🚩 Modified the working modes STD and DYNAMIC.

ADD-SP · Jun 25, 2021 · 1ec0b38 · 1ec0b38
1 parent 803b154
commit 1ec0b38
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 6 deletions.
diff --git a/docs/advance/changes.md b/docs/advance/changes.md
@@ -17,6 +17,14 @@ lang: en
 
 ***
 
+## [5.5.0] - 2021-06-25 UTC+0800
+
+### Changed
+
+* Because of high false positives, [libinjection](https://github.com/libinjection/libinjection)-based XSS attack detection has been disabled in working modes `STD` and `DYNAMIC`.
+
+***
+
 ## [5.4.2] - 2021-06-15 UTC+0800
 
 ### Fixed

diff --git a/docs/advance/directive.md b/docs/advance/directive.md
@@ -59,9 +59,9 @@ Specify the working mode of the firewall, specifying at least one mode and up to
 * COMPAT: compatibility mode, used to enable compatibility options with other modules or environments, currently used for compatibility with the ngx_http_rewrite_module, see [compatibility statement](/guide/compatibility.md).
 * STRICT: Strict mode, which sacrifices some performance for more checks, currently only works when `COMPAT` mode is enabled, and performs a full round of inspections before and after the ngx_http_rewrite_module takes effect.
 * CACHE: Enable caching. Enabling this mode will cache the result of the inspection, so that the next time the same target is inspected, there is no need to repeat the inspection. However, the results of the POST body inspection are not cached. For example, if a URL is not in the blacklist after inspection, the next time the same URL is inspected, the cache can be read directly. When you enable this mode, you must set [waf_cache](#waf-cache).
-* STD: Standard working mode, equivalent to `HEAD GET POST IP URL RBODY ARGS UA CC COMPAT CACHE LIB-INJECTION`.
+* STD: Standard working mode, equivalent to `HEAD GET POST IP URL RBODY ARGS UA CC COMPAT CACHE LIB-INJECTION-SQLI`.
 * STATIC: working mode for static sites, equivalent to `HEAD GET IP URL UA CC CACHE`.
-* DYNAMIC: working mode for dynamic sites, equivalent to `HEAD GET POST IP URL ARGS UA RBODY COOKIE CC COMPAT CACHE LIB-INJECTION`.
+* DYNAMIC: working mode for dynamic sites, equivalent to `HEAD GET POST IP URL ARGS UA RBODY COOKIE CC COMPAT CACHE LIB-INJECTION-SQLI`.
 * FULL: Enable all modes.
 
 You can turn off a mode by prefixing a `mode_type` with `! ` prefix to a `mode_type` to turn it off. 

diff --git a/docs/zh-cn/advance/changes.md b/docs/zh-cn/advance/changes.md
@@ -17,6 +17,14 @@ lang: zh-CN
 
 ***
 
+## [5.5.0] - 2021-06-25 UTC+0800
+
+### 变动
+
+* 在工作模式 `STD` 和 `DYNAMIC` 中禁用了基于 `libinjection` 的 XSS 攻击检测，因为有用户反映误报比较高。
+
+***
+
 ## [5.4.2] - 2021-06-15 UTC+0800
 
 ### 修复

diff --git a/docs/zh-cn/advance/directive.md b/docs/zh-cn/advance/directive.md
@@ -59,9 +59,9 @@ lang: zh-CN
 * COMPAT：兼容模式，用来启用一些兼容性选项去兼容其它的模块或者环境，目前用于兼容 ngx_http_rewrite_module，详见[兼容性说明](/zh-cn/guide/compatibility.md)。
 * STRICT：严格模式，牺牲一些性能进行更多的检查，目前仅在启用了 `COMPAT` 模式时生效，在 ngx_http_rewrite_module 生效前和生效后都进行一轮完整的检查。
 * CACHE：启用缓存。启用此模式后会缓存检查的结果，下次检查相同的目标时就不需要重复检查了。不过不会缓存 POST 体的检查结果。比如一个 URL 经过检查后并没有在黑名单中，那么下次检查相同的 URL 时就无需再次检查 URL 黑名单了。当你启用了此模式，你必须设置 [waf_cache](#waf-cache)。
-* STD：标准工作模式，等价于 `HEAD GET POST IP URL RBODY ARGS UA CC COMPAT CACHE LIB-INJECTION`。
+* STD：标准工作模式，等价于 `HEAD GET POST IP URL RBODY ARGS UA CC COMPAT CACHE LIB-INJECTION-SQLI`。
 * STATIC：适用于静态站点的工作模式，等价于 `HEAD GET IP URL UA CC CACHE`。
-* DYNAMIC：适用于动态站点的工作模式，等价于 `HEAD GET POST IP URL ARGS UA RBODY COOKIE CC COMPAT CACHE LIB-INJECTION`。
+* DYNAMIC：适用于动态站点的工作模式，等价于 `HEAD GET POST IP URL ARGS UA RBODY COOKIE CC COMPAT CACHE LIB-INJECTION-SQLI`。
 * FULL: 启用所有的模式。
 
 您可以通过在某个 `mode_type` 前增加 `!` 前缀来关闭该模式，下面是一个例子。

diff --git a/inc/ngx_http_waf_module_macro.h b/inc/ngx_http_waf_module_macro.h
@@ -276,7 +276,7 @@
                                                 | NGX_HTTP_WAF_MODE_INSPECT_CC           \
                                                 | NGX_HTTP_WAF_MODE_EXTRA_COMPAT         \
                                                 | NGX_HTTP_WAF_MODE_EXTRA_CACHE          \
-                                                | NGX_HTTP_WAF_MODE_LIB_INJECTION)
+                                                | NGX_HTTP_WAF_MODE_LIB_INJECTION_SQLI)
 /**
  * @def MODE_STATIC
  * @brief 适用于静态站点的工作模式
@@ -305,7 +305,7 @@
                                                 | NGX_HTTP_WAF_MODE_INSPECT_CC           \
                                                 | NGX_HTTP_WAF_MODE_EXTRA_COMPAT         \
                                                 | NGX_HTTP_WAF_MODE_EXTRA_CACHE          \
-                                                | NGX_HTTP_WAF_MODE_LIB_INJECTION)
+                                                | NGX_HTTP_WAF_MODE_LIB_INJECTION_SQLI)
 
 
 /**