!40 Upgrade to version 2.9.7

From: @chen-jan 
Reviewed-by: @wu-leilei 
Signed-off-by: @wu-leilei

mod_security-2.9.3-remote-rules-timeout.patch

@@ -0,0 +1,85 @@
+diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
+index 80f8f2b..7912d84 100644
+--- a/apache2/apache2_config.c
++++ b/apache2/apache2_config.c
+@@ -2354,6 +2354,24 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
+ }
+ 
+ 
++static const char *cmd_remote_timeout(cmd_parms *cmd, void *_dcfg, const char *p1)
++{
++    directory_config *dcfg = (directory_config *)_dcfg;
++    long int timeout;
++
++    if (dcfg == NULL) return NULL;
++
++    timeout = strtol(p1, NULL, 10);
++    if ((timeout == LONG_MAX)||(timeout == LONG_MIN)||(timeout < 0)) {
++        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRemoteTimeout: %s", p1);
++    }
++
++    remote_rules_timeout = timeout;
++
++    return NULL;
++}
++
++
+ static const char *cmd_status_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
+ {
+     if (strcasecmp(p1, "on") == 0) {
+@@ -3667,6 +3685,14 @@ const command_rec module_directives[] = {
+         "Abort or Warn"
+     ),
+ 
++    AP_INIT_TAKE1 (
++        "SecRemoteTimeout",
++        cmd_remote_timeout,
++        NULL,
++        CMD_SCOPE_ANY,
++        "timeout in seconds"
++    ),
++
+ 
+     AP_INIT_TAKE1 (
+         "SecXmlExternalEntity",
+diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
+index 7bb215e..c155495 100644
+--- a/apache2/mod_security2.c
++++ b/apache2/mod_security2.c
+@@ -79,6 +79,8 @@ msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
+ #endif
+ int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
+ char DSOLOCAL *remote_rules_fail_message = NULL;
++unsigned long int DSOLOCAL remote_rules_timeout = NOT_SET;
++
+ 
+ int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
+ 
+diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
+index f24bc75..8bcd453 100644
+--- a/apache2/modsecurity.h
++++ b/apache2/modsecurity.h
+@@ -150,6 +150,7 @@ extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
+ #endif
+ extern DSOLOCAL int remote_rules_fail_action;
+ extern DSOLOCAL char *remote_rules_fail_message;
++extern DSOLOCAL unsigned long int remote_rules_timeout;
+ 
+ extern DSOLOCAL int status_engine_state;
+ 
+diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
+index 99968f0..b8db13e 100644
+--- a/apache2/msc_remote_rules.c
++++ b/apache2/msc_remote_rules.c
+@@ -358,6 +358,11 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
+         /* We want Curl to return error in case there is an HTTP error code */
+         curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
+ 
++        /* In case we want different timeout than a default one */
++        if (remote_rules_timeout != NOT_SET){
++            curl_easy_setopt(curl, CURLOPT_TIMEOUT, remote_rules_timeout);
++        }
++
+         res = curl_easy_perform(curl);
+ 
+         if (res != CURLE_OK)

mod_security.conf

@@ -1,226 +1,56 @@
-# -- Rule engine initialization ----------------------------------------------
+<IfModule mod_security2.c>
+    # Default recommended configuration
+    SecRuleEngine On
+    SecRequestBodyAccess On
+    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+         "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+    SecRequestBodyLimit 13107200
+    SecRequestBodyNoFilesLimit 131072
+    SecRequestBodyInMemoryLimit 131072
+    SecRequestBodyLimitAction Reject
+    SecRule REQBODY_ERROR "!@eq 0" \
+    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+    "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \
+    failed strict validation: \
+    PE %{REQBODY_PROCESSOR_ERROR}, \
+    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+    DB %{MULTIPART_DATA_BEFORE}, \
+    DA %{MULTIPART_DATA_AFTER}, \
+    HF %{MULTIPART_HEADER_FOLDING}, \
+    LF %{MULTIPART_LF_LINE}, \
+    SM %{MULTIPART_MISSING_SEMICOLON}, \
+    IQ %{MULTIPART_INVALID_QUOTING}, \
+    IP %{MULTIPART_INVALID_PART}, \
+    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
 
-# Enable ModSecurity, attaching it to every transaction. Use detection
-# only to start with, because that minimises the chances of post-installation
-# disruption.
-#
-SecRuleEngine DetectionOnly
+    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
 
+    SecPcreMatchLimit 1000
+    SecPcreMatchLimitRecursion 1000
 
-# -- Request body handling ---------------------------------------------------
+    SecRule TX:/^MSC_/ "!@streq 0" \
+            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
 
-# Allow ModSecurity to access request bodies. If you don't, ModSecurity
-# won't be able to see any POST parameters, which opens a large security
-# hole for attackers to exploit.
-#
-SecRequestBodyAccess On
-
-
-# Enable XML request body parser.
-# Initiate XML Processor in case of xml content-type
-#
-SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
-     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
-
-# Enable JSON request body parser.
-# Initiate JSON Processor in case of JSON content-type; change accordingly
-# if your application does not use 'application/json'
-#
-SecRule REQUEST_HEADERS:Content-Type "application/json" \
-     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
-
-# Maximum request body size we will accept for buffering. If you support
-# file uploads then the value given on the first line has to be as large
-# as the largest file you are willing to accept. The second value refers
-# to the size of data, with files excluded. You want to keep that value as
-# low as practical.
-#
-SecRequestBodyLimit 13107200
-SecRequestBodyNoFilesLimit 131072
-
-# Store up to 128 KB of request body data in memory. When the multipart
-# parser reachers this limit, it will start using your hard disk for
-# storage. That is slow, but unavoidable.
-#
-SecRequestBodyInMemoryLimit 131072
-
-# What do do if the request body size is above our configured limit.
-# Keep in mind that this setting will automatically be set to ProcessPartial
-# when SecRuleEngine is set to DetectionOnly mode in order to minimize
-# disruptions when initially deploying ModSecurity.
-#
-SecRequestBodyLimitAction Reject
-
-# Verify that we've correctly processed the request body.
-# As a rule of thumb, when failing to process a request body
-# you should reject the request (when deployed in blocking mode)
-# or log a high-severity alert (when deployed in detection-only mode).
-#
-SecRule REQBODY_ERROR "!@eq 0" \
-"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
-
-# By default be strict with what we accept in the multipart/form-data
-# request body. If the rule below proves to be too strict for your
-# environment consider changing it to detection-only. You are encouraged
-# _not_ to remove it altogether.
-#
-SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
-"id:'200003',phase:2,t:none,log,deny,status:400, \
-msg:'Multipart request body failed strict validation: \
-PE %{REQBODY_PROCESSOR_ERROR}, \
-BQ %{MULTIPART_BOUNDARY_QUOTED}, \
-BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
-DB %{MULTIPART_DATA_BEFORE}, \
-DA %{MULTIPART_DATA_AFTER}, \
-HF %{MULTIPART_HEADER_FOLDING}, \
-LF %{MULTIPART_LF_LINE}, \
-SM %{MULTIPART_MISSING_SEMICOLON}, \
-IQ %{MULTIPART_INVALID_QUOTING}, \
-IP %{MULTIPART_INVALID_PART}, \
-IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
-FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
-
-# Did we see anything that might be a boundary?
-#
-SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
-"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
-
-# PCRE Tuning
-# We want to avoid a potential RegEx DoS condition
-#
-SecPcreMatchLimit 1000
-SecPcreMatchLimitRecursion 1000
-
-# Some internal errors will set flags in TX and we will need to look for these.
-# All of these are prefixed with "MSC_".  The following flags currently exist:
-#
-# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
-#
-SecRule TX:/^MSC_/ "!@streq 0" \
-        "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
-
-
-# -- Response body handling --------------------------------------------------
-
-# Allow ModSecurity to access response bodies. 
-# You should have this directive enabled in order to identify errors
-# and data leakage issues.
-# 
-# Do keep in mind that enabling this directive does increases both
-# memory consumption and response latency.
-#
-SecResponseBodyAccess On
-
-# Which response MIME types do you want to inspect? You should adjust the
-# configuration below to catch documents but avoid static files
-# (e.g., images and archives).
-#
-SecResponseBodyMimeType text/plain text/html text/xml
-
-# Buffer response bodies of up to 512 KB in length.
-SecResponseBodyLimit 524288
-
-# What happens when we encounter a response body larger than the configured
-# limit? By default, we process what we have and let the rest through.
-# That's somewhat less secure, but does not break any legitimate pages.
-#
-SecResponseBodyLimitAction ProcessPartial
-
-
-# -- Filesystem configuration ------------------------------------------------
-
-# The location where ModSecurity stores temporary files (for example, when
-# it needs to handle a file upload that is larger than the configured limit).
-# 
-# This default setting is chosen due to all systems have /tmp available however, 
-# this is less than ideal. It is recommended that you specify a location that's private.
-#
-SecTmpDir /tmp/
-
-# The location where ModSecurity will keep its persistent data.  This default setting 
-# is chosen due to all systems have /tmp available however, it
-# too should be updated to a place that other users can't access.
-#
-SecDataDir /tmp/
-
-
-# -- File uploads handling configuration -------------------------------------
-
-# The location where ModSecurity stores intercepted uploaded files. This
-# location must be private to ModSecurity. You don't want other users on
-# the server to access the files, do you?
-#
-#SecUploadDir /opt/modsecurity/var/upload/
-
-# By default, only keep the files that were determined to be unusual
-# in some way (by an external inspection script). For this to work you
-# will also need at least one file inspection rule.
-#
-#SecUploadKeepFiles RelevantOnly
-
-# Uploaded files are by default created with permissions that do not allow
-# any other user to access them. You may need to relax that if you want to
-# interface ModSecurity to an external program (e.g., an anti-virus).
-#
-#SecUploadFileMode 0600
-
-
-# -- Debug log configuration -------------------------------------------------
-
-# The default debug log configuration is to duplicate the error, warning
-# and notice messages from the error log.
-#
-#SecDebugLog /opt/modsecurity/var/log/debug.log
-#SecDebugLogLevel 3
-
-
-# -- Audit log configuration -------------------------------------------------
-
-# Log the transactions that are marked by a rule, as well as those that
-# trigger a server error (determined by a 5xx or 4xx, excluding 404,  
-# level response status codes).
-#
-SecAuditEngine RelevantOnly
-SecAuditLogRelevantStatus "^(?:5|4(?!04))"
-
-# Log everything we know about a transaction.
-SecAuditLogParts ABIJDEFHZ
-
-# Use a single file for logging. This is much easier to look at, but
-# assumes that you will use the audit log only ocassionally.
-#
-SecAuditLogType Serial
-SecAuditLog /var/log/modsec_audit.log
-
-# Specify the path for concurrent audit logging.
-#SecAuditLogStorageDir /opt/modsecurity/var/audit/
-
-
-# -- Miscellaneous -----------------------------------------------------------
-
-# Use the most commonly used application/x-www-form-urlencoded parameter
-# separator. There's probably only one application somewhere that uses
-# something else so don't expect to change this value.
-#
-SecArgumentSeparator &
-
-# Settle on version 0 (zero) cookies, as that is what most applications
-# use. Using an incorrect cookie version may open your installation to
-# evasion attacks (against the rules that examine named cookies).
-#
-SecCookieFormat 0
-
-# Specify your Unicode Code Point.
-# This mapping is used by the t:urlDecodeUni transformation function
-# to properly map encoded data to your language. Properly setting
-# these directives helps to reduce false positives and negatives.
-#
-SecUnicodeMapFile unicode.mapping 20127
-
-# Improve the quality of ModSecurity by sharing information about your
-# current ModSecurity version and dependencies versions.
-# The following information will be shared: ModSecurity version,
-# Web Server version, APR version, PCRE version, Lua version, Libxml2
-# version, Anonymous unique id for host.
-SecStatusEngine On
+    SecResponseBodyAccess Off
+    SecDebugLog /var/log/httpd/modsec_debug.log
+    SecDebugLogLevel 0
+    SecAuditEngine RelevantOnly
+    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+    SecAuditLogParts ABIJDEFHZ
+    SecAuditLogType Serial
+    SecAuditLog /var/log/httpd/modsec_audit.log
+    SecArgumentSeparator &
+    SecCookieFormat 0
+    SecTmpDir /var/lib/mod_security
+    SecDataDir /var/lib/mod_security
 
+    # ModSecurity Core Rules Set and Local configuration
+	Include modsecurity.d/*.conf
+	Include modsecurity.d/activated_rules/*.conf
+	Include modsecurity.d/local_rules/*.conf
+    
+</IfModule>

mod_security.spec

@@ -6,8 +6,8 @@
 %global mod_audit_log_collector 0
 
 Name: mod_security
-Version: 2.9.5
-Release: 4
+Version: 2.9.7
+Release: 1
 Summary: Security module for the Apache HTTP Server
 License: ASL 2.0
 URL: http://www.modsecurity.org/
@@ -15,12 +15,13 @@ Source: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/
 Source1: mod_security.conf
 Source2: 10-mod_security.conf
 Source3: modsecurity_localrules.conf
-Patch0000: modsecurity-2.9.5-lua-54.patch
-Patch0001: modsecurity-2.9.5-use-uid-if-user-name-is-not-available.patch
-Patch0002: modsecurity-2.9.5-Properly-cleanup-XML-parser-contexts-upon-completion.patch
+Patch0000: modsecurity-2.9.3-lua-54.patch
+Patch0001: modsecurity-2.9.3-apulibs.patch
+Patch0002: mod_security-2.9.3-remote-rules-timeout.patch
+
 
 Requires: httpd httpd-mmn = %{_httpd_mmn}
-BuildRequires: gcc make perl-generators httpd-devel yajl yajl-devel
+BuildRequires: gcc make perl-generators httpd-devel yajl yajl-devel pcre2-devel
 BuildRequires: pkgconfig(lua) pkgconfig(libcurl) pkgconfig(libxml-2.0) pkgconfig(libpcre)
 BuildRequires: autoconf automake libtool
 
@@ -44,7 +45,13 @@ This package collects mod_security audit log.
 
 %build
 ./autogen.sh
-%configure --with-yajl --with-apxs=%{_httpd_apxs} --enable-pcre-match-limit-recursion=1000000 --enable-pcre-match-limit=1000000
+%configure --enable-pcre-match-limit=1000000 \
+           --enable-pcre-match-limit-recursion=1000000 \
+           --with-apxs=%{_httpd_apxs} \
+           --with-yajl \
+           --with-pcre2 \
+           --disable-static
+
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 make %{_smp_mflags}
@@ -100,6 +107,21 @@ install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
 %endif
 
 %changelog
+* Mon Jul 17 2023 chenchen <chen_aka_jan@163.com> - 2.9.7-1
+- Upgrade to version 2.9.7
+
+* Mon Jan 9 2023 yaoguangzhong <yaoguangzhong@xfusion.com> - 2.9.5-8
+- backport allow no-key, single-value JSON body
+
+* Sat Jan 7 2023 yaoguangzhong <yaoguangzhong@xfusion.com> - 2.9.5-7
+- backport Set SecStatusEngine Off in modsecurity.conf-recommended
+
+* Sat Jan 7 2023 yaoguangzhong <yaoguangzhong@xfusion.com> - 2.9.5-6
+- backport fix memory leak that occurs on JSON parsing error
+
+* Sat Jan 7 2023 yaoguangzhong <yaoguangzhong@xfusion.com> - 2.9.5-5
+- backport Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
+
 * Fri Jan 6 2023 yaoguangzhong <yaoguangzhong@xfusion.com> - 2.9.5-4
 - backport properly cleanup XML parser contexts upon completion
 

modsecurity-2.9.3-apulibs.patch

@@ -0,0 +1,14 @@
+
+Strip redundant APR-util dependent libraries, it is sufficient to link against -laprutil-1.
+
+--- modsecurity-2.9.3/build/find_apu.m4.apulibs
++++ modsecurity-2.9.3/build/find_apu.m4
+@@ -59,7 +59,7 @@
+     APU_CFLAGS="`${APU_CONFIG} --includes`"
+     if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu CFLAGS: $APU_CFLAGS); fi
+     APU_LDFLAGS="`${APU_CONFIG} --ldflags`"
+-    APU_LDFLAGS="$APU_LDFLAGS `${APU_CONFIG} --libs`"
++    APU_LDFLAGS="$APU_LDFLAGS `${APU_CONFIG} --avoid-ldap --avoid-dbm --libs`"
+     if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDFLAGS: $APU_LDFLAGS); fi
+     APU_LDADD="`${APU_CONFIG} --link-libtool`"
+     if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDADD: $APU_LDADD); fi

modsecurity-2.9.3-lua-54.patch

@@ -1,6 +1,6 @@
-diff -ru modsecurity-2.9.5/apache2/msc_lua.c modsecurity-2.9.5-lua-patch/apache2/msc_lua.c
---- modsecurity-2.9.5/apache2/msc_lua.c	2018-12-04 18:49:37.000000000 +0000
-+++ modsecurity-2.9.5-lua-patch/apache2/msc_lua.c	2020-08-08 16:55:14.936045777 +0000
+diff -ru modsecurity-2.9.3/apache2/msc_lua.c modsecurity-2.9.3-lua-patch/apache2/msc_lua.c
+--- modsecurity-2.9.3/apache2/msc_lua.c	2018-12-04 18:49:37.000000000 +0000
++++ modsecurity-2.9.3-lua-patch/apache2/msc_lua.c	2020-08-08 16:55:14.936045777 +0000
 @@ -429,12 +429,12 @@
  #else
  

modsecurity-2.9.5-Properly-cleanup-XML-parser-contexts-upon-completion.patch

@@ -1,36 +0,0 @@
-From 6a5ec1ff7bd5a4a653da417f9a49a50cf5b2429d Mon Sep 17 00:00:00 2001
-From: Vladimir Krivopalov <vlkrivop@microsoft.com>
-Date: Mon, 13 Jan 2020 16:36:09 -0800
-Subject: [PATCH] Properly cleanup XML parser contexts upon completion
-
-It is currently possible that the XML parsing context is not properly
-cleaned up if a parsed XML document is malformed.
-
-This fix makes sure that the context is taken care of.
-
-Signed-off-by: Vladimir Krivopalov <vlkrivop@microsoft.com>
----
- apache2/msc_xml.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/apache2/msc_xml.c b/apache2/msc_xml.c
-index a31decb5..9cc4da65 100644
---- a/apache2/msc_xml.c
-+++ b/apache2/msc_xml.c
-@@ -137,6 +137,13 @@ int xml_complete(modsec_rec *msr, char **error_msg) {
-  * Frees the resources used for XML parsing.
-  */
- apr_status_t xml_cleanup(modsec_rec *msr) {
-+    if (msr->xml->parsing_ctx != NULL) {
-+        if (msr->xml->parsing_ctx->myDoc) {
-+            xmlFreeDoc(msr->xml->parsing_ctx->myDoc);
-+        }
-+        xmlFreeParserCtxt(msr->xml->parsing_ctx);
-+        msr->xml->parsing_ctx = NULL;
-+    }
-     if (msr->xml->doc != NULL) {
-         xmlFreeDoc(msr->xml->doc);
-         msr->xml->doc = NULL;
--- 
-2.27.0
-

modsecurity-2.9.5-use-uid-if-user-name-is-not-available.patch

@@ -1,126 +0,0 @@
-From 46c6cb2759327d94e619454dbe61f1e7639dd607 Mon Sep 17 00:00:00 2001
-From: Armin Abfalterer <armin.abfalterer@united-security-providers.ch>
-Date: Tue, 12 Mar 2019 16:29:43 +0100
-Subject: [PATCH] use uid if user name is not available
-
----
- apache2/msc_logging.c | 10 +++++++---
- apache2/persist_dbm.c | 29 +++++++++++++++++++----------
- 2 files changed, 26 insertions(+), 13 deletions(-)
-
-diff --git a/apache2/msc_logging.c b/apache2/msc_logging.c
-index d50f709e..d1a867c3 100644
---- a/apache2/msc_logging.c
-+++ b/apache2/msc_logging.c
-@@ -234,16 +234,20 @@ static char *construct_auditlog_filename(apr_pool_t *mp, const char *uniqueid) {
-      * This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations 
-      * It also changes the return statement.
-      */
--    char *username;
-+    char *userinfo;
-+    apr_status_t rc;
-     apr_uid_t uid;
-     apr_gid_t gid;
-     apr_uid_current(&uid, &gid, mp);
--    apr_uid_name_get(&username, uid, mp);
-+    rc = apr_uid_name_get(&userinfo, uid, mp);
-+    if (rc != APR_SUCCESS) {
-+      userinfo = apr_psprintf(mp, "%u", uid);
-+    }
- 
-     apr_time_exp_lt(&t, apr_time_now());
- 
-     apr_strftime(tstr, &len, 299, "/%Y%m%d/%Y%m%d-%H%M/%Y%m%d-%H%M%S", &t);
--    return apr_psprintf(mp, "/%s%s-%s", username, tstr, uniqueid);
-+    return apr_psprintf(mp, "/%s%s-%s", userinfo, tstr, uniqueid);
- }
- 
- /**
-diff --git a/apache2/persist_dbm.c b/apache2/persist_dbm.c
-index efbbf6eb..e4f8036f 100644
---- a/apache2/persist_dbm.c
-+++ b/apache2/persist_dbm.c
-@@ -104,11 +104,14 @@ static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec
-     /**
-      * This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations 
-      */
--    char *username;
-+    char *userinfo;
-     apr_uid_t uid;
-     apr_gid_t gid;
-     apr_uid_current(&uid, &gid, msr->mp);
--    apr_uid_name_get(&username, uid, msr->mp);
-+    rc = apr_uid_name_get(&userinfo, uid, msr->mp);
-+    if (rc != APR_SUCCESS) {
-+      userinfo = apr_psprintf(msr->mp, "%u", uid);
-+    }
- 
-     if (msr->txcfg->data_dir == NULL) {
-         msr_log(msr, 1, "collection_retrieve_ex: Unable to retrieve collection (name \"%s\", key \"%s\"). Use "
-@@ -117,7 +120,7 @@ static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec
-         goto cleanup;
-     }
- 
--    dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", col_name, NULL);
-+    dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", col_name, NULL);
- 
-     if (msr->txcfg->debuglog_level >= 9) {
-         msr_log(msr, 9, "collection_retrieve_ex: collection_retrieve_ex: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name),
-@@ -385,11 +388,14 @@ int collection_store(modsec_rec *msr, apr_table_t *col) {
-     /**
-      * This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations 
-      */
--    char *username;
-+    char *userinfo;
-     apr_uid_t uid;
-     apr_gid_t gid;
-     apr_uid_current(&uid, &gid, msr->mp);
--    apr_uid_name_get(&username, uid, msr->mp);
-+    rc = apr_uid_name_get(&userinfo, uid, msr->mp);
-+    if (rc != APR_SUCCESS) {
-+      userinfo = apr_psprintf(msr->mp, "%u", uid);
-+    }
- 
-     var_name = (msc_string *)apr_table_get(col, "__name");
-     if (var_name == NULL) {
-@@ -409,7 +415,7 @@ int collection_store(modsec_rec *msr, apr_table_t *col) {
-     }
- 
-     // ENH: lowercase the var name in the filename
--    dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", var_name->value, NULL);
-+    dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", var_name->value, NULL);
- 
-     if (msr->txcfg->debuglog_level >= 9) {
-         msr_log(msr, 9, "collection_store: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, var_name->value),
-@@ -675,11 +681,14 @@ int collections_remove_stale(modsec_rec *msr, const char *col_name) {
-     /**
-      * This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations 
-      */
--    char *username;
-+    char *userinfo;
-     apr_uid_t uid;
-     apr_gid_t gid;
-     apr_uid_current(&uid, &gid, msr->mp);
--    apr_uid_name_get(&username, uid, msr->mp);
-+    rc = apr_uid_name_get(&userinfo, uid, msr->mp);
-+    if (rc != APR_SUCCESS) {
-+      userinfo = apr_psprintf(msr->mp, "%u", uid);
-+    }
- 
-     if (msr->txcfg->data_dir == NULL) {
-         /* The user has been warned about this problem enough times already by now.
-@@ -690,9 +699,9 @@ int collections_remove_stale(modsec_rec *msr, const char *col_name) {
-     }
- 
-     if(strstr(col_name,"USER") || strstr(col_name,"SESSION") || strstr(col_name, "RESOURCE"))
--        dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", msr->txcfg->webappid, "_", col_name, NULL);
-+        dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", msr->txcfg->webappid, "_", col_name, NULL);
-     else
--        dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", col_name, NULL);
-+        dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", col_name, NULL);
- 
-     if (msr->txcfg->debuglog_level >= 9) {
-         msr_log(msr, 9, "collections_remove_stale: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name),
--- 
-2.27.0
-

modsecurity_localrules.conf

@@ -1,3 +1,5 @@
+# User defined rules and settings .
+#
 # You can use this file/directory to drop your local rules or
 # to remove some rules provided by mod_security_crs package with SecRuleRemoveById
 #