zimmerle
commented
5 years ago Hi @airween,
You mentioned that it depends on the patched libModSecurity. Do you mind to share the exact patches that you are referring to?
Open airween opened 5 years ago
zimmerle
commented
5 years ago Hi @airween,
You mentioned that it depends on the patched libModSecurity. Do you mind to share the exact patches that you are referring to?
airween
commented
5 years ago Hi @zimmerle
there is one bug in libmodsecurity3, what I couldn't fixed yet. In the tests what I referred above, I've used a quick and dirty workaround for some CRS rule. I need some time to finish that.
Any other patches are shared, most of them are merged :).
Note, that these fixes are independents of the libmodsecurity3 and those patches.
Finally, the ec098a isn't complete yet too (the process_intervention() missing when msc_process_request_body() called, but with it the response will always HTTP 400, no matters what is in the rule, eg. 403 or something other...).
Summarize: I think these collection won't spoil the Apache connector :), and I guess this way is right to make it better.
With these commits, the Apache passes all CRS (3.1) regression tests (with patched libmodsecurity3).