Change 'sanitise' to 'sanitize' everywhere, preserving the 'sanitise' action variants for backward compatibility.

ivanr 2009-10-29 17:57:18 +00:00
parent 6d83f91b2b
commit 8fe278e845
8 changed files with 145 additions and 93 deletions


@ -297,12 +297,12 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) {
} }
} }
msr->arguments_to_sanitise = apr_table_make(msr->mp, 16); msr->arguments_to_sanitize = apr_table_make(msr->mp, 16);
if (msr->arguments_to_sanitise == NULL) return -1; if (msr->arguments_to_sanitize == NULL) return -1;
msr->request_headers_to_sanitise = apr_table_make(msr->mp, 16); msr->request_headers_to_sanitize = apr_table_make(msr->mp, 16);
if (msr->request_headers_to_sanitise == NULL) return -1; if (msr->request_headers_to_sanitize == NULL) return -1;
msr->response_headers_to_sanitise = apr_table_make(msr->mp, 16); msr->response_headers_to_sanitize = apr_table_make(msr->mp, 16);
if (msr->response_headers_to_sanitise == NULL) return -1; if (msr->response_headers_to_sanitize == NULL) return -1;
/* Initialise cookies */ /* Initialise cookies */
msr->request_cookies = apr_table_make(msr->mp, 16); msr->request_cookies = apr_table_make(msr->mp, 16);


@ -250,9 +250,9 @@ struct modsec_rec {
const char *request_content_type; const char *request_content_type;
apr_table_t *arguments; apr_table_t *arguments;
apr_table_t *arguments_to_sanitise; apr_table_t *arguments_to_sanitize;
apr_table_t *request_headers_to_sanitise; apr_table_t *request_headers_to_sanitize;
apr_table_t *response_headers_to_sanitise; apr_table_t *response_headers_to_sanitize;
apr_table_t *request_cookies; apr_table_t *request_cookies;
unsigned int is_relevant; unsigned int is_relevant;


@ -287,7 +287,7 @@ static char *create_auditlog_boundary(request_rec *r) {
* Sanitises the request line by removing the parameters * Sanitises the request line by removing the parameters
* that have been marked as sensitive. * that have been marked as sensitive.
*/ */
static void sanitise_request_line(modsec_rec *msr) { static void sanitize_request_line(modsec_rec *msr) {
const apr_array_header_t *tarr; const apr_array_header_t *tarr;
const apr_table_entry_t *telts; const apr_table_entry_t *telts;
int i; int i;
@ -299,7 +299,7 @@ static void sanitise_request_line(modsec_rec *msr) {
qspos++; qspos++;
/* Loop through the list of sensitive parameters. */ /* Loop through the list of sensitive parameters. */
tarr = apr_table_elts(msr->arguments_to_sanitise); tarr = apr_table_elts(msr->arguments_to_sanitize);
telts = (const apr_table_entry_t*)tarr->elts; telts = (const apr_table_entry_t*)tarr->elts;
for (i = 0; i < tarr->nelts; i++) { for (i = 0; i < tarr->nelts; i++) {
msc_arg *arg = (msc_arg *)telts[i].val; msc_arg *arg = (msc_arg *)telts[i].val;
@ -313,7 +313,7 @@ static void sanitise_request_line(modsec_rec *msr) {
j = arg->value_origin_offset; j = arg->value_origin_offset;
while((*p != '\0')&&(j--)) p++; while((*p != '\0')&&(j--)) p++;
if (*p == '\0') { if (*p == '\0') {
msr_log(msr, 1, "Unable to sanitise variable \"%s\" at offset %u of QUERY_STRING" msr_log(msr, 1, "Unable to sanitize variable \"%s\" at offset %u of QUERY_STRING"
"because the request line is too short.", "because the request line is too short.",
log_escape_ex(msr->mp, arg->name, arg->name_len), log_escape_ex(msr->mp, arg->name, arg->name_len),
arg->value_origin_offset); arg->value_origin_offset);
@ -326,7 +326,7 @@ static void sanitise_request_line(modsec_rec *msr) {
*p++ = '*'; *p++ = '*';
} }
if (*p == '\0') { if (*p == '\0') {
msr_log(msr, 1, "Unable to sanitise variable \"%s\" at offset %u (size %d) " msr_log(msr, 1, "Unable to sanitize variable \"%s\" at offset %u (size %d) "
"of QUERY_STRING because the request line is too short.", "of QUERY_STRING because the request line is too short.",
log_escape_ex(msr->mp, arg->name, arg->name_len), log_escape_ex(msr->mp, arg->name, arg->name_len),
arg->value_origin_offset, arg->value_origin_len); arg->value_origin_offset, arg->value_origin_len);
@ -491,7 +491,7 @@ void sec_audit_logger(modsec_rec *msr) {
text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_REQUEST_HEADERS); text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_REQUEST_HEADERS);
sec_auditlog_write(msr, text, strlen(text)); sec_auditlog_write(msr, text, strlen(text));
sanitise_request_line(msr); sanitize_request_line(msr);
sec_auditlog_write(msr, msr->request_line, strlen(msr->request_line)); sec_auditlog_write(msr, msr->request_line, strlen(msr->request_line));
sec_auditlog_write(msr, "\n", 1); sec_auditlog_write(msr, "\n", 1);
@ -500,9 +500,9 @@ void sec_audit_logger(modsec_rec *msr) {
te = (apr_table_entry_t *)arr->elts; te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) { for (i = 0; i < arr->nelts; i++) {
text = apr_psprintf(msr->mp, "%s: %s\n", te[i].key, te[i].val); text = apr_psprintf(msr->mp, "%s: %s\n", te[i].key, te[i].val);
/* Do we need to sanitise this request header? */ /* Do we need to sanitize this request header? */
if (apr_table_get(msr->request_headers_to_sanitise, te[i].key) != NULL) { if (apr_table_get(msr->request_headers_to_sanitize, te[i].key) != NULL) {
/* Yes, sanitise it. */ /* Yes, sanitize it. */
memset(text + strlen(te[i].key) + 2, '*', strlen(te[i].val)); memset(text + strlen(te[i].key) + 2, '*', strlen(te[i].val));
} }
sec_auditlog_write(msr, text, strlen(text)); sec_auditlog_write(msr, text, strlen(text));
@ -525,17 +525,17 @@ void sec_audit_logger(modsec_rec *msr) {
apr_array_header_t *sorted_args; apr_array_header_t *sorted_args;
unsigned int offset = 0, last_offset = 0; unsigned int offset = 0, last_offset = 0;
msc_arg *nextarg = NULL; msc_arg *nextarg = NULL;
int sanitise = 0; /* IMP1 Use constants for "sanitise" values. */ int sanitize = 0; /* IMP1 Use constants for "sanitize" values. */
char *my_error_msg = NULL; char *my_error_msg = NULL;
sorted_args = apr_array_make(msr->mp, 25, sizeof(const msc_arg *)); sorted_args = apr_array_make(msr->mp, 25, sizeof(const msc_arg *));
/* First we need to sort the arguments that need to be /* First we need to sort the arguments that need to be
* sanitised in descending order (we are using a stack structure * sanitized in descending order (we are using a stack structure
* to store then so the order will be ascending when we start * to store then so the order will be ascending when we start
* popping them out). This is because we will * popping them out). This is because we will
* be reading the request body sequentially and must * be reading the request body sequentially and must
* sanitise it as we go. * sanitize it as we go.
*/ */
for(;;) { for(;;) {
@ -544,7 +544,7 @@ void sec_audit_logger(modsec_rec *msr) {
/* Find the next largest offset (excluding /* Find the next largest offset (excluding
* the ones we've used up already). * the ones we've used up already).
*/ */
tarr = apr_table_elts(msr->arguments_to_sanitise); tarr = apr_table_elts(msr->arguments_to_sanitize);
telts = (const apr_table_entry_t*)tarr->elts; telts = (const apr_table_entry_t*)tarr->elts;
for(i = 0; i < tarr->nelts; i++) { for(i = 0; i < tarr->nelts; i++) {
msc_arg *arg = (msc_arg *)telts[i].val; msc_arg *arg = (msc_arg *)telts[i].val;
@ -570,7 +570,7 @@ void sec_audit_logger(modsec_rec *msr) {
*/ */
if (nextarg == NULL) break; if (nextarg == NULL) break;
sanitise = 2; /* Means time to pop the next argument out. */ sanitize = 2; /* Means time to pop the next argument out. */
last_offset = offset; last_offset = offset;
offset = 0; offset = 0;
{ /* IMP1 Fix this ugly bit here. */ { /* IMP1 Fix this ugly bit here. */
@ -580,7 +580,7 @@ void sec_audit_logger(modsec_rec *msr) {
} }
/* Now start retrieving the body chunk by chunk and /* Now start retrieving the body chunk by chunk and
* sanitise data in pieces. * sanitize data in pieces.
*/ */
rc = modsecurity_request_body_retrieve_start(msr, &my_error_msg); rc = modsecurity_request_body_retrieve_start(msr, &my_error_msg);
@ -589,8 +589,8 @@ void sec_audit_logger(modsec_rec *msr) {
} else { } else {
msc_data_chunk *chunk = NULL; msc_data_chunk *chunk = NULL;
unsigned int chunk_offset = 0; unsigned int chunk_offset = 0;
unsigned int sanitise_offset = 0; unsigned int sanitize_offset = 0;
unsigned int sanitise_length = 0; unsigned int sanitize_length = 0;
text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_REQUEST_BODY); text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_REQUEST_BODY);
sec_auditlog_write(msr, text, strlen(text)); sec_auditlog_write(msr, text, strlen(text));
@ -598,46 +598,46 @@ void sec_audit_logger(modsec_rec *msr) {
for(;;) { for(;;) {
rc = modsecurity_request_body_retrieve(msr, &chunk, -1, &my_error_msg); rc = modsecurity_request_body_retrieve(msr, &chunk, -1, &my_error_msg);
if (chunk != NULL) { if (chunk != NULL) {
/* Anything greater than 1 means we have more data to sanitise. */ /* Anything greater than 1 means we have more data to sanitize. */
while (sanitise > 1) { while (sanitize > 1) {
msc_arg **arg = NULL; msc_arg **arg = NULL;
if (sanitise == 2) { if (sanitize == 2) {
/* Get the next argument from the stack. */ /* Get the next argument from the stack. */
arg = (msc_arg **)apr_array_pop(sorted_args); arg = (msc_arg **)apr_array_pop(sorted_args);
if (arg == NULL) sanitise = 0; /* We're done sanitising. */ if (arg == NULL) sanitize = 0; /* We're done sanitising. */
else { else {
/* Continue with sanitation to process the /* Continue with sanitation to process the
* retrieved argument. * retrieved argument.
*/ */
sanitise = 1; sanitize = 1;
sanitise_offset = (*arg)->value_origin_offset; sanitize_offset = (*arg)->value_origin_offset;
sanitise_length = (*arg)->value_origin_len; sanitize_length = (*arg)->value_origin_len;
} }
} }
if (sanitise) { if (sanitize) {
/* Check if the data we want to sanitise is /* Check if the data we want to sanitize is
* stored in the current chunk. * stored in the current chunk.
*/ */
if (chunk_offset + chunk->length > sanitise_offset) { if (chunk_offset + chunk->length > sanitize_offset) {
unsigned int soff; /* data offset within chunk */ unsigned int soff; /* data offset within chunk */
unsigned int len; /* amount in this chunk to sanitise */ unsigned int len; /* amount in this chunk to sanitize */
soff = sanitise_offset - chunk_offset; soff = sanitize_offset - chunk_offset;
if (soff + sanitise_length <= chunk->length) { if (soff + sanitize_length <= chunk->length) {
/* The entire argument resides in the current chunk. */ /* The entire argument resides in the current chunk. */
len = sanitise_length; len = sanitize_length;
sanitise = 2; /* Get another parameter to sanitise. */ sanitize = 2; /* Get another parameter to sanitize. */
} else { } else {
/* Some work to do here but we'll need to seek /* Some work to do here but we'll need to seek
* another chunk. * another chunk.
*/ */
len = chunk->length - soff; len = chunk->length - soff;
sanitise_offset += len; sanitize_offset += len;
sanitise_length -= len; sanitize_length -= len;
sanitise = 1; /* It's OK to go to the next chunk. */ sanitize = 1; /* It's OK to go to the next chunk. */
} }
/* Yes, we actually write over the original data. /* Yes, we actually write over the original data.
@ -650,7 +650,7 @@ void sec_audit_logger(modsec_rec *msr) {
} }
} }
/* Write the sanitised chunk to the log /* Write the sanitized chunk to the log
* and advance to the next chunk. */ * and advance to the next chunk. */
sec_auditlog_write(msr, chunk->data, chunk->length); sec_auditlog_write(msr, chunk->data, chunk->length);
chunk_offset += chunk->length; chunk_offset += chunk->length;
@ -676,7 +676,7 @@ void sec_audit_logger(modsec_rec *msr) {
if ((msr->msc_reqbody_read)&&(msr->mpd != NULL)) { if ((msr->msc_reqbody_read)&&(msr->mpd != NULL)) {
char *buffer = NULL; char *buffer = NULL;
buffer = multipart_reconstruct_urlencoded_body_sanitise(msr); buffer = multipart_reconstruct_urlencoded_body_sanitize(msr);
if (buffer == NULL) { if (buffer == NULL) {
msr_log(msr, 1, "Audit log: Failed to reconstruct request body."); msr_log(msr, 1, "Audit log: Failed to reconstruct request body.");
} else { } else {
@ -710,9 +710,9 @@ void sec_audit_logger(modsec_rec *msr) {
te = (apr_table_entry_t *)arr->elts; te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) { for (i = 0; i < arr->nelts; i++) {
text = apr_psprintf(msr->mp, "%s: %s\n", te[i].key, te[i].val); text = apr_psprintf(msr->mp, "%s: %s\n", te[i].key, te[i].val);
/* Do we need to sanitise this response header? */ /* Do we need to sanitize this response header? */
if (apr_table_get(msr->response_headers_to_sanitise, te[i].key) != NULL) { if (apr_table_get(msr->response_headers_to_sanitize, te[i].key) != NULL) {
/* Yes, sanitise it. */ /* Yes, sanitize it. */
memset(text + strlen(te[i].key) + 2, '*', strlen(te[i].val)); memset(text + strlen(te[i].key) + 2, '*', strlen(te[i].val));
} }
sec_auditlog_write(msr, text, strlen(text)); sec_auditlog_write(msr, text, strlen(text));
@ -816,7 +816,7 @@ void sec_audit_logger(modsec_rec *msr) {
const apr_array_header_t *tarr; const apr_array_header_t *tarr;
const apr_table_entry_t *telts; const apr_table_entry_t *telts;
tarr = apr_table_elts(msr->arguments_to_sanitise); tarr = apr_table_elts(msr->arguments_to_sanitize);
telts = (const apr_table_entry_t*)tarr->elts; telts = (const apr_table_entry_t*)tarr->elts;
if (tarr->nelts > 0) { if (tarr->nelts > 0) {
@ -837,7 +837,7 @@ void sec_audit_logger(modsec_rec *msr) {
const apr_array_header_t *tarr; const apr_array_header_t *tarr;
const apr_table_entry_t *telts; const apr_table_entry_t *telts;
tarr = apr_table_elts(msr->request_headers_to_sanitise); tarr = apr_table_elts(msr->request_headers_to_sanitize);
telts = (const apr_table_entry_t*)tarr->elts; telts = (const apr_table_entry_t*)tarr->elts;
if (tarr->nelts > 0) { if (tarr->nelts > 0) {
@ -857,7 +857,7 @@ void sec_audit_logger(modsec_rec *msr) {
const apr_array_header_t *tarr; const apr_array_header_t *tarr;
const apr_table_entry_t *telts; const apr_table_entry_t *telts;
tarr = apr_table_elts(msr->response_headers_to_sanitise); tarr = apr_table_elts(msr->response_headers_to_sanitize);
telts = (const apr_table_entry_t*)tarr->elts; telts = (const apr_table_entry_t*)tarr->elts;
if (tarr->nelts > 0) { if (tarr->nelts > 0) {


@ -1279,7 +1279,7 @@ int multipart_get_arguments(modsec_rec *msr, char *origin, apr_table_t *argument
/** /**
* *
*/ */
char *multipart_reconstruct_urlencoded_body_sanitise(modsec_rec *msr) { char *multipart_reconstruct_urlencoded_body_sanitize(modsec_rec *msr) {
multipart_part **parts; multipart_part **parts;
char *body; char *body;
unsigned int body_len; unsigned int body_len;
@ -1317,7 +1317,7 @@ char *multipart_reconstruct_urlencoded_body_sanitise(modsec_rec *msr) {
* in the memory. * in the memory.
*/ */
if (msr->phase >= PHASE_LOGGING) { if (msr->phase >= PHASE_LOGGING) {
if (apr_table_get(msr->arguments_to_sanitise, parts[i]->name) != NULL) { if (apr_table_get(msr->arguments_to_sanitize, parts[i]->name) != NULL) {
memset(parts[i]->value, '*', strlen(parts[i]->value)); memset(parts[i]->value, '*', strlen(parts[i]->value));
} }
} }


@ -133,6 +133,6 @@ apr_status_t DSOLOCAL multipart_cleanup(modsec_rec *msr);
int DSOLOCAL multipart_get_arguments(modsec_rec *msr, char *origin, apr_table_t *arguments); int DSOLOCAL multipart_get_arguments(modsec_rec *msr, char *origin, apr_table_t *arguments);
char DSOLOCAL *multipart_reconstruct_urlencoded_body_sanitise(modsec_rec *msr); char DSOLOCAL *multipart_reconstruct_urlencoded_body_sanitize(modsec_rec *msr);
#endif #endif


@ -973,8 +973,8 @@ static char *msre_action_xmlns_validate(msre_engine *engine, msre_action *action
return NULL; return NULL;
} }
/* sanitiseArg */ /* sanitizeArg */
static apr_status_t msre_action_sanitiseArg_execute(modsec_rec *msr, apr_pool_t *mptmp, static apr_status_t msre_action_sanitizeArg_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action) msre_rule *rule, msre_action *action)
{ {
const char *sargname = NULL; const char *sargname = NULL;
@ -990,7 +990,7 @@ static apr_status_t msre_action_sanitiseArg_execute(modsec_rec *msr, apr_pool_t
msc_arg *arg = (msc_arg *)telts[i].val; msc_arg *arg = (msc_arg *)telts[i].val;
if (strcasecmp(sargname, arg->name) == 0) { if (strcasecmp(sargname, arg->name) == 0) {
apr_table_addn(msr->arguments_to_sanitise, arg->name, (void *)arg); apr_table_addn(msr->arguments_to_sanitize, arg->name, (void *)arg);
} }
} }
@ -1001,8 +1001,8 @@ static apr_status_t msre_action_sanitiseArg_execute(modsec_rec *msr, apr_pool_t
#define SANITISE_REQUEST_HEADER 2 #define SANITISE_REQUEST_HEADER 2
#define SANITISE_RESPONSE_HEADER 3 #define SANITISE_RESPONSE_HEADER 3
/* sanitiseMatched */ /* sanitizeMatched */
static apr_status_t msre_action_sanitiseMatched_execute(modsec_rec *msr, apr_pool_t *mptmp, static apr_status_t msre_action_sanitizeMatched_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action) msre_rule *rule, msre_action *action)
{ {
const char *sargname = NULL; const char *sargname = NULL;
@ -1041,7 +1041,7 @@ static apr_status_t msre_action_sanitiseMatched_execute(modsec_rec *msr, apr_poo
type = SANITISE_RESPONSE_HEADER; type = SANITISE_RESPONSE_HEADER;
} }
else { else {
msr_log(msr, 3, "sanitiseMatched: Don't know how to handle variable: %s", msr_log(msr, 3, "sanitizeMatched: Don't know how to handle variable: %s",
mvar->name); mvar->name);
return 0; return 0;
} }
@ -1053,17 +1053,17 @@ static apr_status_t msre_action_sanitiseMatched_execute(modsec_rec *msr, apr_poo
for (i = 0; i < tarr->nelts; i++) { for (i = 0; i < tarr->nelts; i++) {
msc_arg *arg = (msc_arg *)telts[i].val; msc_arg *arg = (msc_arg *)telts[i].val;
if (strcasecmp(sargname, arg->name) == 0) { if (strcasecmp(sargname, arg->name) == 0) {
apr_table_addn(msr->arguments_to_sanitise, arg->name, (void *)arg); apr_table_addn(msr->arguments_to_sanitize, arg->name, (void *)arg);
} }
} }
break; break;
case SANITISE_REQUEST_HEADER : case SANITISE_REQUEST_HEADER :
apr_table_set(msr->request_headers_to_sanitise, sargname, "1"); apr_table_set(msr->request_headers_to_sanitize, sargname, "1");
break; break;
case SANITISE_RESPONSE_HEADER : case SANITISE_RESPONSE_HEADER :
apr_table_set(msr->response_headers_to_sanitise, sargname, "1"); apr_table_set(msr->response_headers_to_sanitize, sargname, "1");
break; break;
default : default :
@ -1074,19 +1074,19 @@ static apr_status_t msre_action_sanitiseMatched_execute(modsec_rec *msr, apr_poo
return 1; return 1;
} }
/* sanitiseRequestHeader */ /* sanitizeRequestHeader */
static apr_status_t msre_action_sanitiseRequestHeader_execute(modsec_rec *msr, apr_pool_t *mptmp, static apr_status_t msre_action_sanitizeRequestHeader_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action) msre_rule *rule, msre_action *action)
{ {
apr_table_set(msr->request_headers_to_sanitise, action->param, "1"); apr_table_set(msr->request_headers_to_sanitize, action->param, "1");
return 1; return 1;
} }
/* sanitiseResponseHeader */ /* sanitizeResponseHeader */
static apr_status_t msre_action_sanitiseResponseHeader_execute(modsec_rec *msr, apr_pool_t *mptmp, static apr_status_t msre_action_sanitizeResponseHeader_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action) msre_rule *rule, msre_action *action)
{ {
apr_table_set(msr->response_headers_to_sanitise, action->param, "1"); apr_table_set(msr->response_headers_to_sanitize, action->param, "1");
return 1; return 1;
} }
@ -2195,7 +2195,20 @@ void msre_engine_register_default_actions(msre_engine *engine) {
ACTION_CGROUP_NONE, ACTION_CGROUP_NONE,
NULL, NULL,
NULL, NULL,
msre_action_sanitiseArg_execute msre_action_sanitizeArg_execute
);
/* sanitizeArg */
msre_engine_action_register(engine,
"sanitizeArg",
ACTION_NON_DISRUPTIVE,
1, 1,
NO_PLUS_MINUS,
ACTION_CARDINALITY_MANY,
ACTION_CGROUP_NONE,
NULL,
NULL,
msre_action_sanitizeArg_execute
); );
/* sanitiseMatched */ /* sanitiseMatched */
@ -2208,7 +2221,20 @@ void msre_engine_register_default_actions(msre_engine *engine) {
ACTION_CGROUP_NONE, ACTION_CGROUP_NONE,
NULL, NULL,
NULL, NULL,
msre_action_sanitiseMatched_execute msre_action_sanitizeMatched_execute
);
/* sanitizeMatched */
msre_engine_action_register(engine,
"sanitizeMatched",
ACTION_NON_DISRUPTIVE,
0, 0,
NO_PLUS_MINUS,
ACTION_CARDINALITY_MANY,
ACTION_CGROUP_NONE,
NULL,
NULL,
msre_action_sanitizeMatched_execute
); );
/* sanitiseRequestHeader */ /* sanitiseRequestHeader */
@ -2221,7 +2247,20 @@ void msre_engine_register_default_actions(msre_engine *engine) {
ACTION_CGROUP_NONE, ACTION_CGROUP_NONE,
NULL, NULL,
NULL, NULL,
msre_action_sanitiseRequestHeader_execute msre_action_sanitizeRequestHeader_execute
);
/* sanitizeRequestHeader */
msre_engine_action_register(engine,
"sanitizeRequestHeader",
ACTION_NON_DISRUPTIVE,
1, 1,
NO_PLUS_MINUS,
ACTION_CARDINALITY_MANY,
ACTION_CGROUP_NONE,
NULL,
NULL,
msre_action_sanitizeRequestHeader_execute
); );
/* sanitiseResponseHeader */ /* sanitiseResponseHeader */
@ -2234,7 +2273,20 @@ void msre_engine_register_default_actions(msre_engine *engine) {
ACTION_CGROUP_NONE, ACTION_CGROUP_NONE,
NULL, NULL,
NULL, NULL,
msre_action_sanitiseResponseHeader_execute msre_action_sanitizeResponseHeader_execute
);
/* sanitizeResponseHeader */
msre_engine_action_register(engine,
"sanitizeResponseHeader",
ACTION_NON_DISRUPTIVE,
1, 1,
NO_PLUS_MINUS,
ACTION_CARDINALITY_MANY,
ACTION_CGROUP_NONE,
NULL,
NULL,
msre_action_sanitizeResponseHeader_execute
); );
/* setenv */ /* setenv */
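Review bot: The four new msre_engine_action_register calls ("sanitizeArg", "sanitizeMatched", "sanitizeRequestHeader", "sanitizeResponseHeader") leave the old "sanitise*" registrations in place, but nothing in the code says why, so a later cleanup could drop the legacy block as an apparent duplicate; I would mark each legacy registration with a comment such as `/* sanitiseArg: legacy spelling kept for existing rule sets; same flags and handler as sanitizeArg */`, or register each name pair from a small table so the flags, cardinality and handler cannot drift between the two spellings. The rename also stops short of the `SANITISE_REQUEST_HEADER` / `SANITISE_RESPONSE_HEADER` macros in the sanitizeMatched hunk, although the commit message says the change was made everywhere. Because both spellings share `msre_action_sanitizeMatched_execute`, the level-3 log line now reads `sanitizeMatched: Don't know how to handle variable` even for rules written with the old spelling — harmless, but worth a note for anyone grepping logs. msre_engine_register_default_actions begins and ends outside this hunk.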


@ -5126,7 +5126,7 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403</programlisting>
</section> </section>
<section> <section>
<title><literal>sanitiseArg</literal></title> <title><literal>sanitizeArg</literal></title>
<para><emphasis>Description:</emphasis> Sanitises (replaces each byte <para><emphasis>Description:</emphasis> Sanitises (replaces each byte
with an asterisk) a named request argument prior to audit with an asterisk) a named request argument prior to audit
@ -5136,7 +5136,7 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403</programlisting>
<para>Example:</para> <para>Example:</para>
<programlisting format="linespecific">SecAction nolog,phase:2,<emphasis>sanitiseArg:password</emphasis></programlisting> <programlisting format="linespecific">SecAction nolog,phase:2,<emphasis>sanitizeArg:password</emphasis></programlisting>
<para><emphasis>Note</emphasis></para> <para><emphasis>Note</emphasis></para>
@ -5148,7 +5148,7 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403</programlisting>
</section> </section>
<section> <section>
<title><literal>sanitiseMatched</literal></title> <title><literal>sanitizeMatched</literal></title>
<para><emphasis>Description:</emphasis> Sanitises the variable (request <para><emphasis>Description:</emphasis> Sanitises the variable (request
argument, request header, or response header) that caused a rule argument, request header, or response header) that caused a rule
@ -5156,52 +5156,52 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403</programlisting>
<para><emphasis>Action Group:</emphasis> Non-disruptive</para> <para><emphasis>Action Group:</emphasis> Non-disruptive</para>
<para>Example: This action can be used to sanitise arbitrary transaction <para>Example: This action can be used to sanitize arbitrary transaction
elements when they match a condition. For example, the example below elements when they match a condition. For example, the example below
will sanitise any argument that contains the word<emphasis> will sanitize any argument that contains the word<emphasis>
password</emphasis> in the name.</para> password</emphasis> in the name.</para>
<programlisting format="linespecific">SecRule ARGS_NAMES password nolog,pass,<emphasis>sanitiseMatched</emphasis></programlisting> <programlisting format="linespecific">SecRule ARGS_NAMES password nolog,pass,<emphasis>sanitizeMatched</emphasis></programlisting>
<para><emphasis>Note</emphasis></para> <para><emphasis>Note</emphasis></para>
<para>Same note as sanitiseArg.</para> <para>Same note as sanitizeArg.</para>
</section> </section>
<section> <section>
<title><literal>sanitiseRequestHeader</literal></title> <title><literal>sanitizeRequestHeader</literal></title>
<para><emphasis>Description:</emphasis> Sanitises a named request <para><emphasis>Description:</emphasis> Sanitises a named request
header.</para> header.</para>
<para><emphasis>Action Group:</emphasis> Non-disruptive</para> <para><emphasis>Action Group:</emphasis> Non-disruptive</para>
<para>Example: This will sanitise the data in the Authorization <para>Example: This will sanitize the data in the Authorization
header.</para> header.</para>
<programlisting format="linespecific">SecAction log,phase:1,<emphasis>sanitiseRequestHeader:Authorization</emphasis></programlisting> <programlisting format="linespecific">SecAction log,phase:1,<emphasis>sanitizeRequestHeader:Authorization</emphasis></programlisting>
<para><emphasis>Note</emphasis></para> <para><emphasis>Note</emphasis></para>
<para>Same note as sanitiseArg.</para> <para>Same note as sanitizeArg.</para>
</section> </section>
<section> <section>
<title><literal>sanitiseResponseHeader</literal></title> <title><literal>sanitizeResponseHeader</literal></title>
<para><emphasis>Description:</emphasis> Sanitises a named response <para><emphasis>Description:</emphasis> Sanitises a named response
header.</para> header.</para>
<para><emphasis>Action Group:</emphasis> Non-disruptive</para> <para><emphasis>Action Group:</emphasis> Non-disruptive</para>
<para>Example: This will sanitise the Set-Cookie data sent to the <para>Example: This will sanitize the Set-Cookie data sent to the
client.</para> client.</para>
<programlisting format="linespecific">SecAction log,phase:3,<emphasis>sanitiseResponseHeader:Set-Cookie</emphasis></programlisting> <programlisting format="linespecific">SecAction log,phase:3,<emphasis>sanitizeResponseHeader:Set-Cookie</emphasis></programlisting>
<para><emphasis>Note</emphasis></para> <para><emphasis>Note</emphasis></para>
<para>Same note as sanitiseArg.</para> <para>Same note as sanitizeArg.</para>
</section> </section>
<section> <section>
@ -5958,7 +5958,7 @@ SecRule XML "<emphasis>@validateSchema /path/to/apache2/conf/xml.xsd</emphasis>"
<para>Example:</para> <para>Example:</para>
<programlisting format="linespecific">SecRule ARGS "<emphasis>@verifyCC \d{13,16}</emphasis>" \ <programlisting format="linespecific">SecRule ARGS "<emphasis>@verifyCC \d{13,16}</emphasis>" \
"phase:2,sanitiseMatched,log,auditlog,pass,msg:'Potential credit card number'"</programlisting> "phase:2,sanitizeMatched,log,auditlog,pass,msg:'Potential credit card number'"</programlisting>
</section> </section>
<section> <section>


@ -347,7 +347,7 @@
<para>ModSecurity alerts will always contain text fragments that were <para>ModSecurity alerts will always contain text fragments that were
taken from configuration or the transaction. Such text fragments escaped taken from configuration or the transaction. Such text fragments escaped
before they are user in messages, in order to sanitise the potentially before they are user in messages, in order to sanitize the potentially
dangerous characters. They are also sometimes surrounded using double dangerous characters. They are also sometimes surrounded using double
quotes. The escaping algorithm is as follows:<orderedlist> quotes. The escaping algorithm is as follows:<orderedlist>
<listitem> <listitem>
@ -856,7 +856,7 @@ Server: Apache/2.x.x
<title>Sanitised-Args</title> <title>Sanitised-Args</title>
<para>The <literal>Sanitised-Args</literal> header contains a list <para>The <literal>Sanitised-Args</literal> header contains a list
of arguments that were sanitised (each byte of their content of arguments that were sanitized (each byte of their content
replaced with an asterisk) before logging. For example:</para> replaced with an asterisk) before logging. For example:</para>
<programlisting>Sanitised-Args: "old_password", "new_password", "new_password_repeat".</programlisting> <programlisting>Sanitised-Args: "old_password", "new_password", "new_password_repeat".</programlisting>
@ -866,7 +866,7 @@ Server: Apache/2.x.x
<title>Sanitised-Request-Headers</title> <title>Sanitised-Request-Headers</title>
<para>The <literal>Sanitised-Request-Headers</literal> header <para>The <literal>Sanitised-Request-Headers</literal> header
contains a list of request headers that were sanitised before contains a list of request headers that were sanitized before
logging. For example:</para> logging. For example:</para>
<programlisting>Sanitised-Request-Headers: "Authentication".</programlisting> <programlisting>Sanitised-Request-Headers: "Authentication".</programlisting>
@ -876,7 +876,7 @@ Server: Apache/2.x.x
<title>Sanitised-Response-Headers</title> <title>Sanitised-Response-Headers</title>
<para>The <literal>Sanitised-Response-Headers</literal> header <para>The <literal>Sanitised-Response-Headers</literal> header
contains a list of response headers that were sanitised before contains a list of response headers that were sanitized before
logging. For example:</para> logging. For example:</para>
<programlisting>Sanitised-Response-Headers: "My-Custom-Header".</programlisting> <programlisting>Sanitised-Response-Headers: "My-Custom-Header".</programlisting>