Sync up trunk with changes from 2.5.x.

CHANGES

@@ -1,3 +1,24 @@
+19 Mar 2008 - 2.5.1-breach1
+---------------------------
+
+ * Allow HTTP_* targets as an alias for REQUEST_HEADERS:*.
+
+
+14 Mar 2008 - 2.5.1
+-------------------
+
+ * Fixed an issue where a match would not occur if transformation caching
+   was enabled.
+
+ * Using "severity" in a default action is now just a warning.
+
+ * Cleaned up the "make test" target to better locate headers/libraries.
+
+ * Now search /usr/lib64 and /usr/lib32 for lua libs.
+
+ * No longer treat warnings as errors by default (use --enable-strict-compile).
+
+
 19 Feb 2008 - 2.5.0
 -------------------
 

apache2/Makefile.in

@@ -26,6 +26,7 @@ MODSEC_APXS_EXTRA_CFLAGS = @MODSEC_APXS_EXTRA_CFLAGS@
 
 APXS = @APXS@
 APXS_WRAPPER = @APXS_WRAPPER@
+APXS_INCLUDEDIR = @APXS_INCLUDEDIR@
 APXS_INCLUDES = @APXS_INCLUDES@
 APXS_CFLAGS = @APXS_CFLAGS@
 APXS_LDFLAGS = @APXS_LDFLAGS@
@@ -112,7 +113,7 @@ mlogc-static:
 
 ### Experimental Test Framework (*NIX only right now)
 msc_test.lo: msc_test.c
-	$(LIBTOOL) --mode=compile $(CC) $(APXS_CFLAGS) $(EXTRA_CFLAGS) $(MODSEC_EXTRA_CFLAGS) $(CPPFLAGS) $(APR_CFLAGS) $(APU_CFLAGS) -o msc_test.lo -c msc_test.c
+	$(LIBTOOL) --mode=compile $(CC) $(APXS_INCLUDES) $(APXS_CFLAGS) $(EXTRA_CFLAGS) $(MODSEC_EXTRA_CFLAGS) $(CPPFLAGS) $(APR_CFLAGS) $(APU_CFLAGS) -o msc_test.lo -c msc_test.c
 
 msc_test: $(TESTOBJS) msc_test.lo
 	@objs=""; \

apache2/apache2_config.c

@@ -1120,13 +1120,21 @@ static const char *cmd_default_action(cmd_parms *cmd, void *_dcfg, const char *p
     /* ENH: loop through to check for tags */
     if ((dcfg->tmp_default_actionset->id != NOT_SET_P)
         ||(dcfg->tmp_default_actionset->rev != NOT_SET_P)
-        ||(dcfg->tmp_default_actionset->msg != NOT_SET_P)
-        ||(dcfg->tmp_default_actionset->severity != NOT_SET)
-        ||(dcfg->tmp_default_actionset->logdata != NOT_SET_P))
+        ||(dcfg->tmp_default_actionset->msg != NOT_SET_P))
     {
         return apr_psprintf(cmd->pool, "ModSecurity: SecDefaultAction must not "
             "contain any metadata actions (id, rev, msg, tag, severity, logdata).");
     }
+    /* These are just a warning for now. */
+    if ((dcfg->tmp_default_actionset->severity != NOT_SET)
+        ||(dcfg->tmp_default_actionset->logdata != NOT_SET_P))
+    {
+        ap_log_perror(APLOG_MARK,
+            APLOG_STARTUP|APLOG_WARNING|APLOG_NOERRNO, 0, cmd->pool,
+            "ModSecurity: WARNING Using \"severity\" or \"logdata\" in "
+            "SecDefaultAction is deprecated (%s:%d).",
+            cmd->directive->filename, cmd->directive->line_num);
+    }
 
     /* Must not use chain. */
     if (dcfg->tmp_default_actionset->is_chained != NOT_SET) {

apache2/build/find_lua.m4

@@ -66,6 +66,14 @@ if test "${lua_path}" != "no"; then
                 with_lua_lib="${x}/lib"
                 lua_lib_name="lua5.1"
                 break
+            elif test -e "${x}/lib64/liblua5.1.a"; then
+                with_lua_lib="${x}/lib64"
+                lua_lib_name="lua5.1"
+                break
+            elif test -e "${x}/lib32/liblua5.1.a"; then
+                with_lua_lib="${x}/lib32"
+                lua_lib_name="lua5.1"
+                break
             elif test -e "${x}/liblua.a"; then
                 with_lua_lib="${x}"
                 lua_lib_name="lua"
@@ -74,6 +82,14 @@ if test "${lua_path}" != "no"; then
                 with_lua_lib="${x}/lib"
                 lua_lib_name="lua"
                 break
+            elif test -e "${x}/lib64/liblua.a"; then
+                with_lua_lib="${x}/lib64"
+                lua_lib_name="lua"
+                break
+            elif test -e "${x}/lib32/liblua.a"; then
+                with_lua_lib="${x}/lib32"
+                lua_lib_name="lua"
+                break
             else
                 with_lua_lib=""
                 lua_lib_name=""

apache2/configure.in

@@ -89,10 +89,22 @@ VERSION_OK
     [AC_MSG_NOTICE(httpd is recent enough)],
     [AC_MSG_ERROR(apache is too old, mmn must be at least $HTTPD_WANTED_MMN)])
   fi
-  APXS_INCLUDES="`$APXS -q INCLUDES` `$APXS -q EXTRA_INCLUDES`"
+  APXS_INCLUDEDIR="`$APXS -q INCLUDEDIR`"
+  # Make sure the include dir is used
+  if test -n "$APXS_INCLUDEDIR"; then
+    APXS_INCLUDES="-I${APXS_INCLUDEDIR} `$APXS -q INCLUDES` `$APXS -q EXTRA_INCLUDES`"
+  else
+    APXS_INCLUDES="`$APXS -q INCLUDES` `$APXS -q EXTRA_INCLUDES`"
+  fi
   APXS_CFLAGS="`$APXS -q CFLAGS` `$APXS -q EXTRA_CFLAGS`"
   APXS_LDFLAGS="`$APXS -q LDFLAGS` `$APXS -q EXTRA_LDFLAGS`"
-  APXS_LIBS="`$APXS -q LIBS` `$APXS -q EXTRA_LIBS`"
+  APXS_LIBDIR="`$APXS -q LIBDIR`"
+  # Make sure the lib dir is used
+  if test -n "$APXS_LIBDIR"; then
+    APXS_LIBS="-L{$APXS_LIBDIR} `$APXS -q LIBS` `$APXS -q EXTRA_LIBS`"
+  else
+    APXS_LIBS="`$APXS -q LIBS` `$APXS -q EXTRA_LIBS`"
+  fi
   APXS_LIBTOOL="`$APXS -q LIBTOOL`"
   APXS_CC="`$APXS -q CC`"
 else
@@ -126,6 +138,21 @@ sinclude(build/find_curl.m4)
 
 ### Configure Options
 
+# Strict Compile
+AC_ARG_ENABLE(strict-compile,
+              AS_HELP_STRING([--enable-strict-compile],
+                             [Enable strict compilation (warnings are errors).]),
+[
+  if test "$enableval" != "no"; then
+    strict_compile="-Werror"
+  else
+    strict_compile=
+  fi
+],
+[
+  strict_compile=
+])
+
 # DEBUG_CONF
 AC_ARG_ENABLE(debug-conf,
               AS_HELP_STRING([--enable-debug-conf],
@@ -203,7 +230,7 @@ AC_ARG_ENABLE(modsec-api,
 
 ### Build *EXTRA_CFLAGS vars
 
-EXTRA_CFLAGS="-O2 -g -Wall -Werror"
+EXTRA_CFLAGS="-O2 -g -Wall $strict_compile"
 MODSEC_EXTRA_CFLAGS="$debug_conf $debug_cache $debug_acmp $perf_meas $modsec_api"
 
 APXS_WRAPPER=build/apxs-wrapper
@@ -227,6 +254,7 @@ AC_SUBST(EXTRA_CFLAGS)
 AC_SUBST(MODSEC_EXTRA_CFLAGS)
 AC_SUBST(APXS)
 AC_SUBST(APXS_WRAPPER)
+AC_SUBST(APXS_INCLUDEDIR)
 AC_SUBST(APXS_INCLUDES)
 AC_SUBST(APXS_EXTRA_CFLAGS)
 AC_SUBST(MODSEC_APXS_EXTRA_CFLAGS)

apache2/modsecurity.c

@@ -17,12 +17,12 @@
 #include "msc_util.h"
 
 modsec_build_type_rec DSOLOCAL modsec_build_type[] = {
-    { "dev", 1 },     /* Development build */
-    { "rc", 3 },      /* Release Candidate build */
-    { "", 9 },        /* Production build */
-    { "breach", 9 },  /* Breach build */
-    { "trunk", 9 },   /* Trunk build */
-    { NULL, -1 }      /* terminator */
+    { "-dev", 1 },     /* Development build */
+    { "-rc", 3 },      /* Release Candidate build */
+    { "", 9 },         /* Production build */
+    { "-breach", 9 },  /* Breach build */
+    { "-trunk", 9 },   /* Trunk build */
+    { NULL, -1 }       /* terminator */
 };
 
 /**

apache2/modsecurity.h

@@ -62,14 +62,17 @@ extern DSOLOCAL modsec_build_type_rec modsec_build_type[];
 
 #define MODSEC_VERSION_MAJOR       "2"
 #define MODSEC_VERSION_MINOR       "5"
-#define MODSEC_VERSION_MAINT       "0"
-#define MODSEC_VERSION_TYPE        ""
-#define MODSEC_VERSION_RELEASE     ""
+#define MODSEC_VERSION_MAINT       "1"
+#define MODSEC_VERSION_TYPE        "-breach"
+#define MODSEC_VERSION_RELEASE     "1"
 
 #define MODULE_NAME "ModSecurity for Apache"
+
+#define MODSEC_VERSION_SUFFIX MODSEC_VERSION_TYPE MODSEC_VERSION_RELEASE
 #define MODULE_RELEASE \
   MODSEC_VERSION_MAJOR "." MODSEC_VERSION_MINOR "." MODSEC_VERSION_MAINT \
-  "-" MODSEC_VERSION_TYPE MODSEC_VERSION_RELEASE
+  MODSEC_VERSION_SUFFIX
+
 #define MODULE_NAME_FULL MODULE_NAME "/" MODULE_RELEASE " (http://www.modsecurity.org/)"
 
 #define PHASE_REQUEST_HEADERS       1

apache2/re.c

@@ -231,6 +231,7 @@ msre_action_metadata *msre_resolve_action(msre_engine *engine, const char *name)
 msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *name, const char *param,
     modsec_rec *msr, char **error_msg)
 {
+    const char *varparam = param;
     msre_var *var = apr_pcalloc(pool, sizeof(msre_var));
     if (var == NULL) return NULL;
 
@@ -251,6 +252,17 @@ msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *
         var->name = name;
     }
 
+    /* Treat HTTP_* targets as an alias for REQUEST_HEADERS:* */
+    if (   (var->name != NULL)
+        && (strlen(var->name) > 5)
+        && (strncmp("HTTP_", var->name, 5) == 0))
+    {
+        const char *oldname = var->name;
+        var->name = apr_pstrdup(pool, "REQUEST_HEADERS");
+        varparam = apr_pstrdup(pool, oldname + 5);
+    }
+
+
     /* Resolve variable */
     var->metadata = msre_resolve_var(engine, var->name);
     if (var->metadata == NULL) {
@@ -268,7 +280,7 @@ msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *
     }
 
     /* Check the parameter. */
-    if (param == NULL) {
+    if (varparam == NULL) {
         if (var->metadata->argc_min > 0) {
             *error_msg = apr_psprintf(engine->mp, "Missing mandatory parameter for variable %s.",
                 name);
@@ -283,7 +295,7 @@ msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *
             return NULL;
         }
 
-        var->param = param;
+        var->param = varparam;
     }
 
     return var;
@@ -735,6 +747,8 @@ void msre_engine_destroy(msre_engine *engine) {
  * transaction phase.
  */
 #if defined(PERFORMANCE_MEASUREMENT)
+static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_rec *msr);
+
 apr_status_t msre_ruleset_process_phase(msre_ruleset *ruleset, modsec_rec *msr) {
     apr_array_header_t *arr = NULL;
     msre_rule **rules = NULL;
@@ -1986,6 +2000,8 @@ static apr_status_t msre_rule_process_normal(msre_rule *rule, modsec_rec *msr) {
                     return -1;
                 }
                 if (rc == RULE_MATCH) {
+                    match_count++;
+
                     /* Return straight away if the transaction
                      * was intercepted - no need to process the remaining
                      * targets.