From 83ff6c479611898d1d9cc9aa6ec1a13f8757de0a Mon Sep 17 00:00:00 2001 From: brectanus Date: Tue, 3 Jun 2008 20:28:05 +0000 Subject: [PATCH] Re-enable error output filter with a fix after more testing/tracing of code. See #498. Update versions to ready for release of 2.5.5. --- CHANGES | 2 +- apache2/apache2_io.c | 7 +++++++ apache2/mod_security2.c | 14 ++++++++++---- 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index dc332422..a8076f54 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,4 @@ -02 Jun 2008 - trunk +03 Jun 2008 - trunk ------------------- * Fixed an issue where an alert was not logged in the error log diff --git a/apache2/apache2_io.c b/apache2/apache2_io.c index cbfe3989..f4df75ed 100644 --- a/apache2/apache2_io.c +++ b/apache2/apache2_io.c @@ -39,6 +39,7 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *bb_out, return APR_EGENERAL; } + /* Make sure we are using the current request */ msr->r = f->r; if (msr->phase < PHASE_REQUEST_BODY) { @@ -678,17 +679,20 @@ apr_status_t output_filter(ap_filter_t *f, apr_bucket_brigade *bb_in) { /* Do we need to process a partial response? */ if (start_skipping) { if (flatten_response_body(msr) < 0) { + ap_remove_output_filter(f); return send_error_bucket(msr, f, HTTP_INTERNAL_SERVER_ERROR); } /* Process phase RESPONSE_BODY */ rc = modsecurity_process_phase(msr, PHASE_RESPONSE_BODY); if (rc < 0) { + ap_remove_output_filter(f); return send_error_bucket(msr, f, HTTP_INTERNAL_SERVER_ERROR); } if (rc > 0) { int status = perform_interception(msr); if (status != DECLINED) { /* DECLINED means we allow-ed the request. */ + ap_remove_output_filter(f); return send_error_bucket(msr, f, status); } } @@ -735,16 +739,19 @@ apr_status_t output_filter(ap_filter_t *f, apr_bucket_brigade *bb_in) { */ if (msr->phase < PHASE_RESPONSE_BODY) { if (flatten_response_body(msr) < 0) { + ap_remove_output_filter(f); return send_error_bucket(msr, f, HTTP_INTERNAL_SERVER_ERROR); } rc = modsecurity_process_phase(msr, PHASE_RESPONSE_BODY); if (rc < 0) { + ap_remove_output_filter(f); return send_error_bucket(msr, f, HTTP_INTERNAL_SERVER_ERROR); } if (rc > 0) { int status = perform_interception(msr); if (status != DECLINED) { /* DECLINED means we allow-ed the request. */ + ap_remove_output_filter(f); return send_error_bucket(msr, f, status); } } diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c index 61a63e5d..c94f03e9 100644 --- a/apache2/mod_security2.c +++ b/apache2/mod_security2.c @@ -962,7 +962,6 @@ static void hook_insert_filter(request_rec *r) { } /* NOTE: This is causing and endless loop when blocking in phase:3 */ -#if 0 /** * Invoked whenever Apache starts processing an error. A chance * to insert ourselves into the output filter chain. @@ -976,6 +975,16 @@ static void hook_insert_error_filter(request_rec *r) { msr = retrieve_tx_context(r); if (msr == NULL) return; + /* Do not run if we are already running, which may happen + * if we intercept in phase 3. + */ + if (msr->of_is_error == 1) { + if (msr->txcfg->debuglog_level >= 4) { + msr_log(msr, 4, "Hook insert_error_filter: Already processing."); + } + return; + } + /* Do not run if not enabled. */ if (msr->txcfg->is_enabled == 0) { if (msr->txcfg->debuglog_level >= 4) { @@ -1004,7 +1013,6 @@ static void hook_insert_error_filter(request_rec *r) { } } } -#endif #if (!defined(NO_MODSEC_API)) /** @@ -1108,9 +1116,7 @@ static void register_hooks(apr_pool_t *mp) { /* Filter hooks */ ap_hook_insert_filter(hook_insert_filter, NULL, NULL, APR_HOOK_FIRST); -#if 0 ap_hook_insert_error_filter(hook_insert_error_filter, NULL, NULL, APR_HOOK_FIRST); -#endif ap_register_input_filter("MODSECURITY_IN", input_filter, NULL, AP_FTYPE_CONTENT_SET);