owasp-modsecurity
diff --git a/‎.github/ISSUE_TEMPLATE/bug-report-for-version-2-x.md
Lines changed: 3 additions & 0 deletions b/‎.github/ISSUE_TEMPLATE/bug-report-for-version-2-x.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/ISSUE_TEMPLATE/bug-report-for-version-3-x.md
Lines changed: 6 additions & 3 deletions b/‎.github/ISSUE_TEMPLATE/bug-report-for-version-3-x.md
Lines changed: 6 additions & 3 deletions
diff --git a/‎CHANGES
Lines changed: 17 additions & 0 deletions b/‎CHANGES
Lines changed: 17 additions & 0 deletions
diff --git a/‎configure.ac
Lines changed: 10 additions & 10 deletions b/‎configure.ac
Lines changed: 10 additions & 10 deletions
diff --git a/‎headers/modsecurity/modsecurity.h
Lines changed: 3 additions & 3 deletions b/‎headers/modsecurity/modsecurity.h
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/parser/driver.cc
Lines changed: 7 additions & 4 deletions b/‎src/parser/driver.cc
Lines changed: 7 additions & 4 deletions
diff --git a/‎src/parser/driver.h
Lines changed: 9 additions & 10 deletions b/‎src/parser/driver.h
Lines changed: 9 additions & 10 deletions
@@ -1,6 +1,9 @@
 ---
 name: Bug report for version 2.x
 about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
 
 ---
 
 
@@ -2,6 +2,9 @@
 name: Bug report for version 3.x
 about: Create a report to help us improve. If you don't know a specific detail or
   piece of information leave it blank, if necessary we will help you to figure out.
+title: ''
+labels: ''
+assignees: ''
 
 ---
 
@@ -17,7 +20,7 @@ Output of:
  3. Error logs
  4. If there is a crash, the core dump file.
 
-_Notice:_ Be carefully to not leak any confidential information.
+_Notice:_ Be careful to not leak any confidential information.
 
 **To Reproduce**
 
@@ -33,8 +36,8 @@ A **curl** command line that mimics the original request and reproduces the prob
 A clear and concise description of what you expected to happen.
 
 **Server (please complete the following information):**
- - ModSecurity version (and connector): [e.g. ModSecurity v3.0.1 with nginx-connector v1.0.0]
- - WebServer: [e.g. nginx-1.15.5]
+ - ModSecurity version (and connector): [e.g. ModSecurity v3.0.8 with nginx-connector v1.0.3]
+ - WebServer: [e.g. nginx-1.18.0]
  - OS (and distro): [e.g. Linux, archlinux]
 
 
 
@@ -1,6 +1,23 @@
 v3.x.y - YYYY-MMM-DD (to be released)
 -------------------------------------
+  - Configure: use AS_ECHO_N instead echo -n
+    [Issue #2894 - @liudongmiao, @martinhsv]
+  - Adjust position of memset from 2890
+    [Issue #2891 - @mirkodziadzka-avi, @martinhsv]
+  - Add test: empty lines in ipMatchFromFile test
+    [Issue #2846 - @tomsommer]
 
+
+
+v3.0.9 - 2023-Apr-12
+--------------------
+
+  - Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
+    [Issue #2877, #2890 - @tomsommer, @martinhsv]
+  - Add some member variable inits in Transaction class (possible segfault)
+    [Issue #2886 - @GNU-Plus-Windows-User, @airween, @mdounin, @martinhsv]
+  - Resolve memory leak on reload (bison-generated variable)
+    [Issue #2876 - @martinhsv]
   - Support equals sign in XPath expressions
     [Issue #2328 - @dennus, @martinhsv]
   - Encode two special chars in error.log output
 
@@ -424,9 +424,9 @@ echo " "
 echo "ModSecurity - ${MSC_GIT_VERSION} for $PLATFORM"
 echo " "
 echo " Mandatory dependencies"
-echo -n "   + libInjection                                  ...."
+AS_ECHO_N("   + libInjection                                  ....")
 echo LIBINJECTION_VERSION
-echo -n "   + SecLang tests                                 ...."
+AS_ECHO_N("   + SecLang tests                                 ....")
 echo SECLANG_TEST_VERSION
 
 echo " "
@@ -439,7 +439,7 @@ if test "x$GEOIP_FOUND" = "x0" && test "x$MAXMIND_FOUND" = "x0"; then
     echo "   + GeoIP/MaxMind                                 ....not found"
 fi
 if test "x$GEOIP_FOUND" = "x1" || test "x$MAXMIND_FOUND" = "x1"; then
-    echo -n "   + GeoIP/MaxMind                                 ....found "
+    AS_ECHO_N("   + GeoIP/MaxMind                                 ....found ")
     echo ""
     if test "x$MAXMIND_FOUND" = "x1"; then
         echo "      * (MaxMind) v${MAXMIND_VERSION}"
@@ -460,7 +460,7 @@ if test "x$CURL_FOUND" = "x0"; then
     echo "   + LibCURL                                       ....not found"
 fi
 if test "x$CURL_FOUND" = "x1"; then
-    echo -n "   + LibCURL                                       ....found "
+    AS_ECHO_N("   + LibCURL                                       ....found ")
     if ! test "x$CURL_VERSION" = "x"; then
         echo "v${CURL_VERSION}"
     else
@@ -478,7 +478,7 @@ if test "x$YAJL_FOUND" = "x0"; then
     echo "   + YAJL                                          ....not found"
 fi
 if test "x$YAJL_FOUND" = "x1"; then
-    echo -n "   + YAJL                                          ....found "
+    AS_ECHO_N("   + YAJL                                          ....found ")
     if ! test "x$YAJL_VERSION" = "x"; then
         echo "v${YAJL_VERSION}"
     else
@@ -496,7 +496,7 @@ if test "x$LMDB_FOUND" = "x0"; then
     echo "   + LMDB                                          ....not found"
 fi
 if test "x$LMDB_FOUND" = "x1"; then
-    echo -n "   + LMDB                                          ....found "
+    AS_ECHO_N("   + LMDB                                          ....found ")
     if ! test "x$LMDB_VERSION" = "x"; then
         echo "v${LMDB_VERSION}"
     else
@@ -514,7 +514,7 @@ if test "x$LIBXML2_FOUND" = "x0"; then
     echo "   + LibXML2                                       ....not found"
 fi
 if test "x$LIBXML2_FOUND" = "x1"; then
-    echo -n "   + LibXML2                                       ....found "
+    AS_ECHO_N("   + LibXML2                                       ....found ")
     if ! test "x$LIBXML2_VERSION" = "x"; then
         echo "v${LIBXML2_VERSION}"
     else
@@ -532,7 +532,7 @@ if test "x$SSDEEP_FOUND" = "x0"; then
     echo "   + SSDEEP                                        ....not found"
 fi
 if test "x$SSDEEP_FOUND" = "x1"; then
-    echo -n "   + SSDEEP                                        ....found "
+    AS_ECHO_N("   + SSDEEP                                        ....found ")
     if ! test "x$SSDEEP_VERSION" = "x"; then
         echo "v${SSDEEP_VERSION}"
     else
@@ -549,7 +549,7 @@ if test "x$LUA_FOUND" = "x0"; then
     echo "   + LUA                                           ....not found"
 fi
 if test "x$LUA_FOUND" = "x1"; then
-    echo -n "   + LUA                                           ....found "
+    AS_ECHO_N("   + LUA                                           ....found ")
     if ! test "x$LUA_VERSION" = "x"; then
         echo "v${LUA_VERSION}"
     else
@@ -567,7 +567,7 @@ if test "x$PCRE2_FOUND" = "x0"; then
     echo "   + PCRE2                                          ....not found"
 fi
 if test "x$PCRE2_FOUND" = "x1"; then
-    echo -n "   + PCRE2                                          ....found "
+    AS_ECHO_N("   + PCRE2                                          ....found ")
     if ! test "x$PCRE2_VERSION" = "x"; then
         echo "v${PCRE2_VERSION}"
     else
 
@@ -1,6 +1,6 @@
 /*
  * ModSecurity, http://www.modsecurity.org/
- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
@@ -190,15 +190,15 @@ namespace modsecurity {
 
 #define MODSECURITY_MAJOR "3"
 #define MODSECURITY_MINOR "0"
-#define MODSECURITY_PATCHLEVEL "8"
+#define MODSECURITY_PATCHLEVEL "9"
 #define MODSECURITY_TAG ""
 #define MODSECURITY_TAG_NUM "100"
 
 #define MODSECURITY_VERSION MODSECURITY_MAJOR "." \
     MODSECURITY_MINOR "." MODSECURITY_PATCHLEVEL \
     MODSECURITY_TAG
 
-#define MODSECURITY_VERSION_NUM 3080100
+#define MODSECURITY_VERSION_NUM 3090100
 
 #define MODSECURITY_CHECK_VERSION(a) (MODSECURITY_VERSION_NUM <= a)
 
 
@@ -1,6 +1,6 @@
 /*
  * ModSecurity, http://www.modsecurity.org/
- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
@@ -34,6 +34,7 @@ Driver::Driver()
 
 
 Driver::~Driver() {
+
     while (loc.empty() == false) {
         yy::location *a = loc.back();
         loc.pop_back();
@@ -42,7 +43,7 @@ Driver::~Driver() {
 }
 
 
-int Driver::addSecMarker(std::string marker, std::unique_ptr<std::string> fileName, int lineNumber) {
+int Driver::addSecMarker(const std::string& marker, std::unique_ptr<std::string> fileName, int lineNumber) {
     // FIXME: we might move this to the parser.
     for (int i = 0; i < modsecurity::Phases::NUMBER_OF_PHASES; i++) {
         RuleMarker *r = new RuleMarker(marker, std::unique_ptr<std::string>(new std::string(*fileName)), lineNumber);
@@ -129,9 +130,11 @@ int Driver::parse(const std::string &f, const std::string &ref) {
     m_lastRule = nullptr;
     loc.push_back(new yy::location());
     if (ref.empty()) {
-        loc.back()->begin.filename = loc.back()->end.filename = new std::string("<<reference missing or not informed>>");
+        m_filenames.push_back("<<reference missing or not informed>>");
+        loc.back()->begin.filename = loc.back()->end.filename = &(m_filenames.back());
     } else {
-        loc.back()->begin.filename = loc.back()->end.filename = new std::string(ref);
+        m_filenames.push_back(ref);
+        loc.back()->begin.filename = loc.back()->end.filename = &(m_filenames.back());
     }
 
     if (f.empty()) {
 
@@ -1,6 +1,6 @@
 /*
  * ModSecurity, http://www.modsecurity.org/
- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
@@ -53,22 +53,14 @@ typedef struct Driver_t Driver;
 #endif
 
 
-/**
- *
- * FIXME: There is a memory leak in the filename at yy::location.
- *        The filename should be converted into a shared string to
- *        save memory or be associated with the life cycle of the
- *        driver class.
- *
- **/
 class Driver : public RulesSetProperties {
  public:
     Driver();
     virtual ~Driver();
 
     int addSecRule(std::unique_ptr<RuleWithActions> rule);
     int addSecAction(std::unique_ptr<RuleWithActions> rule);
-    int addSecMarker(std::string marker, std::unique_ptr<std::string> fileName, int lineNumber);
+    int addSecMarker(const std::string& marker, std::unique_ptr<std::string> fileName, int lineNumber);
     int addSecRuleScript(std::unique_ptr<RuleScript> rule);
 
     bool scan_begin();
@@ -92,6 +84,13 @@ class Driver : public RulesSetProperties {
     RuleWithActions *m_lastRule;
 
     RulesSetPhases m_rulesSetPhases;
+
+    // Retain a list of new'd filenames so that they are available during the lifetime
+    // of the Driver object, but so that they will get cleaned up by the Driver
+    // destructor. This is to resolve a memory leak of  yy.position.filename in location.hh.
+    // Ordinarily other solutions would have been preferable, but location.hh is a
+    // bison-generated file, which makes some alternative solutions impractical.
+    std::list<std::string> m_filenames;
 };