From 48d85c7d6e6c4fd157b7766f2182bb5afcf5abf5 Mon Sep 17 00:00:00 2001
From: Felipe Zimmerle
Date: Fri, 1 Nov 2013 06:22:04 -0700
Subject: [PATCH] Places connection filter engine in a separated configuration

Different from the Rules or other options, the connections filters are applied to entire server, not to a single vhost, or so. In order to keep it clear to the user this patches adds "SecConnectionEngine" which works in the same way that SecRuleEngine does.
---
 apache2/apache2_config.c | 38 ++++++++++++++++++++++++++++++++++++--
 apache2/mod_security2.c  |  2 +-
 2 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
index 2ee70bfe..140401e2 100644
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -2141,6 +2141,34 @@ static const char *cmd_rule(cmd_parms *cmd, void *_dcfg,
     return add_rule(cmd, (directory_config *)_dcfg, RULE_TYPE_NORMAL, p1, p2, p3);
 }
 
+static const char *cmd_sever_conn_filters_engine(cmd_parms *cmd, void *_dcfg,
+    const char *p1)
+{
+    directory_config *dcfg = (directory_config *)_dcfg;
+
+    if (dcfg == NULL) return NULL;
+
+    if (strcasecmp(p1, "on") == 0)
+    {
+        conn_limits_filter_state = MODSEC_ENABLED;
+    }
+    else if (strcasecmp(p1, "off") == 0)
+    {
+        conn_limits_filter_state = MODSEC_DISABLED;
+    }
+    else if (strcasecmp(p1, "detectiononly") == 0)
+    {
+        conn_limits_filter_state = MODSEC_DETECTION_ONLY;
+    }
+    else
+    {
+        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
+            "SecConnectionEngine: %s", p1);
+    }
+
+    return NULL;
+}
+
 static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
 {
     directory_config *dcfg = (directory_config *)_dcfg;
@@ -2167,8 +2195,6 @@ static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
             "SecRuleEngine: %s", p1);
     }
 
-    conn_limits_filter_state = dcfg->is_enabled;
-
     return NULL;
 }
 
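Review bot: cmd_sever_conn_filters_engine writes the process-wide global conn_limits_filter_state (defined in mod_security2.c in this same patch) from a directive handler, so whichever occurrence of SecConnectionEngine Apache parses last silently wins for the whole server — a `SecConnectionEngine Off` in one vhost's config disables connection limiting for every vhost, which is easy to miss when the directive name suggests per-context behaviour. The handler should at least refuse to run outside the main server config, e.g. `if (cmd->server->is_virtual) return "ModSecurity: SecConnectionEngine is only valid in the main server configuration";` — hedged, since cmd_parms' server field and the surrounding scope macros are outside this hunk. dcfg is null-checked and then never used, so the early `return NULL` silently ignores the directive instead of reporting it; drop the dcfg lines or return an error string. The function name has a typo (`sever` for `server`); `cmd_server_conn_filters_engine` would match the other handlers, and a one-line comment such as `/* Sets the server-wide connection-limit engine state; not per-vhost. */` above it would document the intent stated in the commit message.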
@@ -3411,6 +3437,14 @@ const command_rec module_directives[] = {
         "On or Off"
     ),
 
+    AP_INIT_TAKE1 (
+        "SecConnectionEngine",
+        cmd_sever_conn_filters_engine,
+        NULL,
+        CMD_SCOPE_ANY,
+        "On or Off"
+    ),
+
     AP_INIT_TAKE1 (
         "SecXmlExternalEntity",
         cmd_xml_external_entity,
diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
index 8e90e64a..c0240ef5 100644
--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@@ -63,7 +63,7 @@ unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
 
 int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
 
-int DSOLOCAL conn_limits_filter_state = 0;
+int DSOLOCAL conn_limits_filter_state = MODSEC_DISABLED;
 
 unsigned long int DSOLOCAL conn_read_state_limit = 0;
 TreeRoot DSOLOCAL *conn_read_state_whitelist = 0;
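Review bot: The SecConnectionEngine entry is registered with CMD_SCOPE_ANY, yet the commit message says the connection filters apply to the entire server and its handler writes a single global; registering it for every context lets a <VirtualHost>, <Directory> or <Location> block flip server-wide enforcement, and if the file's CMD_SCOPE_* macros follow the usual pattern the server-config-only scope (presumably `CMD_SCOPE_MAIN`, i.e. RSRC_CONF — confirm against the macro definitions outside this hunk) is the right one. The help string `"On or Off"` also understates the handler, which accepts DetectionOnly as well; `"On, Off or DetectionOnly"` would match what the code does. Separately, with the default now MODSEC_DISABLED and the old coupling to SecRuleEngine removed in the first file, existing configurations that enabled connection limits via SecRuleEngine On alone will silently stop enforcing them after this patch, which is worth a changelog or reference-manual note so operators add the new directive.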