Changes - j0ke.net Open Build Service

@@ -1,3 +1,39 @@ +28 Mar 2013 - 2.7.3 +------------------- + + * Fixed IIS version race condition when module is initialized. + + * Fixed IIS version failing config commands in libapr. + + * Nginx version is now RC quality. The rule engine should works for all phases. + We fixed many issues and missing features (for more information please check jira). + Code is running well with latest Nginx 1.2.7 stable. + Thanks chaizhenhua for your help. + + * Added MULTIPART_NAME and MULTIPART_FILENAME. Should be used soon by CRS + and will help prevent attacks using multipart data. + + * Added --enable-htaccess-config configure option. It will allow the follow directives + to be used into .htaccess files when AllowOverride Options is set: + + - SecAction + - SecRule + + - SecRuleRemoveByMsg + - SecRuleRemoveByTag + - SecRuleRemoveById + + - SecRuleUpdateActionById + - SecRuleUpdateTargetById + - SecRuleUpdateTargetByTag + - SecRuleUpdateTargetByMsg + + * Improvements in the ID duplicate code checking. Should be faster now. + + * SECURITY: Added SecXmlExternalEntity (On|Off - default it Off) that will disable + by default the external entity load task executed by LibXml2. This is a security issue + reported by Timur Yunusov, Alexey Osipov (Positive Technologies). + 21 Jan 2013 - 2.7.2 -------------------

@@ -64,6 +64,7 @@ dcfg->cookie_format = NOT_SET; dcfg->argument_separator = NOT_SET; + dcfg->cookiev0_separator = NOT_SET_P; dcfg->rule_inheritance = NOT_SET; dcfg->rule_exceptions = apr_array_make(mp, 16, sizeof(rule_exception *)); @@ -127,6 +128,8 @@ dcfg->cache_trans_max = NOT_SET; dcfg->cache_trans_maxitems = NOT_SET; + /* Rule ids */ + dcfg->rule_id_htab = apr_hash_make(mp); dcfg->component_signatures = apr_array_make(mp, 16, sizeof(char *)); dcfg->request_encoding = NOT_SET_P; @@ -153,6 +156,9 @@ dcfg->crypto_hash_framesrc_pm = NOT_SET; + /* xml external entity */ + dcfg->xml_external_entity = NOT_SET; + return dcfg; } @@ -366,6 +372,8 @@ ? parent->cookie_format : child->cookie_format); merged->argument_separator = (child->argument_separator == NOT_SET ? parent->argument_separator : child->argument_separator); + merged->cookiev0_separator = (child->cookiev0_separator == NOT_SET_P + ? parent->cookiev0_separator : child->cookiev0_separator); /* rule inheritance */ @@ -586,6 +594,10 @@ merged->crypto_hash_framesrc_pm = (child->crypto_hash_framesrc_pm == NOT_SET ? parent->crypto_hash_framesrc_pm : child->crypto_hash_framesrc_pm); + /* xml external entity */ + merged->xml_external_entity = (child->xml_external_entity == NOT_SET + ? parent->xml_external_entity : child->xml_external_entity); + return merged; } @@ -627,6 +639,7 @@ if (dcfg->cookie_format == NOT_SET) dcfg->cookie_format = 0; if (dcfg->argument_separator == NOT_SET) dcfg->argument_separator = '&'; + if (dcfg->cookiev0_separator == NOT_SET_P) dcfg->cookiev0_separator = NULL; if (dcfg->rule_inheritance == NOT_SET) dcfg->rule_inheritance = 1; @@ -705,6 +718,9 @@ if (dcfg->crypto_hash_iframesrc_pm == NOT_SET) dcfg->crypto_hash_iframesrc_pm = 0; if (dcfg->crypto_hash_framesrc_pm == NOT_SET) dcfg->crypto_hash_framesrc_pm = 0; + /* xml external entity */ + if (dcfg->xml_external_entity == NOT_SET) dcfg->xml_external_entity = 0; + } /** @@ -714,7 +730,9 @@ const char *p1, const char *p2, const char *p3) { char *my_error_msg = NULL; - msre_rule *rule = NULL, *tmp_rule = NULL; + //msre_rule *rule = NULL, *tmp_rule = NULL; + char *rid = NULL; + msre_rule *rule = NULL; extern msc_engine *modsecurity; int offset = 0; @@ -767,9 +785,16 @@ if(type != RULE_TYPE_LUA) #endif { - tmp_rule = msre_ruleset_fetch_rule(dcfg->ruleset, rule->actionset->id, offset); - if(tmp_rule != NULL) + rid = apr_hash_get(dcfg->rule_id_htab, rule->actionset->id, APR_HASH_KEY_STRING); + if(rid != NULL) { return "ModSecurity: Found another rule with the same id"; + } else { + apr_hash_set(dcfg->rule_id_htab, apr_pstrdup(dcfg->mp, rule->actionset->id), APR_HASH_KEY_STRING, apr_pstrdup(dcfg->mp, "1")); + } + + //tmp_rule = msre_ruleset_fetch_rule(dcfg->ruleset, rule->actionset->id, offset); + //if(tmp_rule != NULL) + // return "ModSecurity: Found another rule with the same id"; } } @@ -1084,6 +1109,20 @@ return add_marker(cmd, (directory_config *)_dcfg, SECMARKER_TARGETS, SECMARKER_ARGS, action); } +static const char *cmd_cookiev0_separator(cmd_parms *cmd, void *_dcfg, + const char *p1) +{ + directory_config *dcfg = (directory_config *)_dcfg; + + if (strlen(p1) != 1) { + return apr_psprintf(cmd->pool, "ModSecurity: Invalid cookie v0 separator: %s", p1); + } + + dcfg->cookiev0_separator = p1; + + return NULL; +} + static const char *cmd_argument_separator(cmd_parms *cmd, void *_dcfg, const char *p1) { @@ -1919,6 +1958,10 @@ /* TODO: Validate the range here, while we can still tell the user if it's invalid */ re->param = p1; + if(dcfg->ruleset == NULL) { + return apr_psprintf(cmd->pool, "Updating target by ID with no ruleset in this context"); + } + return msre_ruleset_rule_update_target_matching_exception(NULL, dcfg->ruleset, re, p2, p3); } @@ -2253,9 +2296,35 @@ return NULL; } +/** +* \brief Add SecXmlExternalEntity configuration option +* +* \param cmd Pointer to configuration data +* \param _dcfg Pointer to directory configuration +* \param p1 Pointer to configuration option +* +* \retval NULL On failure +* \retval apr_psprintf On Success +*/ +static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const char *p1) +{ + directory_config *dcfg = (directory_config *)_dcfg; + if (dcfg == NULL) return NULL; + + if (strcasecmp(p1, "on") == 0) { + dcfg->xml_external_entity = 1; + } + else if (strcasecmp(p1, "off") == 0) { + dcfg->xml_external_entity = 0; + } + else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecXmlExternalEntity: %s", p1); + + return NULL; +} + /** -* \brief Add SecHash configuration option +* \brief Add SecHashEngine configuration option * * \param cmd Pointer to configuration data * \param _dcfg Pointer to directory configuration @@ -2277,7 +2346,7 @@ dcfg->hash_is_enabled = HASH_DISABLED; dcfg->hash_enforcement = HASH_DISABLED; } - else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRuleEngine: %s", p1); + else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SexHashEngine: %s", p1); return NULL; } @@ -2767,8 +2836,21 @@ #define CMD_SCOPE_MAIN (RSRC_CONF) #define CMD_SCOPE_ANY (RSRC_CONF | ACCESS_CONF) +#if defined(HTACCESS_CONFIG) +#define CMD_SCOPE_HTACCESS (OR_OPTIONS) +#endif + const command_rec module_directives[] = { +#ifdef HTACCESS_CONFIG + AP_INIT_TAKE1 ( + "SecAction", + cmd_action, + NULL, + CMD_SCOPE_HTACCESS, + "an action list" + ), +#else AP_INIT_TAKE1 ( "SecAction", cmd_action, @@ -2776,6 +2858,7 @@ CMD_SCOPE_ANY, "an action list" ), +#endif AP_INIT_TAKE1 ( "SecArgumentSeparator", @@ -2786,6 +2869,14 @@ ), AP_INIT_TAKE1 ( + "SecCookiev0Separator", + cmd_cookiev0_separator, + NULL, + CMD_SCOPE_ANY, + "character that will be used as separator when parsing cookie v0 content." + ), + + AP_INIT_TAKE1 ( "SecAuditEngine", cmd_audit_engine, NULL, @@ -3146,6 +3237,15 @@ "clears the list of MIME types that will be buffered on output" ), +#ifdef HTACCESS_CONFIG + AP_INIT_TAKE23 ( + "SecRule", + cmd_rule, + NULL, + CMD_SCOPE_HTACCESS, + "rule target, operator and optional action list" + ), +#else AP_INIT_TAKE23 ( "SecRule", cmd_rule, @@ -3153,6 +3253,7 @@ CMD_SCOPE_ANY, "rule target, operator and optional action list" ), +#endif AP_INIT_TAKE1 ( "SecRuleEngine", @@ -3162,6 +3263,14 @@ "On or Off" ), + AP_INIT_TAKE1 ( + "SecXmlExternalEntity", + cmd_xml_external_entity, + NULL, + CMD_SCOPE_ANY, + "On or Off" + ), + AP_INIT_FLAG ( "SecRuleInheritance", cmd_rule_inheritance, @@ -3178,6 +3287,31 @@ "rule script and optional actionlist" ), +#ifdef HTACCESS_CONFIG + AP_INIT_ITERATE ( + "SecRuleRemoveById", + cmd_rule_remove_by_id, + NULL, + CMD_SCOPE_HTACCESS, + "rule ID for removal" + ), + + AP_INIT_ITERATE ( + "SecRuleRemoveByTag", + cmd_rule_remove_by_tag, + NULL, + CMD_SCOPE_HTACCESS, + "rule tag for removal" + ), + + AP_INIT_ITERATE ( + "SecRuleRemoveByMsg", + cmd_rule_remove_by_msg, + NULL, + CMD_SCOPE_HTACCESS, + "rule message for removal" + ), +#else AP_INIT_ITERATE ( "SecRuleRemoveById", cmd_rule_remove_by_id, @@ -3201,6 +3335,7 @@ CMD_SCOPE_ANY, "rule message for removal" ), +#endif AP_INIT_TAKE2 ( "SecHashMethodPm", @@ -3218,6 +3353,39 @@ "Hash method and regex" ), +#ifdef HTACCESS_CONFIG + AP_INIT_TAKE2 ( + "SecRuleUpdateActionById", + cmd_rule_update_action_by_id, + NULL, + CMD_SCOPE_HTACCESS, + "updated action list" + ), + + AP_INIT_TAKE23 ( + "SecRuleUpdateTargetById", + cmd_rule_update_target_by_id, + NULL, + CMD_SCOPE_HTACCESS, + "updated target list" + ), + + AP_INIT_TAKE23 ( + "SecRuleUpdateTargetByTag", + cmd_rule_update_target_by_tag, + NULL, + CMD_SCOPE_HTACCESS, + "rule tag pattern and updated target list" + ), + + AP_INIT_TAKE23 ( + "SecRuleUpdateTargetByMsg", + cmd_rule_update_target_by_msg, + NULL, + CMD_SCOPE_HTACCESS, + "rule message pattern and updated target list" + ), +#else AP_INIT_TAKE2 ( "SecRuleUpdateActionById", cmd_rule_update_action_by_id, @@ -3249,7 +3417,7 @@ CMD_SCOPE_ANY, "rule message pattern and updated target list" ), - +#endif AP_INIT_TAKE1 ( "SecServerSignature",

@@ -440,7 +440,11 @@ #if defined(WITH_LUA) #ifdef CACHE_LUA +#if LUA_VERSION_NUM > 501 + msr->L = luaL_newstate(); +#else msr->L = lua_open(); +#endif luaL_openlibs(msr->L); #endif #endif

@@ -355,6 +355,8 @@ apr_size_t msc_reqbody_no_files_length; + char *multipart_filename; + char *multipart_name; multipart_data *mpd; /* MULTIPART processor data structure */ xml_data *xml; /* XML processor data structure */ @@ -468,6 +470,7 @@ int cookie_format; int argument_separator; + const char *cookiev0_separator; int rule_inheritance; apr_array_header_t *rule_exceptions; @@ -571,6 +574,9 @@ /* Collection timeout */ int col_timeout; + /* hash of ids */ + apr_hash_t *rule_id_htab; + /* Hash */ apr_array_header_t *hash_method; const char *crypto_key; @@ -589,6 +595,9 @@ int crypto_hash_location_pm; int crypto_hash_iframesrc_pm; int crypto_hash_framesrc_pm; + + /* xml */ + int xml_external_entity; }; struct error_message_t {

@@ -94,7 +94,11 @@ msc_lua_dumpw_t dump; /* Initialise state. */ +#if LUA_VERSION_NUM > 501 + L = luaL_newstate(); +#else L = lua_open(); +#endif luaL_openlibs(L); /* Find script. */ @@ -158,7 +162,11 @@ if (lua_isuserdata(L, idx) || lua_isnoneornil(L, idx)) { /* No second parameter */ return tfn_arr; } else if (lua_istable(L, idx)) { /* Is the second parameter an array? */ +#if LUA_VERSION_NUM > 501 + int i, n = lua_rawlen(L, idx); +#else int i, n = lua_objlen(L, idx); +#endif for(i = 1; i <= n; i++) { lua_rawgeti(L, idx, i); @@ -415,7 +423,11 @@ lua_pop(L, rc); #else /* Create new state. */ +#if LUA_VERSION_NUM > 501 + L = luaL_newstate(); +#else L = lua_open(); +#endif luaL_openlibs(L); #endif @@ -433,7 +445,12 @@ } /* Register functions. */ +#if LUA_VERSION_NUM > 501 + luaL_setfuncs(L,mylib,0); + lua_setglobal(L,"m"); +#else luaL_register(L, "m", mylib); +#endif rc = lua_restore(L, script); if (rc) {

@@ -184,6 +184,8 @@ validate_quotes(msr, value); + msr->multipart_name = apr_pstrdup(msr->mp, value); + if (msr->mpd->mpp->name != NULL) { msr_log(msr, 4, "Multipart: Warning: Duplicate Content-Disposition name: %s", log_escape_nq(msr->mp, value)); @@ -201,6 +203,8 @@ validate_quotes(msr, value); + msr->multipart_filename = apr_pstrdup(msr->mp, value); + if (msr->mpd->mpp->filename != NULL) { msr_log(msr, 4, "Multipart: Warning: Duplicate Content-Disposition filename: %s", log_escape_nq(msr->mp, value));

@@ -35,7 +35,11 @@ cookie_header = strdup(_cookie_header); if (cookie_header == NULL) return -1; - p = apr_strtok(cookie_header, delim, &saveptr); + if(msr->txcfg->cookiev0_separator == NULL) { + p = apr_strtok(cookie_header, delim, &saveptr); + } else { + p = apr_strtok(cookie_header, msr->txcfg->cookiev0_separator, &saveptr); + } while(p != NULL) { attr_name = NULL; @@ -74,7 +78,11 @@ cookie_count++; } - p = apr_strtok(NULL, delim, &saveptr); + if(msr->txcfg->cookiev0_separator == NULL) { + p = apr_strtok(NULL, delim, &saveptr); + } else { + p = apr_strtok(NULL, msr->txcfg->cookiev0_separator, &saveptr); + } } free(cookie_header);

@@ -21,7 +21,11 @@ static apr_status_t msc_pcre_cleanup(msc_regex_t *regex) { if (regex != NULL) { if (regex->pe != NULL) { +#if defined(VERSION_NGINX) + pcre_free(regex->pe); +#else free(regex->pe); +#endif regex->pe = NULL; } if (regex->re != NULL) { @@ -71,7 +75,11 @@ /* Setup the pcre_extra record if pcre_study did not already do it */ if (pe == NULL) { +#if defined(VERSION_NGINX) + pe = pcre_malloc(sizeof(pcre_extra)); +#else pe = malloc(sizeof(pcre_extra)); +#endif if (pe == NULL) { return NULL; }

@@ -38,7 +38,7 @@ #define MODSEC_VERSION_MAJOR "2" #define MODSEC_VERSION_MINOR "7" -#define MODSEC_VERSION_MAINT "2" +#define MODSEC_VERSION_MAINT "3" #define MODSEC_VERSION_TYPE "" #define MODSEC_VERSION_RELEASE "" @@ -53,10 +53,10 @@ #define MODSEC_MODULE_NAME "ModSecurity for IIS (STABLE)" #else #ifdef VERSION_NGINX -#define MODSEC_MODULE_NAME "ModSecurity for nginx (Beta)" +#define MODSEC_MODULE_NAME "ModSecurity for nginx (RC)" #else #ifdef VERSION_STANDALONE -#define MODSEC_MODULE_NAME "ModSecurity Standalone (Beta)" +#define MODSEC_MODULE_NAME "ModSecurity Standalone (RC)" #else #define MODSEC_MODULE_NAME "ModSecurity for Apache" #endif

@@ -14,17 +14,28 @@ #include "msc_xml.h" +static xmlParserInputBufferPtr +xml_unload_external_entity(const char *URI, xmlCharEncoding enc) { + return NULL; +} + /** * Initialise XML parser. */ int xml_init(modsec_rec *msr, char **error_msg) { + xmlParserInputBufferCreateFilenameFunc entity; + if (error_msg == NULL) return -1; *error_msg = NULL; msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data)); if (msr->xml == NULL) return -1; + if(msr->txcfg->xml_external_entity == 0) { + entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity); + } + return 1; }

@@ -41,9 +41,9 @@ * includes the terminating NUL and should be 1 for "" */ if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "BLOB[%d]: %s", blob_offset, log_escape_hex(msr->mp, blob + blob_offset, blob_size - blob_offset)); + msr_log(msr, 9, "collection_unpack: BLOB[%d]: %s", blob_offset, log_escape_hex(msr->mp, blob + blob_offset, blob_size - blob_offset)); } - msr_log(msr, 4, "Possibly corrupted database: var name length = 0 at blob offset %u-%u.", blob_offset, blob_offset + 1); + msr_log(msr, 4, "collection_unpack: Possibly corrupted database: var name length = 0 at blob offset %u-%u.", blob_offset, blob_offset + 1); } break; } @@ -52,9 +52,9 @@ * to 65536. */ if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "BLOB[%d]: %s", blob_offset, log_escape_hex(msr->mp, blob + blob_offset, blob_size - blob_offset)); + msr_log(msr, 9, "collection_unpack: BLOB[%d]: %s", blob_offset, log_escape_hex(msr->mp, blob + blob_offset, blob_size - blob_offset)); } - msr_log(msr, 4, "Possibly corrupted database: var name length > 65536 (0x%04x) at blob offset %u-%u.", var->name_len, blob_offset, blob_offset + 1); + msr_log(msr, 4, "collection_unpack: Possibly corrupted database: var name length > 65536 (0x%04x) at blob offset %u-%u.", var->name_len, blob_offset, blob_offset + 1); break; } @@ -73,7 +73,7 @@ var->value_len--; if (log_vars && (msr->txcfg->debuglog_level >= 9)) { - msr_log(msr, 9, "Read variable: name \"%s\", value \"%s\".", + msr_log(msr, 9, "collection_unpack: Read variable: name \"%s\", value \"%s\".", log_escape_ex(msr->mp, var->name, var->name_len), log_escape_ex(msr->mp, var->value, var->value_len)); } @@ -102,7 +102,7 @@ int i; if (msr->txcfg->data_dir == NULL) { - msr_log(msr, 1, "Unable to retrieve collection (name \"%s\", key \"%s\"). Use " + msr_log(msr, 1, "collection_retrieve_ex: Unable to retrieve collection (name \"%s\", key \"%s\"). Use " "SecDataDir to define data directory first.", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, col_key, col_key_len)); goto cleanup; @@ -111,7 +111,7 @@ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", col_name, NULL); if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "collection_retrieve_ex: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name), + msr_log(msr, 9, "collection_retrieve_ex: collection_retrieve_ex: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name), log_escape(msr->mp, dbm_filename)); } @@ -133,7 +133,7 @@ value = (apr_sdbm_datum_t *)apr_pcalloc(msr->mp, sizeof(apr_sdbm_datum_t)); rc = apr_sdbm_fetch(dbm, value, key); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed to read from DBM file \"%s\": %s", log_escape(msr->mp, + msr_log(msr, 1, "collection_retrieve_ex: Failed to read from DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc)); goto cleanup; } @@ -177,15 +177,15 @@ } if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Removing key \"%s\" from collection.", key_to_expire + 9); - msr_log(msr, 9, "Removing key \"%s\" from collection.", key_to_expire); + msr_log(msr, 9, "collection_retrieve_ex: Removing key \"%s\" from collection.", key_to_expire + 9); + msr_log(msr, 9, "collection_retrieve_ex: Removing key \"%s\" from collection.", key_to_expire); } apr_table_unset(col, key_to_expire + 9); apr_table_unset(col, key_to_expire); if (msr->txcfg->debuglog_level >= 4) { - msr_log(msr, 4, "Removed expired variable \"%s\".", key_to_expire + 9); + msr_log(msr, 4, "collection_retrieve_ex: Removed expired variable \"%s\".", key_to_expire + 9); } break; @@ -205,7 +205,7 @@ rc = apr_sdbm_open(&dbm, dbm_filename, APR_CREATE | APR_WRITE | APR_SHARELOCK, CREATEMODE, msr->mp); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed to access DBM file \"%s\": %s", + msr_log(msr, 1, "collection_retrieve_ex: Failed to access DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc)); dbm = NULL; goto cleanup; @@ -217,7 +217,7 @@ rc = apr_sdbm_delete(dbm, key); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed deleting collection (name \"%s\", " + msr_log(msr, 1, "collection_retrieve_ex: Failed deleting collection (name \"%s\", " "key \"%s\"): %s", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, col_key, col_key_len), get_apr_error(msr->mp, rc)); goto cleanup; @@ -230,11 +230,11 @@ } if (expired && (msr->txcfg->debuglog_level >= 9)) { - msr_log(msr, 9, "Collection expired (name \"%s\", key \"%s\").", col_name, + msr_log(msr, 9, "collection_retrieve_ex: Collection expired (name \"%s\", key \"%s\").", col_name, log_escape_ex(msr->mp, col_key, col_key_len)); } if (msr->txcfg->debuglog_level >= 4) { - msr_log(msr, 4, "Deleted collection (name \"%s\", key \"%s\").", + msr_log(msr, 4, "collection_retrieve_ex: Deleted collection (name \"%s\", key \"%s\").", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, col_key, col_key_len)); } goto cleanup; @@ -278,13 +278,13 @@ } if (msr->txcfg->debuglog_level >= 4) { - msr_log(msr, 4, "Retrieved collection (name \"%s\", key \"%s\").", + msr_log(msr, 4, "collection_retrieve_ex: Retrieved collection (name \"%s\", key \"%s\").", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, col_key, col_key_len)); } if ((existing_dbm == NULL) && dbm) { /* Should not ever get here */ - msr_log(msr, 1, "Internal Error: Collection remained open (name \"%s\", key \"%s\").", + msr_log(msr, 1, "collection_retrieve_ex: Internal Error: Collection remained open (name \"%s\", key \"%s\").", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, col_key, col_key_len)); apr_sdbm_close(dbm); @@ -346,7 +346,7 @@ } if (msr->txcfg->data_dir == NULL) { - msr_log(msr, 1, "Unable to store collection (name \"%s\", key \"%s\"). Use " + msr_log(msr, 1, "collection_store: Unable to store collection (name \"%s\", key \"%s\"). Use " "SecDataDir to define data directory first.", log_escape_ex(msr->mp, var_name->value, var_name->value_len), log_escape_ex(msr->mp, var_key->value, var_key->value_len)); goto error; @@ -416,7 +416,7 @@ rc = apr_sdbm_open(&dbm, dbm_filename, APR_CREATE | APR_WRITE | APR_SHARELOCK, CREATEMODE, msr->mp); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed to access DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), + msr_log(msr, 1, "collection_store: Failed to access DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc)); dbm = NULL; goto error; @@ -425,7 +425,7 @@ /* Need to lock to pull in the stored data again and apply deltas. */ rc = apr_sdbm_lock(dbm, APR_FLOCK_EXCLUSIVE); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed to exclusivly lock DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), + msr_log(msr, 1, "collection_store: Failed to exclusivly lock DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc)); goto error; } @@ -435,7 +435,7 @@ orig_col = (const apr_table_t *)apr_table_get(msr->collections_original, var_name->value); if (orig_col != NULL) { if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Re-retrieving collection prior to store: %s", + msr_log(msr, 9, "collection_store: Re-retrieving collection prior to store: %s", apr_psprintf(msr->mp, "%.*s", var_name->value_len, var_name->value)); } @@ -469,7 +469,7 @@ var->value_len = strlen(var->value); if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Delta applied for %s.%s %d->%d (%d): %d + (%d) = %d [%s,%d]", + msr_log(msr, 9, "collection_store: Delta applied for %s.%s %d->%d (%d): %d + (%d) = %d [%s,%d]", log_escape_ex(msr->mp, var_name->value, var_name->value_len), log_escape_ex(msr->mp, var->name, var->name_len), origval, ourval, delta, storedval, delta, newval, var->value, var->value_len); @@ -523,7 +523,7 @@ blob_offset += 2 + len; if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Wrote variable: name \"%s\", value \"%s\".", + msr_log(msr, 9, "collection_store: Wrote variable: name \"%s\", value \"%s\".", log_escape_ex(msr->mp, var->name, var->name_len), log_escape_ex(msr->mp, var->value, var->value_len)); } @@ -541,7 +541,7 @@ rc = apr_sdbm_store(dbm, key, value, APR_SDBM_REPLACE); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed to write to DBM file \"%s\": %s", dbm_filename, + msr_log(msr, 1, "collection_store: Failed to write to DBM file \"%s\": %s", dbm_filename, get_apr_error(msr->mp, rc)); goto error; } @@ -549,7 +549,7 @@ apr_sdbm_close(dbm); if (msr->txcfg->debuglog_level >= 4) { - msr_log(msr, 4, "Persisted collection (name \"%s\", key \"%s\").", + msr_log(msr, 4, "collection_store: Persisted collection (name \"%s\", key \"%s\").", log_escape_ex(msr->mp, var_name->value, var_name->value_len), log_escape_ex(msr->mp, var_key->value, var_key->value_len)); } @@ -599,7 +599,7 @@ rc = apr_sdbm_open(&dbm, dbm_filename, APR_CREATE | APR_WRITE | APR_SHARELOCK, CREATEMODE, msr->mp); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed to access DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), + msr_log(msr, 1, "collections_remove_stale: Failed to access DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc)); dbm = NULL; goto error; @@ -609,7 +609,7 @@ keys_arr = apr_array_make(msr->mp, 256, sizeof(char *)); rc = apr_sdbm_lock(dbm, APR_FLOCK_SHARED); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed to lock DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), + msr_log(msr, 1, "collections_remove_stale: Failed to lock DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc)); goto error; } @@ -626,7 +626,7 @@ apr_sdbm_unlock(dbm); if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Found %d record(s) in file \"%s\".", keys_arr->nelts, + msr_log(msr, 9, "collections_remove_stale: Found %d record(s) in file \"%s\".", keys_arr->nelts, log_escape(msr->mp, dbm_filename)); } @@ -638,7 +638,7 @@ rc = apr_sdbm_fetch(dbm, &value, key); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed reading DBM file \"%s\": %s", + msr_log(msr, 1, "collections_remove_stale: Failed reading DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc)); goto error; } @@ -654,14 +654,14 @@ var = (msc_string *)apr_table_get(col, "__expire_KEY"); if (var == NULL) { - msr_log(msr, 1, "Collection cleanup discovered entry with no " + msr_log(msr, 1, "collections_remove_stale: Collection cleanup discovered entry with no " "__expire_KEY (name \"%s\", key \"%s\").", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, key.dptr, key.dsize - 1)); } else { unsigned int expiry_time = atoi(var->value); if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Record (name \"%s\", key \"%s\") set to expire in %" APR_TIME_T_FMT " seconds.", + msr_log(msr, 9, "collections_remove_stale: Record (name \"%s\", key \"%s\") set to expire in %" APR_TIME_T_FMT " seconds.", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, key.dptr, key.dsize - 1), expiry_time - now); } @@ -669,14 +669,14 @@ if (expiry_time <= now) { rc = apr_sdbm_delete(dbm, key); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed deleting collection (name \"%s\", " + msr_log(msr, 1, "collections_remove_stale: Failed deleting collection (name \"%s\", " "key \"%s\"): %s", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, key.dptr, key.dsize - 1), get_apr_error(msr->mp, rc)); goto error; } if (msr->txcfg->debuglog_level >= 4) { - msr_log(msr, 4, "Removed stale collection (name \"%s\", " + msr_log(msr, 4, "collections_remove_stale: Removed stale collection (name \"%s\", " "key \"%s\").", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, key.dptr, key.dsize - 1)); }

@@ -161,7 +161,7 @@ char *err; if(ruleset == NULL) - return apr_psprintf(ruleset->mp, "No ruleset present"); + return NULL; if(p2 == NULL) { return apr_psprintf(ruleset->mp, "Trying to update without a target"); @@ -353,7 +353,7 @@ } #if !defined(MSC_TEST) else { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, " ModSecurity: Error parseing rule targets to replace variable"); + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, " ModSecurity: Error parsing rule targets to replace variable"); } #endif goto end;

@@ -1289,6 +1289,22 @@ return var_simple_generate(var, vartab, mptmp, modsec_build(mptmp)); } +/* MULTIPART_FILENAME */ + +static int var_multipart_filename_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, + apr_table_t *vartab, apr_pool_t *mptmp) +{ + return var_simple_generate(var, vartab, mptmp, msr->multipart_filename); +} + +/* MULTIPART_NAME */ + +static int var_multipart_name_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, + apr_table_t *vartab, apr_pool_t *mptmp) +{ + return var_simple_generate(var, vartab, mptmp, msr->multipart_name); +} + /* MULTIPART_BOUNDARY_QUOTED */ static int var_multipart_boundary_quoted_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, @@ -2813,6 +2829,28 @@ PHASE_REQUEST_HEADERS ); + /* MULTIPART_FILENAME */ + msre_engine_variable_register(engine, + "MULTIPART_FILENAME", + VAR_SIMPLE, + 0, 0, + NULL, + var_multipart_filename_generate, + VAR_CACHE, + PHASE_REQUEST_BODY + ); + + /* MULTIPART_NAME */ + msre_engine_variable_register(engine, + "MULTIPART_NAME", + VAR_SIMPLE, + 0, 0, + NULL, + var_multipart_name_generate, + VAR_CACHE, + PHASE_REQUEST_BODY + ); + /* MULTIPART_BOUNDARY_QUOTED */ msre_engine_variable_register(engine, "MULTIPART_BOUNDARY_QUOTED",

@@ -970,6 +970,7 @@ enable_pcre_match_limit enable_pcre_match_limit_recursion enable_lua_cache +enable_htaccess_config enable_request_early enable_errors enable_verbose_output @@ -1640,6 +1641,9 @@ Enable PCRE regex match limit recursion during configure. --enable-lua-cache Enable Lua per transaction cache. + --enable-htaccess-config + Enable some mod_security directives into htaccess + files. --enable-request-early Place phase1 into post_read_request hook. --disable-errors Disable errors during configure. --enable-verbose-output Enable more verbose configure output. @@ -4742,13 +4746,13 @@ else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:4745: $ac_compile\"" >&5) + (eval echo "\"\$as_me:4749: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:4748: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:4752: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:4751: output\"" >&5) + (eval echo "\"\$as_me:4755: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -5954,7 +5958,7 @@ ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 5957 "configure"' > conftest.$ac_ext + echo '#line 5961 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -7483,11 +7487,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7486: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7490: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7490: \$? = $ac_status" >&5 + echo "$as_me:7494: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -7822,11 +7826,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7825: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7829: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7829: \$? = $ac_status" >&5 + echo "$as_me:7833: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -7927,11 +7931,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7930: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7934: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:7934: \$? = $ac_status" >&5 + echo "$as_me:7938: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -7982,11 +7986,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7985: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7989: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:7989: \$? = $ac_status" >&5 + echo "$as_me:7993: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -10366,7 +10370,7 @@ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 10369 "configure" +#line 10373 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -10462,7 +10466,7 @@ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 10465 "configure" +#line 10469 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -12681,6 +12685,24 @@ # Enable phase-1 in post_read_request +# Check whether --enable-htaccess-config was given. +if test "${enable_htaccess_config+set}" = set; then : + enableval=$enable_htaccess_config; + if test "$enableval" != "no"; then + htaccess_config="-DHTACCESS_CONFIG" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $htaccess_config" + else + htaccess_config= + fi + +else + + htaccess_config= + +fi + + +# Enable phase-1 in post_read_request # Check whether --enable-request-early was given. if test "${enable_request_early+set}" = set; then : enableval=$enable_request_early; @@ -13010,7 +13032,7 @@ fi fi -MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type" +MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type" APXS_WRAPPER=build/apxs-wrapper APXS_EXTRA_CFLAGS=""

@@ -356,6 +356,22 @@ ]) # Enable phase-1 in post_read_request +AC_ARG_ENABLE(htaccess-config, + AS_HELP_STRING([--enable-htaccess-config], + [Enable some mod_security directives into htaccess files.]), +[ + if test "$enableval" != "no"; then + htaccess_config="-DHTACCESS_CONFIG" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $htaccess_config" + else + htaccess_config= + fi +], +[ + htaccess_config= +]) + +# Enable phase-1 in post_read_request AC_ARG_ENABLE(request-early, AS_HELP_STRING([--enable-request-early], [Place phase1 into post_read_request hook.]), @@ -634,7 +650,7 @@ fi fi -MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type" +MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type" APXS_WRAPPER=build/apxs-wrapper APXS_EXTRA_CFLAGS=""

@@ -4132,6 +4132,8 @@ TCHAR dstfull[MAX_PATH]; _tcscpy(dstfull, rootdir); _tcscat(dstfull, (const TCHAR *)dst); + SetFileAttributes( dstfull, GetFileAttributes(dstfull) & ~FILE_ATTRIBUTE_READONLY); + ::DeleteFile(dstfull); h = ::CreateFile(dstfull, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, ze.attr, NULL); }

@@ -2,9 +2,6 @@ Microsoft Visual Studio Solution File, Format Version 11.00 # Visual Studio 2010 Project("{54435603-DBB4-11D2-8724-00A0C9A8B90C}") = "ModSecurityIIS", "ModSecurityIIS\ModSecurityIIS.vdproj", "{3352AEF1-9F2A-47CD-9F63-658553063040}" - ProjectSection(ProjectDependencies) = postProject - {990BB195-6716-4DE3-B5E4-DCFCB1BD7D9C} = {990BB195-6716-4DE3-B5E4-DCFCB1BD7D9C} - EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Installer", "Installer\Installer.vcxproj", "{990BB195-6716-4DE3-B5E4-DCFCB1BD7D9C}" EndProject

@@ -15,25 +15,25 @@ { "Entry" { - "MsmKey" = "8:_0593BBFCC6154162A5F7E88C4967D8E8" + "MsmKey" = "8:_009A580142D04FE980ED45947D355FE7" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" } "Entry" { - "MsmKey" = "8:_170CE3CF68BE4944BF485C45F31146A0" + "MsmKey" = "8:_0593BBFCC6154162A5F7E88C4967D8E8" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" } "Entry" { - "MsmKey" = "8:_17390F12AE3C4CD7A8BFA284458C87BB" + "MsmKey" = "8:_170CE3CF68BE4944BF485C45F31146A0" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" } "Entry" { - "MsmKey" = "8:_2422B61EFBF047FFBBE92CB70714E99C" + "MsmKey" = "8:_17390F12AE3C4CD7A8BFA284458C87BB" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" } @@ -45,12 +45,6 @@ } "Entry" { - "MsmKey" = "8:_3CE93C3FC5AC3E954253889334FBCDA8" - "OwnerKey" = "8:_CB8446F7ADCD4E3DA3F2C6246FA844A0" - "MsmSig" = "8:_UNDEFINED" - } - "Entry" - { "MsmKey" = "8:_51AF671FCA3544DEA3E5756B5D450275" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" @@ -87,12 +81,6 @@ } "Entry" { - "MsmKey" = "8:_764D5BE911464BEFBCC3BC3B25068987" - "OwnerKey" = "8:_UNDEFINED" - "MsmSig" = "8:_UNDEFINED" - } - "Entry" - { "MsmKey" = "8:_7C2A420982404573B53BE273BC730435" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" @@ -147,12 +135,6 @@ } "Entry" { - "MsmKey" = "8:_CB8446F7ADCD4E3DA3F2C6246FA844A0" - "OwnerKey" = "8:_UNDEFINED" - "MsmSig" = "8:_UNDEFINED" - } - "Entry" - { "MsmKey" = "8:_CEB23D021A2E4EEF9245EEDC143AFBA8" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" @@ -165,13 +147,13 @@ } "Entry" { - "MsmKey" = "8:_DB58E622510C458A81C3B850EDFC782C" + "MsmKey" = "8:_DE7847BDBDC046F29E13230DCDD4F6E3" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" } "Entry" { - "MsmKey" = "8:_DE7847BDBDC046F29E13230DCDD4F6E3" + "MsmKey" = "8:_E86FB9D69F2946038E7BBDD01D619813" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" } @@ -193,18 +175,6 @@ "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" } - "Entry" - { - "MsmKey" = "8:_UNDEFINED" - "OwnerKey" = "8:_764D5BE911464BEFBCC3BC3B25068987" - "MsmSig" = "8:_UNDEFINED" - } - "Entry" - { - "MsmKey" = "8:_UNDEFINED" - "OwnerKey" = "8:_CB8446F7ADCD4E3DA3F2C6246FA844A0" - "MsmSig" = "8:_UNDEFINED" - } } "Configurations" { @@ -279,11 +249,6 @@ "ComponentsUrl" = "8:" "Items" { - "{EDC2488A-8267-493A-A98E-7D9C3B36CDF3}:.NETFramework,Version=v4.0,Profile=Client" - { - "Name" = "8:Microsoft .NET Framework 4 Client Profile (x86 and x64)" - "ProductCode" = "8:.NETFramework,Version=v4.0,Profile=Client" - } "{EDC2488A-8267-493A-A98E-7D9C3B36CDF3}:Microsoft.Visual.C++.10.0.x64" { "Name" = "8:Visual C++ 2010 Runtime Libraries (x64)" @@ -307,62 +272,34 @@ { "CustomAction" { - "{4AA51A2D-7D85-4A59-BA75-B0809FC8B380}:_6AC6216B16A740BFBCF4DFF1FC4FB1CF" + "{4AA51A2D-7D85-4A59-BA75-B0809FC8B380}:_08431F489ECB46FB908D9C6006906D0E" { - "Name" = "8:Primary output from configure (Active)" + "Name" = "8:Installer.exe" "Condition" = "8:" - "Object" = "8:_764D5BE911464BEFBCC3BC3B25068987" + "Object" = "8:_009A580142D04FE980ED45947D355FE7" "FileType" = "3:2" "InstallAction" = "3:4" "Arguments" = "8:uninstall" "EntryPoint" = "8:" "Sequence" = "3:1" - "Identifier" = "8:_F76041EE_48F4_4DC8_9EF8_47ADAD87FEA2" + "Identifier" = "8:_A708DE11_BE76_4BD9_BF40_5243FE900066" "InstallerClass" = "11:FALSE" "CustomActionData" = "8:" } - "{4AA51A2D-7D85-4A59-BA75-B0809FC8B380}:_B8F3E049FAB34050978646B3CC6549F5" - { - "Name" = "8:install.vbs" - "Condition" = "8:" - "Object" = "8:_2422B61EFBF047FFBBE92CB70714E99C" - "FileType" = "3:4" - "InstallAction" = "3:1" - "Arguments" = "8:" - "EntryPoint" = "8:" - "Sequence" = "3:2" - "Identifier" = "8:_CB90C8D4_3928_4ACA_9263_454FD47BB545" - "InstallerClass" = "11:FALSE" - "CustomActionData" = "8:[TARGETDIR]" - } - "{4AA51A2D-7D85-4A59-BA75-B0809FC8B380}:_C6B6E1FCC7E6471F914483477DA0D4B6" + "{4AA51A2D-7D85-4A59-BA75-B0809FC8B380}:_9C73118A4CD14A65BD57D7CC552AAD79" { - "Name" = "8:Primary output from configure (Active)" + "Name" = "8:Installer.exe" "Condition" = "8:" - "Object" = "8:_764D5BE911464BEFBCC3BC3B25068987" + "Object" = "8:_009A580142D04FE980ED45947D355FE7" "FileType" = "3:2" "InstallAction" = "3:1" "Arguments" = "8:\"[TARGETDIR]\"" "EntryPoint" = "8:" "Sequence" = "3:1" - "Identifier" = "8:_6EC4042E_4AC8_4584_A326_BE8E22FF087D" + "Identifier" = "8:_166E62F8_D2C0_4A30_A2FE_EF5B53066941" "InstallerClass" = "11:FALSE" "CustomActionData" = "8:" } - "{4AA51A2D-7D85-4A59-BA75-B0809FC8B380}:_C9D5851C213E4B928C42AC01EEF1458A" - { - "Name" = "8:uninstall.vbs" - "Condition" = "8:" - "Object" = "8:_DB58E622510C458A81C3B850EDFC782C" - "FileType" = "3:4" - "InstallAction" = "3:4" - "Arguments" = "8:" - "EntryPoint" = "8:" - "Sequence" = "3:2" - "Identifier" = "8:_1DC83628_1D76_474B_92FD_C7C13056C010" - "InstallerClass" = "11:FALSE" - "CustomActionData" = "8:[TARGETDIR]" - } } "DefaultFeature" { @@ -374,24 +311,16 @@ { "LaunchCondition" { - "{A06ECF26-33A3-4562-8140-9B0E340D4F24}:_147B76BCD529406A806B4AD361E520C1" - { - "Name" = "8:.NET Framework" - "Message" = "8:[VSDNETMSG]" - "FrameworkVersion" = "8:.NETFramework,Version=v4.0,Profile=Client" - "AllowLaterVersions" = "11:FALSE" - "InstallUrl" = "8:http://go.microsoft.com/fwlink/?LinkId=131000" - } } } "File" { - "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_0593BBFCC6154162A5F7E88C4967D8E8" + "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_009A580142D04FE980ED45947D355FE7" { - "SourcePath" = "8:x86\\pcre.dll" - "TargetName" = "8:pcre.dll" + "SourcePath" = "8:..\\Release\\Installer.exe" + "TargetName" = "8:Installer.exe" "Tag" = "8:" - "Folder" = "8:_D7AEA61DD2D746158A1F5660E4C59AB8" + "Folder" = "8:_565C3432A64049EAA7CA6E8C007B2188" "Condition" = "8:" "Transitive" = "11:FALSE" "Vital" = "11:TRUE" @@ -406,10 +335,10 @@ "IsDependency" = "11:FALSE" "IsolateTo" = "8:" } - "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_170CE3CF68BE4944BF485C45F31146A0" + "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_0593BBFCC6154162A5F7E88C4967D8E8" { - "SourcePath" = "8:x86\\libapr-1.dll" - "TargetName" = "8:libapr-1.dll" + "SourcePath" = "8:x86\\pcre.dll" + "TargetName" = "8:pcre.dll" "Tag" = "8:" "Folder" = "8:_D7AEA61DD2D746158A1F5660E4C59AB8" "Condition" = "8:" @@ -426,12 +355,12 @@ "IsDependency" = "11:FALSE" "IsolateTo" = "8:" } - "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_17390F12AE3C4CD7A8BFA284458C87BB" + "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_170CE3CF68BE4944BF485C45F31146A0" { - "SourcePath" = "8:ModSecurity.xml" - "TargetName" = "8:ModSecurity.xml" + "SourcePath" = "8:x86\\libapr-1.dll" + "TargetName" = "8:libapr-1.dll" "Tag" = "8:" - "Folder" = "8:_565C3432A64049EAA7CA6E8C007B2188" + "Folder" = "8:_D7AEA61DD2D746158A1F5660E4C59AB8" "Condition" = "8:" "Transitive" = "11:FALSE" "Vital" = "11:TRUE" @@ -446,10 +375,10 @@ "IsDependency" = "11:FALSE" "IsolateTo" = "8:" } - "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_2422B61EFBF047FFBBE92CB70714E99C" + "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_17390F12AE3C4CD7A8BFA284458C87BB" { - "SourcePath" = "8:install.vbs" - "TargetName" = "8:install.vbs" + "SourcePath" = "8:ModSecurity.xml" + "TargetName" = "8:ModSecurity.xml" "Tag" = "8:" "Folder" = "8:_565C3432A64049EAA7CA6E8C007B2188" "Condition" = "8:" @@ -462,7 +391,7 @@ "SharedLegacy" = "11:FALSE" "PackageAs" = "3:1" "Register" = "3:1" - "Exclude" = "11:TRUE" + "Exclude" = "11:FALSE" "IsDependency" = "11:FALSE" "IsolateTo" = "8:" } @@ -486,26 +415,6 @@ "IsDependency" = "11:FALSE" "IsolateTo" = "8:" } - "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_3CE93C3FC5AC3E954253889334FBCDA8" - { - "SourcePath" = "8:nativerd.dll" - "TargetName" = "8:nativerd.dll" - "Tag" = "8:" - "Folder" = "8:_565C3432A64049EAA7CA6E8C007B2188" - "Condition" = "8:" - "Transitive" = "11:FALSE" - "Vital" = "11:TRUE" - "ReadOnly" = "11:FALSE" - "Hidden" = "11:FALSE" - "System" = "11:FALSE" - "Permanent" = "11:FALSE" - "SharedLegacy" = "11:FALSE" - "PackageAs" = "3:1" - "Register" = "3:1" - "Exclude" = "11:FALSE" - "IsDependency" = "11:TRUE" - "IsolateTo" = "8:" - } "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_51AF671FCA3544DEA3E5756B5D450275" { "SourcePath" = "8:x86\\ModSecurityIIS.dll" @@ -806,37 +715,6 @@ "IsDependency" = "11:FALSE" "IsolateTo" = "8:" } - "{9F6F8455-1EF1-4B85-886A-4223BCC8E7F7}:_CB8446F7ADCD4E3DA3F2C6246FA844A0" - { - "AssemblyRegister" = "3:1" - "AssemblyIsInGAC" = "11:FALSE" - "AssemblyAsmDisplayName" = "8:Interop.AppHostAdminLibrary, Version=1.0.0.0, Culture=neutral, processorArchitecture=x86" - "ScatterAssemblies" - { - "_CB8446F7ADCD4E3DA3F2C6246FA844A0" - { - "Name" = "8:Interop.AppHostAdminLibrary.dll" - "Attributes" = "3:512" - } - } - "SourcePath" = "8:installer project\\bin\\Release\\Interop.AppHostAdminLibrary.dll" - "TargetName" = "8:" - "Tag" = "8:" - "Folder" = "8:_565C3432A64049EAA7CA6E8C007B2188" - "Condition" = "8:" - "Transitive" = "11:FALSE" - "Vital" = "11:TRUE" - "ReadOnly" = "11:FALSE" - "Hidden" = "11:FALSE" - "System" = "11:FALSE" - "Permanent" = "11:FALSE" - "SharedLegacy" = "11:FALSE" - "PackageAs" = "3:1" - "Register" = "3:1" - "Exclude" = "11:FALSE" - "IsDependency" = "11:FALSE" - "IsolateTo" = "8:" - } "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_CEB23D021A2E4EEF9245EEDC143AFBA8" { "SourcePath" = "8:amd64\\ModSecurityIIS.dll" @@ -877,12 +755,12 @@ "IsDependency" = "11:FALSE" "IsolateTo" = "8:" } - "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_DB58E622510C458A81C3B850EDFC782C" + "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_DE7847BDBDC046F29E13230DCDD4F6E3" { - "SourcePath" = "8:uninstall.vbs" - "TargetName" = "8:uninstall.vbs" + "SourcePath" = "8:x86\\lua5.1.dll" + "TargetName" = "8:lua5.1.dll" "Tag" = "8:" - "Folder" = "8:_565C3432A64049EAA7CA6E8C007B2188" + "Folder" = "8:_D7AEA61DD2D746158A1F5660E4C59AB8" "Condition" = "8:" "Transitive" = "11:FALSE" "Vital" = "11:TRUE" @@ -893,16 +771,16 @@ "SharedLegacy" = "11:FALSE" "PackageAs" = "3:1" "Register" = "3:1" - "Exclude" = "11:TRUE" + "Exclude" = "11:FALSE" "IsDependency" = "11:FALSE" "IsolateTo" = "8:" } - "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_DE7847BDBDC046F29E13230DCDD4F6E3" + "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_E86FB9D69F2946038E7BBDD01D619813" { - "SourcePath" = "8:x86\\lua5.1.dll" - "TargetName" = "8:lua5.1.dll" + "SourcePath" = "8:owasp_crs.zip" + "TargetName" = "8:owasp_crs.zip" "Tag" = "8:" - "Folder" = "8:_D7AEA61DD2D746158A1F5660E4C59AB8" + "Folder" = "8:_565C3432A64049EAA7CA6E8C007B2188" "Condition" = "8:" "Transitive" = "11:FALSE" "Vital" = "11:TRUE" @@ -1056,7 +934,7 @@ "Name" = "8:Microsoft Visual Studio" "ProductName" = "8:ModSecurity IIS" "ProductCode" = "8:{81EE8A4A-5128-4CDB-97B2-06B147E8B4B8}" - "PackageCode" = "8:{B5E59B35-BF44-4075-B9F5-C251002DF58E}" + "PackageCode" = "8:{4F65AFE0-1E8A-4F79-98D5-1D7C1C39ABCC}" "UpgradeCode" = "8:{7B32CF94-443C-47BB-91C3-0E9D3D12DF8B}" "AspNetVersion" = "8:4.0.30319.0" "RestartWWWService" = "11:FALSE" @@ -1777,34 +1655,6 @@ } "ProjectOutput" { - "{5259A561-127C-4D43-A0A1-72F10C7B3BF8}:_764D5BE911464BEFBCC3BC3B25068987" - { - "SourcePath" = "8:installer project\\obj\\x86\\Release\\configure.exe" - "TargetName" = "8:" - "Tag" = "8:" - "Folder" = "8:_565C3432A64049EAA7CA6E8C007B2188" - "Condition" = "8:" - "Transitive" = "11:FALSE" - "Vital" = "11:TRUE" - "ReadOnly" = "11:FALSE" - "Hidden" = "11:FALSE" - "System" = "11:FALSE" - "Permanent" = "11:FALSE" - "SharedLegacy" = "11:FALSE" - "PackageAs" = "3:1" - "Register" = "3:1" - "Exclude" = "11:FALSE" - "IsDependency" = "11:FALSE" - "IsolateTo" = "8:" - "ProjectOutputGroupRegister" = "3:1" - "OutputConfiguration" = "8:" - "OutputGroupCanonicalName" = "8:Built" - "OutputProjectGuid" = "8:{023E10BD-4FF6-4401-9A40-AED9717073F2}" - "ShowKeyOutput" = "11:TRUE" - "ExcludeFilters" - { - } - } } } }

@@ -58,9 +58,9 @@ \leveltemplateid1225817962\'01\'95;}{\levelnumbers;}\f1\fbias0 \fi-360\li5760\jclisttab\tx5760\lin5760 }{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\lvltentative\levelspace0\levelindent0{\leveltext \leveltemplateid1897401684\'01\'95;}{\levelnumbers;}\f1\fbias0 \fi-360\li6480\jclisttab\tx6480\lin6480 }{\listname ;}\listid652101753}}{\*\listoverridetable{\listoverride\listid625282538\listoverridecount0\ls1}{\listoverride\listid652101753 \listoverridecount0\ls2}}{\*\pgptbl {\pgp\ipgp10\itap0\li720\ri0\sb0\sa240}{\pgp\ipgp10\itap0\li720\ri0\sb0\sa240}{\pgp\ipgp10\itap0\li720\ri0\sb0\sa240}{\pgp\ipgp10\itap0\li720\ri0\sb0\sa240}{\pgp\ipgp6\itap0\li0\ri0\sb0\sa0}{\pgp\ipgp8\itap0\li0\ri0\sb0 -\sa0}{\pgp\ipgp0\itap0\li0\ri0\sb0\sa0}{\pgp\ipgp7\itap0\li0\ri0\sb0\sa0}{\pgp\ipgp10\itap0\li720\ri0\sb0\sa240}{\pgp\ipgp0\itap0\li0\ri0\sb0\sa0}}{\*\rsidtbl \rsid1197496\rsid2315486\rsid3168183\rsid4593034\rsid6385683\rsid6633290\rsid6754893\rsid6967166 -\rsid9512544\rsid10098429\rsid12742482\rsid13639667\rsid16350125\rsid16593896}{\mmathPr\mmathFont34\mbrkBin0\mbrkBinSub0\msmallFrac0\mdispDef1\mlMargin0\mrMargin0\mdefJc1\mwrapIndent1440\mintLim0\mnaryLim1}{\info{\author Suha Can}{\operator Greg} -{\creatim\yr2012\mo6\dy4\hr11\min43}{\revtim\yr2013\mo1\dy17\hr16\min15}{\version9}{\edmins12}{\nofpages1}{\nofwords173}{\nofchars992}{\*\company Microsoft Corporation}{\nofcharsws1163}{\vern49275}}{\*\xmlnstbl {\xmlns1 http://schemas.microsoft.com/office +\sa0}{\pgp\ipgp0\itap0\li0\ri0\sb0\sa0}{\pgp\ipgp7\itap0\li0\ri0\sb0\sa0}{\pgp\ipgp10\itap0\li720\ri0\sb0\sa240}{\pgp\ipgp0\itap0\li0\ri0\sb0\sa0}}{\*\rsidtbl \rsid1197496\rsid2315486\rsid3168183\rsid4593034\rsid6385683\rsid6633290\rsid6967166\rsid9512544 +\rsid10098429\rsid12742482\rsid13639667\rsid16350125\rsid16593896}{\mmathPr\mmathFont34\mbrkBin0\mbrkBinSub0\msmallFrac0\mdispDef1\mlMargin0\mrMargin0\mdefJc1\mwrapIndent1440\mintLim0\mnaryLim1}{\info{\author Suha Can}{\operator Greg} +{\creatim\yr2012\mo6\dy4\hr11\min43}{\revtim\yr2013\mo1\dy15\hr9\min48}{\version8}{\edmins11}{\nofpages1}{\nofwords176}{\nofchars1008}{\*\company Microsoft Corporation}{\nofcharsws1182}{\vern49275}}{\*\xmlnstbl {\xmlns1 http://schemas.microsoft.com/office /word/2003/wordml}}\paperw12240\paperh15840\margl1440\margr1440\margt1440\margb1440\gutter0\ltrsect \widowctrl\ftnbj\aenddoc\trackmoves0\trackformatting1\donotembedsysfont1\relyonvml0\donotembedlingdata0\grfdocevents0\validatexml1\showplaceholdtext0\ignoremixedcontent0\saveinvalidxml0\showxmlerrors1\noxlattoyen \expshrtn\noultrlspc\dntblnsbdb\nospaceforul\formshade\horzdoc\dgmargin\dghspace180\dgvspace180\dghorigin1440\dgvorigin1440\dghshow1\dgvshow1 @@ -75,44 +75,44 @@ \par }\pard\plain \ltrpar\ql \li0\ri0\sa200\sl276\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid16350125 \rtlch\fcs1 \af0\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\cgrid\langnp1033\langfenp1033 { \rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 ModSecurity home page }{\field\fldedit{\*\fldinst {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486 HYPERLINK "http://www.modsecurity.org"}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486\charrsid16350125 {\*\datafield -00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b5000000068007400740070003a002f002f007700770077002e006d006f006400730065006300750072006900740079002e006f00720067002f000000795881f43b1d7f48af2c825dc485276300000000a5ab00000000} -}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 http://www.modsecurity.org}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\field\fldedit{\*\fldinst {\rtlch\fcs1 \af0\afs24 +00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b5000000068007400740070003a002f002f007700770077002e006d006f006400730065006300750072006900740079002e006f00720067002f000000795881f43b1d7f48af2c825dc485276300000000a5ab000000}} +}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 http://www.modsecurity.org}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\field\fldedit{\*\fldinst {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 HYPERLINK "http://engineering/" }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486\charrsid16350125 {\*\datafield -00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b4000000068007400740070003a002f002f0065006e00670069006e0065006500720069006e0067002f000000795881f43b1d7f48af2c825dc485276300000000a5ab00000000}}}{\fldrslt {\rtlch\fcs1 +00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b4000000068007400740070003a002f002f0065006e00670069006e0065006500720069006e0067002f000000795881f43b1d7f48af2c825dc485276300000000a5ab000000}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 /}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 \par OWASP Core Rule Set for ModSecurity: }{\field\fldedit{\*\fldinst {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 HYPERLINK "https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project" }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486\charrsid16350125 {\*\datafield 00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90bba000000680074007400700073003a002f002f007700770077002e006f0077006100730070002e006f00720067002f0069006e006400650078002e007000680070002f00430061007400650067006f00720079003a00 -4f0057004100530050005f004d006f006400530065006300750072006900740079005f0043006f00720065005f00520075006c0065005f005300650074005f00500072006f006a006500630074000000795881f43b1d7f48af2c825dc485276300000000a5ab00000016}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 +4f0057004100530050005f004d006f006400530065006300750072006900740079005f0043006f00720065005f00520075006c0065005f005300650074005f00500072006f006a006500630074000000795881f43b1d7f48af2c825dc485276300000000a5ab000000}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 https://}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\field\fldedit{\*\fldinst {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486 HYPERLINK "https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project"}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486\charrsid16350125 {\*\datafield 00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90bba000000680074007400700073003a002f002f007700770077002e006f0077006100730070002e006f00720067002f0069006e006400650078002e007000680070002f00430061007400650067006f00720079003a00 -4f0057004100530050005f004d006f006400530065006300750072006900740079005f0043006f00720065005f00520075006c0065005f005300650074005f00500072006f006a006500630074000000795881f43b1d7f48af2c825dc485276300000000a5ab00000000}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 +4f0057004100530050005f004d006f006400530065006300750072006900740079005f0043006f00720065005f00520075006c0065005f005300650074005f00500072006f006a006500630074000000795881f43b1d7f48af2c825dc485276300000000a5ab000000}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 \par }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290 The OWASP CRS was installed on your system drive, under }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \b\f0\fs24\insrsid6633290\charrsid6633290 inetpub\\wwwroot\\owasp_crs}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290 \par You can include it in your website by adding to your }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \b\f0\fs24\insrsid6633290\charrsid6633290 web.config}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290 file, in }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \b\f0\fs24\insrsid6633290\charrsid6633290 system.webServer}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290 section: -\par }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290\charrsid6633290 <ModSecurity enabled="true" configFile="}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290 owasp_crs\\}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 -\f0\fs24\insrsid6633290\charrsid6633290 modsecurity}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290 _iis}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290\charrsid6633290 .conf" /> +\par }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290\charrsid6633290 <ModSecurity enabled="true" configFile="c:\\inetpub\\wwwroot\\}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290 owasp_crs\\}{\rtlch\fcs1 \af0\afs24 +\ltrch\fcs0 \f0\fs24\insrsid6633290\charrsid6633290 modsecurity}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290 _iis}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290\charrsid6633290 .conf" /> \par }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\lang1045\langfe1033\langnp1045\insrsid6385683\charrsid16350125 MSRC blog }{\field\fldedit{\*\fldinst {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\lang1045\langfe1033\langnp1045\insrsid6385683\charrsid16350125 HYPERLINK "http://blogs.technet.com/b/srd/" }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\lang1045\langfe1033\langnp1045\insrsid2315486\charrsid16350125 {\*\datafield 00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b5800000068007400740070003a002f002f0062006c006f00670073002e0074006500630068006e00650074002e0063006f006d002f0062002f007300720064002f000000795881f43b1d7f48af2c825dc48527630000 -0000a5ab00000000}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\lang1045\langfe1033\langnp1045\insrsid6385683\charrsid16350125 http://blogs.technet.com/b/srd/}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj { +0000a5ab000000}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\lang1045\langfe1033\langnp1045\insrsid6385683\charrsid16350125 http://blogs.technet.com/b/srd/}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj { \rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\lang1045\langfe1033\langnp1045\insrsid6385683\charrsid16350125 }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\lang1045\langfe1033\langnp1045\insrsid6385683\charrsid6633290 \par }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 Trustwave SpiderLabs blog: }{\field\fldedit{\*\fldinst {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486 HYPERLINK "http://blog.spiderlabs.com/"}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486\charrsid16350125 {\*\datafield -00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b5000000068007400740070003a002f002f0062006c006f0067002e007300700069006400650072006c006100620073002e0063006f006d002f000000795881f43b1d7f48af2c825dc485276300000000a5ab00000000} -}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 http://blog.spiderlabs.com}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\field\fldedit{\*\fldinst {\rtlch\fcs1 \af0\afs24 +00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b5000000068007400740070003a002f002f0062006c006f0067002e007300700069006400650072006c006100620073002e0063006f006d002f000000795881f43b1d7f48af2c825dc485276300000000a5ab000000}} +}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 http://blog.spiderlabs.com}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\field\fldedit{\*\fldinst {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 HYPERLINK "http://blog.spiderlabs.com/" }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486\charrsid16350125 {\*\datafield -00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b5000000068007400740070003a002f002f0062006c006f0067002e007300700069006400650072006c006100620073002e0063006f006d002f000000795881f43b1d7f48af2c825dc485276300000000a5ab00000000} -}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 /}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 +00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b5000000068007400740070003a002f002f0062006c006f0067002e007300700069006400650072006c006100620073002e0063006f006d002f000000795881f43b1d7f48af2c825dc485276300000000a5ab000000}} +}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 /}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 \par Trustwave Commercial Rule Set for ModSecurity: }{\field\fldedit{\*\fldinst {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486 HYPERLINK "https://www.trustwave.com/modsecurity-rules-support.php"}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486\charrsid16350125 {\*\datafield 00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b88000000680074007400700073003a002f002f007700770077002e007400720075007300740077006100760065002e0063006f006d002f006d006f006400730065006300750072006900740079002d00720075006c00 -650073002d0073007500700070006f00720074002e007000680070000000795881f43b1d7f48af2c825dc485276300000000a5ab00000000}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 +650073002d0073007500700070006f00720074002e007000680070000000795881f43b1d7f48af2c825dc485276300000000a5ab000000}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 https://www.trustwave.com/modsecurity-rules-support.php}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 \par }\pard \ltrpar\ql \li0\ri0\sa200\sl276\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0 {\rtlch\fcs1 \af0 \ltrch\fcs0 \insrsid6967166 \par }{\*\themedata 504b030414000600080000002100e9de0fbfff0000001c020000130000005b436f6e74656e745f54797065735d2e786d6cac91cb4ec3301045f748fc83e52d4a @@ -220,8 +220,8 @@ ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff -ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffffffffffff0c6ad98892f1d411a65f0040963251e5000000000000000000000000f0d5 -16df10f5cd01feffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000 +ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffffffffffff0c6ad98892f1d411a65f0040963251e5000000000000000000000000e065 +dc7748f3cd01feffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000105000000000000}} \ No newline at end of file

@@ -20,14 +20,17 @@ // of CMyHttpModule for each request. class CMyHttpModuleFactory : public IHttpModuleFactory { - CMyHttpModule * m_pModule; + CMyHttpModule * m_pModule; + CRITICAL_SECTION m_csLock; public: CMyHttpModuleFactory() { m_pModule = NULL; + + InitializeCriticalSection(&m_csLock); } - + virtual HRESULT GetHttpModule( @@ -43,6 +46,8 @@ goto Finished; } + EnterCriticalSection(&m_csLock); + if(m_pModule == NULL) { m_pModule = new CMyHttpModule(); @@ -54,6 +59,8 @@ } } + LeaveCriticalSection(&m_csLock); + *ppModule = m_pModule; Finished:

@@ -0,0 +1,239 @@ + +#include <apr_bucket_nginx.h> + +static apr_status_t nginx_bucket_read(apr_bucket *b, const char **str, + apr_size_t *len, apr_read_type_e block); +static void nginx_bucket_destroy(void *data); + +static const apr_bucket_type_t apr_bucket_type_nginx = { + "NGINX", 5, APR_BUCKET_DATA, + nginx_bucket_destroy, + nginx_bucket_read, + apr_bucket_setaside_noop, + apr_bucket_shared_split, + apr_bucket_shared_copy +}; + + +typedef struct apr_bucket_nginx { + apr_bucket_refcount refcount; + ngx_buf_t *buf; +} apr_bucket_nginx; + +/* ngx_buf_t to apr_bucket */ +apr_bucket * apr_bucket_nginx_create(ngx_buf_t *buf, + apr_pool_t *p, + apr_bucket_alloc_t *list) +{ + + apr_bucket *b = apr_bucket_alloc(sizeof(*b), list); + + APR_BUCKET_INIT(b); /* link */ + b->free = apr_bucket_free; + b->list = list; + return apr_bucket_nginx_make(b, buf, p); +} + +apr_bucket * apr_bucket_nginx_make(apr_bucket *b, ngx_buf_t *buf, + apr_pool_t *pool) +{ + apr_bucket_nginx *n; + + n = apr_bucket_alloc(sizeof(*n), b->list); + + n->buf = buf; + + b = apr_bucket_shared_make(b, n, 0, ngx_buf_size(buf)); + b->type = &apr_bucket_type_nginx; + return b; +} + +static apr_status_t nginx_bucket_read(apr_bucket *b, const char **str, + apr_size_t *len, apr_read_type_e block) +{ + apr_bucket_nginx *n = b->data; + ngx_buf_t *buf = n->buf; + u_char *data; + ssize_t size; + + if (buf->pos == NULL && ngx_buf_size(buf) != 0) { + data = apr_bucket_alloc(ngx_buf_size(buf), b->list); + if (data == NULL) { + return APR_EGENERAL; + } + + size = ngx_read_file(buf->file, data, ngx_buf_size(buf), buf->file_pos); + if (size != ngx_buf_size(buf)) { + apr_bucket_free(data); + return APR_EGENERAL; + } + buf->pos = data; + } + + *str = (char *)buf->pos + b->start; + *len = b->length; + + return APR_SUCCESS; +} + + +static void nginx_bucket_destroy(void *data) +{ + apr_bucket_nginx *n = data; + ngx_buf_t *buf = n->buf; + + if (apr_bucket_shared_destroy(n)) { + if (!ngx_buf_in_memory(buf) && buf->pos != NULL) { + apr_bucket_free(buf->pos); + buf->pos = NULL; + } + apr_bucket_free(n); + } +} + +ngx_buf_t * apr_bucket_to_ngx_buf(apr_bucket *e, ngx_pool_t *pool) { + ngx_buf_t *buf, *b; + apr_bucket_nginx *n; + ngx_uint_t len; + u_char *data; + + if (e->type->is_metadata) { + return NULL; + } + + if (e->type == &apr_bucket_type_nginx) { + n = e->data; + b = n->buf; + + /* whole buf */ + if (e->length == (apr_size_t)ngx_buf_size(b)) { + b->last_buf = 0; + return b; + } + + buf = ngx_palloc(pool, sizeof(ngx_buf_t)); + if (buf == NULL) { + return NULL; + } + ngx_memcpy(buf, b, sizeof(ngx_buf_t)); + + if (ngx_buf_in_memory(buf)) { + buf->start = buf->pos = buf->pos + e->start; + buf->end = buf->last = buf->pos + e->length; + } else { + buf->pos = NULL; + buf->file_pos += e->start; + buf->file_last = buf->file_pos + e->length; + } + + buf->last_buf = 0; + return buf; + } + + if (apr_bucket_read(e, (const char **)&data, + &len, APR_BLOCK_READ) != APR_SUCCESS) { + return NULL; + } + + buf = ngx_calloc_buf(pool); + if (buf == NULL) { + return NULL; + } + + if (e->type == &apr_bucket_type_pool) { + buf->start = data; + } else if (len != 0) { + buf->start = ngx_palloc(pool, len); + ngx_memcpy(buf->start, data, len); + } + + buf->pos = buf->start; + buf->end = buf->last = buf->start + len; + buf->temporary = 1; + return buf; +} + +ngx_int_t +move_chain_to_brigade(ngx_chain_t *chain, apr_bucket_brigade *bb, ngx_pool_t *pool, ngx_int_t last_buf) { + apr_bucket *e; + ngx_chain_t *cl; + + while (chain) { + e = ngx_buf_to_apr_bucket(chain->buf, bb->p, bb->bucket_alloc); + if (e == NULL) { + return NGX_ERROR; + } + + APR_BRIGADE_INSERT_TAIL(bb, e); + if (chain->buf->last_buf) { + e = apr_bucket_eos_create(bb->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, e); + chain->buf->last_buf = 0; + return NGX_OK; + } + cl = chain; + chain = chain->next; + ngx_free_chain(pool, cl); + } + + if (last_buf) { + e = apr_bucket_eos_create(bb->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, e); + return NGX_OK; + } + + return NGX_AGAIN; +} + +ngx_int_t +move_brigade_to_chain(apr_bucket_brigade *bb, ngx_chain_t **ll, ngx_pool_t *pool) { + apr_bucket *e; + ngx_buf_t *buf; + ngx_chain_t *cl; + + cl = NULL; + + if (APR_BRIGADE_EMPTY(bb)) { + *ll = NULL; + return NGX_OK; + } + + for (e = APR_BRIGADE_FIRST(bb); + e != APR_BRIGADE_SENTINEL(bb); + e = APR_BUCKET_NEXT(e)) { + + if (APR_BUCKET_IS_EOS(e)) { + if (cl == NULL) { + *ll = cl; + } else { + cl->buf->last_buf = 1; + } + apr_brigade_cleanup(bb); + return NGX_OK; + } + + if (APR_BUCKET_IS_METADATA(e)) { + continue; + } + + buf = apr_bucket_to_ngx_buf(e, pool); + if (buf == NULL) { + break; + } + + cl = ngx_alloc_chain_link(pool); + if (cl == NULL) { + break; + } + + cl->buf = buf; + cl->next = NULL; + *ll = cl; + ll = &cl->next; + } + + apr_brigade_cleanup(bb); + /* no eos or error */ + return NGX_ERROR; +} +

@@ -0,0 +1,18 @@ +#pragma once +#include <ngx_core.h> +#include "apr_buckets.h" + +apr_bucket * apr_bucket_nginx_create(ngx_buf_t *buf, + apr_pool_t *p, + apr_bucket_alloc_t *list); + +apr_bucket * apr_bucket_nginx_make(apr_bucket *e, ngx_buf_t *buf, + apr_pool_t *pool); + +#define ngx_buf_to_apr_bucket apr_bucket_nginx_create + +ngx_buf_t * apr_bucket_to_ngx_buf(apr_bucket *e, ngx_pool_t *pool); + +ngx_int_t move_chain_to_brigade(ngx_chain_t *chain, apr_bucket_brigade *bb, ngx_pool_t *pool, ngx_int_t last_buf); +ngx_int_t move_brigade_to_chain(apr_bucket_brigade *bb, ngx_chain_t **chain, ngx_pool_t *pool); +

@@ -1,6 +1,7 @@ ngx_addon_name=ngx_http_modsecurity -HTTP_MODULES="$HTTP_MODULES ngx_http_modsecurity" -NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_modsecurity.c" -NGX_ADDON_DEPS="$NGX_ADDON_DEPS" -CORE_LIBS="$CORE_LIBS $ngx_addon_dir/../../standalone/.libs/standalone.a -lapr-1 -laprutil-1 -lxml2 -lm" -CORE_INCS="$CORE_INCS /usr/include/apache2 /usr/include/apr-1.0 /usr/include/httpd /usr/include/apr-1 $ngx_addon_dir/../../standalone $ngx_addon_dir/../../apache2 /usr/include/libxml2" +CORE_MODULES="$CORE_MODULES ngx_pool_context_module" +HTTP_AUX_FILTER_MODULES="ngx_http_modsecurity $HTTP_AUX_FILTER_MODULES" +NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_modsecurity.c $ngx_addon_dir/apr_bucket_nginx.c $ngx_addon_dir/ngx_pool_context.c" +NGX_ADDON_DEPS="$NGX_ADDON_DEPS $ngx_addon_dir/apr_bucket_nginx.h $ngx_addon_dir/ngx_pool_context.h" +CORE_LIBS="$CORE_LIBS $ngx_addon_dir/../../standalone/.libs/standalone.a -lapr-1 -laprutil-1 -lxml2 -lm " +CORE_INCS="$CORE_INCS /usr/include/apache2 /usr/include/apr-1.0 /usr/include/httpd /usr/include/apr-1 $ngx_addon_dir $ngx_addon_dir/../../standalone $ngx_addon_dir/../../apache2 /usr/include/libxml2 "

@@ -12,14 +12,9 @@ * directly using the email address security@modsecurity.org. */ -#include <nginx.h> -#include <ngx_config.h> -#include <ngx_core.h> #include <ngx_http.h> -#include <ngx_event.h> -#include <ngx_http_core_module.h> -#include <ctype.h> -#include <sys/times.h> +#include <apr_bucket_nginx.h> +#include <ngx_pool_context.h> #undef CR #undef LF @@ -32,17 +27,18 @@ typedef struct { ngx_flag_t enable; directory_config *config; + + ngx_str_t *file; + ngx_uint_t line; } ngx_http_modsecurity_loc_conf_t; typedef struct { ngx_http_request_t *r; conn_rec *connection; request_rec *req; - ngx_chain_t *chain; - ngx_buf_t buf; - void **loc_conf; - unsigned request_body_in_single_buf:1; - unsigned request_body_in_file_only:1; + + apr_bucket_brigade *brigade; + unsigned complete; } ngx_http_modsecurity_ctx_t; @@ -50,7 +46,9 @@ ** Module's registred function/handlers. */ static ngx_int_t ngx_http_modsecurity_handler(ngx_http_request_t *r); -static void ngx_http_modsecurity_request_body_handler(ngx_http_request_t *r); +static void ngx_http_modsecurity_body_handler(ngx_http_request_t *r); +static ngx_int_t ngx_http_modsecurity_header_filter(ngx_http_request_t *r); +static ngx_int_t ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in); static ngx_int_t ngx_http_modsecurity_preconfiguration(ngx_conf_t *cf); static ngx_int_t ngx_http_modsecurity_init(ngx_conf_t *cf); static ngx_int_t ngx_http_modsecurity_init_process(ngx_cycle_t *cycle); @@ -58,14 +56,16 @@ static void *ngx_http_modsecurity_create_loc_conf(ngx_conf_t *cf); static char *ngx_http_modsecurity_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child); static char *ngx_http_modsecurity_config(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); -apr_status_t modsecurity_read_body_cb(request_rec *r, char *buf, unsigned int length, - unsigned int *readcnt, int *is_eos); -apr_status_t modsecurity_write_body_cb(request_rec *rec, char *buf, unsigned int length); +static char *ngx_http_modsecurity_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); static ngx_http_modsecurity_ctx_t * ngx_http_modsecurity_create_ctx(ngx_http_request_t *r); static int ngx_http_modsecurity_drop_action(request_rec *r); static void ngx_http_modsecurity_cleanup(void *data); +static int ngx_http_modsecurity_save_headers_in_visitor(void *data, const char *key, const char *value); +static int ngx_http_modsecurity_save_headers_out_visitor(void *data, const char *key, const char *value); + + /* command handled by the module */ static ngx_command_t ngx_http_modsecurity_commands[] = { { ngx_string("ModSecurityConfig"), @@ -77,7 +77,7 @@ { ngx_string("ModSecurityEnabled"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF |NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_TAKE1, - ngx_conf_set_flag_slot, + ngx_http_modsecurity_enable, NGX_HTTP_LOC_CONF_OFFSET, offsetof(ngx_http_modsecurity_loc_conf_t, enable), NULL }, @@ -103,21 +103,688 @@ }; -ngx_module_t ngx_http_modsecurity = { - NGX_MODULE_V1, - &ngx_http_modsecurity_ctx, /* module context */ - ngx_http_modsecurity_commands, /* module directives */ - NGX_HTTP_MODULE, /* module type */ - NULL, /* init master */ - NULL, /* init module */ - ngx_http_modsecurity_init_process, /* init process */ - NULL, /* init thread */ - NULL, /* exit thread */ - ngx_http_modsecurity_exit_process, /* exit process */ - ngx_http_modsecurity_exit_process, /* exit master */ - NGX_MODULE_V1_PADDING -}; +ngx_module_t ngx_http_modsecurity = { + NGX_MODULE_V1, + &ngx_http_modsecurity_ctx, /* module context */ + ngx_http_modsecurity_commands, /* module directives */ + NGX_HTTP_MODULE, /* module type */ + NULL, /* init master */ + NULL, /* init module */ + ngx_http_modsecurity_init_process, /* init process */ + NULL, /* init thread */ + NULL, /* exit thread */ + ngx_http_modsecurity_exit_process, /* exit process */ + ngx_http_modsecurity_exit_process, /* exit master */ + NGX_MODULE_V1_PADDING +}; + +static ngx_http_output_header_filter_pt ngx_http_next_header_filter; +static ngx_http_output_body_filter_pt ngx_http_next_body_filter; + +static ngx_http_upstream_t ngx_http_modsecurity_upstream; + +static struct { + char *name; + ngx_str_t variable_name; +} special_headers_out[] = { + {"Content-Type", ngx_string("sent_http_content_type") }, + {"Content-Length", ngx_string("sent_http_content_length")}, + {"Location", ngx_string("sent_http_location")}, + {"Last-Modified", ngx_string("sent_http_last_modified")}, + {"Connection", ngx_string("sent_http_connection")}, + {"Keep-Alive", ngx_string("sent_http_keep_alive")}, + {"Transfer-Encoding", ngx_string("sent_http_transfer_encoding")}, + {"Cache-Control", ngx_string("sent_http_cache_control")}, + {NULL, ngx_null_string} +}; + + +static inline u_char * +ngx_pstrdup0(ngx_pool_t *pool, ngx_str_t *src) +{ + u_char *dst; + + dst = ngx_pnalloc(pool, src->len + 1); + if (dst == NULL) { + return NULL; + } + + ngx_memcpy(dst, src->data, src->len); + dst[src->len] = '\0'; + + return dst; +} + + +static inline int ngx_http_modsecurity_method_number(unsigned int nginx) +{ + /* + * http://graphics.stanford.edu/~seander/bithacks.html#ZerosOnRightMultLookup + */ + static const int MultiplyDeBruijnBitPosition[32] = { + M_INVALID, /* 1 >> 0 */ + M_GET, + M_INVALID, /* 1 >> 28 */ + M_GET, /* NGX_HTTP_HEAD */ + M_INVALID, /* 1 >> 29 */ + M_PATCH, + M_INVALID, /* 1 >> 24 */ + M_POST, + M_INVALID, /* 1 >> 30 */ + M_INVALID, /* 1 >> 22 */ + M_INVALID, /* 1 >> 20 */ + M_TRACE, + M_INVALID, /* 1 >> 25 */ + M_INVALID, /* 1 >> 17 */ + M_PUT, + M_MOVE, + M_INVALID, /* 1 >> 31 */ + M_INVALID, /* 1 >> 27 */ + M_UNLOCK, + M_INVALID, /* 1 >> 23 */ + M_INVALID, /* 1 >> 21 */ + M_INVALID, /* 1 >> 19 */ + M_INVALID, /* 1 >> 16 */ + M_COPY, + M_INVALID, /* 1 >> 26 */ + M_LOCK, + M_INVALID, /* 1 >> 18 */ + M_MKCOL, + M_PROPPATCH, + M_DELETE, + M_PROPFIND, + M_OPTIONS + }; + + return MultiplyDeBruijnBitPosition[((uint32_t)((nginx & -nginx) * 0x077CB531U)) >> 27]; +} + +static ngx_inline ngx_int_t +ngx_http_modsecurity_load_request(ngx_http_request_t *r) +{ + ngx_http_modsecurity_ctx_t *ctx; + request_rec *req; + ngx_str_t str; + size_t root; + ngx_str_t path; + + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + req = ctx->req; + + /* request line */ + req->method = (char *)ngx_pstrdup0(r->pool, &r->method_name); + + /* TODO: how to use ap_method_number_of ? + * req->method_number = ap_method_number_of(req->method); + */ + + req->method_number = ngx_http_modsecurity_method_number(r->method); + + /* ngx_http_map_uri_to_path() allocates memory for terminating '\0' */ + if (ngx_http_map_uri_to_path(r, &path, &root, 0) == NULL) { + return NGX_ERROR; + } + + req->filename = (char *) path.data; + req->path_info = req->filename; + + req->args = (char *)ngx_pstrdup0(r->pool, &r->args); + + req->proto_num = r->http_major *1000 + r->http_minor; + req->protocol = (char *)ngx_pstrdup0(r->pool, &r->http_protocol); + req->request_time = apr_time_make(r->start_sec, r->start_msec); + req->the_request = (char *)ngx_pstrdup0(r->pool, &r->request_line); + + req->unparsed_uri = (char *)ngx_pstrdup0(r->pool, &r->unparsed_uri); + req->uri = (char *)ngx_pstrdup0(r->pool, &r->uri); + + req->parsed_uri.scheme = "http"; + +#if (NGX_HTTP_SSL) + if (r->connection->ssl) { + req->parsed_uri.scheme = "https"; + } +#endif + + req->parsed_uri.path = req->path_info; + req->parsed_uri.is_initialized = 1; + + str.data = r->port_start; + str.len = r->port_end - r->port_start; + req->parsed_uri.port = ngx_atoi(str.data, str.len); + req->parsed_uri.port_str = (char *)ngx_pstrdup0(r->pool, &str); + + req->parsed_uri.query = req->args; + req->parsed_uri.dns_looked_up = 0; + req->parsed_uri.dns_resolved = 0; + + // req->parsed_uri.password = (char *)ngx_pstrdup0(r->pool, &r->headers_in.passwd); + // req->parsed_uri.user = (char *)ngx_pstrdup0(r->pool, &r->headers_in.user); + req->parsed_uri.fragment = (char *)ngx_pstrdup0(r->pool, &r->exten); + + req->hostname = (char *)ngx_pstrdup0(r->pool, (ngx_str_t *)&ngx_cycle->hostname); + + req->header_only = r->header_only ? r->header_only : (r->method == NGX_HTTP_HEAD); + + return NGX_OK; +} + + +/* + * TODO: deal more headers. + */ + +static ngx_inline ngx_int_t +ngx_http_modsecurity_load_headers_in(ngx_http_request_t *r) +{ + ngx_http_modsecurity_ctx_t *ctx; + const char *lang; + request_rec *req; + ngx_list_part_t *part; + ngx_table_elt_t *h; + ngx_uint_t i; + + + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + req = ctx->req; + + part = &r->headers_in.headers.part; + h = part->elts; + + for (i = 0; ; i++) { + if (i >= part->nelts) { + if (part->next == NULL) + break; + + part = part->next; + h = part->elts; + i = 0; + } + + apr_table_setn(req->headers_in, (char *)h[i].key.data, (char *)h[i].value.data); + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: load headers in: \"%V: %V\"", + &h[i].key, &h[i].value); + } + + req->clength = r->headers_in.content_length_n; + + + req->range = apr_table_get(req->headers_in, "Range"); + req->content_type = apr_table_get(req->headers_in, "Content-Type"); + req->content_encoding = apr_table_get(req->headers_in, "Content-Encoding"); + + lang = apr_table_get(ctx->req->headers_in, "Content-Languages"); + if(lang != NULL) + { + ctx->req->content_languages = apr_array_make(ctx->req->pool, 1, sizeof(const char *)); + + *(const char **)apr_array_push(ctx->req->content_languages) = lang; + } + + req->ap_auth_type = (char *)apr_table_get(req->headers_in, "Authorization"); + + req->user = (char *)ngx_pstrdup0(r->pool, &r->headers_in.user); + + + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: load headers in done"); + + return NGX_OK; +} + +static ngx_inline ngx_int_t +ngx_http_modsecurity_save_headers_in(ngx_http_request_t *r) +{ + ngx_http_modsecurity_ctx_t *ctx; + + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + + /* clean up headers_in */ + ngx_memzero(&r->headers_in, sizeof(ngx_http_headers_in_t)); + + if (ngx_list_init(&r->headers_in.headers, r->pool, 20, + sizeof(ngx_table_elt_t)) + != NGX_OK) + { + return NGX_ERROR; + } + + + if (ngx_array_init(&r->headers_in.cookies, r->pool, 2, + sizeof(ngx_table_elt_t *)) + != NGX_OK) + { + return NGX_ERROR; + } + + r->headers_in.content_length_n = -1; + r->headers_in.keep_alive_n = -1; + + r->headers_in.headers.part.nelts = 0; + r->headers_in.headers.part.next = NULL; + r->headers_in.headers.last = &r->headers_in.headers.part; + + /* shadow copy */ + if (apr_table_do(ngx_http_modsecurity_save_headers_in_visitor, + r, ctx->req->headers_in, NULL) == 0) { + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: save headers in error"); + + return NGX_ERROR; + } + + if (r->headers_in.content_length) { + r->headers_in.content_length_n = + ngx_atoof(r->headers_in.content_length->value.data, + r->headers_in.content_length->value.len); + + if (r->headers_in.content_length_n == NGX_ERROR) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "ModSecurity: invalid \"Content-Length\" header"); + return NGX_ERROR; + } + } + + if (r->headers_in.connection_type == NGX_HTTP_CONNECTION_KEEP_ALIVE) { + if (r->headers_in.keep_alive) { + r->headers_in.keep_alive_n = + ngx_atotm(r->headers_in.keep_alive->value.data, + r->headers_in.keep_alive->value.len); + } + } + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: save headers in done"); + + return NGX_OK; +} + + +static int +ngx_http_modsecurity_save_headers_in_visitor(void *data, const char *key, const char *value) +{ + ngx_http_request_t *r = data; + ngx_table_elt_t *h; + ngx_http_header_t *hh; + ngx_http_core_main_conf_t *cmcf; + + h = ngx_list_push(&r->headers_in.headers); + if (h == NULL) { + return 0; + } + + h->key.data = (u_char *)key; + h->key.len = ngx_strlen(key); + + h->value.data = (u_char *)value; + h->value.len = ngx_strlen(value); + + h->lowcase_key = ngx_pnalloc(r->pool, h->key.len); + + if (h->lowcase_key == NULL) { + return 0; + } + + ngx_strlow(h->lowcase_key, h->key.data, h->key.len); + + h->hash = ngx_hash_key(h->lowcase_key, h->key.len); + + cmcf = ngx_http_get_module_main_conf(r, ngx_http_core_module); + + hh = ngx_hash_find(&cmcf->headers_in_hash, h->hash, + h->lowcase_key, h->key.len); + + if (hh && hh->handler(r, h, hh->offset) != NGX_OK) { + return 0; + } + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: save headers in: \"%V: %V\"", + &h->key, &h->value); + + return 1; +} + + +static ngx_inline ngx_int_t +ngx_http_modsecurity_load_request_body(ngx_http_request_t *r) +{ + ngx_http_modsecurity_ctx_t *ctx; + + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + + modsecSetBodyBrigade(ctx->req, ctx->brigade); + + if (r->request_body == NULL || r->request_body->bufs == NULL) { + + return move_chain_to_brigade(NULL, ctx->brigade, r->pool, 1); + } + + if (move_chain_to_brigade(r->request_body->bufs, ctx->brigade, r->pool, 1) != NGX_OK) { + return NGX_ERROR; + } + + r->request_body = NULL; + + return NGX_OK; +} + + +static ngx_inline ngx_int_t +ngx_http_modsecurity_save_request_body(ngx_http_request_t *r) +{ + ngx_http_modsecurity_ctx_t *ctx; + apr_off_t content_length; + ngx_buf_t *buf; + ngx_http_core_srv_conf_t *cscf; + size_t size; + ngx_http_connection_t *hc; + + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + + apr_brigade_length(ctx->brigade, 0, &content_length); + + if (r->header_in->end - r->header_in->last >= content_length) { + /* use r->header_in */ + + if (ngx_buf_size(r->header_in)) { + /* move to the end */ + ngx_memmove(r->header_in->pos + content_length, + r->header_in->pos, + ngx_buf_size(r->header_in)); + } + + if (apr_brigade_flatten(ctx->brigade, + (char *)r->header_in->pos, + (apr_size_t *)&content_length) != APR_SUCCESS) { + return NGX_ERROR; + } + + apr_brigade_cleanup(ctx->brigade); + + r->header_in->last += content_length; + + return NGX_OK; + } + + if (ngx_buf_size(r->header_in)) { + + /* + * ngx_http_set_keepalive will reuse r->header_in if + * (r->header_in != c->buffer && r->header_in.last != r->header_in.end), + * so we need this code block. + * see ngx_http_set_keepalive, ngx_http_alloc_large_header_buffer + */ + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); + + size = ngx_max(cscf->large_client_header_buffers.size, + (size_t)content_length + ngx_buf_size(r->header_in)); + + hc = r->http_connection; + + if (hc->nfree && size == cscf->large_client_header_buffers.size) { + + buf = hc->free[--hc->nfree]; + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: use http free large header buffer: %p %uz", + buf->pos, buf->end - buf->last); + + } else if (hc->nbusy < cscf->large_client_header_buffers.num) { + + if (hc->busy == NULL) { + hc->busy = ngx_palloc(r->connection->pool, + cscf->large_client_header_buffers.num * sizeof(ngx_buf_t *)); + } + + if (hc->busy == NULL) { + return NGX_ERROR; + } else { + buf = ngx_create_temp_buf(r->connection->pool, size); + } + } else { + /* TODO: how to deal this case ? */ + return NGX_ERROR; + } + + } else { + + buf = ngx_create_temp_buf(r->pool, (size_t) content_length); + } + + if (buf == NULL) { + return NGX_ERROR; + } + + if (apr_brigade_flatten(ctx->brigade, (char *)buf->pos, + (apr_size_t *)&content_length) != APR_SUCCESS) { + return NGX_ERROR; + } + + apr_brigade_cleanup(ctx->brigade); + buf->last += content_length; + + ngx_memcpy(buf->last, r->header_in->pos, ngx_buf_size(r->header_in)); + buf->last += ngx_buf_size(r->header_in); + + r->header_in = buf; + + return NGX_OK; +} + + +static ngx_inline ngx_int_t +ngx_http_modsecurity_load_headers_out(ngx_http_request_t *r) +{ + + ngx_http_modsecurity_ctx_t *ctx; + char *data; + request_rec *req; + u_char *content_type; + ngx_uint_t content_type_len; + ngx_http_variable_value_t *vv; + ngx_list_part_t *part; + ngx_table_elt_t *h; + ngx_uint_t i; + char *key, *value; + u_char *buf = NULL; + size_t size = 0; + + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + req = ctx->req; + + req->status = r->headers_out.status; + req->status_line = (char *)ngx_pstrdup0(r->pool, &r->headers_out.status_line); + + if (r->headers_out.charset.len) { + + content_type_len = r->headers_out.content_type.len + + r->headers_out.charset.len + + ngx_strlen("; charset=") + 1; + + content_type = ngx_palloc(r->pool, content_type_len); + + if (content_type == NULL) { + return NGX_ERROR; + } + + ngx_snprintf(content_type, content_type_len, + "%V; charset=%V", + &r->headers_out.content_type, + &r->headers_out.charset); + + r->headers_out.content_type.data = content_type; + r->headers_out.content_type.len = content_type_len; + } + + /* deep copy */ + part = &r->headers_out.headers.part; + h = part->elts; + + for (i = 0; ; i++) { + if (i >= part->nelts) { + if (part->next == NULL) + break; + + part = part->next; + h = part->elts; + i = 0; + } + size += h[i].key.len + h[i].value.len + 2; + + buf = ngx_palloc(r->pool, size); + + if (buf == NULL) { + return NGX_ERROR; + } + + key = (char *)buf; + buf = ngx_cpymem(buf, h[i].key.data, h[i].key.len); + *buf++ = '\0'; + + value = (char *)buf; + buf = ngx_cpymem(buf, h[i].value.data, h[i].value.len); + *buf++ = '\0'; + + apr_table_setn(req->headers_out, key, value); + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: load headers out: \"%V: %V\"", + &h[i].key, &h[i].value); + + } + + for (i = 0; special_headers_out[i].name; i++) { + + vv = ngx_http_get_variable(r, &special_headers_out[i].variable_name, + ngx_hash_key(special_headers_out[i].variable_name.data, + special_headers_out[i].variable_name.len)); + + if (vv && !vv->not_found) { + + data = ngx_palloc(r->pool, vv->len + 1); + if (data == NULL) { + return NGX_ERROR; + } + + ngx_memcpy(data,vv->data, vv->len); + data[vv->len] = '\0'; + + apr_table_setn(req->headers_out, special_headers_out[i].name, data); + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: load headers out: \"%s: %s\"", + special_headers_out[i].name, data); + } + } + + req->content_type = apr_table_get(ctx->req->headers_out, "Content-Type"); + req->content_encoding = apr_table_get(ctx->req->headers_out, "Content-Encoding"); + + data = (char *)apr_table_get(ctx->req->headers_out, "Content-Languages"); + + if(data != NULL) + { + ctx->req->content_languages = apr_array_make(ctx->req->pool, 1, sizeof(const char *)); + *(const char **)apr_array_push(ctx->req->content_languages) = data; + } + + /* req->chunked = r->chunked; may be useless */ + req->clength = r->headers_out.content_length_n; + req->mtime = apr_time_make(r->headers_out.last_modified_time, 0); + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: load headers out done"); + + return NGX_OK; +} + + +static ngx_inline ngx_int_t +ngx_http_modsecurity_save_headers_out(ngx_http_request_t *r) +{ + ngx_http_modsecurity_ctx_t *ctx; + ngx_http_upstream_t *upstream; + + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + + /* r->chunked = ctx->req->chunked; */ + + ngx_http_clean_header(r); + + upstream = r->upstream; + r->upstream = &ngx_http_modsecurity_upstream; + + if (apr_table_do(ngx_http_modsecurity_save_headers_out_visitor, + r, ctx->req->headers_out, NULL) == 0) { + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: save headers out error"); + + return NGX_ERROR; + } + + r->upstream = upstream; + + r->headers_out.status = ctx->req->status; + r->headers_out.status_line.data = (u_char *)ctx->req->status_line; + r->headers_out.status_line.len = ctx->req->status_line ? + ngx_strlen(ctx->req->status_line) : 0; + + r->headers_out.content_length_n = ctx->req->clength; + r->headers_out.last_modified_time = apr_time_sec(ctx->req->mtime); + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: save headers out done"); + + return NGX_OK; +} + + +static int +ngx_http_modsecurity_save_headers_out_visitor(void *data, const char *key, const char *value) +{ + ngx_http_request_t *r = data; + ngx_table_elt_t *h, he; + ngx_http_upstream_header_t *hh; + ngx_http_upstream_main_conf_t *umcf; + + umcf = ngx_http_get_module_main_conf(r, ngx_http_upstream_module); + + h = &he; + + h->key.data = (u_char *)key; + h->key.len = ngx_strlen(key); + + h->value.data = (u_char *)value; + h->value.len = ngx_strlen(value); + + h->lowcase_key = ngx_palloc(r->pool, h->key.len); + if (h->lowcase_key == NULL) { + return 0; + } + + ngx_strlow(h->lowcase_key, h->key.data, h->key.len); + + h->hash = ngx_hash_key(h->lowcase_key, h->key.len); + + hh = ngx_hash_find(&umcf->headers_in_hash, h->hash, + h->lowcase_key, h->key.len); + + if (hh) { + /* copy all */ + if (hh->copy_handler(r, h, hh->conf) != NGX_OK) { + return 0; + } + } + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: save headers out: \"%V: %V\"", + &h->key, &h->value); + return 1; +} /* create loc conf struct */ static void * @@ -125,10 +792,12 @@ { ngx_http_modsecurity_loc_conf_t *conf; - conf = (ngx_http_modsecurity_loc_conf_t *) ngx_pcalloc(cf->pool, sizeof(ngx_http_modsecurity_loc_conf_t)); + conf = (ngx_http_modsecurity_loc_conf_t *) + ngx_palloc(cf->pool, sizeof(ngx_http_modsecurity_loc_conf_t)); if (conf == NULL) return NULL; + conf->config = NGX_CONF_UNSET_PTR; conf->enable = NGX_CONF_UNSET; return conf; @@ -136,22 +805,28 @@ /* merge loc conf */ static char * -ngx_http_modsecurity_merge_loc_conf(ngx_conf_t *cf, void *parent, - void *child) +ngx_http_modsecurity_merge_loc_conf(ngx_conf_t *cf, void *parent, + void *child) { ngx_http_modsecurity_loc_conf_t *prev = parent; ngx_http_modsecurity_loc_conf_t *conf = child; - if (conf->config == NULL) { - conf->config = prev->config; - } - ngx_conf_merge_value(conf->enable, prev->enable, 0); + ngx_conf_merge_ptr_value(conf->config, prev->config, NULL); + + if (conf->enable && conf->config == NULL) { + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "\"ModSecurityEnabled\" in %V:%ui is set to \"on\"" + " while directive \"ModSecurityConfig\" is not found" + " in the same location", + conf->file, conf->line); + return NGX_CONF_ERROR; + } return NGX_CONF_OK; } -void +static void modsecLog(void *obj, int level, char *str) { if (obj != NULL) { @@ -169,13 +844,13 @@ */ extern apr_pool_t *pool; -void * +static void * modsec_pcre_malloc(size_t size) { return apr_palloc(pool, size); } -void +static void modsec_pcre_free(void *ptr) { } @@ -183,6 +858,7 @@ static ngx_int_t ngx_http_modsecurity_preconfiguration(ngx_conf_t *cf) { + server_rec *s; /* XXX: temporary hack, nginx uses pcre as well and hijacks these two */ pcre_malloc = modsec_pcre_malloc; @@ -190,16 +866,28 @@ modsecSetLogHook(cf->log, modsecLog); modsecSetDropAction(ngx_http_modsecurity_drop_action); - modsecSetReadBody(modsecurity_read_body_cb); - modsecSetWriteBody(modsecurity_write_body_cb); - modsecInit(); - modsecStartConfig(); + /* TODO: server_rec per server conf */ + s = modsecInit(); + if (s == NULL) { + return NGX_ERROR; + } + + /* set host name */ + s->server_hostname = ngx_palloc(cf->pool, ngx_cycle->hostname.len + 1); + if (s->server_hostname == NULL) { + return NGX_ERROR; + } + ngx_memcpy(s->server_hostname, ngx_cycle->hostname.data, ngx_cycle->hostname.len); + s->server_hostname[ ngx_cycle->hostname.len] = '\0'; + modsecStartConfig(); return NGX_OK; } -static ngx_int_t + + +static ngx_int_t ngx_http_modsecurity_init(ngx_conf_t *cf) { ngx_http_handler_pt *h; @@ -207,7 +895,7 @@ modsecFinalizeConfig(); - cmcf = (ngx_http_core_main_conf_t *) ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module); + cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module); if (cmcf == NULL) { return NGX_ERROR; } @@ -218,20 +906,14 @@ } *h = ngx_http_modsecurity_handler; -#ifdef PROCESS_RESPONSE - /* - ** This function sets up handlers for CONTENT_PHASE, - ** XXX: not implemented yet - */ + ngx_http_next_header_filter = ngx_http_top_header_filter; + ngx_http_top_header_filter = ngx_http_modsecurity_header_filter; - /* Register for CONTENT phase ?? */ - h = ngx_array_push(&cmcf->phases[NGX_HTTP_CONTENT_PHASE].handlers); - if (h == NULL) { - return NGX_ERROR; - } - *h = ngx_http_modsecurity_content_handler; -#endif + ngx_http_next_body_filter = ngx_http_top_body_filter; + ngx_http_top_body_filter = ngx_http_modsecurity_body_filter; + ngx_memzero(&ngx_http_modsecurity_upstream, sizeof(ngx_http_upstream_t)); + ngx_http_modsecurity_upstream.cacheable = 1; return NGX_OK; } @@ -251,341 +933,359 @@ } -char * -ConvertNgxStringToUTF8(ngx_str_t str, apr_pool_t *pool) +/* +** [ENTRY POINT] does : this function called by nginx from the request handler +*/ +static ngx_int_t +ngx_http_modsecurity_handler(ngx_http_request_t *r) { - char *t = (char *) apr_palloc(pool, str.len + 1); + ngx_http_modsecurity_loc_conf_t *cf; + ngx_http_modsecurity_ctx_t *ctx; + ngx_int_t rc; - ngx_memcpy(t, str.data, str.len); - t[str.len] = 0; + cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity); - return t; -} + /* Process only main request */ + if (r != r->main || !cf->enable) { + return NGX_DECLINED; + } -/* -** request body callback, passing body to mod security -*/ -apr_status_t -modsecurity_read_body_cb(request_rec *r, char *outpos, unsigned int length, - unsigned int *outlen, int *is_eos) -{ - size_t len, rest; - ssize_t size; - ngx_http_modsecurity_ctx_t *ctx; + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: handler"); - ctx = (ngx_http_modsecurity_ctx_t *) apr_table_get(r->notes, NOTE_NGINX_REQUEST_CTX); + if (r->internal) { + /* we have already processed the request headers with previous loc conf */ + + /* TODO: do we need update ctx and process headers again? */ + ctx = ngx_http_get_module_pool_ctx(r, ngx_http_modsecurity); + + if (ctx) { + ngx_http_set_ctx(r, ctx, ngx_http_modsecurity); + return NGX_DECLINED; + } + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: get internel request ctx failed"); + } + + ctx = ngx_http_modsecurity_create_ctx(r); if (ctx == NULL) { - return APR_EINVAL; + + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + ngx_http_set_ctx(r, ctx, ngx_http_modsecurity); + + if (ngx_http_set_pool_ctx(r, ctx, ngx_http_modsecurity) != NGX_OK) { + return NGX_ERROR; } - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, ctx->r->connection->log, 0, "modSecurity: read_body_cb"); - ngx_buf_t *buf = &ctx->buf; - rest = length; - *is_eos = 0; - - while (rest) { - - if (ngx_buf_size(buf) == 0) { - if (ctx->chain == NULL) { - *outlen = length - rest; - *is_eos = 1; - // END - return APR_SUCCESS; + ngx_http_modsecurity_load_request(r); + + if (ngx_http_modsecurity_load_headers_in(r) != NGX_OK) { + + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + /* processing request headers */ + rc = modsecProcessRequestHeaders(ctx->req); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessRequestHeaders %d", rc); + + if (rc == DECLINED) { + + if (modsecIsRequestBodyAccessEnabled(ctx->req) + && r->method == NGX_HTTP_POST) { + + /* Processing POST request body, should we process PUT? */ + rc = ngx_http_read_client_request_body(r, ngx_http_modsecurity_body_handler); + if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { + return rc; } - ngx_memcpy(buf, ctx->chain->buf, sizeof(ngx_buf_t)); - ctx->chain = ctx->chain->next; + return NGX_DONE; } - - len = (size_t) ngx_min((size_t)ngx_buf_size(buf), rest); - - if (ngx_buf_in_memory(buf)) { - - outpos = (char *) ngx_cpymem(outpos, buf->pos, len); - rest -= len; - buf->pos += len; - } else if (buf->in_file) { - - size = ngx_read_file(buf->file, (u_char*)outpos, len, buf->file_pos); - - if (size < 0) { - return NGX_ERROR; - } - outpos += size; - rest -= size; - buf->file_pos += size; - } else { - return -1; + /* other method */ + rc = modsecProcessRequestBody(ctx->req); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessRequestBody %d", rc); + } + + if (rc != DECLINED) { + + /* Nginx and Apache share same response code */ + if (rc < NGX_HTTP_SPECIAL_RESPONSE || rc >= 600) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; } + return rc; + } + + /* + if (ngx_http_modsecurity_save_headers_in(r) != NGX_OK) { + + return NGX_HTTP_INTERNAL_SERVER_ERROR; } - - *outlen = length - rest; - return APR_SUCCESS; + */ + + return NGX_DECLINED; } -apr_status_t -modsecurity_write_body_cb(request_rec *rec, char *buf, unsigned int length) + +static void +ngx_http_modsecurity_body_handler(ngx_http_request_t *r) { - ngx_buf_t *b; - ngx_http_modsecurity_ctx_t *ctx; - ngx_http_request_t *r; - ngx_str_t *str; + ngx_http_modsecurity_ctx_t *ctx; + ngx_int_t rc; - ctx = (ngx_http_modsecurity_ctx_t *) apr_table_get(rec->notes, NOTE_NGINX_REQUEST_CTX); - if (ctx == NULL) { - return APR_EINVAL; - } + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: body handler"); - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, ctx->r->connection->log, 0, "modSecurity: write_body_cb"); + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + + if (ngx_http_modsecurity_load_request_body(r) != NGX_OK) { + + return ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); + } - r = ctx->r; + rc = modsecProcessRequestBody(ctx->req); - /* set request body */ - b = r->header_in; + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessRequestBody %d", rc); - if (b->end < b->pos + length) { - b->start = ngx_palloc(ctx->r->pool, length); - if (b->start == NULL) { - return APR_EINVAL; + if (rc != DECLINED) { + /* Nginx and Apache share same response code */ + if (rc < NGX_HTTP_SPECIAL_RESPONSE || rc >= 600) { + rc = NGX_HTTP_INTERNAL_SERVER_ERROR; } - b->end = b->start + length; - b->pos = b->start; + return ngx_http_finalize_request(r, rc); } - - b->last = ngx_cpymem(b->pos, buf, length); - /* set content_length_n */ - r->headers_in.content_length_n = length; + if (ngx_http_modsecurity_save_request_body(r) != NGX_OK + || ngx_http_modsecurity_save_headers_in(r) != NGX_OK ) { - /* set headers_in.content_length */ - str = &r->headers_in.content_length->value; - str->data = ngx_palloc(r->pool, NGX_OFF_T_LEN); - if (str->data == NULL) { - return NGX_ERROR; + return ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); } - - str->len = ngx_snprintf(str->data, NGX_OFF_T_LEN, "%O", length) - str->data; - return APR_SUCCESS; + r->phase_handler++; + ngx_http_core_run_phases(r); + ngx_http_finalize_request(r, NGX_DONE); } -apr_sockaddr_t *CopySockAddr(apr_pool_t *pool, struct sockaddr *pAddr) { - apr_sockaddr_t *addr = (apr_sockaddr_t *)apr_palloc(pool, sizeof(apr_sockaddr_t)); - int adrlen = 16, iplen = 4; - if(pAddr->sa_family == AF_INET6) { - adrlen = 46; - iplen = 16; +static ngx_int_t +ngx_http_modsecurity_header_filter(ngx_http_request_t *r) { + ngx_http_modsecurity_loc_conf_t *cf; + ngx_http_modsecurity_ctx_t *ctx; + ngx_int_t rc; + + cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity); + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + + if (r != r->main || !cf->enable || ctx->complete) { + return ngx_http_next_header_filter(r); } - addr->addr_str_len = adrlen; - addr->family = pAddr->sa_family; + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: header filter"); - addr->hostname = "unknown"; -#ifdef WIN32 - addr->ipaddr_len = sizeof(IN_ADDR); -#else - addr->ipaddr_len = sizeof(struct in_addr); -#endif - addr->ipaddr_ptr = &addr->sa.sin.sin_addr; - addr->pool = pool; - addr->port = 80; -#ifdef WIN32 - memcpy(&addr->sa.sin.sin_addr.S_un.S_addr, pAddr->sa_data, iplen); -#else - memcpy(&addr->sa.sin.sin_addr.s_addr, pAddr->sa_data, iplen); -#endif - addr->sa.sin.sin_family = pAddr->sa_family; - addr->sa.sin.sin_port = 80; - addr->salen = sizeof(addr->sa); - addr->servname = addr->hostname; + if (r->method == NGX_HTTP_HEAD || r->header_only) { + + ctx->complete = 1; + + if (ngx_http_modsecurity_load_headers_in(r) != NGX_OK + || ngx_http_modsecurity_load_headers_out(r) != NGX_OK) { - return addr; + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + rc = modsecProcessResponse(ctx->req); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessResponse %d", rc); + + if (rc == DECLINED || rc == APR_SUCCESS) { + + if (ngx_http_modsecurity_save_headers_in(r) != NGX_OK + || ngx_http_modsecurity_save_headers_out(r) != NGX_OK) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + return ngx_http_next_header_filter(r); + } + + if (rc < NGX_HTTP_SPECIAL_RESPONSE || rc >= 600) { + rc = NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + return rc; + } + + return NGX_OK; } -/* -** [ENTRY POINT] does : this function called by nginx from the request handler -*/ static ngx_int_t -ngx_http_modsecurity_handler(ngx_http_request_t *r) +ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in) { ngx_http_modsecurity_loc_conf_t *cf; - ngx_http_core_loc_conf_t *clcf, *lcf; ngx_http_modsecurity_ctx_t *ctx; ngx_int_t rc; - void **loc_conf; + apr_off_t content_length; - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: handler"); + cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity); + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); - /* Process only main request */ - if (r != r->main || r->internal) { - return NGX_DECLINED; + if (r != r->main || !cf->enable || ctx->complete) { + return ngx_http_next_body_filter(r, in); } - cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity); + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: body filter"); - if (!cf->enable) { - return NGX_DECLINED; + if (in == NULL) { + return NGX_AGAIN; } - ctx = ngx_http_modsecurity_create_ctx(r); - if (ctx == NULL) { - return NGX_ERROR; + rc = move_chain_to_brigade(in, ctx->brigade, r->pool, 0); + if (rc != NGX_OK) { + return rc; } - ngx_http_set_ctx(r, ctx, ngx_http_modsecurity); - - if (r->method == NGX_HTTP_POST) { - /* Processing POST request body, should we process PUT? */ - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: method POST"); - - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - if (clcf == NULL) { - return NGX_HTTP_INTERNAL_SERVER_ERROR; + /* last buf has been saved */ + + ctx->complete = 1; + modsecSetResponseBrigade(ctx->req, ctx->brigade); + + // TODO: do we need reload headers_in ? + // + if (ngx_http_modsecurity_load_headers_in(r) != NGX_OK + || ngx_http_modsecurity_load_headers_out(r) != NGX_OK) { + + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + rc = modsecProcessResponse(ctx->req); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessResponse %d", rc); + + if (rc == DECLINED || rc == APR_SUCCESS) { + + in = NULL; + + apr_brigade_length(ctx->brigade, 0, &content_length); + + rc = move_brigade_to_chain(ctx->brigade, &in, r->pool); + if (rc == NGX_ERROR) { + return NGX_ERROR; } - ctx->loc_conf = r->loc_conf; - /* hijack loc_conf so that we can receive any body length - * TODO: nonblocking process & chuncked body - */ - if (clcf->client_body_buffer_size < (size_t)r->headers_in.content_length_n) { - - loc_conf = ngx_pcalloc(r->pool, sizeof(void *) * ngx_http_max_module); - if (loc_conf == NULL) { - return NGX_HTTP_INTERNAL_SERVER_ERROR; - } + if (ngx_http_modsecurity_save_headers_in(r) != NGX_OK + ||ngx_http_modsecurity_save_headers_out(r) != NGX_OK) { - lcf = ngx_pcalloc(r->pool, sizeof(ngx_http_core_loc_conf_t)); - if (lcf == NULL) { - return NGX_HTTP_INTERNAL_SERVER_ERROR; - } - - ngx_memcpy(loc_conf, r->loc_conf, sizeof(void *) * ngx_http_max_module); - ngx_memcpy(lcf, clcf, sizeof(ngx_http_core_loc_conf_t)); - - ctx->loc_conf = r->loc_conf; - r->loc_conf = loc_conf; - - ngx_http_get_module_loc_conf(r, ngx_http_core_module) = lcf; - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - clcf->client_body_buffer_size = r->headers_in.content_length_n; - } - - ctx->request_body_in_single_buf = r->request_body_in_single_buf; - ctx->request_body_in_file_only = r->request_body_in_file_only; - r->request_body_in_single_buf = 1; - r->request_body_in_file_only = 0; - - rc = ngx_http_read_client_request_body(r, ngx_http_modsecurity_request_body_handler); - if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { - return rc; + return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, NGX_HTTP_INTERNAL_SERVER_ERROR); } - return NGX_DONE; + if (r->headers_out.content_length_n != -1) { - } else { - /* processing all the other methods */ - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: method is not POST"); - - rc = modsecProcessRequest(ctx->req); - - if (rc != DECLINED) { - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: status: %d, need action", rc); - - ngx_http_clear_accept_ranges(r); - ngx_http_clear_last_modified(r); - ngx_http_clear_content_length(r); + r->headers_out.content_length_n = content_length; + r->headers_out.content_length = NULL; /* header filter will set this */ + } - /* Nginx and Apache share same response code */ - if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { - return rc; - } - return NGX_HTTP_INTERNAL_SERVER_ERROR; - } + rc = ngx_http_next_header_filter(r); + + if (rc == NGX_ERROR || rc > NGX_OK) { + return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, rc); + } + + return ngx_http_next_body_filter(r, in); } - return NGX_DECLINED; + if (rc < NGX_HTTP_SPECIAL_RESPONSE || rc >= 600) { + rc = NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, rc); } + static ngx_http_modsecurity_ctx_t * ngx_http_modsecurity_create_ctx(ngx_http_request_t *r) { ngx_http_modsecurity_loc_conf_t *cf; ngx_pool_cleanup_t *cln; ngx_http_modsecurity_ctx_t *ctx; - ngx_list_part_t *part; - ngx_table_elt_t *h; - ngx_uint_t i; + apr_sockaddr_t *asa; + struct sockaddr_in *sin; +#if (NGX_HAVE_INET6) + struct sockaddr_in6 *sin6; +#endif + + ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_modsecurity_ctx_t)); + if (ctx == NULL) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, "modSecurity: ctx memory allocation error"); + return NULL; + } cln = ngx_pool_cleanup_add(r->pool, sizeof(ngx_http_modsecurity_ctx_t)); if (cln == NULL) { ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, "modSecurity: ctx memory allocation error"); return NULL; } cln->handler = ngx_http_modsecurity_cleanup; - ngx_memzero(cln->data, sizeof(ngx_http_modsecurity_ctx_t)); - - ctx = cln->data; + cln->data = ctx; + ctx->r = r; - + if (r->connection->requests == 0 || ctx->connection == NULL) { + + /* TODO: set server_rec, why igonre return value? */ ctx->connection = modsecNewConnection(); + + /* fill apr_sockaddr_t */ + asa = ngx_palloc(r->pool, sizeof(apr_sockaddr_t)); + asa->pool = ctx->connection->pool; + asa->hostname = (char *)ngx_pstrdup0(r->pool, &r->connection->addr_text); + asa->servname = asa->hostname; + asa->next = NULL; + asa->salen = r->connection->socklen; + ngx_memcpy(&asa->sa, r->connection->sockaddr, asa->salen); + + asa->family = ((struct sockaddr *)&asa->sa)->sa_family; + switch ( asa->family) { + +#if (NGX_HAVE_INET6) + case AF_INET6: + sin6 = (struct sockaddr_in6 *)&asa->sa; + asa->ipaddr_ptr = &sin6->sin6_addr; + asa->ipaddr_len = sizeof(sin6->sin6_addr); + asa->port = ntohs(sin6->sin6_port); + asa->addr_str_len = NGX_INET6_ADDRSTRLEN + 1; + break; +#endif + + default: /* AF_INET */ + sin = (struct sockaddr_in *) &asa->sa; + asa->ipaddr_ptr = &sin->sin_addr; + asa->ipaddr_len = sizeof(sin->sin_addr); + asa->port = ntohs(sin->sin_port); + asa->addr_str_len = NGX_INET_ADDRSTRLEN + 1; + break; + } + + #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 - ctx->connection->remote_addr = CopySockAddr(ctx->connection->pool, r->connection->sockaddr); - ctx->connection->remote_ip = ConvertNgxStringToUTF8(r->connection->addr_text, ctx->connection->pool); + ctx->connection->remote_addr = asa; + ctx->connection->remote_ip = asa->hostname; #else - ctx->connection->client_addr = CopySockAddr(ctx->connection->pool, r->connection->sockaddr); - ctx->connection->client_ip = ConvertNgxStringToUTF8(r->connection->addr_text, ctx->connection->pool); + ctx->connection->client_addr = asa; + ctx->connection->client_ip = asa->hostname; #endif ctx->connection->remote_host = NULL; modsecProcessConnection(ctx->connection); } cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity); - ctx->req = modsecNewRequest(ctx->connection, cf->config); - ctx->req->request_time = apr_time_now(); - ctx->req->method = ConvertNgxStringToUTF8(r->method_name, ctx->req->pool); - ctx->req->path_info = ConvertNgxStringToUTF8(r->unparsed_uri, ctx->req->pool); - ctx->req->unparsed_uri = ConvertNgxStringToUTF8(r->unparsed_uri, ctx->req->pool); - ctx->req->uri = ctx->req->unparsed_uri; - ctx->req->the_request = ConvertNgxStringToUTF8(r->request_line, ctx->req->pool); - ctx->req->args = ConvertNgxStringToUTF8(r->args, ctx->req->pool); - ctx->req->filename = ctx->req->path_info; - - ctx->req->parsed_uri.scheme = "http"; - ctx->req->parsed_uri.path = ctx->req->path_info; - ctx->req->parsed_uri.is_initialized = 1; - ctx->req->parsed_uri.port = 80; - ctx->req->parsed_uri.port_str = "80"; - ctx->req->parsed_uri.query = ctx->req->args; - ctx->req->parsed_uri.dns_looked_up = 0; - ctx->req->parsed_uri.dns_resolved = 0; - ctx->req->parsed_uri.password = NULL; - ctx->req->parsed_uri.user = NULL; - ctx->req->parsed_uri.fragment = ConvertNgxStringToUTF8(r->exten, ctx->req->pool); - part = &r->headers_in.headers.part; - h = part->elts; + ctx->req = modsecNewRequest(ctx->connection, cf->config); - for (i = 0; ; i++) { - if (i >= part->nelts) { - if (part->next == NULL) - break; + apr_table_setn(ctx->req->notes, NOTE_NGINX_REQUEST_CTX, (const char *) ctx); + apr_table_setn(ctx->req->subprocess_env, "UNIQUE_ID", "12345"); - part = part->next; - h = part->elts; - i = 0; - } + ctx->brigade = apr_brigade_create(ctx->req->pool, ctx->req->connection->bucket_alloc); - apr_table_setn(ctx->req->headers_in, ConvertNgxStringToUTF8(h[i].key, ctx->req->pool), - ConvertNgxStringToUTF8(h[i].value, ctx->req->pool)); + if (ctx->brigade == NULL) { + return NULL; } - /* XXX: if mod_uniqid enabled - use it's value */ - apr_table_setn(ctx->req->subprocess_env, "UNIQUE_ID", "12345"); - /* actually, we need ctx only for POST request body handling - don't like this part */ - apr_table_setn(ctx->req->notes, NOTE_NGINX_REQUEST_CTX, (const char *) ctx); return ctx; } @@ -593,58 +1293,12 @@ ngx_http_modsecurity_cleanup(void *data) { ngx_http_modsecurity_ctx_t *ctx = data; - + if (ctx->req != NULL) { (void) modsecFinishRequest(ctx->req); } } - -static void -ngx_http_modsecurity_request_body_handler(ngx_http_request_t *r) -{ - ngx_http_modsecurity_ctx_t *ctx; - ngx_int_t rc; - - ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); - - if (ctx == NULL - || r->request_body->bufs == NULL - || r->request_body->bufs->next != NULL) { - ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - r->request_body_in_single_buf = ctx->request_body_in_single_buf; - r->request_body_in_file_only = ctx->request_body_in_file_only; - r->header_in = r->request_body->bufs->buf; - ctx->chain = r->request_body->bufs; - r->request_body = NULL; - r->loc_conf = ctx->loc_conf; - - rc = modsecProcessRequest(ctx->req); - - if (rc != DECLINED) { - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: status: %d, need action", rc); - - ngx_http_clear_accept_ranges(r); - ngx_http_clear_last_modified(r); - ngx_http_clear_content_length(r); - - /* Nginx and Apache share same response code */ - if (rc < NGX_HTTP_SPECIAL_RESPONSE) { - rc = NGX_HTTP_INTERNAL_SERVER_ERROR; - } - - ngx_http_finalize_request(r, rc); - } - - r->phase_handler++; - ngx_http_core_run_phases(r); - ngx_http_finalize_request(r, NGX_DONE); -} - - static char * ngx_http_modsecurity_config(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { @@ -652,7 +1306,7 @@ ngx_str_t *value; const char *msg; - if (mscf->config != NULL) { + if (mscf->config != NGX_CONF_UNSET_PTR) { return "is duplicate"; } @@ -664,15 +1318,39 @@ mscf->config = modsecGetDefaultConfig(); - msg = modsecProcessConfig(mscf->config, (const char *)value[1].data, ""); + if (mscf->config == NULL) { + return NGX_CONF_ERROR; + } + + msg = modsecProcessConfig(mscf->config, (const char *)value[1].data, NULL); if (msg != NULL) { - ngx_conf_log_error(NGX_LOG_INFO, cf, 0, "modSecurity: modsecProcessConfig() %s", msg); + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "ModSecurityConfig in %s:%ui: %s", + cf->conf_file->file.name.data, cf->conf_file->line, msg); return NGX_CONF_ERROR; } return NGX_CONF_OK; } + +static char * +ngx_http_modsecurity_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) +{ + ngx_http_modsecurity_loc_conf_t *mscf = conf; + char *rc; + + rc = ngx_conf_set_flag_slot(cf, cmd, conf); + if (rc != NGX_CONF_OK) { + return rc; + } + if (mscf->enable) { + mscf->file = &cf->conf_file->file.name; + mscf->line = cf->conf_file->line; + } + return NGX_CONF_OK; +} + + static int ngx_http_modsecurity_drop_action(request_rec *r) { @@ -685,3 +1363,4 @@ ctx->r->connection->error = 1; return 0; } +

@@ -0,0 +1,212 @@ + + +#include <ngx_core.h> + +#define NGX_POOL_CTX_SIZE 1024 + +typedef struct ngx_pool_context_node_s ngx_pool_context_node_t; +struct ngx_pool_context_node_s +{ + ngx_pool_context_node_t *next; + ngx_pool_context_node_t **prev; + ngx_pool_t *pool; + ngx_uint_t index; + void *data; +}; + +static void +ngx_pool_context_cleanup(void *data); + +typedef struct { + ngx_uint_t size; +} ngx_pool_context_conf_t; + +static void * ngx_pool_context_create_conf(ngx_cycle_t *cycle); +static char * ngx_pool_context_init_conf(ngx_cycle_t *cycle, void *conf); + +static ngx_core_module_t ngx_pool_context_module_ctx = { + ngx_string("pool_context"), + ngx_pool_context_create_conf, + ngx_pool_context_init_conf, +}; + +static ngx_command_t ngx_pool_context_commands[] = { + + { ngx_string("pool_context_hash_size"), + NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1, + ngx_conf_set_num_slot, + 0, + offsetof(ngx_pool_context_conf_t, size), + NULL + }, + ngx_null_command +}; + + +ngx_module_t ngx_pool_context_module = { + NGX_MODULE_V1, + &ngx_pool_context_module_ctx, /* module context */ + ngx_pool_context_commands, /* module directives */ + NGX_CORE_MODULE, /* module type */ + NULL, /* init master */ + NULL, /* init module */ + NULL, /* init process */ + NULL, /* init thread */ + NULL, /* exit thread */ + NULL, /* exit process */ + NULL, /* exit master */ + NGX_MODULE_V1_PADDING +}; + + +#define ngx_pool_context_hash_key(r, ctx_index) ((ngx_uint_t) r + ctx_index) + +#define ngx_pool_context_unlink(node) \ + \ + *(node->prev) = node->next; \ + \ + if (node->next) { \ + node->next->prev = node->prev; \ + } \ + \ + node->prev = NULL; \ + + +#define ngx_pool_context_link(queue, node) \ + \ + if (node->prev != NULL) { \ + ngx_pool_context_unlink(node); \ + } \ + node->next = (ngx_pool_context_node_t *) *queue; \ + node->prev = (ngx_pool_context_node_t **) queue; \ + *queue = node; \ + \ + if (node->next) { \ + node->next->prev = &node->next; \ + } + + +static ngx_pool_context_node_t **ngx_pool_context_hash; +static ngx_uint_t ngx_pool_context_hash_size; + +/* Nginx has removed multi-thread support, so we do not need mutex */ + +void * +ngx_pool_get_ctx(ngx_pool_t *pool, ngx_uint_t index) +{ + ngx_uint_t hash; + uint32_t key; + ngx_pool_context_node_t *node; + + hash = (ngx_uint_t) pool + index; + key = ngx_murmur_hash2((u_char *)&hash, sizeof(hash)) % ngx_pool_context_hash_size; + + node = ngx_pool_context_hash[key]; + + while (node) { + + if (node->pool == pool && node->index == index) { + + return node->data; + } + node = node->next; + } + + return NULL; + +} + + +ngx_int_t +ngx_pool_set_ctx(ngx_pool_t *pool, ngx_uint_t index, void *data) +{ + ngx_uint_t hash; + uint32_t key; + ngx_pool_context_node_t *node; + ngx_pool_cleanup_t *cln; + + hash = (ngx_uint_t) pool + index; + key = ngx_murmur_hash2((u_char *)&hash, sizeof(hash)) % ngx_pool_context_hash_size; + + node = ngx_pool_context_hash[key]; + + while (node) { + + if (node->pool == pool + && node->index == index) { + + + node->data = data; + return NGX_OK; + } + node = node->next; + } + + cln = ngx_pool_cleanup_add(pool, sizeof(ngx_pool_context_node_t)); + + if (cln == NULL) { + + return NGX_ERROR; + } + + cln->handler = ngx_pool_context_cleanup; + node = cln->data; + + node->prev = NULL; + node->next = NULL; + node->pool = pool; + node->index = index; + node->data = data; + + ngx_pool_context_link(&ngx_pool_context_hash[key], node); + + return NGX_OK; +} + + +static void +ngx_pool_context_cleanup(void *data) +{ + ngx_pool_context_node_t *node = data; + + ngx_pool_context_unlink(node); + +} + + +static void * +ngx_pool_context_create_conf(ngx_cycle_t *cycle) +{ + ngx_pool_context_conf_t *pcf; + + /* create config */ + pcf = ngx_pcalloc(cycle->pool, sizeof(ngx_pool_context_conf_t)); + if (pcf == NULL) { + return NULL; + } + + pcf->size = NGX_CONF_UNSET_UINT; + + return pcf; +} + + +static char * +ngx_pool_context_init_conf(ngx_cycle_t *cycle, void *conf) +{ + ngx_pool_context_conf_t *pcf = conf; + + ngx_conf_init_uint_value(pcf->size, NGX_POOL_CTX_SIZE); + + ngx_pool_context_hash_size = pcf->size; + + ngx_pool_context_hash = ngx_pcalloc(cycle->pool, sizeof(ngx_pool_context_node_t *) * ngx_pool_context_hash_size); + + if (ngx_pool_context_hash == NULL) { + return NGX_CONF_ERROR; + } + + return NGX_CONF_OK; +} + +

@@ -0,0 +1,12 @@ + + +#ifndef _NGX_POOL_CONTEXT_H_INCLUDE_ +#define _NGX_POOL_CONTEXT_H_INCLUDE_ + +void* ngx_pool_get_ctx(ngx_pool_t * pool, ngx_uint_t index); +ngx_int_t ngx_pool_set_ctx(ngx_pool_t * pool, ngx_uint_t index,void * data); + +#define ngx_http_get_module_pool_ctx(r, module) ngx_pool_get_ctx(r->pool, module.index) +#define ngx_http_set_pool_ctx(r, c, module) ngx_pool_set_ctx(r->pool, module.index, c) + +#endif /* _NGX_POOL_CONTEXT_H_INCLUDE_ */

@@ -73,7 +73,16 @@ endif install-exec-hook: $(pkglib_LTLIBRARIES) - @echo "Removing unused static libraries..."; \ + @echo "Creating Nginx config file..."; \ + rm -f ../nginx/modsecurity/config; \ + echo "ngx_addon_name=ngx_http_modsecurity" >> ../nginx/modsecurity/config; \ + echo "CORE_MODULES=\"\$$CORE_MODULES ngx_pool_context_module\"" >> ../nginx/modsecurity/config; \ + echo "HTTP_AUX_FILTER_MODULES=\"ngx_http_modsecurity \$$HTTP_AUX_FILTER_MODULES\"" >> ../nginx/modsecurity/config; \ + echo "NGX_ADDON_SRCS=\"\$$NGX_ADDON_SRCS \$$ngx_addon_dir/ngx_http_modsecurity.c \$$ngx_addon_dir/apr_bucket_nginx.c \$$ngx_addon_dir/ngx_pool_context.c\"" >> ../nginx/modsecurity/config;\ + echo "NGX_ADDON_DEPS=\"\$$NGX_ADDON_DEPS \$$ngx_addon_dir/apr_bucket_nginx.h \$$ngx_addon_dir/ngx_pool_context.h\"" >> ../nginx/modsecurity/config; \ + echo "CORE_LIBS=\"\$$CORE_LIBS \$$ngx_addon_dir/../../standalone/.libs/standalone.a -lapr-1 -laprutil-1 -lxml2 -lm @LUA_LDADD@\"" >> ../nginx/modsecurity/config; \ + echo "CORE_INCS=\"\$$CORE_INCS /usr/include/apache2 /usr/include/apr-1.0 /usr/include/httpd /usr/include/apr-1 \$$ngx_addon_dir \$$ngx_addon_dir/../../standalone \$$ngx_addon_dir/../../apache2 /usr/include/libxml2 `echo @LUA_CFLAGS@ | cut -d "I" -f3`\"" >> ../nginx/modsecurity/config; \ + echo "Removing unused static libraries..."; \ for m in $(pkglib_LTLIBRARIES); do \ base=`echo $$m | sed 's/\..*//'`; \ rm -f $(DESTDIR)$(pkglibdir)/$$base.*a; \

@@ -920,7 +920,16 @@ install-exec-hook: $(pkglib_LTLIBRARIES) - @echo "Removing unused static libraries..."; \ + @echo "Creating Nginx config file..."; \ + rm -f ../nginx/modsecurity/config; \ + echo "ngx_addon_name=ngx_http_modsecurity" >> ../nginx/modsecurity/config; \ + echo "CORE_MODULES=\"\$$CORE_MODULES ngx_pool_context_module\"" >> ../nginx/modsecurity/config; \ + echo "HTTP_AUX_FILTER_MODULES=\"ngx_http_modsecurity \$$HTTP_AUX_FILTER_MODULES\"" >> ../nginx/modsecurity/config; \ + echo "NGX_ADDON_SRCS=\"\$$NGX_ADDON_SRCS \$$ngx_addon_dir/ngx_http_modsecurity.c \$$ngx_addon_dir/apr_bucket_nginx.c \$$ngx_addon_dir/ngx_pool_context.c\"" >> ../nginx/modsecurity/config;\ + echo "NGX_ADDON_DEPS=\"\$$NGX_ADDON_DEPS \$$ngx_addon_dir/apr_bucket_nginx.h \$$ngx_addon_dir/ngx_pool_context.h\"" >> ../nginx/modsecurity/config; \ + echo "CORE_LIBS=\"\$$CORE_LIBS \$$ngx_addon_dir/../../standalone/.libs/standalone.a -lapr-1 -laprutil-1 -lxml2 -lm @LUA_LDADD@\"" >> ../nginx/modsecurity/config; \ + echo "CORE_INCS=\"\$$CORE_INCS /usr/include/apache2 /usr/include/apr-1.0 /usr/include/httpd /usr/include/apr-1 \$$ngx_addon_dir \$$ngx_addon_dir/../../standalone \$$ngx_addon_dir/../../apache2 /usr/include/libxml2 `echo @LUA_CFLAGS@ | cut -d "I" -f3`\"" >> ../nginx/modsecurity/config; \ + echo "Removing unused static libraries..."; \ for m in $(pkglib_LTLIBRARIES); do \ base=`echo $$m | sed 's/\..*//'`; \ rm -f $(DESTDIR)$(pkglibdir)/$$base.*a; \

@@ -1,578 +1,662 @@ -/* -* ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) -* -* You may not use this file except in compliance with -* the License. You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* If any of the files related to licensing are missing or if you have any -* other questions related to licensing please contact Trustwave Holdings, Inc. -* directly using the email address security@modsecurity.org. -*/ - -#include <limits.h> -#include <stdio.h> - -#include "http_core.h" -#include "http_request.h" - -#include "modsecurity.h" -#include "apache2.h" -#include "http_main.h" -#include "http_connection.h" - -#include "apr_optional.h" -#include "mod_log_config.h" - -#include "msc_logging.h" -#include "msc_util.h" - -#include "ap_mpm.h" -#include "scoreboard.h" - -#include "apr_version.h" - -#include "apr_lib.h" -#include "ap_config.h" -#include "http_config.h" - - -extern void *modsecLogObj; -extern void (*modsecLogHook)(void *obj, int level, char *str); -extern int (*modsecDropAction)(request_rec *r); -apr_status_t (*modsecReadBody)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos); -apr_status_t (*modsecReadResponse)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos); -apr_status_t (*modsecWriteBody)(request_rec *r, char *buf, unsigned int length); -apr_status_t (*modsecWriteResponse)(request_rec *r, char *buf, unsigned int length); - -extern const char *process_command_config(server_rec *s, - void *mconfig, - apr_pool_t *p, - apr_pool_t *ptemp, - const char *filename); - -#define DECLARE_EXTERNAL_HOOK(ns,link,ret,name,args) \ -extern ns##_HOOK_##name##_t *hookfn_##name; - -#define DECLARE_HOOK(ret,name,args) \ - DECLARE_EXTERNAL_HOOK(ap,AP,ret,name,args) - -DECLARE_HOOK(int,pre_config,(apr_pool_t *pconf,apr_pool_t *plog, apr_pool_t *ptemp)) -DECLARE_HOOK(int,post_config,(apr_pool_t *pconf,apr_pool_t *plog, apr_pool_t *ptemp,server_rec *s)) -DECLARE_HOOK(void,child_init,(apr_pool_t *pchild, server_rec *s)) -DECLARE_HOOK(int,process_connection,(conn_rec *c)) -DECLARE_HOOK(int,post_read_request,(request_rec *r)) -DECLARE_HOOK(int,fixups,(request_rec *r)) -DECLARE_HOOK(void, error_log, (const char *file, int line, int level, - apr_status_t status, const server_rec *s, - const request_rec *r, apr_pool_t *pool, - const char *errstr)) -DECLARE_HOOK(int,log_transaction,(request_rec *r)) -DECLARE_HOOK(void,insert_filter,(request_rec *r)) -DECLARE_HOOK(void,insert_error_filter,(request_rec *r)) - -char *sa_name = "standalone"; -server_rec *server; -apr_pool_t *pool = NULL; - -apr_status_t ap_http_in_filter(ap_filter_t *f, apr_bucket_brigade *b, - ap_input_mode_t mode, apr_read_type_e block, - apr_off_t readbytes); -apr_status_t ap_http_out_filter(ap_filter_t *f, apr_bucket_brigade *b); - -server_rec *modsecInit() { - apr_initialize(); - - apr_pool_create(&pool, NULL); - - apr_hook_global_pool = pool; - - server = apr_palloc(pool, sizeof(server_rec)); - - server->addrs = apr_palloc(pool, sizeof(server_addr_rec)); - server->addrs->host_addr = apr_palloc(pool, sizeof(apr_sockaddr_t)); - server->addrs->host_addr->addr_str_len = 16; - server->addrs->host_addr->family = AF_INET; - server->addrs->host_addr->hostname = sa_name; -#ifdef WIN32 - server->addrs->host_addr->ipaddr_len = sizeof(IN_ADDR); -#else - server->addrs->host_addr->ipaddr_len = sizeof(struct in_addr); -#endif - server->addrs->host_addr->ipaddr_ptr = &server->addrs->host_addr->sa.sin.sin_addr; - server->addrs->host_addr->pool = pool; - server->addrs->host_addr->port = 80; -#ifdef WIN32 - server->addrs->host_addr->sa.sin.sin_addr.S_un.S_addr = 0x0100007f; -#else - server->addrs->host_addr->sa.sin.sin_addr.s_addr = 0x0100007f; -#endif - server->addrs->host_addr->sa.sin.sin_family = AF_INET; - server->addrs->host_addr->sa.sin.sin_port = 80; - server->addrs->host_addr->salen = sizeof(server->addrs->host_addr->sa); - server->addrs->host_addr->servname = sa_name; - server->addrs->host_port = 80; - server->error_fname = "error.log"; - server->error_log = NULL; - server->limit_req_fields = 1024; - server->limit_req_fieldsize = 1024; - server->limit_req_line = 1024; -#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 - server->loglevel = APLOG_DEBUG; -#endif - server->lookup_defaults = NULL; - server->module_config = NULL; - server->names = NULL; -#ifdef WIN32 - server->path = "c:\\inetpub\\wwwroot"; -#else - server->path = "/var/www"; -#endif - server->pathlen = strlen(server->path); - server->port = 80; - server->process = apr_palloc(pool, sizeof(process_rec)); - server->process->argc = 1; - server->process->argv = &sa_name; - server->process->pconf = pool; - server->process->pool = pool; - server->process->short_name = sa_name; - server->server_admin = sa_name; - server->server_hostname = sa_name; - server->server_scheme = ""; - server->timeout = 60 * 1000000;// 60 seconds - server->wild_names = NULL; - server->is_virtual = 0; - - ap_server_config_defines = apr_array_make(pool, 1, sizeof(char *)); - - // here we should add scoreboard handling for multiple processes and threads - // - ap_scoreboard_image = (scoreboard *)apr_palloc(pool, sizeof(scoreboard)); - - memset(ap_scoreboard_image, 0, sizeof(scoreboard)); - - // ---------- - - security2_module.module_index = 0; - - security2_module.register_hooks(pool); - - ap_register_input_filter("HTTP_IN", ap_http_in_filter, NULL, AP_FTYPE_RESOURCE); - ap_register_output_filter("HTTP_OUT", ap_http_out_filter, NULL, AP_FTYPE_CONTENT_SET); - - return server; -} - -apr_status_t ap_http_in_filter(ap_filter_t *f, apr_bucket_brigade *b, - ap_input_mode_t mode, apr_read_type_e block, - apr_off_t readbytes) { - char *tmp = NULL; - apr_bucket *e = NULL; - unsigned int readcnt = 0; - int is_eos = 0; - - if(modsecReadBody == NULL) - return AP_NOBODY_READ; - - tmp = (char *)apr_palloc(f->r->pool, readbytes); - modsecReadBody(f->r, tmp, readbytes, &readcnt, &is_eos); - - e = apr_bucket_pool_create(tmp, readcnt, f->r->pool, f->c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(b, e); - - if(is_eos) { - e = apr_bucket_eos_create(f->c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(b, e); - } - - return APR_SUCCESS; -} - -apr_status_t ap_http_out_filter(ap_filter_t *f, apr_bucket_brigade *b) { - modsec_rec *msr = (modsec_rec *)f->ctx; - apr_status_t rc; - - // is there a way to tell whether the response body was modified or not? - // - if((msr->txcfg->content_injection_enabled || msr->content_prepend_len != 0 || msr->content_append_len != 0) - && modsecWriteResponse != NULL && msr->txcfg->resbody_access) { - char *data = NULL; - apr_size_t length; - - rc = apr_brigade_pflatten(msr->of_brigade, &data, &length, msr->mp); - - if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Output filter: Failed to flatten brigade (%d): %s", rc, - get_apr_error(msr->mp, rc)); - return -1; - } - - modsecWriteResponse(msr->r, data, msr->stream_output_length); - } - - return APR_SUCCESS; -} - -void modsecTerminate() { - apr_pool_destroy(pool); - pool = NULL; - apr_terminate(); -} - -void modsecStartConfig() { - apr_pool_t *ptemp = NULL; - - apr_pool_create(&ptemp, pool); - - hookfn_pre_config(pool, pool, ptemp); - - apr_pool_destroy(ptemp); -} - -directory_config *modsecGetDefaultConfig() { - return (directory_config *)security2_module.create_dir_config(pool, NULL); -} - -const char *modsecProcessConfig(directory_config *config, const char *file, const char *dir) { - apr_pool_t *ptemp = NULL; - const char *err; - apr_status_t status; - const char *rootpath, *incpath; - - if(dir == NULL || strlen(dir) == 0) -#ifdef WIN32 - dir = "\\"; -#else - dir = "/"; -#endif - - incpath = file; - - /* locate the start of the directories proper */ - status = apr_filepath_root(&rootpath, &incpath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, pool); - - /* we allow APR_SUCCESS and APR_EINCOMPLETE */ - if (APR_ERELATIVE == status) { - int li = strlen(dir) - 1; - - if(dir[li] != '/' && dir[li] != '\\') -#ifdef WIN32 - file = apr_pstrcat(pool, dir, "\\", file, NULL); -#else - file = apr_pstrcat(pool, dir, "/", file, NULL); -#endif - else - file = apr_pstrcat(pool, dir, file, NULL); - } - else if (APR_EBADPATH == status) { - return apr_pstrcat(pool, "Config file has a bad path, ", file, NULL); - } - - apr_pool_create(&ptemp, pool); - - err = process_command_config(server, config, pool, ptemp, file); - - apr_pool_destroy(ptemp); - - return err; -} - -void modsecFinalizeConfig() { - apr_pool_t *ptemp = NULL; - - apr_pool_create(&ptemp, pool); - - hookfn_post_config(pool, pool, ptemp, server); - hookfn_post_config(pool, pool, ptemp, server); - - apr_pool_destroy(ptemp); -} - -void modsecInitProcess() { - hookfn_child_init(pool, server); -} - -conn_rec *modsecNewConnection() { - conn_rec *c; - apr_pool_t *pc = NULL; - - apr_pool_create(&pc, pool); - - c = apr_pcalloc(pc, sizeof(conn_rec)); - - c->base_server = server; - c->id = 1; - c->local_addr = server->addrs->host_addr; - c->local_host = sa_name; - c->local_ip = "127.0.0.1"; - c->pool = pc; - c->remote_host = sa_name; -#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 - c->remote_ip = "127.0.0.1"; - c->remote_addr = server->addrs->host_addr; -#else - c->client_ip = "127.0.0.1"; - c->client_addr = server->addrs->host_addr; -#endif - c->input_filters = NULL; - c->output_filters = NULL; - c->bucket_alloc = apr_bucket_alloc_create(pc); - - return c; -} - -void modsecProcessConnection(conn_rec *c) { - hookfn_process_connection(c); -} - -request_rec *modsecNewRequest(conn_rec *connection, directory_config *config) { - request_rec *r; - apr_pool_t *pr = NULL; - - apr_pool_create(&pr, connection->pool); - - r = apr_pcalloc(pr, sizeof(request_rec)); - - r->connection = connection; - r->server = server; - r->pool = pr; - r->main = NULL; - r->next = NULL; - r->notes = apr_table_make(pr, 10); - r->per_dir_config = apr_palloc(pr, sizeof(void *)); - ((void **)r->per_dir_config)[0] = config; - r->prev = NULL; - r->subprocess_env = apr_table_make(pr, 10); - apr_table_setn(r->subprocess_env, "UNIQUE_ID", "unique_id"); - r->user = NULL; - - r->headers_in = apr_table_make(pr, 10); - r->headers_out = apr_table_make(pr, 10); - r->err_headers_out = apr_table_make(pr, 10); - //apr_table_setn(r->headers_in, "Host", "www.google.com"); - //apr_table_setn(r->headers_in, "", ""); - - r->the_request = "GET /../../index.html HTTP/1.1"; - r->method = "GET"; - r->method_number = M_GET; - r->protocol = "HTTP/1.1"; - r->uri = "http://www.google.com/../../index.html"; - r->args = ""; - r->filename = "/../../index.html"; - r->handler = "IIS"; - - r->parsed_uri.scheme = "http"; - r->parsed_uri.path = "/../../index.html"; - r->parsed_uri.hostname = "www.google.com"; - r->parsed_uri.is_initialized = 1; - r->parsed_uri.port = 1234; - r->parsed_uri.port_str = "1234"; - r->parsed_uri.query = ""; - r->parsed_uri.dns_looked_up = 0; - r->parsed_uri.dns_resolved = 0; - r->parsed_uri.password = NULL; - r->parsed_uri.user = NULL; - r->parsed_uri.fragment = ""; - - r->input_filters = NULL; - r->output_filters = NULL; - - return r; -} - -static modsec_rec *retrieve_msr(request_rec *r) { - modsec_rec *msr = NULL; - request_rec *rx = NULL; - - /* Look in the current request first. */ - msr = (modsec_rec *)apr_table_get(r->notes, NOTE_MSR); - if (msr != NULL) { - msr->r = r; - return msr; - } - - /* If this is a subrequest then look in the main request. */ - if (r->main != NULL) { - msr = (modsec_rec *)apr_table_get(r->main->notes, NOTE_MSR); - if (msr != NULL) { - msr->r = r; - return msr; - } - } - - /* If the request was redirected then look in the previous requests. */ - rx = r->prev; - while(rx != NULL) { - msr = (modsec_rec *)apr_table_get(rx->notes, NOTE_MSR); - if (msr != NULL) { - msr->r = r; - return msr; - } - rx = rx->prev; - } - - return NULL; -} - -int modsecProcessRequest(request_rec *r) { - int status = DECLINED; - modsec_rec *msr = NULL; - - ap_filter_t *f = ap_add_input_filter("HTTP_IN", NULL, r, r->connection); - - status = hookfn_post_read_request(r); - status = hookfn_fixups(r); - - ap_remove_input_filter(f); - - hookfn_insert_filter(r); - - /* Find the transaction context first. */ - msr = retrieve_msr(r); - - if (msr == NULL) - return status; - - if(msr->stream_input_data != NULL && modsecWriteBody != NULL) - { - // target is responsible for copying the data into correctly managed buffer - // - modsecWriteBody(r, msr->stream_input_data, msr->stream_input_length); - - free(msr->stream_input_data); - - msr->stream_input_data = NULL; - } - - // leftover code possibly for future use - // - //if(r->input_filters != NULL && r->input_filters->frec->filter_init_func != NULL) - //r->input_filters->frec->filter_init_func(r->input_filters); - //if(r->input_filters != NULL && r->input_filters->frec->filter_func.in_func != NULL) - //r->input_filters->frec->filter_func.in_func(r->input_filters, NULL, 0, 0, 0); - - return status; -} - -void modsecSetConfigForIISRequestBody(request_rec *r) -{ - modsec_rec *msr = retrieve_msr(r); - - if(msr == NULL || msr->txcfg == NULL) - return; - - if(msr->txcfg->reqbody_access) - msr->txcfg->stream_inbody_inspection = 1; -} - -int modsecIsResponseBodyAccessEnabled(request_rec *r) -{ - modsec_rec *msr = retrieve_msr(r); - - if(msr == NULL || msr->txcfg == NULL) - return 0; - - return msr->txcfg->resbody_access; -} - -int modsecProcessResponse(request_rec *r) { - int status = DECLINED; - - if(r->output_filters != NULL) { - modsec_rec *msr = (modsec_rec *)r->output_filters->ctx; - char buf[8192]; - char *tmp = NULL; - apr_bucket *e = NULL; - unsigned int readcnt = 0; - int is_eos = 0; - ap_filter_t *f = NULL; - apr_bucket_brigade *bb = NULL; - - if (msr == NULL) { - ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r->server, - "ModSecurity: Internal Error: msr is null in output filter."); - ap_remove_output_filter(r->output_filters); - return send_error_bucket(msr, r->output_filters, HTTP_INTERNAL_SERVER_ERROR); - } - - bb = apr_brigade_create(msr->mp, r->connection->bucket_alloc); - - if (bb == NULL) { - msr_log(msr, 1, "Process response: Failed to create brigade."); - return -1; - } - - msr->r = r; - - if(modsecReadResponse == NULL) - return AP_NOBODY_WROTE; - - f = ap_add_output_filter("HTTP_OUT", msr, r, r->connection); - - while(!is_eos) { - modsecReadResponse(r, buf, 8192, &readcnt, &is_eos); - - if(readcnt > 0) { - tmp = (char *)apr_palloc(r->pool, readcnt); - memcpy(tmp, buf, readcnt); - - e = apr_bucket_pool_create(tmp, readcnt, r->pool, r->connection->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(bb, e); - } - - if(is_eos) { - e = apr_bucket_eos_create(r->connection->bucket_alloc); - - APR_BRIGADE_INSERT_TAIL(bb, e); - } - } - - status = ap_pass_brigade(r->output_filters, bb); - - ap_remove_output_filter(f); - } - - return status; -} - -int modsecFinishRequest(request_rec *r) { - // run output filter - //if(r->output_filters != NULL && r->output_filters->frec->filter_init_func != NULL) - //r->output_filters->frec->filter_init_func(r->output_filters); - - hookfn_log_transaction(r); - - // make sure you cleanup before calling apr_terminate() - // otherwise double-free might occur, because of the request body pool cleanup function - // - apr_pool_destroy(r->connection->pool); - - return DECLINED; -} - -void modsecSetLogHook(void *obj, void (*hook)(void *obj, int level, char *str)) { - modsecLogObj = obj; - modsecLogHook = hook; -} - -void modsecSetReadBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos)) { - modsecReadBody = func; -} - -void modsecSetReadResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos)) { - modsecReadResponse = func; -} - -void modsecSetWriteBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length)) { - modsecWriteBody = func; -} - -void modsecSetWriteResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length)) { - modsecWriteResponse = func; -} - -void modsecSetDropAction(int (*func)(request_rec *r)) { - modsecDropAction = func; -} +/* +* ModSecurity for Apache 2.x, http://www.modsecurity.org/ +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* +* You may not use this file except in compliance with +* the License. You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* If any of the files related to licensing are missing or if you have any +* other questions related to licensing please contact Trustwave Holdings, Inc. +* directly using the email address security@modsecurity.org. +*/ + +#include <limits.h> +#include <stdio.h> + +#include "http_core.h" +#include "http_request.h" + +#include "modsecurity.h" +#include "apache2.h" +#include "http_main.h" +#include "http_connection.h" + +#include "apr_optional.h" +#include "mod_log_config.h" + +#include "msc_logging.h" +#include "msc_util.h" + +#include "ap_mpm.h" +#include "scoreboard.h" + +#include "apr_version.h" + +#include "apr_lib.h" +#include "ap_config.h" +#include "http_config.h" + +#include "api.h" + +extern void *modsecLogObj; +extern void (*modsecLogHook)(void *obj, int level, char *str); +extern int (*modsecDropAction)(request_rec *r); +apr_status_t (*modsecReadBody)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos); +apr_status_t (*modsecReadResponse)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos); +apr_status_t (*modsecWriteBody)(request_rec *r, char *buf, unsigned int length); +apr_status_t (*modsecWriteResponse)(request_rec *r, char *buf, unsigned int length); + +extern const char *process_command_config(server_rec *s, + void *mconfig, + apr_pool_t *p, + apr_pool_t *ptemp, + const char *filename); + +#define DECLARE_EXTERNAL_HOOK(ns,link,ret,name,args) \ +extern ns##_HOOK_##name##_t *hookfn_##name; + +#define DECLARE_HOOK(ret,name,args) \ + DECLARE_EXTERNAL_HOOK(ap,AP,ret,name,args) + +DECLARE_HOOK(int,pre_config,(apr_pool_t *pconf,apr_pool_t *plog, apr_pool_t *ptemp)) +DECLARE_HOOK(int,post_config,(apr_pool_t *pconf,apr_pool_t *plog, apr_pool_t *ptemp,server_rec *s)) +DECLARE_HOOK(void,child_init,(apr_pool_t *pchild, server_rec *s)) +DECLARE_HOOK(int,process_connection,(conn_rec *c)) +DECLARE_HOOK(int,post_read_request,(request_rec *r)) +DECLARE_HOOK(int,fixups,(request_rec *r)) +DECLARE_HOOK(void, error_log, (const char *file, int line, int level, + apr_status_t status, const server_rec *s, + const request_rec *r, apr_pool_t *pool, + const char *errstr)) +DECLARE_HOOK(int,log_transaction,(request_rec *r)) +DECLARE_HOOK(void,insert_filter,(request_rec *r)) +DECLARE_HOOK(void,insert_error_filter,(request_rec *r)) + +char *sa_name = "standalone"; +server_rec *server; +apr_pool_t *pool = NULL; + +apr_status_t ap_http_in_filter(ap_filter_t *f, apr_bucket_brigade *b, + ap_input_mode_t mode, apr_read_type_e block, + apr_off_t readbytes); +apr_status_t ap_http_out_filter(ap_filter_t *f, apr_bucket_brigade *b); + +server_rec *modsecInit() { + apr_initialize(); + + apr_pool_create(&pool, NULL); + + apr_hook_global_pool = pool; + + server = apr_palloc(pool, sizeof(server_rec)); + + server->addrs = apr_palloc(pool, sizeof(server_addr_rec)); + server->addrs->host_addr = apr_palloc(pool, sizeof(apr_sockaddr_t)); + server->addrs->host_addr->addr_str_len = 16; + server->addrs->host_addr->family = AF_INET; + server->addrs->host_addr->hostname = sa_name; +#ifdef WIN32 + server->addrs->host_addr->ipaddr_len = sizeof(IN_ADDR); +#else + server->addrs->host_addr->ipaddr_len = sizeof(struct in_addr); +#endif + server->addrs->host_addr->ipaddr_ptr = &server->addrs->host_addr->sa.sin.sin_addr; + server->addrs->host_addr->pool = pool; + server->addrs->host_addr->port = 80; +#ifdef WIN32 + server->addrs->host_addr->sa.sin.sin_addr.S_un.S_addr = 0x0100007f; +#else + server->addrs->host_addr->sa.sin.sin_addr.s_addr = 0x0100007f; +#endif + server->addrs->host_addr->sa.sin.sin_family = AF_INET; + server->addrs->host_addr->sa.sin.sin_port = 80; + server->addrs->host_addr->salen = sizeof(server->addrs->host_addr->sa); + server->addrs->host_addr->servname = sa_name; + server->addrs->host_port = 80; + server->error_fname = "error.log"; + server->error_log = NULL; + server->limit_req_fields = 1024; + server->limit_req_fieldsize = 1024; + server->limit_req_line = 1024; +#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 + server->loglevel = APLOG_DEBUG; +#endif + server->lookup_defaults = NULL; + server->module_config = NULL; + server->names = NULL; +#ifdef WIN32 + server->path = "c:\\inetpub\\wwwroot"; +#else + server->path = "/var/www"; +#endif + server->pathlen = strlen(server->path); + server->port = 80; + server->process = apr_palloc(pool, sizeof(process_rec)); + server->process->argc = 1; + server->process->argv = &sa_name; + server->process->pconf = pool; + server->process->pool = pool; + server->process->short_name = sa_name; + server->server_admin = sa_name; + server->server_hostname = sa_name; + server->server_scheme = ""; + server->timeout = 60 * 1000000;// 60 seconds + server->wild_names = NULL; + server->is_virtual = 0; + + ap_server_config_defines = apr_array_make(pool, 1, sizeof(char *)); + + // here we should add scoreboard handling for multiple processes and threads + // + ap_scoreboard_image = (scoreboard *)apr_palloc(pool, sizeof(scoreboard)); + + memset(ap_scoreboard_image, 0, sizeof(scoreboard)); + + // ---------- + + security2_module.module_index = 0; + + security2_module.register_hooks(pool); + + ap_register_input_filter("HTTP_IN", ap_http_in_filter, NULL, AP_FTYPE_RESOURCE); + ap_register_output_filter("HTTP_OUT", ap_http_out_filter, NULL, AP_FTYPE_CONTENT_SET); + + return server; +} + +apr_status_t ap_http_in_filter(ap_filter_t *f, apr_bucket_brigade *bb_out, + ap_input_mode_t mode, apr_read_type_e block, + apr_off_t readbytes) { + char *tmp = NULL; + apr_bucket *e = NULL; + unsigned int readcnt = 0; + int is_eos = 0; + apr_bucket_brigade *bb_in; + apr_bucket *after; + apr_status_t rv; + + bb_in = modsecGetBodyBrigade(f->r); + + /* use request brigade */ + if (bb_in != NULL) { + if (!APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(bb_in))) { + e = apr_bucket_eos_create(f->c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb_in, e); + } + + rv = apr_brigade_partition(bb_in, readbytes, &after); + if (rv != APR_SUCCESS && rv != APR_INCOMPLETE) { + return rv; + } + + for (e = APR_BRIGADE_FIRST(bb_in); e != after; e = APR_BRIGADE_FIRST(bb_in)) { + APR_BUCKET_REMOVE(e); + APR_BRIGADE_INSERT_TAIL(bb_out, e); + } + + return APR_SUCCESS; + } + + /* call the callback */ + if(modsecReadBody != NULL) { + + tmp = (char *)apr_palloc(f->r->pool, readbytes); + modsecReadBody(f->r, tmp, readbytes, &readcnt, &is_eos); + + e = apr_bucket_pool_create(tmp, readcnt, f->r->pool, f->c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb_out, e); + + if(is_eos) { + e = apr_bucket_eos_create(f->c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb_out, e); + } + return APR_SUCCESS; + } + + /* cannot read request body */ + e = apr_bucket_eos_create(f->c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb_out, e); + + return APR_SUCCESS; +} + +apr_status_t ap_http_out_filter(ap_filter_t *f, apr_bucket_brigade *b) { + modsec_rec *msr = (modsec_rec *)f->ctx; + apr_status_t rc; + apr_bucket_brigade *bb_out; + + bb_out = modsecGetResponseBrigade(f->r); + + + if (bb_out) { + APR_BRIGADE_CONCAT(bb_out, b); + return APR_SUCCESS; + } + + // is there a way to tell whether the response body was modified or not? + // + if((msr->txcfg->content_injection_enabled || msr->content_prepend_len != 0 || msr->content_append_len != 0) + && msr->txcfg->resbody_access) { + + if (modsecWriteResponse != NULL) { + char *data = NULL; + apr_size_t length; + + rc = apr_brigade_pflatten(msr->of_brigade, &data, &length, msr->mp); + + if (rc != APR_SUCCESS) { + msr_log(msr, 1, "Output filter: Failed to flatten brigade (%d): %s", rc, + get_apr_error(msr->mp, rc)); + return -1; + } + + /* TODO: return ?*/ + modsecWriteResponse(msr->r, data, msr->stream_output_length); + } + } + + return APR_SUCCESS; +} + +void modsecTerminate() { + apr_pool_destroy(pool); + pool = NULL; + apr_terminate(); +} + +void modsecStartConfig() { + apr_pool_t *ptemp = NULL; + + apr_pool_create(&ptemp, pool); + + hookfn_pre_config(pool, pool, ptemp); + + apr_pool_destroy(ptemp); +} + +directory_config *modsecGetDefaultConfig() { + return (directory_config *)security2_module.create_dir_config(pool, NULL); +} + +const char *modsecProcessConfig(directory_config *config, const char *file, const char *dir) { + apr_pool_t *ptemp = NULL; + const char *err; + apr_status_t status; + const char *rootpath, *incpath; + + if(dir == NULL || strlen(dir) == 0) +#ifdef WIN32 + dir = "\\"; +#else + dir = "/"; +#endif + + incpath = file; + + /* locate the start of the directories proper */ + status = apr_filepath_root(&rootpath, &incpath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, pool); + + /* we allow APR_SUCCESS and APR_EINCOMPLETE */ + if (APR_ERELATIVE == status) { + int li = strlen(dir) - 1; + + if(dir[li] != '/' && dir[li] != '\\') +#ifdef WIN32 + file = apr_pstrcat(pool, dir, "\\", file, NULL); +#else + file = apr_pstrcat(pool, dir, "/", file, NULL); +#endif + else + file = apr_pstrcat(pool, dir, file, NULL); + } + else if (APR_EBADPATH == status) { + return apr_pstrcat(pool, "Config file has a bad path, ", file, NULL); + } + + apr_pool_create(&ptemp, pool); + + err = process_command_config(server, config, pool, ptemp, file); + + apr_pool_destroy(ptemp); + + return err; +} + +void modsecFinalizeConfig() { + apr_pool_t *ptemp = NULL; + + apr_pool_create(&ptemp, pool); + + hookfn_post_config(pool, pool, ptemp, server); + hookfn_post_config(pool, pool, ptemp, server); + + apr_pool_destroy(ptemp); +} + +void modsecInitProcess() { + hookfn_child_init(pool, server); +} + +conn_rec *modsecNewConnection() { + conn_rec *c; + apr_pool_t *pc = NULL; + + apr_pool_create(&pc, pool); + + c = apr_pcalloc(pc, sizeof(conn_rec)); + + c->base_server = server; + c->id = 1; + c->local_addr = server->addrs->host_addr; + c->local_host = sa_name; + c->local_ip = "127.0.0.1"; + c->pool = pc; + c->remote_host = sa_name; +#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 + c->remote_ip = "127.0.0.1"; + c->remote_addr = server->addrs->host_addr; +#else + c->client_ip = "127.0.0.1"; + c->client_addr = server->addrs->host_addr; +#endif + c->input_filters = NULL; + c->output_filters = NULL; + c->bucket_alloc = apr_bucket_alloc_create(pc); + + return c; +} + +void modsecProcessConnection(conn_rec *c) { + hookfn_process_connection(c); +} + +request_rec *modsecNewRequest(conn_rec *connection, directory_config *config) { + request_rec *r; + apr_pool_t *pr = NULL; + + apr_pool_create(&pr, connection->pool); + + r = apr_pcalloc(pr, sizeof(request_rec)); + + r->connection = connection; + r->server = server; + r->pool = pr; + r->main = NULL; + r->next = NULL; + r->notes = apr_table_make(pr, 10); + r->per_dir_config = apr_palloc(pr, sizeof(void *)); + ((void **)r->per_dir_config)[0] = config; + r->prev = NULL; + r->subprocess_env = apr_table_make(pr, 10); + apr_table_setn(r->subprocess_env, "UNIQUE_ID", "unique_id"); + r->user = NULL; + + r->headers_in = apr_table_make(pr, 10); + r->headers_out = apr_table_make(pr, 10); + r->err_headers_out = apr_table_make(pr, 10); + //apr_table_setn(r->headers_in, "Host", "www.google.com"); + //apr_table_setn(r->headers_in, "", ""); + + r->the_request = "GET /../../index.html HTTP/1.1"; + r->method = "GET"; + r->method_number = M_GET; + r->protocol = "HTTP/1.1"; + r->uri = "http://www.google.com/../../index.html"; + r->args = ""; + r->filename = "/../../index.html"; + r->handler = "IIS"; + + r->parsed_uri.scheme = "http"; + r->parsed_uri.path = "/../../index.html"; + r->parsed_uri.hostname = "www.google.com"; + r->parsed_uri.is_initialized = 1; + r->parsed_uri.port = 1234; + r->parsed_uri.port_str = "1234"; + r->parsed_uri.query = ""; + r->parsed_uri.dns_looked_up = 0; + r->parsed_uri.dns_resolved = 0; + r->parsed_uri.password = NULL; + r->parsed_uri.user = NULL; + r->parsed_uri.fragment = ""; + + r->input_filters = NULL; + r->output_filters = NULL; + + return r; +} + +static modsec_rec *retrieve_msr(request_rec *r) { + modsec_rec *msr = NULL; + request_rec *rx = NULL; + + /* Look in the current request first. */ + msr = (modsec_rec *)apr_table_get(r->notes, NOTE_MSR); + if (msr != NULL) { + msr->r = r; + return msr; + } + + /* If this is a subrequest then look in the main request. */ + if (r->main != NULL) { + msr = (modsec_rec *)apr_table_get(r->main->notes, NOTE_MSR); + if (msr != NULL) { + msr->r = r; + return msr; + } + } + + /* If the request was redirected then look in the previous requests. */ + rx = r->prev; + while(rx != NULL) { + msr = (modsec_rec *)apr_table_get(rx->notes, NOTE_MSR); + if (msr != NULL) { + msr->r = r; + return msr; + } + rx = rx->prev; + } + + return NULL; +} + +int modsecProcessRequestHeaders(request_rec *r) { + return hookfn_post_read_request(r); +} + +int modsecProcessRequestBody(request_rec *r) { + int status = DECLINED; + modsec_rec *msr = NULL; + + ap_filter_t *f = ap_add_input_filter("HTTP_IN", NULL, r, r->connection); + apr_bucket_brigade* bb_out; + + status = hookfn_fixups(r); + + ap_remove_input_filter(f); + + if (status != DECLINED) { + return status; + } + + hookfn_insert_filter(r); + + /* Find the transaction context first. */ + msr = retrieve_msr(r); + + if (msr == NULL) + return status; + + bb_out = modsecGetBodyBrigade(r); + if (bb_out) { + (void) apr_brigade_cleanup(bb_out); + status = ap_get_brigade(r->input_filters, bb_out, AP_MODE_READBYTES, APR_BLOCK_READ, -1); + if (status == APR_SUCCESS) { + return DECLINED; + } + return status; + } + + if(msr->stream_input_data != NULL && modsecWriteBody != NULL) + { + // target is responsible for copying the data into correctly managed buffer + // + modsecWriteBody(r, msr->stream_input_data, msr->stream_input_length); + + free(msr->stream_input_data); + + msr->stream_input_data = NULL; + } + + // leftover code possibly for future use + // + //if(r->input_filters != NULL && r->input_filters->frec->filter_init_func != NULL) + //r->input_filters->frec->filter_init_func(r->input_filters); + //if(r->input_filters != NULL && r->input_filters->frec->filter_func.in_func != NULL) + //r->input_filters->frec->filter_func.in_func(r->input_filters, NULL, 0, 0, 0); + + return status; +} + +void modsecSetConfigForIISRequestBody(request_rec *r) +{ + modsec_rec *msr = retrieve_msr(r); + + if(msr == NULL || msr->txcfg == NULL) + return; + + if(msr->txcfg->reqbody_access) + msr->txcfg->stream_inbody_inspection = 1; +} + +int modsecIsRequestBodyAccessEnabled(request_rec *r) +{ + modsec_rec *msr = retrieve_msr(r); + + if(msr == NULL || msr->txcfg == NULL) + return 0; + + return msr->txcfg->reqbody_access; +} + +int modsecIsResponseBodyAccessEnabled(request_rec *r) +{ + modsec_rec *msr = retrieve_msr(r); + + if(msr == NULL || msr->txcfg == NULL) + return 0; + + return msr->txcfg->resbody_access; +} + +int modsecProcessResponse(request_rec *r) { + int status = DECLINED; + + if(r->output_filters != NULL) { + modsec_rec *msr = (modsec_rec *)r->output_filters->ctx; + char buf[8192]; + char *tmp = NULL; + apr_bucket *e = NULL; + unsigned int readcnt = 0; + int is_eos = 0; + ap_filter_t *f = NULL; + apr_bucket_brigade *bb_in, *bb = NULL; + + if (msr == NULL) { + ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r->server, + "ModSecurity: Internal Error: msr is null in output filter."); + ap_remove_output_filter(r->output_filters); + return send_error_bucket(msr, r->output_filters, HTTP_INTERNAL_SERVER_ERROR); + } + + bb = apr_brigade_create(msr->mp, r->connection->bucket_alloc); + + if (bb == NULL) { + msr_log(msr, 1, "Process response: Failed to create brigade."); + return APR_EGENERAL; + } + + msr->r = r; + + bb_in = modsecGetResponseBrigade(r); + + if (bb_in != NULL) { + APR_BRIGADE_CONCAT(bb, bb_in); + if (!APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(bb))) { + e = apr_bucket_eos_create(bb->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, e); + } + } else if (modsecReadResponse != NULL) { + while(!is_eos) { + modsecReadResponse(r, buf, 8192, &readcnt, &is_eos); + + if(readcnt > 0) { + tmp = (char *)apr_palloc(r->pool, readcnt); + memcpy(tmp, buf, readcnt); + e = apr_bucket_pool_create(tmp, readcnt, r->pool, r->connection->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, e); + } + } + + e = apr_bucket_eos_create(r->connection->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, e); + } else { + /* cannot read response body process header only */ + + e = apr_bucket_eos_create(r->connection->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, e); + } + + f = ap_add_output_filter("HTTP_OUT", msr, r, r->connection); + status = ap_pass_brigade(r->output_filters, bb); + ap_remove_output_filter(f); + if(status > 0 + && msr->intercept_actionset->intercept_status != 0) { + status = msr->intercept_actionset->intercept_status; + } + return status; + } + + return status; +} + +int modsecFinishRequest(request_rec *r) { + // run output filter + //if(r->output_filters != NULL && r->output_filters->frec->filter_init_func != NULL) + //r->output_filters->frec->filter_init_func(r->output_filters); + + hookfn_log_transaction(r); + + // make sure you cleanup before calling apr_terminate() + // otherwise double-free might occur, because of the request body pool cleanup function + // + apr_pool_destroy(r->connection->pool); + + return DECLINED; +} + +void modsecSetLogHook(void *obj, void (*hook)(void *obj, int level, char *str)) { + modsecLogObj = obj; + modsecLogHook = hook; +} + +void modsecSetReadBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos)) { + modsecReadBody = func; +} + +void modsecSetReadResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos)) { + modsecReadResponse = func; +} + +void modsecSetWriteBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length)) { + modsecWriteBody = func; +} + +void modsecSetWriteResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length)) { + modsecWriteResponse = func; +} + +void modsecSetDropAction(int (*func)(request_rec *r)) { + modsecDropAction = func; +}

@@ -60,12 +60,49 @@ void modsecProcessConnection(conn_rec *c); request_rec *modsecNewRequest(conn_rec *connection, directory_config *config); -int modsecProcessRequest(request_rec *r); + +int modsecProcessRequestBody(request_rec *r); +int modsecProcessRequestHeaders(request_rec *r); + +static inline int modsecProcessRequest(request_rec *r) { + int status; + status = modsecProcessRequestHeaders(r); + if (status != DECLINED) { + return status; + } + + return modsecProcessRequestBody(r); +} + + int modsecProcessResponse(request_rec *r); int modsecFinishRequest(request_rec *r); void modsecSetLogHook(void *obj, void (*hook)(void *obj, int level, char *str)); +#define NOTE_MSR_BRIGADE_REQUEST "modsecurity-brigade-request" +#define NOTE_MSR_BRIGADE_RESPONSE "modsecurity-brigade-response" + +static inline void +modsecSetBodyBrigade(request_rec *r, apr_bucket_brigade *b) { + apr_table_setn(r->notes, NOTE_MSR_BRIGADE_REQUEST, (char *)b); +}; + +static inline apr_bucket_brigade * +modsecGetBodyBrigade(request_rec *r) { + return (apr_bucket_brigade *)apr_table_get(r->notes, NOTE_MSR_BRIGADE_REQUEST); +}; + +static inline void +modsecSetResponseBrigade(request_rec *r, apr_bucket_brigade *b) { + apr_table_setn(r->notes, NOTE_MSR_BRIGADE_RESPONSE, (char *)b); +}; + +static inline apr_bucket_brigade * +modsecGetResponseBrigade(request_rec *r) { + return (apr_bucket_brigade *)apr_table_get(r->notes, NOTE_MSR_BRIGADE_RESPONSE); +}; + void modsecSetReadBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos)); void modsecSetReadResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos)); void modsecSetWriteBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length)); @@ -73,6 +110,7 @@ void modsecSetDropAction(int (*func)(request_rec *r)); int modsecIsResponseBodyAccessEnabled(request_rec *r); +int modsecIsRequestBodyAccessEnabled(request_rec *r); void modsecSetConfigForIISRequestBody(request_rec *r);

@@ -1,1188 +1,1202 @@ -/* -* ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) -* -* You may not use this file except in compliance with -* the License. You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* If any of the files related to licensing are missing or if you have any -* other questions related to licensing please contact Trustwave Holdings, Inc. -* directly using the email address security@modsecurity.org. -*/ - -#include <limits.h> -#include <stdio.h> - -#include "http_core.h" -#include "http_request.h" - -#include "modsecurity.h" -#include "apache2.h" -#include "http_main.h" -#include "http_connection.h" - -#include "apr_optional.h" -#include "mod_log_config.h" - -#include "msc_logging.h" -#include "msc_util.h" - -#include "ap_mpm.h" -#include "scoreboard.h" - -#include "apr_version.h" - -#include "apr_lib.h" -#include "ap_config.h" -#include "http_config.h" -#include "apr_fnmatch.h" - -AP_DECLARE(int) ap_cfg_closefile(ap_configfile_t *cfp) -{ -#ifdef DEBUG - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, - "Done with config file %s", cfp->name); -#endif - return (cfp->close == NULL) ? 0 : cfp->close(cfp->param); -} - -#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 -static apr_status_t cfg_close(void *param) -{ - apr_file_t *cfp = (apr_file_t *) param; - return (apr_file_close(cfp)); -} - -static int cfg_getch(void *param) -{ - char ch; - apr_file_t *cfp = (apr_file_t *) param; - if (apr_file_getc(&ch, cfp) == APR_SUCCESS) - return ch; - return (int)EOF; -} - -static void *cfg_getstr(void *buf, size_t bufsiz, void *param) -{ - apr_file_t *cfp = (apr_file_t *) param; - apr_status_t rv; - rv = apr_file_gets(buf, bufsiz, cfp); - if (rv == APR_SUCCESS) { - return buf; - } - return NULL; -} -#else -/* we can't use apr_file_* directly because of linking issues on Windows */ -static apr_status_t cfg_close(void *param) -{ - return apr_file_close(param); -} - -static apr_status_t cfg_getch(char *ch, void *param) -{ - return apr_file_getc(ch, param); -} - -static apr_status_t cfg_getstr(void *buf, apr_size_t bufsiz, void *param) -{ - return apr_file_gets(buf, bufsiz, param); -} -#endif - -/* Read one line from open ap_configfile_t, strip LF, increase line number */ -/* If custom handler does not define a getstr() function, read char by char */ - -#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 -AP_DECLARE(int) ap_cfg_getline(char *buf, size_t bufsize, ap_configfile_t *cfp) -{ - /* If a "get string" function is defined, use it */ - if (cfp->getstr != NULL) { - char *src, *dst; - char *cp; - char *cbuf = buf; - size_t cbufsize = bufsize; - - while (1) { - ++cfp->line_number; - if (cfp->getstr(cbuf, cbufsize, cfp->param) == NULL) - return 1; - - /* - * check for line continuation, - * i.e. match [^\\]\\[\r]\n only - */ - cp = cbuf; - while (cp < cbuf+cbufsize && *cp != '\0') - cp++; - if (cp > cbuf && cp[-1] == LF) { - cp--; - if (cp > cbuf && cp[-1] == CR) - cp--; - if (cp > cbuf && cp[-1] == '\\') { - cp--; - if (!(cp > cbuf && cp[-1] == '\\')) { - /* - * line continuation requested - - * then remove backslash and continue - */ - cbufsize -= (cp-cbuf); - cbuf = cp; - continue; - } - else { - /* - * no real continuation because escaped - - * then just remove escape character - */ - for ( ; cp < cbuf+cbufsize && *cp != '\0'; cp++) - cp[0] = cp[1]; - } - } - } - break; - } - - /* - * Leading and trailing white space is eliminated completely - */ - src = buf; - while (apr_isspace(*src)) - ++src; - /* blast trailing whitespace */ - dst = &src[strlen(src)]; - while (--dst >= src && apr_isspace(*dst)) - *dst = '\0'; - /* Zap leading whitespace by shifting */ - if (src != buf) - for (dst = buf; (*dst++ = *src++) != '\0'; ) - ; - -#ifdef DEBUG_CFG_LINES - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "Read config: %s", buf); -#endif - return 0; - } else { - /* No "get string" function defined; read character by character */ - register int c; - register size_t i = 0; - - buf[0] = '\0'; - /* skip leading whitespace */ - do { - c = cfp->getch(cfp->param); - } while (c == '\t' || c == ' '); - - if (c == EOF) - return 1; - - if(bufsize < 2) { - /* too small, assume caller is crazy */ - return 1; - } - - while (1) { - if ((c == '\t') || (c == ' ')) { - buf[i++] = ' '; - while ((c == '\t') || (c == ' ')) - c = cfp->getch(cfp->param); - } - if (c == CR) { - /* silently ignore CR (_assume_ that a LF follows) */ - c = cfp->getch(cfp->param); - } - if (c == LF) { - /* increase line number and return on LF */ - ++cfp->line_number; - } - if (c == EOF || c == 0x4 || c == LF || i >= (bufsize - 2)) { - /* - * check for line continuation - */ - if (i > 0 && buf[i-1] == '\\') { - i--; - if (!(i > 0 && buf[i-1] == '\\')) { - /* line is continued */ - c = cfp->getch(cfp->param); - continue; - } - /* else nothing needs be done because - * then the backslash is escaped and - * we just strip to a single one - */ - } - /* blast trailing whitespace */ - while (i > 0 && apr_isspace(buf[i - 1])) - --i; - buf[i] = '\0'; -#ifdef DEBUG_CFG_LINES - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, - "Read config: %s", buf); -#endif - return 0; - } - buf[i] = c; - ++i; - c = cfp->getch(cfp->param); - } - } -} -#else -static apr_status_t ap_cfg_getline_core(char *buf, apr_size_t bufsize, - ap_configfile_t *cfp) -{ - apr_status_t rc; - /* If a "get string" function is defined, use it */ - if (cfp->getstr != NULL) { - char *cp; - char *cbuf = buf; - apr_size_t cbufsize = bufsize; - - while (1) { - ++cfp->line_number; - rc = cfp->getstr(cbuf, cbufsize, cfp->param); - if (rc == APR_EOF) { - if (cbuf != buf) { - *cbuf = '\0'; - break; - } - else { - return APR_EOF; - } - } - if (rc != APR_SUCCESS) { - return rc; - } - - /* - * check for line continuation, - * i.e. match [^\\]\\[\r]\n only - */ - cp = cbuf; - cp += strlen(cp); - if (cp > cbuf && cp[-1] == LF) { - cp--; - if (cp > cbuf && cp[-1] == CR) - cp--; - if (cp > cbuf && cp[-1] == '\\') { - cp--; - /* - * line continuation requested - - * then remove backslash and continue - */ - cbufsize -= (cp-cbuf); - cbuf = cp; - continue; - } - } - else if (cp - buf >= bufsize - 1) { - return APR_ENOSPC; - } - break; - } - } else { - /* No "get string" function defined; read character by character */ - apr_size_t i = 0; - - if (bufsize < 2) { - /* too small, assume caller is crazy */ - return APR_EINVAL; - } - buf[0] = '\0'; - - while (1) { - char c; - rc = cfp->getch(&c, cfp->param); - if (rc == APR_EOF) { - if (i > 0) - break; - else - return APR_EOF; - } - if (rc != APR_SUCCESS) - return rc; - if (c == LF) { - ++cfp->line_number; - /* check for line continuation */ - if (i > 0 && buf[i-1] == '\\') { - i--; - continue; - } - else { - break; - } - } - else if (i >= bufsize - 2) { - return APR_ENOSPC; - } - buf[i] = c; - ++i; - } - buf[i] = '\0'; - } - return APR_SUCCESS; -} - -static int cfg_trim_line(char *buf) -{ - char *start, *end; - /* - * Leading and trailing white space is eliminated completely - */ - start = buf; - while (apr_isspace(*start)) - ++start; - /* blast trailing whitespace */ - end = &start[strlen(start)]; - while (--end >= start && apr_isspace(*end)) - *end = '\0'; - /* Zap leading whitespace by shifting */ - if (start != buf) - memmove(buf, start, end - start + 2); -#ifdef DEBUG_CFG_LINES - ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, APLOGNO(00555) "Read config: '%s'", buf); -#endif - return end - start + 1; -} - -AP_DECLARE(apr_status_t) ap_cfg_getline(char *buf, apr_size_t bufsize, - ap_configfile_t *cfp) -{ - apr_status_t rc = ap_cfg_getline_core(buf, bufsize, cfp); - if (rc == APR_SUCCESS) - cfg_trim_line(buf); - return rc; -} -#endif - -static char *substring_conf(apr_pool_t *p, const char *start, int len, - char quote) -{ - char *result = apr_palloc(p, len + 2); - char *resp = result; - int i; - - for (i = 0; i < len; ++i) { - if (start[i] == '\\' && (start[i + 1] == '\\' - || (quote && start[i + 1] == quote))) - *resp++ = start[++i]; - else - *resp++ = start[i]; - } - - *resp++ = '\0'; -#if RESOLVE_ENV_PER_TOKEN - return (char *)ap_resolve_env(p,result); -#else - return result; -#endif -} - -AP_DECLARE(char *) ap_getword_conf(apr_pool_t *p, const char **line) -{ - const char *str = *line, *strend; - char *res; - char quote; - - while (*str && apr_isspace(*str)) - ++str; - - if (!*str) { - *line = str; - return ""; - } - - if ((quote = *str) == '"' || quote == '\'') { - strend = str + 1; - while (*strend && *strend != quote) { - if (*strend == '\\' && strend[1] && - (strend[1] == quote || strend[1] == '\\')) { - strend += 2; - } - else { - ++strend; - } - } - res = substring_conf(p, str + 1, strend - str - 1, quote); - - if (*strend == quote) - ++strend; - } - else { - strend = str; - while (*strend && !apr_isspace(*strend)) - ++strend; - - res = substring_conf(p, str, strend - str, 0); - } - - while (*strend && apr_isspace(*strend)) - ++strend; - *line = strend; - return res; -} - -/* Open a ap_configfile_t as FILE, return open ap_configfile_t struct pointer */ -AP_DECLARE(apr_status_t) ap_pcfg_openfile(ap_configfile_t **ret_cfg, - apr_pool_t *p, const char *name) -{ - ap_configfile_t *new_cfg; - apr_file_t *file = NULL; - apr_finfo_t finfo; - apr_status_t status; -#ifdef DEBUG - char buf[120]; -#endif - - if (name == NULL) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, - "Internal error: pcfg_openfile() called with NULL filename"); - return APR_EBADF; - } - - status = apr_file_open(&file, name, APR_READ | APR_BUFFERED, - APR_OS_DEFAULT, p); -#ifdef DEBUG - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, - "Opening config file %s (%s)", - name, (status != APR_SUCCESS) ? - apr_strerror(status, buf, sizeof(buf)) : "successful"); -#endif - if (status != APR_SUCCESS) - return status; - - status = apr_file_info_get(&finfo, APR_FINFO_TYPE, file); - if (status != APR_SUCCESS) - return status; - - if (finfo.filetype != APR_REG && -#if defined(WIN32) || defined(OS2) || defined(NETWARE) - strcasecmp(apr_filepath_name_get(name), "nul") != 0) { -#else - strcmp(name, "/dev/null") != 0) { -#endif /* WIN32 || OS2 */ - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, - "Access to file %s denied by server: not a regular file", - name); - apr_file_close(file); - return APR_EBADF; - } - -#ifdef WIN32 - /* Some twisted character [no pun intended] at MS decided that a - * zero width joiner as the lead wide character would be ideal for - * describing Unicode text files. This was further convoluted to - * another MSism that the same character mapped into utf-8, EF BB BF - * would signify utf-8 text files. - * - * Since MS configuration files are all protecting utf-8 encoded - * Unicode path, file and resource names, we already have the correct - * WinNT encoding. But at least eat the stupid three bytes up front. - */ - { - unsigned char buf[4]; - apr_size_t len = 3; - status = apr_file_read(file, buf, &len); - if ((status != APR_SUCCESS) || (len < 3) - || memcmp(buf, "\xEF\xBB\xBF", 3) != 0) { - apr_off_t zero = 0; - apr_file_seek(file, APR_SET, &zero); - } - } -#endif - - new_cfg = apr_palloc(p, sizeof(*new_cfg)); - new_cfg->param = file; - new_cfg->name = apr_pstrdup(p, name); -#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 - new_cfg->getch = (int (*)(void *)) cfg_getch; - new_cfg->getstr = (void *(*)(void *, size_t, void *)) cfg_getstr; - new_cfg->close = (int (*)(void *)) cfg_close; -#else - new_cfg->getch = cfg_getch; - new_cfg->getstr = cfg_getstr; - new_cfg->close = cfg_close; -#endif - new_cfg->line_number = 0; - *ret_cfg = new_cfg; - return APR_SUCCESS; -} - -AP_CORE_DECLARE(const command_rec *) ap_find_command(const char *name, - const command_rec *cmds) -{ - while (cmds->name) { - if (!strcasecmp(name, cmds->name)) - return cmds; - - ++cmds; - } - - return NULL; -} - -#define AP_MAX_ARGC 64 - -static const char *invoke_cmd(const command_rec *cmd, cmd_parms *parms, - void *mconfig, const char *args) -{ - char *w, *w2, *w3; - const char *errmsg = NULL; - - if ((parms->override & cmd->req_override) == 0) - return apr_pstrcat(parms->pool, cmd->name, " not allowed here", NULL); - - parms->info = cmd->cmd_data; - parms->cmd = cmd; - - switch (cmd->args_how) { - case RAW_ARGS: -#ifdef RESOLVE_ENV_PER_TOKEN - args = ap_resolve_env(parms->pool,args); -#endif - return cmd->AP_RAW_ARGS(parms, mconfig, args); - - case TAKE_ARGV: - { - char *argv[AP_MAX_ARGC]; - int argc = 0; - - do { - w = ap_getword_conf(parms->pool, &args); - if (*w == '\0' && *args == '\0') { - break; - } - argv[argc] = w; - argc++; - } while (argc < AP_MAX_ARGC && *args != '\0'); - - return cmd->AP_TAKE_ARGV(parms, mconfig, argc, argv); - } - - case NO_ARGS: - if (*args != 0) - return apr_pstrcat(parms->pool, cmd->name, " takes no arguments", - NULL); - - return cmd->AP_NO_ARGS(parms, mconfig); - - case TAKE1: - w = ap_getword_conf(parms->pool, &args); - - if (*w == '\0' || *args != 0) - return apr_pstrcat(parms->pool, cmd->name, " takes one argument", - cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); - - return cmd->AP_TAKE1(parms, mconfig, w); - - case TAKE2: - w = ap_getword_conf(parms->pool, &args); - w2 = ap_getword_conf(parms->pool, &args); - - if (*w == '\0' || *w2 == '\0' || *args != 0) - return apr_pstrcat(parms->pool, cmd->name, " takes two arguments", - cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); - - return cmd->AP_TAKE2(parms, mconfig, w, w2); - - case TAKE12: - w = ap_getword_conf(parms->pool, &args); - w2 = ap_getword_conf(parms->pool, &args); - - if (*w == '\0' || *args != 0) - return apr_pstrcat(parms->pool, cmd->name, " takes 1-2 arguments", - cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); - - return cmd->AP_TAKE2(parms, mconfig, w, *w2 ? w2 : NULL); - - case TAKE3: - w = ap_getword_conf(parms->pool, &args); - w2 = ap_getword_conf(parms->pool, &args); - w3 = ap_getword_conf(parms->pool, &args); - - if (*w == '\0' || *w2 == '\0' || *w3 == '\0' || *args != 0) - return apr_pstrcat(parms->pool, cmd->name, " takes three arguments", - cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); - - return cmd->AP_TAKE3(parms, mconfig, w, w2, w3); - - case TAKE23: - w = ap_getword_conf(parms->pool, &args); - w2 = ap_getword_conf(parms->pool, &args); - w3 = *args ? ap_getword_conf(parms->pool, &args) : NULL; - - if (*w == '\0' || *w2 == '\0' || *args != 0) - return apr_pstrcat(parms->pool, cmd->name, - " takes two or three arguments", - cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); - - return cmd->AP_TAKE3(parms, mconfig, w, w2, w3); - - case TAKE123: - w = ap_getword_conf(parms->pool, &args); - w2 = *args ? ap_getword_conf(parms->pool, &args) : NULL; - w3 = *args ? ap_getword_conf(parms->pool, &args) : NULL; - - if (*w == '\0' || *args != 0) - return apr_pstrcat(parms->pool, cmd->name, - " takes one, two or three arguments", - cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); - - return cmd->AP_TAKE3(parms, mconfig, w, w2, w3); - - case TAKE13: - w = ap_getword_conf(parms->pool, &args); - w2 = *args ? ap_getword_conf(parms->pool, &args) : NULL; - w3 = *args ? ap_getword_conf(parms->pool, &args) : NULL; - - if (*w == '\0' || (w2 && *w2 && !w3) || *args != 0) - return apr_pstrcat(parms->pool, cmd->name, - " takes one or three arguments", - cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); - - return cmd->AP_TAKE3(parms, mconfig, w, w2, w3); - - case ITERATE: - while (*(w = ap_getword_conf(parms->pool, &args)) != '\0') { - - errmsg = cmd->AP_TAKE1(parms, mconfig, w); - - if (errmsg && strcmp(errmsg, DECLINE_CMD) != 0) - return errmsg; - } - - return errmsg; - - case ITERATE2: - w = ap_getword_conf(parms->pool, &args); - - if (*w == '\0' || *args == 0) - return apr_pstrcat(parms->pool, cmd->name, - " requires at least two arguments", - cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); - - while (*(w2 = ap_getword_conf(parms->pool, &args)) != '\0') { - - errmsg = cmd->AP_TAKE2(parms, mconfig, w, w2); - - if (errmsg && strcmp(errmsg, DECLINE_CMD) != 0) - return errmsg; - } - - return errmsg; - - case FLAG: - w = ap_getword_conf(parms->pool, &args); - - if (*w == '\0' || (strcasecmp(w, "on") && strcasecmp(w, "off"))) - return apr_pstrcat(parms->pool, cmd->name, " must be On or Off", - NULL); - - return cmd->AP_FLAG(parms, mconfig, strcasecmp(w, "off") != 0); - - default: - return apr_pstrcat(parms->pool, cmd->name, - " is improperly configured internally (server bug)", - NULL); - } -} - -#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 -static cmd_parms default_parms = -{NULL, 0, -1, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL}; -#endif - -#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 3 -static cmd_parms default_parms = -{NULL, 0, 0, NULL, -1, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL}; -#endif - -typedef struct { - const char *fname; -} fnames; - -AP_DECLARE(int) ap_is_directory(apr_pool_t *p, const char *path) -{ - apr_finfo_t finfo; - - if (apr_stat(&finfo, path, APR_FINFO_TYPE, p) != APR_SUCCESS) - return 0; /* in error condition, just return no */ - - return (finfo.filetype == APR_DIR); -} - -AP_DECLARE(char *) ap_make_full_path(apr_pool_t *a, const char *src1, - const char *src2) -{ - apr_size_t len1, len2; - char *path; - - len1 = strlen(src1); - len2 = strlen(src2); - /* allocate +3 for '/' delimiter, trailing NULL and overallocate - * one extra byte to allow the caller to add a trailing '/' - */ - path = (char *)apr_palloc(a, len1 + len2 + 3); - if (len1 == 0) { - *path = '/'; - memcpy(path + 1, src2, len2 + 1); - } - else { - char *next; - memcpy(path, src1, len1); - next = path + len1; - if (next[-1] != '/') { - *next++ = '/'; - } - memcpy(next, src2, len2 + 1); - } - return path; -} - -static int fname_alphasort(const void *fn1, const void *fn2) -{ - const fnames *f1 = fn1; - const fnames *f2 = fn2; - - return strcmp(f1->fname,f2->fname); -} - -int fnmatch_test(const char *pattern) -{ - int nesting; - - nesting = 0; - while (*pattern) { - switch (*pattern) { - case '?': - case '*': - return 1; - -/* case '\\': - if (*++pattern == '\0') { - return 0; - } - break;*/ // this breaks on Windows - - case '[': /* '[' is only a glob if it has a matching ']' */ - ++nesting; - break; - - case ']': - if (nesting) { - return 1; - } - break; - } - ++pattern; } - return 0; -} - -AP_DECLARE(const char *) process_resource_config(const char *fname, - apr_array_header_t *ari, - apr_pool_t *ptemp) -{ - *(char **)apr_array_push(ari) = (char *)fname; - - return NULL; -} - -static const char *process_resource_config_nofnmatch(const char *fname, - apr_array_header_t *ari, - apr_pool_t *p, - apr_pool_t *ptemp, - unsigned depth, - int optional) -{ - const char *error; - apr_status_t rv; - - if (ap_is_directory(ptemp, fname)) { - apr_dir_t *dirp; - apr_finfo_t dirent; - int current; - apr_array_header_t *candidates = NULL; - fnames *fnew; - char *path = apr_pstrdup(ptemp, fname); - - if (++depth > 100) { - return apr_psprintf(p, "Directory %s exceeds the maximum include " - "directory nesting level of %u. You have " - "probably a recursion somewhere.", path, - 100); - } - - /* - * first course of business is to grok all the directory - * entries here and store 'em away. Recall we need full pathnames - * for this. - */ - rv = apr_dir_open(&dirp, path, ptemp); - if (rv != APR_SUCCESS) { - char errmsg[120]; - return apr_psprintf(p, "Could not open config directory %s: %s", - path, apr_strerror(rv, errmsg, sizeof errmsg)); - } - - candidates = apr_array_make(ptemp, 1, sizeof(fnames)); - while (apr_dir_read(&dirent, APR_FINFO_DIRENT, dirp) == APR_SUCCESS) { - /* strip out '.' and '..' */ - if (strcmp(dirent.name, ".") - && strcmp(dirent.name, "..")) { - fnew = (fnames *) apr_array_push(candidates); - fnew->fname = ap_make_full_path(ptemp, path, dirent.name); - } - } - - apr_dir_close(dirp); - if (candidates->nelts != 0) { - qsort((void *) candidates->elts, candidates->nelts, - sizeof(fnames), fname_alphasort); - - /* - * Now recurse these... we handle errors and subdirectories - * via the recursion, which is nice - */ - for (current = 0; current < candidates->nelts; ++current) { - fnew = &((fnames *) candidates->elts)[current]; - error = process_resource_config_nofnmatch(fnew->fname, - ari, p, ptemp, - depth, optional); - if (error) { - return error; - } - } - } - - return NULL; - } - - return process_resource_config(fname, ari, ptemp); -} - -static const char *process_resource_config_fnmatch(const char *path, - const char *fname, - apr_array_header_t *ari, - apr_pool_t *p, - apr_pool_t *ptemp, - unsigned depth, - int optional) -{ - const char *rest; - apr_status_t rv; - apr_dir_t *dirp; - apr_finfo_t dirent; - apr_array_header_t *candidates = NULL; - fnames *fnew; - int current; - - /* find the first part of the filename */ - rest = ap_strchr_c(fname, '/'); - - if(rest == NULL) - rest = ap_strchr_c(fname, '\\'); - - if (rest) { - fname = apr_pstrndup(ptemp, fname, rest - fname); - rest++; - } - - /* optimisation - if the filename isn't a wildcard, process it directly */ - if (!fnmatch_test(fname)) { - path = ap_make_full_path(ptemp, path, fname); - if (!rest) { - return process_resource_config_nofnmatch(path, - ari, p, - ptemp, 0, optional); - } - else { - return process_resource_config_fnmatch(path, rest, - ari, p, - ptemp, 0, optional); - } - } - - /* - * first course of business is to grok all the directory - * entries here and store 'em away. Recall we need full pathnames - * for this. - */ - rv = apr_dir_open(&dirp, path, ptemp); - if (rv != APR_SUCCESS) { - char errmsg[120]; - return apr_psprintf(p, "Could not open config directory %s: %s", - path, apr_strerror(rv, errmsg, sizeof errmsg)); - } - - candidates = apr_array_make(ptemp, 1, sizeof(fnames)); - while (apr_dir_read(&dirent, APR_FINFO_DIRENT | APR_FINFO_TYPE, dirp) == APR_SUCCESS) { - /* strip out '.' and '..' */ - if (strcmp(dirent.name, ".") - && strcmp(dirent.name, "..") - && (apr_fnmatch(fname, dirent.name, - APR_FNM_PERIOD | APR_FNM_NOESCAPE | APR_FNM_PATHNAME) == APR_SUCCESS)) { - const char *full_path = ap_make_full_path(ptemp, path, dirent.name); - /* If matching internal to path, and we happen to match something - * other than a directory, skip it - */ - if (rest && (rv == APR_SUCCESS) && (dirent.filetype != APR_DIR)) { - continue; - } - fnew = (fnames *) apr_array_push(candidates); - fnew->fname = full_path; - } - } - - apr_dir_close(dirp); - if (candidates->nelts != 0) { - const char *error; - - qsort((void *) candidates->elts, candidates->nelts, - sizeof(fnames), fname_alphasort); - - /* - * Now recurse these... we handle errors and subdirectories - * via the recursion, which is nice - */ - for (current = 0; current < candidates->nelts; ++current) { - fnew = &((fnames *) candidates->elts)[current]; - if (!rest) { - error = process_resource_config_nofnmatch(fnew->fname, - ari, p, - ptemp, 0, optional); - } - else { - error = process_resource_config_fnmatch(fnew->fname, rest, - ari, p, - ptemp, 0, optional); - } - if (error) { - return error; - } - } - } - else { - - if (!optional) { - return apr_psprintf(p, "No matches for the wildcard '%s' in '%s', failing " - "(use IncludeOptional if required)", fname, path); - } - } - - return NULL; -} - -AP_DECLARE(const char *) process_fnmatch_configs(apr_array_header_t *ari, - const char *fname, - apr_pool_t *p, - apr_pool_t *ptemp, - int optional) -{ - if (!fnmatch_test(fname)) { - return process_resource_config(fname, ari, p); - } - else { - apr_status_t status; - const char *rootpath, *filepath = fname; - - /* locate the start of the directories proper */ - status = apr_filepath_root(&rootpath, &filepath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, ptemp); - - /* we allow APR_SUCCESS and APR_EINCOMPLETE */ - if (APR_ERELATIVE == status) { - return apr_pstrcat(p, "Include must have an absolute path, ", fname, NULL); - } - else if (APR_EBADPATH == status) { - return apr_pstrcat(p, "Include has a bad path, ", fname, NULL); - } - - /* walk the filepath */ - return process_resource_config_fnmatch(rootpath, filepath, ari, p, ptemp, - 0, optional); - } -} - -const char *populate_include_files(apr_pool_t *p, apr_pool_t *ptemp, apr_array_header_t *ari, const char *fname, int optional) -{ - return process_fnmatch_configs(ari, fname, p, ptemp, optional); -} - -const char *process_command_config(server_rec *s, - void *mconfig, - apr_pool_t *p, - apr_pool_t *ptemp, - const char *filename) -{ - const char *errmsg; - char *l = apr_palloc (ptemp, MAX_STRING_LEN); - const char *args = l; - char *cmd_name, *w; - const command_rec *cmd; - apr_array_header_t *arr = apr_array_make(p, 1, sizeof(cmd_parms)); - apr_array_header_t *ari = apr_array_make(p, 1, sizeof(char *)); - cmd_parms *parms; - apr_status_t status; - ap_directive_t *newdir; - int optional; - char *err = NULL; - char *rootpath, *incpath; - int li; - - errmsg = populate_include_files(p, ptemp, ari, filename, 0); - - if(errmsg != NULL) - goto Exit; - - while(ari->nelts != 0 || arr->nelts != 0) - { - if(ari->nelts > 0) - { - char *fn = *(char **)apr_array_pop(ari); - - parms = (cmd_parms *)apr_array_push(arr); - *parms = default_parms; - parms->pool = p; - parms->temp_pool = ptemp; - parms->server = s; - parms->override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT); - parms->override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI; - - status = ap_pcfg_openfile(&parms->config_file, p, fn); - - if(status != APR_SUCCESS) - { - apr_array_pop(arr); - errmsg = apr_pstrcat(p, "Cannot open config file: ", fn, NULL); - goto Exit; - } - } - - if (arr->nelts > 1024) { - errmsg = "Exceeded the maximum include directory nesting level. You have " - "probably a recursion somewhere."; - goto Exit; - } - - parms = (cmd_parms *)apr_array_pop(arr); - - if(parms == NULL) - break; - - while (!(ap_cfg_getline(l, MAX_STRING_LEN, parms->config_file))) { - if (*l == '#' || *l == '\0') - continue; - - args = l; - - cmd_name = ap_getword_conf(p, &args); - - if (*cmd_name == '\0') - continue; - - if (!strcasecmp(cmd_name, "IncludeOptional")) - { - optional = 1; - goto ProcessInclude; - } - - if (!strcasecmp(cmd_name, "Include")) - { - optional = 0; -ProcessInclude: - w = ap_getword_conf(parms->pool, &args); - - if (*w == '\0' || *args != 0) - { - ap_cfg_closefile(parms->config_file); - errmsg = apr_pstrcat(parms->pool, "Include takes one argument", NULL); - goto Exit; - } - - incpath = w; - - /* locate the start of the directories proper */ - status = apr_filepath_root(&rootpath, &incpath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, ptemp); - - /* we allow APR_SUCCESS and APR_EINCOMPLETE */ - if (APR_ERELATIVE == status) { - rootpath = apr_pstrdup(ptemp, parms->config_file->name); - li = strlen(rootpath) - 1; - - while(li >= 0 && rootpath[li] != '/' && rootpath[li] != '\\') - rootpath[li--] = 0; - - w = apr_pstrcat(p, rootpath, w, NULL); - } - else if (APR_EBADPATH == status) { - ap_cfg_closefile(parms->config_file); - errmsg = apr_pstrcat(p, "Include file has a bad path, ", w, NULL); - goto Exit; - } - - errmsg = populate_include_files(p, ptemp, ari, w, optional); - - *(cmd_parms *)apr_array_push(arr) = *parms; - - if(errmsg != NULL) - goto Exit; - - // we don't want to close the current file yet - // - parms = NULL; - break; - } - - cmd = ap_find_command(cmd_name, security2_module.cmds); - - if(cmd == NULL) - { - // unknown command, should error - // - ap_cfg_closefile(parms->config_file); - errmsg = apr_pstrcat(p, "Unknown command in config: ", cmd_name, NULL); - goto Exit; - } - - newdir = apr_pcalloc(p, sizeof(ap_directive_t)); - newdir->filename = parms->config_file->name; - newdir->line_num = parms->config_file->line_number; - newdir->directive = cmd_name; - newdir->args = apr_pstrdup(p, args); - - parms->directive = newdir; - - errmsg = invoke_cmd(cmd, parms, mconfig, args); - - if(errmsg != NULL) - break; - } - - if(parms != NULL) - ap_cfg_closefile(parms->config_file); - - if(errmsg != NULL) - break; - } - - if (errmsg) { - err = (char *)apr_palloc(p, 1024); - - if(parms != NULL) - apr_snprintf(err, 1024, "Syntax error in config file %s, line %d: %s", parms->config_file->name, - parms->config_file->line_number, errmsg); - else - apr_snprintf(err, 1024, "Syntax error in config file: %s", errmsg); - } - - errmsg = err; - -Exit: - while((parms = (cmd_parms *)apr_array_pop(arr)) != NULL) - { - ap_cfg_closefile(parms->config_file); - } - - return errmsg; -} +/* +* ModSecurity for Apache 2.x, http://www.modsecurity.org/ +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* +* You may not use this file except in compliance with +* the License. You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* If any of the files related to licensing are missing or if you have any +* other questions related to licensing please contact Trustwave Holdings, Inc. +* directly using the email address security@modsecurity.org. +*/ + +#include <limits.h> +#include <stdio.h> + +#include "http_core.h" +#include "http_request.h" + +#include "modsecurity.h" +#include "apache2.h" +#include "http_main.h" +#include "http_connection.h" + +#include "apr_optional.h" +#include "mod_log_config.h" + +#include "msc_logging.h" +#include "msc_util.h" + +#include "ap_mpm.h" +#include "scoreboard.h" + +#include "apr_version.h" + +#include "apr_lib.h" +#include "ap_config.h" +#include "http_config.h" +#include "apr_fnmatch.h" + +AP_DECLARE(int) ap_cfg_closefile(ap_configfile_t *cfp) +{ +#ifdef DEBUG + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, + "Done with config file %s", cfp->name); +#endif + return (cfp->close == NULL) ? 0 : cfp->close(cfp->param); +} + +#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 +static apr_status_t cfg_close(void *param) +{ + apr_file_t *cfp = (apr_file_t *) param; + return (apr_file_close(cfp)); +} + +static int cfg_getch(void *param) +{ + char ch; + apr_file_t *cfp = (apr_file_t *) param; + if (apr_file_getc(&ch, cfp) == APR_SUCCESS) + return ch; + return (int)EOF; +} + +static void *cfg_getstr(void *buf, size_t bufsiz, void *param) +{ + apr_file_t *cfp = (apr_file_t *) param; + apr_status_t rv; + rv = apr_file_gets(buf, bufsiz, cfp); + if (rv == APR_SUCCESS) { + return buf; + } + return NULL; +} +#else +/* we can't use apr_file_* directly because of linking issues on Windows */ +static apr_status_t cfg_close(void *param) +{ + return apr_file_close(param); +} + +static apr_status_t cfg_getch(char *ch, void *param) +{ + return apr_file_getc(ch, param); +} + +static apr_status_t cfg_getstr(void *buf, apr_size_t bufsiz, void *param) +{ + return apr_file_gets(buf, bufsiz, param); +} +#endif + +/* Read one line from open ap_configfile_t, strip LF, increase line number */ +/* If custom handler does not define a getstr() function, read char by char */ + +#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 +AP_DECLARE(int) ap_cfg_getline(char *buf, size_t bufsize, ap_configfile_t *cfp) +{ + /* If a "get string" function is defined, use it */ + if (cfp->getstr != NULL) { + char *src, *dst; + char *cp; + char *cbuf = buf; + size_t cbufsize = bufsize; + + while (1) { + ++cfp->line_number; + if (cfp->getstr(cbuf, cbufsize, cfp->param) == NULL) + return 1; + + /* + * check for line continuation, + * i.e. match [^\\]\\[\r]\n only + */ + cp = cbuf; + while (cp < cbuf+cbufsize && *cp != '\0') + cp++; + if (cp > cbuf && cp[-1] == LF) { + cp--; + if (cp > cbuf && cp[-1] == CR) + cp--; + if (cp > cbuf && cp[-1] == '\\') { + cp--; + if (!(cp > cbuf && cp[-1] == '\\')) { + /* + * line continuation requested - + * then remove backslash and continue + */ + cbufsize -= (cp-cbuf); + cbuf = cp; + continue; + } + else { + /* + * no real continuation because escaped - + * then just remove escape character + */ + for ( ; cp < cbuf+cbufsize && *cp != '\0'; cp++) + cp[0] = cp[1]; + } + } + } + break; + } + + /* + * Leading and trailing white space is eliminated completely + */ + src = buf; + while (apr_isspace(*src)) + ++src; + /* blast trailing whitespace */ + dst = &src[strlen(src)]; + while (--dst >= src && apr_isspace(*dst)) + *dst = '\0'; + /* Zap leading whitespace by shifting */ + if (src != buf) + for (dst = buf; (*dst++ = *src++) != '\0'; ) + ; + +#ifdef DEBUG_CFG_LINES + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "Read config: %s", buf); +#endif + return 0; + } else { + /* No "get string" function defined; read character by character */ + register int c; + register size_t i = 0; + + buf[0] = '\0'; + /* skip leading whitespace */ + do { + c = cfp->getch(cfp->param); + } while (c == '\t' || c == ' '); + + if (c == EOF) + return 1; + + if(bufsize < 2) { + /* too small, assume caller is crazy */ + return 1; + } + + while (1) { + if ((c == '\t') || (c == ' ')) { + buf[i++] = ' '; + while ((c == '\t') || (c == ' ')) + c = cfp->getch(cfp->param); + } + if (c == CR) { + /* silently ignore CR (_assume_ that a LF follows) */ + c = cfp->getch(cfp->param); + } + if (c == LF) { + /* increase line number and return on LF */ + ++cfp->line_number; + } + if (c == EOF || c == 0x4 || c == LF || i >= (bufsize - 2)) { + /* + * check for line continuation + */ + if (i > 0 && buf[i-1] == '\\') { + i--; + if (!(i > 0 && buf[i-1] == '\\')) { + /* line is continued */ + c = cfp->getch(cfp->param); + continue; + } + /* else nothing needs be done because + * then the backslash is escaped and + * we just strip to a single one + */ + } + /* blast trailing whitespace */ + while (i > 0 && apr_isspace(buf[i - 1])) + --i; + buf[i] = '\0'; +#ifdef DEBUG_CFG_LINES + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, + "Read config: %s", buf); +#endif + return 0; + } + buf[i] = c; + ++i; + c = cfp->getch(cfp->param); + } + } +} +#else +static apr_status_t ap_cfg_getline_core(char *buf, apr_size_t bufsize, + ap_configfile_t *cfp) +{ + apr_status_t rc; + /* If a "get string" function is defined, use it */ + if (cfp->getstr != NULL) { + char *cp; + char *cbuf = buf; + apr_size_t cbufsize = bufsize; + + while (1) { + ++cfp->line_number; + rc = cfp->getstr(cbuf, cbufsize, cfp->param); + if (rc == APR_EOF) { + if (cbuf != buf) { + *cbuf = '\0'; + break; + } + else { + return APR_EOF; + } + } + if (rc != APR_SUCCESS) { + return rc; + } + + /* + * check for line continuation, + * i.e. match [^\\]\\[\r]\n only + */ + cp = cbuf; + cp += strlen(cp); + if (cp > cbuf && cp[-1] == LF) { + cp--; + if (cp > cbuf && cp[-1] == CR) + cp--; + if (cp > cbuf && cp[-1] == '\\') { + cp--; + /* + * line continuation requested - + * then remove backslash and continue + */ + cbufsize -= (cp-cbuf); + cbuf = cp; + continue; + } + } + else if (cp - buf >= bufsize - 1) { + return APR_ENOSPC; + } + break; + } + } else { + /* No "get string" function defined; read character by character */ + apr_size_t i = 0; + + if (bufsize < 2) { + /* too small, assume caller is crazy */ + return APR_EINVAL; + } + buf[0] = '\0'; + + while (1) { + char c; + rc = cfp->getch(&c, cfp->param); + if (rc == APR_EOF) { + if (i > 0) + break; + else + return APR_EOF; + } + if (rc != APR_SUCCESS) + return rc; + if (c == LF) { + ++cfp->line_number; + /* check for line continuation */ + if (i > 0 && buf[i-1] == '\\') { + i--; + continue; + } + else { + break; + } + } + else if (i >= bufsize - 2) { + return APR_ENOSPC; + } + buf[i] = c; + ++i; + } + buf[i] = '\0'; + } + return APR_SUCCESS; +} + +static int cfg_trim_line(char *buf) +{ + char *start, *end; + /* + * Leading and trailing white space is eliminated completely + */ + start = buf; + while (apr_isspace(*start)) + ++start; + /* blast trailing whitespace */ + end = &start[strlen(start)]; + while (--end >= start && apr_isspace(*end)) + *end = '\0'; + /* Zap leading whitespace by shifting */ + if (start != buf) + memmove(buf, start, end - start + 2); +#ifdef DEBUG_CFG_LINES + ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, APLOGNO(00555) "Read config: '%s'", buf); +#endif + return end - start + 1; +} + +AP_DECLARE(apr_status_t) ap_cfg_getline(char *buf, apr_size_t bufsize, + ap_configfile_t *cfp) +{ + apr_status_t rc = ap_cfg_getline_core(buf, bufsize, cfp); + if (rc == APR_SUCCESS) + cfg_trim_line(buf); + return rc; +} +#endif + +static char *substring_conf(apr_pool_t *p, const char *start, int len, + char quote) +{ + char *result = apr_palloc(p, len + 2); + char *resp = result; + int i; + + for (i = 0; i < len; ++i) { + if (start[i] == '\\' && (start[i + 1] == '\\' + || (quote && start[i + 1] == quote))) + *resp++ = start[++i]; + else + *resp++ = start[i]; + } + + *resp++ = '\0'; +#if RESOLVE_ENV_PER_TOKEN + return (char *)ap_resolve_env(p,result); +#else + return result; +#endif +} + +AP_DECLARE(char *) ap_getword_conf(apr_pool_t *p, const char **line) +{ + const char *str = *line, *strend; + char *res; + char quote; + + while (*str && apr_isspace(*str)) + ++str; + + if (!*str) { + *line = str; + return ""; + } + + if ((quote = *str) == '"' || quote == '\'') { + strend = str + 1; + while (*strend && *strend != quote) { + if (*strend == '\\' && strend[1] && + (strend[1] == quote || strend[1] == '\\')) { + strend += 2; + } + else { + ++strend; + } + } + res = substring_conf(p, str + 1, strend - str - 1, quote); + + if (*strend == quote) + ++strend; + } + else { + strend = str; + while (*strend && !apr_isspace(*strend)) + ++strend; + + res = substring_conf(p, str, strend - str, 0); + } + + while (*strend && apr_isspace(*strend)) + ++strend; + *line = strend; + return res; +} + +/* Open a ap_configfile_t as FILE, return open ap_configfile_t struct pointer */ +AP_DECLARE(apr_status_t) ap_pcfg_openfile(ap_configfile_t **ret_cfg, + apr_pool_t *p, const char *name) +{ + ap_configfile_t *new_cfg; + apr_file_t *file = NULL; + apr_finfo_t finfo; + apr_status_t status; +#ifdef DEBUG + char buf[120]; +#endif + + if (name == NULL) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "Internal error: pcfg_openfile() called with NULL filename"); + return APR_EBADF; + } + + status = apr_file_open(&file, name, APR_READ | APR_BUFFERED, + APR_OS_DEFAULT, p); +#ifdef DEBUG + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, + "Opening config file %s (%s)", + name, (status != APR_SUCCESS) ? + apr_strerror(status, buf, sizeof(buf)) : "successful"); +#endif + if (status != APR_SUCCESS) + return status; + + status = apr_file_info_get(&finfo, APR_FINFO_TYPE, file); + if (status != APR_SUCCESS) + return status; + + if (finfo.filetype != APR_REG && +#if defined(WIN32) || defined(OS2) || defined(NETWARE) + strcasecmp(apr_filepath_name_get(name), "nul") != 0) { +#else + strcmp(name, "/dev/null") != 0) { +#endif /* WIN32 || OS2 */ + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "Access to file %s denied by server: not a regular file", + name); + apr_file_close(file); + return APR_EBADF; + } + +#ifdef WIN32 + /* Some twisted character [no pun intended] at MS decided that a + * zero width joiner as the lead wide character would be ideal for + * describing Unicode text files. This was further convoluted to + * another MSism that the same character mapped into utf-8, EF BB BF + * would signify utf-8 text files. + * + * Since MS configuration files are all protecting utf-8 encoded + * Unicode path, file and resource names, we already have the correct + * WinNT encoding. But at least eat the stupid three bytes up front. + */ + { + unsigned char buf[4]; + apr_size_t len = 3; + status = apr_file_read(file, buf, &len); + if ((status != APR_SUCCESS) || (len < 3) + || memcmp(buf, "\xEF\xBB\xBF", 3) != 0) { + apr_off_t zero = 0; + apr_file_seek(file, APR_SET, &zero); + } + } +#endif + + new_cfg = apr_palloc(p, sizeof(*new_cfg)); + new_cfg->param = file; + new_cfg->name = apr_pstrdup(p, name); +#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 + new_cfg->getch = (int (*)(void *)) cfg_getch; + new_cfg->getstr = (void *(*)(void *, size_t, void *)) cfg_getstr; + new_cfg->close = (int (*)(void *)) cfg_close; +#else + new_cfg->getch = cfg_getch; + new_cfg->getstr = cfg_getstr; + new_cfg->close = cfg_close; +#endif + new_cfg->line_number = 0; + *ret_cfg = new_cfg; + return APR_SUCCESS; +} + +AP_CORE_DECLARE(const command_rec *) ap_find_command(const char *name, + const command_rec *cmds) +{ + while (cmds->name) { + if (!strcasecmp(name, cmds->name)) + return cmds; + + ++cmds; + } + + return NULL; +} + +#define AP_MAX_ARGC 64 + +static const char *invoke_cmd(const command_rec *cmd, cmd_parms *parms, + void *mconfig, const char *args) +{ + char *w, *w2, *w3; + const char *errmsg = NULL; + + if ((parms->override & cmd->req_override) == 0) + return apr_pstrcat(parms->pool, cmd->name, " not allowed here", NULL); + + parms->info = cmd->cmd_data; + parms->cmd = cmd; + + switch (cmd->args_how) { + case RAW_ARGS: +#ifdef RESOLVE_ENV_PER_TOKEN + args = ap_resolve_env(parms->pool,args); +#endif + return cmd->AP_RAW_ARGS(parms, mconfig, args); + + case TAKE_ARGV: + { + char *argv[AP_MAX_ARGC]; + int argc = 0; + + do { + w = ap_getword_conf(parms->pool, &args); + if (*w == '\0' && *args == '\0') { + break; + } + argv[argc] = w; + argc++; + } while (argc < AP_MAX_ARGC && *args != '\0'); + + return cmd->AP_TAKE_ARGV(parms, mconfig, argc, argv); + } + + case NO_ARGS: + if (*args != 0) + return apr_pstrcat(parms->pool, cmd->name, " takes no arguments", + NULL); + + return cmd->AP_NO_ARGS(parms, mconfig); + + case TAKE1: + w = ap_getword_conf(parms->pool, &args); + + if (*w == '\0' || *args != 0) + return apr_pstrcat(parms->pool, cmd->name, " takes one argument", + cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); + + return cmd->AP_TAKE1(parms, mconfig, w); + + case TAKE2: + w = ap_getword_conf(parms->pool, &args); + w2 = ap_getword_conf(parms->pool, &args); + + if (*w == '\0' || *w2 == '\0' || *args != 0) + return apr_pstrcat(parms->pool, cmd->name, " takes two arguments", + cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); + + return cmd->AP_TAKE2(parms, mconfig, w, w2); + + case TAKE12: + w = ap_getword_conf(parms->pool, &args); + w2 = ap_getword_conf(parms->pool, &args); + + if (*w == '\0' || *args != 0) + return apr_pstrcat(parms->pool, cmd->name, " takes 1-2 arguments", + cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); + + return cmd->AP_TAKE2(parms, mconfig, w, *w2 ? w2 : NULL); + + case TAKE3: + w = ap_getword_conf(parms->pool, &args); + w2 = ap_getword_conf(parms->pool, &args); + w3 = ap_getword_conf(parms->pool, &args); + + if (*w == '\0' || *w2 == '\0' || *w3 == '\0' || *args != 0) + return apr_pstrcat(parms->pool, cmd->name, " takes three arguments", + cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); + + return cmd->AP_TAKE3(parms, mconfig, w, w2, w3); + + case TAKE23: + w = ap_getword_conf(parms->pool, &args); + w2 = ap_getword_conf(parms->pool, &args); + w3 = *args ? ap_getword_conf(parms->pool, &args) : NULL; + + if (*w == '\0' || *w2 == '\0' || *args != 0) + return apr_pstrcat(parms->pool, cmd->name, + " takes two or three arguments", + cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); + + return cmd->AP_TAKE3(parms, mconfig, w, w2, w3); + + case TAKE123: + w = ap_getword_conf(parms->pool, &args); + w2 = *args ? ap_getword_conf(parms->pool, &args) : NULL; + w3 = *args ? ap_getword_conf(parms->pool, &args) : NULL; + + if (*w == '\0' || *args != 0) + return apr_pstrcat(parms->pool, cmd->name, + " takes one, two or three arguments", + cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); + + return cmd->AP_TAKE3(parms, mconfig, w, w2, w3); + + case TAKE13: + w = ap_getword_conf(parms->pool, &args); + w2 = *args ? ap_getword_conf(parms->pool, &args) : NULL; + w3 = *args ? ap_getword_conf(parms->pool, &args) : NULL; + + if (*w == '\0' || (w2 && *w2 && !w3) || *args != 0) + return apr_pstrcat(parms->pool, cmd->name, + " takes one or three arguments", + cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); + + return cmd->AP_TAKE3(parms, mconfig, w, w2, w3); + + case ITERATE: + while (*(w = ap_getword_conf(parms->pool, &args)) != '\0') { + + errmsg = cmd->AP_TAKE1(parms, mconfig, w); + + if (errmsg && strcmp(errmsg, DECLINE_CMD) != 0) + return errmsg; + } + + return errmsg; + + case ITERATE2: + w = ap_getword_conf(parms->pool, &args); + + if (*w == '\0' || *args == 0) + return apr_pstrcat(parms->pool, cmd->name, + " requires at least two arguments", + cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); + + while (*(w2 = ap_getword_conf(parms->pool, &args)) != '\0') { + + errmsg = cmd->AP_TAKE2(parms, mconfig, w, w2); + + if (errmsg && strcmp(errmsg, DECLINE_CMD) != 0) + return errmsg; + } + + return errmsg; + + case FLAG: + w = ap_getword_conf(parms->pool, &args); + + if (*w == '\0' || (strcasecmp(w, "on") && strcasecmp(w, "off"))) + return apr_pstrcat(parms->pool, cmd->name, " must be On or Off", + NULL); + + return cmd->AP_FLAG(parms, mconfig, strcasecmp(w, "off") != 0); + + default: + return apr_pstrcat(parms->pool, cmd->name, + " is improperly configured internally (server bug)", + NULL); + } +} + +#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 +static cmd_parms default_parms = +{NULL, 0, -1, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL}; +#endif + +#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 3 +static cmd_parms default_parms = +{NULL, 0, 0, NULL, -1, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL}; +#endif + +typedef struct { + const char *fname; +} fnames; + +AP_DECLARE(int) ap_is_directory(apr_pool_t *p, const char *path) +{ + apr_finfo_t finfo; + + if (apr_stat(&finfo, path, APR_FINFO_TYPE, p) != APR_SUCCESS) + return 0; /* in error condition, just return no */ + + return (finfo.filetype == APR_DIR); +} + +AP_DECLARE(char *) ap_make_full_path(apr_pool_t *a, const char *src1, + const char *src2) +{ + apr_size_t len1, len2; + char *path; + + len1 = strlen(src1); + len2 = strlen(src2); + /* allocate +3 for '/' delimiter, trailing NULL and overallocate + * one extra byte to allow the caller to add a trailing '/' + */ + path = (char *)apr_palloc(a, len1 + len2 + 3); + if (len1 == 0) { + *path = '/'; + memcpy(path + 1, src2, len2 + 1); + } + else { + char *next; + memcpy(path, src1, len1); + next = path + len1; + if (next[-1] != '/') { + *next++ = '/'; + } + memcpy(next, src2, len2 + 1); + } + return path; +} + +static int fname_alphasort(const void *fn1, const void *fn2) +{ + const fnames *f1 = fn1; + const fnames *f2 = fn2; + + return strcmp(f1->fname,f2->fname); +} + +int fnmatch_test(const char *pattern) +{ + int nesting; + + nesting = 0; + while (*pattern) { + switch (*pattern) { + case '?': + case '*': + return 1; + +/* case '\\': + if (*++pattern == '\0') { + return 0; + } + break;*/ // this breaks on Windows + + case '[': /* '[' is only a glob if it has a matching ']' */ + ++nesting; + break; + + case ']': + if (nesting) { + return 1; + } + break; + } + ++pattern; } + return 0; +} + +AP_DECLARE(const char *) process_resource_config(const char *fname, + apr_array_header_t *ari, + apr_pool_t *ptemp) +{ + *(char **)apr_array_push(ari) = (char *)fname; + + return NULL; +} + +static const char *process_resource_config_nofnmatch(const char *fname, + apr_array_header_t *ari, + apr_pool_t *p, + apr_pool_t *ptemp, + unsigned depth, + int optional) +{ + const char *error; + apr_status_t rv; + + if (ap_is_directory(ptemp, fname)) { + apr_dir_t *dirp; + apr_finfo_t dirent; + int current; + apr_array_header_t *candidates = NULL; + fnames *fnew; + char *path = apr_pstrdup(ptemp, fname); + + if (++depth > 100) { + return apr_psprintf(p, "Directory %s exceeds the maximum include " + "directory nesting level of %u. You have " + "probably a recursion somewhere.", path, + 100); + } + + /* + * first course of business is to grok all the directory + * entries here and store 'em away. Recall we need full pathnames + * for this. + */ + rv = apr_dir_open(&dirp, path, ptemp); + if (rv != APR_SUCCESS) { + char errmsg[120]; + return apr_psprintf(p, "Could not open config directory %s: %s", + path, apr_strerror(rv, errmsg, sizeof errmsg)); + } + + candidates = apr_array_make(ptemp, 1, sizeof(fnames)); + while (apr_dir_read(&dirent, APR_FINFO_DIRENT, dirp) == APR_SUCCESS) { + /* strip out '.' and '..' */ + if (strcmp(dirent.name, ".") + && strcmp(dirent.name, "..")) { + fnew = (fnames *) apr_array_push(candidates); + fnew->fname = ap_make_full_path(ptemp, path, dirent.name); + } + } + + apr_dir_close(dirp); + if (candidates->nelts != 0) { + qsort((void *) candidates->elts, candidates->nelts, + sizeof(fnames), fname_alphasort); + + /* + * Now recurse these... we handle errors and subdirectories + * via the recursion, which is nice + */ + for (current = 0; current < candidates->nelts; ++current) { + fnew = &((fnames *) candidates->elts)[current]; + error = process_resource_config_nofnmatch(fnew->fname, + ari, p, ptemp, + depth, optional); + if (error) { + return error; + } + } + } + + return NULL; + } + + return process_resource_config(fname, ari, ptemp); +} + +static const char *process_resource_config_fnmatch(const char *path, + const char *fname, + apr_array_header_t *ari, + apr_pool_t *p, + apr_pool_t *ptemp, + unsigned depth, + int optional) +{ + const char *rest; + apr_status_t rv; + apr_dir_t *dirp; + apr_finfo_t dirent; + apr_array_header_t *candidates = NULL; + fnames *fnew; + int current; + + /* find the first part of the filename */ + rest = ap_strchr_c(fname, '/'); + + if(rest == NULL) + rest = ap_strchr_c(fname, '\\'); + + if (rest) { + fname = apr_pstrndup(ptemp, fname, rest - fname); + rest++; + } + + /* optimisation - if the filename isn't a wildcard, process it directly */ + if (!fnmatch_test(fname)) { + path = ap_make_full_path(ptemp, path, fname); + if (!rest) { + return process_resource_config_nofnmatch(path, + ari, p, + ptemp, 0, optional); + } + else { + return process_resource_config_fnmatch(path, rest, + ari, p, + ptemp, 0, optional); + } + } + + /* + * first course of business is to grok all the directory + * entries here and store 'em away. Recall we need full pathnames + * for this. + */ + rv = apr_dir_open(&dirp, path, ptemp); + if (rv != APR_SUCCESS) { + char errmsg[120]; + return apr_psprintf(p, "Could not open config directory %s: %s", + path, apr_strerror(rv, errmsg, sizeof errmsg)); + } + + candidates = apr_array_make(ptemp, 1, sizeof(fnames)); + while (apr_dir_read(&dirent, APR_FINFO_DIRENT | APR_FINFO_TYPE, dirp) == APR_SUCCESS) { + /* strip out '.' and '..' */ + if (strcmp(dirent.name, ".") + && strcmp(dirent.name, "..") + && (apr_fnmatch(fname, dirent.name, + APR_FNM_PERIOD | APR_FNM_NOESCAPE | APR_FNM_PATHNAME) == APR_SUCCESS)) { + const char *full_path = ap_make_full_path(ptemp, path, dirent.name); + /* If matching internal to path, and we happen to match something + * other than a directory, skip it + */ + if (rest && (rv == APR_SUCCESS) && (dirent.filetype != APR_DIR)) { + continue; + } + fnew = (fnames *) apr_array_push(candidates); + fnew->fname = full_path; + } + } + + apr_dir_close(dirp); + if (candidates->nelts != 0) { + const char *error; + + qsort((void *) candidates->elts, candidates->nelts, + sizeof(fnames), fname_alphasort); + + /* + * Now recurse these... we handle errors and subdirectories + * via the recursion, which is nice + */ + for (current = 0; current < candidates->nelts; ++current) { + fnew = &((fnames *) candidates->elts)[current]; + if (!rest) { + error = process_resource_config_nofnmatch(fnew->fname, + ari, p, + ptemp, 0, optional); + } + else { + error = process_resource_config_fnmatch(fnew->fname, rest, + ari, p, + ptemp, 0, optional); + } + if (error) { + return error; + } + } + } + else { + + if (!optional) { + return apr_psprintf(p, "No matches for the wildcard '%s' in '%s', failing " + "(use IncludeOptional if required)", fname, path); + } + } + + return NULL; +} + +AP_DECLARE(const char *) process_fnmatch_configs(apr_array_header_t *ari, + const char *fname, + apr_pool_t *p, + apr_pool_t *ptemp, + int optional) +{ + if (!fnmatch_test(fname)) { + return process_resource_config(fname, ari, p); + } + else { + apr_status_t status; + const char *rootpath, *filepath = fname; + + /* locate the start of the directories proper */ + status = apr_filepath_root(&rootpath, &filepath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, ptemp); + + /* we allow APR_SUCCESS and APR_EINCOMPLETE */ + if (APR_ERELATIVE == status) { + return apr_pstrcat(p, "Include must have an absolute path, ", fname, NULL); + } + else if (APR_EBADPATH == status) { + return apr_pstrcat(p, "Include has a bad path, ", fname, NULL); + } + + /* walk the filepath */ + return process_resource_config_fnmatch(rootpath, filepath, ari, p, ptemp, + 0, optional); + } +} + +const char *populate_include_files(apr_pool_t *p, apr_pool_t *ptemp, apr_array_header_t *ari, const char *fname, int optional) +{ + return process_fnmatch_configs(ari, fname, p, ptemp, optional); +} + +const char *process_command_config(server_rec *s, + void *mconfig, + apr_pool_t *p, + apr_pool_t *ptemp, + const char *filename) +{ + const char *errmsg; + char *l = apr_palloc (ptemp, MAX_STRING_LEN); + const char *args = l; + char *cmd_name, *w; + const command_rec *cmd; + apr_array_header_t *arr = apr_array_make(p, 1, sizeof(cmd_parms)); + apr_array_header_t *ari = apr_array_make(p, 1, sizeof(char *)); + cmd_parms *parms; + apr_status_t status; + ap_directive_t *newdir; + int optional; + char *err = NULL; + char *rootpath, *incpath; + int li; + + errmsg = populate_include_files(p, ptemp, ari, filename, 0); + + if(errmsg != NULL) + goto Exit; + + while(ari->nelts != 0 || arr->nelts != 0) + { + if(ari->nelts > 0) + { + char *fn = *(char **)apr_array_pop(ari); + + parms = (cmd_parms *)apr_array_push(arr); + *parms = default_parms; + parms->pool = p; + parms->temp_pool = ptemp; + parms->server = s; + parms->override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT); + parms->override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI; + + status = ap_pcfg_openfile(&parms->config_file, p, fn); + + if(status != APR_SUCCESS) + { + apr_array_pop(arr); + errmsg = apr_pstrcat(p, "Cannot open config file: ", fn, NULL); + goto Exit; + } + } + + if (arr->nelts > 1024) { + errmsg = "Exceeded the maximum include directory nesting level. You have " + "probably a recursion somewhere."; + goto Exit; + } + + parms = (cmd_parms *)apr_array_pop(arr); + + if(parms == NULL) + break; + + while (!(ap_cfg_getline(l, MAX_STRING_LEN, parms->config_file))) { + if (*l == '#' || *l == '\0') + continue; + + args = l; + + cmd_name = ap_getword_conf(p, &args); + + if (*cmd_name == '\0') + continue; + + if (!strcasecmp(cmd_name, "IncludeOptional")) + { + optional = 1; + goto ProcessInclude; + } + + if (!strcasecmp(cmd_name, "Include")) + { + optional = 0; +ProcessInclude: + w = ap_getword_conf(parms->pool, &args); + + if (*w == '\0' || *args != 0) + { + ap_cfg_closefile(parms->config_file); + errmsg = apr_pstrcat(parms->pool, "Include takes one argument", NULL); + goto Exit; + } + + incpath = w; + + /* locate the start of the directories proper */ + status = apr_filepath_root(&rootpath, &incpath, APR_FILEPATH_TRUENAME | APR_FILEPATH_NATIVE, ptemp); + + /* we allow APR_SUCCESS and APR_EINCOMPLETE */ + if (APR_ERELATIVE == status) { + rootpath = apr_pstrdup(ptemp, parms->config_file->name); + li = strlen(rootpath) - 1; + + while(li >= 0 && rootpath[li] != '/' && rootpath[li] != '\\') + rootpath[li--] = 0; + + w = apr_pstrcat(p, rootpath, w, NULL); + } + else if (APR_EBADPATH == status) { + ap_cfg_closefile(parms->config_file); + errmsg = apr_pstrcat(p, "Include file has a bad path, ", w, NULL); + goto Exit; + } + + errmsg = populate_include_files(p, ptemp, ari, w, optional); + + *(cmd_parms *)apr_array_push(arr) = *parms; + + if(errmsg != NULL) + goto Exit; + + // we don't want to close the current file yet + // + parms = NULL; + break; + } + + cmd = ap_find_command(cmd_name, security2_module.cmds); + + if(cmd == NULL) + { + // unknown command, should error + // + ap_cfg_closefile(parms->config_file); + errmsg = apr_pstrcat(p, "Unknown command in config: ", cmd_name, NULL); + goto Exit; + } + + newdir = apr_pcalloc(p, sizeof(ap_directive_t)); + newdir->filename = parms->config_file->name; + newdir->line_num = parms->config_file->line_number; + newdir->directive = cmd_name; + newdir->args = apr_pstrdup(p, args); + + parms->directive = newdir; + +#ifdef WIN32 + // some config commands fail in APR when there are file + // permission issues or other OS-specific problems + // + __try + { +#endif + errmsg = invoke_cmd(cmd, parms, mconfig, args); +#ifdef WIN32 + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + errmsg = "Command failed to execute (check file/folder permissions, syntax, etc.)."; + } +#endif + + if(errmsg != NULL) + break; + } + + if(parms != NULL) + ap_cfg_closefile(parms->config_file); + + if(errmsg != NULL) + break; + } + + if (errmsg) { + err = (char *)apr_palloc(p, 1024); + + if(parms != NULL) + apr_snprintf(err, 1024, "Syntax error in config file %s, line %d: %s", parms->config_file->name, + parms->config_file->line_number, errmsg); + else + apr_snprintf(err, 1024, "Syntax error in config file: %s", errmsg); + } + + errmsg = err; + +Exit: + while((parms = (cmd_parms *)apr_array_pop(arr)) != NULL) + { + ap_cfg_closefile(parms->config_file); + } + + return errmsg; +}

@@ -21,6 +21,7 @@ char *config_file = NULL; +char *url_file = NULL; char *event_files[1024]; int event_file_cnt; char *event_file = NULL; @@ -31,6 +32,11 @@ #define EVENT_FILE_MAX_SIZE (16*1024*1024) +#define MAX_URLS 4096 + +char urls[MAX_URLS][4096]; +int url_cnt = 0; + void readeventfile(char *name) { if(event_file == NULL) @@ -119,6 +125,12 @@ i += 2; continue; } + if(argv[i][1] == 'u' && i < argc - 1) + { + url_file = argv[i + 1]; + i += 2; + continue; + } i++; continue; } @@ -224,7 +236,7 @@ if(config_file == NULL || argc < 3) { printf("Usage:\n"); - printf("standalone.exe -c <config_file> <event_file1> [<event_file2> <event_file3> ...]\n"); + printf("standalone.exe -c <config_file> [-u <text_file_with_urls>] <event_file1> [<event_file2> <event_file3> ...]\n"); return; } @@ -250,133 +262,171 @@ modsecInitProcess(); + if(url_file != NULL) + { + FILE *fr = fopen(url_file, "rb"); + int i = 0; + + while(fgets(urls[i],4096,fr) != NULL) + { + urls[i][4095] = 0; + + int l = strlen(urls[i]) - 1; + + if(l < 8) + continue; + + while(urls[i][l] == 10 || urls[i][l] == 13) + l--; + + urls[i++][l + 1] = 0; + } + + url_cnt = i; + fclose(fr); + } + for(int i = 0; i < event_file_cnt; i++) { - readeventfile(event_files[i]); - parseeventfile(); + if(url_cnt == 0) + { + urls[0][0] = 0; + url_cnt = 1; + } - bodypos = 0; - responsepos = 0; + for(int ui = 0; ui < url_cnt; ui++) + { + readeventfile(event_files[i]); + parseeventfile(); - c = modsecNewConnection(); + bodypos = 0; + responsepos = 0; - modsecProcessConnection(c); + c = modsecNewConnection(); - r = modsecNewRequest(c, config); + modsecProcessConnection(c); - int j = event_file_blocks['B']; + r = modsecNewRequest(c, config); - if(j < 0) - continue; + int j = event_file_blocks['B']; - j++; + if(j < 0) + continue; - if(event_file_lines[j][0] == 0) - continue; + j++; + + if(event_file_lines[j][0] == 0) + continue; - char *method = event_file_lines[j]; - char *url = strchr(method, 32); - char *proto = strchr(url + 1, 32); + char *method = event_file_lines[j]; + char *url = strchr(method, 32); + char *proto = strchr(url + 1, 32); - if(url == NULL || proto == NULL) - continue; + if(url == NULL || proto == NULL) + continue; - *url++=0; - *proto++=0; + *url++=0; + *proto++=0; + + if(urls[ui][0] != 0) + { + url = urls[ui]; + } #define SETMETHOD(m) if(strcmp(method,#m) == 0){ r->method = method; r->method_number = M_##m; } - r->method = "INVALID"; - r->method_number = M_INVALID; + r->method = "INVALID"; + r->method_number = M_INVALID; - SETMETHOD(OPTIONS) - SETMETHOD(GET) - SETMETHOD(POST) - SETMETHOD(PUT) - SETMETHOD(DELETE) - SETMETHOD(TRACE) - SETMETHOD(CONNECT) - SETMETHOD(MOVE) - SETMETHOD(COPY) - SETMETHOD(PROPFIND) - SETMETHOD(PROPPATCH) - SETMETHOD(MKCOL) - SETMETHOD(LOCK) - SETMETHOD(UNLOCK) + SETMETHOD(OPTIONS) + SETMETHOD(GET) + SETMETHOD(POST) + SETMETHOD(PUT) + SETMETHOD(DELETE) + SETMETHOD(TRACE) + SETMETHOD(CONNECT) + SETMETHOD(MOVE) + SETMETHOD(COPY) + SETMETHOD(PROPFIND) + SETMETHOD(PROPPATCH) + SETMETHOD(MKCOL) + SETMETHOD(LOCK) + SETMETHOD(UNLOCK) - r->protocol = proto; + r->protocol = proto; - while(event_file_lines[++j][0] != 0) - { - char *value = strchr(event_file_lines[j], ':'); + while(event_file_lines[++j][0] != 0) + { + char *value = strchr(event_file_lines[j], ':'); - if(value == NULL) - break; + if(value == NULL) + break; - *value++ = 0; + *value++ = 0; - while(*value <=32 && *value != 0) - value++; + while(*value <=32 && *value != 0) + value++; - apr_table_setn(r->headers_in, event_file_lines[j], value); - } + apr_table_setn(r->headers_in, event_file_lines[j], value); + } - r->content_encoding = apr_table_get(r->headers_in, "Content-Encoding"); - r->content_type = apr_table_get(r->headers_in, "Content-Type"); - r->hostname = apr_table_get(r->headers_in, "Host"); - r->path_info = url; + r->content_encoding = apr_table_get(r->headers_in, "Content-Encoding"); + r->content_type = apr_table_get(r->headers_in, "Content-Type"); + r->hostname = apr_table_get(r->headers_in, "Host"); + r->path_info = url; - char *query = strchr(url, '?'); - char *rawurl = url; + char *query = strchr(url, '?'); + char *rawurl = url; - if(query != NULL) - { - rawurl = (char *)apr_palloc(r->pool, strlen(url) + 1); - strcpy(rawurl, url); - *query++ = 0; - r->args = query; - } + if(query != NULL) + { + rawurl = (char *)apr_palloc(r->pool, strlen(url) + 1); + strcpy(rawurl, url); + *query++ = 0; + r->args = query; + } - const char *lng = apr_table_get(r->headers_in, "Content-Languages"); + const char *lng = apr_table_get(r->headers_in, "Content-Languages"); - if(lng != NULL) - { - r->content_languages = apr_array_make(r->pool, 1, sizeof(const char *)); + if(lng != NULL) + { + r->content_languages = apr_array_make(r->pool, 1, sizeof(const char *)); - *(const char **)apr_array_push(r->content_languages) = lng; - } + *(const char **)apr_array_push(r->content_languages) = lng; + } - r->request_time = apr_time_now(); + r->request_time = apr_time_now(); - r->parsed_uri.scheme = "http"; - r->parsed_uri.path = r->path_info; - r->parsed_uri.hostname = (char *)r->hostname; - r->parsed_uri.is_initialized = 1; - r->parsed_uri.port = 80; - r->parsed_uri.port_str = "80"; - r->parsed_uri.query = r->args; - r->parsed_uri.dns_looked_up = 0; - r->parsed_uri.dns_resolved = 0; - r->parsed_uri.password = NULL; - r->parsed_uri.user = NULL; - r->parsed_uri.fragment = NULL; - - r->unparsed_uri = rawurl; - r->uri = r->unparsed_uri; - - r->the_request = (char *)apr_palloc(r->pool, strlen(r->method) + 1 + strlen(r->uri) + 1 + strlen(r->protocol) + 1); - - strcpy(r->the_request, r->method); - strcat(r->the_request, " "); - strcat(r->the_request, r->uri); - strcat(r->the_request, " "); - strcat(r->the_request, r->protocol); - - apr_table_setn(r->subprocess_env, "UNIQUE_ID", "1"); - - modsecProcessRequest(r); - modsecProcessResponse(r); - modsecFinishRequest(r); + r->parsed_uri.scheme = "http"; + r->parsed_uri.path = r->path_info; + r->parsed_uri.hostname = (char *)r->hostname; + r->parsed_uri.is_initialized = 1; + r->parsed_uri.port = 80; + r->parsed_uri.port_str = "80"; + r->parsed_uri.query = r->args; + r->parsed_uri.dns_looked_up = 0; + r->parsed_uri.dns_resolved = 0; + r->parsed_uri.password = NULL; + r->parsed_uri.user = NULL; + r->parsed_uri.fragment = NULL; + + r->unparsed_uri = rawurl; + r->uri = r->unparsed_uri; + + r->the_request = (char *)apr_palloc(r->pool, strlen(r->method) + 1 + strlen(r->uri) + 1 + strlen(r->protocol) + 1); + + strcpy(r->the_request, r->method); + strcat(r->the_request, " "); + strcat(r->the_request, r->uri); + strcat(r->the_request, " "); + strcat(r->the_request, r->protocol); + + apr_table_setn(r->subprocess_env, "UNIQUE_ID", "1"); + + modsecProcessRequest(r); + modsecProcessResponse(r); + modsecFinishRequest(r); + } } modsecTerminate();

@@ -1,7 +1,7 @@ <?xml version="1.0" encoding="utf-8"?> <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> - <LocalDebuggerCommandArguments>-c owasp_crs\modsecurity_iis.conf d:\test.dat</LocalDebuggerCommandArguments> + <LocalDebuggerCommandArguments>-c d:\temp\antixss.conf -u d:\temp\modsec_urls.txt d:\temp\test1.dat</LocalDebuggerCommandArguments> <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor> <LocalDebuggerCommand>$(TargetPath)</LocalDebuggerCommand> <LocalDebuggerAttach>false</LocalDebuggerAttach>

@@ -9,8 +9,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:1,pass" - SecAction "phase:1,deny" + SecAction "phase:1,pass,id:500033" + SecAction "phase:1,deny,id:500034" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction/, 1 ], @@ -30,8 +30,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:2,pass" - SecAction "phase:2,deny" + SecAction "phase:2,pass,id:500035" + SecAction "phase:2,deny,id:500036" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction/, 1 ], @@ -53,8 +53,8 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:3,pass" - SecAction "phase:3,deny" + SecAction "phase:3,pass,id:500037" + SecAction "phase:3,deny,id:500038" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction/, 1 ], @@ -76,8 +76,8 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:4,pass" - SecAction "phase:4,deny" + SecAction "phase:4,pass,id:500039" + SecAction "phase:4,deny,id:500040" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction/, 1 ], @@ -99,8 +99,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:1,allow" - SecAction "phase:1,deny" + SecAction "phase:1,allow,id:500041" + SecAction "phase:1,deny,id:500042" ), match_log => { error => [ qr/ModSecurity: Access allowed $phase 1$. Unconditional match in SecAction/, 1 ], @@ -120,8 +120,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:2,allow" - SecAction "phase:2,deny" + SecAction "phase:2,allow,id:500043" + SecAction "phase:2,deny,id:500044" ), match_log => { error => [ qr/ModSecurity: Access allowed $phase 2$. Unconditional match in SecAction/, 1 ], @@ -143,8 +143,8 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:3,allow" - SecAction "phase:3,deny" + SecAction "phase:3,allow,id:500045" + SecAction "phase:3,deny,id:500046" ), match_log => { error => [ qr/ModSecurity: Access allowed $phase 3$. Unconditional match in SecAction/, 1 ], @@ -166,8 +166,8 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:4,allow" - SecAction "phase:4,deny" + SecAction "phase:4,allow,id:500047" + SecAction "phase:4,deny,id:500048" ), match_log => { error => [ qr/ModSecurity: Access allowed $phase 4$. Unconditional match in SecAction/, 1 ], @@ -189,7 +189,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:1,deny" + SecAction "phase:1,deny,id:500049" ), match_log => { error => [ qr/Access denied with code 403 $phase 1$. Unconditional match in SecAction./, 1 ], @@ -209,7 +209,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:2,deny" + SecAction "phase:2,deny,id:500050" ), match_log => { error => [ qr/Access denied with code 403 $phase 2$. Unconditional match in SecAction./, 1 ], @@ -231,7 +231,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:3,deny" + SecAction "phase:3,deny,id:500051" ), match_log => { error => [ qr/Access denied with code 403 $phase 3$. Unconditional match in SecAction./, 1 ], @@ -253,7 +253,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:4,deny" + SecAction "phase:4,deny,id:500052" ), match_log => { error => [ qr/Access denied with code 403 $phase 4$. Unconditional match in SecAction./, 1 ], @@ -275,7 +275,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:1,drop" + SecAction "phase:1,drop,id:500053" ), match_log => { error => [ qr/Access denied with connection close $phase 1$. Unconditional match in SecAction./, 1 ], @@ -295,7 +295,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:2,drop" + SecAction "phase:2,drop,id:500054" ), match_log => { error => [ qr/Access denied with connection close $phase 2$. Unconditional match in SecAction./, 1 ], @@ -317,7 +317,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:3,drop" + SecAction "phase:3,drop,id:500055" ), match_log => { error => [ qr/Access denied with connection close $phase 3$. Unconditional match in SecAction./, 1 ], @@ -339,7 +339,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:4,drop" + SecAction "phase:4,drop,id:500056" ), match_log => { error => [ qr/Access denied with connection close $phase 4$. Unconditional match in SecAction./, 1 ], @@ -361,7 +361,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500001" ), match_log => { error => [ qr/ModSecurity: Access denied with redirection to .* using status 302 $phase 1$/, 1 ], @@ -382,7 +382,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500002" ), match_log => { error => [ qr/ModSecurity: Access denied with redirection to .* using status 302 $phase 2$/, 1 ], @@ -405,7 +405,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500003" ), match_log => { error => [ qr/ModSecurity: Access denied with redirection to .* using status 302 $phase 3$/, 1 ], @@ -428,7 +428,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500004" ), match_log => { error => [ qr/ModSecurity: Access denied with redirection to .* using status 302 $phase 4$/, 1 ], @@ -451,7 +451,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500005" ), match_log => { error => [ qr/ModSecurity: Access denied using proxy to $phase 1$/, 1 ], @@ -472,7 +472,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500006" ), match_log => { error => [ qr/ModSecurity: Access denied using proxy to $phase 2$/, 1 ], @@ -495,7 +495,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500007" ), match_log => { error => [ qr/ModSecurity: Access denied with code 500 $phase 3$ $Configuration Error: Proxy action requested but it does not work in output phases$./, 1 ], @@ -517,7 +517,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500008" ), match_log => { error => [ qr/ModSecurity: Access denied with code 500 $phase 4$ $Configuration Error: Proxy action requested but it does not work in output phases$./, 1 ],

@@ -9,8 +9,8 @@ SecContentInjection On SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 9 - SecAction "phase:1,setvar:tx.test=test" - SecAction "phase:2,append:'APPEND: \%{tx.test}'" + SecAction "phase:1,setvar:tx.test=test,id:500002" + SecAction "phase:2,append:'APPEND: \%{tx.test}',id:500003" ), match_log => { debug => [ "Added content to bottom: APPEND: test", 1 ], @@ -33,8 +33,8 @@ SecContentInjection On SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 9 - SecAction "phase:1,setvar:tx.test=test" - SecAction "phase:2,prepend:'PREPEND: \%{tx.test}'" + SecAction "phase:1,setvar:tx.test=test,id:500004" + SecAction "phase:2,prepend:'PREPEND: \%{tx.test}',id:500005" ), match_log => { debug => [ "Added content to top: PREPEND: test", 1 ],

@@ -7,7 +7,7 @@ conf => qq( SecRuleEngine On SecAction "phase:2,id:666,deny" - SecAction "phase:1,pass,ctl:ruleRemoveById=666" + SecAction "phase:1,pass,ctl:ruleRemoveById=666,id:500030" ), match_log => { }, @@ -23,7 +23,7 @@ comment => "ruleRemoveById future rule across phases", conf => qq( SecRuleEngine On - SecAction "phase:1,pass,ctl:ruleRemoveById=666" + SecAction "phase:1,pass,ctl:ruleRemoveById=666,id:500031" SecAction "phase:2,id:666,deny" ), match_log => { @@ -40,7 +40,7 @@ comment => "ruleRemoveById future rule same phase", conf => qq( SecRuleEngine On - SecAction "phase:1,pass,ctl:ruleRemoveById=666" + SecAction "phase:1,pass,ctl:ruleRemoveById=666,id:500032" SecAction "phase:1,id:666,deny" ), match_log => {

@@ -11,8 +11,8 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 9 - SecAction "phase:1,pass,msg:'PASSED'" - SecAction "phase:1,deny,msg:'DENIED'" + SecAction "phase:1,pass,msg:'PASSED',id:500057" + SecAction "phase:1,deny,msg:'DENIED',id:500058" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.*PASSED/, 1 ], @@ -32,8 +32,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:2,pass,msg:'PASSED'" - SecAction "phase:2,deny,msg:'DENIED'" + SecAction "phase:2,pass,msg:'PASSED',id:500059" + SecAction "phase:2,deny,msg:'DENIED',id:500060" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.*PASSED/, 1 ], @@ -55,8 +55,8 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:3,pass,msg:'PASSED'" - SecAction "phase:3,deny,msg:'DENIED'" + SecAction "phase:3,pass,msg:'PASSED',id:500061" + SecAction "phase:3,deny,msg:'DENIED',id:500062" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.*PASSED/, 1 ], @@ -78,8 +78,8 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:4,pass,msg:'PASSED'" - SecAction "phase:4,deny,msg:'DENIED'" + SecAction "phase:4,pass,msg:'PASSED',id:500063" + SecAction "phase:4,deny,msg:'DENIED',id:500064" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.*PASSED/, 1 ], @@ -101,8 +101,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:1,allow,msg:'ALLOWED'" - SecAction "phase:1,deny,msg:'DENIED'" + SecAction "phase:1,allow,msg:'ALLOWED',id:500065" + SecAction "phase:1,deny,msg:'DENIED',id:500066" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.*ALLOWED/, 1 ], @@ -125,8 +125,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:2,allow,msg:'ALLOWED'" - SecAction "phase:2,deny,msg:'DENIED'" + SecAction "phase:2,allow,msg:'ALLOWED',id:500067" + SecAction "phase:2,deny,msg:'DENIED',id:500068" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.*ALLOWED/, 1 ], @@ -149,8 +149,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:3,allow,msg:'ALLOWED'" - SecAction "phase:3,deny,msg:'DENIED'" + SecAction "phase:3,allow,msg:'ALLOWED',id:500069" + SecAction "phase:3,deny,msg:'DENIED',id:500070" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.*ALLOWED/, 1 ], @@ -173,8 +173,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:4,allow,msg:'ALLOWED'" - SecAction "phase:4,deny,msg:'DENIED'" + SecAction "phase:4,allow,msg:'ALLOWED',id:500071" + SecAction "phase:4,deny,msg:'DENIED',id:500072" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.*ALLOWED/, 1 ], @@ -199,7 +199,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:1,deny,msg:'DENIED'" + SecAction "phase:1,deny,msg:'DENIED',id:500073" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.*DENIED/, 1 ], @@ -220,7 +220,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:2,deny,msg:'DENIED'" + SecAction "phase:2,deny,msg:'DENIED',id:500074" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.*DENIED/, 1 ], @@ -241,7 +241,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:3,deny,msg:'DENIED'" + SecAction "phase:3,deny,msg:'DENIED',id:500075" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.*DENIED/, 1 ], @@ -262,7 +262,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:4,deny,msg:'DENIED'" + SecAction "phase:4,deny,msg:'DENIED',id:500076" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.*DENIED/, 1 ], @@ -285,7 +285,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:1,drop,msg:'DROPPED'" + SecAction "phase:1,drop,msg:'DROPPED',id:500077" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.*DROPPED/, 1 ], @@ -306,7 +306,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:2,drop,msg:'DROPPED'" + SecAction "phase:2,drop,msg:'DROPPED',id:500078" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.*DROPPED/, 1 ], @@ -327,7 +327,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:3,drop,msg:'DROPPED'" + SecAction "phase:3,drop,msg:'DROPPED',id:500079" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.*DROPPED/, 1 ], @@ -348,7 +348,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:4,drop,msg:'DROPPED'" + SecAction "phase:4,drop,msg:'DROPPED',id:500080" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.*DROPPED/, 1 ], @@ -371,7 +371,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'REDIRECTED'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'REDIRECTED',id:500009" ), match_log => { error => [ qr/ModSecurity: Warning. String match "\/test2.txt" at REQUEST_URI.*REDIRECTED/, 1 ], @@ -393,7 +393,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'REDIRECTED'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'REDIRECTED',id:500010" ), match_log => { error => [ qr/ModSecurity: Warning. String match "\/test2.txt" at REQUEST_URI.*REDIRECTED/, 1 ], @@ -415,7 +415,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'REDIRECTED'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'REDIRECTED',id:500011" ), match_log => { error => [ qr/ModSecurity: Warning. String match "\/test2.txt" at REQUEST_URI.*REDIRECTED/, 1 ], @@ -437,7 +437,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'REDIRECTED'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'REDIRECTED',id:500012" ), match_log => { error => [ qr/ModSecurity: Warning. String match "\/test2.txt" at REQUEST_URI.*REDIRECTED/, 1 ], @@ -461,7 +461,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'PROXIED'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'PROXIED',id:500013" ), match_log => { error => [ qr/ModSecurity: Warning. String match "\/test2.txt" at REQUEST_URI.*PROXIED/, 1 ], @@ -483,7 +483,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'PROXIED'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'PROXIED',id:500014" ), match_log => { error => [ qr/ModSecurity: Warning. String match "\/test2.txt" at REQUEST_URI.*PROXIED/, 1 ], @@ -507,7 +507,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'PROXIED'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'PROXIED',id:500015" ), match_log => { error => [ qr/ModSecurity: Warning. String match "\/test2.txt" at REQUEST_URI.*PROXIED/, 1 ], @@ -530,7 +530,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'PROXIED'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'PROXIED',id:500016" ), match_log => { error => [ qr/ModSecurity: Warning. String match "\/test2.txt" at REQUEST_URI.*PROXIED/, 1 ],

@@ -11,7 +11,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,log" + SecAction "phase:1,pass,log,id:500006" ), match_log => { error => [ qr/ModSecurity: Warning\. Unconditional match in SecAction\./, 1 ], @@ -34,7 +34,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,nolog" + SecAction "phase:1,pass,nolog,id:500007" ), match_log => { -error => [ qr/ModSecurity: /, 1 ], @@ -59,7 +59,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,log" + SecAction "phase:1,deny,status:403,log,id:500008" ), match_log => { error => [ qr/ModSecurity: Access denied with code 403 $phase 1$\. Unconditional match in SecAction\./, 1 ], @@ -82,7 +82,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,nolog" + SecAction "phase:1,deny,status:403,nolog,id:500009" ), match_log => { -error => [ qr/ModSecurity: /, 1 ], @@ -107,7 +107,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,auditlog" + SecAction "phase:1,pass,auditlog,id:500010" ), match_log => { error => [ qr/ModSecurity: Warning\. Unconditional match in SecAction\./, 1 ], @@ -130,7 +130,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,noauditlog" + SecAction "phase:1,pass,noauditlog,id:500011" ), match_log => { error => [ qr/ModSecurity: Warning\. Unconditional match in SecAction\./, 1 ], @@ -155,7 +155,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,auditlog" + SecAction "phase:1,deny,status:403,auditlog,id:500012" ), match_log => { error => [ qr/ModSecurity: Access denied with code 403 $phase 1$\. Unconditional match in SecAction\./, 1 ], @@ -178,7 +178,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,noauditlog" + SecAction "phase:1,deny,status:403,noauditlog,id:500013" ), match_log => { error => [ qr/ModSecurity: Access denied with code 403 $phase 1$\. Unconditional match in SecAction\./, 1 ], @@ -203,7 +203,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,log,auditlog" + SecAction "phase:1,pass,log,auditlog,id:500014" ), match_log => { error => [ qr/ModSecurity: Warning\. Unconditional match in SecAction\./, 1 ], @@ -226,7 +226,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,log,noauditlog" + SecAction "phase:1,pass,log,noauditlog,id:500015" ), match_log => { error => [ qr/ModSecurity: Warning\. Unconditional match in SecAction\./, 1 ], @@ -249,7 +249,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,nolog,auditlog" + SecAction "phase:1,pass,nolog,auditlog,id:500016" ), match_log => { audit => [ qr/-H--\s+Message: .*Stopwatch: /s, 1 ], @@ -271,7 +271,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,nolog,noauditlog" + SecAction "phase:1,pass,nolog,noauditlog,id:500017" ), match_log => { -error => [ qr/ModSecurity: /, 1 ], @@ -294,7 +294,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,auditlog,log" + SecAction "phase:1,pass,auditlog,log,id:500018" ), match_log => { error => [ qr/ModSecurity: Warning\. Unconditional match in SecAction\./, 1 ], @@ -317,7 +317,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,auditlog,nolog" + SecAction "phase:1,pass,auditlog,nolog,id:500019" ), match_log => { -error => [ qr/ModSecurity: /, 1 ], @@ -340,7 +340,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,noauditlog,log" + SecAction "phase:1,pass,noauditlog,log,id:500020" ), match_log => { error => [ qr/ModSecurity: Warning\. Unconditional match in SecAction\./, 1 ], @@ -363,7 +363,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,noauditlog,nolog" + SecAction "phase:1,pass,noauditlog,nolog,id:500021" ), match_log => { -error => [ qr/ModSecurity: /, 1 ], @@ -388,7 +388,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,log,auditlog" + SecAction "phase:1,deny,status:403,log,auditlog,id:500022" ), match_log => { error => [ qr/ModSecurity: Access denied with code 403 $phase 1$\. Unconditional match in SecAction\./, 1 ], @@ -411,7 +411,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,log,noauditlog" + SecAction "phase:1,deny,status:403,log,noauditlog,id:500023" ), match_log => { error => [ qr/ModSecurity: Access denied with code 403 $phase 1$\. Unconditional match in SecAction\./, 1 ], @@ -434,7 +434,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,nolog,auditlog" + SecAction "phase:1,deny,status:403,nolog,auditlog,id:500024" ), match_log => { audit => [ qr/-H--\s+Message: .*Stopwatch: /s, 1 ], @@ -457,7 +457,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,nolog,noauditlog" + SecAction "phase:1,deny,status:403,nolog,noauditlog,id:500025" ), match_log => { -error => [ qr/ModSecurity: /, 1 ], @@ -480,7 +480,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,auditlog,log" + SecAction "phase:1,deny,status:403,auditlog,log,id:500026" ), match_log => { error => [ qr/ModSecurity: Access denied with code 403 $phase 1$\. Unconditional match in SecAction\./, 1 ], @@ -503,7 +503,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,auditlog,nolog" + SecAction "phase:1,deny,status:403,auditlog,nolog,id:500027" ), match_log => { -error => [ qr/ModSecurity: /, 1 ], @@ -526,7 +526,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,noauditlog,log" + SecAction "phase:1,deny,status:403,noauditlog,log,id:500028" ), match_log => { error => [ qr/ModSecurity: Access denied with code 403 $phase 1$\. Unconditional match in SecAction\./, 1 ], @@ -549,7 +549,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,noauditlog,nolog" + SecAction "phase:1,deny,status:403,noauditlog,nolog,id:500029" ), match_log => { -error => [ qr/ModSecurity: /, 1 ],

@@ -46,7 +46,7 @@ SecDebugLogLevel 9 SecResponseBodyAccess On SecDefaultAction "phase:2,log,auditlog,pass" - SecRule REQUEST_URI "." "phase:4,deny" + SecRule REQUEST_URI "." "phase:4,deny,id:500251" ), match_log => { audit => [ qr/./, 1 ], @@ -246,7 +246,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecAuditLogParts "ABCDEFGHIJKZ" - SecAction "phase:4,log,auditlog,allow" + SecAction "phase:4,log,auditlog,allow,id:500086" ), match_log => { audit => [ qr/-A--.*-B--.*-C--.*-F--.*-E--.*-H--.*-K--.*-Z--/s, 1 ],

@@ -40,7 +40,7 @@ SecRuleEngine On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 0 - SecRule REQUEST_URI "." "phase:1,deny" + SecRule REQUEST_URI "." "phase:1,deny,id:500241" ), match_log => { -debug => [ qr/./, 1 ], @@ -60,7 +60,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 1 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500242" ), match_log => { debug => [ qr/\]\[[1]\] /, 1 ], @@ -85,7 +85,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 2 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500243" ), match_log => { debug => [ qr/\]\[2\] /, 1 ], @@ -110,7 +110,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 3 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500244" ), match_log => { debug => [ qr/\]\[3\] /, 1 ], @@ -135,7 +135,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 4 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500245" ), match_log => { debug => [ qr/\]\[4\] /, 1 ], @@ -160,7 +160,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 5 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500246" ), match_log => { debug => [ qr/\]\[5\] /, 1 ], @@ -185,7 +185,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 6 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500247" ), match_log => { debug => [ qr/\]\[6\] /, 1 ], @@ -210,7 +210,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 7 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500248" ), match_log => { debug => [ qr/\]\[7\] /, 1 ], @@ -235,7 +235,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 8 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500249" ), match_log => { debug => [ qr/\]\[8\] /, 1 ], @@ -260,7 +260,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500250" ), match_log => { debug => [ qr/\]\[9\] /, 1 ],

@@ -13,7 +13,7 @@ conf => qq( SecRuleEngine on SecDefaultAction "phase:1,deny,status:500" - SecRule REQUEST_URI "test.txt" + SecRule REQUEST_URI "test.txt,id:500240" ), match_log => { error => [ qr/ModSecurity: Access denied with code 500 $phase 1$/, 1 ], @@ -52,7 +52,7 @@ conf => qq( SecRuleEngine On SecDataDir "$ENV{DATA_DIR}" - SecAction initcol:ip=%{REMOTE_ADDR},setvar:ip.dummy=1,pass + SecAction initcol:ip=%{REMOTE_ADDR},setvar:ip.dummy=1,pass,id:500085 ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction\./, 1 ],

@@ -7,8 +7,8 @@ conf => q( SecRuleEngine On SecArgumentSeparator ";" - SecRule ARGS:a "@streq 1" "phase:1,deny,chain" - SecRule ARGS:b "@streq 2" + SecRule ARGS:a "@streq 1" "phase:1,deny,chain,id:500215" + SecRule ARGS:b "@streq 2,id:500216" ), match_log => { error => [ qr/Access denied with code 403 $phase 1$\. String match "2" at ARGS:b\./, 1 ], @@ -25,8 +25,8 @@ comment => "SecArgumentSeparator (get-neg)", conf => q( SecRuleEngine On - SecRule ARGS:a "@streq 1" "phase:1,deny,chain" - SecRule ARGS:b "@streq 2" + SecRule ARGS:a "@streq 1" "phase:1,deny,chain,id:500217" + SecRule ARGS:b "@streq 2,id:500218" ), match_log => { -error => [ qr/Access denied/, 1 ], @@ -45,8 +45,8 @@ SecRuleEngine On SecRequestBodyAccess On SecArgumentSeparator ";" - SecRule ARGS:a "@streq 1" "phase:2,deny,chain" - SecRule ARGS:b "@streq 2" + SecRule ARGS:a "@streq 1" "phase:2,deny,chain,id:500219" + SecRule ARGS:b "@streq 2,id:500220" ), match_log => { error => [ qr/Access denied with code 403 $phase 2$\. String match "2" at ARGS:b\./, 1 ], @@ -68,8 +68,8 @@ conf => q( SecRuleEngine On SecRequestBodyAccess On - SecRule ARGS:a "@streq 1" "phase:2,deny" - SecRule ARGS:b "@streq 2" "phase:2,deny" + SecRule ARGS:a "@streq 1" "phase:2,deny,id:500221" + SecRule ARGS:b "@streq 2" "phase:2,deny,id:500222" ), match_log => { -error => [ qr/Access denied/, 1 ], @@ -93,8 +93,8 @@ conf => qq( SecRuleEngine On SecRequestBodyAccess On - SecRule ARGS:a "\@streq 1" "phase:2,deny,chain" - SecRule ARGS:b "\@streq 2" + SecRule ARGS:a "\@streq 1" "phase:2,deny,chain,id:500223" + SecRule ARGS:b "\@streq 2,id:500224" ), match_log => { error => [ qr/Access denied with code 403 $phase 2$\. String match "2" at ARGS:b\./, 1 ], @@ -116,8 +116,8 @@ conf => qq( SecRuleEngine On SecRequestBodyAccess Off - SecRule ARGS:a "\@streq 1" "phase:2,deny" - SecRule ARGS:b "\@streq 2" "phase:2,deny" + SecRule ARGS:a "\@streq 1" "phase:2,deny,id:500225" + SecRule ARGS:b "\@streq 2" "phase:2,deny,id:500226" ), match_log => { -error => [ qr/Access denied/, 1 ], @@ -269,8 +269,8 @@ SecRequestBodyAccess On SecRequestBodyLimit 5 - SecAction "phase:1,pass,nolog,ctl:ruleEngine=off" - SecRule REQUEST_BODY "." "phase:2,deny" + SecAction "phase:1,pass,nolog,ctl:ruleEngine=off,id:500081" + SecRule REQUEST_BODY "." "phase:2,deny,id:500227" ), match_log => { -error => [ qr/Request body .*is larger than the configured limit/, 1 ], @@ -294,8 +294,8 @@ SecRequestBodyAccess On SecRequestBodyLimit 5 - SecAction "phase:1,pass,nolog,ctl:requestBodyAccess=off" - SecRule REQUEST_BODY "." "phase:2,deny" + SecAction "phase:1,pass,nolog,ctl:requestBodyAccess=off,id:500082" + SecRule REQUEST_BODY "." "phase:2,deny,id:500228" ), match_log => { -error => [ qr/Request body .*is larger than the configured limit/, 1 ], @@ -319,8 +319,8 @@ SecRequestBodyAccess On SecRequestBodyLimit 256 - SecAction "phase:1,pass,nolog,ctl:ruleEngine=off" - SecRule REQUEST_BODY "." "phase:2,deny" + SecAction "phase:1,pass,nolog,ctl:ruleEngine=off,id:500083" + SecRule REQUEST_BODY "." "phase:2,deny,id:500229" ), match_log => { -error => [ qr/Request body .*is larger than the configured limit/, 1 ], @@ -363,8 +363,8 @@ SecRequestBodyAccess On SecRequestBodyLimit 256 - SecAction "phase:1,pass,nolog,ctl:requestBodyAccess=off" - SecRule REQUEST_BODY "." "phase:2,deny" + SecAction "phase:1,pass,nolog,ctl:requestBodyAccess=off,id:500084" + SecRule REQUEST_BODY "." "phase:2,deny,id:500230" ), match_log => { -error => [ qr/Request body .*is larger than the configured limit $256$\./, 1 ], @@ -499,9 +499,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 5 SecCookieFormat 1 - SecRule REQUEST_COOKIES_NAMES "\@streq SESSIONID" "phase:1,deny,chain" - SecRule REQUEST_COOKIES:\$SESSIONID_PATH "\@streq /" "chain" - SecRule REQUEST_COOKIES:SESSIONID "\@streq cookieval" + SecRule REQUEST_COOKIES_NAMES "\@streq SESSIONID" "phase:1,deny,chain,id:500231" + SecRule REQUEST_COOKIES:\$SESSIONID_PATH "\@streq /" "chain,id:500232" + SecRule REQUEST_COOKIES:SESSIONID "\@streq cookieval,id:500233" ), match_log => { error => [ qr/Access denied with code 403 $phase 1$\. String match "cookieval" at REQUEST_COOKIES:SESSIONID\./, 1 ], @@ -526,9 +526,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 5 SecCookieFormat 0 - SecRule REQUEST_COOKIES_NAMES "\@streq SESSIONID" "phase:1,deny,chain" - SecRule REQUEST_COOKIES:\$SESSIONID_PATH "\@streq /" "chain" - SecRule REQUEST_COOKIES:SESSIONID "\@streq cookieval" + SecRule REQUEST_COOKIES_NAMES "\@streq SESSIONID" "phase:1,deny,chain,id:500234" + SecRule REQUEST_COOKIES:\$SESSIONID_PATH "\@streq /" "chain,id:500235" + SecRule REQUEST_COOKIES:SESSIONID "\@streq cookieval,id:500236" ), match_log => { -error => [ qr/Access denied/, 1 ],

@@ -10,7 +10,7 @@ SecResponseBodyMimeTypesClear SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule RESPONSE_BODY "TEST" "phase:4,deny" + SecRule RESPONSE_BODY "TEST" "phase:4,deny,id:500237" ), match_log => { -error => [ qr/Access denied/, 1 ], @@ -34,7 +34,7 @@ SecDebugLogLevel 9 SecResponseBodyAccess On SecResponseBodyMimeType text/plain null - SecRule RESPONSE_BODY "TEST" "phase:4,deny" + SecRule RESPONSE_BODY "TEST" "phase:4,deny,id:500238" ), match_log => { error => [ qr/Access denied with code 403 $phase 4$\. Pattern match "TEST" at RESPONSE_BODY\./, 1 ], @@ -55,7 +55,7 @@ SecDebugLogLevel 9 SecResponseBodyAccess Off SecResponseBodyMimeType text/plain null - SecRule RESPONSE_BODY "TEST" "phase:4,deny" + SecRule RESPONSE_BODY "TEST" "phase:4,deny,id:500239" ), match_log => { -error => [ qr/Access denied/, 1 ],

@@ -9,9 +9,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500055" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500056" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500057" ), match_log => { debug => [ qr/Added file part [0-9a-h]+ to the list: name "image" file name "image.jpg" $offset 258, length 10$.*Adding request argument $BODY$: name "name", value "Brian Rectanus".*Adding request argument $BODY$: name "email", value "brian.rectanus\@breach.com"/s, 1 ], @@ -55,9 +55,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500058" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500059" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500060" ), match_log => { debug => [ qr/Adding request argument $BODY$: name "a", value "1".*Adding request argument $BODY$: name "b", value "2"/s, 1 ], @@ -97,9 +97,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500061" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500062" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500063" ), match_log => { debug => [ qr/Adding request argument $BODY$: name "a", value "1".*Adding request argument $BODY$: name "b", value "2"/s, 1 ], @@ -138,9 +138,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500064" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500065" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500066" ), match_log => { debug => [ qr/Adding request argument $BODY$: name "a", value "1".*Adding request argument $BODY$: name "b", value "2"/s, 1 ], @@ -181,9 +181,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500067" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500068" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500069" ), match_log => { debug => [ qr/Adding request argument $BODY$: name "a", value "1".*Adding request argument $BODY$: name "b", value "2"/s, 1 ], @@ -223,8 +223,8 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500070" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500071" ), match_log => { debug => [ qr/Adding request argument $BODY$: name "a", value "--test".*Adding request argument $BODY$: name "b", value "--"/s, 1 ], @@ -420,8 +420,8 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "!\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,id:500072" + SecRule REQBODY_PROCESSOR_ERROR "!\@eq 1" "phase:2,deny,id:500073" ), match_log => { debug => [ qr/name: a.*variable: 1.*Invalid part header $header name missing$/s, 1 ], @@ -462,10 +462,10 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 0" "phase:2,deny,status:403" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403" + SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403,id:500074" + SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403,id:500075" + SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 0" "phase:2,deny,status:403,id:500076" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403,id:500077" ), match_log => { debug => [ qr/name: a.*variable: 1.*name: b.*variable: 2/s, 1 ], @@ -503,10 +503,10 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 0" "phase:2,deny,status:403" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403" + SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403,id:500078" + SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403,id:500079" + SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 0" "phase:2,deny,status:403,id:500080" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403,id:500081" ), match_log => { debug => [ qr/name: a.*variable: 1.*name: b.*variable: 2/s, 1 ], @@ -544,10 +544,10 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 0" "phase:2,deny,status:403" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403" + SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403,id:500082" + SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403,id:500083" + SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 0" "phase:2,deny,status:403,id:500084" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403,id:500085" ), match_log => { debug => [ qr/name: a.*variable: 1.*name: b.*variable: 2/s, 1 ], @@ -584,10 +584,10 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403" + SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403,id:500086" + SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403,id:500087" + SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403,id:500088" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403,id:500089" ), match_log => { debug => [ qr/name: a.*variable: 1.*name: b.*variable: 2/s, 1 ], @@ -624,10 +624,10 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403" + SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403,id:500090" + SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403,id:500091" + SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403,id:500092" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403,id:500093" ), match_log => { debug => [ qr/name: a.*variable: 1.*name: b.*variable: 2/s, 1 ], @@ -666,7 +666,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_DATA_AFTER "\@eq 1" "phase:2,deny,status:403" + SecRule MULTIPART_DATA_AFTER "\@eq 1" "phase:2,deny,status:403,id:500094" ), match_log => { debug => [ qr/name: a.*variable: 1.*Ignoring data after last boundary/s, 1 ], @@ -706,9 +706,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny" - SecRule MULTIPART_INVALID_QUOTING "!\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "chain,phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,id:500095" + SecRule MULTIPART_INVALID_QUOTING "!\@eq 1" "phase:2,deny,id:500096" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "chain,phase:2,deny,id:500097" ), match_log => { debug => [ qr/name: a.*variable: 1.*Duplicate Content-Disposition name/s, 1 ], @@ -748,9 +748,9 @@ conf => qq( SecRuleEngine On SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500098" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500099" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500100" ), match_log => { error => [ qr/Invalid boundary in C-T $malformed$/, 1 ], @@ -795,9 +795,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500101" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500102" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500103" ), match_log => { }, @@ -842,9 +842,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500104" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500105" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500106" ), match_log => { error => [ qr/Invalid boundary in C-T $case sensitivity$/, 1 ], @@ -889,9 +889,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500107" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500108" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500109" ), match_log => { error => [ qr/Invalid boundary in C-T $parameter name$/, 1 ], @@ -938,9 +938,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500110" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500111" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500112" ), match_log => { debug => [ qr/Multiple boundary parameters in C-T/, 1 ], @@ -985,9 +985,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500113" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500114" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500115" ), match_log => { debug => [ qr/Multiple boundary parameters in C-T/, 1 ], @@ -1032,9 +1032,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500116" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500117" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500118" ), match_log => { }, @@ -1078,9 +1078,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500119" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500120" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500121" ), match_log => { debug => [ qr/boundary whitespace in C-T header/, 1 ], @@ -1125,9 +1125,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500122" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500123" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500124" ), match_log => { debug => [ qr/Added file part [0-9a-h]+ to the list: name "image" file name "image.jpg" $offset 258, length 10$.*Adding request argument $BODY$: name "name", value "Brian Rectanus".*Adding request argument $BODY$: name "email", value "brian.rectanus\@breach.com"/s, 1 ], @@ -1174,9 +1174,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500125" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500126" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500127" ), match_log => { debug => [ qr/No boundaries found in payload/, 1 ], @@ -1220,9 +1220,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500128" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500129" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500130" ), match_log => { debug => [ qr/Invalid boundary in C-T $characters$/, 1 ], @@ -1269,9 +1269,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500131" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500132" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500133" ), match_log => { debug => [ qr/boundary was quoted/, 1 ], @@ -1316,9 +1316,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500134" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500135" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500136" ), match_log => { debug => [ qr/boundary was quoted.*No boundaries found in payload/s, 1 ], @@ -1363,9 +1363,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500137" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500138" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500139" ), match_log => { debug => [ qr/boundary was quoted.*No boundaries found in payload/s, 1 ], @@ -1409,9 +1409,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500140" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500141" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500142" ), match_log => { debug => [ qr/boundary was quoted/s, 1 ], @@ -1456,9 +1456,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500143" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500144" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500145" ), match_log => { debug => [ qr/Invalid boundary in C-T $characters$/, 1 ], @@ -1502,9 +1502,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500146" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500147" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500148" ), match_log => { debug => [ qr/Invalid boundary in C-T $characters$/, 1 ], @@ -1548,9 +1548,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500149" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500150" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500151" ), match_log => { debug => [ qr/Invalid boundary in C-T $quote$/, 1 ], @@ -1594,9 +1594,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500152" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500153" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500154" ), match_log => { debug => [ qr/Invalid boundary in C-T $quote$/, 1 ], @@ -1639,9 +1639,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500155" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500156" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500157" ), match_log => { debug => [ qr/Invalid Content-Disposition header/, 1 ], @@ -1692,9 +1692,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500158" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500159" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500160" ), match_log => { debug => [ qr/Part missing Content-Disposition header/, 1 ], @@ -1752,20 +1752,20 @@ SecUploadFileLimit 2 # These should be set - SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny" - SecRule MULTIPART_FILE_LIMIT_EXCEEDED "!\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,id:500161" + SecRule MULTIPART_FILE_LIMIT_EXCEEDED "!\@eq 1" "phase:2,deny,id:500162" # This should not be set - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500163" # Theses should still be accurate - SecRule &FILES "!\@eq 3" "phase:2,deny" - SecRule &FILES_NAMES "!\@eq 3" "phase:2,deny" - SecRule &FILES_SIZES "!\@eq 3" "phase:2,deny" - SecRule FILES_SIZES:/^image/ "\@eq 0" "phase:2,deny" + SecRule &FILES "!\@eq 3" "phase:2,deny,id:500164" + SecRule &FILES_NAMES "!\@eq 3" "phase:2,deny,id:500165" + SecRule &FILES_SIZES "!\@eq 3" "phase:2,deny,id:500166" + SecRule FILES_SIZES:/^image/ "\@eq 0" "phase:2,deny,id:500167" # This should be the SecUploadFileLimit - SecRule &FILES_TMPNAMES "!\@eq 2" "phase:2,deny" + SecRule &FILES_TMPNAMES "!\@eq 2" "phase:2,deny,id:500168" ), match_log => { debug => [ qr/Multipart: Upload file limit exceeded.*name: test.*variable: This is test data/s, 1 ],

@@ -9,10 +9,10 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType text/plain null - SecRule REQUEST_LINE "^POST" "phase:1,pass,log,auditlog" - SecRule ARGS "val1" "phase:1,pass,log,auditlog" - SecRule RESPONSE_HEADERS:Last-Modified "." "phase:1,pass,log,auditlog" - SecRule RESPONSE_BODY "TEST" "phase:1,pass,log,auditlog" + SecRule REQUEST_LINE "^POST" "phase:1,pass,log,auditlog,id:500169" + SecRule ARGS "val1" "phase:1,pass,log,auditlog,id:500170" + SecRule RESPONSE_HEADERS:Last-Modified "." "phase:1,pass,log,auditlog,id:500171" + SecRule RESPONSE_BODY "TEST" "phase:1,pass,log,auditlog,id:500172" ), match_log => { error => [ qr/Pattern match "\^POST" at REQUEST_LINE/, 1 ], @@ -39,10 +39,10 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType text/plain null - SecRule REQUEST_LINE "^POST" "phase:2,pass,log,auditlog" - SecRule ARGS "val1" "phase:2,pass,log,auditlog" - SecRule RESPONSE_HEADERS:Last-Modified "." "phase:2,pass,log,auditlog" - SecRule RESPONSE_BODY "TEST" "phase:2,pass,log,auditlog" + SecRule REQUEST_LINE "^POST" "phase:2,pass,log,auditlog,id:500173" + SecRule ARGS "val1" "phase:2,pass,log,auditlog,id:500174" + SecRule RESPONSE_HEADERS:Last-Modified "." "phase:2,pass,log,auditlog,id:500175" + SecRule RESPONSE_BODY "TEST" "phase:2,pass,log,auditlog,id:500176" ), match_log => { error => [ qr/Pattern match "\^POST" at REQUEST_LINE.*Pattern match "val1" at ARGS/s, 1 ], @@ -69,10 +69,10 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType text/plain null - SecRule REQUEST_LINE "^POST" "phase:3,pass,log,auditlog" - SecRule ARGS "val1" "phase:3,pass,log,auditlog" - SecRule RESPONSE_HEADERS:Last-Modified "." "phase:3,pass,log,auditlog" - SecRule RESPONSE_BODY "TEST" "phase:3,pass,log,auditlog" + SecRule REQUEST_LINE "^POST" "phase:3,pass,log,auditlog,id:500177" + SecRule ARGS "val1" "phase:3,pass,log,auditlog,id:500178" + SecRule RESPONSE_HEADERS:Last-Modified "." "phase:3,pass,log,auditlog,id:500179" + SecRule RESPONSE_BODY "TEST" "phase:3,pass,log,auditlog,id:500180" ), match_log => { error => [ qr/Pattern match "\^POST" at REQUEST_LINE.*Pattern match "val1" at ARGS.*Pattern match "\." at RESPONSE_HEADERS/s, 1 ], @@ -101,10 +101,10 @@ SecResponseBodyMimeType text/plain null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 9 - SecRule REQUEST_LINE "^POST" "phase:4,pass,log,auditlog" - SecRule ARGS "val1" "phase:4,pass,log,auditlog" - SecRule RESPONSE_HEADERS:Last-Modified "." "phase:4,pass,log,auditlog" - SecRule RESPONSE_BODY "TEST" "phase:4,pass,log,auditlog" + SecRule REQUEST_LINE "^POST" "phase:4,pass,log,auditlog,id:500181" + SecRule ARGS "val1" "phase:4,pass,log,auditlog,id:500182" + SecRule RESPONSE_HEADERS:Last-Modified "." "phase:4,pass,log,auditlog,id:500183" + SecRule RESPONSE_BODY "TEST" "phase:4,pass,log,auditlog,id:500184" ), match_log => { error => [ qr/Pattern match "\^POST" at REQUEST_LINE.*Pattern match "val1" at ARGS.*Pattern match "\." at RESPONSE_HEADERS.*Pattern match "TEST" at RESPONSE_BODY/s, 1 ], @@ -130,10 +130,10 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType text/plain null - SecRule REQUEST_LINE "^POST" "phase:5,pass,log,auditlog" - SecRule ARGS "val1" "phase:5,pass,log,auditlog" - SecRule RESPONSE_HEADERS:Last-Modified "." "phase:5,pass,log,auditlog" - SecRule RESPONSE_BODY "TEST" "phase:5,pass,log,auditlog" + SecRule REQUEST_LINE "^POST" "phase:5,pass,log,auditlog,id:500185" + SecRule ARGS "val1" "phase:5,pass,log,auditlog,id:500186" + SecRule RESPONSE_HEADERS:Last-Modified "." "phase:5,pass,log,auditlog,id:500187" + SecRule RESPONSE_BODY "TEST" "phase:5,pass,log,auditlog,id:500188" ), match_log => { error => [ qr/Pattern match "\^POST" at REQUEST_LINE.*Pattern match "val1" at ARGS.*Pattern match "\." at RESPONSE_HEADERS.*Pattern match "TEST" at RESPONSE_BODY/s, 1 ],

@@ -17,9 +17,9 @@ SecPcreMatchLimitRecursion 100 # Poor REGEX - SecRule ARGS "(?:(.{2,})\\1{32,})" "phase:2,deny,capture,msg:'REDoS'" + SecRule ARGS "(?:(.{2,})\\1{32,})" "phase:2,deny,capture,msg:'REDoS',id:500053" # Detect PCRE limits exceeded - SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "!\@streq 0" "phase:2,deny,msg:'ModSecurity Internal Error Flagged: %{MATCHED_VAR_NAME}'" + SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "!\@streq 0" "phase:2,deny,msg:'ModSecurity Internal Error Flagged: %{MATCHED_VAR_NAME}',id:500054" ), match_log => { debug => [ qr/PCRE limits exceeded/, 1 ],

@@ -12,10 +12,10 @@ SecCacheTransformations On "minlen:1,maxlen:0" # This should cache it - SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog" + SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500037" # This should use the cached value - SecRule ARGS_GET:test "foobar" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,deny" + SecRule ARGS_GET:test "foobar" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,deny,id:500038" ), match_log => { debug => [ qr/removeWhiteSpace,lowercase: "foobar" .*cached/, 1 ], @@ -40,10 +40,10 @@ SecCacheTransformations On "minlen:1,maxlen:0,incremental:off,maxitems:0" # This should cache it - SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,pass,nolog" + SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,pass,nolog,id:500039" # This should use the partially cached value - SecRule ARGS_GET:test "foobar" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,deny" + SecRule ARGS_GET:test "foobar" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,deny,id:500040" ), match_log => { debug => [ qr/removeWhiteSpace: "FooBar" .*partially cached/, 1 ], @@ -67,10 +67,10 @@ SecCacheTransformations On "minlen:1,maxlen:0" # This should cache it - SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog" + SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500041" # This should use the cached value - SecRule ARGS_GET:test "foobar" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,deny" + SecRule ARGS_GET:test "foobar" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,deny,id:500042" ), match_log => { -debug => [ qr/removeWhiteSpace,lowercase: "foobar" .*cached/, 1 ], @@ -94,10 +94,10 @@ SecCacheTransformations On "minlen:1,maxlen:0" # This should cache it - SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog" + SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500043" # This should use the cached value - SecRule ARGS_GET:test "foobar" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,deny" + SecRule ARGS_GET:test "foobar" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,deny,id:500044" ), match_log => { debug => [ qr/removeWhiteSpace,lowercase: "foobar" .*cached/, 1 ], @@ -122,12 +122,12 @@ SecCacheTransformations On "minlen:1,maxlen:0" # This should cache it - SecRule ARGS "WillNotMatch" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,pass" + SecRule ARGS "WillNotMatch" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,pass,id:500045" # This should see cached versions of *both* ARGS_GET - SecRule ARGS:test "queryval" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,deny,chain" - SecRule ARGS:test "firstval" "t:none,t:removeWhiteSpace,t:lowercase,chain" - SecRule ARGS:test "secondval" "t:none,t:removeWhiteSpace,t:lowercase" + SecRule ARGS:test "queryval" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,deny,chain,id:500046" + SecRule ARGS:test "firstval" "t:none,t:removeWhiteSpace,t:lowercase,chain,id:500047" + SecRule ARGS:test "secondval" "t:none,t:removeWhiteSpace,t:lowercase,id:500017" ), match_log => { debug => [ qr/removeWhiteSpace,lowercase: "queryval" .*removeWhiteSpace,lowercase: "firstval" .*cached.*removeWhiteSpace,lowercase: "secondval" .*cached/s, 1 ], @@ -163,13 +163,13 @@ SecCacheTransformations On "minlen:1,maxlen:0,maxitems:0" # This should cache it in all phases - SecRule ARGS "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog" - SecRule ARGS "WillNotMatch" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog" - SecRule ARGS "WillNotMatch" "phase:3,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog" - SecRule ARGS "WillNotMatch" "phase:4,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog" + SecRule ARGS "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500048" + SecRule ARGS "WillNotMatch" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500049" + SecRule ARGS "WillNotMatch" "phase:3,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500050" + SecRule ARGS "WillNotMatch" "phase:4,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500051" # This should use the cached value - SecRule ARGS "foobar" "phase:4,t:none,t:removeWhiteSpace,t:lowercase,deny" + SecRule ARGS "foobar" "phase:4,t:none,t:removeWhiteSpace,t:lowercase,deny,id:500052" ), match_log => { debug => [ qr/Adding request argument $BODY$: name "test", value "Foo Bar"/, 60, "Waiting for httpd to process request: "],

@@ -8,7 +8,7 @@ SecRuleEngine On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 4 - SecAction "nolog" + SecAction "nolog,id:500001" ), match_log => { -error => [ qr/ModSecurity: /, 1 ], @@ -32,7 +32,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 5 SecDefaultAction "phase:2,deny,status:403" - SecRule ARGS:test "value" + SecRule ARGS:test "value,id:500032" ), match_log => { error => [ qr/ModSecurity: /, 1 ], @@ -53,7 +53,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 5 SecDefaultAction "phase:2,pass" - SecRule ARGS:test "value" "deny,status:403" + SecRule ARGS:test "value" "deny,status:403,id:500033" ), match_log => { error => [ qr/ModSecurity: /, 1 ], @@ -74,9 +74,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 5 SecDefaultAction "phase:2,log,noauditlog,pass,tag:foo" - SecRule ARGS:test "value" "chain,phase:2,deny,status:403" - SecRule &ARGS "\@eq 1" "chain,setenv:tx.foo=bar" - SecRule REQUEST_METHOD "\@streq GET" + SecRule ARGS:test "value" "chain,phase:2,deny,status:403,id:500034" + SecRule &ARGS "\@eq 1" "chain,setenv:tx.foo=bar,id:500035" + SecRule REQUEST_METHOD "\@streq GET,id:500036" ), match_log => { error => [ qr/ModSecurity: /, 1 ],

@@ -10,10 +10,10 @@ SecRequestBodyAccess On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500005 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope.xsd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500006 + SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope.xsd" \\,id:500007 "phase:2,deny,id:12345" ), match_log => { @@ -59,10 +59,10 @@ SecDebugLogLevel 9 SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500008 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope.xsd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500009 + SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope.xsd" \\,id:500010 "phase:2,deny,log,auditlog,id:12345" ), match_log => { @@ -108,10 +108,10 @@ SecDebugLogLevel 9 SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500011 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope.xsd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500012 + SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope.xsd" \\,id:500013 "phase:2,deny,id:12345" ), match_log => { @@ -158,10 +158,10 @@ SecDebugLogLevel 9 SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500014 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope.xsd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500015 + SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope.xsd" \\,id:500016 "phase:2,deny,id:12345" ), match_log => { @@ -208,10 +208,10 @@ SecDebugLogLevel 9 SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500017 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope-bad.xsd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500018 + SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope-bad.xsd" \\,id:500019 "phase:2,deny,id:12345" ), match_log => { @@ -256,10 +256,10 @@ SecRequestBodyAccess On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500020 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope.dtd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500021 + SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope.dtd" \\,id:500022 "phase:2,deny,id:12345" ), match_log => { @@ -299,10 +299,10 @@ SecRequestBodyAccess On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500023 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope.dtd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500024 + SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope.dtd" \\,id:500025 "phase:2,deny,id:12345" ), match_log => { @@ -342,10 +342,10 @@ SecRequestBodyAccess On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500026 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope.dtd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500027 + SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope.dtd" \\,id:500028 "phase:2,deny,id:12345" ), match_log => { @@ -385,10 +385,10 @@ SecRequestBodyAccess On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500029 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope-bad.dtd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500030 + SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope-bad.dtd" \\,id:500031 "phase:2,deny,id:12345" ), match_log => {

@@ -109,7 +109,7 @@ SecRuleEngine On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule REQUEST_URI "test" "phase:1,deny,status:500,id:1,msg:'testing rule'" + SecRule REQUEST_URI "test" "phase:1,deny,status:500,id:1,msg:'testing rule',id:500001" SecRuleRemoveByMsg "testing rule" ), match_log => { @@ -134,7 +134,7 @@ SecRuleEngine On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule REQUEST_URI "test" "phase:1,deny,status:500,id:1,msg:'testing rule'" + SecRule REQUEST_URI "test" "phase:1,deny,status:500,id:1,msg:'testing rule',id:500002" SecRuleUpdateActionById 1 "pass,nolog" ), match_log => { @@ -157,8 +157,8 @@ SecRuleEngine On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule REQUEST_URI "test" "phase:1,deny,status:500,id:1,msg:'testing rule',chain" - SecRule ARGS "bar" + SecRule REQUEST_URI "test" "phase:1,deny,status:500,id:1,msg:'testing rule',chain,id:500003" + SecRule ARGS "bar,id:500004" SecRuleUpdateActionById 1 "pass,nolog" ), match_log => {

@@ -11,8 +11,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS "val1" "phase:2,log,pass" - SecRule ARGS "val2" "phase:2,log,pass" + SecRule ARGS "val1" "phase:2,log,pass,id:500189" + SecRule ARGS "val2" "phase:2,log,pass,id:500190" ), match_log => { error => [ qr/Pattern match "val1" at ARGS.*Pattern match "val2" at ARGS/s, 1 ], @@ -35,8 +35,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS "val1" "phase:2,log,pass" - SecRule ARGS "val2" "phase:2,log,pass" + SecRule ARGS "val1" "phase:2,log,pass,id:500191" + SecRule ARGS "val2" "phase:2,log,pass,id:500192" ), match_log => { error => [ qr/Pattern match "val1" at ARGS.*Pattern match "val2" at ARGS/s, 1 ], @@ -63,7 +63,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule ARGS_COMBINED_SIZE "\@eq 16" "phase:2,log,pass" + SecRule ARGS_COMBINED_SIZE "\@eq 16" "phase:2,log,pass,id:500193" ), match_log => { error => [ qr/Operator EQ matched 16 at ARGS_COMBINED_SIZE\./s, 1 ], @@ -83,7 +83,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule ARGS_COMBINED_SIZE "\@eq 16" "phase:2,log,pass" + SecRule ARGS_COMBINED_SIZE "\@eq 16" "phase:2,log,pass,id:500194" ), match_log => { error => [ qr/Operator EQ matched 16 at ARGS_COMBINED_SIZE\./s, 1 ], @@ -111,8 +111,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_NAMES "arg1" "phase:2,log,pass" - SecRule ARGS_NAMES "arg2" "phase:2,log,pass" + SecRule ARGS_NAMES "arg1" "phase:2,log,pass,id:500195" + SecRule ARGS_NAMES "arg2" "phase:2,log,pass,id:500196" ), match_log => { error => [ qr/Pattern match "arg1" at ARGS.*Pattern match "arg2" at ARGS/s, 1 ], @@ -135,8 +135,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_NAMES "arg1" "phase:2,log,pass" - SecRule ARGS_NAMES "arg2" "phase:2,log,pass" + SecRule ARGS_NAMES "arg1" "phase:2,log,pass,id:500197" + SecRule ARGS_NAMES "arg2" "phase:2,log,pass,id:500198" ), match_log => { error => [ qr/Pattern match "arg1" at ARGS_NAMES.*Pattern match "arg2" at ARGS_NAMES/s, 1 ], @@ -165,8 +165,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_GET "val1" "phase:2,log,pass" - SecRule ARGS_GET "val2" "phase:2,log,pass" + SecRule ARGS_GET "val1" "phase:2,log,pass,id:500199" + SecRule ARGS_GET "val2" "phase:2,log,pass,id:500200" ), match_log => { error => [ qr/Pattern match "val1" at ARGS_GET.*Pattern match "val2" at ARGS_GET/s, 1 ], @@ -189,8 +189,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_GET "val1" "phase:2,log,pass" - SecRule ARGS_GET "val2" "phase:2,log,pass" + SecRule ARGS_GET "val1" "phase:2,log,pass,id:500201" + SecRule ARGS_GET "val2" "phase:2,log,pass,id:500202" ), match_log => { -error => [ qr/Pattern match/, 1 ], @@ -219,8 +219,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_GET_NAMES "arg1" "phase:2,log,pass" - SecRule ARGS_GET_NAMES "arg2" "phase:2,log,pass" + SecRule ARGS_GET_NAMES "arg1" "phase:2,log,pass,id:500203" + SecRule ARGS_GET_NAMES "arg2" "phase:2,log,pass,id:500204" ), match_log => { error => [ qr/Pattern match "arg1" at ARGS_GET.*Pattern match "arg2" at ARGS_GET/s, 1 ], @@ -243,8 +243,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_GET_NAMES "arg1" "phase:2,log,pass" - SecRule ARGS_GET_NAMES "arg2" "phase:2,log,pass" + SecRule ARGS_GET_NAMES "arg1" "phase:2,log,pass,id:500205" + SecRule ARGS_GET_NAMES "arg2" "phase:2,log,pass,id:500206" ), match_log => { -error => [ qr/Pattern match/, 1 ], @@ -273,8 +273,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_POST "val1" "phase:2,log,pass" - SecRule ARGS_POST "val2" "phase:2,log,pass" + SecRule ARGS_POST "val1" "phase:2,log,pass,id:500207" + SecRule ARGS_POST "val2" "phase:2,log,pass,id:500208" ), match_log => { -error => [ qr/Pattern match/, 1 ], @@ -297,8 +297,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_POST "val1" "phase:2,log,pass" - SecRule ARGS_POST "val2" "phase:2,log,pass" + SecRule ARGS_POST "val1" "phase:2,log,pass,id:500209" + SecRule ARGS_POST "val2" "phase:2,log,pass,id:500210" ), match_log => { error => [ qr/Pattern match "val1" at ARGS_POST.*Pattern match "val2" at ARGS_POST/s, 1 ], @@ -327,8 +327,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_POST_NAMES "arg1" "phase:2,log,pass" - SecRule ARGS_POST_NAMES "arg2" "phase:2,log,pass" + SecRule ARGS_POST_NAMES "arg1" "phase:2,log,pass,id:500211" + SecRule ARGS_POST_NAMES "arg2" "phase:2,log,pass,id:500212" ), match_log => { -error => [ qr/Pattern match/, 1 ], @@ -351,8 +351,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_POST_NAMES "arg1" "phase:2,log,pass" - SecRule ARGS_POST_NAMES "arg2" "phase:2,log,pass" + SecRule ARGS_POST_NAMES "arg1" "phase:2,log,pass,id:500213" + SecRule ARGS_POST_NAMES "arg2" "phase:2,log,pass,id:500214" ), match_log => { error => [ qr/Pattern match "arg1" at ARGS_POST.*Pattern match "arg2" at ARGS_POST/s, 1 ],

@@ -582,6 +582,7 @@ if (defined $out and $out ne "") { vrb(join(" ", map { quote_shell($_) } @p)); msg("Httpd start failed with error messages:\n$out"); + httpd_stop(); return -1 } @@ -590,6 +591,7 @@ vrb(join(" ", map { quote_shell($_) } @p)); vrb(match_log("error", qr/(^.*ModSecurity: .*)/sm, 10)); msg("Httpd server failed to start."); + httpd_stop(); return -1; }

[-] [+]	Changed	nginx-1.2.changes
@@ -1,4 +1,9 @@ ------------------------------------------------------------------- +Fri Mar 29 17:33:09 UTC 2013 - cs@linux-administrator.com + +- update modsecurity to 2.7.3 + +------------------------------------------------------------------- Fri Mar 29 10:10:21 UTC 2013 - cs@linux-administrator.com - update rtmp module to 0.9.13
[-] [+]	Changed	nginx-1.2.spec ^
@@ -15,7 +15,7 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %define modsec_name modsecurity-apache -%define modsec_version 2.7.2 +%define modsec_version 2.7.3 %define modsec %{modsec_name}_%{modsec_version} %define ajp_name yaoweibin-nginx_ajp_module
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/CHANGES ^
@@ -1,3 +1,39 @@ +28 Mar 2013 - 2.7.3 +------------------- + + * Fixed IIS version race condition when module is initialized. + + * Fixed IIS version failing config commands in libapr. + + * Nginx version is now RC quality. The rule engine should works for all phases. + We fixed many issues and missing features (for more information please check jira). + Code is running well with latest Nginx 1.2.7 stable. + Thanks chaizhenhua for your help. + + * Added MULTIPART_NAME and MULTIPART_FILENAME. Should be used soon by CRS + and will help prevent attacks using multipart data. + + * Added --enable-htaccess-config configure option. It will allow the follow directives + to be used into .htaccess files when AllowOverride Options is set: + + - SecAction + - SecRule + + - SecRuleRemoveByMsg + - SecRuleRemoveByTag + - SecRuleRemoveById + + - SecRuleUpdateActionById + - SecRuleUpdateTargetById + - SecRuleUpdateTargetByTag + - SecRuleUpdateTargetByMsg + + * Improvements in the ID duplicate code checking. Should be faster now. + + * SECURITY: Added SecXmlExternalEntity (On\|Off - default it Off) that will disable + by default the external entity load task executed by LibXml2. This is a security issue + reported by Timur Yunusov, Alexey Osipov (Positive Technologies). + 21 Jan 2013 - 2.7.2 -------------------
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/apache2/apache2_config.c ^
@@ -64,6 +64,7 @@ dcfg->cookie_format = NOT_SET; dcfg->argument_separator = NOT_SET; + dcfg->cookiev0_separator = NOT_SET_P; dcfg->rule_inheritance = NOT_SET; dcfg->rule_exceptions = apr_array_make(mp, 16, sizeof(rule_exception )); @@ -127,6 +128,8 @@ dcfg->cache_trans_max = NOT_SET; dcfg->cache_trans_maxitems = NOT_SET; + / Rule ids / + dcfg->rule_id_htab = apr_hash_make(mp); dcfg->component_signatures = apr_array_make(mp, 16, sizeof(char )); dcfg->request_encoding = NOT_SET_P; @@ -153,6 +156,9 @@ dcfg->crypto_hash_framesrc_pm = NOT_SET; + /* xml external entity / + dcfg->xml_external_entity = NOT_SET; + return dcfg; } @@ -366,6 +372,8 @@ ? parent->cookie_format : child->cookie_format); merged->argument_separator = (child->argument_separator == NOT_SET ? parent->argument_separator : child->argument_separator); + merged->cookiev0_separator = (child->cookiev0_separator == NOT_SET_P + ? parent->cookiev0_separator : child->cookiev0_separator); / rule inheritance / @@ -586,6 +594,10 @@ merged->crypto_hash_framesrc_pm = (child->crypto_hash_framesrc_pm == NOT_SET ? parent->crypto_hash_framesrc_pm : child->crypto_hash_framesrc_pm); + / xml external entity / + merged->xml_external_entity = (child->xml_external_entity == NOT_SET + ? parent->xml_external_entity : child->xml_external_entity); + return merged; } @@ -627,6 +639,7 @@ if (dcfg->cookie_format == NOT_SET) dcfg->cookie_format = 0; if (dcfg->argument_separator == NOT_SET) dcfg->argument_separator = '&'; + if (dcfg->cookiev0_separator == NOT_SET_P) dcfg->cookiev0_separator = NULL; if (dcfg->rule_inheritance == NOT_SET) dcfg->rule_inheritance = 1; @@ -705,6 +718,9 @@ if (dcfg->crypto_hash_iframesrc_pm == NOT_SET) dcfg->crypto_hash_iframesrc_pm = 0; if (dcfg->crypto_hash_framesrc_pm == NOT_SET) dcfg->crypto_hash_framesrc_pm = 0; + / xml external entity / + if (dcfg->xml_external_entity == NOT_SET) dcfg->xml_external_entity = 0; + } /* @@ -714,7 +730,9 @@ const char p1, const char p2, const char p3) { char my_error_msg = NULL; - msre_rule rule = NULL, tmp_rule = NULL; + //msre_rule rule = NULL, tmp_rule = NULL; + char rid = NULL; + msre_rule rule = NULL; extern msc_engine modsecurity; int offset = 0; @@ -767,9 +785,16 @@ if(type != RULE_TYPE_LUA) #endif { - tmp_rule = msre_ruleset_fetch_rule(dcfg->ruleset, rule->actionset->id, offset); - if(tmp_rule != NULL) + rid = apr_hash_get(dcfg->rule_id_htab, rule->actionset->id, APR_HASH_KEY_STRING); + if(rid != NULL) { return "ModSecurity: Found another rule with the same id"; + } else { + apr_hash_set(dcfg->rule_id_htab, apr_pstrdup(dcfg->mp, rule->actionset->id), APR_HASH_KEY_STRING, apr_pstrdup(dcfg->mp, "1")); + } + + //tmp_rule = msre_ruleset_fetch_rule(dcfg->ruleset, rule->actionset->id, offset); + //if(tmp_rule != NULL) + // return "ModSecurity: Found another rule with the same id"; } } @@ -1084,6 +1109,20 @@ return add_marker(cmd, (directory_config )_dcfg, SECMARKER_TARGETS, SECMARKER_ARGS, action); } +static const char cmd_cookiev0_separator(cmd_parms cmd, void _dcfg, + const char p1) +{ + directory_config dcfg = (directory_config )_dcfg; + + if (strlen(p1) != 1) { + return apr_psprintf(cmd->pool, "ModSecurity: Invalid cookie v0 separator: %s", p1); + } + + dcfg->cookiev0_separator = p1; + + return NULL; +} + static const char cmd_argument_separator(cmd_parms cmd, void _dcfg, const char p1) { @@ -1919,6 +1958,10 @@ /* TODO: Validate the range here, while we can still tell the user if it's invalid / re->param = p1; + if(dcfg->ruleset == NULL) { + return apr_psprintf(cmd->pool, "Updating target by ID with no ruleset in this context"); + } + return msre_ruleset_rule_update_target_matching_exception(NULL, dcfg->ruleset, re, p2, p3); } @@ -2253,9 +2296,35 @@ return NULL; } +/* +* \brief Add SecXmlExternalEntity configuration option +* +* \param cmd Pointer to configuration data +* \param _dcfg Pointer to directory configuration +* \param p1 Pointer to configuration option +* +* \retval NULL On failure +* \retval apr_psprintf On Success +/ +static const char cmd_xml_external_entity(cmd_parms cmd, void _dcfg, const char p1) +{ + directory_config dcfg = (directory_config )_dcfg; + if (dcfg == NULL) return NULL; + + if (strcasecmp(p1, "on") == 0) { + dcfg->xml_external_entity = 1; + } + else if (strcasecmp(p1, "off") == 0) { + dcfg->xml_external_entity = 0; + } + else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecXmlExternalEntity: %s", p1); + + return NULL; +} + /* -* \brief Add SecHash configuration option +* \brief Add SecHashEngine configuration option * * \param cmd Pointer to configuration data * \param _dcfg Pointer to directory configuration @@ -2277,7 +2346,7 @@ dcfg->hash_is_enabled = HASH_DISABLED; dcfg->hash_enforcement = HASH_DISABLED; } - else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRuleEngine: %s", p1); + else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SexHashEngine: %s", p1); return NULL; } @@ -2767,8 +2836,21 @@ #define CMD_SCOPE_MAIN (RSRC_CONF) #define CMD_SCOPE_ANY (RSRC_CONF \| ACCESS_CONF) +#if defined(HTACCESS_CONFIG) +#define CMD_SCOPE_HTACCESS (OR_OPTIONS) +#endif + const command_rec module_directives[] = { +#ifdef HTACCESS_CONFIG + AP_INIT_TAKE1 ( + "SecAction", + cmd_action, + NULL, + CMD_SCOPE_HTACCESS, + "an action list" + ), +#else AP_INIT_TAKE1 ( "SecAction", cmd_action, @@ -2776,6 +2858,7 @@ CMD_SCOPE_ANY, "an action list" ), +#endif AP_INIT_TAKE1 ( "SecArgumentSeparator", @@ -2786,6 +2869,14 @@ ), AP_INIT_TAKE1 ( + "SecCookiev0Separator", + cmd_cookiev0_separator, + NULL, + CMD_SCOPE_ANY, + "character that will be used as separator when parsing cookie v0 content." + ), + + AP_INIT_TAKE1 ( "SecAuditEngine", cmd_audit_engine, NULL, @@ -3146,6 +3237,15 @@ "clears the list of MIME types that will be buffered on output" ), +#ifdef HTACCESS_CONFIG + AP_INIT_TAKE23 ( + "SecRule", + cmd_rule, + NULL, + CMD_SCOPE_HTACCESS, + "rule target, operator and optional action list" + ), +#else AP_INIT_TAKE23 ( "SecRule", cmd_rule, @@ -3153,6 +3253,7 @@ CMD_SCOPE_ANY, "rule target, operator and optional action list" ), +#endif AP_INIT_TAKE1 ( "SecRuleEngine", @@ -3162,6 +3263,14 @@ "On or Off" ), + AP_INIT_TAKE1 ( + "SecXmlExternalEntity", + cmd_xml_external_entity, + NULL, + CMD_SCOPE_ANY, + "On or Off" + ), + AP_INIT_FLAG ( "SecRuleInheritance", cmd_rule_inheritance, @@ -3178,6 +3287,31 @@ "rule script and optional actionlist" ), +#ifdef HTACCESS_CONFIG + AP_INIT_ITERATE ( + "SecRuleRemoveById", + cmd_rule_remove_by_id, + NULL, + CMD_SCOPE_HTACCESS, + "rule ID for removal" + ), + + AP_INIT_ITERATE ( + "SecRuleRemoveByTag", + cmd_rule_remove_by_tag, + NULL, + CMD_SCOPE_HTACCESS, + "rule tag for removal" + ), + + AP_INIT_ITERATE ( + "SecRuleRemoveByMsg", + cmd_rule_remove_by_msg, + NULL, + CMD_SCOPE_HTACCESS, + "rule message for removal" + ), +#else AP_INIT_ITERATE ( "SecRuleRemoveById", cmd_rule_remove_by_id, @@ -3201,6 +3335,7 @@ CMD_SCOPE_ANY, "rule message for removal" ), +#endif AP_INIT_TAKE2 ( "SecHashMethodPm", @@ -3218,6 +3353,39 @@ "Hash method and regex" ), +#ifdef HTACCESS_CONFIG + AP_INIT_TAKE2 ( + "SecRuleUpdateActionById", + cmd_rule_update_action_by_id, + NULL, + CMD_SCOPE_HTACCESS, + "updated action list" + ), + + AP_INIT_TAKE23 ( + "SecRuleUpdateTargetById", + cmd_rule_update_target_by_id, + NULL, + CMD_SCOPE_HTACCESS, + "updated target list" + ), + + AP_INIT_TAKE23 ( + "SecRuleUpdateTargetByTag", + cmd_rule_update_target_by_tag, + NULL, + CMD_SCOPE_HTACCESS, + "rule tag pattern and updated target list" + ), + + AP_INIT_TAKE23 ( + "SecRuleUpdateTargetByMsg", + cmd_rule_update_target_by_msg, + NULL, + CMD_SCOPE_HTACCESS, + "rule message pattern and updated target list" + ), +#else AP_INIT_TAKE2 ( "SecRuleUpdateActionById", cmd_rule_update_action_by_id, @@ -3249,7 +3417,7 @@ CMD_SCOPE_ANY, "rule message pattern and updated target list" ), - +#endif AP_INIT_TAKE1 ( "SecServerSignature",
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/apache2/mod_security2.c ^
@@ -440,7 +440,11 @@ #if defined(WITH_LUA) #ifdef CACHE_LUA +#if LUA_VERSION_NUM > 501 + msr->L = luaL_newstate(); +#else msr->L = lua_open(); +#endif luaL_openlibs(msr->L); #endif #endif
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/apache2/modsecurity.h ^
@@ -355,6 +355,8 @@ apr_size_t msc_reqbody_no_files_length; + char multipart_filename; + char multipart_name; multipart_data mpd; / MULTIPART processor data structure / xml_data xml; /* XML processor data structure / @@ -468,6 +470,7 @@ int cookie_format; int argument_separator; + const char cookiev0_separator; int rule_inheritance; apr_array_header_t rule_exceptions; @@ -571,6 +574,9 @@ / Collection timeout / int col_timeout; + / hash of ids / + apr_hash_t rule_id_htab; + /* Hash / apr_array_header_t hash_method; const char crypto_key; @@ -589,6 +595,9 @@ int crypto_hash_location_pm; int crypto_hash_iframesrc_pm; int crypto_hash_framesrc_pm; + + / xml */ + int xml_external_entity; }; struct error_message_t {
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/apache2/msc_lua.c ^
@@ -94,7 +94,11 @@ msc_lua_dumpw_t dump; /* Initialise state. / +#if LUA_VERSION_NUM > 501 + L = luaL_newstate(); +#else L = lua_open(); +#endif luaL_openlibs(L); / Find script. / @@ -158,7 +162,11 @@ if (lua_isuserdata(L, idx) \|\| lua_isnoneornil(L, idx)) { / No second parameter / return tfn_arr; } else if (lua_istable(L, idx)) { / Is the second parameter an array? / +#if LUA_VERSION_NUM > 501 + int i, n = lua_rawlen(L, idx); +#else int i, n = lua_objlen(L, idx); +#endif for(i = 1; i <= n; i++) { lua_rawgeti(L, idx, i); @@ -415,7 +423,11 @@ lua_pop(L, rc); #else / Create new state. / +#if LUA_VERSION_NUM > 501 + L = luaL_newstate(); +#else L = lua_open(); +#endif luaL_openlibs(L); #endif @@ -433,7 +445,12 @@ } / Register functions. */ +#if LUA_VERSION_NUM > 501 + luaL_setfuncs(L,mylib,0); + lua_setglobal(L,"m"); +#else luaL_register(L, "m", mylib); +#endif rc = lua_restore(L, script); if (rc) {
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/apache2/msc_multipart.c ^
@@ -184,6 +184,8 @@ validate_quotes(msr, value); + msr->multipart_name = apr_pstrdup(msr->mp, value); + if (msr->mpd->mpp->name != NULL) { msr_log(msr, 4, "Multipart: Warning: Duplicate Content-Disposition name: %s", log_escape_nq(msr->mp, value)); @@ -201,6 +203,8 @@ validate_quotes(msr, value); + msr->multipart_filename = apr_pstrdup(msr->mp, value); + if (msr->mpd->mpp->filename != NULL) { msr_log(msr, 4, "Multipart: Warning: Duplicate Content-Disposition filename: %s", log_escape_nq(msr->mp, value));
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/apache2/msc_parsers.c ^
@@ -35,7 +35,11 @@ cookie_header = strdup(_cookie_header); if (cookie_header == NULL) return -1; - p = apr_strtok(cookie_header, delim, &saveptr); + if(msr->txcfg->cookiev0_separator == NULL) { + p = apr_strtok(cookie_header, delim, &saveptr); + } else { + p = apr_strtok(cookie_header, msr->txcfg->cookiev0_separator, &saveptr); + } while(p != NULL) { attr_name = NULL; @@ -74,7 +78,11 @@ cookie_count++; } - p = apr_strtok(NULL, delim, &saveptr); + if(msr->txcfg->cookiev0_separator == NULL) { + p = apr_strtok(NULL, delim, &saveptr); + } else { + p = apr_strtok(NULL, msr->txcfg->cookiev0_separator, &saveptr); + } } free(cookie_header);
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/apache2/msc_pcre.c ^
@@ -21,7 +21,11 @@ static apr_status_t msc_pcre_cleanup(msc_regex_t regex) { if (regex != NULL) { if (regex->pe != NULL) { +#if defined(VERSION_NGINX) + pcre_free(regex->pe); +#else free(regex->pe); +#endif regex->pe = NULL; } if (regex->re != NULL) { @@ -71,7 +75,11 @@ / Setup the pcre_extra record if pcre_study did not already do it */ if (pe == NULL) { +#if defined(VERSION_NGINX) + pe = pcre_malloc(sizeof(pcre_extra)); +#else pe = malloc(sizeof(pcre_extra)); +#endif if (pe == NULL) { return NULL; }
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/apache2/msc_release.h ^
@@ -38,7 +38,7 @@ #define MODSEC_VERSION_MAJOR "2" #define MODSEC_VERSION_MINOR "7" -#define MODSEC_VERSION_MAINT "2" +#define MODSEC_VERSION_MAINT "3" #define MODSEC_VERSION_TYPE "" #define MODSEC_VERSION_RELEASE "" @@ -53,10 +53,10 @@ #define MODSEC_MODULE_NAME "ModSecurity for IIS (STABLE)" #else #ifdef VERSION_NGINX -#define MODSEC_MODULE_NAME "ModSecurity for nginx (Beta)" +#define MODSEC_MODULE_NAME "ModSecurity for nginx (RC)" #else #ifdef VERSION_STANDALONE -#define MODSEC_MODULE_NAME "ModSecurity Standalone (Beta)" +#define MODSEC_MODULE_NAME "ModSecurity Standalone (RC)" #else #define MODSEC_MODULE_NAME "ModSecurity for Apache" #endif
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/apache2/msc_xml.c ^
@@ -14,17 +14,28 @@ #include "msc_xml.h" +static xmlParserInputBufferPtr +xml_unload_external_entity(const char URI, xmlCharEncoding enc) { + return NULL; +} + /* * Initialise XML parser. / int xml_init(modsec_rec msr, char *error_msg) { + xmlParserInputBufferCreateFilenameFunc entity; + if (error_msg == NULL) return -1; error_msg = NULL; msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data)); if (msr->xml == NULL) return -1; + if(msr->txcfg->xml_external_entity == 0) { + entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity); + } + return 1; }
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/apache2/persist_dbm.c ^
@@ -41,9 +41,9 @@ * includes the terminating NUL and should be 1 for "" / if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "BLOB[%d]: %s", blob_offset, log_escape_hex(msr->mp, blob + blob_offset, blob_size - blob_offset)); + msr_log(msr, 9, "collection_unpack: BLOB[%d]: %s", blob_offset, log_escape_hex(msr->mp, blob + blob_offset, blob_size - blob_offset)); } - msr_log(msr, 4, "Possibly corrupted database: var name length = 0 at blob offset %u-%u.", blob_offset, blob_offset + 1); + msr_log(msr, 4, "collection_unpack: Possibly corrupted database: var name length = 0 at blob offset %u-%u.", blob_offset, blob_offset + 1); } break; } @@ -52,9 +52,9 @@ to 65536. / if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "BLOB[%d]: %s", blob_offset, log_escape_hex(msr->mp, blob + blob_offset, blob_size - blob_offset)); + msr_log(msr, 9, "collection_unpack: BLOB[%d]: %s", blob_offset, log_escape_hex(msr->mp, blob + blob_offset, blob_size - blob_offset)); } - msr_log(msr, 4, "Possibly corrupted database: var name length > 65536 (0x%04x) at blob offset %u-%u.", var->name_len, blob_offset, blob_offset + 1); + msr_log(msr, 4, "collection_unpack: Possibly corrupted database: var name length > 65536 (0x%04x) at blob offset %u-%u.", var->name_len, blob_offset, blob_offset + 1); break; } @@ -73,7 +73,7 @@ var->value_len--; if (log_vars && (msr->txcfg->debuglog_level >= 9)) { - msr_log(msr, 9, "Read variable: name \"%s\", value \"%s\".", + msr_log(msr, 9, "collection_unpack: Read variable: name \"%s\", value \"%s\".", log_escape_ex(msr->mp, var->name, var->name_len), log_escape_ex(msr->mp, var->value, var->value_len)); } @@ -102,7 +102,7 @@ int i; if (msr->txcfg->data_dir == NULL) { - msr_log(msr, 1, "Unable to retrieve collection (name \"%s\", key \"%s\"). Use " + msr_log(msr, 1, "collection_retrieve_ex: Unable to retrieve collection (name \"%s\", key \"%s\"). Use " "SecDataDir to define data directory first.", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, col_key, col_key_len)); goto cleanup; @@ -111,7 +111,7 @@ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", col_name, NULL); if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "collection_retrieve_ex: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name), + msr_log(msr, 9, "collection_retrieve_ex: collection_retrieve_ex: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name), log_escape(msr->mp, dbm_filename)); } @@ -133,7 +133,7 @@ value = (apr_sdbm_datum_t )apr_pcalloc(msr->mp, sizeof(apr_sdbm_datum_t)); rc = apr_sdbm_fetch(dbm, value, key); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed to read from DBM file \"%s\": %s", log_escape(msr->mp, + msr_log(msr, 1, "collection_retrieve_ex: Failed to read from DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc)); goto cleanup; } @@ -177,15 +177,15 @@ } if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Removing key \"%s\" from collection.", key_to_expire + 9); - msr_log(msr, 9, "Removing key \"%s\" from collection.", key_to_expire); + msr_log(msr, 9, "collection_retrieve_ex: Removing key \"%s\" from collection.", key_to_expire + 9); + msr_log(msr, 9, "collection_retrieve_ex: Removing key \"%s\" from collection.", key_to_expire); } apr_table_unset(col, key_to_expire + 9); apr_table_unset(col, key_to_expire); if (msr->txcfg->debuglog_level >= 4) { - msr_log(msr, 4, "Removed expired variable \"%s\".", key_to_expire + 9); + msr_log(msr, 4, "collection_retrieve_ex: Removed expired variable \"%s\".", key_to_expire + 9); } break; @@ -205,7 +205,7 @@ rc = apr_sdbm_open(&dbm, dbm_filename, APR_CREATE \| APR_WRITE \| APR_SHARELOCK, CREATEMODE, msr->mp); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed to access DBM file \"%s\": %s", + msr_log(msr, 1, "collection_retrieve_ex: Failed to access DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc)); dbm = NULL; goto cleanup; @@ -217,7 +217,7 @@ rc = apr_sdbm_delete(dbm, key); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed deleting collection (name \"%s\", " + msr_log(msr, 1, "collection_retrieve_ex: Failed deleting collection (name \"%s\", " "key \"%s\"): %s", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, col_key, col_key_len), get_apr_error(msr->mp, rc)); goto cleanup; @@ -230,11 +230,11 @@ } if (expired && (msr->txcfg->debuglog_level >= 9)) { - msr_log(msr, 9, "Collection expired (name \"%s\", key \"%s\").", col_name, + msr_log(msr, 9, "collection_retrieve_ex: Collection expired (name \"%s\", key \"%s\").", col_name, log_escape_ex(msr->mp, col_key, col_key_len)); } if (msr->txcfg->debuglog_level >= 4) { - msr_log(msr, 4, "Deleted collection (name \"%s\", key \"%s\").", + msr_log(msr, 4, "collection_retrieve_ex: Deleted collection (name \"%s\", key \"%s\").", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, col_key, col_key_len)); } goto cleanup; @@ -278,13 +278,13 @@ } if (msr->txcfg->debuglog_level >= 4) { - msr_log(msr, 4, "Retrieved collection (name \"%s\", key \"%s\").", + msr_log(msr, 4, "collection_retrieve_ex: Retrieved collection (name \"%s\", key \"%s\").", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, col_key, col_key_len)); } if ((existing_dbm == NULL) && dbm) { /* Should not ever get here / - msr_log(msr, 1, "Internal Error: Collection remained open (name \"%s\", key \"%s\").", + msr_log(msr, 1, "collection_retrieve_ex: Internal Error: Collection remained open (name \"%s\", key \"%s\").", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, col_key, col_key_len)); apr_sdbm_close(dbm); @@ -346,7 +346,7 @@ } if (msr->txcfg->data_dir == NULL) { - msr_log(msr, 1, "Unable to store collection (name \"%s\", key \"%s\"). Use " + msr_log(msr, 1, "collection_store: Unable to store collection (name \"%s\", key \"%s\"). Use " "SecDataDir to define data directory first.", log_escape_ex(msr->mp, var_name->value, var_name->value_len), log_escape_ex(msr->mp, var_key->value, var_key->value_len)); goto error; @@ -416,7 +416,7 @@ rc = apr_sdbm_open(&dbm, dbm_filename, APR_CREATE \| APR_WRITE \| APR_SHARELOCK, CREATEMODE, msr->mp); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed to access DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), + msr_log(msr, 1, "collection_store: Failed to access DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc)); dbm = NULL; goto error; @@ -425,7 +425,7 @@ / Need to lock to pull in the stored data again and apply deltas. / rc = apr_sdbm_lock(dbm, APR_FLOCK_EXCLUSIVE); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed to exclusivly lock DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), + msr_log(msr, 1, "collection_store: Failed to exclusivly lock DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc)); goto error; } @@ -435,7 +435,7 @@ orig_col = (const apr_table_t )apr_table_get(msr->collections_original, var_name->value); if (orig_col != NULL) { if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Re-retrieving collection prior to store: %s", + msr_log(msr, 9, "collection_store: Re-retrieving collection prior to store: %s", apr_psprintf(msr->mp, "%.s", var_name->value_len, var_name->value)); } @@ -469,7 +469,7 @@ var->value_len = strlen(var->value); if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Delta applied for %s.%s %d->%d (%d): %d + (%d) = %d [%s,%d]", + msr_log(msr, 9, "collection_store: Delta applied for %s.%s %d->%d (%d): %d + (%d) = %d [%s,%d]", log_escape_ex(msr->mp, var_name->value, var_name->value_len), log_escape_ex(msr->mp, var->name, var->name_len), origval, ourval, delta, storedval, delta, newval, var->value, var->value_len); @@ -523,7 +523,7 @@ blob_offset += 2 + len; if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Wrote variable: name \"%s\", value \"%s\".", + msr_log(msr, 9, "collection_store: Wrote variable: name \"%s\", value \"%s\".", log_escape_ex(msr->mp, var->name, var->name_len), log_escape_ex(msr->mp, var->value, var->value_len)); } @@ -541,7 +541,7 @@ rc = apr_sdbm_store(dbm, key, value, APR_SDBM_REPLACE); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed to write to DBM file \"%s\": %s", dbm_filename, + msr_log(msr, 1, "collection_store: Failed to write to DBM file \"%s\": %s", dbm_filename, get_apr_error(msr->mp, rc)); goto error; } @@ -549,7 +549,7 @@ apr_sdbm_close(dbm); if (msr->txcfg->debuglog_level >= 4) { - msr_log(msr, 4, "Persisted collection (name \"%s\", key \"%s\").", + msr_log(msr, 4, "collection_store: Persisted collection (name \"%s\", key \"%s\").", log_escape_ex(msr->mp, var_name->value, var_name->value_len), log_escape_ex(msr->mp, var_key->value, var_key->value_len)); } @@ -599,7 +599,7 @@ rc = apr_sdbm_open(&dbm, dbm_filename, APR_CREATE \| APR_WRITE \| APR_SHARELOCK, CREATEMODE, msr->mp); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed to access DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), + msr_log(msr, 1, "collections_remove_stale: Failed to access DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc)); dbm = NULL; goto error; @@ -609,7 +609,7 @@ keys_arr = apr_array_make(msr->mp, 256, sizeof(char )); rc = apr_sdbm_lock(dbm, APR_FLOCK_SHARED); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed to lock DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), + msr_log(msr, 1, "collections_remove_stale: Failed to lock DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc)); goto error; } @@ -626,7 +626,7 @@ apr_sdbm_unlock(dbm); if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Found %d record(s) in file \"%s\".", keys_arr->nelts, + msr_log(msr, 9, "collections_remove_stale: Found %d record(s) in file \"%s\".", keys_arr->nelts, log_escape(msr->mp, dbm_filename)); } @@ -638,7 +638,7 @@ rc = apr_sdbm_fetch(dbm, &value, key); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed reading DBM file \"%s\": %s", + msr_log(msr, 1, "collections_remove_stale: Failed reading DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc)); goto error; } @@ -654,14 +654,14 @@ var = (msc_string *)apr_table_get(col, "__expire_KEY"); if (var == NULL) { - msr_log(msr, 1, "Collection cleanup discovered entry with no " + msr_log(msr, 1, "collections_remove_stale: Collection cleanup discovered entry with no " "__expire_KEY (name \"%s\", key \"%s\").", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, key.dptr, key.dsize - 1)); } else { unsigned int expiry_time = atoi(var->value); if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Record (name \"%s\", key \"%s\") set to expire in %" APR_TIME_T_FMT " seconds.", + msr_log(msr, 9, "collections_remove_stale: Record (name \"%s\", key \"%s\") set to expire in %" APR_TIME_T_FMT " seconds.", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, key.dptr, key.dsize - 1), expiry_time - now); } @@ -669,14 +669,14 @@ if (expiry_time <= now) { rc = apr_sdbm_delete(dbm, key); if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Failed deleting collection (name \"%s\", " + msr_log(msr, 1, "collections_remove_stale: Failed deleting collection (name \"%s\", " "key \"%s\"): %s", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, key.dptr, key.dsize - 1), get_apr_error(msr->mp, rc)); goto error; } if (msr->txcfg->debuglog_level >= 4) { - msr_log(msr, 4, "Removed stale collection (name \"%s\", " + msr_log(msr, 4, "collections_remove_stale: Removed stale collection (name \"%s\", " "key \"%s\").", log_escape(msr->mp, col_name), log_escape_ex(msr->mp, key.dptr, key.dsize - 1)); }
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/apache2/re.c ^
@@ -161,7 +161,7 @@ char *err; if(ruleset == NULL) - return apr_psprintf(ruleset->mp, "No ruleset present"); + return NULL; if(p2 == NULL) { return apr_psprintf(ruleset->mp, "Trying to update without a target"); @@ -353,7 +353,7 @@ } #if !defined(MSC_TEST) else { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, " ModSecurity: Error parseing rule targets to replace variable"); + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, " ModSecurity: Error parsing rule targets to replace variable"); } #endif goto end;
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/apache2/re_variables.c ^
@@ -1289,6 +1289,22 @@ return var_simple_generate(var, vartab, mptmp, modsec_build(mptmp)); } +/* MULTIPART_FILENAME / + +static int var_multipart_filename_generate(modsec_rec msr, msre_var var, msre_rule rule, + apr_table_t vartab, apr_pool_t mptmp) +{ + return var_simple_generate(var, vartab, mptmp, msr->multipart_filename); +} + +/* MULTIPART_NAME / + +static int var_multipart_name_generate(modsec_rec msr, msre_var var, msre_rule rule, + apr_table_t vartab, apr_pool_t mptmp) +{ + return var_simple_generate(var, vartab, mptmp, msr->multipart_name); +} + /* MULTIPART_BOUNDARY_QUOTED / static int var_multipart_boundary_quoted_generate(modsec_rec msr, msre_var var, msre_rule rule, @@ -2813,6 +2829,28 @@ PHASE_REQUEST_HEADERS ); + /* MULTIPART_FILENAME / + msre_engine_variable_register(engine, + "MULTIPART_FILENAME", + VAR_SIMPLE, + 0, 0, + NULL, + var_multipart_filename_generate, + VAR_CACHE, + PHASE_REQUEST_BODY + ); + + / MULTIPART_NAME / + msre_engine_variable_register(engine, + "MULTIPART_NAME", + VAR_SIMPLE, + 0, 0, + NULL, + var_multipart_name_generate, + VAR_CACHE, + PHASE_REQUEST_BODY + ); + / MULTIPART_BOUNDARY_QUOTED */ msre_engine_variable_register(engine, "MULTIPART_BOUNDARY_QUOTED",
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/configure ^
@@ -970,6 +970,7 @@ enable_pcre_match_limit enable_pcre_match_limit_recursion enable_lua_cache +enable_htaccess_config enable_request_early enable_errors enable_verbose_output @@ -1640,6 +1641,9 @@ Enable PCRE regex match limit recursion during configure. --enable-lua-cache Enable Lua per transaction cache. + --enable-htaccess-config + Enable some mod_security directives into htaccess + files. --enable-request-early Place phase1 into post_read_request hook. --disable-errors Disable errors during configure. --enable-verbose-output Enable more verbose configure output. @@ -4742,13 +4746,13 @@ else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:4745: $ac_compile\"" >&5) + (eval echo "\"\$as_me:4749: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:4748: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:4752: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:4751: output\"" >&5) + (eval echo "\"\$as_me:4755: output\"" >&5) cat conftest.out >&5 if $GREP 'External.some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -5954,7 +5958,7 @@ ;; --irix6) # Find out which ABI we are using. - echo '#line 5957 "configure"' > conftest.$ac_ext + echo '#line 5961 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -7483,11 +7487,11 @@ -e 's:.FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7486: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7490: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7490: \$? = $ac_status" >&5 + echo "$as_me:7494: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -7822,11 +7826,11 @@ -e 's:.FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7825: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7829: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7829: \$? = $ac_status" >&5 + echo "$as_me:7833: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -7927,11 +7931,11 @@ -e 's:.FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7930: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7934: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:7934: \$? = $ac_status" >&5 + echo "$as_me:7938: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -7982,11 +7986,11 @@ -e 's:.FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7985: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7989: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:7989: \$? = $ac_status" >&5 + echo "$as_me:7993: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -10366,7 +10370,7 @@ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 10369 "configure" +#line 10373 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -10462,7 +10466,7 @@ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 10465 "configure" +#line 10469 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -12681,6 +12685,24 @@ # Enable phase-1 in post_read_request +# Check whether --enable-htaccess-config was given. +if test "${enable_htaccess_config+set}" = set; then : + enableval=$enable_htaccess_config; + if test "$enableval" != "no"; then + htaccess_config="-DHTACCESS_CONFIG" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $htaccess_config" + else + htaccess_config= + fi + +else + + htaccess_config= + +fi + + +# Enable phase-1 in post_read_request # Check whether --enable-request-early was given. if test "${enable_request_early+set}" = set; then : enableval=$enable_request_early; @@ -13010,7 +13032,7 @@ fi fi -MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type" +MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type" APXS_WRAPPER=build/apxs-wrapper APXS_EXTRA_CFLAGS=""
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/configure.ac ^
@@ -356,6 +356,22 @@ ]) # Enable phase-1 in post_read_request +AC_ARG_ENABLE(htaccess-config, + AS_HELP_STRING([--enable-htaccess-config], + [Enable some mod_security directives into htaccess files.]), +[ + if test "$enableval" != "no"; then + htaccess_config="-DHTACCESS_CONFIG" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $htaccess_config" + else + htaccess_config= + fi +], +[ + htaccess_config= +]) + +# Enable phase-1 in post_read_request AC_ARG_ENABLE(request-early, AS_HELP_STRING([--enable-request-early], [Place phase1 into post_read_request hook.]), @@ -634,7 +650,7 @@ fi fi -MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type" +MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type" APXS_WRAPPER=build/apxs-wrapper APXS_EXTRA_CFLAGS=""
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/iis/ModSecurityIIS/Installer/XUnzip.cpp ^
@@ -4132,6 +4132,8 @@ TCHAR dstfull[MAX_PATH]; _tcscpy(dstfull, rootdir); _tcscat(dstfull, (const TCHAR *)dst); + SetFileAttributes( dstfull, GetFileAttributes(dstfull) & ~FILE_ATTRIBUTE_READONLY); + ::DeleteFile(dstfull); h = ::CreateFile(dstfull, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, ze.attr, NULL); }
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/iis/ModSecurityIIS/ModSecurityIIS.sln ^
@@ -2,9 +2,6 @@ Microsoft Visual Studio Solution File, Format Version 11.00 # Visual Studio 2010 Project("{54435603-DBB4-11D2-8724-00A0C9A8B90C}") = "ModSecurityIIS", "ModSecurityIIS\ModSecurityIIS.vdproj", "{3352AEF1-9F2A-47CD-9F63-658553063040}" - ProjectSection(ProjectDependencies) = postProject - {990BB195-6716-4DE3-B5E4-DCFCB1BD7D9C} = {990BB195-6716-4DE3-B5E4-DCFCB1BD7D9C} - EndProjectSection EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Installer", "Installer\Installer.vcxproj", "{990BB195-6716-4DE3-B5E4-DCFCB1BD7D9C}" EndProject
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/iis/ModSecurityIIS/ModSecurityIIS/ModSecurityIIS.vdproj ^
@@ -15,25 +15,25 @@ { "Entry" { - "MsmKey" = "8:_0593BBFCC6154162A5F7E88C4967D8E8" + "MsmKey" = "8:_009A580142D04FE980ED45947D355FE7" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" } "Entry" { - "MsmKey" = "8:_170CE3CF68BE4944BF485C45F31146A0" + "MsmKey" = "8:_0593BBFCC6154162A5F7E88C4967D8E8" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" } "Entry" { - "MsmKey" = "8:_17390F12AE3C4CD7A8BFA284458C87BB" + "MsmKey" = "8:_170CE3CF68BE4944BF485C45F31146A0" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" } "Entry" { - "MsmKey" = "8:_2422B61EFBF047FFBBE92CB70714E99C" + "MsmKey" = "8:_17390F12AE3C4CD7A8BFA284458C87BB" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" } @@ -45,12 +45,6 @@ } "Entry" { - "MsmKey" = "8:_3CE93C3FC5AC3E954253889334FBCDA8" - "OwnerKey" = "8:_CB8446F7ADCD4E3DA3F2C6246FA844A0" - "MsmSig" = "8:_UNDEFINED" - } - "Entry" - { "MsmKey" = "8:_51AF671FCA3544DEA3E5756B5D450275" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" @@ -87,12 +81,6 @@ } "Entry" { - "MsmKey" = "8:_764D5BE911464BEFBCC3BC3B25068987" - "OwnerKey" = "8:_UNDEFINED" - "MsmSig" = "8:_UNDEFINED" - } - "Entry" - { "MsmKey" = "8:_7C2A420982404573B53BE273BC730435" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" @@ -147,12 +135,6 @@ } "Entry" { - "MsmKey" = "8:_CB8446F7ADCD4E3DA3F2C6246FA844A0" - "OwnerKey" = "8:_UNDEFINED" - "MsmSig" = "8:_UNDEFINED" - } - "Entry" - { "MsmKey" = "8:_CEB23D021A2E4EEF9245EEDC143AFBA8" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" @@ -165,13 +147,13 @@ } "Entry" { - "MsmKey" = "8:_DB58E622510C458A81C3B850EDFC782C" + "MsmKey" = "8:_DE7847BDBDC046F29E13230DCDD4F6E3" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" } "Entry" { - "MsmKey" = "8:_DE7847BDBDC046F29E13230DCDD4F6E3" + "MsmKey" = "8:_E86FB9D69F2946038E7BBDD01D619813" "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" } @@ -193,18 +175,6 @@ "OwnerKey" = "8:_UNDEFINED" "MsmSig" = "8:_UNDEFINED" } - "Entry" - { - "MsmKey" = "8:_UNDEFINED" - "OwnerKey" = "8:_764D5BE911464BEFBCC3BC3B25068987" - "MsmSig" = "8:_UNDEFINED" - } - "Entry" - { - "MsmKey" = "8:_UNDEFINED" - "OwnerKey" = "8:_CB8446F7ADCD4E3DA3F2C6246FA844A0" - "MsmSig" = "8:_UNDEFINED" - } } "Configurations" { @@ -279,11 +249,6 @@ "ComponentsUrl" = "8:" "Items" { - "{EDC2488A-8267-493A-A98E-7D9C3B36CDF3}:.NETFramework,Version=v4.0,Profile=Client" - { - "Name" = "8:Microsoft .NET Framework 4 Client Profile (x86 and x64)" - "ProductCode" = "8:.NETFramework,Version=v4.0,Profile=Client" - } "{EDC2488A-8267-493A-A98E-7D9C3B36CDF3}:Microsoft.Visual.C++.10.0.x64" { "Name" = "8:Visual C++ 2010 Runtime Libraries (x64)" @@ -307,62 +272,34 @@ { "CustomAction" { - "{4AA51A2D-7D85-4A59-BA75-B0809FC8B380}:_6AC6216B16A740BFBCF4DFF1FC4FB1CF" + "{4AA51A2D-7D85-4A59-BA75-B0809FC8B380}:_08431F489ECB46FB908D9C6006906D0E" { - "Name" = "8:Primary output from configure (Active)" + "Name" = "8:Installer.exe" "Condition" = "8:" - "Object" = "8:_764D5BE911464BEFBCC3BC3B25068987" + "Object" = "8:_009A580142D04FE980ED45947D355FE7" "FileType" = "3:2" "InstallAction" = "3:4" "Arguments" = "8:uninstall" "EntryPoint" = "8:" "Sequence" = "3:1" - "Identifier" = "8:_F76041EE_48F4_4DC8_9EF8_47ADAD87FEA2" + "Identifier" = "8:_A708DE11_BE76_4BD9_BF40_5243FE900066" "InstallerClass" = "11:FALSE" "CustomActionData" = "8:" } - "{4AA51A2D-7D85-4A59-BA75-B0809FC8B380}:_B8F3E049FAB34050978646B3CC6549F5" - { - "Name" = "8:install.vbs" - "Condition" = "8:" - "Object" = "8:_2422B61EFBF047FFBBE92CB70714E99C" - "FileType" = "3:4" - "InstallAction" = "3:1" - "Arguments" = "8:" - "EntryPoint" = "8:" - "Sequence" = "3:2" - "Identifier" = "8:_CB90C8D4_3928_4ACA_9263_454FD47BB545" - "InstallerClass" = "11:FALSE" - "CustomActionData" = "8:[TARGETDIR]" - } - "{4AA51A2D-7D85-4A59-BA75-B0809FC8B380}:_C6B6E1FCC7E6471F914483477DA0D4B6" + "{4AA51A2D-7D85-4A59-BA75-B0809FC8B380}:_9C73118A4CD14A65BD57D7CC552AAD79" { - "Name" = "8:Primary output from configure (Active)" + "Name" = "8:Installer.exe" "Condition" = "8:" - "Object" = "8:_764D5BE911464BEFBCC3BC3B25068987" + "Object" = "8:_009A580142D04FE980ED45947D355FE7" "FileType" = "3:2" "InstallAction" = "3:1" "Arguments" = "8:\"[TARGETDIR]\"" "EntryPoint" = "8:" "Sequence" = "3:1" - "Identifier" = "8:_6EC4042E_4AC8_4584_A326_BE8E22FF087D" + "Identifier" = "8:_166E62F8_D2C0_4A30_A2FE_EF5B53066941" "InstallerClass" = "11:FALSE" "CustomActionData" = "8:" } - "{4AA51A2D-7D85-4A59-BA75-B0809FC8B380}:_C9D5851C213E4B928C42AC01EEF1458A" - { - "Name" = "8:uninstall.vbs" - "Condition" = "8:" - "Object" = "8:_DB58E622510C458A81C3B850EDFC782C" - "FileType" = "3:4" - "InstallAction" = "3:4" - "Arguments" = "8:" - "EntryPoint" = "8:" - "Sequence" = "3:2" - "Identifier" = "8:_1DC83628_1D76_474B_92FD_C7C13056C010" - "InstallerClass" = "11:FALSE" - "CustomActionData" = "8:[TARGETDIR]" - } } "DefaultFeature" { @@ -374,24 +311,16 @@ { "LaunchCondition" { - "{A06ECF26-33A3-4562-8140-9B0E340D4F24}:_147B76BCD529406A806B4AD361E520C1" - { - "Name" = "8:.NET Framework" - "Message" = "8:[VSDNETMSG]" - "FrameworkVersion" = "8:.NETFramework,Version=v4.0,Profile=Client" - "AllowLaterVersions" = "11:FALSE" - "InstallUrl" = "8:http://go.microsoft.com/fwlink/?LinkId=131000" - } } } "File" { - "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_0593BBFCC6154162A5F7E88C4967D8E8" + "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_009A580142D04FE980ED45947D355FE7" { - "SourcePath" = "8:x86\\pcre.dll" - "TargetName" = "8:pcre.dll" + "SourcePath" = "8:..\\Release\\Installer.exe" + "TargetName" = "8:Installer.exe" "Tag" = "8:" - "Folder" = "8:_D7AEA61DD2D746158A1F5660E4C59AB8" + "Folder" = "8:_565C3432A64049EAA7CA6E8C007B2188" "Condition" = "8:" "Transitive" = "11:FALSE" "Vital" = "11:TRUE" @@ -406,10 +335,10 @@ "IsDependency" = "11:FALSE" "IsolateTo" = "8:" } - "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_170CE3CF68BE4944BF485C45F31146A0" + "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_0593BBFCC6154162A5F7E88C4967D8E8" { - "SourcePath" = "8:x86\\libapr-1.dll" - "TargetName" = "8:libapr-1.dll" + "SourcePath" = "8:x86\\pcre.dll" + "TargetName" = "8:pcre.dll" "Tag" = "8:" "Folder" = "8:_D7AEA61DD2D746158A1F5660E4C59AB8" "Condition" = "8:" @@ -426,12 +355,12 @@ "IsDependency" = "11:FALSE" "IsolateTo" = "8:" } - "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_17390F12AE3C4CD7A8BFA284458C87BB" + "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_170CE3CF68BE4944BF485C45F31146A0" { - "SourcePath" = "8:ModSecurity.xml" - "TargetName" = "8:ModSecurity.xml" + "SourcePath" = "8:x86\\libapr-1.dll" + "TargetName" = "8:libapr-1.dll" "Tag" = "8:" - "Folder" = "8:_565C3432A64049EAA7CA6E8C007B2188" + "Folder" = "8:_D7AEA61DD2D746158A1F5660E4C59AB8" "Condition" = "8:" "Transitive" = "11:FALSE" "Vital" = "11:TRUE" @@ -446,10 +375,10 @@ "IsDependency" = "11:FALSE" "IsolateTo" = "8:" } - "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_2422B61EFBF047FFBBE92CB70714E99C" + "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_17390F12AE3C4CD7A8BFA284458C87BB" { - "SourcePath" = "8:install.vbs" - "TargetName" = "8:install.vbs" + "SourcePath" = "8:ModSecurity.xml" + "TargetName" = "8:ModSecurity.xml" "Tag" = "8:" "Folder" = "8:_565C3432A64049EAA7CA6E8C007B2188" "Condition" = "8:" @@ -462,7 +391,7 @@ "SharedLegacy" = "11:FALSE" "PackageAs" = "3:1" "Register" = "3:1" - "Exclude" = "11:TRUE" + "Exclude" = "11:FALSE" "IsDependency" = "11:FALSE" "IsolateTo" = "8:" } @@ -486,26 +415,6 @@ "IsDependency" = "11:FALSE" "IsolateTo" = "8:" } - "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_3CE93C3FC5AC3E954253889334FBCDA8" - { - "SourcePath" = "8:nativerd.dll" - "TargetName" = "8:nativerd.dll" - "Tag" = "8:" - "Folder" = "8:_565C3432A64049EAA7CA6E8C007B2188" - "Condition" = "8:" - "Transitive" = "11:FALSE" - "Vital" = "11:TRUE" - "ReadOnly" = "11:FALSE" - "Hidden" = "11:FALSE" - "System" = "11:FALSE" - "Permanent" = "11:FALSE" - "SharedLegacy" = "11:FALSE" - "PackageAs" = "3:1" - "Register" = "3:1" - "Exclude" = "11:FALSE" - "IsDependency" = "11:TRUE" - "IsolateTo" = "8:" - } "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_51AF671FCA3544DEA3E5756B5D450275" { "SourcePath" = "8:x86\\ModSecurityIIS.dll" @@ -806,37 +715,6 @@ "IsDependency" = "11:FALSE" "IsolateTo" = "8:" } - "{9F6F8455-1EF1-4B85-886A-4223BCC8E7F7}:_CB8446F7ADCD4E3DA3F2C6246FA844A0" - { - "AssemblyRegister" = "3:1" - "AssemblyIsInGAC" = "11:FALSE" - "AssemblyAsmDisplayName" = "8:Interop.AppHostAdminLibrary, Version=1.0.0.0, Culture=neutral, processorArchitecture=x86" - "ScatterAssemblies" - { - "_CB8446F7ADCD4E3DA3F2C6246FA844A0" - { - "Name" = "8:Interop.AppHostAdminLibrary.dll" - "Attributes" = "3:512" - } - } - "SourcePath" = "8:installer project\\bin\\Release\\Interop.AppHostAdminLibrary.dll" - "TargetName" = "8:" - "Tag" = "8:" - "Folder" = "8:_565C3432A64049EAA7CA6E8C007B2188" - "Condition" = "8:" - "Transitive" = "11:FALSE" - "Vital" = "11:TRUE" - "ReadOnly" = "11:FALSE" - "Hidden" = "11:FALSE" - "System" = "11:FALSE" - "Permanent" = "11:FALSE" - "SharedLegacy" = "11:FALSE" - "PackageAs" = "3:1" - "Register" = "3:1" - "Exclude" = "11:FALSE" - "IsDependency" = "11:FALSE" - "IsolateTo" = "8:" - } "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_CEB23D021A2E4EEF9245EEDC143AFBA8" { "SourcePath" = "8:amd64\\ModSecurityIIS.dll" @@ -877,12 +755,12 @@ "IsDependency" = "11:FALSE" "IsolateTo" = "8:" } - "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_DB58E622510C458A81C3B850EDFC782C" + "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_DE7847BDBDC046F29E13230DCDD4F6E3" { - "SourcePath" = "8:uninstall.vbs" - "TargetName" = "8:uninstall.vbs" + "SourcePath" = "8:x86\\lua5.1.dll" + "TargetName" = "8:lua5.1.dll" "Tag" = "8:" - "Folder" = "8:_565C3432A64049EAA7CA6E8C007B2188" + "Folder" = "8:_D7AEA61DD2D746158A1F5660E4C59AB8" "Condition" = "8:" "Transitive" = "11:FALSE" "Vital" = "11:TRUE" @@ -893,16 +771,16 @@ "SharedLegacy" = "11:FALSE" "PackageAs" = "3:1" "Register" = "3:1" - "Exclude" = "11:TRUE" + "Exclude" = "11:FALSE" "IsDependency" = "11:FALSE" "IsolateTo" = "8:" } - "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_DE7847BDBDC046F29E13230DCDD4F6E3" + "{1FB2D0AE-D3B9-43D4-B9DD-F88EC61E35DE}:_E86FB9D69F2946038E7BBDD01D619813" { - "SourcePath" = "8:x86\\lua5.1.dll" - "TargetName" = "8:lua5.1.dll" + "SourcePath" = "8:owasp_crs.zip" + "TargetName" = "8:owasp_crs.zip" "Tag" = "8:" - "Folder" = "8:_D7AEA61DD2D746158A1F5660E4C59AB8" + "Folder" = "8:_565C3432A64049EAA7CA6E8C007B2188" "Condition" = "8:" "Transitive" = "11:FALSE" "Vital" = "11:TRUE" @@ -1056,7 +934,7 @@ "Name" = "8:Microsoft Visual Studio" "ProductName" = "8:ModSecurity IIS" "ProductCode" = "8:{81EE8A4A-5128-4CDB-97B2-06B147E8B4B8}" - "PackageCode" = "8:{B5E59B35-BF44-4075-B9F5-C251002DF58E}" + "PackageCode" = "8:{4F65AFE0-1E8A-4F79-98D5-1D7C1C39ABCC}" "UpgradeCode" = "8:{7B32CF94-443C-47BB-91C3-0E9D3D12DF8B}" "AspNetVersion" = "8:4.0.30319.0" "RestartWWWService" = "11:FALSE" @@ -1777,34 +1655,6 @@ } "ProjectOutput" { - "{5259A561-127C-4D43-A0A1-72F10C7B3BF8}:_764D5BE911464BEFBCC3BC3B25068987" - { - "SourcePath" = "8:installer project\\obj\\x86\\Release\\configure.exe" - "TargetName" = "8:" - "Tag" = "8:" - "Folder" = "8:_565C3432A64049EAA7CA6E8C007B2188" - "Condition" = "8:" - "Transitive" = "11:FALSE" - "Vital" = "11:TRUE" - "ReadOnly" = "11:FALSE" - "Hidden" = "11:FALSE" - "System" = "11:FALSE" - "Permanent" = "11:FALSE" - "SharedLegacy" = "11:FALSE" - "PackageAs" = "3:1" - "Register" = "3:1" - "Exclude" = "11:FALSE" - "IsDependency" = "11:FALSE" - "IsolateTo" = "8:" - "ProjectOutputGroupRegister" = "3:1" - "OutputConfiguration" = "8:" - "OutputGroupCanonicalName" = "8:Built" - "OutputProjectGuid" = "8:{023E10BD-4FF6-4401-9A40-AED9717073F2}" - "ShowKeyOutput" = "11:TRUE" - "ExcludeFilters" - { - } - } } } }
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/iis/ModSecurityIIS/ModSecurityIIS/readme.rtf ^
@@ -58,9 +58,9 @@ \leveltemplateid1225817962\'01\'95;}{\levelnumbers;}\f1\fbias0 \fi-360\li5760\jclisttab\tx5760\lin5760 }{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\lvltentative\levelspace0\levelindent0{\leveltext \leveltemplateid1897401684\'01\'95;}{\levelnumbers;}\f1\fbias0 \fi-360\li6480\jclisttab\tx6480\lin6480 }{\listname ;}\listid652101753}}{\\listoverridetable{\listoverride\listid625282538\listoverridecount0\ls1}{\listoverride\listid652101753 \listoverridecount0\ls2}}{\\pgptbl {\pgp\ipgp10\itap0\li720\ri0\sb0\sa240}{\pgp\ipgp10\itap0\li720\ri0\sb0\sa240}{\pgp\ipgp10\itap0\li720\ri0\sb0\sa240}{\pgp\ipgp10\itap0\li720\ri0\sb0\sa240}{\pgp\ipgp6\itap0\li0\ri0\sb0\sa0}{\pgp\ipgp8\itap0\li0\ri0\sb0 -\sa0}{\pgp\ipgp0\itap0\li0\ri0\sb0\sa0}{\pgp\ipgp7\itap0\li0\ri0\sb0\sa0}{\pgp\ipgp10\itap0\li720\ri0\sb0\sa240}{\pgp\ipgp0\itap0\li0\ri0\sb0\sa0}}{\\rsidtbl \rsid1197496\rsid2315486\rsid3168183\rsid4593034\rsid6385683\rsid6633290\rsid6754893\rsid6967166 -\rsid9512544\rsid10098429\rsid12742482\rsid13639667\rsid16350125\rsid16593896}{\mmathPr\mmathFont34\mbrkBin0\mbrkBinSub0\msmallFrac0\mdispDef1\mlMargin0\mrMargin0\mdefJc1\mwrapIndent1440\mintLim0\mnaryLim1}{\info{\author Suha Can}{\operator Greg} -{\creatim\yr2012\mo6\dy4\hr11\min43}{\revtim\yr2013\mo1\dy17\hr16\min15}{\version9}{\edmins12}{\nofpages1}{\nofwords173}{\nofchars992}{\\company Microsoft Corporation}{\nofcharsws1163}{\vern49275}}{\\xmlnstbl {\xmlns1 http://schemas.microsoft.com/office +\sa0}{\pgp\ipgp0\itap0\li0\ri0\sb0\sa0}{\pgp\ipgp7\itap0\li0\ri0\sb0\sa0}{\pgp\ipgp10\itap0\li720\ri0\sb0\sa240}{\pgp\ipgp0\itap0\li0\ri0\sb0\sa0}}{\\rsidtbl \rsid1197496\rsid2315486\rsid3168183\rsid4593034\rsid6385683\rsid6633290\rsid6967166\rsid9512544 +\rsid10098429\rsid12742482\rsid13639667\rsid16350125\rsid16593896}{\mmathPr\mmathFont34\mbrkBin0\mbrkBinSub0\msmallFrac0\mdispDef1\mlMargin0\mrMargin0\mdefJc1\mwrapIndent1440\mintLim0\mnaryLim1}{\info{\author Suha Can}{\operator Greg} +{\creatim\yr2012\mo6\dy4\hr11\min43}{\revtim\yr2013\mo1\dy15\hr9\min48}{\version8}{\edmins11}{\nofpages1}{\nofwords176}{\nofchars1008}{\\company Microsoft Corporation}{\nofcharsws1182}{\vern49275}}{\\xmlnstbl {\xmlns1 http://schemas.microsoft.com/office /word/2003/wordml}}\paperw12240\paperh15840\margl1440\margr1440\margt1440\margb1440\gutter0\ltrsect \widowctrl\ftnbj\aenddoc\trackmoves0\trackformatting1\donotembedsysfont1\relyonvml0\donotembedlingdata0\grfdocevents0\validatexml1\showplaceholdtext0\ignoremixedcontent0\saveinvalidxml0\showxmlerrors1\noxlattoyen \expshrtn\noultrlspc\dntblnsbdb\nospaceforul\formshade\horzdoc\dgmargin\dghspace180\dgvspace180\dghorigin1440\dgvorigin1440\dghshow1\dgvshow1 @@ -75,44 +75,44 @@ \par }\pard\plain \ltrpar\ql \li0\ri0\sa200\sl276\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid16350125 \rtlch\fcs1 \af0\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\cgrid\langnp1033\langfenp1033 { \rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 ModSecurity home page }{\field\fldedit{\\fldinst {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486 HYPERLINK "http://www.modsecurity.org"}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486\charrsid16350125 {\\datafield -00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b5000000068007400740070003a002f002f007700770077002e006d006f006400730065006300750072006900740079002e006f00720067002f000000795881f43b1d7f48af2c825dc485276300000000a5ab00000000} -}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 http://www.modsecurity.org}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\field\fldedit{\\fldinst {\rtlch\fcs1 \af0\afs24 +00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b5000000068007400740070003a002f002f007700770077002e006d006f006400730065006300750072006900740079002e006f00720067002f000000795881f43b1d7f48af2c825dc485276300000000a5ab000000}} +}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 http://www.modsecurity.org}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\field\fldedit{\\fldinst {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 HYPERLINK "http://engineering/" }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486\charrsid16350125 {\\datafield -00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b4000000068007400740070003a002f002f0065006e00670069006e0065006500720069006e0067002f000000795881f43b1d7f48af2c825dc485276300000000a5ab00000000}}}{\fldrslt {\rtlch\fcs1 +00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b4000000068007400740070003a002f002f0065006e00670069006e0065006500720069006e0067002f000000795881f43b1d7f48af2c825dc485276300000000a5ab000000}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 /}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 \par OWASP Core Rule Set for ModSecurity: }{\field\fldedit{\\fldinst {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 HYPERLINK "https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project" }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486\charrsid16350125 {\\datafield 00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90bba000000680074007400700073003a002f002f007700770077002e006f0077006100730070002e006f00720067002f0069006e006400650078002e007000680070002f00430061007400650067006f00720079003a00 -4f0057004100530050005f004d006f006400530065006300750072006900740079005f0043006f00720065005f00520075006c0065005f005300650074005f00500072006f006a006500630074000000795881f43b1d7f48af2c825dc485276300000000a5ab00000016}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 +4f0057004100530050005f004d006f006400530065006300750072006900740079005f0043006f00720065005f00520075006c0065005f005300650074005f00500072006f006a006500630074000000795881f43b1d7f48af2c825dc485276300000000a5ab000000}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 https://}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\field\fldedit{\\fldinst {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486 HYPERLINK "https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project"}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486\charrsid16350125 {\\datafield 00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90bba000000680074007400700073003a002f002f007700770077002e006f0077006100730070002e006f00720067002f0069006e006400650078002e007000680070002f00430061007400650067006f00720079003a00 -4f0057004100530050005f004d006f006400530065006300750072006900740079005f0043006f00720065005f00520075006c0065005f005300650074005f00500072006f006a006500630074000000795881f43b1d7f48af2c825dc485276300000000a5ab00000000}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 +4f0057004100530050005f004d006f006400530065006300750072006900740079005f0043006f00720065005f00520075006c0065005f005300650074005f00500072006f006a006500630074000000795881f43b1d7f48af2c825dc485276300000000a5ab000000}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 \par }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290 The OWASP CRS was installed on your system drive, under }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \b\f0\fs24\insrsid6633290\charrsid6633290 inetpub\\wwwroot\\owasp_crs}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290 \par You can include it in your website by adding to your }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \b\f0\fs24\insrsid6633290\charrsid6633290 web.config}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290 file, in }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \b\f0\fs24\insrsid6633290\charrsid6633290 system.webServer}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290 section: -\par }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290\charrsid6633290 <ModSecurity enabled="true" configFile="}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290 owasp_crs\\}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 -\f0\fs24\insrsid6633290\charrsid6633290 modsecurity}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290 _iis}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290\charrsid6633290 .conf" /> +\par }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290\charrsid6633290 <ModSecurity enabled="true" configFile="c:\\inetpub\\wwwroot\\}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290 owasp_crs\\}{\rtlch\fcs1 \af0\afs24 +\ltrch\fcs0 \f0\fs24\insrsid6633290\charrsid6633290 modsecurity}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290 _iis}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6633290\charrsid6633290 .conf" /> \par }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\lang1045\langfe1033\langnp1045\insrsid6385683\charrsid16350125 MSRC blog }{\field\fldedit{\\fldinst {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\lang1045\langfe1033\langnp1045\insrsid6385683\charrsid16350125 HYPERLINK "http://blogs.technet.com/b/srd/" }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\lang1045\langfe1033\langnp1045\insrsid2315486\charrsid16350125 {\\datafield 00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b5800000068007400740070003a002f002f0062006c006f00670073002e0074006500630068006e00650074002e0063006f006d002f0062002f007300720064002f000000795881f43b1d7f48af2c825dc48527630000 -0000a5ab00000000}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\lang1045\langfe1033\langnp1045\insrsid6385683\charrsid16350125 http://blogs.technet.com/b/srd/}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj { +0000a5ab000000}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\lang1045\langfe1033\langnp1045\insrsid6385683\charrsid16350125 http://blogs.technet.com/b/srd/}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj { \rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\lang1045\langfe1033\langnp1045\insrsid6385683\charrsid16350125 }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\lang1045\langfe1033\langnp1045\insrsid6385683\charrsid6633290 \par }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 Trustwave SpiderLabs blog: }{\field\fldedit{\\fldinst {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486 HYPERLINK "http://blog.spiderlabs.com/"}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486\charrsid16350125 {\\datafield -00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b5000000068007400740070003a002f002f0062006c006f0067002e007300700069006400650072006c006100620073002e0063006f006d002f000000795881f43b1d7f48af2c825dc485276300000000a5ab00000000} -}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 http://blog.spiderlabs.com}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\field\fldedit{\\fldinst {\rtlch\fcs1 \af0\afs24 +00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b5000000068007400740070003a002f002f0062006c006f0067002e007300700069006400650072006c006100620073002e0063006f006d002f000000795881f43b1d7f48af2c825dc485276300000000a5ab000000}} +}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 http://blog.spiderlabs.com}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\field\fldedit{\\fldinst {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 HYPERLINK "http://blog.spiderlabs.com/" }{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486\charrsid16350125 {\\datafield -00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b5000000068007400740070003a002f002f0062006c006f0067002e007300700069006400650072006c006100620073002e0063006f006d002f000000795881f43b1d7f48af2c825dc485276300000000a5ab00000000} -}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 /}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 +00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b5000000068007400740070003a002f002f0062006c006f0067002e007300700069006400650072006c006100620073002e0063006f006d002f000000795881f43b1d7f48af2c825dc485276300000000a5ab000000}} +}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 /}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 \par Trustwave Commercial Rule Set for ModSecurity: }{\field\fldedit{\\fldinst {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486 HYPERLINK "https://www.trustwave.com/modsecurity-rules-support.php"}{\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid2315486\charrsid16350125 {\\datafield 00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b88000000680074007400700073003a002f002f007700770077002e007400720075007300740077006100760065002e0063006f006d002f006d006f006400730065006300750072006900740079002d00720075006c00 -650073002d0073007500700070006f00720074002e007000680070000000795881f43b1d7f48af2c825dc485276300000000a5ab00000000}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 +650073002d0073007500700070006f00720074002e007000680070000000795881f43b1d7f48af2c825dc485276300000000a5ab000000}}}{\fldrslt {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \cs16\f0\fs24\ul\cf2\insrsid6385683\charrsid16350125 https://www.trustwave.com/modsecurity-rules-support.php}}}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\rtlch\fcs1 \af0\afs24 \ltrch\fcs0 \f0\fs24\insrsid6385683\charrsid16350125 \par }\pard \ltrpar\ql \li0\ri0\sa200\sl276\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0 {\rtlch\fcs1 \af0 \ltrch\fcs0 \insrsid6967166 \par }{\*\themedata 504b030414000600080000002100e9de0fbfff0000001c020000130000005b436f6e74656e745f54797065735d2e786d6cac91cb4ec3301045f748fc83e52d4a @@ -220,8 +220,8 @@ ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff -ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffffffffffff0c6ad98892f1d411a65f0040963251e5000000000000000000000000f0d5 -16df10f5cd01feffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000 +ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffffffffffff0c6ad98892f1d411a65f0040963251e5000000000000000000000000e065 +dc7748f3cd01feffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000105000000000000}} \ No newline at end of file
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/iis/mymodulefactory.h ^
@@ -20,14 +20,17 @@ // of CMyHttpModule for each request. class CMyHttpModuleFactory : public IHttpModuleFactory { - CMyHttpModule * m_pModule; + CMyHttpModule * m_pModule; + CRITICAL_SECTION m_csLock; public: CMyHttpModuleFactory() { m_pModule = NULL; + + InitializeCriticalSection(&m_csLock); } - + virtual HRESULT GetHttpModule( @@ -43,6 +46,8 @@ goto Finished; } + EnterCriticalSection(&m_csLock); + if(m_pModule == NULL) { m_pModule = new CMyHttpModule(); @@ -54,6 +59,8 @@ } } + LeaveCriticalSection(&m_csLock); + *ppModule = m_pModule; Finished:
[-] [+]	Added	modsecurity-apache_2.7.3.tar.bz2/nginx/modsecurity/apr_bucket_nginx.c ^
@@ -0,0 +1,239 @@ + +#include <apr_bucket_nginx.h> + +static apr_status_t nginx_bucket_read(apr_bucket b, const char str, + apr_size_t len, apr_read_type_e block); +static void nginx_bucket_destroy(void data); + +static const apr_bucket_type_t apr_bucket_type_nginx = { + "NGINX", 5, APR_BUCKET_DATA, + nginx_bucket_destroy, + nginx_bucket_read, + apr_bucket_setaside_noop, + apr_bucket_shared_split, + apr_bucket_shared_copy +}; + + +typedef struct apr_bucket_nginx { + apr_bucket_refcount refcount; + ngx_buf_t buf; +} apr_bucket_nginx; + +/* ngx_buf_t to apr_bucket / +apr_bucket apr_bucket_nginx_create(ngx_buf_t buf, + apr_pool_t p, + apr_bucket_alloc_t list) +{ + + apr_bucket b = apr_bucket_alloc(sizeof(b), list); + + APR_BUCKET_INIT(b); / link / + b->free = apr_bucket_free; + b->list = list; + return apr_bucket_nginx_make(b, buf, p); +} + +apr_bucket apr_bucket_nginx_make(apr_bucket b, ngx_buf_t buf, + apr_pool_t pool) +{ + apr_bucket_nginx n; + + n = apr_bucket_alloc(sizeof(n), b->list); + + n->buf = buf; + + b = apr_bucket_shared_make(b, n, 0, ngx_buf_size(buf)); + b->type = &apr_bucket_type_nginx; + return b; +} + +static apr_status_t nginx_bucket_read(apr_bucket b, const char *str, + apr_size_t len, apr_read_type_e block) +{ + apr_bucket_nginx n = b->data; + ngx_buf_t buf = n->buf; + u_char data; + ssize_t size; + + if (buf->pos == NULL && ngx_buf_size(buf) != 0) { + data = apr_bucket_alloc(ngx_buf_size(buf), b->list); + if (data == NULL) { + return APR_EGENERAL; + } + + size = ngx_read_file(buf->file, data, ngx_buf_size(buf), buf->file_pos); + if (size != ngx_buf_size(buf)) { + apr_bucket_free(data); + return APR_EGENERAL; + } + buf->pos = data; + } + + str = (char )buf->pos + b->start; + len = b->length; + + return APR_SUCCESS; +} + + +static void nginx_bucket_destroy(void data) +{ + apr_bucket_nginx n = data; + ngx_buf_t buf = n->buf; + + if (apr_bucket_shared_destroy(n)) { + if (!ngx_buf_in_memory(buf) && buf->pos != NULL) { + apr_bucket_free(buf->pos); + buf->pos = NULL; + } + apr_bucket_free(n); + } +} + +ngx_buf_t apr_bucket_to_ngx_buf(apr_bucket e, ngx_pool_t pool) { + ngx_buf_t buf, b; + apr_bucket_nginx n; + ngx_uint_t len; + u_char data; + + if (e->type->is_metadata) { + return NULL; + } + + if (e->type == &apr_bucket_type_nginx) { + n = e->data; + b = n->buf; + + /* whole buf / + if (e->length == (apr_size_t)ngx_buf_size(b)) { + b->last_buf = 0; + return b; + } + + buf = ngx_palloc(pool, sizeof(ngx_buf_t)); + if (buf == NULL) { + return NULL; + } + ngx_memcpy(buf, b, sizeof(ngx_buf_t)); + + if (ngx_buf_in_memory(buf)) { + buf->start = buf->pos = buf->pos + e->start; + buf->end = buf->last = buf->pos + e->length; + } else { + buf->pos = NULL; + buf->file_pos += e->start; + buf->file_last = buf->file_pos + e->length; + } + + buf->last_buf = 0; + return buf; + } + + if (apr_bucket_read(e, (const char )&data, + &len, APR_BLOCK_READ) != APR_SUCCESS) { + return NULL; + } + + buf = ngx_calloc_buf(pool); + if (buf == NULL) { + return NULL; + } + + if (e->type == &apr_bucket_type_pool) { + buf->start = data; + } else if (len != 0) { + buf->start = ngx_palloc(pool, len); + ngx_memcpy(buf->start, data, len); + } + + buf->pos = buf->start; + buf->end = buf->last = buf->start + len; + buf->temporary = 1; + return buf; +} + +ngx_int_t +move_chain_to_brigade(ngx_chain_t chain, apr_bucket_brigade bb, ngx_pool_t pool, ngx_int_t last_buf) { + apr_bucket e; + ngx_chain_t cl; + + while (chain) { + e = ngx_buf_to_apr_bucket(chain->buf, bb->p, bb->bucket_alloc); + if (e == NULL) { + return NGX_ERROR; + } + + APR_BRIGADE_INSERT_TAIL(bb, e); + if (chain->buf->last_buf) { + e = apr_bucket_eos_create(bb->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, e); + chain->buf->last_buf = 0; + return NGX_OK; + } + cl = chain; + chain = chain->next; + ngx_free_chain(pool, cl); + } + + if (last_buf) { + e = apr_bucket_eos_create(bb->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, e); + return NGX_OK; + } + + return NGX_AGAIN; +} + +ngx_int_t +move_brigade_to_chain(apr_bucket_brigade bb, ngx_chain_t ll, ngx_pool_t pool) { + apr_bucket e; + ngx_buf_t buf; + ngx_chain_t cl; + + cl = NULL; + + if (APR_BRIGADE_EMPTY(bb)) { + ll = NULL; + return NGX_OK; + } + + for (e = APR_BRIGADE_FIRST(bb); + e != APR_BRIGADE_SENTINEL(bb); + e = APR_BUCKET_NEXT(e)) { + + if (APR_BUCKET_IS_EOS(e)) { + if (cl == NULL) { + ll = cl; + } else { + cl->buf->last_buf = 1; + } + apr_brigade_cleanup(bb); + return NGX_OK; + } + + if (APR_BUCKET_IS_METADATA(e)) { + continue; + } + + buf = apr_bucket_to_ngx_buf(e, pool); + if (buf == NULL) { + break; + } + + cl = ngx_alloc_chain_link(pool); + if (cl == NULL) { + break; + } + + cl->buf = buf; + cl->next = NULL; + ll = cl; + ll = &cl->next; + } + + apr_brigade_cleanup(bb); + /* no eos or error */ + return NGX_ERROR; +} +
[-] [+]	Added	modsecurity-apache_2.7.3.tar.bz2/nginx/modsecurity/apr_bucket_nginx.h ^
@@ -0,0 +1,18 @@ +#pragma once +#include <ngx_core.h> +#include "apr_buckets.h" + +apr_bucket * apr_bucket_nginx_create(ngx_buf_t buf, + apr_pool_t p, + apr_bucket_alloc_t list); + +apr_bucket apr_bucket_nginx_make(apr_bucket e, ngx_buf_t buf, + apr_pool_t pool); + +#define ngx_buf_to_apr_bucket apr_bucket_nginx_create + +ngx_buf_t apr_bucket_to_ngx_buf(apr_bucket e, ngx_pool_t pool); + +ngx_int_t move_chain_to_brigade(ngx_chain_t chain, apr_bucket_brigade bb, ngx_pool_t pool, ngx_int_t last_buf); +ngx_int_t move_brigade_to_chain(apr_bucket_brigade bb, ngx_chain_t *chain, ngx_pool_t pool); +
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/nginx/modsecurity/config ^
@@ -1,6 +1,7 @@ ngx_addon_name=ngx_http_modsecurity -HTTP_MODULES="$HTTP_MODULES ngx_http_modsecurity" -NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_modsecurity.c" -NGX_ADDON_DEPS="$NGX_ADDON_DEPS" -CORE_LIBS="$CORE_LIBS $ngx_addon_dir/../../standalone/.libs/standalone.a -lapr-1 -laprutil-1 -lxml2 -lm" -CORE_INCS="$CORE_INCS /usr/include/apache2 /usr/include/apr-1.0 /usr/include/httpd /usr/include/apr-1 $ngx_addon_dir/../../standalone $ngx_addon_dir/../../apache2 /usr/include/libxml2" +CORE_MODULES="$CORE_MODULES ngx_pool_context_module" +HTTP_AUX_FILTER_MODULES="ngx_http_modsecurity $HTTP_AUX_FILTER_MODULES" +NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_modsecurity.c $ngx_addon_dir/apr_bucket_nginx.c $ngx_addon_dir/ngx_pool_context.c" +NGX_ADDON_DEPS="$NGX_ADDON_DEPS $ngx_addon_dir/apr_bucket_nginx.h $ngx_addon_dir/ngx_pool_context.h" +CORE_LIBS="$CORE_LIBS $ngx_addon_dir/../../standalone/.libs/standalone.a -lapr-1 -laprutil-1 -lxml2 -lm " +CORE_INCS="$CORE_INCS /usr/include/apache2 /usr/include/apr-1.0 /usr/include/httpd /usr/include/apr-1 $ngx_addon_dir $ngx_addon_dir/../../standalone $ngx_addon_dir/../../apache2 /usr/include/libxml2 "
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/nginx/modsecurity/ngx_http_modsecurity.c ^
@@ -12,14 +12,9 @@ * directly using the email address security@modsecurity.org. / -#include <nginx.h> -#include <ngx_config.h> -#include <ngx_core.h> #include <ngx_http.h> -#include <ngx_event.h> -#include <ngx_http_core_module.h> -#include <ctype.h> -#include <sys/times.h> +#include <apr_bucket_nginx.h> +#include <ngx_pool_context.h> #undef CR #undef LF @@ -32,17 +27,18 @@ typedef struct { ngx_flag_t enable; directory_config config; + + ngx_str_t file; + ngx_uint_t line; } ngx_http_modsecurity_loc_conf_t; typedef struct { ngx_http_request_t r; conn_rec connection; request_rec req; - ngx_chain_t chain; - ngx_buf_t buf; - void loc_conf; - unsigned request_body_in_single_buf:1; - unsigned request_body_in_file_only:1; + + apr_bucket_brigade brigade; + unsigned complete; } ngx_http_modsecurity_ctx_t; @@ -50,7 +46,9 @@ ** Module's registred function/handlers. / static ngx_int_t ngx_http_modsecurity_handler(ngx_http_request_t r); -static void ngx_http_modsecurity_request_body_handler(ngx_http_request_t r); +static void ngx_http_modsecurity_body_handler(ngx_http_request_t r); +static ngx_int_t ngx_http_modsecurity_header_filter(ngx_http_request_t r); +static ngx_int_t ngx_http_modsecurity_body_filter(ngx_http_request_t r, ngx_chain_t in); static ngx_int_t ngx_http_modsecurity_preconfiguration(ngx_conf_t cf); static ngx_int_t ngx_http_modsecurity_init(ngx_conf_t cf); static ngx_int_t ngx_http_modsecurity_init_process(ngx_cycle_t cycle); @@ -58,14 +56,16 @@ static void ngx_http_modsecurity_create_loc_conf(ngx_conf_t cf); static char ngx_http_modsecurity_merge_loc_conf(ngx_conf_t cf, void parent, void child); static char ngx_http_modsecurity_config(ngx_conf_t cf, ngx_command_t cmd, void conf); -apr_status_t modsecurity_read_body_cb(request_rec r, char buf, unsigned int length, - unsigned int readcnt, int is_eos); -apr_status_t modsecurity_write_body_cb(request_rec rec, char buf, unsigned int length); +static char ngx_http_modsecurity_enable(ngx_conf_t cf, ngx_command_t cmd, void conf); static ngx_http_modsecurity_ctx_t * ngx_http_modsecurity_create_ctx(ngx_http_request_t r); static int ngx_http_modsecurity_drop_action(request_rec r); static void ngx_http_modsecurity_cleanup(void data); +static int ngx_http_modsecurity_save_headers_in_visitor(void data, const char key, const char value); +static int ngx_http_modsecurity_save_headers_out_visitor(void data, const char key, const char value); + + / command handled by the module / static ngx_command_t ngx_http_modsecurity_commands[] = { { ngx_string("ModSecurityConfig"), @@ -77,7 +77,7 @@ { ngx_string("ModSecurityEnabled"), NGX_HTTP_MAIN_CONF\|NGX_HTTP_SRV_CONF\|NGX_HTTP_SIF_CONF \|NGX_HTTP_LOC_CONF\|NGX_HTTP_LIF_CONF\|NGX_CONF_TAKE1, - ngx_conf_set_flag_slot, + ngx_http_modsecurity_enable, NGX_HTTP_LOC_CONF_OFFSET, offsetof(ngx_http_modsecurity_loc_conf_t, enable), NULL }, @@ -103,21 +103,688 @@ }; -ngx_module_t ngx_http_modsecurity = { - NGX_MODULE_V1, - &ngx_http_modsecurity_ctx, / module context / - ngx_http_modsecurity_commands, / module directives / - NGX_HTTP_MODULE, / module type / - NULL, / init master / - NULL, / init module / - ngx_http_modsecurity_init_process, / init process / - NULL, / init thread / - NULL, / exit thread / - ngx_http_modsecurity_exit_process, / exit process / - ngx_http_modsecurity_exit_process, / exit master / - NGX_MODULE_V1_PADDING -}; +ngx_module_t ngx_http_modsecurity = { + NGX_MODULE_V1, + &ngx_http_modsecurity_ctx, / module context / + ngx_http_modsecurity_commands, / module directives / + NGX_HTTP_MODULE, / module type / + NULL, / init master / + NULL, / init module / + ngx_http_modsecurity_init_process, / init process / + NULL, / init thread / + NULL, / exit thread / + ngx_http_modsecurity_exit_process, / exit process / + ngx_http_modsecurity_exit_process, / exit master / + NGX_MODULE_V1_PADDING +}; + +static ngx_http_output_header_filter_pt ngx_http_next_header_filter; +static ngx_http_output_body_filter_pt ngx_http_next_body_filter; + +static ngx_http_upstream_t ngx_http_modsecurity_upstream; + +static struct { + char name; + ngx_str_t variable_name; +} special_headers_out[] = { + {"Content-Type", ngx_string("sent_http_content_type") }, + {"Content-Length", ngx_string("sent_http_content_length")}, + {"Location", ngx_string("sent_http_location")}, + {"Last-Modified", ngx_string("sent_http_last_modified")}, + {"Connection", ngx_string("sent_http_connection")}, + {"Keep-Alive", ngx_string("sent_http_keep_alive")}, + {"Transfer-Encoding", ngx_string("sent_http_transfer_encoding")}, + {"Cache-Control", ngx_string("sent_http_cache_control")}, + {NULL, ngx_null_string} +}; + + +static inline u_char * +ngx_pstrdup0(ngx_pool_t pool, ngx_str_t src) +{ + u_char dst; + + dst = ngx_pnalloc(pool, src->len + 1); + if (dst == NULL) { + return NULL; + } + + ngx_memcpy(dst, src->data, src->len); + dst[src->len] = '\0'; + + return dst; +} + + +static inline int ngx_http_modsecurity_method_number(unsigned int nginx) +{ + / + * http://graphics.stanford.edu/~seander/bithacks.html#ZerosOnRightMultLookup + / + static const int MultiplyDeBruijnBitPosition[32] = { + M_INVALID, / 1 >> 0 / + M_GET, + M_INVALID, / 1 >> 28 / + M_GET, / NGX_HTTP_HEAD / + M_INVALID, / 1 >> 29 / + M_PATCH, + M_INVALID, / 1 >> 24 / + M_POST, + M_INVALID, / 1 >> 30 / + M_INVALID, / 1 >> 22 / + M_INVALID, / 1 >> 20 / + M_TRACE, + M_INVALID, / 1 >> 25 / + M_INVALID, / 1 >> 17 / + M_PUT, + M_MOVE, + M_INVALID, / 1 >> 31 / + M_INVALID, / 1 >> 27 / + M_UNLOCK, + M_INVALID, / 1 >> 23 / + M_INVALID, / 1 >> 21 / + M_INVALID, / 1 >> 19 / + M_INVALID, / 1 >> 16 / + M_COPY, + M_INVALID, / 1 >> 26 / + M_LOCK, + M_INVALID, / 1 >> 18 / + M_MKCOL, + M_PROPPATCH, + M_DELETE, + M_PROPFIND, + M_OPTIONS + }; + + return MultiplyDeBruijnBitPosition[((uint32_t)((nginx & -nginx) 0x077CB531U)) >> 27]; +} + +static ngx_inline ngx_int_t +ngx_http_modsecurity_load_request(ngx_http_request_t r) +{ + ngx_http_modsecurity_ctx_t ctx; + request_rec req; + ngx_str_t str; + size_t root; + ngx_str_t path; + + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + req = ctx->req; + + / request line / + req->method = (char )ngx_pstrdup0(r->pool, &r->method_name); + + /* TODO: how to use ap_method_number_of ? + * req->method_number = ap_method_number_of(req->method); + / + + req->method_number = ngx_http_modsecurity_method_number(r->method); + + / ngx_http_map_uri_to_path() allocates memory for terminating '\0' / + if (ngx_http_map_uri_to_path(r, &path, &root, 0) == NULL) { + return NGX_ERROR; + } + + req->filename = (char ) path.data; + req->path_info = req->filename; + + req->args = (char )ngx_pstrdup0(r->pool, &r->args); + + req->proto_num = r->http_major 1000 + r->http_minor; + req->protocol = (char )ngx_pstrdup0(r->pool, &r->http_protocol); + req->request_time = apr_time_make(r->start_sec, r->start_msec); + req->the_request = (char )ngx_pstrdup0(r->pool, &r->request_line); + + req->unparsed_uri = (char )ngx_pstrdup0(r->pool, &r->unparsed_uri); + req->uri = (char )ngx_pstrdup0(r->pool, &r->uri); + + req->parsed_uri.scheme = "http"; + +#if (NGX_HTTP_SSL) + if (r->connection->ssl) { + req->parsed_uri.scheme = "https"; + } +#endif + + req->parsed_uri.path = req->path_info; + req->parsed_uri.is_initialized = 1; + + str.data = r->port_start; + str.len = r->port_end - r->port_start; + req->parsed_uri.port = ngx_atoi(str.data, str.len); + req->parsed_uri.port_str = (char )ngx_pstrdup0(r->pool, &str); + + req->parsed_uri.query = req->args; + req->parsed_uri.dns_looked_up = 0; + req->parsed_uri.dns_resolved = 0; + + // req->parsed_uri.password = (char )ngx_pstrdup0(r->pool, &r->headers_in.passwd); + // req->parsed_uri.user = (char )ngx_pstrdup0(r->pool, &r->headers_in.user); + req->parsed_uri.fragment = (char )ngx_pstrdup0(r->pool, &r->exten); + + req->hostname = (char )ngx_pstrdup0(r->pool, (ngx_str_t )&ngx_cycle->hostname); + + req->header_only = r->header_only ? r->header_only : (r->method == NGX_HTTP_HEAD); + + return NGX_OK; +} + + +/* + * TODO: deal more headers. + / + +static ngx_inline ngx_int_t +ngx_http_modsecurity_load_headers_in(ngx_http_request_t r) +{ + ngx_http_modsecurity_ctx_t ctx; + const char lang; + request_rec req; + ngx_list_part_t part; + ngx_table_elt_t h; + ngx_uint_t i; + + + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + req = ctx->req; + + part = &r->headers_in.headers.part; + h = part->elts; + + for (i = 0; ; i++) { + if (i >= part->nelts) { + if (part->next == NULL) + break; + + part = part->next; + h = part->elts; + i = 0; + } + + apr_table_setn(req->headers_in, (char )h[i].key.data, (char )h[i].value.data); + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: load headers in: \"%V: %V\"", + &h[i].key, &h[i].value); + } + + req->clength = r->headers_in.content_length_n; + + + req->range = apr_table_get(req->headers_in, "Range"); + req->content_type = apr_table_get(req->headers_in, "Content-Type"); + req->content_encoding = apr_table_get(req->headers_in, "Content-Encoding"); + + lang = apr_table_get(ctx->req->headers_in, "Content-Languages"); + if(lang != NULL) + { + ctx->req->content_languages = apr_array_make(ctx->req->pool, 1, sizeof(const char )); + + (const char )apr_array_push(ctx->req->content_languages) = lang; + } + + req->ap_auth_type = (char )apr_table_get(req->headers_in, "Authorization"); + + req->user = (char )ngx_pstrdup0(r->pool, &r->headers_in.user); + + + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: load headers in done"); + + return NGX_OK; +} + +static ngx_inline ngx_int_t +ngx_http_modsecurity_save_headers_in(ngx_http_request_t r) +{ + ngx_http_modsecurity_ctx_t ctx; + + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + + / clean up headers_in / + ngx_memzero(&r->headers_in, sizeof(ngx_http_headers_in_t)); + + if (ngx_list_init(&r->headers_in.headers, r->pool, 20, + sizeof(ngx_table_elt_t)) + != NGX_OK) + { + return NGX_ERROR; + } + + + if (ngx_array_init(&r->headers_in.cookies, r->pool, 2, + sizeof(ngx_table_elt_t )) + != NGX_OK) + { + return NGX_ERROR; + } + + r->headers_in.content_length_n = -1; + r->headers_in.keep_alive_n = -1; + + r->headers_in.headers.part.nelts = 0; + r->headers_in.headers.part.next = NULL; + r->headers_in.headers.last = &r->headers_in.headers.part; + + /* shadow copy / + if (apr_table_do(ngx_http_modsecurity_save_headers_in_visitor, + r, ctx->req->headers_in, NULL) == 0) { + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: save headers in error"); + + return NGX_ERROR; + } + + if (r->headers_in.content_length) { + r->headers_in.content_length_n = + ngx_atoof(r->headers_in.content_length->value.data, + r->headers_in.content_length->value.len); + + if (r->headers_in.content_length_n == NGX_ERROR) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "ModSecurity: invalid \"Content-Length\" header"); + return NGX_ERROR; + } + } + + if (r->headers_in.connection_type == NGX_HTTP_CONNECTION_KEEP_ALIVE) { + if (r->headers_in.keep_alive) { + r->headers_in.keep_alive_n = + ngx_atotm(r->headers_in.keep_alive->value.data, + r->headers_in.keep_alive->value.len); + } + } + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: save headers in done"); + + return NGX_OK; +} + + +static int +ngx_http_modsecurity_save_headers_in_visitor(void data, const char key, const char value) +{ + ngx_http_request_t r = data; + ngx_table_elt_t h; + ngx_http_header_t hh; + ngx_http_core_main_conf_t cmcf; + + h = ngx_list_push(&r->headers_in.headers); + if (h == NULL) { + return 0; + } + + h->key.data = (u_char )key; + h->key.len = ngx_strlen(key); + + h->value.data = (u_char )value; + h->value.len = ngx_strlen(value); + + h->lowcase_key = ngx_pnalloc(r->pool, h->key.len); + + if (h->lowcase_key == NULL) { + return 0; + } + + ngx_strlow(h->lowcase_key, h->key.data, h->key.len); + + h->hash = ngx_hash_key(h->lowcase_key, h->key.len); + + cmcf = ngx_http_get_module_main_conf(r, ngx_http_core_module); + + hh = ngx_hash_find(&cmcf->headers_in_hash, h->hash, + h->lowcase_key, h->key.len); + + if (hh && hh->handler(r, h, hh->offset) != NGX_OK) { + return 0; + } + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: save headers in: \"%V: %V\"", + &h->key, &h->value); + + return 1; +} + + +static ngx_inline ngx_int_t +ngx_http_modsecurity_load_request_body(ngx_http_request_t r) +{ + ngx_http_modsecurity_ctx_t ctx; + + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + + modsecSetBodyBrigade(ctx->req, ctx->brigade); + + if (r->request_body == NULL \|\| r->request_body->bufs == NULL) { + + return move_chain_to_brigade(NULL, ctx->brigade, r->pool, 1); + } + + if (move_chain_to_brigade(r->request_body->bufs, ctx->brigade, r->pool, 1) != NGX_OK) { + return NGX_ERROR; + } + + r->request_body = NULL; + + return NGX_OK; +} + + +static ngx_inline ngx_int_t +ngx_http_modsecurity_save_request_body(ngx_http_request_t r) +{ + ngx_http_modsecurity_ctx_t ctx; + apr_off_t content_length; + ngx_buf_t buf; + ngx_http_core_srv_conf_t cscf; + size_t size; + ngx_http_connection_t hc; + + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + + apr_brigade_length(ctx->brigade, 0, &content_length); + + if (r->header_in->end - r->header_in->last >= content_length) { + / use r->header_in / + + if (ngx_buf_size(r->header_in)) { + / move to the end / + ngx_memmove(r->header_in->pos + content_length, + r->header_in->pos, + ngx_buf_size(r->header_in)); + } + + if (apr_brigade_flatten(ctx->brigade, + (char )r->header_in->pos, + (apr_size_t )&content_length) != APR_SUCCESS) { + return NGX_ERROR; + } + + apr_brigade_cleanup(ctx->brigade); + + r->header_in->last += content_length; + + return NGX_OK; + } + + if (ngx_buf_size(r->header_in)) { + + / + * ngx_http_set_keepalive will reuse r->header_in if + * (r->header_in != c->buffer && r->header_in.last != r->header_in.end), + * so we need this code block. + * see ngx_http_set_keepalive, ngx_http_alloc_large_header_buffer + / + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); + + size = ngx_max(cscf->large_client_header_buffers.size, + (size_t)content_length + ngx_buf_size(r->header_in)); + + hc = r->http_connection; + + if (hc->nfree && size == cscf->large_client_header_buffers.size) { + + buf = hc->free[--hc->nfree]; + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: use http free large header buffer: %p %uz", + buf->pos, buf->end - buf->last); + + } else if (hc->nbusy < cscf->large_client_header_buffers.num) { + + if (hc->busy == NULL) { + hc->busy = ngx_palloc(r->connection->pool, + cscf->large_client_header_buffers.num sizeof(ngx_buf_t )); + } + + if (hc->busy == NULL) { + return NGX_ERROR; + } else { + buf = ngx_create_temp_buf(r->connection->pool, size); + } + } else { + / TODO: how to deal this case ? / + return NGX_ERROR; + } + + } else { + + buf = ngx_create_temp_buf(r->pool, (size_t) content_length); + } + + if (buf == NULL) { + return NGX_ERROR; + } + + if (apr_brigade_flatten(ctx->brigade, (char )buf->pos, + (apr_size_t )&content_length) != APR_SUCCESS) { + return NGX_ERROR; + } + + apr_brigade_cleanup(ctx->brigade); + buf->last += content_length; + + ngx_memcpy(buf->last, r->header_in->pos, ngx_buf_size(r->header_in)); + buf->last += ngx_buf_size(r->header_in); + + r->header_in = buf; + + return NGX_OK; +} + + +static ngx_inline ngx_int_t +ngx_http_modsecurity_load_headers_out(ngx_http_request_t r) +{ + + ngx_http_modsecurity_ctx_t ctx; + char data; + request_rec req; + u_char content_type; + ngx_uint_t content_type_len; + ngx_http_variable_value_t vv; + ngx_list_part_t part; + ngx_table_elt_t h; + ngx_uint_t i; + char key, value; + u_char buf = NULL; + size_t size = 0; + + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + req = ctx->req; + + req->status = r->headers_out.status; + req->status_line = (char )ngx_pstrdup0(r->pool, &r->headers_out.status_line); + + if (r->headers_out.charset.len) { + + content_type_len = r->headers_out.content_type.len + + r->headers_out.charset.len + + ngx_strlen("; charset=") + 1; + + content_type = ngx_palloc(r->pool, content_type_len); + + if (content_type == NULL) { + return NGX_ERROR; + } + + ngx_snprintf(content_type, content_type_len, + "%V; charset=%V", + &r->headers_out.content_type, + &r->headers_out.charset); + + r->headers_out.content_type.data = content_type; + r->headers_out.content_type.len = content_type_len; + } + + / deep copy / + part = &r->headers_out.headers.part; + h = part->elts; + + for (i = 0; ; i++) { + if (i >= part->nelts) { + if (part->next == NULL) + break; + + part = part->next; + h = part->elts; + i = 0; + } + size += h[i].key.len + h[i].value.len + 2; + + buf = ngx_palloc(r->pool, size); + + if (buf == NULL) { + return NGX_ERROR; + } + + key = (char )buf; + buf = ngx_cpymem(buf, h[i].key.data, h[i].key.len); + buf++ = '\0'; + + value = (char )buf; + buf = ngx_cpymem(buf, h[i].value.data, h[i].value.len); + buf++ = '\0'; + + apr_table_setn(req->headers_out, key, value); + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: load headers out: \"%V: %V\"", + &h[i].key, &h[i].value); + + } + + for (i = 0; special_headers_out[i].name; i++) { + + vv = ngx_http_get_variable(r, &special_headers_out[i].variable_name, + ngx_hash_key(special_headers_out[i].variable_name.data, + special_headers_out[i].variable_name.len)); + + if (vv && !vv->not_found) { + + data = ngx_palloc(r->pool, vv->len + 1); + if (data == NULL) { + return NGX_ERROR; + } + + ngx_memcpy(data,vv->data, vv->len); + data[vv->len] = '\0'; + + apr_table_setn(req->headers_out, special_headers_out[i].name, data); + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: load headers out: \"%s: %s\"", + special_headers_out[i].name, data); + } + } + + req->content_type = apr_table_get(ctx->req->headers_out, "Content-Type"); + req->content_encoding = apr_table_get(ctx->req->headers_out, "Content-Encoding"); + + data = (char )apr_table_get(ctx->req->headers_out, "Content-Languages"); + + if(data != NULL) + { + ctx->req->content_languages = apr_array_make(ctx->req->pool, 1, sizeof(const char )); + (const char *)apr_array_push(ctx->req->content_languages) = data; + } + + / req->chunked = r->chunked; may be useless / + req->clength = r->headers_out.content_length_n; + req->mtime = apr_time_make(r->headers_out.last_modified_time, 0); + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: load headers out done"); + + return NGX_OK; +} + + +static ngx_inline ngx_int_t +ngx_http_modsecurity_save_headers_out(ngx_http_request_t r) +{ + ngx_http_modsecurity_ctx_t ctx; + ngx_http_upstream_t upstream; + + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + + /* r->chunked = ctx->req->chunked; / + + ngx_http_clean_header(r); + + upstream = r->upstream; + r->upstream = &ngx_http_modsecurity_upstream; + + if (apr_table_do(ngx_http_modsecurity_save_headers_out_visitor, + r, ctx->req->headers_out, NULL) == 0) { + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: save headers out error"); + + return NGX_ERROR; + } + + r->upstream = upstream; + + r->headers_out.status = ctx->req->status; + r->headers_out.status_line.data = (u_char )ctx->req->status_line; + r->headers_out.status_line.len = ctx->req->status_line ? + ngx_strlen(ctx->req->status_line) : 0; + + r->headers_out.content_length_n = ctx->req->clength; + r->headers_out.last_modified_time = apr_time_sec(ctx->req->mtime); + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: save headers out done"); + + return NGX_OK; +} + + +static int +ngx_http_modsecurity_save_headers_out_visitor(void data, const char key, const char value) +{ + ngx_http_request_t r = data; + ngx_table_elt_t h, he; + ngx_http_upstream_header_t hh; + ngx_http_upstream_main_conf_t umcf; + + umcf = ngx_http_get_module_main_conf(r, ngx_http_upstream_module); + + h = &he; + + h->key.data = (u_char )key; + h->key.len = ngx_strlen(key); + + h->value.data = (u_char )value; + h->value.len = ngx_strlen(value); + + h->lowcase_key = ngx_palloc(r->pool, h->key.len); + if (h->lowcase_key == NULL) { + return 0; + } + + ngx_strlow(h->lowcase_key, h->key.data, h->key.len); + + h->hash = ngx_hash_key(h->lowcase_key, h->key.len); + + hh = ngx_hash_find(&umcf->headers_in_hash, h->hash, + h->lowcase_key, h->key.len); + + if (hh) { + / copy all / + if (hh->copy_handler(r, h, hh->conf) != NGX_OK) { + return 0; + } + } + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "ModSecurity: save headers out: \"%V: %V\"", + &h->key, &h->value); + return 1; +} / create loc conf struct / static void @@ -125,10 +792,12 @@ { ngx_http_modsecurity_loc_conf_t conf; - conf = (ngx_http_modsecurity_loc_conf_t ) ngx_pcalloc(cf->pool, sizeof(ngx_http_modsecurity_loc_conf_t)); + conf = (ngx_http_modsecurity_loc_conf_t ) + ngx_palloc(cf->pool, sizeof(ngx_http_modsecurity_loc_conf_t)); if (conf == NULL) return NULL; + conf->config = NGX_CONF_UNSET_PTR; conf->enable = NGX_CONF_UNSET; return conf; @@ -136,22 +805,28 @@ / merge loc conf / static char -ngx_http_modsecurity_merge_loc_conf(ngx_conf_t cf, void parent, - void child) +ngx_http_modsecurity_merge_loc_conf(ngx_conf_t cf, void parent, + void child) { ngx_http_modsecurity_loc_conf_t prev = parent; ngx_http_modsecurity_loc_conf_t conf = child; - if (conf->config == NULL) { - conf->config = prev->config; - } - ngx_conf_merge_value(conf->enable, prev->enable, 0); + ngx_conf_merge_ptr_value(conf->config, prev->config, NULL); + + if (conf->enable && conf->config == NULL) { + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "\"ModSecurityEnabled\" in %V:%ui is set to \"on\"" + " while directive \"ModSecurityConfig\" is not found" + " in the same location", + conf->file, conf->line); + return NGX_CONF_ERROR; + } return NGX_CONF_OK; } -void +static void modsecLog(void obj, int level, char str) { if (obj != NULL) { @@ -169,13 +844,13 @@ / extern apr_pool_t pool; -void * +static void * modsec_pcre_malloc(size_t size) { return apr_palloc(pool, size); } -void +static void modsec_pcre_free(void ptr) { } @@ -183,6 +858,7 @@ static ngx_int_t ngx_http_modsecurity_preconfiguration(ngx_conf_t cf) { + server_rec s; / XXX: temporary hack, nginx uses pcre as well and hijacks these two / pcre_malloc = modsec_pcre_malloc; @@ -190,16 +866,28 @@ modsecSetLogHook(cf->log, modsecLog); modsecSetDropAction(ngx_http_modsecurity_drop_action); - modsecSetReadBody(modsecurity_read_body_cb); - modsecSetWriteBody(modsecurity_write_body_cb); - modsecInit(); - modsecStartConfig(); + / TODO: server_rec per server conf / + s = modsecInit(); + if (s == NULL) { + return NGX_ERROR; + } + + / set host name / + s->server_hostname = ngx_palloc(cf->pool, ngx_cycle->hostname.len + 1); + if (s->server_hostname == NULL) { + return NGX_ERROR; + } + ngx_memcpy(s->server_hostname, ngx_cycle->hostname.data, ngx_cycle->hostname.len); + s->server_hostname[ ngx_cycle->hostname.len] = '\0'; + modsecStartConfig(); return NGX_OK; } -static ngx_int_t + + +static ngx_int_t ngx_http_modsecurity_init(ngx_conf_t cf) { ngx_http_handler_pt h; @@ -207,7 +895,7 @@ modsecFinalizeConfig(); - cmcf = (ngx_http_core_main_conf_t ) ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module); + cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module); if (cmcf == NULL) { return NGX_ERROR; } @@ -218,20 +906,14 @@ } h = ngx_http_modsecurity_handler; -#ifdef PROCESS_RESPONSE - / - This function sets up handlers for CONTENT_PHASE, - XXX: not implemented yet - / + ngx_http_next_header_filter = ngx_http_top_header_filter; + ngx_http_top_header_filter = ngx_http_modsecurity_header_filter; - / Register for CONTENT phase ?? / - h = ngx_array_push(&cmcf->phases[NGX_HTTP_CONTENT_PHASE].handlers); - if (h == NULL) { - return NGX_ERROR; - } - h = ngx_http_modsecurity_content_handler; -#endif + ngx_http_next_body_filter = ngx_http_top_body_filter; + ngx_http_top_body_filter = ngx_http_modsecurity_body_filter; + ngx_memzero(&ngx_http_modsecurity_upstream, sizeof(ngx_http_upstream_t)); + ngx_http_modsecurity_upstream.cacheable = 1; return NGX_OK; } @@ -251,341 +933,359 @@ } -char * -ConvertNgxStringToUTF8(ngx_str_t str, apr_pool_t pool) +/ +** [ENTRY POINT] does : this function called by nginx from the request handler +/ +static ngx_int_t +ngx_http_modsecurity_handler(ngx_http_request_t r) { - char t = (char ) apr_palloc(pool, str.len + 1); + ngx_http_modsecurity_loc_conf_t cf; + ngx_http_modsecurity_ctx_t ctx; + ngx_int_t rc; - ngx_memcpy(t, str.data, str.len); - t[str.len] = 0; + cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity); - return t; -} + /* Process only main request / + if (r != r->main \|\| !cf->enable) { + return NGX_DECLINED; + } -/ -** request body callback, passing body to mod security -/ -apr_status_t -modsecurity_read_body_cb(request_rec r, char outpos, unsigned int length, - unsigned int outlen, int is_eos) -{ - size_t len, rest; - ssize_t size; - ngx_http_modsecurity_ctx_t ctx; + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: handler"); - ctx = (ngx_http_modsecurity_ctx_t ) apr_table_get(r->notes, NOTE_NGINX_REQUEST_CTX); + if (r->internal) { + / we have already processed the request headers with previous loc conf / + + / TODO: do we need update ctx and process headers again? / + ctx = ngx_http_get_module_pool_ctx(r, ngx_http_modsecurity); + + if (ctx) { + ngx_http_set_ctx(r, ctx, ngx_http_modsecurity); + return NGX_DECLINED; + } + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: get internel request ctx failed"); + } + + ctx = ngx_http_modsecurity_create_ctx(r); if (ctx == NULL) { - return APR_EINVAL; + + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + ngx_http_set_ctx(r, ctx, ngx_http_modsecurity); + + if (ngx_http_set_pool_ctx(r, ctx, ngx_http_modsecurity) != NGX_OK) { + return NGX_ERROR; } - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, ctx->r->connection->log, 0, "modSecurity: read_body_cb"); - ngx_buf_t buf = &ctx->buf; - rest = length; - is_eos = 0; - - while (rest) { - - if (ngx_buf_size(buf) == 0) { - if (ctx->chain == NULL) { - outlen = length - rest; - is_eos = 1; - // END - return APR_SUCCESS; + ngx_http_modsecurity_load_request(r); + + if (ngx_http_modsecurity_load_headers_in(r) != NGX_OK) { + + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + / processing request headers / + rc = modsecProcessRequestHeaders(ctx->req); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessRequestHeaders %d", rc); + + if (rc == DECLINED) { + + if (modsecIsRequestBodyAccessEnabled(ctx->req) + && r->method == NGX_HTTP_POST) { + + / Processing POST request body, should we process PUT? / + rc = ngx_http_read_client_request_body(r, ngx_http_modsecurity_body_handler); + if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { + return rc; } - ngx_memcpy(buf, ctx->chain->buf, sizeof(ngx_buf_t)); - ctx->chain = ctx->chain->next; + return NGX_DONE; } - - len = (size_t) ngx_min((size_t)ngx_buf_size(buf), rest); - - if (ngx_buf_in_memory(buf)) { - - outpos = (char ) ngx_cpymem(outpos, buf->pos, len); - rest -= len; - buf->pos += len; - } else if (buf->in_file) { - - size = ngx_read_file(buf->file, (u_char)outpos, len, buf->file_pos); - - if (size < 0) { - return NGX_ERROR; - } - outpos += size; - rest -= size; - buf->file_pos += size; - } else { - return -1; + / other method / + rc = modsecProcessRequestBody(ctx->req); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessRequestBody %d", rc); + } + + if (rc != DECLINED) { + + / Nginx and Apache share same response code / + if (rc < NGX_HTTP_SPECIAL_RESPONSE \|\| rc >= 600) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; } + return rc; + } + + / + if (ngx_http_modsecurity_save_headers_in(r) != NGX_OK) { + + return NGX_HTTP_INTERNAL_SERVER_ERROR; } - - outlen = length - rest; - return APR_SUCCESS; + / + + return NGX_DECLINED; } -apr_status_t -modsecurity_write_body_cb(request_rec rec, char buf, unsigned int length) + +static void +ngx_http_modsecurity_body_handler(ngx_http_request_t r) { - ngx_buf_t b; - ngx_http_modsecurity_ctx_t ctx; - ngx_http_request_t r; - ngx_str_t str; + ngx_http_modsecurity_ctx_t ctx; + ngx_int_t rc; - ctx = (ngx_http_modsecurity_ctx_t ) apr_table_get(rec->notes, NOTE_NGINX_REQUEST_CTX); - if (ctx == NULL) { - return APR_EINVAL; - } + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: body handler"); - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, ctx->r->connection->log, 0, "modSecurity: write_body_cb"); + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + + if (ngx_http_modsecurity_load_request_body(r) != NGX_OK) { + + return ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); + } - r = ctx->r; + rc = modsecProcessRequestBody(ctx->req); - / set request body / - b = r->header_in; + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessRequestBody %d", rc); - if (b->end < b->pos + length) { - b->start = ngx_palloc(ctx->r->pool, length); - if (b->start == NULL) { - return APR_EINVAL; + if (rc != DECLINED) { + / Nginx and Apache share same response code / + if (rc < NGX_HTTP_SPECIAL_RESPONSE \|\| rc >= 600) { + rc = NGX_HTTP_INTERNAL_SERVER_ERROR; } - b->end = b->start + length; - b->pos = b->start; + return ngx_http_finalize_request(r, rc); } - - b->last = ngx_cpymem(b->pos, buf, length); - / set content_length_n / - r->headers_in.content_length_n = length; + if (ngx_http_modsecurity_save_request_body(r) != NGX_OK + \|\| ngx_http_modsecurity_save_headers_in(r) != NGX_OK ) { - / set headers_in.content_length / - str = &r->headers_in.content_length->value; - str->data = ngx_palloc(r->pool, NGX_OFF_T_LEN); - if (str->data == NULL) { - return NGX_ERROR; + return ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); } - - str->len = ngx_snprintf(str->data, NGX_OFF_T_LEN, "%O", length) - str->data; - return APR_SUCCESS; + r->phase_handler++; + ngx_http_core_run_phases(r); + ngx_http_finalize_request(r, NGX_DONE); } -apr_sockaddr_t CopySockAddr(apr_pool_t pool, struct sockaddr pAddr) { - apr_sockaddr_t addr = (apr_sockaddr_t )apr_palloc(pool, sizeof(apr_sockaddr_t)); - int adrlen = 16, iplen = 4; - if(pAddr->sa_family == AF_INET6) { - adrlen = 46; - iplen = 16; +static ngx_int_t +ngx_http_modsecurity_header_filter(ngx_http_request_t r) { + ngx_http_modsecurity_loc_conf_t cf; + ngx_http_modsecurity_ctx_t ctx; + ngx_int_t rc; + + cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity); + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); + + if (r != r->main \|\| !cf->enable \|\| ctx->complete) { + return ngx_http_next_header_filter(r); } - addr->addr_str_len = adrlen; - addr->family = pAddr->sa_family; + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: header filter"); - addr->hostname = "unknown"; -#ifdef WIN32 - addr->ipaddr_len = sizeof(IN_ADDR); -#else - addr->ipaddr_len = sizeof(struct in_addr); -#endif - addr->ipaddr_ptr = &addr->sa.sin.sin_addr; - addr->pool = pool; - addr->port = 80; -#ifdef WIN32 - memcpy(&addr->sa.sin.sin_addr.S_un.S_addr, pAddr->sa_data, iplen); -#else - memcpy(&addr->sa.sin.sin_addr.s_addr, pAddr->sa_data, iplen); -#endif - addr->sa.sin.sin_family = pAddr->sa_family; - addr->sa.sin.sin_port = 80; - addr->salen = sizeof(addr->sa); - addr->servname = addr->hostname; + if (r->method == NGX_HTTP_HEAD \|\| r->header_only) { + + ctx->complete = 1; + + if (ngx_http_modsecurity_load_headers_in(r) != NGX_OK + \|\| ngx_http_modsecurity_load_headers_out(r) != NGX_OK) { - return addr; + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + rc = modsecProcessResponse(ctx->req); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessResponse %d", rc); + + if (rc == DECLINED \|\| rc == APR_SUCCESS) { + + if (ngx_http_modsecurity_save_headers_in(r) != NGX_OK + \|\| ngx_http_modsecurity_save_headers_out(r) != NGX_OK) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + return ngx_http_next_header_filter(r); + } + + if (rc < NGX_HTTP_SPECIAL_RESPONSE \|\| rc >= 600) { + rc = NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + return rc; + } + + return NGX_OK; } -/ -** [ENTRY POINT] does : this function called by nginx from the request handler -/ static ngx_int_t -ngx_http_modsecurity_handler(ngx_http_request_t r) +ngx_http_modsecurity_body_filter(ngx_http_request_t r, ngx_chain_t in) { ngx_http_modsecurity_loc_conf_t cf; - ngx_http_core_loc_conf_t clcf, lcf; ngx_http_modsecurity_ctx_t ctx; ngx_int_t rc; - void *loc_conf; + apr_off_t content_length; - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: handler"); + cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity); + ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); - / Process only main request / - if (r != r->main \|\| r->internal) { - return NGX_DECLINED; + if (r != r->main \|\| !cf->enable \|\| ctx->complete) { + return ngx_http_next_body_filter(r, in); } - cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity); + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: body filter"); - if (!cf->enable) { - return NGX_DECLINED; + if (in == NULL) { + return NGX_AGAIN; } - ctx = ngx_http_modsecurity_create_ctx(r); - if (ctx == NULL) { - return NGX_ERROR; + rc = move_chain_to_brigade(in, ctx->brigade, r->pool, 0); + if (rc != NGX_OK) { + return rc; } - ngx_http_set_ctx(r, ctx, ngx_http_modsecurity); - - if (r->method == NGX_HTTP_POST) { - / Processing POST request body, should we process PUT? / - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: method POST"); - - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - if (clcf == NULL) { - return NGX_HTTP_INTERNAL_SERVER_ERROR; + / last buf has been saved / + + ctx->complete = 1; + modsecSetResponseBrigade(ctx->req, ctx->brigade); + + // TODO: do we need reload headers_in ? + // + if (ngx_http_modsecurity_load_headers_in(r) != NGX_OK + \|\| ngx_http_modsecurity_load_headers_out(r) != NGX_OK) { + + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + rc = modsecProcessResponse(ctx->req); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessResponse %d", rc); + + if (rc == DECLINED \|\| rc == APR_SUCCESS) { + + in = NULL; + + apr_brigade_length(ctx->brigade, 0, &content_length); + + rc = move_brigade_to_chain(ctx->brigade, &in, r->pool); + if (rc == NGX_ERROR) { + return NGX_ERROR; } - ctx->loc_conf = r->loc_conf; - / hijack loc_conf so that we can receive any body length - * TODO: nonblocking process & chuncked body - / - if (clcf->client_body_buffer_size < (size_t)r->headers_in.content_length_n) { - - loc_conf = ngx_pcalloc(r->pool, sizeof(void ) * ngx_http_max_module); - if (loc_conf == NULL) { - return NGX_HTTP_INTERNAL_SERVER_ERROR; - } + if (ngx_http_modsecurity_save_headers_in(r) != NGX_OK + \|\|ngx_http_modsecurity_save_headers_out(r) != NGX_OK) { - lcf = ngx_pcalloc(r->pool, sizeof(ngx_http_core_loc_conf_t)); - if (lcf == NULL) { - return NGX_HTTP_INTERNAL_SERVER_ERROR; - } - - ngx_memcpy(loc_conf, r->loc_conf, sizeof(void ) ngx_http_max_module); - ngx_memcpy(lcf, clcf, sizeof(ngx_http_core_loc_conf_t)); - - ctx->loc_conf = r->loc_conf; - r->loc_conf = loc_conf; - - ngx_http_get_module_loc_conf(r, ngx_http_core_module) = lcf; - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - clcf->client_body_buffer_size = r->headers_in.content_length_n; - } - - ctx->request_body_in_single_buf = r->request_body_in_single_buf; - ctx->request_body_in_file_only = r->request_body_in_file_only; - r->request_body_in_single_buf = 1; - r->request_body_in_file_only = 0; - - rc = ngx_http_read_client_request_body(r, ngx_http_modsecurity_request_body_handler); - if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { - return rc; + return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, NGX_HTTP_INTERNAL_SERVER_ERROR); } - return NGX_DONE; + if (r->headers_out.content_length_n != -1) { - } else { - /* processing all the other methods / - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: method is not POST"); - - rc = modsecProcessRequest(ctx->req); - - if (rc != DECLINED) { - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: status: %d, need action", rc); - - ngx_http_clear_accept_ranges(r); - ngx_http_clear_last_modified(r); - ngx_http_clear_content_length(r); + r->headers_out.content_length_n = content_length; + r->headers_out.content_length = NULL; / header filter will set this / + } - / Nginx and Apache share same response code / - if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { - return rc; - } - return NGX_HTTP_INTERNAL_SERVER_ERROR; - } + rc = ngx_http_next_header_filter(r); + + if (rc == NGX_ERROR \|\| rc > NGX_OK) { + return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, rc); + } + + return ngx_http_next_body_filter(r, in); } - return NGX_DECLINED; + if (rc < NGX_HTTP_SPECIAL_RESPONSE \|\| rc >= 600) { + rc = NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, rc); } + static ngx_http_modsecurity_ctx_t ngx_http_modsecurity_create_ctx(ngx_http_request_t r) { ngx_http_modsecurity_loc_conf_t cf; ngx_pool_cleanup_t cln; ngx_http_modsecurity_ctx_t ctx; - ngx_list_part_t part; - ngx_table_elt_t h; - ngx_uint_t i; + apr_sockaddr_t asa; + struct sockaddr_in sin; +#if (NGX_HAVE_INET6) + struct sockaddr_in6 sin6; +#endif + + ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_modsecurity_ctx_t)); + if (ctx == NULL) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, "modSecurity: ctx memory allocation error"); + return NULL; + } cln = ngx_pool_cleanup_add(r->pool, sizeof(ngx_http_modsecurity_ctx_t)); if (cln == NULL) { ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, "modSecurity: ctx memory allocation error"); return NULL; } cln->handler = ngx_http_modsecurity_cleanup; - ngx_memzero(cln->data, sizeof(ngx_http_modsecurity_ctx_t)); - - ctx = cln->data; + cln->data = ctx; + ctx->r = r; - + if (r->connection->requests == 0 \|\| ctx->connection == NULL) { + + / TODO: set server_rec, why igonre return value? / ctx->connection = modsecNewConnection(); + + / fill apr_sockaddr_t / + asa = ngx_palloc(r->pool, sizeof(apr_sockaddr_t)); + asa->pool = ctx->connection->pool; + asa->hostname = (char )ngx_pstrdup0(r->pool, &r->connection->addr_text); + asa->servname = asa->hostname; + asa->next = NULL; + asa->salen = r->connection->socklen; + ngx_memcpy(&asa->sa, r->connection->sockaddr, asa->salen); + + asa->family = ((struct sockaddr )&asa->sa)->sa_family; + switch ( asa->family) { + +#if (NGX_HAVE_INET6) + case AF_INET6: + sin6 = (struct sockaddr_in6 )&asa->sa; + asa->ipaddr_ptr = &sin6->sin6_addr; + asa->ipaddr_len = sizeof(sin6->sin6_addr); + asa->port = ntohs(sin6->sin6_port); + asa->addr_str_len = NGX_INET6_ADDRSTRLEN + 1; + break; +#endif + + default: /* AF_INET / + sin = (struct sockaddr_in ) &asa->sa; + asa->ipaddr_ptr = &sin->sin_addr; + asa->ipaddr_len = sizeof(sin->sin_addr); + asa->port = ntohs(sin->sin_port); + asa->addr_str_len = NGX_INET_ADDRSTRLEN + 1; + break; + } + + #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 - ctx->connection->remote_addr = CopySockAddr(ctx->connection->pool, r->connection->sockaddr); - ctx->connection->remote_ip = ConvertNgxStringToUTF8(r->connection->addr_text, ctx->connection->pool); + ctx->connection->remote_addr = asa; + ctx->connection->remote_ip = asa->hostname; #else - ctx->connection->client_addr = CopySockAddr(ctx->connection->pool, r->connection->sockaddr); - ctx->connection->client_ip = ConvertNgxStringToUTF8(r->connection->addr_text, ctx->connection->pool); + ctx->connection->client_addr = asa; + ctx->connection->client_ip = asa->hostname; #endif ctx->connection->remote_host = NULL; modsecProcessConnection(ctx->connection); } cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity); - ctx->req = modsecNewRequest(ctx->connection, cf->config); - ctx->req->request_time = apr_time_now(); - ctx->req->method = ConvertNgxStringToUTF8(r->method_name, ctx->req->pool); - ctx->req->path_info = ConvertNgxStringToUTF8(r->unparsed_uri, ctx->req->pool); - ctx->req->unparsed_uri = ConvertNgxStringToUTF8(r->unparsed_uri, ctx->req->pool); - ctx->req->uri = ctx->req->unparsed_uri; - ctx->req->the_request = ConvertNgxStringToUTF8(r->request_line, ctx->req->pool); - ctx->req->args = ConvertNgxStringToUTF8(r->args, ctx->req->pool); - ctx->req->filename = ctx->req->path_info; - - ctx->req->parsed_uri.scheme = "http"; - ctx->req->parsed_uri.path = ctx->req->path_info; - ctx->req->parsed_uri.is_initialized = 1; - ctx->req->parsed_uri.port = 80; - ctx->req->parsed_uri.port_str = "80"; - ctx->req->parsed_uri.query = ctx->req->args; - ctx->req->parsed_uri.dns_looked_up = 0; - ctx->req->parsed_uri.dns_resolved = 0; - ctx->req->parsed_uri.password = NULL; - ctx->req->parsed_uri.user = NULL; - ctx->req->parsed_uri.fragment = ConvertNgxStringToUTF8(r->exten, ctx->req->pool); - part = &r->headers_in.headers.part; - h = part->elts; + ctx->req = modsecNewRequest(ctx->connection, cf->config); - for (i = 0; ; i++) { - if (i >= part->nelts) { - if (part->next == NULL) - break; + apr_table_setn(ctx->req->notes, NOTE_NGINX_REQUEST_CTX, (const char ) ctx); + apr_table_setn(ctx->req->subprocess_env, "UNIQUE_ID", "12345"); - part = part->next; - h = part->elts; - i = 0; - } + ctx->brigade = apr_brigade_create(ctx->req->pool, ctx->req->connection->bucket_alloc); - apr_table_setn(ctx->req->headers_in, ConvertNgxStringToUTF8(h[i].key, ctx->req->pool), - ConvertNgxStringToUTF8(h[i].value, ctx->req->pool)); + if (ctx->brigade == NULL) { + return NULL; } - / XXX: if mod_uniqid enabled - use it's value / - apr_table_setn(ctx->req->subprocess_env, "UNIQUE_ID", "12345"); - / actually, we need ctx only for POST request body handling - don't like this part / - apr_table_setn(ctx->req->notes, NOTE_NGINX_REQUEST_CTX, (const char ) ctx); return ctx; } @@ -593,58 +1293,12 @@ ngx_http_modsecurity_cleanup(void data) { ngx_http_modsecurity_ctx_t ctx = data; - + if (ctx->req != NULL) { (void) modsecFinishRequest(ctx->req); } } - -static void -ngx_http_modsecurity_request_body_handler(ngx_http_request_t r) -{ - ngx_http_modsecurity_ctx_t ctx; - ngx_int_t rc; - - ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity); - - if (ctx == NULL - \|\| r->request_body->bufs == NULL - \|\| r->request_body->bufs->next != NULL) { - ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - r->request_body_in_single_buf = ctx->request_body_in_single_buf; - r->request_body_in_file_only = ctx->request_body_in_file_only; - r->header_in = r->request_body->bufs->buf; - ctx->chain = r->request_body->bufs; - r->request_body = NULL; - r->loc_conf = ctx->loc_conf; - - rc = modsecProcessRequest(ctx->req); - - if (rc != DECLINED) { - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: status: %d, need action", rc); - - ngx_http_clear_accept_ranges(r); - ngx_http_clear_last_modified(r); - ngx_http_clear_content_length(r); - - /* Nginx and Apache share same response code / - if (rc < NGX_HTTP_SPECIAL_RESPONSE) { - rc = NGX_HTTP_INTERNAL_SERVER_ERROR; - } - - ngx_http_finalize_request(r, rc); - } - - r->phase_handler++; - ngx_http_core_run_phases(r); - ngx_http_finalize_request(r, NGX_DONE); -} - - static char ngx_http_modsecurity_config(ngx_conf_t cf, ngx_command_t cmd, void conf) { @@ -652,7 +1306,7 @@ ngx_str_t value; const char msg; - if (mscf->config != NULL) { + if (mscf->config != NGX_CONF_UNSET_PTR) { return "is duplicate"; } @@ -664,15 +1318,39 @@ mscf->config = modsecGetDefaultConfig(); - msg = modsecProcessConfig(mscf->config, (const char )value[1].data, ""); + if (mscf->config == NULL) { + return NGX_CONF_ERROR; + } + + msg = modsecProcessConfig(mscf->config, (const char )value[1].data, NULL); if (msg != NULL) { - ngx_conf_log_error(NGX_LOG_INFO, cf, 0, "modSecurity: modsecProcessConfig() %s", msg); + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "ModSecurityConfig in %s:%ui: %s", + cf->conf_file->file.name.data, cf->conf_file->line, msg); return NGX_CONF_ERROR; } return NGX_CONF_OK; } + +static char +ngx_http_modsecurity_enable(ngx_conf_t cf, ngx_command_t cmd, void conf) +{ + ngx_http_modsecurity_loc_conf_t mscf = conf; + char rc; + + rc = ngx_conf_set_flag_slot(cf, cmd, conf); + if (rc != NGX_CONF_OK) { + return rc; + } + if (mscf->enable) { + mscf->file = &cf->conf_file->file.name; + mscf->line = cf->conf_file->line; + } + return NGX_CONF_OK; +} + + static int ngx_http_modsecurity_drop_action(request_rec r) { @@ -685,3 +1363,4 @@ ctx->r->connection->error = 1; return 0; } +
[-] [+]	Added	modsecurity-apache_2.7.3.tar.bz2/nginx/modsecurity/ngx_pool_context.c ^
@@ -0,0 +1,212 @@ + + +#include <ngx_core.h> + +#define NGX_POOL_CTX_SIZE 1024 + +typedef struct ngx_pool_context_node_s ngx_pool_context_node_t; +struct ngx_pool_context_node_s +{ + ngx_pool_context_node_t next; + ngx_pool_context_node_t prev; + ngx_pool_t pool; + ngx_uint_t index; + void data; +}; + +static void +ngx_pool_context_cleanup(void data); + +typedef struct { + ngx_uint_t size; +} ngx_pool_context_conf_t; + +static void * ngx_pool_context_create_conf(ngx_cycle_t cycle); +static char ngx_pool_context_init_conf(ngx_cycle_t cycle, void conf); + +static ngx_core_module_t ngx_pool_context_module_ctx = { + ngx_string("pool_context"), + ngx_pool_context_create_conf, + ngx_pool_context_init_conf, +}; + +static ngx_command_t ngx_pool_context_commands[] = { + + { ngx_string("pool_context_hash_size"), + NGX_MAIN_CONF\|NGX_DIRECT_CONF\|NGX_CONF_TAKE1, + ngx_conf_set_num_slot, + 0, + offsetof(ngx_pool_context_conf_t, size), + NULL + }, + ngx_null_command +}; + + +ngx_module_t ngx_pool_context_module = { + NGX_MODULE_V1, + &ngx_pool_context_module_ctx, /* module context / + ngx_pool_context_commands, / module directives / + NGX_CORE_MODULE, / module type / + NULL, / init master / + NULL, / init module / + NULL, / init process / + NULL, / init thread / + NULL, / exit thread / + NULL, / exit process / + NULL, / exit master / + NGX_MODULE_V1_PADDING +}; + + +#define ngx_pool_context_hash_key(r, ctx_index) ((ngx_uint_t) r + ctx_index) + +#define ngx_pool_context_unlink(node) \ + \ + (node->prev) = node->next; \ + \ + if (node->next) { \ + node->next->prev = node->prev; \ + } \ + \ + node->prev = NULL; \ + + +#define ngx_pool_context_link(queue, node) \ + \ + if (node->prev != NULL) { \ + ngx_pool_context_unlink(node); \ + } \ + node->next = (ngx_pool_context_node_t ) queue; \ + node->prev = (ngx_pool_context_node_t *) queue; \ + queue = node; \ + \ + if (node->next) { \ + node->next->prev = &node->next; \ + } + + +static ngx_pool_context_node_t *ngx_pool_context_hash; +static ngx_uint_t ngx_pool_context_hash_size; + +/ Nginx has removed multi-thread support, so we do not need mutex / + +void +ngx_pool_get_ctx(ngx_pool_t pool, ngx_uint_t index) +{ + ngx_uint_t hash; + uint32_t key; + ngx_pool_context_node_t node; + + hash = (ngx_uint_t) pool + index; + key = ngx_murmur_hash2((u_char )&hash, sizeof(hash)) % ngx_pool_context_hash_size; + + node = ngx_pool_context_hash[key]; + + while (node) { + + if (node->pool == pool && node->index == index) { + + return node->data; + } + node = node->next; + } + + return NULL; + +} + + +ngx_int_t +ngx_pool_set_ctx(ngx_pool_t pool, ngx_uint_t index, void data) +{ + ngx_uint_t hash; + uint32_t key; + ngx_pool_context_node_t node; + ngx_pool_cleanup_t cln; + + hash = (ngx_uint_t) pool + index; + key = ngx_murmur_hash2((u_char )&hash, sizeof(hash)) % ngx_pool_context_hash_size; + + node = ngx_pool_context_hash[key]; + + while (node) { + + if (node->pool == pool + && node->index == index) { + + + node->data = data; + return NGX_OK; + } + node = node->next; + } + + cln = ngx_pool_cleanup_add(pool, sizeof(ngx_pool_context_node_t)); + + if (cln == NULL) { + + return NGX_ERROR; + } + + cln->handler = ngx_pool_context_cleanup; + node = cln->data; + + node->prev = NULL; + node->next = NULL; + node->pool = pool; + node->index = index; + node->data = data; + + ngx_pool_context_link(&ngx_pool_context_hash[key], node); + + return NGX_OK; +} + + +static void +ngx_pool_context_cleanup(void data) +{ + ngx_pool_context_node_t node = data; + + ngx_pool_context_unlink(node); + +} + + +static void * +ngx_pool_context_create_conf(ngx_cycle_t cycle) +{ + ngx_pool_context_conf_t pcf; + + /* create config / + pcf = ngx_pcalloc(cycle->pool, sizeof(ngx_pool_context_conf_t)); + if (pcf == NULL) { + return NULL; + } + + pcf->size = NGX_CONF_UNSET_UINT; + + return pcf; +} + + +static char +ngx_pool_context_init_conf(ngx_cycle_t cycle, void conf) +{ + ngx_pool_context_conf_t pcf = conf; + + ngx_conf_init_uint_value(pcf->size, NGX_POOL_CTX_SIZE); + + ngx_pool_context_hash_size = pcf->size; + + ngx_pool_context_hash = ngx_pcalloc(cycle->pool, sizeof(ngx_pool_context_node_t ) * ngx_pool_context_hash_size); + + if (ngx_pool_context_hash == NULL) { + return NGX_CONF_ERROR; + } + + return NGX_CONF_OK; +} + +
[-] [+]	Added	modsecurity-apache_2.7.3.tar.bz2/nginx/modsecurity/ngx_pool_context.h ^
@@ -0,0 +1,12 @@ + + +#ifndef _NGX_POOL_CONTEXT_H_INCLUDE_ +#define _NGX_POOL_CONTEXT_H_INCLUDE_ + +void* ngx_pool_get_ctx(ngx_pool_t * pool, ngx_uint_t index); +ngx_int_t ngx_pool_set_ctx(ngx_pool_t * pool, ngx_uint_t index,void * data); + +#define ngx_http_get_module_pool_ctx(r, module) ngx_pool_get_ctx(r->pool, module.index) +#define ngx_http_set_pool_ctx(r, c, module) ngx_pool_set_ctx(r->pool, module.index, c) + +#endif /* _NGX_POOL_CONTEXT_H_INCLUDE_ */
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/standalone/Makefile.am ^
@@ -73,7 +73,16 @@ endif install-exec-hook: $(pkglib_LTLIBRARIES) - @echo "Removing unused static libraries..."; \ + @echo "Creating Nginx config file..."; \ + rm -f ../nginx/modsecurity/config; \ + echo "ngx_addon_name=ngx_http_modsecurity" >> ../nginx/modsecurity/config; \ + echo "CORE_MODULES=\"\$$CORE_MODULES ngx_pool_context_module\"" >> ../nginx/modsecurity/config; \ + echo "HTTP_AUX_FILTER_MODULES=\"ngx_http_modsecurity \$$HTTP_AUX_FILTER_MODULES\"" >> ../nginx/modsecurity/config; \ + echo "NGX_ADDON_SRCS=\"\$$NGX_ADDON_SRCS \$$ngx_addon_dir/ngx_http_modsecurity.c \$$ngx_addon_dir/apr_bucket_nginx.c \$$ngx_addon_dir/ngx_pool_context.c\"" >> ../nginx/modsecurity/config;\ + echo "NGX_ADDON_DEPS=\"\$$NGX_ADDON_DEPS \$$ngx_addon_dir/apr_bucket_nginx.h \$$ngx_addon_dir/ngx_pool_context.h\"" >> ../nginx/modsecurity/config; \ + echo "CORE_LIBS=\"\$$CORE_LIBS \$$ngx_addon_dir/../../standalone/.libs/standalone.a -lapr-1 -laprutil-1 -lxml2 -lm @LUA_LDADD@\"" >> ../nginx/modsecurity/config; \ + echo "CORE_INCS=\"\$$CORE_INCS /usr/include/apache2 /usr/include/apr-1.0 /usr/include/httpd /usr/include/apr-1 \$$ngx_addon_dir \$$ngx_addon_dir/../../standalone \$$ngx_addon_dir/../../apache2 /usr/include/libxml2 `echo @LUA_CFLAGS@ \| cut -d "I" -f3`\"" >> ../nginx/modsecurity/config; \ + echo "Removing unused static libraries..."; \ for m in $(pkglib_LTLIBRARIES); do \ base=`echo $$m \| sed 's/\..//'`; \ rm -f $(DESTDIR)$(pkglibdir)/$$base.a; \
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/standalone/Makefile.in ^
@@ -920,7 +920,16 @@ install-exec-hook: $(pkglib_LTLIBRARIES) - @echo "Removing unused static libraries..."; \ + @echo "Creating Nginx config file..."; \ + rm -f ../nginx/modsecurity/config; \ + echo "ngx_addon_name=ngx_http_modsecurity" >> ../nginx/modsecurity/config; \ + echo "CORE_MODULES=\"\$$CORE_MODULES ngx_pool_context_module\"" >> ../nginx/modsecurity/config; \ + echo "HTTP_AUX_FILTER_MODULES=\"ngx_http_modsecurity \$$HTTP_AUX_FILTER_MODULES\"" >> ../nginx/modsecurity/config; \ + echo "NGX_ADDON_SRCS=\"\$$NGX_ADDON_SRCS \$$ngx_addon_dir/ngx_http_modsecurity.c \$$ngx_addon_dir/apr_bucket_nginx.c \$$ngx_addon_dir/ngx_pool_context.c\"" >> ../nginx/modsecurity/config;\ + echo "NGX_ADDON_DEPS=\"\$$NGX_ADDON_DEPS \$$ngx_addon_dir/apr_bucket_nginx.h \$$ngx_addon_dir/ngx_pool_context.h\"" >> ../nginx/modsecurity/config; \ + echo "CORE_LIBS=\"\$$CORE_LIBS \$$ngx_addon_dir/../../standalone/.libs/standalone.a -lapr-1 -laprutil-1 -lxml2 -lm @LUA_LDADD@\"" >> ../nginx/modsecurity/config; \ + echo "CORE_INCS=\"\$$CORE_INCS /usr/include/apache2 /usr/include/apr-1.0 /usr/include/httpd /usr/include/apr-1 \$$ngx_addon_dir \$$ngx_addon_dir/../../standalone \$$ngx_addon_dir/../../apache2 /usr/include/libxml2 `echo @LUA_CFLAGS@ \| cut -d "I" -f3`\"" >> ../nginx/modsecurity/config; \ + echo "Removing unused static libraries..."; \ for m in $(pkglib_LTLIBRARIES); do \ base=`echo $$m \| sed 's/\..//'`; \ rm -f $(DESTDIR)$(pkglibdir)/$$base.a; \
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/standalone/api.c ^
@@ -1,578 +1,662 @@ -/* -* ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) -* -* You may not use this file except in compliance with -* the License. You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* If any of the files related to licensing are missing or if you have any -* other questions related to licensing please contact Trustwave Holdings, Inc. -* directly using the email address security@modsecurity.org. -/ - -#include <limits.h> -#include <stdio.h> - -#include "http_core.h" -#include "http_request.h" - -#include "modsecurity.h" -#include "apache2.h" -#include "http_main.h" -#include "http_connection.h" - -#include "apr_optional.h" -#include "mod_log_config.h" - -#include "msc_logging.h" -#include "msc_util.h" - -#include "ap_mpm.h" -#include "scoreboard.h" - -#include "apr_version.h" - -#include "apr_lib.h" -#include "ap_config.h" -#include "http_config.h" - - -extern void modsecLogObj; -extern void (modsecLogHook)(void obj, int level, char str); -extern int (modsecDropAction)(request_rec r); -apr_status_t (modsecReadBody)(request_rec r, char buf, unsigned int length, unsigned int readcnt, int is_eos); -apr_status_t (modsecReadResponse)(request_rec r, char buf, unsigned int length, unsigned int readcnt, int is_eos); -apr_status_t (modsecWriteBody)(request_rec r, char buf, unsigned int length); -apr_status_t (modsecWriteResponse)(request_rec r, char buf, unsigned int length); - -extern const char process_command_config(server_rec s, - void mconfig, - apr_pool_t p, - apr_pool_t ptemp, - const char filename); - -#define DECLARE_EXTERNAL_HOOK(ns,link,ret,name,args) \ -extern ns##_HOOK_##name##_t hookfn_##name; - -#define DECLARE_HOOK(ret,name,args) \ - DECLARE_EXTERNAL_HOOK(ap,AP,ret,name,args) - -DECLARE_HOOK(int,pre_config,(apr_pool_t pconf,apr_pool_t plog, apr_pool_t ptemp)) -DECLARE_HOOK(int,post_config,(apr_pool_t pconf,apr_pool_t plog, apr_pool_t ptemp,server_rec s)) -DECLARE_HOOK(void,child_init,(apr_pool_t pchild, server_rec s)) -DECLARE_HOOK(int,process_connection,(conn_rec c)) -DECLARE_HOOK(int,post_read_request,(request_rec r)) -DECLARE_HOOK(int,fixups,(request_rec r)) -DECLARE_HOOK(void, error_log, (const char file, int line, int level, - apr_status_t status, const server_rec s, - const request_rec r, apr_pool_t pool, - const char errstr)) -DECLARE_HOOK(int,log_transaction,(request_rec r)) -DECLARE_HOOK(void,insert_filter,(request_rec r)) -DECLARE_HOOK(void,insert_error_filter,(request_rec r)) - -char sa_name = "standalone"; -server_rec server; -apr_pool_t pool = NULL; - -apr_status_t ap_http_in_filter(ap_filter_t f, apr_bucket_brigade b, - ap_input_mode_t mode, apr_read_type_e block, - apr_off_t readbytes); -apr_status_t ap_http_out_filter(ap_filter_t f, apr_bucket_brigade b); - -server_rec modsecInit() { - apr_initialize(); - - apr_pool_create(&pool, NULL); - - apr_hook_global_pool = pool; - - server = apr_palloc(pool, sizeof(server_rec)); - - server->addrs = apr_palloc(pool, sizeof(server_addr_rec)); - server->addrs->host_addr = apr_palloc(pool, sizeof(apr_sockaddr_t)); - server->addrs->host_addr->addr_str_len = 16; - server->addrs->host_addr->family = AF_INET; - server->addrs->host_addr->hostname = sa_name; -#ifdef WIN32 - server->addrs->host_addr->ipaddr_len = sizeof(IN_ADDR); -#else - server->addrs->host_addr->ipaddr_len = sizeof(struct in_addr); -#endif - server->addrs->host_addr->ipaddr_ptr = &server->addrs->host_addr->sa.sin.sin_addr; - server->addrs->host_addr->pool = pool; - server->addrs->host_addr->port = 80; -#ifdef WIN32 - server->addrs->host_addr->sa.sin.sin_addr.S_un.S_addr = 0x0100007f; -#else - server->addrs->host_addr->sa.sin.sin_addr.s_addr = 0x0100007f; -#endif - server->addrs->host_addr->sa.sin.sin_family = AF_INET; - server->addrs->host_addr->sa.sin.sin_port = 80; - server->addrs->host_addr->salen = sizeof(server->addrs->host_addr->sa); - server->addrs->host_addr->servname = sa_name; - server->addrs->host_port = 80; - server->error_fname = "error.log"; - server->error_log = NULL; - server->limit_req_fields = 1024; - server->limit_req_fieldsize = 1024; - server->limit_req_line = 1024; -#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 - server->loglevel = APLOG_DEBUG; -#endif - server->lookup_defaults = NULL; - server->module_config = NULL; - server->names = NULL; -#ifdef WIN32 - server->path = "c:\\inetpub\\wwwroot"; -#else - server->path = "/var/www"; -#endif - server->pathlen = strlen(server->path); - server->port = 80; - server->process = apr_palloc(pool, sizeof(process_rec)); - server->process->argc = 1; - server->process->argv = &sa_name; - server->process->pconf = pool; - server->process->pool = pool; - server->process->short_name = sa_name; - server->server_admin = sa_name; - server->server_hostname = sa_name; - server->server_scheme = ""; - server->timeout = 60 * 1000000;// 60 seconds - server->wild_names = NULL; - server->is_virtual = 0; - - ap_server_config_defines = apr_array_make(pool, 1, sizeof(char )); - - // here we should add scoreboard handling for multiple processes and threads - // - ap_scoreboard_image = (scoreboard )apr_palloc(pool, sizeof(scoreboard)); - - memset(ap_scoreboard_image, 0, sizeof(scoreboard)); - - // ---------- - - security2_module.module_index = 0; - - security2_module.register_hooks(pool); - - ap_register_input_filter("HTTP_IN", ap_http_in_filter, NULL, AP_FTYPE_RESOURCE); - ap_register_output_filter("HTTP_OUT", ap_http_out_filter, NULL, AP_FTYPE_CONTENT_SET); - - return server; -} - -apr_status_t ap_http_in_filter(ap_filter_t f, apr_bucket_brigade b, - ap_input_mode_t mode, apr_read_type_e block, - apr_off_t readbytes) { - char tmp = NULL; - apr_bucket e = NULL; - unsigned int readcnt = 0; - int is_eos = 0; - - if(modsecReadBody == NULL) - return AP_NOBODY_READ; - - tmp = (char )apr_palloc(f->r->pool, readbytes); - modsecReadBody(f->r, tmp, readbytes, &readcnt, &is_eos); - - e = apr_bucket_pool_create(tmp, readcnt, f->r->pool, f->c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(b, e); - - if(is_eos) { - e = apr_bucket_eos_create(f->c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(b, e); - } - - return APR_SUCCESS; -} - -apr_status_t ap_http_out_filter(ap_filter_t f, apr_bucket_brigade b) { - modsec_rec msr = (modsec_rec )f->ctx; - apr_status_t rc; - - // is there a way to tell whether the response body was modified or not? - // - if((msr->txcfg->content_injection_enabled \|\| msr->content_prepend_len != 0 \|\| msr->content_append_len != 0) - && modsecWriteResponse != NULL && msr->txcfg->resbody_access) { - char data = NULL; - apr_size_t length; - - rc = apr_brigade_pflatten(msr->of_brigade, &data, &length, msr->mp); - - if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Output filter: Failed to flatten brigade (%d): %s", rc, - get_apr_error(msr->mp, rc)); - return -1; - } - - modsecWriteResponse(msr->r, data, msr->stream_output_length); - } - - return APR_SUCCESS; -} - -void modsecTerminate() { - apr_pool_destroy(pool); - pool = NULL; - apr_terminate(); -} - -void modsecStartConfig() { - apr_pool_t ptemp = NULL; - - apr_pool_create(&ptemp, pool); - - hookfn_pre_config(pool, pool, ptemp); - - apr_pool_destroy(ptemp); -} - -directory_config modsecGetDefaultConfig() { - return (directory_config )security2_module.create_dir_config(pool, NULL); -} - -const char modsecProcessConfig(directory_config config, const char file, const char dir) { - apr_pool_t ptemp = NULL; - const char err; - apr_status_t status; - const char rootpath, incpath; - - if(dir == NULL \|\| strlen(dir) == 0) -#ifdef WIN32 - dir = "\\"; -#else - dir = "/"; -#endif - - incpath = file; - - / locate the start of the directories proper / - status = apr_filepath_root(&rootpath, &incpath, APR_FILEPATH_TRUENAME \| APR_FILEPATH_NATIVE, pool); - - / we allow APR_SUCCESS and APR_EINCOMPLETE / - if (APR_ERELATIVE == status) { - int li = strlen(dir) - 1; - - if(dir[li] != '/' && dir[li] != '\\') -#ifdef WIN32 - file = apr_pstrcat(pool, dir, "\\", file, NULL); -#else - file = apr_pstrcat(pool, dir, "/", file, NULL); -#endif - else - file = apr_pstrcat(pool, dir, file, NULL); - } - else if (APR_EBADPATH == status) { - return apr_pstrcat(pool, "Config file has a bad path, ", file, NULL); - } - - apr_pool_create(&ptemp, pool); - - err = process_command_config(server, config, pool, ptemp, file); - - apr_pool_destroy(ptemp); - - return err; -} - -void modsecFinalizeConfig() { - apr_pool_t ptemp = NULL; - - apr_pool_create(&ptemp, pool); - - hookfn_post_config(pool, pool, ptemp, server); - hookfn_post_config(pool, pool, ptemp, server); - - apr_pool_destroy(ptemp); -} - -void modsecInitProcess() { - hookfn_child_init(pool, server); -} - -conn_rec modsecNewConnection() { - conn_rec c; - apr_pool_t pc = NULL; - - apr_pool_create(&pc, pool); - - c = apr_pcalloc(pc, sizeof(conn_rec)); - - c->base_server = server; - c->id = 1; - c->local_addr = server->addrs->host_addr; - c->local_host = sa_name; - c->local_ip = "127.0.0.1"; - c->pool = pc; - c->remote_host = sa_name; -#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 - c->remote_ip = "127.0.0.1"; - c->remote_addr = server->addrs->host_addr; -#else - c->client_ip = "127.0.0.1"; - c->client_addr = server->addrs->host_addr; -#endif - c->input_filters = NULL; - c->output_filters = NULL; - c->bucket_alloc = apr_bucket_alloc_create(pc); - - return c; -} - -void modsecProcessConnection(conn_rec c) { - hookfn_process_connection(c); -} - -request_rec modsecNewRequest(conn_rec connection, directory_config config) { - request_rec r; - apr_pool_t pr = NULL; - - apr_pool_create(&pr, connection->pool); - - r = apr_pcalloc(pr, sizeof(request_rec)); - - r->connection = connection; - r->server = server; - r->pool = pr; - r->main = NULL; - r->next = NULL; - r->notes = apr_table_make(pr, 10); - r->per_dir_config = apr_palloc(pr, sizeof(void )); - ((void *)r->per_dir_config)[0] = config; - r->prev = NULL; - r->subprocess_env = apr_table_make(pr, 10); - apr_table_setn(r->subprocess_env, "UNIQUE_ID", "unique_id"); - r->user = NULL; - - r->headers_in = apr_table_make(pr, 10); - r->headers_out = apr_table_make(pr, 10); - r->err_headers_out = apr_table_make(pr, 10); - //apr_table_setn(r->headers_in, "Host", "www.google.com"); - //apr_table_setn(r->headers_in, "", ""); - - r->the_request = "GET /../../index.html HTTP/1.1"; - r->method = "GET"; - r->method_number = M_GET; - r->protocol = "HTTP/1.1"; - r->uri = "http://www.google.com/../../index.html"; - r->args = ""; - r->filename = "/../../index.html"; - r->handler = "IIS"; - - r->parsed_uri.scheme = "http"; - r->parsed_uri.path = "/../../index.html"; - r->parsed_uri.hostname = "www.google.com"; - r->parsed_uri.is_initialized = 1; - r->parsed_uri.port = 1234; - r->parsed_uri.port_str = "1234"; - r->parsed_uri.query = ""; - r->parsed_uri.dns_looked_up = 0; - r->parsed_uri.dns_resolved = 0; - r->parsed_uri.password = NULL; - r->parsed_uri.user = NULL; - r->parsed_uri.fragment = ""; - - r->input_filters = NULL; - r->output_filters = NULL; - - return r; -} - -static modsec_rec retrieve_msr(request_rec r) { - modsec_rec msr = NULL; - request_rec rx = NULL; - - / Look in the current request first. / - msr = (modsec_rec )apr_table_get(r->notes, NOTE_MSR); - if (msr != NULL) { - msr->r = r; - return msr; - } - - /* If this is a subrequest then look in the main request. / - if (r->main != NULL) { - msr = (modsec_rec )apr_table_get(r->main->notes, NOTE_MSR); - if (msr != NULL) { - msr->r = r; - return msr; - } - } - - /* If the request was redirected then look in the previous requests. / - rx = r->prev; - while(rx != NULL) { - msr = (modsec_rec )apr_table_get(rx->notes, NOTE_MSR); - if (msr != NULL) { - msr->r = r; - return msr; - } - rx = rx->prev; - } - - return NULL; -} - -int modsecProcessRequest(request_rec r) { - int status = DECLINED; - modsec_rec msr = NULL; - - ap_filter_t f = ap_add_input_filter("HTTP_IN", NULL, r, r->connection); - - status = hookfn_post_read_request(r); - status = hookfn_fixups(r); - - ap_remove_input_filter(f); - - hookfn_insert_filter(r); - - / Find the transaction context first. / - msr = retrieve_msr(r); - - if (msr == NULL) - return status; - - if(msr->stream_input_data != NULL && modsecWriteBody != NULL) - { - // target is responsible for copying the data into correctly managed buffer - // - modsecWriteBody(r, msr->stream_input_data, msr->stream_input_length); - - free(msr->stream_input_data); - - msr->stream_input_data = NULL; - } - - // leftover code possibly for future use - // - //if(r->input_filters != NULL && r->input_filters->frec->filter_init_func != NULL) - //r->input_filters->frec->filter_init_func(r->input_filters); - //if(r->input_filters != NULL && r->input_filters->frec->filter_func.in_func != NULL) - //r->input_filters->frec->filter_func.in_func(r->input_filters, NULL, 0, 0, 0); - - return status; -} - -void modsecSetConfigForIISRequestBody(request_rec r) -{ - modsec_rec msr = retrieve_msr(r); - - if(msr == NULL \|\| msr->txcfg == NULL) - return; - - if(msr->txcfg->reqbody_access) - msr->txcfg->stream_inbody_inspection = 1; -} - -int modsecIsResponseBodyAccessEnabled(request_rec r) -{ - modsec_rec msr = retrieve_msr(r); - - if(msr == NULL \|\| msr->txcfg == NULL) - return 0; - - return msr->txcfg->resbody_access; -} - -int modsecProcessResponse(request_rec r) { - int status = DECLINED; - - if(r->output_filters != NULL) { - modsec_rec msr = (modsec_rec )r->output_filters->ctx; - char buf[8192]; - char tmp = NULL; - apr_bucket e = NULL; - unsigned int readcnt = 0; - int is_eos = 0; - ap_filter_t f = NULL; - apr_bucket_brigade bb = NULL; - - if (msr == NULL) { - ap_log_error(APLOG_MARK, APLOG_ERR \| APLOG_NOERRNO, 0, r->server, - "ModSecurity: Internal Error: msr is null in output filter."); - ap_remove_output_filter(r->output_filters); - return send_error_bucket(msr, r->output_filters, HTTP_INTERNAL_SERVER_ERROR); - } - - bb = apr_brigade_create(msr->mp, r->connection->bucket_alloc); - - if (bb == NULL) { - msr_log(msr, 1, "Process response: Failed to create brigade."); - return -1; - } - - msr->r = r; - - if(modsecReadResponse == NULL) - return AP_NOBODY_WROTE; - - f = ap_add_output_filter("HTTP_OUT", msr, r, r->connection); - - while(!is_eos) { - modsecReadResponse(r, buf, 8192, &readcnt, &is_eos); - - if(readcnt > 0) { - tmp = (char )apr_palloc(r->pool, readcnt); - memcpy(tmp, buf, readcnt); - - e = apr_bucket_pool_create(tmp, readcnt, r->pool, r->connection->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(bb, e); - } - - if(is_eos) { - e = apr_bucket_eos_create(r->connection->bucket_alloc); - - APR_BRIGADE_INSERT_TAIL(bb, e); - } - } - - status = ap_pass_brigade(r->output_filters, bb); - - ap_remove_output_filter(f); - } - - return status; -} - -int modsecFinishRequest(request_rec r) { - // run output filter - //if(r->output_filters != NULL && r->output_filters->frec->filter_init_func != NULL) - //r->output_filters->frec->filter_init_func(r->output_filters); - - hookfn_log_transaction(r); - - // make sure you cleanup before calling apr_terminate() - // otherwise double-free might occur, because of the request body pool cleanup function - // - apr_pool_destroy(r->connection->pool); - - return DECLINED; -} - -void modsecSetLogHook(void obj, void (hook)(void obj, int level, char str)) { - modsecLogObj = obj; - modsecLogHook = hook; -} - -void modsecSetReadBody(apr_status_t (func)(request_rec r, char buf, unsigned int length, unsigned int readcnt, int is_eos)) { - modsecReadBody = func; -} - -void modsecSetReadResponse(apr_status_t (func)(request_rec r, char buf, unsigned int length, unsigned int readcnt, int is_eos)) { - modsecReadResponse = func; -} - -void modsecSetWriteBody(apr_status_t (func)(request_rec r, char buf, unsigned int length)) { - modsecWriteBody = func; -} - -void modsecSetWriteResponse(apr_status_t (func)(request_rec r, char buf, unsigned int length)) { - modsecWriteResponse = func; -} - -void modsecSetDropAction(int (func)(request_rec r)) { - modsecDropAction = func; -} +/* +* ModSecurity for Apache 2.x, http://www.modsecurity.org/ +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* +* You may not use this file except in compliance with +* the License. You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* If any of the files related to licensing are missing or if you have any +* other questions related to licensing please contact Trustwave Holdings, Inc. +* directly using the email address security@modsecurity.org. +/ + +#include <limits.h> +#include <stdio.h> + +#include "http_core.h" +#include "http_request.h" + +#include "modsecurity.h" +#include "apache2.h" +#include "http_main.h" +#include "http_connection.h" + +#include "apr_optional.h" +#include "mod_log_config.h" + +#include "msc_logging.h" +#include "msc_util.h" + +#include "ap_mpm.h" +#include "scoreboard.h" + +#include "apr_version.h" + +#include "apr_lib.h" +#include "ap_config.h" +#include "http_config.h" + +#include "api.h" + +extern void modsecLogObj; +extern void (modsecLogHook)(void obj, int level, char str); +extern int (modsecDropAction)(request_rec r); +apr_status_t (modsecReadBody)(request_rec r, char buf, unsigned int length, unsigned int readcnt, int is_eos); +apr_status_t (modsecReadResponse)(request_rec r, char buf, unsigned int length, unsigned int readcnt, int is_eos); +apr_status_t (modsecWriteBody)(request_rec r, char buf, unsigned int length); +apr_status_t (modsecWriteResponse)(request_rec r, char buf, unsigned int length); + +extern const char process_command_config(server_rec s, + void mconfig, + apr_pool_t p, + apr_pool_t ptemp, + const char filename); + +#define DECLARE_EXTERNAL_HOOK(ns,link,ret,name,args) \ +extern ns##_HOOK_##name##_t hookfn_##name; + +#define DECLARE_HOOK(ret,name,args) \ + DECLARE_EXTERNAL_HOOK(ap,AP,ret,name,args) + +DECLARE_HOOK(int,pre_config,(apr_pool_t pconf,apr_pool_t plog, apr_pool_t ptemp)) +DECLARE_HOOK(int,post_config,(apr_pool_t pconf,apr_pool_t plog, apr_pool_t ptemp,server_rec s)) +DECLARE_HOOK(void,child_init,(apr_pool_t pchild, server_rec s)) +DECLARE_HOOK(int,process_connection,(conn_rec c)) +DECLARE_HOOK(int,post_read_request,(request_rec r)) +DECLARE_HOOK(int,fixups,(request_rec r)) +DECLARE_HOOK(void, error_log, (const char file, int line, int level, + apr_status_t status, const server_rec s, + const request_rec r, apr_pool_t pool, + const char errstr)) +DECLARE_HOOK(int,log_transaction,(request_rec r)) +DECLARE_HOOK(void,insert_filter,(request_rec r)) +DECLARE_HOOK(void,insert_error_filter,(request_rec r)) + +char sa_name = "standalone"; +server_rec server; +apr_pool_t pool = NULL; + +apr_status_t ap_http_in_filter(ap_filter_t f, apr_bucket_brigade b, + ap_input_mode_t mode, apr_read_type_e block, + apr_off_t readbytes); +apr_status_t ap_http_out_filter(ap_filter_t f, apr_bucket_brigade b); + +server_rec modsecInit() { + apr_initialize(); + + apr_pool_create(&pool, NULL); + + apr_hook_global_pool = pool; + + server = apr_palloc(pool, sizeof(server_rec)); + + server->addrs = apr_palloc(pool, sizeof(server_addr_rec)); + server->addrs->host_addr = apr_palloc(pool, sizeof(apr_sockaddr_t)); + server->addrs->host_addr->addr_str_len = 16; + server->addrs->host_addr->family = AF_INET; + server->addrs->host_addr->hostname = sa_name; +#ifdef WIN32 + server->addrs->host_addr->ipaddr_len = sizeof(IN_ADDR); +#else + server->addrs->host_addr->ipaddr_len = sizeof(struct in_addr); +#endif + server->addrs->host_addr->ipaddr_ptr = &server->addrs->host_addr->sa.sin.sin_addr; + server->addrs->host_addr->pool = pool; + server->addrs->host_addr->port = 80; +#ifdef WIN32 + server->addrs->host_addr->sa.sin.sin_addr.S_un.S_addr = 0x0100007f; +#else + server->addrs->host_addr->sa.sin.sin_addr.s_addr = 0x0100007f; +#endif + server->addrs->host_addr->sa.sin.sin_family = AF_INET; + server->addrs->host_addr->sa.sin.sin_port = 80; + server->addrs->host_addr->salen = sizeof(server->addrs->host_addr->sa); + server->addrs->host_addr->servname = sa_name; + server->addrs->host_port = 80; + server->error_fname = "error.log"; + server->error_log = NULL; + server->limit_req_fields = 1024; + server->limit_req_fieldsize = 1024; + server->limit_req_line = 1024; +#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 + server->loglevel = APLOG_DEBUG; +#endif + server->lookup_defaults = NULL; + server->module_config = NULL; + server->names = NULL; +#ifdef WIN32 + server->path = "c:\\inetpub\\wwwroot"; +#else + server->path = "/var/www"; +#endif + server->pathlen = strlen(server->path); + server->port = 80; + server->process = apr_palloc(pool, sizeof(process_rec)); + server->process->argc = 1; + server->process->argv = &sa_name; + server->process->pconf = pool; + server->process->pool = pool; + server->process->short_name = sa_name; + server->server_admin = sa_name; + server->server_hostname = sa_name; + server->server_scheme = ""; + server->timeout = 60 * 1000000;// 60 seconds + server->wild_names = NULL; + server->is_virtual = 0; + + ap_server_config_defines = apr_array_make(pool, 1, sizeof(char )); + + // here we should add scoreboard handling for multiple processes and threads + // + ap_scoreboard_image = (scoreboard )apr_palloc(pool, sizeof(scoreboard)); + + memset(ap_scoreboard_image, 0, sizeof(scoreboard)); + + // ---------- + + security2_module.module_index = 0; + + security2_module.register_hooks(pool); + + ap_register_input_filter("HTTP_IN", ap_http_in_filter, NULL, AP_FTYPE_RESOURCE); + ap_register_output_filter("HTTP_OUT", ap_http_out_filter, NULL, AP_FTYPE_CONTENT_SET); + + return server; +} + +apr_status_t ap_http_in_filter(ap_filter_t f, apr_bucket_brigade bb_out, + ap_input_mode_t mode, apr_read_type_e block, + apr_off_t readbytes) { + char tmp = NULL; + apr_bucket e = NULL; + unsigned int readcnt = 0; + int is_eos = 0; + apr_bucket_brigade bb_in; + apr_bucket after; + apr_status_t rv; + + bb_in = modsecGetBodyBrigade(f->r); + + /* use request brigade / + if (bb_in != NULL) { + if (!APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(bb_in))) { + e = apr_bucket_eos_create(f->c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb_in, e); + } + + rv = apr_brigade_partition(bb_in, readbytes, &after); + if (rv != APR_SUCCESS && rv != APR_INCOMPLETE) { + return rv; + } + + for (e = APR_BRIGADE_FIRST(bb_in); e != after; e = APR_BRIGADE_FIRST(bb_in)) { + APR_BUCKET_REMOVE(e); + APR_BRIGADE_INSERT_TAIL(bb_out, e); + } + + return APR_SUCCESS; + } + + / call the callback / + if(modsecReadBody != NULL) { + + tmp = (char )apr_palloc(f->r->pool, readbytes); + modsecReadBody(f->r, tmp, readbytes, &readcnt, &is_eos); + + e = apr_bucket_pool_create(tmp, readcnt, f->r->pool, f->c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb_out, e); + + if(is_eos) { + e = apr_bucket_eos_create(f->c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb_out, e); + } + return APR_SUCCESS; + } + + /* cannot read request body / + e = apr_bucket_eos_create(f->c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb_out, e); + + return APR_SUCCESS; +} + +apr_status_t ap_http_out_filter(ap_filter_t f, apr_bucket_brigade b) { + modsec_rec msr = (modsec_rec )f->ctx; + apr_status_t rc; + apr_bucket_brigade bb_out; + + bb_out = modsecGetResponseBrigade(f->r); + + + if (bb_out) { + APR_BRIGADE_CONCAT(bb_out, b); + return APR_SUCCESS; + } + + // is there a way to tell whether the response body was modified or not? + // + if((msr->txcfg->content_injection_enabled \|\| msr->content_prepend_len != 0 \|\| msr->content_append_len != 0) + && msr->txcfg->resbody_access) { + + if (modsecWriteResponse != NULL) { + char data = NULL; + apr_size_t length; + + rc = apr_brigade_pflatten(msr->of_brigade, &data, &length, msr->mp); + + if (rc != APR_SUCCESS) { + msr_log(msr, 1, "Output filter: Failed to flatten brigade (%d): %s", rc, + get_apr_error(msr->mp, rc)); + return -1; + } + + / TODO: return ?/ + modsecWriteResponse(msr->r, data, msr->stream_output_length); + } + } + + return APR_SUCCESS; +} + +void modsecTerminate() { + apr_pool_destroy(pool); + pool = NULL; + apr_terminate(); +} + +void modsecStartConfig() { + apr_pool_t ptemp = NULL; + + apr_pool_create(&ptemp, pool); + + hookfn_pre_config(pool, pool, ptemp); + + apr_pool_destroy(ptemp); +} + +directory_config modsecGetDefaultConfig() { + return (directory_config )security2_module.create_dir_config(pool, NULL); +} + +const char modsecProcessConfig(directory_config config, const char file, const char dir) { + apr_pool_t ptemp = NULL; + const char err; + apr_status_t status; + const char rootpath, incpath; + + if(dir == NULL \|\| strlen(dir) == 0) +#ifdef WIN32 + dir = "\\"; +#else + dir = "/"; +#endif + + incpath = file; + + /* locate the start of the directories proper / + status = apr_filepath_root(&rootpath, &incpath, APR_FILEPATH_TRUENAME \| APR_FILEPATH_NATIVE, pool); + + / we allow APR_SUCCESS and APR_EINCOMPLETE / + if (APR_ERELATIVE == status) { + int li = strlen(dir) - 1; + + if(dir[li] != '/' && dir[li] != '\\') +#ifdef WIN32 + file = apr_pstrcat(pool, dir, "\\", file, NULL); +#else + file = apr_pstrcat(pool, dir, "/", file, NULL); +#endif + else + file = apr_pstrcat(pool, dir, file, NULL); + } + else if (APR_EBADPATH == status) { + return apr_pstrcat(pool, "Config file has a bad path, ", file, NULL); + } + + apr_pool_create(&ptemp, pool); + + err = process_command_config(server, config, pool, ptemp, file); + + apr_pool_destroy(ptemp); + + return err; +} + +void modsecFinalizeConfig() { + apr_pool_t ptemp = NULL; + + apr_pool_create(&ptemp, pool); + + hookfn_post_config(pool, pool, ptemp, server); + hookfn_post_config(pool, pool, ptemp, server); + + apr_pool_destroy(ptemp); +} + +void modsecInitProcess() { + hookfn_child_init(pool, server); +} + +conn_rec modsecNewConnection() { + conn_rec c; + apr_pool_t pc = NULL; + + apr_pool_create(&pc, pool); + + c = apr_pcalloc(pc, sizeof(conn_rec)); + + c->base_server = server; + c->id = 1; + c->local_addr = server->addrs->host_addr; + c->local_host = sa_name; + c->local_ip = "127.0.0.1"; + c->pool = pc; + c->remote_host = sa_name; +#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 + c->remote_ip = "127.0.0.1"; + c->remote_addr = server->addrs->host_addr; +#else + c->client_ip = "127.0.0.1"; + c->client_addr = server->addrs->host_addr; +#endif + c->input_filters = NULL; + c->output_filters = NULL; + c->bucket_alloc = apr_bucket_alloc_create(pc); + + return c; +} + +void modsecProcessConnection(conn_rec c) { + hookfn_process_connection(c); +} + +request_rec modsecNewRequest(conn_rec connection, directory_config config) { + request_rec r; + apr_pool_t pr = NULL; + + apr_pool_create(&pr, connection->pool); + + r = apr_pcalloc(pr, sizeof(request_rec)); + + r->connection = connection; + r->server = server; + r->pool = pr; + r->main = NULL; + r->next = NULL; + r->notes = apr_table_make(pr, 10); + r->per_dir_config = apr_palloc(pr, sizeof(void )); + ((void *)r->per_dir_config)[0] = config; + r->prev = NULL; + r->subprocess_env = apr_table_make(pr, 10); + apr_table_setn(r->subprocess_env, "UNIQUE_ID", "unique_id"); + r->user = NULL; + + r->headers_in = apr_table_make(pr, 10); + r->headers_out = apr_table_make(pr, 10); + r->err_headers_out = apr_table_make(pr, 10); + //apr_table_setn(r->headers_in, "Host", "www.google.com"); + //apr_table_setn(r->headers_in, "", ""); + + r->the_request = "GET /../../index.html HTTP/1.1"; + r->method = "GET"; + r->method_number = M_GET; + r->protocol = "HTTP/1.1"; + r->uri = "http://www.google.com/../../index.html"; + r->args = ""; + r->filename = "/../../index.html"; + r->handler = "IIS"; + + r->parsed_uri.scheme = "http"; + r->parsed_uri.path = "/../../index.html"; + r->parsed_uri.hostname = "www.google.com"; + r->parsed_uri.is_initialized = 1; + r->parsed_uri.port = 1234; + r->parsed_uri.port_str = "1234"; + r->parsed_uri.query = ""; + r->parsed_uri.dns_looked_up = 0; + r->parsed_uri.dns_resolved = 0; + r->parsed_uri.password = NULL; + r->parsed_uri.user = NULL; + r->parsed_uri.fragment = ""; + + r->input_filters = NULL; + r->output_filters = NULL; + + return r; +} + +static modsec_rec retrieve_msr(request_rec r) { + modsec_rec msr = NULL; + request_rec rx = NULL; + + / Look in the current request first. / + msr = (modsec_rec )apr_table_get(r->notes, NOTE_MSR); + if (msr != NULL) { + msr->r = r; + return msr; + } + + /* If this is a subrequest then look in the main request. / + if (r->main != NULL) { + msr = (modsec_rec )apr_table_get(r->main->notes, NOTE_MSR); + if (msr != NULL) { + msr->r = r; + return msr; + } + } + + /* If the request was redirected then look in the previous requests. / + rx = r->prev; + while(rx != NULL) { + msr = (modsec_rec )apr_table_get(rx->notes, NOTE_MSR); + if (msr != NULL) { + msr->r = r; + return msr; + } + rx = rx->prev; + } + + return NULL; +} + +int modsecProcessRequestHeaders(request_rec r) { + return hookfn_post_read_request(r); +} + +int modsecProcessRequestBody(request_rec r) { + int status = DECLINED; + modsec_rec msr = NULL; + + ap_filter_t f = ap_add_input_filter("HTTP_IN", NULL, r, r->connection); + apr_bucket_brigade* bb_out; + + status = hookfn_fixups(r); + + ap_remove_input_filter(f); + + if (status != DECLINED) { + return status; + } + + hookfn_insert_filter(r); + + /* Find the transaction context first. / + msr = retrieve_msr(r); + + if (msr == NULL) + return status; + + bb_out = modsecGetBodyBrigade(r); + if (bb_out) { + (void) apr_brigade_cleanup(bb_out); + status = ap_get_brigade(r->input_filters, bb_out, AP_MODE_READBYTES, APR_BLOCK_READ, -1); + if (status == APR_SUCCESS) { + return DECLINED; + } + return status; + } + + if(msr->stream_input_data != NULL && modsecWriteBody != NULL) + { + // target is responsible for copying the data into correctly managed buffer + // + modsecWriteBody(r, msr->stream_input_data, msr->stream_input_length); + + free(msr->stream_input_data); + + msr->stream_input_data = NULL; + } + + // leftover code possibly for future use + // + //if(r->input_filters != NULL && r->input_filters->frec->filter_init_func != NULL) + //r->input_filters->frec->filter_init_func(r->input_filters); + //if(r->input_filters != NULL && r->input_filters->frec->filter_func.in_func != NULL) + //r->input_filters->frec->filter_func.in_func(r->input_filters, NULL, 0, 0, 0); + + return status; +} + +void modsecSetConfigForIISRequestBody(request_rec r) +{ + modsec_rec msr = retrieve_msr(r); + + if(msr == NULL \|\| msr->txcfg == NULL) + return; + + if(msr->txcfg->reqbody_access) + msr->txcfg->stream_inbody_inspection = 1; +} + +int modsecIsRequestBodyAccessEnabled(request_rec r) +{ + modsec_rec msr = retrieve_msr(r); + + if(msr == NULL \|\| msr->txcfg == NULL) + return 0; + + return msr->txcfg->reqbody_access; +} + +int modsecIsResponseBodyAccessEnabled(request_rec r) +{ + modsec_rec msr = retrieve_msr(r); + + if(msr == NULL \|\| msr->txcfg == NULL) + return 0; + + return msr->txcfg->resbody_access; +} + +int modsecProcessResponse(request_rec r) { + int status = DECLINED; + + if(r->output_filters != NULL) { + modsec_rec msr = (modsec_rec )r->output_filters->ctx; + char buf[8192]; + char tmp = NULL; + apr_bucket e = NULL; + unsigned int readcnt = 0; + int is_eos = 0; + ap_filter_t f = NULL; + apr_bucket_brigade bb_in, bb = NULL; + + if (msr == NULL) { + ap_log_error(APLOG_MARK, APLOG_ERR \| APLOG_NOERRNO, 0, r->server, + "ModSecurity: Internal Error: msr is null in output filter."); + ap_remove_output_filter(r->output_filters); + return send_error_bucket(msr, r->output_filters, HTTP_INTERNAL_SERVER_ERROR); + } + + bb = apr_brigade_create(msr->mp, r->connection->bucket_alloc); + + if (bb == NULL) { + msr_log(msr, 1, "Process response: Failed to create brigade."); + return APR_EGENERAL; + } + + msr->r = r; + + bb_in = modsecGetResponseBrigade(r); + + if (bb_in != NULL) { + APR_BRIGADE_CONCAT(bb, bb_in); + if (!APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(bb))) { + e = apr_bucket_eos_create(bb->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, e); + } + } else if (modsecReadResponse != NULL) { + while(!is_eos) { + modsecReadResponse(r, buf, 8192, &readcnt, &is_eos); + + if(readcnt > 0) { + tmp = (char )apr_palloc(r->pool, readcnt); + memcpy(tmp, buf, readcnt); + e = apr_bucket_pool_create(tmp, readcnt, r->pool, r->connection->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, e); + } + } + + e = apr_bucket_eos_create(r->connection->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, e); + } else { + /* cannot read response body process header only / + + e = apr_bucket_eos_create(r->connection->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, e); + } + + f = ap_add_output_filter("HTTP_OUT", msr, r, r->connection); + status = ap_pass_brigade(r->output_filters, bb); + ap_remove_output_filter(f); + if(status > 0 + && msr->intercept_actionset->intercept_status != 0) { + status = msr->intercept_actionset->intercept_status; + } + return status; + } + + return status; +} + +int modsecFinishRequest(request_rec r) { + // run output filter + //if(r->output_filters != NULL && r->output_filters->frec->filter_init_func != NULL) + //r->output_filters->frec->filter_init_func(r->output_filters); + + hookfn_log_transaction(r); + + // make sure you cleanup before calling apr_terminate() + // otherwise double-free might occur, because of the request body pool cleanup function + // + apr_pool_destroy(r->connection->pool); + + return DECLINED; +} + +void modsecSetLogHook(void obj, void (hook)(void obj, int level, char str)) { + modsecLogObj = obj; + modsecLogHook = hook; +} + +void modsecSetReadBody(apr_status_t (func)(request_rec r, char buf, unsigned int length, unsigned int readcnt, int is_eos)) { + modsecReadBody = func; +} + +void modsecSetReadResponse(apr_status_t (func)(request_rec r, char buf, unsigned int length, unsigned int readcnt, int is_eos)) { + modsecReadResponse = func; +} + +void modsecSetWriteBody(apr_status_t (func)(request_rec r, char buf, unsigned int length)) { + modsecWriteBody = func; +} + +void modsecSetWriteResponse(apr_status_t (func)(request_rec r, char buf, unsigned int length)) { + modsecWriteResponse = func; +} + +void modsecSetDropAction(int (func)(request_rec r)) { + modsecDropAction = func; +}
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/standalone/api.h ^
@@ -60,12 +60,49 @@ void modsecProcessConnection(conn_rec c); request_rec modsecNewRequest(conn_rec connection, directory_config config); -int modsecProcessRequest(request_rec r); + +int modsecProcessRequestBody(request_rec r); +int modsecProcessRequestHeaders(request_rec r); + +static inline int modsecProcessRequest(request_rec r) { + int status; + status = modsecProcessRequestHeaders(r); + if (status != DECLINED) { + return status; + } + + return modsecProcessRequestBody(r); +} + + int modsecProcessResponse(request_rec r); int modsecFinishRequest(request_rec r); void modsecSetLogHook(void obj, void (hook)(void obj, int level, char str)); +#define NOTE_MSR_BRIGADE_REQUEST "modsecurity-brigade-request" +#define NOTE_MSR_BRIGADE_RESPONSE "modsecurity-brigade-response" + +static inline void +modsecSetBodyBrigade(request_rec r, apr_bucket_brigade b) { + apr_table_setn(r->notes, NOTE_MSR_BRIGADE_REQUEST, (char )b); +}; + +static inline apr_bucket_brigade +modsecGetBodyBrigade(request_rec r) { + return (apr_bucket_brigade )apr_table_get(r->notes, NOTE_MSR_BRIGADE_REQUEST); +}; + +static inline void +modsecSetResponseBrigade(request_rec r, apr_bucket_brigade b) { + apr_table_setn(r->notes, NOTE_MSR_BRIGADE_RESPONSE, (char )b); +}; + +static inline apr_bucket_brigade +modsecGetResponseBrigade(request_rec r) { + return (apr_bucket_brigade )apr_table_get(r->notes, NOTE_MSR_BRIGADE_RESPONSE); +}; + void modsecSetReadBody(apr_status_t (func)(request_rec r, char buf, unsigned int length, unsigned int readcnt, int is_eos)); void modsecSetReadResponse(apr_status_t (func)(request_rec r, char buf, unsigned int length, unsigned int readcnt, int is_eos)); void modsecSetWriteBody(apr_status_t (func)(request_rec r, char buf, unsigned int length)); @@ -73,6 +110,7 @@ void modsecSetDropAction(int (func)(request_rec r)); int modsecIsResponseBodyAccessEnabled(request_rec r); +int modsecIsRequestBodyAccessEnabled(request_rec r); void modsecSetConfigForIISRequestBody(request_rec r);
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/standalone/config.c ^
@@ -1,1188 +1,1202 @@ -/* -* ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) -* -* You may not use this file except in compliance with -* the License. You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* If any of the files related to licensing are missing or if you have any -* other questions related to licensing please contact Trustwave Holdings, Inc. -* directly using the email address security@modsecurity.org. -/ - -#include <limits.h> -#include <stdio.h> - -#include "http_core.h" -#include "http_request.h" - -#include "modsecurity.h" -#include "apache2.h" -#include "http_main.h" -#include "http_connection.h" - -#include "apr_optional.h" -#include "mod_log_config.h" - -#include "msc_logging.h" -#include "msc_util.h" - -#include "ap_mpm.h" -#include "scoreboard.h" - -#include "apr_version.h" - -#include "apr_lib.h" -#include "ap_config.h" -#include "http_config.h" -#include "apr_fnmatch.h" - -AP_DECLARE(int) ap_cfg_closefile(ap_configfile_t cfp) -{ -#ifdef DEBUG - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, - "Done with config file %s", cfp->name); -#endif - return (cfp->close == NULL) ? 0 : cfp->close(cfp->param); -} - -#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 -static apr_status_t cfg_close(void param) -{ - apr_file_t cfp = (apr_file_t ) param; - return (apr_file_close(cfp)); -} - -static int cfg_getch(void param) -{ - char ch; - apr_file_t cfp = (apr_file_t ) param; - if (apr_file_getc(&ch, cfp) == APR_SUCCESS) - return ch; - return (int)EOF; -} - -static void cfg_getstr(void buf, size_t bufsiz, void param) -{ - apr_file_t cfp = (apr_file_t ) param; - apr_status_t rv; - rv = apr_file_gets(buf, bufsiz, cfp); - if (rv == APR_SUCCESS) { - return buf; - } - return NULL; -} -#else -/ we can't use apr_file_* directly because of linking issues on Windows / -static apr_status_t cfg_close(void param) -{ - return apr_file_close(param); -} - -static apr_status_t cfg_getch(char ch, void param) -{ - return apr_file_getc(ch, param); -} - -static apr_status_t cfg_getstr(void buf, apr_size_t bufsiz, void param) -{ - return apr_file_gets(buf, bufsiz, param); -} -#endif - -/* Read one line from open ap_configfile_t, strip LF, increase line number / -/ If custom handler does not define a getstr() function, read char by char / - -#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 -AP_DECLARE(int) ap_cfg_getline(char buf, size_t bufsize, ap_configfile_t cfp) -{ - / If a "get string" function is defined, use it / - if (cfp->getstr != NULL) { - char src, dst; - char cp; - char cbuf = buf; - size_t cbufsize = bufsize; - - while (1) { - ++cfp->line_number; - if (cfp->getstr(cbuf, cbufsize, cfp->param) == NULL) - return 1; - - / - * check for line continuation, - * i.e. match [^\\]\\[\r]\n only - / - cp = cbuf; - while (cp < cbuf+cbufsize && cp != '\0') - cp++; - if (cp > cbuf && cp[-1] == LF) { - cp--; - if (cp > cbuf && cp[-1] == CR) - cp--; - if (cp > cbuf && cp[-1] == '\\') { - cp--; - if (!(cp > cbuf && cp[-1] == '\\')) { - /* - * line continuation requested - - * then remove backslash and continue - / - cbufsize -= (cp-cbuf); - cbuf = cp; - continue; - } - else { - / - * no real continuation because escaped - - * then just remove escape character - / - for ( ; cp < cbuf+cbufsize && cp != '\0'; cp++) - cp[0] = cp[1]; - } - } - } - break; - } - - /* - * Leading and trailing white space is eliminated completely - / - src = buf; - while (apr_isspace(src)) - ++src; - /* blast trailing whitespace / - dst = &src[strlen(src)]; - while (--dst >= src && apr_isspace(dst)) - dst = '\0'; - / Zap leading whitespace by shifting / - if (src != buf) - for (dst = buf; (dst++ = src++) != '\0'; ) - ; - -#ifdef DEBUG_CFG_LINES - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "Read config: %s", buf); -#endif - return 0; - } else { - / No "get string" function defined; read character by character / - register int c; - register size_t i = 0; - - buf[0] = '\0'; - / skip leading whitespace / - do { - c = cfp->getch(cfp->param); - } while (c == '\t' \|\| c == ' '); - - if (c == EOF) - return 1; - - if(bufsize < 2) { - / too small, assume caller is crazy / - return 1; - } - - while (1) { - if ((c == '\t') \|\| (c == ' ')) { - buf[i++] = ' '; - while ((c == '\t') \|\| (c == ' ')) - c = cfp->getch(cfp->param); - } - if (c == CR) { - / silently ignore CR (_assume_ that a LF follows) / - c = cfp->getch(cfp->param); - } - if (c == LF) { - / increase line number and return on LF / - ++cfp->line_number; - } - if (c == EOF \|\| c == 0x4 \|\| c == LF \|\| i >= (bufsize - 2)) { - / - * check for line continuation - / - if (i > 0 && buf[i-1] == '\\') { - i--; - if (!(i > 0 && buf[i-1] == '\\')) { - / line is continued / - c = cfp->getch(cfp->param); - continue; - } - / else nothing needs be done because - * then the backslash is escaped and - * we just strip to a single one - / - } - / blast trailing whitespace / - while (i > 0 && apr_isspace(buf[i - 1])) - --i; - buf[i] = '\0'; -#ifdef DEBUG_CFG_LINES - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, - "Read config: %s", buf); -#endif - return 0; - } - buf[i] = c; - ++i; - c = cfp->getch(cfp->param); - } - } -} -#else -static apr_status_t ap_cfg_getline_core(char buf, apr_size_t bufsize, - ap_configfile_t cfp) -{ - apr_status_t rc; - / If a "get string" function is defined, use it / - if (cfp->getstr != NULL) { - char cp; - char cbuf = buf; - apr_size_t cbufsize = bufsize; - - while (1) { - ++cfp->line_number; - rc = cfp->getstr(cbuf, cbufsize, cfp->param); - if (rc == APR_EOF) { - if (cbuf != buf) { - cbuf = '\0'; - break; - } - else { - return APR_EOF; - } - } - if (rc != APR_SUCCESS) { - return rc; - } - - /* - * check for line continuation, - * i.e. match [^\\]\\[\r]\n only - / - cp = cbuf; - cp += strlen(cp); - if (cp > cbuf && cp[-1] == LF) { - cp--; - if (cp > cbuf && cp[-1] == CR) - cp--; - if (cp > cbuf && cp[-1] == '\\') { - cp--; - / - * line continuation requested - - * then remove backslash and continue - / - cbufsize -= (cp-cbuf); - cbuf = cp; - continue; - } - } - else if (cp - buf >= bufsize - 1) { - return APR_ENOSPC; - } - break; - } - } else { - / No "get string" function defined; read character by character / - apr_size_t i = 0; - - if (bufsize < 2) { - / too small, assume caller is crazy / - return APR_EINVAL; - } - buf[0] = '\0'; - - while (1) { - char c; - rc = cfp->getch(&c, cfp->param); - if (rc == APR_EOF) { - if (i > 0) - break; - else - return APR_EOF; - } - if (rc != APR_SUCCESS) - return rc; - if (c == LF) { - ++cfp->line_number; - / check for line continuation / - if (i > 0 && buf[i-1] == '\\') { - i--; - continue; - } - else { - break; - } - } - else if (i >= bufsize - 2) { - return APR_ENOSPC; - } - buf[i] = c; - ++i; - } - buf[i] = '\0'; - } - return APR_SUCCESS; -} - -static int cfg_trim_line(char buf) -{ - char start, end; - /* - * Leading and trailing white space is eliminated completely - / - start = buf; - while (apr_isspace(start)) - ++start; - /* blast trailing whitespace / - end = &start[strlen(start)]; - while (--end >= start && apr_isspace(end)) - end = '\0'; - / Zap leading whitespace by shifting / - if (start != buf) - memmove(buf, start, end - start + 2); -#ifdef DEBUG_CFG_LINES - ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, APLOGNO(00555) "Read config: '%s'", buf); -#endif - return end - start + 1; -} - -AP_DECLARE(apr_status_t) ap_cfg_getline(char buf, apr_size_t bufsize, - ap_configfile_t cfp) -{ - apr_status_t rc = ap_cfg_getline_core(buf, bufsize, cfp); - if (rc == APR_SUCCESS) - cfg_trim_line(buf); - return rc; -} -#endif - -static char substring_conf(apr_pool_t p, const char start, int len, - char quote) -{ - char result = apr_palloc(p, len + 2); - char resp = result; - int i; - - for (i = 0; i < len; ++i) { - if (start[i] == '\\' && (start[i + 1] == '\\' - \|\| (quote && start[i + 1] == quote))) - resp++ = start[++i]; - else - resp++ = start[i]; - } - - resp++ = '\0'; -#if RESOLVE_ENV_PER_TOKEN - return (char )ap_resolve_env(p,result); -#else - return result; -#endif -} - -AP_DECLARE(char ) ap_getword_conf(apr_pool_t p, const char *line) -{ - const char str = line, strend; - char res; - char quote; - - while (str && apr_isspace(str)) - ++str; - - if (!str) { - line = str; - return ""; - } - - if ((quote = str) == '"' \|\| quote == '\'') { - strend = str + 1; - while (strend && strend != quote) { - if (strend == '\\' && strend[1] && - (strend[1] == quote \|\| strend[1] == '\\')) { - strend += 2; - } - else { - ++strend; - } - } - res = substring_conf(p, str + 1, strend - str - 1, quote); - - if (strend == quote) - ++strend; - } - else { - strend = str; - while (strend && !apr_isspace(strend)) - ++strend; - - res = substring_conf(p, str, strend - str, 0); - } - - while (strend && apr_isspace(strend)) - ++strend; - line = strend; - return res; -} - -/ Open a ap_configfile_t as FILE, return open ap_configfile_t struct pointer / -AP_DECLARE(apr_status_t) ap_pcfg_openfile(ap_configfile_t ret_cfg, - apr_pool_t p, const char name) -{ - ap_configfile_t new_cfg; - apr_file_t file = NULL; - apr_finfo_t finfo; - apr_status_t status; -#ifdef DEBUG - char buf[120]; -#endif - - if (name == NULL) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, - "Internal error: pcfg_openfile() called with NULL filename"); - return APR_EBADF; - } - - status = apr_file_open(&file, name, APR_READ \| APR_BUFFERED, - APR_OS_DEFAULT, p); -#ifdef DEBUG - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, - "Opening config file %s (%s)", - name, (status != APR_SUCCESS) ? - apr_strerror(status, buf, sizeof(buf)) : "successful"); -#endif - if (status != APR_SUCCESS) - return status; - - status = apr_file_info_get(&finfo, APR_FINFO_TYPE, file); - if (status != APR_SUCCESS) - return status; - - if (finfo.filetype != APR_REG && -#if defined(WIN32) \|\| defined(OS2) \|\| defined(NETWARE) - strcasecmp(apr_filepath_name_get(name), "nul") != 0) { -#else - strcmp(name, "/dev/null") != 0) { -#endif / WIN32 \|\| OS2 / - ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, - "Access to file %s denied by server: not a regular file", - name); - apr_file_close(file); - return APR_EBADF; - } - -#ifdef WIN32 - / Some twisted character [no pun intended] at MS decided that a - * zero width joiner as the lead wide character would be ideal for - * describing Unicode text files. This was further convoluted to - * another MSism that the same character mapped into utf-8, EF BB BF - * would signify utf-8 text files. - * - * Since MS configuration files are all protecting utf-8 encoded - * Unicode path, file and resource names, we already have the correct - * WinNT encoding. But at least eat the stupid three bytes up front. - / - { - unsigned char buf[4]; - apr_size_t len = 3; - status = apr_file_read(file, buf, &len); - if ((status != APR_SUCCESS) \|\| (len < 3) - \|\| memcmp(buf, "\xEF\xBB\xBF", 3) != 0) { - apr_off_t zero = 0; - apr_file_seek(file, APR_SET, &zero); - } - } -#endif - - new_cfg = apr_palloc(p, sizeof(new_cfg)); - new_cfg->param = file; - new_cfg->name = apr_pstrdup(p, name); -#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 - new_cfg->getch = (int ()(void )) cfg_getch; - new_cfg->getstr = (void ()(void , size_t, void )) cfg_getstr; - new_cfg->close = (int ()(void )) cfg_close; -#else - new_cfg->getch = cfg_getch; - new_cfg->getstr = cfg_getstr; - new_cfg->close = cfg_close; -#endif - new_cfg->line_number = 0; - ret_cfg = new_cfg; - return APR_SUCCESS; -} - -AP_CORE_DECLARE(const command_rec ) ap_find_command(const char name, - const command_rec cmds) -{ - while (cmds->name) { - if (!strcasecmp(name, cmds->name)) - return cmds; - - ++cmds; - } - - return NULL; -} - -#define AP_MAX_ARGC 64 - -static const char invoke_cmd(const command_rec cmd, cmd_parms parms, - void mconfig, const char args) -{ - char w, w2, w3; - const char errmsg = NULL; - - if ((parms->override & cmd->req_override) == 0) - return apr_pstrcat(parms->pool, cmd->name, " not allowed here", NULL); - - parms->info = cmd->cmd_data; - parms->cmd = cmd; - - switch (cmd->args_how) { - case RAW_ARGS: -#ifdef RESOLVE_ENV_PER_TOKEN - args = ap_resolve_env(parms->pool,args); -#endif - return cmd->AP_RAW_ARGS(parms, mconfig, args); - - case TAKE_ARGV: - { - char argv[AP_MAX_ARGC]; - int argc = 0; - - do { - w = ap_getword_conf(parms->pool, &args); - if (w == '\0' && args == '\0') { - break; - } - argv[argc] = w; - argc++; - } while (argc < AP_MAX_ARGC && args != '\0'); - - return cmd->AP_TAKE_ARGV(parms, mconfig, argc, argv); - } - - case NO_ARGS: - if (args != 0) - return apr_pstrcat(parms->pool, cmd->name, " takes no arguments", - NULL); - - return cmd->AP_NO_ARGS(parms, mconfig); - - case TAKE1: - w = ap_getword_conf(parms->pool, &args); - - if (w == '\0' \|\| args != 0) - return apr_pstrcat(parms->pool, cmd->name, " takes one argument", - cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); - - return cmd->AP_TAKE1(parms, mconfig, w); - - case TAKE2: - w = ap_getword_conf(parms->pool, &args); - w2 = ap_getword_conf(parms->pool, &args); - - if (w == '\0' \|\| w2 == '\0' \|\| args != 0) - return apr_pstrcat(parms->pool, cmd->name, " takes two arguments", - cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); - - return cmd->AP_TAKE2(parms, mconfig, w, w2); - - case TAKE12: - w = ap_getword_conf(parms->pool, &args); - w2 = ap_getword_conf(parms->pool, &args); - - if (w == '\0' \|\| args != 0) - return apr_pstrcat(parms->pool, cmd->name, " takes 1-2 arguments", - cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); - - return cmd->AP_TAKE2(parms, mconfig, w, w2 ? w2 : NULL); - - case TAKE3: - w = ap_getword_conf(parms->pool, &args); - w2 = ap_getword_conf(parms->pool, &args); - w3 = ap_getword_conf(parms->pool, &args); - - if (w == '\0' \|\| w2 == '\0' \|\| w3 == '\0' \|\| args != 0) - return apr_pstrcat(parms->pool, cmd->name, " takes three arguments", - cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); - - return cmd->AP_TAKE3(parms, mconfig, w, w2, w3); - - case TAKE23: - w = ap_getword_conf(parms->pool, &args); - w2 = ap_getword_conf(parms->pool, &args); - w3 = args ? ap_getword_conf(parms->pool, &args) : NULL; - - if (w == '\0' \|\| w2 == '\0' \|\| args != 0) - return apr_pstrcat(parms->pool, cmd->name, - " takes two or three arguments", - cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); - - return cmd->AP_TAKE3(parms, mconfig, w, w2, w3); - - case TAKE123: - w = ap_getword_conf(parms->pool, &args); - w2 = args ? ap_getword_conf(parms->pool, &args) : NULL; - w3 = args ? ap_getword_conf(parms->pool, &args) : NULL; - - if (w == '\0' \|\| args != 0) - return apr_pstrcat(parms->pool, cmd->name, - " takes one, two or three arguments", - cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); - - return cmd->AP_TAKE3(parms, mconfig, w, w2, w3); - - case TAKE13: - w = ap_getword_conf(parms->pool, &args); - w2 = args ? ap_getword_conf(parms->pool, &args) : NULL; - w3 = args ? ap_getword_conf(parms->pool, &args) : NULL; - - if (w == '\0' \|\| (w2 && w2 && !w3) \|\| args != 0) - return apr_pstrcat(parms->pool, cmd->name, - " takes one or three arguments", - cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); - - return cmd->AP_TAKE3(parms, mconfig, w, w2, w3); - - case ITERATE: - while ((w = ap_getword_conf(parms->pool, &args)) != '\0') { - - errmsg = cmd->AP_TAKE1(parms, mconfig, w); - - if (errmsg && strcmp(errmsg, DECLINE_CMD) != 0) - return errmsg; - } - - return errmsg; - - case ITERATE2: - w = ap_getword_conf(parms->pool, &args); - - if (w == '\0' \|\| args == 0) - return apr_pstrcat(parms->pool, cmd->name, - " requires at least two arguments", - cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); - - while ((w2 = ap_getword_conf(parms->pool, &args)) != '\0') { - - errmsg = cmd->AP_TAKE2(parms, mconfig, w, w2); - - if (errmsg && strcmp(errmsg, DECLINE_CMD) != 0) - return errmsg; - } - - return errmsg; - - case FLAG: - w = ap_getword_conf(parms->pool, &args); - - if (w == '\0' \|\| (strcasecmp(w, "on") && strcasecmp(w, "off"))) - return apr_pstrcat(parms->pool, cmd->name, " must be On or Off", - NULL); - - return cmd->AP_FLAG(parms, mconfig, strcasecmp(w, "off") != 0); - - default: - return apr_pstrcat(parms->pool, cmd->name, - " is improperly configured internally (server bug)", - NULL); - } -} - -#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 -static cmd_parms default_parms = -{NULL, 0, -1, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL}; -#endif - -#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 3 -static cmd_parms default_parms = -{NULL, 0, 0, NULL, -1, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL}; -#endif - -typedef struct { - const char fname; -} fnames; - -AP_DECLARE(int) ap_is_directory(apr_pool_t p, const char path) -{ - apr_finfo_t finfo; - - if (apr_stat(&finfo, path, APR_FINFO_TYPE, p) != APR_SUCCESS) - return 0; / in error condition, just return no / - - return (finfo.filetype == APR_DIR); -} - -AP_DECLARE(char ) ap_make_full_path(apr_pool_t a, const char src1, - const char src2) -{ - apr_size_t len1, len2; - char path; - - len1 = strlen(src1); - len2 = strlen(src2); - /* allocate +3 for '/' delimiter, trailing NULL and overallocate - * one extra byte to allow the caller to add a trailing '/' - / - path = (char )apr_palloc(a, len1 + len2 + 3); - if (len1 == 0) { - path = '/'; - memcpy(path + 1, src2, len2 + 1); - } - else { - char next; - memcpy(path, src1, len1); - next = path + len1; - if (next[-1] != '/') { - next++ = '/'; - } - memcpy(next, src2, len2 + 1); - } - return path; -} - -static int fname_alphasort(const void fn1, const void fn2) -{ - const fnames f1 = fn1; - const fnames f2 = fn2; - - return strcmp(f1->fname,f2->fname); -} - -int fnmatch_test(const char pattern) -{ - int nesting; - - nesting = 0; - while (pattern) { - switch (pattern) { - case '?': - case '': - return 1; - -/ case '\\': - if (++pattern == '\0') { - return 0; - } - break;/ // this breaks on Windows - - case '[': /* '[' is only a glob if it has a matching ']' / - ++nesting; - break; - - case ']': - if (nesting) { - return 1; - } - break; - } - ++pattern; } - return 0; -} - -AP_DECLARE(const char ) process_resource_config(const char fname, - apr_array_header_t ari, - apr_pool_t ptemp) -{ - (char *)apr_array_push(ari) = (char )fname; - - return NULL; -} - -static const char process_resource_config_nofnmatch(const char fname, - apr_array_header_t ari, - apr_pool_t p, - apr_pool_t ptemp, - unsigned depth, - int optional) -{ - const char error; - apr_status_t rv; - - if (ap_is_directory(ptemp, fname)) { - apr_dir_t dirp; - apr_finfo_t dirent; - int current; - apr_array_header_t candidates = NULL; - fnames fnew; - char path = apr_pstrdup(ptemp, fname); - - if (++depth > 100) { - return apr_psprintf(p, "Directory %s exceeds the maximum include " - "directory nesting level of %u. You have " - "probably a recursion somewhere.", path, - 100); - } - - /* - * first course of business is to grok all the directory - * entries here and store 'em away. Recall we need full pathnames - * for this. - / - rv = apr_dir_open(&dirp, path, ptemp); - if (rv != APR_SUCCESS) { - char errmsg[120]; - return apr_psprintf(p, "Could not open config directory %s: %s", - path, apr_strerror(rv, errmsg, sizeof errmsg)); - } - - candidates = apr_array_make(ptemp, 1, sizeof(fnames)); - while (apr_dir_read(&dirent, APR_FINFO_DIRENT, dirp) == APR_SUCCESS) { - / strip out '.' and '..' / - if (strcmp(dirent.name, ".") - && strcmp(dirent.name, "..")) { - fnew = (fnames ) apr_array_push(candidates); - fnew->fname = ap_make_full_path(ptemp, path, dirent.name); - } - } - - apr_dir_close(dirp); - if (candidates->nelts != 0) { - qsort((void ) candidates->elts, candidates->nelts, - sizeof(fnames), fname_alphasort); - - / - * Now recurse these... we handle errors and subdirectories - * via the recursion, which is nice - / - for (current = 0; current < candidates->nelts; ++current) { - fnew = &((fnames ) candidates->elts)[current]; - error = process_resource_config_nofnmatch(fnew->fname, - ari, p, ptemp, - depth, optional); - if (error) { - return error; - } - } - } - - return NULL; - } - - return process_resource_config(fname, ari, ptemp); -} - -static const char process_resource_config_fnmatch(const char path, - const char fname, - apr_array_header_t ari, - apr_pool_t p, - apr_pool_t ptemp, - unsigned depth, - int optional) -{ - const char rest; - apr_status_t rv; - apr_dir_t dirp; - apr_finfo_t dirent; - apr_array_header_t candidates = NULL; - fnames fnew; - int current; - - /* find the first part of the filename / - rest = ap_strchr_c(fname, '/'); - - if(rest == NULL) - rest = ap_strchr_c(fname, '\\'); - - if (rest) { - fname = apr_pstrndup(ptemp, fname, rest - fname); - rest++; - } - - / optimisation - if the filename isn't a wildcard, process it directly / - if (!fnmatch_test(fname)) { - path = ap_make_full_path(ptemp, path, fname); - if (!rest) { - return process_resource_config_nofnmatch(path, - ari, p, - ptemp, 0, optional); - } - else { - return process_resource_config_fnmatch(path, rest, - ari, p, - ptemp, 0, optional); - } - } - - / - * first course of business is to grok all the directory - * entries here and store 'em away. Recall we need full pathnames - * for this. - / - rv = apr_dir_open(&dirp, path, ptemp); - if (rv != APR_SUCCESS) { - char errmsg[120]; - return apr_psprintf(p, "Could not open config directory %s: %s", - path, apr_strerror(rv, errmsg, sizeof errmsg)); - } - - candidates = apr_array_make(ptemp, 1, sizeof(fnames)); - while (apr_dir_read(&dirent, APR_FINFO_DIRENT \| APR_FINFO_TYPE, dirp) == APR_SUCCESS) { - / strip out '.' and '..' / - if (strcmp(dirent.name, ".") - && strcmp(dirent.name, "..") - && (apr_fnmatch(fname, dirent.name, - APR_FNM_PERIOD \| APR_FNM_NOESCAPE \| APR_FNM_PATHNAME) == APR_SUCCESS)) { - const char full_path = ap_make_full_path(ptemp, path, dirent.name); - /* If matching internal to path, and we happen to match something - * other than a directory, skip it - / - if (rest && (rv == APR_SUCCESS) && (dirent.filetype != APR_DIR)) { - continue; - } - fnew = (fnames ) apr_array_push(candidates); - fnew->fname = full_path; - } - } - - apr_dir_close(dirp); - if (candidates->nelts != 0) { - const char error; - - qsort((void ) candidates->elts, candidates->nelts, - sizeof(fnames), fname_alphasort); - - /* - * Now recurse these... we handle errors and subdirectories - * via the recursion, which is nice - / - for (current = 0; current < candidates->nelts; ++current) { - fnew = &((fnames ) candidates->elts)[current]; - if (!rest) { - error = process_resource_config_nofnmatch(fnew->fname, - ari, p, - ptemp, 0, optional); - } - else { - error = process_resource_config_fnmatch(fnew->fname, rest, - ari, p, - ptemp, 0, optional); - } - if (error) { - return error; - } - } - } - else { - - if (!optional) { - return apr_psprintf(p, "No matches for the wildcard '%s' in '%s', failing " - "(use IncludeOptional if required)", fname, path); - } - } - - return NULL; -} - -AP_DECLARE(const char ) process_fnmatch_configs(apr_array_header_t ari, - const char fname, - apr_pool_t p, - apr_pool_t ptemp, - int optional) -{ - if (!fnmatch_test(fname)) { - return process_resource_config(fname, ari, p); - } - else { - apr_status_t status; - const char rootpath, filepath = fname; - - / locate the start of the directories proper / - status = apr_filepath_root(&rootpath, &filepath, APR_FILEPATH_TRUENAME \| APR_FILEPATH_NATIVE, ptemp); - - / we allow APR_SUCCESS and APR_EINCOMPLETE / - if (APR_ERELATIVE == status) { - return apr_pstrcat(p, "Include must have an absolute path, ", fname, NULL); - } - else if (APR_EBADPATH == status) { - return apr_pstrcat(p, "Include has a bad path, ", fname, NULL); - } - - / walk the filepath / - return process_resource_config_fnmatch(rootpath, filepath, ari, p, ptemp, - 0, optional); - } -} - -const char populate_include_files(apr_pool_t p, apr_pool_t ptemp, apr_array_header_t ari, const char fname, int optional) -{ - return process_fnmatch_configs(ari, fname, p, ptemp, optional); -} - -const char process_command_config(server_rec s, - void mconfig, - apr_pool_t p, - apr_pool_t ptemp, - const char filename) -{ - const char errmsg; - char l = apr_palloc (ptemp, MAX_STRING_LEN); - const char args = l; - char cmd_name, w; - const command_rec cmd; - apr_array_header_t arr = apr_array_make(p, 1, sizeof(cmd_parms)); - apr_array_header_t ari = apr_array_make(p, 1, sizeof(char )); - cmd_parms parms; - apr_status_t status; - ap_directive_t newdir; - int optional; - char err = NULL; - char rootpath, incpath; - int li; - - errmsg = populate_include_files(p, ptemp, ari, filename, 0); - - if(errmsg != NULL) - goto Exit; - - while(ari->nelts != 0 \|\| arr->nelts != 0) - { - if(ari->nelts > 0) - { - char fn = (char *)apr_array_pop(ari); - - parms = (cmd_parms )apr_array_push(arr); - parms = default_parms; - parms->pool = p; - parms->temp_pool = ptemp; - parms->server = s; - parms->override = (RSRC_CONF \| OR_ALL) & ~(OR_AUTHCFG \| OR_LIMIT); - parms->override_opts = OPT_ALL \| OPT_SYM_OWNER \| OPT_MULTI; - - status = ap_pcfg_openfile(&parms->config_file, p, fn); - - if(status != APR_SUCCESS) - { - apr_array_pop(arr); - errmsg = apr_pstrcat(p, "Cannot open config file: ", fn, NULL); - goto Exit; - } - } - - if (arr->nelts > 1024) { - errmsg = "Exceeded the maximum include directory nesting level. You have " - "probably a recursion somewhere."; - goto Exit; - } - - parms = (cmd_parms )apr_array_pop(arr); - - if(parms == NULL) - break; - - while (!(ap_cfg_getline(l, MAX_STRING_LEN, parms->config_file))) { - if (l == '#' \|\| l == '\0') - continue; - - args = l; - - cmd_name = ap_getword_conf(p, &args); - - if (cmd_name == '\0') - continue; - - if (!strcasecmp(cmd_name, "IncludeOptional")) - { - optional = 1; - goto ProcessInclude; - } - - if (!strcasecmp(cmd_name, "Include")) - { - optional = 0; -ProcessInclude: - w = ap_getword_conf(parms->pool, &args); - - if (w == '\0' \|\| args != 0) - { - ap_cfg_closefile(parms->config_file); - errmsg = apr_pstrcat(parms->pool, "Include takes one argument", NULL); - goto Exit; - } - - incpath = w; - - / locate the start of the directories proper / - status = apr_filepath_root(&rootpath, &incpath, APR_FILEPATH_TRUENAME \| APR_FILEPATH_NATIVE, ptemp); - - / we allow APR_SUCCESS and APR_EINCOMPLETE / - if (APR_ERELATIVE == status) { - rootpath = apr_pstrdup(ptemp, parms->config_file->name); - li = strlen(rootpath) - 1; - - while(li >= 0 && rootpath[li] != '/' && rootpath[li] != '\\') - rootpath[li--] = 0; - - w = apr_pstrcat(p, rootpath, w, NULL); - } - else if (APR_EBADPATH == status) { - ap_cfg_closefile(parms->config_file); - errmsg = apr_pstrcat(p, "Include file has a bad path, ", w, NULL); - goto Exit; - } - - errmsg = populate_include_files(p, ptemp, ari, w, optional); - - (cmd_parms )apr_array_push(arr) = parms; - - if(errmsg != NULL) - goto Exit; - - // we don't want to close the current file yet - // - parms = NULL; - break; - } - - cmd = ap_find_command(cmd_name, security2_module.cmds); - - if(cmd == NULL) - { - // unknown command, should error - // - ap_cfg_closefile(parms->config_file); - errmsg = apr_pstrcat(p, "Unknown command in config: ", cmd_name, NULL); - goto Exit; - } - - newdir = apr_pcalloc(p, sizeof(ap_directive_t)); - newdir->filename = parms->config_file->name; - newdir->line_num = parms->config_file->line_number; - newdir->directive = cmd_name; - newdir->args = apr_pstrdup(p, args); - - parms->directive = newdir; - - errmsg = invoke_cmd(cmd, parms, mconfig, args); - - if(errmsg != NULL) - break; - } - - if(parms != NULL) - ap_cfg_closefile(parms->config_file); - - if(errmsg != NULL) - break; - } - - if (errmsg) { - err = (char )apr_palloc(p, 1024); - - if(parms != NULL) - apr_snprintf(err, 1024, "Syntax error in config file %s, line %d: %s", parms->config_file->name, - parms->config_file->line_number, errmsg); - else - apr_snprintf(err, 1024, "Syntax error in config file: %s", errmsg); - } - - errmsg = err; - -Exit: - while((parms = (cmd_parms )apr_array_pop(arr)) != NULL) - { - ap_cfg_closefile(parms->config_file); - } - - return errmsg; -} +/* +* ModSecurity for Apache 2.x, http://www.modsecurity.org/ +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* +* You may not use this file except in compliance with +* the License. You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* If any of the files related to licensing are missing or if you have any +* other questions related to licensing please contact Trustwave Holdings, Inc. +* directly using the email address security@modsecurity.org. +/ + +#include <limits.h> +#include <stdio.h> + +#include "http_core.h" +#include "http_request.h" + +#include "modsecurity.h" +#include "apache2.h" +#include "http_main.h" +#include "http_connection.h" + +#include "apr_optional.h" +#include "mod_log_config.h" + +#include "msc_logging.h" +#include "msc_util.h" + +#include "ap_mpm.h" +#include "scoreboard.h" + +#include "apr_version.h" + +#include "apr_lib.h" +#include "ap_config.h" +#include "http_config.h" +#include "apr_fnmatch.h" + +AP_DECLARE(int) ap_cfg_closefile(ap_configfile_t cfp) +{ +#ifdef DEBUG + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, + "Done with config file %s", cfp->name); +#endif + return (cfp->close == NULL) ? 0 : cfp->close(cfp->param); +} + +#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 +static apr_status_t cfg_close(void param) +{ + apr_file_t cfp = (apr_file_t ) param; + return (apr_file_close(cfp)); +} + +static int cfg_getch(void param) +{ + char ch; + apr_file_t cfp = (apr_file_t ) param; + if (apr_file_getc(&ch, cfp) == APR_SUCCESS) + return ch; + return (int)EOF; +} + +static void cfg_getstr(void buf, size_t bufsiz, void param) +{ + apr_file_t cfp = (apr_file_t ) param; + apr_status_t rv; + rv = apr_file_gets(buf, bufsiz, cfp); + if (rv == APR_SUCCESS) { + return buf; + } + return NULL; +} +#else +/ we can't use apr_file_* directly because of linking issues on Windows / +static apr_status_t cfg_close(void param) +{ + return apr_file_close(param); +} + +static apr_status_t cfg_getch(char ch, void param) +{ + return apr_file_getc(ch, param); +} + +static apr_status_t cfg_getstr(void buf, apr_size_t bufsiz, void param) +{ + return apr_file_gets(buf, bufsiz, param); +} +#endif + +/* Read one line from open ap_configfile_t, strip LF, increase line number / +/ If custom handler does not define a getstr() function, read char by char / + +#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 +AP_DECLARE(int) ap_cfg_getline(char buf, size_t bufsize, ap_configfile_t cfp) +{ + / If a "get string" function is defined, use it / + if (cfp->getstr != NULL) { + char src, dst; + char cp; + char cbuf = buf; + size_t cbufsize = bufsize; + + while (1) { + ++cfp->line_number; + if (cfp->getstr(cbuf, cbufsize, cfp->param) == NULL) + return 1; + + / + * check for line continuation, + * i.e. match [^\\]\\[\r]\n only + / + cp = cbuf; + while (cp < cbuf+cbufsize && cp != '\0') + cp++; + if (cp > cbuf && cp[-1] == LF) { + cp--; + if (cp > cbuf && cp[-1] == CR) + cp--; + if (cp > cbuf && cp[-1] == '\\') { + cp--; + if (!(cp > cbuf && cp[-1] == '\\')) { + /* + * line continuation requested - + * then remove backslash and continue + / + cbufsize -= (cp-cbuf); + cbuf = cp; + continue; + } + else { + / + * no real continuation because escaped - + * then just remove escape character + / + for ( ; cp < cbuf+cbufsize && cp != '\0'; cp++) + cp[0] = cp[1]; + } + } + } + break; + } + + /* + * Leading and trailing white space is eliminated completely + / + src = buf; + while (apr_isspace(src)) + ++src; + /* blast trailing whitespace / + dst = &src[strlen(src)]; + while (--dst >= src && apr_isspace(dst)) + dst = '\0'; + / Zap leading whitespace by shifting / + if (src != buf) + for (dst = buf; (dst++ = src++) != '\0'; ) + ; + +#ifdef DEBUG_CFG_LINES + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "Read config: %s", buf); +#endif + return 0; + } else { + / No "get string" function defined; read character by character / + register int c; + register size_t i = 0; + + buf[0] = '\0'; + / skip leading whitespace / + do { + c = cfp->getch(cfp->param); + } while (c == '\t' \|\| c == ' '); + + if (c == EOF) + return 1; + + if(bufsize < 2) { + / too small, assume caller is crazy / + return 1; + } + + while (1) { + if ((c == '\t') \|\| (c == ' ')) { + buf[i++] = ' '; + while ((c == '\t') \|\| (c == ' ')) + c = cfp->getch(cfp->param); + } + if (c == CR) { + / silently ignore CR (_assume_ that a LF follows) / + c = cfp->getch(cfp->param); + } + if (c == LF) { + / increase line number and return on LF / + ++cfp->line_number; + } + if (c == EOF \|\| c == 0x4 \|\| c == LF \|\| i >= (bufsize - 2)) { + / + * check for line continuation + / + if (i > 0 && buf[i-1] == '\\') { + i--; + if (!(i > 0 && buf[i-1] == '\\')) { + / line is continued / + c = cfp->getch(cfp->param); + continue; + } + / else nothing needs be done because + * then the backslash is escaped and + * we just strip to a single one + / + } + / blast trailing whitespace / + while (i > 0 && apr_isspace(buf[i - 1])) + --i; + buf[i] = '\0'; +#ifdef DEBUG_CFG_LINES + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, + "Read config: %s", buf); +#endif + return 0; + } + buf[i] = c; + ++i; + c = cfp->getch(cfp->param); + } + } +} +#else +static apr_status_t ap_cfg_getline_core(char buf, apr_size_t bufsize, + ap_configfile_t cfp) +{ + apr_status_t rc; + / If a "get string" function is defined, use it / + if (cfp->getstr != NULL) { + char cp; + char cbuf = buf; + apr_size_t cbufsize = bufsize; + + while (1) { + ++cfp->line_number; + rc = cfp->getstr(cbuf, cbufsize, cfp->param); + if (rc == APR_EOF) { + if (cbuf != buf) { + cbuf = '\0'; + break; + } + else { + return APR_EOF; + } + } + if (rc != APR_SUCCESS) { + return rc; + } + + /* + * check for line continuation, + * i.e. match [^\\]\\[\r]\n only + / + cp = cbuf; + cp += strlen(cp); + if (cp > cbuf && cp[-1] == LF) { + cp--; + if (cp > cbuf && cp[-1] == CR) + cp--; + if (cp > cbuf && cp[-1] == '\\') { + cp--; + / + * line continuation requested - + * then remove backslash and continue + / + cbufsize -= (cp-cbuf); + cbuf = cp; + continue; + } + } + else if (cp - buf >= bufsize - 1) { + return APR_ENOSPC; + } + break; + } + } else { + / No "get string" function defined; read character by character / + apr_size_t i = 0; + + if (bufsize < 2) { + / too small, assume caller is crazy / + return APR_EINVAL; + } + buf[0] = '\0'; + + while (1) { + char c; + rc = cfp->getch(&c, cfp->param); + if (rc == APR_EOF) { + if (i > 0) + break; + else + return APR_EOF; + } + if (rc != APR_SUCCESS) + return rc; + if (c == LF) { + ++cfp->line_number; + / check for line continuation / + if (i > 0 && buf[i-1] == '\\') { + i--; + continue; + } + else { + break; + } + } + else if (i >= bufsize - 2) { + return APR_ENOSPC; + } + buf[i] = c; + ++i; + } + buf[i] = '\0'; + } + return APR_SUCCESS; +} + +static int cfg_trim_line(char buf) +{ + char start, end; + /* + * Leading and trailing white space is eliminated completely + / + start = buf; + while (apr_isspace(start)) + ++start; + /* blast trailing whitespace / + end = &start[strlen(start)]; + while (--end >= start && apr_isspace(end)) + end = '\0'; + / Zap leading whitespace by shifting / + if (start != buf) + memmove(buf, start, end - start + 2); +#ifdef DEBUG_CFG_LINES + ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, APLOGNO(00555) "Read config: '%s'", buf); +#endif + return end - start + 1; +} + +AP_DECLARE(apr_status_t) ap_cfg_getline(char buf, apr_size_t bufsize, + ap_configfile_t cfp) +{ + apr_status_t rc = ap_cfg_getline_core(buf, bufsize, cfp); + if (rc == APR_SUCCESS) + cfg_trim_line(buf); + return rc; +} +#endif + +static char substring_conf(apr_pool_t p, const char start, int len, + char quote) +{ + char result = apr_palloc(p, len + 2); + char resp = result; + int i; + + for (i = 0; i < len; ++i) { + if (start[i] == '\\' && (start[i + 1] == '\\' + \|\| (quote && start[i + 1] == quote))) + resp++ = start[++i]; + else + resp++ = start[i]; + } + + resp++ = '\0'; +#if RESOLVE_ENV_PER_TOKEN + return (char )ap_resolve_env(p,result); +#else + return result; +#endif +} + +AP_DECLARE(char ) ap_getword_conf(apr_pool_t p, const char *line) +{ + const char str = line, strend; + char res; + char quote; + + while (str && apr_isspace(str)) + ++str; + + if (!str) { + line = str; + return ""; + } + + if ((quote = str) == '"' \|\| quote == '\'') { + strend = str + 1; + while (strend && strend != quote) { + if (strend == '\\' && strend[1] && + (strend[1] == quote \|\| strend[1] == '\\')) { + strend += 2; + } + else { + ++strend; + } + } + res = substring_conf(p, str + 1, strend - str - 1, quote); + + if (strend == quote) + ++strend; + } + else { + strend = str; + while (strend && !apr_isspace(strend)) + ++strend; + + res = substring_conf(p, str, strend - str, 0); + } + + while (strend && apr_isspace(strend)) + ++strend; + line = strend; + return res; +} + +/ Open a ap_configfile_t as FILE, return open ap_configfile_t struct pointer / +AP_DECLARE(apr_status_t) ap_pcfg_openfile(ap_configfile_t ret_cfg, + apr_pool_t p, const char name) +{ + ap_configfile_t new_cfg; + apr_file_t file = NULL; + apr_finfo_t finfo; + apr_status_t status; +#ifdef DEBUG + char buf[120]; +#endif + + if (name == NULL) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "Internal error: pcfg_openfile() called with NULL filename"); + return APR_EBADF; + } + + status = apr_file_open(&file, name, APR_READ \| APR_BUFFERED, + APR_OS_DEFAULT, p); +#ifdef DEBUG + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, + "Opening config file %s (%s)", + name, (status != APR_SUCCESS) ? + apr_strerror(status, buf, sizeof(buf)) : "successful"); +#endif + if (status != APR_SUCCESS) + return status; + + status = apr_file_info_get(&finfo, APR_FINFO_TYPE, file); + if (status != APR_SUCCESS) + return status; + + if (finfo.filetype != APR_REG && +#if defined(WIN32) \|\| defined(OS2) \|\| defined(NETWARE) + strcasecmp(apr_filepath_name_get(name), "nul") != 0) { +#else + strcmp(name, "/dev/null") != 0) { +#endif / WIN32 \|\| OS2 / + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, + "Access to file %s denied by server: not a regular file", + name); + apr_file_close(file); + return APR_EBADF; + } + +#ifdef WIN32 + / Some twisted character [no pun intended] at MS decided that a + * zero width joiner as the lead wide character would be ideal for + * describing Unicode text files. This was further convoluted to + * another MSism that the same character mapped into utf-8, EF BB BF + * would signify utf-8 text files. + * + * Since MS configuration files are all protecting utf-8 encoded + * Unicode path, file and resource names, we already have the correct + * WinNT encoding. But at least eat the stupid three bytes up front. + / + { + unsigned char buf[4]; + apr_size_t len = 3; + status = apr_file_read(file, buf, &len); + if ((status != APR_SUCCESS) \|\| (len < 3) + \|\| memcmp(buf, "\xEF\xBB\xBF", 3) != 0) { + apr_off_t zero = 0; + apr_file_seek(file, APR_SET, &zero); + } + } +#endif + + new_cfg = apr_palloc(p, sizeof(new_cfg)); + new_cfg->param = file; + new_cfg->name = apr_pstrdup(p, name); +#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 + new_cfg->getch = (int ()(void )) cfg_getch; + new_cfg->getstr = (void ()(void , size_t, void )) cfg_getstr; + new_cfg->close = (int ()(void )) cfg_close; +#else + new_cfg->getch = cfg_getch; + new_cfg->getstr = cfg_getstr; + new_cfg->close = cfg_close; +#endif + new_cfg->line_number = 0; + ret_cfg = new_cfg; + return APR_SUCCESS; +} + +AP_CORE_DECLARE(const command_rec ) ap_find_command(const char name, + const command_rec cmds) +{ + while (cmds->name) { + if (!strcasecmp(name, cmds->name)) + return cmds; + + ++cmds; + } + + return NULL; +} + +#define AP_MAX_ARGC 64 + +static const char invoke_cmd(const command_rec cmd, cmd_parms parms, + void mconfig, const char args) +{ + char w, w2, w3; + const char errmsg = NULL; + + if ((parms->override & cmd->req_override) == 0) + return apr_pstrcat(parms->pool, cmd->name, " not allowed here", NULL); + + parms->info = cmd->cmd_data; + parms->cmd = cmd; + + switch (cmd->args_how) { + case RAW_ARGS: +#ifdef RESOLVE_ENV_PER_TOKEN + args = ap_resolve_env(parms->pool,args); +#endif + return cmd->AP_RAW_ARGS(parms, mconfig, args); + + case TAKE_ARGV: + { + char argv[AP_MAX_ARGC]; + int argc = 0; + + do { + w = ap_getword_conf(parms->pool, &args); + if (w == '\0' && args == '\0') { + break; + } + argv[argc] = w; + argc++; + } while (argc < AP_MAX_ARGC && args != '\0'); + + return cmd->AP_TAKE_ARGV(parms, mconfig, argc, argv); + } + + case NO_ARGS: + if (args != 0) + return apr_pstrcat(parms->pool, cmd->name, " takes no arguments", + NULL); + + return cmd->AP_NO_ARGS(parms, mconfig); + + case TAKE1: + w = ap_getword_conf(parms->pool, &args); + + if (w == '\0' \|\| args != 0) + return apr_pstrcat(parms->pool, cmd->name, " takes one argument", + cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); + + return cmd->AP_TAKE1(parms, mconfig, w); + + case TAKE2: + w = ap_getword_conf(parms->pool, &args); + w2 = ap_getword_conf(parms->pool, &args); + + if (w == '\0' \|\| w2 == '\0' \|\| args != 0) + return apr_pstrcat(parms->pool, cmd->name, " takes two arguments", + cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); + + return cmd->AP_TAKE2(parms, mconfig, w, w2); + + case TAKE12: + w = ap_getword_conf(parms->pool, &args); + w2 = ap_getword_conf(parms->pool, &args); + + if (w == '\0' \|\| args != 0) + return apr_pstrcat(parms->pool, cmd->name, " takes 1-2 arguments", + cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); + + return cmd->AP_TAKE2(parms, mconfig, w, w2 ? w2 : NULL); + + case TAKE3: + w = ap_getword_conf(parms->pool, &args); + w2 = ap_getword_conf(parms->pool, &args); + w3 = ap_getword_conf(parms->pool, &args); + + if (w == '\0' \|\| w2 == '\0' \|\| w3 == '\0' \|\| args != 0) + return apr_pstrcat(parms->pool, cmd->name, " takes three arguments", + cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); + + return cmd->AP_TAKE3(parms, mconfig, w, w2, w3); + + case TAKE23: + w = ap_getword_conf(parms->pool, &args); + w2 = ap_getword_conf(parms->pool, &args); + w3 = args ? ap_getword_conf(parms->pool, &args) : NULL; + + if (w == '\0' \|\| w2 == '\0' \|\| args != 0) + return apr_pstrcat(parms->pool, cmd->name, + " takes two or three arguments", + cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); + + return cmd->AP_TAKE3(parms, mconfig, w, w2, w3); + + case TAKE123: + w = ap_getword_conf(parms->pool, &args); + w2 = args ? ap_getword_conf(parms->pool, &args) : NULL; + w3 = args ? ap_getword_conf(parms->pool, &args) : NULL; + + if (w == '\0' \|\| args != 0) + return apr_pstrcat(parms->pool, cmd->name, + " takes one, two or three arguments", + cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); + + return cmd->AP_TAKE3(parms, mconfig, w, w2, w3); + + case TAKE13: + w = ap_getword_conf(parms->pool, &args); + w2 = args ? ap_getword_conf(parms->pool, &args) : NULL; + w3 = args ? ap_getword_conf(parms->pool, &args) : NULL; + + if (w == '\0' \|\| (w2 && w2 && !w3) \|\| args != 0) + return apr_pstrcat(parms->pool, cmd->name, + " takes one or three arguments", + cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); + + return cmd->AP_TAKE3(parms, mconfig, w, w2, w3); + + case ITERATE: + while ((w = ap_getword_conf(parms->pool, &args)) != '\0') { + + errmsg = cmd->AP_TAKE1(parms, mconfig, w); + + if (errmsg && strcmp(errmsg, DECLINE_CMD) != 0) + return errmsg; + } + + return errmsg; + + case ITERATE2: + w = ap_getword_conf(parms->pool, &args); + + if (w == '\0' \|\| args == 0) + return apr_pstrcat(parms->pool, cmd->name, + " requires at least two arguments", + cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL); + + while ((w2 = ap_getword_conf(parms->pool, &args)) != '\0') { + + errmsg = cmd->AP_TAKE2(parms, mconfig, w, w2); + + if (errmsg && strcmp(errmsg, DECLINE_CMD) != 0) + return errmsg; + } + + return errmsg; + + case FLAG: + w = ap_getword_conf(parms->pool, &args); + + if (w == '\0' \|\| (strcasecmp(w, "on") && strcasecmp(w, "off"))) + return apr_pstrcat(parms->pool, cmd->name, " must be On or Off", + NULL); + + return cmd->AP_FLAG(parms, mconfig, strcasecmp(w, "off") != 0); + + default: + return apr_pstrcat(parms->pool, cmd->name, + " is improperly configured internally (server bug)", + NULL); + } +} + +#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3 +static cmd_parms default_parms = +{NULL, 0, -1, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL}; +#endif + +#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 3 +static cmd_parms default_parms = +{NULL, 0, 0, NULL, -1, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL}; +#endif + +typedef struct { + const char fname; +} fnames; + +AP_DECLARE(int) ap_is_directory(apr_pool_t p, const char path) +{ + apr_finfo_t finfo; + + if (apr_stat(&finfo, path, APR_FINFO_TYPE, p) != APR_SUCCESS) + return 0; / in error condition, just return no / + + return (finfo.filetype == APR_DIR); +} + +AP_DECLARE(char ) ap_make_full_path(apr_pool_t a, const char src1, + const char src2) +{ + apr_size_t len1, len2; + char path; + + len1 = strlen(src1); + len2 = strlen(src2); + /* allocate +3 for '/' delimiter, trailing NULL and overallocate + * one extra byte to allow the caller to add a trailing '/' + / + path = (char )apr_palloc(a, len1 + len2 + 3); + if (len1 == 0) { + path = '/'; + memcpy(path + 1, src2, len2 + 1); + } + else { + char next; + memcpy(path, src1, len1); + next = path + len1; + if (next[-1] != '/') { + next++ = '/'; + } + memcpy(next, src2, len2 + 1); + } + return path; +} + +static int fname_alphasort(const void fn1, const void fn2) +{ + const fnames f1 = fn1; + const fnames f2 = fn2; + + return strcmp(f1->fname,f2->fname); +} + +int fnmatch_test(const char pattern) +{ + int nesting; + + nesting = 0; + while (pattern) { + switch (pattern) { + case '?': + case '': + return 1; + +/ case '\\': + if (++pattern == '\0') { + return 0; + } + break;/ // this breaks on Windows + + case '[': /* '[' is only a glob if it has a matching ']' / + ++nesting; + break; + + case ']': + if (nesting) { + return 1; + } + break; + } + ++pattern; } + return 0; +} + +AP_DECLARE(const char ) process_resource_config(const char fname, + apr_array_header_t ari, + apr_pool_t ptemp) +{ + (char *)apr_array_push(ari) = (char )fname; + + return NULL; +} + +static const char process_resource_config_nofnmatch(const char fname, + apr_array_header_t ari, + apr_pool_t p, + apr_pool_t ptemp, + unsigned depth, + int optional) +{ + const char error; + apr_status_t rv; + + if (ap_is_directory(ptemp, fname)) { + apr_dir_t dirp; + apr_finfo_t dirent; + int current; + apr_array_header_t candidates = NULL; + fnames fnew; + char path = apr_pstrdup(ptemp, fname); + + if (++depth > 100) { + return apr_psprintf(p, "Directory %s exceeds the maximum include " + "directory nesting level of %u. You have " + "probably a recursion somewhere.", path, + 100); + } + + /* + * first course of business is to grok all the directory + * entries here and store 'em away. Recall we need full pathnames + * for this. + / + rv = apr_dir_open(&dirp, path, ptemp); + if (rv != APR_SUCCESS) { + char errmsg[120]; + return apr_psprintf(p, "Could not open config directory %s: %s", + path, apr_strerror(rv, errmsg, sizeof errmsg)); + } + + candidates = apr_array_make(ptemp, 1, sizeof(fnames)); + while (apr_dir_read(&dirent, APR_FINFO_DIRENT, dirp) == APR_SUCCESS) { + / strip out '.' and '..' / + if (strcmp(dirent.name, ".") + && strcmp(dirent.name, "..")) { + fnew = (fnames ) apr_array_push(candidates); + fnew->fname = ap_make_full_path(ptemp, path, dirent.name); + } + } + + apr_dir_close(dirp); + if (candidates->nelts != 0) { + qsort((void ) candidates->elts, candidates->nelts, + sizeof(fnames), fname_alphasort); + + / + * Now recurse these... we handle errors and subdirectories + * via the recursion, which is nice + / + for (current = 0; current < candidates->nelts; ++current) { + fnew = &((fnames ) candidates->elts)[current]; + error = process_resource_config_nofnmatch(fnew->fname, + ari, p, ptemp, + depth, optional); + if (error) { + return error; + } + } + } + + return NULL; + } + + return process_resource_config(fname, ari, ptemp); +} + +static const char process_resource_config_fnmatch(const char path, + const char fname, + apr_array_header_t ari, + apr_pool_t p, + apr_pool_t ptemp, + unsigned depth, + int optional) +{ + const char rest; + apr_status_t rv; + apr_dir_t dirp; + apr_finfo_t dirent; + apr_array_header_t candidates = NULL; + fnames fnew; + int current; + + /* find the first part of the filename / + rest = ap_strchr_c(fname, '/'); + + if(rest == NULL) + rest = ap_strchr_c(fname, '\\'); + + if (rest) { + fname = apr_pstrndup(ptemp, fname, rest - fname); + rest++; + } + + / optimisation - if the filename isn't a wildcard, process it directly / + if (!fnmatch_test(fname)) { + path = ap_make_full_path(ptemp, path, fname); + if (!rest) { + return process_resource_config_nofnmatch(path, + ari, p, + ptemp, 0, optional); + } + else { + return process_resource_config_fnmatch(path, rest, + ari, p, + ptemp, 0, optional); + } + } + + / + * first course of business is to grok all the directory + * entries here and store 'em away. Recall we need full pathnames + * for this. + / + rv = apr_dir_open(&dirp, path, ptemp); + if (rv != APR_SUCCESS) { + char errmsg[120]; + return apr_psprintf(p, "Could not open config directory %s: %s", + path, apr_strerror(rv, errmsg, sizeof errmsg)); + } + + candidates = apr_array_make(ptemp, 1, sizeof(fnames)); + while (apr_dir_read(&dirent, APR_FINFO_DIRENT \| APR_FINFO_TYPE, dirp) == APR_SUCCESS) { + / strip out '.' and '..' / + if (strcmp(dirent.name, ".") + && strcmp(dirent.name, "..") + && (apr_fnmatch(fname, dirent.name, + APR_FNM_PERIOD \| APR_FNM_NOESCAPE \| APR_FNM_PATHNAME) == APR_SUCCESS)) { + const char full_path = ap_make_full_path(ptemp, path, dirent.name); + /* If matching internal to path, and we happen to match something + * other than a directory, skip it + / + if (rest && (rv == APR_SUCCESS) && (dirent.filetype != APR_DIR)) { + continue; + } + fnew = (fnames ) apr_array_push(candidates); + fnew->fname = full_path; + } + } + + apr_dir_close(dirp); + if (candidates->nelts != 0) { + const char error; + + qsort((void ) candidates->elts, candidates->nelts, + sizeof(fnames), fname_alphasort); + + /* + * Now recurse these... we handle errors and subdirectories + * via the recursion, which is nice + / + for (current = 0; current < candidates->nelts; ++current) { + fnew = &((fnames ) candidates->elts)[current]; + if (!rest) { + error = process_resource_config_nofnmatch(fnew->fname, + ari, p, + ptemp, 0, optional); + } + else { + error = process_resource_config_fnmatch(fnew->fname, rest, + ari, p, + ptemp, 0, optional); + } + if (error) { + return error; + } + } + } + else { + + if (!optional) { + return apr_psprintf(p, "No matches for the wildcard '%s' in '%s', failing " + "(use IncludeOptional if required)", fname, path); + } + } + + return NULL; +} + +AP_DECLARE(const char ) process_fnmatch_configs(apr_array_header_t ari, + const char fname, + apr_pool_t p, + apr_pool_t ptemp, + int optional) +{ + if (!fnmatch_test(fname)) { + return process_resource_config(fname, ari, p); + } + else { + apr_status_t status; + const char rootpath, filepath = fname; + + / locate the start of the directories proper / + status = apr_filepath_root(&rootpath, &filepath, APR_FILEPATH_TRUENAME \| APR_FILEPATH_NATIVE, ptemp); + + / we allow APR_SUCCESS and APR_EINCOMPLETE / + if (APR_ERELATIVE == status) { + return apr_pstrcat(p, "Include must have an absolute path, ", fname, NULL); + } + else if (APR_EBADPATH == status) { + return apr_pstrcat(p, "Include has a bad path, ", fname, NULL); + } + + / walk the filepath / + return process_resource_config_fnmatch(rootpath, filepath, ari, p, ptemp, + 0, optional); + } +} + +const char populate_include_files(apr_pool_t p, apr_pool_t ptemp, apr_array_header_t ari, const char fname, int optional) +{ + return process_fnmatch_configs(ari, fname, p, ptemp, optional); +} + +const char process_command_config(server_rec s, + void mconfig, + apr_pool_t p, + apr_pool_t ptemp, + const char filename) +{ + const char errmsg; + char l = apr_palloc (ptemp, MAX_STRING_LEN); + const char args = l; + char cmd_name, w; + const command_rec cmd; + apr_array_header_t arr = apr_array_make(p, 1, sizeof(cmd_parms)); + apr_array_header_t ari = apr_array_make(p, 1, sizeof(char )); + cmd_parms parms; + apr_status_t status; + ap_directive_t newdir; + int optional; + char err = NULL; + char rootpath, incpath; + int li; + + errmsg = populate_include_files(p, ptemp, ari, filename, 0); + + if(errmsg != NULL) + goto Exit; + + while(ari->nelts != 0 \|\| arr->nelts != 0) + { + if(ari->nelts > 0) + { + char fn = (char *)apr_array_pop(ari); + + parms = (cmd_parms )apr_array_push(arr); + parms = default_parms; + parms->pool = p; + parms->temp_pool = ptemp; + parms->server = s; + parms->override = (RSRC_CONF \| OR_ALL) & ~(OR_AUTHCFG \| OR_LIMIT); + parms->override_opts = OPT_ALL \| OPT_SYM_OWNER \| OPT_MULTI; + + status = ap_pcfg_openfile(&parms->config_file, p, fn); + + if(status != APR_SUCCESS) + { + apr_array_pop(arr); + errmsg = apr_pstrcat(p, "Cannot open config file: ", fn, NULL); + goto Exit; + } + } + + if (arr->nelts > 1024) { + errmsg = "Exceeded the maximum include directory nesting level. You have " + "probably a recursion somewhere."; + goto Exit; + } + + parms = (cmd_parms )apr_array_pop(arr); + + if(parms == NULL) + break; + + while (!(ap_cfg_getline(l, MAX_STRING_LEN, parms->config_file))) { + if (l == '#' \|\| l == '\0') + continue; + + args = l; + + cmd_name = ap_getword_conf(p, &args); + + if (cmd_name == '\0') + continue; + + if (!strcasecmp(cmd_name, "IncludeOptional")) + { + optional = 1; + goto ProcessInclude; + } + + if (!strcasecmp(cmd_name, "Include")) + { + optional = 0; +ProcessInclude: + w = ap_getword_conf(parms->pool, &args); + + if (w == '\0' \|\| args != 0) + { + ap_cfg_closefile(parms->config_file); + errmsg = apr_pstrcat(parms->pool, "Include takes one argument", NULL); + goto Exit; + } + + incpath = w; + + / locate the start of the directories proper / + status = apr_filepath_root(&rootpath, &incpath, APR_FILEPATH_TRUENAME \| APR_FILEPATH_NATIVE, ptemp); + + / we allow APR_SUCCESS and APR_EINCOMPLETE / + if (APR_ERELATIVE == status) { + rootpath = apr_pstrdup(ptemp, parms->config_file->name); + li = strlen(rootpath) - 1; + + while(li >= 0 && rootpath[li] != '/' && rootpath[li] != '\\') + rootpath[li--] = 0; + + w = apr_pstrcat(p, rootpath, w, NULL); + } + else if (APR_EBADPATH == status) { + ap_cfg_closefile(parms->config_file); + errmsg = apr_pstrcat(p, "Include file has a bad path, ", w, NULL); + goto Exit; + } + + errmsg = populate_include_files(p, ptemp, ari, w, optional); + + (cmd_parms )apr_array_push(arr) = parms; + + if(errmsg != NULL) + goto Exit; + + // we don't want to close the current file yet + // + parms = NULL; + break; + } + + cmd = ap_find_command(cmd_name, security2_module.cmds); + + if(cmd == NULL) + { + // unknown command, should error + // + ap_cfg_closefile(parms->config_file); + errmsg = apr_pstrcat(p, "Unknown command in config: ", cmd_name, NULL); + goto Exit; + } + + newdir = apr_pcalloc(p, sizeof(ap_directive_t)); + newdir->filename = parms->config_file->name; + newdir->line_num = parms->config_file->line_number; + newdir->directive = cmd_name; + newdir->args = apr_pstrdup(p, args); + + parms->directive = newdir; + +#ifdef WIN32 + // some config commands fail in APR when there are file + // permission issues or other OS-specific problems + // + __try + { +#endif + errmsg = invoke_cmd(cmd, parms, mconfig, args); +#ifdef WIN32 + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + errmsg = "Command failed to execute (check file/folder permissions, syntax, etc.)."; + } +#endif + + if(errmsg != NULL) + break; + } + + if(parms != NULL) + ap_cfg_closefile(parms->config_file); + + if(errmsg != NULL) + break; + } + + if (errmsg) { + err = (char )apr_palloc(p, 1024); + + if(parms != NULL) + apr_snprintf(err, 1024, "Syntax error in config file %s, line %d: %s", parms->config_file->name, + parms->config_file->line_number, errmsg); + else + apr_snprintf(err, 1024, "Syntax error in config file: %s", errmsg); + } + + errmsg = err; + +Exit: + while((parms = (cmd_parms )apr_array_pop(arr)) != NULL) + { + ap_cfg_closefile(parms->config_file); + } + + return errmsg; +}
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/standalone/main.cpp ^
@@ -21,6 +21,7 @@ char config_file = NULL; +char url_file = NULL; char event_files[1024]; int event_file_cnt; char event_file = NULL; @@ -31,6 +32,11 @@ #define EVENT_FILE_MAX_SIZE (1610241024) +#define MAX_URLS 4096 + +char urls[MAX_URLS][4096]; +int url_cnt = 0; + void readeventfile(char name) { if(event_file == NULL) @@ -119,6 +125,12 @@ i += 2; continue; } + if(argv[i][1] == 'u' && i < argc - 1) + { + url_file = argv[i + 1]; + i += 2; + continue; + } i++; continue; } @@ -224,7 +236,7 @@ if(config_file == NULL \|\| argc < 3) { printf("Usage:\n"); - printf("standalone.exe -c <config_file> <event_file1> [<event_file2> <event_file3> ...]\n"); + printf("standalone.exe -c <config_file> [-u <text_file_with_urls>] <event_file1> [<event_file2> <event_file3> ...]\n"); return; } @@ -250,133 +262,171 @@ modsecInitProcess(); + if(url_file != NULL) + { + FILE fr = fopen(url_file, "rb"); + int i = 0; + + while(fgets(urls[i],4096,fr) != NULL) + { + urls[i][4095] = 0; + + int l = strlen(urls[i]) - 1; + + if(l < 8) + continue; + + while(urls[i][l] == 10 \|\| urls[i][l] == 13) + l--; + + urls[i++][l + 1] = 0; + } + + url_cnt = i; + fclose(fr); + } + for(int i = 0; i < event_file_cnt; i++) { - readeventfile(event_files[i]); - parseeventfile(); + if(url_cnt == 0) + { + urls[0][0] = 0; + url_cnt = 1; + } - bodypos = 0; - responsepos = 0; + for(int ui = 0; ui < url_cnt; ui++) + { + readeventfile(event_files[i]); + parseeventfile(); - c = modsecNewConnection(); + bodypos = 0; + responsepos = 0; - modsecProcessConnection(c); + c = modsecNewConnection(); - r = modsecNewRequest(c, config); + modsecProcessConnection(c); - int j = event_file_blocks['B']; + r = modsecNewRequest(c, config); - if(j < 0) - continue; + int j = event_file_blocks['B']; - j++; + if(j < 0) + continue; - if(event_file_lines[j][0] == 0) - continue; + j++; + + if(event_file_lines[j][0] == 0) + continue; - char method = event_file_lines[j]; - char url = strchr(method, 32); - char proto = strchr(url + 1, 32); + char method = event_file_lines[j]; + char url = strchr(method, 32); + char proto = strchr(url + 1, 32); - if(url == NULL \|\| proto == NULL) - continue; + if(url == NULL \|\| proto == NULL) + continue; - url++=0; - proto++=0; + url++=0; + proto++=0; + + if(urls[ui][0] != 0) + { + url = urls[ui]; + } #define SETMETHOD(m) if(strcmp(method,#m) == 0){ r->method = method; r->method_number = M_##m; } - r->method = "INVALID"; - r->method_number = M_INVALID; + r->method = "INVALID"; + r->method_number = M_INVALID; - SETMETHOD(OPTIONS) - SETMETHOD(GET) - SETMETHOD(POST) - SETMETHOD(PUT) - SETMETHOD(DELETE) - SETMETHOD(TRACE) - SETMETHOD(CONNECT) - SETMETHOD(MOVE) - SETMETHOD(COPY) - SETMETHOD(PROPFIND) - SETMETHOD(PROPPATCH) - SETMETHOD(MKCOL) - SETMETHOD(LOCK) - SETMETHOD(UNLOCK) + SETMETHOD(OPTIONS) + SETMETHOD(GET) + SETMETHOD(POST) + SETMETHOD(PUT) + SETMETHOD(DELETE) + SETMETHOD(TRACE) + SETMETHOD(CONNECT) + SETMETHOD(MOVE) + SETMETHOD(COPY) + SETMETHOD(PROPFIND) + SETMETHOD(PROPPATCH) + SETMETHOD(MKCOL) + SETMETHOD(LOCK) + SETMETHOD(UNLOCK) - r->protocol = proto; + r->protocol = proto; - while(event_file_lines[++j][0] != 0) - { - char value = strchr(event_file_lines[j], ':'); + while(event_file_lines[++j][0] != 0) + { + char value = strchr(event_file_lines[j], ':'); - if(value == NULL) - break; + if(value == NULL) + break; - value++ = 0; + value++ = 0; - while(value <=32 && value != 0) - value++; + while(value <=32 && value != 0) + value++; - apr_table_setn(r->headers_in, event_file_lines[j], value); - } + apr_table_setn(r->headers_in, event_file_lines[j], value); + } - r->content_encoding = apr_table_get(r->headers_in, "Content-Encoding"); - r->content_type = apr_table_get(r->headers_in, "Content-Type"); - r->hostname = apr_table_get(r->headers_in, "Host"); - r->path_info = url; + r->content_encoding = apr_table_get(r->headers_in, "Content-Encoding"); + r->content_type = apr_table_get(r->headers_in, "Content-Type"); + r->hostname = apr_table_get(r->headers_in, "Host"); + r->path_info = url; - char query = strchr(url, '?'); - char rawurl = url; + char query = strchr(url, '?'); + char rawurl = url; - if(query != NULL) - { - rawurl = (char )apr_palloc(r->pool, strlen(url) + 1); - strcpy(rawurl, url); - query++ = 0; - r->args = query; - } + if(query != NULL) + { + rawurl = (char )apr_palloc(r->pool, strlen(url) + 1); + strcpy(rawurl, url); + query++ = 0; + r->args = query; + } - const char lng = apr_table_get(r->headers_in, "Content-Languages"); + const char lng = apr_table_get(r->headers_in, "Content-Languages"); - if(lng != NULL) - { - r->content_languages = apr_array_make(r->pool, 1, sizeof(const char )); + if(lng != NULL) + { + r->content_languages = apr_array_make(r->pool, 1, sizeof(const char )); - (const char )apr_array_push(r->content_languages) = lng; - } + (const char *)apr_array_push(r->content_languages) = lng; + } - r->request_time = apr_time_now(); + r->request_time = apr_time_now(); - r->parsed_uri.scheme = "http"; - r->parsed_uri.path = r->path_info; - r->parsed_uri.hostname = (char )r->hostname; - r->parsed_uri.is_initialized = 1; - r->parsed_uri.port = 80; - r->parsed_uri.port_str = "80"; - r->parsed_uri.query = r->args; - r->parsed_uri.dns_looked_up = 0; - r->parsed_uri.dns_resolved = 0; - r->parsed_uri.password = NULL; - r->parsed_uri.user = NULL; - r->parsed_uri.fragment = NULL; - - r->unparsed_uri = rawurl; - r->uri = r->unparsed_uri; - - r->the_request = (char )apr_palloc(r->pool, strlen(r->method) + 1 + strlen(r->uri) + 1 + strlen(r->protocol) + 1); - - strcpy(r->the_request, r->method); - strcat(r->the_request, " "); - strcat(r->the_request, r->uri); - strcat(r->the_request, " "); - strcat(r->the_request, r->protocol); - - apr_table_setn(r->subprocess_env, "UNIQUE_ID", "1"); - - modsecProcessRequest(r); - modsecProcessResponse(r); - modsecFinishRequest(r); + r->parsed_uri.scheme = "http"; + r->parsed_uri.path = r->path_info; + r->parsed_uri.hostname = (char )r->hostname; + r->parsed_uri.is_initialized = 1; + r->parsed_uri.port = 80; + r->parsed_uri.port_str = "80"; + r->parsed_uri.query = r->args; + r->parsed_uri.dns_looked_up = 0; + r->parsed_uri.dns_resolved = 0; + r->parsed_uri.password = NULL; + r->parsed_uri.user = NULL; + r->parsed_uri.fragment = NULL; + + r->unparsed_uri = rawurl; + r->uri = r->unparsed_uri; + + r->the_request = (char *)apr_palloc(r->pool, strlen(r->method) + 1 + strlen(r->uri) + 1 + strlen(r->protocol) + 1); + + strcpy(r->the_request, r->method); + strcat(r->the_request, " "); + strcat(r->the_request, r->uri); + strcat(r->the_request, " "); + strcat(r->the_request, r->protocol); + + apr_table_setn(r->subprocess_env, "UNIQUE_ID", "1"); + + modsecProcessRequest(r); + modsecProcessResponse(r); + modsecFinishRequest(r); + } } modsecTerminate();
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/standalone/standalone.vcxproj.user ^
@@ -1,7 +1,7 @@ <?xml version="1.0" encoding="utf-8"?> <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> <PropertyGroup Condition="'$(Configuration)\|$(Platform)'=='Debug\|Win32'"> - <LocalDebuggerCommandArguments>-c owasp_crs\modsecurity_iis.conf d:\test.dat</LocalDebuggerCommandArguments> + <LocalDebuggerCommandArguments>-c d:\temp\antixss.conf -u d:\temp\modsec_urls.txt d:\temp\test1.dat</LocalDebuggerCommandArguments> <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor> <LocalDebuggerCommand>$(TargetPath)</LocalDebuggerCommand> <LocalDebuggerAttach>false</LocalDebuggerAttach>
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/action/00-disruptive-actions.t ^
@@ -9,8 +9,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:1,pass" - SecAction "phase:1,deny" + SecAction "phase:1,pass,id:500033" + SecAction "phase:1,deny,id:500034" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction/, 1 ], @@ -30,8 +30,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:2,pass" - SecAction "phase:2,deny" + SecAction "phase:2,pass,id:500035" + SecAction "phase:2,deny,id:500036" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction/, 1 ], @@ -53,8 +53,8 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:3,pass" - SecAction "phase:3,deny" + SecAction "phase:3,pass,id:500037" + SecAction "phase:3,deny,id:500038" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction/, 1 ], @@ -76,8 +76,8 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:4,pass" - SecAction "phase:4,deny" + SecAction "phase:4,pass,id:500039" + SecAction "phase:4,deny,id:500040" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction/, 1 ], @@ -99,8 +99,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:1,allow" - SecAction "phase:1,deny" + SecAction "phase:1,allow,id:500041" + SecAction "phase:1,deny,id:500042" ), match_log => { error => [ qr/ModSecurity: Access allowed \(phase 1\). Unconditional match in SecAction/, 1 ], @@ -120,8 +120,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:2,allow" - SecAction "phase:2,deny" + SecAction "phase:2,allow,id:500043" + SecAction "phase:2,deny,id:500044" ), match_log => { error => [ qr/ModSecurity: Access allowed \(phase 2\). Unconditional match in SecAction/, 1 ], @@ -143,8 +143,8 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:3,allow" - SecAction "phase:3,deny" + SecAction "phase:3,allow,id:500045" + SecAction "phase:3,deny,id:500046" ), match_log => { error => [ qr/ModSecurity: Access allowed \(phase 3\). Unconditional match in SecAction/, 1 ], @@ -166,8 +166,8 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:4,allow" - SecAction "phase:4,deny" + SecAction "phase:4,allow,id:500047" + SecAction "phase:4,deny,id:500048" ), match_log => { error => [ qr/ModSecurity: Access allowed \(phase 4\). Unconditional match in SecAction/, 1 ], @@ -189,7 +189,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:1,deny" + SecAction "phase:1,deny,id:500049" ), match_log => { error => [ qr/Access denied with code 403 \(phase 1\). Unconditional match in SecAction./, 1 ], @@ -209,7 +209,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:2,deny" + SecAction "phase:2,deny,id:500050" ), match_log => { error => [ qr/Access denied with code 403 \(phase 2\). Unconditional match in SecAction./, 1 ], @@ -231,7 +231,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:3,deny" + SecAction "phase:3,deny,id:500051" ), match_log => { error => [ qr/Access denied with code 403 \(phase 3\). Unconditional match in SecAction./, 1 ], @@ -253,7 +253,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:4,deny" + SecAction "phase:4,deny,id:500052" ), match_log => { error => [ qr/Access denied with code 403 \(phase 4\). Unconditional match in SecAction./, 1 ], @@ -275,7 +275,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:1,drop" + SecAction "phase:1,drop,id:500053" ), match_log => { error => [ qr/Access denied with connection close \(phase 1\). Unconditional match in SecAction./, 1 ], @@ -295,7 +295,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:2,drop" + SecAction "phase:2,drop,id:500054" ), match_log => { error => [ qr/Access denied with connection close \(phase 2\). Unconditional match in SecAction./, 1 ], @@ -317,7 +317,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:3,drop" + SecAction "phase:3,drop,id:500055" ), match_log => { error => [ qr/Access denied with connection close \(phase 3\). Unconditional match in SecAction./, 1 ], @@ -339,7 +339,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:4,drop" + SecAction "phase:4,drop,id:500056" ), match_log => { error => [ qr/Access denied with connection close \(phase 4\). Unconditional match in SecAction./, 1 ], @@ -361,7 +361,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500001" ), match_log => { error => [ qr/ModSecurity: Access denied with redirection to .* using status 302 \(phase 1\)/, 1 ], @@ -382,7 +382,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500002" ), match_log => { error => [ qr/ModSecurity: Access denied with redirection to .* using status 302 \(phase 2\)/, 1 ], @@ -405,7 +405,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500003" ), match_log => { error => [ qr/ModSecurity: Access denied with redirection to .* using status 302 \(phase 3\)/, 1 ], @@ -428,7 +428,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500004" ), match_log => { error => [ qr/ModSecurity: Access denied with redirection to .* using status 302 \(phase 4\)/, 1 ], @@ -451,7 +451,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500005" ), match_log => { error => [ qr/ModSecurity: Access denied using proxy to \(phase 1\)/, 1 ], @@ -472,7 +472,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500006" ), match_log => { error => [ qr/ModSecurity: Access denied using proxy to \(phase 2\)/, 1 ], @@ -495,7 +495,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500007" ), match_log => { error => [ qr/ModSecurity: Access denied with code 500 \(phase 3\) \(Configuration Error: Proxy action requested but it does not work in output phases\)./, 1 ], @@ -517,7 +517,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500008" ), match_log => { error => [ qr/ModSecurity: Access denied with code 500 \(phase 4\) \(Configuration Error: Proxy action requested but it does not work in output phases\)./, 1 ],
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/action/10-append-prepend.t ^
@@ -9,8 +9,8 @@ SecContentInjection On SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 9 - SecAction "phase:1,setvar:tx.test=test" - SecAction "phase:2,append:'APPEND: \%{tx.test}'" + SecAction "phase:1,setvar:tx.test=test,id:500002" + SecAction "phase:2,append:'APPEND: \%{tx.test}',id:500003" ), match_log => { debug => [ "Added content to bottom: APPEND: test", 1 ], @@ -33,8 +33,8 @@ SecContentInjection On SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 9 - SecAction "phase:1,setvar:tx.test=test" - SecAction "phase:2,prepend:'PREPEND: \%{tx.test}'" + SecAction "phase:1,setvar:tx.test=test,id:500004" + SecAction "phase:2,prepend:'PREPEND: \%{tx.test}',id:500005" ), match_log => { debug => [ "Added content to top: PREPEND: test", 1 ],
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/action/10-ctl.t ^
@@ -7,7 +7,7 @@ conf => qq( SecRuleEngine On SecAction "phase:2,id:666,deny" - SecAction "phase:1,pass,ctl:ruleRemoveById=666" + SecAction "phase:1,pass,ctl:ruleRemoveById=666,id:500030" ), match_log => { }, @@ -23,7 +23,7 @@ comment => "ruleRemoveById future rule across phases", conf => qq( SecRuleEngine On - SecAction "phase:1,pass,ctl:ruleRemoveById=666" + SecAction "phase:1,pass,ctl:ruleRemoveById=666,id:500031" SecAction "phase:2,id:666,deny" ), match_log => { @@ -40,7 +40,7 @@ comment => "ruleRemoveById future rule same phase", conf => qq( SecRuleEngine On - SecAction "phase:1,pass,ctl:ruleRemoveById=666" + SecAction "phase:1,pass,ctl:ruleRemoveById=666,id:500032" SecAction "phase:1,id:666,deny" ), match_log => {
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/action/10-detectiononly-actions.t ^
@@ -11,8 +11,8 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 9 - SecAction "phase:1,pass,msg:'PASSED'" - SecAction "phase:1,deny,msg:'DENIED'" + SecAction "phase:1,pass,msg:'PASSED',id:500057" + SecAction "phase:1,deny,msg:'DENIED',id:500058" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.PASSED/, 1 ], @@ -32,8 +32,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:2,pass,msg:'PASSED'" - SecAction "phase:2,deny,msg:'DENIED'" + SecAction "phase:2,pass,msg:'PASSED',id:500059" + SecAction "phase:2,deny,msg:'DENIED',id:500060" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.PASSED/, 1 ], @@ -55,8 +55,8 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:3,pass,msg:'PASSED'" - SecAction "phase:3,deny,msg:'DENIED'" + SecAction "phase:3,pass,msg:'PASSED',id:500061" + SecAction "phase:3,deny,msg:'DENIED',id:500062" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.PASSED/, 1 ], @@ -78,8 +78,8 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecAction "phase:4,pass,msg:'PASSED'" - SecAction "phase:4,deny,msg:'DENIED'" + SecAction "phase:4,pass,msg:'PASSED',id:500063" + SecAction "phase:4,deny,msg:'DENIED',id:500064" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.PASSED/, 1 ], @@ -101,8 +101,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:1,allow,msg:'ALLOWED'" - SecAction "phase:1,deny,msg:'DENIED'" + SecAction "phase:1,allow,msg:'ALLOWED',id:500065" + SecAction "phase:1,deny,msg:'DENIED',id:500066" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.ALLOWED/, 1 ], @@ -125,8 +125,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:2,allow,msg:'ALLOWED'" - SecAction "phase:2,deny,msg:'DENIED'" + SecAction "phase:2,allow,msg:'ALLOWED',id:500067" + SecAction "phase:2,deny,msg:'DENIED',id:500068" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.ALLOWED/, 1 ], @@ -149,8 +149,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:3,allow,msg:'ALLOWED'" - SecAction "phase:3,deny,msg:'DENIED'" + SecAction "phase:3,allow,msg:'ALLOWED',id:500069" + SecAction "phase:3,deny,msg:'DENIED',id:500070" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.ALLOWED/, 1 ], @@ -173,8 +173,8 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:4,allow,msg:'ALLOWED'" - SecAction "phase:4,deny,msg:'DENIED'" + SecAction "phase:4,allow,msg:'ALLOWED',id:500071" + SecAction "phase:4,deny,msg:'DENIED',id:500072" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.ALLOWED/, 1 ], @@ -199,7 +199,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:1,deny,msg:'DENIED'" + SecAction "phase:1,deny,msg:'DENIED',id:500073" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.DENIED/, 1 ], @@ -220,7 +220,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:2,deny,msg:'DENIED'" + SecAction "phase:2,deny,msg:'DENIED',id:500074" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.DENIED/, 1 ], @@ -241,7 +241,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:3,deny,msg:'DENIED'" + SecAction "phase:3,deny,msg:'DENIED',id:500075" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.DENIED/, 1 ], @@ -262,7 +262,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:4,deny,msg:'DENIED'" + SecAction "phase:4,deny,msg:'DENIED',id:500076" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.DENIED/, 1 ], @@ -285,7 +285,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:1,drop,msg:'DROPPED'" + SecAction "phase:1,drop,msg:'DROPPED',id:500077" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.DROPPED/, 1 ], @@ -306,7 +306,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:2,drop,msg:'DROPPED'" + SecAction "phase:2,drop,msg:'DROPPED',id:500078" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.DROPPED/, 1 ], @@ -327,7 +327,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:3,drop,msg:'DROPPED'" + SecAction "phase:3,drop,msg:'DROPPED',id:500079" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.DROPPED/, 1 ], @@ -348,7 +348,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecAction "phase:4,drop,msg:'DROPPED'" + SecAction "phase:4,drop,msg:'DROPPED',id:500080" ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction.DROPPED/, 1 ], @@ -371,7 +371,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'REDIRECTED'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'REDIRECTED',id:500009" ), match_log => { error => [ qr/ModSecurity: Warning. String match "\/test2.txt" at REQUEST_URI.REDIRECTED/, 1 ], @@ -393,7 +393,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'REDIRECTED'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'REDIRECTED',id:500010" ), match_log => { error => [ qr/ModSecurity: Warning. String match "\/test2.txt" at REQUEST_URI.REDIRECTED/, 1 ], @@ -415,7 +415,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'REDIRECTED'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'REDIRECTED',id:500011" ), match_log => { error => [ qr/ModSecurity: Warning. String match "\/test2.txt" at REQUEST_URI.REDIRECTED/, 1 ], @@ -437,7 +437,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'REDIRECTED'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'REDIRECTED',id:500012" ), match_log => { error => [ qr/ModSecurity: Warning. String match "\/test2.txt" at REQUEST_URI.REDIRECTED/, 1 ], @@ -461,7 +461,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'PROXIED'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'PROXIED',id:500013" ), match_log => { error => [ qr/ModSecurity: Warning. String match "\/test2.txt" at REQUEST_URI.PROXIED/, 1 ], @@ -483,7 +483,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'PROXIED'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'PROXIED',id:500014" ), match_log => { error => [ qr/ModSecurity: Warning. String match "\/test2.txt" at REQUEST_URI.PROXIED/, 1 ], @@ -507,7 +507,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'PROXIED'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'PROXIED',id:500015" ), match_log => { error => [ qr/ModSecurity: Warning. String match "\/test2.txt" at REQUEST_URI.PROXIED/, 1 ], @@ -530,7 +530,7 @@ SecResponseBodyMimeType null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 4 - SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'PROXIED'" + SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',msg:'PROXIED',id:500016" ), match_log => { error => [ qr/ModSecurity: Warning. String match "\/test2.txt" at REQUEST_URI.PROXIED/, 1 ],
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/action/10-logging.t ^
@@ -11,7 +11,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,log" + SecAction "phase:1,pass,log,id:500006" ), match_log => { error => [ qr/ModSecurity: Warning\. Unconditional match in SecAction\./, 1 ], @@ -34,7 +34,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,nolog" + SecAction "phase:1,pass,nolog,id:500007" ), match_log => { -error => [ qr/ModSecurity: /, 1 ], @@ -59,7 +59,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,log" + SecAction "phase:1,deny,status:403,log,id:500008" ), match_log => { error => [ qr/ModSecurity: Access denied with code 403 \(phase 1\)\. Unconditional match in SecAction\./, 1 ], @@ -82,7 +82,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,nolog" + SecAction "phase:1,deny,status:403,nolog,id:500009" ), match_log => { -error => [ qr/ModSecurity: /, 1 ], @@ -107,7 +107,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,auditlog" + SecAction "phase:1,pass,auditlog,id:500010" ), match_log => { error => [ qr/ModSecurity: Warning\. Unconditional match in SecAction\./, 1 ], @@ -130,7 +130,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,noauditlog" + SecAction "phase:1,pass,noauditlog,id:500011" ), match_log => { error => [ qr/ModSecurity: Warning\. Unconditional match in SecAction\./, 1 ], @@ -155,7 +155,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,auditlog" + SecAction "phase:1,deny,status:403,auditlog,id:500012" ), match_log => { error => [ qr/ModSecurity: Access denied with code 403 \(phase 1\)\. Unconditional match in SecAction\./, 1 ], @@ -178,7 +178,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,noauditlog" + SecAction "phase:1,deny,status:403,noauditlog,id:500013" ), match_log => { error => [ qr/ModSecurity: Access denied with code 403 \(phase 1\)\. Unconditional match in SecAction\./, 1 ], @@ -203,7 +203,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,log,auditlog" + SecAction "phase:1,pass,log,auditlog,id:500014" ), match_log => { error => [ qr/ModSecurity: Warning\. Unconditional match in SecAction\./, 1 ], @@ -226,7 +226,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,log,noauditlog" + SecAction "phase:1,pass,log,noauditlog,id:500015" ), match_log => { error => [ qr/ModSecurity: Warning\. Unconditional match in SecAction\./, 1 ], @@ -249,7 +249,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,nolog,auditlog" + SecAction "phase:1,pass,nolog,auditlog,id:500016" ), match_log => { audit => [ qr/-H--\s+Message: .Stopwatch: /s, 1 ], @@ -271,7 +271,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,nolog,noauditlog" + SecAction "phase:1,pass,nolog,noauditlog,id:500017" ), match_log => { -error => [ qr/ModSecurity: /, 1 ], @@ -294,7 +294,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,auditlog,log" + SecAction "phase:1,pass,auditlog,log,id:500018" ), match_log => { error => [ qr/ModSecurity: Warning\. Unconditional match in SecAction\./, 1 ], @@ -317,7 +317,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,auditlog,nolog" + SecAction "phase:1,pass,auditlog,nolog,id:500019" ), match_log => { -error => [ qr/ModSecurity: /, 1 ], @@ -340,7 +340,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,noauditlog,log" + SecAction "phase:1,pass,noauditlog,log,id:500020" ), match_log => { error => [ qr/ModSecurity: Warning\. Unconditional match in SecAction\./, 1 ], @@ -363,7 +363,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,pass,noauditlog,nolog" + SecAction "phase:1,pass,noauditlog,nolog,id:500021" ), match_log => { -error => [ qr/ModSecurity: /, 1 ], @@ -388,7 +388,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,log,auditlog" + SecAction "phase:1,deny,status:403,log,auditlog,id:500022" ), match_log => { error => [ qr/ModSecurity: Access denied with code 403 \(phase 1\)\. Unconditional match in SecAction\./, 1 ], @@ -411,7 +411,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,log,noauditlog" + SecAction "phase:1,deny,status:403,log,noauditlog,id:500023" ), match_log => { error => [ qr/ModSecurity: Access denied with code 403 \(phase 1\)\. Unconditional match in SecAction\./, 1 ], @@ -434,7 +434,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,nolog,auditlog" + SecAction "phase:1,deny,status:403,nolog,auditlog,id:500024" ), match_log => { audit => [ qr/-H--\s+Message: .Stopwatch: /s, 1 ], @@ -457,7 +457,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,nolog,noauditlog" + SecAction "phase:1,deny,status:403,nolog,noauditlog,id:500025" ), match_log => { -error => [ qr/ModSecurity: /, 1 ], @@ -480,7 +480,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,auditlog,log" + SecAction "phase:1,deny,status:403,auditlog,log,id:500026" ), match_log => { error => [ qr/ModSecurity: Access denied with code 403 \(phase 1\)\. Unconditional match in SecAction\./, 1 ], @@ -503,7 +503,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,auditlog,nolog" + SecAction "phase:1,deny,status:403,auditlog,nolog,id:500027" ), match_log => { -error => [ qr/ModSecurity: /, 1 ], @@ -526,7 +526,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,noauditlog,log" + SecAction "phase:1,deny,status:403,noauditlog,log,id:500028" ), match_log => { error => [ qr/ModSecurity: Access denied with code 403 \(phase 1\)\. Unconditional match in SecAction\./, 1 ], @@ -549,7 +549,7 @@ SecAuditLogRelevantStatus xxx SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecAction "phase:1,deny,status:403,noauditlog,nolog" + SecAction "phase:1,deny,status:403,noauditlog,nolog,id:500029" ), match_log => { -error => [ qr/ModSecurity: /, 1 ],
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/config/10-audit-directives.t ^
@@ -46,7 +46,7 @@ SecDebugLogLevel 9 SecResponseBodyAccess On SecDefaultAction "phase:2,log,auditlog,pass" - SecRule REQUEST_URI "." "phase:4,deny" + SecRule REQUEST_URI "." "phase:4,deny,id:500251" ), match_log => { audit => [ qr/./, 1 ], @@ -246,7 +246,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecAuditLogParts "ABCDEFGHIJKZ" - SecAction "phase:4,log,auditlog,allow" + SecAction "phase:4,log,auditlog,allow,id:500086" ), match_log => { audit => [ qr/-A--.-B--.-C--.-F--.-E--.-H--.-K--.*-Z--/s, 1 ],
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/config/10-debug-directives.t ^
@@ -40,7 +40,7 @@ SecRuleEngine On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 0 - SecRule REQUEST_URI "." "phase:1,deny" + SecRule REQUEST_URI "." "phase:1,deny,id:500241" ), match_log => { -debug => [ qr/./, 1 ], @@ -60,7 +60,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 1 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500242" ), match_log => { debug => [ qr/\]\[[1]\] /, 1 ], @@ -85,7 +85,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 2 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500243" ), match_log => { debug => [ qr/\]\[2\] /, 1 ], @@ -110,7 +110,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 3 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500244" ), match_log => { debug => [ qr/\]\[3\] /, 1 ], @@ -135,7 +135,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 4 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500245" ), match_log => { debug => [ qr/\]\[4\] /, 1 ], @@ -160,7 +160,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 5 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500246" ), match_log => { debug => [ qr/\]\[5\] /, 1 ], @@ -185,7 +185,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 6 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500247" ), match_log => { debug => [ qr/\]\[6\] /, 1 ], @@ -210,7 +210,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 7 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500248" ), match_log => { debug => [ qr/\]\[7\] /, 1 ], @@ -235,7 +235,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 8 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500249" ), match_log => { debug => [ qr/\]\[8\] /, 1 ], @@ -260,7 +260,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRuleScript "test.lua" "phase:1" - SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus" + SecRule REQUEST_URI "(.)" "phase:4,deny,deprecatevar:bogus,id:500250" ), match_log => { debug => [ qr/\]\[9\] /, 1 ],
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/config/10-misc-directives.t ^
@@ -13,7 +13,7 @@ conf => qq( SecRuleEngine on SecDefaultAction "phase:1,deny,status:500" - SecRule REQUEST_URI "test.txt" + SecRule REQUEST_URI "test.txt,id:500240" ), match_log => { error => [ qr/ModSecurity: Access denied with code 500 \(phase 1\)/, 1 ], @@ -52,7 +52,7 @@ conf => qq( SecRuleEngine On SecDataDir "$ENV{DATA_DIR}" - SecAction initcol:ip=%{REMOTE_ADDR},setvar:ip.dummy=1,pass + SecAction initcol:ip=%{REMOTE_ADDR},setvar:ip.dummy=1,pass,id:500085 ), match_log => { error => [ qr/ModSecurity: Warning. Unconditional match in SecAction\./, 1 ],
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/config/10-request-directives.t ^
@@ -7,8 +7,8 @@ conf => q( SecRuleEngine On SecArgumentSeparator ";" - SecRule ARGS:a "@streq 1" "phase:1,deny,chain" - SecRule ARGS:b "@streq 2" + SecRule ARGS:a "@streq 1" "phase:1,deny,chain,id:500215" + SecRule ARGS:b "@streq 2,id:500216" ), match_log => { error => [ qr/Access denied with code 403 \(phase 1\)\. String match "2" at ARGS:b\./, 1 ], @@ -25,8 +25,8 @@ comment => "SecArgumentSeparator (get-neg)", conf => q( SecRuleEngine On - SecRule ARGS:a "@streq 1" "phase:1,deny,chain" - SecRule ARGS:b "@streq 2" + SecRule ARGS:a "@streq 1" "phase:1,deny,chain,id:500217" + SecRule ARGS:b "@streq 2,id:500218" ), match_log => { -error => [ qr/Access denied/, 1 ], @@ -45,8 +45,8 @@ SecRuleEngine On SecRequestBodyAccess On SecArgumentSeparator ";" - SecRule ARGS:a "@streq 1" "phase:2,deny,chain" - SecRule ARGS:b "@streq 2" + SecRule ARGS:a "@streq 1" "phase:2,deny,chain,id:500219" + SecRule ARGS:b "@streq 2,id:500220" ), match_log => { error => [ qr/Access denied with code 403 \(phase 2\)\. String match "2" at ARGS:b\./, 1 ], @@ -68,8 +68,8 @@ conf => q( SecRuleEngine On SecRequestBodyAccess On - SecRule ARGS:a "@streq 1" "phase:2,deny" - SecRule ARGS:b "@streq 2" "phase:2,deny" + SecRule ARGS:a "@streq 1" "phase:2,deny,id:500221" + SecRule ARGS:b "@streq 2" "phase:2,deny,id:500222" ), match_log => { -error => [ qr/Access denied/, 1 ], @@ -93,8 +93,8 @@ conf => qq( SecRuleEngine On SecRequestBodyAccess On - SecRule ARGS:a "\@streq 1" "phase:2,deny,chain" - SecRule ARGS:b "\@streq 2" + SecRule ARGS:a "\@streq 1" "phase:2,deny,chain,id:500223" + SecRule ARGS:b "\@streq 2,id:500224" ), match_log => { error => [ qr/Access denied with code 403 \(phase 2\)\. String match "2" at ARGS:b\./, 1 ], @@ -116,8 +116,8 @@ conf => qq( SecRuleEngine On SecRequestBodyAccess Off - SecRule ARGS:a "\@streq 1" "phase:2,deny" - SecRule ARGS:b "\@streq 2" "phase:2,deny" + SecRule ARGS:a "\@streq 1" "phase:2,deny,id:500225" + SecRule ARGS:b "\@streq 2" "phase:2,deny,id:500226" ), match_log => { -error => [ qr/Access denied/, 1 ], @@ -269,8 +269,8 @@ SecRequestBodyAccess On SecRequestBodyLimit 5 - SecAction "phase:1,pass,nolog,ctl:ruleEngine=off" - SecRule REQUEST_BODY "." "phase:2,deny" + SecAction "phase:1,pass,nolog,ctl:ruleEngine=off,id:500081" + SecRule REQUEST_BODY "." "phase:2,deny,id:500227" ), match_log => { -error => [ qr/Request body .is larger than the configured limit/, 1 ], @@ -294,8 +294,8 @@ SecRequestBodyAccess On SecRequestBodyLimit 5 - SecAction "phase:1,pass,nolog,ctl:requestBodyAccess=off" - SecRule REQUEST_BODY "." "phase:2,deny" + SecAction "phase:1,pass,nolog,ctl:requestBodyAccess=off,id:500082" + SecRule REQUEST_BODY "." "phase:2,deny,id:500228" ), match_log => { -error => [ qr/Request body .is larger than the configured limit/, 1 ], @@ -319,8 +319,8 @@ SecRequestBodyAccess On SecRequestBodyLimit 256 - SecAction "phase:1,pass,nolog,ctl:ruleEngine=off" - SecRule REQUEST_BODY "." "phase:2,deny" + SecAction "phase:1,pass,nolog,ctl:ruleEngine=off,id:500083" + SecRule REQUEST_BODY "." "phase:2,deny,id:500229" ), match_log => { -error => [ qr/Request body .is larger than the configured limit/, 1 ], @@ -363,8 +363,8 @@ SecRequestBodyAccess On SecRequestBodyLimit 256 - SecAction "phase:1,pass,nolog,ctl:requestBodyAccess=off" - SecRule REQUEST_BODY "." "phase:2,deny" + SecAction "phase:1,pass,nolog,ctl:requestBodyAccess=off,id:500084" + SecRule REQUEST_BODY "." "phase:2,deny,id:500230" ), match_log => { -error => [ qr/Request body .is larger than the configured limit \(256\)\./, 1 ], @@ -499,9 +499,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 5 SecCookieFormat 1 - SecRule REQUEST_COOKIES_NAMES "\@streq SESSIONID" "phase:1,deny,chain" - SecRule REQUEST_COOKIES:\$SESSIONID_PATH "\@streq /" "chain" - SecRule REQUEST_COOKIES:SESSIONID "\@streq cookieval" + SecRule REQUEST_COOKIES_NAMES "\@streq SESSIONID" "phase:1,deny,chain,id:500231" + SecRule REQUEST_COOKIES:\$SESSIONID_PATH "\@streq /" "chain,id:500232" + SecRule REQUEST_COOKIES:SESSIONID "\@streq cookieval,id:500233" ), match_log => { error => [ qr/Access denied with code 403 \(phase 1\)\. String match "cookieval" at REQUEST_COOKIES:SESSIONID\./, 1 ], @@ -526,9 +526,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 5 SecCookieFormat 0 - SecRule REQUEST_COOKIES_NAMES "\@streq SESSIONID" "phase:1,deny,chain" - SecRule REQUEST_COOKIES:\$SESSIONID_PATH "\@streq /" "chain" - SecRule REQUEST_COOKIES:SESSIONID "\@streq cookieval" + SecRule REQUEST_COOKIES_NAMES "\@streq SESSIONID" "phase:1,deny,chain,id:500234" + SecRule REQUEST_COOKIES:\$SESSIONID_PATH "\@streq /" "chain,id:500235" + SecRule REQUEST_COOKIES:SESSIONID "\@streq cookieval,id:500236" ), match_log => { -error => [ qr/Access denied/, 1 ],
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/config/10-response-directives.t ^
@@ -10,7 +10,7 @@ SecResponseBodyMimeTypesClear SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule RESPONSE_BODY "TEST" "phase:4,deny" + SecRule RESPONSE_BODY "TEST" "phase:4,deny,id:500237" ), match_log => { -error => [ qr/Access denied/, 1 ], @@ -34,7 +34,7 @@ SecDebugLogLevel 9 SecResponseBodyAccess On SecResponseBodyMimeType text/plain null - SecRule RESPONSE_BODY "TEST" "phase:4,deny" + SecRule RESPONSE_BODY "TEST" "phase:4,deny,id:500238" ), match_log => { error => [ qr/Access denied with code 403 \(phase 4\)\. Pattern match "TEST" at RESPONSE_BODY\./, 1 ], @@ -55,7 +55,7 @@ SecDebugLogLevel 9 SecResponseBodyAccess Off SecResponseBodyMimeType text/plain null - SecRule RESPONSE_BODY "TEST" "phase:4,deny" + SecRule RESPONSE_BODY "TEST" "phase:4,deny,id:500239" ), match_log => { -error => [ qr/Access denied/, 1 ],
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/misc/00-multipart-parser.t ^
@@ -9,9 +9,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500055" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500056" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500057" ), match_log => { debug => [ qr/Added file part [0-9a-h]+ to the list: name "image" file name "image.jpg" \(offset 258, length 10\).Adding request argument \(BODY\): name "name", value "Brian Rectanus".Adding request argument \(BODY\): name "email", value "brian.rectanus\@breach.com"/s, 1 ], @@ -55,9 +55,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500058" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500059" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500060" ), match_log => { debug => [ qr/Adding request argument \(BODY\): name "a", value "1".Adding request argument \(BODY\): name "b", value "2"/s, 1 ], @@ -97,9 +97,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500061" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500062" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500063" ), match_log => { debug => [ qr/Adding request argument \(BODY\): name "a", value "1".Adding request argument \(BODY\): name "b", value "2"/s, 1 ], @@ -138,9 +138,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500064" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500065" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500066" ), match_log => { debug => [ qr/Adding request argument \(BODY\): name "a", value "1".Adding request argument \(BODY\): name "b", value "2"/s, 1 ], @@ -181,9 +181,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500067" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500068" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500069" ), match_log => { debug => [ qr/Adding request argument \(BODY\): name "a", value "1".Adding request argument \(BODY\): name "b", value "2"/s, 1 ], @@ -223,8 +223,8 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500070" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500071" ), match_log => { debug => [ qr/Adding request argument \(BODY\): name "a", value "--test".Adding request argument \(BODY\): name "b", value "--"/s, 1 ], @@ -420,8 +420,8 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "!\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,id:500072" + SecRule REQBODY_PROCESSOR_ERROR "!\@eq 1" "phase:2,deny,id:500073" ), match_log => { debug => [ qr/name: a.variable: 1.Invalid part header \(header name missing\)/s, 1 ], @@ -462,10 +462,10 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 0" "phase:2,deny,status:403" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403" + SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403,id:500074" + SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403,id:500075" + SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 0" "phase:2,deny,status:403,id:500076" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403,id:500077" ), match_log => { debug => [ qr/name: a.variable: 1.name: b.variable: 2/s, 1 ], @@ -503,10 +503,10 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 0" "phase:2,deny,status:403" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403" + SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403,id:500078" + SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403,id:500079" + SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 0" "phase:2,deny,status:403,id:500080" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403,id:500081" ), match_log => { debug => [ qr/name: a.variable: 1.name: b.variable: 2/s, 1 ], @@ -544,10 +544,10 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 0" "phase:2,deny,status:403" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403" + SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403,id:500082" + SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403,id:500083" + SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 0" "phase:2,deny,status:403,id:500084" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403,id:500085" ), match_log => { debug => [ qr/name: a.variable: 1.name: b.variable: 2/s, 1 ], @@ -584,10 +584,10 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403" + SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403,id:500086" + SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403,id:500087" + SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403,id:500088" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403,id:500089" ), match_log => { debug => [ qr/name: a.variable: 1.name: b.variable: 2/s, 1 ], @@ -624,10 +624,10 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403" - SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403" + SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,status:403,id:500090" + SecRule MULTIPART_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403,id:500091" + SecRule MULTIPART_INVALID_HEADER_FOLDING "!\@eq 1" "phase:2,deny,status:403,id:500092" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:403,id:500093" ), match_log => { debug => [ qr/name: a.variable: 1.name: b.variable: 2/s, 1 ], @@ -666,7 +666,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_DATA_AFTER "\@eq 1" "phase:2,deny,status:403" + SecRule MULTIPART_DATA_AFTER "\@eq 1" "phase:2,deny,status:403,id:500094" ), match_log => { debug => [ qr/name: a.variable: 1.Ignoring data after last boundary/s, 1 ], @@ -706,9 +706,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny" - SecRule MULTIPART_INVALID_QUOTING "!\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "chain,phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,id:500095" + SecRule MULTIPART_INVALID_QUOTING "!\@eq 1" "phase:2,deny,id:500096" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "chain,phase:2,deny,id:500097" ), match_log => { debug => [ qr/name: a.variable: 1.Duplicate Content-Disposition name/s, 1 ], @@ -748,9 +748,9 @@ conf => qq( SecRuleEngine On SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500098" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500099" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500100" ), match_log => { error => [ qr/Invalid boundary in C-T \(malformed\)/, 1 ], @@ -795,9 +795,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500101" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500102" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500103" ), match_log => { }, @@ -842,9 +842,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500104" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500105" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500106" ), match_log => { error => [ qr/Invalid boundary in C-T \(case sensitivity\)/, 1 ], @@ -889,9 +889,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500107" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500108" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500109" ), match_log => { error => [ qr/Invalid boundary in C-T \(parameter name\)/, 1 ], @@ -938,9 +938,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500110" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500111" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500112" ), match_log => { debug => [ qr/Multiple boundary parameters in C-T/, 1 ], @@ -985,9 +985,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500113" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500114" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500115" ), match_log => { debug => [ qr/Multiple boundary parameters in C-T/, 1 ], @@ -1032,9 +1032,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500116" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500117" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500118" ), match_log => { }, @@ -1078,9 +1078,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500119" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500120" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500121" ), match_log => { debug => [ qr/boundary whitespace in C-T header/, 1 ], @@ -1125,9 +1125,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500122" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500123" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500124" ), match_log => { debug => [ qr/Added file part [0-9a-h]+ to the list: name "image" file name "image.jpg" \(offset 258, length 10\).Adding request argument \(BODY\): name "name", value "Brian Rectanus".Adding request argument \(BODY\): name "email", value "brian.rectanus\@breach.com"/s, 1 ], @@ -1174,9 +1174,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500125" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500126" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500127" ), match_log => { debug => [ qr/No boundaries found in payload/, 1 ], @@ -1220,9 +1220,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500128" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500129" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500130" ), match_log => { debug => [ qr/Invalid boundary in C-T \(characters\)/, 1 ], @@ -1269,9 +1269,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500131" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500132" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500133" ), match_log => { debug => [ qr/boundary was quoted/, 1 ], @@ -1316,9 +1316,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500134" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500135" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500136" ), match_log => { debug => [ qr/boundary was quoted.No boundaries found in payload/s, 1 ], @@ -1363,9 +1363,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500137" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500138" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500139" ), match_log => { debug => [ qr/boundary was quoted.No boundaries found in payload/s, 1 ], @@ -1409,9 +1409,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500140" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500141" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500142" ), match_log => { debug => [ qr/boundary was quoted/s, 1 ], @@ -1456,9 +1456,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500143" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500144" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500145" ), match_log => { debug => [ qr/Invalid boundary in C-T \(characters\)/, 1 ], @@ -1502,9 +1502,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500146" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500147" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500148" ), match_log => { debug => [ qr/Invalid boundary in C-T \(characters\)/, 1 ], @@ -1548,9 +1548,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500149" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500150" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500151" ), match_log => { debug => [ qr/Invalid boundary in C-T \(quote\)/, 1 ], @@ -1594,9 +1594,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500152" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500153" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500154" ), match_log => { debug => [ qr/Invalid boundary in C-T \(quote\)/, 1 ], @@ -1639,9 +1639,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500155" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500156" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500157" ), match_log => { debug => [ qr/Invalid Content-Disposition header/, 1 ], @@ -1692,9 +1692,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 SecRequestBodyAccess On - SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny" - SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny" - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500158" + SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500159" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500160" ), match_log => { debug => [ qr/Part missing Content-Disposition header/, 1 ], @@ -1752,20 +1752,20 @@ SecUploadFileLimit 2 # These should be set - SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny" - SecRule MULTIPART_FILE_LIMIT_EXCEEDED "!\@eq 1" "phase:2,deny" + SecRule MULTIPART_STRICT_ERROR "!\@eq 1" "phase:2,deny,id:500161" + SecRule MULTIPART_FILE_LIMIT_EXCEEDED "!\@eq 1" "phase:2,deny,id:500162" # This should not be set - SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny" + SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500163" # Theses should still be accurate - SecRule &FILES "!\@eq 3" "phase:2,deny" - SecRule &FILES_NAMES "!\@eq 3" "phase:2,deny" - SecRule &FILES_SIZES "!\@eq 3" "phase:2,deny" - SecRule FILES_SIZES:/^image/ "\@eq 0" "phase:2,deny" + SecRule &FILES "!\@eq 3" "phase:2,deny,id:500164" + SecRule &FILES_NAMES "!\@eq 3" "phase:2,deny,id:500165" + SecRule &FILES_SIZES "!\@eq 3" "phase:2,deny,id:500166" + SecRule FILES_SIZES:/^image/ "\@eq 0" "phase:2,deny,id:500167" # This should be the SecUploadFileLimit - SecRule &FILES_TMPNAMES "!\@eq 2" "phase:2,deny" + SecRule &FILES_TMPNAMES "!\@eq 2" "phase:2,deny,id:500168" ), match_log => { debug => [ qr/Multipart: Upload file limit exceeded.name: test.variable: This is test data/s, 1 ],
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/misc/00-phases.t ^
@@ -9,10 +9,10 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType text/plain null - SecRule REQUEST_LINE "^POST" "phase:1,pass,log,auditlog" - SecRule ARGS "val1" "phase:1,pass,log,auditlog" - SecRule RESPONSE_HEADERS:Last-Modified "." "phase:1,pass,log,auditlog" - SecRule RESPONSE_BODY "TEST" "phase:1,pass,log,auditlog" + SecRule REQUEST_LINE "^POST" "phase:1,pass,log,auditlog,id:500169" + SecRule ARGS "val1" "phase:1,pass,log,auditlog,id:500170" + SecRule RESPONSE_HEADERS:Last-Modified "." "phase:1,pass,log,auditlog,id:500171" + SecRule RESPONSE_BODY "TEST" "phase:1,pass,log,auditlog,id:500172" ), match_log => { error => [ qr/Pattern match "\^POST" at REQUEST_LINE/, 1 ], @@ -39,10 +39,10 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType text/plain null - SecRule REQUEST_LINE "^POST" "phase:2,pass,log,auditlog" - SecRule ARGS "val1" "phase:2,pass,log,auditlog" - SecRule RESPONSE_HEADERS:Last-Modified "." "phase:2,pass,log,auditlog" - SecRule RESPONSE_BODY "TEST" "phase:2,pass,log,auditlog" + SecRule REQUEST_LINE "^POST" "phase:2,pass,log,auditlog,id:500173" + SecRule ARGS "val1" "phase:2,pass,log,auditlog,id:500174" + SecRule RESPONSE_HEADERS:Last-Modified "." "phase:2,pass,log,auditlog,id:500175" + SecRule RESPONSE_BODY "TEST" "phase:2,pass,log,auditlog,id:500176" ), match_log => { error => [ qr/Pattern match "\^POST" at REQUEST_LINE.Pattern match "val1" at ARGS/s, 1 ], @@ -69,10 +69,10 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType text/plain null - SecRule REQUEST_LINE "^POST" "phase:3,pass,log,auditlog" - SecRule ARGS "val1" "phase:3,pass,log,auditlog" - SecRule RESPONSE_HEADERS:Last-Modified "." "phase:3,pass,log,auditlog" - SecRule RESPONSE_BODY "TEST" "phase:3,pass,log,auditlog" + SecRule REQUEST_LINE "^POST" "phase:3,pass,log,auditlog,id:500177" + SecRule ARGS "val1" "phase:3,pass,log,auditlog,id:500178" + SecRule RESPONSE_HEADERS:Last-Modified "." "phase:3,pass,log,auditlog,id:500179" + SecRule RESPONSE_BODY "TEST" "phase:3,pass,log,auditlog,id:500180" ), match_log => { error => [ qr/Pattern match "\^POST" at REQUEST_LINE.Pattern match "val1" at ARGS.Pattern match "\." at RESPONSE_HEADERS/s, 1 ], @@ -101,10 +101,10 @@ SecResponseBodyMimeType text/plain null SecDebugLog "$ENV{DEBUG_LOG}" SecDebugLogLevel 9 - SecRule REQUEST_LINE "^POST" "phase:4,pass,log,auditlog" - SecRule ARGS "val1" "phase:4,pass,log,auditlog" - SecRule RESPONSE_HEADERS:Last-Modified "." "phase:4,pass,log,auditlog" - SecRule RESPONSE_BODY "TEST" "phase:4,pass,log,auditlog" + SecRule REQUEST_LINE "^POST" "phase:4,pass,log,auditlog,id:500181" + SecRule ARGS "val1" "phase:4,pass,log,auditlog,id:500182" + SecRule RESPONSE_HEADERS:Last-Modified "." "phase:4,pass,log,auditlog,id:500183" + SecRule RESPONSE_BODY "TEST" "phase:4,pass,log,auditlog,id:500184" ), match_log => { error => [ qr/Pattern match "\^POST" at REQUEST_LINE.Pattern match "val1" at ARGS.Pattern match "\." at RESPONSE_HEADERS.Pattern match "TEST" at RESPONSE_BODY/s, 1 ], @@ -130,10 +130,10 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType text/plain null - SecRule REQUEST_LINE "^POST" "phase:5,pass,log,auditlog" - SecRule ARGS "val1" "phase:5,pass,log,auditlog" - SecRule RESPONSE_HEADERS:Last-Modified "." "phase:5,pass,log,auditlog" - SecRule RESPONSE_BODY "TEST" "phase:5,pass,log,auditlog" + SecRule REQUEST_LINE "^POST" "phase:5,pass,log,auditlog,id:500185" + SecRule ARGS "val1" "phase:5,pass,log,auditlog,id:500186" + SecRule RESPONSE_HEADERS:Last-Modified "." "phase:5,pass,log,auditlog,id:500187" + SecRule RESPONSE_BODY "TEST" "phase:5,pass,log,auditlog,id:500188" ), match_log => { error => [ qr/Pattern match "\^POST" at REQUEST_LINE.Pattern match "val1" at ARGS.Pattern match "\." at RESPONSE_HEADERS.*Pattern match "TEST" at RESPONSE_BODY/s, 1 ],
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/misc/10-pcre.t ^
@@ -17,9 +17,9 @@ SecPcreMatchLimitRecursion 100 # Poor REGEX - SecRule ARGS "(?:(.{2,})\\1{32,})" "phase:2,deny,capture,msg:'REDoS'" + SecRule ARGS "(?:(.{2,})\\1{32,})" "phase:2,deny,capture,msg:'REDoS',id:500053" # Detect PCRE limits exceeded - SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "!\@streq 0" "phase:2,deny,msg:'ModSecurity Internal Error Flagged: %{MATCHED_VAR_NAME}'" + SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "!\@streq 0" "phase:2,deny,msg:'ModSecurity Internal Error Flagged: %{MATCHED_VAR_NAME}',id:500054" ), match_log => { debug => [ qr/PCRE limits exceeded/, 1 ],
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/misc/10-tfn-cache.t ^
@@ -12,10 +12,10 @@ SecCacheTransformations On "minlen:1,maxlen:0" # This should cache it - SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog" + SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500037" # This should use the cached value - SecRule ARGS_GET:test "foobar" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,deny" + SecRule ARGS_GET:test "foobar" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,deny,id:500038" ), match_log => { debug => [ qr/removeWhiteSpace,lowercase: "foobar" .cached/, 1 ], @@ -40,10 +40,10 @@ SecCacheTransformations On "minlen:1,maxlen:0,incremental:off,maxitems:0" # This should cache it - SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,pass,nolog" + SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,pass,nolog,id:500039" # This should use the partially cached value - SecRule ARGS_GET:test "foobar" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,deny" + SecRule ARGS_GET:test "foobar" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,deny,id:500040" ), match_log => { debug => [ qr/removeWhiteSpace: "FooBar" .partially cached/, 1 ], @@ -67,10 +67,10 @@ SecCacheTransformations On "minlen:1,maxlen:0" # This should cache it - SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog" + SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500041" # This should use the cached value - SecRule ARGS_GET:test "foobar" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,deny" + SecRule ARGS_GET:test "foobar" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,deny,id:500042" ), match_log => { -debug => [ qr/removeWhiteSpace,lowercase: "foobar" .cached/, 1 ], @@ -94,10 +94,10 @@ SecCacheTransformations On "minlen:1,maxlen:0" # This should cache it - SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog" + SecRule ARGS_GET "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500043" # This should use the cached value - SecRule ARGS_GET:test "foobar" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,deny" + SecRule ARGS_GET:test "foobar" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,deny,id:500044" ), match_log => { debug => [ qr/removeWhiteSpace,lowercase: "foobar" .cached/, 1 ], @@ -122,12 +122,12 @@ SecCacheTransformations On "minlen:1,maxlen:0" # This should cache it - SecRule ARGS "WillNotMatch" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,pass" + SecRule ARGS "WillNotMatch" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,pass,id:500045" # This should see cached versions of both ARGS_GET - SecRule ARGS:test "queryval" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,deny,chain" - SecRule ARGS:test "firstval" "t:none,t:removeWhiteSpace,t:lowercase,chain" - SecRule ARGS:test "secondval" "t:none,t:removeWhiteSpace,t:lowercase" + SecRule ARGS:test "queryval" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,deny,chain,id:500046" + SecRule ARGS:test "firstval" "t:none,t:removeWhiteSpace,t:lowercase,chain,id:500047" + SecRule ARGS:test "secondval" "t:none,t:removeWhiteSpace,t:lowercase,id:500017" ), match_log => { debug => [ qr/removeWhiteSpace,lowercase: "queryval" .removeWhiteSpace,lowercase: "firstval" .cached.removeWhiteSpace,lowercase: "secondval" .cached/s, 1 ], @@ -163,13 +163,13 @@ SecCacheTransformations On "minlen:1,maxlen:0,maxitems:0" # This should cache it in all phases - SecRule ARGS "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog" - SecRule ARGS "WillNotMatch" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog" - SecRule ARGS "WillNotMatch" "phase:3,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog" - SecRule ARGS "WillNotMatch" "phase:4,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog" + SecRule ARGS "WillNotMatch" "phase:1,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500048" + SecRule ARGS "WillNotMatch" "phase:2,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500049" + SecRule ARGS "WillNotMatch" "phase:3,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500050" + SecRule ARGS "WillNotMatch" "phase:4,t:none,t:removeWhiteSpace,t:lowercase,pass,nolog,id:500051" # This should use the cached value - SecRule ARGS "foobar" "phase:4,t:none,t:removeWhiteSpace,t:lowercase,deny" + SecRule ARGS "foobar" "phase:4,t:none,t:removeWhiteSpace,t:lowercase,deny,id:500052" ), match_log => { debug => [ qr/Adding request argument \(BODY\): name "test", value "Foo Bar"/, 60, "Waiting for httpd to process request: "],
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/rule/00-basics.t ^
@@ -8,7 +8,7 @@ SecRuleEngine On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 4 - SecAction "nolog" + SecAction "nolog,id:500001" ), match_log => { -error => [ qr/ModSecurity: /, 1 ], @@ -32,7 +32,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 5 SecDefaultAction "phase:2,deny,status:403" - SecRule ARGS:test "value" + SecRule ARGS:test "value,id:500032" ), match_log => { error => [ qr/ModSecurity: /, 1 ], @@ -53,7 +53,7 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 5 SecDefaultAction "phase:2,pass" - SecRule ARGS:test "value" "deny,status:403" + SecRule ARGS:test "value" "deny,status:403,id:500033" ), match_log => { error => [ qr/ModSecurity: /, 1 ], @@ -74,9 +74,9 @@ SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 5 SecDefaultAction "phase:2,log,noauditlog,pass,tag:foo" - SecRule ARGS:test "value" "chain,phase:2,deny,status:403" - SecRule &ARGS "\@eq 1" "chain,setenv:tx.foo=bar" - SecRule REQUEST_METHOD "\@streq GET" + SecRule ARGS:test "value" "chain,phase:2,deny,status:403,id:500034" + SecRule &ARGS "\@eq 1" "chain,setenv:tx.foo=bar,id:500035" + SecRule REQUEST_METHOD "\@streq GET,id:500036" ), match_log => { error => [ qr/ModSecurity: /, 1 ],
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/rule/10-xml.t ^
@@ -10,10 +10,10 @@ SecRequestBodyAccess On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500005 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope.xsd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500006 + SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope.xsd" \\,id:500007 "phase:2,deny,id:12345" ), match_log => { @@ -59,10 +59,10 @@ SecDebugLogLevel 9 SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500008 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope.xsd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500009 + SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope.xsd" \\,id:500010 "phase:2,deny,log,auditlog,id:12345" ), match_log => { @@ -108,10 +108,10 @@ SecDebugLogLevel 9 SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500011 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope.xsd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500012 + SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope.xsd" \\,id:500013 "phase:2,deny,id:12345" ), match_log => { @@ -158,10 +158,10 @@ SecDebugLogLevel 9 SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500014 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope.xsd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500015 + SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope.xsd" \\,id:500016 "phase:2,deny,id:12345" ), match_log => { @@ -208,10 +208,10 @@ SecDebugLogLevel 9 SecAuditEngine RelevantOnly SecAuditLog "$ENV{AUDIT_LOG}" - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500017 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope-bad.xsd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500018 + SecRule XML "\@validateSchema $ENV{CONF_DIR}/SoapEnvelope-bad.xsd" \\,id:500019 "phase:2,deny,id:12345" ), match_log => { @@ -256,10 +256,10 @@ SecRequestBodyAccess On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500020 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope.dtd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500021 + SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope.dtd" \\,id:500022 "phase:2,deny,id:12345" ), match_log => { @@ -299,10 +299,10 @@ SecRequestBodyAccess On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500023 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope.dtd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500024 + SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope.dtd" \\,id:500025 "phase:2,deny,id:12345" ), match_log => { @@ -342,10 +342,10 @@ SecRequestBodyAccess On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500026 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope.dtd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500027 + SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope.dtd" \\,id:500028 "phase:2,deny,id:12345" ), match_log => { @@ -385,10 +385,10 @@ SecRequestBodyAccess On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\ + SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" \\,id:500029 "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" - SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345 - SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope-bad.dtd" \\ + SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500030 + SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope-bad.dtd" \\,id:500031 "phase:2,deny,id:12345" ), match_log => {
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/rule/20-exceptions.t ^
@@ -109,7 +109,7 @@ SecRuleEngine On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule REQUEST_URI "test" "phase:1,deny,status:500,id:1,msg:'testing rule'" + SecRule REQUEST_URI "test" "phase:1,deny,status:500,id:1,msg:'testing rule',id:500001" SecRuleRemoveByMsg "testing rule" ), match_log => { @@ -134,7 +134,7 @@ SecRuleEngine On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule REQUEST_URI "test" "phase:1,deny,status:500,id:1,msg:'testing rule'" + SecRule REQUEST_URI "test" "phase:1,deny,status:500,id:1,msg:'testing rule',id:500002" SecRuleUpdateActionById 1 "pass,nolog" ), match_log => { @@ -157,8 +157,8 @@ SecRuleEngine On SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule REQUEST_URI "test" "phase:1,deny,status:500,id:1,msg:'testing rule',chain" - SecRule ARGS "bar" + SecRule REQUEST_URI "test" "phase:1,deny,status:500,id:1,msg:'testing rule',chain,id:500003" + SecRule ARGS "bar,id:500004" SecRuleUpdateActionById 1 "pass,nolog" ), match_log => {
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/regression/target/00-targets.t ^
@@ -11,8 +11,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS "val1" "phase:2,log,pass" - SecRule ARGS "val2" "phase:2,log,pass" + SecRule ARGS "val1" "phase:2,log,pass,id:500189" + SecRule ARGS "val2" "phase:2,log,pass,id:500190" ), match_log => { error => [ qr/Pattern match "val1" at ARGS.Pattern match "val2" at ARGS/s, 1 ], @@ -35,8 +35,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS "val1" "phase:2,log,pass" - SecRule ARGS "val2" "phase:2,log,pass" + SecRule ARGS "val1" "phase:2,log,pass,id:500191" + SecRule ARGS "val2" "phase:2,log,pass,id:500192" ), match_log => { error => [ qr/Pattern match "val1" at ARGS.Pattern match "val2" at ARGS/s, 1 ], @@ -63,7 +63,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule ARGS_COMBINED_SIZE "\@eq 16" "phase:2,log,pass" + SecRule ARGS_COMBINED_SIZE "\@eq 16" "phase:2,log,pass,id:500193" ), match_log => { error => [ qr/Operator EQ matched 16 at ARGS_COMBINED_SIZE\./s, 1 ], @@ -83,7 +83,7 @@ SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType null - SecRule ARGS_COMBINED_SIZE "\@eq 16" "phase:2,log,pass" + SecRule ARGS_COMBINED_SIZE "\@eq 16" "phase:2,log,pass,id:500194" ), match_log => { error => [ qr/Operator EQ matched 16 at ARGS_COMBINED_SIZE\./s, 1 ], @@ -111,8 +111,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_NAMES "arg1" "phase:2,log,pass" - SecRule ARGS_NAMES "arg2" "phase:2,log,pass" + SecRule ARGS_NAMES "arg1" "phase:2,log,pass,id:500195" + SecRule ARGS_NAMES "arg2" "phase:2,log,pass,id:500196" ), match_log => { error => [ qr/Pattern match "arg1" at ARGS.Pattern match "arg2" at ARGS/s, 1 ], @@ -135,8 +135,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_NAMES "arg1" "phase:2,log,pass" - SecRule ARGS_NAMES "arg2" "phase:2,log,pass" + SecRule ARGS_NAMES "arg1" "phase:2,log,pass,id:500197" + SecRule ARGS_NAMES "arg2" "phase:2,log,pass,id:500198" ), match_log => { error => [ qr/Pattern match "arg1" at ARGS_NAMES.Pattern match "arg2" at ARGS_NAMES/s, 1 ], @@ -165,8 +165,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_GET "val1" "phase:2,log,pass" - SecRule ARGS_GET "val2" "phase:2,log,pass" + SecRule ARGS_GET "val1" "phase:2,log,pass,id:500199" + SecRule ARGS_GET "val2" "phase:2,log,pass,id:500200" ), match_log => { error => [ qr/Pattern match "val1" at ARGS_GET.Pattern match "val2" at ARGS_GET/s, 1 ], @@ -189,8 +189,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_GET "val1" "phase:2,log,pass" - SecRule ARGS_GET "val2" "phase:2,log,pass" + SecRule ARGS_GET "val1" "phase:2,log,pass,id:500201" + SecRule ARGS_GET "val2" "phase:2,log,pass,id:500202" ), match_log => { -error => [ qr/Pattern match/, 1 ], @@ -219,8 +219,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_GET_NAMES "arg1" "phase:2,log,pass" - SecRule ARGS_GET_NAMES "arg2" "phase:2,log,pass" + SecRule ARGS_GET_NAMES "arg1" "phase:2,log,pass,id:500203" + SecRule ARGS_GET_NAMES "arg2" "phase:2,log,pass,id:500204" ), match_log => { error => [ qr/Pattern match "arg1" at ARGS_GET.Pattern match "arg2" at ARGS_GET/s, 1 ], @@ -243,8 +243,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_GET_NAMES "arg1" "phase:2,log,pass" - SecRule ARGS_GET_NAMES "arg2" "phase:2,log,pass" + SecRule ARGS_GET_NAMES "arg1" "phase:2,log,pass,id:500205" + SecRule ARGS_GET_NAMES "arg2" "phase:2,log,pass,id:500206" ), match_log => { -error => [ qr/Pattern match/, 1 ], @@ -273,8 +273,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_POST "val1" "phase:2,log,pass" - SecRule ARGS_POST "val2" "phase:2,log,pass" + SecRule ARGS_POST "val1" "phase:2,log,pass,id:500207" + SecRule ARGS_POST "val2" "phase:2,log,pass,id:500208" ), match_log => { -error => [ qr/Pattern match/, 1 ], @@ -297,8 +297,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_POST "val1" "phase:2,log,pass" - SecRule ARGS_POST "val2" "phase:2,log,pass" + SecRule ARGS_POST "val1" "phase:2,log,pass,id:500209" + SecRule ARGS_POST "val2" "phase:2,log,pass,id:500210" ), match_log => { error => [ qr/Pattern match "val1" at ARGS_POST.Pattern match "val2" at ARGS_POST/s, 1 ], @@ -327,8 +327,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_POST_NAMES "arg1" "phase:2,log,pass" - SecRule ARGS_POST_NAMES "arg2" "phase:2,log,pass" + SecRule ARGS_POST_NAMES "arg1" "phase:2,log,pass,id:500211" + SecRule ARGS_POST_NAMES "arg2" "phase:2,log,pass,id:500212" ), match_log => { -error => [ qr/Pattern match/, 1 ], @@ -351,8 +351,8 @@ SecResponseBodyMimeType null SecDebugLog $ENV{DEBUG_LOG} SecDebugLogLevel 9 - SecRule ARGS_POST_NAMES "arg1" "phase:2,log,pass" - SecRule ARGS_POST_NAMES "arg2" "phase:2,log,pass" + SecRule ARGS_POST_NAMES "arg1" "phase:2,log,pass,id:500213" + SecRule ARGS_POST_NAMES "arg2" "phase:2,log,pass,id:500214" ), match_log => { error => [ qr/Pattern match "arg1" at ARGS_POST.Pattern match "arg2" at ARGS_POST/s, 1 ],
[-] [+]	Changed	modsecurity-apache_2.7.3.tar.bz2/tests/run-regression-tests.pl.in ^
@@ -582,6 +582,7 @@ if (defined $out and $out ne "") { vrb(join(" ", map { quote_shell($_) } @p)); msg("Httpd start failed with error messages:\n$out"); + httpd_stop(); return -1 } @@ -590,6 +591,7 @@ vrb(join(" ", map { quote_shell($_) } @p)); vrb(match_log("error", qr/(^.ModSecurity: .)/sm, 10)); msg("Httpd server failed to start."); + httpd_stop(); return -1; }

Changes of Revision 39