chore: update Windows build to use PCRE2 as default

[fzipi]

what

• Windows/IIS build modernization: Updated to PCRE2, Visual C++ 2019 redistributables, and modern dependencies
• Installer refactoring: Replaced deprecated merge modules with redistributable package checks and launch conditions
• Build scripts: Fixed PCRE2 directory paths, updated dependency versions (CMake 4.2.3, PCRE2 10.47, Apache 2.4.66, zlib 1.3.1, libxml2 2.15.1, Lua 5.4.8, cURL 8.18.0,
  ssdeep 2.14.1)
• Configuration updates: Synced modsecurity.conf with recommended settings (fixed regex anchors, added JSON depth limit, deprecated SecStatusEngine)
• Documentation: Expanded Windows build guides with prerequisites, troubleshooting, and VC++ 2019 requirements
• Removed obsolete files: Deleted VC110/VC120 merge modules (VS2012/2013)
• CI enhancement: Enabled PCRE JIT in Windows workflow

why

• PCRE deprecation: PCRE is no longer maintained; PCRE2 provides better performance, JIT support, and (might) fix stack overflow issues
• Microsoft recommendation: Redistributable packages allow Windows Update to patch security vulnerabilities automatically, unlike deprecated merge modules
• Stability: Addresses reported pcre.dll stack overflow crashes (Stack overflow in pcre.dll #3436)
• Modern toolchain: VS2019/2022 support with up-to-date dependencies for better compatibility and security
• Maintainability: Smaller MSI installers, clearer error messages with download links, reduced deployment complexity
• Consistency: Aligned all documentation with current versions and corrected path inconsistencies

references

• partially addresses Stack overflow in pcre.dll #3436

[Copilot]

Pull request overview

Updates the Windows/IIS build tooling and documentation to prefer PCRE2 (and newer dependency versions), aligning with PCRE deprecation and addressing stability concerns like the reported pcre.dll stack overflow.

Changes:

• Bump Windows dependency versions (CMake, PCRE2, zlib, libxml2, Lua, cURL, Apache, ssdeep) and update download URLs.
• Switch Windows build/release scripts and NMake linkage from pcre.dll/pcre.lib to pcre2-8.dll/pcre2-8.lib, enabling PCRE JIT flags in NMake builds.
• Refresh README_WINDOWS.md build instructions to reference PCRE2 and newer dependency versions; CI attempts to enable PCRE JIT.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
iis/download_files.bat	Updates dependency versions and download URLs (including PCRE2).
iis/dependencies/build_pcre.bat	Switches dependency build from PCRE to PCRE2 and copies PCRE2 artifacts.
iis/build_release.bat	Packages pcre2-8.dll into release artifacts instead of pcre.dll.
iis/build_dependencies.bat	Updates dependency version variables used by the batch build pipeline.
iis/Makefile.win	Links against pcre2-8.lib and defines WITH_PCRE_JIT.
README_WINDOWS.md	Updates Windows build documentation to use PCRE2 and newer dependency versions.
.github/workflows/test-ci-windows.yml	Adds -DWITH_PCRE_JIT=ON to the IIS CMake configure step.

Comments suppressed due to low confidence (2)

README_WINDOWS.md:57

• The updated doc switches the Apache install dir to C:\Apache2466, but the example still references Apache/httpd 2.4.27 (httpd-2.4.27 and HTTPD_BUILD=C:\work\httpd-2.4.27). This is inconsistent and will mislead users following the updated instructions; update these example paths/versions to match the new Apache 2.4.66 guidance.

The directory where you build software from source ( ``C:\work`` in this exmaple)
must contain the Apache source you used to build the Apache web serverand the mod_security source

    Apache source is in             C:\work\httpd-2.4.27    in this example.
    Apache has been installed to    C:\Apache2466           in this example.
    Mod_security source is in       C:\work\mod_security    in this example.

## Download and untar the prerequisite library sources:

    Download pcre2-10.47.zip from https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.47/
    unzip it into C:\work\  creating C:\work\pcre2-10.47

    Download libxml2-2.15.1.tar.gz from https://download.gnome.org/sources/libxml2/2.15/
    untar it into C:\work\ creating C:\work\libxml2-2.15.1

    Download lua-5.4.8.tar.gz from http://www.lua.org/ftp/
    untar it into C:\work\ creating C:\work\lua-5.4.8

    Download curl-8.18.0.zip from https://curl.se/download/
    unzip it into C:\work\ creating C:\work\curl-8.18.0

    Download zlib-1.3.1.tar.gz from https://github.com/madler/zlib/releases/download/v1.3.1/
    untar it into C:\work\ creating C:\work\zlib-1.3.1

## Setup your build environment:

1. The ``PATH`` environment variable must include the Visual Studio variables as set by ``vsvars32.bat``

2. The ``PATH`` environment variable must also include the CMAKE ``bin\`` directory

3. Set an environment variable to the Apache source code directory:

SET HTTPD_BUILD=C:\work\httpd-2.4.27

README_WINDOWS.md:204

• The mlogc configuration examples still reference Apache2427 paths (e.g., CollectorRoot and SecAuditLog |C:/Apache2427/...) even though the PR updates the guide to Apache2466. These should be updated for consistency, otherwise users will end up with incorrect paths in their configs.

    CollectorRoot       "C:/Apache2427/logs"
    ConsoleURI          "https://localhost:8888/rpc/auditLogReceiver"
    SensorUsername      "test"
    SensorPassword      "testtest"
    LogStorageDir       "data"
    TransactionLog      "mlogc-transaction.log"
    QueuePath           "mlogc-queue.log"
    ErrorLog            "mlogc-error.log"
    LockFile            "mlogc.lck"
    KeepEntries         0
    ErrorLogLevel       2
    MaxConnections      10
    MaxWorkerRequests   1000
    TransactionDelay    50
    StartupDelay        5000
    CheckpointInterval  15
    ServerErrorTimeout  60

Change the SecAuditLog directive in ``conf\httpd.conf`` to pipe the log data to mlogc instead of writing them to a file:

    SecAuditLog |C:/Apache2427/bin/mlogc.bat

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 16 out of 20 changed files in this pull request and generated 10 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[fzipi]

@copilot open a new pull request to apply changes based on the open comments in this thread

[fzipi]

Documentation on Windows should be updated also on the wiki, if this one gets merged (follow up).

[Copilot]

Pull request overview

Copilot reviewed 17 out of 21 changed files in this pull request and generated 6 comments.

Comments suppressed due to low confidence (1)

iis/wix/list_dependencies.bat:83

• Several writes to the log file and the final explorer invocation use %log_file% without quotes (e.g., echo. >> %log_file%, >> %log_file%, explorer %log_file%). Since %TEMP% commonly contains spaces (user profile paths), these commands can break or write to the wrong file. Quote %log_file% consistently everywhere it’s used for redirection or as a command argument.

echo. >> %log_file%

REM Updated paths to include Visual Studio 2019 and 2022
set POSSIBLE_PATHS_X86="C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\*\bin\Hostx86\x86\dumpbin.exe" "C:\Program Files\Microsoft Visual Studio\2022\Professional\VC\Tools\MSVC\*\bin\Hostx86\x86\dumpbin.exe" "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\*\bin\Hostx86\x86\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\*\bin\Hostx86\x86\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\*\bin\Hostx86\x86\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\*\bin\Hostx86\x86\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\bin\dumpbin.exe"
set POSSIBLE_PATHS_X64="C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\*\bin\Hostx64\x64\dumpbin.exe" "C:\Program Files\Microsoft Visual Studio\2022\Professional\VC\Tools\MSVC\*\bin\Hostx64\x64\dumpbin.exe" "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\*\bin\Hostx64\x64\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\*\bin\Hostx64\x64\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\*\bin\Hostx64\x64\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\*\bin\Hostx64\x64\dumpbin.exe" "C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\bin\x86_amd64\dumpbin.exe"

for %%i in (%POSSIBLE_PATHS_X86%) do (
	echo Checking for dumpbin x86... %%i
	echo Checking for dumpbin x86... %%i >> %log_file% 
	if exist %%i (

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

Copilot reviewed 18 out of 22 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The documentation references C:\work\mod_security\apache2\mlogc-src\mlogc.exe, but this repository’s mlogc project lives under the top-level mlogc/ directory (and there is no apache2\mlogc-src folder). Please update this path to the actual built mlogc.exe location so Windows users can follow the instructions successfully.

Suggested change

	C:\work\mod_security\apache2\mlogc-src\mlogc.exe C:\Apache2466\bin\
	C:\work\mod_security\mlogc\mlogc.exe C:\Apache2466\bin\

[Copilot]

#pragma warning(disable: 4996) in a public header affects every translation unit that includes it, which can unintentionally suppress CRT warnings outside ModSecurity code. Prefer limiting the scope with #pragma warning(push)/pop, or moving this suppression into the Windows build flags (e.g., /wd4996) for the specific targets that need it.

Suggested change

	/* These functions are safe in ModSecurity's usage and required for portability */
	#pragma warning(disable: 4996)
	/* These functions are safe in ModSecurity's usage and required for portability */
	#pragma warning(push)
	#pragma warning(disable: 4996)
	#pragma warning(pop)

[Copilot]

This “latest versions … known to work well” list still calls out very old versions (e.g., zlib 1.2.11, libxml2 2.9.4, lua 5.3.4, curl 7.54.1, httpd 2.4.27) even though the build scripts in this PR now default to much newer versions. Updating this list to match the versions pinned in iis/build_dependencies.bat/iis/download_files.bat will avoid confusing builders about which versions are actually expected/tested.

[Copilot]

The YAJL_URL download still uses plain HTTP, which allows a network attacker to tamper with the yajl_2.1.0.orig.tar.gz archive in transit and inject malicious code into the libraries you later build and package. Because this script is intended to fetch build-time dependencies for ModSecurity, a compromised YAJL tarball could result in a backdoored module being compiled and shipped. Switch this URL to an authenticated HTTPS source (or add checksum/signature verification) so the YAJL source integrity is cryptographically verified before use.