Topic: ModSecurity 2.5.7 Released
Author: Steffen (Moderator)
Posted: Sun 05 Oct '08 14:31

ModSecurity 2.5.7 is now available. I upgraded it also to the newest LUA 5.1.4 and libxml2 2.7.2 versions.

ModSecurity 2.5.7 also contains quite a few fixes for some not-so-common issues. If you are seeing any of the following issues, then please upgrade to 2.5.7.

1) Cannot turn off the request body limit check. This release allows you to use ctl:requestBodyAccess=off and/or ctl:ruleEngine=off in phase:1 so that you can selectively bypass this check.

2) Some XML issues were difficult (impossible?) to diagnose as the underlying XML error/warning was not logged. All XML processing errors and warnings are now logged to the debug log (if level is high enough).

3) XML DTD/Schema validation still succeeded when the XML was not well formed, but could still be parsed. This is corrected and the validation will fail on any request parsing errors.

4) The hostname logged in the error log is the canonical name, not the request supplied name. This makes sure that there is always a hostname in the log entry.

5) The REQUEST_BODY variable was not available unless you forced the use of URLENCODED processor. This would cause parsing to fail if it was not a url encoded POST. You can now use ctl:forceRequestBodyVariable=on to force populating the REQUEST_BODY variable without setting the processor and thus avoiding the parsing errors.

6) Certain "legacy" protocols have been ported to be tunneled in HTTP requests. Some of these requests use the 8th bit of each byte as a parity bit. This can cause problems when trying to perform matches on the data. It is now possible to transform (t:parityEven7bit, t:parityOdd7bit) or remove (t:parityZero7bit) the parity.

Steffen
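
Added example, not part of the original post and not ModSecurity source code: a Python model of the parity problem from item 6, showing why a byte-level signature misses 7-bit data carrying a parity bit and how normalizing the 8th bit restores the match. The function names, the signature and the sample payload are constructed for illustration, and the transformations are modelled as replacing the 8th bit with even, odd or zero parity.

```python
import re

def _ones(b: int) -> int:
    """Number of set bits in the low 7 (data) bits of a byte."""
    return bin(b & 0x7F).count("1")

def parity_zero_7bit(data: bytes) -> bytes:
    """Model of t:parityZero7bit: clear bit 8 so the data reads as plain ASCII."""
    return bytes(b & 0x7F for b in data)

def parity_even_7bit(data: bytes) -> bytes:
    """Model of t:parityEven7bit: set bit 8 so every byte has an even bit count."""
    return bytes((b & 0x7F) | (0x80 if _ones(b) % 2 else 0x00) for b in data)

def parity_odd_7bit(data: bytes) -> bytes:
    """Model of t:parityOdd7bit: set bit 8 so every byte has an odd bit count."""
    return bytes((b & 0x7F) | (0x00 if _ones(b) % 2 else 0x80) for b in data)

# Hypothetical detection signature, written against plain ASCII.
SIGNATURE = re.compile(rb"etc/passwd")

def rule_matches(body: bytes, transform=None) -> bool:
    """Apply an optional transformation, then run the signature, as a rule would."""
    if transform is not None:
        body = transform(body)
    return SIGNATURE.search(body) is not None

# Constructed sample: what a legacy client using even parity puts on the wire.
PLAIN = b"GET /etc/passwd"
WIRE_EVEN = parity_even_7bit(PLAIN)

if __name__ == "__main__":
    print("wire bytes:           ", WIRE_EVEN.hex(" "))
    print("match without t:      ", rule_matches(WIRE_EVEN))
    print("match with zero parity:", rule_matches(WIRE_EVEN, parity_zero_7bit))
```

Bytes such as `/` and `p` have an odd number of data bits set, so even parity flips their 8th bit and the untransformed signature no longer lines up with the payload.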