Adds support for /32 in @ipMatch cidr notation.

/32 is the CIDR representation of the IP address itself. Not sure whether it is needed,
but there is a complaint about it: #849
Felipe Zimmerle 2018-10-15 09:58:19 -03:00
parent a5a40a71a9
commit 120108fd33
4 changed files with 105 additions and 7 deletions


@ -1,6 +1,8 @@
v3.0.3 - YYYY-MMM-DD (to be released) v3.0.3 - YYYY-MMM-DD (to be released)
------------------------------------- -------------------------------------
- @ipMatch "Could not add entry" on slash/32 notation in 2.9.0
[Issue #849 - @zimmerle, @dune73]
- Using values after transformation at MATCHED_VARS - Using values after transformation at MATCHED_VARS
[0x14316 - @zimmerle] [0x14316 - @zimmerle]
- Adds support to UpdateActionById. - Adds support to UpdateActionById.


@ -218,6 +218,7 @@ TESTS+=test/test-cases/regression/variable-ARGS_GET.json
TESTS+=test/test-cases/regression/config-update-target-by-msg.json TESTS+=test/test-cases/regression/config-update-target-by-msg.json
TESTS+=test/test-cases/regression/variable-UNIQUE_ID.json TESTS+=test/test-cases/regression/variable-UNIQUE_ID.json
TESTS+=test/test-cases/regression/issue-1528.json TESTS+=test/test-cases/regression/issue-1528.json
TESTS+=test/test-cases/regression/issue-849.json
TESTS+=test/test-cases/regression/variable-REQBODY_PROCESSOR_ERROR.json TESTS+=test/test-cases/regression/variable-REQBODY_PROCESSOR_ERROR.json
TESTS+=test/test-cases/regression/operator-detectxss.json TESTS+=test/test-cases/regression/operator-detectxss.json
TESTS+=test/test-cases/regression/config-update-target-by-tag.json TESTS+=test/test-cases/regression/config-update-target-by-tag.json


@ -846,16 +846,14 @@ TreeNode *TreeAddIP(const char *buffer, CPTTree *tree, int type) {
ptr = NULL; ptr = NULL;
return NULL; return NULL;
} }
if (ptr != NULL) {
if(ptr != NULL) {
free(ptr); free(ptr);
ptr = NULL; ptr = NULL;
} }
if (netmask_v4 == 0) {
if(netmask_v4 == 0) {
return NULL; return NULL;
} }
else if (netmask_v4 != NETMASK_32 && pos < strlen(ip_strv4)) { else if (pos < strlen(ip_strv4)) {
ip_strv4[pos] = '\0'; ip_strv4[pos] = '\0';
} }
@ -864,11 +862,9 @@ TreeNode *TreeAddIP(const char *buffer, CPTTree *tree, int type) {
if (ret <= 0) { if (ret <= 0) {
return NULL; return NULL;
} }
ip = addr4.s_addr; ip = addr4.s_addr;
tree->count++; tree->count++;
return CPTAddElement((unsigned char *)&ip, NETMASK_32, tree, netmask_v4); return CPTAddElement((unsigned char *)&ip, NETMASK_32, tree, netmask_v4);
case IPV6_TREE: case IPV6_TREE:
@ -1067,6 +1063,9 @@ unsigned char is_netmask_v4(char *ip_strv4) {
} }
cidr = atoi(mask_str); cidr = atoi(mask_str);
if (cidr == 32) {
return 32;
}
if ((cidr < 0) || (cidr > 32)) { if ((cidr < 0) || (cidr > 32)) {
return 0; return 0;
} }
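Review bot: The `netmask_v4 != NETMASK_32` clause added to the truncation guard in the first hunk of this file exempts a literal `/32` suffix from the `ip_strv4[pos] = '\0'` cut, which is only correct if `is_netmask_v4` has already terminated the string at the slash; if it has not, the conversion whose result is checked as `ret <= 0` in the second hunk receives `addr/32`, fails, and TreeAddIP returns NULL, which would reproduce the "Could not add entry" symptom rather than fix it. If it has, the clause is redundant and the original `else if (pos < strlen(ip_strv4))` condition suffices. Either way the exemption needs a why-comment such as `/* /32: is_netmask_v4 already terminated the string at '/', so no cut is needed here */`, or should be dropped. The same question applies to `if (cidr == 32) { return 32; }` in the last hunk: the range check immediately below it already accepts 32, so the early return only changes behaviour if code after the hunk treats 32 differently, and that reason should be stated in a comment. TreeAddIP and is_netmask_v4 both begin before and continue after the visible hunks.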


@ -0,0 +1,96 @@
[
{
"enabled": 1,
"version_min": 209000,
"version_max": -1,
"title": "@ipMatch \"Could not add entry\" on slash\/32 notation in 2.9.0 (1/2)",
"url": "https:\/\/github.com\/SpiderLabs\/ModSecurity\/issues\/849",
"client": {
"ip": "200.249.12.31",
"port": 2313
},
"server": {
"ip": "200.249.12.31",
"port": 80
},
"request": {
"headers": {
"Host": "net.tutsplus.com",
"User-Agent": "",
"Accept": "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8",
"Accept-Language": "en-us,en;q=0.5",
"Accept-Encoding": "gzip,deflate",
"Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
"Keep-Alive": "300",
"Connection": "keep-alive",
"Cookie": "PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120",
"Pragma": "no-cache",
"Cache-Control": "no-cache"
},
"uri": "\/test.pl?foo=bar",
"method": "GET",
"http_version": 1.1,
"body": ""
},
"response": {
"headers": {
"Content-Type": "text\/xml; charset=utf-8\n\r",
"Content-Length": "length\n\r"
}
},
"expected": {
"http_code": 403
},
"rules": [
"SecRuleEngine On",
"SecRule REMOTE_ADDR \"@ipMatch 200.249.12.31\/32\" \"phase:1,nolog,pass,msg:'Localhost connection',id:1,deny,status:403\""
]
},
{
"enabled": 1,
"version_min": 209000,
"version_max": -1,
"title": "@ipMatch \"Could not add entry\" on slash\/32 notation in 2.9.0 (2/2)",
"url": "https:\/\/github.com\/SpiderLabs\/ModSecurity\/issues\/849",
"client": {
"ip": "200.249.12.31",
"port": 2313
},
"server": {
"ip": "200.249.12.31",
"port": 80
},
"request": {
"headers": {
"Host": "net.tutsplus.com",
"User-Agent": "",
"Accept": "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8",
"Accept-Language": "en-us,en;q=0.5",
"Accept-Encoding": "gzip,deflate",
"Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
"Keep-Alive": "300",
"Connection": "keep-alive",
"Cookie": "PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120",
"Pragma": "no-cache",
"Cache-Control": "no-cache"
},
"uri": "\/test.pl?foo=bar",
"method": "GET",
"http_version": 1.1,
"body": ""
},
"response": {
"headers": {
"Content-Type": "text\/xml; charset=utf-8\n\r",
"Content-Length": "length\n\r"
}
},
"expected": {
"http_code": 403
},
"rules": [
"SecRuleEngine On",
"SecRule REMOTE_ADDR \"@ipMatch 200.249.12.31\" \"phase:1,nolog,pass,msg:'Localhost connection',id:1,deny,status:403\""
]
}
]
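Review bot: Both `SecRule REMOTE_ADDR` strings list `pass` and `deny,status:403` in the same action list while `expected.http_code` is 403; a rule is expected to carry a single disruptive action, so `pass` is at best dead and at worst makes the assertion depend on which of the two the engine keeps. Drop it so each case asserts one outcome, i.e. the action list becomes `phase:1,nolog,msg:'Localhost connection',id:1,deny,status:403`. A third case with a client `ip` that differs from `200.249.12.31` in the last host bit and expects a non-403 code would also confirm that `/32` is honoured as an exact-host mask instead of being silently widened.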