Merge pull request #1527 from lifeforms/release-v3.2

Update changes, contributors, versions for v3.2

Author: lifeforms

CHANGES

@@ -5,6 +5,159 @@
   or the CRS mailinglist at
 * https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
 
+== Version 3.2.0 - 9/20/2019 ==
+
+New functionality:
+ * Add AngularJS client side template injection 941380 PL2 (Franziska Bühler)
+ * Add docker-compose.yaml and example rule exclusion files for docker-compose (Franziska Bühler)
+ * Add extended access.log format to Docker (Franziska Bühler)
+ * Add libinjection check on last path segment (Max Leske, Christian Folini)
+ * Add PUBLIC identifier for XML entities (#1490) (Rufus125)
+ * Add .rdb to default restricted_extensions (Walter Hop)
+ * Add rule 933200 PHP Wrappers (Andrea Menin)
+ * Add support for shell evasions with $IFS (Walter Hop, Chaim Sanders)
+ * Add unix-shell commands (Christoph Hansen, Chaim Sanders)
+ * Also inspect the path for the script tag (Federico G. Schwindt)
+ * Detect 80legs, sysscan, Gobuster scanners (Brent Clark)
+ * Detect CGI source code leakages (Christoph Hansen, Walter Hop)
+ * Detect 'crawler' user-agent (Federico G. Schwindt)
+ * Detect Jorgee, Zgrab scanners (Walter Hop)
+ * Detect MySQL in-line comments (Franziska Bühler)
+ * Detect Wappalyzer scanner (Christian Folini, Chaim Sanders)
+ * Java RCE: Add struts namespaces (Walter Hop)
+ * Java RCE: Detect more java classes (Manuel Leos)
+ * Javascript: Add 941370 preventing a bypass for 941180 (Andrea Menin)
+ * Make CRS variables configurable in Docker image (Franziska Bühler)
+ * New PL3 rule 920490 to protect against content-type charset bypassing (Christian Folini)
+ * Node.js unserialization + javascript RCE snippets (Walter Hop)
+ * Request smuggling: Also cover pre http/1.0 requests (Federico G. Schwindt)
+ * Restricted files: Added many dotfiles (Dan Ehrlich)
+ * SQLi bypass detection: ticks and backticks (Franziska Bühler)
+ * XenForo rule exclusion profile (Walter Hop)
+
+Removed functionality:
+ * Remove unused protected_uploads setting from setup (Walter Hop)
+ * Remove deprecated tx.msg and tx.%{rule.id}-... (Federico G. Schwindt)
+ * Remove deprecated upgrade script (Walter Hop)
+
+Improved compatibility:
+ * Add OWASP_CRS tags for ModSec 3 changes and replace ruleRemoveTargetByTag arguments (Ervin Hegedus)
+ * Replace @contain % with @rx 25; ModSec 3 fails to parse % by itself (or escaped). (Federico G. Schwindt)
+ * RE2 compatibility for 941130, 920220, 920240, 920230, 920460, 942200, 942370 (Allan Boll)
+ * Hyperscan compatibility and simplification for 942450 (Allan Boll)
+
+Fixes and improvements:
+ * 932140: fix ReDoS in FOR expression (Walter Hop)
+ * 933200: Simplify pattern (Federico G. Schwindt, Andrea Menin)
+ * Add content-type application/csp-report (Andrea Menin)
+ * Add content-type application/xss-auditor-report (Andrea Menin)
+ * Add CRS 3.2 Badge build support. (Chaim Sanders)
+ * Add CVE-2018-11776 to comments of 933160 and 933161 (Franziska Bühler)
+ * Add CVE-2018-2380 to comments of rules (Franziska Bühler)
+ * Add CVE numbers for Apache Struts vulnerabilities to comments in rules (Franziska Bühler)
+ * Added spaces in front of closing square brackets (Franziska Bühler)
+ * Adding travis changes (#1316) (Chaim Sanders)
+ * Add missing OWASP_CRS tags to 921xxx rules (Walter Hop)
+ * Add REQUEST_FILENAME to rule id 944130 and add exploits to comment (Franziska Bühler)
+ * Allow dot characters in Content-Type multipart boundary (Walter Hop)
+ * Also handle dot variant of X_Filename. PHP will transform dots to underscore in variable names since dot is invalid. (Federico G. Schwindt)
+ * Bring back CRS 2.x renumbering utility (Walter Hop)
+ * Clean up travis and reorg (Federico G. Schwindt)
+ * Content-Type is case insensitive (Federico G. Schwindt)
+ * Disassembled 941160 (Franziska Bühler)
+ * Drop separate regexp files. They are not really needed and save us from updating multiple places. (Federico G. Schwindt)
+ * Drop t:lowercase from 941350 (Federico G. Schwindt)
+ * Drop unneeded capture groups and tidy up (Federico G. Schwindt)
+ * Drop unneeded capture groups and tidy up regexps (Federico G. Schwindt)
+ * Drop unneeded unicode from 941110. Add tests to cover a few more variants as well as a negative test (Federico G. Schwindt)
+ * Fix 920440 "URL file extension is restricted by policy" regex (Andrea Menin)
+ * Fix 920460 test (Federico G. Schwindt)
+ * Fix 942101 and 942460 by adding to sqli_score variable (Christian Folini)
+ * Fix checking the existence of 'HTTP' trailing request verb and request path in the payload for HTTP request smuggling; decreases false-positives on free-form text. (Yu Yagihashi)
+ * Fix commit default for non 2.9 branch (Chaim Sanders)
+ * Fix CRS2->CRS3 mapping table (973344 -> 941100) (Chaim Sanders)
+ * Fix date (Chaim Sanders)
+ * Fix duplicate .env (jschleus, Chaim Sanders)
+ * Fix executing paranoia level counters (Christian Folini)
+ * Fix indentation and python version in crs2-renumbering script (Chaim Sanders)
+ * Fix input / headers misordering (Christian Folini)
+ * Fix path traversal attack pattern at id:930110 (Ervin Hegedus)
+ * Fix regexp in Docker image (Franziska Bühler)
+ * Fix regexp with incorrect dot '.' escape in rule 943120 (XeroChen)
+ * Fix request header Sec-Fetch-User false positive (na1ex)
+ * Fix runaway regexp in 942260. Add variant regexp assemble script to handle possessive qualifiers. Use possessive qualifiers to tight this up and solve ReDoS problem. (Federico G. Schwindt)
+ * Fix small typo in variable (Felipe Zipitria)
+ * Fix spelling error in variable name (supplient)
+ * Fix transform name pointed out by secrules_parsing (Federico G. Schwindt)
+ * Fix Travis Merge not being able to find HEAD (Chaim Sanders)
+ * Fix vulnerable regexp in rule 942490 (CVE-2019-11387) (Christoph Hansen)
+ * Fix wrong regex, assembly result, in 942370 (Franziska Bühler)
+ * Jwall auditconsole outbound anomaly scoring requirements (Christoph Hansen)
+ * Mark patterns not supported by re2 (Federico G. Schwindt)
+ * Move duplicated 900270 to 900280 Fixes #1236. (Federico G. Schwindt)
+ * Move PROXYLOCATION var (Franziska Bühler)
+ * PHP: move get_defined_functions() and friends into PL1 (Walter Hop)
+ * Pin the ftw version to 1.1.7 for now (Federico G. Schwindt)
+ * Prevent bypass 933180 PHP Variable Function (Andrea Menin)
+ * Reduce comments, introduction of triggered exploits (Franziska Bühler)
+ * Remove auditlog No other rules specify it. Add missing quotes and drop rev (Federico G. Schwindt)
+ * Remove capture, remove tx.0, add transformation functions, fix regex, add presentation link (Andrea Menin)
+ * Remove old and unwanted setvar constructs (Federico G. Schwindt)
+ * Remove superfluous comments (Walter Hop)
+ * Remove superfluous pmf (Federico G. Schwindt)
+ * Remove t:lowercase from 920490 (Christian Folini)
+ * Remove WARNING from php-errors.data (Andrea Menin)
+ * Reorder actions (Federico G. Schwindt)
+ * Replacing all @pmf with @pmFromFile (Christian Treutler)
+ * Restricted-files.data: add AWS config (Walter Hop)
+ * SQLI: removed unnecessary + (Christoph Hansen)
+ * Switch Docker image to owasp/modsecurity:2.9-apache-ubuntu (Federico G. Schwindt)
+ * unix-shell.data: fix typo in 'more' (Walter Hop)
+ * Update dockerfile to always use 3.2/dev (Federico G. Schwindt)
+ * Update OWASP CRS Docker image to support the new upstream and 2.9.3 (Peter Bittner, Chaim Sanders)
+ * Update RESPONSE-950-DATA-LEAKAGES.conf (Christoph Hansen)
+ * Update RESPONSE-959-BLOCKING-EVALUATION.conf (Christoph Hansen)
+ * Update .travis.yml Update to support v3.1 (Chaim Sanders)
+ * Wordpress: add support for Gutenberg editor (siric_, Walter Hop)
+ * Wordpress: allow searching for any term in admin posts/pages overview (Walter Hop)
+ * WordPress: exclude Gutenberg via rest_route (Walter Hop)
+ * WordPress: exclude some more profile.php fields from RFI rule (Walter Hop)
+ * WordPress: exclude SQL comment rule from _wp_http_referer (Walter Hop)
+ * XML Soap Encoding fix 920240 (Christoph Hansen)
+
+Unit tests:
+ * 932140: add regression tests (Walter Hop)
+ * 933180: fix tests which were doing nothing (Walter Hop)
+ * 941370: add some more tests, fix whitespace (Walter Hop)
+ * Added regression tests for rules 942320, 942360, 942361, 942210, 942380, 942410, 942470, 942120, 942240, 942160, 942190, 942140, 942490, 942120 (Christoph Hansen)
+ * Add more tests for 941130 (Christian Folini)
+ * Add regression test for 941101 (Avery Wong)
+ * Add regression tests for 942150, 942100, 942260 (Christian Folini)
+ * Add regression tests to 941160 (Franziska Bühler)
+ * Add some regression tests (Ervin Hegedus)
+ * Add testing support for libmodsecurity running on Apache and Nginx (Chaim Sanders)
+ * Add tests for 941360 that fights JSFuck and Hieroglyphy (Christian Folini)
+ * Add tests for rule 921110 (Yu Yagihashi)
+ * Drop tests for removed rules (Federico G. Schwindt)
+ * Fix failing tests (Manuel Spartan, Chaim Sanders)
+ * Fix readme typos in example rule (Walter Hop)
+ * Fix test 941110-2 (Federico G. Schwindt)
+ * RCE: Add tests for the for command (Federico G. Schwindt)
+ * Update regression tests for rules 931110, 931120, 931130 (Simon Studer)
+
+Documentation:
+ * Add details to README for Dockerhub (Franziska Bühler)
+ * Add intro/comment to CVE comments (Franziska Bühler)
+ * CONTRIBUTING: add note about separate PRs (Walter Hop)
+ * Erased gitter chat. Added CII badge (Felipe Zipitria)
+ * Replaced descriptions (Christian Folini)
+ * Summarized authors on single line in tests for 941160 (Christian Folini)
+ * Update broken link in regexp-assemble blog URLs (Walter Hop)
+ * Update CONTRIBUTING.md To base changes on v3.2/dev. (Felipe Zipitría)
+ * Update CONTRIBUTORS order (Andrea Menin)
+ * Update README.md (Rufus125)
+ * Updating crs site location (Chaim Sanders)
+
 == Version 3.1.1 - 2019-06-26 ==
  * Fix CVE-2019-11387 ReDoS against CRS on ModSecurity 3 at PL 2 (Christoph Hansen, Federico G. Schwindt)
  * Content-Type made case insensitive in 920240, 920400 (Federico G. Schwindt)
@@ -29,7 +182,7 @@
  * Prevent bypass in rule 930120 PL3 (theMiddle)
  * Fix small typo in variable (Felipe Zipitría)
  * Fix bug #1166 in Docker image (Franziska Bühler)
- * Remove revision status from rules (Federico G. Schwindt) 
+ * Remove revision status from rules (Federico G. Schwindt)
  * Add template for issues (Federico G. Schwindt)
  * Correct failing travis tests in merge situations (Federico G. Schwindt)
  * Remove unused global variable in IIS rules (Chaim Sanders)

CONTRIBUTORS.md

@@ -1,9 +1,6 @@
-## Project Lead:
+## Project Co-Leads:
 
 - [Chaim Sanders](https://github.com/csanders-git)
-
-## Core Developers:
-
 - [Christian Folini](https://github.com/dune73)
 - [Walter Hop](https://github.com/lifeforms)
 
@@ -24,35 +21,50 @@
 - [azhao155](https://github.com/azhao155)
 - [Matt Bagley](https://github.com/bagley)
 - [Ryan Barnett](https://github.com/rcbarnett)
+- [Peter Bittner](https://github.com/bittner)
 - [Allan Boll](https://github.com/allanbomsft)
 - [Jeremy Brown](https://github.com/jwbrown77)
+- [Brent Clark](https://github.com/brentclark)
 - [Jonathan Claudius](https://github.com/claudijd)
 - [coolt](https://github.com/coolt)
 - [Ashish Dixit](https://github.com/tundal45)
 - [Padraig Doran](https://github.com/padraigdoran)
+- [Dan Ehrlich](https://github.com/danehrlich1)
 - [Umar Farook](https://github.com/umarfarook882)
 - [FrozenSolid](https://github.com/frozenSolid)
 - [Pásztor Gábor](https://github.com/gpasztor87)
 - [Aaron Haaf](https://github.com/Everspace)
 - [Michael Haas](https://github.com/MichaelHaas)
+- [Ervin Hegedus](https://github.com/airween)
 - [jamuse](https://github.com/jamuse)
+- [jschleus](https://github.com/jschleus)
 - [Krzysztof Kotowicz](https://github.com/koto)
+- [Max Leske](https://github.com/theseion)
+- Manuel Leos
 - [Evgeny Marmalstein](https://github.com/shimshon70)
 - [Christian Mehlmauer](https://github.com/FireFart)
 - [Glyn Mooney](https://github.com/skidoosh)
+- [na1ex](https://github.com/na1ex)
 - [Jose Nazario](https://github.com/paralax)
 - [Scott O'Neil](https://github.com/cPanelScott)
 - [Robert Paprocki](https://github.com/p0pr0ck5)
 - [Christian Peron](https://github.com/csjperon)
 - [Elia Pinto](https://github.com/yersinia)
 - [Brian Rectanus](https://github.com/b1v1r)
+- [Rufus125](https://github.com/Rufus125)
 - Ofer Shezaf
 - Breno Silva
+- siric\_
 - [Marc Stern](https://github.com/marcstern)
+- [Simon Studer](https://github.com/studersi)
+- [supplient](https://github.com/supplient)
 - [theMiddle](https://github.com/theMiddleBlue)
 - [Ben Williams](https://github.com/benwilliams)
+- [Avery Wong](https://github.com/4v3r9)
 - [Greg Wroblewski](https://github.com/gwroblew)
+- [XeroChen](https://github.com/XeroChen)
 - [ygrek](https://github.com/ygrek)
+- [Yu Yagihashi](https://github.com/yagihash)
 - [Zino](https://github.com/zinoe)
 - Josh Zlatin
 - [Zou Guangxian](https://github.com/zouguangxian)

README.md

@@ -22,7 +22,6 @@ We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beg
 
 ## License
 
-Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 
 The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.
-

crs-setup.conf.example

@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
 # OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -797,4 +797,4 @@ SecAction \
   nolog,\
   pass,\
   t:none,\
-  setvar:tx.crs_setup_version=310"
+  setvar:tx.crs_setup_version=320"

rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example

@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.2.0
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2

rules/REQUEST-901-INITIALIZATION.conf

@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.0.2
-# Copyright (c) 2006-2017 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.2.0
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -25,7 +25,7 @@
 #
 # Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
 #
-SecComponentSignature "OWASP_CRS/3.1.0"
+SecComponentSignature "OWASP_CRS/3.2.0"
 
 #
 # -=[ Default setup values ]=-
@@ -297,7 +297,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
     msg:'Enabling body inspection',\
     tag:'paranoia-level/1',\
     ctl:forceRequestBodyVariable=On,\
-    ver:'OWASP_CRS/3.1.0'"
+    ver:'OWASP_CRS/3.2.0'"
 
 # Force body processor URLENCODED
 SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
@@ -308,7 +308,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
     nolog,\
     noauditlog,\
     msg:'Enabling forced body inspection for ASCII content',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.2.0',\
     chain"
     SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
         "ctl:requestBodyProcessor=URLENCODED"

rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf

@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2017 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.2.0
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2

rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf

@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2017 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.2.0
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2

rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf

@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.2.0
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2

rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf

@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.2.0
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2