From 5fefb6a2cf0d5c15219b87e244b08d48b74c7623 Mon Sep 17 00:00:00 2001
From: Breno Silva
Date: Fri, 1 Mar 2013 07:58:12 -0400
Subject: [PATCH] MODSEC-58
---
 apache2/apache2_config.c | 86 +++++++++++++++++++++++++++++++++++++++-
 apache2/re.c | 2 +-
 configure.ac | 18 ++++++++-
 3 files changed, 102 insertions(+), 4 deletions(-)
diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
index 2d8fb146..df755114 100644
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -2796,15 +2796,28 @@ static const char *cmd_cache_transformations(cmd_parms *cmd, void *_dcfg,
 #define CMD_SCOPE_MAIN (RSRC_CONF)
 #define CMD_SCOPE_ANY (RSRC_CONF | ACCESS_CONF)
+#if defined(HTACCESS_CONFIG)
+#define CMD_SCOPE_HTACCESS (OR_OPTIONS)
+#endif
+
 const command_rec module_directives[] = {
+#ifdef HTACCESS_CONFIG
+ AP_INIT_TAKE1 (
+ "SecAction",
+ cmd_action,
+ NULL,
+ CMD_SCOPE_HTACCESS,
+ "an action list"
+ ),
+#else
 AP_INIT_TAKE1 (
 "SecAction",
 cmd_action,
 NULL,
 CMD_SCOPE_ANY,
 "an action list"
- ),
+#endif
 AP_INIT_TAKE1 (
 "SecArgumentSeparator",
@@ -3183,6 +3196,15 @@ const command_rec module_directives[] = {
 "clears the list of MIME types that will be buffered on output"
 ),
+#ifdef HTACCESS_CONFIG
+ AP_INIT_TAKE23 (
+ "SecRule",
+ cmd_rule,
+ NULL,
+ CMD_SCOPE_HTACCESS,
+ "rule target, operator and optional action list"
+ ),
+#else
 AP_INIT_TAKE23 (
 "SecRule",
 cmd_rule,
@@ -3190,6 +3212,7 @@ const command_rec module_directives[] = {
 CMD_SCOPE_ANY,
 "rule target, operator and optional action list"
 ),
+#endif
 AP_INIT_TAKE1 (
 "SecRuleEngine",
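Review bot: The `#else` branch of the SecAction entry in the first hunk loses its closing `),`: the hunk removes `-    ),` after `"an action list"` and adds only `+#endif`, so the next entry's `AP_INIT_TAKE1 (` follows the string literal directly and a build without HTACCESS_CONFIG no longer compiles; every other `#else` branch in this commit keeps its `),` as context, and this one needs `    ),` restored before `#endif`. The `#ifdef HTACCESS_CONFIG`/`#else` pattern also duplicates each entry with nothing but the scope constant changed, here and in the SecRule, SecRuleRemoveBy* and SecRuleUpdate* hunks later in this file; adding `#else` / `#define CMD_SCOPE_HTACCESS CMD_SCOPE_ANY` before the `#endif` of the scope definition would leave a single copy of every entry and no second branch to drift. The first hunk mixes `#if defined(HTACCESS_CONFIG)` with `#ifdef HTACCESS_CONFIG`; pick one form. `CMD_SCOPE_HTACCESS` also deserves a comment on what it grants: `/* OR_OPTIONS: accepted in .htaccess wherever AllowOverride Options is in effect, so such a file can add, remove or rewrite rules */`. The module_directives[] array begins and ends outside these hunks.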
@@ -3215,6 +3238,31 @@ const command_rec module_directives[] = {
 "rule script and optional actionlist"
 ),
+#ifdef HTACCESS_CONFIG
+ AP_INIT_ITERATE (
+ "SecRuleRemoveById",
+ cmd_rule_remove_by_id,
+ NULL,
+ CMD_SCOPE_HTACCESS,
+ "rule ID for removal"
+ ),
+
+ AP_INIT_ITERATE (
+ "SecRuleRemoveByTag",
+ cmd_rule_remove_by_tag,
+ NULL,
+ CMD_SCOPE_HTACCESS,
+ "rule tag for removal"
+ ),
+
+ AP_INIT_ITERATE (
+ "SecRuleRemoveByMsg",
+ cmd_rule_remove_by_msg,
+ NULL,
+ CMD_SCOPE_HTACCESS,
+ "rule message for removal"
+ ),
+#else
 AP_INIT_ITERATE (
 "SecRuleRemoveById",
 cmd_rule_remove_by_id,
@@ -3238,6 +3286,7 @@ const command_rec module_directives[] = {
 CMD_SCOPE_ANY,
 "rule message for removal"
 ),
+#endif
 AP_INIT_TAKE2 (
 "SecHashMethodPm",
@@ -3255,6 +3304,39 @@ const command_rec module_directives[] = {
 "Hash method and regex"
 ),
+#ifdef HTACCESS_CONFIG
+ AP_INIT_TAKE2 (
+ "SecRuleUpdateActionById",
+ cmd_rule_update_action_by_id,
+ NULL,
+ CMD_SCOPE_HTACCESS,
+ "updated action list"
+ ),
+
+ AP_INIT_TAKE23 (
+ "SecRuleUpdateTargetById",
+ cmd_rule_update_target_by_id,
+ NULL,
+ CMD_SCOPE_HTACCESS,
+ "updated target list"
+ ),
+
+ AP_INIT_TAKE23 (
+ "SecRuleUpdateTargetByTag",
+ cmd_rule_update_target_by_tag,
+ NULL,
+ CMD_SCOPE_HTACCESS,
+ "rule tag pattern and updated target list"
+ ),
+
+ AP_INIT_TAKE23 (
+ "SecRuleUpdateTargetByMsg",
+ cmd_rule_update_target_by_msg,
+ NULL,
+ CMD_SCOPE_HTACCESS,
+ "rule message pattern and updated target list"
+ ),
+#else
 AP_INIT_TAKE2 (
 "SecRuleUpdateActionById",
 cmd_rule_update_action_by_id,
@@ -3286,7 +3368,7 @@ const command_rec module_directives[] = {
 CMD_SCOPE_ANY,
 "rule message pattern and updated target list"
 ),
-
+#endif
 AP_INIT_TAKE1 (
 "SecServerSignature",
diff --git a/apache2/re.c b/apache2/re.c
index 956a7eb9..efd90c6c 100644
--- a/apache2/re.c
+++ b/apache2/re.c
@@ -161,7 +161,7 @@ char *msre_ruleset_rule_update_target_matching_exception(modsec_rec *msr, msre_r
 char *err;
 if(ruleset == NULL)
- return apr_psprintf(ruleset->mp, "No ruleset present");
+ return NULL;
 if(p2 == NULL) {
 return apr_psprintf(ruleset->mp, "Trying to update without a target");
diff --git a/configure.ac b/configure.ac
index d48813ca..78ca88f8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -355,6 +355,22 @@ AC_ARG_ENABLE(lua-cache,
 lua_cache=
 ])
+# Enable phase-1 in post_read_request
+AC_ARG_ENABLE(htaccess-config,
+ AS_HELP_STRING([--enable-htaccess-config],
+ [Enable some mod_security directives into htaccess files.]),
+[
+ if test "$enableval" != "no"; then
+ htaccess_config="-DHTACCESS_CONFIG"
+ MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $htaccess_config"
+ else
+ htaccess_config=
+ fi
+],
+[
+ htaccess_config=
+])
+
 # Enable phase-1 in post_read_request
 AC_ARG_ENABLE(request-early,
 AS_HELP_STRING([--enable-request-early],
@@ -634,7 +650,7 @@ else
 fi
 fi
-MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type"
+MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type"
 APXS_WRAPPER=build/apxs-wrapper
 APXS_EXTRA_CFLAGS=""
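Review bot: Returning `NULL` for a missing ruleset makes that case indistinguishable from success, since this function reports failures as an error string and the context line below still returns `apr_psprintf(...)` for the next check; a caller that only tests the return for `NULL` would treat an absent ruleset as a completed update. The removed line was wrong because it dereferenced `ruleset` to reach the pool, but the fix should keep reporting an error from a pool that does exist, `return apr_psprintf(msr->mp, "No ruleset present");` if `msr` is guaranteed non-NULL at this point, or a plain string literal otherwise. msre_ruleset_rule_update_target_matching_exception starts and continues outside this hunk.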
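Review bot: The comment above the new option, `# Enable phase-1 in post_read_request`, is copied from the request-early block and describes the wrong option; it should read `# Allow a subset of mod_security directives in .htaccess files`. The `MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $htaccess_config"` append inside the enable branch is dead, because the second configure.ac hunk reassigns `MODSEC_EXTRA_CFLAGS` from scratch with `$htaccess_config` already in the list, and the visible lua-cache sibling only sets its own variable; drop that line. The help string would also serve users better by naming what the flag changes, e.g. `[Allow SecRule, SecAction and the SecRuleRemove*/SecRuleUpdate* directives in .htaccess files (governed by AllowOverride Options).]`.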