github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-09-30 03:34:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

Change 'sanitise' to 'sanitize' everywhere, preserving the 'sanitise' action variants for backward compatibility.

Browse Source
This commit is contained in:
ivanr
2009-10-29 17:57:18 +00:00
parent 6d83f91b2b
commit 8fe278e845
8 changed files with 145 additions and 93 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
apache2/modsecurity.c
View File

@@ -297,12 +297,12 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) {
}
}
msr->arguments_to_sanitise = apr_table_make(msr->mp, 16);
if (msr->arguments_to_sanitise == NULL) return -1;
msr->request_headers_to_sanitise = apr_table_make(msr->mp, 16);
if (msr->request_headers_to_sanitise == NULL) return -1;
msr->response_headers_to_sanitise = apr_table_make(msr->mp, 16);
if (msr->response_headers_to_sanitise == NULL) return -1;
msr->arguments_to_sanitize = apr_table_make(msr->mp, 16);
if (msr->arguments_to_sanitize == NULL) return -1;
msr->request_headers_to_sanitize = apr_table_make(msr->mp, 16);
if (msr->request_headers_to_sanitize == NULL) return -1;
msr->response_headers_to_sanitize = apr_table_make(msr->mp, 16);
if (msr->response_headers_to_sanitize == NULL) return -1;
/* Initialise cookies */
msr->request_cookies = apr_table_make(msr->mp, 16);

6
apache2/modsecurity.h
View File

@@ -250,9 +250,9 @@ struct modsec_rec {
const char *request_content_type;
apr_table_t *arguments;
apr_table_t *arguments_to_sanitise;
apr_table_t *request_headers_to_sanitise;
apr_table_t *response_headers_to_sanitise;
apr_table_t *arguments_to_sanitize;
apr_table_t *request_headers_to_sanitize;
apr_table_t *response_headers_to_sanitize;
apr_table_t *request_cookies;
unsigned int is_relevant;

84
apache2/msc_logging.c
View File

@@ -287,7 +287,7 @@ static char *create_auditlog_boundary(request_rec *r) {
* Sanitises the request line by removing the parameters
* that have been marked as sensitive.
*/
static void sanitise_request_line(modsec_rec *msr) {
static void sanitize_request_line(modsec_rec *msr) {
const apr_array_header_t *tarr;
const apr_table_entry_t *telts;
int i;
@@ -299,7 +299,7 @@ static void sanitise_request_line(modsec_rec *msr) {
qspos++;
/* Loop through the list of sensitive parameters. */
tarr = apr_table_elts(msr->arguments_to_sanitise);
tarr = apr_table_elts(msr->arguments_to_sanitize);
telts = (const apr_table_entry_t*)tarr->elts;
for (i = 0; i < tarr->nelts; i++) {
msc_arg *arg = (msc_arg *)telts[i].val;
@@ -313,7 +313,7 @@ static void sanitise_request_line(modsec_rec *msr) {
j = arg->value_origin_offset;
while((*p != '\0')&&(j--)) p++;
if (*p == '\0') {
msr_log(msr, 1, "Unable to sanitise variable \"%s\" at offset %u of QUERY_STRING"
msr_log(msr, 1, "Unable to sanitize variable \"%s\" at offset %u of QUERY_STRING"
"because the request line is too short.",
log_escape_ex(msr->mp, arg->name, arg->name_len),
arg->value_origin_offset);
@@ -326,7 +326,7 @@ static void sanitise_request_line(modsec_rec *msr) {
*p++ = '*';
}
if (*p == '\0') {
msr_log(msr, 1, "Unable to sanitise variable \"%s\" at offset %u (size %d) "
msr_log(msr, 1, "Unable to sanitize variable \"%s\" at offset %u (size %d) "
"of QUERY_STRING because the request line is too short.",
log_escape_ex(msr->mp, arg->name, arg->name_len),
arg->value_origin_offset, arg->value_origin_len);
@@ -491,7 +491,7 @@ void sec_audit_logger(modsec_rec *msr) {
text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_REQUEST_HEADERS);
sec_auditlog_write(msr, text, strlen(text));
sanitise_request_line(msr);
sanitize_request_line(msr);
sec_auditlog_write(msr, msr->request_line, strlen(msr->request_line));
sec_auditlog_write(msr, "\n", 1);
@@ -500,9 +500,9 @@ void sec_audit_logger(modsec_rec *msr) {
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
text = apr_psprintf(msr->mp, "%s: %s\n", te[i].key, te[i].val);
/* Do we need to sanitise this request header? */
if (apr_table_get(msr->request_headers_to_sanitise, te[i].key) != NULL) {
/* Yes, sanitise it. */
/* Do we need to sanitize this request header? */
if (apr_table_get(msr->request_headers_to_sanitize, te[i].key) != NULL) {
/* Yes, sanitize it. */
memset(text + strlen(te[i].key) + 2, '*', strlen(te[i].val));
}
sec_auditlog_write(msr, text, strlen(text));
@@ -525,17 +525,17 @@ void sec_audit_logger(modsec_rec *msr) {
apr_array_header_t *sorted_args;
unsigned int offset = 0, last_offset = 0;
msc_arg *nextarg = NULL;
int sanitise = 0; /* IMP1 Use constants for "sanitise" values. */
int sanitize = 0; /* IMP1 Use constants for "sanitize" values. */
char *my_error_msg = NULL;
sorted_args = apr_array_make(msr->mp, 25, sizeof(const msc_arg *));
/* First we need to sort the arguments that need to be
* sanitised in descending order (we are using a stack structure
* sanitized in descending order (we are using a stack structure
* to store then so the order will be ascending when we start
* popping them out). This is because we will
* be reading the request body sequentially and must
* sanitise it as we go.
* sanitize it as we go.
*/
for(;;) {
@@ -544,7 +544,7 @@ void sec_audit_logger(modsec_rec *msr) {
/* Find the next largest offset (excluding
* the ones we've used up already).
*/
tarr = apr_table_elts(msr->arguments_to_sanitise);
tarr = apr_table_elts(msr->arguments_to_sanitize);
telts = (const apr_table_entry_t*)tarr->elts;
for(i = 0; i < tarr->nelts; i++) {
msc_arg *arg = (msc_arg *)telts[i].val;
@@ -570,7 +570,7 @@ void sec_audit_logger(modsec_rec *msr) {
*/
if (nextarg == NULL) break;
sanitise = 2; /* Means time to pop the next argument out. */
sanitize = 2; /* Means time to pop the next argument out. */
last_offset = offset;
offset = 0;
{ /* IMP1 Fix this ugly bit here. */
@@ -580,7 +580,7 @@ void sec_audit_logger(modsec_rec *msr) {
}
/* Now start retrieving the body chunk by chunk and
* sanitise data in pieces.
* sanitize data in pieces.
*/
rc = modsecurity_request_body_retrieve_start(msr, &my_error_msg);
@@ -589,8 +589,8 @@ void sec_audit_logger(modsec_rec *msr) {
} else {
msc_data_chunk *chunk = NULL;
unsigned int chunk_offset = 0;
unsigned int sanitise_offset = 0;
unsigned int sanitise_length = 0;
unsigned int sanitize_offset = 0;
unsigned int sanitize_length = 0;
text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_REQUEST_BODY);
sec_auditlog_write(msr, text, strlen(text));
@@ -598,46 +598,46 @@ void sec_audit_logger(modsec_rec *msr) {
for(;;) {
rc = modsecurity_request_body_retrieve(msr, &chunk, -1, &my_error_msg);
if (chunk != NULL) {
/* Anything greater than 1 means we have more data to sanitise. */
while (sanitise > 1) {
/* Anything greater than 1 means we have more data to sanitize. */
while (sanitize > 1) {
msc_arg **arg = NULL;
if (sanitise == 2) {
if (sanitize == 2) {
/* Get the next argument from the stack. */
arg = (msc_arg **)apr_array_pop(sorted_args);
if (arg == NULL) sanitise = 0; /* We're done sanitising. */
if (arg == NULL) sanitize = 0; /* We're done sanitising. */
else {
/* Continue with sanitation to process the
* retrieved argument.
*/
sanitise = 1;
sanitise_offset = (*arg)->value_origin_offset;
sanitise_length = (*arg)->value_origin_len;
sanitize = 1;
sanitize_offset = (*arg)->value_origin_offset;
sanitize_length = (*arg)->value_origin_len;
}
}
if (sanitise) {
/* Check if the data we want to sanitise is
if (sanitize) {
/* Check if the data we want to sanitize is
* stored in the current chunk.
*/
if (chunk_offset + chunk->length > sanitise_offset) {
if (chunk_offset + chunk->length > sanitize_offset) {
unsigned int soff; /* data offset within chunk */
unsigned int len; /* amount in this chunk to sanitise */
unsigned int len; /* amount in this chunk to sanitize */
soff = sanitise_offset - chunk_offset;
soff = sanitize_offset - chunk_offset;
if (soff + sanitise_length <= chunk->length) {
if (soff + sanitize_length <= chunk->length) {
/* The entire argument resides in the current chunk. */
len = sanitise_length;
sanitise = 2; /* Get another parameter to sanitise. */
len = sanitize_length;
sanitize = 2; /* Get another parameter to sanitize. */
} else {
/* Some work to do here but we'll need to seek
* another chunk.
*/
len = chunk->length - soff;
sanitise_offset += len;
sanitise_length -= len;
sanitise = 1; /* It's OK to go to the next chunk. */
sanitize_offset += len;
sanitize_length -= len;
sanitize = 1; /* It's OK to go to the next chunk. */
}
/* Yes, we actually write over the original data.
@@ -650,7 +650,7 @@ void sec_audit_logger(modsec_rec *msr) {
}
}
/* Write the sanitised chunk to the log
/* Write the sanitized chunk to the log
* and advance to the next chunk. */
sec_auditlog_write(msr, chunk->data, chunk->length);
chunk_offset += chunk->length;
@@ -676,7 +676,7 @@ void sec_audit_logger(modsec_rec *msr) {
if ((msr->msc_reqbody_read)&&(msr->mpd != NULL)) {
char *buffer = NULL;
buffer = multipart_reconstruct_urlencoded_body_sanitise(msr);
buffer = multipart_reconstruct_urlencoded_body_sanitize(msr);
if (buffer == NULL) {
msr_log(msr, 1, "Audit log: Failed to reconstruct request body.");
} else {
@@ -710,9 +710,9 @@ void sec_audit_logger(modsec_rec *msr) {
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
text = apr_psprintf(msr->mp, "%s: %s\n", te[i].key, te[i].val);
/* Do we need to sanitise this response header? */
if (apr_table_get(msr->response_headers_to_sanitise, te[i].key) != NULL) {
/* Yes, sanitise it. */
/* Do we need to sanitize this response header? */
if (apr_table_get(msr->response_headers_to_sanitize, te[i].key) != NULL) {
/* Yes, sanitize it. */
memset(text + strlen(te[i].key) + 2, '*', strlen(te[i].val));
}
sec_auditlog_write(msr, text, strlen(text));
@@ -816,7 +816,7 @@ void sec_audit_logger(modsec_rec *msr) {
const apr_array_header_t *tarr;
const apr_table_entry_t *telts;
tarr = apr_table_elts(msr->arguments_to_sanitise);
tarr = apr_table_elts(msr->arguments_to_sanitize);
telts = (const apr_table_entry_t*)tarr->elts;
if (tarr->nelts > 0) {
@@ -837,7 +837,7 @@ void sec_audit_logger(modsec_rec *msr) {
const apr_array_header_t *tarr;
const apr_table_entry_t *telts;
tarr = apr_table_elts(msr->request_headers_to_sanitise);
tarr = apr_table_elts(msr->request_headers_to_sanitize);
telts = (const apr_table_entry_t*)tarr->elts;
if (tarr->nelts > 0) {
@@ -857,7 +857,7 @@ void sec_audit_logger(modsec_rec *msr) {
const apr_array_header_t *tarr;
const apr_table_entry_t *telts;
tarr = apr_table_elts(msr->response_headers_to_sanitise);
tarr = apr_table_elts(msr->response_headers_to_sanitize);
telts = (const apr_table_entry_t*)tarr->elts;
if (tarr->nelts > 0) {

4
apache2/msc_multipart.c
View File

@@ -1279,7 +1279,7 @@ int multipart_get_arguments(modsec_rec *msr, char *origin, apr_table_t *argument
/**
*
*/
char *multipart_reconstruct_urlencoded_body_sanitise(modsec_rec *msr) {
char *multipart_reconstruct_urlencoded_body_sanitize(modsec_rec *msr) {
multipart_part **parts;
char *body;
unsigned int body_len;
@@ -1317,7 +1317,7 @@ char *multipart_reconstruct_urlencoded_body_sanitise(modsec_rec *msr) {
* in the memory.
*/
if (msr->phase >= PHASE_LOGGING) {
if (apr_table_get(msr->arguments_to_sanitise, parts[i]->name) != NULL) {
if (apr_table_get(msr->arguments_to_sanitize, parts[i]->name) != NULL) {
memset(parts[i]->value, '*', strlen(parts[i]->value));
}
}

2
apache2/msc_multipart.h
View File

@@ -133,6 +133,6 @@ apr_status_t DSOLOCAL multipart_cleanup(modsec_rec *msr);
int DSOLOCAL multipart_get_arguments(modsec_rec *msr, char *origin, apr_table_t *arguments);
char DSOLOCAL *multipart_reconstruct_urlencoded_body_sanitise(modsec_rec *msr);
char DSOLOCAL *multipart_reconstruct_urlencoded_body_sanitize(modsec_rec *msr);
#endif

90
apache2/re_actions.c
View File

@@ -973,8 +973,8 @@ static char *msre_action_xmlns_validate(msre_engine *engine, msre_action *action
return NULL;
}
/* sanitiseArg */
static apr_status_t msre_action_sanitiseArg_execute(modsec_rec *msr, apr_pool_t *mptmp,
/* sanitizeArg */
static apr_status_t msre_action_sanitizeArg_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
const char *sargname = NULL;
@@ -990,7 +990,7 @@ static apr_status_t msre_action_sanitiseArg_execute(modsec_rec *msr, apr_pool_t
msc_arg *arg = (msc_arg *)telts[i].val;
if (strcasecmp(sargname, arg->name) == 0) {
apr_table_addn(msr->arguments_to_sanitise, arg->name, (void *)arg);
apr_table_addn(msr->arguments_to_sanitize, arg->name, (void *)arg);
}
}
@@ -1001,8 +1001,8 @@ static apr_status_t msre_action_sanitiseArg_execute(modsec_rec *msr, apr_pool_t
#define SANITISE_REQUEST_HEADER 2
#define SANITISE_RESPONSE_HEADER 3
/* sanitiseMatched */
static apr_status_t msre_action_sanitiseMatched_execute(modsec_rec *msr, apr_pool_t *mptmp,
/* sanitizeMatched */
static apr_status_t msre_action_sanitizeMatched_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
const char *sargname = NULL;
@@ -1041,7 +1041,7 @@ static apr_status_t msre_action_sanitiseMatched_execute(modsec_rec *msr, apr_poo
type = SANITISE_RESPONSE_HEADER;
}
else {
msr_log(msr, 3, "sanitiseMatched: Don't know how to handle variable: %s",
msr_log(msr, 3, "sanitizeMatched: Don't know how to handle variable: %s",
mvar->name);
return 0;
}
@@ -1053,17 +1053,17 @@ static apr_status_t msre_action_sanitiseMatched_execute(modsec_rec *msr, apr_poo
for (i = 0; i < tarr->nelts; i++) {
msc_arg *arg = (msc_arg *)telts[i].val;
if (strcasecmp(sargname, arg->name) == 0) {
apr_table_addn(msr->arguments_to_sanitise, arg->name, (void *)arg);
apr_table_addn(msr->arguments_to_sanitize, arg->name, (void *)arg);
}
}
break;
case SANITISE_REQUEST_HEADER :
apr_table_set(msr->request_headers_to_sanitise, sargname, "1");
apr_table_set(msr->request_headers_to_sanitize, sargname, "1");
break;
case SANITISE_RESPONSE_HEADER :
apr_table_set(msr->response_headers_to_sanitise, sargname, "1");
apr_table_set(msr->response_headers_to_sanitize, sargname, "1");
break;
default :
@@ -1074,19 +1074,19 @@ static apr_status_t msre_action_sanitiseMatched_execute(modsec_rec *msr, apr_poo
return 1;
}
/* sanitiseRequestHeader */
static apr_status_t msre_action_sanitiseRequestHeader_execute(modsec_rec *msr, apr_pool_t *mptmp,
/* sanitizeRequestHeader */
static apr_status_t msre_action_sanitizeRequestHeader_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
apr_table_set(msr->request_headers_to_sanitise, action->param, "1");
apr_table_set(msr->request_headers_to_sanitize, action->param, "1");
return 1;
}
/* sanitiseResponseHeader */
static apr_status_t msre_action_sanitiseResponseHeader_execute(modsec_rec *msr, apr_pool_t *mptmp,
/* sanitizeResponseHeader */
static apr_status_t msre_action_sanitizeResponseHeader_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
apr_table_set(msr->response_headers_to_sanitise, action->param, "1");
apr_table_set(msr->response_headers_to_sanitize, action->param, "1");
return 1;
}
@@ -2195,7 +2195,20 @@ void msre_engine_register_default_actions(msre_engine *engine) {
ACTION_CGROUP_NONE,
NULL,
NULL,
msre_action_sanitiseArg_execute
msre_action_sanitizeArg_execute
);
/* sanitizeArg */
msre_engine_action_register(engine,
"sanitizeArg",
ACTION_NON_DISRUPTIVE,
1, 1,
NO_PLUS_MINUS,
ACTION_CARDINALITY_MANY,
ACTION_CGROUP_NONE,
NULL,
NULL,
msre_action_sanitizeArg_execute
);
/* sanitiseMatched */
@@ -2208,7 +2221,20 @@ void msre_engine_register_default_actions(msre_engine *engine) {
ACTION_CGROUP_NONE,
NULL,
NULL,
msre_action_sanitiseMatched_execute
msre_action_sanitizeMatched_execute
);
/* sanitizeMatched */
msre_engine_action_register(engine,
"sanitizeMatched",
ACTION_NON_DISRUPTIVE,
0, 0,
NO_PLUS_MINUS,
ACTION_CARDINALITY_MANY,
ACTION_CGROUP_NONE,
NULL,
NULL,
msre_action_sanitizeMatched_execute
);
/* sanitiseRequestHeader */
@@ -2221,7 +2247,20 @@ void msre_engine_register_default_actions(msre_engine *engine) {
ACTION_CGROUP_NONE,
NULL,
NULL,
msre_action_sanitiseRequestHeader_execute
msre_action_sanitizeRequestHeader_execute
);
/* sanitizeRequestHeader */
msre_engine_action_register(engine,
"sanitizeRequestHeader",
ACTION_NON_DISRUPTIVE,
1, 1,
NO_PLUS_MINUS,
ACTION_CARDINALITY_MANY,
ACTION_CGROUP_NONE,
NULL,
NULL,
msre_action_sanitizeRequestHeader_execute
);
/* sanitiseResponseHeader */
@@ -2234,7 +2273,20 @@ void msre_engine_register_default_actions(msre_engine *engine) {
ACTION_CGROUP_NONE,
NULL,
NULL,
msre_action_sanitiseResponseHeader_execute
msre_action_sanitizeResponseHeader_execute
);
/* sanitizeResponseHeader */
msre_engine_action_register(engine,
"sanitizeResponseHeader",
ACTION_NON_DISRUPTIVE,
1, 1,
NO_PLUS_MINUS,
ACTION_CARDINALITY_MANY,
ACTION_CGROUP_NONE,
NULL,
NULL,
msre_action_sanitizeResponseHeader_execute
);
/* setenv */