github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-13 13:26:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fixed inspectFile operator does not pass FILES_TMPNAMES

Browse Source 
pass FILES_TMPNAMES variable to lua engine Fixed Lua engine
should also be aware of the variable and pass it to the target
lua script main function
This commit is contained in:
root 2019-11-09 06:36:34 +03:00 committed by Felipe Zimmerle
parent 05e9e7cf31
commit 6624a18a4e
No known key found for this signature in database
GPG Key ID: E6DFB08CE8B11277
4 changed files with 16 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@ -1,6 +1,9 @@
v3.0.4 - YYYY-MMM-DD (to be released)
-------------------------------------
- Fix: ModSecurity 3.x inspectFile operator does not pass
FILES_TMPNAMES parameter to lua engine
[Issue #2204, #2205 - @kadirerdogan]
- XML: Remove error messages from stderr
[Issue #2010 - @JaiHarpalani, @zimmerle]
- Filter comment or blank line for pmFromFile operator

13
src/engine/lua.cc
View File

@ -121,7 +121,8 @@ const char *Lua::blob_reader(lua_State *L, void *ud, size_t *size) {
}
#endif
int Lua::run(Transaction *t) {
int Lua::run(Transaction *t, const std::string &str) {
#ifdef WITH_LUA
std::string luaRet;
const char *a = NULL;
@ -184,7 +185,15 @@ int Lua::run(Transaction *t) {
lua_setglobal(L, "modsec");
lua_getglobal(L, "main");
if (lua_pcall(L, 0, 1, 0)) {
ms_dbg_a(t, 1, str);
/* Put the parameter on the stack. */
if (!str.empty() ) {
lua_pushlstring(L, str.c_str(), str.length());
}
if (lua_pcall(L, ((!str.empty()) ? 1 : 0), 1, 0)) {
std::string e;
const char *luaerr = lua_tostring(L, -1);
e.assign("Failed to execute lua script: " + m_scriptName + " (main)");

2
src/engine/lua.h
View File

@ -69,7 +69,7 @@ class Lua {
Lua() { }
bool load(std::string script, std::string *err);
int run(Transaction *t);
int run(Transaction *t, const std::string &str="");
static bool isCompatible(std::string script, Lua *l, std::string *error);
#ifdef WITH_LUA

2
src/operators/inspect_file.cc
View File

@ -51,7 +51,7 @@ bool InspectFile::init(const std::string &param2, std::string *error) {
bool InspectFile::evaluate(Transaction *transaction, const std::string &str) {
if (m_isScript) {
return m_lua.run(transaction);
return m_lua.run(transaction, str);
} else {
FILE *in;
char buff[512];