v3.0.4

New features

• SecRuleUpdateTargetById now supports regular expressions
  [Issue #1872 - @zimmerle, @anush-cr, @victorhora, @j0k2r]
• Adds a new operator verifySVNR that checks for Austrian social
  security numbers.
  [Issue #2063 - @Rufus125]
• Allow 0 length JSON requests.
  [Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
• Adds support to multiple ranges in ctl:ruleRemoveById
  [Issue #1956 - @theseion, @victorhora, @zimmerle]

Bug fixes

• Fix: audit log data omitted when nolog,auditlog
  [@martinhsv]
• Adds missing check for runtime ctl:ruleRemoveByTag
  [Issue #2102, #2099 - @airween]
• Fix: ModSecurity 3.x inspectFile operator does not pass FILES_TMPNAMES parameter to lua engine
  [Issue #2204, #2205 - @kadirerdogan]
• XML: Remove error messages from stderr
  [Issue #2010 - @JaiHarpalani, @zimmerle]
• Filter comment or blank line for pmFromFile operator
  [Issue #1645 - @LeeShan87, @victorhora, @tdoubley]
• Additional adjustment to Cookie header parsing
  [@martinhsv]
• Restore chained rule part H logging to be more like 2.9 behavior
  [Issue #2196 - @martinhsv]
• Small fixes in log messages to help debugging the file upload
  [Issue #2130 - @airween]
• Fix Cookie header parsing issues
  [Issue #2201 - @airween, @martinhsv]
• Fix rules with nolog are logging to part H
  [Issue #2196 - @martinhsv]
• Fix argument key-value pair parsing cases
  [Issue #1904 - @martinhsv]
• Fix: audit log part for response body for JSON format to be E
  [Issue #2066 - @martinhsv, @zimmerle]
• Make sure m_rulesMessages is filled after successful match
  [Issue #2000, #2048 - @victorhora, @defanator]
• Fix @pm lookup for possible matches on offset zero.
  [@zimmerle, @afoxdavidi, @martinhsv, @marshal09]
• Regex lookup on the key name instead of COLLECTION:key
  [@rdiperri-yottaa, @danbiagini-work, @mmelo-yottaa, @zimmerle]
• Missing throw in Operator::instantiate
  [Issue #2106 - @marduone]
• Making block action execution dependent on the SecEngine status
  [Issue #2113, #2111 - @theMiddleBlue, @airween]
• Making block action execution dependent of the SecEngine status
  [Issue #1960 - @theMiddleBlue, @zimmerle, @airween, @victorhora]
• Having body limits to respect the rule engine state
  [@zimmerle]
• Fix variables output in debug logs
  [Issue #2057 - @jleproust]
• Correct typo validade in log output
  [Issue #2059 - @nerrehmit]
• fix/minor: Error encoding hexa decimal.
  [Issue #2068 - @tech-ozon-io]
• Limit more log variables to 200 characters.
  [Issue #2073 - @jleproust]
• parser: fix parsed file names
  [@zimmerle]
• Allow empty anchored variable
  [Issue #2024 - @airween]
• Fixed FILES_NAMES collection after the end of multipart parsing
  [Issue #2016 - @airween]
• Fixed validateByteRange parsing method
  [Issue #2017 - @airween]
• Removes a memory leak on the JSON parser
  [@zimmerle]
• Enables LMDB on the regression tests.
  [Issue #2011, #2008 - @WGH-, @mdunc]
• Fix: Extra whitespace in some configuration directives causing error
  [Issue #2006 - @porjo, @zimmerle]
• Refactoring on Regex and SMatch classes.
  [@WGH-]
• Fixed buffer overflow in Utils::Md5::hexdigest()
  [Issue #2002 - @defanator]
• Implemented merge() method for ConfigInt, ConfigDouble, ConfigString
  [Issue #1990 - @defanator]
• Adds initially support the drop action.
  [@zimmerle]
• Complete merging of particular rule properties
  [Issue #1978 - @defanator]
• Replaces AC_CHECK_FILE with 'test -f'
  [Issue #1984 - @chuckwolber]
• Fix inet addr handling on 64 bit big-endian systems
  [Issue #1980 - @airween]
• Fix tests on FreeBSD
  [Issue #1973 - @defanator]
• Changes ENV test case to read the default MODSECURTIY env var
  [Issue #1969 - @zimmerle, @airween, @inittab]
• Regression: Sets MODSECURITY env var during the tests execution
  [Issue #1969 - @zimmerle, @airween, @inittab]
• Fix setenv action to strdup key=variable
  [@zimmerle]
• Fix "make dist" target to include default configuration
  [Issue #1966 - @defanator]
• Replaced log locking using mutex with fcntl lock
  [Issue #1949, #1927 - @Cloaked9000]
• Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES
  [Issue #1959 - @weliu]
• Rule variable interpolation broken
  [Issue #1961 - @soonum, @zimmerle]
• Make the boundary check less strict as per RFC2046
  [Issue #1943 - @victorhora, @allanbomsft]
• Fix buffer size for utf8toUnicode transformation
  [Issue #1208 - @katef, @victorhora]

Security issue

• Cookie parser problems
  [@airween, @theMiddleBlue, @martinhsv]