fix: replacing t:UrlDecode with t:UrlDecodeUni (921240 PL1, 932170 PL1, 932171 PL1, 932190 PL3, 932190 PL1, 933211 PL3, 941310 PL1, 941350 PL1)

rules/REQUEST-921-PROTOCOL-ATTACK.conf

@@ -290,7 +290,7 @@ SecRule REQUEST_URI "@rx unix:[^|]*\|" \
     phase:1,\
     block,\
     capture,\
-    t:none,t:urlDecode,t:lowercase,\
+    t:none,t:urlDecodeUni,t:lowercase,\
     msg:'mod_proxy attack attempt detected',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\

rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf

@@ -589,7 +589,7 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
     phase:1,\
     block,\
     capture,\
-    t:none,t:urlDecode,\
+    t:none,t:urlDecodeUni,\
     msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -610,7 +610,7 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecode,t:urlDecodeUni,\
+    t:none,t:urlDecodeUni,\
     msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -1670,7 +1670,7 @@ SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecode,t:urlDecodeUni,t:normalizePath,t:cmdLine,\
+    t:none,t:urlDecodeUni,t:normalizePath,t:cmdLine,\
     msg:'Remote Command Execution: Wildcard bypass technique attempt',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\

rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf

@@ -493,7 +493,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecode,t:replaceComments,t:removeWhitespace,\
+    t:none,t:urlDecodeUni,t:replaceComments,t:removeWhitespace,\
     msg:'PHP Injection Attack: Variable Function Call Found',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -744,7 +744,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecode,t:replaceComments,t:removeWhitespace,\
+    t:none,t:urlDecodeUni,t:replaceComments,t:removeWhitespace,\
     msg:'PHP Injection Attack: Variable Function Call Found',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\

rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf

@@ -583,7 +583,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     phase:2,\
     block,\
     capture,\
-    t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
+    t:none,t:lowercase,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,\
     msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -612,7 +612,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
+    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,\
     msg:'UTF-7 Encoding IE XSS - Attack Detected',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\