|
5 | 5 | or the CRS mailinglist at |
6 | 6 | * https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set |
7 | 7 |
|
| 8 | +== Version 3.2.0 - 9/20/2019 == |
| 9 | + |
| 10 | +New functionality: |
| 11 | + * Add AngularJS client side template injection 941380 PL2 (Franziska Bühler) |
| 12 | + * Add docker-compose.yaml and example rule exclusion files for docker-compose (Franziska Bühler) |
| 13 | + * Add extended access.log format to Docker (Franziska Bühler) |
| 14 | + * Add libinjection check on last path segment (Max Leske, Christian Folini) |
| 15 | + * Add PUBLIC identifier for XML entities (#1490) (Rufus125) |
| 16 | + * Add .rdb to default restricted_extensions (Walter Hop) |
| 17 | + * Add rule 933200 PHP Wrappers (Andrea Menin) |
| 18 | + * Add support for shell evasions with $IFS (Walter Hop, Chaim Sanders) |
| 19 | + * Add unix-shell commands (Christoph Hansen, Chaim Sanders) |
| 20 | + * Also inspect the path for the script tag (Federico G. Schwindt) |
| 21 | + * Detect 80legs, sysscan, Gobuster scanners (Brent Clark) |
| 22 | + * Detect CGI source code leakages (Christoph Hansen, Walter Hop) |
| 23 | + * Detect 'crawler' user-agent (Federico G. Schwindt) |
| 24 | + * Detect Jorgee, Zgrab scanners (Walter Hop) |
| 25 | + * Detect MySQL in-line comments (Franziska Bühler) |
| 26 | + * Detect Wappalyzer scanner (Christian Folini, Chaim Sanders) |
| 27 | + * Java RCE: Add struts namespaces (Walter Hop) |
| 28 | + * Java RCE: Detect more java classes (Manuel Leos) |
| 29 | + * Javascript: Add 941370 preventing a bypass for 941180 (Andrea Menin) |
| 30 | + * Make CRS variables configurable in Docker image (Franziska Bühler) |
| 31 | + * New PL3 rule 920490 to protect against content-type charset bypassing (Christian Folini) |
| 32 | + * Node.js unserialization + javascript RCE snippets (Walter Hop) |
| 33 | + * Request smuggling: Also cover pre http/1.0 requests (Federico G. Schwindt) |
| 34 | + * Restricted files: Added many dotfiles (Dan Ehrlich) |
| 35 | + * SQLi bypass detection: ticks and backticks (Franziska Bühler) |
| 36 | + * XenForo rule exclusion profile (Walter Hop) |
| 37 | + |
| 38 | +Removed functionality: |
| 39 | + * Remove unused protected_uploads setting from setup (Walter Hop) |
| 40 | + * Remove deprecated tx.msg and tx.%{rule.id}-... (Federico G. Schwindt) |
| 41 | + * Remove deprecated upgrade script (Walter Hop) |
| 42 | + |
| 43 | +Improved compatibility: |
| 44 | + * Add OWASP_CRS tags for ModSec 3 changes and replace ruleRemoveTargetByTag arguments (Ervin Hegedus) |
| 45 | + * Replace @contain % with @rx 25; ModSec 3 fails to parse % by itself (or escaped). (Federico G. Schwindt) |
| 46 | + * RE2 compatibility for 941130, 920220, 920240, 920230, 920460, 942200, 942370 (Allan Boll) |
| 47 | + * Hyperscan compatibility and simplification for 942450 (Allan Boll) |
| 48 | + |
| 49 | +Fixes and improvements: |
| 50 | + * 932140: fix ReDoS in FOR expression (Walter Hop) |
| 51 | + * 933200: Simplify pattern (Federico G. Schwindt, Andrea Menin) |
| 52 | + * Add content-type application/csp-report (Andrea Menin) |
| 53 | + * Add content-type application/xss-auditor-report (Andrea Menin) |
| 54 | + * Add CRS 3.2 Badge build support. (Chaim Sanders) |
| 55 | + * Add CVE-2018-11776 to comments of 933160 and 933161 (Franziska Bühler) |
| 56 | + * Add CVE-2018-2380 to comments of rules (Franziska Bühler) |
| 57 | + * Add CVE numbers for Apache Struts vulnerabilities to comments in rules (Franziska Bühler) |
| 58 | + * Added spaces in front of closing square brackets (Franziska Bühler) |
| 59 | + * Adding travis changes (#1316) (Chaim Sanders) |
| 60 | + * Add missing OWASP_CRS tags to 921xxx rules (Walter Hop) |
| 61 | + * Add REQUEST_FILENAME to rule id 944130 and add exploits to comment (Franziska Bühler) |
| 62 | + * Allow dot characters in Content-Type multipart boundary (Walter Hop) |
| 63 | + * Also handle dot variant of X_Filename. PHP will transform dots to underscore in variable names since dot is invalid. (Federico G. Schwindt) |
| 64 | + * Bring back CRS 2.x renumbering utility (Walter Hop) |
| 65 | + * Clean up travis and reorg (Federico G. Schwindt) |
| 66 | + * Content-Type is case insensitive (Federico G. Schwindt) |
| 67 | + * Disassembled 941160 (Franziska Bühler) |
| 68 | + * Drop separate regexp files. They are not really needed and save us from updating multiple places. (Federico G. Schwindt) |
| 69 | + * Drop t:lowercase from 941350 (Federico G. Schwindt) |
| 70 | + * Drop unneeded capture groups and tidy up (Federico G. Schwindt) |
| 71 | + * Drop unneeded capture groups and tidy up regexps (Federico G. Schwindt) |
| 72 | + * Drop unneeded unicode from 941110. Add tests to cover a few more variants as well as a negative test (Federico G. Schwindt) |
| 73 | + * Fix 920440 "URL file extension is restricted by policy" regex (Andrea Menin) |
| 74 | + * Fix 920460 test (Federico G. Schwindt) |
| 75 | + * Fix 942101 and 942460 by adding to sqli_score variable (Christian Folini) |
| 76 | + * Fix checking the existence of 'HTTP' trailing request verb and request path in the payload for HTTP request smuggling; decreases false-positives on free-form text. (Yu Yagihashi) |
| 77 | + * Fix commit default for non 2.9 branch (Chaim Sanders) |
| 78 | + * Fix CRS2->CRS3 mapping table (973344 -> 941100) (Chaim Sanders) |
| 79 | + * Fix date (Chaim Sanders) |
| 80 | + * Fix duplicate .env (jschleus, Chaim Sanders) |
| 81 | + * Fix executing paranoia level counters (Christian Folini) |
| 82 | + * Fix indentation and python version in crs2-renumbering script (Chaim Sanders) |
| 83 | + * Fix input / headers misordering (Christian Folini) |
| 84 | + * Fix path traversal attack pattern at id:930110 (Ervin Hegedus) |
| 85 | + * Fix regexp in Docker image (Franziska Bühler) |
| 86 | + * Fix regexp with incorrect dot '.' escape in rule 943120 (XeroChen) |
| 87 | + * Fix request header Sec-Fetch-User false positive (na1ex) |
| 88 | + * Fix runaway regexp in 942260. Add variant regexp assemble script to handle possessive qualifiers. Use possessive qualifiers to tight this up and solve ReDoS problem. (Federico G. Schwindt) |
| 89 | + * Fix small typo in variable (Felipe Zipitria) |
| 90 | + * Fix spelling error in variable name (supplient) |
| 91 | + * Fix transform name pointed out by secrules_parsing (Federico G. Schwindt) |
| 92 | + * Fix Travis Merge not being able to find HEAD (Chaim Sanders) |
| 93 | + * Fix vulnerable regexp in rule 942490 (CVE-2019-11387) (Christoph Hansen) |
| 94 | + * Fix wrong regex, assembly result, in 942370 (Franziska Bühler) |
| 95 | + * Jwall auditconsole outbound anomaly scoring requirements (Christoph Hansen) |
| 96 | + * Mark patterns not supported by re2 (Federico G. Schwindt) |
| 97 | + * Move duplicated 900270 to 900280 Fixes #1236. (Federico G. Schwindt) |
| 98 | + * Move PROXYLOCATION var (Franziska Bühler) |
| 99 | + * PHP: move get_defined_functions() and friends into PL1 (Walter Hop) |
| 100 | + * Pin the ftw version to 1.1.7 for now (Federico G. Schwindt) |
| 101 | + * Prevent bypass 933180 PHP Variable Function (Andrea Menin) |
| 102 | + * Reduce comments, introduction of triggered exploits (Franziska Bühler) |
| 103 | + * Remove auditlog No other rules specify it. Add missing quotes and drop rev (Federico G. Schwindt) |
| 104 | + * Remove capture, remove tx.0, add transformation functions, fix regex, add presentation link (Andrea Menin) |
| 105 | + * Remove old and unwanted setvar constructs (Federico G. Schwindt) |
| 106 | + * Remove superfluous comments (Walter Hop) |
| 107 | + * Remove superfluous pmf (Federico G. Schwindt) |
| 108 | + * Remove t:lowercase from 920490 (Christian Folini) |
| 109 | + * Remove WARNING from php-errors.data (Andrea Menin) |
| 110 | + * Reorder actions (Federico G. Schwindt) |
| 111 | + * Replacing all @pmf with @pmFromFile (Christian Treutler) |
| 112 | + * Restricted-files.data: add AWS config (Walter Hop) |
| 113 | + * SQLI: removed unnecessary + (Christoph Hansen) |
| 114 | + * Switch Docker image to owasp/modsecurity:2.9-apache-ubuntu (Federico G. Schwindt) |
| 115 | + * unix-shell.data: fix typo in 'more' (Walter Hop) |
| 116 | + * Update dockerfile to always use 3.2/dev (Federico G. Schwindt) |
| 117 | + * Update OWASP CRS Docker image to support the new upstream and 2.9.3 (Peter Bittner, Chaim Sanders) |
| 118 | + * Update RESPONSE-950-DATA-LEAKAGES.conf (Christoph Hansen) |
| 119 | + * Update RESPONSE-959-BLOCKING-EVALUATION.conf (Christoph Hansen) |
| 120 | + * Update .travis.yml Update to support v3.1 (Chaim Sanders) |
| 121 | + * Wordpress: add support for Gutenberg editor (siric_, Walter Hop) |
| 122 | + * Wordpress: allow searching for any term in admin posts/pages overview (Walter Hop) |
| 123 | + * WordPress: exclude Gutenberg via rest_route (Walter Hop) |
| 124 | + * WordPress: exclude some more profile.php fields from RFI rule (Walter Hop) |
| 125 | + * WordPress: exclude SQL comment rule from _wp_http_referer (Walter Hop) |
| 126 | + * XML Soap Encoding fix 920240 (Christoph Hansen) |
| 127 | + |
| 128 | +Unit tests: |
| 129 | + * 932140: add regression tests (Walter Hop) |
| 130 | + * 933180: fix tests which were doing nothing (Walter Hop) |
| 131 | + * 941370: add some more tests, fix whitespace (Walter Hop) |
| 132 | + * Added regression tests for rules 942320, 942360, 942361, 942210, 942380, 942410, 942470, 942120, 942240, 942160, 942190, 942140, 942490, 942120 (Christoph Hansen) |
| 133 | + * Add more tests for 941130 (Christian Folini) |
| 134 | + * Add regression test for 941101 (Avery Wong) |
| 135 | + * Add regression tests for 942150, 942100, 942260 (Christian Folini) |
| 136 | + * Add regression tests to 941160 (Franziska Bühler) |
| 137 | + * Add some regression tests (Ervin Hegedus) |
| 138 | + * Add testing support for libmodsecurity running on Apache and Nginx (Chaim Sanders) |
| 139 | + * Add tests for 941360 that fights JSFuck and Hieroglyphy (Christian Folini) |
| 140 | + * Add tests for rule 921110 (Yu Yagihashi) |
| 141 | + * Drop tests for removed rules (Federico G. Schwindt) |
| 142 | + * Fix failing tests (Manuel Spartan, Chaim Sanders) |
| 143 | + * Fix readme typos in example rule (Walter Hop) |
| 144 | + * Fix test 941110-2 (Federico G. Schwindt) |
| 145 | + * RCE: Add tests for the for command (Federico G. Schwindt) |
| 146 | + * Update regression tests for rules 931110, 931120, 931130 (Simon Studer) |
| 147 | + |
| 148 | +Documentation: |
| 149 | + * Add details to README for Dockerhub (Franziska Bühler) |
| 150 | + * Add intro/comment to CVE comments (Franziska Bühler) |
| 151 | + * CONTRIBUTING: add note about separate PRs (Walter Hop) |
| 152 | + * Erased gitter chat. Added CII badge (Felipe Zipitria) |
| 153 | + * Replaced descriptions (Christian Folini) |
| 154 | + * Summarized authors on single line in tests for 941160 (Christian Folini) |
| 155 | + * Update broken link in regexp-assemble blog URLs (Walter Hop) |
| 156 | + * Update CONTRIBUTING.md To base changes on v3.2/dev. (Felipe Zipitría) |
| 157 | + * Update CONTRIBUTORS order (Andrea Menin) |
| 158 | + * Update README.md (Rufus125) |
| 159 | + * Updating crs site location (Chaim Sanders) |
| 160 | + |
8 | 161 | == Version 3.1.0 - 8/7/2018 == |
9 | 162 | * Add Detectify scanner (theMiddle) |
10 | 163 | * Renaming matched_var/s (Victor Hora) |
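Review bot: the three regular-expression denial-of-service fixes in this release are buried in the middle of "Fixes and improvements" and should be surfaced under their own heading (for example "Security fixes") at the top of the 3.2.0 block, since an operator skimming the changelog before upgrading needs to see them first: "932140: fix ReDoS in FOR expression", "Fix runaway regexp in 942260 ... solve ReDoS problem" and "Fix vulnerable regexp in rule 942490 (CVE-2019-11387)". While there: the two adjacent entries "Drop unneeded capture groups and tidy up" and "Drop unneeded capture groups and tidy up regexps" read as one change listed twice and should be merged; rule 942120 appears twice in the "Added regression tests for rules ..." list; the 942260 entry should say "possessive quantifiers" and "tighten this up"; and the same contributor is spelled both "Felipe Zipitria" and "Felipe Zipitría", so the name should be normalised to one form.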
|
20 | 173 | * Prevent bypass in rule 930120 PL3 (theMiddle) |
21 | 174 | * Fix small typo in variable (Felipe Zipitría) |
22 | 175 | * Fix bug #1166 in Docker image (Franziska Bühler) |
23 | | - * Remove revision status from rules (Federico G. Schwindt) |
| 176 | + * Remove revision status from rules (Federico G. Schwindt) |
24 | 177 | * Add template for issues (Federico G. Schwindt) |
25 | 178 | * Correct failing travis tests in merge situations (Federico G. Schwindt) |
26 | 179 | * Remove unused global variable in IIS rules (Chaim Sanders) |
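Review bot: the `-`/`+` pair at new line 176 carries identical text ("Remove revision status from rules (Federico G. Schwindt)"), so this hunk is a whitespace-only change to an entry in the already released 3.1.0 section. If the intent is to normalise that line's indentation to match its neighbours, a short mention in the commit message would help; otherwise drop the change so the diff stays limited to the new 3.2.0 block and blame on the 3.1.0 entry is left with its original author.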
|