Implement SecMarker. See #416.

apache2/apache2_config.c

@@ -657,18 +657,64 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, const char *
             return "Internal Error: Failed to add placeholder to the ruleset.";
         }
 
+        /* No longer need to search for the ID */
         apr_table_unset(dcfg->tmp_rule_placeholders, rule->actionset->id);
     }
         
     return NULL;    
 }
 
+/**
+ * TODO
+ */
+static const char *add_marker(cmd_parms *cmd, directory_config *dcfg, const char *p1, 
+    const char *p2, const char *p3)
+{
+    char *my_error_msg = NULL;
+    msre_rule *rule = NULL;
+    extern msc_engine *modsecurity;
+    int p;
+
+    /* Create a ruleset if one does not exist. */
+    if ((dcfg->ruleset == NULL)||(dcfg->ruleset == NOT_SET_P)) {
+        dcfg->ruleset = msre_ruleset_create(modsecurity->msre, cmd->pool);
+        if (dcfg->ruleset == NULL) return FATAL_ERROR;
+    }
+
+    /* Create the rule now. */
+    rule = msre_rule_create(dcfg->ruleset, cmd->directive->filename, cmd->directive->line_num, p1, p2, p3, &my_error_msg);
+    if (rule == NULL) {
+        return my_error_msg;
+    }
+
+    /* This is a marker */
+    rule->placeholder = RULE_PH_MARKER;
+
+    /* Add placeholder to each phase */
+    for (p = PHASE_FIRST; p <= PHASE_LAST; p++) {
+        if (msre_ruleset_rule_add(dcfg->ruleset, rule, p) < 0) {
+            return "Internal Error: Failed to add marker to the ruleset.";
+        }
+    }
+
+    /* No longer need to search for the ID */
+    apr_table_unset(dcfg->tmp_rule_placeholders, rule->actionset->id);
+        
+    return NULL;    
+}
+
 /* -- Configuration directives -- */
 
 static const char *cmd_action(cmd_parms *cmd, void *_dcfg, const char *p1) {
     return add_rule(cmd, (directory_config *)_dcfg, SECACTION_TARGETS, SECACTION_ARGS, p1);
 }
 
+static const char *cmd_marker(cmd_parms *cmd, void *_dcfg, const char *p1) {
+    directory_config *dcfg = (directory_config *)_dcfg;
+    const char *action = apr_pstrcat(dcfg->mp, SECMARKER_BASE_ACTIONS, p1, NULL);
+    return add_marker(cmd, (directory_config *)_dcfg, SECMARKER_TARGETS, SECMARKER_ARGS, action);
+}
+
 static const char *cmd_argument_separator(cmd_parms *cmd, void *_dcfg, const char *p1) {
     directory_config *dcfg = (directory_config *)_dcfg;
 
@@ -1638,6 +1684,14 @@ const command_rec module_directives[] = {
         "The filename of the filter debugging log file"
     ),
 
+    AP_INIT_TAKE1 (
+        "SecMarker",
+        cmd_marker,
+        NULL,
+        CMD_SCOPE_ANY,
+        "marker for a skipAfter target"
+    ),
+    
     AP_INIT_FLAG (
         "SecPdfProtect",
         cmd_pdf_protect,

apache2/modsecurity.h

@@ -117,6 +117,10 @@ extern DSOLOCAL modsec_build_type_rec modsec_build_type[];
 #define SECACTION_TARGETS                       "REQUEST_URI"
 #define SECACTION_ARGS                          "@unconditionalMatch"
 
+#define SECMARKER_TARGETS                       "REQUEST_URI"
+#define SECMARKER_ARGS                          "@noMatch"
+#define SECMARKER_BASE_ACTIONS                  "t:none,pass,id:"
+
 #if !defined(OS2) && !defined(WIN32) && !defined(BEOS) && !defined(NETWARE)
 #include "unixd.h"
 #define __SET_MUTEX_PERMS

apache2/re.c

@@ -1225,6 +1225,9 @@ msre_rule *msre_rule_create(msre_ruleset *ruleset,
     if ((strcmp(SECACTION_TARGETS, targets) == 0) && (strcmp(SECACTION_ARGS, args) == 0)) {
         rule->unparsed = apr_pstrcat(ruleset->mp, "SecAction", " \"", actions, "\"", NULL);
     }
+    else if ((strcmp(SECMARKER_TARGETS, targets) == 0) && (strcmp(SECMARKER_ARGS, args) == 0) && (strncmp(SECMARKER_BASE_ACTIONS, actions, strlen(SECMARKER_BASE_ACTIONS)) == 0)) {
+        rule->unparsed = apr_pstrcat(ruleset->mp, "SecMarker", " \"", (actions + strlen(SECMARKER_BASE_ACTIONS)), "\"", NULL);
+    }
     else {
         rule->unparsed = apr_pstrcat(ruleset->mp, "SecRule", " \"", targets, "\" \"", args, "\"", (actions != NULL ? " \"" : ""), (actions != NULL ? actions : ""), (actions != NULL ? "\"" : ""), NULL);
     }

apache2/re.h

@@ -110,7 +110,8 @@ int DSOLOCAL msre_ruleset_phase_rule_remove_with_exception(msre_ruleset *ruleset
 #define RULE_MATCH              1
 
 #define RULE_PH_NONE            0  /* Not a placeholder */
-#define RULE_PH_SKIPAFTER       1  /* Placeholder for skipAfter targets */
+#define RULE_PH_SKIPAFTER       1  /* Implicit placeholder for skipAfter */
+#define RULE_PH_MARKER          2  /* Explicit placeholder for SecMarker */
 
 struct msre_rule {
     apr_array_header_t      *targets;

apache2/re_operators.c

@@ -53,6 +53,17 @@ static int msre_op_unconditionalmatch_execute(modsec_rec *msr, msre_rule *rule,
     return 1;
 }
 
+/* noMatch */
+
+static int msre_op_nomatch_execute(modsec_rec *msr, msre_rule *rule,
+    msre_var *var, char **error_msg)
+{
+    *error_msg = "No match.";
+
+    /* Never match. */
+    return 0;
+}
+
 /* rx */
 
 static int msre_op_rx_param_init(msre_rule *rule, char **error_msg) {
@@ -1731,6 +1742,13 @@ void msre_engine_register_default_operators(msre_engine *engine) {
         msre_op_unconditionalmatch_execute
     );
 
+    /* noMatch */
+    msre_engine_op_register(engine,
+        "noMatch",
+        NULL,
+        msre_op_nomatch_execute
+    );
+
     /* rx */
     msre_engine_op_register(engine,
         "rx",