From 98982e29621e0912b587d2144870c6947bf721a7 Mon Sep 17 00:00:00 2001
From: ivanr
Date: Fri, 19 Mar 2010 20:00:59 +0000
Subject: [PATCH] Added the SecDisableBackendCompression directive
---
 CHANGES | 8 ++++++--
 apache2/apache2_config.c | 22 ++++++++++++++++++++++
 apache2/apache2_io.c | 16 ++++++++++++++++
 apache2/mod_security2.c | 8 ++++++++
 apache2/modsecurity.h | 2 ++
 5 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/CHANGES b/CHANGES
index 5d346114..6ee1adca 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,11 @@
-14 Feb 2010 - trunk
+19 Mar 2010 - trunk
 -------------------
- * Add REQUEST_BODY_LENGTH, which contains the number of request body
+ * Added SecDisableBackendCompression, which disabled backend compression
+ while keeping the frontend compression enabled (assuming mod_deflate
+ in installed and configured in the proxy). [Ivan Ristic]
+
+ * Added REQUEST_BODY_LENGTH, which contains the number of request body
 bytes read. [Ivan Ristic]
 * Integrate with mod_log_config using the %{VARNAME}M format string.
diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
index 3a8589c0..a5b42c93 100644
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -115,6 +115,8 @@ void *create_directory_config(apr_pool_t *mp, char *path)
 dcfg->component_signatures = apr_array_make(mp, 16, sizeof(char *));
 dcfg->request_encoding = NOT_SET_P;
+
+ dcfg->disable_backend_compression = NOT_SET;
 return dcfg;
 }
@@ -459,6 +461,9 @@ void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child)
 merged->request_encoding = (child->request_encoding == NOT_SET_P
 ? parent->request_encoding : child->request_encoding);
+
+ merged->disable_backend_compression = (child->disable_backend_compression == NOT_SET
+ ? parent->disable_backend_compression : child->disable_backend_compression);
 return merged;
 }
@@ -542,6 +547,7 @@ void init_directory_config(directory_config *dcfg)
 if (dcfg->request_encoding == NOT_SET_P) dcfg->request_encoding = NULL;
+ if (dcfg->disable_backend_compression == NOT_SET) dcfg->disable_backend_compression = 0;
 }
 /**
@@ -1255,6 +1261,14 @@ static const char *cmd_default_action(cmd_parms *cmd, void *_dcfg,
 return NULL;
 }
+static const char *cmd_disable_backend_compression(cmd_parms *cmd, void *_dcfg, int flag)
+{
+ directory_config *dcfg = (directory_config *)_dcfg;
+ if (dcfg == NULL) return NULL;
+ dcfg->disable_backend_compression = flag;
+ return NULL;
+}
+
 static const char *cmd_guardian_log(cmd_parms *cmd, void *_dcfg,
 const char *p1, const char *p2)
 {
@@ -1997,6 +2011,14 @@ const command_rec module_directives[] = {
 CMD_SCOPE_ANY,
 "default action list"
 ),
+
+ AP_INIT_FLAG (
+ "SecDisableBackendCompression",
+ cmd_disable_backend_compression,
+ NULL,
+ CMD_SCOPE_ANY,
+ "When set to On, removes the compression headers from the backend requests."
+ ),
 AP_INIT_TAKE1 (
 "SecGeoLookupDB",
diff --git a/apache2/apache2_io.c b/apache2/apache2_io.c
index 8f4b1968..1438590d 100644
--- a/apache2/apache2_io.c
+++ b/apache2/apache2_io.c
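Review bot: The help string registered for `SecDisableBackendCompression` in `module_directives` (apache2_config.c) says only that it "removes the compression headers from the backend requests", which does not tell an operator which headers are meant. Going by the other hunks of this commit, only `Accept-Encoding` and `TE` are unset, so I would name them: `"When set to On, removes the Accept-Encoding and TE request headers before the request is passed to the backend."`. Nothing in this commit stops a backend from compressing anyway, so the directive's reference documentation should probably say it is a request to the backend, not a guarantee that response bodies arrive uncompressed. The array continues outside the hunk.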
@@ -512,6 +512,22 @@ apr_status_t output_filter(ap_filter_t *f, apr_bucket_brigade *bb_in) {
 msr_log(msr, 9, "Output filter: Receiving output (f %pp, r %pp).", f, f->r);
 }
+ /* Put back the Accept-Encoding and TE request headers
+ * if they were removed from the request.
+ */
+ if (msr->txcfg->disable_backend_compression) {
+ char *ae = (char *)apr_table_get(msr->request_headers, "Accept-Encoding");
+ char *te = (char *)apr_table_get(msr->request_headers, "TE");
+
+ if ((ae != NULL)&&(apr_table_get(f->r->headers_in, "Accept-Encoding") == NULL)) {
+ apr_table_add(f->r->headers_in, "Accept-Encoding", ae);
+ }
+
+ if ((te != NULL)&&(apr_table_get(f->r->headers_in, "TE") == NULL)) {
+ apr_table_add(f->r->headers_in, "TE", te);
+ }
+ }
+
 /* Initialise on first invocation */
 if (msr->of_status == OF_STATUS_NOT_STARTED) {
 /* Update our context from the request structure. */
diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
index 1b430810..ac2a093a 100644
--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@@ -781,6 +781,14 @@ static int hook_request_late(request_rec *r) {
 rc = perform_interception(msr);
 }
+ /* Remove the compression ability indications the client set,
+ * but only if we need to disable backend compression.
+ */
+ if (msr->txcfg->disable_backend_compression) {
+ apr_table_unset(r->headers_in, "Accept-Encoding");
+ apr_table_unset(r->headers_in, "TE");
+ }
+
 return rc;
 }
diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
index b2bcab87..59654a54 100644
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@@ -477,6 +477,8 @@ struct directory_config {
 /* Request character encoding. */
 const char *request_encoding;
+
+ int disable_backend_compression;
 };
 struct error_message {
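Review bot: In `output_filter` (apache2_io.c) the restore block sits above the `OF_STATUS_NOT_STARTED` check, so it runs on every invocation of the filter rather than once. The `== NULL` guards make the repeats harmless, but the table lookups are redone on each call, and moving the block under the first-invocation branch would avoid that. `apr_table_get()` returns `const char *` and only the first value stored under a key, so the `(char *)` casts drop const for no benefit and a request that carried several `Accept-Encoding` lines gets only one back. `const char *ae = apr_table_get(msr->request_headers, "Accept-Encoding");` (and the same for `te`) fixes the cast. Whether `msr->request_headers` still holds the client's original values at this point is not visible here and is worth confirming; the function body continues outside the hunk.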
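Review bot: In `hook_request_late` (mod_security2.c) the two `apr_table_unset()` calls sit immediately before the final `return rc;`, so any earlier return in the function, whose start is outside the hunk, would leave `Accept-Encoding` and `TE` in place. The backend would then be free to compress, and the response body could reach the rules in a form they cannot match. As far as the hunk shows, the block also runs whatever `rc` is and whether or not the request is proxied. Removing the headers is only a request to the backend, which can still answer with `Content-Encoding` set, so the comment should say so, e.g. `/* Best effort: the backend may still compress; do not assume the response body is plain text. */`.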
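Review bot: The new `disable_backend_compression` member of `struct directory_config` (modsecurity.h) has no comment, although the field directly above it does. The other hunks show it is tri-state (`NOT_SET` at creation, the directive's flag once configured, `0` after `init_directory_config`), which is worth recording next to the declaration: `/* SecDisableBackendCompression: NOT_SET, 0 or 1; when 1, Accept-Encoding and TE are removed from the request. */`. The struct body begins outside the hunk.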