MODSEC-58

2025-08-14 05:45:59 +03:00 · 2013-03-01 07:58:12 -04:00 · 2013-03-01 07:58:12 -04:00 · 5fefb6a2cf
commit 5fefb6a2cf
parent 2472dcb541
3 changed files with 102 additions and 4 deletions
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@ -2796,15 +2796,28 @@ static const char *cmd_cache_transformations(cmd_parms *cmd, void *_dcfg,
 #define CMD_SCOPE_MAIN  (RSRC_CONF)
 #define CMD_SCOPE_ANY   (RSRC_CONF | ACCESS_CONF)

+#if defined(HTACCESS_CONFIG)
+#define CMD_SCOPE_HTACCESS  (OR_OPTIONS)
+#endif
+
 const command_rec module_directives[] = {

+#ifdef HTACCESS_CONFIG
+    AP_INIT_TAKE1 (
+        "SecAction",
+        cmd_action,
+        NULL,
+        CMD_SCOPE_HTACCESS,
+        "an action list"
+    ),
+#else
    AP_INIT_TAKE1 (
        "SecAction",
        cmd_action,
        NULL,
        CMD_SCOPE_ANY,
        "an action list"
-    ),
+#endif

    AP_INIT_TAKE1 (
        "SecArgumentSeparator",
@ -3183,6 +3196,15 @@ const command_rec module_directives[] = {
        "clears the list of MIME types that will be buffered on output"
    ),

+#ifdef HTACCESS_CONFIG
+    AP_INIT_TAKE23 (
+        "SecRule",
+        cmd_rule,
+        NULL,
+        CMD_SCOPE_HTACCESS,
+        "rule target, operator and optional action list"
+    ),
+#else
    AP_INIT_TAKE23 (
        "SecRule",
        cmd_rule,
@ -3190,6 +3212,7 @@ const command_rec module_directives[] = {
        CMD_SCOPE_ANY,
        "rule target, operator and optional action list"
    ),
+#endif

    AP_INIT_TAKE1 (
        "SecRuleEngine",
@ -3215,6 +3238,31 @@ const command_rec module_directives[] = {
        "rule script and optional actionlist"
    ),

+#ifdef HTACCESS_CONFIG
+    AP_INIT_ITERATE (
+        "SecRuleRemoveById",
+        cmd_rule_remove_by_id,
+        NULL,
+        CMD_SCOPE_HTACCESS,
+        "rule ID for removal"
+    ),
+
+    AP_INIT_ITERATE (
+        "SecRuleRemoveByTag",
+        cmd_rule_remove_by_tag,
+        NULL,
+        CMD_SCOPE_HTACCESS,
+        "rule tag for removal"
+    ),
+
+    AP_INIT_ITERATE (
+        "SecRuleRemoveByMsg",
+        cmd_rule_remove_by_msg,
+        NULL,
+        CMD_SCOPE_HTACCESS,
+        "rule message for removal"
+    ),
+#else
    AP_INIT_ITERATE (
        "SecRuleRemoveById",
        cmd_rule_remove_by_id,
@ -3238,6 +3286,7 @@ const command_rec module_directives[] = {
        CMD_SCOPE_ANY,
        "rule message for removal"
    ),
+#endif

    AP_INIT_TAKE2 (
        "SecHashMethodPm",
@ -3255,6 +3304,39 @@ const command_rec module_directives[] = {
        "Hash method and regex"
    ),

+#ifdef HTACCESS_CONFIG
+    AP_INIT_TAKE2 (
+        "SecRuleUpdateActionById",
+        cmd_rule_update_action_by_id,
+        NULL,
+        CMD_SCOPE_HTACCESS,
+        "updated action list"
+    ),
+
+    AP_INIT_TAKE23 (
+        "SecRuleUpdateTargetById",
+        cmd_rule_update_target_by_id,
+        NULL,
+        CMD_SCOPE_HTACCESS,
+        "updated target list"
+    ),
+
+    AP_INIT_TAKE23 (
+        "SecRuleUpdateTargetByTag",
+        cmd_rule_update_target_by_tag,
+        NULL,
+        CMD_SCOPE_HTACCESS,
+        "rule tag pattern and updated target list"
+    ),
+
+    AP_INIT_TAKE23 (
+        "SecRuleUpdateTargetByMsg",
+        cmd_rule_update_target_by_msg,
+        NULL,
+        CMD_SCOPE_HTACCESS,
+        "rule message pattern and updated target list"
+    ),
+#else
    AP_INIT_TAKE2 (
        "SecRuleUpdateActionById",
        cmd_rule_update_action_by_id,
@ -3286,7 +3368,7 @@ const command_rec module_directives[] = {
        CMD_SCOPE_ANY,
        "rule message pattern and updated target list"
    ),
-
+#endif

    AP_INIT_TAKE1 (
        "SecServerSignature",
--- a/apache2/re.c
+++ b/apache2/re.c
@ -161,7 +161,7 @@ char *msre_ruleset_rule_update_target_matching_exception(modsec_rec *msr, msre_r
    char *err;

    if(ruleset == NULL)
-        return apr_psprintf(ruleset->mp, "No ruleset present");
+        return NULL;

    if(p2 == NULL)  {
        return apr_psprintf(ruleset->mp, "Trying to update without a target");
--- a/configure.ac
+++ b/configure.ac
@ -355,6 +355,22 @@ AC_ARG_ENABLE(lua-cache,
  lua_cache=
 ])

+# Enable phase-1 in post_read_request
+AC_ARG_ENABLE(htaccess-config,
+              AS_HELP_STRING([--enable-htaccess-config],
+                             [Enable some mod_security directives into htaccess files.]),
+[
+  if test "$enableval" != "no"; then
+    htaccess_config="-DHTACCESS_CONFIG"
+    MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $htaccess_config"
+  else
+    htaccess_config=
+  fi
+],
+[
+  htaccess_config=
+])
+
 # Enable phase-1 in post_read_request
 AC_ARG_ENABLE(request-early,
              AS_HELP_STRING([--enable-request-early],
@ -634,7 +650,7 @@ else
  fi
 fi

-MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type"
+MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type"

 APXS_WRAPPER=build/apxs-wrapper
 APXS_EXTRA_CFLAGS=""