nginx: Adds proper support to SecServerSignature

SecServerSignature was leading nginx to crash. It was trying to write over a memory area that it was not allowed to. In order to fix that a new function was created on the standalone api. This function is called modsecIsServerSignatureAvailale. Whenever it returns data it means that the function SecServerSignature was used by the user. Nginx module was also patched to support this new function.
2025-09-29 19:24:29 +03:00 · 2014-01-08 13:54:51 -08:00
parent 2a43589395
commit 7ac515ee29
4 changed files with 24 additions and 1 deletions
--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@@ -537,6 +537,11 @@ static modsec_rec *create_tx_context(request_rec *r) {
 static apr_status_t change_server_signature(server_rec *s) {
    char *server_version = NULL;

+    /* This is a very particular way to handle the server banner. It is Apache
+     * only. Stanalone and descendants should address that in its specifics
+     * implementations, e.g. Nginx module.
+     */
+#if !(defined(VERSION_IIS)) && !(defined(VERSION_NGINX)) && !(defined(VERSION_STANDALONE))
    if (new_server_signature == NULL) return 0;

    server_version = (char *)apache_get_server_version();
@@ -568,7 +573,7 @@ static apr_status_t change_server_signature(server_rec *s) {
    else {
        ap_log_error(APLOG_MARK, APLOG_DEBUG | APLOG_NOERRNO, 0, s, "SecServerSignature: Changed server signature to \"%s\".", server_version);
    }
-
+#endif
    return 1;
 }

--- a/nginx/modsecurity/ngx_http_modsecurity.c
+++ b/nginx/modsecurity/ngx_http_modsecurity.c
@@ -719,6 +719,14 @@ ngx_http_modsecurity_save_headers_out(ngx_http_request_t *r)
    upstream = r->upstream;
    r->upstream = &ngx_http_modsecurity_upstream;

+    /* case SecServerSignature was used, the "Server: ..." header is added
+     * here, overwriting the default header supplied by nginx.
+     */
+    if (modsecIsServerSignatureAvailale() != NULL) {
+        apr_table_add(ctx->req->headers_out, "Server",
+                modsecIsServerSignatureAvailale());
+    }
+
    if (apr_table_do(ngx_http_modsecurity_save_headers_out_visitor,
                     r, ctx->req->headers_out, NULL) == 0) {

--- a/standalone/api.c
+++ b/standalone/api.c
@@ -673,3 +673,11 @@ void modsecSetWriteResponse(apr_status_t (*func)(request_rec *r, char *buf, unsi
 void modsecSetDropAction(int (*func)(request_rec *r)) {
    modsecDropAction = func;
 }
+
+/*
+ * Case SecServerSignature was used, this function returns the banner that
+ * should be used, otherwise it returns NULL.
+ */
+const char *modsecIsServerSignatureAvailale(void) {
+    return new_server_signature;
+}
--- a/standalone/api.h
+++ b/standalone/api.h
@@ -114,6 +114,8 @@ int modsecIsRequestBodyAccessEnabled(request_rec *r);

 void modsecSetConfigForIISRequestBody(request_rec *r);

+const char *modsecIsServerSignatureAvailale(void);
+
 #ifdef __cplusplus
 }
 #endif