github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 13:56:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Makes Curl no longer a mandatory depedency for ModSecurity core

Browse Source 
As reported by Rainer Jung, Curl may not be mandatory to build
	ModSecurity core. This patch make it optional by:
	- Concentrate all downloads using curl on msc_remote_rules.c
	- Split Curl build definitions checks into: WITH_CURL, WITH_REMOTE_RULES
	and WITH_CRYPTO.
	  - WITH_CURL: Contains Culr headers and binaries during the build time.
	  - WITH_REMOTE_RULES: Currently enabled if Curl is present.
	  - WITH_CRYPTO: Set if apr tool was compiled with crypto support.
	- Renames msc_remote_grab_content to msc_remote_download_content
This commit is contained in:
Felipe Zimmerle 2014-11-26 11:14:34 -08:00
parent 94fd570e31
commit 23823bb2c3
12 changed files with 180 additions and 275 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGES
View File

@ -1,3 +1,9 @@
DD mmm YYYY - 2.9.????? (To be released)
-----------------------
* Curl is not a mandatory dependency to ModSecurity core anymore.
[Rainer Jung and ModSecurity team]
18 Nov 2014 - 2.9.0-RC1 18 Nov 2014 - 2.9.0-RC1
----------------------- -----------------------

14
apache2/apache2_config.c
View File

@ -2239,7 +2239,7 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
{ {
char *error_msg = NULL; char *error_msg = NULL;
directory_config *dcfg = (directory_config *)_dcfg; directory_config *dcfg = (directory_config *)_dcfg;
#ifdef WITH_REMOTE_RULES_SUPPORT #ifdef WITH_REMOTE_RULES
int crypto = 0; int crypto = 0;
const char *uri = p2; const char *uri = p2;
const char *key = p1; const char *key = p1;
@ -2247,12 +2247,18 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
if (dcfg == NULL) return NULL; if (dcfg == NULL) return NULL;
#ifdef WITH_REMOTE_RULES_SUPPORT #ifdef WITH_REMOTE_RULES
if (strncasecmp(p1, "crypto", 6) == 0) if (strncasecmp(p1, "crypto", 6) == 0)
{ {
#ifdef WITH_APU_CRYPTO
uri = p3; uri = p3;
key = p2; key = p2;
crypto = 1; crypto = 1;
#else
return apr_psprintf(cmd->pool, "ModSecurity: SecRemoteRule using " \
"`crypto' but ModSecurity was not compiled with crypto " \
"support.");
#endif
} }
if (uri == NULL || key == NULL) if (uri == NULL || key == NULL)
@ -2293,8 +2299,8 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
return error_msg; return error_msg;
} }
#else #else
return apr_psprintf(cmd->pool, "ModSecurity: " \ return apr_psprintf(cmd->pool, "ModSecurity: SecRemoteRules: " \
"SecRemoteRules: ModSecurity was not compiled with such functionality."); "ModSecurity was not compiled with SecRemoteRules support.");
#endif #endif
return NULL; return NULL;

4
apache2/mod_security2.c
View File

@ -68,7 +68,7 @@ unsigned long int DSOLOCAL msc_pcre_match_limit = 0;
unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0; unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
#ifdef WITH_REMOTE_RULES_SUPPORT #ifdef WITH_REMOTE_RULES
msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL; msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
#endif #endif
int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL; int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
@ -761,7 +761,7 @@ static int hook_post_config(apr_pool_t *mp, apr_pool_t *mp_log, apr_pool_t *mp_t
} }
#endif #endif
#ifdef WITH_REMOTE_RULES_SUPPORT #ifdef WITH_REMOTE_RULES
if (remote_rules_server != NULL) if (remote_rules_server != NULL)
{ {
if (remote_rules_server->amount_of_rules == 1) if (remote_rules_server->amount_of_rules == 1)

2
apache2/modsecurity.h
View File

@ -146,7 +146,7 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit;
extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion; extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;
#ifdef WITH_REMOTE_RULES_SUPPORT #ifdef WITH_REMOTE_RULES
extern DSOLOCAL msc_remote_rules_server *remote_rules_server; extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
#endif #endif
extern DSOLOCAL int remote_rules_fail_action; extern DSOLOCAL int remote_rules_fail_action;

76
apache2/msc_remote_rules.c
View File

@ -16,17 +16,22 @@
#include "msc_status_engine.h" #include "msc_status_engine.h"
#include <apr_thread_pool.h> #include <apr_thread_pool.h>
#ifdef WITH_CURL
#include <curl/curl.h> #include <curl/curl.h>
#endif
#include <apu.h> #include <apu.h>
#ifdef WITH_REMOTE_RULES
#include <apr_crypto.h> #include <apr_crypto.h>
#include <apr_sha1.h> #include <apr_sha1.h>
#endif
#ifndef AP_MAX_ARGC #ifndef AP_MAX_ARGC
#define AP_MAX_ARGC 64 #define AP_MAX_ARGC 64
#endif #endif
#ifdef WITH_REMOTE_RULES_SUPPORT
/** /**
* @brief Insert a new SecRule to be processed by ModSecurity * @brief Insert a new SecRule to be processed by ModSecurity
@ -201,6 +206,7 @@ const char *msc_remote_invoke_cmd(const command_rec *cmd, cmd_parms *parms,
NULL); NULL);
} }
} }
/** /**
* @brief Fetch an URL and fill the content into a memory buffer. * @brief Fetch an URL and fill the content into a memory buffer.
* *
@ -225,11 +231,14 @@ const char *msc_remote_invoke_cmd(const command_rec *cmd, cmd_parms *parms,
* *
* @retval n>=0 everything went fine. * @retval n>=0 everything went fine.
* @retval n<-1 Something wrong happened, further details on error_msg. * @retval n<-1 Something wrong happened, further details on error_msg.
* n=-2 Download failed, but operation should not be aborted.
* n=-3 ModSecurity was not compiled with curl support.
* *
*/ */
int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key, int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key,
struct msc_curl_memory_buffer_t *chunk, char **error_msg) struct msc_curl_memory_buffer_t *chunk, char **error_msg)
{ {
#ifdef WITH_CURL
CURL *curl; CURL *curl;
CURLcode res; CURLcode res;
@ -237,9 +246,10 @@ int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
char *apr_id = NULL; char *apr_id = NULL;
char *beacon_str = NULL; char *beacon_str = NULL;
char *beacon_apr = NULL; char *beacon_apr = NULL;
char *header_key = NULL;
int beacon_str_len = 0; int beacon_str_len = 0;
chunk->size = 0;
memset(id, '\0', sizeof(id)); memset(id, '\0', sizeof(id));
if (msc_status_engine_unique_id(id)) if (msc_status_engine_unique_id(id))
{ {
@ -266,11 +276,6 @@ int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
free(beacon_str); free(beacon_str);
} }
if (key != NULL)
{
header_key = apr_psprintf(mp, "ModSec-key: %s", key);
}
if (curl) if (curl)
{ {
struct curl_slist *headers_chunk = NULL; struct curl_slist *headers_chunk = NULL;
@ -279,12 +284,14 @@ int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
char *ptr = NULL; char *ptr = NULL;
DWORD res_len; DWORD res_len;
#endif #endif
curl_easy_setopt(curl, CURLOPT_URL, remote_rules_server->uri); curl_easy_setopt(curl, CURLOPT_URL, uri);
headers_chunk = curl_slist_append(headers_chunk, apr_id); headers_chunk = curl_slist_append(headers_chunk, apr_id);
headers_chunk = curl_slist_append(headers_chunk, beacon_apr); headers_chunk = curl_slist_append(headers_chunk, beacon_apr);
if (key != NULL) if (key != NULL)
{ {
char *header_key = NULL;
header_key = apr_psprintf(mp, "ModSec-key: %s", key);
headers_chunk = curl_slist_append(headers_chunk, header_key); headers_chunk = curl_slist_append(headers_chunk, header_key);
} }
@ -321,18 +328,20 @@ int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
if (remote_rules_fail_action == REMOTE_RULES_WARN_ON_FAIL) if (remote_rules_fail_action == REMOTE_RULES_WARN_ON_FAIL)
{ {
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
"Failed to fetch \"%s\" error: %s ", "Failed to download \"%s\" error: %s ",
remote_rules_server->uri, curl_easy_strerror(res)); uri, curl_easy_strerror(res));
return -2;
} }
else else
{ {
*error_msg = apr_psprintf(mp, "Failed to fetch \"%s\" " \ *error_msg = apr_psprintf(mp, "Failed to download \"%s\" " \
"error: %s ", "error: %s ",
remote_rules_server->uri, curl_easy_strerror(res)); uri, curl_easy_strerror(res));
}
return -1; return -1;
} }
}
curl_slist_free_all(headers_chunk); curl_slist_free_all(headers_chunk);
} }
@ -341,8 +350,12 @@ int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
curl_global_cleanup(); curl_global_cleanup();
return 0; return 0;
#else
return -3;
#endif
} }
/** /**
* @brief Setup an apr_crypto_key_t from a given password and salt. * @brief Setup an apr_crypto_key_t from a given password and salt.
* *
@ -369,6 +382,7 @@ int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
* @retval n<-1 Something wrong happened, check error_msg for further details. * @retval n<-1 Something wrong happened, check error_msg for further details.
* *
*/ */
#ifdef WITH_APU_CRYPTO
int msc_remote_enc_key_setup(apr_pool_t *pool, int msc_remote_enc_key_setup(apr_pool_t *pool,
const char *key, const char *key,
apr_crypto_key_t **apr_key, apr_crypto_key_t **apr_key,
@ -411,11 +425,6 @@ int msc_remote_enc_key_setup(apr_pool_t *pool,
*error_msg = "Internal error - apr_crypto_passphrase: APR_EKEYTYPE"; *error_msg = "Internal error - apr_crypto_passphrase: APR_EKEYTYPE";
return -1; return -1;
} }
else if (rv == APR_EKEYTYPE)
{
*error_msg = "Internal error - apr_crypto_passphrase: APR_EKEYTYPE";
return -1;
}
else if (rv != APR_SUCCESS) else if (rv != APR_SUCCESS)
{ {
*error_msg = "Internal error - apr_crypto_passphrase: Unknown error"; *error_msg = "Internal error - apr_crypto_passphrase: Unknown error";
@ -424,6 +433,7 @@ int msc_remote_enc_key_setup(apr_pool_t *pool,
return 0; return 0;
} }
#endif
/** /**
* @brief Decrypt an buffer into a memory buffer. * @brief Decrypt an buffer into a memory buffer.
@ -449,6 +459,7 @@ int msc_remote_enc_key_setup(apr_pool_t *pool,
* @retval n<-1 Something wrong happened, further details on error_msg. * @retval n<-1 Something wrong happened, further details on error_msg.
* *
*/ */
#ifdef WITH_APU_CRYPTO
int msc_remote_decrypt(apr_pool_t *pool, int msc_remote_decrypt(apr_pool_t *pool,
const char *key, const char *key,
struct msc_curl_memory_buffer_t *chunk, struct msc_curl_memory_buffer_t *chunk,
@ -488,12 +499,9 @@ int msc_remote_decrypt(apr_pool_t *pool,
return -1; return -1;
} }
#ifndef APU_CRYPTO_RECOMMENDED_DRIVER
rv = apr_crypto_get_driver(&driver, "openssl", NULL, &err, pool);
#else
rv = apr_crypto_get_driver(&driver, APU_CRYPTO_RECOMMENDED_DRIVER, NULL, rv = apr_crypto_get_driver(&driver, APU_CRYPTO_RECOMMENDED_DRIVER, NULL,
&err, pool); &err, pool);
#endif
if (rv != APR_SUCCESS || driver == NULL) if (rv != APR_SUCCESS || driver == NULL)
{ {
*error_msg = "Internal error - apr_crypto_get_driver: Unknown error"; *error_msg = "Internal error - apr_crypto_get_driver: Unknown error";
@ -573,7 +581,7 @@ int msc_remote_decrypt(apr_pool_t *pool,
return 0; return 0;
} }
#endif
/** /**
* @brief Add SecRules from a given URI. * @brief Add SecRules from a given URI.
@ -598,6 +606,8 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
msc_remote_rules_server *remote_rules_server, msc_remote_rules_server *remote_rules_server,
char **error_msg) char **error_msg)
{ {
#ifdef WITH_REMOTE_RULES
struct msc_curl_memory_buffer_t chunk_encrypted; struct msc_curl_memory_buffer_t chunk_encrypted;
unsigned char *plain_text = NULL; unsigned char *plain_text = NULL;
int len = 0; int len = 0;
@ -612,13 +622,12 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
chunk_encrypted.size = 0; chunk_encrypted.size = 0;
chunk_encrypted.memory = NULL; chunk_encrypted.memory = NULL;
res = msc_remote_grab_content(mp, remote_rules_server->uri, res = msc_remote_download_content(mp, remote_rules_server->uri,
remote_rules_server->key, &chunk_encrypted, error_msg); remote_rules_server->key, &chunk_encrypted, error_msg);
if (*error_msg != NULL) if (*error_msg != NULL)
{ {
return -1; return -1;
} }
/* error_msg is not filled when the user set SecRemoteRulesFailAction /* error_msg is not filled when the user set SecRemoteRulesFailAction
* to warn * to warn
*/ */
@ -629,14 +638,21 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
if (remote_rules_server->crypto == 1) if (remote_rules_server->crypto == 1)
{ {
#ifdef WITH_APU_CRYPTO
msc_remote_decrypt(mp, remote_rules_server->key, &chunk_encrypted, msc_remote_decrypt(mp, remote_rules_server->key, &chunk_encrypted,
&plain_text, &plain_text,
&plain_text_len, &plain_text_len,
error_msg); error_msg);
if (*error_msg != NULL) if (*error_msg != NULL)
{ {
msc_remote_clean_chunk(&chunk_encrypted);
return -1; return -1;
} }
#else
*error_msg = "ModSecurity was not compiled with crypto support.\n";
msc_remote_clean_chunk(&chunk_encrypted);
return -1;
#endif
msc_remote_clean_chunk(&chunk_encrypted); msc_remote_clean_chunk(&chunk_encrypted);
} }
@ -725,12 +741,17 @@ next:
{ {
msc_remote_clean_chunk(&chunk_encrypted); msc_remote_clean_chunk(&chunk_encrypted);
} }
#else
*error_msg = "SecRemoteRules was not enabled during ModSecurity " \
"compilation.";
return -1;
#endif
} }
int msc_remote_clean_chunk(struct msc_curl_memory_buffer_t *chunk) int msc_remote_clean_chunk(struct msc_curl_memory_buffer_t *chunk)
{ {
if (chunk->size <= 0) if (chunk->size == 0)
{ {
goto end; goto end;
} }
@ -747,4 +768,3 @@ end:
return 0; return 0;
} }
#endif

15
apache2/msc_remote_rules.h
View File

@ -12,12 +12,6 @@
* directly using the email address security@modsecurity.org. * directly using the email address security@modsecurity.org.
*/ */
#if APU_HAVE_CRYPTO
#define WITH_REMOTE_RULES_SUPPORT
#endif
#ifdef WITH_REMOTE_RULES_SUPPORT
#ifndef MSC_REMOTE_RULES_H #ifndef MSC_REMOTE_RULES_H
#define MSC_REMOTE_RULES_H #define MSC_REMOTE_RULES_H
@ -35,9 +29,9 @@ struct msc_curl_memory_buffer_t;
#include "http_core.h" #include "http_core.h"
#include "http_config.h" #include "http_config.h"
#include <curl/curl.h> #ifdef WITH_APU_CRYPTO
#include <apr_crypto.h> #include <apr_crypto.h>
#endif
struct msc_remote_rules_server { struct msc_remote_rules_server {
directory_config *context; directory_config *context;
@ -51,9 +45,10 @@ struct msc_remote_rules_server {
const char *msc_remote_invoke_cmd(const command_rec *cmd, cmd_parms *parms, const char *msc_remote_invoke_cmd(const command_rec *cmd, cmd_parms *parms,
void *mconfig, const char *args); void *mconfig, const char *args);
int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key, int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key,
struct msc_curl_memory_buffer_t *chunk, char **error_msg); struct msc_curl_memory_buffer_t *chunk, char **error_msg);
#ifdef WITH_APU_CRYPTO
int msc_remote_enc_key_setup(apr_pool_t *pool, int msc_remote_enc_key_setup(apr_pool_t *pool,
const char *key, const char *key,
apr_crypto_key_t **apr_key, apr_crypto_key_t **apr_key,
@ -67,6 +62,7 @@ int msc_remote_decrypt(apr_pool_t *pool,
unsigned char **plain_text, unsigned char **plain_text,
apr_size_t *plain_text_len, apr_size_t *plain_text_len,
char **error_msg); char **error_msg);
#endif
int msc_remote_add_rules_from_uri(cmd_parms *orig_parms, int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
msc_remote_rules_server *remote_rules_server, msc_remote_rules_server *remote_rules_server,
@ -75,5 +71,4 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
int msc_remote_clean_chunk(struct msc_curl_memory_buffer_t *chunk); int msc_remote_clean_chunk(struct msc_curl_memory_buffer_t *chunk);
#endif #endif
#endif

116
apache2/msc_util.c
View File

@ -26,7 +26,11 @@
#include <apr_sha1.h> #include <apr_sha1.h>
#include "modsecurity_config.h" #include "modsecurity_config.h"
#include "msc_remote_rules.h"
#ifdef WITH_CURL
#include "curl/curl.h" #include "curl/curl.h"
#endif
/** /**
* NOTE: Be careful as these can ONLY be used on static values for X. * NOTE: Be careful as these can ONLY be used on static values for X.
@ -2613,6 +2617,7 @@ int ip_tree_from_file(TreeRoot **rtree, char *uri,
return 0; return 0;
} }
#ifdef WITH_CURL
int ip_tree_from_uri(TreeRoot **rtree, char *uri, int ip_tree_from_uri(TreeRoot **rtree, char *uri,
apr_pool_t *mp, char **error_msg) apr_pool_t *mp, char **error_msg)
{ {
@ -2621,118 +2626,24 @@ int ip_tree_from_uri(TreeRoot **rtree, char *uri,
int line = 0; int line = 0;
apr_file_t *fd; apr_file_t *fd;
char *start; char *start;
char buf[HUGE_STRING_LEN + 1]; // FIXME: 2013-10-29 zimmerle: dynamic? int res;
char errstr[1024]; //
CURL *curl;
CURLcode res;
char id[(APR_SHA1_DIGESTSIZE*2) + 1];
char *apr_id = NULL;
char *beacon_str = NULL;
int beacon_str_len = 0;
char *beacon_apr = NULL;
struct msc_curl_memory_buffer_t chunk; struct msc_curl_memory_buffer_t chunk;
char *word = NULL; char *word = NULL;
char *brkt = NULL; char *brkt = NULL;
char *sep = "\n"; char *sep = "\n";
chunk.memory = malloc(1); /* will be grown as needed by the realloc above */
chunk.size = 0; /* no data at this point */
if (create_radix_tree(mp, rtree, error_msg)) if (create_radix_tree(mp, rtree, error_msg))
{ {
return -1; return -1;
} }
/* Retrieve the beacon string */ res = msc_remote_download_content(mp, uri, NULL, &chunk, error_msg);
beacon_str_len = msc_beacon_string(NULL, 0); if (res)
beacon_str = malloc(sizeof(char) * beacon_str_len + 1);
if (beacon_str == NULL) {
beacon_str = "Failed to retrieve beacon string";
beacon_apr = apr_psprintf(mp, "ModSec-status: %s", beacon_str);
}
else
{ {
msc_beacon_string(beacon_str, beacon_str_len); return res;
beacon_apr = apr_psprintf(mp, "ModSec-status: %s", beacon_str);
free(beacon_str);
} }
memset(id, '\0', sizeof(id));
if (msc_status_engine_unique_id(id)) {
sprintf(id, "no unique id");
}
apr_id = apr_psprintf(mp, "ModSec-unique-id: %s", id);
curl_global_init(CURL_GLOBAL_ALL);
curl = curl_easy_init();
if (curl) {
struct curl_slist *headers_chunk = NULL;
#ifdef WIN32
char *buf = malloc(sizeof(TCHAR) * (2048 + 1));
char *ptr = NULL;
DWORD res_len;
#endif
curl_easy_setopt(curl, CURLOPT_URL, uri);
headers_chunk = curl_slist_append(headers_chunk, apr_id);
headers_chunk = curl_slist_append(headers_chunk, beacon_apr);
/* send all data to this function */
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, msc_curl_write_memory_cb);
/* we pass our 'chunk' struct to the callback function */
curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&chunk);
/* Make it TLS 1.x only. */
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
#ifdef WIN32
res_len = SearchPathA(NULL, "curl-ca-bundle.crt", NULL, (2048 + 1), buf, &ptr);
if (res_len > 0) {
curl_easy_setopt(curl, CURLOPT_CAINFO, strdup(buf));
}
free(buf);
#endif
/* thoseeare the default options, but lets make sure */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
/* some servers don't like requests that are made without a user-agent
field, so we provide one */
curl_easy_setopt(curl, CURLOPT_USERAGENT, "ModSecurity");
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers_chunk);
res = curl_easy_perform(curl);
if (res != CURLE_OK)
{
if (remote_rules_fail_action == REMOTE_RULES_WARN_ON_FAIL)
{
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
"Failed to fetch \"%s\" error: %s ",
uri, curl_easy_strerror(res));
return 0;
}
else
{
*error_msg = apr_psprintf(mp, "Failed to fetch \"%s\" " \
"error: %s ", uri,
curl_easy_strerror(res));
return -1;
}
}
curl_easy_cleanup(curl);
curl_slist_free_all(headers_chunk);
}
curl_global_cleanup();
for (word = strtok_r(chunk.memory, sep, &brkt); for (word = strtok_r(chunk.memory, sep, &brkt);
word; word;
word = strtok_r(NULL, sep, &brkt)) word = strtok_r(NULL, sep, &brkt))
@ -2774,9 +2685,12 @@ int ip_tree_from_uri(TreeRoot **rtree, char *uri,
} }
} }
msc_remote_clean_chunk(&chunk);
return 0; return 0;
} }
#endif
int tree_contains_ip(apr_pool_t *mp, TreeRoot *rtree, int tree_contains_ip(apr_pool_t *mp, TreeRoot *rtree,
const char *value, modsec_rec *msr, char **error_msg) const char *value, modsec_rec *msr, char **error_msg)
@ -2859,6 +2773,7 @@ int ip_tree_from_param(apr_pool_t *mp,
return 0; return 0;
} }
#ifdef WITH_CURL
size_t msc_curl_write_memory_cb(void *contents, size_t size, size_t msc_curl_write_memory_cb(void *contents, size_t size,
size_t nmemb, void *userp) size_t nmemb, void *userp)
{ {
@ -2887,6 +2802,7 @@ size_t msc_curl_write_memory_cb(void *contents, size_t size,
return realsize; return realsize;
} }
#endif
#ifdef WIN32 #ifdef WIN32
char* strtok_r( char* strtok_r(
@ -2914,5 +2830,5 @@ char* strtok_r(
*nextp = str; *nextp = str;
return ret; return ret;
} }
#endif #endif

136
apache2/re_operators.c
View File

@ -23,7 +23,7 @@
#include "msc_util.h" #include "msc_util.h"
#include "msc_tree.h" #include "msc_tree.h"
#include "msc_crypt.h" #include "msc_crypt.h"
#include "curl/curl.h" #include "msc_remote_rules.h"
#include <apr_sha1.h> #include <apr_sha1.h>
#if APR_HAVE_ARPA_INET_H #if APR_HAVE_ARPA_INET_H
@ -196,19 +196,32 @@ static int msre_op_ipmatchFromFile_param_init(msre_rule *rule, char **error_msg)
} }
filepath = fn; filepath = fn;
if (strlen(fn) > strlen("http://") && strncmp(fn, "http://", strlen("http://")) == 0) if (strlen(fn) > strlen("http://") &&
strncmp(fn, "http://", strlen("http://")) == 0)
{ {
*error_msg = apr_psprintf(rule->ruleset->mp, "HTTPS address or file " \ *error_msg = apr_psprintf(rule->ruleset->mp, "HTTPS address or file " \
"path are expected for operator ipmatchFromFile \"%s\"", fn); "path are expected for operator ipmatchFromFile \"%s\"", fn);
return 0; return 0;
} }
else if (strlen(fn) > strlen("https://") && strncmp(fn, "https://", strlen("https://")) == 0) else if (strlen(fn) > strlen("https://") &&
strncmp(fn, "https://", strlen("https://")) == 0)
{ {
#ifdef WITH_CURL
res = ip_tree_from_uri(&rtree, fn, rule->ruleset->mp, error_msg); res = ip_tree_from_uri(&rtree, fn, rule->ruleset->mp, error_msg);
if (res) if (res == -2)
{
/* Failed to download but we won't stop the webserver to start. */
return 1;
}
else if (res)
{ {
return 0; return 0;
} }
#else
*error_msg = apr_psprintf(rule->ruleset->mp, "ModSecurity was not " \
"compiled with Curl support, it cannot load: \"%s\"", fn);
return 0;
#endif
} }
else else
{ {
@ -1257,117 +1270,29 @@ static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
/* Add path of the rule filename for a relative phrase filename */ /* Add path of the rule filename for a relative phrase filename */
filepath = fn; filepath = fn;
if (strlen(fn) > strlen("http://") && strncmp(fn, "http://", strlen("http://")) == 0) if (strlen(fn) > strlen("http://") &&
strncmp(fn, "http://", strlen("http://")) == 0)
{ {
*error_msg = apr_psprintf(rule->ruleset->mp, "HTTPS address or " \ *error_msg = apr_psprintf(rule->ruleset->mp, "HTTPS address or " \
"file path are expected for operator pmFromFile \"%s\"", fn); "file path are expected for operator pmFromFile \"%s\"", fn);
return 0; return 0;
} }
else if (strlen(fn) > strlen("https://") && strncmp(fn, "https://", strlen("https://")) == 0) else if (strlen(fn) > strlen("https://") &&
strncmp(fn, "https://", strlen("https://")) == 0)
{ {
CURL *curl; #ifdef WITH_CURL
CURLcode res; int res = 0;
char id[(APR_SHA1_DIGESTSIZE*2) + 1];
char *apr_id = NULL;
char *beacon_str = NULL;
int beacon_str_len = 0;
char *beacon_apr = NULL;
struct msc_curl_memory_buffer_t chunk;
char *word = NULL; char *word = NULL;
char *brkt = NULL; char *brkt = NULL;
char *sep = "\n"; char *sep = "\n";
struct msc_curl_memory_buffer_t chunk;
/* Retrieve the beacon string */ res = msc_remote_download_content(rule->ruleset->mp, fn, NULL,
beacon_str_len = msc_beacon_string(NULL, 0); &chunk, error_msg);
if (res == -1)
beacon_str = malloc(sizeof(char) * beacon_str_len + 1);
if (beacon_str == NULL) {
beacon_str = "Failed to retrieve beacon string";
beacon_apr = apr_psprintf(rule->ruleset->mp, "ModSec-status: %s", beacon_str);
}
else
{ {
msc_beacon_string(beacon_str, beacon_str_len);
beacon_apr = apr_psprintf(rule->ruleset->mp, "ModSec-status: %s", beacon_str);
free(beacon_str);
}
memset(id, '\0', sizeof(id));
if (msc_status_engine_unique_id(id)) {
sprintf(id, "no unique id");
}
apr_id = apr_psprintf(rule->ruleset->mp, "ModSec-unique-id: %s", id);
chunk.memory = malloc(1); /* will be grown as needed by the realloc above */
chunk.size = 0; /* no data at this point */
curl_global_init(CURL_GLOBAL_ALL);
curl = curl_easy_init();
if (curl) {
struct curl_slist *headers_chunk = NULL;
#ifdef WIN32
char *buf = malloc(sizeof(TCHAR) * (2048 + 1));
char *ptr = NULL;
DWORD res_len;
#endif
curl_easy_setopt(curl, CURLOPT_URL, fn);
headers_chunk = curl_slist_append(headers_chunk, apr_id);
headers_chunk = curl_slist_append(headers_chunk, beacon_apr);
/* send all data to this function */
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, msc_curl_write_memory_cb);
/* we pass our 'chunk' struct to the callback function */
curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&chunk);
/* Make it TLS 1.x only. */
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
#ifdef WIN32
res_len = SearchPathA(NULL, "curl-ca-bundle.crt", NULL, (2048 + 1), buf, &ptr);
if (res_len > 0) {
curl_easy_setopt(curl, CURLOPT_CAINFO, strdup(buf));
}
free(buf);
#endif
/* those are the default options, but lets make sure */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
/* some servers don't like requests that are made without a user-agent
field, so we provide one */
curl_easy_setopt(curl, CURLOPT_USERAGENT, "ModSecurity");
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers_chunk);
res = curl_easy_perform(curl);
if (res != CURLE_OK)
{
if (remote_rules_fail_action == REMOTE_RULES_WARN_ON_FAIL)
{
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
"Failed to fetch \"%s\" error: %s ", fn,
curl_easy_strerror(res));
return 1;
}
else
{
*error_msg = apr_psprintf(rule->ruleset->mp,
"Failed to fetch \"%s\" error: %s ", fn,
curl_easy_strerror(res));
return 0; return 0;
} }
}
curl_easy_cleanup(curl);
curl_slist_free_all(headers_chunk);
}
curl_global_cleanup();
for (word = strtok_r(chunk.memory, sep, &brkt); for (word = strtok_r(chunk.memory, sep, &brkt);
word; word;
@ -1377,8 +1302,13 @@ static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
if (*word == '#') continue; if (*word == '#') continue;
acmp_add_pattern(p, word, NULL, NULL, strlen(word)); acmp_add_pattern(p, word, NULL, NULL, strlen(word));
} }
msc_remote_clean_chunk(&chunk);
#else
*error_msg = apr_psprintf(rule->ruleset->mp, "ModSecurity was not " \
"compiled with Curl support, it cannot load: \"%s\"", fn);
return 0;
#endif
} }
else else
{ {

1
build/find_curl.m4
View File

@ -70,6 +70,7 @@ if test -n "${curl_path}"; then
if test "$curl_tlsv2_ver" -le "$curl_ver"; then if test "$curl_tlsv2_ver" -le "$curl_ver"; then
CURL_CFLAGS="${CURL_CFLAGS} -DWITH_CURL_SSLVERSION_TLSv1_2" CURL_CFLAGS="${CURL_CFLAGS} -DWITH_CURL_SSLVERSION_TLSv1_2"
fi fi
CURL_CFLAGS="${CURL_CFLAGS} -DWITH_CURL"
else else
AC_MSG_RESULT([no, $CURL_VERSION]) AC_MSG_RESULT([no, $CURL_VERSION])
AC_MSG_NOTICE([NOTE: curl library may be too old]) AC_MSG_NOTICE([NOTE: curl library may be too old])

22
configure.ac
View File

@ -702,7 +702,27 @@ CHECK_CURL()
CHECK_YAJL() CHECK_YAJL()
#AC_SEARCH_LIBS([yajl_alloc], [yajl]) #AC_SEARCH_LIBS([yajl_alloc], [yajl])
CHECK_SSDEEP() CHECK_SSDEEP()
AC_SEARCH_LIBS([fuzzy_hash_buf], [fuzzy]) #AC_SEARCH_LIBS([fuzzy_hash_buf], [fuzzy])
CFLAGS="$CFLAGS $APU_CFLAGS"
AC_TRY_COMPILE(
[#include <apr_crypto.h>],
[
#if APU_HAVE_CRYPTO == 0
#error APR util was not compiled with crypto support.
#endif
],
[ AC_DEFINE([WITH_APU_CRYPTO], [1], [APR util was compiled with crypto support])
MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS -DWITH_APU_CRYPTO"
],
[ AC_MSG_WARN([APR util was not compiled with crypto support. SecRemoteRule will not support the parameter 'crypto']) ]
)
# Current our unique download backend is curl, furhter we can support more.
if test ! -z "${CURL_VERSION}"; then
AC_DEFINE([WITH_REMOTE_RULES], [1], [Enables SecRemoteRules support])
MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS -DWITH_REMOTE_RULES"
fi
AC_CONFIG_FILES([Makefile]) AC_CONFIG_FILES([Makefile])
AC_CONFIG_FILES([tools/Makefile]) AC_CONFIG_FILES([tools/Makefile])

4
tests/Makefile.am
View File

@ -6,6 +6,7 @@ msc_test_SOURCES = msc_test.c \
../apache2/libinjection/libinjection_xss.c \ ../apache2/libinjection/libinjection_xss.c \
../apache2/modsecurity.c \ ../apache2/modsecurity.c \
../apache2/msc_status_engine.c \ ../apache2/msc_status_engine.c \
../apache2/msc_remote_rules.c \
../apache2/msc_crypt.c \ ../apache2/msc_crypt.c \
../apache2/msc_geo.c \ ../apache2/msc_geo.c \
../apache2/msc_gsb.c \ ../apache2/msc_gsb.c \
@ -28,7 +29,8 @@ msc_test_SOURCES = msc_test.c \
../apache2/re_tfns.c \ ../apache2/re_tfns.c \
../apache2/re_variables.c \ ../apache2/re_variables.c \
../standalone/regex.c \ ../standalone/regex.c \
../standalone/server.c ../standalone/server.c \
../standalone/config.c
msc_test_CFLAGS = @APR_CFLAGS@ \ msc_test_CFLAGS = @APR_CFLAGS@ \
@APU_CFLAGS@ \ @APU_CFLAGS@ \

9
tests/msc_test.c
View File

@ -79,6 +79,15 @@ unsigned long int DSOLOCAL msc_pcre_match_limit = 0;
unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0; unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
char DSOLOCAL *real_server_signature = NULL; char DSOLOCAL *real_server_signature = NULL;
int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL; int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
module AP_MODULE_DECLARE_DATA security2_module = {
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL
};
/* Stubs */ /* Stubs */
char *format_error_log_message(apr_pool_t *mp, error_message_t *em) { char *format_error_log_message(apr_pool_t *mp, error_message_t *em) {