Merge pull request #4 from SpiderLabs/v3.2/dev

Bringing fork up to date

Author: spartantri

.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,29 @@
+<!--- For help and support please go to Stack Exchange: -->
+<!--- https://security.stackexchange.com/questions/tagged/owasp-crs -->
+
+<!--- Provide a general summary of the issue in the Title above -->
+
+## Type of Issue
+<!-- Incorrect blocking (false positive), incorrect bypass (false negative), -->
+<!-- bug fix, feature suggestion -->
+
+## Description
+<!-- In case of a false positive, please provide a copy of the audit -->
+<!-- log entry. You can usually find this at /var/log/modsec_audit.log. -->
+<!-- In case of a false negative, please provide the payload you -->
+<!-- are sending. For complex payloads with headers, please include -->
+<!-- a curl command. -->
+<!-- Include any relevant CVEs or research links. -->
+
+## Your Environment
+<!--- Include as many relevant details about the environment you -->
+<!--- experienced the bug in: -->
+* CRS version (e.g. v3.0.2):
+* ModSecurity version (e.g. 2.9.2):
+* Web Server and version (e.g. apache 2.4.27):
+* Operating System and version:
+
+## Confirmation
+
+[ ] I have removed any personal data (email addresses, IP addresses,
+    passwords, domain names) from any logs posted.

.gitmodules

@@ -2,7 +2,3 @@
 	path = documentation/OWASP-CRS-Documentation
 	url = https://github.com/SpiderLabs/OWASP-CRS-Documentation
 	branch = master
-[submodule "util/regression-tests/OWASP-CRS-regressions"]
-	path = util/regression-tests/OWASP-CRS-regressions
-	url = https://github.com/SpiderLabs/OWASP-CRS-regressions
-	branch = master

CHANGES

@@ -5,12 +5,122 @@
   or the CRS mailinglist at
 * https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
 
-== Version 3.1.0 - 6/5/2017 ==
+== Version 3.1.1 - 2019-06-26 ==
+ * Fix CVE-2019-11387 ReDoS against CRS on ModSecurity 3 at PL 2 (Christoph Hansen, Federico G. Schwindt)
+ * Content-Type made case insensitive in 920240, 920400 (Federico G. Schwindt)
+ * Allow % encoding in 920240 (Christoph Hansen)
+ * Fix bug in 920440 (Andrea Menin)
+ * Fix bug in 920470 (Walter Hop)
+ * Reduce false positives in 921110 (Yu Yagihashi, Federico G. Schwindt)
+ * Fix bug in 943120 (XeroChen)
+
+== Version 3.1.0 - 8/7/2018 ==
+ * Add Detectify scanner (theMiddle)
+ * Renaming matched_var/s (Victor Hora)
+ * Remove lines with bare '#' comment char (Walter Hop)
+ * Drop the XML variable from rule 932190 (Federico G. Schwindt)
+ * Update outdated URLs (Walter Hop)
+ * remove unused rule 901180 (Walter Hop)
+ * Drop exit from unix and windows RCE (Federico G. Schwindt)
+ * Fix anomaly_score counters (Federico G. Schwindt)
+ * Remove mostly redundant 944220 in favor of 944240 (Christian Folini)
+ * Add self[ and document[ to rule 941180 (theMiddle)
+ * Provide proxy support within CRS docker image (Scott O'Neil)
+ * Prevent bypass in rule 930120 PL3 (theMiddle)
+ * Fix small typo in variable (Felipe Zipitría)
+ * Fix bug #1166 in Docker image (Franziska Bühler)
+ * Remove revision status from rules (Federico G. Schwindt) 
+ * Add template for issues (Federico G. Schwindt)
+ * Correct failing travis tests in merge situations (Federico G. Schwindt)
+ * Remove unused global variable in IIS rules (Chaim Sanders)
+ * Refactor to use phase number instead of name (Federico G. Schwindt)
+ * Add uploaded file name check; refresh LFI / filename checks (Walter Hop)
+ * Introduce critical sibling of 920340 in PL2 (Walter Hop)
+ * Fix bypass caused by multiple spaces in RCE rules (Walter Hop)
+ * Remove unneded regex capture groups (Federico G. Schwindt)
+ * Add built-in exceptions for CPanel (Christoph Hansen)
+ * Add additional file restrictios for ws_ftp, DS_Store... (Jose Nazario)
+ * Fix missing strings in 942410 (Franziska Bühler)
+ * Add 2 missing PDO errors (Christoph Hansen)
+ * Fix issues with FPs in regression tests (Chaim Sanders)
+ * Add Nextcloud client exclusion support (Christoph Hansen)
+ * Fix spelling mistakes in REQUEST-942- (Padraig Doran, Chaim Sanders)
+ * Explicitly ignore the user defined rules (Aaron Haaf, Chaim Sanders)
+ * Add regression tests for 942490 (Christoph Hansen, Chaim Sanders)
+ * Add Owncloud client exclusion support (Christoph Hansen, Christian Folini)
+ * Adding 'F-Secure Radar' vulnerability scanner UA (Christian Folini, Chaim Sanders)
+ * Update DockerFile to use Ubuntu as base (Chaim Sanders)
+ * False positives 942360: move alter and union (Franziska Bühler, Chaim Sanders)
+ * Add support for Java style attacks (Manuel Spartan, Walter Hop)
+ * Fix various regression tests issues caused by webserver handling (azhao155, Chaim Sanders)
+ * Update TravisCI to build on a per PR basis (Chaim Sanders)
+ * Optimized rule 921160 and regex (Allan Boll, Chaim Sanders)
+ * Update the consistency across various files (Federico G. Schwindt)
+ * Add missing transform, 944120 sibling 944240 (Manuel Spartan)
+ * Fix false positive for 'like' in 942120 (Walter Hop)
+ * Add regression tests for Java Rules (Manuel Spartan)
+ * Fixup and small reorg of dokuwiki rule exclusion package (Christian Folini)
+ * Make TravisCI tests fail if Apache can't load rules (Felipe Zipitría)
+ * Add exclusion rules for Dokuwiki (Matt Bagley, Christian Folini)
+ * Inital exclusions for NextCloud installs (Matt Bagley, Christian Folini)
+ * Added struts-pwn UA to list (Manuel Spartan)
+ * Uses MULTIPART_MISSING_SEMICOLON instead of MULTIPART_SEMICOLON_MISSING (Felipe Zimmerle)
+ * Add file upload checks (Manuel Spartan)
+ * Check if Transfer-Encoding is missing (Federico G. Schwindt, Christian Folini)
+ * Remove duplicated variables (Federico G. Schwindt)
+ * Reduce FP by splitting classic SQL injection rule 942370 (Christoph Hansen)
+ * Fix typo in REQUEST-920-PROTOCOL-ENFORCEMENT (ihacku, Franziska Bühler)
+ * Add configurable timestamp format to FTW integration (Christian Folini)
+ * Add badges to README (Felipe Zipitría)
+ * Add clarifying comments to 910110 (Christian Folini)
+ * Making rule 933131 case-insensitive (Manuel Spartan)
+ * Merge and reorder rules as part of cleanup (Federico G. Schwindt)
+ * Update copyright date and syntax (Jose Nazario, Felipe Zipitría)
+ * Updated SecMarker and SkipAfter names to use meet guidelines (Felipe Zipitría)
+ * Tidy up single quotes and other guidelines updates (Felipe Zipitría)
+ * Syntax fix for setvar crs_exclusions_wordpress (Manuel Spartan)
+ * Updated various contributors to developers (Christian Folini)
+ * Revise SQL rules by disassembling them into their core protections (Franziska Bühler)
+ * Add an exmaple payload to 920220 (coolt)
+ * Add a missing regex to rule 942310 (Franziska Bühler)
+ * Detect GET or HEAD with Transfer-Encoding header (Federico G. Schwindt)
+ * Fix broken links in references (Pásztor Gábor)
+ * Add contributing guidelines (Felipe Zipitría)
+ * Fix processing bypasses in rule 931130 (Felipe Zipitría, Christian Folini)
+ * Correct small omissions in unix-shell.data (Walter Hop)
+ * Add IIS specific detection to LFI-os-files.data (Manuel Spartan)
+ * Update examples to match the current cleanup (Federico G. Schwindt)
+ * Corrected the ordering of actions to meet guidelines (Felipe Zipitría)
+ * Remove unused capture groups (Federico G. Schwindt)
+ * Use explicit rx operator (Federico G. Schwindt)
+ * Update the RCE regular expressions(Walter Hop, Federico G. Schwindt)
+ * Removing maturity & accuracy from rules (Felipe Zipitría)
+ * Increasing range header (Christoph Hansen)
+ * Fixed upgrade.py script argument options (Glyn Mooney)
+ * Updating to reflect OWASP flagship status (Chaim Sanders)
+ * Adding Docker support for CRS (Chaim Sanders)
+ * Initial Travis deployment (Zack Allen, Walter Hop)
+ * Inital commit of regression tests (Chaim Sanders, Walter Hop)
+ * Remove test for 921170 because it won't ever fire (Chaim Sanders, Walter Hop)
+ * Update minor incorrectness in asp.net regex (Chaim Sanders, Walter Hop)
+ * Add notification for builds against #modsecurity on freenode (Zack Allen, Walter Hop)
+ * Add all past code contributors and convert to markdown (Walter Hop)
+ * Block uploads of files with .phps extension (Walter Hop)
+ * Improve message for script upload with superfluous extension (Walter Hop)
+ * Remove trailing whitespace in various regexs (Walter Hop)
+ * Add command popd to direct unix rce list in rule 932150 (Franziska Bühler)
+ * Remove unnecessary END_XSS_CHECKS marker (Christian Folini)
+ * Ignore Whitespaces in Rule 942110 (Christoph Hansen)
+ * Update missing RCE Commands (Umar Farook)
+ * Update lfi-os-files.data (Umar Farook)
+ * Removed deprecated t:removeComments from 942100 (Christian Folini)
+ * Add word boundary to rule 942410 (Franziska Bühler)
 
 == Version 3.0.2 - 5/12/2017 ==
 
  * Remove debug rule that popped up in 3.0.1 (Christian Folini)
 
+
 == Version 3.0.1 - 5/9/2017 ==
 
  * SECURITY: Removed insecure handling of X-Forwarded-For header;
@@ -48,7 +158,6 @@
  * Fixed bug with DoS rule 912160 (@loudly-soft, Christian Folini)
 
 
-
 == Version 3.0.0 - 11/10/2016 ==
 
 Huge changeset running in separate branch from September 2013 to September 2016.

CONTRIBUTING.md

@@ -14,8 +14,9 @@ please adhere to the following contributing guidelines.
 
 ## Making Changes
 
-* Please base your changes on branch ```v3.1/dev```
+* Please base your changes on branch ```v3.2/dev```
 * Create a topic branch for your feature or bug fix.
+* Please fix only one problem at a time; this will help to quickly test and merge your change. If you intend to fix multiple unrelated problems, please use a separate branch for each problem.
 * Make commits of logical units.
 * Make sure your commits adhere to the rules guidelines below.
 * Make sure your commit messages are in the [proper format](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html): The first line of the message should have 50 characters or less, separated by a blank line from the (optional) body. The body should be wrapped at 70 characters and paragraphs separated by blank lines. Bulleted lists are also fine.
@@ -63,7 +64,6 @@ please adhere to the following contributing guidelines.
     sanitiseMatchedBytes
     ctl
     setenv
-    rev
     ver
     severity
     setvar

CONTRIBUTORS.md

@@ -12,6 +12,7 @@
 - [Franziska Bühler](https://github.com/franbuehler)
 - [Christoph Hansen](https://github.com/emphazer)
 - [Victor Hora](https://github.com/victorhora)
+- [Andrea Menin](https://github.com/theMiddleBlue)
 - [Federico G. Schwindt](https://github.com/fgsch)
 - [Manuel Spartan](https://github.com/spartantri)
 - [Felipe Zimmerle](https://github.com/zimmerle)
@@ -20,25 +21,35 @@
 ## Contributors:
 
 - [Zack Allen](https://github.com/zmallen)
+- [azhao155](https://github.com/azhao155)
+- [Matt Bagley](https://github.com/bagley)
 - [Ryan Barnett](https://github.com/rcbarnett)
+- [Allan Boll](https://github.com/allanbomsft)
 - [Jeremy Brown](https://github.com/jwbrown77)
 - [Jonathan Claudius](https://github.com/claudijd)
+- [coolt](https://github.com/coolt)
 - [Ashish Dixit](https://github.com/tundal45)
+- [Padraig Doran](https://github.com/padraigdoran)
+- [Umar Farook](https://github.com/umarfarook882)
 - [FrozenSolid](https://github.com/frozenSolid)
+- [Pásztor Gábor](https://github.com/gpasztor87)
 - [Aaron Haaf](https://github.com/Everspace)
 - [Michael Haas](https://github.com/MichaelHaas)
 - [jamuse](https://github.com/jamuse)
 - [Krzysztof Kotowicz](https://github.com/koto)
 - [Evgeny Marmalstein](https://github.com/shimshon70)
 - [Christian Mehlmauer](https://github.com/FireFart)
 - [Glyn Mooney](https://github.com/skidoosh)
+- [Jose Nazario](https://github.com/paralax)
+- [Scott O'Neil](https://github.com/cPanelScott)
 - [Robert Paprocki](https://github.com/p0pr0ck5)
 - [Christian Peron](https://github.com/csjperon)
 - [Elia Pinto](https://github.com/yersinia)
 - [Brian Rectanus](https://github.com/b1v1r)
 - Ofer Shezaf
 - Breno Silva
 - [Marc Stern](https://github.com/marcstern)
+- [theMiddle](https://github.com/theMiddleBlue)
 - [Ben Williams](https://github.com/benwilliams)
 - [Greg Wroblewski](https://github.com/gwroblew)
 - [ygrek](https://github.com/ygrek)

IDNUMBERING

@@ -25,11 +25,13 @@ Installing From a Package Manager
     maintained by independent packagers who package CRS in their own time.
     Historically, many of these packages have been out of date. As such,
     it is recommended that you install, where possible, from our GitHub
-    repository. The following packages are known to exist:
+    repository. The following CRS 3.x packages are known to exist:
 
-    *There are currently no known packages of CRS 3.x.*
+    modsecurity-crs  - Debian
+    mod_security_crs - Fedora
+    modsecurity-crs  - Gentoo 
 
-    Packages of CRS 2.0 are incompatible with CRS 3.x.
+    Packages of CRS 2.x are incompatible with CRS 3.x.
 
 Installing From Git
 ===================

INSTALL

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright 2006 the OWASP Core Rule Set contributors
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

LICENSE

@@ -1,5 +1,6 @@
-[![Join the chat at https://gitter.im/owasp-crs/Lobby](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/owasp-crs/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)![Travis build v3.1/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.1/dev&label=CRS%20v3.1/dev)![Travis build v3.0/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.0/dev&label=CRS%20v3.0/dev)![Travis build v3.0/master](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.0/master&label=CRS%20v3.0/master)
+![Travis build v3.2/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.2/dev&label=CRS%20v3.2/dev)![Travis build v3.1/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.1/dev&label=CRS%20v3.1/dev)![Travis build v3.0/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.0/dev&label=CRS%20v3.0/dev)
 [![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Flagship_Projects)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1390/badge)](https://bestpractices.coreinfrastructure.org/projects/1390)
 
 # OWASP ModSecurity Core Rule Set (CRS)