Merge pull request #612 from dune73/known_bugs_rc2

Known bugs rc2
SpiderLabs · Oct 15, 2016 · cb54f27 · cb54f27
2 parents 96f27e5 + 9538e05
commit cb54f27
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 17 deletions.
diff --git a/KNOWN_BUGS b/KNOWN_BUGS
@@ -6,24 +6,24 @@ or the CRS mailinglist at
 * https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
 
 * There are still false positives for standard web applications in
-  the default install (paranoia level 1). Please report these when 
-  you encounter them. 
+  the default install (paranoia level 1). Please report these when
+  you encounter them.
   False Positives from paranoia level 2 rules are less interesting,
   as we expect users to write exclusion rules for their alerts in
   the higher paranoia levels.
-* Permanent blocking of clients based on previous user agent match /
-  IP reputation filter.
-  This is On by default in CRSv3.0.0-RC1, but will be off by default
-  for the full release.
-  See https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/514
-* Apache 2.4 prior to 2.4.11 is affected by a bug, which causes
-  the server to fail during startup with an error pointing to various
-  lines in the CRS ruleset.
-  https://bz.apache.org/bugzilla/show_bug.cgi?id=55910
+* Permanent blocking of clients is based on a previous user agent / IP
+  combination. Changing the user agent will thus allow to bypass
+  this new filter. The plan is to allow for a purely IP based
+  filter in the future.
+* Apache 2.4 prior to 2.4.11 is affected by a bug in parsing multi-line
+  configuration directives, which causes Apache to fail during startup
+  with an error such as:
+    Error parsing actions: Unknown action: \\
+    Action 'configtest' failed.
   This bug is known to plague RHEL 7 and Ubuntu 14.04 LTS users.
-  We advise to update your apache version.
-  A workaround exists: You can try and enter empty lines into your
-  rule files until the error disappears. Please be aware that this
-  will mean that updates to the rulesets will have to be done by
-  hand in the future as you are changing the rule files.
-
+  https://bz.apache.org/bugzilla/show_bug.cgi?id=55910
+  We advise to upgrade your Apache version. If upgrading is not possible,
+  we have provided a script in the util/join-multiline-rules directory
+  which converts the rules into a format that works around the bug.
+  You have to re-run this script whenever you modify or update 
+  the CRS rules.
diff --git a/util/join-multiline-rules/join.py b/util/join-multiline-rules/join.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+#
+# This script reads all the rule files passed on the command line,
+# and outputs them, with each (multi-line) directive joined as a
+# single line.
+#
+# This can be used to work around a bug in Apache < 2.4.11 in
+# parsing long configuration directives.
+#
+# Usage:
+#
+#   util/join-multiline-rules/join.py rules/*.conf > rules/rules.conf.joined
+#
+# This produces a single 'rules.conf.joined' file that can be included
+# in buggy Apache versions. It is recommended to keep this file in the
+# rules/ directory (because it refers to .data files in that directory)
+# but give it a name not ending in .conf (so the file will not be
+# included in *.conf and you can re-run the command multiple times
+# without including its own output).
+#
+# Example:
+#
+#   SecRule &TX:paranoia_level "@eq 0" \
+#      "id:901120,\
+#      phase:1,\
+#      pass,\
+#      nolog,\
+#      setvar:tx.paranoia_level=1"
+#
+# will be outputted as:
+#
+#   SecRule &TX:paranoia_level "@eq 0" "id:901120,phase:1,pass,nolog,setvar:tx.paranoia_level=1"
+#
+
+import fileinput, sys
+
+for line in fileinput.input():
+    line = line.strip()
+    if line == '':
+        sys.stdout.write("\n")
+        continue
+
+    if line[-1] == '\\':
+        sys.stdout.write(line[0:-1])
+    else:
+        sys.stdout.write(line)
+        sys.stdout.write("\n")