github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2026-01-14 07:27:09 +03:00
Code Issues Packages Projects Releases Wiki Activity

Now support macro expansion in numeric operators @eq, @ge, @lt, etc. (MODSEC-109).

Browse Source
This commit is contained in:
b1v1r
2010-02-03 23:50:38 +00:00
parent bfe41347d2
commit 7262e026d2
3 changed files with 84 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGES
View File

@@ -1,6 +1,8 @@
14 Jan 2010 - 2.5.12 14 Jan 2010 - 2.5.12
-------------------- --------------------
* Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)
* Update copyright to 2010. * Update copyright to 2010.
* Reserved 700,000-799,999 IDs for Ivan Ristic. * Reserved 700,000-799,999 IDs for Ivan Ristic.

77
apache2/re_operators.c
View File

@@ -1778,18 +1778,27 @@ static int msre_op_validateUtf8Encoding_execute(modsec_rec *msr, msre_rule *rule
static int msre_op_eq_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, static int msre_op_eq_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg) char **error_msg)
{ {
msc_string str;
int left, right; int left, right;
char *target = NULL; char *target = NULL;
if (error_msg == NULL) return -1;
*error_msg = NULL;
if ((var->value == NULL)||(rule->op_param == NULL)) { if ((var->value == NULL)||(rule->op_param == NULL)) {
/* NULL values do not match anything. */ /* NULL values do not match anything. */
return 0; return 0;
} }
str.value = (char *)rule->op_param;
str.value_len = strlen(str.value);
expand_macros(msr, &str, rule, msr->mp);
target = apr_pstrmemdup(msr->mp, var->value, var->value_len); target = apr_pstrmemdup(msr->mp, var->value, var->value_len);
if (target == NULL) return -1; if (target == NULL) return -1;
left = atoi(target); left = atoi(target);
right = atoi(rule->op_param); right = atoi(str.value);
if (left != right) { if (left != right) {
/* No match. */ /* No match. */
@@ -1807,6 +1816,7 @@ static int msre_op_eq_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
static int msre_op_gt_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, static int msre_op_gt_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg) char **error_msg)
{ {
msc_string str;
int left, right; int left, right;
char *target = NULL; char *target = NULL;
@@ -1815,10 +1825,23 @@ static int msre_op_gt_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
return 0; return 0;
} }
if (error_msg == NULL) return -1;
*error_msg = NULL;
if ((var->value == NULL)||(rule->op_param == NULL)) {
/* NULL values do not match anything. */
return 0;
}
str.value = (char *)rule->op_param;
str.value_len = strlen(str.value);
expand_macros(msr, &str, rule, msr->mp);
target = apr_pstrmemdup(msr->mp, var->value, var->value_len); target = apr_pstrmemdup(msr->mp, var->value, var->value_len);
if (target == NULL) return -1; if (target == NULL) return -1;
left = atoi(target); left = atoi(target);
right = atoi(rule->op_param); right = atoi(str.value);
if (left <= right) { if (left <= right) {
/* No match. */ /* No match. */
@@ -1836,6 +1859,7 @@ static int msre_op_gt_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
static int msre_op_lt_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, static int msre_op_lt_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg) char **error_msg)
{ {
msc_string str;
int left, right; int left, right;
char *target = NULL; char *target = NULL;
@@ -1844,10 +1868,23 @@ static int msre_op_lt_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
return 0; return 0;
} }
if (error_msg == NULL) return -1;
*error_msg = NULL;
if ((var->value == NULL)||(rule->op_param == NULL)) {
/* NULL values do not match anything. */
return 0;
}
str.value = (char *)rule->op_param;
str.value_len = strlen(str.value);
expand_macros(msr, &str, rule, msr->mp);
target = apr_pstrmemdup(msr->mp, var->value, var->value_len); target = apr_pstrmemdup(msr->mp, var->value, var->value_len);
if (target == NULL) return -1; if (target == NULL) return -1;
left = atoi(target); left = atoi(target);
right = atoi(rule->op_param); right = atoi(str.value);
if (left >= right) { if (left >= right) {
/* No match. */ /* No match. */
@@ -1865,6 +1902,7 @@ static int msre_op_lt_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
static int msre_op_ge_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, static int msre_op_ge_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg) char **error_msg)
{ {
msc_string str;
int left, right; int left, right;
char *target = NULL; char *target = NULL;
@@ -1873,10 +1911,23 @@ static int msre_op_ge_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
return 0; return 0;
} }
if (error_msg == NULL) return -1;
*error_msg = NULL;
if ((var->value == NULL)||(rule->op_param == NULL)) {
/* NULL values do not match anything. */
return 0;
}
str.value = (char *)rule->op_param;
str.value_len = strlen(str.value);
expand_macros(msr, &str, rule, msr->mp);
target = apr_pstrmemdup(msr->mp, var->value, var->value_len); target = apr_pstrmemdup(msr->mp, var->value, var->value_len);
if (target == NULL) return -1; if (target == NULL) return -1;
left = atoi(target); left = atoi(target);
right = atoi(rule->op_param); right = atoi(str.value);
if (left < right) { if (left < right) {
/* No match. */ /* No match. */
@@ -1894,6 +1945,7 @@ static int msre_op_ge_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
static int msre_op_le_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, static int msre_op_le_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg) char **error_msg)
{ {
msc_string str;
int left, right; int left, right;
char *target = NULL; char *target = NULL;
@@ -1902,10 +1954,23 @@ static int msre_op_le_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
return 0; return 0;
} }
if (error_msg == NULL) return -1;
*error_msg = NULL;
if ((var->value == NULL)||(rule->op_param == NULL)) {
/* NULL values do not match anything. */
return 0;
}
str.value = (char *)rule->op_param;
str.value_len = strlen(str.value);
expand_macros(msr, &str, rule, msr->mp);
target = apr_pstrmemdup(msr->mp, var->value, var->value_len); target = apr_pstrmemdup(msr->mp, var->value, var->value_len);
if (target == NULL) return -1; if (target == NULL) return -1;
left = atoi(target); left = atoi(target);
right = atoi(rule->op_param); right = atoi(str.value);
if (left > right) { if (left > right) {
/* No match. */ /* No match. */
@@ -1918,7 +1983,7 @@ static int msre_op_le_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
} }
} }
/* ------------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
/** /**
* *

11
doc/modsecurity2-apache-reference.xml
View File

@@ -5576,6 +5576,9 @@ SecRule ARGS:route "!<emphasis>@endsWith %{REQUEST_ADDR}</emphasis>" t:none,deny
<para>Example:</para> <para>Example:</para>
<programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS_NAMES "<emphasis>@eq</emphasis> 15"</programlisting> <programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS_NAMES "<emphasis>@eq</emphasis> 15"</programlisting>
<para>Macro expansion is performed so you may use variable names such
as <literal>%{TX.1}</literal>, etc.</para>
</section> </section>
<section> <section>
@@ -5587,6 +5590,8 @@ SecRule ARGS:route "!<emphasis>@endsWith %{REQUEST_ADDR}</emphasis>" t:none,deny
<para>Example:</para> <para>Example:</para>
<programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS_NAMES "<emphasis>@ge</emphasis> 15"</programlisting> <programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS_NAMES "<emphasis>@ge</emphasis> 15"</programlisting>
<para>Macro expansion is performed so you may use variable names such
</section> </section>
<section> <section>
@@ -5629,6 +5634,8 @@ SecRule &amp;GEO "@eq 0" "deny,status:403,msg:'Failed to lookup IP'"</programlis
<para>Example:</para> <para>Example:</para>
<programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS_NAMES "<emphasis>@gt</emphasis> 15"</programlisting> <programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS_NAMES "<emphasis>@gt</emphasis> 15"</programlisting>
<para>Macro expansion is performed so you may use variable names such
</section> </section>
<section> <section>
@@ -5677,6 +5684,8 @@ end</programlisting>
<para>Example:</para> <para>Example:</para>
<programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS_NAMES "<emphasis>@le</emphasis> 15"</programlisting> <programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS_NAMES "<emphasis>@le</emphasis> 15"</programlisting>
<para>Macro expansion is performed so you may use variable names such
</section> </section>
<section> <section>
@@ -5688,6 +5697,8 @@ end</programlisting>
<para>Example:</para> <para>Example:</para>
<programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS_NAMES "<emphasis>@lt</emphasis> 15"</programlisting> <programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS_NAMES "<emphasis>@lt</emphasis> 15"</programlisting>
<para>Macro expansion is performed so you may use variable names such
</section> </section>
<section> <section>