-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Release builds doesn't contain the libs or dlls #3312
Comments
Hi @ElevationsRPG,
That's not as simple. libmodsecurity3 is a library with several optional features, eg. you can choose which storage type you want to use for transaction's data (LMDB, in-memory), which regex engine you want to use (pcre2, old pcre), do you want to use XML or not, want to use JSON or not, etc... With which features should we publish the compiled library/dll?
Sorry, I don't understand this. You can use libmodsecurity3 with Nginx through a connector, then you can use a rule set (eg. CRS). But I don't see the point here, how do you want to use straight the library with CRS... |
Actually it is that simple, You can just compile the libs with ALL default libaries selected that a standard LibModSecurity install would/should use for default behavior. Yes it might be true that you expect people to "plug n play" the libraries that they would prefer to use but that does not mean that LibModSecurity should not have its own standard and default selection of those libaries A LibModSecurity default installation would follow the default libs structure: This should be what the precompiled libs and dlls provide by the default option with all features turned on by default and if they want to disable them they can do so using the modsecurity.conf file or by specifing special #defines in the program. I am currently using LibModSecurity 3 for a custom built web application with the core CRS ruleset which is what i meant earlier it is not using any connectors and is instead directly loading the ruleset into my webapplication as a WAF (Web application firewall) |
No, I still think it's not simple. Eg. you listed YOUR installed versions of libraries, but what if other users have different versions? My other note: personally I don't like to use LMDB, so if I would have an LMDB linked library, there wasn't any chance to disable that. |
It is honestly simple: this isn't about personal preference; this is about having one default standard. How should a DEFAULT INSTALL look? I'm saying to link all of them, and yes, you can still disable the ones you don't intend to use from the config file or by using #defines in the code so that they aren't used. They might be bundled into the libraries and DLLs, but that doesn't mean they are used. Based on your own statement, your issue is regarding their use, not whether they are included(Linked) in the library itself. -My final note Is having all of them linked and a extra 2MB in size really that big of a problem? |
I don't want to mix my personal preference and community acts. I just wrote an example.
The problem is: there is no standard
Default install:
Especially if LMDB is linked to the library then it will use that. There is no option to choice not to use it (I have a plan to solve this issue too).
LMDB was just an example, I'm afraid you totally misunderstood this example.
Once again: there is no such option. For all linked libraries: LMDB (optional), YAJL, XML... If the build system finds any of them, the compilation process will link them and the library will use them. If someone uses this precompiled version, they will have to install all the libraries - with the same version. I hope now you see how painful would be this.
So if I compile the library with PCRE2 version 10.44 and someone grabs it, they have to compile the library used at the system wide (with all the dependent components)?
See above.
No, +2MB is not a problem. Other questions:
Someone says yes for these questions and someone says no. Everyone can decide these if they build for themselves. |
I dont understand this? You are saying precompiled versions they will have to install all the libaries? What? Why would they need all the libaries if its pre-compiled LIB/DLL this makes no sense. They would already be linked to the LibModSecurity3.dll ? No they would not need them installed at all.
You would have /Debug and /Release (Debug would contain symbols)
/Release would contain optimizations and no symbols yes
No only the precompiled libs and dll file LibModSecurity3.dll And finally you would have /MT and /MD options aswell here is how the default libs should look:
Keep in mind i am primarly talking about Windows builds here but you can easily compile the libs for both Windows, Linux and Macos Windows - .lib and .dll files
While adopting a unified standard across all platforms might seem challenging at first, it ultimately simplifies web application development by reducing the complexity of choosing and integrating libraries. ModSecurity is a fantastic WAF with great potential, and I hope to see it continue evolving with regular updates and community feedback. This evolution could involve phasing out outdated or unnecessary libraries and adopting modern, secure alternatives. For instance, ensuring that dependencies like PCRE2, yajl, and libxml2 are robust against potential exploits is crucial for improving security. A focus on modernizing ModSecurity and addressing vulnerabilities can not only enhance resilience but also provide developers with greater confidence in its reliability. Although this transition may initially be difficult, it promises a more streamlined and secure development cycle in the long term. |
Let's focus on the original issue: compiling ModSecurity for 32-bit Windows. I suppose it's an option to publish both 32 and 64-bit artefacts (this is my assumption, which might be incorrect). I can't personally tell how much effort that would be. Assuming such a 32-bit artefact would be built, would that solve your issue @ElevationsRPG? As for the discussion on default features, IMO that's an entirely separate topic (and shouldn't be discussed in this issue). Firstly, we already have a default. Secondly, every default will make someone unhappy. And thirdly, is it really worth changing the default and stalling all other work for that? We're pretty limited in terms of resources and I assume (with only little personal experience) that the work required for changing the default might be considerable (including changes to CI, tests, etc.). |
Yes providing a 32 bit artefacts would satisfy my issue. Assuming you mean the lib and dll files. But its a little confusing first I was told there is no default and now there is, anyway your right that deeper conversation about it should be another topic yes even though they happen to correlate with this topic. |
I would really appreciate if LibModSecurity contained both 32-bit and 64-bit libs and dlls in release builds so that i can get straight to using the library with core owasp crs ruleset.
The text was updated successfully, but these errors were encountered: