Improvements, bug fixes and cleanup from Tom Donavan

2025-08-16 07:56:12 +03:00 · 2011-04-02 23:10:16 +00:00 · 2011-04-02 23:10:16 +00:00 · 6031e7fdae
commit 6031e7fdae
parent f0d6a06a95
11 changed files with 274 additions and 200 deletions
--- a/README_WINDOWS.TXT
+++ b/README_WINDOWS.TXT
@ -1,181 +1,191 @@
-============================================================
+=====================================================================
-Build notes for Windows from Tom Donovan
+MOD_SECURITY 2.6  Command-line Build notes for Windows       4/2/2011
-============================================================
+=====================================================================
 These are the raw build notes from Tom Donovan for building
 ModSecurity 2.5.12 with Apache httpd 2.2.14 on Windows. Some
 day these should be incorporated into the official docs, but
 there has not yet been time, so they are included here in 
 their raw format for now.
 ============================================================
-I build Apache 2.2.14 from source in C:\work\httpd-2.2.14
+PREREQUISITES:
 I have a VC9 build of Apache 2.2.14 installed in C:\Apache2214
-My PATH includes VC9 and CMAKE 2.6
+    Microsoft Visual Studio C++                                                     tested with Visual Studio 2008 (aka VC9)
-BEFORE BUILDING - if OpenSSL and Zlib support is desired in LIBXML2 and CURL
+    CMake build system from:   http://www.cmake.org/                                tested with CMake v2.8.0
-    REM ####   set an env variable to my Apache build directory
+    Apache 2.2.x  from:        http://httpd.apache.org/                             tested with Apache 2.2.17
-    SET HTTPD_BUILD=C:\work\httpd-2.2.14
+        Apache must be built from source using the same Visual Studio compiler as mod_security.
-    REM  ####   ensure that CURL and LIBXML2 can find the OpenSSL and Zlib includes and libraries that Apache was built with
+    PCRE  Perl Compatible Regular Expression library from: http://www.pcre.org/     tested with PCRE v8.12
    SET INCLUDE=%INCLUDE%;%HTTPD_BUILD%\srclib\openssl\inc32;%HTTPD_BUILD%\srclib\zlib
    SET LIB=%LIB%;%HTTPD_BUILD%\srclib\openssl\out32dll;%HTTPD_BUILD%\srclib\zlib
-    REM  ####   ensure that CURL doesn't use the static zlib library: zlib.lib. Force it to use zdll.lib instead, which points to zlib1.dll
+    LibXML2 from: http://xmlsoft.org/                       tested with LibXML2 v2.7.7
-    IF EXIST %HTTPD_BUILD%\srclib\zlib\zlib.lib  DEL %HTTPD_BUILD%\srclib\zlib\zlib.lib
+        Note that LibXML2 v2.7.8 does not build correctly for Windows
-BUILD PCRE-7.9
+    Lua Scripting Language from:  http://www.lua.org/       tested with Lua v5.1.4
-    Downloaded pcre-7.9.tar.gz     from ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
+    cURL multiprotocol file transfer library from: http://curl.haxx.se/             tested with cURL v7.21.4
    untar'd into C:\work\  creating C:\work\pcre-7.9
-    CD C:\work\pcre-7.9
+
 BEFORE BUILDING
 The directory where you build software from source ( C:\work in this exmaple)
 must contain the Apache source you used to build the Apache web serverand the mod_security source
    Apache source is in             C:\work\httpd-2.2.17    in this example.
    Apache has been installed to    C:\Apache2217           in this example.
    Mod_security source is in       C:\work\mod_security    in this example.
 Download and untar the prerequite library sources:
    Download pcre-8.12.tar.gz     from ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
    untar it into C:\work\  creating C:\work\pcre-8.12
    Download libxml2-2.7.7.tar.gz    from ftp://xmlsoft.org/libxml2/
    untar it into C:\work\ creating C:\work\libxml2-2.7.7
    Download lua-5.1.4.tar.gz from http://www.lua.org/ftp/
    untar it into C:\work\ creating C:\work\lua-5.1.4
    Download curl-7.21.4.tar.gz from http://curl.haxx.se/download.html
    untar it into C:\work\ creating C:\work\curl-7.21.4
 Setup your build environment:
    The PATH environment variable must include the Visual Studio variables as set by vsvars32.bat
    The PATH environment variable must also include the CMAKE bin\ directory
    Set an environment variable to the Apache source code directory:
        SET HTTPD_BUILD=C:\work\httpd-2.2.17
    If OpenSSL and Zlib support were included when you built Apache 2.2, and you want them available to LIBXML2 and CURL
        Ensure that cURL and libXML2 can find the OpenSSL and Zlib includes and libraries that Apache was built with.
            SET INCLUDE=%INCLUDE%;%HTTPD_BUILD%\srclib\openssl\inc32;%HTTPD_BUILD%\srclib\zlib
            SET LIB=%LIB%;%HTTPD_BUILD%\srclib\openssl\out32dll;%HTTPD_BUILD%\srclib\zlib
        Ensure that cURL and libXML2 don't use the static zlib library: zlib.lib.
        Force cURL and libXML2 to use zdll.lib instead, requiring zlib1.dll at runtime:
            IF EXIST %HTTPD_BUILD%\srclib\zlib\zlib.lib  DEL %HTTPD_BUILD%\srclib\zlib\zlib.lib
 BUILD PCRE-8.12
    CD C:\work\pcre-8.12
    CMAKE   -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=True
    NMAKE
-BUILD LIBXML2-2.7.6
+BUILD LIBXML2-2.7.7  (note: the more recent version: 2.7.8 does not build correctly on Windows)
-    Downloaded libxml2-2.7.6.tar.gz    from ftp://xmlsoft.org/libxml2/
+    CD C:\work\libxml2-2.7.7\win32
    untar'd into C:\work\ creating C:\work\libxml2-2.7.6
    CD C:\work\libxml2-2.7.6\win32
    CSCRIPT configure.js iconv=no vcmanifest=yes zlib=yes
    NMAKE -f Makefile.msvc
 BUILD LUA-5.1.4
    Downloaded lua-5.1.4.tar.gz from http://www.lua.org/ftp/
    untar'd into C:\work\ creating C:\work\lua-5.1.4
    CD C:\work\lua-5.1.4\src
    CL /Ox /arch:SSE2 /GF /GL /Gy /FD /EHsc /MD  /Zi /TC /wd4005 /D "_MBCS" /D "LUA_CORE" /D "LUA_BUILD_AS_DLL" /D "_CRT_SECURE_NO_WARNINGS" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_WIN32" /D "_WINDLL" /c *.c
    DEL lua.obj luac.obj
    LINK /DLL /LTCG /DEBUG /OUT:lua5.1.dll *.obj
    IF EXIST lua5.1.dll.manifest MT  -manifest lua5.1.dll.manifest -outputresource:lua5.1.dll;2
-BUILD CURL-7.20.0
+BUILD CURL-7.21.4
    Downloaded curl-7.20.0.tar.gz from http://curl.haxx.se/download.html
    untar'd into C:\work\ creating C:\work\curl-7.20.0
    CD C:\work\curl-7.20.0
    *** Fixed Bug:    https://sourceforge.net/tracker/?func=detail&aid=2951269&group_id=976&atid=100976   ***
    Edited the file  include\curl\curlbuild.h.cmake   near line 160 - put double-quotes around all CURL_FORMAT*  values.
        e.g.  change:   ${CURL_FORMAT_CURL_OFF_T}   to:   "${CURL_FORMAT_CURL_OFF_T}"
                /* curl_off_t formatting string directive without "%" conversion specifier. */
                #cmakedefine CURL_FORMAT_CURL_OFF_T "${CURL_FORMAT_CURL_OFF_T}"
                /* unsigned curl_off_t formatting string without "%" conversion specifier. */
                #cmakedefine CURL_FORMAT_CURL_OFF_TU "${CURL_FORMAT_CURL_OFF_TU}"
                /* curl_off_t formatting string directive with "%" conversion specifier. */
                #cmakedefine CURL_FORMAT_OFF_T "${CURL_FORMAT_OFF_T}"
    CD C:\work\curl-7.21.4
    CMAKE   -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=True -DCURL_ZLIB=True
    NMAKE
-BUILD MOD_SECURITY-2.5.12
+BUILD MOD_SECURITY-2.6
-    Edited the top of C:\work\mod_security-2.5.12\apache2\Makefile.win and set my local paths
+    CD C:\work\mod_security\apache2
-    (note that pcre.lib is not in $(PCRE)\LibR as it is in the original Makefile.win )
+    NMAKE -f Makefile.win APACHE=C:\Apache2217 PCRE=C:\work\pcre-8.12 LIBXML2=C:\work\libxml2-2.7.7 LUA=C:\work\lua-5.1.4\src
-            # Path to Apache httpd installation
+INSTALL MOD_SECURITY AND RUN APACHE
            BASE = C:\Apache2214
-            # Paths to required libraries
+Copy these five files to C:\Apache2217\bin:
-            LIBXML2 = C:\work\libxml2-2.7.6
+    C:\work\pcre-8.12\pcre.dll C:\Apache2217\bin\
-            LUA = C:\work\lua-5.1.4\src
+    C:\work\lua-5.1.4\src\lua5.1.dll C:\Apache2217\bin\
-            PCRE = C:\work\pcre-7.9
+    C:\work\libxml2-2.7.7\win32\bin.msvc\libxml2.dll  C:\Apache2217\bin\
    C:\work\curl-7.21.4\libcurl.dll  C:\Apache2217\bin\
    C:\work\mod_security\apache2\mlogc-src\mlogc.exe
-            # Linking libraries
+Copy this one file to C:\Apache2217\modules:
            LIBS = $(BASE)\lib\libhttpd.lib \
                   $(BASE)\lib\libapr-1.lib \
                   $(BASE)\lib\libaprutil-1.lib \
                   $(PCRE)\pcre.lib \
                   $(LIBXML2)\win32\bin.msvc\libxml2.lib \
                   $(LUA)\lua5.1.lib \
                   wsock32.lib
-    CD C:\work\mod_security-2.5.12\apache2
+    C:\work\mod_security\apache2\mod_security2.so
    NMAKE -f Makefile.win
-BUILD MOD_SECURITY-2.5.12 MLOGC program
+You may also copy C:\work\curl-7.21.4\curl.exe to C:\Apache2217\bin, if you want to use the cURL command-line program.
-    Edited the top of C:\work\mod_security-2.5.12\apache2\mlogc-src\Makefile.win and set my local paths
+Download the core rules from http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/
 and unzip them into C:\Apache2217\conf\modsecurity_crs
-            # Path to Apache httpd installation
+Add configuration directives to your Apache conf\httpd.conf:
            BASE = C:\Apache2214
-            # Paths to required libraries
+    # mod_security requires mod_unique_id
-            PCRE = C:\work\pcre-7.9
+    LoadModule unique_id_module modules/mod_unique_id.so
            CURL = C:\work\curl-7.20.0
-            # Linking libraries
+    # mod_security
-            LIBS = $(BASE)\lib\libapr-1.lib \
+    LoadModule security2_module  modules/mod_security2.so
-                   $(BASE)\lib\libaprutil-1.lib \
+    <IfModule security2_module>
-                   $(PCRE)\pcre.lib \
+        SecRuleEngine On
-                   $(CURL)\libcurl_imp.lib \
+        SecDataDir   logs
-                   wsock32.lib
+        Include conf/modsecurity_crs/*.conf
        Include conf/modsecurity_crs/base_rules/*.conf
        SecAuditEngine RelevantOnly
        SecAuditLogRelevantStatus "^(?:5|4\d[^4])"
        SecAuditLogType Serial
        SecAuditLogParts ABCDEFGHZ
        SecAuditLog logs/modsecurity.log
    </IfModule>
-    CD  C:\work\mod_security-2.5.12\apache2\mlogc-src
+==============================================================================================
-    NMAKE -f Makefile.win
+OPTIONAL:   BUILD AND CONFIGURE THE MOD_SECURITY-2.6 MLOGC piped-logging program
-INSTALL AND RUN
+Edit the top of C:\work\mod_security\apache2\mlogc-src\Makefile.win and set your local paths
-    Copied these five files to C:\Apache2214\bin:
+        # Path to Apache httpd installation
-        C:\work\pcre-7.9\pcre.dll
+        BASE = C:\Apache2217
        C:\work\lua-5.1.4\src\lua5.1.dll
        C:\work\libxml2-2.7.6\win32\bin.msvc\libxml2.dll
        C:\work\curl-7.20.0\libcurl.dll
        C:\work\mod_security-2.5.12\apache2\mlogc-src\mlogc.exe
-    Copied this one file to C:\Apache2214\modules:
+        # Paths to required libraries
        PCRE = C:\work\pcre-8.12
        CURL = C:\work\curl-7.21.4
-        C:\work\mod_security-2.5.12\apache2\mod_security2.so
+        # Linking libraries
        LIBS = $(BASE)\lib\libapr-1.lib \
               $(BASE)\lib\libaprutil-1.lib \
               $(PCRE)\pcre.lib \
               $(CURL)\libcurl_imp.lib \
               wsock32.lib
-    You could also copy C:\work\curl-7.20.0\\curl.exe to C:\Apache2214\bin, if you want to use the cURL command-line.
+Build the mlogc.exe program:
-    Downloaded the core rules from http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/
+        CD  C:\work\mod_security_trunk\mlogc
-    and unzipped them in C:\Apache2214\conf\modsecurity_crs
+        NMAKE -f Makefile.win
-    Added this to my conf\httpd.conf:
+Copy mlocg.exe to C:\Apache2217\bin\
-        LoadModule unique_id_module modules/mod_unique_id.so
+Create a new command file C:\Apache2217\bin\mlogc.bat with one line:
        LoadModule security2_module  modules/mod_security2.so
        <IfModule security2_module>
            Include conf/modsecurity_crs/*.conf
            Include conf/modsecurity_crs/base_rules/*.conf
            SecDataDir   logs
            SecAuditEngine RelevantOnly
            SecAuditLogRelevantStatus "^(?:5|4\d[^4])"
            SecAuditLogType Concurrent
            SecAuditLogParts ABCDEFGHZ
            SecAuditLogStorageDir logs/data/
            SecAuditLog "|bin/mlogc.exe"
        </IfModule>
-    My conf\mlogc.conf has this:
+        C:\Apache2217\bin\mlogc.exe C:\Apache2217\conf\mlogc.conf
        CollectorRoot       "C:/Apache2214/logs"
        ConsoleURI          "https://localhost:8888/rpc/auditLogReceiver"
        SensorUsername      "test"
        SensorPassword      "testtest"
        LogStorageDir       "data"
        TransactionLog      "mlogc-transaction.log"
        QueuePath           "mlogc-queue.log"
        ErrorLog            "mlogc-error.log"
        LockFile            "mlogc.lck"
        KeepEntries         0
        ErrorLogLevel       2
        MaxConnections      10
        MaxWorkerRequests   1000
        TransactionDelay    50
        StartupDelay        5000
        CheckpointInterval  15
        ServerErrorTimeout  60
 Create a new configuration file C:\Apache2217\conf\mlogc.conf to control the piped-logging program mlogc.exe.
 Here is an example conf\mlogc.conf:
-Mod_security appears to work OK with the "ModSecurity Community Console".
+    CollectorRoot       "C:/Apache2217/logs"
    ConsoleURI          "https://localhost:8888/rpc/auditLogReceiver"
    SensorUsername      "test"
    SensorPassword      "testtest"
    LogStorageDir       "data"
    TransactionLog      "mlogc-transaction.log"
    QueuePath           "mlogc-queue.log"
    ErrorLog            "mlogc-error.log"
    LockFile            "mlogc.lck"
    KeepEntries         0
    ErrorLogLevel       2
    MaxConnections      10
    MaxWorkerRequests   1000
    TransactionDelay    50
    StartupDelay        5000
    CheckpointInterval  15
    ServerErrorTimeout  60
 Change the SecAuditLog directive in conf\httpd.conf to pipe the log data to mlogc
 instead of writing them to a file:
    SecAuditLog |C:/Apache2217/bin/mlogc.bat
--- a/apache2/Makefile.win
+++ b/apache2/Makefile.win
@ -1,51 +1,51 @@
 ###########################################################################
-### You Will need to modify the following variables for your system
+#
-###########################################################################
+# Usage:   NMAKE -f Makefile.win APACHE={httpd installion dir}  PCRE={pcre dir} LIBXML2={LibXML2 dir} [   LUA={Lua dir} ]
-###########################################################################
+#
-
+!IF "$(APACHE)" == "" || "$(PCRE)" == "" || "$(LIBXML2)" == ""
-# Path to Apache httpd installation
+!ERROR NMAKE arguments: APACHE=dir PCRE=dir LIBXML2=dir are required to build mod_security2 for Windows
-BASE = C:\Apache2
+!ENDIF
 # Paths to required libraries
 LIBXML2 = C:\work\libxml2-2.6.31
 LUA = C:\work\lua-5.1.3
 PCRE = C:\work\httpd-2.2.8\srclib\pcre
 # Linking libraries
-LIBS = $(BASE)\lib\libhttpd.lib \
+LIBS = $(APACHE)\lib\libhttpd.lib \
-       $(BASE)\lib\libapr-1.lib \
+       $(APACHE)\lib\libapr-1.lib \
-       $(BASE)\lib\libaprutil-1.lib \
+       $(APACHE)\lib\libaprutil-1.lib \
-       $(PCRE)\LibR\pcre.lib \
+       $(PCRE)\pcre.lib \
       $(LIBXML2)\win32\bin.msvc\libxml2.lib \
-       $(LUA)\lua5.1.lib \
+       Ws2_32.lib
       wsock32.lib
 ###########################################################################
 ###########################################################################
-CC = cL
+CC = CL
 MT = mt
-DEFS = /nologo /O2 /LD /W3 /wd4244 -DWIN32 -DWINNT -Dinline=APR_INLINE
+DEFS = /nologo /O2 /LD /W3 /wd4244 /wd4018 -DWIN32 -DWINNT -Dinline=APR_INLINE
 DLL = mod_security2.so
-INCLUDES = -I. \
+INCLUDES = -I. -I.. \
           -I$(PCRE)\include -I$(PCRE) \
           -I$(LIBXML2)\include \
-           -I$(LUA)\include -I$(LUA) \
+           -I$(APACHE)\include
-           -I$(BASE)\include 
+
 # Lua is optional
 !IF "$(LUA)" != ""
 LIBS = $(LIBS) $(LUA)\lua5.1.lib
 DEFS=$(DEFS) -DWITH_LUA
 INCLUDES = $(INCLUDES) -I$(LUA)\include -I$(LUA) \
 !ENDIF
 CFLAGS= -MD $(INCLUDES) $(DEFS)
-LDFLAGS = 
+LDFLAGS =
 OBJS = mod_security2.obj apache2_config.obj apache2_io.obj apache2_util.obj \
       re.obj re_operators.obj re_actions.obj re_tfns.obj re_variables.obj \
       msc_logging.obj msc_xml.obj msc_multipart.obj modsecurity.obj \
       msc_parsers.obj msc_util.obj msc_pcre.obj persist_dbm.obj \
-       msc_reqbody.obj pdf_protect.obj msc_geo.obj msc_gsb.obj acmp.obj msc_lua.obj \
+       msc_reqbody.obj msc_geo.obj msc_gsb.obj acmp.obj msc_lua.obj \
       msc_release.obj
 all: $(DLL)
@ -53,21 +53,20 @@ all: $(DLL)
 dll: $(DLL)
 mod_security2_config.h: mod_security2_config.hw
-	@echo off
+        @type mod_security2_config.hw > mod_security2_config.h
 	type mod_security2_config.hw > mod_security2_config.h
 .c.obj:
-	$(CC) $(CFLAGS) -c $< -Fo$@
+        $(CC) $(CFLAGS) -c $< -Fo$@
 .cpp.obj:
-	$(CC) $(CFLAGS) -c $< -Fo$@
+        $(CC) $(CFLAGS) -c $< -Fo$@
 $(DLL): mod_security2_config.h $(OBJS)
-	$(CC) $(CFLAGS) $(LDFLAGS) -LD $(OBJS) -Fe$(DLL) $(LIBS) /link
+        $(CC) $(CFLAGS) $(LDFLAGS) -LD $(OBJS) -Fe$(DLL) $(LIBS) /link
-	IF EXIST $(DLL).manifest $(MT) -manifest $(DLL).manifest -outputresource:$(DLL);2
+        IF EXIST $(DLL).manifest $(MT) -manifest $(DLL).manifest -outputresource:$(DLL);2
 install: $(DLL)
-	copy $(DLL) $(BASE)\modules
+        copy /Y $(DLL) $(APACHE)\modules
 clean:
-	del $(OBJS) $(DLL) *.dll *.lib *.pdb *.idb *.ilk *.exp *.res *.rc *.bin mod_security2_config.h *.manifest
+        del $(OBJS) $(DLL) *.dll *.lib *.pdb *.idb *.ilk *.exp *.res *.rc *.bin mod_security2_config.h *.manifest
--- a/apache2/msc_geo.c
+++ b/apache2/msc_geo.c
@ -205,10 +205,6 @@ static int db_open(directory_config *dcfg, char **error_msg)
    apr_pool_t *mp = dcfg->mp;
    geo_db *geo = dcfg->geo;
    apr_status_t rc;
    apr_size_t nbytes;
    apr_off_t offset;
    unsigned char buf[3];
    int i, j;
    #ifdef DEBUG_CONF
    fprintf(stderr, "GEO: Initializing geo DB \"%s\".\n", geo->dbfn);
@ -280,9 +276,6 @@ int geo_lookup(modsec_rec *msr, geo_rec *georec, const char *target, char **erro
    int level;
    double dtmp;
    int itmp;
    const unsigned char * p;
    unsigned int x;
    int j;
    *error_msg = NULL;
--- a/apache2/msc_logging.c
+++ b/apache2/msc_logging.c
@ -1120,13 +1120,13 @@ void sec_audit_logger(modsec_rec *msr) {
    /* AUDITLOG_PART_UPLOADS */
    if ((strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_UPLOADS) != NULL) && (msr->mpd != NULL)) {
        text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_UPLOADS);
        sec_auditlog_write(msr, text, strlen(text));
        multipart_part **parts = NULL;
        unsigned int total_size = 0;
        int cfiles = 0;
        text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_UPLOADS);
        sec_auditlog_write(msr, text, strlen(text));
        parts = (multipart_part **)msr->mpd->parts->elts;
        for(cfiles = 0; cfiles < msr->mpd->parts->nelts; cfiles++) {
            if (parts[cfiles]->type == MULTIPART_FILE) {
--- a/apache2/msc_logging.h
+++ b/apache2/msc_logging.h
@ -38,6 +38,7 @@
 #define AUDITLOG_PART_ENDMARKER             'Z'
 #include "modsecurity.h"
 #include "apr_pools.h"
 int DSOLOCAL is_valid_parts_specification(char *p);
@ -47,4 +48,6 @@ char DSOLOCAL *construct_log_vcombinedus_limited(modsec_rec *msr, int _limit, in
 void DSOLOCAL sec_audit_logger(modsec_rec *msr);
 void DSOLOCAL version(apr_pool_t *mp);
 #endif
--- a/apache2/msc_lua.h
+++ b/apache2/msc_lua.h
@ -42,6 +42,8 @@ char DSOLOCAL *lua_compile(msc_script **script, const char *filename, apr_pool_t
 int DSOLOCAL lua_execute(msc_script *script, char *param, modsec_rec *msr, msre_rule *rule, char **error_msg);
 apr_status_t DSOLOCAL  msre_action_setvar_execute(modsec_rec *r, apr_pool_t *, msre_rule *, char *, char *);
 #endif
 #endif /* WITH_LUA */
--- a/apache2/msc_util.c
+++ b/apache2/msc_util.c
@ -69,6 +69,37 @@ static const short b64_reverse_t[256] = {
  -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2
 };
 #if defined(WIN32) || defined(WINNT)
 /* Windows does not have inet_aton */
 int inet_aton(const char *cp, struct in_addr *inp) {
    inp->s_addr = inet_addr(cp);
    return (inp->s_addr == 0);
 }
 /* Windows versions before Vista do not have inet_pton */
 #if  !defined(NTDDI_VERSION) || NTDDI_VERSION < NTDDI_VISTA
 int inet_pton(int family, const char *cp, struct in6_addr *addr) {
    struct addrinfo hints;
    PADDRINFOA ppResult;
    ZeroMemory( &hints, sizeof(hints) );
    hints.ai_flags = AI_NUMERICHOST;
    hints.ai_family = AF_INET6;
    if (getaddrinfo(cp, NULL, &hints, &ppResult) == 0) {
        while (ppResult) {
            if (ppResult->ai_family == AF_INET6) {
                memcpy(addr, ppResult->ai_addr, ppResult->ai_addrlen);
                return 1;
            }
            ppResult = ppResult->ai_next;
        }
    }
    return -1;
 }
 #endif /* NTDDI_VERSION */
 #endif /* WIN32 || WINNT */
 /* \brief Remove escape char
 *
 * \param mptmp Pointer to the pool
@ -78,7 +109,7 @@ static const short b64_reverse_t[256] = {
 * \retval string On Success
 */
 char *remove_escape(apr_pool_t *mptmp, const char *input, int input_len)  {
-    char *parm = apr_palloc(mptmp, input_len);;
+    char *parm = apr_palloc(mptmp, input_len);
    char *ret = parm;
    int len = input_len;
@ -204,7 +235,6 @@ int convert_to_int(const char c)
 int set_match_to_tx(modsec_rec *msr, int capture, const char *match, int tx_n)  {
    if (capture) {
        int i;
        msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
        if (s == NULL) return -1;
--- a/apache2/msc_util.h
+++ b/apache2/msc_util.h
@ -120,4 +120,13 @@ char DSOLOCAL *construct_single_var(modsec_rec *msr, char *name);
 char DSOLOCAL *format_all_performance_variables(modsec_rec *msr, apr_pool_t *mp);
 #if defined(WIN32) || defined(WINNT)
 int DSOLOCAL inet_pton(int family, const char *cp, struct in6_addr *addr);
 #if  !defined(NTDDI_VERSION) || NTDDI_VERSION < NTDDI_VISTA
 int DSLOCAL inet_aton(const char *cp, struct in_addr *inp);
 #endif /* NTDDI_VERSION */
 #endif /* WIN32 || WINNT */
 #endif
--- a/apache2/re.c
+++ b/apache2/re.c
@ -1993,9 +1993,11 @@ static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr,
        parm = strchr(msr->matched_var->name,':');
        if(parm)    {
            msc_string *mvar = NULL;
            parm++;
-            msc_string *mvar = apr_palloc(msr->mp, sizeof(msc_string));
+            mvar = apr_palloc(msr->mp, sizeof(msc_string));
            mvar->name = apr_pstrdup(msr->mp, parm);
            mvar->name_len = strlen(mvar->name);
            mvar->value = apr_pmemdup(msr->mp, var->value, var->value_len);
--- a/apache2/re_actions.c
+++ b/apache2/re_actions.c
@ -584,6 +584,10 @@ static apr_status_t msre_action_tag_execute(modsec_rec *msr, apr_pool_t *mptmp,
    msre_rule *rule, msre_action *action)
 {
    msc_string *var = NULL;
    msre_action *action = NULL;
    const apr_array_header_t *tarr = NULL;
    const apr_table_entry_t *telts = NULL;
    int act;
    var = apr_pcalloc(mptmp, sizeof(msc_string));
    if (var == NULL) return -1;
@ -591,9 +595,19 @@ static apr_status_t msre_action_tag_execute(modsec_rec *msr, apr_pool_t *mptmp,
    var->value_len = strlen(var->value);
    expand_macros(msr, var, rule, mptmp);
-    action->param = apr_pstrmemdup(msr->mp, var->value, var->value_len);
+    tarr = apr_table_elts(rule->actionset->actions);
    telts = (const apr_table_entry_t*)tarr->elts;
-    return 1;
+    for (act = 0; act < tarr->nelts; act++) {
        action = (msre_action *)telts[act].val;
        if((action != NULL) && (action->metadata != NULL) && (strcmp("tag", action->metadata->name) == 0))  {
            action->param = apr_pstrmemdup(msr->mp, var->value, var->value_len);
            return 1;
        }
    }
    return 0;
 }
 /* proxy */
@ -604,7 +618,7 @@ static char *msre_action_proxy_validate(msre_engine *engine, msre_action *action
 }
 static apr_status_t msre_action_proxy_init(msre_engine *engine, msre_actionset *actionset,
-    msre_action *action)
+        msre_action *action)
 {
    actionset->intercept_action = ACTION_PROXY;
    actionset->intercept_uri = action->param;
@ -613,7 +627,7 @@ static apr_status_t msre_action_proxy_init(msre_engine *engine, msre_actionset *
 }
 static apr_status_t msre_action_proxy_execute(modsec_rec *msr, apr_pool_t *mptmp,
-    msre_rule *rule, msre_action *action)
+        msre_rule *rule, msre_action *action)
 {
    msc_string *var = NULL;
@ -631,7 +645,7 @@ static apr_status_t msre_action_proxy_execute(modsec_rec *msr, apr_pool_t *mptmp
 /* pass */
 static apr_status_t msre_action_pass_init(msre_engine *engine, msre_actionset *actionset,
-    msre_action *action)
+        msre_action *action)
 {
    actionset->intercept_action = ACTION_NONE;
    actionset->intercept_action_rec = action;
@ -646,7 +660,7 @@ static char *msre_action_skip_validate(msre_engine *engine, msre_action *action)
 }
 static apr_status_t msre_action_skip_init(msre_engine *engine, msre_actionset *actionset,
-    msre_action *action)
+        msre_action *action)
 {
    actionset->skip_count = atoi(action->param);
    if (actionset->skip_count <= 0) actionset->skip_count = 1;
@ -661,7 +675,7 @@ static char *msre_action_skipAfter_validate(msre_engine *engine, msre_action *ac
 }
 static apr_status_t msre_action_skipAfter_init(msre_engine *engine, msre_actionset *actionset,
-    msre_action *action)
+        msre_action *action)
 {
    actionset->skip_after = action->param;
    return 1;
@ -1149,9 +1163,7 @@ static apr_status_t msre_action_sanitizeMatched_execute(modsec_rec *msr, apr_poo
    const char *sargname = NULL;
    const apr_array_header_t *tarr;
    const apr_table_entry_t *telts;
-    const apr_array_header_t *tarr_pattern;
+    int i, type = 0;
    const apr_table_entry_t *telts_pattern;
    int i, type = 0, k;
    msc_string *mvar = msr->matched_var;
    if (mvar->name_len == 0) return 0;
@ -2626,10 +2638,9 @@ void msre_engine_register_default_actions(msre_engine *engine) {
    );
    /* tag */
    /* ENH: This should be ACTION_METADATA??? */
    msre_engine_action_register(engine,
        "tag",
-        ACTION_NON_DISRUPTIVE,
+        ACTION_METADATA,
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_MANY,
--- a/apache2/re_operators.c
+++ b/apache2/re_operators.c
@ -18,13 +18,10 @@
 #include "apr_lib.h"
 #include "apr_strmatch.h"
 #include "acmp.h"
-#if defined(WIN32) || defined(WINNT)
+#if !defined(WIN32) && !defined(WINNT)
 #include "pcre.h"
 #else
 #include <regex.h>
 #endif
 #define PARSE_REGEX_IP "([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)(?:(\\/[0-9]+))?|([0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+\\:[0-9a-f]+)(?:(\\/[0-9]+))?"
 #define MAX_SUBSTRINGS 30
@ -79,7 +76,6 @@ static int msre_op_nomatch_execute(modsec_rec *msr, msre_rule *rule,
 /* ipmatch */
 #if !defined(WIN32) || !defined(WINNT)
 /*
 * \brief Init function to ipmatch operator
 *
@ -91,7 +87,7 @@ static int msre_op_nomatch_execute(modsec_rec *msr, msre_rule *rule,
 */
 static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
    const char *errptr = NULL;
-    int erroffset;
+    int erroffset = 0;
    char *data = NULL;
    const char *str = NULL;
    char *saved = NULL;
@ -207,6 +203,8 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
                        while (maskbits >= 8) {
 #ifdef LINUX
                            mask6.sin6_addr.__in6_u.__u6_addr8[j++] = 0xff;
 #elif defined(WIN32) || defined(WINNT)
                            mask6.sin6_addr.s6_addr[j++] = 0xff;
 #elif SOLARIS2
                            mask6.sin6_addr._S6_un._S6_u8[j++] = 0xff;
 #else
@ -219,6 +217,9 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
 #ifdef LINUX
                            mask6.sin6_addr.__in6_u.__u6_addr8[j] >>= 1;
                            mask6.sin6_addr.__in6_u.__u6_addr8[j] |= 0x80;
 #elif defined(WIN32) || defined(WINNT)
                            mask6.sin6_addr.s6_addr[j] >>= 1;
                            mask6.sin6_addr.s6_addr[j] |= 0x80;
 #elif SOLARIS2
                            mask6.sin6_addr._S6_un._S6_u8[j] >>= 1;
                            mask6.sin6_addr._S6_un._S6_u8[j] |= 0x80;
@ -233,6 +234,8 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
                       while (j < 16) {
 #ifdef LINUX
                            mask6.sin6_addr.__in6_u.__u6_addr8[j++] = 0;
 #elif defined(WIN32) || defined(WINNT)
                            mask6.sin6_addr.s6_addr[j++] = 0;
 #elif SOLARIS2
                            mask6.sin6_addr._S6_un._S6_u8[j++] = 0;
 #else
@ -243,6 +246,9 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
                        for (j = 0; j < 4; j++) {
 #ifdef LINUX
                            sa.sin6_addr.__in6_u.__u6_addr32[j]  &= mask6.sin6_addr.__in6_u.__u6_addr32[j];
 #elif defined(WIN32) || defined(WINNT)
                            sa.sin6_addr.s6_words[j*2]  &= mask6.sin6_addr.s6_words[j*2] ;
                            sa.sin6_addr.s6_words[j*2+1]  &= mask6.sin6_addr.s6_words[j*2+1] ;
 #elif SOLARIS2
                            sa.sin6_addr._S6_un.u6__S6_u32[j]  &= mask6.sin6_addr._S6_un._S6_u32[j];
 #else
@ -286,6 +292,8 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
                            while (maskbits >= 8) {
 #ifdef LINUX
                                mask6.sin6_addr.__in6_u.__u6_addr8[j++] = 0xff;
 #elif defined(WIN32) || defined(WINNT)
                                mask6.sin6_addr.s6_addr[j++] = 0xff;
 #elif SOLARIS2
                                mask6.sin6_addr._S6_un._S6_u8[j++] = 0xff;
 #else
@ -297,6 +305,9 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
 #ifdef LINUX
                                mask6.sin6_addr.__in6_u.__u6_addr8[j] >>= 1;
                                mask6.sin6_addr.__in6_u.__u6_addr8[j] |= 0x80;
 #elif defined(WIN32) || defined(WINNT)
                                mask6.sin6_addr.s6_addr[j] >>= 1;
                                mask6.sin6_addr.s6_addr[j] |= 0x80;
 #elif SOLARIS2
                                mask6.sin6_addr._S6_un._S6_u8[j] >>= 1;
                                mask6.sin6_addr._S6_un._S6_u8[j] |= 0x80;
@ -311,6 +322,8 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
                           while (j < 16) {
 #ifdef LINUX
                                mask6.sin6_addr.__in6_u.__u6_addr8[j++] = 0;
 #elif defined(WIN32) || defined(WINNT)
                                mask6.sin6_addr.s6_addr[j++] = 0;
 #elif SOLARIS2
                                mask6.sin6_addr._S6_un._S6_u8[j++] = 0;
 #else
@ -322,6 +335,9 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
                            for (j = 0; j < 4; j++) {
 #ifdef LINUX
                                sa.sin6_addr.__in6_u.__u6_addr32[j]  &= mask6.sin6_addr.__in6_u.__u6_addr32[j];
 #elif defined(WIN32) || defined(WINNT)
                                sa.sin6_addr.s6_words[j*2]  &= mask6.sin6_addr.s6_words[j*2] ;
                                sa.sin6_addr.s6_words[j*2+1]  &= mask6.sin6_addr.s6_words[j*2+1] ;
 #elif SOLARIS2
                                sa.sin6_addr._S6_un._S6_u32[j]  &= mask6.sin6_addr._S6_un._S6_u32[j];
 #else
@ -421,7 +437,7 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
 */
 static int msre_op_ipmatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
    const char *errptr = NULL;
-    int erroffset;
+    int erroffset=0;
    struct in_addr addr;
    struct sockaddr_in6 sa;
    unsigned long ipaddr;
@ -472,6 +488,9 @@ static int msre_op_ipmatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *v
 #ifdef LINUX
                    if (((sa.sin6_addr.__in6_u.__u6_addr8[i] ^ ipdata->netaddr->sin6_addr.__in6_u.__u6_addr8[i]) &
                                ipdata->netaddr->sin6_addr.__in6_u.__u6_addr8[i]) == 0)
 #elif defined(WIN32) || defined(WINNT)
                    if (((sa.sin6_addr.s6_addr[i] ^ ipdata->netaddr->sin6_addr.s6_addr[i]) &
                                ipdata->netaddr->sin6_addr.s6_addr[i]) == 0)
 #elif SOLARIS2
                    if (((sa.sin6_addr._S6_un._S6_u8[i] ^ ipdata->netaddr->sin6_addr._S6_un._S6_u8[i]) &
                                ipdata->netaddr->sin6_addr._S6_un._S6_u8[i]) == 0)
@ -488,12 +507,11 @@ static int msre_op_ipmatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *v
    return 0;
 }
 #endif /* WIN32 | WINNT */
 /* rsub */
 static char *param_remove_escape(msre_rule *rule, char *str, int len)  {
-    char *parm = apr_palloc(rule->ruleset->mp, len);;
+    char *parm = apr_palloc(rule->ruleset->mp, len);
    char *ret = parm;
    for(;*str!='\0';str++)    {
@ -525,7 +543,7 @@ static char *param_remove_escape(msre_rule *rule, char *str, int len)  {
 */
 static int msre_op_rsub_param_init(msre_rule *rule, char **error_msg) {
    const char *errptr = NULL;
-    int erroffset;
+    int erroffset = 0;
    ap_regex_t *regex;
    const char *pattern = NULL;
    const char *line = NULL;
@ -1387,7 +1405,6 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
    const char *match = NULL;
    unsigned int match_length;
    unsigned int canon_length;
    unsigned int base_length;
    int rv, i, ret;
    char *data = NULL;
    unsigned int size = var->value_len;
@ -3728,14 +3745,12 @@ void msre_engine_register_default_operators(msre_engine *engine) {
        msre_op_nomatch_execute
    );
 #if !defined(WIN32) || !defined(WINNT)
    /* ipmatch */
    msre_engine_op_register(engine,
        "ipmatch",
        msre_op_ipmatch_param_init,
        msre_op_ipmatch_execute
    );
 #endif /* WIN32 | WINNT */
    /* rsub */
    msre_engine_op_register(engine,