diff --git a/mod_security-2.9.3-remote-rules-timeout.patch b/mod_security-2.9.3-remote-rules-timeout.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1d347ac9b74fa5e883e836d940c0b3c428569509
--- /dev/null
+++ b/mod_security-2.9.3-remote-rules-timeout.patch
@@ -0,0 +1,85 @@
+diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
+index 80f8f2b..7912d84 100644
+--- a/apache2/apache2_config.c
++++ b/apache2/apache2_config.c
+@@ -2354,6 +2354,24 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
+ }
+
+
++static const char *cmd_remote_timeout(cmd_parms *cmd, void *_dcfg, const char *p1)
++{
++ directory_config *dcfg = (directory_config *)_dcfg;
++ long int timeout;
++
++ if (dcfg == NULL) return NULL;
++
++ timeout = strtol(p1, NULL, 10);
++ if ((timeout == LONG_MAX)||(timeout == LONG_MIN)||(timeout < 0)) {
++ return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRemoteTimeout: %s", p1);
++ }
++
++ remote_rules_timeout = timeout;
++
++ return NULL;
++}
++
++
+ static const char *cmd_status_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
+ {
+ if (strcasecmp(p1, "on") == 0) {
+@@ -3667,6 +3685,14 @@ const command_rec module_directives[] = {
+ "Abort or Warn"
+ ),
+
++ AP_INIT_TAKE1 (
++ "SecRemoteTimeout",
++ cmd_remote_timeout,
++ NULL,
++ CMD_SCOPE_ANY,
++ "timeout in seconds"
++ ),
++
+
+ AP_INIT_TAKE1 (
+ "SecXmlExternalEntity",
+diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
+index 7bb215e..c155495 100644
+--- a/apache2/mod_security2.c
++++ b/apache2/mod_security2.c
+@@ -79,6 +79,8 @@ msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
+ #endif
+ int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
+ char DSOLOCAL *remote_rules_fail_message = NULL;
++unsigned long int DSOLOCAL remote_rules_timeout = NOT_SET;
++
+
+ int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
+
+diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
+index f24bc75..8bcd453 100644
+--- a/apache2/modsecurity.h
++++ b/apache2/modsecurity.h
+@@ -150,6 +150,7 @@ extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
+ #endif
+ extern DSOLOCAL int remote_rules_fail_action;
+ extern DSOLOCAL char *remote_rules_fail_message;
++extern DSOLOCAL unsigned long int remote_rules_timeout;
+
+ extern DSOLOCAL int status_engine_state;
+
+diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
+index 99968f0..b8db13e 100644
+--- a/apache2/msc_remote_rules.c
++++ b/apache2/msc_remote_rules.c
+@@ -358,6 +358,11 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
+ /* We want Curl to return error in case there is an HTTP error code */
+ curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
+
++ /* In case we want different timeout than a default one */
++ if (remote_rules_timeout != NOT_SET){
++ curl_easy_setopt(curl, CURLOPT_TIMEOUT, remote_rules_timeout);
++ }
++
+ res = curl_easy_perform(curl);
+
+ if (res != CURLE_OK)
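Review bot: cmd_remote_timeout parses the directive argument with `strtol(p1, NULL, 10)` (line 22) and never consults errno or an end pointer, so `SecRemoteTimeout abc` silently yields 0, which then reaches `curl_easy_setopt(curl, CURLOPT_TIMEOUT, ...)` as the libcurl value meaning "never time out" — the administrator believes a limit is in force while the rules download can still block httpd startup indefinitely; the LONG_MAX/LONG_MIN comparison likewise cannot tell overflow from a literal value without errno. Parse as `char *end; errno = 0; timeout = strtol(p1, &end, 10);` and reject with `if (errno == ERANGE || end == p1 || *end != '\0' || timeout < 0)`; whether apache2_config.c already includes `<errno.h>` is not visible here. The global is declared `unsigned long int` (lines 59 and 72) but is assigned from a `long` and compared against NOT_SET; if NOT_SET is the usual negative sentinel this works only through implicit conversion, and CURLOPT_TIMEOUT expects a `long`, so declaring the global `long` and passing `(long)remote_rules_timeout` keeps the three sides consistent.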
diff --git a/mod_security.conf b/mod_security.conf
index 728afc1afd34e9f516859df64b14689f6d17dd68..e9fe3ddcee5fb67af7c78b8c8613b17b06d3465e 100644
--- a/mod_security.conf
+++ b/mod_security.conf
@@ -1,226 +1,56 @@
-# -- Rule engine initialization ----------------------------------------------
-
-# Enable ModSecurity, attaching it to every transaction. Use detection
-# only to start with, because that minimises the chances of post-installation
-# disruption.
-#
-SecRuleEngine DetectionOnly
-
-
-# -- Request body handling ---------------------------------------------------
-
-# Allow ModSecurity to access request bodies. If you don't, ModSecurity
-# won't be able to see any POST parameters, which opens a large security
-# hole for attackers to exploit.
-#
-SecRequestBodyAccess On
-
-
-# Enable XML request body parser.
-# Initiate XML Processor in case of xml content-type
-#
-SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
- "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
-
-# Enable JSON request body parser.
-# Initiate JSON Processor in case of JSON content-type; change accordingly
-# if your application does not use 'application/json'
-#
-SecRule REQUEST_HEADERS:Content-Type "application/json" \
- "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
-
-# Maximum request body size we will accept for buffering. If you support
-# file uploads then the value given on the first line has to be as large
-# as the largest file you are willing to accept. The second value refers
-# to the size of data, with files excluded. You want to keep that value as
-# low as practical.
-#
-SecRequestBodyLimit 13107200
-SecRequestBodyNoFilesLimit 131072
-
-# Store up to 128 KB of request body data in memory. When the multipart
-# parser reachers this limit, it will start using your hard disk for
-# storage. That is slow, but unavoidable.
-#
-SecRequestBodyInMemoryLimit 131072
-
-# What do do if the request body size is above our configured limit.
-# Keep in mind that this setting will automatically be set to ProcessPartial
-# when SecRuleEngine is set to DetectionOnly mode in order to minimize
-# disruptions when initially deploying ModSecurity.
-#
-SecRequestBodyLimitAction Reject
-
-# Verify that we've correctly processed the request body.
-# As a rule of thumb, when failing to process a request body
-# you should reject the request (when deployed in blocking mode)
-# or log a high-severity alert (when deployed in detection-only mode).
-#
-SecRule REQBODY_ERROR "!@eq 0" \
-"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
-
-# By default be strict with what we accept in the multipart/form-data
-# request body. If the rule below proves to be too strict for your
-# environment consider changing it to detection-only. You are encouraged
-# _not_ to remove it altogether.
-#
-SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
-"id:'200003',phase:2,t:none,log,deny,status:400, \
-msg:'Multipart request body failed strict validation: \
-PE %{REQBODY_PROCESSOR_ERROR}, \
-BQ %{MULTIPART_BOUNDARY_QUOTED}, \
-BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
-DB %{MULTIPART_DATA_BEFORE}, \
-DA %{MULTIPART_DATA_AFTER}, \
-HF %{MULTIPART_HEADER_FOLDING}, \
-LF %{MULTIPART_LF_LINE}, \
-SM %{MULTIPART_MISSING_SEMICOLON}, \
-IQ %{MULTIPART_INVALID_QUOTING}, \
-IP %{MULTIPART_INVALID_PART}, \
-IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
-FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
-
-# Did we see anything that might be a boundary?
-#
-SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
-"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
-
-# PCRE Tuning
-# We want to avoid a potential RegEx DoS condition
-#
-SecPcreMatchLimit 1000
-SecPcreMatchLimitRecursion 1000
-
-# Some internal errors will set flags in TX and we will need to look for these.
-# All of these are prefixed with "MSC_". The following flags currently exist:
-#
-# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
-#
-SecRule TX:/^MSC_/ "!@streq 0" \
- "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
-
-
-# -- Response body handling --------------------------------------------------
-
-# Allow ModSecurity to access response bodies.
-# You should have this directive enabled in order to identify errors
-# and data leakage issues.
-#
-# Do keep in mind that enabling this directive does increases both
-# memory consumption and response latency.
-#
-SecResponseBodyAccess On
-
-# Which response MIME types do you want to inspect? You should adjust the
-# configuration below to catch documents but avoid static files
-# (e.g., images and archives).
-#
-SecResponseBodyMimeType text/plain text/html text/xml
-
-# Buffer response bodies of up to 512 KB in length.
-SecResponseBodyLimit 524288
-
-# What happens when we encounter a response body larger than the configured
-# limit? By default, we process what we have and let the rest through.
-# That's somewhat less secure, but does not break any legitimate pages.
-#
-SecResponseBodyLimitAction ProcessPartial
-
-
-# -- Filesystem configuration ------------------------------------------------
-
-# The location where ModSecurity stores temporary files (for example, when
-# it needs to handle a file upload that is larger than the configured limit).
-#
-# This default setting is chosen due to all systems have /tmp available however,
-# this is less than ideal. It is recommended that you specify a location that's private.
-#
-SecTmpDir /tmp/
-
-# The location where ModSecurity will keep its persistent data. This default setting
-# is chosen due to all systems have /tmp available however, it
-# too should be updated to a place that other users can't access.
-#
-SecDataDir /tmp/
-
-
-# -- File uploads handling configuration -------------------------------------
-
-# The location where ModSecurity stores intercepted uploaded files. This
-# location must be private to ModSecurity. You don't want other users on
-# the server to access the files, do you?
-#
-#SecUploadDir /opt/modsecurity/var/upload/
-
-# By default, only keep the files that were determined to be unusual
-# in some way (by an external inspection script). For this to work you
-# will also need at least one file inspection rule.
-#
-#SecUploadKeepFiles RelevantOnly
-
-# Uploaded files are by default created with permissions that do not allow
-# any other user to access them. You may need to relax that if you want to
-# interface ModSecurity to an external program (e.g., an anti-virus).
-#
-#SecUploadFileMode 0600
-
-
-# -- Debug log configuration -------------------------------------------------
-
-# The default debug log configuration is to duplicate the error, warning
-# and notice messages from the error log.
-#
-#SecDebugLog /opt/modsecurity/var/log/debug.log
-#SecDebugLogLevel 3
-
-
-# -- Audit log configuration -------------------------------------------------
-
-# Log the transactions that are marked by a rule, as well as those that
-# trigger a server error (determined by a 5xx or 4xx, excluding 404,
-# level response status codes).
-#
-SecAuditEngine RelevantOnly
-SecAuditLogRelevantStatus "^(?:5|4(?!04))"
-
-# Log everything we know about a transaction.
-SecAuditLogParts ABIJDEFHZ
-
-# Use a single file for logging. This is much easier to look at, but
-# assumes that you will use the audit log only ocassionally.
-#
-SecAuditLogType Serial
-SecAuditLog /var/log/modsec_audit.log
-
-# Specify the path for concurrent audit logging.
-#SecAuditLogStorageDir /opt/modsecurity/var/audit/
-
-
-# -- Miscellaneous -----------------------------------------------------------
-
-# Use the most commonly used application/x-www-form-urlencoded parameter
-# separator. There's probably only one application somewhere that uses
-# something else so don't expect to change this value.
-#
-SecArgumentSeparator &
-
-# Settle on version 0 (zero) cookies, as that is what most applications
-# use. Using an incorrect cookie version may open your installation to
-# evasion attacks (against the rules that examine named cookies).
-#
-SecCookieFormat 0
-
-# Specify your Unicode Code Point.
-# This mapping is used by the t:urlDecodeUni transformation function
-# to properly map encoded data to your language. Properly setting
-# these directives helps to reduce false positives and negatives.
-#
-SecUnicodeMapFile unicode.mapping 20127
-
-# Improve the quality of ModSecurity by sharing information about your
-# current ModSecurity version and dependencies versions.
-# The following information will be shared: ModSecurity version,
-# Web Server version, APR version, PCRE version, Lua version, Libxml2
-# version, Anonymous unique id for host.
-SecStatusEngine On
-
+
+ # Default recommended configuration
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+ SecRequestBodyLimit 13107200
+ SecRequestBodyNoFilesLimit 131072
+ SecRequestBodyInMemoryLimit 131072
+ SecRequestBodyLimitAction Reject
+ SecRule REQBODY_ERROR "!@eq 0" \
+ "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+ SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+ "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \
+ failed strict validation: \
+ PE %{REQBODY_PROCESSOR_ERROR}, \
+ BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+ BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+ DB %{MULTIPART_DATA_BEFORE}, \
+ DA %{MULTIPART_DATA_AFTER}, \
+ HF %{MULTIPART_HEADER_FOLDING}, \
+ LF %{MULTIPART_LF_LINE}, \
+ SM %{MULTIPART_MISSING_SEMICOLON}, \
+ IQ %{MULTIPART_INVALID_QUOTING}, \
+ IP %{MULTIPART_INVALID_PART}, \
+ IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+ FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+ SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+ "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+ SecPcreMatchLimit 1000
+ SecPcreMatchLimitRecursion 1000
+
+ SecRule TX:/^MSC_/ "!@streq 0" \
+ "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+ SecResponseBodyAccess Off
+ SecDebugLog /var/log/httpd/modsec_debug.log
+ SecDebugLogLevel 0
+ SecAuditEngine RelevantOnly
+ SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+ SecAuditLogParts ABIJDEFHZ
+ SecAuditLogType Serial
+ SecAuditLog /var/log/httpd/modsec_audit.log
+ SecArgumentSeparator &
+ SecCookieFormat 0
+ SecTmpDir /var/lib/mod_security
+ SecDataDir /var/lib/mod_security
+
+ # ModSecurity Core Rules Set and Local configuration
+ Include modsecurity.d/*.conf
+ Include modsecurity.d/activated_rules/*.conf
+ Include modsecurity.d/local_rules/*.conf
+
+
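Review bot: The unmatched-boundary rule at line 352 now carries `status:44`, which is not an HTTP status code (the rule it replaces had no status and every sibling deny rule in the new file uses 400), so this is almost certainly a typo for `status:400`; with SecRuleEngine switched to On, an intercepted multipart request would be answered with whatever httpd substitutes for an unknown code rather than a deliberate 4xx. Change the line to `"id:'200003',phase:2,t:none,log,deny,status:400,msg:'Multipart parser detected a possible unmatched boundary.'"`. Separately, the replacement drops the `application/json` body-processor rule (old id 200001) and narrows the XML trigger from `(?:application(?:/soap\+|/)|text/)xml` to `text/xml`, so JSON and `application/xml` request bodies are no longer parsed into ARGS and any ARGS-based rule pulled in by the three Include lines will not inspect them. If that is intentional it deserves a comment in the file, since the changelog entry only records the version upgrade.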
diff --git a/mod_security.spec b/mod_security.spec
index 027a7a342408227414bb9e5b77069b7a8d21259e..219652165650268e72cd70aaee88db685d54cae7 100644
--- a/mod_security.spec
+++ b/mod_security.spec
@@ -6,8 +6,8 @@
%global mod_audit_log_collector 0
Name: mod_security
-Version: 2.9.5
-Release: 8
+Version: 2.9.7
+Release: 1
Summary: Security module for the Apache HTTP Server
License: ASL 2.0
URL: http://www.modsecurity.org/
@@ -15,16 +15,13 @@ Source: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/
Source1: mod_security.conf
Source2: 10-mod_security.conf
Source3: modsecurity_localrules.conf
-Patch0000: modsecurity-2.9.5-lua-54.patch
-Patch0001: modsecurity-2.9.5-use-uid-if-user-name-is-not-available.patch
-Patch0002: modsecurity-2.9.5-Properly-cleanup-XML-parser-contexts-upon-completion.patch
-Patch0003: modsecurity-2.9.5-Add-SecRequestBodyJsonDepthLimit-to-modsecurity.conf.patch
-Patch0004: modsecurity-2.9.5-Fix-memory-leak-that-occurs-on-JSON-parsing-error.patch
-Patch0005: modsecurity-2.9.5-Set-SecStatusEngine-Off-in-modsecurity.conf.patch
-Patch0006: modsecurity-2.9.5-Allow-no-key-single-value-JSON-body.patch
+Patch0000: modsecurity-2.9.3-lua-54.patch
+Patch0001: modsecurity-2.9.3-apulibs.patch
+Patch0002: mod_security-2.9.3-remote-rules-timeout.patch
+
Requires: httpd httpd-mmn = %{_httpd_mmn}
-BuildRequires: gcc make perl-generators httpd-devel yajl yajl-devel
+BuildRequires: gcc make perl-generators httpd-devel yajl yajl-devel pcre2-devel
BuildRequires: pkgconfig(lua) pkgconfig(libcurl) pkgconfig(libxml-2.0) pkgconfig(libpcre)
BuildRequires: autoconf automake libtool
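Review bot: Patch0001–Patch0006 for 2.9.5 are removed without a pointer to where each landed upstream, so the spec now silently assumes all six are in the 2.9.7 tarball; the JSON-related ones carry 2022/2023 commit ids that plausibly fit 2.9.6/2.9.7, but the XML parser-context cleanup (6a5ec1ff, 2020) and the uid fallback (46c6cb27, 2019) are not tied to any release on this page, and the XML one closes a parser-context leak on malformed documents that sits on the request path. Verify each against the 2.9.7 tree before dropping it, and record the upstream reference in the changelog. The two patches being re-introduced are named for 2.9.3 inside a 2.9.7 package and use inconsistent prefixes (`mod_security-2.9.3-…` vs `modsecurity-2.9.3-…`); naming them `modsecurity-2.9.7-…` would make the next rebase easier to audit.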
@@ -48,7 +45,13 @@ This package collects mod_security audit log.
%build
./autogen.sh
-%configure --with-yajl --with-apxs=%{_httpd_apxs} --enable-pcre-match-limit-recursion=1000000 --enable-pcre-match-limit=1000000
+%configure --enable-pcre-match-limit=1000000 \
+ --enable-pcre-match-limit-recursion=1000000 \
+ --with-apxs=%{_httpd_apxs} \
+ --with-yajl \
+ --with-pcre2 \
+ --disable-static
+
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
make %{_smp_mflags}
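Review bot: `--with-pcre2` is added here while `BuildRequires: pkgconfig(libpcre)` remains on line 411 of the previous hunk next to the new `pcre2-devel`; if configure now selects pcre2, the legacy libpcre build dependency is vestigial and should be dropped so the package stops pulling in an engine it no longer links, and if it does not, the `--enable-pcre-match-limit*` values should be checked against whichever library actually enforces them. Either way the reason for switching to pcre2 belongs in the changelog entry, which currently only says "Upgrade to version 2.9.7".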
@@ -104,6 +107,9 @@ install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
%endif
%changelog
+* Mon Jul 17 2023 chenchen - 2.9.7-1
+- Upgrade to version 2.9.7
+
* Mon Jan 9 2023 yaoguangzhong - 2.9.5-8
- backport allow no-key, single-value JSON body
diff --git a/modsecurity-2.9.3-apulibs.patch b/modsecurity-2.9.3-apulibs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bde44bb3c697ea447408c66b785c537d3a8e4d7b
--- /dev/null
+++ b/modsecurity-2.9.3-apulibs.patch
@@ -0,0 +1,14 @@
+
+Strip redundant APR-util dependent libraries, it is sufficient to link against -laprutil-1.
+
+--- modsecurity-2.9.3/build/find_apu.m4.apulibs
++++ modsecurity-2.9.3/build/find_apu.m4
+@@ -59,7 +59,7 @@
+ APU_CFLAGS="`${APU_CONFIG} --includes`"
+ if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu CFLAGS: $APU_CFLAGS); fi
+ APU_LDFLAGS="`${APU_CONFIG} --ldflags`"
+- APU_LDFLAGS="$APU_LDFLAGS `${APU_CONFIG} --libs`"
++ APU_LDFLAGS="$APU_LDFLAGS `${APU_CONFIG} --avoid-ldap --avoid-dbm --libs`"
+ if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDFLAGS: $APU_LDFLAGS); fi
+ APU_LDADD="`${APU_CONFIG} --link-libtool`"
+ if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDADD: $APU_LDADD); fi
diff --git a/modsecurity-2.9.5-lua-54.patch b/modsecurity-2.9.3-lua-54.patch
similarity index 84%
rename from modsecurity-2.9.5-lua-54.patch
rename to modsecurity-2.9.3-lua-54.patch
index 62dd671b02a0f3c01e79822bd637a84f14065bd9..ca6e56024f158b0feb9d0100a2ba5c412de51292 100644
--- a/modsecurity-2.9.5-lua-54.patch
+++ b/modsecurity-2.9.3-lua-54.patch
@@ -1,6 +1,6 @@
-diff -ru modsecurity-2.9.5/apache2/msc_lua.c modsecurity-2.9.5-lua-patch/apache2/msc_lua.c
---- modsecurity-2.9.5/apache2/msc_lua.c 2018-12-04 18:49:37.000000000 +0000
-+++ modsecurity-2.9.5-lua-patch/apache2/msc_lua.c 2020-08-08 16:55:14.936045777 +0000
+diff -ru modsecurity-2.9.3/apache2/msc_lua.c modsecurity-2.9.3-lua-patch/apache2/msc_lua.c
+--- modsecurity-2.9.3/apache2/msc_lua.c 2018-12-04 18:49:37.000000000 +0000
++++ modsecurity-2.9.3-lua-patch/apache2/msc_lua.c 2020-08-08 16:55:14.936045777 +0000
@@ -429,12 +429,12 @@
#else
diff --git a/modsecurity-2.9.5-Add-SecRequestBodyJsonDepthLimit-to-modsecurity.conf.patch b/modsecurity-2.9.5-Add-SecRequestBodyJsonDepthLimit-to-modsecurity.conf.patch
deleted file mode 100644
index 3918deade2dbef08ded858068a3dfb13f690bd92..0000000000000000000000000000000000000000
--- a/modsecurity-2.9.5-Add-SecRequestBodyJsonDepthLimit-to-modsecurity.conf.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From d12959e18fccaf12708897baced782b9a63622fa Mon Sep 17 00:00:00 2001
-From: yaoguangzhong
-Date: Sat, 7 Jan 2023 11:05:51 +0800
-Subject: [PATCH] Add SecRequestBodyJsonDepthLimit to
- modsecurity.conf-recommended
-
-From Author: Martin Vierula
----
- modsecurity.conf-recommended | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/modsecurity.conf-recommended b/modsecurity.conf-recommended
-index f357d95..c84ddce 100644
---- a/modsecurity.conf-recommended
-+++ b/modsecurity.conf-recommended
-@@ -58,6 +58,11 @@ SecRequestBodyInMemoryLimit 131072
- #
- SecRequestBodyLimitAction Reject
-
-+# Maximum parsing depth allowed for JSON objects. You want to keep this
-+# value as low as practical.
-+#
-+SecRequestBodyJsonDepthLimit 512
-+
- # Verify that we've correctly processed the request body.
- # As a rule of thumb, when failing to process a request body
- # you should reject the request (when deployed in blocking mode)
---
-2.27.0
-
diff --git a/modsecurity-2.9.5-Allow-no-key-single-value-JSON-body.patch b/modsecurity-2.9.5-Allow-no-key-single-value-JSON-body.patch
deleted file mode 100644
index c746e80c6ad881cd2de9e809e910d2f250c002ee..0000000000000000000000000000000000000000
--- a/modsecurity-2.9.5-Allow-no-key-single-value-JSON-body.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From 630d57d7bd07696a72ac8ded7593bbcf31168a95 Mon Sep 17 00:00:00 2001
-From: yaoguangzhong
-Date: Mon, 9 Jan 2023 16:00:15 +0800
-Subject: [PATCH] backport Allow no-key, single-value JSON body
-
-From Author: Martin Vierula
-From commit 4a98032b7f827c4edd2514ce2af29222bb2ba289
-Signed-off-by: Guangzhong Yao
----
- apache2/msc_json.c | 3 +--
- apache2/msc_json.h | 2 +-
- tests/regression/rule/15-json.t | 34 +++++++++++++++++++++++++++++++++
- 3 files changed, 36 insertions(+), 3 deletions(-)
-
-diff --git a/apache2/msc_json.c b/apache2/msc_json.c
-index cbaab0e..bab3a6d 100644
---- a/apache2/msc_json.c
-+++ b/apache2/msc_json.c
-@@ -27,8 +27,7 @@ int json_add_argument(modsec_rec *msr, const char *value, unsigned length)
- * to reference this argument; for now we simply ignore these
- */
- if (!msr->json->current_key) {
-- msr_log(msr, 3, "Cannot add scalar value without an associated key");
-- return 1;
-+ msr->json->current_key = "";
- }
-
- arg = (msc_arg *) apr_pcalloc(msr->mp, sizeof(msc_arg));
-diff --git a/apache2/msc_json.h b/apache2/msc_json.h
-index 7e3d725..089dab4 100644
---- a/apache2/msc_json.h
-+++ b/apache2/msc_json.h
-@@ -39,7 +39,7 @@ struct json_data {
-
- /* prefix is used to create data hierarchy (i.e., 'parent.child.value') */
- unsigned char *prefix;
-- unsigned char *current_key;
-+ const unsigned char *current_key;
- long int current_depth;
- int depth_limit_exceeded;
- };
-diff --git a/tests/regression/rule/15-json.t b/tests/regression/rule/15-json.t
-index f84355a..65f53ec 100644
---- a/tests/regression/rule/15-json.t
-+++ b/tests/regression/rule/15-json.t
-@@ -224,6 +224,40 @@
- ),
- ),
- ),
-+},
-+{
-+ type => "rule",
-+ comment => "json parser - no-key single value",
-+ conf => qq(
-+ SecRuleEngine On
-+ SecRequestBodyAccess On
-+ SecDebugLog $ENV{DEBUG_LOG}
-+ SecAuditEngine RelevantOnly
-+ SecAuditLog "$ENV{AUDIT_LOG}"
-+ SecDebugLogLevel 9
-+ SecRequestBodyJsonDepthLimit 3
-+ SecRule REQUEST_HEADERS:Content-Type "application/json" \\
-+ "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
-+ SecRule REQBODY_ERROR "!\@eq 0" "id:'200444',phase:2,log,deny,status:403,msg:'Failed to parse request body'"
-+ SecRule ARGS "\@streq 25" "id:'200445',phase:2,log,deny,status:403"
-+ ),
-+ match_log => {
-+ audit => [ qr/200445/s, 1 ],
-+ },
-+ match_response => {
-+ status => qr/^403$/,
-+ },
-+ request => new HTTP::Request(
-+ POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
-+ [
-+ "Content-Type" => "application/json",
-+ ],
-+ normalize_raw_request_data(
-+ q(
-+ 25
-+ ),
-+ ),
-+ ),
- }
-
-
---
-2.39.0.windows.2
-
diff --git a/modsecurity-2.9.5-Fix-memory-leak-that-occurs-on-JSON-parsing-error.patch b/modsecurity-2.9.5-Fix-memory-leak-that-occurs-on-JSON-parsing-error.patch
deleted file mode 100644
index 1ee6e1f36cece5e1cc7ef706fa18c3e01eafeca4..0000000000000000000000000000000000000000
--- a/modsecurity-2.9.5-Fix-memory-leak-that-occurs-on-JSON-parsing-error.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 0951ccdfa2eee85e71ddcec6a45c87ce37772c69 Mon Sep 17 00:00:00 2001
-From: yaoguangzhong
-Date: Sat, 7 Jan 2023 15:02:18 +0800
-Subject: [PATCH] Fix memory leak that occurs on JSON parsing error
-
-From Author: Martin Vierula
-commit c6582df2e5e3a92ba4b90e2a6cfaeb89f61bcadf
----
- apache2/msc_json.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/apache2/msc_json.c b/apache2/msc_json.c
-index d69e9eb..cbaab0e 100644
---- a/apache2/msc_json.c
-+++ b/apache2/msc_json.c
-@@ -351,11 +351,12 @@ int json_process_chunk(modsec_rec *msr, const char *buf, unsigned int size, char
- /* Feed our parser and catch any errors */
- msr->json->status = yajl_parse(msr->json->handle, buf, size);
- if (msr->json->status != yajl_status_ok) {
-- /* We need to free the yajl error message later, how to do this? */
- if (msr->json->depth_limit_exceeded) {
- *error_msg = "JSON depth limit exceeded";
- } else {
-- *error_msg = yajl_get_error(msr->json->handle, 0, NULL, 0);
-+ char *yajl_err = yajl_get_error(msr->json->handle, 0, buf, size);
-+ *error_msg = apr_pstrdup(msr->mp, yajl_err);
-+ yajl_free_error(msr->json->handle, yajl_err);
- }
- return -1;
- }
-@@ -375,11 +376,12 @@ int json_complete(modsec_rec *msr, char **error_msg) {
- /* Wrap up the parsing process */
- msr->json->status = yajl_complete_parse(msr->json->handle);
- if (msr->json->status != yajl_status_ok) {
-- /* We need to free the yajl error message later, how to do this? */
- if (msr->json->depth_limit_exceeded) {
- *error_msg = "JSON depth limit exceeded";
- } else {
-- *error_msg = yajl_get_error(msr->json->handle, 0, NULL, 0);
-+ char *yajl_err = yajl_get_error(msr->json->handle, 0, NULL, 0);
-+ *error_msg = apr_pstrdup(msr->mp, yajl_err);
-+ yajl_free_error(msr->json->handle, yajl_err);
- }
-
- return -1;
---
-2.27.0
-
diff --git a/modsecurity-2.9.5-Properly-cleanup-XML-parser-contexts-upon-completion.patch b/modsecurity-2.9.5-Properly-cleanup-XML-parser-contexts-upon-completion.patch
deleted file mode 100644
index e74ddde56f846d9a3a02302ffc9ed4bbd41dad81..0000000000000000000000000000000000000000
--- a/modsecurity-2.9.5-Properly-cleanup-XML-parser-contexts-upon-completion.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 6a5ec1ff7bd5a4a653da417f9a49a50cf5b2429d Mon Sep 17 00:00:00 2001
-From: Vladimir Krivopalov
-Date: Mon, 13 Jan 2020 16:36:09 -0800
-Subject: [PATCH] Properly cleanup XML parser contexts upon completion
-
-It is currently possible that the XML parsing context is not properly
-cleaned up if a parsed XML document is malformed.
-
-This fix makes sure that the context is taken care of.
-
-Signed-off-by: Vladimir Krivopalov
----
- apache2/msc_xml.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/apache2/msc_xml.c b/apache2/msc_xml.c
-index a31decb5..9cc4da65 100644
---- a/apache2/msc_xml.c
-+++ b/apache2/msc_xml.c
-@@ -137,6 +137,13 @@ int xml_complete(modsec_rec *msr, char **error_msg) {
- * Frees the resources used for XML parsing.
- */
- apr_status_t xml_cleanup(modsec_rec *msr) {
-+ if (msr->xml->parsing_ctx != NULL) {
-+ if (msr->xml->parsing_ctx->myDoc) {
-+ xmlFreeDoc(msr->xml->parsing_ctx->myDoc);
-+ }
-+ xmlFreeParserCtxt(msr->xml->parsing_ctx);
-+ msr->xml->parsing_ctx = NULL;
-+ }
- if (msr->xml->doc != NULL) {
- xmlFreeDoc(msr->xml->doc);
- msr->xml->doc = NULL;
---
-2.27.0
-
diff --git a/modsecurity-2.9.5-Set-SecStatusEngine-Off-in-modsecurity.conf.patch b/modsecurity-2.9.5-Set-SecStatusEngine-Off-in-modsecurity.conf.patch
deleted file mode 100644
index ce14f7169e7c2052366fa59d78ce90a8f510a319..0000000000000000000000000000000000000000
--- a/modsecurity-2.9.5-Set-SecStatusEngine-Off-in-modsecurity.conf.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From fc84c6a3f6c446760350f80189d4bbfc116c143c Mon Sep 17 00:00:00 2001
-From: yaoguangzhong
-Date: Sat, 7 Jan 2023 15:26:23 +0800
-Subject: [PATCH] backport Set SecStatusEngine Off in
- modsecurity.conf-recommended
-
-From Author: Martin Vierula
-commit 733427197e2fe4fabcbb0f43bd1e636ef923a6b4
----
- modsecurity.conf-recommended | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/modsecurity.conf-recommended b/modsecurity.conf-recommended
-index c84ddce..923f5d8 100644
---- a/modsecurity.conf-recommended
-+++ b/modsecurity.conf-recommended
-@@ -234,5 +234,6 @@ SecUnicodeMapFile unicode.mapping 20127
- # The following information will be shared: ModSecurity version,
- # Web Server version, APR version, PCRE version, Lua version, Libxml2
- # version, Anonymous unique id for host.
--SecStatusEngine On
--
-++# NB: As of April 2022, there is no longer any advantage to turning this
-++# setting On, as there is no active receiver for the information.
-++SecStatusEngine Off
---
-2.27.0
-
diff --git a/modsecurity-2.9.5-use-uid-if-user-name-is-not-available.patch b/modsecurity-2.9.5-use-uid-if-user-name-is-not-available.patch
deleted file mode 100644
index 648e6e19815070fe680b32a07c7b380beed18c4d..0000000000000000000000000000000000000000
--- a/modsecurity-2.9.5-use-uid-if-user-name-is-not-available.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From 46c6cb2759327d94e619454dbe61f1e7639dd607 Mon Sep 17 00:00:00 2001
-From: Armin Abfalterer
-Date: Tue, 12 Mar 2019 16:29:43 +0100
-Subject: [PATCH] use uid if user name is not available
-
----
- apache2/msc_logging.c | 10 +++++++---
- apache2/persist_dbm.c | 29 +++++++++++++++++++----------
- 2 files changed, 26 insertions(+), 13 deletions(-)
-
-diff --git a/apache2/msc_logging.c b/apache2/msc_logging.c
-index d50f709e..d1a867c3 100644
---- a/apache2/msc_logging.c
-+++ b/apache2/msc_logging.c
-@@ -234,16 +234,20 @@ static char *construct_auditlog_filename(apr_pool_t *mp, const char *uniqueid) {
- * This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations
- * It also changes the return statement.
- */
-- char *username;
-+ char *userinfo;
-+ apr_status_t rc;
- apr_uid_t uid;
- apr_gid_t gid;
- apr_uid_current(&uid, &gid, mp);
-- apr_uid_name_get(&username, uid, mp);
-+ rc = apr_uid_name_get(&userinfo, uid, mp);
-+ if (rc != APR_SUCCESS) {
-+ userinfo = apr_psprintf(mp, "%u", uid);
-+ }
-
- apr_time_exp_lt(&t, apr_time_now());
-
- apr_strftime(tstr, &len, 299, "/%Y%m%d/%Y%m%d-%H%M/%Y%m%d-%H%M%S", &t);
-- return apr_psprintf(mp, "/%s%s-%s", username, tstr, uniqueid);
-+ return apr_psprintf(mp, "/%s%s-%s", userinfo, tstr, uniqueid);
- }
-
- /**
-diff --git a/apache2/persist_dbm.c b/apache2/persist_dbm.c
-index efbbf6eb..e4f8036f 100644
---- a/apache2/persist_dbm.c
-+++ b/apache2/persist_dbm.c
-@@ -104,11 +104,14 @@ static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec
- /**
- * This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations
- */
-- char *username;
-+ char *userinfo;
- apr_uid_t uid;
- apr_gid_t gid;
- apr_uid_current(&uid, &gid, msr->mp);
-- apr_uid_name_get(&username, uid, msr->mp);
-+ rc = apr_uid_name_get(&userinfo, uid, msr->mp);
-+ if (rc != APR_SUCCESS) {
-+ userinfo = apr_psprintf(msr->mp, "%u", uid);
-+ }
-
- if (msr->txcfg->data_dir == NULL) {
- msr_log(msr, 1, "collection_retrieve_ex: Unable to retrieve collection (name \"%s\", key \"%s\"). Use "
-@@ -117,7 +120,7 @@ static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec
- goto cleanup;
- }
-
-- dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", col_name, NULL);
-+ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", col_name, NULL);
-
- if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "collection_retrieve_ex: collection_retrieve_ex: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name),
-@@ -385,11 +388,14 @@ int collection_store(modsec_rec *msr, apr_table_t *col) {
- /**
- * This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations
- */
-- char *username;
-+ char *userinfo;
- apr_uid_t uid;
- apr_gid_t gid;
- apr_uid_current(&uid, &gid, msr->mp);
-- apr_uid_name_get(&username, uid, msr->mp);
-+ rc = apr_uid_name_get(&userinfo, uid, msr->mp);
-+ if (rc != APR_SUCCESS) {
-+ userinfo = apr_psprintf(msr->mp, "%u", uid);
-+ }
-
- var_name = (msc_string *)apr_table_get(col, "__name");
- if (var_name == NULL) {
-@@ -409,7 +415,7 @@ int collection_store(modsec_rec *msr, apr_table_t *col) {
- }
-
- // ENH: lowercase the var name in the filename
-- dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", var_name->value, NULL);
-+ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", var_name->value, NULL);
-
- if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "collection_store: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, var_name->value),
-@@ -675,11 +681,14 @@ int collections_remove_stale(modsec_rec *msr, const char *col_name) {
- /**
- * This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations
- */
-- char *username;
-+ char *userinfo;
- apr_uid_t uid;
- apr_gid_t gid;
- apr_uid_current(&uid, &gid, msr->mp);
-- apr_uid_name_get(&username, uid, msr->mp);
-+ rc = apr_uid_name_get(&userinfo, uid, msr->mp);
-+ if (rc != APR_SUCCESS) {
-+ userinfo = apr_psprintf(msr->mp, "%u", uid);
-+ }
-
- if (msr->txcfg->data_dir == NULL) {
- /* The user has been warned about this problem enough times already by now.
-@@ -690,9 +699,9 @@ int collections_remove_stale(modsec_rec *msr, const char *col_name) {
- }
-
- if(strstr(col_name,"USER") || strstr(col_name,"SESSION") || strstr(col_name, "RESOURCE"))
-- dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", msr->txcfg->webappid, "_", col_name, NULL);
-+ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", msr->txcfg->webappid, "_", col_name, NULL);
- else
-- dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", col_name, NULL);
-+ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", col_name, NULL);
-
- if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "collections_remove_stale: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name),
---
-2.27.0
-
diff --git a/modsecurity-2.9.5.tar.gz b/modsecurity-2.9.7.tar.gz
similarity index 57%
rename from modsecurity-2.9.5.tar.gz
rename to modsecurity-2.9.7.tar.gz
index cbbf85bfd7b30fa238ae6cb1d2d59af9df977379..5f2e728e857e2826964e669b34107b933e68a00f 100644
Binary files a/modsecurity-2.9.5.tar.gz and b/modsecurity-2.9.7.tar.gz differ
diff --git a/modsecurity_localrules.conf b/modsecurity_localrules.conf
index 13935cd13185526fbf89d4e7bae60c0da363766c..983d7df3c459efa3b0c713f01e9ee7cee12f6419 100644
--- a/modsecurity_localrules.conf
+++ b/modsecurity_localrules.conf
@@ -1,3 +1,5 @@
+# User defined rules and settings .
+#
# You can use this file/directory to drop your local rules or
# to remove some rules provided by mod_security_crs package with SecRuleRemoveById
#