docs: remove inapplicable libmodsecurity v3.0.16 breaking-change note#4690
Merged
Conversation
main ships XML attribute inspection (XML://@*) unconditionally, with no ctl:ruleRemoveTargetByTag/ById opt-out gate and no '@' character in any ctl:ruleRemoveTarget* target anywhere in the ruleset. The libmodsecurity 3.0.16 requirement from owasp-modsecurity/ModSecurity#3589 (lexer rejecting '@' in ctl:ruleRemoveTarget* actions) only applies to the LTS branches, which implement this feature behind a runtime opt-in/opt-out gate using that exact ctl syntax. main has no such gate, so the note doesn't reflect what actually shipped.
theseion
approved these changes
Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
what
removes the "Breaking Change" note under v4.28.0 in
CHANGES.mdstating this release requires libmodsecurity3 v3.0.16 because of owasp-modsecurity/ModSecurity#3589.why
that requirement doesn't apply to
main. It was carried over from the LTS release notes (lts/v4.25.x/v3.3/master), where the XML attribute inspection feature is implemented behind a runtime opt-in/opt-out gate usingctl:ruleRemoveTargetByTag=<tag>;XML://@*— the exact syntax that ModSecurity#3589 fixes a lexer rejection for.mainships theXML://@*addition unconditionally instead: there is notx.crs_xml_attr_inspectvariable, no gate rule, and noctl:ruleRemoveTarget*action anywhere in the ruleset that contains an@character in its target. Verified with:Since nothing in
main's current ruleset exercises the fixed code path, the version requirement doesn't reflect what actually shipped and would incorrectly tell operators they need to upgrade ModSecurity for no reason.refs
ai disclosure
main's XML attribute inspection implementation against the LTS branches, verifying noctl:ruleRemoveTarget*action with an@-containing target exists anywhere inmain's rules, drafting this PR descriptionrules/directory andcrs-setup.conf.examplefor any reference tocrs_xml_attr_inspect,ctl:ruleRemoveTarget*with@, or the PR/issue numbers involved, confirming none exist onmain