github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-09-29 19:24:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

Improvements, bug fixes and cleanup from Tom Donavan

Browse Source
This commit is contained in:
brenosilva
2011-04-02 23:10:16 +00:00
parent f0d6a06a95
commit 6031e7fdae
11 changed files with 274 additions and 200 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
apache2/Makefile.win
View File

@@ -1,51 +1,51 @@
###########################################################################
### You Will need to modify the following variables for your system
###########################################################################
###########################################################################
# Path to Apache httpd installation
BASE = C:\Apache2
# Paths to required libraries
LIBXML2 = C:\work\libxml2-2.6.31
LUA = C:\work\lua-5.1.3
PCRE = C:\work\httpd-2.2.8\srclib\pcre
#
# Usage: NMAKE -f Makefile.win APACHE={httpd installion dir} PCRE={pcre dir} LIBXML2={LibXML2 dir} [ LUA={Lua dir} ]
#
!IF "$(APACHE)" == "" || "$(PCRE)" == "" || "$(LIBXML2)" == ""
!ERROR NMAKE arguments: APACHE=dir PCRE=dir LIBXML2=dir are required to build mod_security2 for Windows
!ENDIF
# Linking libraries
LIBS = $(BASE)\lib\libhttpd.lib \
$(BASE)\lib\libapr-1.lib \
$(BASE)\lib\libaprutil-1.lib \
$(PCRE)\LibR\pcre.lib \
LIBS = $(APACHE)\lib\libhttpd.lib \
$(APACHE)\lib\libapr-1.lib \
$(APACHE)\lib\libaprutil-1.lib \
$(PCRE)\pcre.lib \
$(LIBXML2)\win32\bin.msvc\libxml2.lib \
$(LUA)\lua5.1.lib \
wsock32.lib
Ws2_32.lib
###########################################################################
###########################################################################
CC = cL
CC = CL
MT = mt
DEFS = /nologo /O2 /LD /W3 /wd4244 -DWIN32 -DWINNT -Dinline=APR_INLINE
DEFS = /nologo /O2 /LD /W3 /wd4244 /wd4018 -DWIN32 -DWINNT -Dinline=APR_INLINE
DLL = mod_security2.so
INCLUDES = -I. \
INCLUDES = -I. -I.. \
-I$(PCRE)\include -I$(PCRE) \
-I$(LIBXML2)\include \
-I$(LUA)\include -I$(LUA) \
-I$(BASE)\include
-I$(APACHE)\include
# Lua is optional
!IF "$(LUA)" != ""
LIBS = $(LIBS) $(LUA)\lua5.1.lib
DEFS=$(DEFS) -DWITH_LUA
INCLUDES = $(INCLUDES) -I$(LUA)\include -I$(LUA) \
!ENDIF
CFLAGS= -MD $(INCLUDES) $(DEFS)
LDFLAGS =
LDFLAGS =
OBJS = mod_security2.obj apache2_config.obj apache2_io.obj apache2_util.obj \
re.obj re_operators.obj re_actions.obj re_tfns.obj re_variables.obj \
msc_logging.obj msc_xml.obj msc_multipart.obj modsecurity.obj \
msc_parsers.obj msc_util.obj msc_pcre.obj persist_dbm.obj \
msc_reqbody.obj pdf_protect.obj msc_geo.obj msc_gsb.obj acmp.obj msc_lua.obj \
msc_reqbody.obj msc_geo.obj msc_gsb.obj acmp.obj msc_lua.obj \
msc_release.obj
all: $(DLL)
@@ -53,21 +53,20 @@ all: $(DLL)
dll: $(DLL)
mod_security2_config.h: mod_security2_config.hw
@echo off
type mod_security2_config.hw > mod_security2_config.h
@type mod_security2_config.hw > mod_security2_config.h
.c.obj:
$(CC) $(CFLAGS) -c $< -Fo$@
$(CC) $(CFLAGS) -c $< -Fo$@
.cpp.obj:
$(CC) $(CFLAGS) -c $< -Fo$@
$(CC) $(CFLAGS) -c $< -Fo$@
$(DLL): mod_security2_config.h $(OBJS)
$(CC) $(CFLAGS) $(LDFLAGS) -LD $(OBJS) -Fe$(DLL) $(LIBS) /link
IF EXIST $(DLL).manifest $(MT) -manifest $(DLL).manifest -outputresource:$(DLL);2
$(CC) $(CFLAGS) $(LDFLAGS) -LD $(OBJS) -Fe$(DLL) $(LIBS) /link
IF EXIST $(DLL).manifest $(MT) -manifest $(DLL).manifest -outputresource:$(DLL);2
install: $(DLL)
copy $(DLL) $(BASE)\modules
copy /Y $(DLL) $(APACHE)\modules
clean:
del $(OBJS) $(DLL) *.dll *.lib *.pdb *.idb *.ilk *.exp *.res *.rc *.bin mod_security2_config.h *.manifest
del $(OBJS) $(DLL) *.dll *.lib *.pdb *.idb *.ilk *.exp *.res *.rc *.bin mod_security2_config.h *.manifest

7
apache2/msc_geo.c
View File

@@ -205,10 +205,6 @@ static int db_open(directory_config *dcfg, char **error_msg)
apr_pool_t *mp = dcfg->mp;
geo_db *geo = dcfg->geo;
apr_status_t rc;
apr_size_t nbytes;
apr_off_t offset;
unsigned char buf[3];
int i, j;
#ifdef DEBUG_CONF
fprintf(stderr, "GEO: Initializing geo DB \"%s\".\n", geo->dbfn);
@@ -280,9 +276,6 @@ int geo_lookup(modsec_rec *msr, geo_rec *georec, const char *target, char **erro
int level;
double dtmp;
int itmp;
const unsigned char * p;
unsigned int x;
int j;
*error_msg = NULL;

6
apache2/msc_logging.c
View File

@@ -1120,13 +1120,13 @@ void sec_audit_logger(modsec_rec *msr) {
/* AUDITLOG_PART_UPLOADS */
if ((strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_UPLOADS) != NULL) && (msr->mpd != NULL)) {
text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_UPLOADS);
sec_auditlog_write(msr, text, strlen(text));
multipart_part **parts = NULL;
unsigned int total_size = 0;
int cfiles = 0;
text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_UPLOADS);
sec_auditlog_write(msr, text, strlen(text));
parts = (multipart_part **)msr->mpd->parts->elts;
for(cfiles = 0; cfiles < msr->mpd->parts->nelts; cfiles++) {
if (parts[cfiles]->type == MULTIPART_FILE) {

3
apache2/msc_logging.h
View File

@@ -38,6 +38,7 @@
#define AUDITLOG_PART_ENDMARKER 'Z'
#include "modsecurity.h"
#include "apr_pools.h"
int DSOLOCAL is_valid_parts_specification(char *p);
@@ -47,4 +48,6 @@ char DSOLOCAL *construct_log_vcombinedus_limited(modsec_rec *msr, int _limit, in
void DSOLOCAL sec_audit_logger(modsec_rec *msr);
void DSOLOCAL version(apr_pool_t *mp);
#endif

2
apache2/msc_lua.h
View File

@@ -42,6 +42,8 @@ char DSOLOCAL *lua_compile(msc_script **script, const char *filename, apr_pool_t
int DSOLOCAL lua_execute(msc_script *script, char *param, modsec_rec *msr, msre_rule *rule, char **error_msg);
apr_status_t DSOLOCAL msre_action_setvar_execute(modsec_rec *r, apr_pool_t *, msre_rule *, char *, char *);
#endif
#endif /* WITH_LUA */

34
apache2/msc_util.c
View File

@@ -69,6 +69,37 @@ static const short b64_reverse_t[256] = {
-2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2
};
#if defined(WIN32) || defined(WINNT)
/* Windows does not have inet_aton */
int inet_aton(const char *cp, struct in_addr *inp) {
inp->s_addr = inet_addr(cp);
return (inp->s_addr == 0);
}
/* Windows versions before Vista do not have inet_pton */
#if !defined(NTDDI_VERSION) || NTDDI_VERSION < NTDDI_VISTA
int inet_pton(int family, const char *cp, struct in6_addr *addr) {
struct addrinfo hints;
PADDRINFOA ppResult;
ZeroMemory( &hints, sizeof(hints) );
hints.ai_flags = AI_NUMERICHOST;
hints.ai_family = AF_INET6;
if (getaddrinfo(cp, NULL, &hints, &ppResult) == 0) {
while (ppResult) {
if (ppResult->ai_family == AF_INET6) {
memcpy(addr, ppResult->ai_addr, ppResult->ai_addrlen);
return 1;
}
ppResult = ppResult->ai_next;
}
}
return -1;
}
#endif /* NTDDI_VERSION */
#endif /* WIN32 || WINNT */
/* \brief Remove escape char
*
* \param mptmp Pointer to the pool
@@ -78,7 +109,7 @@ static const short b64_reverse_t[256] = {
* \retval string On Success
*/
char *remove_escape(apr_pool_t *mptmp, const char *input, int input_len) {
char *parm = apr_palloc(mptmp, input_len);;
char *parm = apr_palloc(mptmp, input_len);
char *ret = parm;
int len = input_len;
@@ -204,7 +235,6 @@ int convert_to_int(const char c)
int set_match_to_tx(modsec_rec *msr, int capture, const char *match, int tx_n) {
if (capture) {
int i;
msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
if (s == NULL) return -1;

9
apache2/msc_util.h
View File

@@ -120,4 +120,13 @@ char DSOLOCAL *construct_single_var(modsec_rec *msr, char *name);
char DSOLOCAL *format_all_performance_variables(modsec_rec *msr, apr_pool_t *mp);
#if defined(WIN32) || defined(WINNT)
int DSOLOCAL inet_pton(int family, const char *cp, struct in6_addr *addr);
#if !defined(NTDDI_VERSION) || NTDDI_VERSION < NTDDI_VISTA
int DSLOCAL inet_aton(const char *cp, struct in_addr *inp);
#endif /* NTDDI_VERSION */
#endif /* WIN32 || WINNT */
#endif

4
apache2/re.c
View File

@@ -1993,9 +1993,11 @@ static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr,
parm = strchr(msr->matched_var->name,':');
if(parm) {
msc_string *mvar = NULL;
parm++;
msc_string *mvar = apr_palloc(msr->mp, sizeof(msc_string));
mvar = apr_palloc(msr->mp, sizeof(msc_string));
mvar->name = apr_pstrdup(msr->mp, parm);
mvar->name_len = strlen(mvar->name);
mvar->value = apr_pmemdup(msr->mp, var->value, var->value_len);

35
apache2/re_actions.c
View File

@@ -584,6 +584,10 @@ static apr_status_t msre_action_tag_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
msc_string *var = NULL;
msre_action *action = NULL;
const apr_array_header_t *tarr = NULL;
const apr_table_entry_t *telts = NULL;
int act;
var = apr_pcalloc(mptmp, sizeof(msc_string));
if (var == NULL) return -1;
@@ -591,9 +595,19 @@ static apr_status_t msre_action_tag_execute(modsec_rec *msr, apr_pool_t *mptmp,
var->value_len = strlen(var->value);
expand_macros(msr, var, rule, mptmp);
action->param = apr_pstrmemdup(msr->mp, var->value, var->value_len);
tarr = apr_table_elts(rule->actionset->actions);
telts = (const apr_table_entry_t*)tarr->elts;
return 1;
for (act = 0; act < tarr->nelts; act++) {
action = (msre_action *)telts[act].val;
if((action != NULL) && (action->metadata != NULL) && (strcmp("tag", action->metadata->name) == 0)) {
action->param = apr_pstrmemdup(msr->mp, var->value, var->value_len);
return 1;
}
}
return 0;
}
/* proxy */
@@ -604,7 +618,7 @@ static char *msre_action_proxy_validate(msre_engine *engine, msre_action *action
}
static apr_status_t msre_action_proxy_init(msre_engine *engine, msre_actionset *actionset,
msre_action *action)
msre_action *action)
{
actionset->intercept_action = ACTION_PROXY;
actionset->intercept_uri = action->param;
@@ -613,7 +627,7 @@ static apr_status_t msre_action_proxy_init(msre_engine *engine, msre_actionset *
}
static apr_status_t msre_action_proxy_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
msre_rule *rule, msre_action *action)
{
msc_string *var = NULL;
@@ -631,7 +645,7 @@ static apr_status_t msre_action_proxy_execute(modsec_rec *msr, apr_pool_t *mptmp
/* pass */
static apr_status_t msre_action_pass_init(msre_engine *engine, msre_actionset *actionset,
msre_action *action)
msre_action *action)
{
actionset->intercept_action = ACTION_NONE;
actionset->intercept_action_rec = action;
@@ -646,7 +660,7 @@ static char *msre_action_skip_validate(msre_engine *engine, msre_action *action)
}
static apr_status_t msre_action_skip_init(msre_engine *engine, msre_actionset *actionset,
msre_action *action)
msre_action *action)
{
actionset->skip_count = atoi(action->param);
if (actionset->skip_count <= 0) actionset->skip_count = 1;
@@ -661,7 +675,7 @@ static char *msre_action_skipAfter_validate(msre_engine *engine, msre_action *ac
}
static apr_status_t msre_action_skipAfter_init(msre_engine *engine, msre_actionset *actionset,
msre_action *action)
msre_action *action)
{
actionset->skip_after = action->param;
return 1;
@@ -1149,9 +1163,7 @@ static apr_status_t msre_action_sanitizeMatched_execute(modsec_rec *msr, apr_poo
const char *sargname = NULL;
const apr_array_header_t *tarr;
const apr_table_entry_t *telts;
const apr_array_header_t *tarr_pattern;
const apr_table_entry_t *telts_pattern;
int i, type = 0, k;
int i, type = 0;
msc_string *mvar = msr->matched_var;
if (mvar->name_len == 0) return 0;
@@ -2626,10 +2638,9 @@ void msre_engine_register_default_actions(msre_engine *engine) {
);
/* tag */
/* ENH: This should be ACTION_METADATA??? */
msre_engine_action_register(engine,
"tag",
ACTION_NON_DISRUPTIVE,
ACTION_METADATA,
1, 1,
NO_PLUS_MINUS,
ACTION_CARDINALITY_MANY,

41
apache2/re_operators.c
View File

@@ -18,13 +18,10 @@
#include "apr_lib.h"
#include "apr_strmatch.h"
#include "acmp.h"
#if defined(WIN32) || defined(WINNT)
#include "pcre.h"
#else
#if !defined(WIN32) && !defined(WINNT)
#include <regex.h>
#endif
#define PARSE_REGEX_IP "([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)(?:(\\/[0-9]+))?|([0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+)(?:(\\/[0-9]+))?"
#define MAX_SUBSTRINGS 30
@@ -79,7 +76,6 @@ static int msre_op_nomatch_execute(modsec_rec *msr, msre_rule *rule,
/* ipmatch */
#if !defined(WIN32) || !defined(WINNT)
/*
* \brief Init function to ipmatch operator
*
@@ -91,7 +87,7 @@ static int msre_op_nomatch_execute(modsec_rec *msr, msre_rule *rule,
*/
static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
const char *errptr = NULL;
int erroffset;
int erroffset = 0;
char *data = NULL;
const char *str = NULL;
char *saved = NULL;
@@ -207,6 +203,8 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
while (maskbits >= 8) {
#ifdef LINUX
mask6.sin6_addr.__in6_u.__u6_addr8[j++] = 0xff;
#elif defined(WIN32) || defined(WINNT)
mask6.sin6_addr.s6_addr[j++] = 0xff;
#elif SOLARIS2
mask6.sin6_addr._S6_un._S6_u8[j++] = 0xff;
#else
@@ -219,6 +217,9 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
#ifdef LINUX
mask6.sin6_addr.__in6_u.__u6_addr8[j] >>= 1;
mask6.sin6_addr.__in6_u.__u6_addr8[j] |= 0x80;
#elif defined(WIN32) || defined(WINNT)
mask6.sin6_addr.s6_addr[j] >>= 1;
mask6.sin6_addr.s6_addr[j] |= 0x80;
#elif SOLARIS2
mask6.sin6_addr._S6_un._S6_u8[j] >>= 1;
mask6.sin6_addr._S6_un._S6_u8[j] |= 0x80;
@@ -233,6 +234,8 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
while (j < 16) {
#ifdef LINUX
mask6.sin6_addr.__in6_u.__u6_addr8[j++] = 0;
#elif defined(WIN32) || defined(WINNT)
mask6.sin6_addr.s6_addr[j++] = 0;
#elif SOLARIS2
mask6.sin6_addr._S6_un._S6_u8[j++] = 0;
#else
@@ -243,6 +246,9 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
for (j = 0; j < 4; j++) {
#ifdef LINUX
sa.sin6_addr.__in6_u.__u6_addr32[j] &= mask6.sin6_addr.__in6_u.__u6_addr32[j];
#elif defined(WIN32) || defined(WINNT)
sa.sin6_addr.s6_words[j*2] &= mask6.sin6_addr.s6_words[j*2] ;
sa.sin6_addr.s6_words[j*2+1] &= mask6.sin6_addr.s6_words[j*2+1] ;
#elif SOLARIS2
sa.sin6_addr._S6_un.u6__S6_u32[j] &= mask6.sin6_addr._S6_un._S6_u32[j];
#else
@@ -286,6 +292,8 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
while (maskbits >= 8) {
#ifdef LINUX
mask6.sin6_addr.__in6_u.__u6_addr8[j++] = 0xff;
#elif defined(WIN32) || defined(WINNT)
mask6.sin6_addr.s6_addr[j++] = 0xff;
#elif SOLARIS2
mask6.sin6_addr._S6_un._S6_u8[j++] = 0xff;
#else
@@ -297,6 +305,9 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
#ifdef LINUX
mask6.sin6_addr.__in6_u.__u6_addr8[j] >>= 1;
mask6.sin6_addr.__in6_u.__u6_addr8[j] |= 0x80;
#elif defined(WIN32) || defined(WINNT)
mask6.sin6_addr.s6_addr[j] >>= 1;
mask6.sin6_addr.s6_addr[j] |= 0x80;
#elif SOLARIS2
mask6.sin6_addr._S6_un._S6_u8[j] >>= 1;
mask6.sin6_addr._S6_un._S6_u8[j] |= 0x80;
@@ -311,6 +322,8 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
while (j < 16) {
#ifdef LINUX
mask6.sin6_addr.__in6_u.__u6_addr8[j++] = 0;
#elif defined(WIN32) || defined(WINNT)
mask6.sin6_addr.s6_addr[j++] = 0;
#elif SOLARIS2
mask6.sin6_addr._S6_un._S6_u8[j++] = 0;
#else
@@ -322,6 +335,9 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
for (j = 0; j < 4; j++) {
#ifdef LINUX
sa.sin6_addr.__in6_u.__u6_addr32[j] &= mask6.sin6_addr.__in6_u.__u6_addr32[j];
#elif defined(WIN32) || defined(WINNT)
sa.sin6_addr.s6_words[j*2] &= mask6.sin6_addr.s6_words[j*2] ;
sa.sin6_addr.s6_words[j*2+1] &= mask6.sin6_addr.s6_words[j*2+1] ;
#elif SOLARIS2
sa.sin6_addr._S6_un._S6_u32[j] &= mask6.sin6_addr._S6_un._S6_u32[j];
#else
@@ -421,7 +437,7 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
*/
static int msre_op_ipmatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
const char *errptr = NULL;
int erroffset;
int erroffset=0;
struct in_addr addr;
struct sockaddr_in6 sa;
unsigned long ipaddr;
@@ -472,6 +488,9 @@ static int msre_op_ipmatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *v
#ifdef LINUX
if (((sa.sin6_addr.__in6_u.__u6_addr8[i] ^ ipdata->netaddr->sin6_addr.__in6_u.__u6_addr8[i]) &
ipdata->netaddr->sin6_addr.__in6_u.__u6_addr8[i]) == 0)
#elif defined(WIN32) || defined(WINNT)
if (((sa.sin6_addr.s6_addr[i] ^ ipdata->netaddr->sin6_addr.s6_addr[i]) &
ipdata->netaddr->sin6_addr.s6_addr[i]) == 0)
#elif SOLARIS2
if (((sa.sin6_addr._S6_un._S6_u8[i] ^ ipdata->netaddr->sin6_addr._S6_un._S6_u8[i]) &
ipdata->netaddr->sin6_addr._S6_un._S6_u8[i]) == 0)
@@ -488,12 +507,11 @@ static int msre_op_ipmatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *v
return 0;
}
#endif /* WIN32 | WINNT */
/* rsub */
static char *param_remove_escape(msre_rule *rule, char *str, int len) {
char *parm = apr_palloc(rule->ruleset->mp, len);;
char *parm = apr_palloc(rule->ruleset->mp, len);
char *ret = parm;
for(;*str!='\0';str++) {
@@ -525,7 +543,7 @@ static char *param_remove_escape(msre_rule *rule, char *str, int len) {
*/
static int msre_op_rsub_param_init(msre_rule *rule, char **error_msg) {
const char *errptr = NULL;
int erroffset;
int erroffset = 0;
ap_regex_t *regex;
const char *pattern = NULL;
const char *line = NULL;
@@ -1387,7 +1405,6 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
const char *match = NULL;
unsigned int match_length;
unsigned int canon_length;
unsigned int base_length;
int rv, i, ret;
char *data = NULL;
unsigned int size = var->value_len;
@@ -3728,14 +3745,12 @@ void msre_engine_register_default_operators(msre_engine *engine) {
msre_op_nomatch_execute
);
#if !defined(WIN32) || !defined(WINNT)
/* ipmatch */
msre_engine_op_register(engine,
"ipmatch",
msre_op_ipmatch_param_init,
msre_op_ipmatch_execute
);
#endif /* WIN32 | WINNT */
/* rsub */
msre_engine_op_register(engine,