Updates CRS to 0a1ced3993d4fea76a14ad6350cc2737c1bb08e6

rules/@crs-setup.conf.example

@@ -407,6 +407,25 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    setvar:tx.early_blocking=1"
 
 
+#
+# -- [[ Initialize Default Collections ]] -----------------------------------
+#
+# CRS provides a centralized option to initialize and populate collections
+# meant to be used by plugins (E.g.DoS protection plugin).
+# By default, Global and IP collections (see rule 901320),
+# being not used by core rules, are not initialized.
+#
+# Uncomment this rule to change the default:
+#
+#SecAction \
+#    "id:900130,\
+#    phase:1,\
+#    pass,\
+#    t:none,\
+#    nolog,\
+#    setvar:tx.enable_default_collections=1"
+
+
 #
 # -- [[ HTTP Policy Settings ]] ------------------------------------------------
 #
@@ -459,7 +478,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    nolog,\
 #    ctl:ruleRemoveById=920420,\
 #    chain"
-#    SecRule REQUEST_URI "@rx ^/foo/bar" "t:none"
+#    SecRule REQUEST_URI "@rx ^/foo/bar" \
+#        "t:none"
 #
 # Uncomment this rule to change the default.
 #
@@ -472,8 +492,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
 
 # Allowed HTTP versions.
-# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
-# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
+# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0
+# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0
 # Note that some web server versions use 'HTTP/2', some 'HTTP/2.0', so
 # we include both version strings by default.
 # Uncomment this rule to change the default.
@@ -483,7 +503,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    pass,\
 #    t:none,\
 #    nolog,\
-#    setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
+#    setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
 
 # Forbidden file extensions.
 # Guards against unintended exposure of development/configuration files.
@@ -507,26 +527,39 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    nolog,\
 #    setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
 
-# Forbidden request headers.
-# Header names should be lowercase, enclosed by /slashes/ as delimiters.
-# Default: /accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/
+# Restricted request headers.
+# The HTTP request headers that CRS restricts are split into two categories:
+# basic (always forbidden) and extended (may be forbidden). All header names
+# should be lowercase and enclosed by /slashes/ as delimiters.
+#
+# [ Basic ]
+# Includes deprecated headers and headers with known security risks. Always
+# forbidden.
+# Default: /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/
+#
+# /content-encoding/
+#   Used to list any encodings that have been applied to the original payload.
+#   Only used for compression, which isn't supported by CRS by default since CRS
+#   blocks newlines and null bytes inside the request body. Most compression
+#   algorithms require at least null bytes per RFC. Blocking Content-Encoding
+#   shouldn't break anything and increases security since WAF engines, including
+#   ModSecurity, are typically incapable of properly scanning compressed request
+#   bodies.
 #
-# Note: Accept-Charset is a deprecated header that should not be used by clients and
-# ignored by servers. It can be used for a response WAF bypass, by asking for a charset
-# that the WAF cannot decode.
-# Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Charset
+# /proxy/
+#   Blocking this prevents the 'httpoxy' vulnerability: https://httpoxy.org
 #
-# Note: Content-Encoding is used to list any encodings that have been applied to the
-# original payload. It is only used for compression, which isn't supported by CRS by
-# default since it blocks newlines and null bytes inside the request body. Most
-# compression algorithms require at least null bytes per RFC. Blocking it shouldn't
-# break anything and increases security since ModSecurity is incapable of properly
-# scanning compressed request bodies.
+# /lock-token/
 #
-# Note: Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
+# /content-range/
 #
-# Note: Blocking the x-http-method-override,x-http-method and x-method-override headers
-# prevents attacks as described here: https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it
+# /if/
+#
+# /x-http-method-override/
+# /x-http-method/
+# /x-method-override/
+#   Blocking these headers prevents method override attacks, as described here:
+#   https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it
 #
 # Uncomment this rule to change the default.
 #SecAction \
@@ -535,7 +568,31 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    pass,\
 #    t:none,\
 #    nolog,\
-#    setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
+#    setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
+#
+# [ Extended ]
+# Includes deprecated headers that are still in use (so false positives are
+# possible) and headers with possible security risks. Forbidden at a higher
+# paranoia level.
+# Default: /accept-charset/
+#
+# /accept-charset/
+#   Deprecated header that should not be used by clients and should be ignored
+#   by servers. Can be used for a response WAF bypass by asking for a charset
+#   that the WAF cannot decode. Considered to be a good indicator of suspicious
+#   behavior but produces too many false positives to be forbidden by default.
+#   References:
+#   https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Charset
+#   https://github.com/coreruleset/coreruleset/issues/3140
+#
+# Uncomment this rule to change the default.
+#SecAction \
+#    "id:900255,\
+#    phase:1,\
+#    pass,\
+#    t:none,\
+#    nolog,\
+#    setvar:'tx.restricted_headers_extended=/accept-charset/'"
 
 # Content-Types charsets that a client is allowed to send in a request.
 # The content-types are enclosed by |pipes| as delimiters to guarantee exact matches.