Cleanup building actionsets and use minimal default. See #445.

Fully resolve all rules before logging.
2025-08-14 05:45:59 +03:00 · 2008-01-25 04:52:49 +00:00 · 2008-01-25 04:52:49 +00:00 · 52ccced72b
commit 52ccced72b
parent 946a350043
4 changed files with 19 additions and 7 deletions
--- a/3
+++ b/3
@ -10,7 +10,8 @@
 * No longer log the query portion of the URI in the error log as
   it may contain sensitive data.
- * There are no longer any default transformations performed.
+ * The default action is now a minimal "phase:2,log,pass" with no default
   transformations performed.
 * Implemented SecRuleUpdateActionById.
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@ -708,6 +708,9 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type,
        apr_table_unset(dcfg->tmp_rule_placeholders, rule->actionset->id);
    }
    /* Update the unparsed rule */
    rule->unparsed = msre_rule_generate_unparsed(dcfg->ruleset->mp, rule, NULL, NULL, NULL);
    return NULL;    
 }
@ -790,7 +793,7 @@ static const char *update_rule_action(cmd_parms *cmd, directory_config *dcfg,
    /* Create a new actionset */
    new_actionset = msre_actionset_create(modsecurity->msre, p2, &my_error_msg);
-    if (dcfg->tmp_default_actionset == NULL) return FATAL_ERROR;
+    if (new_actionset == NULL) return FATAL_ERROR;
    if (my_error_msg != NULL) return my_error_msg;
    /* Must NOT change an id */
@ -1098,11 +1101,13 @@ static const char *cmd_default_action(cmd_parms *cmd, void *_dcfg, const char *p
    }
    /* Must specify a disruptive action. */
    /* ENH: Remove this requirement? */
    if (dcfg->tmp_default_actionset->intercept_action == NOT_SET) {
        return apr_psprintf(cmd->pool, "ModSecurity: SecDefaultAction must specify a disruptive action.");
    }
    /* Must specify a phase. */
    /* ENH: Remove this requirement? */
    if (dcfg->tmp_default_actionset->phase == NOT_SET) {
        return apr_psprintf(cmd->pool, "ModSecurity: SecDefaultAction must specify a phase.");
    }
@ -1131,6 +1136,12 @@ static const char *cmd_default_action(cmd_parms *cmd, void *_dcfg, const char *p
            "contain a skip action.");
    }
    /* Must not use skipAfter. */
    if (dcfg->tmp_default_actionset->skip_after != NOT_SET_P) {
        return apr_psprintf(cmd->pool, "ModSecurity: SecDefaultAction must not "
            "contain a skipAfter action.");
    }
    return NULL;
 }
--- a/apache2/re.c
+++ b/apache2/re.c
@ -645,7 +645,7 @@ msre_actionset *msre_actionset_merge(msre_engine *engine, msre_actionset *parent
 msre_actionset *msre_actionset_create_default(msre_engine *engine) {
    char  *my_error_msg = NULL;
    return msre_actionset_create(engine,
-        "log,auditlog,deny,status:403,phase:2",
+        "phase:2,log,pass",
        &my_error_msg);
 }
@ -677,7 +677,7 @@ void msre_actionset_set_defaults(msre_actionset *actionset) {
    if (actionset->intercept_pause == NOT_SET) actionset->intercept_pause = 0;
    /* Other */
-    if (actionset->auditlog == NOT_SET) actionset->auditlog = 1;
+    if (actionset->auditlog == NOT_SET) actionset->auditlog = 0;
    if (actionset->log == NOT_SET) actionset->log = 1;
 }
--- a/doc/modsecurity2-apache-reference.xml
+++ b/doc/modsecurity2-apache-reference.xml
@ -1118,9 +1118,9 @@ SecAuditLogStorageDir logs/audit
      disruptive actions are not allowed, but this can inadvertently be
      inherited using a disruptive action in SecDefaultAction.</para>
-      <para>The default value is:</para>
+      <para>The default value is minimal (differing from previous versions):</para>
-      <programlisting format="linespecific">SecDefaultAction log,auditlog,deny,status:403,phase:2,t:none</programlisting>
+      <programlisting format="linespecific">SecDefaultAction phase:2,log,pass</programlisting>
      <para><emphasis>Note</emphasis></para>
@ -5721,4 +5721,4 @@ Server: Apache/2.x.x
      </section>
    </section>
  </section>
-</article>
+</article>