From 7ac515ee29211ae6a3ea3f7306bc7aff46d07e7d Mon Sep 17 00:00:00 2001 From: Felipe Zimmerle Date: Wed, 8 Jan 2014 13:54:51 -0800 Subject: [PATCH] nginx: Adds proper support to SecServerSignature SecServerSignature was leading nginx to crash. It was trying to write over a memory area that it was not allowed to. In order to fix that a new function was created on the standalone api. This function is called modsecIsServerSignatureAvailale. Whenever it returns data it means that the function SecServerSignature was used by the user. Nginx module was also patched to support this new function. --- apache2/mod_security2.c | 7 ++++++- nginx/modsecurity/ngx_http_modsecurity.c | 8 ++++++++ standalone/api.c | 8 ++++++++ standalone/api.h | 2 ++ 4 files changed, 24 insertions(+), 1 deletion(-) diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c index c9304993..6e989643 100644 --- a/apache2/mod_security2.c +++ b/apache2/mod_security2.c @@ -537,6 +537,11 @@ static modsec_rec *create_tx_context(request_rec *r) { static apr_status_t change_server_signature(server_rec *s) { char *server_version = NULL; + /* This is a very particular way to handle the server banner. It is Apache + * only. Stanalone and descendants should address that in its specifics + * implementations, e.g. Nginx module. + */ +#if !(defined(VERSION_IIS)) && !(defined(VERSION_NGINX)) && !(defined(VERSION_STANDALONE)) if (new_server_signature == NULL) return 0; server_version = (char *)apache_get_server_version(); @@ -568,7 +573,7 @@ static apr_status_t change_server_signature(server_rec *s) { else { ap_log_error(APLOG_MARK, APLOG_DEBUG | APLOG_NOERRNO, 0, s, "SecServerSignature: Changed server signature to \"%s\".", server_version); } - +#endif return 1; } diff --git a/nginx/modsecurity/ngx_http_modsecurity.c b/nginx/modsecurity/ngx_http_modsecurity.c index dc622551..a72e6c51 100644 --- a/nginx/modsecurity/ngx_http_modsecurity.c +++ b/nginx/modsecurity/ngx_http_modsecurity.c @@ -719,6 +719,14 @@ ngx_http_modsecurity_save_headers_out(ngx_http_request_t *r) upstream = r->upstream; r->upstream = &ngx_http_modsecurity_upstream; + /* case SecServerSignature was used, the "Server: ..." header is added + * here, overwriting the default header supplied by nginx. + */ + if (modsecIsServerSignatureAvailale() != NULL) { + apr_table_add(ctx->req->headers_out, "Server", + modsecIsServerSignatureAvailale()); + } + if (apr_table_do(ngx_http_modsecurity_save_headers_out_visitor, r, ctx->req->headers_out, NULL) == 0) { diff --git a/standalone/api.c b/standalone/api.c index c7875896..4ce29236 100644 --- a/standalone/api.c +++ b/standalone/api.c @@ -673,3 +673,11 @@ void modsecSetWriteResponse(apr_status_t (*func)(request_rec *r, char *buf, unsi void modsecSetDropAction(int (*func)(request_rec *r)) { modsecDropAction = func; } + +/* + * Case SecServerSignature was used, this function returns the banner that + * should be used, otherwise it returns NULL. + */ +const char *modsecIsServerSignatureAvailale(void) { + return new_server_signature; +} diff --git a/standalone/api.h b/standalone/api.h index eec55a31..b2ab9322 100644 --- a/standalone/api.h +++ b/standalone/api.h @@ -114,6 +114,8 @@ int modsecIsRequestBodyAccessEnabled(request_rec *r); void modsecSetConfigForIISRequestBody(request_rec *r); +const char *modsecIsServerSignatureAvailale(void); + #ifdef __cplusplus } #endif