Merge commit '0c3e271b0fef1dc1a1053899dcb61fdcbaea4886' into dev

2026-05-24 09:28:37 +00:00 · 2024-01-30 18:09:44 +01:00 · 2024-01-30 18:09:44 +01:00 · 974c781070
commit 974c781070
parent 4f9f666fb8 0c3e271b0f
8 changed files with 87 additions and 39 deletions
--- a/src/deps/src/modsecurity/.github/workflows/ci.yml
+++ b/src/deps/src/modsecurity/.github/workflows/ci.yml
@ -45,7 +45,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
-        os: [macos-11]
+        os: [macos-12]
        compiler: [clang]
        configure:
          - {label: "with parser generation", opt: "--enable-parser-generation" }
--- a/src/deps/src/modsecurity/CHANGES
+++ b/src/deps/src/modsecurity/CHANGES
@ -1,3 +1,11 @@
+v3.0.12 - 2024-Jan-30
+---------------------
+
+  - Change REQUEST_FILENAME and REQUEST_BASENAME behavior
+    [Issue #3048 - @martinhsv, @theMiddleBlue, @theseion, @M4tteoP, @airween]
+  - Set the minimum security protocol version for SecRemoteRules
+    [Issue security/code-scanning/2 - @airween]
+
 v3.0.11 - 2023-Dec-06
 ---------------------

--- a/src/deps/src/modsecurity/README.md
+++ b/src/deps/src/modsecurity/README.md
@ -1,16 +1,16 @@

-<img src="https://github.com/SpiderLabs/ModSecurity/raw/v3/master/others/modsec.png" width="50%">
+<img src="https://github.com/owasp-modsecurity/ModSecurity/raw/v3/master/others/modsec.png" width="50%">

-![Quality Assurance](https://github.com/SpiderLabs/ModSecurity/workflows/Quality%20Assurance/badge.svg)
-[![Build Status](https://sonarcloud.io/api/project_badges/measure?project=USHvY32Uy62L&metric=alert_status)](https://sonarcloud.io/dashboard?id=USHvY32Uy62L)
-[![](https://sonarcloud.io/api/project_badges/measure?project=USHvY32Uy62L&metric=sqale_rating
-)](https://sonarcloud.io/dashboard?id=USHvY32Uy62L)
-[![](https://sonarcloud.io/api/project_badges/measure?project=USHvY32Uy62L&metric=reliability_rating
-)](https://sonarcloud.io/dashboard?id=USHvY32Uy62L)
-[![](https://sonarcloud.io/api/project_badges/measure?project=USHvY32Uy62L&metric=security_rating
-)](https://sonarcloud.io/dashboard?id=USHvY32Uy62L)
-[![](https://sonarcloud.io/api/project_badges/measure?project=USHvY32Uy62L&metric=vulnerabilities
-)](https://sonarcloud.io/dashboard?id=USHvY32Uy62L)
+![Quality Assurance](https://github.com/owasp-modsecurity/ModSecurity/workflows/Quality%20Assurance/badge.svg)
+[![Build Status](https://sonarcloud.io/api/project_badges/measure?project=owasp-modsecurity_ModSecurity&metric=alert_status)](https://sonarcloud.io/dashboard?id=owasp-modsecurity_ModSecurity)
+[![](https://sonarcloud.io/api/project_badges/measure?project=owasp-modsecurity_ModSecurity&metric=sqale_rating
+)](https://sonarcloud.io/dashboard?id=owasp-modsecurity_ModSecurity)
+[![](https://sonarcloud.io/api/project_badges/measure?project=owasp-modsecurity_ModSecurity&metric=reliability_rating
+)](https://sonarcloud.io/dashboard?id=owasp-modsecurity_ModSecurity)
+[![](https://sonarcloud.io/api/project_badges/measure?project=owasp-modsecurity_ModSecurity&metric=security_rating
+)](https://sonarcloud.io/dashboard?id=owasp-modsecurity_ModSecurity)
+[![](https://sonarcloud.io/api/project_badges/measure?project=owasp-modsecurity_ModSecurity&metric=vulnerabilities
+)](https://sonarcloud.io/dashboard?id=owasp-modsecurity_ModSecurity)



@ -21,7 +21,7 @@ capability to load/interpret rules written in the ModSecurity SecRules format
 and apply them to HTTP content provided by your application via Connectors.

 If you are looking for ModSecurity for Apache (aka ModSecurity v2.x), it is still under maintenance and available:
-[here](https://github.com/SpiderLabs/ModSecurity/tree/v2/master).
+[here](https://github.com/owasp-modsecurity/ModSecurity/tree/v2/master).

 ### What is the difference between this project and the old ModSecurity (v2.x.x)?

@ -37,7 +37,7 @@ As a result of this goal we have rearchitected Libmodsecurity such that it is no

 ### It is no longer just a module.

-The 'ModSecurity' branch no longer contains the traditional module logic (for Nginx, Apache, and IIS) that has traditionally been packaged all together. Instead, this branch only contains the library portion (libmodsecurity) for this project. This library is consumed by what we have termed 'Connectors' these connectors will interface with your webserver and provide the library with a common format that it understands. Each of these connectors is maintained as a separate GitHub project. For instance, the Nginx connector is supplied by the ModSecurity-nginx project (https://github.com/SpiderLabs/ModSecurity-nginx).
+The 'ModSecurity' branch no longer contains the traditional module logic (for Nginx, Apache, and IIS) that has traditionally been packaged all together. Instead, this branch only contains the library portion (libmodsecurity) for this project. This library is consumed by what we have termed 'Connectors' these connectors will interface with your webserver and provide the library with a common format that it understands. Each of these connectors is maintained as a separate GitHub project. For instance, the Nginx connector is supplied by the ModSecurity-nginx project (https://github.com/owasp-modsecurity/ModSecurity-nginx).

 Keeping these connectors separated allows each project to have different release cycles, issues and development trees. Additionally, it means that when you install ModSecurity v3 you only get exactly what you need, no extras you won't be using.

@ -67,7 +67,7 @@ $ sudo make install
 ```

 Details on distribution specific builds can be found in our Wiki:
-[Compilation Recipes](https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes)
+[Compilation Recipes](https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes)

 ### Windows

@ -251,7 +251,7 @@ is one.
 ### Security issue

 Please do not make public any security issue. Contact us at:
-security@modsecurity.org reporting the issue. Once the problem is fixed your
+modsecurity@owasp.org reporting the issue. Once the problem is fixed your
 credit will be given.

 ## Feature request
--- a/src/deps/src/modsecurity/SECURITY.md
+++ b/src/deps/src/modsecurity/SECURITY.md
@ -6,4 +6,4 @@ The latest versions of both v2.9.x and v3.0.x are supported.

 ## Reporting a Vulnerability

-For information on how to report a security issue, please see https://github.com/SpiderLabs/ModSecurity#security-issue
+For information on how to report a security issue, please see https://github.com/owasp-modsecurity/ModSecurity#security-issue
--- a/src/deps/src/modsecurity/headers/modsecurity/modsecurity.h
+++ b/src/deps/src/modsecurity/headers/modsecurity/modsecurity.h
@ -190,7 +190,7 @@ namespace modsecurity {

 #define MODSECURITY_MAJOR "3"
 #define MODSECURITY_MINOR "0"
-#define MODSECURITY_PATCHLEVEL "11"
+#define MODSECURITY_PATCHLEVEL "12"
 #define MODSECURITY_TAG ""
 #define MODSECURITY_TAG_NUM "100"

@ -198,7 +198,7 @@ namespace modsecurity {
    MODSECURITY_MINOR "." MODSECURITY_PATCHLEVEL \
    MODSECURITY_TAG

-#define MODSECURITY_VERSION_NUM 30110100
+#define MODSECURITY_VERSION_NUM 30120100

 #define MODSECURITY_CHECK_VERSION(a) (MODSECURITY_VERSION_NUM <= a)

--- a/src/deps/src/modsecurity/src/transaction.cc
+++ b/src/deps/src/modsecurity/src/transaction.cc
@ -463,6 +463,14 @@ int Transaction::processURI(const char *uri, const char *method,

    size_t pos_raw_query = uri_s.find("?");

+    std::string path_info_raw;
+    if (pos_raw_query == std::string::npos) {
+        path_info_raw = std::string(uri_s, 0);
+    } else {
+        path_info_raw = std::string(uri_s, 0, pos_raw_query);
+    }
+    std::string path_info = utils::uri_decode(path_info_raw);
+
    m_uri_decoded = utils::uri_decode(uri_s);

    size_t var_size = pos_raw_query;
@ -477,15 +485,8 @@ int Transaction::processURI(const char *uri, const char *method,
    m_variableRequestProtocol.set("HTTP/" + std::string(http_version),
        m_variableOffset + requestLine.size() + 1);

-
-    size_t pos_query = m_uri_decoded.find("?");
-    if (pos_query != std::string::npos) {
-        m_uri_no_query_string_decoded = std::unique_ptr<std::string>(
-            new std::string(m_uri_decoded, 0, pos_query));
-    } else {
-        m_uri_no_query_string_decoded = std::unique_ptr<std::string>(
-            new std::string(m_uri_decoded));
-    }
+    m_uri_no_query_string_decoded = std::unique_ptr<std::string>(
+        new std::string(path_info));


    if (pos_raw_query != std::string::npos) {
@ -495,12 +496,7 @@ int Transaction::processURI(const char *uri, const char *method,
            + std::string(method).size() + 1);
    }

-    std::string path_info;
-    if (pos_query == std::string::npos) {
-        path_info = std::string(m_uri_decoded, 0);
-    } else {
-        path_info = std::string(m_uri_decoded, 0, pos_query);
-    }
+
    if (var_size == std::string::npos) {
        var_size = uri_s.size();
    }
--- a/src/deps/src/modsecurity/src/utils/https_client.cc
+++ b/src/deps/src/modsecurity/src/utils/https_client.cc
@ -87,8 +87,8 @@ bool HttpsClient::download(const std::string &uri) {
        headers_chunk = curl_slist_append(headers_chunk, m_key.c_str());
    }

-    /* Make it TLS 1.x only. */
-    curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
+    /* Make it TLS 1.2 at least. */
+    curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);

    /* those are the default options, but lets make sure */
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
--- a/src/deps/src/modsecurity/test/test-cases/regression/variable-PATH_INFO.json
+++ b/src/deps/src/modsecurity/test/test-cases/regression/variable-PATH_INFO.json
@ -2,7 +2,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Testing Variables :: PATH_INFO (1/3)",
+    "title":"Testing Variables :: PATH_INFO (1/4)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -46,7 +46,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Testing Variables :: PATH_INFO (2/3)",
+    "title":"Testing Variables :: PATH_INFO (2/4)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -90,7 +90,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Testing Variables :: PATH_INFO (3/3)",
+    "title":"Testing Variables :: PATH_INFO (3/4)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -130,5 +130,49 @@
      "SecRuleEngine On",
      "SecRule PATH_INFO \"@contains test \" \"id:1,phase:3,pass,t:trim\""
    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing Variables :: PATH_INFO (4/4)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*",
+        "Content-Length":"27",
+        "Content-Type":"application/x-www-form-urlencoded"
+      },
+      "uri":"/one/t%3fo/three?key=value",
+      "method":"POST",
+      "body":[
+        "param1=value1&param2=value2"
+      ]
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "http_code": 403
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecRule PATH_INFO \"@contains three\" \"id:1,phase:2,deny,status:403,t:trim\""
+    ]
  }
 ]