mirror of
https://github.com/owasp-modsecurity/ModSecurity.git
synced 2025-08-13 21:36:00 +03:00
parent
cd51a10046
commit
476684e6ec
@ -554,21 +554,24 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, const char *
|
||||
if (dcfg->tmp_default_actionset == NULL) return FATAL_ERROR;
|
||||
}
|
||||
|
||||
/* Merge actions with the parent. */
|
||||
rule->actionset = msre_actionset_merge(modsecurity->msre, dcfg->tmp_default_actionset,
|
||||
rule->actionset, 1);
|
||||
/* Check some cases prior to merging so we know where it came from */
|
||||
|
||||
/* Must NOT specify a disruptive action in logging phase. */
|
||||
if (rule->actionset->phase == PHASE_LOGGING && (rule->actionset->intercept_action != ACTION_ALLOW && rule->actionset->intercept_action != ACTION_NONE)) {
|
||||
return apr_psprintf(cmd->pool, "ModSecurity: Disruptive actions "
|
||||
"cannot be specified in the logging phase. %d", rule->actionset->intercept_action);
|
||||
}
|
||||
|
||||
/* Check syntax for chained rules */
|
||||
if (dcfg->tmp_chain_starter != NULL) {
|
||||
/* This rule is part of a chain. */
|
||||
|
||||
/* Must NOT specify a disruptive action. */
|
||||
if (rule->actionset->intercept_action == NOT_SET) {
|
||||
if (rule->actionset->intercept_action != NOT_SET) {
|
||||
return apr_psprintf(cmd->pool, "ModSecurity: Disruptive actions can only "
|
||||
"be specified by chain starter rules.");
|
||||
}
|
||||
|
||||
/* Must NOT specify a phase. */
|
||||
if (rule->actionset->phase == NOT_SET) {
|
||||
if (rule->actionset->phase != NOT_SET) {
|
||||
return apr_psprintf(cmd->pool, "ModSecurity: Execution phases can only be "
|
||||
"specified by chain starter rules.");
|
||||
}
|
||||
@ -593,6 +596,13 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, const char *
|
||||
rule->actionset->phase = rule->chain_starter->actionset->phase;
|
||||
}
|
||||
|
||||
/* Merge actions with the parent.
|
||||
*
|
||||
* ENH Probably do not want this done fully for chained rules.
|
||||
*/
|
||||
rule->actionset = msre_actionset_merge(modsecurity->msre, dcfg->tmp_default_actionset,
|
||||
rule->actionset, 1);
|
||||
|
||||
if (rule->actionset->is_chained != 1) {
|
||||
/* If this rule is part of the chain but does
|
||||
* not want more rules to follow in the chain
|
||||
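Review bot: The logging-phase check under "Check some cases prior to merging" appears to run before the `msre_actionset_merge` call that the second hunk places after the chain checks; this reading relies on the line order shown here, because the +/- markers are lost on this page. At that point `rule->actionset` holds only what the rule itself specified, so a disruptive action or a logging phase inherited from SecDefaultAction would not be caught, although the documentation text in this same commit calls that case a configuration error; a rule that names the logging phase but leaves `intercept_action` at `NOT_SET` might also be rejected, if `NOT_SET` differs from `ACTION_NONE`, which is not visible here. I would keep only the chain-starter checks ahead of the merge and move the `PHASE_LOGGING` test to just after it, so it validates the effective action set the rule will run with. The trailing ` %d` in the error string prints the raw action value and looks like a debugging leftover. add_rule's body starts and ends outside these hunks.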
|
@ -1090,7 +1090,9 @@ SecAuditLogStorageDir logs/audit
|
||||
<para><emphasis>Dependencies/Notes:</emphasis> Rules following a
|
||||
SecDefaultAction directive will inherit this setting unless a specific
|
||||
action is specified for an indivdual rule or until another
|
||||
SecDefaultAction is specified.</para>
|
||||
SecDefaultAction is specified. Take special note that in the logging
|
||||
disruptive actions are not allowed, but this can inadvertantly be
|
||||
inherited using a disruptive action in SecDefaultAction.</para>
|
||||
|
||||
<para>The default value is:</para>
|
||||
|
||||
@ -2090,7 +2092,9 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,<emphasis>phase:1</emphasis>"</programl
|
||||
This phase can be used to inspect the error messages logged by Apache.
|
||||
You can not deny/block connections in this phase as it is too late. This
|
||||
phase also allows for inspection of other response headers that weren't
|
||||
available during phase:3 or phase:4.</para>
|
||||
available during phase:3 or phase:4. Note that you must be careful
|
||||
not to inherit a disruptive action into a rule in this phase as this
|
||||
is a configuration error in ModSecurity 2.5.0 and later versions.</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
|