Fix: quoted Include config with wildcard

2025-08-13 13:26:01 +03:00 · 2023-05-30 09:32:07 -07:00 · 2023-05-30 09:32:07 -07:00 · 938707d117
commit 938707d117
parent 2121938c51
4 changed files with 63 additions and 23 deletions
--- a/2
+++ b/2
@ -1,6 +1,8 @@
 v3.x.y - YYYY-MMM-DD (to be released)
 -------------------------------------

+  - Fix: quoted Include config with wildcard
+    [Issue #2905 - @wiseelf, @airween, @martinhsv]
  - Support isolated PCRE match limits
    [Issue #2736 - @brandonpayton, @martinhsv]
  - Fix: meta actions not applied if multiMatch in first rule of chain
--- a/src/parser/seclang-scanner.cc
+++ b/src/parser/seclang-scanner.cc
@ -1,5 +1,5 @@

-#line 2 "seclang-scanner.cc"
+#line 3 "seclang-scanner.cc"

 #define  YY_INT_ALIGNED short int

@ -5128,7 +5128,7 @@ static const flex_int16_t yy_rule_linenum[546] =
     1174, 1179, 1181, 1182, 1183, 1184, 1186, 1187, 1188, 1189,
     1191, 1192, 1193, 1194, 1196, 1198, 1199, 1201, 1202, 1203,
     1204, 1206, 1211, 1212, 1213, 1217, 1218, 1219, 1224, 1226,
-     1227, 1228, 1247, 1276, 1307
+     1227, 1228, 1247, 1276, 1306
    } ;

 /* The intent behind this definition is that it'll catch
@ -5214,15 +5214,15 @@ static std::stack<int> YY_PREVIOUS_STATE;
 #define BEGIN_PREVIOUS() { BEGIN(YY_PREVIOUS_STATE.top()); YY_PREVIOUS_STATE.pop(); }

 // The location of the current token.
-#line 5217 "seclang-scanner.cc"
+#line 5218 "seclang-scanner.cc"
 #define YY_NO_INPUT 1

 #line 494 "seclang-scanner.ll"
  // Code run each time a pattern is matched.
  # define YY_USER_ACTION  driver.loc.back()->columns (yyleng);

-#line 5224 "seclang-scanner.cc"
 #line 5225 "seclang-scanner.cc"
+#line 5226 "seclang-scanner.cc"

 #define INITIAL 0
 #define EXPECTING_ACTION_PREDICATE_VARIABLE 1
@ -5544,7 +5544,7 @@ YY_DECL
  // Code run each time yylex is called.
  driver.loc.back()->step();

-#line 5547 "seclang-scanner.cc"
+#line 5548 "seclang-scanner.cc"

 	while ( /*CONSTCOND*/1 )		/* loops until end-of-file is reached */
 		{
@ -8597,9 +8597,9 @@ YY_RULE_SETUP
 {
    std::string err;
    const char *tmpStr = yytext + strlen("include");
-    const char *file   = tmpStr + strspn( tmpStr, " \t");
-    char *f = strdup(file);
-    std::string fi = modsecurity::utils::find_resource(f, *driver.loc.back()->end.filename, &err);
+    const char *afterWhitespace   = tmpStr + strspn( tmpStr, " \t");
+    std::string file(afterWhitespace+1, strlen(afterWhitespace)-2);
+    std::string fi = modsecurity::utils::find_resource(file, *driver.loc.back()->end.filename, &err);
    if (fi.empty() == true) {
        BEGIN(INITIAL);
        driver.error (*driver.loc.back(), "", file + std::string(": Not able to open file. ") + err);
@ -8622,13 +8622,12 @@ YY_RULE_SETUP
        }
        yypush_buffer_state(yy_create_buffer( yyin, YY_BUF_SIZE ));
    }
-    free(f);
 }
 	YY_BREAK
 case 545:
 /* rule 545 can match eol */
 YY_RULE_SETUP
-#line 1307 "seclang-scanner.ll"
+#line 1306 "seclang-scanner.ll"
 {
    HttpsClient c;
    std::string key;
@ -8667,7 +8666,7 @@ YY_RULE_SETUP
 	YY_BREAK
 case 546:
 YY_RULE_SETUP
-#line 1344 "seclang-scanner.ll"
+#line 1343 "seclang-scanner.ll"
 ECHO;
 	YY_BREAK
 #line 8673 "seclang-scanner.cc"
@ -9775,7 +9774,7 @@ void yyfree (void * ptr )

 /* %ok-for-header */

-#line 1344 "seclang-scanner.ll"
+#line 1343 "seclang-scanner.ll"


 namespace modsecurity {
--- a/src/parser/seclang-scanner.ll
+++ b/src/parser/seclang-scanner.ll
@ -1275,9 +1275,9 @@ EQUALS_MINUS                            (?i:=\-)
 {CONFIG_INCLUDE}[ \t]+["]{CONFIG_VALUE_PATH}["] {
    std::string err;
    const char *tmpStr = yytext + strlen("include");
-    const char *file   = tmpStr + strspn( tmpStr, " \t");
-    char *f = strdup(file);
-    std::string fi = modsecurity::utils::find_resource(f, *driver.loc.back()->end.filename, &err);
+    const char *afterWhitespace   = tmpStr + strspn( tmpStr, " \t");
+    std::string file(afterWhitespace+1, strlen(afterWhitespace)-2);
+    std::string fi = modsecurity::utils::find_resource(file, *driver.loc.back()->end.filename, &err);
    if (fi.empty() == true) {
        BEGIN(INITIAL);
        driver.error (*driver.loc.back(), "", file + std::string(": Not able to open file. ") + err);
@ -1300,7 +1300,6 @@ EQUALS_MINUS                            (?i:=\-)
        }
        yypush_buffer_state(yy_create_buffer( yyin, YY_BUF_SIZE ));
    }
-    free(f);
 }

 {CONFIG_SEC_REMOTE_RULES}[ ][^ ]+[ ][^\n\r ]+ {
--- a/test/test-cases/regression/config-include.json
+++ b/test/test-cases/regression/config-include.json
@ -2,7 +2,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Include (1/7)",
+    "title":"Include (1/8)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -42,7 +42,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Include (2/7)",
+    "title":"Include (2/8)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -82,7 +82,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Include (3/7)",
+    "title":"Include (3/8)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -122,7 +122,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Include (4/7)",
+    "title":"Include (4/8)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -162,7 +162,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Include (5/7)",
+    "title":"Include (5/8)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -203,7 +203,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Include (6/7)",
+    "title":"Include (6/8)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -243,7 +243,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Include (7/7)",
+    "title":"Include (7/8)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -279,5 +279,45 @@
      "Include test-cases/data/conasdffig_example2.txt",
      "SecRule ARGS \"@contains test\" \"id:9,pass,t:trim\""
    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Include (8/8) -- quoted with wildcard",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?key=value&key=other_value",
+      "method":"GET"
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "debug_log":"Executing operator \"Contains\" with param \"config_example2\" against ARGS."
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "Include \"test-cases/data/config_ex*ple2.txt\"",
+      "SecRule ARGS \"@contains test\" \"id:9,pass,t:trim\""
+    ]
  }
 ]