.gitignore

@@ -1,2 +1 @@
 SOURCES/v3.3.4.tar.gz
-/v3.3.4.tar.gz

.mod_security_crs.metadata

@@ -0,0 +1 @@
+821796a48bbedd1a0d962614ef473625da85feae SOURCES/v3.3.4.tar.gz

SOURCES/mod_security_crs-rule-941310-dont-match-japanese-word.patch

@@ -0,0 +1,16 @@
+--- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf	2020-07-01 18:38:19.000000000 +0200
++++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf	2023-02-16 09:14:52.151838881 +0100
+@@ -543,8 +543,11 @@
+     ctl:auditLogParts=+E,\
+     ver:'OWASP_CRS/3.3.4',\
+     severity:'CRITICAL',\
+-    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
++    chain"
++        SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx [^\xe4]\xbc[^\x9a][^\xbe>]*[^\xe7][^\xa4][\xbe>]|<[^\xbe]*[^\xe7][^\xa4]\xbe" \
++        "t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
++        setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
++        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ 
+ #
+ # https://nedbatchelder.com/blog/200704/xss_with_utf7.html

SPECS/mod_security_crs.spec

@@ -1,7 +1,7 @@
 Summary: ModSecurity Rules
 Name: mod_security_crs
 Version: 3.3.4
-Release: 3%{?dist}.2
+Release: 3%{?dist}
 License: ASL 2.0
 URL: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
 Group: System Environment/Daemons
@@ -50,10 +50,6 @@ done
 %{_datarootdir}/mod_modsecurity_crs
 
 %changelog
-* Wed Feb 19 2025 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-3.2
-- Resolves: RHEL-78711 - A form data, "鹿沼市御成橋"(a name of street/city
-  in Japanese) is forbade by mod_security_crs-3.3.4-3.el8.noarch
-
 * Tue Apr 04 2023 Richard Lescak <rlescak@redhat.com> - 3.3.4-3
 - bump release to enable build
 - Related: rhbz#2040257

gating.yaml

@@ -1,7 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-8
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}

mod_security_crs-rule-941310-dont-match-japanese-word.patch

@@ -1,69 +0,0 @@
-diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
-index a48980c..e675687 100644
---- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
-+++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
-@@ -524,12 +524,46 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
- # US-ASCII encoding bypass listed on XSS filter evasion
- # Reported by Mazin Ahmed
- #
-+# This evasion covered by this chain of rules is specific to webservers that deliver content in US-ASCII.
-+# Only Apache Tomcat is known (according to the page linked above) to be vulnerable to this and probably has to be
-+# misconfigured for this to happen.
-+#
-+# Since US-ASCII is a seven bit encoding, bit 8 is ignored. Consider the following ISO 8859-1 sequence:
-+#
-+# ¼script¾alert(¢XSS¢)¼/script¾
-+#
-+# A filter looking for tags will usually not match against this sequence because there are no angle brackets (< / >). However,
-+# the characters where the brackets would be are ISO 8859-1 characters:
-+# - ¼: 0x00BC
-+# - ¾: 0x00BE
-+# - ¢: 0x00A2
-+#
-+# And this is how the sequence looks in in US-ASCII:
-+#
-+# <script>alert("XSSB")</script/>
-+#
-+# This enables an attacker to craft a string that will be delivered in a form that a browser will execute as script
-+# while being ignored by input filters.
-+#
-+# This rule looks for start tag sequene that looks like "<...>" (checks fo hex and plain to be sure).
-+# Because the bytes matched occur in many different languages encoded as multibyte characters (e.g. UTF-8)
-+# (e.g. German umlauts, Russion characters) this isn't very helpful and can cause many false positives. We, therefore,
-+# use a chained rule to also look fora an end tag sequence that looks like "</...>". Only if the chained rule matches will
-+# the request be blocked.
-+#
-+# This is of course still not perfect but should at least make it harder to hide most tags using this technique while
-+# requiring very specifig patterns in a language to match, which should get rid of most false positives.
-+# These rules would, for example, not guard against an element without an end tag, e.g. "<img... />".
-+#
-+# US-ASCII on Wikipedia: https://en.wikipedia.org/wiki/ASCII
-+# ISO 8859-1 on Wikipedia: https://en.wikipedia.org/wiki/ISO/IEC_8859-1
- 
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe" \
-     "id:941310,\
-     phase:2,\
-     block,\
-     capture,\
-+    chain,\
-     t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
-     msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected',\
-     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
-@@ -540,11 +574,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
-     tag:'paranoia-level/1',\
-     tag:'OWASP_CRS',\
-     tag:'capec/1000/152/242',\
--    ctl:auditLogParts=+E,\
-     ver:'OWASP_CRS/3.3.4',\
--    severity:'CRITICAL',\
--    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
--    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-+    severity:'CRITICAL'"
-+    SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\xbc\s*/\s*[^\xbe>]*[\xbe>])|(?:<\s*/\s*[^\xbe]*\xbe)" \
-+        "t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
-+        ctl:auditLogParts=+E,\
-+        setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
- 
- #
- # https://nedbatchelder.com/blog/200704/xss_with_utf7.html

sources

@@ -1 +0,0 @@
-SHA512 (v3.3.4.tar.gz) = a8b8b210054a9a4e3f8e45a5a9428110bb4075e40430e3fc16f4717e363af141265b1fb5c173ff96abeff0ac61ef5eef667a4b9cb703f8edc15e48deb3342827