 09:28:37 +00:00 · 2024-01-30 18:09:44 +01:00 · 2024-01-30 18:09:44 +01:00 · 0c3e271b0f
commit 0c3e271b0f
parent cfc32af85c
8 changed files with 87 additions and 39 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -45,7 +45,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
-        os: [macos-11]
+        os: [macos-12]
        compiler: [clang]
        configure:
          - {label: "with parser generation", opt: "--enable-parser-generation" }
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+v3.0.12 - 2024-Jan-30
+---------------------
+
+  - Change REQUEST_FILENAME and REQUEST_BASENAME behavior
+    [Issue #3048 - @martinhsv, @theMiddleBlue, @theseion, @M4tteoP, @airween]
+  - Set the minimum security protocol version for SecRemoteRules
+    [Issue security/code-scanning/2 - @airween]
+
 v3.0.11 - 2023-Dec-06
 ---------------------

--- a/README.md
+++ b/README.md
@ -1,16 +1,16 @@

-<img src="https://github.com/SpiderLabs/ModSecurity/raw/v3/master/others/modsec.png" width="50%">
+<img src="https://github.com/owasp-modsecurity/ModSecurity/raw/v3/master/others/modsec.png" width="50%">

-![Quality Assurance](https://github.com/SpiderLabs/ModSecurity/workflows/Quality%20Assurance/badge.svg)
-[![Build Status](https://sonarcloud.io/api/project_badges/measure?project=USHvY32Uy62L&metric=alert_status)](https://sonarcloud.io/dashboard?id=USHvY32Uy62L)
-[![](https://sonarcloud.io/api/project_badges/measure?project=USHvY32Uy62L&metric=sqale_rating
-)](https://sonarcloud.io/dashboard?id=USHvY32Uy62L)
-[![](https://sonarcloud.io/api/project_badges/measure?project=USHvY32Uy62L&metric=reliability_rating
-)](https://sonarcloud.io/dashboard?id=USHvY32Uy62L)
-[![](https://sonarcloud.io/api/project_badges/measure?project=USHvY32Uy62L&metric=security_rating
-)](https://sonarcloud.io/dashboard?id=USHvY32Uy62L)
-[![](https://sonarcloud.io/api/project_badges/measure?project=USHvY32Uy62L&metric=vulnerabilities
-)](https://sonarcloud.io/dashboard?id=USHvY32Uy62L)
+![Quality Assurance](https://github.com/owasp-modsecurity/ModSecurity/workflows/Quality%20Assurance/badge.svg)
+[![Build Status](https://sonarcloud.io/api/project_badges/measure?project=owasp-modsecurity_ModSecurity&metric=alert_status)](https://sonarcloud.io/dashboard?id=owasp-modsecurity_ModSecurity)
+[![](https://sonarcloud.io/api/project_badges/measure?project=owasp-modsecurity_ModSecurity&metric=sqale_rating
+)](https://sonarcloud.io/dashboard?id=owasp-modsecurity_ModSecurity)
+[![](https://sonarcloud.io/api/project_badges/measure?project=owasp-modsecurity_ModSecurity&metric=reliability_rating
+)](https://sonarcloud.io/dashboard?id=owasp-modsecurity_ModSecurity)
+[![](https://sonarcloud.io/api/project_badges/measure?project=owasp-modsecurity_ModSecurity&metric=security_rating
+)](https://sonarcloud.io/dashboard?id=owasp-modsecurity_ModSecurity)
+[![](https://sonarcloud.io/api/project_badges/measure?project=owasp-modsecurity_ModSecurity&metric=vulnerabilities
+)](https://sonarcloud.io/dashboard?id=owasp-modsecurity_ModSecurity)



@ -21,7 +21,7 @@ capability to load/interpret rules written in the ModSecurity SecRules format
 and apply them to HTTP content provided by your application via Connectors.

 If you are looking for ModSecurity for Apache (aka ModSecurity v2.x), it is still under maintenance and available:
-[here](https://github.com/SpiderLabs/ModSecurity/tree/v2/master).
+[here](https://github.com/owasp-modsecurity/ModSecurity/tree/v2/master).

 ### What is the difference between this project and the old ModSecurity (v2.x.x)?

@ -37,7 +37,7 @@ As a result of this goal we have rearchitected Libmodsecurity such that it is no

 ### It is no longer just a module.

-The 'ModSecurity' branch no longer contains the traditional module logic (for Nginx, Apache, and IIS) that has traditionally been packaged all together. Instead, this branch only contains the library portion (libmodsecurity) for this project. This library is consumed by what we have termed 'Connectors' these connectors will interface with your webserver and provide the library with a common format that it understands. Each of these connectors is maintained as a separate GitHub project. For instance, the Nginx connector is supplied by the ModSecurity-nginx project (https://github.com/SpiderLabs/ModSecurity-nginx).
+The 'ModSecurity' branch no longer contains the traditional module logic (for Nginx, Apache, and IIS) that has traditionally been packaged all together. Instead, this branch only contains the library portion (libmodsecurity) for this project. This library is consumed by what we have termed 'Connectors' these connectors will interface with your webserver and provide the library with a common format that it understands. Each of these connectors is maintained as a separate GitHub project. For instance, the Nginx connector is supplied by the ModSecurity-nginx project (https://github.com/owasp-modsecurity/ModSecurity-nginx).

 Keeping these connectors separated allows each project to have different release cycles, issues and development trees. Additionally, it means that when you install ModSecurity v3 you only get exactly what you need, no extras you won't be using.

@ -67,7 +67,7 @@ $ sudo make install
 ```

 Details on distribution specific builds can be found in our Wiki:
-[Compilation Recipes](https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes)
+[Compilation Recipes](https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes)

 ### Windows

@ -251,7 +251,7 @@ is one.
 ### Security issue

 Please do not make public any security issue. Contact us at:
-security@modsecurity.org reporting the issue. Once the problem is fixed your
+modsecurity@owasp.org reporting the issue. Once the problem is fixed your
 credit will be given.

 ## Feature request
--- a/SECURITY.md
+++ b/SECURITY.md
@ -6,4 +6,4 @@ The latest versions of both v2.9.x and v3.0.x are supported.

 ## Reporting a Vulnerability

-For information on how to report a security issue, please see https://github.com/SpiderLabs/ModSecurity#security-issue
+For information on how to report a security issue, please see https://github.com/owasp-modsecurity/ModSecurity#security-issue
--- a/headers/modsecurity/modsecurity.h
+++ b/headers/modsecurity/modsecurity.h
@ -190,7 +190,7 @@ namespace modsecurity {

 #define MODSECURITY_MAJOR "3"
 #define MODSECURITY_MINOR "0"
-#define MODSECURITY_PATCHLEVEL "11"
+#define MODSECURITY_PATCHLEVEL "12"
 #define MODSECURITY_TAG ""
 #define MODSECURITY_TAG_NUM "100"

@ -198,7 +198,7 @@ namespace modsecurity {
    MODSECURITY_MINOR "." MODSECURITY_PATCHLEVEL \
    MODSECURITY_TAG

-#define MODSECURITY_VERSION_NUM 30110100
+#define MODSECURITY_VERSION_NUM 30120100

 #define MODSECURITY_CHECK_VERSION(a) (MODSECURITY_VERSION_NUM <= a)

--- a/src/transaction.cc
+++ b/src/transaction.cc
@ -463,6 +463,14 @@ int Transaction::processURI(const char *uri, const char *method,

    size_t pos_raw_query = uri_s.find("?");

+    std::string path_info_raw;
+    if (pos_raw_query == std::string::npos) {
+        path_info_raw = std::string(uri_s, 0);
+    } else {
+        path_info_raw = std::string(uri_s, 0, pos_raw_query);
+    }
+    std::string path_info = utils::uri_decode(path_info_raw);
+
    m_uri_decoded = utils::uri_decode(uri_s);

    size_t var_size = pos_raw_query;
@ -477,15 +485,8 @@ int Transaction::processURI(const char *uri, const char *method,
    m_variableRequestProtocol.set("HTTP/" + std::string(http_version),
        m_variableOffset + requestLine.size() + 1);

-
-    size_t pos_query = m_uri_decoded.find("?");
-    if (pos_query != std::string::npos) {
-        m_uri_no_query_string_decoded = std::unique_ptr<std::string>(
-            new std::string(m_uri_decoded, 0, pos_query));
-    } else {
-        m_uri_no_query_string_decoded = std::unique_ptr<std::string>(
-            new std::string(m_uri_decoded));
-    }
+    m_uri_no_query_string_decoded = std::unique_ptr<std::string>(
+        new std::string(path_info));


    if (pos_raw_query != std::string::npos) {
@ -495,12 +496,7 @@ int Transaction::processURI(const char *uri, const char *method,
            + std::string(method).size() + 1);
    }

-    std::string path_info;
-    if (pos_query == std::string::npos) {
-        path_info = std::string(m_uri_decoded, 0);
-    } else {
-        path_info = std::string(m_uri_decoded, 0, pos_query);
-    }
+
    if (var_size == std::string::npos) {
        var_size = uri_s.size();
    }
--- a/src/utils/https_client.cc
+++ b/src/utils/https_client.cc
@ -87,8 +87,8 @@ bool HttpsClient::download(const std::string &uri) {
        headers_chunk = curl_slist_append(headers_chunk, m_key.c_str());
    }

-    /* Make it TLS 1.x only. */
-    curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
+    /* Make it TLS 1.2 at least. */
+    curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);

    /* those are the default options, but lets make sure */
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
--- a/test/test-cases/regression/variable-PATH_INFO.json
+++ b/test/test-cases/regression/variable-PATH_INFO.json
@ -2,7 +2,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Testing Variables :: PATH_INFO (1/3)",
+    "title":"Testing Variables :: PATH_INFO (1/4)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -46,7 +46,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Testing Variables :: PATH_INFO (2/3)",
+    "title":"Testing Variables :: PATH_INFO (2/4)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -90,7 +90,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Testing Variables :: PATH_INFO (3/3)",
+    "title":"Testing Variables :: PATH_INFO (3/4)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -130,5 +130,49 @@
      "SecRuleEngine On",
      "SecRule PATH_INFO \"@contains test \" \"id:1,phase:3,pass,t:trim\""
    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing Variables :: PATH_INFO (4/4)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*",
+        "Content-Length":"27",
+        "Content-Type":"application/x-www-form-urlencoded"
+      },
+      "uri":"/one/t%3fo/three?key=value",
+      "method":"POST",
+      "body":[
+        "param1=value1&param2=value2"
+      ]
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "http_code": 403
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecRule PATH_INFO \"@contains three\" \"id:1,phase:2,deny,status:403,t:trim\""
+    ]
  }
 ]