merge upstream & update configs

CHANGES

@@ -1,3 +1,56 @@
+23 Jul 2013 - 2.7.5
+-------------------
+Improvements:
+
+    * SecUnicodeCodePage is deprecated. SecUnicodeMapFile now accepts the code page as a second parameter.
+
+    * Updated Libinjection to version 3.4.1. Many improvements were made.
+
+    * Severity action now supports strings (emergency, alert, critical, error, warning, notice, info, debug).
+
+Bug Fixes:
+
+    * Fixed utf8toUnicode tfn null byte conversion.
+
+    * Fixed NGINX crash when issue reload command.
+
+    * Fixed flush output buffer before inject modified hashed response body.
+
+    * Fixed url normalization for Hash Engine.
+
+    * Fixed NGINX ap_unixd_set_global_perms_mutex compilation error with apache 2.4 devel files.
+
+Security Issues:
+
+10 May 2013 - 2.7.4
+-------------------
+Improvements:
+
+    * Added Libinjection project http://www.client9.com/projects/libinjection/ as a new operator @detectSQLi. (Thanks Nick Galbreath).
+
+    * Added new variable SDBM_DELETE_ERROR that will be set to 1 when sdbm engine fails to delete entries.
+
+    * NGINX is now set to STABLE. Thanks chaizhenhua and all the people in community who help the project testing, sending feedback and patches.
+
+Bug Fixes:
+
+    * Fixed SecRulePerfTime storing unnecessary rules performance times.
+
+    * Fixed Possible SDBM deadlock condition.
+
+    * Fixed Possible @rsub memory leak.
+
+    * Fixed REMOTE_ADDR content will receive the client ip address when mod_remoteip.c is present.
+
+    * Fixed NGINX Audit engine in Concurrent mode was overwriting existing alert files because a issue with UNIQUE_ID.
+
+    * Fixed CPU 100% issue in NGINX port. This is also related to an memory leak when loading response body.
+
+Security Issues:
+
+    * Fixed Remote Null Pointer DeReference (CVE-2013-2765). When forceRequestBodyVariable action is triggered and a unknown Content-Type is used,
+      mod_security will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL. (Thanks Younes JAAIDI).
+
 28 Mar 2013 - 2.7.3
 -------------------
 
@@ -32,7 +85,7 @@
 
   * SECURITY: Added SecXmlExternalEntity (On|Off - default it Off) that will disable
     by default the external entity load task executed by LibXml2. This is a security issue
-    reported by Timur Yunusov, Alexey Osipov (Positive Technologies).
+    [CVE-2013-1915] reported by Timur Yunusov, Alexey Osipov (Positive Technologies).
 
 21 Jan 2013 - 2.7.2
 -------------------
@@ -130,7 +183,7 @@
     support Include directive like Apache2.
 
   * Added MULTIPART_INVALID_PART flag. Also used in rule id 200002 for multipart strict
-    validation.
+    validation. https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20121017-0_mod_security_ruleset_bypass.txt).
 
   * Updated Reference Manual.
 

NOTICE

@@ -1,5 +1,5 @@
     ModSecurity (www.modsecurity.org)
-    Copyright [2004-2011] Trustwave Holdings, Inc
+    Copyright [2004-2013] Trustwave Holdings, Inc
 
     This product includes software developed at
     Trustwave Holdings, Inc (http://www.trustwave.com/).

README.TXT

@@ -1,5 +1,5 @@
 ModSecurity for Apache 2.x, http://www.modsecurity.org/
-Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 
 You may not use this file except in compliance with
 the License.  You may obtain a copy of the License at

alp2/alp2.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

alp2/alp2.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

alp2/alp2_pp.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

alp2/alp2_pp.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/Makefile.am

@@ -11,7 +11,8 @@ mod_security2_la_SOURCES = mod_security2.c \
                            re_variables.c msc_logging.c msc_xml.c \
                            msc_multipart.c modsecurity.c msc_parsers.c \
                            msc_util.c msc_pcre.c persist_dbm.c msc_reqbody.c \
-                           msc_geo.c msc_gsb.c msc_crypt.c msc_tree.c msc_unicode.c acmp.c msc_lua.c msc_release.c
+                           msc_geo.c msc_gsb.c msc_crypt.c msc_tree.c msc_unicode.c acmp.c msc_lua.c msc_release.c \
+                           libinjection/libinjection_sqli.c
 
 mod_security2_la_CFLAGS = @APXS_CFLAGS@ @APR_CFLAGS@ @APU_CFLAGS@ \
                           @PCRE_CFLAGS@ @LIBXML2_CFLAGS@ @LUA_CFLAGS@ @MODSEC_EXTRA_CFLAGS@ @CURL_CFLAGS@
@@ -72,7 +73,7 @@ install-exec-hook: $(pkglib_LTLIBRARIES)
 	for m in $(pkglib_LTLIBRARIES); do \
 	  base=`echo $$m | sed 's/\..*//'`; \
 	  rm -f $(DESTDIR)$(pkglibdir)/$$base.*a; \
-	  install -D -m444 $(DESTDIR)$(pkglibdir)/$$base.so $(DESTDIR)$(APXS_MODULES); \
+	  install -D -m444 $(DESTDIR)$(pkglibdir)/$$base.so $(DESTDIR)$(APXS_MODULES)/$$base.so; \
 	done
 else
 install-exec-hook: $(pkglib_LTLIBRARIES)

apache2/Makefile.win

@@ -46,7 +46,7 @@ OBJS = mod_security2.obj apache2_config.obj apache2_io.obj apache2_util.obj \
        msc_logging.obj msc_xml.obj msc_multipart.obj modsecurity.obj \
        msc_parsers.obj msc_util.obj msc_pcre.obj persist_dbm.obj \
        msc_reqbody.obj msc_geo.obj msc_gsb.obj msc_crypt.obj msc_tree.obj msc_unicode.obj acmp.obj msc_lua.obj \
-       msc_release.obj
+       msc_release.obj libinjection\libinjection_sqli.obj
 
 all: $(DLL)
 

apache2/acmp.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/acmp.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/apache2.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/apache2_config.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
@@ -2346,7 +2346,7 @@ static const char *cmd_hash_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
         dcfg->hash_is_enabled = HASH_DISABLED;
         dcfg->hash_enforcement = HASH_DISABLED;
     }
-    else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SexHashEngine: %s", p1);
+    else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecHashEngine: %s", p1);
 
     return NULL;
 }
@@ -2656,6 +2656,8 @@ static const char *cmd_geo_lookup_db(cmd_parms *cmd, void *_dcfg,
 /**
 * \brief Add SecUnicodeCodePage configuration option
 *
+* Depcrecated
+*
 * \param cmd Pointer to configuration data
 * \param _dcfg Pointer to directory configuration
 * \param p1 Pointer to configuration option
@@ -2688,13 +2690,24 @@ static const char *cmd_unicode_codepage(cmd_parms *cmd,
 * \retval NULL On success
 */
 static const char *cmd_unicode_map(cmd_parms *cmd, void *_dcfg,
-                                     const char *p1)
+                                     const char *p1, const char *p2)
 {
     const char *filename = resolve_relative_path(cmd->pool, cmd->directive->filename, p1);
     char *error_msg;
+    long val = 0;
     directory_config *dcfg = (directory_config *)_dcfg;
     if (dcfg == NULL) return NULL;
 
+    if(p2 != NULL)  {
+        val = atol(p2);
+        if (val <= 0) {
+            return apr_psprintf(cmd->pool, "ModSecurity: Invalid setting for "
+                    "SecUnicodeMapFile: %s", p2);
+        }
+
+        unicode_codepage = (unsigned long int)val;
+    }
+
     if (unicode_map_init(dcfg, filename, &error_msg) <= 0) {
         return error_msg;
     }
@@ -3069,7 +3082,7 @@ const command_rec module_directives[] = {
         "Unicode CodePage"
     ),
 
-    AP_INIT_TAKE1 (
+    AP_INIT_TAKE12 (
         "SecUnicodeMapFile",
         cmd_unicode_map,
         NULL,

apache2/apache2_io.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
@@ -588,7 +588,7 @@ static int flatten_response_body(modsec_rec *msr) {
         }
 
         memset(msr->stream_output_data, 0, msr->stream_output_length+1);
-        strncpy(msr->stream_output_data, msr->resbody_data, msr->stream_output_length);
+        memcpy(msr->stream_output_data, msr->resbody_data, msr->stream_output_length);
         msr->stream_output_data[msr->stream_output_length] = '\0';
     } else if (msr->txcfg->stream_outbody_inspection && msr->txcfg->hash_is_enabled == HASH_ENABLED)    {
         int retval = 0;
@@ -617,7 +617,7 @@ static int flatten_response_body(modsec_rec *msr) {
             }
 
             memset(msr->stream_output_data, 0, msr->stream_output_length+1);
-            strncpy(msr->stream_output_data, msr->resbody_data, msr->stream_output_length);
+            memcpy(msr->stream_output_data, msr->resbody_data, msr->stream_output_length);
             msr->stream_output_data[msr->stream_output_length] = '\0';
         }
     }

apache2/apache2_util.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
@@ -198,6 +198,10 @@ static void internal_log_ex(request_rec *r, directory_config *dcfg, modsec_rec *
     apr_size_t nbytes, nbytes_written;
     apr_file_t *debuglog_fd = NULL;
     int filter_debug_level = 0;
+    char *remote = NULL;
+    char *parse_remote = NULL;
+    char *saved = NULL;
+    char *str = NULL;
     char str1[1024] = "";
     char str2[1256] = "";
 
@@ -269,7 +273,7 @@ static void internal_log_ex(request_rec *r, directory_config *dcfg, modsec_rec *
             hostname, log_escape(msr->mp, r->uri), unique_id);
 #else
         ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r->server,
-            "[client %s] ModSecurity: %s%s [uri \"%s\"]%s", r->connection->remote_ip, str1,
+                "[client %s] ModSecurity: %s%s [uri \"%s\"]%s", msr->remote_addr ? msr->remote_addr : r->connection->remote_ip, str1,
                 hostname, log_escape(msr->mp, r->uri), unique_id);
 #endif
 

apache2/libinjection/COPYING.txt

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2012, 2013
+ * Nick Galbreath -- nickg [at] client9 [dot] com
+ * http://www.client9.com/projects/libinjection/
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ *
+ *   Neither the name of libinjection nor the names of its
+ *   contributors may be used to endorse or promote products derived from
+ *   this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * This is the standard "new" BSD license:
+ * http://www.opensource.org/licenses/bsd-license.php
+ */

apache2/libinjection/libinjection.h

@@ -0,0 +1,286 @@
+/**
+ * Copyright 2012, 2013 Nick Galbreath
+ * nickg@client9.com
+ * BSD License -- see COPYING.txt for details
+ *
+ * https://libinjection.client9.com/
+ *
+ */
+
+#ifndef _LIBINJECTION_H
+#define _LIBINJECTION_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Version info.
+ * See python's normalized version
+ * http://www.python.org/dev/peps/pep-0386/#normalizedversion
+ */
+#define LIBINJECTION_VERSION "3.4.1"
+
+/**
+ * Libinjection's sqli module makes a "normalized"
+ * value of the token.  This is the maximum size
+ * Token with values larger than this will be truncated
+ */
+#ifndef LIBINJECTION_SQLI_TOKEN_SIZE
+#define LIBINJECTION_SQLI_TOKEN_SIZE 32
+#endif
+
+/**
+ * Number of tokens used to create a fingerprint
+ */
+#ifndef LIBINJECTION_SQLI_MAX_TOKENS
+#define LIBINJECTION_SQLI_MAX_TOKENS 5
+#endif
+
+enum lookup_type {
+    FLAG_NONE          = 0,
+    FLAG_QUOTE_NONE    = 1 << 1,
+    FLAG_QUOTE_SINGLE  = 1 << 2,
+    FLAG_QUOTE_DOUBLE  = 1 << 3,
+
+    FLAG_SQL_ANSI      = 1 << 4,
+    FLAG_SQL_MYSQL     = 1 << 5,
+
+    LOOKUP_WORD,
+    LOOKUP_TYPE,
+    LOOKUP_OPERATOR,
+    LOOKUP_FINGERPRINT
+};
+
+typedef struct {
+#ifdef SWIG
+%immutable;
+#endif
+    char type;
+    char str_open;
+    char str_close;
+
+    /*
+     * position and length of token
+     * in original string
+     */
+    size_t pos;
+    size_t len;
+
+    /*  count:
+     *  in type 'v', used for number of opening '@'
+     *  but maybe unsed in other contexts
+     */
+    int  count;
+
+    char val[LIBINJECTION_SQLI_TOKEN_SIZE];
+}  stoken_t;
+
+
+/**
+ * Pointer to function, takes cstr input,
+ *  returns '\0' for no match, else a char
+ */
+struct libinjection_sqli_state;
+typedef char (*ptr_lookup_fn)(struct libinjection_sqli_state*, int lookuptype, const char* word, size_t len);
+
+typedef struct libinjection_sqli_state {
+#ifdef SWIG
+%immutable;
+#endif
+
+    /*
+     * input, does not need to be null terminated.
+     * it is also not modified.
+     */
+    const char *s;
+
+    /*
+     * input length
+     */
+    size_t slen;
+
+    /*
+     * How to lookup a word or fingerprint
+     */
+    ptr_lookup_fn lookup;
+    void*         userdata;
+
+    /*
+     *
+     */
+    int flags;
+
+    /*
+     * pos is index in string we are at when tokenizing
+     */
+    size_t pos;
+
+    /* MAX TOKENS + 1 since we use one extra token
+     * to determine the type of the previous token
+     */
+    stoken_t tokenvec[LIBINJECTION_SQLI_MAX_TOKENS + 1];
+
+    /*
+     * Pointer to token position in tokenvec, above
+     */
+    stoken_t *current;
+
+    /*
+     * fingerprint pattern c-string
+     * +1 for ending null
+     */
+    char fingerprint[LIBINJECTION_SQLI_MAX_TOKENS + 1];
+
+    /*
+     * Line number of code that said decided if the input was SQLi or
+     * not.  Most of the time it's line that said "it's not a matching
+     * fingerprint" but there is other logic that sometimes approves
+     * an input. This is only useful for debugging.
+     *
+     */
+    int reason;
+
+    /* Number of ddw (dash-dash-white) comments
+     * These comments are in the form of
+     *   '--[whitespace]' or '--[EOF]'
+     *
+     * All databases treat this as a comment.
+     */
+     int stats_comment_ddw;
+
+    /* Number of ddx (dash-dash-[notwhite]) comments
+     *
+     * ANSI SQL treats these are comments, MySQL treats this as
+     * two unary operators '-' '-'
+     *
+     * If you are parsing result returns FALSE and
+     * stats_comment_dd > 0, you should reparse with
+     * COMMENT_MYSQL
+     *
+     */
+    int stats_comment_ddx;
+
+    /*
+     * c-style comments found  /x .. x/
+     */
+    int stats_comment_c;
+
+    /* '#' operators or mysql EOL comments found
+     *
+     */
+    int stats_comment_hash;
+
+    /*
+     * number of tokens folded away
+     */
+    int stats_folds;
+
+    /*
+     * total tokens processed
+     */
+    int stats_tokens;
+
+} sfilter;
+
+/**
+ *
+ */
+void libinjection_sqli_init(sfilter* sql_state,
+                            const char* s, size_t slen,
+                            int flags);
+
+/**
+ * Main API: tests for SQLi in three possible contexts, no quotes,
+ * single quote and double quote
+ *
+ * \param sql_state
+ * \param s
+ * \param slen
+ * \param fn a pointer to a function that determines if a fingerprint
+ *        is a match or not.  If NULL, then a hardwired list is
+ *        used. Useful for loading fingerprints data from custom
+ *        sources.
+ *
+ * \return 1 (true) if SQLi, 0 (false) if benign
+ */
+int libinjection_is_sqli(sfilter * sql_state);
+
+/*  FOR H@CKERS ONLY
+ *
+ */
+void libinjection_sqli_callback(sfilter* sql_state, ptr_lookup_fn fn, void* userdata);
+
+
+/*
+ * Resets state, but keeps initial string and callbacks
+ */
+void libinjection_sqli_reset(sfilter* sql_state, int flags);
+
+/**
+ *
+ */
+
+/**
+ * This detects SQLi in a single context, mostly useful for custom
+ * logic and debugging.
+ *
+ * \param sql_state
+ *
+ * \returns a pointer to sfilter.fingerprint as convenience
+ *          do not free!
+ *
+ */
+const char* libinjection_sqli_fingerprint(sfilter * sql_state, int flags);
+
+/**
+ * The default "word" to token-type or fingerprint function.  This
+ * uses a ASCII case-insensitive binary tree.
+ */
+char libinjection_sqli_lookup_word(sfilter *sql_state, int lookup_type,
+                                   const char* s, size_t slen);
+
+/* Streaming tokenization interface.
+ *
+ * sql_state->current is updated with the current token.
+ *
+ * \returns 1, has a token, keep going, or 0 no tokens
+ *
+ */
+int  libinjection_sqli_tokenize(sfilter * sql_state);
+
+/**
+ * parses and folds input, up to 5 tokens
+ *
+ */
+int libinjection_sqli_fold(sfilter * sql_state);
+
+/** The built-in default function to match fingerprints
+ *  and do false negative/positive analysis.  This calls the following
+ *  two functions.  With this, you over-ride one part or the other.
+ *
+ *     return libinjection_sqli_blacklist(sql_state) &&
+ *        libinject_sqli_not_whitelist(sql_state);
+ *
+ * \param sql_state should be filled out after libinjection_sqli_fingerprint is called
+ */
+int libinjection_sqli_check_fingerprint(sfilter *sql_state);
+
+/* Given a pattern determine if it's a SQLi pattern.
+ *
+ * \return TRUE if sqli, false otherwise
+ */
+int libinjection_sqli_blacklist(sfilter* sql_state);
+
+/* Given a positive match for a pattern (i.e. pattern is SQLi), this function
+ * does additional analysis to reduce false positives.
+ *
+ * \return TRUE if sqli, false otherwise
+ */
+int libinjection_sqli_not_whitelist(sfilter* sql_state);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _LIBINJECTION_H */

apache2/mod_security2.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/modsecurity.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
@@ -391,11 +391,9 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) {
     if (msr->matched_vars == NULL) return -1;
     apr_table_clear(msr->matched_vars);
 
-    if(msr->txcfg->max_rule_time > 0)   {
     msr->perf_rules = apr_table_make(msr->mp, 8);
     if (msr->perf_rules == NULL) return -1;
     apr_table_clear(msr->perf_rules);
-    }
 
     /* Locate the cookie headers and parse them */
     arr = apr_table_elts(msr->request_headers);

apache2/modsecurity.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
@@ -442,6 +442,8 @@ struct modsec_rec {
     lua_State           *L;
     #endif
 #endif
+
+    int                 msc_sdbm_delete_error;
 };
 
 struct directory_config {

apache2/msc_crypt.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
@@ -68,10 +68,26 @@ char *normalize_path(modsec_rec *msr, char *input) {
             char *Uri = NULL;
             int bytes = 0;
             int i;
+            char *relative_link = NULL;
+            char *filename = NULL;
+            char *relative_path = NULL;
+            char *relative_uri = NULL;
 
-            xmlNormalizeURIPath(uri->path);
+            filename = file_basename(msr->mp, msr->r->parsed_uri.path);
-            Uri = apr_pstrdup(msr->mp, uri->path);
 
+            if(filename == NULL || (strlen(msr->r->parsed_uri.path) - strlen(filename) < 0))
+                return NULL;
+
+            relative_path = apr_pstrndup(msr->mp, msr->r->parsed_uri.path, strlen(msr->r->parsed_uri.path) - strlen(filename));
+            relative_uri = apr_pstrcat(msr->mp, relative_path, uri->path, NULL);
+
+            relative_link = apr_pstrdup(msr->mp, relative_uri);
+
+            xmlNormalizeURIPath(relative_link);
+
+            Uri = apr_pstrdup(msr->mp, relative_link);
+
+/*
             for(i = 0; i < (int)strlen(Uri); i++)    {
                 if(Uri[i] != '.' && Uri[i] != '/')  {
                     if (i - 1 < 0)
@@ -88,12 +104,15 @@ char *normalize_path(modsec_rec *msr, char *input) {
 
             if(bytes >= (int)strlen(uri->path))
                 return NULL;
+*/
+
+            content = apr_psprintf(msr->mp, "%s", Uri);
 
-            content = apr_psprintf(msr->mp, "%s", uri->path+bytes);
             if(parsed_content)
                 parsed_content = apr_pstrcat(msr->mp, parsed_content, content, NULL);
             else
                 parsed_content = apr_pstrcat(msr->mp, content, NULL);
+
         }
 
         if(uri->query_raw)  {
@@ -629,6 +648,7 @@ int do_hash_method(modsec_rec *msr, char *link, int type)   {
 int hash_response_body_links(modsec_rec *msr)   {
     int lsize = 0, fsize = 0, lcount = 0, fcount = 0, i;
     int isize = 0, icount = 0, frsize = 0, frcount = 0;
+    int bytes = 0;
     xmlXPathContextPtr  xpathCtx = NULL;
     xmlXPathObjectPtr   xpathObj = NULL;
     xmlChar *content_option = NULL;
@@ -687,6 +707,7 @@ int hash_response_body_links(modsec_rec *msr)   {
                             if(mac_link != NULL) {
                                 xmlSetProp(cur, (const xmlChar *) "href", (const xmlChar *) mac_link);
                                 lcount++;
+                                bytes += strlen(mac_link);
                                 msr->of_stream_changed = 1;
                             }
                             mac_link = NULL;
@@ -703,6 +724,7 @@ int hash_response_body_links(modsec_rec *msr)   {
                             if(mac_link != NULL) {
                                 xmlSetProp(cur, (const xmlChar *) "href", (const xmlChar *) mac_link);
                                 lcount++;
+                                bytes += strlen(mac_link);
                                 msr->of_stream_changed = 1;
                             }
                             mac_link = NULL;
@@ -758,6 +780,7 @@ int hash_response_body_links(modsec_rec *msr)   {
                             if(mac_link != NULL) {
                                 xmlSetProp(cur, (const xmlChar *) "action", (const xmlChar *) mac_link);
                                 fcount++;
+                                bytes += strlen(mac_link);
                                 msr->of_stream_changed = 1;
                             }
                             mac_link = NULL;
@@ -774,6 +797,7 @@ int hash_response_body_links(modsec_rec *msr)   {
                             if(mac_link != NULL) {
                                 xmlSetProp(cur, (const xmlChar *) "action", (const xmlChar *) mac_link);
                                 fcount++;
+                                bytes += strlen(mac_link);
                                 msr->of_stream_changed = 1;
                             }
                             mac_link = NULL;
@@ -828,6 +852,7 @@ int hash_response_body_links(modsec_rec *msr)   {
                             if(mac_link != NULL) {
                                 xmlSetProp(cur, (const xmlChar *) "src", (const xmlChar *) mac_link);
                                 icount++;
+                                bytes += strlen(mac_link);
                                 msr->of_stream_changed = 1;
                             }
                             mac_link = NULL;
@@ -844,6 +869,7 @@ int hash_response_body_links(modsec_rec *msr)   {
                             if(mac_link != NULL) {
                                 xmlSetProp(cur, (const xmlChar *) "src", (const xmlChar *) mac_link);
                                 icount++;
+                                bytes += strlen(mac_link);
                                 msr->of_stream_changed = 1;
                             }
                             mac_link = NULL;
@@ -893,6 +919,7 @@ int hash_response_body_links(modsec_rec *msr)   {
                             if(mac_link != NULL) {
                                 xmlSetProp(cur, (const xmlChar *) "src", (const xmlChar *) mac_link);
                                 frcount++;
+                                bytes += strlen(mac_link);
                                 msr->of_stream_changed = 1;
                             }
                             mac_link = NULL;
@@ -909,6 +936,7 @@ int hash_response_body_links(modsec_rec *msr)   {
                             if(mac_link != NULL) {
                                 xmlSetProp(cur, (const xmlChar *) "src", (const xmlChar *) mac_link);
                                 frcount++;
+                                bytes += strlen(mac_link);
                                 msr->of_stream_changed = 1;
                             }
                             mac_link = NULL;
@@ -953,7 +981,7 @@ int hash_response_body_links(modsec_rec *msr)   {
     if((elts >= INT32_MAX) || (elts < 0))
         return 0;
 
-    return elts;
+    return bytes;
 
 obj_error:
     if(xpathCtx != NULL)
@@ -1044,6 +1072,7 @@ int inject_hashed_response_body(modsec_rec *msr, int elts) {
     }
 
     htmlDocContentDumpFormatOutput(output_buf, msr->crypto_html_tree, NULL, 0);
+    xmlOutputBufferFlush(output_buf);
 
 #ifdef  LIBXML2_NEW_BUFFER
 
@@ -1133,10 +1162,11 @@ int inject_hashed_response_body(modsec_rec *msr, int elts) {
         }
 
         memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
-        memcpy(msr->stream_output_data, output_buf->buffer->content, msr->stream_output_length);
+        memcpy(msr->stream_output_data, (char *)xmlBufferContent(output_buf->buffer), msr->stream_output_length);
+        //memcpy(msr->stream_output_data, output_buf->buffer->content, msr->stream_output_length);
 
         if (msr->txcfg->debuglog_level >= 4)
-            msr_log(msr, 4, "inject_hashed_response_body: Copying XML tree from CONTENT to stream buffer [%d] bytes.", output_buf->buffer->use);
+            msr_log(msr, 4, "inject_hashed_response_body: Copying XML tree from CONTENT to stream buffer [%d] bytes.", msr->stream_output_length);
 
     } else {
 
@@ -1162,10 +1192,11 @@ int inject_hashed_response_body(modsec_rec *msr, int elts) {
         }
 
         memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
-        memcpy(msr->stream_output_data, output_buf->conv->content, msr->stream_output_length);
+        memcpy(msr->stream_output_data, (char *)xmlBufferContent(output_buf->conv), msr->stream_output_length);
+        //memcpy(msr->stream_output_data, output_buf->conv->content, msr->stream_output_length);
 
         if (msr->txcfg->debuglog_level >= 4)
-            msr_log(msr, 4, "inject_hashed_response_body: Copying XML tree from CONV to stream buffer [%d] bytes.", output_buf->conv->use);
+            msr_log(msr, 4, "inject_hashed_response_body: Copying XML tree from CONV to stream buffer [%d] bytes.", msr->stream_output_length);
 
     }
 
@@ -1209,14 +1240,15 @@ char *do_hash_link(modsec_rec *msr, char *link, int type)  {
     if(strlen(link) > 7 && strncmp("http:",(char*)link,5)==0){
         path_chunk = strchr(link+7,'/');
         if(path_chunk != NULL)  {
-            if (msr->txcfg->debuglog_level >= 4)
+            if (msr->txcfg->debuglog_level >= 4)    {
                 msr_log(msr, 4, "Signing data [%s]", path_chunk+1);
+                }
 
             if(msr->txcfg->crypto_key_add == HASH_KEYONLY)
                 hash_value =  hmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
 
             if(msr->txcfg->crypto_key_add == HASH_SESSIONID)  {
-                if(strlen(msr->sessionid) == 0)   {
+                if(msr->sessionid == NULL || strlen(msr->sessionid) == 0)   {
 #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
                     const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip);
 #else
@@ -1251,14 +1283,15 @@ char *do_hash_link(modsec_rec *msr, char *link, int type)  {
         if(strlen(link) > 8 && strncmp("https",(char*)link,5)==0){
             path_chunk = strchr(link+8,'/');
             if(path_chunk != NULL)  {
-                if (msr->txcfg->debuglog_level >= 4)
+                if (msr->txcfg->debuglog_level >= 4)    {
                     msr_log(msr, 4, "Signing data [%s]", path_chunk+1);
+                }
 
                 if(msr->txcfg->crypto_key_add == HASH_KEYONLY)
                     hash_value =  hmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
 
                 if(msr->txcfg->crypto_key_add == HASH_SESSIONID)  {
-                    if(strlen(msr->sessionid) == 0)   {
+                    if(msr->sessionid == NULL || strlen(msr->sessionid) == 0)   {
 #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
                         const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip);
 #else
@@ -1291,14 +1324,15 @@ char *do_hash_link(modsec_rec *msr, char *link, int type)  {
             }
         }
         else if(*link=='/'){
-            if (msr->txcfg->debuglog_level >= 4)
+            if (msr->txcfg->debuglog_level >= 4)    {
                 msr_log(msr, 4, "Signing data [%s]", link+1);
+                }
 
             if(msr->txcfg->crypto_key_add == HASH_KEYONLY)
                 hash_value = hmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) link+1, strlen((char*)link)-1);
 
             if(msr->txcfg->crypto_key_add == HASH_SESSIONID)  {
-                if(strlen(msr->sessionid) == 0)   {
+                if(msr->sessionid == NULL || strlen(msr->sessionid) == 0)   {
 #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
                     const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip);
 #else
@@ -1344,14 +1378,15 @@ char *do_hash_link(modsec_rec *msr, char *link, int type)  {
 
             relative_link = relative_uri+1;
 
-            if (msr->txcfg->debuglog_level >= 4)
+            if (msr->txcfg->debuglog_level >= 4)    {
                 msr_log(msr, 4, "Signing data [%s] size %d", relative_link, strlen(relative_link));
+                }
 
             if(msr->txcfg->crypto_key_add == HASH_KEYONLY)
                 hash_value = hmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) relative_link, strlen((char*)relative_link));
 
             if(msr->txcfg->crypto_key_add == HASH_SESSIONID)  {
-                if(strlen(msr->sessionid) == 0)   {
+                if(msr->sessionid == NULL || strlen(msr->sessionid) == 0)   {
 #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
                     const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip);
 #else
@@ -1379,6 +1414,9 @@ char *do_hash_link(modsec_rec *msr, char *link, int type)  {
                 msr->txcfg->crypto_key_len = strlen(new_pwd);
                 hash_value = hmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) relative_link, strlen((char*)relative_link));
             }
+
+        link = relative_uri;
+
         }
 
     if(hash_value == NULL) return NULL;

apache2/msc_crypt.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_geo.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_geo.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_gsb.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_gsb.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_logging.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_logging.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_lua.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_lua.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_multipart.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_multipart.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_parsers.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_parsers.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_pcre.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_pcre.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_release.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_release.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
@@ -38,7 +38,7 @@
 
 #define MODSEC_VERSION_MAJOR       "2"
 #define MODSEC_VERSION_MINOR       "7"
-#define MODSEC_VERSION_MAINT       "3"
+#define MODSEC_VERSION_MAINT       "5"
 #define MODSEC_VERSION_TYPE        ""
 #define MODSEC_VERSION_RELEASE     ""
 
@@ -53,10 +53,10 @@
 #define MODSEC_MODULE_NAME "ModSecurity for IIS (STABLE)"
 #else
 #ifdef	VERSION_NGINX
-#define MODSEC_MODULE_NAME "ModSecurity for nginx (RC)"
+#define MODSEC_MODULE_NAME "ModSecurity for nginx (STABLE)"
 #else
 #ifdef	VERSION_STANDALONE
-#define MODSEC_MODULE_NAME "ModSecurity Standalone (RC)"
+#define MODSEC_MODULE_NAME "ModSecurity Standalone (STABLE)"
 #else
 #define MODSEC_MODULE_NAME "ModSecurity for Apache"
 #endif

apache2/msc_reqbody.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
@@ -170,6 +170,7 @@ static apr_status_t modsecurity_request_body_store_memory(modsec_rec *msr,
 
     /* Would storing this chunk mean going over the limit? */
     if ((msr->msc_reqbody_spilltodisk)
+        && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON)
         && (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit))
     {
         msc_data_chunk **chunks;

apache2/msc_tree.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
  *
  * You may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at

apache2/msc_tree.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_unicode.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
@@ -130,8 +130,10 @@ static int unicode_map_create(directory_config *dcfg, char **error_msg)
 
     apr_file_close(u_map->map);
 
+    if(buf) {
         free(buf);
         buf = NULL;
+    }
 
     return 1;
 }

apache2/msc_unicode.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_util.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
@@ -120,9 +120,14 @@ char *utf8_unicode_inplace_ex(apr_pool_t *mp, unsigned char *input, long int inp
         if ((c & 0x80) == 0) {
             /* single byte unicode (7 bit ASCII equivilent) has no validation */
             count++;
-            if(count <= len)
+            if(count <= len)    {
+                if(c == 0)
+                    *data = x2c(&c);
+                else
                     *data++ = c;
             }
+
+        }
         /* If first byte begins with binary 110 it is two byte encoding*/
         else if ((c & 0xE0) == 0xC0) {
             /* check we have at least two bytes */

apache2/msc_util.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_xml.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/msc_xml.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/persist_dbm.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
@@ -220,6 +220,7 @@ static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec
             msr_log(msr, 1, "collection_retrieve_ex: Failed deleting collection (name \"%s\", "
                 "key \"%s\"): %s", log_escape(msr->mp, col_name),
                 log_escape_ex(msr->mp, col_key, col_key_len), get_apr_error(msr->mp, rc));
+            msr->msc_sdbm_delete_error = 1;
             goto cleanup;
         }
 
@@ -490,7 +491,12 @@ int collection_store(modsec_rec *msr, apr_table_t *col) {
     /* Now generate the binary object. */
     blob = apr_pcalloc(msr->mp, blob_size);
     if (blob == NULL) {
-        goto error;
+        if (dbm != NULL) {
+            apr_sdbm_unlock(dbm);
+            apr_sdbm_close(dbm);
+        }
+
+        return -1;
     }
 
     blob[0] = 0x49;
@@ -543,9 +549,15 @@ int collection_store(modsec_rec *msr, apr_table_t *col) {
     if (rc != APR_SUCCESS) {
         msr_log(msr, 1, "collection_store: Failed to write to DBM file \"%s\": %s", dbm_filename,
                 get_apr_error(msr->mp, rc));
-        goto error;
+        if (dbm != NULL) {
+            apr_sdbm_unlock(dbm);
+            apr_sdbm_close(dbm);
         }
 
+        return -1;
+    }
+
+    apr_sdbm_unlock(dbm);
     apr_sdbm_close(dbm);
 
     if (msr->txcfg->debuglog_level >= 4) {
@@ -557,11 +569,6 @@ int collection_store(modsec_rec *msr, apr_table_t *col) {
     return 0;
 
 error:
-
-    if (dbm) {
-        apr_sdbm_close(dbm);
-    }
-
     return -1;
 }
 
@@ -672,6 +679,7 @@ int collections_remove_stale(modsec_rec *msr, const char *col_name) {
                         msr_log(msr, 1, "collections_remove_stale: Failed deleting collection (name \"%s\", "
                             "key \"%s\"): %s", log_escape(msr->mp, col_name),
                             log_escape_ex(msr->mp, key.dptr, key.dsize - 1), get_apr_error(msr->mp, rc));
+                    msr->msc_sdbm_delete_error = 1;
                         goto error;
                     }
 

apache2/persist_dbm.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/re.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
@@ -2604,15 +2604,19 @@ static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr,
             rt_time = apr_table_get(msr->perf_rules, rule->actionset->id);
             if(rt_time == NULL) {
                 rt_time = apr_psprintf(msr->mp, "%" APR_TIME_T_FMT, (t1 - time_before_op));
+                rule_time = (apr_time_t)atoi(rt_time);
+                if(rule_time >= msr->txcfg->max_rule_time)
                     apr_table_setn(msr->perf_rules, rule->actionset->id, rt_time);
             } else  {
                 rule_time = (apr_time_t)atoi(rt_time);
                 rule_time += (t1 - time_before_op);
+                if(rule_time >= msr->txcfg->max_rule_time)  {
                     rt_time = apr_psprintf(msr->mp, "%" APR_TIME_T_FMT, rule_time);
                     apr_table_setn(msr->perf_rules, rule->actionset->id, rt_time);
                 }
             }
         }
+    }
 #endif
 
     if (rc < 0) {

apache2/re.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/re_actions.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
@@ -491,7 +491,25 @@ static apr_status_t msre_action_ver_init(msre_engine *engine,
 static apr_status_t msre_action_severity_init(msre_engine *engine,
         msre_actionset *actionset, msre_action *action)
 {
+    if (strcasecmp(action->param, "emergency") == 0)    {
+        actionset->severity = 0;
+    } else if (strcasecmp(action->param, "alert") == 0) {
+        actionset->severity = 1;
+    } else if (strcasecmp(action->param, "critical") == 0) {
+        actionset->severity = 2;
+    } else if (strcasecmp(action->param, "error") == 0) {
+        actionset->severity = 3;
+    } else if (strcasecmp(action->param, "warning") == 0) {
+        actionset->severity = 4;
+    } else if (strcasecmp(action->param, "notice") == 0) {
+        actionset->severity = 5;
+    } else if (strcasecmp(action->param, "info") == 0) {
+        actionset->severity = 6;
+    } else if (strcasecmp(action->param, "debug") == 0) {
+        actionset->severity = 7;
+    } else  {
         actionset->severity = atoi(action->param);
+    }
     return 1;
 }
 

apache2/re_operators.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
@@ -27,6 +27,8 @@
 #include <arpa/inet.h>
 #endif
 
+#include "libinjection/libinjection.h"
+
 /**
  *
  */
@@ -369,7 +371,7 @@ static int msre_op_ipmatchFromFile_execute(modsec_rec *msr, msre_rule *rule, msr
 /* rsub */
 
 static char *param_remove_escape(msre_rule *rule, char *str, int len)  {
-    char *parm = apr_palloc(rule->ruleset->mp, len);
+    char *parm = apr_pcalloc(rule->ruleset->mp, len);
     char *ret = parm;
 
     for(;*str!='\0';str++)    {
@@ -693,7 +695,7 @@ nextround:
 
         msr->of_stream_changed = 1;
 
-        strncpy(msr->stream_output_data, data, size);
+        memcpy(msr->stream_output_data, data, size);
         msr->stream_output_data[size] = '\0';
 
         var->value_len = size;
@@ -717,7 +719,7 @@ nextround:
 
         msr->if_stream_changed = 1;
 
-        strncpy(msr->stream_input_data, data, size);
+        memcpy(msr->stream_input_data, data, size);
         msr->stream_input_data[size] = '\0';
 
         var->value_len = size;
@@ -2129,6 +2131,41 @@ static int msre_op_contains_execute(modsec_rec *msr, msre_rule *rule, msre_var *
     return 0;
 }
 
+/** libinjection detectSQLi
+ *   links against files in libinjection directory
+ *  See www.client9.com/libinjection for details
+ */
+static int msre_op_detectSQLi_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
+    char **error_msg) {
+
+    struct libinjection_sqli_state sqli_state;
+    int issqli;
+    int capture;
+
+    libinjection_sqli_init(&sqli_state, var->value, var->value_len, 0);
+    issqli = libinjection_is_sqli(&sqli_state);
+    capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0;
+
+    if (issqli) {
+        set_match_to_tx(msr, capture, sqli_state.fingerprint, 0);
+
+        *error_msg = apr_psprintf(msr->mp, "detected SQLi using libinjection with fingerprint '%s'",
+                                  sqli_state.fingerprint);
+        if (msr->txcfg->debuglog_level >= 9) {
+            msr_log(msr, 9, "ISSQL: libinjection fingerprint '%s' matched input '%s'",
+                    sqli_state.fingerprint,
+                    log_escape_ex(msr->mp, var->value, var->value_len));
+        }
+    } else {
+        if (msr->txcfg->debuglog_level >= 9) {
+            msr_log(msr, 9, "ISSQL: not sqli, no libinjection sqli fingerprint matched input '%s'",
+                    log_escape_ex(msr->mp, var->value, var->value_len));
+        }
+    }
+
+    return issqli;
+}
+
 /* containsWord */
 
 static int msre_op_containsWord_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
@@ -4502,7 +4539,14 @@ void msre_engine_register_default_operators(msre_engine *engine) {
         msre_op_containsWord_execute
     );
 
-    /* is */
+    /* detectSQLi */
+    msre_engine_op_register(engine,
+        "detectSQLi",
+         NULL,
+         msre_op_detectSQLi_execute
+    );
+
+    /* streq */
     msre_engine_op_register(engine,
         "streq",
         NULL, /* ENH init function to flag var substitution */

apache2/re_tfns.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

apache2/re_variables.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
@@ -511,6 +511,19 @@ static int var_reqbody_processor_generate(modsec_rec *msr, msre_var *var, msre_r
     return 1;
 }
 
+/* SDBM_DELETE_ERROR */
+static int var_sdbm_delete_error_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
+    apr_table_t *vartab, apr_pool_t *mptmp)
+{
+    msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+
+    rvar->value = apr_psprintf(mptmp, "%d", msr->msc_sdbm_delete_error);
+    rvar->value_len = strlen(rvar->value);
+    apr_table_addn(vartab, rvar->name, (void *)rvar);
+
+    return 1;
+}
+
 /* REQBODY_ERROR */
 
 static int var_reqbody_processor_error_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
@@ -700,6 +713,15 @@ static int var_useragent_ip_generate(modsec_rec *msr, msre_var *var, msre_rule *
 static int var_remote_addr_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
     apr_table_t *vartab, apr_pool_t *mptmp)
 {
+#if !defined(MSC_TEST)
+#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 3
+    if (ap_find_linked_module("mod_remoteip.c") != NULL) {
+        if(msr->r->useragent_ip != NULL) msr->remote_addr = apr_pstrdup(msr->mp, msr->r->useragent_ip);
+        return var_simple_generate(var, vartab, mptmp, msr->remote_addr);
+    }
+#endif
+#endif
+
     return var_simple_generate(var, vartab, mptmp, msr->remote_addr);
 }
 
@@ -3117,6 +3139,16 @@ void msre_engine_register_default_variables(msre_engine *engine) {
         PHASE_REQUEST_HEADERS
     );
 
+    msre_engine_variable_register(engine,
+        "SDBM_DELETE_ERROR",
+        VAR_SIMPLE,
+        0, 0,
+        NULL,
+        var_sdbm_delete_error_generate,
+        VAR_DONT_CACHE, /* dynamic */
+        PHASE_REQUEST_BODY
+    );
+
     /* REQBODY_PROCESSOR_ERROR - Deprecated */
     msre_engine_variable_register(engine,
         "REQBODY_PROCESSOR_ERROR",

apache2/utf8tables.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

build/find_apr.m4

@@ -11,7 +11,8 @@ APR_CFLAGS=""
 APR_CPPFLAGS=""
 APR_LDFLAGS=""
 APR_LDADD=""
-
+APR_INCLUDEDIR=""
+APR_LINKLD=""
 AC_DEFUN([CHECK_APR],
 [dnl
 
@@ -63,6 +64,10 @@ if test -n "${apr_path}"; then
     if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apr LDFLAGS: $APR_LDFLAGS); fi
     APR_LDADD="`${APR_CONFIG} --link-libtool`"
     if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apr LDADD: $APR_LDADD); fi
+    APR_INCLUDEDIR="`${APR_CONFIG} --includedir`"
+    if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apr INCLUDEDIR: $APR_INCLUDEDIR); fi
+    APR_LINKLD="`${APR_CONFIG} --link-ld`"
+    if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apr LINKLD: $APR_LINKLD); fi
 else
     AC_MSG_RESULT([no])
 fi
@@ -73,6 +78,8 @@ AC_SUBST(APR_CFLAGS)
 AC_SUBST(APR_CPPFLAGS)
 AC_SUBST(APR_LDFLAGS)
 AC_SUBST(APR_LDADD)
+AC_SUBST(APR_INCLUDEDIR)
+AC_SUBST(APR_LINKLD)
 
 if test -z "${APR_VERSION}"; then
     AC_MSG_NOTICE([*** apr library not found.])

build/find_apu.m4

@@ -10,6 +10,8 @@ APU_CONFIG=""
 APU_CFLAGS=""
 APU_LDFLAGS=""
 APU_LDADD=""
+APU_INCLUDEDIR=""
+APU_LINKLD=""
 
 AC_DEFUN([CHECK_APU],
 [dnl
@@ -18,7 +20,7 @@ AC_ARG_WITH(
     apu,
     [AC_HELP_STRING([--with-apu=PATH],[Path to apu prefix or config script])],
     [test_paths="${with_apu}"],
-    [test_paths="/usr/local/libapr-util /usr/local/apr-util /usr/local/libapu /usr/local/apu /usr/local /opt/libapr-util /opt/apr-util /opt/libapu /opt/apu /opt /usr"])
+    [test_paths="/usr/local/libapr-util /usr/local/apr-util /usr/local/libapu /usr/local/apu /usr/local/apr /usr/local /opt/libapr-util /opt/apr-util /opt/libapu /opt/apu /opt /usr"])
 
 AC_MSG_CHECKING([for libapu config script])
 
@@ -60,6 +62,10 @@ if test -n "${apu_path}"; then
     if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDFLAGS: $APU_LDFLAGS); fi
     APU_LDADD="`${APU_CONFIG} --link-libtool`"
     if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDADD: $APU_LDADD); fi
+    APU_INCLUDEDIR="`${APU_CONFIG} --includedir`"
+    if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu INCLUDEDIR: $APU_INCLUDEDIR); fi
+    APU_LINKLD="`${APU_CONFIG} --link-ld`"
+    if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LINKLD: $APU_LINKLD); fi
 else
     AC_MSG_RESULT([no])
 fi
@@ -69,6 +75,8 @@ AC_SUBST(APU_VERSION)
 AC_SUBST(APU_CFLAGS)
 AC_SUBST(APU_LDFLAGS)
 AC_SUBST(APU_LDADD)
+AC_SUBST(APU_INCLUDEDIR)
+AC_SUBST(APU_LINKLD)
 
 if test -z "${APU_VERSION}"; then
     AC_MSG_NOTICE([*** apu library not found.])

ext/mod_op_strstr.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

ext/mod_reqbody_example.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

ext/mod_tfn_reverse.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

ext/mod_var_remote_addr_port.c

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

iis/Makefile.win

@@ -52,6 +52,7 @@ OBJS1 = mod_security2.obj apache2_config.obj apache2_io.obj apache2_util.obj \
        msc_release.obj msc_crypt.obj msc_tree.obj
 OBJS2 = api.obj buckets.obj config.obj filters.obj hooks.obj regex.obj server.obj
 OBJS3 = main.obj moduleconfig.obj mymodule.obj
+OBJS4 = libinjection_sqli.obj
 
 all: $(DLL)
 
@@ -60,14 +61,17 @@ dll: $(DLL)
 $(OBJS1): ..\apache2\$*.c
         $(CC) $(CFLAGS) -c ..\apache2\$*.c -Fo$@
 
+$(OBJS4): ..\apache2\libinjection\$*.c
+        $(CC) $(CFLAGS) -c ..\apache2\libinjection\$*.c -Fo$@
+
 $(OBJS2): ..\standalone\$*.c
         $(CC) $(CFLAGS) -c ..\standalone\$*.c -Fo$@
 
 .cpp.obj:
         $(CC) $(CFLAGS) -c $< -Fo$@
 
-$(DLL): $(OBJS1) $(OBJS2) $(OBJS3)
+$(DLL): $(OBJS1) $(OBJS2) $(OBJS3) $(OBJS4)
-        $(LINK) $(LDFLAGS) $(OBJS1) $(OBJS2) $(OBJS3) $(LIBS)
+        $(LINK) $(LDFLAGS) $(OBJS1) $(OBJS2) $(OBJS3) $(OBJS4) $(LIBS)
         IF EXIST $(DLL).manifest $(MT) -manifest $(DLL).manifest -outputresource:$(DLL);#1
 
 clean:

iis/main.cpp

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

iis/moduleconfig.cpp

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

iis/moduleconfig.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

iis/mymodule.cpp

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at

iis/mymodule.h

@@ -1,6 +1,6 @@
 /*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at