github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-09-29 11:16:33 +03:00
Code Issues Packages Projects Releases Wiki Activity

move 2.5.13 into trunk

Browse Source
This commit is contained in:
brenosilva
2010-12-08 18:58:18 +00:00
parent df61af4627
commit 549f059480
50 changed files with 550 additions and 178 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
apache2/mod_security2.c
View File

@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
* Copyright (c) 2004-2010 Breach Security, Inc. (http://www.breach.com/)
* Copyright (c) 2004-2010 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* This product is released under the terms of the General Public Licence,
* version 2 (GPLv2). Please refer to the file LICENSE (included with this
@@ -12,8 +12,8 @@
* distribution.
*
* If any of the files related to licensing are missing or if you have any
* other questions related to licensing please contact Breach Security, Inc.
* directly using the email address support@breach.com.
* other questions related to licensing please contact Trustwave Holdings, Inc.
* directly using the email address support@trustwave.com.
*
*/
#include <limits.h>
@@ -31,6 +31,8 @@
#include "msc_logging.h"
#include "msc_util.h"
#include "ap_mpm.h"
#include "scoreboard.h"
/* ModSecurity structure */
@@ -56,6 +58,15 @@ unsigned long int DSOLOCAL msc_pcre_match_limit = 0;
unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
unsigned long int DSOLOCAL conn_read_state_limit = 0;
static int server_limit, thread_limit;
typedef struct {
int child_num;
int thread_num;
} sb_handle;
/* -- Miscellaneous functions -- */
/**
@@ -1101,6 +1112,60 @@ static void modsec_register_operator(const char *name, void *fn_init, void *fn_e
}
}
/*
* \brief Connetion hook to limit the number of
* connections in BUSY state
*
* \param conn Pointer to connection struct
*
* \retval DECLINED On failure
* \retval OK On Success
*/
static int hook_connection_early(conn_rec *conn)
{
sb_handle *sb = conn->sbh;
int i, j;
unsigned long int ip_count = 0;
worker_score *ws_record = NULL;
if(sb != NULL && conn_read_state_limit > 0) {
ws_record = &ap_scoreboard_image->servers[sb->child_num][sb->thread_num];
if(ws_record == NULL)
return DECLINED;
apr_cpystrn(ws_record->client, conn->remote_ip, sizeof(ws_record->client));
for (i = 0; i < server_limit; ++i) {
for (j = 0; j < thread_limit; ++j) {
ws_record = ap_get_scoreboard_worker(i, j);
if(ws_record == NULL)
return DECLINED;
switch (ws_record->status) {
case SERVER_BUSY_READ:
if (strcmp(conn->remote_ip, ws_record->client) == 0)
ip_count++;
break;
default:
break;
}
}
}
if (ip_count > conn_read_state_limit) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "ModSecurity: Access denied with code 400. Too many threads [%ld] of %ld allowed in READ state from %s - Possible DoS Consumption Attack [Rejected]", ip_count,conn_read_state_limit,conn->remote_ip);
return OK;
} else {
return DECLINED;
}
}
return DECLINED;
}
/**
* This function is exported for other Apache modules to
* register new variables.
@@ -1191,6 +1256,10 @@ static void register_hooks(apr_pool_t *mp) {
APR_REGISTER_OPTIONAL_FN(modsec_register_reqbody_processor);
#endif
/* For connection level hook */
ap_mpm_query(AP_MPMQ_HARD_LIMIT_THREADS, &thread_limit);
ap_mpm_query(AP_MPMQ_HARD_LIMIT_DAEMONS, &server_limit);
/* Main hooks */
ap_hook_pre_config(hook_pre_config, NULL, NULL, APR_HOOK_FIRST);
ap_hook_post_config(hook_post_config, postconfig_beforeme_list,
@@ -1201,6 +1270,9 @@ static void register_hooks(apr_pool_t *mp) {
* // ap_hook_handler(hook_handler, NULL, NULL, APR_HOOK_MIDDLE);
*/
/* Connection processing hooks */
ap_hook_process_connection(hook_connection_early, NULL, NULL, APR_HOOK_FIRST);
/* Transaction processing hooks */
ap_hook_post_read_request(hook_request_early,
postread_beforeme_list, postread_afterme_list, APR_HOOK_REALLY_FIRST);