Web Application Security – ModSecurity Commercial Rules, Update for December 2022 | Trustwave

We are announcing the release of ModSecurity version 3.0.7. 

New Features

• Support PCRE2
  [Issue #2668 - @martinhsv]

PCRE2 is now available as an option in libModSecurity. Initially, this functionality will mostly be of interest to those already wishing to use a version of nginx that both supports PCRE2 and uses it by default. Some notes on version compatibility between ModSecurity, ModSecurity-nginx, and nginx are available at #2719 .

• Support SecRequestBodyNoFilesLimit
  [Issue #2670 - @airween , @martinhsv]

The SecRequestBodyNoFilesLimit configuration directive was already present in modsecurity.conf-recommended but was not functional. The value specified via this directive is now respected by the processing, so users may wish to review the current value of their setting when upgrading to v3.0.7.

• Add ctl:auditEngine action support
  [Issue #2606 - @alekravch, @martinhsv]

Support for the ctl:auditEngine action has been added with functionality comparable to v2: it allows a transaction-level override of the value normally specified by the SecAuditEngine configuration directive.

Bug fixes

• Move PCRE2 match block from member variable
  [@martinhsv]
• Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended
  [Issue #2738 - @jleproust, @martinhsv]
• Fix memory leak when concurrent log includes REMOTE_USER
  [Issue #2727 - @liudongmiao]
• Fix LMDB initialization issues
  [Issue #2688 - @ziollek @martinhsv]
• Fix initcol error message wording
  [Issue #2732 - @877509395, @martinhsv]
• Tolerate other parameters after boundary in multipart C-T
  [Issue #1900 - @martinhsv]
• Add DebugLog message for bad pattern in rx operator
  [Issue #2723 - @martinhsv]
• Fix misuses of LMDB API
  [Issue #2601, #2602 - @hyc]
• Fix duplication typo in code comment
  [Issue #2677 - @gleydsonsoares]
• Fix multiMatch msg, etc, population in audit log
  [Issue #2573 - @Sachin-M-Desai , @martinhsv ]
• Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc.
  [Issue #2627, #2648 - @lontchianicet , @victorserbu2709 , @martinhsv]
• Adjust confusing variable name in setRequestBody method
  [Issue #2635 - @Mesar-Ali , @martinhsv]
• Multipart names/filenames may include single quote if double-quote enclosed
  [Issue #2352 - @martinhsv]
• Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
  [Issue #2647 - @theMiddleBlue ,  @airween , @877509395 , @martinhsv]

Additional information on the release, including the source and binaries (and hashes/signatures), is available at: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.7

The list of open issues is available on GitHub: https://github.com/SpiderLabs/ModSecurity/issues

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, etc.