Honor the SecRuleEngine while filtering connections

The SecRuleEngine has the capability to Enable, Disable or even to place the ModSecurity in DetectionOnly mode. The SecReadStateLimit and SecWriteStateLimit were not honoring such state, due the fact that our configuration belongs to requests not to connections, the only struct that exists while those filters are placed. By adding a global variable "conn_limits_filter_state" we are now able to identify the current state of the ModSecurity, once the configuration is loaded this variable is set and used by the connections filters.
2025-09-29 11:16:33 +03:00 · 2013-10-31 14:28:00 -07:00
parent 0037a0732a
commit a15f8813e9
3 changed files with 53 additions and 29 deletions
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -2144,18 +2144,30 @@ static const char *cmd_rule(cmd_parms *cmd, void *_dcfg,
 static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
 {
    directory_config *dcfg = (directory_config *)_dcfg;
+
    if (dcfg == NULL) return NULL;

-    if (strcasecmp(p1, "on") == 0) dcfg->is_enabled = MODSEC_ENABLED;
-    else
-    if (strcasecmp(p1, "off") == 0) dcfg->is_enabled = MODSEC_DISABLED;
-    else
-    if (strcasecmp(p1, "detectiononly") == 0) {
+    if (strcasecmp(p1, "on") == 0)
+    {
+        dcfg->is_enabled = MODSEC_ENABLED;
+    }
+    else if (strcasecmp(p1, "off") == 0)
+    {
+        dcfg->is_enabled = MODSEC_DISABLED;
+    }
+    else if (strcasecmp(p1, "detectiononly") == 0)
+    {
        dcfg->is_enabled = MODSEC_DETECTION_ONLY;
        dcfg->of_limit_action = RESPONSE_BODY_LIMIT_ACTION_PARTIAL;
        dcfg->if_limit_action = REQUEST_BODY_LIMIT_ACTION_PARTIAL;
-    } else
-    return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRuleEngine: %s", p1);
+    }
+    else
+    {
+        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
+                "SecRuleEngine: %s", p1);
+    }
+
+    conn_limits_filter_state = dcfg->is_enabled;

    return NULL;
 }