The OWASP CRS v4.6.0 is a collection of attack detection rules for ModSecurity and compatible web application firewalls. It aims to protect web applications from a broad range of attacks, including the OWASP Top Ten, while keeping false positives to a minimum. Highlights of this release are the prevention of backslashes in file names, a new rule that catches invalid characters in multipart headers, an update to rule 932270's version, and the addition of pem to the list of restricted file extensions.
OWASP CRS v4.6.0
What's Changed
Important changes
- fix: prevent using backslash in file names by @fzipi in #3799
- feat: add new rule to catch invalid character in multipart headers by @airween, @theseion, @fzipi in #3796
Big thanks to @luelueking for reporting these two to us.
Other Changes
- feat: rule to detect bash tilde expansion by @Xhoenix in #3765
- fix: Update 932270's ver by @airween in #3786
- perf: remove unnecessary chain rule and capture (921180 PL3) by @EsadCetiner in #3787
- fix: add pem to restricted file extensions by @EsadCetiner in #3789
- fix(942160): check REQUEST_FILENAME by @mat1010 in #3782
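As an added illustration of what three of the changes above target (invalid characters in multipart headers, backslashes in file names, and pem as a restricted extension), the following is an editor-written check over a multipart `Content-Disposition` value. It is not CRS rule code; the extension list beyond pem and the definition of "invalid character" (ASCII control characters other than tab) are assumptions made for the example.

```python
import re

# Assumed restricted-extension set: pem is the entry this release adds;
# the remaining entries are constructed for this example, not taken from CRS.
RESTRICTED_EXTENSIONS = {"pem", "key", "conf", "bak"}

# Assumed definition of "invalid character" for a multipart header value:
# any ASCII control character except horizontal tab (includes NUL, CR, LF).
_INVALID_HEADER_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

# Matches filename= or filename*= with either a quoted or a bare value.
_FILENAME_PARAM = re.compile(r'filename\*?\s*=\s*(?:"([^"]*)"|([^;]*))', re.IGNORECASE)


def inspect_content_disposition(header_value: str) -> list[str]:
    """Return findings for one multipart part's Content-Disposition value.

    Each finding models the intent of one CRS 4.6.0 change: an invalid
    character in the header, a backslash in the file name, or a restricted
    file extension such as .pem.
    """
    findings = []
    if _INVALID_HEADER_CHARS.search(header_value):
        findings.append("invalid character in multipart header")

    match = _FILENAME_PARAM.search(header_value)
    if not match:
        return findings  # no filename parameter: only the header check applies
    filename = (match.group(1) if match.group(1) is not None else match.group(2)).strip()

    # Windows clients historically sent full paths; either way a backslash
    # in a file name is what the new check refuses.
    if "\\" in filename:
        findings.append("backslash in file name")

    # Extension is everything after the last dot, compared case-insensitively.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in RESTRICTED_EXTENSIONS:
        findings.append(f"restricted file extension: .{ext}")
    return findings
```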
New Contributors
Full Changelog: v4.5.0...v4.6.0