Closed combine-space closed 1 month ago
Thanks for the detailed report! Are you up for a patch?
Today's release should have your fix. Please test after baking has finished and let us know!
Thanks for providing the image so quickly, I really appreciate it. The fix is working, I already pushed it to our waf cluster. 👍
No problem! Please feel free to contribute any time soon! 😄
After switching over to the latest release 202405101205, the environment variable RESTRICTED_HEADERS= is not getting applied anymore. In CRS until v.4.0.0-rc1 the setvar name was tx.restricted_headers (https://github.com/coreruleset/coreruleset/blob/v4.0.0-rc1/crs-setup.conf.example#L492), in CRS v4.2.0 the rule has been split into two new rules, tx.restricted_headers_basic and tx.restricted_headers_extended (https://github.com/coreruleset/coreruleset/blob/v4.2.0/crs-setup.conf.example#L591-L625).
It seems that the entrypoint script was not updated: https://github.com/coreruleset/modsecurity-crs-docker/blob/release/20240510/src/opt/modsecurity/activate-rules.sh#L62-L65
When running the sed line below with the corrected setvar name, it works again: