Use use new msr->rule_was_intercepted flag. See #425.

2026-01-10 02:04:36 +03:00 · 2007-12-17 19:58:35 +00:00
parent d6f492064a
commit 2f447fcd72
2 changed files with 9 additions and 4 deletions
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@@ -285,6 +285,7 @@ struct modsec_rec {
    apr_md5_ctx_t        new_auditlog_md5ctx;

    unsigned int         was_intercepted;
+    unsigned int         rule_was_intercepted;
    unsigned int         intercept_phase;
    msre_actionset      *intercept_actionset;
    const char          *intercept_message;
--- a/apache2/re.c
+++ b/apache2/re.c
@@ -664,6 +664,9 @@ apr_status_t msre_ruleset_process_phase(msre_ruleset *ruleset, modsec_rec *msr)
    for (i = 0; i < arr->nelts; i++) {
        msre_rule *rule = rules[i];

+        /* Reset the rule interception flag */
+        msr->rule_was_intercepted = 0;
+
        /* NEXT_CHAIN is used when one of the rules in a chain
         * fails to match and then we need to skip the remaining
         * rules in that chain in order to get to the next
@@ -731,8 +734,8 @@ apr_status_t msre_ruleset_process_phase(msre_ruleset *ruleset, modsec_rec *msr)
        }
        else
        if (rc == RULE_MATCH) {
-            if ((msr->phase == msr->intercept_phase) && msr->was_intercepted) {
-                /* If the transaction was intercepted we will
+            if (msr->rule_was_intercepted) {
+                /* If the transaction was intercepted by this rule we will
                 * go back. Do note that we are relying on the
                 * rule to know if it is a part of a chain and
                 * not intercept if it is.
@@ -1153,6 +1156,7 @@ static void msre_perform_disruptive_actions(modsec_rec *msr, msre_rule *rule,
     * transaction, and rememer the rule that caused it.
     */
    msr->was_intercepted = 1;
+    msr->rule_was_intercepted = 1;
    msr->intercept_phase = msr->phase;
    msr->intercept_actionset = actionset;
    msr->intercept_message = message;
@@ -1389,7 +1393,7 @@ apr_status_t msre_rule_process(msre_rule *rule, modsec_rec *msr) {
                        * was intercepted - no need to process the remaining
                        * targets.
                        */
-                        if (msr->was_intercepted) {
+                        if (msr->rule_was_intercepted) {
                            return RULE_MATCH;
                        }
                    }
@@ -1437,7 +1441,7 @@ apr_status_t msre_rule_process(msre_rule *rule, modsec_rec *msr) {
                 * was intercepted - no need to process the remaining
                 * targets.
                 */
-                if (msr->was_intercepted) {
+                if (msr->rule_was_intercepted) {
                    return RULE_MATCH;
                }
            }