From 974298a76c67bcf664e2f9790c2ec47c7fb911a3 Mon Sep 17 00:00:00 2001 From: brectanus Date: Wed, 17 Oct 2007 19:11:47 +0000 Subject: [PATCH] Added ctl:ruleRemoveById action. See #259. --- CHANGES | 4 ++- apache2/re.c | 47 ++++++++++++++++----------- apache2/re_actions.c | 4 +-- doc/modsecurity2-apache-reference.xml | 6 +++- 4 files changed, 38 insertions(+), 23 deletions(-)
diff --git a/CHANGES b/CHANGES
index 862ada9c..a321b3f8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,9 @@
-01 Oct 2007 - 2.5.0-dev3
+17 Oct 2007 - 2.5.0-dev3
 ------------------------
+ * Added ctl:ruleRemoveById action to allow rule removal on a match.
+ * Added a @containsWord operator that will match a given string anywhere in the target value, but only on word boundaries.
diff --git a/apache2/re.c b/apache2/re.c
index eeb98936..a350c49d 100644
--- a/apache2/re.c
+++ b/apache2/re.c
@@ -703,6 +703,34 @@ apr_status_t msre_ruleset_process_phase(msre_ruleset *ruleset, modsec_rec *msr)
 continue;
 }
 
+ /* Check if this rule was removed at runtime */
+ if ((rule->actionset->id !=NULL) && (! apr_is_empty_array(msr->removed_rules))) {
+ int j;
+ int do_process = 1;
+ const char *range;
+
+ for(j = 0; j < msr->removed_rules->nelts; j++) {
+ range = ((const char**)msr->removed_rules->elts)[j];
+
+ if (msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "Checking removal of rule id=\"%s\" against: %s", rule->actionset->id, range);
+ }
+
+ if (rule_id_in_range(atoi(rule->actionset->id), range)) {
+ do_process = 0;
+ break;
+ }
+ }
+
+ /* Go to the next rule if this one has been removed. */
+ if (do_process == 0) {
+ if (msr->txcfg->debuglog_level >= 5) {
+ msr_log(msr, 5, "Not processing rule id=\"%s\": removed by ctl action", rule->actionset->id);
+ }
+ continue;
+ }
+ }
+
 if (msr->txcfg->debuglog_level >= 4) {
 apr_pool_t *p = msr->mp;
 const char *fn = NULL;
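Review bot: When the rule dropped by the new `continue` is a chain starter, only the starter is skipped; the chained rules that follow it normally carry no id of their own, so they are never matched against the removal list and appear to fall through to ordinary evaluation, unless the chain-skipping state the loop keeps just above this hunk (the `continue; }` context) already covers that case, which is worth confirming. If it does not, the removal branch should switch the loop into its skip-rest-of-chain mode when the rule's actionset is marked as chained (`is_chained`) before the `continue`, otherwise a `ctl:ruleRemoveById` aimed at a chain can leave its tail rules running on their own. Separately, `atoi(rule->actionset->id)` is re-evaluated for every removed range and quietly turns a non-numeric id into 0; hoist it once above the loop, `int rule_id = atoi(rule->actionset->id);`, and pass `rule_id` to `rule_id_in_range` (or parse with `strtol` and skip the comparison when the id does not parse). The enclosing `msre_ruleset_process_phase` loop begins and ends outside the hunk, and since the equivalent check is deleted from `msre_rule_process` in the next hunk, this block is now the only place runtime removal is enforced.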
@@ -1384,25 +1412,6 @@ apr_status_t msre_rule_process(msre_rule *rule, modsec_rec *msr) {
 int invocations = 0;
 int multi_match = 0;
 
- /* Check if this rule was excluded at runtime */
- if ((rule->actionset->id !=NULL) && (! apr_is_empty_array(msr->removed_rules))) {
- const char *range;
-
- for(i = 0; i < msr->removed_rules->nelts; i++) {
- range = ((const char**)msr->removed_rules->elts)[i];
-
- if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "Checking rule id=\"%s\" against exclusion: %s", rule->actionset->id, range);
- }
-
- if (rule_id_in_range(atoi(rule->actionset->id), range)) {
- msr_log(msr, 5, "Rule id=\"%s\" excluded.", rule->actionset->id);
- return RULE_NO_MATCH;
- }
- }
-
- }
-
 /* Choose the correct metadata/disruptive action actionset. */
 acting_actionset = rule->actionset;
 if (rule->chain_starter != NULL) {
diff --git a/apache2/re_actions.c b/apache2/re_actions.c
index eb8a7e4c..f3db7aae 100644
--- a/apache2/re_actions.c
+++ b/apache2/re_actions.c
@@ -482,7 +482,7 @@ static char *msre_action_ctl_validate(msre_engine *engine, msre_action *action)
 if (strcasecmp(value, "detectiononly") == 0) return NULL;
 return apr_psprintf(engine->mp, "Invalid setting for ctl name ruleEngine: %s", value);
 } else
- if (strcasecmp(name, "removeRuleById") == 0) {
+ if (strcasecmp(name, "ruleRemoveById") == 0) {
 /* ENH nothing yet */
 return NULL;
 } else
@@ -603,7 +603,7 @@ static apr_status_t msre_action_ctl_execute(modsec_rec *msr, apr_pool_t *mptmp,
 return 1;
 } else
- if (strcasecmp(name, "removeRuleById") == 0) {
+ if (strcasecmp(name, "ruleRemoveById") == 0) {
 *(const char **)apr_array_push(msr->removed_rules) = (const char *)apr_pstrdup(msr->mp, value);
 return 1;
 } else
diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml
index c4d6edd8..b31370f1 100644
--- a/doc/modsecurity2-apache-reference.xml
+++ b/doc/modsecurity2-apache-reference.xml
@@ -3624,6 +3624,10 @@ SecRule REQUEST_CONTENT_TYPE ^text/xml nolog,pass,ctl:requ debugLogLevel + + ruleRemoveById + + requestBodyAccess
@@ -5110,4 +5114,4 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods} -
\ No newline at end of file
+