owasp-modsecurity · mikelolasagasti · May 15, 2026 · May 15, 2026 · May 15, 2026 · May 15, 2026
diff --git a/headers/modsecurity/anchored_set_variable_translation_proxy.h b/headers/modsecurity/anchored_set_variable_translation_proxy.h
@@ -43,7 +43,8 @@ class AnchoredSetVariableTranslationProxy {
         m_fount(fount)
     {
         m_translate = [](const std::string *name, std::vector<const VariableValue *> *l) {
-            for (int i = 0; i < l->size(); ++i) {
+            for (std::vector<const VariableValue *>::size_type i = 0;
+                i < l->size(); ++i) {
                 VariableValue *newVariableValue = new VariableValue(name, &l->at(i)->getKey(), &l->at(i)->getKey());
                 const VariableValue *oldVariableValue = l->at(i);
                 l->at(i) = newVariableValue;

diff --git a/headers/modsecurity/intervention.h b/headers/modsecurity/intervention.h
@@ -30,33 +30,33 @@ typedef struct ModSecurityIntervention_t {
 
 #ifdef __cplusplus
 namespace intervention {
-    static void reset(ModSecurityIntervention_t *i) {
+    inline void reset(ModSecurityIntervention_t *i) {
         i->status = 200;
         i->pause = 0;
         i->disruptive = 0;
     }
 
-    static void clean(ModSecurityIntervention_t *i) {
+    inline void clean(ModSecurityIntervention_t *i) {
         i->url = NULL;
         i->log = NULL;
         reset(i);
     }
 
-    static void freeUrl(ModSecurityIntervention_t *i) {
+    inline void freeUrl(ModSecurityIntervention_t *i) {
         if (i->url) {
             free(i->url);
             i->url = NULL;
         }
     }
 
-    static void freeLog(ModSecurityIntervention_t *i) {
+    inline void freeLog(ModSecurityIntervention_t *i) {
         if (i->log) {
             free(i->log);
             i->log = NULL;
         }
     }
 
-    static void free(ModSecurityIntervention_t *i) {
+    inline void free(ModSecurityIntervention_t *i) {
         freeUrl(i);
         freeLog(i);
     }

diff --git a/src/actions/init_col.cc b/src/actions/init_col.cc
@@ -28,7 +28,7 @@ namespace actions {
 
 
 bool InitCol::init(std::string *error) {
-    int posEquals = m_parser_payload.find("=");
+    const std::string::size_type posEquals = m_parser_payload.find("=");
 
     if (m_parser_payload.size() < 2) {
         error->assign("Something wrong with initcol format: too small");

diff --git a/src/actions/transformations/compress_whitespace.cc b/src/actions/transformations/compress_whitespace.cc
@@ -38,8 +38,9 @@
         }
     }
 
-    const auto new_len = d - value.c_str();
-    const auto changed = new_len != value.length();
+    const std::string::size_type new_len = static_cast<std::string::size_type>(
+        d - value.data());
+    const bool changed = new_len != value.length();
     value.resize(new_len);
     return changed;
 }

diff --git a/src/actions/transformations/html_entity_decode.cc b/src/actions/transformations/html_entity_decode.cc
@@ -154,7 +154,7 @@ static inline bool inplace(std::string &value) {
 
 HTML_ENT_OUT:
 
-        for (auto z = 0; z < copy; z++) {
+        for (std::string::size_type z = 0; z < copy; z++) {
             *d++ = input[i++];
         }
     }

diff --git a/src/actions/transformations/utf8_to_unicode.cc b/src/actions/transformations/utf8_to_unicode.cc
@@ -76,13 +76,13 @@ static inline bool encode(std::string &value) {
                 unicode_len = 2;
                 count += 6;
                 if (count <= len) {
-                    int length = 0;
+                    size_t length = 0;
                     /* compute character number */
                     d = ((c & 0x1F) << 6) | (*(utf + 1) & 0x3F);
                     *data++ = '%';
                     *data++ = 'u';
                     snprintf(reinterpret_cast<char *>(unicode),
-                             sizeof(reinterpret_cast<char *>(unicode)),
+                             sizeof(unicode),
                              "%x", d);
                     length = strlen(reinterpret_cast<char *>(unicode));
 
@@ -104,7 +104,7 @@ static inline bool encode(std::string &value) {
                             break;
                     }
 
-                    for (std::string::size_type j = 0; j < length; j++) {
+                    for (size_t j = 0; j < length; j++) {
                         *data++ = unicode[j];
                     }
 
@@ -126,15 +126,15 @@ static inline bool encode(std::string &value) {
                 unicode_len = 3;
                 count+=6;
                 if (count <= len) {
-                    int length = 0;
+                    size_t length = 0;
                     /* compute character number */
                     d = ((c & 0x0F) << 12)
                         | ((*(utf + 1) & 0x3F) << 6)
                         | (*(utf + 2) & 0x3F);
                     *data++ = '%';
                     *data++ = 'u';
                     snprintf(reinterpret_cast<char *>(unicode),
-                             sizeof(reinterpret_cast<char *>(unicode)),
+                             sizeof(unicode),
                              "%x", d);
                     length = strlen(reinterpret_cast<char *>(unicode));
 
@@ -156,7 +156,7 @@ static inline bool encode(std::string &value) {
                             break;
                     }
 
-                    for (std::string::size_type j = 0; j < length; j++) {
+                    for (size_t j = 0; j < length; j++) {
                         *data++ = unicode[j];
                     }
 
@@ -187,7 +187,7 @@ static inline bool encode(std::string &value) {
                 unicode_len = 4;
                 count+=7;
                 if (count <= len) {
-                    int length = 0;
+                    size_t length = 0;
                     /* compute character number */
                     d = ((c & 0x07) << 18)
                         | ((*(utf + 1) & 0x3F) << 12)
@@ -196,7 +196,7 @@ static inline bool encode(std::string &value) {
                     *data++ = '%';
                     *data++ = 'u';
                     snprintf(reinterpret_cast<char *>(unicode),
-                             sizeof(reinterpret_cast<char *>(unicode)),
+                             sizeof(unicode),
                              "%x", d);
                     length = strlen(reinterpret_cast<char *>(unicode));
 
@@ -218,7 +218,7 @@ static inline bool encode(std::string &value) {
                             break;
                     }
 
-                    for (std::string::size_type j = 0; j < length; j++) {
+                    for (size_t j = 0; j < length; j++) {
                         *data++ = unicode[j];
                     }
 

diff --git a/src/modsecurity.cc b/src/modsecurity.cc
@@ -268,7 +268,7 @@ int ModSecurity::processContentOffset(const char *content, size_t len,
             size.size());
         yajl_gen_map_close(g);
 
-        if (stoi(startingAt) >= len) {
+        if (static_cast<size_t>(stoi(startingAt)) >= len) {
             *err = "Offset is out of the content limits.";
             return -1;
         }
@@ -347,7 +347,7 @@ int ModSecurity::processContentOffset(const char *content, size_t len,
             size.size());
         yajl_gen_map_close(g);
 
-        if (stoi(startingAt) >= varValue.size()) {
+        if (static_cast<size_t>(stoi(startingAt)) >= varValue.size()) {
             *err = "Offset is out of the variable limits.";
             return -1;
         }

diff --git a/src/operators/pm_from_file.cc b/src/operators/pm_from_file.cc
@@ -33,7 +33,7 @@ bool PmFromFile::isComment(const std::string &s) {
     }
     size_t pos = s.find("#");
     if (pos != std::string::npos) {
-        for (int i = 0; i < pos; i++) {
+        for (size_t i = 0; i < pos; i++) {
 	    if (!std::isspace(s[i])) {
 		return false;
 	    }

diff --git a/src/operators/rx.h b/src/operators/rx.h
@@ -37,8 +37,8 @@
  public:
     /** @ingroup ModSecurity_Operator */
     explicit Rx(std::unique_ptr<RunTimeString> param)
-        : m_re(nullptr),
-        Operator("Rx", std::move(param)) {
+        : Operator("Rx", std::move(param)),
+        m_re(nullptr) {
             m_couldContainsMacro = true;
         }
 

diff --git a/src/operators/rx_global.h b/src/operators/rx_global.h
@@ -37,8 +37,8 @@
  public:
     /** @ingroup ModSecurity_Operator */
     explicit RxGlobal(std::unique_ptr<RunTimeString> param)
-        : m_re(nullptr),
-        Operator("RxGlobal", std::move(param)) {
+        : Operator("RxGlobal", std::move(param)),
+        m_re(nullptr) {
             m_couldContainsMacro = true;
         }
 

diff --git a/src/operators/validate_url_encoding.cc b/src/operators/validate_url_encoding.cc
@@ -25,14 +25,13 @@ namespace operators {
 
 int ValidateUrlEncoding::validate_url_encoding(const char *input,
     uint64_t input_length, size_t *offset) {
-    int i;
+    uint64_t i = 0;
     *offset = 0;
 
     if ((input == NULL) || (input_length == 0)) {
         return -1;
     }
 
-    i = 0;
     while (i < input_length) {
         if (input[i] == '%') {
             if (i + 2 >= input_length) {

diff --git a/src/parser/driver.cc b/src/parser/driver.cc
@@ -108,7 +108,7 @@ int Driver::addSecRule(std::unique_ptr<RuleWithActions> r) {
 
     for (int i = 0; i < modsecurity::Phases::NUMBER_OF_PHASES; i++) {
         const Rules *rules = m_rulesSetPhases[i];
-        for (int j = 0; j < rules->size(); j++) {
+        for (size_t j = 0; j < rules->size(); j++) {
             const RuleWithOperator *lr = dynamic_cast<RuleWithOperator *>(rules->at(j).get());
             if (lr && lr->m_ruleId == rule->m_ruleId) {
                 m_parserError << "Rule id: " << std::to_string(rule->m_ruleId) \

diff --git a/src/parser/seclang-parser.yy b/src/parser/seclang-parser.yy
@@ -2588,92 +2588,79 @@ var:
     | RUN_TIME_VAR_DUR
       {
         std::string name($1);
-        char z = name.at(0);
         std::unique_ptr<Variable> c(new Duration(name));
         $$ = std::move(c);
       }
 
     | RUN_TIME_VAR_BLD
       {
         std::string name($1);
-        char z = name.at(0);
         std::unique_ptr<Variable> c(new ModsecBuild(name));
         $$ = std::move(c);
       }
     | RUN_TIME_VAR_HSV
       {
         std::string name($1);
-        char z = name.at(0);
         std::unique_ptr<Variable> c(new HighestSeverity(name));
         $$ = std::move(c);
       }
     | RUN_TIME_VAR_REMOTE_USER
       {
         std::string name($1);
-        char z = name.at(0);
         std::unique_ptr<Variable> c(new RemoteUser(name));
         $$ = std::move(c);
       }
     | RUN_TIME_VAR_TIME
       {
         std::string name($1);
-        char z = name.at(0);
         std::unique_ptr<Variable> c(new Time(name));
         $$ = std::move(c);
       }
     | RUN_TIME_VAR_TIME_DAY
       {
         std::string name($1);
-        char z = name.at(0);
         std::unique_ptr<Variable> c(new TimeDay(name));
         $$ = std::move(c);
       }
     | RUN_TIME_VAR_TIME_EPOCH
       {
         std::string name($1);
-        char z = name.at(0);
         std::unique_ptr<Variable> c(new TimeEpoch(name));
         $$ = std::move(c);
       }
     | RUN_TIME_VAR_TIME_HOUR
       {
         std::string name($1);
-        char z = name.at(0);
         std::unique_ptr<Variable> c(new TimeHour(name));
         $$ = std::move(c);
       }
     | RUN_TIME_VAR_TIME_MIN
       {
         std::string name($1);
-        char z = name.at(0);
         std::unique_ptr<Variable> c(new TimeMin(name));
         $$ = std::move(c);
       }
     | RUN_TIME_VAR_TIME_MON
       {
         std::string name($1);
-        char z = name.at(0);
         std::unique_ptr<Variable> c(new TimeMon(name));
         $$ = std::move(c);
       }
     | RUN_TIME_VAR_TIME_SEC
       {
         std::string name($1);
-        char z = name.at(0);
             std::unique_ptr<Variable> c(new TimeSec(name));
             $$ = std::move(c);
       }
     | RUN_TIME_VAR_TIME_WDAY
       {
         std::string name($1);
-        char z = name.at(0);
         std::unique_ptr<Variable> c(new TimeWDay(name));
         $$ = std::move(c);
       }
     | RUN_TIME_VAR_TIME_YEAR
       {
         std::string name($1);
-        char z = name.at(0);
         std::unique_ptr<Variable> c(new TimeYear(name));
         $$ = std::move(c);
       }

diff --git a/src/request_body_processor/multipart.cc b/src/request_body_processor/multipart.cc
@@ -558,7 +558,7 @@ int Multipart::process_part_data(std::string *error, size_t offset) {
 
         /* check if the file limit has been reached */
         if (extract && m_transaction->m_rules->m_uploadFileLimit.m_value
-            && (m_nfiles >=
+            && (static_cast<uint32_t>(m_nfiles) >=
                 m_transaction->m_rules->m_uploadFileLimit.m_value)) {
             if (m_flag_file_limit_exceeded == 0) {
                 ms_dbg_a(m_transaction, 1,

diff --git a/src/rules_set.cc b/src/rules_set.cc
@@ -144,7 +144,7 @@ int RulesSet::evaluate(int phase, Transaction *t) {
     t->m_allowType = actions::disruptive::NoneAllowType;
     //}
 
-    for (int i = 0; i < rules->size(); i++) {
+    for (size_t i = 0; i < rules->size(); i++) {
         // FIXME: This is not meant to be here. At the end of this refactoring,
         //        the shared pointer won't be used.
         auto rule = rules->at(i);

diff --git a/src/transaction.cc b/src/transaction.cc
@@ -118,7 +118,8 @@ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, const char *id, void
 
 Transaction::Transaction(ModSecurity *ms, RulesSet *rules, const char *id,
     void *logCbData, const time_t timestamp)
-    : m_creationTimeStamp(utils::cpu_seconds()),
+    : TransactionAnchoredVariables(this),
+    m_creationTimeStamp(utils::cpu_seconds()),
     m_ARGScombinedSizeDouble(0),
     m_clientPort(0),
     m_highestSeverityAction(255),
@@ -149,8 +150,7 @@ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, const char *id,
 #endif
     m_secRuleEngine(RulesSetProperties::PropertyNotSetRuleEngine),
     m_secXMLParseXmlIntoArgs(rules->m_secXMLParseXmlIntoArgs),
-    m_logCbData(logCbData),
-    TransactionAnchoredVariables(this) {
+    m_logCbData(logCbData) {
     m_variableUrlEncodedError.set("0", 0);
     m_variableMscPcreError.set("0", 0);
     m_variableMscPcreLimitsExceeded.set("0", 0);
@@ -770,7 +770,7 @@ int Transaction::processRequestBody() {
     if (m_requestBodyType == MultiPartRequestBody) {
 #endif
         std::string error;
-        int reqbodyNoFilesLength = 0;
+        uint64_t reqbodyNoFilesLength = 0;
         if (a != NULL) {
             Multipart m(*a, this);
             if (m.init(&error) == true) {