Adds support for /32 in @ipMatch cidr notation.

/32 is the representation of the ip itself. Not sure if it is needed, but there is a complaint for that: #849
2025-08-13 13:26:01 +03:00 · 2018-10-15 09:58:19 -03:00 · 2018-10-15 09:58:19 -03:00 · 120108fd33
commit 120108fd33
parent a5a40a71a9
4 changed files with 105 additions and 7 deletions
--- a/2
+++ b/2
@ -1,6 +1,8 @@
 v3.0.3 - YYYY-MMM-DD (to be released)
 -------------------------------------

+ - @ipMatch "Could not add entry" on slash/32 notation in 2.9.0
+   [Issue #849 - @zimmerle, @dune73]
 - Using values after transformation at MATCHED_VARS
   [0x14316 - @zimmerle]
 - Adds support to UpdateActionById.
--- a/Makefile.am
+++ b/Makefile.am
@ -218,6 +218,7 @@ TESTS+=test/test-cases/regression/variable-ARGS_GET.json
 TESTS+=test/test-cases/regression/config-update-target-by-msg.json
 TESTS+=test/test-cases/regression/variable-UNIQUE_ID.json
 TESTS+=test/test-cases/regression/issue-1528.json
+TESTS+=test/test-cases/regression/issue-849.json
 TESTS+=test/test-cases/regression/variable-REQBODY_PROCESSOR_ERROR.json
 TESTS+=test/test-cases/regression/operator-detectxss.json
 TESTS+=test/test-cases/regression/config-update-target-by-tag.json
--- a/src/utils/msc_tree.cc
+++ b/src/utils/msc_tree.cc
@ -846,16 +846,14 @@ TreeNode *TreeAddIP(const char *buffer, CPTTree *tree, int type) {
                ptr = NULL;
                return NULL;
            }
-
-            if(ptr != NULL) {
+            if (ptr != NULL) {
                free(ptr);
                ptr = NULL;
            }
-
-            if(netmask_v4 == 0) {
+            if (netmask_v4 == 0) {
                return NULL;
            }
-            else if (netmask_v4 != NETMASK_32 && pos < strlen(ip_strv4)) {
+            else if (pos < strlen(ip_strv4)) {
                ip_strv4[pos] = '\0';
            }

@ -864,11 +862,9 @@ TreeNode *TreeAddIP(const char *buffer, CPTTree *tree, int type) {
            if (ret <= 0) {
                return NULL;
            }
-
            ip = addr4.s_addr;

            tree->count++;
-
            return CPTAddElement((unsigned char *)&ip, NETMASK_32, tree, netmask_v4);

        case IPV6_TREE:
@ -1067,6 +1063,9 @@ unsigned char is_netmask_v4(char *ip_strv4) {
        }

        cidr = atoi(mask_str);
+        if (cidr == 32) {
+            return 32;
+        }
        if ((cidr < 0) || (cidr > 32)) {
            return 0;
        }
--- a/test/test-cases/regression/issue-849.json
+++ b/test/test-cases/regression/issue-849.json
@ -0,0 +1,96 @@
+[
+  {
+    "enabled": 1,
+    "version_min": 209000,
+    "version_max": -1,
+    "title": "@ipMatch \"Could not add entry\" on slash\/32 notation in 2.9.0 (1/2)",
+    "url": "https:\/\/github.com\/SpiderLabs\/ModSecurity\/issues\/849",
+    "client": {
+      "ip": "200.249.12.31",
+      "port": 2313
+    },
+    "server": {
+      "ip": "200.249.12.31",
+      "port": 80
+    },
+    "request": {
+      "headers": {
+        "Host": "net.tutsplus.com",
+        "User-Agent": "",
+        "Accept": "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8",
+        "Accept-Language": "en-us,en;q=0.5",
+        "Accept-Encoding": "gzip,deflate",
+        "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
+        "Keep-Alive": "300",
+        "Connection": "keep-alive",
+        "Cookie": "PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120",
+        "Pragma": "no-cache",
+        "Cache-Control": "no-cache"
+      },
+      "uri": "\/test.pl?foo=bar",
+      "method": "GET",
+      "http_version": 1.1,
+      "body": ""
+    },
+    "response": {
+      "headers": {
+        "Content-Type": "text\/xml; charset=utf-8\n\r",
+        "Content-Length": "length\n\r"
+      }
+    },
+    "expected": {
+      "http_code": 403
+    },
+    "rules": [
+      "SecRuleEngine On",
+      "SecRule REMOTE_ADDR \"@ipMatch 200.249.12.31\/32\" \"phase:1,nolog,pass,msg:'Localhost connection',id:1,deny,status:403\""
+    ]
+  },
+  {
+    "enabled": 1,
+    "version_min": 209000,
+    "version_max": -1,
+    "title": "@ipMatch \"Could not add entry\" on slash\/32 notation in 2.9.0 (2/2)",
+    "url": "https:\/\/github.com\/SpiderLabs\/ModSecurity\/issues\/849",
+    "client": {
+      "ip": "200.249.12.31",
+      "port": 2313
+    },
+    "server": {
+      "ip": "200.249.12.31",
+      "port": 80
+    },
+    "request": {
+      "headers": {
+        "Host": "net.tutsplus.com",
+        "User-Agent": "",
+        "Accept": "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8",
+        "Accept-Language": "en-us,en;q=0.5",
+        "Accept-Encoding": "gzip,deflate",
+        "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
+        "Keep-Alive": "300",
+        "Connection": "keep-alive",
+        "Cookie": "PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120",
+        "Pragma": "no-cache",
+        "Cache-Control": "no-cache"
+      },
+      "uri": "\/test.pl?foo=bar",
+      "method": "GET",
+      "http_version": 1.1,
+      "body": ""
+    },
+    "response": {
+      "headers": {
+        "Content-Type": "text\/xml; charset=utf-8\n\r",
+        "Content-Length": "length\n\r"
+      }
+    },
+    "expected": {
+      "http_code": 403
+    },
+    "rules": [
+      "SecRuleEngine On",
+      "SecRule REMOTE_ADDR \"@ipMatch 200.249.12.31\" \"phase:1,nolog,pass,msg:'Localhost connection',id:1,deny,status:403\""
+    ]
+  }
+]