GitHub migration scheduled for March 18 had to be cancelled / postponed. TW and CRS do not agree on the procedure. Migration team: @dune73, @lifeforms and @fzipi.
A full test was performed today; you will see that every issue has a mention from the friendly CRS-migration-bot. You can see the results in https://github.com/crstest01/owasp-modsecurity-crs. There is also a plan to perform the migration; we only need to set the date with Trustwave.
Feel free to add items as you see fit either above, or below as comments.
Open Issues
In January 2020, we decided to look into 10 issues at the chat every month, but only after the Other items. Pick the issues before the meeting and list them below.
1708 @airween and Mirko will work on this PR and see to it that it, or a replacement PR, gets merged during May
1710 merge
1734 merge
1735 merge
1738 merge
1739 merge
1740 stalled until #1748 is merged. Then @franbuehler needs somebody to talk this through.
1742 merge
1743 merge
1744 Assigning @franbuehler to review and investigate the use of ENV variables
1745 merge
1746 review by @fzipi
1748 merge and make sure we note the config change in the release notes (-> issue: #1752)
1750 merge
Other Items
Repo migration is now planned (but not confirmed by TW) for Wednesday May 13.
The migration will happen with a helper script and a migration bot programmed by @fzipi. This will copy all issues via the API and make sure the IDs remain the same! A test migration went smoothly and @nerrehmit will now check the result carefully (-> https://github.com/fzipi/crs-migration)
We are seeing fewer active developers in the project. This is probably natural turnover, but it is painful for the project. We will schedule a talk about this at the next meeting.
This is the Agenda for the Monthly CRS Chat.
The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, May 4, at 20:30 CET.
Items on the Agenda:
Previous meetings' decisions: here
PRs
1707 New ldap injection rule 921200 (fixes issue #276)
1708 Perf issue with regexes that start with repeating digits
1710 Add word boundaries around values in SQL tautologies (942130) - reviewed, approved by @franbuehler. Ready to be merged.
1734 Fix content type whitelist (feedback @franbuehler: rule only on test system, @lifeforms?)
1735 Fix link for 941310
1738 WordPress: exclude additional URL fields in profile editor
1739 XenForo: update exclusions
1740 Make Content-Type case insensitive (on hold until #1748 is merged)
1742 Suppress rule 200002 when editing contacts in Nextcloud
1743 Allow REPORT requests without Content-Type header in Nextcloud
1744 Update README.md
1745 Changed variable to lowercase (fixed #1741)
1746 Fix 921120 FP (resolves issue #1615)
1748 Content-Type var fix ModSec v2 v3 900220 soap xml
1750 Added 'ver' action with current version to all necessary rules (fix for #650)
PRs on hold
1602 932200: PL1 RCE bypass uninitialized variable (DRAFT) (Has been in need of action for a long time)
1616 Revert #578 (Needs action)
1663 RE2 compatibility for 920120 (no feedback from CDN unfortunately)
1667 Remove /util/docker folder from v3.3/dev branch (now in dedicated repo) (In progress)
1674 Extend sql having in rule 942230 (no feedback from CDN unfortunately)
1690 Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf (Needs action)
If you are not yet on the OWASP Slack, here is your invite: https://join.slack.com/t/owasp/shared_invite/enQtNjExMTc3MTg0MzU4LWQ2Nzg3NGJiZGQ2MjRmNzkzN2Q4YzU1MWYyZTdjYjA2ZTA5M2RkNzE2ZjdkNzI5ZThhOWY5MjljYWZmYmY4ZjM . Everybody is welcome to join our community chat.