Difference Between Revision 36 and internetx:managed:testing / mod_security
[-] | Changed | mod_security-ix.changes |
x 1
2 ------------------------------------------------------------------- 3 -Wed Jan 11 06:34:21 UTC 2023 - Carsten Schoene <carsten.schoene@internetx.com> 4 - 5 -- Update to release 2.9.7 6 - 7 -------------------------------------------------------------------- 8 -Thu Mar 17 10:30:16 UTC 2022 - Local OBS User <cs@linux-administrator.com> 9 - 10 -- Update to release 2.9.5 11 - 12 -------------------------------------------------------------------- 13 -Mon Aug 23 11:39:54 UTC 2021 - Local OBS User <cs@linux-administrator.com> 14 - 15 -- Update to release 2.9.4 16 - 17 -------------------------------------------------------------------- 18 -Wed Feb 5 09:52:49 UTC 2020 - Local OBS User <cs@linux-administrator.com> 19 - 20 -- Update to release 2.9.3 21 - 22 -------------------------------------------------------------------- 23 -Wed May 16 06:44:59 UTC 2018 - cs@linux-administrator.com 24 - 25 -- Update to release 2.9.2 26 - 27 -------------------------------------------------------------------- 28 -Thu Apr 9 09:26:32 UTC 2015 - cs@linux-administrator.com 29 - 30 -- Update to relesae 2.9.0 31 -- set PERL ENV var to /usr/bin/perl 32 -- drop mlogc-disable-force-sslv3.patch (TLSv1 is default now) 33 - 34 -------------------------------------------------------------------- 35 -Fri Aug 8 17:29:19 UTC 2014 - cs@linux-administrator.com 36 - 37 -- Update to release 2.8.0 38 - 39 -------------------------------------------------------------------- 40 -Sun Jan 5 16:20:52 UTC 2014 - cs@linux-administrator.com 41 - 42 -- enable --enable-htaccess-config 43 - 44 -------------------------------------------------------------------- 45 -Thu Dec 19 23:23:46 UTC 2013 - cs@linux-administrator.com 46 - 47 -- Update to release 2.7.7 48 - 49 -------------------------------------------------------------------- 50 -Tue Jul 30 17:01:30 UTC 2013 - cs@linux-administrator.com 51 - 52 -- Update to release 2.7.5 53 - 54 -------------------------------------------------------------------- 55 -Thu Jul 11 
19:33:18 UTC 2013 - cs@linux-administrator.com 56 - 57 -- build against asl-libxml2 for EL5 based systems 58 - 59 -------------------------------------------------------------------- 60 -Sat Jun 29 17:00:16 UTC 2013 - cs@linux-administrator.com 61 - 62 -- added CVE-2013-2765.patch for 2.6.8 (included in 2.7.4) 63 - 64 -------------------------------------------------------------------- 65 -Wed Jun 5 10:16:47 UTC 2013 - cs@linux-administrator.com 66 - 67 -- fix permissions in cleanup cron script 68 - 69 -------------------------------------------------------------------- 70 -Mon May 27 17:02:32 UTC 2013 - cs@linux-administrator.com 71 - 72 -- Update to release 2.7.4 (only for >= SLE_11, >= EL6) 73 - 74 -------------------------------------------------------------------- 75 Fri Mar 29 17:31:45 UTC 2013 - cs@linux-administrator.com 76 77 - Update to release 2.7.3 (only for >= SLE_11, >= EL6) 78 |
[-] | Changed | mod_security-ix.spec ^ |
117 1
2 -%define aslxml 1 3 -%define pkgname modsecurity- 4 Summary: Security module for the Apache HTTP Server 5 Name: mod_security 6 %if 0%{?centos_version} >= 6 || 0%{?rhel_version} >= 600 || 0%{?sl_version} >= 600 || 0%{?suse_version} >= 1110 || 0%{?sles_version} >= 11 7 -%define pkgversion 2.9.7 8 -%define oldver 0 9 -%define _aslxml 0 10 -%define epoch 1 11 -BuildRequires: libxml2-devel 12 -%else 13 -%if %{aslxml} 14 -%define pkgversion 2.9.7 15 -%define oldver 0 16 -%define _aslxml 1 17 -%define epoch 1 18 -BuildRequires: asl-libxml2-devel 19 +%define pkgversion 2.7.3 20 %else 21 %define pkgversion 2.6.8 22 -%define pkgname modsecurity-apache_ 23 -%define oldver 1 24 -%define _aslxml 0 25 -%define epoch 0 26 -BuildRequires: libxml2-devel 27 -%endif 28 %endif 29 Version: %{pkgversion} 30 -Epoch: %{epoch} 31 -Release: 35 32 +Release: 30 33 License: GPLv2 34 URL: http://www.modsecurity.org/ 35 Group: System Environment/Daemons 36 -Source: http://www.modsecurity.org/download/%{pkgname}%{version}.tar.bz2 37 +Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.bz2 38 %if 0%{?rhel_version} || 0%{?centos_version} || 0%{?sl_version} || 0%{?redhat_version} 39 Source1: 00_mod_security.conf 40 Source2: modsecurity_crs_10_config-default.conf 41
42 Source5: modsec-clamscan.pl 43 Source6: modsec-clean_var-asl-data-audit 44 Patch1: waf-label.patch 45 -Patch2: modsecurity-2.9.1_curl-lower_7.34.patch 46 -Patch50: CVE-2013-2765.patch 47 +Patch2: mlogc-disable-force-sslv3.patch 48 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) 49 %if 0%{?rhel_version} || 0%{?centos_version} || 0%{?sl_version} || 0%{?redhat_version} 50 Requires: httpd httpd-mmn = %([ -a %{_includedir}/httpd/.mmn ] && cat %{_includedir}/httpd/.mmn || echo missing) 51 BuildRequires: httpd-devel pkgconfig lua-devel 52 Requires: lua 53 -%if 0%{?rhel} >= 7 54 -%define apxs %{_bindir}/apxs 55 -%else 56 %define apxs %{_sbindir}/apxs 57 -%endif 58 %define apache_libexecdir %(%{apxs} -q LIBEXECDIR) 59 ##%define apache_sysconfdir %(%{apxs} -q SYSCONFDIR) 60 %define apache_sysconfdir /etc/httpd 61
62 Provides: apache2-mod_security2 = %{version} 63 %endif 64 65 -BuildRequires: pcre-devel libtool curl-devel 66 +BuildRequires: libxml2-devel pcre-devel libtool curl-devel 67 BuildRequires: curl 68 69 -BuildRequires: autoconf automake 70 Requires: libxml2 pcre 71 Provides: ix-mod_security = %{version} 72 73
74 as a powerful umbrella - shielding web applications from attacks. 75 76 %prep 77 -%setup -n %{pkgname}%{version} 78 +%setup -n modsecurity-apache_%{version} 79 %patch1 -p1 80 -%patch2 -p0 81 -%if 0%{?oldver} == 1 82 -%patch50 -p1 83 -%endif 84 +%patch2 85 86 %build 87 CFLAGS="%{optflags}" 88 export CFLAGS 89 -export PERL=/usr/bin/perl 90 - 91 -[ ! -f configure ] && ./autogen.sh 92 93 %configure \ 94 -%if 0%{_aslxml} == 1 95 - --with-libxml=/var/asl/usr/ \ 96 -%endif 97 - --enable-pcre-match-limit=no \ 98 - --enable-pcre-match-limit-recursion=no \ 99 - --enable-pcre-study \ 100 - --enable-htaccess-config 101 + --disable-pcre-match-limit \ 102 + --disable-pcre-match-limit-recursion 103 + 104 +# Legacy from LoadFile 105 +#perl -pi.orig -e 's|LIBDIR|%{_libdir}|;' %{SOURCE1} 106 107 make %{_smp_mflags} 108 109
110 install -D -m644 %{SOURCE4} %{buildroot}/%{apache_sysconfdir}/modsec/zzz_asl_custom_local_exclude.conf 111 install -D -m755 %{SOURCE5} %{buildroot}%{_bindir}/modsec-clamscan.pl 112 install -D -m755 %{SOURCE6} %{buildroot}%{_sysconfdir}/cron.daily/modsec-clean_var-asl-data-audit 113 -sed -i s@"%APAUSR%:%APAGRP%"@"%{apache_usr}:%{apache_grp}"@g %{buildroot}%{_sysconfdir}/cron.daily/modsec-clean_var-asl-data-audit 114 115 mkdir -p %{buildroot}/var/log/mlogc/data 116 install -D -m755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc 117 |
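Review bot: On the `+` side both build branches end up on a ModSecurity release that predates the CVE-2013-2765 fix — `+%define pkgversion 2.7.3` for the newer targets and the unchanged `%define pkgversion 2.6.8` for the rest — while `Patch50: CVE-2013-2765.patch` and the `%if 0%{?oldver} == 1` / `%patch50 -p1` block that backported it for 2.6.8 are both removed. The CHANGES hunk further down this page records that upstream fixed that remote NULL-pointer dereference (forceRequestBodyVariable triggered with an unknown Content-Type) only in 2.7.4, so if the `+` side is what internetx:managed:testing will build, every target regresses to a WAF that an unauthenticated request can crash. Keep `Patch50: CVE-2013-2765.patch` together with its conditional `%patch50 -p1` for the 2.6.8 branch, and for the other branch either move to at least 2.7.4 or carry the same one-line backport (the deleted patch below is the whole change; it will likely need rebasing onto 2.7.3). The spec continues outside these hunks, so the `%files` list and scriptlets could not be checked.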
[+] | Deleted | CVE-2013-2765.patch ^ |
@@ -1,10 +0,0 @@
---- modsecurity-apache_2.6.8/apache2/msc_reqbody.c.orig 2013-06-29 18:56:31.446864803 +0200
-+++ modsecurity-apache_2.6.8/apache2/msc_reqbody.c 2013-06-29 18:56:45.354863561 +0200
-@@ -170,6 +170,7 @@
- 
- /* Would storing this chunk mean going over the limit? */
- if ((msr->msc_reqbody_spilltodisk)
-+ && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON)
- && (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit))
- {
- msc_data_chunk **chunks;
| ||
[+] | Deleted | modsecurity-2.9.1_curl-lower_7.34.patch ^ |
@@ -1,60 +0,0 @@ ---- mlogc/mlogc.c.orig 2016-06-02 09:15:03.283648355 +0200 -+++ mlogc/mlogc.c 2016-06-02 10:59:44.378377602 +0200 -@@ -1270,33 +1270,36 @@ - } - - -- /* Seems like CURL_SSLVERSION_TLSv1_2 is not supported on libcurl -- * < v7.34.0 -- * -- * version_num is a 24 bit number created like this: -- * <8 bits major number> | <8 bits minor number> | <8 bits patch number>. -- */ -- switch (tlsprotocol) { -- case 0: -- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0); -- break; -- case 1: -- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1); -- break; -- case 2: -- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); -- break; -- default: -- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); -- break; -- } - cmaj = curlversion->version_num >> 16; - cmin = (curlversion->version_num & 0x00ff00) >> 8; - cpat = (curlversion->version_num & 0x0000ff); - /* If cURL version < v7.34.0, use TLS v1.x */ - if (cmaj <= 7 && cmin < 34) { - curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1); -- } -+#ifdef CURL_SSLVERSION_TLSv1_0 -+ } else { -+ /* Seems like CURL_SSLVERSION_TLSv1_2 is not supported on libcurl -+ * < v7.34.0 -+ * -+ * version_num is a 24 bit number created like this: -+ * <8 bits major number> | <8 bits minor number> | <8 bits patch number>. -+ */ -+ switch (tlsprotocol) { -+ case 0: -+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0); -+ break; -+ case 1: -+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1); -+ break; -+ case 2: -+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); -+ break; -+ default: -+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); -+ break; -+ } -+#endif -+ } - - curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 15); - curl_easy_setopt(curl, CURLOPT_NOSIGNAL, TRUE); | ||
[+] | Changed | modsec-clamscan.pl ^ |
@@ -27,7 +27,7 @@ my ($FILE) = @ARGV; -$cmd = "$CLAMSCAN --stdout --no-summary $FILE"; +$cmd = "$CLAMSCAN --stdout --disable-summary $FILE"; $input = `$cmd`; $input =~ m/^(.+)/; $error_message = $1; | ||
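Review bot: `$cmd = "$CLAMSCAN --stdout --disable-summary $FILE"` is still executed through the shell by the backticks on the following line, so `$FILE` — taken straight from `@ARGV`, i.e. whatever ModSecurity's @inspectFile hands over — is interpolated unquoted, and a path containing whitespace or shell metacharacters either breaks the scan or is executed as shell syntax. Run the scanner without a shell, passing its arguments as a list, and check `$?` afterwards so a scanner failure is reported instead of being parsed as a verdict: `open my $scan, '-|', $CLAMSCAN, '--stdout', '--disable-summary', $FILE or die "clamscan: $!";`, `$input = do { local $/; <$scan> };`, `close $scan;`. Note also that `--disable-summary` is the older spelling of clamscan's `--no-summary`; if the clamscan on the target only accepts the newer one, the first captured line that feeds `$error_message` becomes a usage error rather than a scan result, so confirm that the code after this hunk fails closed in that case. The rest of the script, including how `$error_message` is turned into the exit status ModSecurity reads, lies outside the hunk.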
[+] | Changed | modsec-clean_var-asl-data-audit ^ |
@@ -1,5 +1,4 @@
 #!/bin/bash
-nice -n 19 find /var/asl/data/audit -type d -mindepth 1 -cmin +30 -print0 | xargs -r -0 rm -rf
+nice -n 19 find /var/asl/data/audit -type d -cmin +30 -print0 | xargs -r -0 rm -rf
 mkdir -p /var/asl/data/audit
-chown -R %APAUSR%:%APAGRP% /var/asl/data/audit
 [ -x /usr/local/bin/modsec-permissions ] && /usr/local/bin/modsec-permissions || :
 | ||
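Review bot: Dropping `-mindepth 1` from the `+nice -n 19 find /var/asl/data/audit -type d -cmin +30 ...` line lets `find` match the starting directory itself, so once `/var/asl/data/audit` has gone 30 minutes without an entry being created or removed the daily run hands the whole audit tree to `rm -rf`, deleting entries younger than 30 minutes along with it. The `mkdir -p` that follows recreates an empty, root-owned directory, and because the `chown -R %APAUSR%:%APAGRP%` line (and the spec's sed that filled in those placeholders) is gone as well, correct ownership now depends entirely on the optional `/usr/local/bin/modsec-permissions`; where that script is absent, httpd presumably can no longer write new audit entries and the evidence trail stops silently. Keep the depth limit, placed before the tests so GNU find does not warn about option order: `nice -n 19 find /var/asl/data/audit -mindepth 1 -type d -cmin +30 -print0 | xargs -r -0 rm -rf`, and either restore the ownership fix or make the permissions script a hard requirement of the package.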
Deleted | modsecurity-2.8.0.tar.bz2 ^ | |
Deleted | modsecurity-2.9.0.tar.bz2 ^ | |
Deleted | modsecurity-2.9.2.tar.bz2 ^ | |
Deleted | modsecurity-2.9.3.tar.bz2 ^ | |
Deleted | modsecurity-2.9.4.tar.bz2 ^ | |
Deleted | modsecurity-2.9.5.tar.bz2 ^ | |
Deleted | modsecurity-2.9.7.tar.bz2 ^ | |
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/CHANGES ^ |
@@ -1,32 +1,3 @@ -10 May 2013 - 2.7.4 -------------------- -Improvements: - - * Added Libinjection project http://www.client9.com/projects/libinjection/ as a new operator @detectSQLi. (Thanks Nick Galbreath). - - * Added new variable SDBM_DELETE_ERROR that will be set to 1 when sdbm engine fails to delete entries. - - * NGINX is now set to STABLE. Thanks chaizhenhua and all the people in community who help the project testing, sending feedback and patches. - -Bug Fixes: - - * Fixed SecRulePerfTime storing unnecessary rules performance times. - - * Fixed Possible SDBM deadlock condition. - - * Fixed Possible @rsub memory leak. - - * Fixed REMOTE_ADDR content will receive the client ip address when mod_remoteip.c is present. - - * Fixed NGINX Audit engine in Concurrent mode was overwriting existing alert files because a issue with UNIQUE_ID. - - * Fixed CPU 100% issue in NGINX port. This is also related to an memory leak when loading response body. - -Security Issues: - - * Fixed Remote Null Pointer DeReference (CVE-2013-2765). When forceRequestBodyVariable action is triggered and a unknown Content-Type is used, - mod_security will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL. (Thanks Younes JAAIDI). - 28 Mar 2013 - 2.7.3 ------------------- @@ -61,7 +32,7 @@ * SECURITY: Added SecXmlExternalEntity (On|Off - default it Off) that will disable by default the external entity load task executed by LibXml2. This is a security issue - [CVE-2013-1915] reported by Timur Yunusov, Alexey Osipov (Positive Technologies). + reported by Timur Yunusov, Alexey Osipov (Positive Technologies). 21 Jan 2013 - 2.7.2 ------------------- 
@@ -159,7 +130,7 @@ support Include directive like Apache2. * Added MULTIPART_INVALID_PART flag. Also used in rule id 200002 for multipart strict - validation. https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20121017-0_mod_security_ruleset_bypass.txt). + validation. * Updated Reference Manual. | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/Makefile.in ^ |
@@ -118,17 +118,13 @@ APR_CFLAGS = @APR_CFLAGS@ APR_CONFIG = @APR_CONFIG@ APR_CPPFLAGS = @APR_CPPFLAGS@ -APR_INCLUDEDIR = @APR_INCLUDEDIR@ APR_LDADD = @APR_LDADD@ APR_LDFLAGS = @APR_LDFLAGS@ -APR_LINKLD = @APR_LINKLD@ APR_VERSION = @APR_VERSION@ APU_CFLAGS = @APU_CFLAGS@ APU_CONFIG = @APU_CONFIG@ -APU_INCLUDEDIR = @APU_INCLUDEDIR@ APU_LDADD = @APU_LDADD@ APU_LDFLAGS = @APU_LDFLAGS@ -APU_LINKLD = @APU_LINKLD@ APU_VERSION = @APU_VERSION@ APXS = @APXS@ APXS_BINDIR = @APXS_BINDIR@ | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/NOTICE ^ |
@@ -1,5 +1,5 @@ ModSecurity (www.modsecurity.org) - Copyright [2004-2013] Trustwave Holdings, Inc + Copyright [2004-2011] Trustwave Holdings, Inc This product includes software developed at Trustwave Holdings, Inc (http://www.trustwave.com/). | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/README.TXT ^ |
@@ -1,5 +1,5 @@ ModSecurity for Apache 2.x, http://www.modsecurity.org/ -Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) You may not use this file except in compliance with the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/alp2/Makefile.in ^ |
@@ -108,17 +108,13 @@ APR_CFLAGS = @APR_CFLAGS@ APR_CONFIG = @APR_CONFIG@ APR_CPPFLAGS = @APR_CPPFLAGS@ -APR_INCLUDEDIR = @APR_INCLUDEDIR@ APR_LDADD = @APR_LDADD@ APR_LDFLAGS = @APR_LDFLAGS@ -APR_LINKLD = @APR_LINKLD@ APR_VERSION = @APR_VERSION@ APU_CFLAGS = @APU_CFLAGS@ APU_CONFIG = @APU_CONFIG@ -APU_INCLUDEDIR = @APU_INCLUDEDIR@ APU_LDADD = @APU_LDADD@ APU_LDFLAGS = @APU_LDFLAGS@ -APU_LINKLD = @APU_LINKLD@ APU_VERSION = @APU_VERSION@ APXS = @APXS@ APXS_BINDIR = @APXS_BINDIR@ | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/alp2/alp2.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/alp2/alp2.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/alp2/alp2_pp.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/alp2/alp2_pp.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/Makefile.am ^ |
@@ -11,7 +11,7 @@ re_variables.c msc_logging.c msc_xml.c \ msc_multipart.c modsecurity.c msc_parsers.c \ msc_util.c msc_pcre.c persist_dbm.c msc_reqbody.c \ - msc_geo.c msc_gsb.c msc_crypt.c msc_tree.c msc_unicode.c acmp.c msc_lua.c msc_release.c libinjection/sqlparse.c + msc_geo.c msc_gsb.c msc_crypt.c msc_tree.c msc_unicode.c acmp.c msc_lua.c msc_release.c mod_security2_la_CFLAGS = @APXS_CFLAGS@ @APR_CFLAGS@ @APU_CFLAGS@ \ @PCRE_CFLAGS@ @LIBXML2_CFLAGS@ @LUA_CFLAGS@ @MODSEC_EXTRA_CFLAGS@ @CURL_CFLAGS@ | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/Makefile.in ^ |
@@ -93,7 +93,7 @@ mod_security2_la-msc_gsb.lo mod_security2_la-msc_crypt.lo \ mod_security2_la-msc_tree.lo mod_security2_la-msc_unicode.lo \ mod_security2_la-acmp.lo mod_security2_la-msc_lua.lo \ - mod_security2_la-msc_release.lo mod_security2_la-sqlparse.lo + mod_security2_la-msc_release.lo mod_security2_la_OBJECTS = $(am_mod_security2_la_OBJECTS) mod_security2_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(mod_security2_la_CFLAGS) \ @@ -122,17 +122,13 @@ APR_CFLAGS = @APR_CFLAGS@ APR_CONFIG = @APR_CONFIG@ APR_CPPFLAGS = @APR_CPPFLAGS@ -APR_INCLUDEDIR = @APR_INCLUDEDIR@ APR_LDADD = @APR_LDADD@ APR_LDFLAGS = @APR_LDFLAGS@ -APR_LINKLD = @APR_LINKLD@ APR_VERSION = @APR_VERSION@ APU_CFLAGS = @APU_CFLAGS@ APU_CONFIG = @APU_CONFIG@ -APU_INCLUDEDIR = @APU_INCLUDEDIR@ APU_LDADD = @APU_LDADD@ APU_LDFLAGS = @APU_LDFLAGS@ -APU_LINKLD = @APU_LINKLD@ APU_VERSION = @APU_VERSION@ APXS = @APXS@ APXS_BINDIR = @APXS_BINDIR@ @@ -309,7 +305,7 @@ re_variables.c msc_logging.c msc_xml.c \ msc_multipart.c modsecurity.c msc_parsers.c \ msc_util.c msc_pcre.c persist_dbm.c msc_reqbody.c \ - msc_geo.c msc_gsb.c msc_crypt.c msc_tree.c msc_unicode.c acmp.c msc_lua.c msc_release.c libinjection/sqlparse.c + msc_geo.c msc_gsb.c msc_crypt.c msc_tree.c msc_unicode.c acmp.c msc_lua.c msc_release.c mod_security2_la_CFLAGS = @APXS_CFLAGS@ @APR_CFLAGS@ @APU_CFLAGS@ \ @PCRE_CFLAGS@ @LIBXML2_CFLAGS@ @LUA_CFLAGS@ @MODSEC_EXTRA_CFLAGS@ @CURL_CFLAGS@ @@ -466,7 +462,6 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-re_operators.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-re_tfns.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-re_variables.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mod_security2_la-sqlparse.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< 
@@ -671,13 +666,6 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(mod_security2_la_CPPFLAGS) $(CPPFLAGS) $(mod_security2_la_CFLAGS) $(CFLAGS) -c -o mod_security2_la-msc_release.lo `test -f 'msc_release.c' || echo '$(srcdir)/'`msc_release.c -mod_security2_la-sqlparse.lo: libinjection/sqlparse.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(mod_security2_la_CPPFLAGS) $(CPPFLAGS) $(mod_security2_la_CFLAGS) $(CFLAGS) -MT mod_security2_la-sqlparse.lo -MD -MP -MF $(DEPDIR)/mod_security2_la-sqlparse.Tpo -c -o mod_security2_la-sqlparse.lo `test -f 'libinjection/sqlparse.c' || echo '$(srcdir)/'`libinjection/sqlparse.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/mod_security2_la-sqlparse.Tpo $(DEPDIR)/mod_security2_la-sqlparse.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libinjection/sqlparse.c' object='mod_security2_la-sqlparse.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(mod_security2_la_CPPFLAGS) $(CPPFLAGS) $(mod_security2_la_CFLAGS) $(CFLAGS) -c -o mod_security2_la-sqlparse.lo `test -f 'libinjection/sqlparse.c' || echo '$(srcdir)/'`libinjection/sqlparse.c - mostlyclean-libtool: -rm -f *.lo | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/Makefile.win ^ |
@@ -46,7 +46,7 @@ msc_logging.obj msc_xml.obj msc_multipart.obj modsecurity.obj \ msc_parsers.obj msc_util.obj msc_pcre.obj persist_dbm.obj \ msc_reqbody.obj msc_geo.obj msc_gsb.obj msc_crypt.obj msc_tree.obj msc_unicode.obj acmp.obj msc_lua.obj \ - msc_release.obj libinjection\sqlparse.obj + msc_release.obj all: $(DLL) | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/acmp.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/acmp.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/apache2.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/apache2_config.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at @@ -2346,7 +2346,7 @@ dcfg->hash_is_enabled = HASH_DISABLED; dcfg->hash_enforcement = HASH_DISABLED; } - else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecHashEngine: %s", p1); + else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SexHashEngine: %s", p1); return NULL; } | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/apache2_io.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ - * Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/apache2_util.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at @@ -198,10 +198,6 @@ apr_size_t nbytes, nbytes_written; apr_file_t *debuglog_fd = NULL; int filter_debug_level = 0; - char *remote = NULL; - char *parse_remote = NULL; - char *saved = NULL; - char *str = NULL; char str1[1024] = ""; char str2[1256] = ""; @@ -273,8 +269,8 @@ hostname, log_escape(msr->mp, r->uri), unique_id); #else ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r->server, - "[client %s] ModSecurity: %s%s [uri \"%s\"]%s", msr->remote_addr ? msr->remote_addr : r->connection->remote_ip, str1, - hostname, log_escape(msr->mp, r->uri), unique_id); + "[client %s] ModSecurity: %s%s [uri \"%s\"]%s", r->connection->remote_ip, str1, + hostname, log_escape(msr->mp, r->uri), unique_id); #endif /* Add this message to the list. */ | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/mod_security2.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/modsecurity.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at @@ -391,9 +391,11 @@ if (msr->matched_vars == NULL) return -1; apr_table_clear(msr->matched_vars); - msr->perf_rules = apr_table_make(msr->mp, 8); - if (msr->perf_rules == NULL) return -1; - apr_table_clear(msr->perf_rules); + if(msr->txcfg->max_rule_time > 0) { + msr->perf_rules = apr_table_make(msr->mp, 8); + if (msr->perf_rules == NULL) return -1; + apr_table_clear(msr->perf_rules); + } /* Locate the cookie headers and parse them */ arr = apr_table_elts(msr->request_headers); | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/modsecurity.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at @@ -442,8 +442,6 @@ lua_State *L; #endif #endif - - int msc_sdbm_delete_error; }; struct directory_config { @@ -581,7 +579,7 @@ /* Hash */ apr_array_header_t *hash_method; - const char *crypto_key; + const char *crypto_key; int crypto_key_len; const char *crypto_param_name; int hash_is_enabled; | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_crypt.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ - * Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_crypt.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_geo.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_geo.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_gsb.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_gsb.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_logging.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_logging.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_lua.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_lua.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_multipart.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_multipart.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_parsers.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_parsers.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_pcre.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_pcre.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_release.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_release.h ^ |
@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
@@ -38,7 +38,7 @@
 #define MODSEC_VERSION_MAJOR "2"
 #define MODSEC_VERSION_MINOR "7"
-#define MODSEC_VERSION_MAINT "4"
+#define MODSEC_VERSION_MAINT "3"
 #define MODSEC_VERSION_TYPE ""
 #define MODSEC_VERSION_RELEASE ""
@@ -53,10 +53,10 @@
 #define MODSEC_MODULE_NAME "ModSecurity for IIS (STABLE)"
 #else
 #ifdef VERSION_NGINX
-#define MODSEC_MODULE_NAME "ModSecurity for nginx (STABLE)"
+#define MODSEC_MODULE_NAME "ModSecurity for nginx (RC)"
 #else
 #ifdef VERSION_STANDALONE
-#define MODSEC_MODULE_NAME "ModSecurity Standalone (STABLE)"
+#define MODSEC_MODULE_NAME "ModSecurity Standalone (RC)"
 #else
 #define MODSEC_MODULE_NAME "ModSecurity for Apache"
 #endif | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_reqbody.c ^ |
@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
@@ -170,7 +170,6 @@
 /* Would storing this chunk mean going over the limit? */
 if ((msr->msc_reqbody_spilltodisk)
- && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON)
 && (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit))
 {
 msc_data_chunk **chunks; | ||
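Review bot: The spill-to-disk condition on the new side no longer checks `msr->txcfg->reqbody_buffering`, so a transaction with forced request-body buffering (`REQUEST_BODY_FORCEBUF_ON`) is still written to a temporary file once `msc_reqbody_length + length` exceeds `reqbody_inmemory_limit`. If forced buffering is meant to keep the body in memory, the dropped clause `&& (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON)` should be kept. The enclosing function starts and ends outside the hunk, so an earlier guard for that case cannot be ruled out from here.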
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_tree.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ - * Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_tree.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_unicode.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_unicode.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_util.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_util.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_xml.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/msc_xml.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/persist_dbm.c ^ |
@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
@@ -220,7 +220,6 @@
 msr_log(msr, 1, "collection_retrieve_ex: Failed deleting collection (name \"%s\", " "key \"%s\"): %s", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, col_key, col_key_len), get_apr_error(msr->mp, rc));
- msr->msc_sdbm_delete_error = 1;
 goto cleanup;
 }
@@ -468,7 +467,7 @@
 var->value = apr_psprintf(msr->mp, "%d", newval);
 var->value_len = strlen(var->value);
-
+
 if (msr->txcfg->debuglog_level >= 9) {
 msr_log(msr, 9, "collection_store: Delta applied for %s.%s %d->%d (%d): %d + (%d) = %d [%s,%d]", log_escape_ex(msr->mp, var_name->value, var_name->value_len),
@@ -491,12 +490,7 @@
 /* Now generate the binary object. */
 blob = apr_pcalloc(msr->mp, blob_size);
 if (blob == NULL) {
- if (dbm != NULL) {
- apr_sdbm_unlock(dbm);
- apr_sdbm_close(dbm);
- }
-
- return -1;
+ goto error;
 }
 blob[0] = 0x49;
@@ -548,16 +542,10 @@
 rc = apr_sdbm_store(dbm, key, value, APR_SDBM_REPLACE);
 if (rc != APR_SUCCESS) {
 msr_log(msr, 1, "collection_store: Failed to write to DBM file \"%s\": %s", dbm_filename,
- get_apr_error(msr->mp, rc));
- if (dbm != NULL) {
- apr_sdbm_unlock(dbm);
- apr_sdbm_close(dbm);
- }
-
- return -1;
+ get_apr_error(msr->mp, rc));
+ goto error;
 }
- apr_sdbm_unlock(dbm);
 apr_sdbm_close(dbm);
 if (msr->txcfg->debuglog_level >= 4) {
@@ -569,6 +557,11 @@
 return 0;
 error:
+
+ if (dbm) {
+ apr_sdbm_close(dbm);
+ }
+
 return -1;
 }
@@ -679,10 +672,9 @@
 msr_log(msr, 1, "collections_remove_stale: Failed deleting collection (name \"%s\", " "key \"%s\"): %s", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, key.dptr, key.dsize - 1), get_apr_error(msr->mp, rc));
- msr->msc_sdbm_delete_error = 1;
 goto error;
 }
-
+
 if (msr->txcfg->debuglog_level >= 4) {
 msr_log(msr, 4, "collections_remove_stale: Removed stale collection (name \"%s\", " "key \"%s\").", log_escape(msr->mp, col_name), | ||
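Review bot: The new `error:` label in collection_store only calls `apr_sdbm_close(dbm)`, and the success path of the same function loses its `apr_sdbm_unlock(dbm)` before `apr_sdbm_close(dbm)`; whether an exclusive `apr_sdbm_lock` is taken earlier in collection_store is outside the hunk, but if it is, each exit should release it explicitly rather than rely on close tearing the lock down, e.g. `if (dbm) { apr_sdbm_unlock(dbm); apr_sdbm_close(dbm); }` at the label. Dropping `msr->msc_sdbm_delete_error = 1;` in collection_retrieve_ex and collections_remove_stale means a failed delete is now only logged and can no longer be observed by a rule, which matches the SDBM_DELETE_ERROR variable going away in re_variables.c and is worth stating in the change description. Both affected functions start outside the hunks shown.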
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/persist_dbm.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/re.c ^ |
@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
@@ -2604,16 +2604,12 @@
 rt_time = apr_table_get(msr->perf_rules, rule->actionset->id);
 if(rt_time == NULL) {
 rt_time = apr_psprintf(msr->mp, "%" APR_TIME_T_FMT, (t1 - time_before_op));
- rule_time = (apr_time_t)atoi(rt_time);
- if(rule_time >= msr->txcfg->max_rule_time)
- apr_table_setn(msr->perf_rules, rule->actionset->id, rt_time);
+ apr_table_setn(msr->perf_rules, rule->actionset->id, rt_time);
 } else {
 rule_time = (apr_time_t)atoi(rt_time);
 rule_time += (t1 - time_before_op);
- if(rule_time >= msr->txcfg->max_rule_time) {
- rt_time = apr_psprintf(msr->mp, "%" APR_TIME_T_FMT, rule_time);
- apr_table_setn(msr->perf_rules, rule->actionset->id, rt_time);
- }
+ rt_time = apr_psprintf(msr->mp, "%" APR_TIME_T_FMT, rule_time);
+ apr_table_setn(msr->perf_rules, rule->actionset->id, rt_time);
 }
 }
 } | ||
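Review bot: Both branches of the new code call `apr_table_setn` unconditionally, so `msr->perf_rules` now receives one `apr_psprintf` allocation from `msr->mp` for every rule evaluated, for the whole transaction, where previously only rules reaching `msr->txcfg->max_rule_time` were recorded; confirm that is intended, since it scales the per-request pool with the size of the rule set. In the `rt_time == NULL` branch `rule_time` is no longer assigned, so if that variable exists only for this block it is now unused on that path. Visible as context rather than changed: `(apr_time_t)atoi(rt_time)` parses a value formatted with `APR_TIME_T_FMT` through int and truncates where apr_time_t is 64-bit; `apr_atoi64(rt_time)` matches the format. The enclosing function starts outside the hunk.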
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/re.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/re_actions.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/re_operators.c ^ |
@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
@@ -27,9 +27,6 @@
 #include <arpa/inet.h>
 #endif
-#include "libinjection/sqlparse.h"
-#include "libinjection/sqli_fingerprints.h"
-
 /**
 *
 */
@@ -372,7 +369,7 @@
 /* rsub */
 static char *param_remove_escape(msre_rule *rule, char *str, int len) {
- char *parm = apr_pcalloc(rule->ruleset->mp, len);
+ char *parm = apr_palloc(rule->ruleset->mp, len);
 char *ret = parm;
 for(;*str!='\0';str++) {
@@ -2132,42 +2129,6 @@
 return 0;
 }
-/** libinjection detectSQLi
-* links against files in libinjection directory
- * See www.client9.com/libinjection for details
- * `is_sqli_pattern` right now is a hardwired set of sqli fingerprints.
- * In future, change to read from file.
-*/
-static int msre_op_detectSQLi_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
- char **error_msg) {
- sfilter sf;
- int issqli = is_sqli(&sf, var->value, var->value_len, is_sqli_pattern);
- int capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0;
-
- if (error_msg == NULL) return -1;
- *error_msg = NULL;
-
- if (issqli) {
- set_match_to_tx(msr, capture, sf.pat, 0);
-
- *error_msg = apr_psprintf(msr->mp, "detected SQLi using libinjection fingerprint '%s' at %s",
- sf.pat, var->name);
-
- if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "detectSQLi: libinjection fingerprint '%s' matched input '%s'",
- sf.pat,
- log_escape_ex(msr->mp, var->value, var->value_len));
- }
- } else {
- if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "detectSQLi: no sql, libinjection no match input '%s' at '%s'",
- log_escape_ex(msr->mp, var->value, var->value_len), var->name);
- }
- }
-
- return issqli;
-}
-
 /* containsWord */
 static int msre_op_containsWord_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
 char **error_msg) {
@@ -4541,14 +4502,7 @@
 msre_op_containsWord_execute
 );
- /* detectSQLi */
- msre_engine_op_register(engine,
- "detectSQLi",
- NULL,
- msre_op_detectSQLi_execute
- );
-
- /* streq */
+ /* is */
 msre_engine_op_register(engine,
 "streq",
 NULL, /* ENH init function to flag var substitution */ | ||
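Review bot: `param_remove_escape` now takes `parm` from `apr_palloc`, which unlike the previous `apr_pcalloc` leaves the `len` bytes uninitialised; the copy loop is outside the hunk, so if it counted on the zeroed buffer for NUL termination the returned string can run past the buffer. Either keep `apr_pcalloc` or terminate explicitly after the loop. In the registration hunk the comment `/* is */` sits above `"streq"`; `/* streq */` matched the registered operator name. Removing `msre_op_detectSQLi_execute` and its registration means any configuration using `@detectSQLi` fails to load on this side, a behavioural change worth calling out together with the dropped libinjection includes.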
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/re_tfns.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/re_variables.c ^ |
@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
@@ -511,19 +511,6 @@
 return 1;
 }
-/* SDBM_DELETE_ERROR */
-static int var_sdbm_delete_error_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
- apr_table_t *vartab, apr_pool_t *mptmp)
-{
- msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
-
- rvar->value = apr_psprintf(mptmp, "%d", msr->msc_sdbm_delete_error);
- rvar->value_len = strlen(rvar->value);
- apr_table_addn(vartab, rvar->name, (void *)rvar);
-
- return 1;
-}
-
 /* REQBODY_ERROR */
 static int var_reqbody_processor_error_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
@@ -713,20 +700,13 @@
 static int var_remote_addr_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
 apr_table_t *vartab, apr_pool_t *mptmp)
 {
-#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 3
- if (ap_find_linked_module("mod_remoteip.c") != NULL) {
- if(msr->r->useragent_ip != NULL) msr->remote_addr = apr_pstrdup(msr->mp, msr->r->useragent_ip);
- return var_simple_generate(var, vartab, mptmp, msr->remote_addr);
- }
-#endif
-
 return var_simple_generate(var, vartab, mptmp, msr->remote_addr);
 }
 /* REMOTE_HOST */
 static int var_remote_host_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
- apr_table_t *vartab, apr_pool_t *mptmp)
+ apr_table_t *vartab, apr_pool_t *mptmp)
 {
 const char *value1 = ap_get_remote_host(msr->r->connection, msr->r->per_dir_config, REMOTE_NAME, NULL);
@@ -3137,16 +3117,6 @@
 PHASE_REQUEST_HEADERS
 );
- msre_engine_variable_register(engine,
- "SDBM_DELETE_ERROR",
- VAR_SIMPLE,
- 0, 0,
- NULL,
- var_sdbm_delete_error_generate,
- VAR_DONT_CACHE, /* dynamic */
- PHASE_REQUEST_BODY
- );
-
 /* REQBODY_PROCESSOR_ERROR - Deprecated */
 msre_engine_variable_register(engine,
 "REQBODY_PROCESSOR_ERROR", | ||
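Review bot: `var_remote_addr_generate` on the new side always returns `msr->remote_addr`, the TCP peer, and no longer takes `r->useragent_ip` when `mod_remoteip.c` is linked; behind a reverse proxy or load balancer REMOTE_ADDR — and anything keyed on it, such as per-IP collections and rate limits — then identifies the proxy rather than the client. If mod_remoteip is a supported deployment, the dropped `#if ... ap_find_linked_module("mod_remoteip.c")` block should stay. Removing `var_sdbm_delete_error_generate` together with its registration drops the SDBM_DELETE_ERROR variable, so rules referencing it fail to load; the remote_host hunk changes indentation only.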
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/apache2/utf8tables.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/build/find_apr.m4 ^ |
@@ -11,8 +11,7 @@
 APR_CPPFLAGS=""
 APR_LDFLAGS=""
 APR_LDADD=""
-APR_INCLUDEDIR=""
-APR_LINKLD=""
+
 AC_DEFUN([CHECK_APR], [dnl
@@ -64,10 +63,6 @@
 if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apr LDFLAGS: $APR_LDFLAGS); fi
 APR_LDADD="`${APR_CONFIG} --link-libtool`"
 if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apr LDADD: $APR_LDADD); fi
- APR_INCLUDEDIR="`${APR_CONFIG} --includedir`"
- if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apr INCLUDEDIR: $APR_INCLUDEDIR); fi
- APR_LINKLD="`${APR_CONFIG} --link-ld`"
- if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apr LINKLD: $APR_LINKLD); fi
 else
 AC_MSG_RESULT([no])
 fi
@@ -78,8 +73,6 @@
 AC_SUBST(APR_CPPFLAGS)
 AC_SUBST(APR_LDFLAGS)
 AC_SUBST(APR_LDADD)
-AC_SUBST(APR_INCLUDEDIR)
-AC_SUBST(APR_LINKLD)
 if test -z "${APR_VERSION}"; then
 AC_MSG_NOTICE([*** apr library not found.]) | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/build/find_apu.m4 ^ |
@@ -10,8 +10,6 @@
 APU_CFLAGS=""
 APU_LDFLAGS=""
 APU_LDADD=""
-APU_INCLUDEDIR=""
-APU_LINKLD=""
 AC_DEFUN([CHECK_APU], [dnl
@@ -20,7 +18,7 @@
 apu,
 [AC_HELP_STRING([--with-apu=PATH],[Path to apu prefix or config script])],
 [test_paths="${with_apu}"],
- [test_paths="/usr/local/libapr-util /usr/local/apr-util /usr/local/libapu /usr/local/apu /usr/local/apr /usr/local /opt/libapr-util /opt/apr-util /opt/libapu /opt/apu /opt /usr"])
+ [test_paths="/usr/local/libapr-util /usr/local/apr-util /usr/local/libapu /usr/local/apu /usr/local /opt/libapr-util /opt/apr-util /opt/libapu /opt/apu /opt /usr"])
 AC_MSG_CHECKING([for libapu config script])
@@ -62,10 +60,6 @@
 if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDFLAGS: $APU_LDFLAGS); fi
 APU_LDADD="`${APU_CONFIG} --link-libtool`"
 if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDADD: $APU_LDADD); fi
- APU_INCLUDEDIR="`${APU_CONFIG} --includedir`"
- if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu INCLUDEDIR: $APU_INCLUDEDIR); fi
- APU_LINKLD="`${APU_CONFIG} --link-ld`"
- if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LINKLD: $APU_LINKLD); fi
 else
 AC_MSG_RESULT([no])
 fi
@@ -75,8 +69,6 @@
 AC_SUBST(APU_CFLAGS)
 AC_SUBST(APU_LDFLAGS)
 AC_SUBST(APU_LDADD)
-AC_SUBST(APU_INCLUDEDIR)
-AC_SUBST(APU_LINKLD)
 if test -z "${APU_VERSION}"; then
 AC_MSG_NOTICE([*** apu library not found.]) | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/configure ^ |
@@ -764,15 +764,11 @@ LIBXML2_CFLAGS LIBXML2_VERSION LIBXML2_CONFIG -APU_LINKLD -APU_INCLUDEDIR APU_LDADD APU_LDFLAGS APU_CFLAGS APU_VERSION APU_CONFIG -APR_LINKLD -APR_INCLUDEDIR APR_LDADD APR_LDFLAGS APR_CPPFLAGS @@ -1648,8 +1644,7 @@ --enable-htaccess-config Enable some mod_security directives into htaccess files. - --enable-request-early Place phase1 into post_read_request hook. default is - hook_request_early + --enable-request-early Place phase1 into post_read_request hook. --disable-errors Disable errors during configure. --enable-verbose-output Enable more verbose configure output. --enable-strict-compile Enable strict compilation (warnings are errors). @@ -4751,13 +4746,13 @@ else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:4754: $ac_compile\"" >&5) + (eval echo "\"\$as_me:4749: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:4757: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:4752: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:4760: output\"" >&5) + (eval echo "\"\$as_me:4755: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -5963,7 +5958,7 @@ ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 5966 "configure"' > conftest.$ac_ext + echo '#line 5961 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? 
@@ -7492,11 +7487,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7495: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7490: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7499: \$? = $ac_status" >&5 + echo "$as_me:7494: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -7831,11 +7826,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7834: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7829: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7838: \$? = $ac_status" >&5 + echo "$as_me:7833: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -7936,11 +7931,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7939: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7934: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:7943: \$? = $ac_status" >&5 + echo "$as_me:7938: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -7991,11 +7986,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7994: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7989: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:7998: \$? = $ac_status" >&5 + echo "$as_me:7993: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -10375,7 +10370,7 @@ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 10378 "configure" +#line 10373 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -10471,7 +10466,7 @@ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 10474 "configure" +#line 10469 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -13214,12 +13209,6 @@ APR_LDADD="`${APR_CONFIG} --link-libtool`" if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: apr LDADD: $APR_LDADD" >&5 $as_echo "$as_me: apr LDADD: $APR_LDADD" >&6;}; fi - APR_INCLUDEDIR="`${APR_CONFIG} --includedir`" - if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: apr INCLUDEDIR: $APR_INCLUDEDIR" >&5 -$as_echo "$as_me: apr INCLUDEDIR: $APR_INCLUDEDIR" >&6;}; fi - APR_LINKLD="`${APR_CONFIG} --link-ld`" - if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: apr LINKLD: $APR_LINKLD" >&5 -$as_echo "$as_me: apr LINKLD: $APR_LINKLD" >&6;}; fi else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } @@ -13232,8 +13221,6 @@ - - if test -z "${APR_VERSION}"; then { $as_echo "$as_me:${as_lineno-$LINENO}: *** apr library not found." >&5 $as_echo "$as_me: *** apr library not found." >&6;} 
@@ -13250,7 +13237,7 @@ if test "${with_apu+set}" = set; then : withval=$with_apu; test_paths="${with_apu}" else - test_paths="/usr/local/libapr-util /usr/local/apr-util /usr/local/libapu /usr/local/apu /usr/local/apr /usr/local /opt/libapr-util /opt/apr-util /opt/libapu /opt/apu /opt /usr" + test_paths="/usr/local/libapr-util /usr/local/apr-util /usr/local/libapu /usr/local/apu /usr/local /opt/libapr-util /opt/apr-util /opt/libapu /opt/apu /opt /usr" fi @@ -13298,12 +13285,6 @@ APU_LDADD="`${APU_CONFIG} --link-libtool`" if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: apu LDADD: $APU_LDADD" >&5 $as_echo "$as_me: apu LDADD: $APU_LDADD" >&6;}; fi - APU_INCLUDEDIR="`${APU_CONFIG} --includedir`" - if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: apu INCLUDEDIR: $APU_INCLUDEDIR" >&5 -$as_echo "$as_me: apu INCLUDEDIR: $APU_INCLUDEDIR" >&6;}; fi - APU_LINKLD="`${APU_CONFIG} --link-ld`" - if test "$verbose_output" -eq 1; then { $as_echo "$as_me:${as_lineno-$LINENO}: apu LINKLD: $APU_LINKLD" >&5 -$as_echo "$as_me: apu LINKLD: $APU_LINKLD" >&6;}; fi else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } @@ -13311,8 +13292,6 @@ - - | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/configure.ac ^ |
@@ -374,7 +374,7 @@
 # Enable phase-1 in post_read_request
 AC_ARG_ENABLE(request-early,
 AS_HELP_STRING([--enable-request-early],
- [Place phase1 into post_read_request hook. default is hook_request_early]),
+ [Place phase1 into post_read_request hook.]),
 [
 if test "$enableval" != "no"; then
 request_early="-DREQUEST_EARLY" | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/ext/Makefile.in ^ |
@@ -136,17 +136,13 @@ APR_CFLAGS = @APR_CFLAGS@ APR_CONFIG = @APR_CONFIG@ APR_CPPFLAGS = @APR_CPPFLAGS@ -APR_INCLUDEDIR = @APR_INCLUDEDIR@ APR_LDADD = @APR_LDADD@ APR_LDFLAGS = @APR_LDFLAGS@ -APR_LINKLD = @APR_LINKLD@ APR_VERSION = @APR_VERSION@ APU_CFLAGS = @APU_CFLAGS@ APU_CONFIG = @APU_CONFIG@ -APU_INCLUDEDIR = @APU_INCLUDEDIR@ APU_LDADD = @APU_LDADD@ APU_LDFLAGS = @APU_LDFLAGS@ -APU_LINKLD = @APU_LINKLD@ APU_VERSION = @APU_VERSION@ APXS = @APXS@ APXS_BINDIR = @APXS_BINDIR@ | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/ext/mod_op_strstr.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/ext/mod_reqbody_example.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/ext/mod_tfn_reverse.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/ext/mod_var_remote_addr_port.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/iis/Makefile.win ^ |
@@ -52,7 +52,6 @@
 msc_release.obj msc_crypt.obj msc_tree.obj
 OBJS2 = api.obj buckets.obj config.obj filters.obj hooks.obj regex.obj server.obj
 OBJS3 = main.obj moduleconfig.obj mymodule.obj
-OBJS4 = sqlparse.obj
 all: $(DLL)
@@ -61,17 +60,14 @@
 $(OBJS1): ..\apache2\$*.c
 $(CC) $(CFLAGS) -c ..\apache2\$*.c -Fo$@
-$(OBJS4): ..\apache2\libinjection\$*.c
- $(CC) $(CFLAGS) -c ..\apache2\libinjection\$*.c -Fo$@
-
 $(OBJS2): ..\standalone\$*.c
 $(CC) $(CFLAGS) -c ..\standalone\$*.c -Fo$@
 .cpp.obj:
 $(CC) $(CFLAGS) -c $< -Fo$@
-$(DLL): $(OBJS1) $(OBJS2) $(OBJS3) $(OBJS4)
- $(LINK) $(LDFLAGS) $(OBJS1) $(OBJS2) $(OBJS3) $(OBJS4) $(LIBS)
+$(DLL): $(OBJS1) $(OBJS2) $(OBJS3)
+ $(LINK) $(LDFLAGS) $(OBJS1) $(OBJS2) $(OBJS3) $(LIBS)
 IF EXIST $(DLL).manifest $(MT) -manifest $(DLL).manifest -outputresource:$(DLL);#1
 clean: | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/iis/main.cpp ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/iis/moduleconfig.cpp ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/iis/moduleconfig.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/iis/mymodule.cpp ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/iis/mymodule.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/iis/mymodulefactory.h ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/mlogc/Makefile.in ^ |
@@ -109,17 +109,13 @@ APR_CFLAGS = @APR_CFLAGS@ APR_CONFIG = @APR_CONFIG@ APR_CPPFLAGS = @APR_CPPFLAGS@ -APR_INCLUDEDIR = @APR_INCLUDEDIR@ APR_LDADD = @APR_LDADD@ APR_LDFLAGS = @APR_LDFLAGS@ -APR_LINKLD = @APR_LINKLD@ APR_VERSION = @APR_VERSION@ APU_CFLAGS = @APU_CFLAGS@ APU_CONFIG = @APU_CONFIG@ -APU_INCLUDEDIR = @APU_INCLUDEDIR@ APU_LDADD = @APU_LDADD@ APU_LDFLAGS = @APU_LDFLAGS@ -APU_LINKLD = @APU_LINKLD@ APU_VERSION = @APU_VERSION@ APXS = @APXS@ APXS_BINDIR = @APXS_BINDIR@ | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/mlogc/mlogc-batch-load.pl.in ^ |
@@ -1,7 +1,7 @@ #!@PERL@ # # ModSecurity for Apache 2.x, http://www.modsecurity.org/ -# Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +# Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) # # You may not use this file except in compliance with # the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/mlogc/mlogc.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/modsecurity.conf-recommended ^ |
@@ -77,7 +77,7 @@ # Did we see anything that might be a boundary? # SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ -"id:'200003',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'" +"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'" # PCRE Tuning # We want to avoid a potential RegEx DoS condition | ||
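Review bot: `status:44` on rule 200003 is not a valid HTTP status code, so a request denied for an unmatched multipart boundary is answered with a status no client or intermediary understands instead of a clean rejection. Apache has no canned response for 44; I would expect the deny to degrade to a 500 or an empty reply, but verify on the deployed httpd rather than assume. Use a real 4xx, e.g. `"id:'200003',phase:2,t:none,log,deny,status:400,msg:'Multipart parser detected a possible unmatched boundary.'"`.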
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/nginx/modsecurity/apr_bucket_nginx.c ^ |
@@ -204,17 +204,6 @@ if (APR_BUCKET_IS_EOS(e)) { if (cl == NULL) { - cl = ngx_alloc_chain_link(pool); - if (cl == NULL) { - break; - } - - cl->buf = ngx_calloc_buf(pool); - if (cl->buf == NULL) { - break; - } - - cl->buf->last_buf = 1; *ll = cl; } else { cl->buf->last_buf = 1; | ||
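Review bot: In the EOS branch, when `cl` is NULL the new code just stores NULL into `*ll` and no longer creates a buffer with `last_buf` set, so an EOS bucket that arrives without a preceding data bucket yields a chain with no end-of-response marker. The removed `ngx_alloc_chain_link`/`ngx_calloc_buf` with `cl->buf->last_buf = 1` was the only thing telling nginx the response is complete in that case; without it nginx has no way to learn the body has ended, which presumably leaves the request open until a timeout. Keep the allocation and its two NULL checks in this branch, or at minimum fail loudly instead of silently emitting an unterminated chain. The enclosing function starts and ends outside the hunk.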
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/nginx/modsecurity/config ^ |
@@ -3,5 +3,5 @@ HTTP_AUX_FILTER_MODULES="ngx_http_modsecurity $HTTP_AUX_FILTER_MODULES" NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_modsecurity.c $ngx_addon_dir/apr_bucket_nginx.c $ngx_addon_dir/ngx_pool_context.c" NGX_ADDON_DEPS="$NGX_ADDON_DEPS $ngx_addon_dir/apr_bucket_nginx.h $ngx_addon_dir/ngx_pool_context.h" -CORE_LIBS="$CORE_LIBS $ngx_addon_dir/../../standalone/.libs/standalone.a -L/usr/local/apr/lib -lapr-1 -L/usr/local/apr/lib -laprutil-1 -lpcre -lxml2 -lz -lm -ldl " -CORE_INCS="$CORE_INCS $ngx_addon_dir $ngx_addon_dir/../../standalone $ngx_addon_dir/../../apache2 /usr/include/libxml2 /usr/local/apache2/include /usr/local/apr/include/apr-1 /usr/local/apr/include/apr-1" +CORE_LIBS="$CORE_LIBS $ngx_addon_dir/../../standalone/.libs/standalone.a -lapr-1 -laprutil-1 -lxml2 -lm " +CORE_INCS="$CORE_INCS /usr/include/apache2 /usr/include/apr-1.0 /usr/include/httpd /usr/include/apr-1 $ngx_addon_dir $ngx_addon_dir/../../standalone $ngx_addon_dir/../../apache2 /usr/include/libxml2 " | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/nginx/modsecurity/ngx_http_modsecurity.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at @@ -16,8 +16,6 @@ #include <apr_bucket_nginx.h> #include <ngx_pool_context.h> -#include <apr_base64.h> - #undef CR #undef LF #undef CRLF @@ -54,6 +52,7 @@ static ngx_int_t ngx_http_modsecurity_preconfiguration(ngx_conf_t *cf); static ngx_int_t ngx_http_modsecurity_init(ngx_conf_t *cf); static ngx_int_t ngx_http_modsecurity_init_process(ngx_cycle_t *cycle); +static void ngx_http_modsecurity_exit_process(ngx_cycle_t *cycle); static void *ngx_http_modsecurity_create_loc_conf(ngx_conf_t *cf); static char *ngx_http_modsecurity_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child); static char *ngx_http_modsecurity_config(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); @@ -61,7 +60,6 @@ static ngx_http_modsecurity_ctx_t * ngx_http_modsecurity_create_ctx(ngx_http_request_t *r); static int ngx_http_modsecurity_drop_action(request_rec *r); -static void ngx_http_modsecurity_finalize(void *data); static void ngx_http_modsecurity_cleanup(void *data); static int ngx_http_modsecurity_save_headers_in_visitor(void *data, const char *key, const char *value); @@ -115,8 +113,8 @@ ngx_http_modsecurity_init_process, /* init process */ NULL, /* init thread */ NULL, /* exit thread */ - NULL, /* exit process */ - NULL, /* exit master */ + ngx_http_modsecurity_exit_process, /* exit process */ + ngx_http_modsecurity_exit_process, /* exit master */ NGX_MODULE_V1_PADDING }; @@ -158,8 +156,7 @@ } -static inline int -ngx_http_modsecurity_method_number(unsigned int nginx) +static inline int ngx_http_modsecurity_method_number(unsigned int nginx) { /* * http://graphics.stanford.edu/~seander/bithacks.html#ZerosOnRightMultLookup 
@@ -249,7 +246,7 @@ } #endif - req->parsed_uri.path = (char *)ngx_pstrdup0(r->pool, &r->uri); + req->parsed_uri.path = req->path_info; req->parsed_uri.is_initialized = 1; str.data = r->port_start; @@ -257,7 +254,7 @@ req->parsed_uri.port = ngx_atoi(str.data, str.len); req->parsed_uri.port_str = (char *)ngx_pstrdup0(r->pool, &str); - req->parsed_uri.query = r->args.len ? req->args : NULL; + req->parsed_uri.query = req->args; req->parsed_uri.dns_looked_up = 0; req->parsed_uri.dns_resolved = 0; @@ -789,29 +786,6 @@ return 1; } - -static ngx_inline ngx_int_t -ngx_http_modsecurity_status(ngx_http_request_t *r, int status) -{ - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: status %d", status); - - if (status == DECLINED || status == APR_SUCCESS) { - return NGX_DECLINED; - } - - /* nginx known status */ - if ( (status >= 300 && status < 308) /* 3XX */ - || (status >= 400 && status < 417) /* 4XX */ - || (status >= 500 && status < 508) /* 5XX */ - || (status == NGX_HTTP_CREATED || status == NGX_HTTP_NO_CONTENT) ) { - - return status; - } - - return NGX_HTTP_INTERNAL_SERVER_ERROR; -} - - /* create loc conf struct */ static void * ngx_http_modsecurity_create_loc_conf(ngx_conf_t *cf) @@ -884,8 +858,7 @@ static ngx_int_t ngx_http_modsecurity_preconfiguration(ngx_conf_t *cf) { - server_rec *s; - ngx_pool_cleanup_t *cln; + server_rec *s; /* XXX: temporary hack, nginx uses pcre as well and hijacks these two */ pcre_malloc = modsec_pcre_malloc; @@ -900,12 +873,6 @@ return NGX_ERROR; } - cln = ngx_pool_cleanup_add(cf->pool, 0); - if (cln == NULL) { - return NGX_ERROR; - } - cln->handler = ngx_http_modsecurity_finalize; - /* set host name */ s->server_hostname = ngx_palloc(cf->pool, ngx_cycle->hostname.len + 1); if (s->server_hostname == NULL) { @@ -919,12 +886,6 @@ } -static void -ngx_http_modsecurity_finalize(void *data) -{ - modsecTerminate(); -} - static ngx_int_t ngx_http_modsecurity_init(ngx_conf_t *cf) 
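Review bot: `req->parsed_uri.path = req->path_info;` makes the parsed path alias whatever `path_info` holds instead of a copy of `r->uri`; whether `path_info` is populated before this point is outside the hunk, and if it is not, `parsed_uri.path` is NULL and every rule target derived from the request path inspects nothing. `req->parsed_uri.query = req->args;` likewise drops the `r->args.len ?` guard, so a request without a query string no longer yields NULL here but whatever `load_request` stored in `req->args` for the empty case. Unless there is a confirmed reason `path_info` is the right source, keep `req->parsed_uri.path = (char *)ngx_pstrdup0(r->pool, &r->uri);` and `req->parsed_uri.query = r->args.len ? req->args : NULL;`. The enclosing function starts and ends outside the hunk.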
@@ -935,6 +896,9 @@ modsecFinalizeConfig(); cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module); + if (cmcf == NULL) { + return NGX_ERROR; + } h = ngx_array_push(&cmcf->phases[NGX_HTTP_PREACCESS_PHASE].handlers); if (h == NULL) { @@ -957,12 +921,17 @@ static ngx_int_t ngx_http_modsecurity_init_process(ngx_cycle_t *cycle) { - /* must set log hook here cf->log maybe changed */ modsecSetLogHook(cycle->log, modsecLog); modsecInitProcess(); return NGX_OK; } +static void +ngx_http_modsecurity_exit_process(ngx_cycle_t *cycle) +{ + modsecTerminate(); +} + /* ** [ENTRY POINT] does : this function called by nginx from the request handler @@ -983,18 +952,18 @@ ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: handler"); - /* create / retrive request ctx */ if (r->internal) { - + /* we have already processed the request headers with previous loc conf */ + + /* TODO: do we need update ctx and process headers again? */ ctx = ngx_http_get_module_pool_ctx(r, ngx_http_modsecurity); if (ctx) { - /* we have already processed the request headers */ ngx_http_set_ctx(r, ctx, ngx_http_modsecurity); return NGX_DECLINED; } - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: request pool ctx empty"); + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: get internel request ctx failed"); } ctx = ngx_http_modsecurity_create_ctx(r); 
@@ -1009,34 +978,52 @@ return NGX_ERROR; } - /* load request to request rec */ - if (ngx_http_modsecurity_load_request(r) != NGX_OK - || ngx_http_modsecurity_load_headers_in(r) != NGX_OK) { + ngx_http_modsecurity_load_request(r); + + if (ngx_http_modsecurity_load_headers_in(r) != NGX_OK) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } /* processing request headers */ - rc = ngx_http_modsecurity_status(r, modsecProcessRequestHeaders(ctx->req)); + rc = modsecProcessRequestHeaders(ctx->req); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessRequestHeaders %d", rc); - if (rc != NGX_DECLINED) { - return rc; + if (rc == DECLINED) { + + if (modsecIsRequestBodyAccessEnabled(ctx->req) + && r->method == NGX_HTTP_POST) { + + /* Processing POST request body, should we process PUT? */ + rc = ngx_http_read_client_request_body(r, ngx_http_modsecurity_body_handler); + if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { + return rc; + } + + return NGX_DONE; + } + /* other method */ + rc = modsecProcessRequestBody(ctx->req); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessRequestBody %d", rc); } - if (r->method == NGX_HTTP_POST - && modsecIsRequestBodyAccessEnabled(ctx->req) ) { + if (rc != DECLINED) { - /* read POST request body, should we process PUT? */ - rc = ngx_http_read_client_request_body(r, ngx_http_modsecurity_body_handler); - if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { - return rc; + /* Nginx and Apache share same response code */ + if (rc < NGX_HTTP_SPECIAL_RESPONSE || rc >= 600) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; } + return rc; + } + + /* + if (ngx_http_modsecurity_save_headers_in(r) != NGX_OK) { - return NGX_DONE; + return NGX_HTTP_INTERNAL_SERVER_ERROR; } - - /* other method */ - return ngx_http_modsecurity_status(r, modsecProcessRequestBody(ctx->req)); + */ + + return NGX_DECLINED; } 
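Review bot: `ngx_http_modsecurity_load_request(r);` now discards its return value, whereas the old code treated anything but NGX_OK as fatal and returned 500; if `load_request` still reports failure, the handler goes on to `modsecProcessRequestHeaders(ctx->req)` with a partially populated request_rec and the rules silently inspect incomplete data, which for a WAF is a fail-open. Keep the check: `if (ngx_http_modsecurity_load_request(r) != NGX_OK || ngx_http_modsecurity_load_headers_in(r) != NGX_OK) { return NGX_HTTP_INTERNAL_SERVER_ERROR; }`. The `ngx_http_modsecurity_save_headers_in(r)` call is now commented out entirely; if its job is to copy header changes made during rule processing back to nginx, those changes are now lost silently, and a comment stating why it was disabled would help. The handler starts before this hunk.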
@@ -1051,12 +1038,19 @@ ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); if (ngx_http_modsecurity_load_request_body(r) != NGX_OK) { + return ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); } - rc = ngx_http_modsecurity_status(r, modsecProcessRequestBody(ctx->req)); + rc = modsecProcessRequestBody(ctx->req); + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessRequestBody %d", rc); - if (rc != NGX_DECLINED) { + if (rc != DECLINED) { + /* Nginx and Apache share same response code */ + if (rc < NGX_HTTP_SPECIAL_RESPONSE || rc >= 600) { + rc = NGX_HTTP_INTERNAL_SERVER_ERROR; + } return ngx_http_finalize_request(r, rc); } 
@@ -1076,48 +1070,18 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r) { ngx_http_modsecurity_loc_conf_t *cf; ngx_http_modsecurity_ctx_t *ctx; - const char *location; - ngx_table_elt_t *h; ngx_int_t rc; - cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity); ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); - /* already processed, checking redirect action. */ - if (ctx && ctx->complete - && r->err_status >= NGX_HTTP_MOVED_PERMANENTLY - && r->err_status < 308) { - - /* 3XX load redirect location header so that we can do redirect in phase 3,4 */ - location = apr_table_get(ctx->req->headers_out, "Location"); - - if (location == NULL) { - return NGX_HTTP_INTERNAL_SERVER_ERROR; - } - - h = ngx_list_push(&r->headers_out.headers); - if (h == NULL) { - return NGX_HTTP_INTERNAL_SERVER_ERROR; - } - - h->hash = 1; - h->key.data = (u_char *)"Location"; - h->key.len = ngx_strlen("Location"); - h->value.data = (u_char *)location; - h->value.len = ngx_strlen(location); - - return ngx_http_next_header_filter(r); - } - - if (r != r->main || !cf->enable || ctx == NULL ||ctx->complete) { + if (r != r->main || !cf->enable || ctx->complete) { return ngx_http_next_header_filter(r); } ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: header filter"); - /* header only or SecResponseBodyAccess off */ - if (r->header_only || (!modsecIsResponseBodyAccessEnabled(ctx->req)) ) { + if (r->method == NGX_HTTP_HEAD || r->header_only) { ctx->complete = 1; 
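Review bot: The guard `if (r != r->main || !cf->enable || ctx->complete)` dereferences `ctx` without the `ctx == NULL` test the old condition had; `ctx` comes from `ngx_http_get_module_ctx`, which returns NULL for any request the PREACCESS handler did not process (e.g. a response produced before that phase ran), so the header filter will crash the worker on such a response — a remotely triggerable DoS against the WAF-fronted server if an attacker can provoke one of those paths. Restore the check: `if (r != r->main || !cf->enable || ctx == NULL || ctx->complete) {`. The body filter further down in this diff drops the identical `ctx == NULL` test and needs the same fix. The old `!modsecIsResponseBodyAccessEnabled(ctx->req)` short-cut is also gone, so it appears every response is now buffered in full by the body filter regardless of SecResponseBodyAccess; if that is intended, the memory cost deserves a comment. The function continues past the end of the hunk.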
@@ -1127,26 +1091,26 @@ return NGX_HTTP_INTERNAL_SERVER_ERROR; } - rc = ngx_http_modsecurity_status(r, modsecProcessResponse(ctx->req)); + rc = modsecProcessResponse(ctx->req); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessResponse %d", rc); - if (rc != NGX_DECLINED) { - return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, rc); + if (rc == DECLINED || rc == APR_SUCCESS) { + + if (ngx_http_modsecurity_save_headers_in(r) != NGX_OK + || ngx_http_modsecurity_save_headers_out(r) != NGX_OK) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + return ngx_http_next_header_filter(r); } - if (ngx_http_modsecurity_save_headers_in(r) != NGX_OK - || ngx_http_modsecurity_save_headers_out(r) != NGX_OK) { - return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, NGX_HTTP_INTERNAL_SERVER_ERROR); + if (rc < NGX_HTTP_SPECIAL_RESPONSE || rc >= 600) { + rc = NGX_HTTP_INTERNAL_SERVER_ERROR; } - return ngx_http_next_header_filter(r); + return rc; } - /* SecResponseBodyAccess on, process rules in body filter */ - - /* pretend we are ngx_http_header_filter */ - r->header_sent = 1; - - r->filter_need_in_memory = 1; return NGX_OK; } 
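Review bot: The removed `r->filter_need_in_memory = 1;` is what forced response buffers into memory; without it, with sendfile or a file-backed upstream buffer the body filter can receive in-file buffers whose `pos`/`last` carry no data, so whatever `move_chain_to_brigade` copies may be empty and `modsecProcessResponse` inspects an empty body and passes the response through unexamined. I cannot see `move_chain_to_brigade`, so confirm, but unless it handles `buf->in_file` itself the flag should stay set when the headers are deferred to the body filter, i.e. `r->filter_need_in_memory = 1;` immediately before the final `return NGX_OK;`. The function starts before this hunk.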
@@ -1158,105 +1122,80 @@ ngx_http_modsecurity_ctx_t *ctx; ngx_int_t rc; apr_off_t content_length; - ngx_chain_t *cl, *out; - ngx_int_t last_buf = 0; cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity); ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); - if (r != r->main || !cf->enable || ctx == NULL || ctx->complete) { + if (r != r->main || !cf->enable || ctx->complete) { return ngx_http_next_body_filter(r, in); } ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: body filter"); - for (cl = in; cl; cl = cl->next) { - apr_bucket *e; - ngx_buf_t *buf = cl->buf; - apr_bucket_brigade *bb = ctx->brigade; - off_t size = ngx_buf_size(buf); - if (size) { - char *data = apr_pmemdup(bb->p, buf->pos, size); - if (data == NULL) { - return ngx_http_filter_finalize_request(r, - &ngx_http_modsecurity, NGX_HTTP_INTERNAL_SERVER_ERROR); - } - e = apr_bucket_pool_create(data , size, bb->p, bb->bucket_alloc); - if (e == NULL) { - return ngx_http_filter_finalize_request(r, - &ngx_http_modsecurity, NGX_HTTP_INTERNAL_SERVER_ERROR); - } - APR_BRIGADE_INSERT_TAIL(bb, e); - } - - if (buf->last_buf) { - last_buf = 1; - buf->last_buf = 0; - e = apr_bucket_eos_create(bb->bucket_alloc); - if (e == NULL) { - return ngx_http_filter_finalize_request(r, - &ngx_http_modsecurity, NGX_HTTP_INTERNAL_SERVER_ERROR); - } - APR_BRIGADE_INSERT_TAIL(bb, e); - break; - } - - buf->pos = buf->last; + if (in == NULL) { + return NGX_AGAIN; } - if (!last_buf) { - return NGX_AGAIN; + rc = move_chain_to_brigade(in, ctx->brigade, r->pool, 0); + if (rc != NGX_OK) { + return rc; } /* last buf has been saved */ + ctx->complete = 1; modsecSetResponseBrigade(ctx->req, ctx->brigade); + // TODO: do we need reload headers_in ? 
+ // if (ngx_http_modsecurity_load_headers_in(r) != NGX_OK || ngx_http_modsecurity_load_headers_out(r) != NGX_OK) { - return ngx_http_filter_finalize_request(r, - &ngx_http_modsecurity, NGX_HTTP_INTERNAL_SERVER_ERROR); + return NGX_HTTP_INTERNAL_SERVER_ERROR; } - rc = ngx_http_modsecurity_status(r, modsecProcessResponse(ctx->req)); + rc = modsecProcessResponse(ctx->req); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessResponse %d", rc); - if (rc != NGX_DECLINED) { - return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, rc); - } + if (rc == DECLINED || rc == APR_SUCCESS) { - apr_brigade_length(ctx->brigade, 0, &content_length); + in = NULL; - rc = move_brigade_to_chain(ctx->brigade, &out, r->pool); - if (rc == NGX_ERROR) { - return ngx_http_filter_finalize_request(r, - &ngx_http_modsecurity, NGX_HTTP_INTERNAL_SERVER_ERROR); - } + apr_brigade_length(ctx->brigade, 0, &content_length); - if (ngx_http_modsecurity_save_headers_in(r) != NGX_OK - ||ngx_http_modsecurity_save_headers_out(r) != NGX_OK) { + rc = move_brigade_to_chain(ctx->brigade, &in, r->pool); + if (rc == NGX_ERROR) { + return NGX_ERROR; + } - return ngx_http_filter_finalize_request(r, - &ngx_http_modsecurity, NGX_HTTP_INTERNAL_SERVER_ERROR); - } + if (ngx_http_modsecurity_save_headers_in(r) != NGX_OK + ||ngx_http_modsecurity_save_headers_out(r) != NGX_OK) { - if (r->headers_out.content_length_n != -1) { + return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, NGX_HTTP_INTERNAL_SERVER_ERROR); + } - r->headers_out.content_length_n = content_length; - r->headers_out.content_length = NULL; /* header filter will set this */ - } + if (r->headers_out.content_length_n != -1) { + + r->headers_out.content_length_n = content_length; + r->headers_out.content_length = NULL; /* header filter will set this */ + } + + rc = ngx_http_next_header_filter(r); + + if (rc == NGX_ERROR || rc > NGX_OK) { + return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, 
rc); + } - r->header_sent = 0; - rc = ngx_http_next_header_filter(r); + return ngx_http_next_body_filter(r, in); + } - if (rc == NGX_ERROR || rc > NGX_OK) { - return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, rc); + if (rc < NGX_HTTP_SPECIAL_RESPONSE || rc >= 600) { + rc = NGX_HTTP_INTERNAL_SERVER_ERROR; } - return ngx_http_next_body_filter(r, out); + return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, rc); } -#define TXID_SIZE 25 static ngx_http_modsecurity_ctx_t * ngx_http_modsecurity_create_ctx(ngx_http_request_t *r) @@ -1266,9 +1205,6 @@ ngx_http_modsecurity_ctx_t *ctx; apr_sockaddr_t *asa; struct sockaddr_in *sin; - char *txid; - unsigned char salt[TXID_SIZE]; - int i; #if (NGX_HAVE_INET6) struct sockaddr_in6 *sin6; #endif @@ -1342,26 +1278,7 @@ ctx->req = modsecNewRequest(ctx->connection, cf->config); apr_table_setn(ctx->req->notes, NOTE_NGINX_REQUEST_CTX, (const char *) ctx); - apr_generate_random_bytes(salt, TXID_SIZE); - - txid = apr_pcalloc (ctx->req->pool, TXID_SIZE); - apr_base64_encode (txid, (const char*)salt, TXID_SIZE); - - for(i=0;i<TXID_SIZE;i++) { - if((salt[i] >= 0x30) && (salt[i] <= 0x39)) {} - else if((salt[i] >= 0x40) && (salt[i] <= 0x5A)) {} - else if((salt[i] >= 0x61) && (salt[i] <= 0x7A)) {} - else { - if((i%2)==0) - salt[i] = 0x41; - else - salt[i] = 0x63; - } - } - - salt[i] = '\0'; - - apr_table_setn(ctx->req->subprocess_env, "UNIQUE_ID", apr_psprintf(ctx->req->pool, "%s", salt)); + apr_table_setn(ctx->req->subprocess_env, "UNIQUE_ID", "12345"); ctx->brigade = apr_brigade_create(ctx->req->pool, ctx->req->connection->bucket_alloc); @@ -1372,7 +1289,7 @@ return ctx; } - static void +static void ngx_http_modsecurity_cleanup(void *data) { ngx_http_modsecurity_ctx_t *ctx = data; @@ -1382,7 +1299,7 @@ } } - static char * +static char * ngx_http_modsecurity_config(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { ngx_http_modsecurity_loc_conf_t *mscf = conf; 
@@ -1408,7 +1325,7 @@ msg = modsecProcessConfig(mscf->config, (const char *)value[1].data, NULL); if (msg != NULL) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "ModSecurityConfig in %s:%ui: %s", - cf->conf_file->file.name.data, cf->conf_file->line, msg); + cf->conf_file->file.name.data, cf->conf_file->line, msg); return NGX_CONF_ERROR; } @@ -1416,7 +1333,7 @@ } - static char * +static char * ngx_http_modsecurity_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { ngx_http_modsecurity_loc_conf_t *mscf = conf; @@ -1434,7 +1351,7 @@ } - static int +static int ngx_http_modsecurity_drop_action(request_rec *r) { ngx_http_modsecurity_ctx_t *ctx; | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/nginx/modsecurity/ngx_pool_context.c ^ |
@@ -196,7 +196,7 @@ { ngx_pool_context_conf_t *pcf = conf; - ngx_conf_init_uint_value(pcf->size, cycle->connection_n); + ngx_conf_init_uint_value(pcf->size, NGX_POOL_CTX_SIZE); ngx_pool_context_hash_size = pcf->size; | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/standalone/Makefile.am ^ |
@@ -13,7 +13,7 @@ ../apache2/msc_util.c ../apache2/msc_pcre.c ../apache2/persist_dbm.c ../apache2/msc_reqbody.c \ ../apache2/msc_geo.c ../apache2/msc_gsb.c ../apache2/msc_unicode.c \ ../apache2/acmp.c ../apache2/msc_lua.c ../apache2/msc_release.c \ - ../apache2/msc_crypt.c ../apache2/msc_tree.c ../apache2/libinjection/sqlparse.c \ + ../apache2/msc_crypt.c ../apache2/msc_tree.c \ api.c buckets.c \ config.c filters.c \ hooks.c \ @@ -72,10 +72,6 @@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ endif -standalone_INCS = `echo "@LIBXML2_CFLAGS@ @LUA_CFLAGS@" | sed -n 's/ *-I *\([^ ]*\) /\1 /gp'` \ - @APXS_INCLUDEDIR@ @APR_INCLUDEDIR@ @APU_INCLUDEDIR@ -standalone_LIBS = @APR_LINKLD@ @APU_LINKLD@ @APXS_LDFLAGS@ \ - @PCRE_LDADD@ @LIBXML2_LDADD@ @LUA_LDADD@ install-exec-hook: $(pkglib_LTLIBRARIES) @echo "Creating Nginx config file..."; \ rm -f ../nginx/modsecurity/config; \ 
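Review bot: Dropping `../apache2/libinjection/sqlparse.c` from `standalone_la_SOURCES` removes the libinjection SQLi detector from the standalone/nginx build; if `re_operators.c` in this tree still implements `@detectSQLi` through it, `standalone.a` ends up with unresolved libinjection symbols, and if the operator was stripped instead, any rule set using `@detectSQLi` fails at config load — either way it should be deliberate and stated here, not an incidental revert. Keep the source line: `../apache2/msc_crypt.c ../apache2/msc_tree.c ../apache2/libinjection/sqlparse.c \`. The second hunk deletes the configure-derived `standalone_INCS`/`standalone_LIBS`, which is what let the nginx config inherit the APR/APU/libxml2 locations autoconf actually detected.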
@@ -83,9 +79,9 @@ echo "CORE_MODULES=\"\$$CORE_MODULES ngx_pool_context_module\"" >> ../nginx/modsecurity/config; \ echo "HTTP_AUX_FILTER_MODULES=\"ngx_http_modsecurity \$$HTTP_AUX_FILTER_MODULES\"" >> ../nginx/modsecurity/config; \ echo "NGX_ADDON_SRCS=\"\$$NGX_ADDON_SRCS \$$ngx_addon_dir/ngx_http_modsecurity.c \$$ngx_addon_dir/apr_bucket_nginx.c \$$ngx_addon_dir/ngx_pool_context.c\"" >> ../nginx/modsecurity/config;\ - echo "NGX_ADDON_DEPS=\"\$$NGX_ADDON_DEPS \$$ngx_addon_dir/apr_bucket_nginx.h \$$ngx_addon_dir/ngx_pool_context.h \$$ngx_addon_dir/ngx_http_modsecurity.c \$$ngx_addon_dir/apr_bucket_nginx.c \$$ngx_addon_dir/ngx_pool_context.c\"" >> ../nginx/modsecurity/config; \ - echo "CORE_LIBS=\"\$$CORE_LIBS \$$ngx_addon_dir/../../standalone/.libs/standalone.a $(standalone_LIBS) \"" >> ../nginx/modsecurity/config; \ - echo "CORE_INCS=\"\$$CORE_INCS \$$ngx_addon_dir \$$ngx_addon_dir/../../standalone \$$ngx_addon_dir/../../apache2 $(standalone_INCS)\"" >> ../nginx/modsecurity/config; \ + echo "NGX_ADDON_DEPS=\"\$$NGX_ADDON_DEPS \$$ngx_addon_dir/apr_bucket_nginx.h \$$ngx_addon_dir/ngx_pool_context.h\"" >> ../nginx/modsecurity/config; \ + echo "CORE_LIBS=\"\$$CORE_LIBS \$$ngx_addon_dir/../../standalone/.libs/standalone.a -lapr-1 -laprutil-1 -lxml2 -lm @LUA_LDADD@\"" >> ../nginx/modsecurity/config; \ + echo "CORE_INCS=\"\$$CORE_INCS /usr/include/apache2 /usr/include/apr-1.0 /usr/include/httpd /usr/include/apr-1 \$$ngx_addon_dir \$$ngx_addon_dir/../../standalone \$$ngx_addon_dir/../../apache2 /usr/include/libxml2 `echo @LUA_CFLAGS@ | cut -d "I" -f3`\"" >> ../nginx/modsecurity/config; \ echo "Removing unused static libraries..."; \ for m in $(pkglib_LTLIBRARIES); do \ base=`echo $$m | sed 's/\..*//'`; \ | ||
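Review bot: The generated `CORE_INCS` now hard-codes `/usr/include/apache2 /usr/include/apr-1.0 /usr/include/httpd /usr/include/apr-1` and extracts the Lua include directory with `cut -d "I" -f3` on `@LUA_CFLAGS@`, which ties the build to one distro layout and silently compiles the nginx module against whatever APR/httpd headers happen to live there rather than the ones configure found — an ABI mismatch here is a crash at runtime, not a build error. If the packaging genuinely needs fixed paths, name the target platform in a comment above the `install-exec-hook` and prefer `$(APR_INCLUDEDIR)`/`$(APU_INCLUDEDIR)` style substitutions over literal paths. The `cut` on `-I` also breaks as soon as a Lua include path contains the letter I.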
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/standalone/Makefile.in ^ |
@@ -89,11 +89,10 @@ standalone_la-msc_gsb.lo standalone_la-msc_unicode.lo \ standalone_la-acmp.lo standalone_la-msc_lua.lo \ standalone_la-msc_release.lo standalone_la-msc_crypt.lo \ - standalone_la-msc_tree.lo standalone_la-sqlparse.lo \ - standalone_la-api.lo standalone_la-buckets.lo \ - standalone_la-config.lo standalone_la-filters.lo \ - standalone_la-hooks.lo standalone_la-regex.lo \ - standalone_la-server.lo + standalone_la-msc_tree.lo standalone_la-api.lo \ + standalone_la-buckets.lo standalone_la-config.lo \ + standalone_la-filters.lo standalone_la-hooks.lo \ + standalone_la-regex.lo standalone_la-server.lo standalone_la_OBJECTS = $(am_standalone_la_OBJECTS) standalone_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(standalone_la_CFLAGS) \ @@ -122,17 +121,13 @@ APR_CFLAGS = @APR_CFLAGS@ APR_CONFIG = @APR_CONFIG@ APR_CPPFLAGS = @APR_CPPFLAGS@ -APR_INCLUDEDIR = @APR_INCLUDEDIR@ APR_LDADD = @APR_LDADD@ APR_LDFLAGS = @APR_LDFLAGS@ -APR_LINKLD = @APR_LINKLD@ APR_VERSION = @APR_VERSION@ APU_CFLAGS = @APU_CFLAGS@ APU_CONFIG = @APU_CONFIG@ -APU_INCLUDEDIR = @APU_INCLUDEDIR@ APU_LDADD = @APU_LDADD@ APU_LDFLAGS = @APU_LDFLAGS@ -APU_LINKLD = @APU_LINKLD@ APU_VERSION = @APU_VERSION@ APXS = @APXS@ APXS_BINDIR = @APXS_BINDIR@ @@ -311,7 +306,7 @@ ../apache2/msc_util.c ../apache2/msc_pcre.c ../apache2/persist_dbm.c ../apache2/msc_reqbody.c \ ../apache2/msc_geo.c ../apache2/msc_gsb.c ../apache2/msc_unicode.c \ ../apache2/acmp.c ../apache2/msc_lua.c ../apache2/msc_release.c \ - ../apache2/msc_crypt.c ../apache2/msc_tree.c ../apache2/libinjection/sqlparse.c \ + ../apache2/msc_crypt.c ../apache2/msc_tree.c \ api.c buckets.c \ config.c filters.c \ hooks.c \ 
@@ -354,12 +349,6 @@ @SOLARIS_TRUE@ @APR_LDFLAGS@ @APU_LDFLAGS@ @APXS_LDFLAGS@ \ @SOLARIS_TRUE@ @PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@ -standalone_INCS = `echo "@LIBXML2_CFLAGS@ @LUA_CFLAGS@" | sed -n 's/ *-I *\([^ ]*\) /\1 /gp'` \ - @APXS_INCLUDEDIR@ @APR_INCLUDEDIR@ @APU_INCLUDEDIR@ - -standalone_LIBS = @APR_LINKLD@ @APU_LINKLD@ @APXS_LDFLAGS@ \ - @PCRE_LDADD@ @LIBXML2_LDADD@ @LUA_LDADD@ - all: all-am .SUFFIXES: @@ -467,7 +456,6 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/standalone_la-re_variables.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/standalone_la-regex.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/standalone_la-server.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/standalone_la-sqlparse.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< 
@@ -672,13 +660,6 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(standalone_la_CPPFLAGS) $(CPPFLAGS) $(standalone_la_CFLAGS) $(CFLAGS) -c -o standalone_la-msc_tree.lo `test -f '../apache2/msc_tree.c' || echo '$(srcdir)/'`../apache2/msc_tree.c -standalone_la-sqlparse.lo: ../apache2/libinjection/sqlparse.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(standalone_la_CPPFLAGS) $(CPPFLAGS) $(standalone_la_CFLAGS) $(CFLAGS) -MT standalone_la-sqlparse.lo -MD -MP -MF $(DEPDIR)/standalone_la-sqlparse.Tpo -c -o standalone_la-sqlparse.lo `test -f '../apache2/libinjection/sqlparse.c' || echo '$(srcdir)/'`../apache2/libinjection/sqlparse.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/standalone_la-sqlparse.Tpo $(DEPDIR)/standalone_la-sqlparse.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='../apache2/libinjection/sqlparse.c' object='standalone_la-sqlparse.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(standalone_la_CPPFLAGS) $(CPPFLAGS) $(standalone_la_CFLAGS) $(CFLAGS) -c -o standalone_la-sqlparse.lo `test -f '../apache2/libinjection/sqlparse.c' || echo '$(srcdir)/'`../apache2/libinjection/sqlparse.c - standalone_la-api.lo: api.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(standalone_la_CPPFLAGS) $(CPPFLAGS) $(standalone_la_CFLAGS) $(CFLAGS) -MT standalone_la-api.lo -MD -MP -MF $(DEPDIR)/standalone_la-api.Tpo -c -o standalone_la-api.lo `test -f 'api.c' || echo '$(srcdir)/'`api.c 
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/standalone_la-api.Tpo $(DEPDIR)/standalone_la-api.Plo @@ -937,6 +918,7 @@ pdf pdf-am ps ps-am tags uninstall uninstall-am \ uninstall-pkglibLTLIBRARIES + install-exec-hook: $(pkglib_LTLIBRARIES) @echo "Creating Nginx config file..."; \ rm -f ../nginx/modsecurity/config; \ 
@@ -944,9 +926,9 @@ echo "CORE_MODULES=\"\$$CORE_MODULES ngx_pool_context_module\"" >> ../nginx/modsecurity/config; \ echo "HTTP_AUX_FILTER_MODULES=\"ngx_http_modsecurity \$$HTTP_AUX_FILTER_MODULES\"" >> ../nginx/modsecurity/config; \ echo "NGX_ADDON_SRCS=\"\$$NGX_ADDON_SRCS \$$ngx_addon_dir/ngx_http_modsecurity.c \$$ngx_addon_dir/apr_bucket_nginx.c \$$ngx_addon_dir/ngx_pool_context.c\"" >> ../nginx/modsecurity/config;\ - echo "NGX_ADDON_DEPS=\"\$$NGX_ADDON_DEPS \$$ngx_addon_dir/apr_bucket_nginx.h \$$ngx_addon_dir/ngx_pool_context.h \$$ngx_addon_dir/ngx_http_modsecurity.c \$$ngx_addon_dir/apr_bucket_nginx.c \$$ngx_addon_dir/ngx_pool_context.c\"" >> ../nginx/modsecurity/config; \ - echo "CORE_LIBS=\"\$$CORE_LIBS \$$ngx_addon_dir/../../standalone/.libs/standalone.a $(standalone_LIBS) \"" >> ../nginx/modsecurity/config; \ - echo "CORE_INCS=\"\$$CORE_INCS \$$ngx_addon_dir \$$ngx_addon_dir/../../standalone \$$ngx_addon_dir/../../apache2 $(standalone_INCS)\"" >> ../nginx/modsecurity/config; \ + echo "NGX_ADDON_DEPS=\"\$$NGX_ADDON_DEPS \$$ngx_addon_dir/apr_bucket_nginx.h \$$ngx_addon_dir/ngx_pool_context.h\"" >> ../nginx/modsecurity/config; \ + echo "CORE_LIBS=\"\$$CORE_LIBS \$$ngx_addon_dir/../../standalone/.libs/standalone.a -lapr-1 -laprutil-1 -lxml2 -lm @LUA_LDADD@\"" >> ../nginx/modsecurity/config; \ + echo "CORE_INCS=\"\$$CORE_INCS /usr/include/apache2 /usr/include/apr-1.0 /usr/include/httpd /usr/include/apr-1 \$$ngx_addon_dir \$$ngx_addon_dir/../../standalone \$$ngx_addon_dir/../../apache2 /usr/include/libxml2 `echo @LUA_CFLAGS@ | cut -d "I" -f3`\"" >> ../nginx/modsecurity/config; \ echo "Removing unused static libraries..."; \ for m in $(pkglib_LTLIBRARIES); do \ base=`echo $$m | sed 's/\..*//'`; \ | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/standalone/api.c ^ |
@@ -1,6 +1,6 @@ /* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at @@ -223,10 +223,40 @@ } apr_status_t ap_http_out_filter(ap_filter_t *f, apr_bucket_brigade *b) { + modsec_rec *msr = (modsec_rec *)f->ctx; apr_status_t rc; - apr_bucket_brigade *bb_out = (apr_bucket_brigade *)f->ctx; + apr_bucket_brigade *bb_out; + + bb_out = modsecGetResponseBrigade(f->r); + + + if (bb_out) { + APR_BRIGADE_CONCAT(bb_out, b); + return APR_SUCCESS; + } + + // is there a way to tell whether the response body was modified or not? + // + if((msr->txcfg->content_injection_enabled || msr->content_prepend_len != 0 || msr->content_append_len != 0) + && msr->txcfg->resbody_access) { + + if (modsecWriteResponse != NULL) { + char *data = NULL; + apr_size_t length; + + rc = apr_brigade_pflatten(msr->of_brigade, &data, &length, msr->mp); + + if (rc != APR_SUCCESS) { + msr_log(msr, 1, "Output filter: Failed to flatten brigade (%d): %s", rc, + get_apr_error(msr->mp, rc)); + return -1; + } + + /* TODO: return ?*/ + modsecWriteResponse(msr->r, data, msr->stream_output_length); + } + } - APR_BRIGADE_CONCAT(bb_out, b); return APR_SUCCESS; } 
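Review bot: `modsecWriteResponse(msr->r, data, msr->stream_output_length);` passes a length that is not the one `apr_brigade_pflatten` just produced in `length`; if `stream_output_length` is larger than the flattened `of_brigade` the callback reads past the end of `data`, and if smaller it truncates the injected response. Use the value that describes the buffer: `modsecWriteResponse(msr->r, data, length);`. Two smaller things in the same hunk: `return -1;` is not an `apr_status_t` (return the `rc` you just logged or `APR_EGENERAL`), and the `/* TODO: return ?*/` should be resolved so that a failed write is not reported upward as `APR_SUCCESS`. Whether `msr->stream_output_length` is meant to track `of_brigade` is outside the hunk, so confirm before changing.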
@@ -521,117 +551,74 @@ } int modsecProcessResponse(request_rec *r) { - int status; - modsec_rec *msr; - apr_bucket *e; - ap_filter_t *f; - apr_bucket_brigade *bb_in, *bb_out, *bb; - - if(r->output_filters == NULL) { - return DECLINED; - } - - msr = (modsec_rec *)r->output_filters->ctx; - if (msr == NULL) { - ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r->server, - "ModSecurity: Internal Error: msr is null in output filter."); - ap_remove_output_filter(r->output_filters); - return APR_EGENERAL; - } - - msr->r = r; - - /* create input response brigade */ - bb_in = apr_brigade_create(msr->mp, r->connection->bucket_alloc); - - if (bb_in == NULL) { - msr_log(msr, 1, "Process response: Failed to create brigade."); - return APR_EGENERAL; - } + int status = DECLINED; - /* get input response brigade */ - bb = modsecGetResponseBrigade(r); - if (bb != NULL) { - APR_BRIGADE_CONCAT(bb_in, bb); - if (!APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(bb_in))) { - e = apr_bucket_eos_create(bb_in->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(bb_in, e); - } - } else if (modsecReadResponse != NULL) { + if(r->output_filters != NULL) { + modsec_rec *msr = (modsec_rec *)r->output_filters->ctx; + char buf[8192]; + char *tmp = NULL; + apr_bucket *e = NULL; unsigned int readcnt = 0; int is_eos = 0; - char buf[8192]; - while(!is_eos) { - modsecReadResponse(r, buf, 8192, &readcnt, &is_eos); + ap_filter_t *f = NULL; + apr_bucket_brigade *bb_in, *bb = NULL; - if(readcnt > 0) { - char *tmp = (char *)apr_palloc(r->pool, readcnt); - memcpy(tmp, buf, readcnt); - e = apr_bucket_pool_create(tmp, readcnt, r->pool, r->connection->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(bb_in, e); - } + if (msr == NULL) { + ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r->server, + "ModSecurity: Internal Error: msr is null in output filter."); + ap_remove_output_filter(r->output_filters); + return send_error_bucket(msr, r->output_filters, HTTP_INTERNAL_SERVER_ERROR); } - e = 
apr_bucket_eos_create(r->connection->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(bb_in, e); - } else { - /* cannot read response body process header only */ - - e = apr_bucket_eos_create(r->connection->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(bb_in, e); - } - - bb_out = bb ? bb : apr_brigade_create(msr->mp, r->connection->bucket_alloc); - - if (bb_out == NULL) { - msr_log(msr, 1, "Process response: Failed to create brigade."); - return APR_EGENERAL; - } + bb = apr_brigade_create(msr->mp, r->connection->bucket_alloc); - /* concat output bucket to bb_out */ - f = ap_add_output_filter("HTTP_OUT", bb_out, r, r->connection); - status = ap_pass_brigade(r->output_filters, bb_in); - ap_remove_output_filter(f); - - if (status == APR_EGENERAL) { - /* retrive response status from bb_out */ - for(e = APR_BRIGADE_FIRST(bb_out); - e != APR_BRIGADE_SENTINEL(bb_out); - e = APR_BUCKET_NEXT(e)) { - if (AP_BUCKET_IS_ERROR(e)) { - return ((ap_bucket_error*) e->data)->status; - } + if (bb == NULL) { + msr_log(msr, 1, "Process response: Failed to create brigade."); + return APR_EGENERAL; } - return APR_EGENERAL; - } - if (status != DECLINED) { - return status; - } - - /* copy bb_out */ - // is there a way to tell whether the response body was modified or not? 
- if (modsecWriteResponse != NULL - && (msr->txcfg->content_injection_enabled || msr->content_prepend_len != 0 || msr->content_append_len != 0) - && msr->txcfg->resbody_access) { + msr->r = r; + + bb_in = modsecGetResponseBrigade(r); - char *data = NULL; - apr_size_t length; + if (bb_in != NULL) { + APR_BRIGADE_CONCAT(bb, bb_in); + if (!APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(bb))) { + e = apr_bucket_eos_create(bb->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, e); + } + } else if (modsecReadResponse != NULL) { + while(!is_eos) { + modsecReadResponse(r, buf, 8192, &readcnt, &is_eos); + + if(readcnt > 0) { + tmp = (char *)apr_palloc(r->pool, readcnt); + memcpy(tmp, buf, readcnt); + e = apr_bucket_pool_create(tmp, readcnt, r->pool, r->connection->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, e); + } + } - status = apr_brigade_pflatten(msr->of_brigade, &data, &length, msr->mp); + e = apr_bucket_eos_create(r->connection->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, e); + } else { + /* cannot read response body process header only */ - if (status != APR_SUCCESS) { - msr_log(msr, 1, "Output filter: Failed to flatten brigade (%d): %s", status, - get_apr_error(msr->mp, status)); - return APR_EGENERAL; + e = apr_bucket_eos_create(r->connection->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, e); } - - if ( modsecWriteResponse(msr->r, data, msr->stream_output_length) != APR_SUCCESS) { - return APR_EGENERAL; + + f = ap_add_output_filter("HTTP_OUT", msr, r, r->connection); + status = ap_pass_brigade(r->output_filters, bb); + ap_remove_output_filter(f); + if(status > 0 + && msr->intercept_actionset->intercept_status != 0) { + status = msr->intercept_actionset->intercept_status; } + return status; } - - return DECLINED; + + return status; } int modsecFinishRequest(request_rec *r) { | ||
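Review bot: In modsecProcessResponse, the new `msr == NULL` branch logs that msr is null and then calls `send_error_bucket(msr, r->output_filters, HTTP_INTERNAL_SERVER_ERROR)` with that same NULL pointer, on a filter `ap_remove_output_filter` has just unlinked; unless send_error_bucket is known to tolerate a NULL msr (its body is not in this diff), that is a NULL dereference on the error path, and the removed `return APR_EGENERAL;` was the safer exit. In ap_http_out_filter, when modsecGetResponseBrigade(f->r) returns NULL and the content-injection condition is false, the incoming brigade `b` is neither concatenated nor passed on and the function still returns APR_SUCCESS, so the response body is silently dropped where the removed code always ran `APR_BRIGADE_CONCAT(bb_out, b)`. The same function discards modsecWriteResponse's return value (`/* TODO: return ?*/`) although the removed code checked it against APR_SUCCESS, returns a bare `-1` instead of `APR_EGENERAL` on flatten failure, and computes `length` from apr_brigade_pflatten but hands `msr->stream_output_length` to the writer instead, so the byte count written and the size of the flattened buffer can disagree. The closing `msr->intercept_actionset->intercept_status` test also dereferences intercept_actionset without a NULL check; whether it is always set by then is not visible here (both functions are fully contained in their hunks).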
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/standalone/api.h ^ |
@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/standalone/buckets.c ^ |
@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/standalone/config.c ^ |
@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/standalone/filters.c ^ |
@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/standalone/hooks.c ^ |
@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/standalone/main.cpp ^ |
@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/standalone/regex.c ^ |
@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/standalone/server.c ^ |
@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/tests/Makefile.am ^ |
@@ -21,8 +21,7 @@ $(top_srcdir)/apache2/msc_gsb.c \ $(top_srcdir)/apache2/acmp.c \ $(top_srcdir)/apache2/msc_lua.c \ - $(top_srcdir)/apache2/msc_release.c \ - $(top_srcdir)/apache2/libinjection/sqlparse.c + $(top_srcdir)/apache2/msc_release.c msc_test_CFLAGS = @APXS_CFLAGS@ @APR_CFLAGS@ @APU_CFLAGS@ \ @PCRE_CFLAGS@ @LIBXML2_CFLAGS@ @MODSEC_EXTRA_CFLAGS@ @LUA_CFLAGS@ msc_test_CPPFLAGS = -I$(top_srcdir)/apache2 \ | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/tests/Makefile.in ^ |
@@ -68,8 +68,7 @@ msc_test-msc_reqbody.$(OBJEXT) msc_test-msc_crypt.$(OBJEXT) \ msc_test-msc_tree.$(OBJEXT) msc_test-msc_geo.$(OBJEXT) \ msc_test-msc_gsb.$(OBJEXT) msc_test-acmp.$(OBJEXT) \ - msc_test-msc_lua.$(OBJEXT) msc_test-msc_release.$(OBJEXT) \ - msc_test-sqlparse.$(OBJEXT) + msc_test-msc_lua.$(OBJEXT) msc_test-msc_release.$(OBJEXT) msc_test_OBJECTS = $(am_msc_test_OBJECTS) msc_test_DEPENDENCIES = msc_test_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ @@ -100,17 +99,13 @@ APR_CFLAGS = @APR_CFLAGS@ APR_CONFIG = @APR_CONFIG@ APR_CPPFLAGS = @APR_CPPFLAGS@ -APR_INCLUDEDIR = @APR_INCLUDEDIR@ APR_LDADD = @APR_LDADD@ APR_LDFLAGS = @APR_LDFLAGS@ -APR_LINKLD = @APR_LINKLD@ APR_VERSION = @APR_VERSION@ APU_CFLAGS = @APU_CFLAGS@ APU_CONFIG = @APU_CONFIG@ -APU_INCLUDEDIR = @APU_INCLUDEDIR@ APU_LDADD = @APU_LDADD@ APU_LDFLAGS = @APU_LDFLAGS@ -APU_LINKLD = @APU_LINKLD@ APU_VERSION = @APU_VERSION@ APXS = @APXS@ APXS_BINDIR = @APXS_BINDIR@ @@ -298,8 +293,7 @@ $(top_srcdir)/apache2/msc_gsb.c \ $(top_srcdir)/apache2/acmp.c \ $(top_srcdir)/apache2/msc_lua.c \ - $(top_srcdir)/apache2/msc_release.c \ - $(top_srcdir)/apache2/libinjection/sqlparse.c + $(top_srcdir)/apache2/msc_release.c msc_test_CFLAGS = @APXS_CFLAGS@ @APR_CFLAGS@ @APU_CFLAGS@ \ @PCRE_CFLAGS@ @LIBXML2_CFLAGS@ @MODSEC_EXTRA_CFLAGS@ @LUA_CFLAGS@ @@ -400,7 +394,6 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/msc_test-re_operators.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/msc_test-re_tfns.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/msc_test-re_variables.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/msc_test-sqlparse.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< 
@@ -745,20 +738,6 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(msc_test_CPPFLAGS) $(CPPFLAGS) $(msc_test_CFLAGS) $(CFLAGS) -c -o msc_test-msc_release.obj `if test -f '$(top_srcdir)/apache2/msc_release.c'; then $(CYGPATH_W) '$(top_srcdir)/apache2/msc_release.c'; else $(CYGPATH_W) '$(srcdir)/$(top_srcdir)/apache2/msc_release.c'; fi` -msc_test-sqlparse.o: $(top_srcdir)/apache2/libinjection/sqlparse.c -@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(msc_test_CPPFLAGS) $(CPPFLAGS) $(msc_test_CFLAGS) $(CFLAGS) -MT msc_test-sqlparse.o -MD -MP -MF $(DEPDIR)/msc_test-sqlparse.Tpo -c -o msc_test-sqlparse.o `test -f '$(top_srcdir)/apache2/libinjection/sqlparse.c' || echo '$(srcdir)/'`$(top_srcdir)/apache2/libinjection/sqlparse.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/msc_test-sqlparse.Tpo $(DEPDIR)/msc_test-sqlparse.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$(top_srcdir)/apache2/libinjection/sqlparse.c' object='msc_test-sqlparse.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(msc_test_CPPFLAGS) $(CPPFLAGS) $(msc_test_CFLAGS) $(CFLAGS) -c -o msc_test-sqlparse.o `test -f '$(top_srcdir)/apache2/libinjection/sqlparse.c' || echo '$(srcdir)/'`$(top_srcdir)/apache2/libinjection/sqlparse.c - -msc_test-sqlparse.obj: $(top_srcdir)/apache2/libinjection/sqlparse.c -@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(msc_test_CPPFLAGS) $(CPPFLAGS) $(msc_test_CFLAGS) $(CFLAGS) -MT msc_test-sqlparse.obj -MD -MP -MF $(DEPDIR)/msc_test-sqlparse.Tpo -c -o msc_test-sqlparse.obj `if test -f '$(top_srcdir)/apache2/libinjection/sqlparse.c'; then $(CYGPATH_W) '$(top_srcdir)/apache2/libinjection/sqlparse.c'; else $(CYGPATH_W) '$(srcdir)/$(top_srcdir)/apache2/libinjection/sqlparse.c'; fi` 
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/msc_test-sqlparse.Tpo $(DEPDIR)/msc_test-sqlparse.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$(top_srcdir)/apache2/libinjection/sqlparse.c' object='msc_test-sqlparse.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(msc_test_CPPFLAGS) $(CPPFLAGS) $(msc_test_CFLAGS) $(CFLAGS) -c -o msc_test-sqlparse.obj `if test -f '$(top_srcdir)/apache2/libinjection/sqlparse.c'; then $(CYGPATH_W) '$(top_srcdir)/apache2/libinjection/sqlparse.c'; else $(CYGPATH_W) '$(srcdir)/$(top_srcdir)/apache2/libinjection/sqlparse.c'; fi` - mostlyclean-libtool: -rm -f *.lo | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/tests/msc_test.c ^ |
@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 | ||
[+] | Changed | modsecurity-apache_2.7.3.tar.bz2/tools/Makefile.in ^ |
@@ -85,17 +85,13 @@ APR_CFLAGS = @APR_CFLAGS@ APR_CONFIG = @APR_CONFIG@ APR_CPPFLAGS = @APR_CPPFLAGS@ -APR_INCLUDEDIR = @APR_INCLUDEDIR@ APR_LDADD = @APR_LDADD@ APR_LDFLAGS = @APR_LDFLAGS@ -APR_LINKLD = @APR_LINKLD@ APR_VERSION = @APR_VERSION@ APU_CFLAGS = @APU_CFLAGS@ APU_CONFIG = @APU_CONFIG@ -APU_INCLUDEDIR = @APU_INCLUDEDIR@ APU_LDADD = @APU_LDADD@ APU_LDFLAGS = @APU_LDFLAGS@ -APU_LINKLD = @APU_LINKLD@ APU_VERSION = @APU_VERSION@ APXS = @APXS@ APXS_BINDIR = @APXS_BINDIR@ | ||
[+] | Deleted | modsecurity-apache_2.7.4.tar.bz2/apache2/libinjection ^ |
-(directory) | ||
[+] | Deleted | modsecurity-apache_2.7.4.tar.bz2/apache2/libinjection/COPYING.txt ^ |
@@ -1,37 +0,0 @@ -/* - * Copyright 2012, 2013 - * Nick Galbreath -- nickg [at] client9 [dot] com - * http://www.client9.com/projects/libinjection/ - * - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * Neither the name of libinjection nor the names of its - * contributors may be used to endorse or promote products derived from - * this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - * This is the standard "new" BSD license: - * http://www.opensource.org/licenses/bsd-license.php - */ | ||
[+] | Deleted | modsecurity-apache_2.7.4.tar.bz2/apache2/libinjection/sqli_fingerprints.h ^ |
@@ -1,2327 +0,0 @@ -#ifndef _SQLPARSE_FINGERPRINTS_H -#define _SQLPARSE_FINGERPRINTS_H - -static const char* patmap[] = { - "&1o1U", - "&1osU", - "&1ovU", - "&f()o", - "&f(1)", - "&f(1o", - "&f(s)", - "&f(v)", - "&f(vo", - "&so1U", - "&sosU", - "&sovU", - "&vo1U", - "&vosU", - "&vovU", - "1&((f", - "1&((k", - "1&(1)", - "1&(1,", - "1&(1o", - "1&(f(", - "1&(k(", - "1&(k1", - "1&(kf", - "1&(kk", - "1&(kn", - "1&(ko", - "1&(ks", - "1&(kv", - "1&(s)", - "1&(s,", - "1&(so", - "1&(v)", - "1&(v,", - "1&(vo", - "1&1", - "1&1Bf", - "1&1Uk", - "1&1c", - "1&1f(", - "1&1o(", - "1&1o1", - "1&1of", - "1&1ok", - "1&1on", - "1&1oo", - "1&1os", - "1&1ov", - "1&f((", - "1&f()", - "1&f(1", - "1&f(f", - "1&f(k", - "1&f(n", - "1&f(s", - "1&f(v", - "1&k(1", - "1&k(f", - "1&k(s", - "1&k(v", - "1&k1k", - "1&kUk", - "1&kk1", - "1&kks", - "1&kkv", - "1&ksk", - "1&kvk", - "1&n()", - "1&no1", - "1&nos", - "1&nov", - "1&o(1", - "1&o(s", - "1&o(v", - "1&o1o", - "1&oso", - "1&ovo", - "1&sBf", - "1&sU(", - "1&sUk", - "1&sf(", - "1&so(", - "1&so1", - "1&sof", - "1&sok", - "1&son", - "1&soo", - "1&sos", - "1&sov", - "1&v", - "1&vBf", - "1&vU(", - "1&vUk", - "1&vc", - "1&vf(", - "1&vo(", - "1&vo1", - "1&vof", - "1&vok", - "1&von", - "1&voo", - "1&vos", - "1&vov", - "1)&(1", - "1)&(f", - "1)&(k", - "1)&(n", - "1)&(s", - "1)&(v", - "1)&1B", - "1)&1U", - "1)&1f", - "1)&1o", - "1)&f(", - "1)&o(", - "1)&sB", - "1)&sU", - "1)&sf", - "1)&so", - "1)&vB", - "1)&vU", - "1)&vf", - "1)&vo", - "1)()s", - "1)()v", - "1))&(", - "1))&1", - "1))&f", - "1))&o", - "1))&s", - "1))&v", - "1)))&", - "1))))", - "1)));", - "1)))B", - "1)))U", - "1)))c", - "1)))k", - "1)))o", - "1));c", - "1));k", - "1))B1", - "1))Bs", - "1))Bv", - "1))Uk", - "1))Un", - "1))c", - "1))k1", - "1))kk", - "1))ks", - "1))kv", - "1))o(", - "1))o1", - "1))of", - "1))ok", - "1))on", - "1))os", - "1))ov", - "1),(1", - "1),(s", - "1),(v", - "1);c", - "1);k&", - "1);k(", - "1);kf", - "1);kk", - "1);kn", - "1);ko", - "1)B1", - "1)B1&", - "1)B1c", - 
"1)B1o", - "1)Bs", - "1)Bs&", - "1)Bsc", - "1)Bso", - "1)Bv", - "1)Bv&", - "1)Bvc", - "1)Bvo", - "1)U(k", - "1)Uk(", - "1)Uk1", - "1)Ukf", - "1)Ukk", - "1)Ukn", - "1)Uko", - "1)Uks", - "1)Ukv", - "1)Unk", - "1)c", - "1)k1", - "1)k1c", - "1)k1o", - "1)kks", - "1)kkv", - "1)knk", - "1)ks", - "1)ksc", - "1)kso", - "1)kv", - "1)kvc", - "1)kvo", - "1)o(1", - "1)o(k", - "1)o(n", - "1)o(s", - "1)o(v", - "1)o1)", - "1)o1B", - "1)o1U", - "1)o1f", - "1)o1k", - "1)o1o", - "1)of(", - "1)ok(", - "1)ok1", - "1)oks", - "1)okv", - "1)on&", - "1)os)", - "1)osB", - "1)osU", - "1)osf", - "1)osk", - "1)oso", - "1)ov)", - "1)ovB", - "1)ovU", - "1)ovf", - "1)ovk", - "1)ovo", - "1,(f(", - "1,(k(", - "1,(k1", - "1,(kf", - "1,(ks", - "1,(kv", - "1,1),", - "1,1)o", - "1,1B1", - "1,1Bs", - "1,1Bv", - "1,1Uk", - "1,f(1", - "1,f(s", - "1,f(v", - "1,s),", - "1,s)o", - "1,sB1", - "1,sBs", - "1,sBv", - "1,sUk", - "1,v),", - "1,v)o", - "1,vB1", - "1,vBs", - "1,vBv", - "1,vUk", - "1;c", - "1;k&k", - "1;k((", - "1;k(1", - "1;k(o", - "1;k(s", - "1;k(v", - "1;k1,", - "1;kf(", - "1;kks", - "1;kkv", - "1;kn(", - "1;kn,", - "1;knc", - "1;ko(", - "1;kok", - "1;ks,", - "1;kv,", - "1B1", - "1B1,1", - "1B1,n", - "1B1,s", - "1B1,v", - "1B1Uk", - "1B1c", - "1B1k1", - "1B1ks", - "1B1kv", - "1Bf(1", - "1Bf(f", - "1Bf(s", - "1Bf(v", - "1Bk(1", - "1Bk(s", - "1Bk(v", - "1Bn,n", - "1Bnk1", - "1Bnks", - "1Bnkv", - "1Bs", - "1Bs,1", - "1Bs,n", - "1Bs,s", - "1Bs,v", - "1BsUk", - "1Bsc", - "1Bsk1", - "1Bsks", - "1Bskv", - "1Bv", - "1Bv,1", - "1Bv,n", - "1Bv,s", - "1Bv,v", - "1BvUk", - "1Bvc", - "1Bvk1", - "1Bvks", - "1Bvkv", - "1U", - "1U((k", - "1U(k1", - "1U(kf", - "1U(kn", - "1U(ks", - "1U(kv", - "1U1,1", - "1U1,s", - "1U1,v", - "1Uc", - "1Uk", - "1Uk(1", - "1Uk(k", - "1Uk(n", - "1Uk(s", - "1Uk(v", - "1Uk1", - "1Uk1,", - "1Uk1c", - "1Uk1f", - "1Uk1k", - "1Uk1n", - "1Uk1o", - "1Ukf", - "1Ukf(", - "1Ukf,", - "1Ukk(", - "1Ukk,", - "1Ukk1", - "1Ukkk", - "1Ukkn", - "1Ukks", - "1Ukkv", - "1Ukn&", - "1Ukn(", - "1Ukn,", - 
"1Ukn1", - "1Uknc", - "1Uknk", - "1Ukno", - "1Ukns", - "1Uknv", - "1Uko1", - "1Ukok", - "1Ukos", - "1Ukov", - "1Uks", - "1Uks,", - "1Uksc", - "1Uksf", - "1Uksk", - "1Uksn", - "1Ukso", - "1Ukv", - "1Ukv,", - "1Ukvc", - "1Ukvf", - "1Ukvk", - "1Ukvn", - "1Ukvo", - "1Un,1", - "1Un,s", - "1Un,v", - "1Un1,", - "1Unk(", - "1Unk1", - "1Unkf", - "1Unks", - "1Unkv", - "1Uns,", - "1Unv,", - "1Uon1", - "1Uons", - "1Uonv", - "1Us,1", - "1Us,s", - "1Us,v", - "1Uv,1", - "1Uv,s", - "1Uv,v", - "1c", - "1f()k", - "1k1U(", - "1k1Uk", - "1k1c", - "1k1o1", - "1k1ov", - "1kU1,", - "1kUs,", - "1kUv,", - "1kf(1", - "1kf(s", - "1kf(v", - "1kk(1", - "1kk(s", - "1kk(v", - "1kksc", - "1kkvc", - "1knkn", - "1kno1", - "1knov", - "1kokn", - "1ksU(", - "1ksUk", - "1ksc", - "1kvU(", - "1kvUk", - "1kvc", - "1kvo1", - "1kvov", - "1n&f(", - "1n)Uk", - "1nUk1", - "1nUkn", - "1nUks", - "1nUkv", - "1nk1c", - "1nkf(", - "1nksc", - "1nkvc", - "1o(((", - "1o((1", - "1o((f", - "1o((s", - "1o((v", - "1o(1)", - "1o(1o", - "1o(f(", - "1o(k(", - "1o(k1", - "1o(kf", - "1o(kn", - "1o(ks", - "1o(kv", - "1o(n)", - "1o(o1", - "1o(os", - "1o(ov", - "1o(s)", - "1o(so", - "1o(v)", - "1o(vo", - "1o1)&", - "1o1)o", - "1o1Bf", - "1o1Uk", - "1o1f(", - "1o1kf", - "1o1o(", - "1o1o1", - "1o1of", - "1o1oo", - "1o1os", - "1o1ov", - "1of()", - "1of(1", - "1of(f", - "1of(n", - "1of(s", - "1of(v", - "1ok(1", - "1ok(k", - "1ok(s", - "1ok(v", - "1ok)U", - "1ok)o", - "1ok1", - "1ok1,", - "1ok1c", - "1ok1k", - "1okUk", - "1okf(", - "1oks", - "1oks,", - "1oksc", - "1oksk", - "1okv", - "1okv,", - "1okvc", - "1okvk", - "1onos", - "1onov", - "1os)&", - "1os)U", - "1os)o", - "1osBf", - "1osUk", - "1osf(", - "1oskf", - "1oso(", - "1oso1", - "1osof", - "1osoo", - "1osos", - "1osov", - "1ov)&", - "1ov)U", - "1ov)o", - "1ovBf", - "1ovUk", - "1ovf(", - "1ovkf", - "1ovo(", - "1ovo1", - "1ovof", - "1ovoo", - "1ovos", - "1ovov", - ";kknc", - "Uk1,1", - "Uk1,f", - "Uk1,n", - "Uk1,s", - "Uk1,v", - "Ukkkn", - "Uks,1", - "Uks,f", - "Uks,n", - "Uks,s", 
- "Uks,v", - "Ukv,1", - "Ukv,f", - "Ukv,n", - "Ukv,s", - "Ukv,v", - "f((f(", - "f((k(", - "f((kf", - "f()&f", - "f()of", - "f(1)&", - "f(1)U", - "f(1)o", - "f(1,1", - "f(1,f", - "f(1,s", - "f(1,v", - "f(1o1", - "f(1os", - "f(1ov", - "f(f()", - "f(f(1", - "f(f(f", - "f(f(s", - "f(f(v", - "f(k()", - "f(k,(", - "f(k,f", - "f(k,n", - "f(n()", - "f(s)&", - "f(s)U", - "f(s)o", - "f(s,1", - "f(s,f", - "f(s,s", - "f(s,v", - "f(so1", - "f(sos", - "f(sov", - "f(v)&", - "f(v)U", - "f(v)o", - "f(v,1", - "f(v,f", - "f(v,s", - "f(v,v", - "f(vo1", - "f(vos", - "f(vov", - "k()ok", - "k(1)U", - "k(f(1", - "k(f(v", - "k(ok(", - "k(s)U", - "k(sv)", - "k(v)U", - "k(vs)", - "k(vv)", - "k1,1,", - "k1,1c", - "k1,1k", - "k1,f(", - "k1,n,", - "k1,s,", - "k1,sc", - "k1,sk", - "k1,v,", - "k1,vc", - "k1,vk", - "k1k(k", - "k1kf(", - "k1o(s", - "k1o(v", - "k;non", - "kc", - "kf((f", - "kf(1)", - "kf(1,", - "kf(f(", - "kf(n,", - "kf(o)", - "kf(s)", - "kf(s,", - "kf(s:", - "kf(v)", - "kf(v,", - "kf(v:", - "kk(f(", - "kk1f(", - "kk1fn", - "kk1kk", - "kk1nk", - "kk1sf", - "kk1sk", - "kk1sn", - "kk1vf", - "kk1vk", - "kk1vn", - "kksf(", - "kksfn", - "kkskk", - "kksnk", - "kksvk", - "kksvn", - "kkvf(", - "kkvfn", - "kkvkk", - "kkvnk", - "kkvsf", - "kkvsk", - "kkvsn", - "kkvvf", - "kkvvk", - "kkvvn", - "kn1kk", - "kn1sk", - "kn1sn", - "kn1vk", - "kn1vn", - "knk(k", - "knskk", - "knsvk", - "knsvn", - "knvkk", - "knvsk", - "knvsn", - "knvvk", - "knvvn", - "ko(k(", - "ko(kf", - "ko(n,", - "ko(s,", - "ko(v,", - "kok(k", - "ks&(k", - "ks&(o", - "ks)", - "ks,1,", - "ks,1c", - "ks,1k", - "ks,f(", - "ks,s,", - "ks,sc", - "ks,sk", - "ks,v,", - "ks,vc", - "ks,vk", - "ksf(1", - "ksf(s", - "ksf(v", - "ksk(1", - "ksk(k", - "ksk(s", - "ksk(v", - "kso(s", - "kso(v", - "kv&(k", - "kv&(o", - "kv)", - "kv,1,", - "kv,1c", - "kv,1k", - "kv,f(", - "kv,n,", - "kv,s,", - "kv,sc", - "kv,sk", - "kv,v,", - "kv,vc", - "kv,vk", - "kvf(1", - "kvf(s", - "kvf(v", - "kvk(1", - "kvk(k", - "kvk(s", - "kvk(v", - "kvkf(", - "kvo(s", - 
"kvo(v", - "n&(1)", - "n&(1,", - "n&(k1", - "n&(ks", - "n&(kv", - "n&(o1", - "n&(os", - "n&(ov", - "n&(s)", - "n&(s,", - "n&(v)", - "n&(v,", - "n&1Bf", - "n&1f(", - "n&1o(", - "n&1o1", - "n&1of", - "n&1oo", - "n&1os", - "n&1ov", - "n&f(1", - "n&f(f", - "n&f(s", - "n&f(v", - "n&k(1", - "n&k(s", - "n&k(v", - "n&o1o", - "n&oso", - "n&ovo", - "n&sf(", - "n&so(", - "n&so1", - "n&sof", - "n&soo", - "n&sos", - "n&sov", - "n&vBf", - "n&vf(", - "n&vo(", - "n&vo1", - "n&vof", - "n&voo", - "n&vos", - "n&vov", - "n)&(k", - "n)&1f", - "n)&1o", - "n)&f(", - "n)&sf", - "n)&so", - "n)&vf", - "n)&vo", - "n))&(", - "n))&1", - "n))&f", - "n))&s", - "n))&v", - "n)))&", - "n)));", - "n)))B", - "n)))U", - "n)))c", - "n)))k", - "n)))o", - "n));c", - "n));k", - "n))B1", - "n))Bv", - "n))Uk", - "n))c", - "n))kk", - "n))o(", - "n))o1", - "n))of", - "n))ok", - "n))os", - "n))ov", - "n);c", - "n);k&", - "n);k(", - "n);kf", - "n);kk", - "n);kn", - "n);ko", - "n)B1c", - "n)Bvc", - "n)Uk1", - "n)Ukv", - "n)c", - "n)k1o", - "n)kks", - "n)kkv", - "n)kso", - "n)kvo", - "n)o(k", - "n)o1&", - "n)o1f", - "n)o1o", - "n)of(", - "n)ok(", - "n)os&", - "n)osf", - "n)oso", - "n)ov&", - "n)ovf", - "n)ovo", - "n,(f(", - "n,(k(", - "n,(k1", - "n,(kf", - "n,(ks", - "n,(kv", - "n,f(1", - "n,f(s", - "n,f(v", - "n:o1U", - "n:osU", - "n:ovU", - "n;c", - "n;k&k", - "n;k((", - "n;k(1", - "n;k(s", - "n;k(v", - "n;kf(", - "n;kks", - "n;kkv", - "n;kn(", - "n;ko(", - "n;kok", - "nB1c", - "nBvc", - "nUk(k", - "nUk1,", - "nUk1c", - "nUkf(", - "nUkn,", - "nUks,", - "nUkv,", - "nUkvc", - "nUnk(", - "nc", - "nk1Uk", - "nk1o1", - "nk1ov", - "nkf(1", - "nkf(s", - "nkf(v", - "nkksc", - "nkkvc", - "nksUk", - "nkvUk", - "nkvo1", - "nkvov", - "nnn)U", - "nno1U", - "nnosU", - "nnovU", - "no(k1", - "no(ks", - "no(kv", - "no(o1", - "no(os", - "no(ov", - "no1&1", - "no1&s", - "no1&v", - "no1Uk", - "no1f(", - "no1o(", - "no1of", - "no1oo", - "no1os", - "no1ov", - "nof(1", - "nof(s", - "nof(v", - "nok(1", - "nok(f", - "nok(k", - "nok(s", 
- "nok(v", - "nono1", - "nonov", - "nos&1", - "nos&s", - "nos&v", - "nosUk", - "nosf(", - "noso(", - "noso1", - "nosof", - "nosoo", - "nosos", - "nosov", - "nov&1", - "nov&s", - "nov&v", - "novUk", - "novf(", - "novo(", - "novo1", - "novof", - "novoo", - "novos", - "novov", - "o1kf(", - "oUk1,", - "oUks,", - "oUkv,", - "oc", - "of()o", - "of(1)", - "of(s)", - "of(v)", - "ok1o1", - "ok1os", - "ok1ov", - "okkkn", - "okso1", - "oksos", - "oksov", - "okvo1", - "okvos", - "okvov", - "ook1,", - "ooks,", - "ookv,", - "oskf(", - "ovkf(", - "s&((f", - "s&((k", - "s&(1)", - "s&(1,", - "s&(1o", - "s&(f(", - "s&(k(", - "s&(k)", - "s&(k1", - "s&(kc", - "s&(kf", - "s&(kk", - "s&(kn", - "s&(ko", - "s&(ks", - "s&(kv", - "s&(s)", - "s&(s,", - "s&(so", - "s&(v)", - "s&(v,", - "s&(vo", - "s&1", - "s&1Bf", - "s&1Uk", - "s&1c", - "s&1f(", - "s&1o(", - "s&1o1", - "s&1of", - "s&1ok", - "s&1on", - "s&1oo", - "s&1os", - "s&1ov", - "s&f((", - "s&f()", - "s&f(1", - "s&f(f", - "s&f(k", - "s&f(n", - "s&f(s", - "s&f(v", - "s&k&s", - "s&k&v", - "s&k(1", - "s&k(f", - "s&k(o", - "s&k(s", - "s&k(v", - "s&k1k", - "s&k1o", - "s&kUk", - "s&kc", - "s&kk1", - "s&kks", - "s&kkv", - "s&knk", - "s&ko(", - "s&ko1", - "s&kok", - "s&kos", - "s&kov", - "s&ksk", - "s&kso", - "s&kvk", - "s&kvo", - "s&n&s", - "s&n&v", - "s&n()", - "s&no1", - "s&nos", - "s&nov", - "s&o(1", - "s&o(k", - "s&o(s", - "s&o(v", - "s&o1o", - "s&okc", - "s&oko", - "s&os", - "s&oso", - "s&ov", - "s&ovo", - "s&s", - "s&s:o", - "s&sBf", - "s&sU(", - "s&sUk", - "s&sc", - "s&sf(", - "s&so(", - "s&so1", - "s&sof", - "s&sok", - "s&son", - "s&soo", - "s&sos", - "s&sov", - "s&svo", - "s&v", - "s&v:o", - "s&vBf", - "s&vU(", - "s&vUk", - "s&vc", - "s&vf(", - "s&vo(", - "s&vo1", - "s&vof", - "s&vok", - "s&von", - "s&voo", - "s&vos", - "s&vov", - "s&vso", - "s&vvo", - "s(c", - "s)&(1", - "s)&(f", - "s)&(k", - "s)&(n", - "s)&(s", - "s)&(v", - "s)&1B", - "s)&1U", - "s)&1f", - "s)&1o", - "s)&f(", - "s)&o(", - "s)&sB", - "s)&sU", - "s)&sf", - "s)&so", - 
"s)&vB", - "s)&vU", - "s)&vf", - "s)&vo", - "s)()s", - "s)()v", - "s))&(", - "s))&1", - "s))&f", - "s))&n", - "s))&o", - "s))&s", - "s))&v", - "s)))&", - "s))))", - "s)));", - "s)))B", - "s)))U", - "s)))c", - "s)))k", - "s)))o", - "s));c", - "s));k", - "s))B1", - "s))Bs", - "s))Bv", - "s))Uk", - "s))Un", - "s))c", - "s))k1", - "s))kk", - "s))ks", - "s))kv", - "s))o(", - "s))o1", - "s))of", - "s))ok", - "s))on", - "s))os", - "s))ov", - "s),(1", - "s),(s", - "s),(v", - "s);c", - "s);k&", - "s);k(", - "s);kf", - "s);kk", - "s);kn", - "s);ko", - "s)B1", - "s)B1&", - "s)B1c", - "s)B1o", - "s)Bs", - "s)Bs&", - "s)Bsc", - "s)Bso", - "s)Bv", - "s)Bv&", - "s)Bvc", - "s)Bvo", - "s)U(k", - "s)Uk(", - "s)Uk1", - "s)Ukf", - "s)Ukk", - "s)Ukn", - "s)Uko", - "s)Uks", - "s)Ukv", - "s)Unk", - "s)c", - "s)k1", - "s)k1c", - "s)k1o", - "s)kks", - "s)kkv", - "s)ks", - "s)ksc", - "s)kso", - "s)kv", - "s)kvc", - "s)kvo", - "s)o(1", - "s)o(k", - "s)o(n", - "s)o(s", - "s)o(v", - "s)o1B", - "s)o1U", - "s)o1f", - "s)o1k", - "s)o1o", - "s)of(", - "s)ok(", - "s)ok1", - "s)oks", - "s)okv", - "s)on&", - "s)os)", - "s)osB", - "s)osU", - "s)osf", - "s)osk", - "s)oso", - "s)ov)", - "s)ovB", - "s)ovU", - "s)ovf", - "s)ovk", - "s)ovo", - "s,(f(", - "s,(k(", - "s,(k1", - "s,(kf", - "s,(ks", - "s,(kv", - "s,1),", - "s,1)o", - "s,1B1", - "s,1Bs", - "s,1Bv", - "s,1Uk", - "s,f(1", - "s,f(s", - "s,f(v", - "s,s),", - "s,s)o", - "s,sB1", - "s,sBs", - "s,sBv", - "s,sUk", - "s,v),", - "s,v)o", - "s,vB1", - "s,vBs", - "s,vBv", - "s,vUk", - "s:o1)", - "s:os)", - "s:ov)", - "s;c", - "s;k&k", - "s;k((", - "s;k(1", - "s;k(o", - "s;k(s", - "s;k(v", - "s;k1,", - "s;k1o", - "s;k;", - "s;k[k", - "s;k[n", - "s;kf(", - "s;kkn", - "s;kks", - "s;kkv", - "s;kn(", - "s;kn,", - "s;knc", - "s;knk", - "s;knn", - "s;ko(", - "s;kok", - "s;ks,", - "s;ksc", - "s;ksk", - "s;kso", - "s;kv,", - "s;kvc", - "s;kvk", - "s;kvo", - "s;n:k", - "sB1", - "sB1&s", - "sB1&v", - "sB1,1", - "sB1,n", - "sB1,s", - "sB1,v", - "sB1Uk", - "sB1c", - 
"sB1k1", - "sB1ks", - "sB1kv", - "sB1os", - "sB1ov", - "sBf(1", - "sBf(f", - "sBf(s", - "sBf(v", - "sBk(1", - "sBk(s", - "sBk(v", - "sBn,n", - "sBnk1", - "sBnks", - "sBnkv", - "sBs", - "sBs&s", - "sBs&v", - "sBs,1", - "sBs,n", - "sBs,s", - "sBs,v", - "sBsUk", - "sBsc", - "sBsk1", - "sBsks", - "sBskv", - "sBsos", - "sBsov", - "sBv", - "sBv&s", - "sBv&v", - "sBv,1", - "sBv,n", - "sBv,s", - "sBv,v", - "sBvUk", - "sBvc", - "sBvk1", - "sBvks", - "sBvkv", - "sBvos", - "sBvov", - "sU((k", - "sU(k(", - "sU(k1", - "sU(kf", - "sU(kk", - "sU(kn", - "sU(ks", - "sU(kv", - "sU1,1", - "sU1,s", - "sU1,v", - "sUc", - "sUk", - "sUk(1", - "sUk(k", - "sUk(n", - "sUk(s", - "sUk(v", - "sUk1", - "sUk1&", - "sUk1,", - "sUk1c", - "sUk1f", - "sUk1k", - "sUk1n", - "sUk1o", - "sUkf", - "sUkf(", - "sUkf,", - "sUkk(", - "sUkk,", - "sUkk1", - "sUkkk", - "sUkkn", - "sUkks", - "sUkkv", - "sUkn&", - "sUkn(", - "sUkn,", - "sUkn1", - "sUknc", - "sUknk", - "sUkno", - "sUkns", - "sUknv", - "sUko1", - "sUkok", - "sUkos", - "sUkov", - "sUks", - "sUks&", - "sUks,", - "sUksc", - "sUksf", - "sUksk", - "sUksn", - "sUkso", - "sUkv", - "sUkv&", - "sUkv,", - "sUkvc", - "sUkvf", - "sUkvk", - "sUkvn", - "sUkvo", - "sUn(k", - "sUn,1", - "sUn,s", - "sUn,v", - "sUn1,", - "sUnk(", - "sUnk1", - "sUnkf", - "sUnks", - "sUnkv", - "sUno1", - "sUnos", - "sUnov", - "sUns,", - "sUnv,", - "sUon1", - "sUons", - "sUonv", - "sUs,1", - "sUs,s", - "sUs,v", - "sUv,1", - "sUv,s", - "sUv,v", - "sc", - "sf()k", - "sf(1)", - "sf(n,", - "sf(s)", - "sf(v)", - "sk)&(", - "sk)&1", - "sk)&f", - "sk)&s", - "sk)&v", - "sk);k", - "sk)B1", - "sk)Bs", - "sk)Bv", - "sk)Uk", - "sk)Un", - "sk)k1", - "sk)kk", - "sk)ks", - "sk)kv", - "sk)o(", - "sk)o1", - "sk)of", - "sk)ok", - "sk)os", - "sk)ov", - "sk1&1", - "sk1&s", - "sk1&v", - "sk1U(", - "sk1Uk", - "sk1c", - "sk1o1", - "sk1os", - "sk1ov", - "skU1,", - "skUs,", - "skUv,", - "skf(1", - "skf(s", - "skf(v", - "skk(1", - "skk(s", - "skk(v", - "skks", - "skksc", - "skkv", - "skkvc", - "sknkn", - 
"sks&1", - "sks&s", - "sks&v", - "sksU(", - "sksUk", - "sksc", - "skso1", - "sksos", - "sksov", - "skv&1", - "skv&s", - "skv&v", - "skvU(", - "skvUk", - "skvc", - "skvo1", - "skvos", - "skvov", - "sn&f(", - "sn,f(", - "snUk1", - "snUkn", - "snUks", - "snUkv", - "snk1c", - "snkf(", - "snksc", - "snkvc", - "sno(s", - "sno(v", - "sno1U", - "snosU", - "snovU", - "so(((", - "so((1", - "so((f", - "so((k", - "so((s", - "so((v", - "so(1)", - "so(1o", - "so(f(", - "so(k(", - "so(k)", - "so(k1", - "so(kc", - "so(kf", - "so(kk", - "so(kn", - "so(ko", - "so(ks", - "so(kv", - "so(n)", - "so(o1", - "so(os", - "so(ov", - "so(s)", - "so(so", - "so(v)", - "so(vo", - "so1&1", - "so1&o", - "so1&s", - "so1&v", - "so1)&", - "so1)o", - "so1Bf", - "so1Uk", - "so1c", - "so1f(", - "so1kf", - "so1o(", - "so1o1", - "so1of", - "so1ok", - "so1oo", - "so1os", - "so1ov", - "sof()", - "sof(1", - "sof(f", - "sof(k", - "sof(n", - "sof(s", - "sof(v", - "sok&s", - "sok&v", - "sok(1", - "sok(k", - "sok(o", - "sok(s", - "sok(v", - "sok1", - "sok1,", - "sok1c", - "sok1k", - "sok1o", - "sokUk", - "sokc", - "sokf(", - "sokn,", - "soknk", - "soko(", - "soko1", - "sokok", - "sokos", - "sokov", - "soks", - "soks,", - "soksc", - "soksk", - "sokso", - "sokv", - "sokv,", - "sokvc", - "sokvk", - "sokvo", - "sonk1", - "sonks", - "sonkv", - "sonos", - "sonov", - "sos", - "sos&(", - "sos&1", - "sos&o", - "sos&s", - "sos&v", - "sos)&", - "sos)o", - "sos:o", - "sosBf", - "sosUk", - "sosc", - "sosf(", - "soskf", - "soso(", - "soso1", - "sosof", - "sosok", - "sosoo", - "sosos", - "sosov", - "sosvo", - "sov", - "sov&(", - "sov&1", - "sov&o", - "sov&s", - "sov&v", - "sov)&", - "sov)o", - "sov:o", - "sovBf", - "sovUk", - "sovc", - "sovf(", - "sovkf", - "sovo(", - "sovo1", - "sovof", - "sovok", - "sovoo", - "sovos", - "sovov", - "sovso", - "sovvo", - "v&((f", - "v&((k", - "v&(1)", - "v&(1,", - "v&(1o", - "v&(f(", - "v&(k(", - "v&(k)", - "v&(k1", - "v&(kc", - "v&(kf", - "v&(kk", - "v&(kn", - "v&(ko", - "v&(ks", - "v&(kv", - 
"v&(s)", - "v&(s,", - "v&(so", - "v&(v)", - "v&(v,", - "v&(vo", - "v&1", - "v&1Bf", - "v&1Uk", - "v&1c", - "v&1f(", - "v&1o(", - "v&1o1", - "v&1of", - "v&1ok", - "v&1on", - "v&1oo", - "v&1os", - "v&1ov", - "v&f((", - "v&f()", - "v&f(1", - "v&f(f", - "v&f(k", - "v&f(n", - "v&f(s", - "v&f(v", - "v&k&s", - "v&k&v", - "v&k(1", - "v&k(f", - "v&k(o", - "v&k(s", - "v&k(v", - "v&k1k", - "v&k1o", - "v&kUk", - "v&kc", - "v&kk1", - "v&kks", - "v&kkv", - "v&knk", - "v&ko(", - "v&ko1", - "v&kok", - "v&kos", - "v&kov", - "v&ksk", - "v&kso", - "v&kvk", - "v&kvo", - "v&n&s", - "v&n&v", - "v&n()", - "v&no1", - "v&nos", - "v&nov", - "v&o(1", - "v&o(k", - "v&o(s", - "v&o(v", - "v&o1o", - "v&okc", - "v&oko", - "v&os", - "v&oso", - "v&ov", - "v&ovo", - "v&s", - "v&s:o", - "v&sBf", - "v&sU(", - "v&sUk", - "v&sc", - "v&sf(", - "v&so(", - "v&so1", - "v&sof", - "v&sok", - "v&son", - "v&soo", - "v&sos", - "v&sov", - "v&svo", - "v&v", - "v&v:o", - "v&vBf", - "v&vU(", - "v&vUk", - "v&vc", - "v&vf(", - "v&vo(", - "v&vo1", - "v&vof", - "v&vok", - "v&von", - "v&voo", - "v&vos", - "v&vov", - "v&vso", - "v&vvo", - "v(c", - "v)&(1", - "v)&(f", - "v)&(k", - "v)&(n", - "v)&(s", - "v)&(v", - "v)&1B", - "v)&1U", - "v)&1f", - "v)&1o", - "v)&f(", - "v)&o(", - "v)&sB", - "v)&sU", - "v)&sf", - "v)&so", - "v)&vB", - "v)&vU", - "v)&vf", - "v)&vo", - "v)()s", - "v)()v", - "v))&(", - "v))&1", - "v))&f", - "v))&n", - "v))&o", - "v))&s", - "v))&v", - "v)))&", - "v))))", - "v)));", - "v)))B", - "v)))U", - "v)))c", - "v)))k", - "v)))o", - "v));c", - "v));k", - "v))B1", - "v))Bs", - "v))Bv", - "v))Uk", - "v))Un", - "v))c", - "v))k1", - "v))kk", - "v))ks", - "v))kv", - "v))o(", - "v))o1", - "v))of", - "v))ok", - "v))on", - "v))os", - "v))ov", - "v),(1", - "v),(s", - "v),(v", - "v);c", - "v);k&", - "v);k(", - "v);kf", - "v);kk", - "v);kn", - "v);ko", - "v)B1", - "v)B1&", - "v)B1c", - "v)B1o", - "v)Bs", - "v)Bs&", - "v)Bsc", - "v)Bso", - "v)Bv", - "v)Bv&", - "v)Bvc", - "v)Bvo", - "v)U(k", - "v)Uk(", - "v)Uk1", - 
"v)Ukf", - "v)Ukk", - "v)Ukn", - "v)Uko", - "v)Uks", - "v)Ukv", - "v)Unk", - "v)c", - "v)k1", - "v)k1c", - "v)k1o", - "v)kks", - "v)kkv", - "v)knk", - "v)ks", - "v)ksc", - "v)kso", - "v)kv", - "v)kvc", - "v)kvo", - "v)o(1", - "v)o(k", - "v)o(n", - "v)o(s", - "v)o(v", - "v)o1)", - "v)o1B", - "v)o1U", - "v)o1f", - "v)o1k", - "v)o1o", - "v)of(", - "v)ok(", - "v)ok1", - "v)oks", - "v)okv", - "v)on&", - "v)os)", - "v)osB", - "v)osU", - "v)osf", - "v)osk", - "v)oso", - "v)ov)", - "v)ovB", - "v)ovU", - "v)ovf", - "v)ovk", - "v)ovo", - "v,(f(", - "v,(k(", - "v,(k1", - "v,(kf", - "v,(ks", - "v,(kv", - "v,1),", - "v,1)o", - "v,1B1", - "v,1Bs", - "v,1Bv", - "v,1Uk", - "v,f(1", - "v,f(s", - "v,f(v", - "v,s),", - "v,s)o", - "v,sB1", - "v,sBs", - "v,sBv", - "v,sUk", - "v,v),", - "v,v)o", - "v,vB1", - "v,vBs", - "v,vBv", - "v,vUk", - "v:o1)", - "v:os)", - "v:ov)", - "v;c", - "v;k&k", - "v;k((", - "v;k(1", - "v;k(o", - "v;k(s", - "v;k(v", - "v;k1,", - "v;k1o", - "v;k;", - "v;k[k", - "v;k[n", - "v;kf(", - "v;kkn", - "v;kks", - "v;kkv", - "v;kn(", - "v;kn,", - "v;knc", - "v;knk", - "v;knn", - "v;ko(", - "v;kok", - "v;ks,", - "v;ksc", - "v;ksk", - "v;kso", - "v;kv,", - "v;kvc", - "v;kvk", - "v;kvo", - "v;n:k", - "vB1", - "vB1&s", - "vB1&v", - "vB1,1", - "vB1,n", - "vB1,s", - "vB1,v", - "vB1Uk", - "vB1c", - "vB1k1", - "vB1ks", - "vB1kv", - "vB1os", - "vB1ov", - "vBf(1", - "vBf(f", - "vBf(s", - "vBf(v", - "vBk(1", - "vBk(s", - "vBk(v", - "vBn,n", - "vBnk1", - "vBnks", - "vBnkv", - "vBs", - "vBs&s", - "vBs&v", - "vBs,1", - "vBs,n", - "vBs,s", - "vBs,v", - "vBsUk", - "vBsc", - "vBsk1", - "vBsks", - "vBskv", - "vBsos", - "vBsov", - "vBv", - "vBv&s", - "vBv&v", - "vBv,1", - "vBv,n", - "vBv,s", - "vBv,v", - "vBvUk", - "vBvc", - "vBvk1", - "vBvks", - "vBvkv", - "vBvos", - "vBvov", - "vU", - "vU((k", - "vU(k(", - "vU(k1", - "vU(kf", - "vU(kk", - "vU(kn", - "vU(ks", - "vU(kv", - "vU1,1", - "vU1,s", - "vU1,v", - "vUc", - "vUk", - "vUk(1", - "vUk(k", - "vUk(n", - "vUk(s", - "vUk(v", - "vUk1", - 
"vUk1&", - "vUk1,", - "vUk1c", - "vUk1f", - "vUk1k", - "vUk1n", - "vUk1o", - "vUkf", - "vUkf(", - "vUkf,", - "vUkk(", - "vUkk,", - "vUkk1", - "vUkkk", - "vUkkn", - "vUkks", - "vUkkv", - "vUkn&", - "vUkn(", - "vUkn,", - "vUkn1", - "vUknc", - "vUknk", - "vUkno", - "vUkns", - "vUknv", - "vUko1", - "vUkok", - "vUkos", - "vUkov", - "vUks", - "vUks&", - "vUks,", - "vUksc", - "vUksf", - "vUksk", - "vUksn", - "vUkso", - "vUkv", - "vUkv&", - "vUkv,", - "vUkvc", - "vUkvf", - "vUkvk", - "vUkvn", - "vUkvo", - "vUn(k", - "vUn,1", - "vUn,s", - "vUn,v", - "vUn1,", - "vUnk(", - "vUnk1", - "vUnkf", - "vUnks", - "vUnkv", - "vUno1", - "vUnos", - "vUnov", - "vUns,", - "vUnv,", - "vUon1", - "vUons", - "vUonv", - "vUs,1", - "vUs,s", - "vUs,v", - "vUv,1", - "vUv,s", - "vUv,v", - "vc", - "vf()k", - "vf(1)", - "vf(n,", - "vf(s)", - "vf(v)", - "vk)&(", - "vk)&1", - "vk)&f", - "vk)&s", - "vk)&v", - "vk);k", - "vk)B1", - "vk)Bs", - "vk)Bv", - "vk)Uk", - "vk)Un", - "vk)k1", - "vk)kk", - "vk)ks", - "vk)kv", - "vk)o(", - "vk)o1", - "vk)of", - "vk)ok", - "vk)os", - "vk)ov", - "vk1&1", - "vk1&s", - "vk1&v", - "vk1U(", - "vk1Uk", - "vk1c", - "vk1o1", - "vk1os", - "vk1ov", - "vkU1,", - "vkUs,", - "vkUv,", - "vkf(1", - "vkf(s", - "vkf(v", - "vkk(1", - "vkk(s", - "vkk(v", - "vkks", - "vkksc", - "vkkv", - "vkkvc", - "vknkn", - "vkno1", - "vknov", - "vkokn", - "vks&1", - "vks&s", - "vks&v", - "vksU(", - "vksUk", - "vksc", - "vkso1", - "vksos", - "vksov", - "vkv&1", - "vkv&s", - "vkv&v", - "vkvU(", - "vkvUk", - "vkvc", - "vkvo1", - "vkvos", - "vkvov", - "vn&f(", - "vn)Uk", - "vn,f(", - "vnUk1", - "vnUkn", - "vnUks", - "vnUkv", - "vnk1c", - "vnkf(", - "vnksc", - "vnkvc", - "vno(s", - "vno(v", - "vno1U", - "vnosU", - "vnovU", - "vo(((", - "vo((1", - "vo((f", - "vo((k", - "vo((s", - "vo((v", - "vo(1)", - "vo(1o", - "vo(f(", - "vo(k(", - "vo(k)", - "vo(k1", - "vo(kc", - "vo(kf", - "vo(kk", - "vo(kn", - "vo(ko", - "vo(ks", - "vo(kv", - "vo(n)", - "vo(o1", - "vo(os", - "vo(ov", - "vo(s)", - "vo(so", - "vo(v)", 
- "vo(vo", - "vo1&1", - "vo1&o", - "vo1&s", - "vo1&v", - "vo1)&", - "vo1)o", - "vo1Bf", - "vo1Uk", - "vo1c", - "vo1f(", - "vo1kf", - "vo1o(", - "vo1o1", - "vo1of", - "vo1ok", - "vo1oo", - "vo1os", - "vo1ov", - "vof()", - "vof(1", - "vof(f", - "vof(k", - "vof(n", - "vof(s", - "vof(v", - "vok&s", - "vok&v", - "vok(1", - "vok(k", - "vok(o", - "vok(s", - "vok(v", - "vok)U", - "vok)o", - "vok1", - "vok1,", - "vok1c", - "vok1k", - "vok1o", - "vokUk", - "vokc", - "vokf(", - "vokn,", - "voknk", - "voko(", - "voko1", - "vokok", - "vokos", - "vokov", - "voks", - "voks,", - "voksc", - "voksk", - "vokso", - "vokv", - "vokv,", - "vokvc", - "vokvk", - "vokvo", - "vonk1", - "vonks", - "vonkv", - "vono1", - "vonos", - "vonov", - "vos", - "vos&(", - "vos&1", - "vos&o", - "vos&s", - "vos&v", - "vos)&", - "vos)U", - "vos)o", - "vos:o", - "vosBf", - "vosUk", - "vosc", - "vosf(", - "voskf", - "voso(", - "voso1", - "vosof", - "vosok", - "vosoo", - "vosos", - "vosov", - "vosvo", - "vov", - "vov&(", - "vov&1", - "vov&o", - "vov&s", - "vov&v", - "vov)&", - "vov)U", - "vov)o", - "vov:o", - "vovBf", - "vovUk", - "vovc", - "vovf(", - "vovkf", - "vovo(", - "vovo1", - "vovof", - "vovok", - "vovoo", - "vovos", - "vovov", - "vovso", - "vovvo", -}; -static const size_t patmap_sz = 2298; - - -/* Simple binary search */ -int is_sqli_pattern(const char *key) -{ - int left = 0; - int right = (int)patmap_sz - 1; - - while (left <= right) { - int pos = (left + right) / 2; - int cmp = strcmp(patmap[pos], key); - if (cmp == 0) { - return 1; /* TRUE */ - } else if (cmp < 0) { - left = pos + 1; - } else { - right = pos - 1; - } - } - return 0; /* FALSE */ -} - -#endif | ||
[+] | Deleted | modsecurity-apache_2.7.4.tar.bz2/apache2/libinjection/sqlparse.c ^ |
@@ -1,1340 +0,0 @@ -/** - * Copyright 2012,2013 Nick Galbreath - * nickg@client9.com - * BSD License -- see COPYING.txt for details - * - * (setq-default indent-tabs-mode nil) - * (setq c-default-style "k&r" - * c-basic-offset 4) - * indent -kr -nut - */ - -#include <string.h> -#include <stdlib.h> -#include <stdio.h> -#include <ctype.h> -#include <assert.h> - -#ifndef TRUE -#define TRUE 1 -#endif -#ifndef FALSE -#define FALSE 0 -#endif - -#if 0 -#define FOLD_DEBUG printf("%d: Fold state = %d, current=%c, last=%c\n", __LINE__, sf->fold_state, current->type, last->type == CHAR_NULL ? '~': last->type) -#else -#define FOLD_DEBUG -#endif - -/* order is important here */ -#include "sqlparse_private.h" -#include "sqlparse_data.h" - -/* memchr2 finds a string of 2 characters inside another string - * This a specialized version of "memmem" or "memchr". - * 'memmem' doesn't exist on all platforms - * - * Porting notes: this is just a special version of - * astring.find("AB") - * - */ -const char * -memchr2(const char *haystack, size_t haystack_len, char c0, char c1) -{ - const char *cur = haystack; - const char *last = haystack + haystack_len - 1; - - if (haystack_len < 2) { - return NULL; - } - if (c0 == c1) { - return NULL; - } - - while (cur < last) { - if (cur[0] == c0) { - if (cur[1] == c1) { - return cur; - } else { - cur += 2; - } - } else { - cur += 1; - } - } - - return NULL; -} - -/** Find largest string containing certain characters. - * - * C Standard library 'strspn' only works for 'c-strings' (null terminated) - * This works on arbitrary length. 
- * - * Porting notes: - * if accept is 'ABC', then this function would be similar to - * a_regexp.match(a_str, '[ABC]*'), - */ -size_t strlenspn(const char *s, size_t len, const char *accept) -{ - size_t i; - for (i = 0; i < len; ++i) { - /* likely we can do better by inlining this function - * but this works for now - */ - if (strchr(accept, s[i]) == NULL) { - return i; - } - } - return len; -} - -/* - * ASCII case insenstive compare only! - */ -int cstrcasecmp(const char *a, const char *b) -{ - int ca, cb; - - do { - ca = *a++ & 0xff; - cb = *b++ & 0xff; - if (ca >= 'a' && ca <= 'z') - ca -= 0x20; - if (cb >= 'a' && cb <= 'z') - cb -= 0x20; - } while (ca == cb && ca != '\0'); - - return ca - cb; -} - -/** - * Case insentive string compare. - * Here only to make code more readable - */ -int streq(const char *a, const char *b) -{ - return cstrcasecmp(a, b) == 0; -} - -/* - * Case-sensitive binary search. - * - */ -int bsearch_cstr(const char *key, const char *base[], size_t nmemb) -{ - int left = 0; - int right = (int) nmemb - 1; - - while (left <= right) { - int pos = (left + right) / 2; - int cmp = strcmp(base[pos], key); - if (cmp == 0) { - return TRUE; - } else if (cmp < 0) { - left = pos + 1; - } else { - right = pos - 1; - } - } - return FALSE; -} - -/* - * Case-insensitive binary search - */ -int bsearch_cstrcase(const char *key, const char *base[], size_t nmemb) -{ - int left = 0; - int right = (int) nmemb - 1; - - while (left <= right) { - int pos = (left + right) / 2; - int cmp = cstrcasecmp(base[pos], key); - if (cmp == 0) { - return TRUE; - } else if (cmp < 0) { - left = pos + 1; - } else { - right = pos - 1; - } - } - return FALSE; -} - -/** - * - * - * - * Porting Notes: - * given a mapping/hash of string to char - * this is just - * mapping[key.upper()] - */ -char bsearch_keyword_type(const char *key, const keyword_t * keywords, - size_t numb) -{ - int left = 0; - int right = (int) numb - 1; - - while (left <= right) { - int pos = (left + right) / 
2; - int cmp = cstrcasecmp(keywords[pos].word, key); - if (cmp == 0) { - return keywords[pos].type; - } else if (cmp < 0) { - left = pos + 1; - } else { - right = pos - 1; - } - } - return CHAR_NULL; -} - -/* st_token methods - * - * The folow just manipulates the stoken_t type - * - * - */ - -void st_clear(stoken_t * st) -{ - st->type = CHAR_NULL; - st->str_open = CHAR_NULL; - st->str_close = CHAR_NULL; - st->val[0] = CHAR_NULL; -} - -int st_is_empty(const stoken_t * st) -{ - return st->type == CHAR_NULL; -} - -void st_assign_char(stoken_t * st, const char stype, const char value) -{ - st->type = stype; - st->val[0] = value; - st->val[1] = CHAR_NULL; -} - -void st_assign(stoken_t * st, const char stype, const char *value, - size_t len) -{ - size_t last = len < ST_MAX_SIZE ? len : (ST_MAX_SIZE - 1); - st->type = stype; - memcpy(st->val, value, last); - st->val[last] = CHAR_NULL; -} - -void st_copy(stoken_t * dest, const stoken_t * src) -{ - memcpy(dest, src, sizeof(stoken_t)); -} - -int st_is_multiword_start(const stoken_t * st) -{ - return bsearch_cstrcase(st->val, - multikeywords_start, - multikeywords_start_sz); -} - -int st_is_unary_op(const stoken_t * st) -{ - return (st->type == 'o' && !(strcmp(st->val, "+") && - strcmp(st->val, "-") && - strcmp(st->val, "!") && - strcmp(st->val, "!!") && - cstrcasecmp(st->val, "NOT") && - strcmp(st->val, "~"))); -} - -int st_is_arith_op(const stoken_t * st) -{ - return (st->type == 'o' && !(strcmp(st->val, "-") && - strcmp(st->val, "+") && - strcmp(st->val, "~") && - strcmp(st->val, "!") && - strcmp(st->val, "/") && - strcmp(st->val, "%") && - strcmp(st->val, "*") && - strcmp(st->val, "|") && - strcmp(st->val, "&") && - cstrcasecmp(st->val, "MOD") && - cstrcasecmp(st->val, "DIV"))); -} - -/* Parsers - * - * - */ - - -size_t parse_white(sfilter * sf) -{ - return sf->pos + 1; -} - -size_t parse_operator1(sfilter * sf) -{ - stoken_t *current = &sf->syntax_current; - const char *cs = sf->s; - size_t pos = sf->pos; - - 
st_assign_char(current, 'o', cs[pos]); - return pos + 1; -} - -size_t parse_other(sfilter * sf) -{ - stoken_t *current = &sf->syntax_current; - const char *cs = sf->s; - size_t pos = sf->pos; - - st_assign_char(current, '?', cs[pos]); - return pos + 1; -} - -size_t parse_char(sfilter * sf) -{ - stoken_t *current = &sf->syntax_current; - const char *cs = sf->s; - size_t pos = sf->pos; - - st_assign_char(current, cs[pos], cs[pos]); - return pos + 1; -} - -size_t parse_eol_comment(sfilter * sf) -{ - stoken_t *current = &sf->syntax_current; - const char *cs = sf->s; - const size_t slen = sf->slen; - size_t pos = sf->pos; - - const char *endpos = - (const char *) memchr((const void *) (cs + pos), '\n', slen - pos); - if (endpos == NULL) { - st_assign(current, 'c', cs + pos, slen - pos); - return slen; - } else { - st_assign(current, 'c', cs + pos, endpos - cs - pos); - return (endpos - cs) + 1; - } -} - -size_t parse_dash(sfilter * sf) -{ - stoken_t *current = &sf->syntax_current; - const char *cs = sf->s; - const size_t slen = sf->slen; - size_t pos = sf->pos; - - - size_t pos1 = pos + 1; - if (pos1 < slen && cs[pos1] == '-') { - return parse_eol_comment(sf); - } else { - st_assign_char(current, 'o', '-'); - return pos1; - } -} - -size_t is_mysql_comment(const char *cs, const size_t len, size_t pos) -{ - size_t i; - - if (pos + 2 >= len) { - return 0; - } - if (cs[pos + 2] != '!') { - return 0; - } - /* - * this is a mysql comment - * got "/x!" 
- */ - if (pos + 3 >= len) { - return 3; - } - - if (!isdigit(cs[pos + 3])) { - return 3; - } - /* - * handle odd case of /x!0SELECT - */ - if (!isdigit(cs[pos + 4])) { - return 4; - } - - if (pos + 7 >= len) { - return 4; - } - - for (i = pos + 5; i <= pos + 7; ++i) { - if (!isdigit(cs[i])) { - return 3; - } - } - return 8; -} - -size_t parse_slash(sfilter * sf) -{ - stoken_t *current = &sf->syntax_current; - const char *cs = sf->s; - const size_t slen = sf->slen; - size_t pos = sf->pos; - const char* cur = cs + pos; - size_t inc; - - size_t pos1 = pos + 1; - if (pos1 == slen || cs[pos1] != '*') { - return parse_operator1(sf); - } - - inc = is_mysql_comment(cs, slen, pos); - if (inc == 0) { - - /* - * skip over initial '/x' - */ - const char *ptr = memchr2(cur + 2, slen - (pos + 2), '*', '/'); - if (ptr == NULL) { - /* - * unterminated comment - */ - st_assign(current, 'c', cs + pos, slen - pos); - return slen; - } else { - /* - * postgresql allows nested comments which makes - * this is incompatible with parsing so - * if we find a '/x' inside the coment, then - * make a new token. - */ - char ctype = 'c'; - const size_t clen = (ptr + 2) - (cur); - if (memchr2(cur + 2, ptr - (cur + 1), '/', '*') != NULL) { - ctype = 'X'; - } - st_assign(current, ctype, cs + pos, clen); - - return pos + clen; - } - } else { - /* - * MySQL Comment - */ - sf->in_comment = TRUE; - st_clear(current); - return pos + inc; - } -} - -size_t parse_backslash(sfilter * sf) -{ - stoken_t *current = &sf->syntax_current; - const char *cs = sf->s; - const size_t slen = sf->slen; - size_t pos = sf->pos; - - /* - * Weird MySQL alias for NULL, "\N" (capital N only) - */ - if (pos + 1 < slen && cs[pos + 1] == 'N') { - st_assign(current, '1', "NULL", 4); - return pos + 2; - } else { - return parse_other(sf); - } -} - -/** Is input a 2-char operator? 
- * - */ -int is_operator2(const char *key) -{ - return bsearch_cstr(key, operators2, operators2_sz); -} - -size_t parse_operator2(sfilter * sf) -{ - stoken_t *current = &sf->syntax_current; - const char *cs = sf->s; - const size_t slen = sf->slen; - size_t pos = sf->pos; - char op2[3]; - - if (pos + 1 >= slen) { - return parse_operator1(sf); - } - - op2[0] = cs[pos]; - op2[1] = cs[pos + 1]; - op2[2] = CHAR_NULL; - - /* - * Special Hack for MYSQL style comments - * instead of turning: - * /x! FOO x/ into FOO by rewriting the string, we - * turn it into FOO x/ and ignore the ending comment - */ - if (sf->in_comment && op2[0] == '*' && op2[1] == '/') { - sf->in_comment = FALSE; - st_clear(current); - return pos + 2; - } else if (pos + 2 < slen && op2[0] == '<' && op2[1] == '=' - && cs[pos + 2] == '>') { - /* - * special 3-char operator - */ - st_assign(current, 'o', "<=>", 3); - return pos + 3; - } else if (is_operator2(op2)) { - if (streq(op2, "&&") || streq(op2, "||")) { - st_assign(current, '&', op2, 2); - } else { - /* - * normal 2 char operator - */ - st_assign(current, 'o', op2, 2); - } - return pos + 2; - } else { - /* - * must be a single char operator - */ - return parse_operator1(sf); - } -} - -size_t parse_string_core(const char *cs, const size_t len, size_t pos, - stoken_t * st, char delim, size_t offset) -{ - /* - * offset is to skip the perhaps first quote char - */ - const char *qpos = - (const char *) memchr((const void *) (cs + pos + offset), delim, - len - pos - offset); - - /* - * then keep string open/close info - */ - if (offset == 1) { - /* - * this is real quote - */ - st->str_open = delim; - } else { - /* - * this was a simulated quote - */ - st->str_open = CHAR_NULL; - } - - while (TRUE) { - if (qpos == NULL) { - /* - * string ended with no trailing quote - * assign what we have - */ - st_assign(st, 's', cs + pos + offset, len - pos - offset); - st->str_close = CHAR_NULL; - return len; - } else if (*(qpos - 1) != '\\') { - /* - * ending quote 
is not escaped.. copy and end - */ - st_assign(st, 's', cs + pos + offset, - qpos - (cs + pos + offset)); - st->str_close = delim; - return qpos - cs + 1; - } else { - qpos = - (const char *) memchr((const void *) (qpos + 1), delim, - (cs + len) - (qpos + 1)); - } - } -} - -/** - * Used when first char is a ' or " - */ -size_t parse_string(sfilter * sf) -{ - stoken_t *current = &sf->syntax_current; - const char *cs = sf->s; - const size_t slen = sf->slen; - size_t pos = sf->pos; - - /* - * assert cs[pos] == single or double quote - */ - return parse_string_core(cs, slen, pos, current, cs[pos], 1); -} - -size_t parse_word(sfilter * sf) -{ - stoken_t *current = &sf->syntax_current; - const char *cs = sf->s; - size_t pos = sf->pos; - char *dot; - char ch; - size_t slen = - strlenspn(cs + pos, sf->slen - pos, - "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$."); - - st_assign(current, 'n', cs + pos, slen); - - dot = strchr(current->val, '.'); - if (dot != NULL) { - *dot = '\0'; - - ch = bsearch_keyword_type(current->val, sql_keywords, - sql_keywords_sz); - if (ch == 'k' || ch == 'o') { - /* - * we got something like "SELECT.1" - */ - current->type = ch; - return pos + strlen(current->val); - } else { - /* - * something else, put back dot - */ - *dot = '.'; - } - } - - /* - * do normal lookup with word including '.' 
- */ - if (slen < ST_MAX_SIZE) { - ch = bsearch_keyword_type(current->val, sql_keywords, - sql_keywords_sz); - if (ch == CHAR_NULL) { - ch = 'n'; - } - current->type = ch; - } - return pos + slen; -} - -size_t parse_var(sfilter * sf) -{ - stoken_t *current = &sf->syntax_current; - const char *cs = sf->s; - const size_t slen = sf->slen; - size_t pos = sf->pos; - size_t pos1 = pos + 1; - size_t xlen; - - /* - * move past optional other '@' - */ - if (pos1 < slen && cs[pos1] == '@') { - pos1 += 1; - } - - xlen = strlenspn(cs + pos1, slen - pos1, - "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.$"); - if (xlen == 0) { - st_assign(current, 'v', cs + pos, (pos1 - pos)); - return pos1; - } else { - st_assign(current, 'v', cs + pos, xlen + (pos1 - pos)); - return pos1 + xlen; - } -} - -size_t parse_money(sfilter *sf) -{ - stoken_t *current = &sf->syntax_current; - const char *cs = sf->s; - const size_t slen = sf->slen; - size_t pos = sf->pos; - size_t xlen; - - /* - * $1,000.00 or $1.000,00 ok! 
- * This also parses $....,,,111 but that's ok - */ - xlen = strlenspn(cs + pos + 1, slen - pos - 1, "0123456789.,"); - if (xlen == 0) { - /* - * just ignore '$' - */ - return pos + 1; - } else { - st_assign(current, '1', cs + pos, 1 + xlen); - return pos + 1 + xlen; - } -} - -size_t parse_number(sfilter * sf) -{ - stoken_t *current = &sf->syntax_current; - const char *cs = sf->s; - const size_t slen = sf->slen; - size_t pos = sf->pos; - size_t xlen; - size_t start; - - if (pos + 1 < slen && cs[pos] == '0' && (cs[pos + 1] == 'X' || cs[pos + 1] == 'x')) { - /* - * TBD compare if isxdigit - */ - xlen = - strlenspn(cs + pos + 2, slen - pos - 2, "0123456789ABCDEFabcdef"); - if (xlen == 0) { - st_assign(current, 'n', "0X", 2); - return pos + 2; - } else { - st_assign(current, '1', cs + pos, 2 + xlen); - return pos + 2 + xlen; - } - } - - start = pos; - while (pos < slen && isdigit(cs[pos])) { - pos += 1; - } - if (pos < slen && cs[pos] == '.') { - pos += 1; - while (pos < slen && isdigit(cs[pos])) { - pos += 1; - } - if (pos - start == 1) { - st_assign_char(current, 'n', '.'); - return pos; - } - } - - if (pos < slen) { - if (cs[pos] == 'E' || cs[pos] == 'e') { - pos += 1; - if (pos < slen && (cs[pos] == '+' || cs[pos] == '-')) { - pos += 1; - } - while (pos < slen && isdigit(cs[pos])) { - pos += 1; - } - } else if (isalpha(cs[pos])) { - /* - * oh no, we have something like '6FOO' - * use microsoft style parsing and take just - * the number part and leave the rest to be - * parsed later - */ - st_assign(current, '1', cs + start, pos - start); - return pos; - } - } - - st_assign(current, '1', cs + start, pos - start); - return pos; -} - -int parse_token(sfilter * sf) -{ - stoken_t *current = &sf->syntax_current; - const char *s = sf->s; - const size_t slen = sf->slen; - size_t *pos = &sf->pos; - pt2Function fnptr; - - st_clear(current); - - /* - * if we are at beginning of string - * and in single-quote or double quote mode - * then pretend the input starts with a quote 
- */ - if (*pos == 0 && sf->delim != CHAR_NULL) { - *pos = parse_string_core(s, slen, 0, current, sf->delim, 0); - return TRUE; - } - - while (*pos < slen) { - /* - * get current character - */ - const int ch = (int) (s[*pos]); - - /* - * if not ascii, then continue... - * actually probably need to just assuming - * it's a string - */ - if (ch < 0 || ch > 127) { - *pos += 1; - continue; - } - - /* - * look up the parser, and call it - * - * Porting Note: this is mapping of char to function - * charparsers[ch]() - */ - fnptr = char_parse_map[ch]; - *pos = (*fnptr) (sf); - - /* - * - */ - if (current->type != CHAR_NULL) { - return TRUE; - } - } - return FALSE; -} - -void sfilter_reset(sfilter * sf, const char *s, size_t len) -{ - memset(sf, 0, sizeof(sfilter)); - sf->s = s; - sf->slen = len; -} - -int syntax_merge_words(stoken_t * a, stoken_t * b) -{ - size_t sz1; - size_t sz2; - size_t sz3; - char tmp[ST_MAX_SIZE]; - char ch; - - if (! - (a->type == 'k' || a->type == 'n' || a->type == 'o' - || a->type == 'U')) { - return FALSE; - } - - sz1 = strlen(a->val); - sz2 = strlen(b->val); - sz3 = sz1 + sz2 + 1; - if (sz3 >= ST_MAX_SIZE) { - return FALSE; - } - /* - * oddly annoying last.val + ' ' + current.val - */ - memcpy(tmp, a->val, sz1); - tmp[sz1] = ' '; - memcpy(tmp + sz1 + 1, b->val, sz2); - tmp[sz3] = CHAR_NULL; - - ch = bsearch_keyword_type(tmp, multikeywords, multikeywords_sz); - if (ch != CHAR_NULL) { - /* - * -1, don't copy the null byte - */ - st_assign(a, ch, tmp, sz3); - return TRUE; - } else { - return FALSE; - } -} - -/* This does some simple syntax cleanup based on the token - * - * - */ -int sqli_tokenize(sfilter * sf, stoken_t * sout) -{ - stoken_t *last = &sf->syntax_last; - stoken_t *current = &sf->syntax_current; - - while (parse_token(sf)) { - char ttype = current->type; - - /* - * TBD: hmm forgot logic here. 
- */ - if (ttype == 'c') { - st_copy(&sf->syntax_comment, current); - continue; - } - st_clear(&sf->syntax_comment); - - /* - * If we don't have a saved token, and we have - * a string: save it. if the next token is also a string - * then merge them. e.g. "A" "B" in SQL is actually "AB" - * a n/k/U/o type: save since next token my be merged together - * for example: "LEFT" + "JOIN" = "LEFT JOIN" - * a o/& type: TBD need to review. - * - */ - if (last->type == CHAR_NULL) { - switch (ttype) { - - /* - * items that have special needs - */ - case 's': - st_copy(last, current); - continue; - case 'n': - case 'k': - case 'U': - case '&': - case 'o': - if (st_is_multiword_start(current)) { - st_copy(last, current); - continue; - } else if (current->type == 'o' || current->type == '&') { - /* } else if (st_is_unary_op(current)) { */ - st_copy(last, current); - continue; - } else { - /* - * copy to out - */ - st_copy(sout, current); - return TRUE; - } - default: - /* - * copy to out - */ - st_copy(sout, current); - return TRUE; - } - } - /* - * We have a saved token - */ - - switch (ttype) { - case 's': - if (last->type == 's') { - /* - * "FOO" "BAR" == "FOO" (skip second string) - */ - continue; - } else { - st_copy(sout, last); - st_copy(last, current); - return TRUE; - } - break; - - case 'o': - /* - * first case to handle "IS" + "NOT" - */ - if (syntax_merge_words(last, current)) { - continue; - } else if (st_is_unary_op(current) - && (last->type == 'o' || last->type == '&' - || last->type == 'U')) { - /* - * if an operator is followed by a unary operator, skip it. 
- * 1, + ==> "+" is not unary, it's arithmetic - * AND, + ==> "+" is unary - */ - continue; - } else { - /* - * no match - */ - st_copy(sout, last); - st_copy(last, current); - return TRUE; - } - break; - - case 'n': - case 'k': - if (syntax_merge_words(last, current)) { - continue; - } else { - /* - * total no match - */ - st_copy(sout, last); - st_copy(last, current); - return TRUE; - } - break; - - default: - /* - * fix up for ambigous "IN" - * handle case where IN is typically a function - * but used in compound "IN BOOLEAN MODE" jive - */ - if (last->type == 'n' && !cstrcasecmp(last->val, "IN")) { - st_copy(last, current); - st_assign(sout, 'f', "IN", 2); - return TRUE; - } else { - /* - * no match at all - */ - st_copy(sout, last); - st_copy(last, current); - return TRUE; - } - break; - } - } - - /* - * final cleanup - */ - if (last->type) { - st_copy(sout, last); - st_clear(last); - return TRUE; - } else if (sf->syntax_comment.type) { - /* - * TBD - */ - st_copy(sout, &sf->syntax_comment); - st_clear(&sf->syntax_comment); - return TRUE; - } else { - return FALSE; - } -} - -/* - * My apologies, this code is a mess - */ -int filter_fold(sfilter * sf, stoken_t * sout) -{ - stoken_t *last = &sf->fold_last; - stoken_t *current = &sf->fold_current; - - if (sf->fold_state == 4 && !st_is_empty(last)) { - st_copy(sout, last); - sf->fold_state = 2; - st_clear(last); - return FALSE; - } - - while (sqli_tokenize(sf, current)) { - /* - * 0 = start of statement - * skip ( and unary ops - */ - if (sf->fold_state == 0) { - if (current->type == '(') { - continue; - } - if (st_is_unary_op(current)) { - continue; - } - sf->fold_state = 1; - } - - if (st_is_empty(last)) { - FOLD_DEBUG; - if (current->type == '1' || current->type == 'n' - || current->type == '(') { - sf->fold_state = 2; - st_copy(last, current); - } - st_copy(sout, current); - return FALSE; - } else if (last->type == '(' && st_is_unary_op(current)) { - /* - * similar to beginning of statement - * an opening '(' 
resets state, and we should skip all - * unary operators - */ - continue; - } else if (last->type == '(' && current->type == '(') { - /* if we get another '(' after another - * emit 1, but keep state - */ - st_copy(sout, current); - return FALSE; - } else if ((last->type == '1' || last->type == 'n') - && st_is_arith_op(current)) { - FOLD_DEBUG; - st_copy(last, current); - } else if (last->type == 'o' - && (current->type == '1' || current->type == 'n')) { - FOLD_DEBUG; - st_copy(last, current); - } else { - if (sf->fold_state == 2) { - if (last->type != '1' && last->type != '(' - && last->type != 'n') { - FOLD_DEBUG; - st_copy(sout, last); - st_copy(last, current); - sf->fold_state = 4; - } else { - FOLD_DEBUG; - st_copy(sout, current); - st_clear(last); - } - return FALSE; - } else { - if (last->type == 'o') { - st_copy(sout, last); - st_copy(last, current); - sf->fold_state = 4; - } else { - sf->fold_state = 2; - st_copy(sout, current); - st_clear(last); - } - return FALSE; - } - } - } - - if (!st_is_empty(last)) { - if (st_is_arith_op(last)) { - st_copy(sout, last); - st_clear(last); - return FALSE; - } else { - st_clear(last); - } - } - - /* - * all done: nothing more to parse - */ - return TRUE; -} - -/* secondary api: detects SQLi in a string, GIVEN a context. - * - * A context can be: - * * CHAR_NULL (\0), process as is - * * CHAR_SINGLE ('), process pretending input started with a - * single quote. - * * CHAR_DOUBLE ("), process pretending input started with a - * double quote. 
- * - */ -int is_string_sqli(sfilter * sql_state, const char *s, size_t slen, - const char delim, ptr_fingerprints_fn fn) -{ - int tlen = 0; - char ch; - int patmatch; - int all_done; - - sfilter_reset(sql_state, s, slen); - sql_state->delim = delim; - - while (tlen < MAX_TOKENS) { - all_done = filter_fold(sql_state, &(sql_state->tokenvec[tlen])); - if (all_done) { - break; - } - - sql_state->pat[tlen] = sql_state->tokenvec[tlen].type; - tlen += 1; - } - - /* - * make the fingerprint pattern a c-string (null delimited) - */ - sql_state->pat[tlen] = CHAR_NULL; - - /* - * check for 'X' in pattern - * this means parsing could not be done - * accurately due to pgsql's double comments - * or other syntax that isn't consistent - * should be very rare false positive - */ - if (strchr(sql_state->pat, 'X')) { - return TRUE; - } - - patmatch = fn(sql_state->pat); - - /* - * No match. - * - * Set sql_state->reason to current line number - * only for debugging purposes. - */ - if (!patmatch) { - sql_state->reason = __LINE__; - return FALSE; - } - - /* - * We got a SQLi match - * This next part just helps reduce false positives. - * - */ - switch (tlen) { - case 2:{ - /* - * if 'comment' is '#' ignore.. too many FP - */ - if (sql_state->tokenvec[1].val[0] == '#') { - sql_state->reason = __LINE__; - return FALSE; - } - - /* - * for fingerprint like 'nc', only comments of /x are treated - * as SQL... ending comments of "--" and "#" are not sqli - */ - if (sql_state->tokenvec[0].type == 'n' && - sql_state->tokenvec[1].type == 'c' && - sql_state->tokenvec[1].val[0] != '/') { - sql_state->reason = __LINE__; - return FALSE; - } - - /** - * there are some odd base64-looking query string values - * 1234-ABCDEFEhfhihwuefi-- - * which evaluate to "1c"... these are not SQLi - * but 1234-- probably is. - * Make sure the "1" in "1c" is actually a true decimal number - * - * Need to check -original- string since the folding step - * may have merged tokens, e.g. 
"1+FOO" is folded into "1" - */ - if (sql_state->tokenvec[0].type == '1'&& sql_state->tokenvec[1].type == 'c') { - /* - * we check that next character after the number is either whitespace, - * or '/' or a '-' ==> sqli. - */ - ch = sql_state->s[strlen(sql_state->tokenvec[0].val)]; - if ( ch <= 32 ) { - /* next char was whitespace,e.g. "1234 --" - * this isn't exactly correct.. ideally we should skip over all whitespace - * but this seems to be ok for now - */ - return TRUE; - } - if (ch == '/' && sql_state->s[strlen(sql_state->tokenvec[0].val) + 1] == '*') { - return TRUE; - } - if (ch == '-' && sql_state->s[strlen(sql_state->tokenvec[0].val) + 1] == '-') { - return TRUE; - } - - sql_state->reason = __LINE__; - return FALSE; - } - - /* - * detect obvious sqli scans.. many people put '--' in plain text - * so only detect if input ends with '--', e.g. 1-- but not 1-- foo - */ - if ((strlen(sql_state->tokenvec[1].val) > 2) - && sql_state->tokenvec[1].val[0] == '-') { - sql_state->reason = __LINE__; - return FALSE; - } - - break; - } /* case 2 */ - case 3:{ - /* - * ...foo' + 'bar... - * no opening quote, no closing quote - * and each string has data - */ - if (streq(sql_state->pat, "sos") - || streq(sql_state->pat, "s&s")) { - if ((sql_state->tokenvec[0].str_open == CHAR_NULL) - && (sql_state->tokenvec[2].str_close == CHAR_NULL)) { - /* - * if ....foo" + "bar.... - */ - return TRUE; - } else { - /* - * not sqli - */ - sql_state->reason = __LINE__; - return FALSE; - } - break; - } - } /* case 3 */ - case 5: { - if (streq(sql_state->pat, "sosos")) { - if (sql_state->tokenvec[0].str_open == CHAR_NULL) { - /* - * if ....foo" + "bar.... - */ - return TRUE; - } else { - /* - * not sqli - */ - sql_state->reason = __LINE__; - return FALSE; - } - break; - } - } /* case 5 */ - } /* end switch */ - - return TRUE; -} - -/** Main API, detects SQLi in an input. 
- * - * - */ -int is_sqli(sfilter * sql_state, const char *s, size_t slen, - ptr_fingerprints_fn fn) -{ - - /* - * no input? not sqli - */ - if (slen == 0) { - return FALSE; - } - - /* - * test input "as-is" - */ - if (is_string_sqli(sql_state, s, slen, CHAR_NULL, fn)) { - return TRUE; - } - - /* - * if input has a single_quote, then - * test as if input was actually ' - * example: if input if "1' = 1", then pretend it's - * "'1' = 1" - * Porting Notes: example the same as doing - * is_string_sqli(sql_state, "'" + s, slen+1, NULL, fn) - * - */ - if (memchr(s, CHAR_SINGLE, slen) - && is_string_sqli(sql_state, s, slen, CHAR_SINGLE, fn)) { - return TRUE; - } - - /* - * same as above but with a double-quote " - */ - if (memchr(s, CHAR_DOUBLE, slen) - && is_string_sqli(sql_state, s, slen, CHAR_DOUBLE, fn)) { - return TRUE; - } - - /* - * Hurray, input is not SQLi - */ - return FALSE; -} | ||
[+] | Deleted | modsecurity-apache_2.7.4.tar.bz2/apache2/libinjection/sqlparse.h ^ |
@@ -1,113 +0,0 @@ -/** - * Copyright 2012, 2013 Nick Galbreath - * nickg@client9.com - * BSD License -- see COPYING.txt for details - * - * - * HOW TO USE: - * - * // Normalize query or postvar value - * // If it comes in urlencoded, then it's up to you - * // to urldecode it. If it's in correct form already - * // then nothing to do! - * - * sfilter s; - * int sqli = is_sqli(&s, user_string, new_len); - * - * // 0 = not sqli - * // 1 = is sqli - * - * // That's it! sfilter s has some data on how it matched or not - * // details to come! - * - */ - -#ifndef _SQLPARSE_H -#define _SQLPARSE_H - -#ifdef __cplusplus -extern "C" { -#endif - -/* - * Version info. - * See python's normalized version - * http://www.python.org/dev/peps/pep-0386/#normalizedversion - */ -#define LIBINJECTION_VERSION "1.2.0" - -#define ST_MAX_SIZE 32 -#define MAX_TOKENS 5 - -#define CHAR_NULL '\0' -#define CHAR_SINGLE '\'' -#define CHAR_DOUBLE '"' - -typedef struct { - char type; - char str_open; - char str_close; - char val[ST_MAX_SIZE]; -} stoken_t; - -typedef struct { - /* input */ - const char *s; - size_t slen; - - /* current tokenize state */ - size_t pos; - int in_comment; - - /* syntax fixups state */ - stoken_t syntax_current; - stoken_t syntax_last; - stoken_t syntax_comment; - - /* constant folding state */ - stoken_t fold_current; - stoken_t fold_last; - int fold_state; - - /* final sqli data */ - stoken_t tokenvec[MAX_TOKENS]; - - /* +1 for ending null */ - char pat[MAX_TOKENS + 1]; - char delim; - int reason; -} sfilter; - -/** - * Pointer to function, takes cstr input, return true/false - */ -typedef int (*ptr_fingerprints_fn)(const char*); - -/** - * Main API: tests for SQLi in three possible contexts, no quotes, - * single quote and double quote - * - * \return 1 (true) if SQLi, 0 (false) if benign - */ -int is_sqli(sfilter * sql_state, const char *s, size_t slen, - ptr_fingerprints_fn fn); - -/** - * This detects SQLi in a single context, mostly useful for custom - * logic and 
debugging. - * - * \param delim must be "NULL" (no context), single quote or double quote. - * Other values will likely be ignored. - * - * \return 1 (true) if SQLi, 0 (false) if not SQLi **in this context** - * - */ -int is_string_sqli(sfilter * sql_state, const char *s, size_t slen, - const char delim, - ptr_fingerprints_fn fn); - -#ifdef __cplusplus -} -#endif - -#endif /* _SQLPARSE_H */ | ||
[+] | Deleted | modsecurity-apache_2.7.4.tar.bz2/apache2/libinjection/sqlparse_data.h ^ |
@@ -1,983 +0,0 @@ -#ifndef _SQLPARSE_DATA_H -#define _SQLPARSE_DATA_H -#include "sqlparse.h" - -static const char* operators2[] = { - "!!", - "!<", - "!=", - "!>", - "!~", - "%=", - "&&", - "&=", - "*=", - "+=", - "-=", - "/=", - ":=", - "<<", - "<=", - "<>", - "<@", - ">=", - ">>", - "@>", - "^=", - "|/", - "|=", - "||", - "~*", -}; -static const size_t operators2_sz = 25; - -static const keyword_t sql_keywords[] = { - {"ABS", 'f'}, - {"ACCESSIBLE", 'k'}, - {"ACOS", 'f'}, - {"ADD", 'k'}, - {"ADDDATE", 'f'}, - {"ADDTIME", 'f'}, - {"AES_DECRYPT", 'f'}, - {"AES_ENCRYPT", 'f'}, - {"AGAINST", 'k'}, - {"AGE", 'f'}, - {"ALL_USERS", 'k'}, - {"ALTER", 'k'}, - {"ANALYZE", 'k'}, - {"AND", '&'}, - {"APPLOCK_MODE", 'f'}, - {"APPLOCK_TEST", 'f'}, - {"APP_NAME", 'f'}, - {"ARRAY_AGG", 'f'}, - {"ARRAY_CAT", 'f'}, - {"ARRAY_DIM", 'f'}, - {"ARRAY_FILL", 'f'}, - {"ARRAY_LENGTH", 'f'}, - {"ARRAY_LOWER", 'f'}, - {"ARRAY_NDIMS", 'f'}, - {"ARRAY_PREPEND", 'f'}, - {"ARRAY_TO_JSON", 'f'}, - {"ARRAY_TO_STRING", 'f'}, - {"ARRAY_UPPER", 'f'}, - {"AS", 'k'}, - {"ASC", 'k'}, - {"ASCII", 'f'}, - {"ASENSITIVE", 'k'}, - {"ASIN", 'f'}, - {"ASSEMBLYPROPERTY", 'f'}, - {"ASYMKEY_ID", 'f'}, - {"ATAN", 'f'}, - {"ATAN2", 'f'}, - {"AVG", 'f'}, - {"BEFORE", 'k'}, - {"BEGIN", 'k'}, - {"BENCHMARK", 'f'}, - {"BETWEEN", 'k'}, - {"BIGINT", 'k'}, - {"BIN", 'f'}, - {"BINARY", 'k'}, - {"BINARY_DOUBLE_INFINITY", '1'}, - {"BINARY_DOUBLE_NAN", '1'}, - {"BINARY_FLOAT_INFINITY", '1'}, - {"BINARY_FLOAT_NAN", '1'}, - {"BINBINARY", 'f'}, - {"BIT_AND", 'f'}, - {"BIT_COUNT", 'f'}, - {"BIT_LENGTH", 'f'}, - {"BIT_OR", 'f'}, - {"BIT_XOR", 'f'}, - {"BLOB", 'k'}, - {"BOOLEAN", 'k'}, - {"BOOL_AND", 'f'}, - {"BOOL_OR", 'f'}, - {"BOTH", 'k'}, - {"BTRIM", 'f'}, - {"BY", 'n'}, - {"CALL", 'k'}, - {"CASCADE", 'k'}, - {"CASE", 'o'}, - {"CAST", 'f'}, - {"CBOOL", 'f'}, - {"CBRT", 'f'}, - {"CBYTE", 'f'}, - {"CCUR", 'f'}, - {"CDATE", 'f'}, - {"CDBL", 'f'}, - {"CEIL", 'f'}, - {"CEILING", 'f'}, - {"CERTENCODED", 'f'}, - {"CERTPRIVATEKEY", 
'f'}, - {"CERT_ID", 'f'}, - {"CERT_PROPERTY", 'f'}, - {"CHANGE", 'k'}, - {"CHAR", 'f'}, - {"CHARACTER", 'k'}, - {"CHARACTER_LENGTH", 'f'}, - {"CHARINDEX", 'f'}, - {"CHARSET", 'f'}, - {"CHAR_LENGTH", 'f'}, - {"CHDIR", 'f'}, - {"CHDRIVE", 'f'}, - {"CHECK", 'k'}, - {"CHECKSUM_AGG", 'f'}, - {"CHOOSE", 'f'}, - {"CHR", 'f'}, - {"CINT", 'f'}, - {"CLNG", 'f'}, - {"CLOCK_TIMESTAMP", 'f'}, - {"COALESCE", 'k'}, - {"COERCIBILITY", 'f'}, - {"COLLATE", 'k'}, - {"COLLATION", 'f'}, - {"COLLATIONPROPERTY", 'f'}, - {"COLUMN", 'k'}, - {"COLUMNPROPERTY", 'f'}, - {"COLUMNS_UPDATED", 'f'}, - {"COL_LENGTH", 'f'}, - {"COL_NAME", 'f'}, - {"COMPRESS", 'f'}, - {"CONCAT", 'f'}, - {"CONCAT_WS", 'f'}, - {"CONDITION", 'k'}, - {"CONNECTION_ID", 'f'}, - {"CONSTRAINT", 'k'}, - {"CONTINUE", 'k'}, - {"CONV", 'f'}, - {"CONVERT", 'f'}, - {"CONVERT_FROM", 'f'}, - {"CONVERT_TO", 'f'}, - {"CONVERT_TZ", 'f'}, - {"COS", 'f'}, - {"COT", 'f'}, - {"COUNT", 'f'}, - {"COUNT_BIG", 'k'}, - {"CRC32", 'f'}, - {"CREATE", 'k'}, - {"CSNG", 'f'}, - {"CTXSYS.DRITHSX.SN", 'f'}, - {"CUME_DIST", 'f'}, - {"CURDATE", 'f'}, - {"CURDIR", 'f'}, - {"CURRENTUSER", 'f'}, - {"CURRENT_DATABASE", 'f'}, - {"CURRENT_DATE", 'k'}, - {"CURRENT_QUERY", 'f'}, - {"CURRENT_SCHEMA", 'f'}, - {"CURRENT_SCHEMAS", 'f'}, - {"CURRENT_SETTING", 'p'}, - {"CURRENT_TIME", 'k'}, - {"CURRENT_TIMESTAMP", 'k'}, - {"CURRENT_USER", 'k'}, - {"CURRVAL", 'f'}, - {"CURSOR", 'k'}, - {"CURSOR_STATUS", 'f'}, - {"CURTIME", 'f'}, - {"CVAR", 'f'}, - {"DATABASE", 'k'}, - {"DATABASEPROPERTYEX", 'f'}, - {"DATABASES", 'k'}, - {"DATABASE_PRINCIPAL_ID", 'f'}, - {"DATALENGTH", 'f'}, - {"DATE", 'f'}, - {"DATEADD", 'f'}, - {"DATEDIFF", 'f'}, - {"DATEFROMPARTS", 'f'}, - {"DATENAME", 'f'}, - {"DATEPART", 'f'}, - {"DATESERIAL", 'f'}, - {"DATETIME2FROMPARTS", 'f'}, - {"DATETIMEFROMPARTS", 'f'}, - {"DATETIMEOFFSETFROMPARTS", 'f'}, - {"DATEVALUE", 'f'}, - {"DATE_ADD", 'f'}, - {"DATE_FORMAT", 'f'}, - {"DATE_PART", 'f'}, - {"DATE_SUB", 'f'}, - {"DATE_TRUNC", 'f'}, - {"DAVG", 'f'}, - 
{"DAY", 'f'}, - {"DAYNAME", 'f'}, - {"DAYOFMONTH", 'f'}, - {"DAYOFWEEK", 'f'}, - {"DAYOFYEAR", 'f'}, - {"DAY_HOUR", 'k'}, - {"DAY_MICROSECOND", 'k'}, - {"DAY_MINUTE", 'k'}, - {"DAY_SECOND", 'k'}, - {"DBMS_PIPE.RECEIVE_MESSAGE", 'f'}, - {"DB_ID", 'f'}, - {"DB_NAME", 'f'}, - {"DCOUNT", 'f'}, - {"DEC", 'k'}, - {"DECIMAL", 'k'}, - {"DECLARE", 'k'}, - {"DECODE", 'f'}, - {"DECRYPTBYASMKEY", 'f'}, - {"DECRYPTBYCERT", 'f'}, - {"DECRYPTBYKEY", 'f'}, - {"DECRYPTBYKEYAUTOCERT", 'f'}, - {"DECRYPTBYPASSPHRASE", 'f'}, - {"DEFAULT", 'k'}, - {"DEGREES", 'f'}, - {"DELAY", 'k'}, - {"DELAYED", 'k'}, - {"DELETE", 'k'}, - {"DENSE_RANK", 'f'}, - {"DESC", 'k'}, - {"DESCRIBE", 'k'}, - {"DES_DECRYPT", 'f'}, - {"DES_ENCRYPT", 'f'}, - {"DETERMINISTIC", 'k'}, - {"DFIRST", 'f'}, - {"DIFFERENCE", 'f'}, - {"DISTINCROW", 'k'}, - {"DISTINCT", 'k'}, - {"DIV", 'o'}, - {"DLAST", 'f'}, - {"DLOOKUP", 'f'}, - {"DMAX", 'f'}, - {"DMIN", 'f'}, - {"DROP", 'k'}, - {"DSUM", 'f'}, - {"DUAL", 'k'}, - {"EACH", 'k'}, - {"ELSE", 'k'}, - {"ELSEIF", 'k'}, - {"ELT", 'f'}, - {"ENCLOSED", 'k'}, - {"ENCODE", 'f'}, - {"ENCRYPT", 'f'}, - {"ENCRYPTBYASMKEY", 'f'}, - {"ENCRYPTBYCERT", 'f'}, - {"ENCRYPTBYKEY", 'f'}, - {"ENCRYPTBYPASSPHRASE", 'f'}, - {"ENUM_FIRST", 'f'}, - {"ENUM_LAST", 'f'}, - {"ENUM_RANGE", 'f'}, - {"EOMONTH", 'f'}, - {"ESCAPED", 'k'}, - {"EVENTDATA", 'f'}, - {"EXEC", 'k'}, - {"EXECUTE", 'k'}, - {"EXISTS", 'k'}, - {"EXIT", 'k'}, - {"EXP", 'f'}, - {"EXPLAIN", 'k'}, - {"EXPORT_SET", 'f'}, - {"EXTRACT", 'f'}, - {"EXTRACTVALUE", 'f'}, - {"EXTRACT_VALUE", 'f'}, - {"FALSE", '1'}, - {"FETCH", 'k'}, - {"FIELD", 'f'}, - {"FILEDATETIME", 'f'}, - {"FILEGROUPPROPERTY", 'f'}, - {"FILEGROUP_ID", 'f'}, - {"FILEGROUP_NAME", 'f'}, - {"FILELEN", 'f'}, - {"FILEPROPERTY", 'f'}, - {"FILE_ID", 'f'}, - {"FILE_IDEX", 'f'}, - {"FILE_NAME", 'f'}, - {"FIND_IN_SET", 'f'}, - {"FIRST_VALUE", 'f'}, - {"FLOOR", 'f'}, - {"FN_VIRTUALFILESTATS", 'f'}, - {"FOR", 'n'}, - {"FORCE", 'k'}, - {"FOREIGN", 'k'}, - {"FORMAT", 'f'}, - {"FOUND_ROWS", 
'f'}, - {"FROM", 'k'}, - {"FROM_DAYS", 'f'}, - {"FROM_UNIXTIME", 'f'}, - {"FULLTEXT", 'k'}, - {"FULLTEXTCATALOGPROPERTY", 'f'}, - {"FULLTEXTSERVICEPROPERTY", 'f'}, - {"GENERATE_SERIES", 'f'}, - {"GENERATE_SUBSCRIPTS", 'f'}, - {"GETATTR", 'f'}, - {"GETDATE", 'f'}, - {"GETUTCDATE", 'f'}, - {"GET_BIT", 'f'}, - {"GET_BYTE", 'f'}, - {"GET_FORMAT", 'f'}, - {"GET_LOCK", 'f'}, - {"GOTO", 'k'}, - {"GRANT", 'k'}, - {"GREATEST", 'f'}, - {"GROUP", 'n'}, - {"GROUPING", 'f'}, - {"GROUPING_ID", 'f'}, - {"GROUP_CONCAT", 'f'}, - {"HASHBYTES", 'f'}, - {"HAS_PERMS_BY_NAME", 'f'}, - {"HAVING", 'k'}, - {"HEX", 'f'}, - {"HIGH_PRIORITY", 'k'}, - {"HOST_NAME", 'f'}, - {"HOUR", 'f'}, - {"HOUR_MICROSECOND", 'k'}, - {"HOUR_MINUTE", 'k'}, - {"HOUR_SECOND", 'k'}, - {"IDENTIFY", 'f'}, - {"IDENT_CURRENT", 'f'}, - {"IDENT_INCR", 'f'}, - {"IDENT_SEED", 'f'}, - {"IF", 'k'}, - {"IFF", 'f'}, - {"IFNULL", 'f'}, - {"IGNORE", 'k'}, - {"IIF", 'f'}, - {"IN", 'n'}, - {"INDEX", 'k'}, - {"INDEXKEY_PROPERTY", 'f'}, - {"INDEXPROPERTY", 'f'}, - {"INDEX_COL", 'f'}, - {"INET_ATON", 'f'}, - {"INET_NTOA", 'f'}, - {"INFILE", 'k'}, - {"INITCAP", 'f'}, - {"INNER", 'k'}, - {"INOUT", 'k'}, - {"INSENSITIVE", 'k'}, - {"INSERT", 'k'}, - {"INSTR", 'f'}, - {"INSTRREV", 'f'}, - {"INT", 'k'}, - {"INT1", 'k'}, - {"INT2", 'k'}, - {"INT3", 'k'}, - {"INT4", 'k'}, - {"INT8", 'k'}, - {"INTEGER", 'k'}, - {"INTERVAL", 'k'}, - {"INTO", 'k'}, - {"IS", 'o'}, - {"ISDATE", 'f'}, - {"ISEMPTY", 'f'}, - {"ISFINITE", 'f'}, - {"ISNULL", 'f'}, - {"ISNUMERIC", 'f'}, - {"IS_FREE_LOCK", 'f'}, - {"IS_MEMBER", 'f'}, - {"IS_OBJECTSIGNED", 'f'}, - {"IS_ROLEMEMBER", 'f'}, - {"IS_SRVROLEMEMBER", 'f'}, - {"IS_USED_LOCK", 'f'}, - {"ITERATE", 'k'}, - {"JOIN", 'k'}, - {"JUSTIFY_DAYS", 'f'}, - {"JUSTIFY_HOURS", 'f'}, - {"JUSTIFY_INTERVAL", 'f'}, - {"KEYS", 'k'}, - {"KEY_GUID", 'f'}, - {"KEY_ID", 'f'}, - {"KILL", 'k'}, - {"LAG", 'f'}, - {"LASTVAL", 'f'}, - {"LAST_INSERT_ID", 'f'}, - {"LAST_VALUE", 'f'}, - {"LCASE", 'f'}, - {"LEAD", 'f'}, - {"LEADING", 'k'}, - 
{"LEAST", 'f'}, - {"LEAVE", 'k'}, - {"LEFT", 'n'}, - {"LENGTH", 'f'}, - {"LIKE", 'o'}, - {"LIMIT", 'k'}, - {"LINEAR", 'k'}, - {"LINES", 'k'}, - {"LN", 'f'}, - {"LOAD", 'k'}, - {"LOAD_FILE", 'f'}, - {"LOCALTIME", 'k'}, - {"LOCALTIMESTAMP", 'k'}, - {"LOCATE", 'f'}, - {"LOCK", 'n'}, - {"LOG", 'f'}, - {"LOG10", 'f'}, - {"LOG2", 'f'}, - {"LONGBLOB", 'k'}, - {"LONGTEXT", 'k'}, - {"LOOP", 'k'}, - {"LOWER", 'f'}, - {"LOWER_INC", 'f'}, - {"LOWER_INF", 'f'}, - {"LOW_PRIORITY", 'k'}, - {"LPAD", 'f'}, - {"LTRIM", 'f'}, - {"MAKEDATE", 'f'}, - {"MAKE_SET", 'f'}, - {"MASKLEN", 'f'}, - {"MASTER_BIND", 'k'}, - {"MASTER_POS_WAIT", 'f'}, - {"MASTER_SSL_VERIFY_SERVER_CERT", 'k'}, - {"MATCH", 'k'}, - {"MAX", 'f'}, - {"MAXVALUE", 'k'}, - {"MD5", 'f'}, - {"MEDIUMBLOB", 'k'}, - {"MEDIUMINT", 'k'}, - {"MEDIUMTEXT", 'k'}, - {"MERGE", 'k'}, - {"MICROSECOND", 'f'}, - {"MID", 'f'}, - {"MIDDLEINT", 'k'}, - {"MIN", 'f'}, - {"MINUTE", 'f'}, - {"MINUTE_MICROSECOND", 'k'}, - {"MINUTE_SECOND", 'k'}, - {"MKDIR", 'f'}, - {"MOD", 'o'}, - {"MODE", 'n'}, - {"MODIFIES", 'k'}, - {"MONTH", 'f'}, - {"MONTHNAME", 'f'}, - {"NAME_CONST", 'f'}, - {"NETMASK", 'f'}, - {"NEXTVAL", 'f'}, - {"NOT", 'o'}, - {"NOW", 'f'}, - {"NO_WRITE_TO_BINLOG", 'k'}, - {"NTH_VALUE", 'f'}, - {"NTILE", 'f'}, - {"NULL", '1'}, - {"NULLIF", 'f'}, - {"NUMERIC", 'k'}, - {"NZ", 'f'}, - {"OBJECTPROPERTY", 'f'}, - {"OBJECTPROPERTYEX", 'f'}, - {"OBJECT_DEFINITION", 'f'}, - {"OBJECT_ID", 'f'}, - {"OBJECT_NAME", 'f'}, - {"OBJECT_SCHEMA_NAME", 'f'}, - {"OCT", 'f'}, - {"OCTET_LENGTH", 'f'}, - {"OFFSET", 'k'}, - {"OLD_PASSWORD", 'f'}, - {"ONE_SHOT", 'k'}, - {"OPEN", 'k'}, - {"OPENDATASOURCE", 'f'}, - {"OPENQUERY", 'f'}, - {"OPENROWSET", 'f'}, - {"OPENXML", 'f'}, - {"OPTIMIZE", 'k'}, - {"OPTION", 'k'}, - {"OPTIONALLY", 'k'}, - {"OR", '&'}, - {"ORD", 'f'}, - {"ORDER", 'n'}, - {"ORIGINAL_DB_NAME", 'f'}, - {"ORIGINAL_LOGIN", 'f'}, - {"OUT", 'k'}, - {"OUTFILE", 'k'}, - {"OVERLAPS", 'f'}, - {"OVERLAY", 'f'}, - {"OWN3D", 'k'}, - {"PARSENAME", 'f'}, - 
{"PARTITION", 'k'}, - {"PASSWORD", 'k'}, - {"PATHINDEX", 'f'}, - {"PATINDEX", 'f'}, - {"PERCENTILE_COUNT", 'f'}, - {"PERCENTILE_DISC", 'f'}, - {"PERCENTILE_RANK", 'f'}, - {"PERCENT_RANK", 'f'}, - {"PERIOD_ADD", 'f'}, - {"PERIOD_DIFF", 'f'}, - {"PERMISSIONS", 'f'}, - {"PG_ADVISORY_LOCK", 'f'}, - {"PG_BACKEND_PID", 'f'}, - {"PG_CANCEL_BACKEND", 'f'}, - {"PG_CLIENT_ENCODING", 'f'}, - {"PG_CONF_LOAD_TIME", 'f'}, - {"PG_CREATE_RESTORE_POINT", 'f'}, - {"PG_HAS_ROLE", 'f'}, - {"PG_IS_IN_RECOVERY", 'f'}, - {"PG_IS_OTHER_TEMP_SCHEMA", 'f'}, - {"PG_LISTENING_CHANNELS", 'f'}, - {"PG_LS_DIR", 'f'}, - {"PG_MY_TEMP_SCHEMA", 'f'}, - {"PG_POSTMASTER_START_TIME", 'f'}, - {"PG_READ_BINARY_FILE", 'f'}, - {"PG_READ_FILE", 'f'}, - {"PG_RELOAD_CONF", 'f'}, - {"PG_ROTATE_LOGFILE", 'f'}, - {"PG_SLEEP", 'f'}, - {"PG_START_BACKUP", 'f'}, - {"PG_STAT_FILE", 'f'}, - {"PG_STOP_BACKUP", 'f'}, - {"PG_SWITCH_XLOG", 'f'}, - {"PG_TERMINATE_BACKEND", 'f'}, - {"PG_TRIGGER_DEPTH", 'f'}, - {"PI", 'f'}, - {"POSITION", 'f'}, - {"POW", 'f'}, - {"POWER", 'f'}, - {"PRECISION", 'k'}, - {"PRIMARY", 'k'}, - {"PROCEDURE", 'k'}, - {"PUBLISHINGSERVERNAME", 'f'}, - {"PURGE", 'k'}, - {"PWDCOMPARE", 'f'}, - {"PWDENCRYPT", 'f'}, - {"QUARTER", 'f'}, - {"QUOTE", 'f'}, - {"QUOTENAME", 'f'}, - {"QUOTE_IDENT", 'f'}, - {"QUOTE_LITERAL", 'f'}, - {"QUOTE_NULLABLE", 'f'}, - {"RADIANS", 'f'}, - {"RAND", 'f'}, - {"RANDOM", 'f'}, - {"RANDOMBLOB", 'f'}, - {"RANGE", 'k'}, - {"RANK", 'f'}, - {"READ", 'k'}, - {"READS", 'k'}, - {"READ_WRITE", 'k'}, - {"REAL", 'n'}, - {"REFERENCES", 'k'}, - {"REGEXP", 'o'}, - {"REGEXP_MATCHES", 'f'}, - {"REGEXP_REPLACE", 'f'}, - {"REGEXP_SPLIT_TO_ARRAY", 'f'}, - {"REGEXP_SPLIT_TO_TABLE", 'f'}, - {"RELEASE", 'k'}, - {"RELEASE_LOCK", 'f'}, - {"RENAME", 'k'}, - {"REPEAT", 'k'}, - {"REPLACE", 'k'}, - {"REPLICATE", 'f'}, - {"REQUIRE", 'k'}, - {"RESIGNAL", 'k'}, - {"RESTRICT", 'k'}, - {"RETURN", 'k'}, - {"REVERSE", 'f'}, - {"REVOKE", 'k'}, - {"RIGHT", 'n'}, - {"RLIKE", 'o'}, - {"ROUND", 'f'}, - {"ROW", 
'f'}, - {"ROW_COUNT", 'f'}, - {"ROW_NUMBER", 'f'}, - {"ROW_TO_JSON", 'f'}, - {"RPAD", 'f'}, - {"RTRIM", 'f'}, - {"SCHAMA_NAME", 'f'}, - {"SCHEMA", 'k'}, - {"SCHEMAS", 'k'}, - {"SCHEMA_ID", 'f'}, - {"SCOPE_IDENTITY", 'f'}, - {"SECOND_MICROSECOND", 'k'}, - {"SEC_TO_TIME", 'f'}, - {"SELECT", 'k'}, - {"SENSITIVE", 'k'}, - {"SEPARATOR", 'k'}, - {"SESSION_USER", 'f'}, - {"SET", 'k'}, - {"SETATTR", 'f'}, - {"SETSEED", 'f'}, - {"SETVAL", 'f'}, - {"SET_BIT", 'f'}, - {"SET_BYTE", 'f'}, - {"SET_CONFIG", 'f'}, - {"SET_MASKLEN", 'f'}, - {"SHA", 'f'}, - {"SHA1", 'f'}, - {"SHA2", 'f'}, - {"SHOW", 'n'}, - {"SHUTDOWN", 'k'}, - {"SIGN", 'f'}, - {"SIGNAL", 'k'}, - {"SIGNBYASMKEY", 'f'}, - {"SIGNBYCERT", 'f'}, - {"SIMILAR", 'k'}, - {"SIN", 'f'}, - {"SLEEP", 'f'}, - {"SMALLDATETIMEFROMPARTS", 'f'}, - {"SMALLINT", 'k'}, - {"SOUNDEX", 'f'}, - {"SOUNDS", 'o'}, - {"SPACE", 'f'}, - {"SPATIAL", 'k'}, - {"SPECIFIC", 'k'}, - {"SPLIT_PART", 'f'}, - {"SQL", 'k'}, - {"SQLEXCEPTION", 'k'}, - {"SQLSTATE", 'k'}, - {"SQLWARNING", 'k'}, - {"SQL_BIG_RESULT", 'k'}, - {"SQL_CALC_FOUND_ROWS", 'k'}, - {"SQL_SMALL_RESULT", 'k'}, - {"SQL_VARIANT_PROPERTY", 'f'}, - {"SQRT", 'f'}, - {"SSL", 'k'}, - {"STARTING", 'k'}, - {"STATEMENT_TIMESTAMP", 'f'}, - {"STATS_DATE", 'f'}, - {"STDDEV", 'p'}, - {"STDDEV_POP", 'f'}, - {"STDDEV_SAMP", 'f'}, - {"STRAIGHT_JOIN", 'k'}, - {"STRCMP", 'f'}, - {"STRCONV", 'f'}, - {"STRING_AGG", 'f'}, - {"STRING_TO_ARRAY", 'f'}, - {"STRPOS", 'f'}, - {"STR_TO_DATE", 'f'}, - {"STUFF", 'f'}, - {"SUBDATE", 'f'}, - {"SUBSTR", 'f'}, - {"SUBSTRING", 'f'}, - {"SUBSTRING_INDEX", 'f'}, - {"SUBTIME", 'f'}, - {"SUM", 'f'}, - {"SUSER_ID", 'f'}, - {"SUSER_NAME", 'f'}, - {"SUSER_SID", 'f'}, - {"SUSER_SNAME", 'f'}, - {"SWITCHOFFET", 'f'}, - {"SYS.FN_BUILTIN_PERMISSIONS", 'f'}, - {"SYS.FN_GET_AUDIT_FILE", 'f'}, - {"SYS.FN_MY_PERMISSIONS", 'f'}, - {"SYS.STRAGG", 'f'}, - {"SYSCOLUMNS", 'k'}, - {"SYSDATE", 'f'}, - {"SYSDATETIME", 'f'}, - {"SYSDATETIMEOFFSET", 'f'}, - {"SYSOBJECTS", 'k'}, - {"SYSTEM_USER", 
'f'}, - {"SYSUSERS", 'k'}, - {"SYSUTCDATETME", 'f'}, - {"TABLE", 'k'}, - {"TAN", 'f'}, - {"TERMINATED", 'k'}, - {"TERTIARY_WEIGHTS", 'f'}, - {"TEXTPTR", 'f'}, - {"TEXTVALID", 'f'}, - {"THEN", 'k'}, - {"TIME", 'k'}, - {"TIMEDIFF", 'f'}, - {"TIMEFROMPARTS", 'f'}, - {"TIMEOFDAY", 'f'}, - {"TIMESERIAL", 'f'}, - {"TIMESTAMP", 'f'}, - {"TIMESTAMPADD", 'f'}, - {"TIMEVALUE", 'f'}, - {"TIME_FORMAT", 'f'}, - {"TIME_TO_SEC", 'f'}, - {"TINYBLOB", 'k'}, - {"TINYINT", 'k'}, - {"TINYTEXT", 'k'}, - {"TODATETIMEOFFSET", 'f'}, - {"TOP", 'k'}, - {"TO_ASCII", 'f'}, - {"TO_CHAR", 'f'}, - {"TO_DATE", 'f'}, - {"TO_DAYS", 'f'}, - {"TO_HEX", 'f'}, - {"TO_NUMBER", 'f'}, - {"TO_SECONDS", 'f'}, - {"TO_TIMESTAMP", 'f'}, - {"TRAILING", 'n'}, - {"TRANSACTION_TIMESTAMP", 'f'}, - {"TRANSLATE", 'f'}, - {"TRIGGER", 'k'}, - {"TRIGGER_NESTLEVEL", 'f'}, - {"TRIM", 'f'}, - {"TRUE", '1'}, - {"TRUNC", 'f'}, - {"TRUNCATE", 'f'}, - {"TRY_CAST", 'f'}, - {"TRY_CONVERT", 'f'}, - {"TRY_PARSE", 'f'}, - {"TYPEPROPERTY", 'f'}, - {"TYPE_ID", 'f'}, - {"TYPE_NAME", 'f'}, - {"UCASE", 'f'}, - {"UNCOMPRESS", 'f'}, - {"UNCOMPRESS_LENGTH", 'f'}, - {"UNDO", 'k'}, - {"UNHEX", 'f'}, - {"UNION", 'U'}, - {"UNIQUE", 'n'}, - {"UNIX_TIMESTAMP", 'f'}, - {"UNI_ON", 'U'}, - {"UNKNOWN", 'k'}, - {"UNLOCK", 'k'}, - {"UNNEST", 'f'}, - {"UNSIGNED", 'k'}, - {"UPDATE", 'k'}, - {"UPDATEXML", 'f'}, - {"UPPER", 'f'}, - {"UPPER_INC", 'f'}, - {"UPPER_INF", 'f'}, - {"USAGE", 'k'}, - {"USE", 'k'}, - {"USER_ID", 'n'}, - {"USER_NAME", 'f'}, - {"USING", 'f'}, - {"UTC_DATE", 'k'}, - {"UTC_TIME", 'k'}, - {"UTC_TIMESTAMP", 'k'}, - {"UTL_INADDR.GET_HOST_ADDRESS", 'f'}, - {"UUID", 'f'}, - {"UUID_SHORT", 'f'}, - {"VALUES", 'k'}, - {"VAR", 'f'}, - {"VARBINARY", 'k'}, - {"VARCHAR", 'k'}, - {"VARCHARACTER", 'k'}, - {"VARIANCE", 'f'}, - {"VARP", 'f'}, - {"VARYING", 'k'}, - {"VAR_POP", 'f'}, - {"VAR_SAMP", 'f'}, - {"VERIFYSIGNEDBYASMKEY", 'f'}, - {"VERIFYSIGNEDBYCERT", 'f'}, - {"VERSION", 'f'}, - {"WAITFOR", 'k'}, - {"WEEK", 'f'}, - {"WEEKDAY", 'f'}, - 
{"WEEKDAYNAME", 'f'}, - {"WEEKOFYEAR", 'f'}, - {"WHEN", 'k'}, - {"WHERE", 'k'}, - {"WHILE", 'k'}, - {"WIDTH_BUCKET", 'f'}, - {"WITH", 'k'}, - {"XMLAGG", 'f'}, - {"XMLCOMMENT", 'f'}, - {"XMLCONCAT", 'f'}, - {"XMLELEMENT", 'f'}, - {"XMLEXISTS", 'f'}, - {"XMLFOREST", 'f'}, - {"XMLFORMAT", 'f'}, - {"XMLPI", 'f'}, - {"XMLROOT", 'f'}, - {"XMLTYPE", 'f'}, - {"XML_IS_WELL_FORMED", 'f'}, - {"XOR", 'o'}, - {"XPATH", 'f'}, - {"XPATH_EXISTS", 'f'}, - {"XP_EXECRESULTSET", 'k'}, - {"YEAR", 'f'}, - {"YEARWEEK", 'f'}, - {"YEAR_MONTH", 'k'}, - {"ZEROFILL", 'k'}, -}; -static const size_t sql_keywords_sz = 737; -static const char* multikeywords_start[] = { - "ALTER", - "AT", - "AT TIME", - "CROSS", - "FULL", - "GROUP", - "IN", - "IN BOOLEAN", - "INTERSECT", - "IS", - "IS DISTINCT", - "IS NOT", - "LEFT", - "LOCK", - "NATURAL", - "NEXT", - "NEXT VALUE", - "NOT", - "NOT SIMILAR", - "ORDER", - "OWN3D", - "READ", - "RIGHT", - "SELECT", - "SIMILAR", - "SOUNDS", - "UNION", -}; -static const size_t multikeywords_start_sz = 27; -static const keyword_t multikeywords[] = { - {"ALTER DOMAIN", 'k'}, - {"ALTER TABLE", 'k'}, - {"AT TIME", 'n'}, - {"AT TIME ZONE", 'k'}, - {"CROSS JOIN", 'k'}, - {"FULL OUTER", 'k'}, - {"GROUP BY", 'B'}, - {"IN BOOLEAN", 'n'}, - {"IN BOOLEAN MODE", 'k'}, - {"INTERSECT ALL", 'o'}, - {"IS DISTINCT", 'n'}, - {"IS DISTINCT FROM", 'k'}, - {"IS NOT", 'o'}, - {"IS NOT DISTINCT", 'n'}, - {"IS NOT DISTINCT FROM", 'k'}, - {"LEFT JOIN", 'k'}, - {"LEFT OUTER", 'k'}, - {"LOCK TABLE", 'k'}, - {"LOCK TABLES", 'k'}, - {"NATURAL FULL", 'k'}, - {"NATURAL INNER", 'k'}, - {"NATURAL JOIN", 'k'}, - {"NATURAL LEFT", 'k'}, - {"NATURAL OUTER", 'k'}, - {"NATURAL RIGHT", 'k'}, - {"NEXT VALUE", 'n'}, - {"NEXT VALUE FOR", 'k'}, - {"NOT BETWEEN", 'o'}, - {"NOT IN", 'o'}, - {"NOT LIKE", 'o'}, - {"NOT REGEXP", 'o'}, - {"NOT RLIKE", 'o'}, - {"NOT SIMILAR", 'o'}, - {"NOT SIMILAR TO", 'o'}, - {"ORDER BY", 'B'}, - {"OWN3D BY", 'B'}, - {"READ WRITE", 'k'}, - {"RIGHT JOIN", 'k'}, - {"RIGHT OUTER", 'k'}, - 
{"SELECT ALL", 'k'}, - {"SIMILAR TO", 'o'}, - {"SOUNDS LIKE", 'o'}, - {"UNION ALL", 'U'}, -}; -static const size_t multikeywords_sz = 43; - -typedef size_t (*pt2Function)(sfilter *sf); -static const pt2Function char_parse_map[] = { - &parse_white, /* 0 */ - &parse_white, /* 1 */ - &parse_white, /* 2 */ - &parse_white, /* 3 */ - &parse_white, /* 4 */ - &parse_white, /* 5 */ - &parse_white, /* 6 */ - &parse_white, /* 7 */ - &parse_white, /* 8 */ - &parse_white, /* 9 */ - &parse_white, /* 10 */ - &parse_white, /* 11 */ - &parse_white, /* 12 */ - &parse_white, /* 13 */ - &parse_white, /* 14 */ - &parse_white, /* 15 */ - &parse_white, /* 16 */ - &parse_white, /* 17 */ - &parse_white, /* 18 */ - &parse_white, /* 19 */ - &parse_white, /* 20 */ - &parse_white, /* 21 */ - &parse_white, /* 22 */ - &parse_white, /* 23 */ - &parse_white, /* 24 */ - &parse_white, /* 25 */ - &parse_white, /* 26 */ - &parse_white, /* 27 */ - &parse_white, /* 28 */ - &parse_white, /* 29 */ - &parse_white, /* 30 */ - &parse_white, /* 31 */ - &parse_white, /* 32 */ - &parse_operator2, /* 33 */ - &parse_string, /* 34 */ - &parse_eol_comment, /* 35 */ - &parse_money, /* 36 */ - &parse_operator1, /* 37 */ - &parse_operator2, /* 38 */ - &parse_string, /* 39 */ - &parse_char, /* 40 */ - &parse_char, /* 41 */ - &parse_operator2, /* 42 */ - &parse_operator1, /* 43 */ - &parse_char, /* 44 */ - &parse_dash, /* 45 */ - &parse_number, /* 46 */ - &parse_slash, /* 47 */ - &parse_number, /* 48 */ - &parse_number, /* 49 */ - &parse_number, /* 50 */ - &parse_number, /* 51 */ - &parse_number, /* 52 */ - &parse_number, /* 53 */ - &parse_number, /* 54 */ - &parse_number, /* 55 */ - &parse_number, /* 56 */ - &parse_number, /* 57 */ - &parse_char, /* 58 */ - &parse_char, /* 59 */ - &parse_operator2, /* 60 */ - &parse_operator2, /* 61 */ - &parse_operator2, /* 62 */ - &parse_other, /* 63 */ - &parse_var, /* 64 */ - &parse_word, /* 65 */ - &parse_word, /* 66 */ - &parse_word, /* 67 */ - &parse_word, /* 68 */ - 
&parse_word, /* 69 */ - &parse_word, /* 70 */ - &parse_word, /* 71 */ - &parse_word, /* 72 */ - &parse_word, /* 73 */ - &parse_word, /* 74 */ - &parse_word, /* 75 */ - &parse_word, /* 76 */ - &parse_word, /* 77 */ - &parse_word, /* 78 */ - &parse_word, /* 79 */ - &parse_word, /* 80 */ - &parse_word, /* 81 */ - &parse_word, /* 82 */ - &parse_word, /* 83 */ - &parse_word, /* 84 */ - &parse_word, /* 85 */ - &parse_word, /* 86 */ - &parse_word, /* 87 */ - &parse_word, /* 88 */ - &parse_word, /* 89 */ - &parse_word, /* 90 */ - &parse_other, /* 91 */ - &parse_backslash, /* 92 */ - &parse_other, /* 93 */ - &parse_operator1, /* 94 */ - &parse_word, /* 95 */ - &parse_word, /* 96 */ - &parse_word, /* 97 */ - &parse_word, /* 98 */ - &parse_word, /* 99 */ - &parse_word, /* 100 */ - &parse_word, /* 101 */ - &parse_word, /* 102 */ - &parse_word, /* 103 */ - &parse_word, /* 104 */ - &parse_word, /* 105 */ - &parse_word, /* 106 */ - &parse_word, /* 107 */ - &parse_word, /* 108 */ - &parse_word, /* 109 */ - &parse_word, /* 110 */ - &parse_word, /* 111 */ - &parse_word, /* 112 */ - &parse_word, /* 113 */ - &parse_word, /* 114 */ - &parse_word, /* 115 */ - &parse_word, /* 116 */ - &parse_word, /* 117 */ - &parse_word, /* 118 */ - &parse_word, /* 119 */ - &parse_word, /* 120 */ - &parse_word, /* 121 */ - &parse_word, /* 122 */ - &parse_other, /* 123 */ - &parse_operator2, /* 124 */ - &parse_other, /* 125 */ - &parse_operator1, /* 126 */ - &parse_white, /* 127 */ -}; - -#endif | ||
[+] | Deleted | modsecurity-apache_2.7.4.tar.bz2/apache2/libinjection/sqlparse_private.h ^ |
@@ -1,70 +0,0 @@ -/** - * Copyright 2012, Nick Galbreath - * nickg@client9.com - * BSD License - see COPYING.txt for details - * - * (setq-default indent-tabs-mode nil) - * (setq c-default-style "k&r" - * c-basic-offset 4) - * indent -kr -nut - */ -#ifndef _SQLPARSE_PRIVATE_H -#define _SQLPARSE_PRIVATE_H - -#include "sqlparse.h" - -typedef struct { - const char *word; - char type; -} keyword_t; - -char bsearch_keyword_type(const char *key, const keyword_t keywords[], - size_t len); - -int is_operator2(const char *key); - -int is_sqli_pattern(const char *key); - -size_t parse_none(sfilter * sf); -size_t parse_money(sfilter * sf); -size_t parse_other(sfilter * sf); -size_t parse_white(sfilter * sf); -size_t parse_operator1(sfilter *sf); -size_t parse_char(sfilter *sf); -size_t parse_eol_comment(sfilter *sf); -size_t parse_dash(sfilter *sf); -size_t is_mysql_comment(const char *cs, const size_t len, size_t pos); -size_t parse_slash(sfilter *sf); -size_t parse_backslash(sfilter * sf); -size_t parse_operator2(sfilter *sf); -size_t parse_string_core(const char *cs, const size_t len, size_t pos, - stoken_t * st, char delim, size_t offset); -size_t parse_string(sfilter *sf); -size_t parse_word(sfilter * sf); -size_t parse_var(sfilter * sf); - -size_t parse_number(sfilter * sf); - -int parse_token(sfilter * sf); - -/** - * Looks at syntax_last and syntax_current to see - * if they can be merged into a multi-keyword - */ -int syntax_merge_words(stoken_t * a, stoken_t * b); - -void sfilter_reset(sfilter * sf, const char *s, size_t slen); - -/** - * Takes a raw stream of SQL tokens and does the following: - * * Merge mutliple strings into one "foo", "bar" --> "foo bar" - * * Remove comments except last one 1, +, -- foo, 1 ->> 1,+,1 - * * Merge multi-word keywords and operators into one - * e.g. "UNION", "ALL" --> "UNION ALL" - */ -int sqli_tokenize(sfilter * sf, stoken_t * sout); - -int filter_fold(sfilter * sf, stoken_t * sout); - - -#endif /* _SQLPARSE_PRIVATE_H */ | ||
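--- a/modsecurity-apache_2.7.4.tar.bz2/tests/op/detectSQLi.t
+++ b/modsecurity-apache_2.7.4.tar.bz2/tests/op/detectSQLi.t
@@ -1,18 +0,0 @@
-{
-type => "op",
-name => "detectSQLi",
-input => "",
-ret => 0
-},
-{
-type => "op",
-name => "detectSQLi",
-input => "this is not isqli",
-ret => 0
-},
-{
-type => "op",
-name => "detectSQLi",
-input => "ascii(substring(version() from 1 for 1))",
-ret => 1
-}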
[+] | Deleted | modsecurity-apache_2.7.4.tar.bz2/tests/regression/nginx ^ |
-(directory) | ||
[+] | Deleted | modsecurity-apache_2.7.4.tar.bz2/tests/regression/nginx/conf ^ |
-(directory) | ||
Changed | modsecurity-apache_2.7.4.tar.bz2/tests/regression/nginx/conf/empty.conf ^ | |
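--- a/modsecurity-apache_2.7.4.tar.bz2/tests/regression/nginx/conf/nginx.conf.template
+++ b/modsecurity-apache_2.7.4.tar.bz2/tests/regression/nginx/conf/nginx.conf.template
@@ -1,22 +0,0 @@
-
-user root;
-worker_processes 1;
-daemon on;
-error_log logs/error.log debug;
-events {
-worker_connections 1024;
-}
-
-http {
-ModSecurityEnabled [% enable %];
-ModSecurityConfig [% config %];
-server {
-
-listen [% listen %];
-server_name localhost;
-location / {
-}
-}
-}
-
-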
[+] | Deleted | modsecurity-apache_2.7.4.tar.bz2/tests/run-regression-tests-nginx.pl ^ |
@@ -1,736 +0,0 @@
-#!/usr/bin/perl
-#
-# Run regression tests.
-#
-# Syntax: run-regression-tests.pl [options] [file [N]]
-#
-# All: run-regression-tests.pl
-# All in file: run-regression-tests.pl file
-# Nth in file: run-regression-tests.pl file N
-#
-use strict;
-use Time::HiRes qw(gettimeofday sleep);
-use POSIX qw(WIFEXITED WEXITSTATUS WIFSIGNALED WTERMSIG);
-use File::Spec qw(rel2abs);
-use File::Basename qw(basename dirname);
-use File::Path qw(make_path);
-use FileHandle;
-use IPC::Open2 qw(open2);
-use IPC::Open3 qw(open3);
-use Getopt::Std;
-use Data::Dumper;
-use IO::Socket;
-use LWP::UserAgent;
-use Cwd 'abs_path';
-use Template;
-use File::Copy::Recursive qw(dircopy);
-
-my @TYPES = qw(action config misc rule target);
-my $SCRIPT = basename($0);
-my $SCRIPT_DIR = File::Spec->rel2abs(dirname($0));
-my $REG_DIR = "$SCRIPT_DIR/regression";
-my $NGINX_DIR = "$REG_DIR/nginx";
-my $NGINX_CONF_TEMP = "$REG_DIR/nginx/conf/nginx.conf.template";
-my $NGINX = q(/usr/local/nginx/sbin/nginx);
-
-my $PASSED = 0;
-my $TOTAL = 0;
-my $BUFSIZ = 32768;
-my %C = ();
-my %FILE = ();
-my $UA_NAME = "ModSecurity Regression Tests/1.2.3";
-my $UA = LWP::UserAgent->new;
-$UA->agent($UA_NAME);
-
-$SIG{TERM} = $SIG{INT} = \&handle_interrupt;
-
-my %opt;
-getopts('A:E:D:C:T:H:a:p:dvh', \%opt);
-
-if ($opt{d}) {
- $Data::Dumper::Indent = 1;
- $Data::Dumper::Terse = 1;
- $Data::Dumper::Pad = "";
- $Data::Dumper::Quotekeys = 0;
-}
-
-sub usage {
- print stderr <<"EOT";
-@_
- Usage: $SCRIPT [options] [file [N]]
-
- Options:
- -P path Specify nginx prefix path (default: $NGINX_DIR)
- -a file Specify nginx binary (default: $NGINX)
- -p port Specify nginx port (default: 8088)
- -v Enable verbose output (details on failure).
- -d Enable debugging output.
- -h This help.
-EOT
-
- exit(1);
-}
-
-usage() if ($opt{h});
-
-### Check nginx binary
-if (defined $opt{a}) {
- $NGINX = $opt{a};
-}
-else {
- $opt{a} = $NGINX;
-}
-usage("Invalid Apache startup script: $NGINX\n") unless (-e $NGINX);
-
-
-### Defaults
-$opt{P} = "$NGINX_DIR" unless (defined $opt{P});
-
-my $CONF_DIR = "$opt{P}/conf";
-my $FILES_DIR = "$opt{P}/logs";
-my $PID_FILE = "$FILES_DIR/nginx.pid";
-
-$opt{A} = "$FILES_DIR/modsec_audit.log";
-$opt{D} = "$FILES_DIR/modsec_debug.log";
-$opt{E} = "$FILES_DIR/error.log";
-$opt{C} = "$CONF_DIR/nginx.conf";
-$opt{p} = 8088 unless (defined $opt{p});
-$opt{v} = 1 if ($opt{d});
-
-if ( !-d "$opt{P}" ) {
- make_path($opt{P}) or die $!;
-}
-
-if ( !-d "$opt{P}/logs" ) {
- make_path("$opt{P}/logs") or die $!;
-}
-
-if ( !-d "$opt{P}/html" ) {
- make_path("$opt{P}/html") or die $!;
-}
-
-dircopy("$REG_DIR/server_root/htdocs","$opt{P}/html") or die $!;
-
-%ENV = (
- %ENV,
- $NGINX_DIR => $opt{P},
- SERVER_PORT => $opt{p},
- SERVER_NAME => "localhost",
-# TEST_NGX_PREFIX => $NGINX_DIR,
-# DATA_DIR => $DATA_DIR,
-# TEMP_DIR => $TEMP_DIR,
-# UPLOAD_DIR => $UPLOAD_DIR,
- CONF_DIR => $CONF_DIR,
-# MODULES_DIR => $MODULES_DIR,
- LOGS_DIR => $FILES_DIR,
- SCRIPT_DIR => $SCRIPT_DIR,
- REGRESSION_DIR => $REG_DIR,
- DIST_ROOT => File::Spec->rel2abs(dirname("$SCRIPT_DIR/../../..")),
- AUDIT_LOG => $opt{A},
- DEBUG_LOG => $opt{D},
- ERROR_LOG => $opt{E},
- NGINX_CONF => $opt{C},
-# HTDOCS => $opt{H},
- USER_AGENT => $UA_NAME,
- );
-
-#dbg("OPTIONS: ", \%opt);
-
-if (-e "$PID_FILE") {
- msg("Shutting down previous instance: $PID_FILE");
- nginx_stop();
-}
-
-if (defined $ARGV[0]) {
- runfile(dirname($ARGV[0]), basename($ARGV[0]), $ARGV[1]);
- done();
-}
-
-for my $type (@TYPES) {
- my $dir = "$SCRIPT_DIR/regression/$type";
- my @cfg = ();
-
-# Get test names
- opendir(DIR, "$dir") or quit(1, "Failed to open \"$dir\": $!");
- @cfg = grep { /\.t$/ && -f "$dir/$_" } readdir(DIR);
- closedir(DIR);
-
- for my $cfg (sort @cfg) {
- runfile($dir, $cfg);
- }
-}
-done();
-
-
-sub runfile {
- my($dir, $cfg, $testnum) = @_;
- my $fn = "$dir/$cfg";
- my @data = ();
- my $edata;
- my @C = ();
- my @test = ();
- my $teststr;
- my $n = 0;
- my $pass = 0;
-
- open(CFG, "<$fn") or quit(1, "Failed to open \"$fn\": $!");
- @data = <CFG>;
-
- $edata = q/@C = (/ . join("", @data) . q/)/;
- eval $edata;
- quit(1, "Failed to read test data \"$cfg\": $@") if ($@);
-
- unless (@C) {
- msg("\nNo tests defined for $fn");
- return;
- }
-
- msg("\nLoaded ".@C." tests from $fn");
- for my $t (@C) {
- $n++;
- next if (defined $testnum and $n != $testnum);
-
- my $nginx_up = 0;
- my %t = %{$t || {}};
- my $id = sprintf("%3d", $n);
- my $out = "";
- my $rc = 0;
- my $conf_fn;
-
-# Startup nginx with optionally included conf.
- if (exists $t{conf} and defined $t{conf}) {
- $conf_fn = sprintf "%s/%s_%s_%06d.conf",
- $CONF_DIR, $t{type}, $cfg, $n;
-#dbg("Writing test config to: $conf_fn");
- open(CONF, ">$conf_fn") or die "Failed to open conf \"$conf_fn\": $!\n";
- print CONF (ref $t{conf} eq "CODE" ? eval { &{$t{conf}} } : $t{conf});
- msg("$@") if ($@);
- close CONF;
- my %conf=(config => $conf_fn, enable => "on");
- $nginx_up = nginx_start($t, \%conf) ? 0 : 1;
- }
- else {
- $nginx_up = nginx_start($t) ? 0 : 1;
- }
-
-# Run any prerun setup
- if ($rc == 0 and exists $t{prerun} and defined $t{prerun}) {
- vrb("Executing perl prerun...");
- $rc = &{$t{prerun}};
- vrb("Perl prerun returned: $rc");
- }
-
- if ($nginx_up) {
-# Perform the request and check response
- if (exists $t{request}) {
- my $resp = do_request($t{request});
- if (!$resp) {
- msg("invalid response");
- vrb("RESPONSE: ", $resp);
- $rc = 1;
- }
- else {
- for my $key (keys %{ $t{match_response} || {}}) {
- my($neg,$mtype) = ($key =~ m/^(-?)(.*)$/);
- my $m = $t{match_response}{$key};
- my $match = match_response($mtype, $resp, $m);
- if ($neg and defined $match) {
- $rc = 1;
- msg("response $mtype matched: $m");
- vrb($resp);
- last;
- }
- elsif (!$neg and !defined $match) {
- $rc = 1;
- msg("response $mtype failed to match: $m");
- vrb($resp);
- last;
- }
- }
- }
- }
-
-# Run any arbitrary perl tests
- if ($rc == 0 and exists $t{test} and defined $t{test}) {
- dbg("Executing perl test(s)...");
- $rc = eval { &{$t{test}} };
- if (! defined $rc) {
- msg("Error running test: $@");
- $rc = -1;
- }
- dbg("Perl tests returned: $rc");
- }
-
-# Search for all log matches
- if ($rc == 0 and exists $t{match_log} and defined $t{match_log}) {
- for my $key (keys %{ $t{match_log} || {}}) {
- my($neg,$mtype) = ($key =~ m/^(-?)(.*)$/);
- my $m = $t{match_log}{$key};
- my $match = match_log($mtype, @{$m || []});
- if ($neg and defined $match) {
- $rc = 1;
- msg("$mtype log matched: $m->[0]");
- last;
- }
- elsif (!$neg and !defined $match) {
- $rc = 1;
- msg("$mtype log failed to match: $m->[0]");
- last;
- }
- }
- }
-
-# Search for all file matches
- if ($rc == 0 and exists $t{match_file} and defined $t{match_file}) {
- sleep 1; # Make sure the file exists
- for my $key (keys %{ $t{match_file} || {}}) {
- my($neg,$fn) = ($key =~ m/^(-?)(.*)$/);
- my $m = $t{match_file}{$key};
- my $match = match_file($fn, $m);
- if ($neg and defined $match) {
- $rc = 1;
- msg("$fn file matched: $m");
- last;
- }
- elsif (!$neg and !defined $match) {
- $rc = 1;
- msg("$fn file failed match: $m");
- last;
- }
- }
- }
- }
- else {
- msg("Failed to start nginx.");
- $rc = 1;
- }
-
- if ($rc == 0) {
- $pass++;
- }
- else {
- vrb("Test Config: $conf_fn");
- vrb("Debug Log: $FILE{debug}{fn}");
- dbg(escape("$FILE{debug}{buf}"));
- vrb("Error Log: $FILE{error}{fn}");
- dbg(escape("$FILE{error}{buf}"));
- }
-
- msg(sprintf("%s) %s%s: %s%s", $id, $t{type}, (exists($t{comment}) ? " - $t{comment}" : ""), ($rc ? "failed" : "passed"), ((defined($out) && $out ne "")? " ($out)" : "")));
-
- if ($nginx_up) {
- $nginx_up = nginx_stop(\%t) ? 0 : 1;
- }
-
- }
-
- $TOTAL += $testnum ? 1 : $n;
- $PASSED += $pass;
-
- msg(sprintf("Passed: %2d; Failed: %2d", $pass, $testnum ? (1 - $pass) : ($n - $pass)));
-}
-
-# Take out any indenting and translate LF -> CRLF
-sub normalize_raw_request_data {
- my $r = $_[0];
-
-# Allow for indenting in test file
- $r =~ s/^[ \t]*\x0d?\x0a//s;
- my($indention) = ($r =~ m/^([ \t]*)/s); # indention taken from first line
- $r =~ s/^$indention//mg;
- $r =~ s/(\x0d?\x0a)[ \t]+$/$1/s;
-
-# Translate LF to CRLF
- $r =~ s/^\x0a/\x0d\x0a/mg;
- $r =~ s/([^\x0d])\x0a/$1\x0d\x0a/mg;
-
- return $r;
-}
-
-sub do_raw_request {
- my $sock = new IO::Socket::INET(
- Proto => "tcp",
- PeerAddr => "localhost",
- PeerPort => $opt{p},
- ) or msg("Failed to connect to localhost:$opt{p}: $@");
- return unless ($sock);
-
-# Join togeather the request
- my $r = join("", @_);
- dbg($r);
-
-# Write to socket
- print $sock "$r";
- $sock->shutdown(1);
-
-# Read from socket
- my @resp = <$sock>;
- $sock->close();
-
- return HTTP::Response->parse(join("", @resp));
-}
-
-sub do_request {
- my $r = $_[0];
-
-# Allow test to execute code
- if (ref $r eq "CODE") {
- $r = eval { &$r };
- msg("$@") unless (defined $r);
- }
-
- if (ref $r eq "HTTP::Request") {
- my $resp = $UA->request($r);
- dbg($resp->request()->as_string()) if ($opt{d});
- return $resp
- }
- else {
- return do_raw_request($r);
- }
-
- return;
-}
-
-
-sub match_response {
- my($name, $resp, $re) = @_;
-
- msg("Warning: Empty regular expression.") if (!defined $re or $re eq "");
-
- if ($name eq "status") {
- return $& if ($resp->code =~ m/$re/);
- }
- elsif ($name eq "content") {
- return $& if ($resp->content =~ m/$re/m);
- }
- elsif ($name eq "raw") {
- return $& if ($resp->as_string =~ m/$re/m);
- }
-
- return;
-}
-
-sub read_log {
- my($name, $timeout, $graph) = @_;
- return match_log($name, undef, $timeout, $graph);
-}
-
-sub match_log {
- my($name, $re, $timeout, $graph) = @_;
- my $t0 = gettimeofday;
- my($fh,$rbuf) = ($FILE{$name}{fd}, \$FILE{$name}{buf});
- my $n = length($$rbuf);
- my $rc = undef;
-
- unless (defined $fh) {
- msg("Error: File \"$name\" is not opened for matching.");
- return;
- }
-
- $timeout = 0 unless (defined $timeout);
-
- my $i = 0;
- my $graphed = 0;
-READ: {
- do {
- my $nbytes = $fh->sysread($$rbuf, $BUFSIZ, $n);
- if (!defined($nbytes)) {
- msg("Error: Could not read \"$name\" log: $!");
- last;
- }
- elsif (!defined($re) and $nbytes == 0) {
- last;
- }
-
-# Remove APR pool debugging
- $$rbuf =~ s/POOL DEBUG:[^\n]+PALLOC[^\n]+\n//sg;
-
- $n = length($$rbuf);
-
-#dbg("Match \"$re\" in $name \"$$rbuf\" ($n)");
- if ($$rbuf =~ m/$re/m) {
- $rc = $&;
- last;
- }
-# TODO: Use select()/poll()
- sleep 0.1 unless ($nbytes == $BUFSIZ);
- if ($graph and $opt{d}) {
- $i++;
- if ($i == 10) {
- $graphed++;
- $i=0;
- print STDERR $graph if ($graphed == 1);
- print STDERR "."
- }
- }
- } while (gettimeofday - $t0 < $timeout);
- }
- print STDERR "\n" if ($graphed);
-
- return $rc;
-}
-
-sub match_file {
- my($neg,$fn) = ($_[0] =~ m/^(-?)(.*)$/);
- unless (exists $FILE{$fn}) {
- eval {
- $FILE{$fn}{fn} = $fn;
- $FILE{$fn}{fd} = new FileHandle($fn, O_RDONLY) or die "$!\n";
- $FILE{$fn}{fd}->blocking(0);
- $FILE{$fn}{buf} = "";
- };
- if ($@) {
- msg("Warning: Failed to open file \"$fn\": $@");
- return;
- }
- }
- return match_log($_[0], $_[1]); # timeout makes no sense
-}
-
-sub quote_shell {
- my($s) = @_;
- return $s unless ($s =~ m|[^\w!%+,\-./:@^]|);
- $s =~ s/(['\\])/\\$1/g;
- return "'$s'";
-}
-
-sub escape {
- my @new = ();
- for my $c (split(//, $_[0])) {
- my $oc = ord($c);
- push @new, ((($oc >= 0x20 and $oc <= 0x7e) or $oc == 0x0a or $oc == 0x0d) ? $c : sprintf("\\x%02x", ord($c)));
-}
-join('', @new);
-}
-
-sub dbg {
- return unless(@_ and $opt{d});
- my $out = join "", map {
- (ref $_ ne "" ? Dumper($_) : $_)
- } @_;
- $out =~ s/^/DBG: /mg;
- print STDOUT "$out\n";
-}
-
-sub vrb {
- return unless(@_ and $opt{v});
- msg(@_);
-}
-
-sub msg {
- return unless(@_);
- my $out = join "", map {
- (ref $_ ne "" ? Dumper($_) : $_)
- } @_;
- print STDOUT "$out\n";
-}
-
-sub handle_interrupt {
- $SIG{TERM} = $SIG{INT} = \&handle_interrupt;
-
- msg("Interrupted via SIG$_[0]. Shutting down tests...");
- nginx_stop();
-
- quit(1);
-}
-
-sub quit {
- my($ec,$msg) = @_;
- $ec = 0 unless (defined $_[0]);
-
- msg("$msg") if (defined $msg);
-
- exit $ec;
-}
-
-sub done {
- if ($PASSED != $TOTAL) {
- quit(1, "\n$PASSED/$TOTAL tests passed.");
- }
-
- quit(0, "\nAll tests passed ($TOTAL).");
-}
-
-sub nginx_stop {
- my $t = shift;
- my @p = (
- $NGINX,
- -p => $opt{P},
- -s => "quit",
- );
-
- my $nginx_out;
- my $nginx_pid = open3(undef, $nginx_out, undef, @p) or quit(1);
- my $out = join("\\n", grep(!/POOL DEBUG/, (<$nginx_out>)));
- close $nginx_out;
- waitpid($nginx_pid, 0);
-
- my $rc = $?;
- if ( WIFEXITED($rc) ) {
- $rc = WEXITSTATUS($rc);
- vrb("Nginx stop returned with $rc.") if ($rc);
- }
- elsif( WIFSIGNALED($rc) ) {
- msg("Nginx stop failed with signal " . WTERMSIG($rc) . ".");
- $rc = -1;
- }
- else {
- msg("Nginx stop failed with unknown error.");
- $rc = -1;
- }
-
- sleep 0.5;
- if (-e $PID_FILE) {
- msg("Nginx stop failed: $PID_FILE still exists");
- }
-
- return $rc;
-}
-
-
-sub nginx_reset_fd {
- my($t) = @_;
-
-# Cleanup
- for my $key (keys %FILE) {
- if (exists $FILE{$key}{fd} and defined $FILE{$key}{fd}) {
- $FILE{$key}{fd}->close();
- }
- delete $FILE{$key};
- }
-
-# Error
- eval {
- $FILE{error}{fn} = $opt{E};
- $FILE{error}{fd} = new FileHandle($opt{E}, O_RDWR|O_CREAT) or die "$!\n";
- $FILE{error}{fd}->blocking(0);
- $FILE{error}{fd}->sysseek(0, 2);
- $FILE{error}{buf} = "";
- };
- if ($@) {
- msg("Warning: Failed to open file \"$opt{E}\": $@");
- return undef;
- }
-
-# Audit
- eval {
- $FILE{audit}{fn} = $opt{A};
- $FILE{audit}{fd} = new FileHandle($opt{A}, O_RDWR|O_CREAT) or die "$!\n";
- $FILE{audit}{fd}->blocking(0);
- $FILE{audit}{fd}->sysseek(0, 2);
- $FILE{audit}{buf} = "";
- };
- if ($@) {
- msg("Warning: Failed to open file \"$opt{A}\": $@");
- return undef;
- }
-
-# Debug
- eval {
- $FILE{debug}{fn} = $opt{D};
- $FILE{debug}{fd} = new FileHandle($opt{D}, O_RDWR|O_CREAT) or die "$!\n";
- $FILE{debug}{fd}->blocking(0);
- $FILE{debug}{fd}->sysseek(0, 2);
- $FILE{debug}{buf} = "";
- };
- if ($@) {
- msg("Warning: Failed to open file \"$opt{D}\": $@");
- return undef;
- }
-
-# Any extras listed in "match_log"
- if ($t and exists $t->{match_log}) {
- for my $k (keys %{ $t->{match_log} || {} }) {
- my($neg,$fn) = ($k =~ m/^(-?)(.*)$/);
- next if (!$fn or exists $FILE{$fn});
- eval {
- $FILE{$fn}{fn} = $fn;
- $FILE{$fn}{fd} = new FileHandle($fn, O_RDWR|O_CREAT) or die "$!\n";
- $FILE{$fn}{fd}->blocking(0);
- $FILE{$fn}{fd}->sysseek(0, 2);
- $FILE{$fn}{buf} = "";
- };
- if ($@) {
- msg("Warning: Failed to open file \"$fn\": $@");
- return undef;
- }
- }
- }
-}
-
-sub encode_chunked {
- my($data, $size) = @_;
- $size = 128 unless ($size);
- my $chunked = "";
-
- my $n = 0;
- my $bytes = length($data);
- while ($bytes >= $size) {
- $chunked .= sprintf "%x\x0d\x0a%s\x0d\x0a", $size, substr($data, $n, $size);
- $n += $size;
- $bytes -= $size;
- }
- if ($bytes) {
- $chunked .= sprintf "%x\x0d\x0a%s\x0d\x0a", $bytes, substr($data, $n, $bytes);
- }
- $chunked .= "0\x0d\x0a\x0d\x0a"
-}
-
-sub nginx_start {
- my ($t) = shift;
- my($C) = shift;
-
- my %conf = (
- listen => "$opt{p}",
- config => "$REG_DIR/nginx/conf/empty.conf",
- enable => "off",
- );
-
- while(my($k,$v)= each %$C){
- $conf{$k}=$v;
- }
-
- my ($tt) = Template->new(INCLUDE_PATH => "$REG_DIR/nginx/conf/");
- my ($output);
- $tt->process("nginx.conf.template", \%conf, \$output) || die $tt->error;
-
- open (OUTFILE, ">$opt{C}");
- print OUTFILE "$output";
- close(OUTFILE);
-
- nginx_reset_fd($t);
-
- my @p = ($NGINX, -p => $opt{P});
-
- my $nginx_out;
- my $nginx_pid = open3(undef, $nginx_out, undef, @p) or quit(1);
- my $out = join("\\n", grep(!/POOL DEBUG/, (<$nginx_out>)));
- close $nginx_out;
- waitpid($nginx_pid, 0);
-
- my $rc = $?;
- if ( WIFEXITED($rc) ) {
- $rc = WEXITSTATUS($rc);
- vrb("Nginx start returned with $rc.") if ($rc);
- }
- elsif( WIFSIGNALED($rc) ) {
- msg("Nginx start failed with signal " . WTERMSIG($rc) . ".");
- $rc = -1;
- }
- else {
- msg("Nginx start failed with unknown error.");
- $rc = -1;
- }
-
-# Look for startup msg
-# unless (defined match_log("error", qr/start worker process/, 60, "Waiting on nginx to start: ")) {
-# vrb(join(" ", map { quote_shell($_) } @p));
-# vrb(match_log("error", qr/(^.*ModSecurity: .*)/sm, 10));
-# msg("Nginx server failed to start.");
-# nginx_stop();
-# return -1;
-# }
-
- return $rc;
-}
-
| ||
Deleted | modsecurity-apache_2.7.5.tar.bz2 ^ | |
Deleted | modsecurity-apache_2.7.7.tar.bz2 ^ |