Cleanup building actionsets and use minimal default. See #445.

Fully resolve all rules before logging.

CHANGES

@@ -10,7 +10,8 @@
  * No longer log the query portion of the URI in the error log as
    it may contain sensitive data.
 
- * There are no longer any default transformations performed.
+ * The default action is now a minimal "phase:2,log,pass" with no default
+   transformations performed.
 
  * Implemented SecRuleUpdateActionById.
 

apache2/apache2_config.c

@@ -708,6 +708,9 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type,
         apr_table_unset(dcfg->tmp_rule_placeholders, rule->actionset->id);
     }
         
+    /* Update the unparsed rule */
+    rule->unparsed = msre_rule_generate_unparsed(dcfg->ruleset->mp, rule, NULL, NULL, NULL);
+
     return NULL;    
 }
 
@@ -790,7 +793,7 @@ static const char *update_rule_action(cmd_parms *cmd, directory_config *dcfg,
 
     /* Create a new actionset */
     new_actionset = msre_actionset_create(modsecurity->msre, p2, &my_error_msg);
-    if (dcfg->tmp_default_actionset == NULL) return FATAL_ERROR;
+    if (new_actionset == NULL) return FATAL_ERROR;
     if (my_error_msg != NULL) return my_error_msg;
 
     /* Must NOT change an id */
@@ -1098,11 +1101,13 @@ static const char *cmd_default_action(cmd_parms *cmd, void *_dcfg, const char *p
     }
 
     /* Must specify a disruptive action. */
+    /* ENH: Remove this requirement? */
     if (dcfg->tmp_default_actionset->intercept_action == NOT_SET) {
         return apr_psprintf(cmd->pool, "ModSecurity: SecDefaultAction must specify a disruptive action.");
     }
 
     /* Must specify a phase. */
+    /* ENH: Remove this requirement? */
     if (dcfg->tmp_default_actionset->phase == NOT_SET) {
         return apr_psprintf(cmd->pool, "ModSecurity: SecDefaultAction must specify a phase.");
     }
@@ -1131,6 +1136,12 @@ static const char *cmd_default_action(cmd_parms *cmd, void *_dcfg, const char *p
             "contain a skip action.");
     }
 
+    /* Must not use skipAfter. */
+    if (dcfg->tmp_default_actionset->skip_after != NOT_SET_P) {
+        return apr_psprintf(cmd->pool, "ModSecurity: SecDefaultAction must not "
+            "contain a skipAfter action.");
+    }
+
     return NULL;
 }
 

apache2/re.c

@@ -645,7 +645,7 @@ msre_actionset *msre_actionset_merge(msre_engine *engine, msre_actionset *parent
 msre_actionset *msre_actionset_create_default(msre_engine *engine) {
     char  *my_error_msg = NULL;
     return msre_actionset_create(engine,
-        "log,auditlog,deny,status:403,phase:2",
+        "phase:2,log,pass",
         &my_error_msg);
 }
 
@@ -677,7 +677,7 @@ void msre_actionset_set_defaults(msre_actionset *actionset) {
     if (actionset->intercept_pause == NOT_SET) actionset->intercept_pause = 0;
 
     /* Other */
-    if (actionset->auditlog == NOT_SET) actionset->auditlog = 1;
+    if (actionset->auditlog == NOT_SET) actionset->auditlog = 0;
     if (actionset->log == NOT_SET) actionset->log = 1;
 }
 

doc/modsecurity2-apache-reference.xml

@@ -1118,9 +1118,9 @@ SecAuditLogStorageDir logs/audit
       disruptive actions are not allowed, but this can inadvertently be
       inherited using a disruptive action in SecDefaultAction.</para>
 
-      <para>The default value is:</para>
+      <para>The default value is minimal (differing from previous versions):</para>
 
-      <programlisting format="linespecific">SecDefaultAction log,auditlog,deny,status:403,phase:2,t:none</programlisting>
+      <programlisting format="linespecific">SecDefaultAction phase:2,log,pass</programlisting>
 
       <para><emphasis>Note</emphasis></para>
 
@@ -5721,4 +5721,4 @@ Server: Apache/2.x.x
       </section>
     </section>
   </section>
-</article>
+</article>