Merge 2.5.x changes into trunk.

b1v1r 2009-09-24 19:11:16 +00:00
parent aa1e053025
commit 21ecf99dab
13 changed files with 786 additions and 674 deletions

CHANGES

@ -1,10 +1,17 @@
24 Aug 2009 - trunk 18 Sep 2009 - trunk
------------------- -------------------
18 Sep 2009 - 2.5.10
--------------------
* Cleanup mlogc so that it builds on Windows.
* Added more detailed messages to replace "Unknown error" in filters.
* Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning * Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning
auditlog permissions (especially with mpm-itk). auditlog permissions (especially with mpm-itk).
* Cleaned up SecUploadFileMode implementation. * Cleanup SecUploadFileMode implementation.
* Cleanup build scripts. * Cleanup build scripts.


@ -1049,7 +1049,7 @@ static const char *cmd_audit_log_dirmode(cmd_parms *cmd, void *_dcfg, const char
return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecAuditLogDirMode: %s", p1); return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecAuditLogDirMode: %s", p1);
} }
dcfg->auditlog_dirperms = mode2fileperms((mode_t)mode); dcfg->auditlog_dirperms = mode2fileperms(mode);
} }
return NULL; return NULL;
@ -1069,7 +1069,7 @@ static const char *cmd_audit_log_filemode(cmd_parms *cmd, void *_dcfg, const cha
return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecAuditLogFileMode: %s", p1); return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecAuditLogFileMode: %s", p1);
} }
dcfg->auditlog_fileperms = mode2fileperms((mode_t)mode); dcfg->auditlog_fileperms = mode2fileperms(mode);
} }
return NULL; return NULL;
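Review bot: With the `(mode_t)` cast removed, `mode2fileperms(mode)` relies on an implicit conversion of the local `mode` to `int`, and the declaration and range check of `mode` sit above the hunk in both `cmd_audit_log_dirmode` and `cmd_audit_log_filemode`. If `mode` is a `long` produced by a `strtol` call (not visible here), the narrowing is only safe because of that check, so I would spell it out as `mode2fileperms((int)mode)` with a comment such as `/* mode was range-checked above, so it fits in int */`. These two directives decide who can read the audit log, so a silently truncated value is worth ruling out in the code itself.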


@ -16,6 +16,8 @@
* directly using the email address support@breach.com. * directly using the email address support@breach.com.
* *
*/ */
#include <util_filter.h>
#include "modsecurity.h" #include "modsecurity.h"
#include "apache2.h" #include "apache2.h"
@ -182,14 +184,14 @@ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) {
rc = ap_get_brigade(r->input_filters, bb_in, AP_MODE_READBYTES, APR_BLOCK_READ, HUGE_STRING_LEN); rc = ap_get_brigade(r->input_filters, bb_in, AP_MODE_READBYTES, APR_BLOCK_READ, HUGE_STRING_LEN);
if (rc != APR_SUCCESS) { if (rc != APR_SUCCESS) {
/* NOTE Apache returns -3 here when the request is too large /* NOTE Apache returns AP_FILTER_ERROR here when the request is
* and APR_EGENERAL when the client disconnects. * too large and APR_EGENERAL when the client disconnects.
*/ */
switch(rc) { switch(rc) {
case APR_TIMEUP : case APR_TIMEUP :
*error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc)); *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
return -4; return -4;
case -3 : case AP_FILTER_ERROR :
*error_msg = apr_psprintf(msr->mp, "Error reading request body: HTTP Error 413 - Request entity too large. (Most likely.)"); *error_msg = apr_psprintf(msr->mp, "Error reading request body: HTTP Error 413 - Request entity too large. (Most likely.)");
return -3; return -3;
case APR_EGENERAL : case APR_EGENERAL :
@ -417,8 +419,22 @@ static apr_status_t send_of_brigade(modsec_rec *msr, ap_filter_t *f) {
} }
if (msr->txcfg->debuglog_level >= log_level) { if (msr->txcfg->debuglog_level >= log_level) {
switch(rc) {
case AP_NOBODY_WROTE :
msr_log(msr, log_level, "Output filter: Error while forwarding response data (%d): No data", rc);
break;
case AP_FILTER_ERROR :
/* Look like this is caused by the error
* already being handled, so we should ignore it
*
msr_log(msr, log_level, "Output filter: Error while forwarding response data (%d): Filter error", rc);
*/
break;
default :
msr_log(msr, log_level, "Output filter: Error while forwarding response data (%d): %s", msr_log(msr, log_level, "Output filter: Error while forwarding response data (%d): %s",
rc, get_apr_error(msr->mp, rc)); rc, get_apr_error(msr->mp, rc));
break;
}
} }
return rc; return rc;
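Review bot: The `AP_FILTER_ERROR` case in `send_of_brigade` keeps its `msr_log` call inside the block comment, so that status is now returned with no trace at any debug level, on the stated guess that the error was already handled elsewhere. Since the debug log is what an operator uses to reconstruct what happened to a response, I would log it at a more verbose level rather than comment the call out, e.g. `msr_log(msr, 9, "Output filter: Filter error (%d) while forwarding response data, assumed already handled", rc);`, and delete the dead code. In `read_request_body` the case label is now symbolic but the `return -3;` under it is still a bare number; a short comment saying that callers match on this value would help. Both function bodies continue outside their hunks.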


@ -26,7 +26,7 @@ AC_MSG_CHECKING([for libapu config script])
for x in ${test_paths}; do for x in ${test_paths}; do
dnl # Determine if the script was specified and use it directly dnl # Determine if the script was specified and use it directly
if test ! -d "$x" -a -e "$x"; then if test ! -d "$x" -a -e "$x"; then
APU_CONFIG="`basename $x`" APU_CONFIG=$x
apu_path="no" apu_path="no"
break break
fi fi
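Review bot: `APU_CONFIG=$x` drops the quoting the old line had; the assignment itself is not word-split, but the rest of the macro writes its values quoted (`apu_path="no"`, `test ! -d "$x"`), so `APU_CONFIG="$x"` would be the consistent form. Keeping the full path instead of the basename also means every later expansion of `APU_CONFIG` has to be quoted for a path that contains spaces; those uses are outside the hunk, so please check them. The liblua section further down makes the same change (`LUA_CONFIG="$x"` to `LUA_CONFIG=$x`) and the same comment applies there.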


@ -25,7 +25,7 @@ AC_MSG_CHECKING([for liblua config script])
for x in ${test_paths}; do for x in ${test_paths}; do
dnl # Determine if the script was specified and use it directly dnl # Determine if the script was specified and use it directly
if test ! -d "$x" -a -e "$x"; then if test ! -d "$x" -a -e "$x"; then
LUA_CONFIG="$x" LUA_CONFIG=$x
break break
fi fi

apache2/configure vendored

@ -5571,7 +5571,7 @@ $as_echo_n "checking for libapu config script... " >&6; }
for x in ${test_paths}; do for x in ${test_paths}; do
if test ! -d "$x" -a -e "$x"; then if test ! -d "$x" -a -e "$x"; then
APU_CONFIG="`basename $x`" APU_CONFIG=$x
apu_path="no" apu_path="no"
break break
fi fi
@ -5721,7 +5721,7 @@ $as_echo_n "checking for liblua config script... " >&6; }
for x in ${test_paths}; do for x in ${test_paths}; do
if test ! -d "$x" -a -e "$x"; then if test ! -d "$x" -a -e "$x"; then
LUA_CONFIG="$x" LUA_CONFIG=$x
break break
fi fi

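--- a/apache2/mlogc-src/Makefile.win
+++ b/apache2/mlogc-src/Makefile.win
@@ -0,0 +1,57 @@
+###########################################################################
+### You Will need to modify the following variables for your system
+###########################################################################
+###########################################################################
+# Path to Apache httpd installation
+BASE = C:\Apache2
+# Paths to required libraries
+PCRE = C:\work\pcre-7.0-lib
+CURL = C:\work\libcurl-7.19.3-win32-ssl-msvc
+# Linking libraries
+LIBS = $(BASE)\lib\libapr-1.lib \
+$(BASE)\lib\libaprutil-1.lib \
+$(PCRE)\lib\pcre.lib \
+$(CURL)\lib\Release\curllib.lib \
+wsock32.lib
+###########################################################################
+###########################################################################
+CC = cL
+MT = mt
+DEFS = /nologo /O2 /W3 -DWIN32 -DWINNT -Dinline=APR_INLINE -D_CONSOLE
+EXE = mlogc.exe
+INCLUDES = -I. -I.. \
+-I$(PCRE)\include -I$(PCRE) \
+-I$(CURL)\include -I$(CURL) \
+-I$(BASE)\include
+CFLAGS= -MT $(INCLUDES) $(DEFS)
+LDFLAGS =
+OBJS = mlogc.obj
+all: $(EXE)
+.c.obj:
+$(CC) $(CFLAGS) -c $< -Fo$@
+.cpp.obj:
+$(CC) $(CFLAGS) -c $< -Fo$@
+$(EXE): $(OBJS)
+$(CC) $(CFLAGS) $(LDFLAGS) $(OBJS) $(LIBS) /link /NODEFAULTLIB:MSVCRT.lib /subsystem:console
+install: $(EXE)
+copy $(EXE) $(BASE)\bin
+clean:
+del $(OBJS) $(EXE) *.dll *.lib *.pdb *.idb *.ilk *.exp *.res *.rc *.bin *.manifest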
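Review bot: The `$(EXE)` rule passes nothing to the linker beyond `/NODEFAULTLIB` and `/subsystem`, so a binary that links libcurl and wsock32 and consumes audit-log data is built without the linker's exploit mitigations being requested; where the toolchain supports them I would write `/link /DYNAMICBASE /NXCOMPAT /NODEFAULTLIB:MSVCRT.lib /subsystem:console`. Note that `LDFLAGS` sits before `/link` on that line, so anything put there goes to the compiler driver rather than the linker. `CC = cL` would read better as `cl`, and the `clean` rule's `*.dll *.lib` wildcards will also delete any unrelated libraries that happen to be in this directory.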


@ -80,8 +80,8 @@ do { \
#define CMDLINE_OPTS "fvh" #define CMDLINE_OPTS "fvh"
#define IN 0 #define TXIN 0
#define OUT 1 #define TXOUT 1
#define STATUSBUF_SIZE 256 #define STATUSBUF_SIZE 256
@ -549,7 +549,7 @@ static void transaction_log(int direction, const char *entry)
char msg[8196] = ""; char msg[8196] = "";
apr_snprintf(msg, sizeof(msg), "%u %s: %s\n", (unsigned int)apr_time_sec(apr_time_now()), apr_snprintf(msg, sizeof(msg), "%u %s: %s\n", (unsigned int)apr_time_sec(apr_time_now()),
(direction == IN ? "IN" : "OUT"), entry); (direction == TXIN ? "IN" : "OUT"), entry);
nbytes = strlen(msg); nbytes = strlen(msg);
apr_file_write_full(transaction_log_fd, msg, nbytes, &nbytes_written); apr_file_write_full(transaction_log_fd, msg, nbytes, &nbytes_written);
} }
@ -954,25 +954,30 @@ static void logc_shutdown(int rc)
static int handle_signals(int signum) static int handle_signals(int signum)
{ {
switch (signum) { switch (signum) {
case SIGHUP:
error_log(LOG_NOTICE, NULL, "Caught SIGHUP, ignored.");
/* ENH: reload config? */
return 0;
case SIGINT: case SIGINT:
error_log(LOG_NOTICE, NULL, "Caught SIGINT, shutting down."); error_log(LOG_NOTICE, NULL, "Caught SIGINT, shutting down.");
logc_shutdown(0); logc_shutdown(0);
case SIGTERM: case SIGTERM:
error_log(LOG_NOTICE, NULL, "Caught SIGTERM, shutting down."); error_log(LOG_NOTICE, NULL, "Caught SIGTERM, shutting down.");
logc_shutdown(0); logc_shutdown(0);
#ifndef WIN32
case SIGHUP:
error_log(LOG_NOTICE, NULL, "Caught SIGHUP, ignored.");
/* ENH: reload config? */
return 0;
case SIGALRM: case SIGALRM:
error_log(LOG_DEBUG, NULL, "Caught SIGALRM, ignored."); error_log(LOG_DEBUG, NULL, "Caught SIGALRM, ignored.");
return 0; return 0;
case SIGTSTP: case SIGTSTP:
error_log(LOG_DEBUG, NULL, "Caught SIGTSTP, ignored."); error_log(LOG_DEBUG, NULL, "Caught SIGTSTP, ignored.");
return 0; return 0;
#endif /* WIN32 */
} }
#ifndef WIN32
error_log(LOG_NOTICE, NULL, "Caught unexpected signal %d: %s", signum, apr_signal_description_get(signum)); error_log(LOG_NOTICE, NULL, "Caught unexpected signal %d: %s", signum, apr_signal_description_get(signum));
#else
error_log(LOG_NOTICE, NULL, "Caught unexpected signal %d", signum);
#endif /* WIN32 */
logc_shutdown(1); logc_shutdown(1);
return 0; /* should never reach */ return 0; /* should never reach */
@ -1283,7 +1288,7 @@ static void * APR_THREAD_FUNC thread_worker(apr_thread_t *thread, void *data)
/* Deal with the previous entry. */ /* Deal with the previous entry. */
if (entry != NULL) { if (entry != NULL) {
error_log(LOG_DEBUG, thread, "Removing previous entry from storage."); error_log(LOG_DEBUG, thread, "Removing previous entry from storage.");
transaction_log(OUT, entry->line); transaction_log(TXOUT, entry->line);
/* Remove previous entry from storage. */ /* Remove previous entry from storage. */
apr_hash_set(in_progress, &entry->id, sizeof(entry->id), NULL); apr_hash_set(in_progress, &entry->id, sizeof(entry->id), NULL);
@ -1539,7 +1544,7 @@ static void * APR_THREAD_FUNC thread_worker(apr_thread_t *thread, void *data)
*(entry_t **)apr_array_push(queue) = entry; *(entry_t **)apr_array_push(queue) = entry;
} }
else { else {
transaction_log(OUT, entry->line); transaction_log(TXOUT, entry->line);
free((void *)entry->line); free((void *)entry->line);
free(entry); free(entry);
} }
@ -1723,7 +1728,7 @@ static void * APR_THREAD_FUNC thread_manager(apr_thread_t *thread, void *data)
return NULL; return NULL;
} }
#ifndef WIN32
/** /**
* Thread to handle all signals * Thread to handle all signals
*/ */
@ -1740,7 +1745,7 @@ static void * APR_THREAD_FUNC thread_signals(apr_thread_t *thread, void *data)
return NULL; return NULL;
} }
#endif /* WIN32 */
/** /**
* The main loop where we receive log entries from * The main loop where we receive log entries from
@ -1825,7 +1830,7 @@ static void receive_loop(void) {
drop_next = 0; drop_next = 0;
} }
else { else {
transaction_log(IN, buf + evnt); transaction_log(TXIN, buf + evnt);
error_log(LOG_DEBUG2, NULL, "Received audit log entry (count %lu queue %d workers %d): %s", error_log(LOG_DEBUG2, NULL, "Received audit log entry (count %lu queue %d workers %d): %s",
entry_counter, queue->nelts, current_workers, _log_escape(tmp_pool, (buf + evnt), strlen(buf + evnt))); entry_counter, queue->nelts, current_workers, _log_escape(tmp_pool, (buf + evnt), strlen(buf + evnt)));
add_entry(buf + evnt, 1); add_entry(buf + evnt, 1);
@ -1921,7 +1926,7 @@ static void start_management_thread(void)
logc_shutdown(1); logc_shutdown(1);
} }
} }
#ifndef WIN32
/** /**
* Creates a thread to handle all signals * Creates a thread to handle all signals
*/ */
@ -1941,6 +1946,7 @@ static void start_signal_thread(void)
logc_shutdown(1); logc_shutdown(1);
} }
} }
#endif /* WIN32 */
/** /**
* Usage text. * Usage text.
@ -1982,7 +1988,13 @@ int main(int argc, const char * const argv[]) {
logc_pid = getpid(); logc_pid = getpid();
apr_pool_create(&pool, NULL); apr_pool_create(&pool, NULL);
apr_pool_create(&recv_pool, NULL); apr_pool_create(&recv_pool, NULL);
#ifndef WIN32
apr_setup_signal_thread(); apr_setup_signal_thread();
#else
apr_signal(SIGINT, handle_signals);
apr_signal(SIGTERM, handle_signals);
#endif /* WIN32 */
if (argc < 2) { if (argc < 2) {
usage(); usage();
@ -2034,7 +2046,9 @@ int main(int argc, const char * const argv[]) {
server_error = 0; server_error = 0;
start_management_thread(); start_management_thread();
#ifndef WIN32
start_signal_thread(); start_signal_thread();
#endif /* WIN32 */
/* Process stdin until EOF */ /* Process stdin until EOF */
receive_loop(); receive_loop();
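Review bot: On Windows `main` now registers the handler with `apr_signal(SIGINT, handle_signals);`, but `handle_signals` is declared `static int handle_signals(int signum)` while APR's `apr_sigfunc_t` is a `void (int)` function, so the call passes an incompatible function pointer. Register a small `static void` wrapper that calls `handle_signals(signum)` and discards the result, i.e. `apr_signal(SIGINT, handle_signals_win32);` and the same for `SIGTERM`. The handler also calls `error_log` and `logc_shutdown` directly from signal context, whereas the non-Windows build routes signals through a dedicated thread; whether those calls are safe to run concurrently with the worker threads is not visible here and deserves a comment. `main` continues outside its hunks.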


@ -27,12 +27,28 @@
#include <apr_lib.h> #include <apr_lib.h>
/* NOTE: Be careful as these can ONLY be used on static values for X. /**
* NOTE: Be careful as these can ONLY be used on static values for X.
* (i.e. VALID_HEX(c++) will NOT work) * (i.e. VALID_HEX(c++) will NOT work)
*/ */
#define VALID_HEX(X) (((X >= '0')&&(X <= '9')) || ((X >= 'a')&&(X <= 'f')) || ((X >= 'A')&&(X <= 'F'))) #define VALID_HEX(X) (((X >= '0')&&(X <= '9')) || ((X >= 'a')&&(X <= 'f')) || ((X >= 'A')&&(X <= 'F')))
#define ISODIGIT(X) ((X >= '0')&&(X <= '7')) #define ISODIGIT(X) ((X >= '0')&&(X <= '7'))
#if (defined(WIN32) || defined(NETWARE))
/** Windows does not define all the octal modes */
#define S_IXOTH 00001
#define S_IWOTH 00002
#define S_IROTH 00004
#define S_IXGRP 00010
#define S_IWGRP 00020
#define S_IRGRP 00040
#define S_IXUSR 00100
#define S_IWUSR 00200
#define S_IRUSR 00400
#define S_ISVTX 01000
#define S_ISGID 02000
#define S_ISUID 04000
#endif /* defined(WIN32 || NETWARE) */
/** /**
* *
@ -418,7 +434,7 @@ char *current_filetime(apr_pool_t *mp) {
/** /**
* *
*/ */
int msc_mkstemp_ex(char *template, mode_t mode) { int msc_mkstemp_ex(char *template, int mode) {
/* ENH Use apr_file_mktemp instead. */ /* ENH Use apr_file_mktemp instead. */
#if !(defined(WIN32)||defined(NETWARE)) #if !(defined(WIN32)||defined(NETWARE))
@ -669,7 +685,7 @@ int js_decode_nonstrict_inplace(unsigned char *input, long int input_len) {
j = 2; j = 2;
buf[j] = '\0'; buf[j] = '\0';
} }
*d++ = strtol(buf, NULL, 8); *d++ = (unsigned char)strtol(buf, NULL, 8);
i += 1 + j; i += 1 + j;
count++; count++;
} }
@ -1362,7 +1378,7 @@ int css_decode_inplace(unsigned char *input, long int input_len) {
/** /**
* Translate UNIX octal umask/mode to APR apr_fileperms_t * Translate UNIX octal umask/mode to APR apr_fileperms_t
*/ */
apr_fileperms_t mode2fileperms(mode_t mode) { apr_fileperms_t mode2fileperms(int mode) {
apr_fileperms_t perms = 0; apr_fileperms_t perms = 0;
if (mode & S_IXOTH) perms |= APR_WEXECUTE; if (mode & S_IXOTH) perms |= APR_WEXECUTE;
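Review bot: The new `S_I*` block is defined unconditionally whenever `WIN32` or `NETWARE` is set, so a toolchain whose `<sys/stat.h>` already provides some of these names (MinGW does, as far as I know) gets macro redefinitions; guard each one, e.g. `#ifndef S_IXOTH` / `#define S_IXOTH 00001` / `#endif`. A comment on the block should also say that these values exist only so that `mode2fileperms` compiles, because how far the resulting APR permission bits are honoured on Windows is not shown here, and an administrator setting SecAuditLogFileMode may otherwise assume POSIX semantics. `mode2fileperms` continues past the end of the hunk.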


@ -56,7 +56,7 @@ char DSOLOCAL *current_logtime(apr_pool_t *mp);
char DSOLOCAL *current_filetime(apr_pool_t *mp); char DSOLOCAL *current_filetime(apr_pool_t *mp);
int DSOLOCAL msc_mkstemp_ex(char *template, mode_t mode); int DSOLOCAL msc_mkstemp_ex(char *template, int mode);
int DSOLOCAL msc_mkstemp(char *template); int DSOLOCAL msc_mkstemp(char *template);
@ -99,6 +99,6 @@ char DSOLOCAL *resolve_relative_path(apr_pool_t *pool, const char *parent_filena
int DSOLOCAL css_decode_inplace(unsigned char *input, long int input_len); int DSOLOCAL css_decode_inplace(unsigned char *input, long int input_len);
apr_fileperms_t DSOLOCAL mode2fileperms(mode_t mode); apr_fileperms_t DSOLOCAL mode2fileperms(int mode);
#endif #endif


@ -156,7 +156,6 @@ for my $type (@TYPES) {
for my $cfg (sort @cfg) { for my $cfg (sort @cfg) {
runfile($dir, $cfg); runfile($dir, $cfg);
} }
} }
done(); done();
@ -636,9 +635,12 @@ sub httpd_stop {
unless (defined match_log("error", qr/caught SIG[A-Z]+, shutting down/, 60, "Waiting on httpd to stop: ")) { unless (defined match_log("error", qr/caught SIG[A-Z]+, shutting down/, 60, "Waiting on httpd to stop: ")) {
vrb(join(" ", map { quote_shell($_) } @p)); vrb(join(" ", map { quote_shell($_) } @p));
msg("Httpd server failed to shutdown."); msg("Httpd server failed to shutdown.");
sleep 0.5;
return -1; return -1;
} }
sleep 0.5;
return $rc; return $rc;
} }
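Review bot: `sleep 0.5;` in `httpd_stop` does not pause at all with Perl's built-in `sleep`, which takes whole seconds and truncates the argument to 0. Unless `Time::HiRes` is imported with its `sleep` near the top of the script (outside this hunk), use `select(undef, undef, undef, 0.5);` or add `use Time::HiRes qw(sleep);`. A comment saying what the pause is waiting for would help too, since the same line was added on both the failure path and the normal return.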


@ -6,7 +6,7 @@
Manual</title> Manual</title>
<articleinfo> <articleinfo>
<releaseinfo>Version 2.6.0-trunk (Aug 24, 2009)</releaseinfo> <releaseinfo>Version 2.6.0-trunk (Sep 18, 2009)</releaseinfo>
<copyright> <copyright>
<year>2004-2009</year> <year>2004-2009</year>