Added back support for HTTP_* targets by aliasing it to REQUEST_HEADERS:*.

Fixed the severity warning message to only be displayed at a warn log level.

CHANGES

@@ -1,3 +1,9 @@
+19 Mar 2008 - 2.5.1-breach1
+---------------------------
+
+ * Allow HTTP_* targets as an alias for REQUEST_HEADERS:*.
+
+
 14 Mar 2008 - 2.5.1
 -------------------
 

apache2/apache2_config.c

@@ -1129,10 +1129,11 @@ static const char *cmd_default_action(cmd_parms *cmd, void *_dcfg, const char *p
     if ((dcfg->tmp_default_actionset->severity != NOT_SET)
         ||(dcfg->tmp_default_actionset->logdata != NOT_SET_P))
     {
-        ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool,
+        ap_log_perror(APLOG_MARK,
-            "ModSecurity: WARNING SecDefaultAction \"%s\" should not "
+            APLOG_STARTUP|APLOG_WARNING|APLOG_NOERRNO, 0, cmd->pool,
-            "contain a severity or logdata action (%s:%d).",
+            "ModSecurity: WARNING Using \"severity\" or \"logdata\" in "
-            p1, cmd->directive->filename, cmd->directive->line_num);
+            "SecDefaultAction is deprecated (%s:%d).",
+            cmd->directive->filename, cmd->directive->line_num);
     }
 
     /* Must not use chain. */

apache2/modsecurity.h

@@ -63,8 +63,8 @@ extern DSOLOCAL modsec_build_type_rec modsec_build_type[];
 #define MODSEC_VERSION_MAJOR       "2"
 #define MODSEC_VERSION_MINOR       "5"
 #define MODSEC_VERSION_MAINT       "1"
-#define MODSEC_VERSION_TYPE        ""
+#define MODSEC_VERSION_TYPE        "-breach"
-#define MODSEC_VERSION_RELEASE     ""
+#define MODSEC_VERSION_RELEASE     "1"
 
 #define MODULE_NAME "ModSecurity for Apache"
 

apache2/re.c

@@ -231,6 +231,7 @@ msre_action_metadata *msre_resolve_action(msre_engine *engine, const char *name)
 msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *name, const char *param,
     modsec_rec *msr, char **error_msg)
 {
+    const char *varparam = param;
     msre_var *var = apr_pcalloc(pool, sizeof(msre_var));
     if (var == NULL) return NULL;
 
@@ -251,6 +252,17 @@ msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *
         var->name = name;
     }
 
+    /* Treat HTTP_* targets as an alias for REQUEST_HEADERS:* */
+    if (   (var->name != NULL)
+        && (strlen(var->name) > 5)
+        && (strncmp("HTTP_", var->name, 5) == 0))
+    {
+        const char *oldname = var->name;
+        var->name = apr_pstrdup(pool, "REQUEST_HEADERS");
+        varparam = apr_pstrdup(pool, oldname + 5);
+    }
+
+
     /* Resolve variable */
     var->metadata = msre_resolve_var(engine, var->name);
     if (var->metadata == NULL) {
@@ -268,7 +280,7 @@ msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *
     }
 
     /* Check the parameter. */
-    if (param == NULL) {
+    if (varparam == NULL) {
         if (var->metadata->argc_min > 0) {
             *error_msg = apr_psprintf(engine->mp, "Missing mandatory parameter for variable %s.",
                 name);
@@ -283,7 +295,7 @@ msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *
             return NULL;
         }
 
-        var->param = param;
+        var->param = varparam;
     }
 
     return var;

doc/modsecurity2-apache-reference.xml

@@ -4,7 +4,7 @@
   Manual</title>
 
   <articleinfo>
-    <releaseinfo>Version 2.5.1 (March 14, 2008)</releaseinfo>
+    <releaseinfo>Version 2.5.1-breach1 (March 19, 2008)</releaseinfo>
 
     <copyright>
       <year>2004-2008</year>