|
5 | 5 | or the CRS mailinglist at
|
6 | 6 | * https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
|
7 | 7 |
|
8 |
| -== Version 3.0.1 - 5/FIXME/2017 == |
9 |
| - |
10 |
| - * As of CRS version 3.0.1, support has been added for the application/soap+xml MIME |
11 |
| - type by default, as specified in RFC 3902. OF IMPORTANCE, application/soap+xml is |
12 |
| - indicative that XML will be provided. In accordance with this, ModSecurity's XML |
13 |
| - Request Body Processor should also be configured to support this MIME type. Within |
14 |
| - the ModSecurity project, commit 5e4e2af |
15 |
| - (https://github.com/SpiderLabs/ModSecurity/commit/5e4e2af7a6f07854fee6ed36ef4a381d4e03960e) |
16 |
| - has been merged to support this endevour. However, if you are running a modified or |
17 |
| - preexisting version of the modsecurity.conf provided by this repository, you may |
18 |
| - wish to upgrade rule '200000' accordingly. The rule now appears as follows: |
19 |
| - |
20 |
| -``` |
21 |
| -SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \ |
22 |
| - "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" |
23 |
| -``` |
| 8 | +== Version 3.0.1 - 5/9/2017 == |
24 | 9 |
|
| 10 | + * SECURITY: Removed insecure handling of X-Forwarded-For header; |
| 11 | + reported by Christoph Hansen (Walter Hop) |
| 12 | + * Added support for mime type application/soap+xml (RFC 3902, Chaim Sanders) |
25 | 13 | * Fixed documentation errors in RESPONSE-999-... (Chaim Sanders)
|
26 | 14 | * Reduced FPs on 942190 by adding a word boundary to regex (Franziska Bühler)
|
27 | 15 | * Reduced FPs on 932150 by removing keyword reset (Franziska Bühler)
|
|
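Review bot: The one-line entry for application/soap+xml (new line 12) drops the upgrade guidance that the removed block carried. That block told operators running a modified or preexisting modsecurity.conf to update rule 200000 so that ModSecurity's XML Request Body Processor is configured for this MIME type, and it referenced ModSecurity commit 5e4e2af. Consider keeping a short second line under the entry that says rule 200000 in modsecurity.conf should match application/soap+xml and points to that commit. The SECURITY entry on new lines 10-11 also does not name the rule or file in which the X-Forwarded-For handling was removed, so users with local changes cannot tell from the changelog whether they are affected; adding the rule id or file name would help.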