From 8a1687bf36dbae891ca0e4acbfbcae012fac54d8 Mon Sep 17 00:00:00 2001
From: brectanus
Date: Mon, 17 Dec 2007 05:13:49 +0000
Subject: [PATCH] Make phase 5 more strict and catch an inherited disruptive action. See #429.
---
 apache2/apache2_config.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
index d27f7c12..f5a7fe41 100644
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -556,12 +556,6 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, const char *
 /* Check some cases prior to merging so we know where it came from */
- /* Must NOT specify a disruptive action in logging phase. */
- if ((rule->actionset != NULL) && (rule->actionset->phase == PHASE_LOGGING) && (rule->actionset->intercept_action != ACTION_ALLOW && rule->actionset->intercept_action != ACTION_NONE)) {
- return apr_psprintf(cmd->pool, "ModSecurity: Disruptive actions "
- "cannot be specified in the logging phase. %d", rule->actionset->intercept_action);
- }
-
 /* Check syntax for chained rules */
 if ((rule->actionset != NULL) && (dcfg->tmp_chain_starter != NULL)) {
 /* Must NOT specify a disruptive action. */
@@ -600,6 +594,12 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, const char *
 rule->actionset = msre_actionset_merge(modsecurity->msre, dcfg->tmp_default_actionset, rule->actionset, 1);
+ /* Must NOT specify a disruptive action in logging phase. */
+ if ((rule->actionset != NULL) && (rule->actionset->phase == PHASE_LOGGING) && (rule->actionset->intercept_action != ACTION_ALLOW) && (rule->actionset->intercept_action != ACTION_NONE)) {
+ return apr_psprintf(cmd->pool, "ModSecurity: Disruptive actions "
+ "cannot be specified in the logging phase.");
+ }
+
 if (dcfg->tmp_chain_starter != NULL) {
 rule->chain_starter = dcfg->tmp_chain_starter;
 rule->actionset->phase = rule->chain_starter->actionset->phase;
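Review bot: The relocated phase-5 check in the second hunk tests `rule->actionset != NULL` after the merge, yet the chain-starter branch directly below it writes `rule->actionset->phase` with no such test, so the code disagrees with itself about whether `msre_actionset_merge()` can return NULL (its contract is not visible here). If it can, the logging-phase restriction is skipped silently and the following branch dereferences a null pointer; one early `if (rule->actionset == NULL) return "ModSecurity: Failed to merge rule actions.";` straight after the merge would cover both, and if it cannot, the NULL test can be dropped from the new condition. The message also still says the action was "specified", although per the commit title the check now fires for an inherited action as well; wording such as `"ModSecurity: Disruptive actions (including inherited ones) cannot be used in the logging phase."` would point the administrator at the default action list, and with no format arguments left the `apr_psprintf` call can become a plain literal return. add_rule's body starts and ends outside the hunk.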