Skip to content

docs: remove inapplicable libmodsecurity v3.0.16 breaking-change note#4690

Merged
fzipi merged 1 commit into
mainfrom
fix/changes-md-breaking-change-note
Jul 2, 2026
Merged

docs: remove inapplicable libmodsecurity v3.0.16 breaking-change note#4690
fzipi merged 1 commit into
mainfrom
fix/changes-md-breaking-change-note

Conversation

@fzipi

@fzipi fzipi commented Jul 1, 2026

Copy link
Copy Markdown
Member

what

removes the "Breaking Change" note under v4.28.0 in CHANGES.md stating this release requires libmodsecurity3 v3.0.16 because of owasp-modsecurity/ModSecurity#3589.

why

that requirement doesn't apply to main. It was carried over from the LTS release notes (lts/v4.25.x / v3.3/master), where the XML attribute inspection feature is implemented behind a runtime opt-in/opt-out gate using ctl:ruleRemoveTargetByTag=<tag>;XML://@* — the exact syntax that ModSecurity#3589 fixes a lexer rejection for.

main ships the XML://@* addition unconditionally instead: there is no tx.crs_xml_attr_inspect variable, no gate rule, and no ctl:ruleRemoveTarget* action anywhere in the ruleset that contains an @ character in its target. Verified with:

grep -rn "ctl:ruleRemoveTarget" rules/ | grep "@"   # no matches
grep -rn "crs_xml_attr_inspect" rules/ crs-setup.conf.example   # no matches

Since nothing in main's current ruleset exercises the fixed code path, the version requirement doesn't reflect what actually shipped and would incorrectly tell operators they need to upgrade ModSecurity for no reason.

refs

ai disclosure

  • tools used: Claude (Sonnet 5)
  • assisted with: comparing main's XML attribute inspection implementation against the LTS branches, verifying no ctl:ruleRemoveTarget* action with an @-containing target exists anywhere in main's rules, drafting this PR description
  • review performed: grepped the full rules/ directory and crs-setup.conf.example for any reference to crs_xml_attr_inspect, ctl:ruleRemoveTarget* with @, or the PR/issue numbers involved, confirming none exist on main

main ships XML attribute inspection (XML://@*) unconditionally, with no
ctl:ruleRemoveTargetByTag/ById opt-out gate and no '@' character in any
ctl:ruleRemoveTarget* target anywhere in the ruleset. The libmodsecurity
3.0.16 requirement from owasp-modsecurity/ModSecurity#3589 (lexer
rejecting '@' in ctl:ruleRemoveTarget* actions) only applies to the LTS
branches, which implement this feature behind a runtime opt-in/opt-out
gate using that exact ctl syntax. main has no such gate, so the note
doesn't reflect what actually shipped.
@fzipi fzipi added this pull request to the merge queue Jul 2, 2026
Merged via the queue into main with commit 55b09f5 Jul 2, 2026
3 of 4 checks passed
@fzipi fzipi deleted the fix/changes-md-breaking-change-note branch July 2, 2026 08:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants