From 6031e7fdae9764352a599b141ece07e862a64f9f Mon Sep 17 00:00:00 2001
From: brenosilva
Date: Sat, 2 Apr 2011 23:10:16 +0000
Subject: [PATCH] Improvements, bug fixes and cleanup from Tom Donavan
---
README_WINDOWS.TXT | 270 +++++++++++++++++++++--------------------
apache2/Makefile.win | 63 +++++-----
apache2/msc_geo.c | 7 --
apache2/msc_logging.c | 6 +-
apache2/msc_logging.h | 3 +
apache2/msc_lua.h | 2 +
apache2/msc_util.c | 34 +++++-
apache2/msc_util.h | 9 ++
apache2/re.c | 4 +-
apache2/re_actions.c | 35 ++++--
apache2/re_operators.c | 41 +++++--
11 files changed, 274 insertions(+), 200 deletions(-)
diff --git a/README_WINDOWS.TXT b/README_WINDOWS.TXT
index 6fa91f12..1201864c 100644
--- a/README_WINDOWS.TXT
+++ b/README_WINDOWS.TXT
@@ -1,181 +1,191 @@ -============================================================ -Build notes for Windows from Tom Donovan -============================================================ -These are the raw build notes from Tom Donovan for building -ModSecurity 2.5.12 with Apache httpd 2.2.14 on Windows. Some -day these should be incorporated into the official docs, but -there has not yet been time, so they are included here in -their raw format for now. -============================================================ +===================================================================== +MOD_SECURITY 2.6 Command-line Build notes for Windows 4/2/2011 +===================================================================== -I build Apache 2.2.14 from source in C:\work\httpd-2.2.14 -I have a VC9 build of Apache 2.2.14 installed in C:\Apache2214 +PREREQUISITES: -My PATH includes VC9 and CMAKE 2.6 + Microsoft Visual Studio C++ tested with Visual Studio 2008 (aka VC9) -BEFORE BUILDING - if OpenSSL and Zlib support is desired in LIBXML2 and CURL + CMake build system from: http://www.cmake.org/ tested with CMake v2.8.0 - REM #### set an env variable to my Apache build directory - SET HTTPD_BUILD=C:\work\httpd-2.2.14 + Apache 2.2.x from: http://httpd.apache.org/ tested with Apache 2.2.17 + Apache must be built from source using the same Visual Studio compiler as mod_security. - REM #### ensure that CURL and LIBXML2 can find the OpenSSL and Zlib includes and libraries that Apache was built with - SET INCLUDE=%INCLUDE%;%HTTPD_BUILD%\srclib\openssl\inc32;%HTTPD_BUILD%\srclib\zlib - SET LIB=%LIB%;%HTTPD_BUILD%\srclib\openssl\out32dll;%HTTPD_BUILD%\srclib\zlib + PCRE Perl Compatible Regular Expression library from: http://www.pcre.org/ tested with PCRE v8.12 - REM #### ensure that CURL doesn't use the static zlib library: zlib.lib. 
Force it to use zdll.lib instead, which points to zlib1.dll - IF EXIST %HTTPD_BUILD%\srclib\zlib\zlib.lib DEL %HTTPD_BUILD%\srclib\zlib\zlib.lib + LibXML2 from: http://xmlsoft.org/ tested with LibXML2 v2.7.7 + Note that LibXML2 v2.7.8 does not build correctly for Windows -BUILD PCRE-7.9 + Lua Scripting Language from: http://www.lua.org/ tested with Lua v5.1.4 - Downloaded pcre-7.9.tar.gz from ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/ - untar'd into C:\work\ creating C:\work\pcre-7.9 + cURL multiprotocol file transfer library from: http://curl.haxx.se/ tested with cURL v7.21.4 - CD C:\work\pcre-7.9 + +BEFORE BUILDING + +The directory where you build software from source ( C:\work in this exmaple) +must contain the Apache source you used to build the Apache web serverand the mod_security source + + Apache source is in C:\work\httpd-2.2.17 in this example. + Apache has been installed to C:\Apache2217 in this example. + Mod_security source is in C:\work\mod_security in this example. 
+ +Download and untar the prerequite library sources: + + Download pcre-8.12.tar.gz from ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/ + untar it into C:\work\ creating C:\work\pcre-8.12 + + Download libxml2-2.7.7.tar.gz from ftp://xmlsoft.org/libxml2/ + untar it into C:\work\ creating C:\work\libxml2-2.7.7 + + Download lua-5.1.4.tar.gz from http://www.lua.org/ftp/ + untar it into C:\work\ creating C:\work\lua-5.1.4 + + Download curl-7.21.4.tar.gz from http://curl.haxx.se/download.html + untar it into C:\work\ creating C:\work\curl-7.21.4 + +Setup your build environment: + + The PATH environment variable must include the Visual Studio variables as set by vsvars32.bat + The PATH environment variable must also include the CMAKE bin\ directory + + Set an environment variable to the Apache source code directory: + + SET HTTPD_BUILD=C:\work\httpd-2.2.17 + + If OpenSSL and Zlib support were included when you built Apache 2.2, and you want them available to LIBXML2 and CURL + + Ensure that cURL and libXML2 can find the OpenSSL and Zlib includes and libraries that Apache was built with. + + SET INCLUDE=%INCLUDE%;%HTTPD_BUILD%\srclib\openssl\inc32;%HTTPD_BUILD%\srclib\zlib + SET LIB=%LIB%;%HTTPD_BUILD%\srclib\openssl\out32dll;%HTTPD_BUILD%\srclib\zlib + + Ensure that cURL and libXML2 don't use the static zlib library: zlib.lib. 
+ Force cURL and libXML2 to use zdll.lib instead, requiring zlib1.dll at runtime: + + IF EXIST %HTTPD_BUILD%\srclib\zlib\zlib.lib DEL %HTTPD_BUILD%\srclib\zlib\zlib.lib + +BUILD PCRE-8.12 + + CD C:\work\pcre-8.12 CMAKE -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=True NMAKE -BUILD LIBXML2-2.7.6 +BUILD LIBXML2-2.7.7 (note: the more recent version: 2.7.8 does not build correctly on Windows) - Downloaded libxml2-2.7.6.tar.gz from ftp://xmlsoft.org/libxml2/ - untar'd into C:\work\ creating C:\work\libxml2-2.7.6 - - CD C:\work\libxml2-2.7.6\win32 + CD C:\work\libxml2-2.7.7\win32 CSCRIPT configure.js iconv=no vcmanifest=yes zlib=yes NMAKE -f Makefile.msvc BUILD LUA-5.1.4 - Downloaded lua-5.1.4.tar.gz from http://www.lua.org/ftp/ - untar'd into C:\work\ creating C:\work\lua-5.1.4 - CD C:\work\lua-5.1.4\src CL /Ox /arch:SSE2 /GF /GL /Gy /FD /EHsc /MD /Zi /TC /wd4005 /D "_MBCS" /D "LUA_CORE" /D "LUA_BUILD_AS_DLL" /D "_CRT_SECURE_NO_WARNINGS" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_WIN32" /D "_WINDLL" /c *.c DEL lua.obj luac.obj LINK /DLL /LTCG /DEBUG /OUT:lua5.1.dll *.obj IF EXIST lua5.1.dll.manifest MT -manifest lua5.1.dll.manifest -outputresource:lua5.1.dll;2 -BUILD CURL-7.20.0 - Downloaded curl-7.20.0.tar.gz from http://curl.haxx.se/download.html - untar'd into C:\work\ creating C:\work\curl-7.20.0 - - CD C:\work\curl-7.20.0 - - *** Fixed Bug: https://sourceforge.net/tracker/?func=detail&aid=2951269&group_id=976&atid=100976 *** - Edited the file include\curl\curlbuild.h.cmake near line 160 - put double-quotes around all CURL_FORMAT* values. - e.g. change: ${CURL_FORMAT_CURL_OFF_T} to: "${CURL_FORMAT_CURL_OFF_T}" - - /* curl_off_t formatting string directive without "%" conversion specifier. */ - #cmakedefine CURL_FORMAT_CURL_OFF_T "${CURL_FORMAT_CURL_OFF_T}" - - /* unsigned curl_off_t formatting string without "%" conversion specifier. 
*/ - #cmakedefine CURL_FORMAT_CURL_OFF_TU "${CURL_FORMAT_CURL_OFF_TU}" - - /* curl_off_t formatting string directive with "%" conversion specifier. */ - #cmakedefine CURL_FORMAT_OFF_T "${CURL_FORMAT_OFF_T}" +BUILD CURL-7.21.4 + CD C:\work\curl-7.21.4 CMAKE -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=True -DCURL_ZLIB=True - NMAKE -BUILD MOD_SECURITY-2.5.12 +BUILD MOD_SECURITY-2.6 - Edited the top of C:\work\mod_security-2.5.12\apache2\Makefile.win and set my local paths - (note that pcre.lib is not in $(PCRE)\LibR as it is in the original Makefile.win ) + CD C:\work\mod_security\apache2 + NMAKE -f Makefile.win APACHE=C:\Apache2217 PCRE=C:\work\pcre-8.12 LIBXML2=C:\work\libxml2-2.7.7 LUA=C:\work\lua-5.1.4\src - # Path to Apache httpd installation - BASE = C:\Apache2214 +INSTALL MOD_SECURITY AND RUN APACHE - # Paths to required libraries - LIBXML2 = C:\work\libxml2-2.7.6 - LUA = C:\work\lua-5.1.4\src - PCRE = C:\work\pcre-7.9 +Copy these five files to C:\Apache2217\bin: + C:\work\pcre-8.12\pcre.dll C:\Apache2217\bin\ + C:\work\lua-5.1.4\src\lua5.1.dll C:\Apache2217\bin\ + C:\work\libxml2-2.7.7\win32\bin.msvc\libxml2.dll C:\Apache2217\bin\ + C:\work\curl-7.21.4\libcurl.dll C:\Apache2217\bin\ + C:\work\mod_security\apache2\mlogc-src\mlogc.exe - # Linking libraries - LIBS = $(BASE)\lib\libhttpd.lib \ - $(BASE)\lib\libapr-1.lib \ - $(BASE)\lib\libaprutil-1.lib \ - $(PCRE)\pcre.lib \ - $(LIBXML2)\win32\bin.msvc\libxml2.lib \ - $(LUA)\lua5.1.lib \ - wsock32.lib +Copy this one file to C:\Apache2217\modules: - CD C:\work\mod_security-2.5.12\apache2 - NMAKE -f Makefile.win + C:\work\mod_security\apache2\mod_security2.so -BUILD MOD_SECURITY-2.5.12 MLOGC program +You may also copy C:\work\curl-7.21.4\curl.exe to C:\Apache2217\bin, if you want to use the cURL command-line program. 
- Edited the top of C:\work\mod_security-2.5.12\apache2\mlogc-src\Makefile.win and set my local paths +Download the core rules from http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/ +and unzip them into C:\Apache2217\conf\modsecurity_crs - # Path to Apache httpd installation - BASE = C:\Apache2214 +Add configuration directives to your Apache conf\httpd.conf: - # Paths to required libraries - PCRE = C:\work\pcre-7.9 - CURL = C:\work\curl-7.20.0 + # mod_security requires mod_unique_id + LoadModule unique_id_module modules/mod_unique_id.so - # Linking libraries - LIBS = $(BASE)\lib\libapr-1.lib \ - $(BASE)\lib\libaprutil-1.lib \ - $(PCRE)\pcre.lib \ - $(CURL)\libcurl_imp.lib \ - wsock32.lib + # mod_security + LoadModule security2_module modules/mod_security2.so + + SecRuleEngine On + SecDataDir logs + Include conf/modsecurity_crs/*.conf + Include conf/modsecurity_crs/base_rules/*.conf + SecAuditEngine RelevantOnly + SecAuditLogRelevantStatus "^(?:5|4\d[^4])" + SecAuditLogType Serial + SecAuditLogParts ABCDEFGHZ + SecAuditLog logs/modsecurity.log + - CD C:\work\mod_security-2.5.12\apache2\mlogc-src - NMAKE -f Makefile.win +============================================================================================== +OPTIONAL: BUILD AND CONFIGURE THE MOD_SECURITY-2.6 MLOGC piped-logging program -INSTALL AND RUN +Edit the top of C:\work\mod_security\apache2\mlogc-src\Makefile.win and set your local paths - Copied these five files to C:\Apache2214\bin: - C:\work\pcre-7.9\pcre.dll - C:\work\lua-5.1.4\src\lua5.1.dll - C:\work\libxml2-2.7.6\win32\bin.msvc\libxml2.dll - C:\work\curl-7.20.0\libcurl.dll - C:\work\mod_security-2.5.12\apache2\mlogc-src\mlogc.exe + # Path to Apache httpd installation + BASE = C:\Apache2217 - Copied this one file to C:\Apache2214\modules: + # Paths to required libraries + PCRE = C:\work\pcre-8.12 + CURL = C:\work\curl-7.21.4 - C:\work\mod_security-2.5.12\apache2\mod_security2.so + # Linking libraries + LIBS = 
$(BASE)\lib\libapr-1.lib \ + $(BASE)\lib\libaprutil-1.lib \ + $(PCRE)\pcre.lib \ + $(CURL)\libcurl_imp.lib \ + wsock32.lib - You could also copy C:\work\curl-7.20.0\\curl.exe to C:\Apache2214\bin, if you want to use the cURL command-line. +Build the mlogc.exe program: - Downloaded the core rules from http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/ - and unzipped them in C:\Apache2214\conf\modsecurity_crs + CD C:\work\mod_security_trunk\mlogc + NMAKE -f Makefile.win - Added this to my conf\httpd.conf: +Copy mlocg.exe to C:\Apache2217\bin\ - LoadModule unique_id_module modules/mod_unique_id.so - LoadModule security2_module modules/mod_security2.so - - Include conf/modsecurity_crs/*.conf - Include conf/modsecurity_crs/base_rules/*.conf - SecDataDir logs - SecAuditEngine RelevantOnly - SecAuditLogRelevantStatus "^(?:5|4\d[^4])" - SecAuditLogType Concurrent - SecAuditLogParts ABCDEFGHZ - SecAuditLogStorageDir logs/data/ - SecAuditLog "|bin/mlogc.exe" - +Create a new command file C:\Apache2217\bin\mlogc.bat with one line: - My conf\mlogc.conf has this: - CollectorRoot "C:/Apache2214/logs" - ConsoleURI "https://localhost:8888/rpc/auditLogReceiver" - SensorUsername "test" - SensorPassword "testtest" - LogStorageDir "data" - TransactionLog "mlogc-transaction.log" - QueuePath "mlogc-queue.log" - ErrorLog "mlogc-error.log" - LockFile "mlogc.lck" - KeepEntries 0 - ErrorLogLevel 2 - MaxConnections 10 - MaxWorkerRequests 1000 - TransactionDelay 50 - StartupDelay 5000 - CheckpointInterval 15 - ServerErrorTimeout 60 + C:\Apache2217\bin\mlogc.exe C:\Apache2217\conf\mlogc.conf +Create a new configuration file C:\Apache2217\conf\mlogc.conf to control the piped-logging program mlogc.exe. +Here is an example conf\mlogc.conf: -Mod_security appears to work OK with the "ModSecurity Community Console". 
+ CollectorRoot "C:/Apache2217/logs" + ConsoleURI "https://localhost:8888/rpc/auditLogReceiver" + SensorUsername "test" + SensorPassword "testtest" + LogStorageDir "data" + TransactionLog "mlogc-transaction.log" + QueuePath "mlogc-queue.log" + ErrorLog "mlogc-error.log" + LockFile "mlogc.lck" + KeepEntries 0 + ErrorLogLevel 2 + MaxConnections 10 + MaxWorkerRequests 1000 + TransactionDelay 50 + StartupDelay 5000 + CheckpointInterval 15 + ServerErrorTimeout 60 + +Change the SecAuditLog directive in conf\httpd.conf to pipe the log data to mlogc +instead of writing them to a file: + + SecAuditLog |C:/Apache2217/bin/mlogc.bat diff --git a/apache2/Makefile.win b/apache2/Makefile.win index 7f6a8553..990c4684 100644 --- a/apache2/Makefile.win +++ b/apache2/Makefile.win 
@@ -1,51 +1,51 @@ ########################################################################### -### You Will need to modify the following variables for your system -########################################################################### -########################################################################### - -# Path to Apache httpd installation -BASE = C:\Apache2 - -# Paths to required libraries -LIBXML2 = C:\work\libxml2-2.6.31 -LUA = C:\work\lua-5.1.3 -PCRE = C:\work\httpd-2.2.8\srclib\pcre +# +# Usage: NMAKE -f Makefile.win APACHE={httpd installion dir} PCRE={pcre dir} LIBXML2={LibXML2 dir} [ LUA={Lua dir} ] +# +!IF "$(APACHE)" == "" || "$(PCRE)" == "" || "$(LIBXML2)" == "" +!ERROR NMAKE arguments: APACHE=dir PCRE=dir LIBXML2=dir are required to build mod_security2 for Windows +!ENDIF # Linking libraries -LIBS = $(BASE)\lib\libhttpd.lib \ - $(BASE)\lib\libapr-1.lib \ - $(BASE)\lib\libaprutil-1.lib \ - $(PCRE)\LibR\pcre.lib \ +LIBS = $(APACHE)\lib\libhttpd.lib \ + $(APACHE)\lib\libapr-1.lib \ + $(APACHE)\lib\libaprutil-1.lib \ + $(PCRE)\pcre.lib \ $(LIBXML2)\win32\bin.msvc\libxml2.lib \ - $(LUA)\lua5.1.lib \ - wsock32.lib + Ws2_32.lib ########################################################################### ########################################################################### -CC = cL +CC = CL MT = mt -DEFS = /nologo /O2 /LD /W3 /wd4244 -DWIN32 -DWINNT -Dinline=APR_INLINE +DEFS = /nologo /O2 /LD /W3 /wd4244 /wd4018 -DWIN32 -DWINNT -Dinline=APR_INLINE DLL = mod_security2.so -INCLUDES = -I. \ +INCLUDES = -I. -I.. 
\ -I$(PCRE)\include -I$(PCRE) \ -I$(LIBXML2)\include \ - -I$(LUA)\include -I$(LUA) \ - -I$(BASE)\include + -I$(APACHE)\include + +# Lua is optional +!IF "$(LUA)" != "" +LIBS = $(LIBS) $(LUA)\lua5.1.lib +DEFS=$(DEFS) -DWITH_LUA +INCLUDES = $(INCLUDES) -I$(LUA)\include -I$(LUA) \ +!ENDIF CFLAGS= -MD $(INCLUDES) $(DEFS) -LDFLAGS = +LDFLAGS = OBJS = mod_security2.obj apache2_config.obj apache2_io.obj apache2_util.obj \ re.obj re_operators.obj re_actions.obj re_tfns.obj re_variables.obj \ msc_logging.obj msc_xml.obj msc_multipart.obj modsecurity.obj \ msc_parsers.obj msc_util.obj msc_pcre.obj persist_dbm.obj \ - msc_reqbody.obj pdf_protect.obj msc_geo.obj msc_gsb.obj acmp.obj msc_lua.obj \ + msc_reqbody.obj msc_geo.obj msc_gsb.obj acmp.obj msc_lua.obj \ msc_release.obj all: $(DLL) @@ -53,21 +53,20 @@ all: $(DLL) dll: $(DLL) mod_security2_config.h: mod_security2_config.hw - @echo off - type mod_security2_config.hw > mod_security2_config.h + @type mod_security2_config.hw > mod_security2_config.h .c.obj: - $(CC) $(CFLAGS) -c $< -Fo$@ + $(CC) $(CFLAGS) -c $< -Fo$@ .cpp.obj: - $(CC) $(CFLAGS) -c $< -Fo$@ + $(CC) $(CFLAGS) -c $< -Fo$@ $(DLL): mod_security2_config.h $(OBJS) - $(CC) $(CFLAGS) $(LDFLAGS) -LD $(OBJS) -Fe$(DLL) $(LIBS) /link - IF EXIST $(DLL).manifest $(MT) -manifest $(DLL).manifest -outputresource:$(DLL);2 + $(CC) $(CFLAGS) $(LDFLAGS) -LD $(OBJS) -Fe$(DLL) $(LIBS) /link + IF EXIST $(DLL).manifest $(MT) -manifest $(DLL).manifest -outputresource:$(DLL);2 install: $(DLL) - copy $(DLL) $(BASE)\modules + copy /Y $(DLL) $(APACHE)\modules clean: - del $(OBJS) $(DLL) *.dll *.lib *.pdb *.idb *.ilk *.exp *.res *.rc *.bin mod_security2_config.h *.manifest + del $(OBJS) $(DLL) *.dll *.lib *.pdb *.idb *.ilk *.exp *.res *.rc *.bin mod_security2_config.h *.manifest diff --git a/apache2/msc_geo.c b/apache2/msc_geo.c index f3e83e7e..6327f536 100644 --- a/apache2/msc_geo.c +++ b/apache2/msc_geo.c 
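Review bot: In the optional-Lua block of the first Makefile.win hunk, `INCLUDES = $(INCLUDES) -I$(LUA)\include -I$(LUA) \` ends in a line-continuation backslash, so the `!ENDIF` on the next line may be read as part of the macro value rather than as the directive that closes `!IF "$(LUA)" != ""`. Dropping the trailing backslash removes the ambiguity. Separately, the new `/wd4018` in `DEFS` silences signed/unsigned comparison warnings for the whole module; in code that compares lengths and offsets derived from request data it is safer to keep C4018 enabled and fix or locally suppress the individual sites.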
@@ -205,10 +205,6 @@ static int db_open(directory_config *dcfg, char **error_msg) apr_pool_t *mp = dcfg->mp; geo_db *geo = dcfg->geo; apr_status_t rc; - apr_size_t nbytes; - apr_off_t offset; - unsigned char buf[3]; - int i, j; #ifdef DEBUG_CONF fprintf(stderr, "GEO: Initializing geo DB \"%s\".\n", geo->dbfn); @@ -280,9 +276,6 @@ int geo_lookup(modsec_rec *msr, geo_rec *georec, const char *target, char **erro int level; double dtmp; int itmp; - const unsigned char * p; - unsigned int x; - int j; *error_msg = NULL; diff --git a/apache2/msc_logging.c b/apache2/msc_logging.c index ffee2d1f..bf4e8b47 100644 --- a/apache2/msc_logging.c +++ b/apache2/msc_logging.c @@ -1120,13 +1120,13 @@ void sec_audit_logger(modsec_rec *msr) { /* AUDITLOG_PART_UPLOADS */ if ((strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_UPLOADS) != NULL) && (msr->mpd != NULL)) { - text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_UPLOADS); - sec_auditlog_write(msr, text, strlen(text)); - multipart_part **parts = NULL; unsigned int total_size = 0; int cfiles = 0; + text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_UPLOADS); + sec_auditlog_write(msr, text, strlen(text)); + parts = (multipart_part **)msr->mpd->parts->elts; for(cfiles = 0; cfiles < msr->mpd->parts->nelts; cfiles++) { if (parts[cfiles]->type == MULTIPART_FILE) { diff --git a/apache2/msc_logging.h b/apache2/msc_logging.h index f168941f..1ba417b1 100644 --- a/apache2/msc_logging.h +++ b/apache2/msc_logging.h @@ -38,6 +38,7 @@ #define AUDITLOG_PART_ENDMARKER 'Z' #include "modsecurity.h" +#include "apr_pools.h" int DSOLOCAL is_valid_parts_specification(char *p); @@ -47,4 +48,6 @@ char DSOLOCAL *construct_log_vcombinedus_limited(modsec_rec *msr, int _limit, in void DSOLOCAL sec_audit_logger(modsec_rec *msr); +void DSOLOCAL version(apr_pool_t *mp); + #endif diff --git a/apache2/msc_lua.h b/apache2/msc_lua.h index 2272cb68..1f8e50ee 100644 --- a/apache2/msc_lua.h 
+++ b/apache2/msc_lua.h @@ -42,6 +42,8 @@ char DSOLOCAL *lua_compile(msc_script **script, const char *filename, apr_pool_t int DSOLOCAL lua_execute(msc_script *script, char *param, modsec_rec *msr, msre_rule *rule, char **error_msg); +apr_status_t DSOLOCAL msre_action_setvar_execute(modsec_rec *r, apr_pool_t *, msre_rule *, char *, char *); + #endif #endif /* WITH_LUA */ diff --git a/apache2/msc_util.c b/apache2/msc_util.c index 36261f7d..eb73f48b 100644 --- a/apache2/msc_util.c +++ b/apache2/msc_util.c @@ -69,6 +69,37 @@ static const short b64_reverse_t[256] = { -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2 }; +#if defined(WIN32) || defined(WINNT) +/* Windows does not have inet_aton */ +int inet_aton(const char *cp, struct in_addr *inp) { + inp->s_addr = inet_addr(cp); + return (inp->s_addr == 0); +} +/* Windows versions before Vista do not have inet_pton */ +#if !defined(NTDDI_VERSION) || NTDDI_VERSION < NTDDI_VISTA +int inet_pton(int family, const char *cp, struct in6_addr *addr) { + struct addrinfo hints; + PADDRINFOA ppResult; + + ZeroMemory( &hints, sizeof(hints) ); + hints.ai_flags = AI_NUMERICHOST; + hints.ai_family = AF_INET6; + if (getaddrinfo(cp, NULL, &hints, &ppResult) == 0) { + while (ppResult) { + if (ppResult->ai_family == AF_INET6) { + memcpy(addr, ppResult->ai_addr, ppResult->ai_addrlen); + return 1; + } + ppResult = ppResult->ai_next; + } + } + return -1; +} + +#endif /* NTDDI_VERSION */ +#endif /* WIN32 || WINNT */ + + /* \brief Remove escape char * * \param mptmp Pointer to the pool @@ -78,7 +109,7 @@ static const short b64_reverse_t[256] = { * \retval string On Success */ char *remove_escape(apr_pool_t *mptmp, const char *input, int input_len) { - char *parm = apr_palloc(mptmp, input_len);; + char *parm = apr_palloc(mptmp, input_len); char *ret = parm; int len = input_len; 
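Review bot: Both Windows shims added to msc_util.c (hunk at -69) report the wrong result, and the second one writes out of bounds. `inet_aton` returns `(inp->s_addr == 0)`, which signals success only for `0.0.0.0` and failure for every other valid address; `inet_addr` reports an error as `INADDR_NONE`, so the test should be inverted against that value (255.255.255.255 remains the known ambiguous case). `inet_pton` copies `ai_addrlen` bytes of the whole `sockaddr` into a `struct in6_addr *`, which runs past the 16-byte destination and stores the family/port header instead of the address; it also never calls `freeaddrinfo`, ignores `family`, and returns -1 where the POSIX function returns 0 for an unparsable string. The version below copies only `sin6_addr` and releases the result list; check how the callers in re_operators.c test the return value before changing the failure code.

```c
int inet_aton(const char *cp, struct in_addr *inp) {
    inp->s_addr = inet_addr(cp);
    /* inet_addr reports failure as INADDR_NONE; inet_aton returns non-zero on success */
    return (inp->s_addr != INADDR_NONE);
}

int inet_pton(int family, const char *cp, struct in6_addr *addr) {
    struct addrinfo hints;
    struct addrinfo *res = NULL;
    struct addrinfo *cur;
    int found = 0;

    if (family != AF_INET6) return -1;

    ZeroMemory(&hints, sizeof(hints));
    hints.ai_flags = AI_NUMERICHOST;
    hints.ai_family = AF_INET6;
    if (getaddrinfo(cp, NULL, &hints, &res) != 0) return 0;

    for (cur = res; cur != NULL; cur = cur->ai_next) {
        if (cur->ai_family == AF_INET6 && cur->ai_addrlen >= sizeof(struct sockaddr_in6)) {
            /* copy only the 16 address bytes, not the sockaddr header */
            memcpy(addr, &((struct sockaddr_in6 *)cur->ai_addr)->sin6_addr, sizeof(*addr));
            found = 1;
            break;
        }
    }
    freeaddrinfo(res);
    return found;
}
```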
@@ -204,7 +235,6 @@ int convert_to_int(const char c) int set_match_to_tx(modsec_rec *msr, int capture, const char *match, int tx_n) { if (capture) { - int i; msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); if (s == NULL) return -1; diff --git a/apache2/msc_util.h b/apache2/msc_util.h index f088794b..66e58f87 100644 --- a/apache2/msc_util.h +++ b/apache2/msc_util.h @@ -120,4 +120,13 @@ char DSOLOCAL *construct_single_var(modsec_rec *msr, char *name); char DSOLOCAL *format_all_performance_variables(modsec_rec *msr, apr_pool_t *mp); +#if defined(WIN32) || defined(WINNT) +int DSOLOCAL inet_pton(int family, const char *cp, struct in6_addr *addr); + +#if !defined(NTDDI_VERSION) || NTDDI_VERSION < NTDDI_VISTA +int DSLOCAL inet_aton(const char *cp, struct in_addr *inp); + +#endif /* NTDDI_VERSION */ +#endif /* WIN32 || WINNT */ + #endif diff --git a/apache2/re.c b/apache2/re.c index 7b1c519f..7d076d59 100644 --- a/apache2/re.c +++ b/apache2/re.c @@ -1993,9 +1993,11 @@ static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr, parm = strchr(msr->matched_var->name,':'); if(parm) { + msc_string *mvar = NULL; + parm++; - msc_string *mvar = apr_palloc(msr->mp, sizeof(msc_string)); + mvar = apr_palloc(msr->mp, sizeof(msc_string)); mvar->name = apr_pstrdup(msr->mp, parm); mvar->name_len = strlen(mvar->name); mvar->value = apr_pmemdup(msr->mp, var->value, var->value_len); diff --git a/apache2/re_actions.c b/apache2/re_actions.c index 05103fb1..cfd2776c 100644 --- a/apache2/re_actions.c +++ b/apache2/re_actions.c @@ -584,6 +584,10 @@ static apr_status_t msre_action_tag_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { msc_string *var = NULL; + msre_action *action = NULL; + const apr_array_header_t *tarr = NULL; + const apr_table_entry_t *telts = NULL; + int act; var = apr_pcalloc(mptmp, sizeof(msc_string)); if (var == NULL) return -1; 
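Review bot: The two prototypes added to msc_util.h sit under the opposite guards from their definitions in msc_util.c: there `inet_aton` is defined for every Windows build and `inet_pton` only when `NTDDI_VERSION < NTDDI_VISTA`, but here `inet_pton` is declared unconditionally and `inet_aton` only in the pre-Vista branch. On a Vista-or-later SDK target that leaves a local `inet_pton` declaration that may conflict with the system one, and `inet_aton` with no prototype at all. The `inet_aton` line also spells the visibility macro `DSLOCAL` where the rest of the header uses `DSOLOCAL`, which will not compile unless such a macro exists elsewhere. Swap the two declarations and correct the macro, i.e. `int DSOLOCAL inet_aton(const char *cp, struct in_addr *inp);` outside the `NTDDI_VERSION` test and the `inet_pton` prototype inside it.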
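Review bot: The added `msre_action *action = NULL;` in msre_action_tag_execute (re_actions.c, hunk at -584) redeclares the function's own `action` parameter in the outermost block of the body, which C compilers reject as a redefinition of a formal parameter, or, where accepted, hides the caller's action behind a NULL pointer. Any read of `action->param` in the unchanged part of the function, which lies between this hunk and the next and is not visible here, would then dereference NULL. Give the loop variable its own name, e.g. `msre_action *tag_action = NULL;`, and use that name in the search loop the following hunk adds.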
@@ -591,9 +595,19 @@ static apr_status_t msre_action_tag_execute(modsec_rec *msr, apr_pool_t *mptmp, var->value_len = strlen(var->value); expand_macros(msr, var, rule, mptmp); - action->param = apr_pstrmemdup(msr->mp, var->value, var->value_len); + tarr = apr_table_elts(rule->actionset->actions); + telts = (const apr_table_entry_t*)tarr->elts; - return 1; + for (act = 0; act < tarr->nelts; act++) { + action = (msre_action *)telts[act].val; + if((action != NULL) && (action->metadata != NULL) && (strcmp("tag", action->metadata->name) == 0)) { + action->param = apr_pstrmemdup(msr->mp, var->value, var->value_len); + return 1; + } + } + + + return 0; } /* proxy */ @@ -604,7 +618,7 @@ static char *msre_action_proxy_validate(msre_engine *engine, msre_action *action } static apr_status_t msre_action_proxy_init(msre_engine *engine, msre_actionset *actionset, - msre_action *action) + msre_action *action) { actionset->intercept_action = ACTION_PROXY; actionset->intercept_uri = action->param; @@ -613,7 +627,7 @@ static apr_status_t msre_action_proxy_init(msre_engine *engine, msre_actionset * } static apr_status_t msre_action_proxy_execute(modsec_rec *msr, apr_pool_t *mptmp, - msre_rule *rule, msre_action *action) + msre_rule *rule, msre_action *action) { msc_string *var = NULL; @@ -631,7 +645,7 @@ static apr_status_t msre_action_proxy_execute(modsec_rec *msr, apr_pool_t *mptmp /* pass */ static apr_status_t msre_action_pass_init(msre_engine *engine, msre_actionset *actionset, - msre_action *action) + msre_action *action) { actionset->intercept_action = ACTION_NONE; actionset->intercept_action_rec = action; @@ -646,7 +660,7 @@ static char *msre_action_skip_validate(msre_engine *engine, msre_action *action) } static apr_status_t msre_action_skip_init(msre_engine *engine, msre_actionset *actionset, - msre_action *action) + msre_action *action) { actionset->skip_count = atoi(action->param); if (actionset->skip_count <= 0) actionset->skip_count = 1; 
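Review bot: The search loop added to msre_action_tag_execute (hunk at -591) stops at the first action named `tag` in `rule->actionset->actions`, so on a rule that carries several `tag` actions every invocation overwrites that first entry's `param` and the remaining tags are never expanded. The value is also allocated from the per-request pool `msr->mp` but stored through `rule->actionset`; if rules are shared between requests (likely, though not visible here) that leaves a pointer into memory released when the request ends and an unsynchronised write from concurrent requests. Keeping the expanded string in request-scoped state instead of writing it back to `action->param` avoids both problems. The start of the function is outside this hunk.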
@@ -661,7 +675,7 @@ static char *msre_action_skipAfter_validate(msre_engine *engine, msre_action *ac } static apr_status_t msre_action_skipAfter_init(msre_engine *engine, msre_actionset *actionset, - msre_action *action) + msre_action *action) { actionset->skip_after = action->param; return 1; @@ -1149,9 +1163,7 @@ static apr_status_t msre_action_sanitizeMatched_execute(modsec_rec *msr, apr_poo const char *sargname = NULL; const apr_array_header_t *tarr; const apr_table_entry_t *telts; - const apr_array_header_t *tarr_pattern; - const apr_table_entry_t *telts_pattern; - int i, type = 0, k; + int i, type = 0; msc_string *mvar = msr->matched_var; if (mvar->name_len == 0) return 0; @@ -2626,10 +2638,9 @@ void msre_engine_register_default_actions(msre_engine *engine) { ); /* tag */ - /* ENH: This should be ACTION_METADATA??? */ msre_engine_action_register(engine, "tag", - ACTION_NON_DISRUPTIVE, + ACTION_METADATA, 1, 1, NO_PLUS_MINUS, ACTION_CARDINALITY_MANY, diff --git a/apache2/re_operators.c b/apache2/re_operators.c index 73c469c8..11fc4a86 100644 --- a/apache2/re_operators.c +++ b/apache2/re_operators.c @@ -18,13 +18,10 @@ #include "apr_lib.h" #include "apr_strmatch.h" #include "acmp.h" -#if defined(WIN32) || defined(WINNT) -#include "pcre.h" -#else +#if !defined(WIN32) && !defined(WINNT) #include #endif - #define PARSE_REGEX_IP "([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)(?:(\\/[0-9]+))?|([0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+)(?:(\\/[0-9]+))?" #define MAX_SUBSTRINGS 30 @@ -79,7 +76,6 @@ static int msre_op_nomatch_execute(modsec_rec *msr, msre_rule *rule, /* ipmatch */ -#if !defined(WIN32) || !defined(WINNT) /* * \brief Init function to ipmatch operator * 
@@ -91,7 +87,7 @@ static int msre_op_nomatch_execute(modsec_rec *msr, msre_rule *rule, */ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) { const char *errptr = NULL; - int erroffset; + int erroffset = 0; char *data = NULL; const char *str = NULL; char *saved = NULL; @@ -207,6 +203,8 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) { while (maskbits >= 8) { #ifdef LINUX mask6.sin6_addr.__in6_u.__u6_addr8[j++] = 0xff; +#elif defined(WIN32) || defined(WINNT) + mask6.sin6_addr.s6_addr[j++] = 0xff; #elif SOLARIS2 mask6.sin6_addr._S6_un._S6_u8[j++] = 0xff; #else @@ -219,6 +217,9 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) { #ifdef LINUX mask6.sin6_addr.__in6_u.__u6_addr8[j] >>= 1; mask6.sin6_addr.__in6_u.__u6_addr8[j] |= 0x80; +#elif defined(WIN32) || defined(WINNT) + mask6.sin6_addr.s6_addr[j] >>= 1; + mask6.sin6_addr.s6_addr[j] |= 0x80; #elif SOLARIS2 mask6.sin6_addr._S6_un._S6_u8[j] >>= 1; mask6.sin6_addr._S6_un._S6_u8[j] |= 0x80; @@ -233,6 +234,8 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) { while (j < 16) { #ifdef LINUX mask6.sin6_addr.__in6_u.__u6_addr8[j++] = 0; +#elif defined(WIN32) || defined(WINNT) + mask6.sin6_addr.s6_addr[j++] = 0; #elif SOLARIS2 mask6.sin6_addr._S6_un._S6_u8[j++] = 0; #else @@ -243,6 +246,9 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) { for (j = 0; j < 4; j++) { #ifdef LINUX sa.sin6_addr.__in6_u.__u6_addr32[j] &= mask6.sin6_addr.__in6_u.__u6_addr32[j]; +#elif defined(WIN32) || defined(WINNT) + sa.sin6_addr.s6_words[j*2] &= mask6.sin6_addr.s6_words[j*2] ; + sa.sin6_addr.s6_words[j*2+1] &= mask6.sin6_addr.s6_words[j*2+1] ; #elif SOLARIS2 sa.sin6_addr._S6_un.u6__S6_u32[j] &= mask6.sin6_addr._S6_un._S6_u32[j]; #else 
@@ -286,6 +292,8 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) { while (maskbits >= 8) { #ifdef LINUX mask6.sin6_addr.__in6_u.__u6_addr8[j++] = 0xff; +#elif defined(WIN32) || defined(WINNT) + mask6.sin6_addr.s6_addr[j++] = 0xff; #elif SOLARIS2 mask6.sin6_addr._S6_un._S6_u8[j++] = 0xff; #else @@ -297,6 +305,9 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) { #ifdef LINUX mask6.sin6_addr.__in6_u.__u6_addr8[j] >>= 1; mask6.sin6_addr.__in6_u.__u6_addr8[j] |= 0x80; +#elif defined(WIN32) || defined(WINNT) + mask6.sin6_addr.s6_addr[j] >>= 1; + mask6.sin6_addr.s6_addr[j] |= 0x80; #elif SOLARIS2 mask6.sin6_addr._S6_un._S6_u8[j] >>= 1; mask6.sin6_addr._S6_un._S6_u8[j] |= 0x80; @@ -311,6 +322,8 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) { while (j < 16) { #ifdef LINUX mask6.sin6_addr.__in6_u.__u6_addr8[j++] = 0; +#elif defined(WIN32) || defined(WINNT) + mask6.sin6_addr.s6_addr[j++] = 0; #elif SOLARIS2 mask6.sin6_addr._S6_un._S6_u8[j++] = 0; #else @@ -322,6 +335,9 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) { for (j = 0; j < 4; j++) { #ifdef LINUX sa.sin6_addr.__in6_u.__u6_addr32[j] &= mask6.sin6_addr.__in6_u.__u6_addr32[j]; +#elif defined(WIN32) || defined(WINNT) + sa.sin6_addr.s6_words[j*2] &= mask6.sin6_addr.s6_words[j*2] ; + sa.sin6_addr.s6_words[j*2+1] &= mask6.sin6_addr.s6_words[j*2+1] ; #elif SOLARIS2 sa.sin6_addr._S6_un._S6_u32[j] &= mask6.sin6_addr._S6_un._S6_u32[j]; #else @@ -421,7 +437,7 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) { */ static int msre_op_ipmatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { const char *errptr = NULL; - int erroffset; + int erroffset=0; struct in_addr addr; struct sockaddr_in6 sa; unsigned long ipaddr; 
@@ -472,6 +488,9 @@ static int msre_op_ipmatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *v #ifdef LINUX if (((sa.sin6_addr.__in6_u.__u6_addr8[i] ^ ipdata->netaddr->sin6_addr.__in6_u.__u6_addr8[i]) & ipdata->netaddr->sin6_addr.__in6_u.__u6_addr8[i]) == 0) +#elif defined(WIN32) || defined(WINNT) + if (((sa.sin6_addr.s6_addr[i] ^ ipdata->netaddr->sin6_addr.s6_addr[i]) & + ipdata->netaddr->sin6_addr.s6_addr[i]) == 0) #elif SOLARIS2 if (((sa.sin6_addr._S6_un._S6_u8[i] ^ ipdata->netaddr->sin6_addr._S6_un._S6_u8[i]) & ipdata->netaddr->sin6_addr._S6_un._S6_u8[i]) == 0) @@ -488,12 +507,11 @@ static int msre_op_ipmatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *v return 0; } -#endif /* WIN32 | WINNT */ /* rsub */ static char *param_remove_escape(msre_rule *rule, char *str, int len) { - char *parm = apr_palloc(rule->ruleset->mp, len);; + char *parm = apr_palloc(rule->ruleset->mp, len); char *ret = parm; for(;*str!='\0';str++) { @@ -525,7 +543,7 @@ static char *param_remove_escape(msre_rule *rule, char *str, int len) { */ static int msre_op_rsub_param_init(msre_rule *rule, char **error_msg) { const char *errptr = NULL; - int erroffset; + int erroffset = 0; ap_regex_t *regex; const char *pattern = NULL; const char *line = NULL; @@ -1387,7 +1405,6 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var const char *match = NULL; unsigned int match_length; unsigned int canon_length; - unsigned int base_length; int rv, i, ret; char *data = NULL; unsigned int size = var->value_len; @@ -3728,14 +3745,12 @@ void msre_engine_register_default_operators(msre_engine *engine) { msre_op_nomatch_execute ); -#if !defined(WIN32) || !defined(WINNT) /* ipmatch */ msre_engine_op_register(engine, "ipmatch", msre_op_ipmatch_param_init, msre_op_ipmatch_execute ); -#endif /* WIN32 | WINNT */ /* rsub */ msre_engine_op_register(engine,
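Review bot: The new Windows branch in msre_op_ipmatch_execute (hunk at -472) repeats the comparison `((sa ^ netaddr) & netaddr) == 0`, which masks the difference with the network address itself rather than with a netmask. That test passes whenever the candidate byte has every bit of the network byte set, so a network byte of `0x0a` is satisfied by `0x0b` or `0xff`, and a network byte of 0 is satisfied by any value. What the `if` guards is outside the hunk, but an operator used for allow or deny decisions should compare `(sa & mask) == netaddr` against a netmask derived from the prefix length. The LINUX and SOLARIS2 branches shown as context have the same form and would need the same correction.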