This is the Agenda for the Monthly CRS Chat.

The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, May 4, at 20:30 CET.

Items on the Agenda:

Previous Meetings decisions: here

PRs

• #1707 New ldap injection rule 921200 (fixes issue #276)
• #1708 Perf issue with regexes that start with repeating digits
• #1710 Add word boundaries around values in SQL tautologies (942130) - reviewed, approved by @franbuehler. Ready to be merged.
• #1734 Fix content type whitelist (feedback @franbuehler: rule only on test system, @lifeforms?)
• #1735 Fix link for 941310
• #1738 WordPress: exclude additional URL fields in profile editor
• #1739 XenForo: update exclusions
• #1740 Make Content-Type case insensitive (on hold until #1748 is merged)
• #1742 Suppress rule 200002 when editing contacts in Nextcloud
• #1743 Allow REPORT requests without Content-Type header in Nextcloud
• #1744 Update README.md
• #1745 Changed variable to lowercase (fixed #1741)
• #1746 Fix 921120 FP (resolves issue #1615)
• #1748 Content-Type var fix ModSec v2 v3 900220 soap xml
• #1750 Added 'ver' action with current version to all necessary rules (fix for #650)

PRs on hold

• #1602 932200: PL1 RCE bypass uninitialized variable (DRAFT) (Has been in need of action for a long time)
• #1616 Revert #578 (Needs action)
• #1663 RE2 compatibility for 920120 (no feedback from CDN unfortunately)
• #1667 Remove /util/docker folder from v3.3/dev branch (now in dedicated repo) (In progress)
• #1674 Extend sql having in rule 942230 (no feedback from CDN unfortunately)
• #1690 Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf (Needs action)

Other items

• GitHub migration scheduled for March 18 had to be cancelled / postponed. TW and CRS do not agree on the procedure. Migration team: @dune73, @lifeforms and @fzipi.
  A full test was performed today, you will see that every issue has a mention from the friendly CRS-migration-bot. You can see the results in https://github.com/crstest01/owasp-modsecurity-crs. There is also a plan to perform the migration, we only need to set the date with Trustwave.

Feel free to add items as you see fit either above, or below as comments.

Open Issues

In January 2020, we decided to look into 10 issues at the chat every month. But only after the Other items. Pick the issues before the meeting and list them below.

• Issue slot 1: #1666
• Issue slot 2: #1711
• Issue slot 3: #1726
• Issue slot 4: #1727
• Issue slot 5: #1736
• Issue slot 6: #1737
• Issue slot 7: #1751

If you are not yet on the OWASP Slack, here is your invite: https://join.slack.com/t/owasp/shared_invite/enQtNjExMTc3MTg0MzU4LWQ2Nzg3NGJiZGQ2MjRmNzkzN2Q4YzU1MWYyZTdjYjA2ZTA5M2RkNzE2ZjdkNzI5ZThhOWY5MjljYWZmYmY4ZjM .
Everybody is welcome to join our community chat.

Decisions

PRs

• #1707 merge
• #1708 @airween und Mirko will work on this PR and see it or a new PR getting merged during May
• #1710 merge
• #1734 merge
• #1735 merge
• #1738 merge
• #1739 merge
• #1740 stalled until #1748 is merged. Then @franbuehler needs somebody to talk this through.
• #1742 merge
• #1743 merge
• #1744 Assigning @franbuehler to review and investigat the use of ENV variables
• #1745 merge
• #1746 review by @fzipi
• #1748 merge and make sure we note the config change in the release notes (-> issue: #1752)
• #1750 merge

Other Items

• Repo migration is now planned (but not confirmed by TW) for Wednesday May 13.
• The migration will happen with a helper script and a migration bot programmed by @fzipi. This will copy all issues via the API and make sure the IDs remain the same! A test migration went smooth and @nerrehmit will now check the result carefully (-> https://github.com/fzipi/crs-migration)
• We are seeing less active developers in the project. This is probably natural turnover, but it is painful for the project. We will schedule a talk about this at the next meeting.

Issues

• #1751 -> @dune73
• #1736 -> @fzipi
• #1737 -> @lifeforms
• #1666 -> @franbuehler
• #1727 -> @mirkodziadzka-avi
• #1726 -> @fzipi
• #1711 -> @franbuehler