Re-enable error output filter with a fix after more testing/tracing of code. See #498.

Update versions to ready for release of 2.5.5.
2025-08-13 21:36:00 +03:00 · 2008-06-03 20:28:05 +00:00 · 2008-06-03 20:28:05 +00:00 · 83ff6c4796
commit 83ff6c4796
parent 230837d4a3
3 changed files with 18 additions and 5 deletions
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-02 Jun 2008 - trunk
+03 Jun 2008 - trunk
 -------------------

 * Fixed an issue where an alert was not logged in the error log
--- a/apache2/apache2_io.c
+++ b/apache2/apache2_io.c
@ -39,6 +39,7 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *bb_out,
        return APR_EGENERAL;
    }

+    /* Make sure we are using the current request */
    msr->r = f->r;

    if (msr->phase < PHASE_REQUEST_BODY) {
@ -678,17 +679,20 @@ apr_status_t output_filter(ap_filter_t *f, apr_bucket_brigade *bb_in) {
        /* Do we need to process a partial response? */
        if (start_skipping) {
            if (flatten_response_body(msr) < 0) {
+                ap_remove_output_filter(f);
                return send_error_bucket(msr, f, HTTP_INTERNAL_SERVER_ERROR);
            }

            /* Process phase RESPONSE_BODY */
            rc = modsecurity_process_phase(msr, PHASE_RESPONSE_BODY);
            if (rc < 0) {
+                ap_remove_output_filter(f);
                return send_error_bucket(msr, f, HTTP_INTERNAL_SERVER_ERROR);
            }
            if (rc > 0) {
                int status = perform_interception(msr);
                if (status != DECLINED) { /* DECLINED means we allow-ed the request. */
+                    ap_remove_output_filter(f);
                    return send_error_bucket(msr, f, status);
                }
            }
@ -735,16 +739,19 @@ apr_status_t output_filter(ap_filter_t *f, apr_bucket_brigade *bb_in) {
     */
    if (msr->phase < PHASE_RESPONSE_BODY) {
        if (flatten_response_body(msr) < 0) {
+            ap_remove_output_filter(f);
            return send_error_bucket(msr, f, HTTP_INTERNAL_SERVER_ERROR);
        }

        rc = modsecurity_process_phase(msr, PHASE_RESPONSE_BODY);
        if (rc < 0) {
+            ap_remove_output_filter(f);
            return send_error_bucket(msr, f, HTTP_INTERNAL_SERVER_ERROR);
        }
        if (rc > 0) {
            int status = perform_interception(msr);
            if (status != DECLINED) { /* DECLINED means we allow-ed the request. */
+                ap_remove_output_filter(f);
                return send_error_bucket(msr, f, status);
            }
        }
--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@ -962,7 +962,6 @@ static void hook_insert_filter(request_rec *r) {
 }

 /* NOTE: This is causing and endless loop when blocking in phase:3 */
-#if 0
 /**
 * Invoked whenever Apache starts processing an error. A chance
 * to insert ourselves into the output filter chain.
@ -976,6 +975,16 @@ static void hook_insert_error_filter(request_rec *r) {
    msr = retrieve_tx_context(r);
    if (msr == NULL) return;

+    /* Do not run if we are already running, which may happen
+     * if we intercept in phase 3.
+     */
+    if (msr->of_is_error == 1) {
+        if (msr->txcfg->debuglog_level >= 4) {
+            msr_log(msr, 4, "Hook insert_error_filter: Already processing.");
+        }
+        return;
+    }
+
    /* Do not run if not enabled. */
    if (msr->txcfg->is_enabled == 0) {
        if (msr->txcfg->debuglog_level >= 4) {
@ -1004,7 +1013,6 @@ static void hook_insert_error_filter(request_rec *r) {
        }
    }
 }
-#endif

 #if (!defined(NO_MODSEC_API))
 /**
@ -1108,9 +1116,7 @@ static void register_hooks(apr_pool_t *mp) {

    /* Filter hooks */
    ap_hook_insert_filter(hook_insert_filter, NULL, NULL, APR_HOOK_FIRST);
-#if 0
    ap_hook_insert_error_filter(hook_insert_error_filter, NULL, NULL, APR_HOOK_FIRST);
-#endif

    ap_register_input_filter("MODSECURITY_IN", input_filter,
        NULL, AP_FTYPE_CONTENT_SET);