From 2a707d43706d51545ef9d1051ab21776932c664c Mon Sep 17 00:00:00 2001
From: ivanr <ivanr@9017d574-64ec-4062-9424-5e00b32a252b>
Date: Fri, 21 Sep 2007 19:06:54 +0000
Subject: [PATCH] Enable our output filters to intercept bodies of error
 responses (#65).

---
 apache2/mod_security2.c | 21 ++++++++++++---------
 apache2/modsecurity.h   |  1 +
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
index 02bd951e..b87791ef 100644
--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@@ -950,7 +950,6 @@ static void hook_insert_filter(request_rec *r) {
     }
 }
 
-#if 0
 /**
  * Invoked whenever Apache starts processing an error. A chance
  * to insert ourselves into the output filter chain.
@@ -961,25 +960,30 @@ static void hook_insert_error_filter(request_rec *r) {
     /* Find the transaction context and make sure we are
      * supposed to proceed.
      */
-
-    /* TODO Insert filter but make a note that it's the error
-     *      response the filter would be receiving.
-     */
-
     msr = retrieve_tx_context(r);
     if (msr == NULL) return;
 
+    /* Do not run if not enabled. */
     if (msr->txcfg->is_enabled == 0) {
         if (msr->txcfg->debuglog_level >= 4) {
             msr_log(msr, 4, "Hook insert_error_filter: Processing disabled, skipping.");
         }
         return;
     }
-    
+
+    /* Do not run if the output filter already completed. This will
+     * happen if we intercept in phase 4.
+     */
     if (msr->of_status != OF_STATUS_COMPLETE) {
         if (msr->txcfg->debuglog_level >= 4) {
             msr_log(msr, 4, "Hook insert_error_filter: Adding output filter (r %x).", r);
         }
+
+        /* Make a note that the output we will be receiving is a
+         * result of error processing.
+         */
+        msr->of_is_error = 1;
+
         ap_add_output_filter("MODSECURITY_OUT", msr, r, r->connection);
     } else {
         if (msr->txcfg->debuglog_level >= 4) {
@@ -987,7 +991,6 @@ static void hook_insert_error_filter(request_rec *r) {
         }
     }
 }
-#endif
 
 #if (!defined(NO_MODSEC_API))
 /**
@@ -1083,7 +1086,7 @@ static void register_hooks(apr_pool_t *mp) {
 
     /* Filter hooks */
     ap_hook_insert_filter(hook_insert_filter, NULL, NULL, APR_HOOK_FIRST);
-    /* ap_hook_insert_error_filter(hook_insert_error_filter, NULL, NULL, APR_HOOK_FIRST); */
+    ap_hook_insert_error_filter(hook_insert_error_filter, NULL, NULL, APR_HOOK_FIRST);
 
     ap_register_input_filter("MODSECURITY_IN", input_filter,
         NULL, AP_FTYPE_CONTENT_SET);
diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
index 4daa9bca..88a053fa 100644
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@@ -213,6 +213,7 @@ struct modsec_rec {
     unsigned int         of_status;
     unsigned int         of_done_reading;
     unsigned int         of_skipping;
+    unsigned int         of_is_error;
 
     unsigned int         resbody_status;
     apr_size_t           resbody_length;