From 76969fea1d1153be450359ae410325850e200de7 Mon Sep 17 00:00:00 2001 From: b1v1r Date: Tue, 3 Nov 2009 23:49:36 +0000 Subject: [PATCH] Moved output filter to run before other stock filters (MODSEC-89). --- CHANGES | 8 ++++++++ apache2/mod_security2.c | 12 +++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 1f79c1c4..8a5b6d8d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,11 @@ +02 Nov 2009 - 2.5.11 +-------------------- + + * Moved output filter to run before other stock filters (mod_deflate, + mod_cache, mod_expires, mod_filter) to avoid analyzing modified data + in the response. Patch originally submitted by Ivan Ristic. + + 18 Sep 2009 - 2.5.10 -------------------- diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c index 62679f34..01ff01e6 100644 --- a/apache2/mod_security2.c +++ b/apache2/mod_security2.c @@ -1126,8 +1126,18 @@ static void register_hooks(apr_pool_t *mp) { ap_register_input_filter("MODSECURITY_IN", input_filter, NULL, AP_FTYPE_CONTENT_SET); + + /* Ensure that the output filter runs before other modules so that + * we get a request that has a better chance of not being modified: + * + * Currently: + * mod_expires = -2 + * mod_cache = -1 + * mod_deflate = -1 + * mod_headers = 0 + */ ap_register_output_filter("MODSECURITY_OUT", output_filter, - NULL, AP_FTYPE_CONTENT_SET); + NULL, AP_FTYPE_CONTENT_SET - 3); ap_register_output_filter("PDFP_OUT", pdfp_output_filter, NULL, AP_FTYPE_CONTENT_SET);