docs: add missing libmodsecurity v3.0.16 requirement to v3.3.10 CHANGES#4693
Merged
Merged
Conversation
Rule 901181 (added in v3.3.10) uses the same ctl:ruleRemoveTargetByTag with an '@'-containing target as v4.25.1's equivalent rule, and v3.3 supports running on nginx/libmodsecurity v3 (see tests/docker-compose.yml). The v3.3.10 CHANGES.md entry only documented the ModSecurity v2 opt-out limitation and was missing this separate, already-fixed parse-time requirement that v4.25.1's CHANGES.md already has.
M4tteoP
approved these changes
Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
what
adds a "requires libmodsecurity v3.0.16 or later" breaking-change bullet to the v3.3.10 entry in
CHANGES.md, alongside the existing ModSecurity v2 opt-out note.why
v3.3.10(#4689, already merged) added rule901181, which usesctl:ruleRemoveTargetByTag=<tag>;XML://@*— the same syntax as v4.25.1's equivalent rule. The@character in that target fails to parse on libmodsecurity v3 versions older than v3.0.16 (owasp-modsecurity/ModSecurity#3589), a parse-time failure distinct from the already-documented ModSecurity v2 runtime limitation.v3.3supports running on nginx/libmodsecurity v3 (seetests/docker-compose.yml'smodsec3-nginxservice), so this requirement applies here just as it does on v4.25.1 — but the v3.3.10CHANGES.mdentry only documented the ModSecurity v2 side. Missed because the two breaking changes address different engines (v2 vs v3) and different failure modes (silent no-op vs. parse failure); v4.25.1'sCHANGES.mdhas both, v3.3.10's was missing this one.refs
ai disclosure
CHANGES.mdagainst v4.25.1's, confirming rule 901181 uses the affectedctlsyntax, drafting this PR descriptionrules/REQUEST-901-INITIALIZATION.confonv3.3/masterpost-merge to confirm thectl:ruleRemoveTargetByTag=...;XML://@*action is present, and checkedtests/docker-compose.ymlto confirm nginx/libmodsecurity v3 is a supported target for this branch