mod_security/SOURCES/mod_security-2.9.6-CVE-2025-48866.patch

From 614c6e18a734bd31a483abc2fa2faf217dcb81c3 Mon Sep 17 00:00:00 2001
From: Ervin Hegedus <airween@gmail.com>
Date: Sat, 24 May 2025 12:04:39 +0200
Subject: [PATCH] fix: add ARGS to sanitize list only if it's not added yet in
 case of sanitizeArg

---
 apache2/re_actions.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apache2/re_actions.c b/apache2/re_actions.c
index 4a922d27f..febc4759e 100644
--- a/apache2/re_actions.c
+++ b/apache2/re_actions.c
@@ -1455,8 +1455,9 @@ static apr_status_t msre_action_sanitizeArg_execute(modsec_rec *msr, apr_pool_t
     for (i = 0; i < tarr->nelts; i++) {
         msc_arg *arg = (msc_arg *)telts[i].val;
 
-        if (strcasecmp(sargname, arg->name) == 0) {
+        if (arg->marked_for_sanitization == 0 && strcasecmp(sargname, arg->name) == 0) {
             apr_table_addn(msr->arguments_to_sanitize, arg->name, (void *)arg);
+            arg->marked_for_sanitization = 1;
         }
     }