Merge 2.5.x changes into trunk.

This commit is contained in:
b1v1r 2009-09-24 19:11:16 +00:00
parent aa1e053025
commit 21ecf99dab
13 changed files with 786 additions and 674 deletions

11
CHANGES

@ -1,10 +1,17 @@
24 Aug 2009 - trunk
18 Sep 2009 - trunk
-------------------
18 Sep 2009 - 2.5.10
--------------------
* Cleanup mlogc so that it builds on Windows.
* Added more detailed messages to replace "Unknown error" in filters.
* Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning
auditlog permissions (especially with mpm-itk).
* Cleaned up SecUploadFileMode implementation.
* Cleanup SecUploadFileMode implementation.
* Cleanup build scripts.


@ -1049,7 +1049,7 @@ static const char *cmd_audit_log_dirmode(cmd_parms *cmd, void *_dcfg, const char
return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecAuditLogDirMode: %s", p1);
}
dcfg->auditlog_dirperms = mode2fileperms((mode_t)mode);
dcfg->auditlog_dirperms = mode2fileperms(mode);
}
return NULL;
@ -1069,7 +1069,7 @@ static const char *cmd_audit_log_filemode(cmd_parms *cmd, void *_dcfg, const cha
return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecAuditLogFileMode: %s", p1);
}
dcfg->auditlog_fileperms = mode2fileperms((mode_t)mode);
dcfg->auditlog_fileperms = mode2fileperms(mode);
}
return NULL;


@ -16,6 +16,8 @@
* directly using the email address support@breach.com.
*
*/
#include <util_filter.h>
#include "modsecurity.h"
#include "apache2.h"
@ -182,14 +184,14 @@ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) {
rc = ap_get_brigade(r->input_filters, bb_in, AP_MODE_READBYTES, APR_BLOCK_READ, HUGE_STRING_LEN);
if (rc != APR_SUCCESS) {
/* NOTE Apache returns -3 here when the request is too large
* and APR_EGENERAL when the client disconnects.
/* NOTE Apache returns AP_FILTER_ERROR here when the request is
* too large and APR_EGENERAL when the client disconnects.
*/
switch(rc) {
case APR_TIMEUP :
*error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
return -4;
case -3 :
case AP_FILTER_ERROR :
*error_msg = apr_psprintf(msr->mp, "Error reading request body: HTTP Error 413 - Request entity too large. (Most likely.)");
return -3;
case APR_EGENERAL :
@ -417,8 +419,22 @@ static apr_status_t send_of_brigade(modsec_rec *msr, ap_filter_t *f) {
}
if (msr->txcfg->debuglog_level >= log_level) {
msr_log(msr, log_level, "Output filter: Error while forwarding response data (%d): %s",
rc, get_apr_error(msr->mp, rc));
switch(rc) {
case AP_NOBODY_WROTE :
msr_log(msr, log_level, "Output filter: Error while forwarding response data (%d): No data", rc);
break;
case AP_FILTER_ERROR :
/* Look like this is caused by the error
* already being handled, so we should ignore it
*
msr_log(msr, log_level, "Output filter: Error while forwarding response data (%d): Filter error", rc);
*/
break;
default :
msr_log(msr, log_level, "Output filter: Error while forwarding response data (%d): %s",
rc, get_apr_error(msr->mp, rc));
break;
}
}
return rc;
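Review bot: The new AP_FILTER_ERROR branch in send_of_brigade swallows the error with the diagnostic left as commented-out code (the msr_log call inside the block comment), which hides from the debug log that a response body was not forwarded. Either state the reason as a plain comment and drop the dead call, e.g. `/* A filter error means the failure was already reported by the filter that raised it; do not log it again. */`, or keep a real message at a higher debug level so the dropped data is still traceable. The leading comment also reads "Look like" where "Looks like" is meant. The closing brace of send_of_brigade is outside the hunk.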


@ -26,7 +26,7 @@ AC_MSG_CHECKING([for libapu config script])
for x in ${test_paths}; do
dnl # Determine if the script was specified and use it directly
if test ! -d "$x" -a -e "$x"; then
APU_CONFIG="`basename $x`"
APU_CONFIG=$x
apu_path="no"
break
fi
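Review bot: The new `APU_CONFIG=$x` keeps the full user-supplied path, but the guard on the line above only requires the path to exist (`-e "$x"`), so a plain non-executable file is accepted as the config script and, presumably, invoked later in the macro (outside the hunk); tightening it to `if test ! -d "$x" -a -x "$x"; then` rejects that case up front. The same applies to the LUA_CONFIG hunk in find_lua.m4, and the vendored configure should be regenerated from the fixed m4 sources rather than patched by hand. Dropping the quotes around `$x` is harmless in a shell assignment, but keeping them would match the old `LUA_CONFIG="$x"` style.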


@ -25,7 +25,7 @@ AC_MSG_CHECKING([for liblua config script])
for x in ${test_paths}; do
dnl # Determine if the script was specified and use it directly
if test ! -d "$x" -a -e "$x"; then
LUA_CONFIG="$x"
LUA_CONFIG=$x
break
fi

4
apache2/configure vendored

@ -5571,7 +5571,7 @@ $as_echo_n "checking for libapu config script... " >&6; }
for x in ${test_paths}; do
if test ! -d "$x" -a -e "$x"; then
APU_CONFIG="`basename $x`"
APU_CONFIG=$x
apu_path="no"
break
fi
@ -5721,7 +5721,7 @@ $as_echo_n "checking for liblua config script... " >&6; }
for x in ${test_paths}; do
if test ! -d "$x" -a -e "$x"; then
LUA_CONFIG="$x"
LUA_CONFIG=$x
break
fi

57
apache2/mlogc-src/Makefile.win Executable file

@ -0,0 +1,57 @@
###########################################################################
### You Will need to modify the following variables for your system
###########################################################################
###########################################################################
# Path to Apache httpd installation
BASE = C:\Apache2
# Paths to required libraries
PCRE = C:\work\pcre-7.0-lib
CURL = C:\work\libcurl-7.19.3-win32-ssl-msvc
# Linking libraries
LIBS = $(BASE)\lib\libapr-1.lib \
$(BASE)\lib\libaprutil-1.lib \
$(PCRE)\lib\pcre.lib \
$(CURL)\lib\Release\curllib.lib \
wsock32.lib
###########################################################################
###########################################################################
CC = cL
MT = mt
DEFS = /nologo /O2 /W3 -DWIN32 -DWINNT -Dinline=APR_INLINE -D_CONSOLE
EXE = mlogc.exe
INCLUDES = -I. -I.. \
-I$(PCRE)\include -I$(PCRE) \
-I$(CURL)\include -I$(CURL) \
-I$(BASE)\include
CFLAGS= -MT $(INCLUDES) $(DEFS)
LDFLAGS =
OBJS = mlogc.obj
all: $(EXE)
.c.obj:
$(CC) $(CFLAGS) -c $< -Fo$@
.cpp.obj:
$(CC) $(CFLAGS) -c $< -Fo$@
$(EXE): $(OBJS)
$(CC) $(CFLAGS) $(LDFLAGS) $(OBJS) $(LIBS) /link /NODEFAULTLIB:MSVCRT.lib /subsystem:console
install: $(EXE)
copy $(EXE) $(BASE)\bin
clean:
del $(OBJS) $(EXE) *.dll *.lib *.pdb *.idb *.ilk *.exp *.res *.rc *.bin *.manifest
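Review bot: `CC = cL` looks like a typo for the MSVC driver and should read `CC = cl`; it only works because Windows resolves the name case-insensitively. `MT = mt` is defined but never used in this file, so either drop it or add the manifest-embedding step it was meant for. The `clean` target also deletes `*.dll *.lib *.rc *.bin *.manifest` from the current directory with wildcards, which can remove files that are not build outputs; restricting it to the artefacts this Makefile produces (`$(OBJS) $(EXE) *.pdb *.idb *.ilk *.exp`) is safer.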


@ -80,8 +80,8 @@ do { \
#define CMDLINE_OPTS "fvh"
#define IN 0
#define OUT 1
#define TXIN 0
#define TXOUT 1
#define STATUSBUF_SIZE 256
@ -549,7 +549,7 @@ static void transaction_log(int direction, const char *entry)
char msg[8196] = "";
apr_snprintf(msg, sizeof(msg), "%u %s: %s\n", (unsigned int)apr_time_sec(apr_time_now()),
(direction == IN ? "IN" : "OUT"), entry);
(direction == TXIN ? "IN" : "OUT"), entry);
nbytes = strlen(msg);
apr_file_write_full(transaction_log_fd, msg, nbytes, &nbytes_written);
}
@ -954,25 +954,30 @@ static void logc_shutdown(int rc)
static int handle_signals(int signum)
{
switch (signum) {
case SIGHUP:
error_log(LOG_NOTICE, NULL, "Caught SIGHUP, ignored.");
/* ENH: reload config? */
return 0;
case SIGINT:
error_log(LOG_NOTICE, NULL, "Caught SIGINT, shutting down.");
logc_shutdown(0);
case SIGTERM:
error_log(LOG_NOTICE, NULL, "Caught SIGTERM, shutting down.");
logc_shutdown(0);
#ifndef WIN32
case SIGHUP:
error_log(LOG_NOTICE, NULL, "Caught SIGHUP, ignored.");
/* ENH: reload config? */
return 0;
case SIGALRM:
error_log(LOG_DEBUG, NULL, "Caught SIGALRM, ignored.");
return 0;
case SIGTSTP:
error_log(LOG_DEBUG, NULL, "Caught SIGTSTP, ignored.");
return 0;
#endif /* WIN32 */
}
#ifndef WIN32
error_log(LOG_NOTICE, NULL, "Caught unexpected signal %d: %s", signum, apr_signal_description_get(signum));
#else
error_log(LOG_NOTICE, NULL, "Caught unexpected signal %d", signum);
#endif /* WIN32 */
logc_shutdown(1);
return 0; /* should never reach */
@ -1283,7 +1288,7 @@ static void * APR_THREAD_FUNC thread_worker(apr_thread_t *thread, void *data)
/* Deal with the previous entry. */
if (entry != NULL) {
error_log(LOG_DEBUG, thread, "Removing previous entry from storage.");
transaction_log(OUT, entry->line);
transaction_log(TXOUT, entry->line);
/* Remove previous entry from storage. */
apr_hash_set(in_progress, &entry->id, sizeof(entry->id), NULL);
@ -1539,7 +1544,7 @@ static void * APR_THREAD_FUNC thread_worker(apr_thread_t *thread, void *data)
*(entry_t **)apr_array_push(queue) = entry;
}
else {
transaction_log(OUT, entry->line);
transaction_log(TXOUT, entry->line);
free((void *)entry->line);
free(entry);
}
@ -1723,7 +1728,7 @@ static void * APR_THREAD_FUNC thread_manager(apr_thread_t *thread, void *data)
return NULL;
}
#ifndef WIN32
/**
* Thread to handle all signals
*/
@ -1740,7 +1745,7 @@ static void * APR_THREAD_FUNC thread_signals(apr_thread_t *thread, void *data)
return NULL;
}
#endif /* WIN32 */
/**
* The main loop where we receive log entries from
@ -1825,7 +1830,7 @@ static void receive_loop(void) {
drop_next = 0;
}
else {
transaction_log(IN, buf + evnt);
transaction_log(TXIN, buf + evnt);
error_log(LOG_DEBUG2, NULL, "Received audit log entry (count %lu queue %d workers %d): %s",
entry_counter, queue->nelts, current_workers, _log_escape(tmp_pool, (buf + evnt), strlen(buf + evnt)));
add_entry(buf + evnt, 1);
@ -1921,7 +1926,7 @@ static void start_management_thread(void)
logc_shutdown(1);
}
}
#ifndef WIN32
/**
* Creates a thread to handle all signals
*/
@ -1941,6 +1946,7 @@ static void start_signal_thread(void)
logc_shutdown(1);
}
}
#endif /* WIN32 */
/**
* Usage text.
@ -1982,7 +1988,13 @@ int main(int argc, const char * const argv[]) {
logc_pid = getpid();
apr_pool_create(&pool, NULL);
apr_pool_create(&recv_pool, NULL);
#ifndef WIN32
apr_setup_signal_thread();
#else
apr_signal(SIGINT, handle_signals);
apr_signal(SIGTERM, handle_signals);
#endif /* WIN32 */
if (argc < 2) {
usage();
@ -2034,7 +2046,9 @@ int main(int argc, const char * const argv[]) {
server_error = 0;
start_management_thread();
#ifndef WIN32
start_signal_thread();
#endif /* WIN32 */
/* Process stdin until EOF */
receive_loop();
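Review bot: In the WIN32 branch added to main(), `apr_signal(SIGINT, handle_signals)` passes a handler declared `static int handle_signals(int signum)` (top of this section) where apr_signal() expects an apr_sigfunc_t, which APR declares as returning void; this is likely to draw an incompatible-pointer diagnostic on the MSVC build and is undefined behaviour if it is silently accepted. A small void wrapper keeps the int-returning handler for apr_setup_signal_thread() on the other platforms. main() begins before the hunk, so the wrapper has to be placed after handle_signals() and before main().
```c
#ifdef WIN32
/* apr_signal() wants a void(int) handler, while handle_signals() returns
 * int for the signal thread used on the other platforms; adapt it here. */
static void handle_signals_win32(int signum)
{
    (void)handle_signals(signum);
}
#endif /* WIN32 */

/* … unchanged: main() up to the pool creation … */
#ifndef WIN32
    apr_setup_signal_thread();
#else
    apr_signal(SIGINT, handle_signals_win32);
    apr_signal(SIGTERM, handle_signals_win32);
#endif /* WIN32 */
```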


@ -27,12 +27,28 @@
#include <apr_lib.h>
/* NOTE: Be careful as these can ONLY be used on static values for X.
/**
* NOTE: Be careful as these can ONLY be used on static values for X.
* (i.e. VALID_HEX(c++) will NOT work)
*/
#define VALID_HEX(X) (((X >= '0')&&(X <= '9')) || ((X >= 'a')&&(X <= 'f')) || ((X >= 'A')&&(X <= 'F')))
#define ISODIGIT(X) ((X >= '0')&&(X <= '7'))
#if (defined(WIN32) || defined(NETWARE))
/** Windows does not define all the octal modes */
#define S_IXOTH 00001
#define S_IWOTH 00002
#define S_IROTH 00004
#define S_IXGRP 00010
#define S_IWGRP 00020
#define S_IRGRP 00040
#define S_IXUSR 00100
#define S_IWUSR 00200
#define S_IRUSR 00400
#define S_ISVTX 01000
#define S_ISGID 02000
#define S_ISUID 04000
#endif /* defined(WIN32 || NETWARE) */
/**
*
@ -418,7 +434,7 @@ char *current_filetime(apr_pool_t *mp) {
/**
*
*/
int msc_mkstemp_ex(char *template, mode_t mode) {
int msc_mkstemp_ex(char *template, int mode) {
/* ENH Use apr_file_mktemp instead. */
#if !(defined(WIN32)||defined(NETWARE))
@ -669,7 +685,7 @@ int js_decode_nonstrict_inplace(unsigned char *input, long int input_len) {
j = 2;
buf[j] = '\0';
}
*d++ = strtol(buf, NULL, 8);
*d++ = (unsigned char)strtol(buf, NULL, 8);
i += 1 + j;
count++;
}
@ -1362,7 +1378,7 @@ int css_decode_inplace(unsigned char *input, long int input_len) {
/**
* Translate UNIX octal umask/mode to APR apr_fileperms_t
*/
apr_fileperms_t mode2fileperms(mode_t mode) {
apr_fileperms_t mode2fileperms(int mode) {
apr_fileperms_t perms = 0;
if (mode & S_IXOTH) perms |= APR_WEXECUTE;
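Review bot: The WIN32/NETWARE block defines S_IXOTH through S_ISUID unconditionally, so a toolchain whose sys/stat.h already provides some of them (MinGW does, as far as I know) will get macro-redefinition warnings or errors; guarding the block with `#ifndef S_IRUSR` … `#endif`, or each macro individually, avoids that. The closing comment `/* defined(WIN32 || NETWARE) */` also does not match the condition actually tested, `(defined(WIN32) || defined(NETWARE))`. mode2fileperms() now takes an `int`, and its body continues outside the hunk; since the callers in apache2_config.c drop their `(mode_t)` casts in this commit, it is worth confirming that their range check rejects negative values before the bit tests here.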


@ -56,7 +56,7 @@ char DSOLOCAL *current_logtime(apr_pool_t *mp);
char DSOLOCAL *current_filetime(apr_pool_t *mp);
int DSOLOCAL msc_mkstemp_ex(char *template, mode_t mode);
int DSOLOCAL msc_mkstemp_ex(char *template, int mode);
int DSOLOCAL msc_mkstemp(char *template);
@ -99,6 +99,6 @@ char DSOLOCAL *resolve_relative_path(apr_pool_t *pool, const char *parent_filena
int DSOLOCAL css_decode_inplace(unsigned char *input, long int input_len);
apr_fileperms_t DSOLOCAL mode2fileperms(mode_t mode);
apr_fileperms_t DSOLOCAL mode2fileperms(int mode);
#endif



@ -4,8 +4,8 @@
#
# Syntax:
# All: run-tests.pl
# All in file: run-tests.pl file
# Nth in file: run-tests.pl file N
# All in file: run-tests.pl file
# Nth in file: run-tests.pl file N
#
use strict;
use POSIX qw(WIFEXITED WEXITSTATUS WIFSIGNALED WTERMSIG);
@ -22,140 +22,140 @@ my $TOTAL = 0;
my $DEBUG = $ENV{MSC_TEST_DEBUG} || 0;
if (defined $ARGV[0]) {
runfile(dirname($ARGV[0]), basename($ARGV[0]), $ARGV[1]);
done();
runfile(dirname($ARGV[0]), basename($ARGV[0]), $ARGV[1]);
done();
}
for my $type (sort @TYPES) {
my $dir = "$SCRIPTDIR/$type";
my @cfg = ();
my $dir = "$SCRIPTDIR/$type";
my @cfg = ();
# Get test names
opendir(DIR, "$dir") or quit(1, "Failed to open \"$dir\": $!");
@cfg = grep { /\.t$/ && -f "$dir/$_" } readdir(DIR);
closedir(DIR);
# Get test names
opendir(DIR, "$dir") or quit(1, "Failed to open \"$dir\": $!");
@cfg = grep { /\.t$/ && -f "$dir/$_" } readdir(DIR);
closedir(DIR);
for my $cfg (sort @cfg) {
runfile($dir, $cfg);
}
for my $cfg (sort @cfg) {
runfile($dir, $cfg);
}
}
done();
sub runfile {
my($dir, $cfg, $testnum) = @_;
my $fn = "$dir/$cfg";
my @data = ();
my $edata;
my @C = ();
my @test = ();
my $teststr;
my $n = 0;
my $pass = 0;
my($dir, $cfg, $testnum) = @_;
my $fn = "$dir/$cfg";
my @data = ();
my $edata;
my @C = ();
my @test = ();
my $teststr;
my $n = 0;
my $pass = 0;
open(CFG, "<$fn") or quit(1, "Failed to open \"$fn\": $!");
@data = <CFG>;
$edata = q/@C = (/ . join("", @data) . q/)/;
eval $edata;
quit(1, "Failed to read test data \"$cfg\": $@") if ($@);
open(CFG, "<$fn") or quit(1, "Failed to open \"$fn\": $!");
@data = <CFG>;
$edata = q/@C = (/ . join("", @data) . q/)/;
eval $edata;
quit(1, "Failed to read test data \"$cfg\": $@") if ($@);
unless (@C) {
msg("\nNo tests defined for $fn");
return;
}
unless (@C) {
msg("\nNo tests defined for $fn");
return;
}
msg("\nLoaded ".@C." tests from $fn");
for my $t (@C) {
$n++;
next if (defined $testnum and $n != $testnum);
msg("\nLoaded ".@C." tests from $fn");
for my $t (@C) {
$n++;
next if (defined $testnum and $n != $testnum);
my %t = %{$t || {}};
my $id = sprintf("%6d", $n);
my $in = (exists($t{input}) and defined($t{input})) ? $t{input} : "";
my $out;
my $test_in = new FileHandle();
my $test_out = new FileHandle();
my $test_pid;
my $rc = 0;
my $param;
my %t = %{$t || {}};
my $id = sprintf("%6d", $n);
my $in = (exists($t{input}) and defined($t{input})) ? $t{input} : "";
my $out;
my $test_in = new FileHandle();
my $test_out = new FileHandle();
my $test_pid;
my $rc = 0;
my $param;
if ($t{type} eq "tfn") {
$param = escape($t{output});
}
elsif ($t{type} eq "op") {
$param = escape($t{param});
}
elsif ($t{type} eq "action") {
$param = escape($t{param});
}
else {
quit(1, "Unknown type \"$t{type}\" - should be one of: " . join(",",@TYPES));
}
if ($t{type} eq "tfn") {
$param = escape($t{output});
}
elsif ($t{type} eq "op") {
$param = escape($t{param});
}
elsif ($t{type} eq "action") {
$param = escape($t{param});
}
else {
quit(1, "Unknown type \"$t{type}\" - should be one of: " . join(",",@TYPES));
}
@test = ("-t", $t{type}, "-n", $t{name}, "-p", $param, "-D", "$DEBUG", (exists($t{ret}) ? ("-r", $t{ret}) : ()), (exists($t{iterations}) ? ("-I", $t{iterations}) : ()), (exists($t{prerun}) ? ("-P", $t{prerun}) : ()));
$teststr = "$TEST " . join(" ", map { "\"$_\"" } @test);
$test_pid = open2($test_out, $test_in, $TEST, @test) or quit(1, "Failed to execute test: $teststr\": $!");
print $test_in "$in";
close $test_in;
$out = join("\\n", split(/\n/, <$test_out>));
close $test_out;
waitpid($test_pid, 0);
@test = ("-t", $t{type}, "-n", $t{name}, "-p", $param, "-D", "$DEBUG", (exists($t{ret}) ? ("-r", $t{ret}) : ()), (exists($t{iterations}) ? ("-I", $t{iterations}) : ()), (exists($t{prerun}) ? ("-P", $t{prerun}) : ()));
$teststr = "$TEST " . join(" ", map { "\"$_\"" } @test);
$test_pid = open2($test_out, $test_in, $TEST, @test) or quit(1, "Failed to execute test: $teststr\": $!");
print $test_in "$in";
close $test_in;
$out = join("\\n", split(/\n/, <$test_out>));
close $test_out;
waitpid($test_pid, 0);
$rc = $?;
if ( WIFEXITED($rc) ) {
$rc = WEXITSTATUS($rc);
}
elsif( WIFSIGNALED($rc) ) {
msg("Test exited with signal " . WTERMSIG($rc) . ".");
msg("Executed: $teststr");
$rc = -1;
}
else {
msg("Test exited with unknown error.");
$rc = -1;
}
$rc = $?;
if ( WIFEXITED($rc) ) {
$rc = WEXITSTATUS($rc);
}
elsif( WIFSIGNALED($rc) ) {
msg("Test exited with signal " . WTERMSIG($rc) . ".");
msg("Executed: $teststr");
$rc = -1;
}
else {
msg("Test exited with unknown error.");
$rc = -1;
}
if ($rc == 0) {
$pass++;
}
if ($rc == 0) {
$pass++;
}
msg(sprintf("%s) %s \"%s\"%s: %s%s", $id, $t{type}, $t{name}, (exists($t{comment}) ? " $t{comment}" : ""), ($rc ? "failed" : "passed"), ((defined($out) && $out ne "")? " ($out)" : "")));
}
msg(sprintf("%s) %s \"%s\"%s: %s%s", $id, $t{type}, $t{name}, (exists($t{comment}) ? " $t{comment}" : ""), ($rc ? "failed" : "passed"), ((defined($out) && $out ne "")? " ($out)" : "")));
}
$TOTAL += $testnum ? 1 : $n;
$PASSED += $pass;
$TOTAL += $testnum ? 1 : $n;
$PASSED += $pass;
msg(sprintf("Passed: %2d; Failed: %2d", $pass, $testnum ? (1 - $pass) : ($n - $pass)));
msg(sprintf("Passed: %2d; Failed: %2d", $pass, $testnum ? (1 - $pass) : ($n - $pass)));
}
sub escape {
my @new = ();
for my $c (split(//, $_[0])) {
push @new, ((ord($c) >= 0x20 and ord($c) <= 0x7e) ? $c : sprintf("\\x%02x", ord($c)));
}
join('', @new);
my @new = ();
for my $c (split(//, $_[0])) {
push @new, ((ord($c) >= 0x20 and ord($c) <= 0x7e) ? $c : sprintf("\\x%02x", ord($c)));
}
join('', @new);
}
sub msg {
print STDOUT "@_\n" if (@_);
print STDOUT "@_\n" if (@_);
}
sub quit {
my($ec,$msg) = @_;
$ec = 0 unless (defined $_[0]);
my($ec,$msg) = @_;
$ec = 0 unless (defined $_[0]);
msg("$msg") if (defined $msg);
msg("$msg") if (defined $msg);
exit $ec;
exit $ec;
}
sub done {
if ($PASSED != $TOTAL) {
quit(1, "\n$PASSED/$TOTAL tests passed.");
}
if ($PASSED != $TOTAL) {
quit(1, "\n$PASSED/$TOTAL tests passed.");
}
quit(0, "\nAll tests passed ($TOTAL).");
quit(0, "\nAll tests passed ($TOTAL).");
}


@ -6,7 +6,7 @@
Manual</title>
<articleinfo>
<releaseinfo>Version 2.6.0-trunk (Aug 24, 2009)</releaseinfo>
<releaseinfo>Version 2.6.0-trunk (Sep 18, 2009)</releaseinfo>
<copyright>
<year>2004-2009</year>