Stricter configuration parsing. See #66 and #429.

apache2/apache2_config.c

@@ -554,21 +554,24 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, const char *
         if (dcfg->tmp_default_actionset == NULL) return FATAL_ERROR;
     }
 
-    /* Merge actions with the parent. */
+    /* Check some cases prior to merging so we know where it came from */
-    rule->actionset = msre_actionset_merge(modsecurity->msre, dcfg->tmp_default_actionset,
-        rule->actionset, 1);
 
+    /* Must NOT specify a disruptive action in logging phase. */
+    if (rule->actionset->phase == PHASE_LOGGING && (rule->actionset->intercept_action != ACTION_ALLOW && rule->actionset->intercept_action != ACTION_NONE)) {
+        return apr_psprintf(cmd->pool, "ModSecurity: Disruptive actions "
+            "cannot be specified in the logging phase. %d", rule->actionset->intercept_action);
+    }
+
+    /* Check syntax for chained rules */
     if (dcfg->tmp_chain_starter != NULL) {
-        /* This rule is part of a chain. */
-
         /* Must NOT specify a disruptive action. */
-        if (rule->actionset->intercept_action == NOT_SET) {
+        if (rule->actionset->intercept_action != NOT_SET) {
             return apr_psprintf(cmd->pool, "ModSecurity: Disruptive actions can only "
                 "be specified by chain starter rules.");
         }
 
         /* Must NOT specify a phase. */
-        if (rule->actionset->phase == NOT_SET) {
+        if (rule->actionset->phase != NOT_SET) {
             return apr_psprintf(cmd->pool, "ModSecurity: Execution phases can only be "
                 "specified by chain starter rules.");
         }
@@ -593,6 +596,13 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, const char *
         rule->actionset->phase = rule->chain_starter->actionset->phase;
     }
 
+    /* Merge actions with the parent.
+     *
+     * ENH Probably do not want this done fully for chained rules.
+     */
+    rule->actionset = msre_actionset_merge(modsecurity->msre, dcfg->tmp_default_actionset,
+        rule->actionset, 1);
+
     if (rule->actionset->is_chained != 1) {
         /* If this rule is part of the chain but does
          * not want more rules to follow in the chain

doc/modsecurity2-apache-reference.xml

@@ -1090,7 +1090,9 @@ SecAuditLogStorageDir logs/audit
       <para><emphasis>Dependencies/Notes:</emphasis> Rules following a
       SecDefaultAction directive will inherit this setting unless a specific
       action is specified for an indivdual rule or until another
-      SecDefaultAction is specified.</para>
+      SecDefaultAction is specified.  Take special note that in the logging
+      disruptive actions are not allowed, but this can inadvertantly be
+      inherited using a disruptive action in SecDefaultAction.</para>
 
       <para>The default value is:</para>
 
@@ -2090,7 +2092,9 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,<emphasis>phase:1</emphasis>"</programl
       This phase can be used to inspect the error messages logged by Apache.
       You can not deny/block connections in this phase as it is too late. This
       phase also allows for inspection of other response headers that weren't
-      available during phase:3 or phase:4.</para>
+      available during phase:3 or phase:4.  Note that you must be careful
+      not to inherit a disruptive action into a rule in this phase as this
+      is a configuration error in ModSecurity 2.5.0 and later versions.</para>
     </section>
   </section>