github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 13:56:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Sync up trunk with changes from 2.5.x.

Browse Source
This commit is contained in:
brectanus 2008-03-28 17:06:44 +00:00
parent d797619fcb
commit 5f09dbb3ee
9 changed files with 458 additions and 426 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
CHANGES
View File

@ -1,3 +1,24 @@
19 Mar 2008 - 2.5.1-breach1
---------------------------
* Allow HTTP_* targets as an alias for REQUEST_HEADERS:*.
14 Mar 2008 - 2.5.1
-------------------
* Fixed an issue where a match would not occur if transformation caching
was enabled.
* Using "severity" in a default action is now just a warning.
* Cleaned up the "make test" target to better locate headers/libraries.
* Now search /usr/lib64 and /usr/lib32 for lua libs.
* No longer treat warnings as errors by default (use --enable-strict-compile).
19 Feb 2008 - 2.5.0 19 Feb 2008 - 2.5.0
------------------- -------------------

3
apache2/Makefile.in
View File

@ -26,6 +26,7 @@ MODSEC_APXS_EXTRA_CFLAGS = @MODSEC_APXS_EXTRA_CFLAGS@
APXS = @APXS@ APXS = @APXS@
APXS_WRAPPER = @APXS_WRAPPER@ APXS_WRAPPER = @APXS_WRAPPER@
APXS_INCLUDEDIR = @APXS_INCLUDEDIR@
APXS_INCLUDES = @APXS_INCLUDES@ APXS_INCLUDES = @APXS_INCLUDES@
APXS_CFLAGS = @APXS_CFLAGS@ APXS_CFLAGS = @APXS_CFLAGS@
APXS_LDFLAGS = @APXS_LDFLAGS@ APXS_LDFLAGS = @APXS_LDFLAGS@
@ -112,7 +113,7 @@ mlogc-static:
### Experimental Test Framework (*NIX only right now) ### Experimental Test Framework (*NIX only right now)
msc_test.lo: msc_test.c msc_test.lo: msc_test.c
$(LIBTOOL) --mode=compile $(CC) $(APXS_CFLAGS) $(EXTRA_CFLAGS) $(MODSEC_EXTRA_CFLAGS) $(CPPFLAGS) $(APR_CFLAGS) $(APU_CFLAGS) -o msc_test.lo -c msc_test.c $(LIBTOOL) --mode=compile $(CC) $(APXS_INCLUDES) $(APXS_CFLAGS) $(EXTRA_CFLAGS) $(MODSEC_EXTRA_CFLAGS) $(CPPFLAGS) $(APR_CFLAGS) $(APU_CFLAGS) -o msc_test.lo -c msc_test.c
msc_test: $(TESTOBJS) msc_test.lo msc_test: $(TESTOBJS) msc_test.lo
@objs=""; \ @objs=""; \

14
apache2/apache2_config.c
View File

@ -1120,13 +1120,21 @@ static const char *cmd_default_action(cmd_parms *cmd, void *_dcfg, const char *p
/* ENH: loop through to check for tags */ /* ENH: loop through to check for tags */
if ((dcfg->tmp_default_actionset->id != NOT_SET_P) if ((dcfg->tmp_default_actionset->id != NOT_SET_P)
||(dcfg->tmp_default_actionset->rev != NOT_SET_P) ||(dcfg->tmp_default_actionset->rev != NOT_SET_P)
||(dcfg->tmp_default_actionset->msg != NOT_SET_P) ||(dcfg->tmp_default_actionset->msg != NOT_SET_P))
||(dcfg->tmp_default_actionset->severity != NOT_SET)
||(dcfg->tmp_default_actionset->logdata != NOT_SET_P))
{ {
return apr_psprintf(cmd->pool, "ModSecurity: SecDefaultAction must not " return apr_psprintf(cmd->pool, "ModSecurity: SecDefaultAction must not "
"contain any metadata actions (id, rev, msg, tag, severity, logdata)."); "contain any metadata actions (id, rev, msg, tag, severity, logdata).");
} }
/* These are just a warning for now. */
if ((dcfg->tmp_default_actionset->severity != NOT_SET)
||(dcfg->tmp_default_actionset->logdata != NOT_SET_P))
{
ap_log_perror(APLOG_MARK,
APLOG_STARTUP|APLOG_WARNING|APLOG_NOERRNO, 0, cmd->pool,
"ModSecurity: WARNING Using \"severity\" or \"logdata\" in "
"SecDefaultAction is deprecated (%s:%d).",
cmd->directive->filename, cmd->directive->line_num);
}
/* Must not use chain. */ /* Must not use chain. */
if (dcfg->tmp_default_actionset->is_chained != NOT_SET) { if (dcfg->tmp_default_actionset->is_chained != NOT_SET) {

16
apache2/build/find_lua.m4
View File

@ -66,6 +66,14 @@ if test "${lua_path}" != "no"; then
with_lua_lib="${x}/lib" with_lua_lib="${x}/lib"
lua_lib_name="lua5.1" lua_lib_name="lua5.1"
break break
elif test -e "${x}/lib64/liblua5.1.a"; then
with_lua_lib="${x}/lib64"
lua_lib_name="lua5.1"
break
elif test -e "${x}/lib32/liblua5.1.a"; then
with_lua_lib="${x}/lib32"
lua_lib_name="lua5.1"
break
elif test -e "${x}/liblua.a"; then elif test -e "${x}/liblua.a"; then
with_lua_lib="${x}" with_lua_lib="${x}"
lua_lib_name="lua" lua_lib_name="lua"
@ -74,6 +82,14 @@ if test "${lua_path}" != "no"; then
with_lua_lib="${x}/lib" with_lua_lib="${x}/lib"
lua_lib_name="lua" lua_lib_name="lua"
break break
elif test -e "${x}/lib64/liblua.a"; then
with_lua_lib="${x}/lib64"
lua_lib_name="lua"
break
elif test -e "${x}/lib32/liblua.a"; then
with_lua_lib="${x}/lib32"
lua_lib_name="lua"
break
else else
with_lua_lib="" with_lua_lib=""
lua_lib_name="" lua_lib_name=""

30
apache2/configure.in
View File

@ -89,10 +89,22 @@ VERSION_OK
[AC_MSG_NOTICE(httpd is recent enough)], [AC_MSG_NOTICE(httpd is recent enough)],
[AC_MSG_ERROR(apache is too old, mmn must be at least $HTTPD_WANTED_MMN)]) [AC_MSG_ERROR(apache is too old, mmn must be at least $HTTPD_WANTED_MMN)])
fi fi
APXS_INCLUDEDIR="`$APXS -q INCLUDEDIR`"
# Make sure the include dir is used
if test -n "$APXS_INCLUDEDIR"; then
APXS_INCLUDES="-I${APXS_INCLUDEDIR} `$APXS -q INCLUDES` `$APXS -q EXTRA_INCLUDES`"
else
APXS_INCLUDES="`$APXS -q INCLUDES` `$APXS -q EXTRA_INCLUDES`" APXS_INCLUDES="`$APXS -q INCLUDES` `$APXS -q EXTRA_INCLUDES`"
fi
APXS_CFLAGS="`$APXS -q CFLAGS` `$APXS -q EXTRA_CFLAGS`" APXS_CFLAGS="`$APXS -q CFLAGS` `$APXS -q EXTRA_CFLAGS`"
APXS_LDFLAGS="`$APXS -q LDFLAGS` `$APXS -q EXTRA_LDFLAGS`" APXS_LDFLAGS="`$APXS -q LDFLAGS` `$APXS -q EXTRA_LDFLAGS`"
APXS_LIBDIR="`$APXS -q LIBDIR`"
# Make sure the lib dir is used
if test -n "$APXS_LIBDIR"; then
APXS_LIBS="-L{$APXS_LIBDIR} `$APXS -q LIBS` `$APXS -q EXTRA_LIBS`"
else
APXS_LIBS="`$APXS -q LIBS` `$APXS -q EXTRA_LIBS`" APXS_LIBS="`$APXS -q LIBS` `$APXS -q EXTRA_LIBS`"
fi
APXS_LIBTOOL="`$APXS -q LIBTOOL`" APXS_LIBTOOL="`$APXS -q LIBTOOL`"
APXS_CC="`$APXS -q CC`" APXS_CC="`$APXS -q CC`"
else else
@ -126,6 +138,21 @@ sinclude(build/find_curl.m4)
### Configure Options ### Configure Options
# Strict Compile
AC_ARG_ENABLE(strict-compile,
AS_HELP_STRING([--enable-strict-compile],
[Enable strict compilation (warnings are errors).]),
[
if test "$enableval" != "no"; then
strict_compile="-Werror"
else
strict_compile=
fi
],
[
strict_compile=
])
# DEBUG_CONF # DEBUG_CONF
AC_ARG_ENABLE(debug-conf, AC_ARG_ENABLE(debug-conf,
AS_HELP_STRING([--enable-debug-conf], AS_HELP_STRING([--enable-debug-conf],
@ -203,7 +230,7 @@ AC_ARG_ENABLE(modsec-api,
### Build *EXTRA_CFLAGS vars ### Build *EXTRA_CFLAGS vars
EXTRA_CFLAGS="-O2 -g -Wall -Werror" EXTRA_CFLAGS="-O2 -g -Wall $strict_compile"
MODSEC_EXTRA_CFLAGS="$debug_conf $debug_cache $debug_acmp $perf_meas $modsec_api" MODSEC_EXTRA_CFLAGS="$debug_conf $debug_cache $debug_acmp $perf_meas $modsec_api"
APXS_WRAPPER=build/apxs-wrapper APXS_WRAPPER=build/apxs-wrapper
@ -227,6 +254,7 @@ AC_SUBST(EXTRA_CFLAGS)
AC_SUBST(MODSEC_EXTRA_CFLAGS) AC_SUBST(MODSEC_EXTRA_CFLAGS)
AC_SUBST(APXS) AC_SUBST(APXS)
AC_SUBST(APXS_WRAPPER) AC_SUBST(APXS_WRAPPER)
AC_SUBST(APXS_INCLUDEDIR)
AC_SUBST(APXS_INCLUDES) AC_SUBST(APXS_INCLUDES)
AC_SUBST(APXS_EXTRA_CFLAGS) AC_SUBST(APXS_EXTRA_CFLAGS)
AC_SUBST(MODSEC_APXS_EXTRA_CFLAGS) AC_SUBST(MODSEC_APXS_EXTRA_CFLAGS)

8
apache2/modsecurity.c
View File

@ -17,11 +17,11 @@
#include "msc_util.h" #include "msc_util.h"
modsec_build_type_rec DSOLOCAL modsec_build_type[] = { modsec_build_type_rec DSOLOCAL modsec_build_type[] = {
{ "dev", 1 }, /* Development build */ { "-dev", 1 }, /* Development build */
{ "rc", 3 }, /* Release Candidate build */ { "-rc", 3 }, /* Release Candidate build */
{ "", 9 }, /* Production build */ { "", 9 }, /* Production build */
{ "breach", 9 }, /* Breach build */ { "-breach", 9 }, /* Breach build */
{ "trunk", 9 }, /* Trunk build */ { "-trunk", 9 }, /* Trunk build */
{ NULL, -1 } /* terminator */ { NULL, -1 } /* terminator */
}; };

11
apache2/modsecurity.h
View File

@ -62,14 +62,17 @@ extern DSOLOCAL modsec_build_type_rec modsec_build_type[];
#define MODSEC_VERSION_MAJOR "2" #define MODSEC_VERSION_MAJOR "2"
#define MODSEC_VERSION_MINOR "5" #define MODSEC_VERSION_MINOR "5"
#define MODSEC_VERSION_MAINT "0" #define MODSEC_VERSION_MAINT "1"
#define MODSEC_VERSION_TYPE "" #define MODSEC_VERSION_TYPE "-breach"
#define MODSEC_VERSION_RELEASE "" #define MODSEC_VERSION_RELEASE "1"
#define MODULE_NAME "ModSecurity for Apache" #define MODULE_NAME "ModSecurity for Apache"
#define MODSEC_VERSION_SUFFIX MODSEC_VERSION_TYPE MODSEC_VERSION_RELEASE
#define MODULE_RELEASE \ #define MODULE_RELEASE \
MODSEC_VERSION_MAJOR "." MODSEC_VERSION_MINOR "." MODSEC_VERSION_MAINT \ MODSEC_VERSION_MAJOR "." MODSEC_VERSION_MINOR "." MODSEC_VERSION_MAINT \
"-" MODSEC_VERSION_TYPE MODSEC_VERSION_RELEASE MODSEC_VERSION_SUFFIX
#define MODULE_NAME_FULL MODULE_NAME "/" MODULE_RELEASE " (http://www.modsecurity.org/)" #define MODULE_NAME_FULL MODULE_NAME "/" MODULE_RELEASE " (http://www.modsecurity.org/)"
#define PHASE_REQUEST_HEADERS 1 #define PHASE_REQUEST_HEADERS 1

20
apache2/re.c
View File

@ -231,6 +231,7 @@ msre_action_metadata *msre_resolve_action(msre_engine *engine, const char *name)
msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *name, const char *param, msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *name, const char *param,
modsec_rec *msr, char **error_msg) modsec_rec *msr, char **error_msg)
{ {
const char *varparam = param;
msre_var *var = apr_pcalloc(pool, sizeof(msre_var)); msre_var *var = apr_pcalloc(pool, sizeof(msre_var));
if (var == NULL) return NULL; if (var == NULL) return NULL;
@ -251,6 +252,17 @@ msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *
var->name = name; var->name = name;
} }
/* Treat HTTP_* targets as an alias for REQUEST_HEADERS:* */
if ( (var->name != NULL)
&& (strlen(var->name) > 5)
&& (strncmp("HTTP_", var->name, 5) == 0))
{
const char *oldname = var->name;
var->name = apr_pstrdup(pool, "REQUEST_HEADERS");
varparam = apr_pstrdup(pool, oldname + 5);
}
/* Resolve variable */ /* Resolve variable */
var->metadata = msre_resolve_var(engine, var->name); var->metadata = msre_resolve_var(engine, var->name);
if (var->metadata == NULL) { if (var->metadata == NULL) {
@ -268,7 +280,7 @@ msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *
} }
/* Check the parameter. */ /* Check the parameter. */
if (param == NULL) { if (varparam == NULL) {
if (var->metadata->argc_min > 0) { if (var->metadata->argc_min > 0) {
*error_msg = apr_psprintf(engine->mp, "Missing mandatory parameter for variable %s.", *error_msg = apr_psprintf(engine->mp, "Missing mandatory parameter for variable %s.",
name); name);
@ -283,7 +295,7 @@ msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *
return NULL; return NULL;
} }
var->param = param; var->param = varparam;
} }
return var; return var;
@ -735,6 +747,8 @@ void msre_engine_destroy(msre_engine *engine) {
* transaction phase. * transaction phase.
*/ */
#if defined(PERFORMANCE_MEASUREMENT) #if defined(PERFORMANCE_MEASUREMENT)
static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_rec *msr);
apr_status_t msre_ruleset_process_phase(msre_ruleset *ruleset, modsec_rec *msr) { apr_status_t msre_ruleset_process_phase(msre_ruleset *ruleset, modsec_rec *msr) {
apr_array_header_t *arr = NULL; apr_array_header_t *arr = NULL;
msre_rule **rules = NULL; msre_rule **rules = NULL;
@ -1986,6 +2000,8 @@ static apr_status_t msre_rule_process_normal(msre_rule *rule, modsec_rec *msr) {
return -1; return -1;
} }
if (rc == RULE_MATCH) { if (rc == RULE_MATCH) {
match_count++;
/* Return straight away if the transaction /* Return straight away if the transaction
* was intercepted - no need to process the remaining * was intercepted - no need to process the remaining
* targets. * targets.

751
doc/modsecurity2-apache-reference.xml
View File

File diff suppressed because it is too large Load Diff