Merging 2.7.2 into master

This commit is contained in:
Breno Silva
2013-01-20 18:09:49 -04:00
parent 0e2b07b00e
commit 49c505156b
35 changed files with 9433 additions and 2607 deletions


@@ -66,6 +66,7 @@ mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
@PCRE_LDFLAGS@ @LIBXML2_LDFLAGS@ @LUA_LDFLAGS@
endif
if LINUX
install-exec-hook: $(pkglib_LTLIBRARIES)
@echo "Removing unused static libraries..."; \
for m in $(pkglib_LTLIBRARIES); do \
@@ -73,3 +74,12 @@ install-exec-hook: $(pkglib_LTLIBRARIES)
rm -f $(DESTDIR)$(pkglibdir)/$$base.*a; \
install -D -m444 $(DESTDIR)$(pkglibdir)/$$base.so $(DESTDIR)$(APXS_MODULES); \
done
else
install-exec-hook: $(pkglib_LTLIBRARIES)
@echo "Removing unused static libraries..."; \
for m in $(pkglib_LTLIBRARIES); do \
base=`echo $$m | sed 's/\..*//'`; \
rm -f $(DESTDIR)$(pkglibdir)/$$base.*a; \
cp -p $(DESTDIR)$(pkglibdir)/$$base.so $(DESTDIR)$(APXS_MODULES); \
done
endif
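Review bot: The new non-Linux `install-exec-hook` copies the module with `cp -p`, so the installed file keeps whatever mode the build produced, whereas the Linux branch forces mode 444 through `install -D -m444`; the permissions of the installed module therefore differ by platform. If `cp -p` is used because `install -D` is not portable, record that next to the branch, e.g. `# install -D is GNU-specific; other platforms copy and keep the build's mode`; otherwise follow the copy with `chmod 444 $(DESTDIR)$(APXS_MODULES)/$$base.so` (assuming APXS_MODULES is the modules directory) so both branches install the same mode.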


@@ -52,16 +52,13 @@ all: $(DLL)
dll: $(DLL)
mod_security2_config.h: mod_security2_config.hw
@type mod_security2_config.hw > modsecurity_config.h
.c.obj:
$(CC) $(CFLAGS) -c $< -Fo$@
.cpp.obj:
$(CC) $(CFLAGS) -c $< -Fo$@
$(DLL): mod_security2_config.h $(OBJS)
$(DLL): $(OBJS)
$(CC) $(CFLAGS) $(LDFLAGS) -LD $(OBJS) -Fe$(DLL) $(LIBS) /link
IF EXIST $(DLL).manifest $(MT) -manifest $(DLL).manifest -outputresource:$(DLL);2
@@ -69,4 +66,4 @@ install: $(DLL)
copy /Y $(DLL) $(APACHE)\modules
clean:
del $(OBJS) $(DLL) *.dll *.lib *.pdb *.idb *.ilk *.exp *.res *.rc *.bin mod_security2_config.h *.manifest
del $(OBJS) $(DLL) *.dll *.lib *.pdb *.idb *.ilk *.exp *.res *.rc *.bin *.manifest


@@ -265,7 +265,7 @@ static void internal_log_ex(request_rec *r, directory_config *dcfg, modsec_rec *
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r->server,
"[client %s] ModSecurity: %s%s [uri \"%s\"]%s", r->connection->client_ip, str1,
"[client %s] ModSecurity: %s%s [uri \"%s\"]%s", r->useragent_ip ? r->useragent_ip : r->connection->client_ip, str1,
hostname, log_escape(msr->mp, r->uri), unique_id);
#else
ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r->server,
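Review bot: The `[client %s]` field now prints `r->useragent_ip` whenever it is set and only falls back to `r->connection->client_ip`; on httpd 2.4 `useragent_ip` is intended to hold the address as possibly rewritten by modules such as mod_remoteip from a proxy-supplied header, so this error-log entry no longer necessarily identifies the TCP peer. For incident analysis it helps to keep the peer address too, e.g. extend the format with a `[peer %s]` field and pass `r->connection->client_ip` as an extra argument, or at least add a comment above the call such as `/* useragent_ip may differ from the connection peer when a remote-IP module is active */`. The `#else` branch of this `#if` and the rest of internal_log_ex lie outside the hunk.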


@@ -64,6 +64,9 @@ unsigned long int DSOLOCAL conn_read_state_limit = 0;
unsigned long int DSOLOCAL conn_write_state_limit = 0;
#if defined(WIN32) || defined(VERSION_NGINX)
int (*modsecDropAction)(request_rec *r) = NULL;
#endif
static int server_limit, thread_limit;
typedef struct {
@@ -250,11 +253,25 @@ int perform_interception(modsec_rec *msr) {
}
}
#else
log_level = 1;
status = HTTP_INTERNAL_SERVER_ERROR;
message = apr_psprintf(msr->mp, "Access denied with code 500%s "
"(Error: Connection drop not implemented on this platform).",
phase_text);
{
if (modsecDropAction == NULL) {
log_level = 1;
status = HTTP_INTERNAL_SERVER_ERROR;
message = apr_psprintf(msr->mp, "Access denied with code 500%s "
"(Error: Connection drop not implemented on this platform.",
phase_text);
} else if (modsecDropAction(msr->r) == 0) {
status = HTTP_FORBIDDEN;
message = apr_psprintf(msr->mp, "Access denied with connection close%s.",
phase_text);
} else {
log_level = 1;
status = HTTP_INTERNAL_SERVER_ERROR;
message = apr_psprintf(msr->mp, "Access denied with code 500%s "
"(Error: Connection drop request failed.",
phase_text);
}
}
#endif
break;
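Review bot: The two new messages drop the closing parenthesis that the replaced text had: `"(Error: Connection drop not implemented on this platform."` and `"(Error: Connection drop request failed."` both open a `(` that is never closed, so the logged text reads oddly and no longer matches the previous wording. Change them to `"(Error: Connection drop not implemented on this platform)."` and `"(Error: Connection drop request failed)."`. Separately, `modsecDropAction` is a non-static, writable function pointer (`int (*modsecDropAction)(request_rec *r) = NULL;`), so a one-line comment stating which wrapper is expected to assign it (presumably the IIS/nginx glue) would make the contract explicit. The `switch` this `break` belongs to and the `#if`/`#else` enclosing the block appear to start outside the hunk.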


@@ -276,7 +276,8 @@ static apr_status_t modsecurity_tx_cleanup(void *data) {
apr_status_t modsecurity_tx_init(modsec_rec *msr) {
const char *s = NULL;
const apr_array_header_t *arr;
char *_cookies = NULL;
char *semicolon = NULL;
char *comma = NULL;
apr_table_entry_t *te;
int i;
@@ -402,12 +403,27 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) {
for (i = 0; i < arr->nelts; i++) {
if (strcasecmp(te[i].key, "Cookie") == 0) {
if (msr->txcfg->cookie_format == COOKIES_V0) {
_cookies = apr_pstrdup(msr->mp, te[i].val);
while((*_cookies != 0)&&(*_cookies != ',')&&(*_cookies != ';')) _cookies++;
if(*_cookies == ',')
parse_cookies_v0(msr, te[i].val, msr->request_cookies, ",");
else
semicolon = apr_pstrdup(msr->mp, te[i].val);
while((*semicolon != 0)&&(*semicolon != ';')) semicolon++;
if(*semicolon == ';') {
parse_cookies_v0(msr, te[i].val, msr->request_cookies, ";");
} else {
comma = apr_pstrdup(msr->mp, te[i].val);
while((*comma != 0)&&(*comma != ',')) comma++;
if(*comma == ',') {
comma++;
if(*comma == 0x20) {// looks like comma is the separator
if (msr->txcfg->debuglog_level >= 5) {
msr_log(msr, 5, "Cookie v0 parser: Using comma as a separator. Semi-colon was not identified!");
}
parse_cookies_v0(msr, te[i].val, msr->request_cookies, ",");
} else {
parse_cookies_v0(msr, te[i].val, msr->request_cookies, ";");
}
} else {
parse_cookies_v0(msr, te[i].val, msr->request_cookies, ";");
}
}
} else {
parse_cookies_v1(msr, te[i].val, msr->request_cookies);
}
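Review bot: The new separator detection duplicates the whole Cookie header with `apr_pstrdup` twice (`semicolon = apr_pstrdup(msr->mp, te[i].val);` and `comma = apr_pstrdup(msr->mp, te[i].val);`) only to scan it read-only, and then calls `parse_cookies_v0` with `";"` from three different branches. A `strchr` on `te[i].val` gives the same answer without the pool copies, the two `char *` locals added in the first hunk (`semicolon`, `comma`) become unnecessary, and the fallback collapses to a single call; the heuristic (a comma counts as separator only when no semicolon is present and the first comma is followed by a space) also deserves a comment, since it is easy to misread as a plain comma check. The rewrite below preserves the exact branch outcomes and the level-5 debug message; it assumes `strchr` is already in scope through the file's existing includes. The enclosing `for` loop, the `if (strcasecmp(...) == 0)` and modsecurity_tx_init itself begin outside the hunk.
```c
if (msr->txcfg->cookie_format == COOKIES_V0) {
    /* v0 cookies are normally ';'-separated; fall back to ',' only when no
     * ';' is present and the first ',' is followed by a space (same
     * heuristic as before, without copying the header). */
    const char *sep = ";";
    if (strchr(te[i].val, ';') == NULL) {
        const char *comma = strchr(te[i].val, ',');
        if (comma != NULL && comma[1] == ' ') {
            if (msr->txcfg->debuglog_level >= 5) {
                msr_log(msr, 5, "Cookie v0 parser: Using comma as a separator. Semi-colon was not identified!");
            }
            sep = ",";
        }
    }
    parse_cookies_v0(msr, te[i].val, msr->request_cookies, sep);
    /* … unchanged: else branch calling parse_cookies_v1 … */
```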


@@ -1 +1,28 @@
/* This file is left empty for building on Windows. */
/* Some APR files define PACKAGE* constants, which may conflict
* so this is here to prevent that by removing them.
*/
#ifndef WIN32
/* Undefine all these so there are no conflicts */
#undef PACKAGE
#undef PACKAGE_BUGREPORT
#undef PACKAGE_NAME
#undef PACKAGE_STRING
#undef PACKAGE_TARNAME
#undef PACKAGE_URL
#undef PACKAGE_VERSION
/* Include the real autoconf header */
#include "modsecurity_config_auto.h"
/* Undefine all these (again) so there are no conflicts */
#undef PACKAGE
#undef PACKAGE_BUGREPORT
#undef PACKAGE_NAME
#undef PACKAGE_STRING
#undef PACKAGE_TARNAME
#undef PACKAGE_URL
#undef PACKAGE_VERSION
#endif


@@ -79,7 +79,11 @@ static int lua_restore(lua_State *L, msc_script *script) {
dumpr.script = script;
dumpr.index = 0;
#if LUA_VERSION_NUM > 501
return lua_load(L, dump_reader, &dumpr, script->name, NULL);
#else
return lua_load(L, dump_reader, &dumpr, script->name);
#endif
}
/**
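Review bot: The Lua 5.2 branch passes `NULL` as the new `mode` argument of `lua_load`, which accepts both source text and precompiled chunks. If `dump_reader` only ever replays bytecode this module produced itself from `script` (the names `dump_reader`/`dumpr` suggest so, but the reader is outside the hunk), `"b"` would restrict loading to binary chunks, e.g. `return lua_load(L, dump_reader, &dumpr, script->name, "b");`, and a short comment above the `#if` should record the choice either way. lua_restore begins outside the hunk; only its tail is visible.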


@@ -38,7 +38,7 @@
#define MODSEC_VERSION_MAJOR "2"
#define MODSEC_VERSION_MINOR "7"
#define MODSEC_VERSION_MAINT "1"
#define MODSEC_VERSION_MAINT "2"
#define MODSEC_VERSION_TYPE ""
#define MODSEC_VERSION_RELEASE ""
@@ -50,7 +50,7 @@
/* Apache Module Defines */
#ifdef VERSION_IIS
#define MODSEC_MODULE_NAME "ModSecurity for IIS (Beta)"
#define MODSEC_MODULE_NAME "ModSecurity for IIS (STABLE)"
#else
#ifdef VERSION_NGINX
#define MODSEC_MODULE_NAME "ModSecurity for nginx (Beta)"


@@ -14,10 +14,14 @@
#include <stdio.h>
#include <stdlib.h>
#if APR_HAVE_STDINT_H
#include <stdint.h>
#endif
#include <string.h>
#if !defined(WIN32) || !defined(WINNT)
#if APR_HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#if APR_HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
#include "apr_lib.h"
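Review bot: The new guards `#if APR_HAVE_STDINT_H`, `#if APR_HAVE_NETINET_IN_H` and `#if APR_HAVE_ARPA_INET_H` only work if `apr.h`, which defines those macros, has been included before this point; in the visible lines the first APR header, `apr_lib.h`, comes after them, so unless an include outside the hunk already pulls in `apr.h`, the three macros evaluate to 0 and `<stdint.h>`, `<netinet/in.h>` and `<arpa/inet.h>` are silently skipped. Add `#include "apr.h"` ahead of the first guard, or move the guarded includes below `#include "apr_lib.h"`. The same construct appears in the later section whose first hunk is `@@ -23,7 +23,7 @@` (the `#if APR_HAVE_ARPA_INET_H` after `#include "msc_crypt.h"`).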


@@ -834,7 +834,9 @@ char *m_strcasestr(const char *haystack, const char *needle) {
int inet_pton(int family, const char *src, void *dst) {
struct addrinfo addr;
struct sockaddr_in *in = NULL;
#if APR_HAVE_IPV6
struct sockaddr_in6 *in6 = NULL;
#endif
struct addrinfo *addr_info = NULL;
memset(&addr, 0, sizeof(struct addrinfo));
@@ -849,11 +851,13 @@ int inet_pton(int family, const char *src, void *dst) {
if(in != NULL)
memcpy(dst, &in->sin_addr, 4);
}
#if APR_HAVE_IPV6
else if (addr_info->ai_family == AF_INET6) {
in6 = (struct sockaddr_in6*)addr_info->ai_addr;
if(in6 != NULL)
memcpy(dst, &in6->sin6_addr, 16);
}
#endif
else {
freeaddrinfo(addr_info);
return -1;
@@ -1202,7 +1206,26 @@ char *log_escape(apr_pool_t *mp, const char *text) {
}
char *log_escape_nq(apr_pool_t *mp, const char *text) {
#ifdef VERSION_IIS
int l = 0;
// this is a workaround for unknown bug that causes 'text' sometimes to lack zero-termination
//
__try
{
l = text ? strlen(text) : 0;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
l = -1;
}
if(l < 0)
return _log_escape(mp, "BUG: see log_escape_nq()", 24, 0, 0, 0);
return _log_escape(mp, (const unsigned char *)text, l, 0, 0, 0);
#else
return _log_escape(mp, (const unsigned char *)text, text ? strlen(text) : 0, 0, 0, 0);
#endif
}
char *log_escape_ex(apr_pool_t *mp, const char *text, unsigned long int text_length) {
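Review bot: The `__try`/`__except(EXCEPTION_EXECUTE_HANDLER)` around `strlen(text)` in log_escape_nq catches every structured exception, not only the access violation the comment describes, and turns a latent read past an unterminated buffer into a silently substituted log string; the missing terminator itself stays unfixed and unreported. At minimum narrow the filter to `__except(GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH)` so other faults still propagate, and consider emitting a diagnostic when the handler fires so the condition becomes observable in the error log rather than only as a `BUG:` marker inside escaped output. Also `int l` receives a `size_t` from `strlen`, so the signed sentinel scheme truncates very long inputs; a separate `int failed` flag with `size_t l` avoids that. The function is fully visible in the hunk.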


@@ -23,7 +23,7 @@
#include "msc_tree.h"
#include "msc_crypt.h"
#if !defined(WIN32) || !defined(WINNT)
#if APR_HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
@@ -305,7 +305,9 @@ static int msre_op_ipmatchFromFile_param_init(msre_rule *rule, char **error_msg)
static int msre_op_ipmatchFromFile_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
TreeRoot *rtree = rule->op_param_data;
struct in_addr in;
#if APR_HAVE_IPV6
struct in6_addr in6;
#endif
if (error_msg == NULL)
return -1;
@@ -336,6 +338,7 @@ static int msre_op_ipmatchFromFile_execute(modsec_rec *msr, msre_rule *rule, msr
return 1;
}
}
#if APR_HAVE_IPV6
else {
if (inet_pton(AF_INET6, var->value, &in6) <= 0) {
if (msr->txcfg->debuglog_level >= 9) {
@@ -350,6 +353,7 @@ static int msre_op_ipmatchFromFile_execute(modsec_rec *msr, msre_rule *rule, msr
return 1;
}
}
#endif
return 0;
}
@@ -760,7 +764,8 @@ static int msre_op_validateHash_param_init(msre_rule *rule, char **error_msg) {
"Rule %pp [id \"%s\"][file \"%s\"][line \"%d\"] - "
"Execution error - "
"Does not support JIT (%d)",
rule,((rule->actionset != NULL)&&(rule->actionset->id != NULL)) ? rule->actionset->id : "-",
rule,((rule->actionset != NULL)&&((rule->actionset->id != NULL)&&
(rule->actionset->id != NOT_SET_P))) ? rule->actionset->id : "-",
rule->filename != NULL ? rule->filename : "-",
rule->line_num,rc);
}
@@ -850,7 +855,8 @@ static int msre_op_validateHash_execute(modsec_rec *msr, msre_rule *rule, msre_v
"Rule %pp [id \"%s\"][file \"%s\"][line \"%d\"] - "
"Execution error - "
"Does not support JIT (%d)",
rule,((rule->actionset != NULL)&&(rule->actionset->id != NULL)) ? rule->actionset->id : "-",
rule,((rule->actionset != NULL)&&((rule->actionset->id != NULL)&&
(rule->actionset->id != NOT_SET_P))) ? rule->actionset->id : "-",
rule->filename != NULL ? rule->filename : "-",
rule->line_num,rc);
msr_log(msr, 4, "%s.", *error_msg);
@@ -1001,7 +1007,8 @@ static int msre_op_rx_param_init(msre_rule *rule, char **error_msg) {
"Rule %pp [id \"%s\"][file \"%s\"][line \"%d\"] - "
"Execution error - "
"Does not support JIT (%d)",
rule,((rule->actionset != NULL)&&(rule->actionset->id != NULL)) ? rule->actionset->id : "-",
rule,((rule->actionset != NULL)&&((rule->actionset->id != NULL)&&
(rule->actionset->id != NOT_SET_P))) ? rule->actionset->id : "-",
rule->filename != NULL ? rule->filename : "-",
rule->line_num,rc);
}
@@ -1081,7 +1088,8 @@ static int msre_op_rx_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, c
"Rule %pp [id \"%s\"][file \"%s\"][line \"%d\"] - "
"Execution error - "
"Does not support JIT (%d)",
rule,((rule->actionset != NULL)&&(rule->actionset->id != NULL)) ? rule->actionset->id : "-",
rule,((rule->actionset != NULL)&&((rule->actionset->id != NULL)&&
(rule->actionset->id != NOT_SET_P))) ? rule->actionset->id : "-",
rule->filename != NULL ? rule->filename : "-",
rule->line_num,rc);
msr_log(msr, 4, "%s.", *error_msg);
@@ -2708,7 +2716,8 @@ static int msre_op_verifyCC_execute(modsec_rec *msr, msre_rule *rule, msre_var *
"Rule %pp [id \"%s\"][file \"%s\"][line \"%d\"] - "
"Execution error - "
"Does not support JIT (%d)",
rule,((rule->actionset != NULL)&&(rule->actionset->id != NULL)) ? rule->actionset->id : "-",
rule,((rule->actionset != NULL)&&((rule->actionset->id != NULL)&&
(rule->actionset->id != NOT_SET_P))) ? rule->actionset->id : "-",
rule->filename != NULL ? rule->filename : "-",
rule->line_num,rc);
msr_log(msr, 4, "%s.", *error_msg);
@@ -2874,7 +2883,7 @@ static int cpf_verify(const char *cpfnumber, int len) {
"88888888888",
"99999999999"};
while((*cpfnumber != '\0') && ( var_len >= 0)) {
while((*cpfnumber != '\0') && ( var_len > 0)) {
if(*cpfnumber != '-' || *cpfnumber != '.') {
if(i < cpf_len && isdigit(*cpfnumber)) {
@@ -2888,7 +2897,7 @@ static int cpf_verify(const char *cpfnumber, int len) {
}
if (strlen(s_cpf) != cpf_len || i != cpf_len-1)
if (i != cpf_len)
return 0;
else {
for(i = 0; i< cpf_len; i++) {
@@ -3016,7 +3025,8 @@ static int msre_op_verifyCPF_execute(modsec_rec *msr, msre_rule *rule, msre_var
"Rule %pp [id \"%s\"][file \"%s\"][line \"%d\"] - "
"Execution error - "
"Does not support JIT (%d)",
rule,((rule->actionset != NULL)&&(rule->actionset->id != NULL)) ? rule->actionset->id : "-",
rule,((rule->actionset != NULL)&&((rule->actionset->id != NULL)&&
(rule->actionset->id != NOT_SET_P))) ? rule->actionset->id : "-",
rule->filename != NULL ? rule->filename : "-",
rule->line_num,rc);
msr_log(msr, 4, "%s.", *error_msg);
@@ -3307,7 +3317,8 @@ static int msre_op_verifySSN_execute(modsec_rec *msr, msre_rule *rule, msre_var
"Rule %pp [id \"%s\"][file \"%s\"][line \"%d\"] - "
"Execution error - "
"Does not support JIT (%d)",
rule,((rule->actionset != NULL)&&(rule->actionset->id != NULL)) ? rule->actionset->id : "-",
rule,((rule->actionset != NULL)&&((rule->actionset->id != NULL)&&
(rule->actionset->id != NOT_SET_P))) ? rule->actionset->id : "-",
rule->filename != NULL ? rule->filename : "-",
rule->line_num,rc);
msr_log(msr, 4, "%s.", *error_msg);