Merge 2.5.x changes into trunk.

CHANGES

@@ -1,6 +1,9 @@
-31 May 2009 - trunk
+15 Jun 2009 - trunk
 -------------------
 
+ * Fixed mlogc issue seen on big endian machines where content type
+   could be listed as zero.
+
  * Removed extra newline from audit log message line when logging XML errors.
    This was causing problems parsing audit logs.
 

apache2/Makefile.in

@@ -73,12 +73,13 @@ clean-extras:
 	@rm -rf ../tools/mlogc ../tools/mlogc-batch-load.pl
 
 clean: clean-extras
-	@rm -rf *.la *.lo *.o *.slo .libs msc_test msc-test-debug.log
+	@rm -rf *.la *.lo *.loT *.o *.slo .libs msc_test msc-test-debug.log
 
-maintainer-clean: clean
+distclean: clean
-	@rm -rf Makefile mlogc-src/Makefile t/run-unit-tests.pl t/run-regression-tests.pl t/gen_rx-pm.pl t/csv_rx-pm.pl t/run-tests.pl t/regression/server_root/conf/httpd.conf t/regression/server_root/conf/config_*.t_*.conf config config.log config.status configure mod_security2_config.h ../tools/*.pl autoscan.log configure.scan build/libtool.m4 build/config.guess build/config.sub build/ltmain.sh build/apxs-wrapper
+	@rm -rf Makefile mlogc-src/Makefile mlogc-src/mlogc-batch-load.pl ../tools/*.pl t/run-unit-tests.pl t/run-regression-tests.pl t/gen_rx-pm.pl t/csv_rx-pm.pl t/run-tests.pl t/regression/server_root/conf/httpd.conf t/regression/server_root/conf/*.t_*.conf t/regression/server_root/tmp/* t/regression/server_root/logs/*.log t/regression/server_root/logs/audit/* t/regression/server_root/upload/* t/regression/server_root/data/* config config.log config.status build/apxs-wrapper
 
-distclean: maintainer-clean
+maintainer-clean: distclean
+	@rm -rf config config.log config.status configure mod_security2_config.h autoscan.log configure.scan build/libtool.m4 build/config.guess build/config.sub build/ltmain.sh
 
 install-mods: mod_security2.la
 	$(INSTALL_MOD_SHARED) mod_security2.la

apache2/apache2.h

@@ -87,6 +87,9 @@ char DSOLOCAL *get_apr_error(apr_pool_t *p, apr_status_t rc);
 
 char DSOLOCAL *get_env_var(request_rec *r, char *name);
 
+void DSOLOCAL internal_log_ex(request_rec *r, directory_config *dcfg, modsec_rec *msr,
+    int level, int fixup, const char *text, va_list ap);
+
 void DSOLOCAL internal_log(request_rec *r, directory_config *dcfg, modsec_rec *msr,
     int level, const char *text, va_list ap);
 

apache2/apache2_util.c

@@ -226,12 +226,12 @@ char *get_env_var(request_rec *r, char *name) {
 }
 
 /**
- * Internal log helper function. Use msr_log instead. This function will
+ * Extended internal log helper function. Use msr_log instead. If fixup is
- * correctly handle both the messages that have a newline at the end, and
+ * true, the message will be stripped of any trailing newline and any
- * those that don't.
+ * required bytes will be escaped.
  */
-void internal_log(request_rec *r, directory_config *dcfg, modsec_rec *msr,
+void internal_log_ex(request_rec *r, directory_config *dcfg, modsec_rec *msr,
-    int level, const char *text, va_list ap)
+    int level, int fixup, const char *text, va_list ap)
 {
     apr_size_t nbytes, nbytes_written;
     apr_file_t *debuglog_fd = NULL;
@@ -258,13 +258,24 @@ void internal_log(request_rec *r, directory_config *dcfg, modsec_rec *msr,
 
     /* Construct the message. */
     apr_vsnprintf(str1, sizeof(str1), text, ap);
+    if (fixup) {
+        int len = strlen(str1);
+
+        /* Strip line ending. */
+        if (len && str1[len - 1] == '\n') {
+            str1[len - 1] = '\0';
+        }
+        if (len > 1 && str1[len - 2] == '\r') {
+            str1[len - 2] = '\0';
+        }
+    }
 
     /* Construct the log entry. */
     apr_snprintf(str2, sizeof(str2), 
         "[%s] [%s/sid#%pp][rid#%pp][%s][%d] %s\n",
         current_logtime(msr->mp), ap_get_server_name(r), (r->server),
         r, ((r->uri == NULL) ? "" : log_escape_nq(msr->mp, r->uri)),
-        level, str1);
+        level, (fixup ? log_escape_nq(msr->mp, str1) : str1));
 
     /* Write to the debug log. */
     if ((debuglog_fd != NULL)&&(level <= filter_debug_level)) {
@@ -272,7 +283,8 @@ void internal_log(request_rec *r, directory_config *dcfg, modsec_rec *msr,
         apr_file_write_full(debuglog_fd, str2, nbytes, &nbytes_written);
     }
 
-    /* Send message levels 1-3 to the Apache error log too. */
+    /* Send message levels 1-3 to the Apache error log and 
+     * add it to the message list in the audit log. */
     if (level <= 3) {
         char *unique_id = (char *)get_env_var(r, "UNIQUE_ID");
         char *hostname = (char *)msr->hostname;
@@ -305,6 +317,15 @@ void internal_log(request_rec *r, directory_config *dcfg, modsec_rec *msr,
     return;
 }
 
+/**
+ * Internal log helper function. Use msr_log instead.
+ */
+void internal_log(request_rec *r, directory_config *dcfg, modsec_rec *msr,
+    int level, const char *text, va_list ap)
+{
+    internal_log_ex(r, dcfg, msr, level, 0, text, ap);
+}
+
 /**
  * Logs one message at the given level to the debug log (and to the
  * Apache error log if the message is important enough.
@@ -313,7 +334,7 @@ void msr_log(modsec_rec *msr, int level, const char *text, ...) {
     va_list ap;
 
     va_start(ap, text);
-    internal_log(msr->r, msr->txcfg, msr, level, text, ap);
+    internal_log_ex(msr->r, msr->txcfg, msr, level, 0, text, ap);
     va_end(ap);
 }
 
@@ -321,30 +342,13 @@ void msr_log(modsec_rec *msr, int level, const char *text, ...) {
 /**
  * Logs one message at level 3 to the debug log and to the
  * Apache error log. This is intended for error callbacks.
- *
- * The 'text' will first be escaped.
  */
 void msr_log_error(modsec_rec *msr, const char *text, ...) {
     va_list ap;
-    int len;
-    char *str;
 
-    /* Generate the string. */
     va_start(ap, text);
-    str = apr_pvsprintf(msr->mp, text, ap);
+    internal_log_ex(msr->r, msr->txcfg, msr, 3, 1, text, ap);
     va_end(ap);
-
-    /* Strip line ending. */
-    len = strlen(str);
-    if (len && str[len - 1] == '\n') {
-        str[len - 1] = '\0';
-    }
-    if (len > 1 && str[len - 2] == '\r') {
-        str[len - 1] = '\0';
-    }
-
-    /* Log the escaped string. */
-    internal_log(msr->r, msr->txcfg, msr, 3, log_escape_nq(msr->mp,str), NULL);
 }
 
 /**
@@ -355,25 +359,10 @@ void msr_log_error(modsec_rec *msr, const char *text, ...) {
  */
 void msr_log_warn(modsec_rec *msr, const char *text, ...) {
     va_list ap;
-    int len;
-    char *str;
 
-    /* Generate the string. */
     va_start(ap, text);
-    str = apr_pvsprintf(msr->mp, text, ap);
+    internal_log_ex(msr->r, msr->txcfg, msr, 4, 1, text, ap);
     va_end(ap);
-
-    /* Strip line ending. */
-    len = strlen(str);
-    if (len && str[len - 1] == '\n') {
-        str[len - 1] = '\0';
-    }
-    if (len > 1 && str[len - 2] == '\r') {
-        str[len - 1] = '\0';
-    }
-
-    /* Log the escaped string. */
-    internal_log(msr->r, msr->txcfg, msr, 4, log_escape_nq(msr->mp,str), NULL);
 }
 
 

apache2/build/apxs-wrapper.in

@@ -5,6 +5,9 @@ for opt in "$@"; do
     case "$opt" in
         # Fix for -R not working w/apxs
         -R*) WRAPPED_OPTS="$WRAPPED_OPTS -Wl,$opt" ;;
+        # OSF1 compiler option
+        -pthread) WRAPPED_OPTS="$WRAPPED_OPTS -Wc,$opt" ;;
+        # Unwrapped
         *) WRAPPED_OPTS="$WRAPPED_OPTS $opt" ;;
     esac
 done

apache2/mlogc-src/mlogc.c

@@ -1086,7 +1086,6 @@ static void logc_init(void)
 
         /* Pre-configure the handle. */
         curl_easy_setopt(curl, CURLOPT_UPLOAD, TRUE);
-        curl_easy_setopt(curl, CURLOPT_PUT, TRUE);
         curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, (char *)NULL);
         curl_easy_setopt(curl, CURLOPT_URL, console_uri);
         curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
@@ -1156,6 +1155,8 @@ static void keep_entries_hack(apr_pool_t *mp, apr_thread_t *thread, const char *
         return;
     }
 
+    error_log(LOG_DEBUG, thread, "STAT \"%s\" {uid=%d; gid=%d; size=%" APR_OFF_T_FMT "; csize=%" APR_OFF_T_FMT "; atime=%" APR_TIME_T_FMT "; ctime=%" APR_TIME_T_FMT "; mtime=%" APR_TIME_T_FMT "}", fn, finfo.user, finfo.group, finfo.size, finfo.csize, finfo.atime, finfo.ctime, finfo.mtime);
+
     if (finfo.mtime != KEEP_ENTRIES_REMOVE_TIME) {
         error_log(LOG_DEBUG2, thread, "Set mtime: %s", fn);
         if ((rc = apr_file_mtime_set(fn, (apr_time_t)KEEP_ENTRIES_REMOVE_TIME, mp)) != APR_SUCCESS) {
@@ -1320,6 +1321,8 @@ static void * APR_THREAD_FUNC thread_worker(apr_thread_t *thread, void *data)
                 char response_buf[STATUSBUF_SIZE];
                 CURLcode res;
 
+                error_log(LOG_DEBUG, thread, "STAT \"%s\" {uid=%d; gid=%d; size=%" APR_OFF_T_FMT "; csize=%" APR_OFF_T_FMT "; atime=%" APR_TIME_T_FMT "; ctime=%" APR_TIME_T_FMT "; mtime=%" APR_TIME_T_FMT "}", auditlogentry, finfo.user, finfo.group, finfo.size, finfo.csize, finfo.atime, finfo.ctime, finfo.mtime);
+
                 /* Initialize the respone buffer with a hidden value */
                 response_buf[0] = 0;
                 response_buf[1] = 1;
@@ -1357,7 +1360,6 @@ static void * APR_THREAD_FUNC thread_worker(apr_thread_t *thread, void *data)
 
                 curl_easy_setopt(curl, CURLOPT_READDATA, hd_src);
                 curl_easy_setopt(curl, CURLOPT_INFILESIZE_LARGE, finfo.size);
-                curl_easy_setopt(curl, CURLOPT_INFILESIZE, finfo.size);
 #if 0
                 mandatory on win32?
                 curl_easy_setopt(curl, CURLOPT_READFUNCTION, read_callback);

apache2/msc_release.h

@@ -22,8 +22,8 @@
 #include <stdlib.h>
 #include <string.h>
 
-/* ENH: Clean this mess up */
+/* ENH: Clean this mess up by detecting this is possible */
-#if !(defined(_AIX) || defined(WIN32) || defined(CYGWIN) || defined(NETWARE) || defined(SOLARIS2) || defined(__osf1__))
+#if !(defined(_AIX) || defined(WIN32) || defined(CYGWIN) || defined(NETWARE) || defined(SOLARIS2) || defined(OSF1))
 #define DSOLOCAL __attribute__((visibility("hidden")))
 #else
 #define DSOLOCAL

doc/modsecurity2-apache-reference.xml

@@ -6,7 +6,7 @@
   Manual</title>
 
   <articleinfo>
-    <releaseinfo>Version 2.6.0-trunk (May 29, 2009)</releaseinfo>
+    <releaseinfo>Version 2.6.0-trunk (June 2, 2009)</releaseinfo>
 
     <copyright>
       <year>2004-2009</year>
@@ -2836,11 +2836,12 @@ SecRule <emphasis>ENV:tag</emphasis> "suspicious"</programlisting>
     <section>
       <title><literal moreinfo="none">GEO</literal></title>
 
-      <para><literal>GEO</literal> is a collection populated by the <literal
+      <para><literal>GEO</literal> is a collection populated by the results of
-      moreinfo="none">@geoLookup</literal> operator. It can be used to match
+      the last <literal moreinfo="none">@geoLookup</literal> operator. The
-      geographical fields looked up by an IP address or hostname.</para>
+      collection can be used to match geographical fields looked from an IP
+      address or hostname.</para>
 
-      <para>Available since 2.2.0.</para>
+      <para>Available since ModSecurity 2.5.0.</para>
 
       <para>Fields:</para>
 
@@ -2903,7 +2904,9 @@ SecRule <emphasis>ENV:tag</emphasis> "suspicious"</programlisting>
 
       <para>Example:</para>
 
-      <programlisting format="linespecific">SecRule REMOTE_ADDR "<emphasis>@geoLookup</emphasis>" "chain,drop,msg:'Non-GB IP address'"
+      <programlisting format="linespecific">SecGeoLookupDb /usr/local/geo/data/GeoLiteCity.dat
+...
+SecRule REMOTE_ADDR "<emphasis>@geoLookup</emphasis>" "chain,drop,msg:'Non-GB IP address'"
 SecRule GEO:COUNTRY_CODE "!@streq GB"</programlisting>
     </section>
 
@@ -5455,8 +5458,9 @@ SecRule ARGS:route "!<emphasis>@endsWith %{REQUEST_ADDR}</emphasis>" t:none,deny
       <title><literal>geoLookup</literal></title>
 
       <para><emphasis>Description:</emphasis> This operator looks up various
-      data fields from an IP address or hostname. The results will be captured
+      data fields from an IP address or hostname in the target data. The
-      in the <literal moreinfo="none">GEO</literal> collection.</para>
+      results will be captured in the <literal moreinfo="none">GEO</literal>
+      collection.</para>
 
       <para>You must provide a database via <literal
       moreinfo="none">SecGeoLookupDb</literal> before this operator can be
@@ -5471,7 +5475,9 @@ SecRule ARGS:route "!<emphasis>@endsWith %{REQUEST_ADDR}</emphasis>" t:none,deny
         lookup, then do something like this (look for an empty GEO
         collection):</para>
 
-        <programlisting format="linespecific">SecRule REMOTE_ADDR "@geoLookup" "pass,nolog"
+        <programlisting format="linespecific">SecGeoLookupDb /usr/local/geo/data/GeoLiteCity.dat
+...
+SecRule REMOTE_ADDR "@geoLookup" "pass,nolog"
 SecRule &amp;GEO "@eq 0" "deny,status:403,msg:'Failed to lookup IP'"</programlisting>
       </note>