Macro expansion on msg and logdata does not work for DURATION #1725
Description
This affects libModSecurity 3.0.0.
Example Rule
SecRule DURATION "@unconditionalMatch" "phase:2,id:10001,log,auditlog,pass,msg:'%{REQUEST_URI}; %{MATCHED_VAR}; %{DURATION};',logdata:'%{REQUEST_URI}; %{MATCHED_VAR}; %{DURATION};'"
libModSecurity 3.0.0 on NGINX:
2018/03/27 13:13:42 [info] 26840#26840: *3 ModSecurity: Warning. Matched "Operator `UnconditionalMatch' with parameter `' against variable `DURATION' (Value: `0.002141' ) [file "conf/modsecurity.conf"] [line "56"] [id "10001"] [rev ""] [msg "/index.html; 0.002141; ;"] [data "/index.html; 0.002141; ;"] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/index.html"] [unique_id "152214922282.302214"] [ref ""] while sending response to client, client: 127.0.0.1, server: localhost, request: "GET /index.html HTTP/1.1", host: "localhost"
ModSecurity 2.9.2 on Apache:
[2018-03-27 13:18:50.200754] [-:error] 127.0.0.1:45910 Wroomsg7lNvUrwUHJxmbbQAAAAA [client 127.0.0.1] ModSecurity: Warning. Unconditional match in SecAction. [file "/apache/conf/httpd.conf_pod_2018-03-27_11:09"] [line "142"] [id "10001"] [msg "/index.html; 232; 269;"] [data "/index.html; 232; 280;"] [hostname "localhost"] [uri "/index.html"] [unique_id "Wroomsg7lNvUrwUHJxmbbQAAAAA"]
Apparently, there is a DURATION variable, but it does not work with macro expansion within msg and logdata.
Also, the reference handbook specifies the DURATION variable to be microseconds, but the implementation is now a floating point fraction of seconds with 6 digits after the dot.