Added support for MATCHED_VAR and MATCHED_VAR_NAME. See #123.

brectanus 2007-10-15 16:50:36 +00:00
parent b784e6cb73
commit 793b576701
6 changed files with 166 additions and 304 deletions


@ -304,6 +304,9 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) {
msr->tcache = apr_hash_make(msr->mp);
if (msr->tcache == NULL) return -1;
msr->matched_var = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
if (msr->matched_var == NULL) return -1;
msr->highest_severity = 255; /* high, invalid value */
return 1;
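Review bot: The new `apr_pcalloc` allocation leaves `name` and `value` NULL and both lengths 0 until the first rule match, and nothing here says that readers must cope with that state. On this page, `msre_action_sanitiseMatched_execute` guards with `name_len == 0`, while the two variable generators read the fields unconditionally. A comment above the allocation would record the invariant, for example `/* Zeroed: name/value stay NULL and the lengths 0 until a rule matches. */`. The body of `modsecurity_tx_init` starts before this hunk.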


@ -324,7 +324,7 @@ struct modsec_rec {
apr_time_t time_checkpoint_2;
apr_time_t time_checkpoint_3;
const char *matched_var;
msc_string *matched_var;
int highest_severity;
/* upload */


@ -1342,7 +1342,11 @@ static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr,
log_escape(msr->mp, full_varname));
}
msr->matched_var = apr_pstrdup(msr->mp, var->name);
/* Save the last matched var data */
msr->matched_var->name = apr_pstrdup(msr->mp, var->name);
msr->matched_var->name_len = strlen(msr->matched_var->name);
msr->matched_var->value = apr_pmemdup(msr->mp, var->value, var->value_len);
msr->matched_var->value_len = var->value_len;
/* Keep track of the highest severity matched so far */
if ((acting_actionset->severity > 0) && (acting_actionset->severity < msr->highest_severity))
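Review bot: The saved value on the `msr->matched_var->value = apr_pmemdup(...)` line is copied as exactly `value_len` bytes with no terminating NUL, while the `name` beside it is a C string; any consumer that later treats `value` as a string (macro expansion or a `%s` log call, neither visible here) would read past the copy. `apr_pstrmemdup(msr->mp, var->value, var->value_len)` adds the terminator and stays binary-safe for callers that use `value_len`. The same `apr_pmemdup` pattern appears in `var_matched_var_generate` and `var_matched_var_name_generate`. Both copies here also come from `msr->mp` on every match, so a rule that matches many large, request-supplied variables keeps every copy until that pool is released; that cost deserves at least a comment. `execute_operator` begins and ends outside this hunk.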


@ -769,39 +769,40 @@ static apr_status_t msre_action_sanitiseMatched_execute(modsec_rec *msr, apr_poo
const apr_array_header_t *tarr;
const apr_table_entry_t *telts;
int i, type = 0;
msc_string *mvar = msr->matched_var;
if (msr->matched_var == NULL) return 0;
if (mvar->name_len == 0) return 0;
/* IMP1 We need to extract the variable name properly here,
* taking into account it may have been escaped.
*/
if (strncmp(msr->matched_var, "ARGS:", 5) == 0) {
sargname = apr_pstrdup(msr->mp, msr->matched_var + 5);
if ((mvar->name_len > 5) && (strncmp(mvar->name, "ARGS:", 5) == 0)) {
sargname = apr_pstrdup(msr->mp, mvar->name + 5);
type = SANITISE_ARG;
} else
if (strncmp(msr->matched_var, "ARGS_NAMES:", 11) == 0) {
sargname = apr_pstrdup(msr->mp, msr->matched_var + 11);
if ((mvar->name_len > 11) && (strncmp(mvar->name, "ARGS_NAMES:", 11) == 0)) {
sargname = apr_pstrdup(msr->mp, mvar->name + 11);
type = SANITISE_ARG;
} else
if (strncmp(msr->matched_var, "REQUEST_HEADERS:", 16) == 0) {
sargname = apr_pstrdup(msr->mp, msr->matched_var + 16);
if ((mvar->name_len > 16) && (strncmp(mvar->name, "REQUEST_HEADERS:", 16) == 0)) {
sargname = apr_pstrdup(msr->mp, mvar->name + 16);
type = SANITISE_REQUEST_HEADER;
} else
if (strncmp(msr->matched_var, "REQUEST_HEADERS_NAMES:", 22) == 0) {
sargname = apr_pstrdup(msr->mp, msr->matched_var + 22);
if ((mvar->name_len > 22) && (strncmp(mvar->name, "REQUEST_HEADERS_NAMES:", 22) == 0)) {
sargname = apr_pstrdup(msr->mp, mvar->name + 22);
type = SANITISE_REQUEST_HEADER;
} else
if (strncmp(msr->matched_var, "RESPONSE_HEADERS:", 17) == 0) {
sargname = apr_pstrdup(msr->mp, msr->matched_var + 17);
if ((mvar->name_len > 17) && (strncmp(mvar->name, "RESPONSE_HEADERS:", 17) == 0)) {
sargname = apr_pstrdup(msr->mp, mvar->name + 17);
type = SANITISE_RESPONSE_HEADER;
} else
if (strncmp(msr->matched_var, "RESPONSE_HEADERS_NAMES:", 23) == 0) {
sargname = apr_pstrdup(msr->mp, msr->matched_var + 23);
if ((mvar->name_len > 23) && (strncmp(mvar->name, "RESPONSE_HEADERS_NAMES:", 23) == 0)) {
sargname = apr_pstrdup(msr->mp, mvar->name + 23);
type = SANITISE_RESPONSE_HEADER;
}
else {
msr_log(msr, 3, "sanitiseMatched: Don't know how to handle variable: %s",
msr->matched_var);
mvar->name);
return 0;
}
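Review bot: The fallback `msr_log(msr, 3, "sanitiseMatched: Don't know how to handle variable: %s", mvar->name)` writes the matched variable name to the log unescaped, and for collection members that name can carry a request-supplied parameter, cookie or header name. The `execute_operator` code shown on this page passes names through `log_escape(msr->mp, ...)` before logging; unless `msr_log` escapes on its own (not visible here), the argument should be `log_escape(msr->mp, mvar->name)`. Separately, each prefix literal is paired with a hand-counted length (5, 11, 16, 22, 17, 23) repeated three times per branch; a small static table of prefix/type pairs using `sizeof(prefix) - 1` would remove the chance of a mismatch. The function starts before and continues after this hunk.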


@ -843,8 +843,23 @@ static int var_ip_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
static int var_matched_var_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
return var_simple_generate(var, vartab, mptmp,
apr_pstrdup(mptmp, msr->matched_var));
return var_simple_generate_ex(var, vartab, mptmp,
apr_pmemdup(mptmp,
msr->matched_var->value,
msr->matched_var->value_len),
msr->matched_var->value_len);
}
/* MATCHED_VAR_NAME */
static int var_matched_var_name_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
return var_simple_generate_ex(var, vartab, mptmp,
apr_pmemdup(mptmp,
msr->matched_var->name,
msr->matched_var->name_len),
msr->matched_var->name_len);
}
/* SESSION */
@ -2312,6 +2327,17 @@ void msre_engine_register_default_variables(msre_engine *engine) {
PHASE_REQUEST_HEADERS
);
/* MATCHED_VAR_NAME */
msre_engine_variable_register(engine,
"MATCHED_VAR_NAME",
VAR_SIMPLE,
0, 0,
NULL,
var_matched_var_name_generate,
VAR_DONT_CACHE,
PHASE_REQUEST_HEADERS
);
/* MODSEC_BUILD */
msre_engine_variable_register(engine,
"MODSEC_BUILD",
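Review bot: `var_matched_var_generate` and `var_matched_var_name_generate` read `msr->matched_var->value` and `->name` without checking whether any rule has matched yet. `modsecurity_tx_init` zero-allocates the struct, so before the first match both pointers are NULL and both lengths 0, and what `var_simple_generate_ex` does with a NULL value is not visible here. `msre_action_sanitiseMatched_execute` already bails out on `name_len == 0`; an equivalent guard such as `if (msr->matched_var->name == NULL) return 0;` would make the no-match case explicit in the generators. Whether 0 is the right "no variables" return should be confirmed against the other generators.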


@ -2025,9 +2025,7 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis
<para>The following variables are supported in ModSecurity 2.x:</para>
<section>
<title>
<literal moreinfo="none">ARGS</literal>
</title>
<title><literal moreinfo="none">ARGS</literal></title>
<para><literal>ARGS</literal> is a collection and can be used on its own
(means all arguments including the POST Payload), with a static
@ -2072,9 +2070,7 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis
</section>
<section>
<title>
<literal moreinfo="none">ARGS_COMBINED_SIZE</literal>
</title>
<title><literal moreinfo="none">ARGS_COMBINED_SIZE</literal></title>
<para>This variable allows you to set more targeted evaluations on the
total size of the Arguments as compared with normal Apache LimitRequest
@ -2088,9 +2084,7 @@ SecRule <emphasis role="bold">ARGS_COMBINED_SIZE</emphasis> "@gt 25"</programlis
</section>
<section>
<title>
<literal moreinfo="none">ARGS_NAMES</literal>
</title>
<title><literal moreinfo="none">ARGS_NAMES</literal></title>
<para>Is a collection of the argument names. You can search for specific
argument names that you want to block. In a positive policy scenario,
@ -2104,18 +2098,14 @@ SecRule<emphasis role="bold"> ARGS_NAMES</emphasis> "!^(p|a)$"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">ARGS_GET</literal>
</title>
<title><literal moreinfo="none">ARGS_GET</literal></title>
<para><literal>ARGS_GET</literal> is similar to <literal>ARGS</literal>,
but only contains arguments from the query string.</para>
</section>
<section>
<title>
<literal moreinfo="none">ARGS_GET_NAMES</literal>
</title>
<title><literal moreinfo="none">ARGS_GET_NAMES</literal></title>
<para><literal>ARGS_GET_NAMES</literal> is similar to
<literal>ARGS_NAMES</literal>, but only contains argument names from the
@ -2123,9 +2113,7 @@ SecRule<emphasis role="bold"> ARGS_NAMES</emphasis> "!^(p|a)$"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">ARGS_POST</literal>
</title>
<title><literal moreinfo="none">ARGS_POST</literal></title>
<para><literal>ARGS_POST</literal> is similar to
<literal>ARGS</literal>, but only contains arguments from the POST
@ -2133,9 +2121,7 @@ SecRule<emphasis role="bold"> ARGS_NAMES</emphasis> "!^(p|a)$"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">ARGS_POST_NAMES</literal>
</title>
<title><literal moreinfo="none">ARGS_POST_NAMES</literal></title>
<para><literal>ARGS_POST_NAMES</literal> is similar to
<literal>ARGS_NAMES</literal>, but only contains argument names from the
@ -2143,18 +2129,14 @@ SecRule<emphasis role="bold"> ARGS_NAMES</emphasis> "!^(p|a)$"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">AUTH_TYPE</literal>
</title>
<title><literal moreinfo="none">AUTH_TYPE</literal></title>
<para>This variable holds the authentication method used to validate a
user. Example:</para>
<programlisting format="linespecific">SecRule <emphasis role="bold">AUTH_TYPE</emphasis> "basic" log,deny,status:403,phase:1,t:lowercase</programlisting>
<para>
<emphasis role="bold">Note</emphasis>
</para>
<para><emphasis role="bold">Note</emphasis></para>
<para>This data will not be available in a proxy-mode deployment as the
authentication is not local. In a proxy-mode deployment, you would need
@ -2163,9 +2145,7 @@ SecRule<emphasis role="bold"> ARGS_NAMES</emphasis> "!^(p|a)$"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">ENV</literal>
</title>
<title><literal moreinfo="none">ENV</literal></title>
<para>Collection, requires a single parameter (after a colon character).
The ENV variable is set with setenv and does not give access to the CGI
@ -2177,9 +2157,7 @@ SecRule <emphasis role="bold">ENV:tag</emphasis> "suspicious"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">FILES</literal>
</title>
<title><literal moreinfo="none">FILES</literal></title>
<para>Collection. Contains a collection of original file names (as they
were called on the remote user's file system). Note: only available if
@ -2189,9 +2167,7 @@ SecRule <emphasis role="bold">ENV:tag</emphasis> "suspicious"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">FILES_COMBINED_SIZE</literal>
</title>
<title><literal moreinfo="none">FILES_COMBINED_SIZE</literal></title>
<para>Single value. Total size of the uploaded files. Note: only
available if files were extracted from the request body. Example:</para>
@ -2200,9 +2176,7 @@ SecRule <emphasis role="bold">ENV:tag</emphasis> "suspicious"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">FILES_NAMES</literal>
</title>
<title><literal moreinfo="none">FILES_NAMES</literal></title>
<para>Collection w/o parameter. Contains a list of form fields that were
used for file upload. Note: only available if files were extracted from
@ -2212,9 +2186,7 @@ SecRule <emphasis role="bold">ENV:tag</emphasis> "suspicious"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">FILES_SIZES</literal>
</title>
<title><literal moreinfo="none">FILES_SIZES</literal></title>
<para>Collection. Contains a list of file sizes. Useful for implementing
a size limitation on individual uploaded files. Note: only available if
@ -2224,9 +2196,7 @@ SecRule <emphasis role="bold">ENV:tag</emphasis> "suspicious"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">FILES_TMPNAMES</literal>
</title>
<title><literal moreinfo="none">FILES_TMPNAMES</literal></title>
<para>Collection. Contains a collection of temporary files' names on the
disk. Useful when used together with <literal
@ -2237,9 +2207,7 @@ SecRule <emphasis role="bold">ENV:tag</emphasis> "suspicious"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">GEO</literal>
</title>
<title><literal moreinfo="none">GEO</literal></title>
<para><literal>GEO</literal> is a collection populated by the <literal
moreinfo="none">@geoLookups</literal> operator. It can be used to match
@ -2313,9 +2281,7 @@ SecRule GEO:COUNTRY_CODE "!@streq UK"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">HIGHEST_SEVERITY</literal>
</title>
<title><literal moreinfo="none">HIGHEST_SEVERITY</literal></title>
<para>This variable holds the highest severity of any rules that have
matched so far. Severities are numeric values and thus can be used with
@ -2332,22 +2298,31 @@ SecRule GEO:COUNTRY_CODE "!@streq UK"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">MATCHED_VAR</literal>
</title>
<title><literal moreinfo="none">MATCHED_VAR</literal></title>
<para>This variable holds the value of the variable that was matched
against. It is similar to the TX:0, except it can be used for all
operators and does not require that the <literal
moreinfo="none">capture</literal> action be specified.</para>
<programlisting format="linespecific">SecRule ARGS pattern chain,deny
...
SecRule <emphasis role="bold">MATCHED_VAR</emphasis> "further scrutiny"</programlisting>
</section>
<section>
<title><literal moreinfo="none">MATCHED_VAR_NAME</literal></title>
<para>This variable holds the full name of the variable that was matched
against.</para>
<programlisting format="linespecific">SecRule ARGS pattern setvar:tx.mymatch=%{MATCHED_VAR}
<programlisting format="linespecific">SecRule ARGS pattern setvar:tx.mymatch=%{MATCHED_VAR_NAME}
...
SecRule <emphasis role="bold">TX:MYMATCH</emphasis> "@eq ARGS:param" deny</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">MODSEC_BUILD</literal>
</title>
<title><literal moreinfo="none">MODSEC_BUILD</literal></title>
<para>This variable holds the ModSecurity build number. This variable is
intended to be used to check the build number prior to using a feature
@ -2358,9 +2333,7 @@ SecRule ARGS "@pm some key words" deny,status:500</programlisting>
</section>
<section>
<title>
<literal>MULTIPART_STRICT_ERROR</literal>
</title>
<title><literal>MULTIPART_STRICT_ERROR</literal></title>
<para><literal>MULTIPART_STRICT_ERROR</literal> will be set to
<literal>1</literal> when any of the following variables is also set to
@ -2407,9 +2380,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"</programlisting>
</section>
<section>
<title>
<literal>MULTIPART_UNMATCHED_BOUNDARY</literal>
</title>
<title><literal>MULTIPART_UNMATCHED_BOUNDARY</literal></title>
<para>Set to <literal>1</literal> when, during the parsing phase of a
<literal>multipart/request-body</literal>, ModSecurity encounters what
@ -2427,9 +2398,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">PATH_INFO</literal>
</title>
<title><literal moreinfo="none">PATH_INFO</literal></title>
<para>Besides passing query information to a script/handler, you can
also pass additional data, known as extra path information, as part of
@ -2439,9 +2408,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">QUERY_STRING</literal>
</title>
<title><literal moreinfo="none">QUERY_STRING</literal></title>
<para>This variable holds form data passed to the script/handler by
appending data after a question mark. Warning: Not URL-decoded.
@ -2451,9 +2418,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">REMOTE_ADDR</literal>
</title>
<title><literal moreinfo="none">REMOTE_ADDR</literal></title>
<para>This variable holds the IP address of the remote client.
Example:</para>
@ -2462,9 +2427,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">REMOTE_HOST</literal>
</title>
<title><literal moreinfo="none">REMOTE_HOST</literal></title>
<para>If HostnameLookUps are set to On, then this variable will hold the
DNS resolved remote host name. If it is set to Off, then it will hold
@ -2476,9 +2439,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">REMOTE_PORT</literal>
</title>
<title><literal moreinfo="none">REMOTE_PORT</literal></title>
<para>This variable holds information on the source port that the client
used when initiating the connection to our web server. Example: in this
@ -2490,9 +2451,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">REMOTE_USER</literal>
</title>
<title><literal moreinfo="none">REMOTE_USER</literal></title>
<para>This variable holds the username of the authenticated user. If
there are no password (basic|digest) access controls in place, then this
@ -2500,18 +2459,14 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"</programlisting>
<programlisting format="linespecific">SecRule <emphasis role="bold">REMOTE_USER</emphasis> "admin"</programlisting>
<para>
<emphasis role="bold">Note</emphasis>
</para>
<para><emphasis role="bold">Note</emphasis></para>
<para>This data will not be available in a proxy-mode deployment as the
authentication is not local.</para>
</section>
<section>
<title>
<literal moreinfo="none">REQBODY_PROCESSOR</literal>
</title>
<title><literal moreinfo="none">REQBODY_PROCESSOR</literal></title>
<para>Built-in processors are <literal
moreinfo="none">URLENCODED</literal>,<literal moreinfo="none">
@ -2523,9 +2478,8 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">REQBODY_PROCESSOR_ERROR</literal>
</title>
<title><literal
moreinfo="none">REQBODY_PROCESSOR_ERROR</literal></title>
<para>Possible values are 0 (no error) or 1 (error). This variable will
be set by request body processors (typically the
@ -2550,9 +2504,8 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">REQBODY_PROCESSOR_ERROR_MSG</literal>
</title>
<title><literal
moreinfo="none">REQBODY_PROCESSOR_ERROR_MSG</literal></title>
<para>Empty, or contains the error message from the processor.
Example:</para>
@ -2561,9 +2514,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">REQUEST_BASENAME</literal>
</title>
<title><literal moreinfo="none">REQUEST_BASENAME</literal></title>
<para>This variable holds just the filename part of
<literal>REQUEST_FILENAME</literal> (e.g. index.php). Warning: not
@ -2573,9 +2524,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">REQUEST_BODY</literal>
</title>
<title><literal moreinfo="none">REQUEST_BODY</literal></title>
<para>This variable holds the data in the request body (including
POST_PAYLOAD data). REQUEST_BODY should be used if the original order of
@ -2584,18 +2533,14 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
<programlisting format="linespecific">SecRule <emphasis role="bold">REQUEST_BODY</emphasis> "^username=\w{25,}\&amp;password=\w{25,}\&amp;Submit\=login$"</programlisting>
<para>
<emphasis role="bold">Note</emphasis>
</para>
<para><emphasis role="bold">Note</emphasis></para>
<para>This variable is only available if the content type is
application/x-www-form-urlencoded.</para>
</section>
<section>
<title>
<literal moreinfo="none">REQUEST_COOKIES</literal>
</title>
<title><literal moreinfo="none">REQUEST_COOKIES</literal></title>
<para>This variable is a collection of all of the cookie data. Example:
the following example is using the Ampersand special operator to count
@ -2606,9 +2551,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">REQUEST_COOKIES_NAMES</literal>
</title>
<title><literal moreinfo="none">REQUEST_COOKIES_NAMES</literal></title>
<para>This variable is a collection of the cookie names in the request
headers. Example: the following rule will trigger if the JSESSIONID
@ -2618,9 +2561,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">REQUEST_FILENAME</literal>
</title>
<title><literal moreinfo="none">REQUEST_FILENAME</literal></title>
<para>This variable holds the relative REQUEST_URI minus the
QUERY_STRING part (e.g. /index.php). Example:</para>
@ -2629,9 +2570,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">REQUEST_HEADERS</literal>
</title>
<title><literal moreinfo="none">REQUEST_HEADERS</literal></title>
<para>This variable can be used as either a collection of all of the
Request Headers or can be used to specify indivudual headers (by using
@ -2649,9 +2588,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">REQUEST_HEADERS_NAMES</literal>
</title>
<title><literal moreinfo="none">REQUEST_HEADERS_NAMES</literal></title>
<para>This variable is a collection of the names of all of the Request
Headers. Example:</para>
@ -2661,9 +2598,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">REQUEST_LINE</literal>
</title>
<title><literal moreinfo="none">REQUEST_LINE</literal></title>
<para>This variable holds the complete request line sent to the server
(including the REQUEST_METHOD and HTTP version data). Example: this
@ -2673,9 +2608,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
<programlisting format="linespecific">SecRule <emphasis role="bold">REQUEST_LINE</emphasis> "!(^((?:(?:pos|ge)t|head))|http/(0\.9|1\.0|1\.1)$)"</programlisting>
<para>
<emphasis role="bold">Note</emphasis>
</para>
<para><emphasis role="bold">Note</emphasis></para>
<para>Due to the default action transformation function lowercase, the
regex strings should be in lowercase as well unless the t:none
@ -2683,9 +2616,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">REQUEST_METHOD</literal>
</title>
<title><literal moreinfo="none">REQUEST_METHOD</literal></title>
<para>This variable holds the Request Method used by the client.
Example: the following example will trigger if the Request Method is
@ -2693,9 +2624,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
<programlisting format="linespecific">SecRule <emphasis role="bold">REQUEST_METHOD</emphasis> "^((?:connect|trace))$"</programlisting>
<para>
<emphasis role="bold">Note</emphasis>
</para>
<para><emphasis role="bold">Note</emphasis></para>
<para>Due to the default action transformation function lowercase, the
regex strings should be in lowercase as well unless the t:none
@ -2703,18 +2632,14 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">REQUEST_PROTOCOL</literal>
</title>
<title><literal moreinfo="none">REQUEST_PROTOCOL</literal></title>
<para>This variable holds the Request Protocol Version information.
Example:</para>
<programlisting format="linespecific">SecRule <emphasis role="bold">REQUEST_PROTOCOL</emphasis> "!^http/(0\.9|1\.0|1\.1)$"</programlisting>
<para>
<emphasis role="bold">Note</emphasis>
</para>
<para><emphasis role="bold">Note</emphasis></para>
<para>Due to the default action transformation function lowercase, the
regex strings should be in lowercase as well unless the t:none
@ -2722,9 +2647,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">REQUEST_URI</literal>
</title>
<title><literal moreinfo="none">REQUEST_URI</literal></title>
<para>This variable holds the full URL including the QUERY_STRING data
(e.g. /index.php?p=X), however it will never contain a domain name, even
@ -2736,9 +2659,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">REQUEST_URI_RAW</literal>
</title>
<title><literal moreinfo="none">REQUEST_URI_RAW</literal></title>
<para>Same as REQUEST_URI but will contain the domain name if it was
provided on the request line (e.g.
@ -2749,9 +2670,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">RESPONSE_BODY</literal>
</title>
<title><literal moreinfo="none">RESPONSE_BODY</literal></title>
<para>This variable holds the data for the response payload.
Example:</para>
@ -2760,9 +2679,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal>RESPONSE_CONTENT_LENGTH</literal>
</title>
<title><literal>RESPONSE_CONTENT_LENGTH</literal></title>
<para>Response body length in bytes. Can be available starting with
phase 3 but it does not have to be (as the length of response body is
@ -2778,18 +2695,14 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal>RESPONSE_CONTENT_TYPE</literal>
</title>
<title><literal>RESPONSE_CONTENT_TYPE</literal></title>
<para>Response content type. Only available starting with phase
3.</para>
</section>
<section>
<title>
<literal moreinfo="none">RESPONSE_HEADERS</literal>
</title>
<title><literal moreinfo="none">RESPONSE_HEADERS</literal></title>
<para>This variable is similar to the REQUEST_HEADERS variable and can
be used in the same manner. Example:</para>
@ -2797,9 +2710,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
<programlisting format="linespecific">SecRule<emphasis role="bold"> RESPONSE_HEADERS</emphasis><emphasis
role="bold">:X-Cache</emphasis> "MISS"</programlisting>
<para>
<emphasis role="bold">Note</emphasis>
</para>
<para><emphasis role="bold">Note</emphasis></para>
<para>This variable may not have access to some headers when running in
embedded-mode. Headers such as Server, Date, Connection and Content-Type
@ -2809,27 +2720,21 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">RESPONSE_HEADERS_NAMES</literal>
</title>
<title><literal moreinfo="none">RESPONSE_HEADERS_NAMES</literal></title>
<para>This variable is a collection of the response header names.
Example:</para>
<programlisting format="linespecific">SecRule <emphasis role="bold">RESPONSE_HEADERS_NAMES</emphasis> "Set-Cookie"</programlisting>
<para>
<emphasis role="bold">Note</emphasis>
</para>
<para><emphasis role="bold">Note</emphasis></para>
<para>Same limitations as RESPONSE_HEADERS with regards to access to
some headers in embedded-mode.</para>
</section>
<section>
<title>
<literal moreinfo="none">RESPONSE_PROTOCOL</literal>
</title>
<title><literal moreinfo="none">RESPONSE_PROTOCOL</literal></title>
<para>This variable holds the HTTP Response Protocol information.
Example:</para>
@ -2838,18 +2743,14 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">RESPONSE_STATUS</literal>
</title>
<title><literal moreinfo="none">RESPONSE_STATUS</literal></title>
<para>This variable holds the HTTP Response Status Code generated by
Apache. Example:</para>
<programlisting format="linespecific">SecRule <emphasis role="bold">RESPONSE_STATUS</emphasis> "^[45]"</programlisting>
<para>
<emphasis role="bold">Note</emphasis>
</para>
<para><emphasis role="bold">Note</emphasis></para>
<para>This directive may not work as expected in embedded-mode as Apache
handles many of the stock response codes (404, 401, etc...) earlier in
@ -2858,9 +2759,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">RULE</literal>
</title>
<title><literal moreinfo="none">RULE</literal></title>
<para>This variable provides access to the <literal
moreinfo="none">id</literal>, <literal moreinfo="none">rev</literal>,
@ -2875,77 +2774,59 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">SCRIPT_BASENAME</literal>
</title>
<title><literal moreinfo="none">SCRIPT_BASENAME</literal></title>
<para>This variable holds just the local filename part of
SCRIPT_FILENAME. Example:</para>
<programlisting format="linespecific">SecRule <emphasis role="bold">SCRIPT_BASENAME</emphasis> "^login\.php$"</programlisting>
<para>
<emphasis role="bold">Note</emphasis>
</para>
<para><emphasis role="bold">Note</emphasis></para>
<para>This variable is not available in proxy mode.</para>
</section>
<section>
<title>
<literal moreinfo="none">SCRIPT_FILENAME</literal>
</title>
<title><literal moreinfo="none">SCRIPT_FILENAME</literal></title>
<para>This variable holds the full path on the server to the requested
script. (e.g. SCRIPT_NAME plus the server path). Example:</para>
<programlisting format="linespecific">SecRule <emphasis role="bold">SCRIPT_FILENAME</emphasis> "^/usr/local/apache/cgi-bin/login\.php$"</programlisting>
<para>
<emphasis role="bold">Note</emphasis>
</para>
<para><emphasis role="bold">Note</emphasis></para>
<para>This variable is not available in proxy mode.</para>
</section>
<section>
<title>
<literal moreinfo="none">SCRIPT_GID</literal>
</title>
<title><literal moreinfo="none">SCRIPT_GID</literal></title>
<para>This variable holds the groupid (numerical value) of the group
owner of the script. Example:</para>
<programlisting format="linespecific">SecRule <emphasis role="bold">SCRIPT_GID</emphasis> "!^46$"</programlisting>
<para>
<emphasis role="bold">Note</emphasis>
</para>
<para><emphasis role="bold">Note</emphasis></para>
<para>This variable is not available in proxy mode.</para>
</section>
<section>
<title>
<literal moreinfo="none">SCRIPT_GROUPNAME</literal>
</title>
<title><literal moreinfo="none">SCRIPT_GROUPNAME</literal></title>
<para>This variable holds the group name of the group owner of the
script. Example:</para>
<programlisting format="linespecific">SecRule<emphasis role="bold"> SCRIPT_GROUPNAME</emphasis> "!^apache$"</programlisting>
<para>
<emphasis role="bold">Note</emphasis>
</para>
<para><emphasis role="bold">Note</emphasis></para>
<para>This variable is not available in proxy mode.</para>
</section>
<section>
<title>
<literal moreinfo="none">SCRIPT_MODE</literal>
</title>
<title><literal moreinfo="none">SCRIPT_MODE</literal></title>
<para>This variable holds the script's permissions mode data (numerical
- 1=execute, 2=write, 4=read and 7=read/write/execute). Example: will
@ -2953,17 +2834,13 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
<programlisting format="linespecific">SecRule <emphasis role="bold">SCRIPT_MODE</emphasis> "^(2|3|6|7)$"</programlisting>
<para>
<emphasis role="bold">Note</emphasis>
</para>
<para><emphasis role="bold">Note</emphasis></para>
<para>This variable is not available in proxy mode.</para>
</section>
<section>
<title>
<literal moreinfo="none">SCRIPT_UID</literal>
</title>
<title><literal moreinfo="none">SCRIPT_UID</literal></title>
<para>This variable holds the userid (numerical value) of the owner of
the script. Example: the example rule below will trigger if the UID is
@ -2971,34 +2848,26 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
<programlisting format="linespecific">SecRule<emphasis role="bold"> SCRIPT_UID</emphasis> "!^46$"</programlisting>
<para>
<emphasis role="bold">Note</emphasis>
</para>
<para><emphasis role="bold">Note</emphasis></para>
<para>This variable is not available in proxy mode.</para>
</section>
<section>
<title>
<literal moreinfo="none">SCRIPT_USERNAME</literal>
</title>
<title><literal moreinfo="none">SCRIPT_USERNAME</literal></title>
<para>This variable holds the username of the owner of the script.
Example:</para>
<programlisting format="linespecific">SecRule <emphasis role="bold">SCRIPT_USERNAME</emphasis> "!^apache$"</programlisting>
<para>
<emphasis role="bold">Note</emphasis>
</para>
<para><emphasis role="bold">Note</emphasis></para>
<para>This variable is not available in proxy mode.</para>
</section>
<section>
<title>
<literal moreinfo="none">SERVER_ADDR</literal>
</title>
<title><literal moreinfo="none">SERVER_ADDR</literal></title>
<para>This variable contains the IP address of the server.
Example:</para>
@ -3007,27 +2876,21 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">SERVER_NAME</literal>
</title>
<title><literal moreinfo="none">SERVER_NAME</literal></title>
<para>This variable contains the server's hostname or IP address.
Example:</para>
<programlisting format="linespecific">SecRule <emphasis role="bold">SERVER_NAME</emphasis> "hostname\.com$"</programlisting>
<para>
<emphasis role="bold">Note</emphasis>
</para>
<para><emphasis role="bold">Note</emphasis></para>
<para>This data is taken from the Host header submitted in the client
request.</para>
</section>
<section>
<title>
<literal moreinfo="none">SERVER_PORT</literal>
</title>
<title><literal moreinfo="none">SERVER_PORT</literal></title>
<para>This variable contains the local port that the web server is
listening on. Example:</para>
@ -3036,9 +2899,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">SESSION</literal>
</title>
<title><literal moreinfo="none">SESSION</literal></title>
<para>This variable is a collection, available only after <literal
moreinfo="none">setsid</literal> is executed. Example: the following
@ -3056,9 +2917,7 @@ SecRule<emphasis role="bold"> SESSION:BLOCKED</emphasis> "@eq 1" "log,deny,statu
</section>
<section>
<title>
<literal moreinfo="none">SESSIONID</literal>
</title>
<title><literal moreinfo="none">SESSIONID</literal></title>
<para>This variable is the value set with <literal
moreinfo="none">setsid</literal>. Example:</para>
@ -3069,9 +2928,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">TIME</literal>
</title>
<title><literal moreinfo="none">TIME</literal></title>
<para>This variable holds a formatted string representing the time
(hour:minute:second). Example:</para>
@ -3080,9 +2937,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">TIME_DAY</literal>
</title>
<title><literal moreinfo="none">TIME_DAY</literal></title>
<para>This variable holds the current date (1-31). Example: this rule
would trigger anytime between the 10th and 20th days of the
@ -3092,9 +2947,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">TIME_EPOCH</literal>
</title>
<title><literal moreinfo="none">TIME_EPOCH</literal></title>
<para>This variable holds the time in seconds since 1970.
Example:</para>
@ -3103,9 +2956,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">TIME_HOUR</literal>
</title>
<title><literal moreinfo="none">TIME_HOUR</literal></title>
<para>This variable holds the current hour (0-23). Example: this rule
would trigger during "off hours".</para>
@ -3114,9 +2965,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">TIME_MIN</literal>
</title>
<title><literal moreinfo="none">TIME_MIN</literal></title>
<para>This variable holds the current minute (0-59). Example: this rule
would trigger during the last half hour of every hour.</para>
@ -3125,9 +2974,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">TIME_MON</literal>
</title>
<title><literal moreinfo="none">TIME_MON</literal></title>
<para>This variable holds the current month (0-11). Example: this rule
would match if the month was either November (10) or December
@ -3137,9 +2984,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">TIME_SEC</literal>
</title>
<title><literal moreinfo="none">TIME_SEC</literal></title>
<para>This variable holds the current second count (0-59).
Example:</para>
@ -3148,9 +2993,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">TIME_WDAY</literal>
</title>
<title><literal moreinfo="none">TIME_WDAY</literal></title>
<para>This variable holds the current weekday (0-6). Example: this rule
would trigger only on week-ends (Saturday and Sunday).</para>
@ -3159,9 +3002,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">TIME_YEAR</literal>
</title>
<title><literal moreinfo="none">TIME_YEAR</literal></title>
<para>This variable holds the current four-digit year data.
Example:</para>
@ -3170,9 +3011,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">TX</literal>
</title>
<title><literal moreinfo="none">TX</literal></title>
<para>Transaction Collection. This is used to store pieces of data,
create a transaction anomaly score, and so on. Transaction variables are
@ -3208,9 +3047,7 @@ SecRule<emphasis role="bold"> TX:SCORE</emphasis> "@gt 20" deny,log</programlist
</section>
<section>
<title>
<literal moreinfo="none">USERID</literal>
</title>
<title><literal moreinfo="none">USERID</literal></title>
<para>This variable is the value set with <literal
moreinfo="none">setuid</literal>. Example:</para>
@ -3220,9 +3057,7 @@ SecRule<emphasis role="bold"> USERID</emphasis> "Admin"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">WEBAPPID</literal>
</title>
<title><literal moreinfo="none">WEBAPPID</literal></title>
<para>This variable is the value set with <literal
moreinfo="none">SecWebAppId</literal>. Example:</para>
@ -3233,9 +3068,7 @@ SecRule REQUEST_HEADERS:Transfer-Encoding "!^$"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">WEBSERVER_ERROR_LOG</literal>
</title>
<title><literal moreinfo="none">WEBSERVER_ERROR_LOG</literal></title>
<para>Contains zero or more error messages produced by the web server.
Access to this variable is in phase:5 (logging). Example:</para>
@ -3244,9 +3077,7 @@ SecRule REQUEST_HEADERS:Transfer-Encoding "!^$"</programlisting>
</section>
<section>
<title>
<literal moreinfo="none">XML</literal>
</title>
<title><literal moreinfo="none">XML</literal></title>
<para>Can be used standalone (as a target for validateDTD and
validateSchema) or with an XPath expression parameter (which makes it a
@ -3317,17 +3148,14 @@ SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis>
<orderedlist>
<listitem>
<para>
<ulink url="http://www.w3.org/TR/xpath">XPath Standard</ulink>
</para>
<para><ulink url="http://www.w3.org/TR/xpath">XPath
Standard</ulink></para>
</listitem>
<listitem>
<para>
<ulink
url="http://www.zvon.org/xxl/XPathTutorial/General/examples.html">XPath
Tutorial</ulink>
</para>
<para><ulink
url="http://www.zvon.org/xxl/XPathTutorial/General/examples.html">XPath
Tutorial</ulink></para>
</listitem>
</orderedlist>
</section>