diff --git a/apache2/re_actions.c b/apache2/re_actions.c
index b840e501..12505574 100644
--- a/apache2/re_actions.c
+++ b/apache2/re_actions.c
@@ -16,7 +16,6 @@
#include
#include "apr_lib.h"
#include "apr_strmatch.h"
-#include "apr_env.h"
/**
* Register action with the engine.
@@ -2195,90 +2194,6 @@ static char *msre_action_exec_validate(msre_engine *engine, apr_pool_t *mp, msre
return NULL;
}
-int beanshell_execute(const char *script, modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule)
-{
- apr_status_t rv;
- apr_pool_t *mp = mptmp;
- apr_procattr_t *pattr;
- int argc = 0;
- const char* argv[8];
- apr_proc_t proc;
- int st;
- apr_exit_why_e why;
- const char* env[8];
-
- const char *progname = "java";
-
- if ((rv = apr_procattr_create(&pattr, mp)) != APR_SUCCESS) {
- return 0;
- }
- if ((rv = apr_procattr_io_set(pattr, APR_CHILD_BLOCK, APR_CHILD_BLOCK, APR_CHILD_BLOCK)) != APR_SUCCESS) {
- return 0;
- }
- if ((rv = apr_procattr_cmdtype_set(pattr, APR_PROGRAM_PATH)) != APR_SUCCESS) {
- return 0;
- }
- //rv = apr_procattr_dir_set(pattr, ".");
-
- argv[argc++] = progname;
- argv[argc++] = "-classpath";
-#ifdef BEANSHELL_JAR
- argv[argc++] = BEANSHELL_JAR; // "/jars/bsh-2.0b4.jar";
-#else
- argv[argc++] = "*";
-#endif
- argv[argc++] = "bsh.Interpreter";
- argv[argc++] = (const char*) script;
- argv[argc++] = NULL;
-
- apr_env_set("envvar", "This is a value", mp);
- //apr_env_delete("envvar", mp);
-
- if (msr->txcfg->debuglog_level >= 8) {
- msr_log(msr, 8, "BeanShell: Executing script: %s", script);
- }
-
- if ((rv = apr_proc_create(&proc, progname, (const char* const*)argv,
- NULL, pattr, mp)) != APR_SUCCESS) {
- msr_log(msr, 1, "Could not find java to execute: %s", script);
- return rv;
- }
-
- rv = apr_proc_wait(&proc, &st, &why, APR_WAIT);
- if (APR_STATUS_IS_CHILD_DONE(rv)) {
-
- if (proc.err != NULL) {
- while (1) {
- char buf[1024];
- apr_file_pipe_timeout_set(proc.err, -1);
- /* read the command's output through the pipe */
- rv = apr_file_gets(buf, sizeof(buf), proc.err);
- if (rv != APR_SUCCESS) {
- break;
- }
- msr_log(msr, 1, "Script stderr: %s\n", buf);
- }
- apr_file_close(proc.err);
- }
- while (1) {
- char buf[1024];
- apr_file_pipe_timeout_set(proc.out, -1);
- /* read the command's output through the pipe */
- rv = apr_file_gets(buf, sizeof(buf), proc.out);
- if (rv != APR_SUCCESS) {
- break;
- }
- //if (msr->txcfg->debuglog_level >= 8) {
- msr_log(msr, 1, "BeanShell script output: %s\n", buf);
- //}
- }
- apr_file_close(proc.out);
-
- } else {
- msr_log(msr, 1, "Failed to execute: %s", script);
- }
-}
-
static apr_status_t msre_action_exec_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
@@ -2291,7 +2206,7 @@ static apr_status_t msre_action_exec_execute(modsec_rec *msr, apr_pool_t *mptmp,
action->param[lenparam - 1] == 'h')) {
//beanshell_execute(action->param, msr, mptmp, rule);
char *script_output = NULL;
-
+ int rc;
const char *start = "java -classpath bsh*.jar bsh.Interpreter ";
char *command = (char*) apr_palloc(mptmp, strlen(start) + lenparam + 1);
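Review bot: The `start` prefix on the line above the allocation puts `bsh*.jar` in the classpath, and Java's own classpath wildcard only accepts a bare `*` for a directory, so this pattern works only if something expands the glob before `java` sees it. If a shell does expand it and more than one file matches, the extra names become separate arguments and the second jar is taken as the main class. Naming the jar explicitly would avoid that, as the removed `BEANSHELL_JAR` define did, or use `*` as the removed fallback did. The commented-out `//beanshell_execute(action->param, msr, mptmp, rule);` now refers to a function this commit deletes and should be removed too. The enclosing function starts and ends outside this hunk.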
@@ -2299,7 +2214,7 @@ static apr_status_t msre_action_exec_execute(modsec_rec *msr, apr_pool_t *mptmp,
strcpy(command, start);
strcat(command, action->param);
command[strlen(start) + lenparam] = '\0';
- int rc = apache2_exec(msr, command, NULL, &script_output);
+ rc = apache2_exec(msr, command, NULL, &script_output);
if (rc != 1) {
msr_log(msr, 1, "Failed to execute: %s", action->param);
return 0;
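Review bot: `command` is built by appending `action->param` to a fixed prefix and is passed to `apache2_exec` as one string, whereas the removed `beanshell_execute` passed the script as its own `argv` element under `APR_PROGRAM_PATH`. `apache2_exec` is not visible here, but if it runs the string through a shell, then spaces or shell metacharacters in the script path are interpreted rather than treated as part of the file name. The path should be validated where the `exec` parameter is checked, or quoted before it is appended. The `strcpy`/`strcat`/manual terminator sequence can also be replaced with `command = apr_pstrcat(mptmp, start, action->param, NULL);`, which removes the hand-computed length from the `apr_palloc` call in the previous hunk. The function body continues outside this hunk.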
diff --git a/java/ModSecurityLoader/dist/ModSecurityLoaderConfig.xml b/java/ModSecurityLoader/dist/ModSecurityLoaderConfig.xml
new file mode 100644
index 00000000..f9da8095
--- /dev/null
+++ b/java/ModSecurityLoader/dist/ModSecurityLoaderConfig.xml
@@ -0,0 +1,38 @@
+
+
+
+
+
+ zlib1
+ c:\work\mod_security2\java\libs\zlib1.dll
+
+
+ libxml2
+ c:\work\mod_security2\java\libs\libxml2.dll
+
+
+ libpcre
+ c:\work\mod_security2\java\libs\pcre.dll
+
+
+ libapr-1
+ c:\work\mod_security2\java\libs\libapr-1.dll
+
+
+ libapriconv-1
+ c:\work\mod_security2\java\libs\libapriconv-1.dll
+
+
+ libaprutil-1
+ c:\work\mod_security2\java\libs\libaprutil-1.dll
+
+
+ libModSecurityJNI
+ c:\work\mod_security2\java\libs\ModSecurityJNI.dll
+
+
\ No newline at end of file
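Review bot: Every value in this shipped `dist` config is an absolute path under `c:\work\mod_security2\java\libs\`, which looks like a developer workstation layout rather than an install location. The loader added in this commit passes each value straight to `System.load` and rethrows on failure, so on any other host the default file makes loading fail instead of falling back to `java.library.path`. On a host where that directory can be created by an unprivileged account, it would also decide which native code the server loads. Consider shipping the file with empty values and a comment such as `<!-- set to the absolute path of the library, or leave empty to use java.library.path -->`.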
diff --git a/java/ModSecurityLoader/src/org/modsecurity/loader/ModSecurityLoader.java b/java/ModSecurityLoader/src/org/modsecurity/loader/ModSecurityLoader.java
index 23e5d534..f312f4ed 100644
--- a/java/ModSecurityLoader/src/org/modsecurity/loader/ModSecurityLoader.java
+++ b/java/ModSecurityLoader/src/org/modsecurity/loader/ModSecurityLoader.java
@@ -1,52 +1,120 @@
package org.modsecurity.loader;
-import java.io.File;
+import java.util.HashMap;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
public class ModSecurityLoader {
- //private static final String MODSECURITYLIBSDIR_PATH = "c:\\work\\mod_security\\java\\libs\\"; //directory with ModSecurity native libraries
+ public static final String CONFIG_FILENAME = "ModSecurityLoaderConfig.xml";
+ private static final String zlibParamName = "zlib1";
+ private static final String libxml2ParamName = "libxml2";
+ private static final String libpcreParamName = "libpcre";
+ private static final String libaprParamName = "libapr-1";
+ private static final String libapriconvParamName = "libapriconv-1";
+ private static final String libaprutilParamName = "libaprutil-1";
+ private static final String libModSecurityJNIParamName = "libModSecurityJNI";
static {
- System.out.println("ModSecurity loader static block executed.");
-// File modSecDir = new File(MODSECURITYLIBSDIR_PATH);
-// File[] flibs = modSecDir.listFiles();
-// loadLib(flibs, "zlib1");
-// loadLib(flibs, "libxml2");
-// loadLib(flibs, "pcre");
-// loadLib(flibs, "libapr-1");
-// loadLib(flibs, "libapriconv-1");
-// loadLib(flibs, "libaprutil-1");
-// loadLib(flibs, "ModSecurityJNI");
+ //System.out.println("ModSecurity loader static block executed.");
- //alternative load, this requires native libraries to be in java.library.path, you can set it
- //by specifying server VM start-up option: -Djava.library.path=path/to/libs/
+ //try load native libraries from config file with native libs paths, otherwise get paths from the
+ // server VM start-up option: -Djava.library.path=path/to/libs/
+ HashMap libPaths = new HashMap();
try {
- System.loadLibrary("zlib1"); //needed for libxml2 in Windows
- } catch(UnsatisfiedLinkError ex) {
- }
- System.loadLibrary("libxml2");
- System.loadLibrary("pcre");
- System.loadLibrary("libapr-1");
- try {
- System.loadLibrary("libapriconv-1");
- } catch(UnsatisfiedLinkError ex) { //needed for libaprutil-1 in Windows
- }
- System.loadLibrary("libaprutil-1");
- System.loadLibrary("ModSecurityJNI");
-
- System.out.println("ModSecurity native libraries loaded.");
- }
+ Document dom;
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ DocumentBuilder db = dbf.newDocumentBuilder();
+ dom = db.parse(CONFIG_FILENAME);
- private static void loadLib(File[] files, String lib) {
- for (int i = 0; i < files.length; i++) {
- if (files[i].getName().startsWith(lib)) {
- System.load(files[i].getAbsolutePath());
- break;
+ Element doc = dom.getDocumentElement();
+
+ NodeList nl = doc.getElementsByTagName("init-param");
+
+ for (int i = 0; i < nl.getLength(); i++) {
+ String key = null;
+ String value = null;
+
+ Node initParam = nl.item(i);
+
+ NodeList keyNl = ((Element) initParam).getElementsByTagName("param-name");
+ if (keyNl.getLength() > 0 && keyNl.item(0).hasChildNodes()) {
+ key = keyNl.item(0).getFirstChild().getNodeValue();
+ }
+
+ NodeList valNl = ((Element) initParam).getElementsByTagName("param-value");
+ if (valNl.getLength() > 0 && valNl.item(0).hasChildNodes()) {
+ value = valNl.item(0).getFirstChild().getNodeValue();
+ }
+
+ if (key != null && value != null) {
+ libPaths.put(key, value);
+ }
}
+ } catch (Exception ex) {
+ }
+
+ if (!libPaths.containsKey(zlibParamName)) {
+ libPaths.put(zlibParamName, null);
+ }
+ if (!libPaths.containsKey(libxml2ParamName)) {
+ libPaths.put(libxml2ParamName, null);
+ }
+ if (!libPaths.containsKey(libpcreParamName)) {
+ libPaths.put(libpcreParamName, null);
+ }
+ if (!libPaths.containsKey(libaprParamName)) {
+ libPaths.put(libaprParamName, null);
+ }
+ if (!libPaths.containsKey(libapriconvParamName)) {
+ libPaths.put(libapriconvParamName, null);
+ }
+ if (!libPaths.containsKey(libaprutilParamName)) {
+ libPaths.put(libaprutilParamName, null);
+ }
+ if (!libPaths.containsKey(libModSecurityJNIParamName)) {
+ libPaths.put(libModSecurityJNIParamName, null);
+ }
+
+ try {
+ loadLib("zlib1", libPaths.get(zlibParamName));
+ } catch (UnsatisfiedLinkError err) {
+ }
+ loadLib("xml2", libPaths.get(libxml2ParamName));
+ loadLib("pcre", libPaths.get(libpcreParamName));
+ loadLib("apr-1", libPaths.get(libaprParamName));
+ try {
+ loadLib("apriconv-1", libPaths.get(libapriconvParamName));
+ } catch (UnsatisfiedLinkError err) {
+ }
+ loadLib("aprutil-1", libPaths.get(libaprutilParamName));
+ loadLib("ModSecurityJNI", libPaths.get(libModSecurityJNIParamName));
+ }
+
+ private static void loadLib(String name, String absolutePath) throws UnsatisfiedLinkError {
+ try {
+ System.load(absolutePath);
+ return;
+ } catch (NullPointerException ex) {
+ } catch (UnsatisfiedLinkError ex) {
+ throw ex;
+ }
+ try {
+ System.loadLibrary(name);
+ return;
+ } catch (UnsatisfiedLinkError ex) {
+ }
+ try {
+ System.loadLibrary("lib" + name);
+ } catch (UnsatisfiedLinkError ex) {
+ throw ex;
}
}
-
+
public static void main(String[] args) {
-
}
}
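Review bot: `db.parse(CONFIG_FILENAME)` in the static initializer resolves the bare file name against the JVM's working directory, and the values it reads go unchecked into `System.load`, so whoever can write that directory chooses the native libraries loaded into the server process. The file should be located through an absolute, administrator-controlled path (a system property, for example), and the parser should refuse DTDs, since the factory is used with default settings. The empty `catch (Exception ex) {}` also hides a malformed config, leaving the loader to fall back silently. In `loadLib`, catching `NullPointerException` to detect a missing path can be an explicit null check, and the two `catch (UnsatisfiedLinkError ex) { throw ex; }` clauses do nothing and can go. The sketch below keeps the current behaviour that a configured path which fails to load is an error.

```java
// … unchanged: libPaths declaration …
try {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    // the config is plain data: refuse DOCTYPE so no entity is ever resolved
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    DocumentBuilder db = dbf.newDocumentBuilder();
    Document dom = db.parse(CONFIG_FILENAME);
    // … unchanged: init-param loop filling libPaths …
} catch (Exception ex) {
    // report why the configured paths were ignored before falling back
    System.err.println("ModSecurityLoader: cannot read " + CONFIG_FILENAME + ": " + ex);
}

private static void loadLib(String name, String absolutePath) throws UnsatisfiedLinkError {
    if (absolutePath != null) {
        System.load(absolutePath);
        return;
    }
    // … unchanged: System.loadLibrary(name), then "lib" + name …
```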
diff --git a/java/ModSecurityTestApp/dist/ModSecurityTestApp.war b/java/ModSecurityTestApp/dist/ModSecurityTestApp.war
index e6819b76..fab0e776 100644
Binary files a/java/ModSecurityTestApp/dist/ModSecurityTestApp.war and b/java/ModSecurityTestApp/dist/ModSecurityTestApp.war differ
diff --git a/java/ModSecurityTestApp/web/help.html b/java/ModSecurityTestApp/web/help.html
index 606ea900..c44601de 100644
--- a/java/ModSecurityTestApp/web/help.html
+++ b/java/ModSecurityTestApp/web/help.html
@@ -39,7 +39,7 @@
- Installation
+ Installation
First you need to choose whether to download and compile ModSecurity from the project's version control web-site:
github.com/SpiderLabs/ModSecurity or using pre-compiled binaries from
@@ -212,6 +212,30 @@ sudo cp ./java/.libs/libModSecurityJNI.so /usr/lib/
+
+
BeanShell scripting with ModSecurity
+
+ You can use BeanShell scripts in SecRule
+ ModSecurity directives using the exec action. First you need to put the
+ bsh.jar file (which can be downloaded from beanshell.org)
+ into the current directory of your server (for example $CATALINA_HOME/bin in Tomcat).
+ An example of an exec can be the following:
+
+
+
+
+SecAction "setenv:msg=%{rule.msg},exec:/usr/local/apache/conf/beanshell_script.bsh"
+
+
+
+ The environment variable set in the SecAction can be accessed in BeanShell scripts
+ using:
+
+
+
+System.getenv("msg");
+
+