Using run time string on the operators

2025-09-29 19:24:29 +03:00 · 2018-01-22 18:05:02 -03:00
parent 6a97dbee7a
commit a299997e02
74 changed files with 6884 additions and 6111 deletions
--- a/src/operators/begins_with.cc
+++ b/src/operators/begins_with.cc
@@ -26,18 +26,16 @@ namespace operators {

 bool BeginsWith::evaluate(Transaction *transaction, Rule *rule,
    const std::string &str, std::shared_ptr<RuleMessage> ruleMessage) {
-    bool ret = false;
-
-    std::string p = MacroExpansion::expand(m_param, transaction);
+    std::string p(m_string->evaluate(transaction));

    if (str.size() < p.size()) {
-        ret = false;
+        return false;
    } else if (!str.compare(0, p.size(), p)) {
        logOffset(ruleMessage, 0, p.size());
-        ret = true;
+        return true;
    }

-    return ret;
+    return false;
 }


--- a/src/operators/begins_with.h
+++ b/src/operators/begins_with.h
@@ -18,6 +18,7 @@

 #include <string>
 #include <memory>
+#include <utility>

 #include "src/operators/operator.h"

@@ -28,10 +29,8 @@ namespace operators {
 class BeginsWith : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    BeginsWith(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
-    explicit BeginsWith(std::string param)
-        : Operator("BeginsWith", param) { }
+    explicit BeginsWith(std::unique_ptr<RunTimeString> param)
+        : Operator("BeginsWith", std::move(param)) { }

    bool evaluate(Transaction *transaction, Rule *rule, const std::string &str,
        std::shared_ptr<RuleMessage> ruleMessage) override;
--- a/src/operators/contains.cc
+++ b/src/operators/contains.cc
@@ -24,7 +24,7 @@ namespace operators {

 bool Contains::evaluate(Transaction *transaction, Rule *rule,
        const std::string &input, std::shared_ptr<RuleMessage> ruleMessage) {
-    std::string p = MacroExpansion::expand(m_param, transaction);
+    std::string p(m_string->evaluate(transaction));
    size_t offset = input.find(p);

    bool contains = offset != std::string::npos;
--- a/src/operators/contains.h
+++ b/src/operators/contains.h
@@ -19,6 +19,7 @@
 #include <string>
 #include <list>
 #include <memory>
+#include <utility>

 #include "modsecurity/transaction.h"
 #include "modsecurity/rule_message.h"
@@ -31,10 +32,8 @@ namespace operators {
 class Contains : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    Contains(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
-    explicit Contains(std::string param)
-        : Operator("Contains", param) { }
+    explicit Contains(std::unique_ptr<RunTimeString> param)
+        : Operator("Contains", std::move(param)) { }
    bool evaluate(Transaction *transaction, Rule *rule,
        const std::string &str,
        std::shared_ptr<RuleMessage> ruleMessage) override;
--- a/src/operators/contains_word.cc
+++ b/src/operators/contains_word.cc
@@ -39,7 +39,7 @@ bool ContainsWord::acceptableChar(const std::string& a, size_t pos) {

 bool ContainsWord::evaluate(Transaction *transaction, Rule *rule,
    const std::string &input, std::shared_ptr<RuleMessage> ruleMessage) {
-    std::string paramTarget = MacroExpansion::expand(m_param, transaction);
+    std::string paramTarget(m_string->evaluate(transaction));

    if (paramTarget.empty()) {
        return true;
--- a/src/operators/contains_word.h
+++ b/src/operators/contains_word.h
@@ -18,6 +18,7 @@

 #include <string>
 #include <memory>
+#include <utility>

 #include "src/operators/operator.h"
 #include "modsecurity/rule_message.h"
@@ -28,10 +29,9 @@ namespace operators {
 class ContainsWord : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    ContainsWord(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
-    explicit ContainsWord(std::string param)
-        : Operator("ContainsWord", param) { }
+    explicit ContainsWord(std::unique_ptr<RunTimeString> param)
+        : Operator("ContainsWord", std::move(param)) { }
+
    bool evaluate(Transaction *transaction, Rule *rule,
        const std::string &str,
        std::shared_ptr<RuleMessage> ruleMessage) override;
--- a/src/operators/detect_sqli.h
+++ b/src/operators/detect_sqli.h
@@ -27,10 +27,6 @@ namespace operators {
 class DetectSQLi : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    DetectSQLi(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) {
-            m_match_message.assign("detected SQLi using libinjection.");
-        }
    DetectSQLi()
        : Operator("DetectSQLi") {
            m_match_message.assign("detected SQLi using libinjection.");
--- a/src/operators/detect_xss.h
+++ b/src/operators/detect_xss.h
@@ -26,10 +26,6 @@ namespace operators {
 class DetectXSS : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    DetectXSS(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) {
-            m_match_message.assign("detected XSS using libinjection.");
-        }
    DetectXSS()
        : Operator("DetectXSS") {
            m_match_message.assign("detected XSS using libinjection.");
--- a/src/operators/ends_with.cc
+++ b/src/operators/ends_with.cc
@@ -27,7 +27,7 @@ namespace operators {
 bool EndsWith::evaluate(Transaction *transaction, Rule *rule,
    const std::string &input, std::shared_ptr<RuleMessage> ruleMessage) {
    bool ret = false;
-    std::string p = MacroExpansion::expand(m_param, transaction);
+    std::string p(m_string->evaluate(transaction));

    if (input.length() >= p.length()) {
        ret = (0 == input.compare(input.length() - p.length(),
--- a/src/operators/ends_with.h
+++ b/src/operators/ends_with.h
@@ -18,6 +18,7 @@

 #include <string>
 #include <memory>
+#include <utility>

 #include "src/operators/operator.h"

@@ -28,10 +29,10 @@ namespace operators {
 class EndsWith : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    EndsWith(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
-    explicit EndsWith(std::string param)
-        : Operator("EndsWith", param) { }
+    explicit EndsWith(std::unique_ptr<RunTimeString> param)
+        : Operator("EndsWith", std::move(param)) {
+            m_couldContainsMacro = true;
+        }
    bool evaluate(Transaction *transaction, Rule *rule,
        const std::string &str,
        std::shared_ptr<RuleMessage> ruleMessage) override;
--- a/src/operators/eq.cc
+++ b/src/operators/eq.cc
@@ -27,8 +27,7 @@ namespace operators {
 bool Eq::evaluate(Transaction *transaction, const std::string &input) {
    int p = 0;
    int i = 0;
-    bool eq = false;
-    std::string pt = MacroExpansion::expand(m_param, transaction);
+    std::string pt(m_string->evaluate(transaction));

    try {
        p = std::stoi(pt);
@@ -41,9 +40,7 @@ bool Eq::evaluate(Transaction *transaction, const std::string &input) {
        i = 0;
    }

-    eq = p == i;
-
-    return eq;
+    return p == i;
 }


--- a/src/operators/eq.h
+++ b/src/operators/eq.h
@@ -17,6 +17,8 @@
 #define SRC_OPERATORS_EQ_H_

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/operator.h"

@@ -27,10 +29,8 @@ namespace operators {
 class Eq : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    Eq(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
-    explicit Eq(std::string param)
-        : Operator("Eq", param) { }
+    explicit Eq(std::unique_ptr<RunTimeString> param)
+        : Operator("Eq", std::move(param)) { }
    bool evaluate(Transaction *transaction, const std::string &input) override;
 };

--- a/src/operators/fuzzy_hash.h
+++ b/src/operators/fuzzy_hash.h
@@ -17,6 +17,8 @@
 #define SRC_OPERATORS_FUZZY_HASH_H_

 #include <string>
+#include <memory>
+#include <utility>

 #ifdef WITH_SSDEEP
 #include <fuzzy.h>
@@ -36,12 +38,8 @@ struct fuzzy_hash_chunk {
 class FuzzyHash : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    FuzzyHash(std::string o, std::string p, bool n)
-        : Operator(o, p, n),
-        m_head(NULL),
-        m_threshold(0) { }
-    explicit FuzzyHash(std::string param)
-        : Operator("FuzzyHash", param),
+    explicit FuzzyHash(std::unique_ptr<RunTimeString> param)
+        : Operator("FuzzyHash", std::move(param)),
        m_head(NULL),
        m_threshold(0) { }
    ~FuzzyHash();
--- a/src/operators/ge.cc
+++ b/src/operators/ge.cc
@@ -24,8 +24,8 @@ namespace modsecurity {
 namespace operators {

 bool Ge::evaluate(Transaction *transaction, const std::string &input) {
-    std::string p = MacroExpansion::expand(m_param, transaction);
-    std::string i = MacroExpansion::expand(input, transaction);
+    std::string p(m_string->evaluate(transaction));
+    std::string i = input;

    bool ge = atoll(i.c_str()) >= atoll(p.c_str());

--- a/src/operators/ge.h
+++ b/src/operators/ge.h
@@ -17,20 +17,21 @@
 #define SRC_OPERATORS_GE_H_

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/operator.h"

-
 namespace modsecurity {
 namespace operators {

 class Ge : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    Ge(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
-    explicit Ge(std::string param)
-        : Operator("Ge", param) { }
+    explicit Ge(std::unique_ptr<RunTimeString> param)
+        : Operator("Ge", std::move(param)) {
+            m_couldContainsMacro = true;
+        }
    bool evaluate(Transaction *transaction, const std::string &input) override;
 };

--- a/src/operators/geo_lookup.h
+++ b/src/operators/geo_lookup.h
@@ -27,10 +27,6 @@ namespace operators {
 class GeoLookup : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    GeoLookup(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
-    explicit GeoLookup(std::string param)
-        : Operator("GeoLookup", param) { }
    GeoLookup()
        : Operator("GeoLookup") { }
    bool evaluate(Transaction *transaction, const std::string &exp) override;
--- a/src/operators/gsblookup.h
+++ b/src/operators/gsblookup.h
@@ -17,6 +17,8 @@
 #define SRC_OPERATORS_GSBLOOKUP_H_

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/operator.h"

@@ -26,10 +28,8 @@ namespace operators {
 class GsbLookup : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    GsbLookup(std::string o, std::string p, bool n)
-        : Operator(o, p, n) { }
-    explicit GsbLookup(std::string param)
-        : Operator("GsbLookup", param) { }
+    explicit GsbLookup(std::unique_ptr<RunTimeString> param)
+        : Operator("GsbLookup", std::move(param)) { }

    bool evaluate(Transaction *transaction, const std::string &str);
 };
--- a/src/operators/gt.cc
+++ b/src/operators/gt.cc
@@ -24,7 +24,7 @@ namespace modsecurity {
 namespace operators {

 bool Gt::evaluate(Transaction *transaction, const std::string &input) {
-    std::string p = MacroExpansion::expand(m_param, transaction);
+    std::string p(m_string->evaluate(transaction));

    bool gt = atoll(input.c_str()) > atoll(p.c_str());

--- a/src/operators/gt.h
+++ b/src/operators/gt.h
@@ -17,6 +17,8 @@
 #define SRC_OPERATORS_GT_H_

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/operator.h"

@@ -27,10 +29,10 @@ namespace operators {
 class Gt : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    Gt(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
-    explicit Gt(std::string param)
-        : Operator("Gt", param) { }
+    explicit Gt(std::unique_ptr<RunTimeString> param)
+        : Operator("Gt", std::move(param)) {
+            m_couldContainsMacro = true;
+        }
    bool evaluate(Transaction *transaction, const std::string &input) override;
 };

--- a/src/operators/inspect_file.h
+++ b/src/operators/inspect_file.h
@@ -17,6 +17,8 @@
 #define SRC_OPERATORS_INSPECT_FILE_H_

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/operator.h"
 #include "src/engine/lua.h"
@@ -28,12 +30,8 @@ namespace operators {
 class InspectFile : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    InspectFile(std::string o, std::string p, bool n)
-        : Operator(o, p, n),
-        m_file(""),
-        m_isScript(false) { }
-    explicit InspectFile(std::string param)
-        : Operator("InspectFile", param),
+    explicit InspectFile(std::unique_ptr<RunTimeString> param)
+        : Operator("InspectFile", std::move(param)),
        m_file(""),
        m_isScript(false) { }

--- a/src/operators/ip_match.h
+++ b/src/operators/ip_match.h
@@ -17,6 +17,8 @@
 #define SRC_OPERATORS_IP_MATCH_H_

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/operator.h"
 #include "src/utils/ip_tree.h"
@@ -27,12 +29,11 @@ namespace operators {
 class IpMatch : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    IpMatch(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
-    IpMatch(std::string op, std::string param)
-        : Operator(op, param) { }
-    explicit IpMatch(std::string param)
-        : Operator("IpMatch", param) { }
+    explicit IpMatch(std::unique_ptr<RunTimeString> param)
+        : Operator("IpMatch", std::move(param)) { }
+    IpMatch(std::string n, std::unique_ptr<RunTimeString> param)
+        : Operator(n, std::move(param)) { }
+
    bool evaluate(Transaction *transaction, const std::string &input) override;

    bool init(const std::string &file, std::string *error) override;
--- a/src/operators/ip_match_f.h
+++ b/src/operators/ip_match_f.h
@@ -17,6 +17,8 @@
 #define SRC_OPERATORS_IP_MATCH_F_H_

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/ip_match_from_file.h"

@@ -26,10 +28,8 @@ namespace operators {

 class IpMatchF : public IpMatchFromFile {
 public:
-    IpMatchF(std::string op, std::string param, bool negation)
-        : IpMatchFromFile(op, param, negation) { }
-    explicit IpMatchF(std::string param)
-        : IpMatchFromFile("IpMatchFromF", param) { }
+    explicit IpMatchF(std::unique_ptr<RunTimeString> param)
+        : IpMatchFromFile(std::move(param)) { }
 };

 }  // namespace operators
--- a/src/operators/ip_match_from_file.h
+++ b/src/operators/ip_match_from_file.h
@@ -16,6 +16,8 @@
 #define SRC_OPERATORS_IP_MATCH_FROM_FILE_H_

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/ip_match.h"

@@ -25,13 +27,10 @@ namespace operators {
 class IpMatchFromFile : public IpMatch {
 public:
    /** @ingroup ModSecurity_Operator */
-    IpMatchFromFile(std::string op, std::string param, bool negation)
-        : IpMatch(op, param, negation) { }
-    IpMatchFromFile(std::string op, std::string param)
-        : IpMatch(op, param) { }
-    explicit IpMatchFromFile(std::string param)
-        : IpMatch("IpMatchFromFile", param) { }
-
+    explicit IpMatchFromFile(std::unique_ptr<RunTimeString> param)
+        : IpMatch("IpMatchFromFile", std::move(param)) { }
+    IpMatchFromFile(std::string n, std::unique_ptr<RunTimeString> param)
+        : IpMatch(n, std::move(param)) { }
    bool init(const std::string& file, std::string *error) override;
 };

--- a/src/operators/le.cc
+++ b/src/operators/le.cc
@@ -24,7 +24,7 @@ namespace modsecurity {
 namespace operators {

 bool Le::evaluate(Transaction *transaction, const std::string &input) {
-    std::string p = MacroExpansion::expand(m_param, transaction);
+    std::string p(m_string->evaluate(transaction));

    bool le = atoll(input.c_str()) <= atoll(p.c_str());

--- a/src/operators/le.h
+++ b/src/operators/le.h
@@ -17,6 +17,8 @@
 #define SRC_OPERATORS_LE_H_

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/operator.h"

@@ -27,10 +29,10 @@ namespace operators {
 class Le : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    Le(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
-    explicit Le(std::string param)
-        : Operator("Le", param) { }
+    explicit Le(std::unique_ptr<RunTimeString> param)
+        : Operator("Le", std::move(param)) {
+            m_couldContainsMacro = true;
+        }

    bool evaluate(Transaction *transaction, const std::string &input) override;
 };
--- a/src/operators/lt.cc
+++ b/src/operators/lt.cc
@@ -24,7 +24,7 @@ namespace modsecurity {
 namespace operators {

 bool Lt::evaluate(Transaction *transaction, const std::string &input) {
-    std::string p = MacroExpansion::expand(m_param, transaction);
+    std::string p(m_string->evaluate(transaction));

    bool lt = atoll(input.c_str()) < atoll(p.c_str());

--- a/src/operators/lt.h
+++ b/src/operators/lt.h
@@ -17,6 +17,8 @@
 #define SRC_OPERATORS_LT_H_

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/operator.h"

@@ -27,10 +29,10 @@ namespace operators {
 class Lt : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    Lt(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
-    explicit Lt(std::string param)
-        : Operator("Lt", param) { }
+    explicit Lt(std::unique_ptr<RunTimeString> param)
+        : Operator("Lt", std::move(param)) {
+             m_couldContainsMacro = true;
+        }

    bool evaluate(Transaction *transaction, const std::string &input) override;
 };
--- a/src/operators/no_match.h
+++ b/src/operators/no_match.h
@@ -29,8 +29,6 @@ namespace operators {
 class NoMatch : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    NoMatch(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
    NoMatch()
        : Operator("NoMatch") { }

--- a/src/operators/operator.cc
+++ b/src/operators/operator.cc
@@ -20,7 +20,7 @@
 #include <string>

 #include "modsecurity/transaction.h"
-
+#include "src/run_time_string.h"
 #include "src/utils/string.h"
 #include "src/operators/begins_with.h"
 #include "src/operators/contains.h"
@@ -109,6 +109,34 @@ bool Operator::evaluateInternal(Transaction *transaction,
 }


+std::string Operator::resolveMatchMessage(Transaction *t,
+    std::string key, std::string value) {
+    std::string ret = m_match_message;
+
+    if (ret.empty() == true) {
+        if (m_couldContainsMacro == false) {
+            ret = "Matched \"Operator `" + m_op + "' with parameter `" +
+                utils::string::limitTo(200, m_param) +
+                "' against variable `" + key + "' (Value: `" +
+                utils::string::limitTo(100,
+                    utils::string::toHexIfNeeded(value)) + \
+                "' )";
+        } else {
+            std::string p(m_string->evaluate(t));
+            ret = "Matched \"Operator `" + m_op + "' with parameter `" +
+                utils::string::limitTo(200, p) +
+                "' against variable `" + key + "' (Value: `" +
+                utils::string::limitTo(100,
+                    utils::string::toHexIfNeeded(value)) +
+                "' )";
+        }
+    }
+
+
+    return ret;
+}
+
+
 bool Operator::evaluate(Transaction *transaction, const std::string& a) {
 #ifndef NO_LOGS
    if (transaction) {
@@ -120,61 +148,62 @@ bool Operator::evaluate(Transaction *transaction, const std::string& a) {
    return true;
 }

-Operator *Operator::instantiate(std::string op, std::string param) {
+Operator *Operator::instantiate(std::string op, std::string param_str) {
    std::string op_ = utils::string::tolower(op);
+    std::unique_ptr<RunTimeString> param(new RunTimeString());
+    param->appendText(param_str);

-    IF_MATCH(beginswith) { return new BeginsWith(param); }
-    IF_MATCH(contains) { return new Contains(param); }
-    IF_MATCH(containsword) { return new ContainsWord(param); }
+    IF_MATCH(beginswith) { return new BeginsWith(std::move(param)); }
+    IF_MATCH(contains) { return new Contains(std::move(param)); }
+    IF_MATCH(containsword) { return new ContainsWord(std::move(param)); }
    IF_MATCH(detectsqli) { return new DetectSQLi(); }
    IF_MATCH(detectxss) { return new DetectXSS(); }
-    IF_MATCH(endswith) { return new EndsWith(param); }
-    IF_MATCH(eq) { return new Eq(param); }
-    IF_MATCH(fuzzyhash) { return new FuzzyHash(param); }
-    IF_MATCH(geolookup) { return new GeoLookup(param); }
-    IF_MATCH(ge) { return new Ge(param); }
-    IF_MATCH(gsblookup) { return new GsbLookup(param); }
-    IF_MATCH(gt) { return new Gt(param); }
-    IF_MATCH(inspectfile) { return new InspectFile(param); }
-    IF_MATCH(ipmatchf) { return new IpMatchF(param); }
+    IF_MATCH(endswith) { return new EndsWith(std::move(param)); }
+    IF_MATCH(eq) { return new Eq(std::move(param)); }
+    IF_MATCH(fuzzyhash) { return new FuzzyHash(std::move(param)); }
+    IF_MATCH(geolookup) { return new GeoLookup(); }
+    IF_MATCH(ge) { return new Ge(std::move(param)); }
+    IF_MATCH(gsblookup) { return new GsbLookup(std::move(param)); }
+    IF_MATCH(gt) { return new Gt(std::move(param)); }
+    IF_MATCH(inspectfile) { return new InspectFile(std::move(param)); }
+    IF_MATCH(ipmatchf) { return new IpMatchF(std::move(param)); }
    IF_MATCH(ipmatchfromfile) {
-        return new IpMatchFromFile(param);
+        return new IpMatchFromFile(std::move(param));
    }
-    IF_MATCH(ipmatch) { return new IpMatch(param); }
-    IF_MATCH(le) { return new Le(param); }
-    IF_MATCH(lt) { return new Lt(param); }
+    IF_MATCH(ipmatch) { return new IpMatch(std::move(param)); }
+    IF_MATCH(le) { return new Le(std::move(param)); }
+    IF_MATCH(lt) { return new Lt(std::move(param)); }
    IF_MATCH(nomatch) { return new NoMatch(); }
-    IF_MATCH(pmfromfile) { return new PmFromFile(param); }
-    IF_MATCH(pmf) { return new PmF(param); }
-    IF_MATCH(pm) { return new Pm(param); }
-    IF_MATCH(rbl) { return new Rbl(param); }
-    IF_MATCH(rsub) { return new Rsub(param); }
-    IF_MATCH(rx) { return new Rx(param); }
-    IF_MATCH(streq) { return new StrEq(param); }
-    IF_MATCH(strmatch) { return new StrMatch(param); }
+    IF_MATCH(pmfromfile) { return new PmFromFile(std::move(param)); }
+    IF_MATCH(pmf) { return new PmF(std::move(param)); }
+    IF_MATCH(pm) { return new Pm(std::move(param)); }
+    IF_MATCH(rbl) { return new Rbl(std::move(param)); }
+    IF_MATCH(rsub) { return new Rsub(std::move(param)); }
+    IF_MATCH(rx) { return new Rx(std::move(param)); }
+    IF_MATCH(streq) { return new StrEq(std::move(param)); }
+    IF_MATCH(strmatch) { return new StrMatch(std::move(param)); }
    IF_MATCH(validatebyterange) {
-        return new ValidateByteRange(param);
+        return new ValidateByteRange(std::move(param));
    }
-    IF_MATCH(validatedtd) { return new ValidateDTD(param); }
-    IF_MATCH(validatehash) { return new ValidateHash(param); }
-    IF_MATCH(validateschema) { return new ValidateSchema(param); }
+    IF_MATCH(validatedtd) { return new ValidateDTD(std::move(param)); }
+    IF_MATCH(validatehash) { return new ValidateHash(std::move(param)); }
+    IF_MATCH(validateschema) { return new ValidateSchema(std::move(param)); }
    IF_MATCH(validateurlencoding) {
        return new ValidateUrlEncoding();
    }
    IF_MATCH(validateutf8encoding) {
        return new ValidateUtf8Encoding();
    }
-    IF_MATCH(verifycc) { return new VerifyCC(param); }
-    IF_MATCH(verifycpf) { return new VerifyCPF(param); }
-    IF_MATCH(verifyssn) { return new VerifySSN(param); }
-    IF_MATCH(within) { return new Within(param); }
+    IF_MATCH(verifycc) { return new VerifyCC(std::move(param)); }
+    IF_MATCH(verifycpf) { return new VerifyCPF(std::move(param)); }
+    IF_MATCH(verifyssn) { return new VerifySSN(std::move(param)); }
+    IF_MATCH(within) { return new Within(std::move(param)); }

    IF_MATCH(unconditionalmatch) {
        return new UnconditionalMatch();
    }

-
-    return new Operator(param);
+    std::invalid_argument("Operator not found.");
 }

 }  // namespace operators
--- a/src/operators/operator.h
+++ b/src/operators/operator.h
@@ -15,6 +15,7 @@

 #include <string>
 #include <memory>
+#include <utility>

 #ifndef SRC_OPERATORS_OPERATOR_H__
 #define SRC_OPERATORS_OPERATOR_H__
@@ -22,6 +23,7 @@
 #include "modsecurity/transaction.h"
 #include "modsecurity/rule.h"
 #include "modsecurity/rule_message.h"
+#include "src/run_time_string.h"

 namespace modsecurity {
 namespace operators {
@@ -33,25 +35,70 @@ class Operator {
        : m_match_message(""),
        m_negation(false),
        m_op(""),
-        m_param("") { }
+        m_param(""),
+        m_couldContainsMacro(false) {
+            if (m_couldContainsMacro == false && m_string) {
+                m_param = m_string->evaluate();
+            }
+        }

    Operator(std::string opName, std::string param, bool negation)
        : m_match_message(""),
        m_negation(negation),
        m_op(opName),
-        m_param(param) { }
+        m_param(param),
+        m_couldContainsMacro(false) {
+            if (m_couldContainsMacro == false && m_string) {
+                m_param = m_string->evaluate();
+            }
+        }
+
+    Operator(std::string opName, std::unique_ptr<RunTimeString> param,
+        bool negation)
+        : m_match_message(""),
+        m_negation(negation),
+        m_op(opName),
+        m_param(""),
+        m_string(std::move(param)),
+        m_couldContainsMacro(false) {
+            if (m_couldContainsMacro == false && m_string) {
+                m_param = m_string->evaluate();
+            }
+        }

    Operator(std::string opName, std::string param)
        : m_match_message(""),
        m_negation(false),
        m_op(opName),
-        m_param(param) { }
+        m_param(param),
+        m_couldContainsMacro(false) {
+            if (m_couldContainsMacro == false && m_string) {
+                m_param = m_string->evaluate();
+            }
+        }
+
+    Operator(std::string opName, std::unique_ptr<RunTimeString> param)
+        : m_match_message(""),
+        m_negation(false),
+        m_op(opName),
+        m_param(""),
+        m_string(std::move(param)),
+        m_couldContainsMacro(false) {
+            if (m_couldContainsMacro == false && m_string) {
+                m_param = m_string->evaluate();
+            }
+        }

    explicit Operator(std::string opName)
        : m_match_message(""),
        m_negation(false),
        m_op(opName),
-        m_param() { }
+        m_param(),
+        m_couldContainsMacro(false) {
+            if (m_couldContainsMacro == false && m_string) {
+                m_param = m_string->evaluate();
+            }
+        }

    virtual ~Operator() { }
    static Operator *instantiate(std::string opName, std::string param);
@@ -60,6 +107,9 @@ class Operator {
        return true;
    }

+    virtual std::string resolveMatchMessage(Transaction *t,
+        std::string key, std::string value);
+
    bool evaluateInternal(Transaction *t, const std::string& a);
    bool evaluateInternal(Transaction *t, Rule *rule,
        const std::string& a);
@@ -90,6 +140,8 @@ class Operator {
    bool m_negation;
    std::string m_op;
    std::string m_param;
+    std::unique_ptr<RunTimeString> m_string;
+    bool m_couldContainsMacro;

 protected:
    bool debug(Transaction *transaction, int x, std::string a);
--- a/src/operators/pm.h
+++ b/src/operators/pm.h
@@ -19,6 +19,7 @@
 #include <string>
 #include <list>
 #include <memory>
+#include <utility>

 #include "src/operators/operator.h"
 #include "src/utils/acmp.h"
@@ -31,16 +32,12 @@ namespace operators {
 class Pm : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    Pm(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) {
+    explicit Pm(std::unique_ptr<RunTimeString> param)
+        : Operator("Pm", std::move(param)) {
        m_p = acmp_create(0);
    }
-    Pm(std::string op, std::string param)
-        : Operator(op, param) {
-        m_p = acmp_create(0);
-    }
-    explicit Pm(std::string param)
-        : Operator("Pm", param) {
+    explicit Pm(std::string n, std::unique_ptr<RunTimeString> param)
+        : Operator(n, std::move(param)) {
        m_p = acmp_create(0);
    }
    ~Pm();
--- a/src/operators/pm_f.h
+++ b/src/operators/pm_f.h
@@ -17,6 +17,8 @@
 #define SRC_OPERATORS_PM_F_H_

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/pm_from_file.h"

@@ -28,10 +30,8 @@ namespace operators {
 class PmF : public PmFromFile {
 public:
    /** @ingroup ModSecurity_Operator */
-    PmF(std::string op, std::string param, bool negation)
-        : PmFromFile(op, param, negation) { }
-    explicit PmF(std::string param)
-        : PmFromFile("PmFromF", param) { }
+    explicit PmF(std::unique_ptr<RunTimeString> param)
+        : PmFromFile("PmFromF", std::move(param)) { }
 };


--- a/src/operators/pm_from_file.h
+++ b/src/operators/pm_from_file.h
@@ -17,6 +17,8 @@
 #define SRC_OPERATORS_PM_FROM_FILE_H_

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/pm.h"

@@ -28,12 +30,11 @@ namespace operators {
 class PmFromFile : public Pm {
 public:
    /** @ingroup ModSecurity_Operator */
-    PmFromFile(std::string op, std::string param, bool negation)
-        : Pm(op, param, negation) { }
-    PmFromFile(std::string op, std::string param)
-        : Pm(op, param) { }
-    explicit PmFromFile(std::string param)
-        : Pm("PmFromFile", param) { }
+    explicit PmFromFile(std::unique_ptr<RunTimeString> param)
+        : Pm("PmFromFile", std::move(param)) { }
+    explicit PmFromFile(std::string n, std::unique_ptr<RunTimeString> param)
+        : Pm(n, std::move(param)) { }
+
    bool init(const std::string &file, std::string *error) override;
 };

--- a/src/operators/rbl.h
+++ b/src/operators/rbl.h
@@ -23,6 +23,8 @@
 #include <arpa/inet.h>

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/operator.h"

@@ -59,24 +61,10 @@ class Rbl : public Operator {
    };

    /** @ingroup ModSecurity_Operator */
-    Rbl(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation),
-        m_service(param),
-        m_demandsPassword(false) {
-            m_provider = RblProvider::UnknownProvider;
-            if (m_service.find("httpbl.org") != std::string::npos) {
-                m_demandsPassword = true;
-                m_provider = RblProvider::httpbl;
-            } else if (m_service.find("uribl.com") != std::string::npos) {
-                m_provider = RblProvider::httpbl;
-            } else if (m_service.find("spamhaus.org") != std::string::npos) {
-                m_provider = RblProvider::httpbl;
-            }
-        }
-    explicit Rbl(std::string param)
-        : Operator("Rbl", param),
-        m_service(param),
+    explicit Rbl(std::unique_ptr<RunTimeString> param)
+        : Operator("Rbl", std::move(param)),
        m_demandsPassword(false) {
+            m_service = m_string->evaluate();
            m_provider = RblProvider::UnknownProvider;
            if (m_service.find("httpbl.org") != std::string::npos) {
                m_demandsPassword = true;
--- a/src/operators/rsub.h
+++ b/src/operators/rsub.h
@@ -17,6 +17,8 @@
 #define SRC_OPERATORS_RSUB_H_

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/operator.h"

@@ -28,10 +30,8 @@ namespace operators {
 class Rsub : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    Rsub(std::string o, std::string p, bool n)
-        : Operator(o, p, n) { }
-    explicit Rsub(std::string param)
-        : Operator("Rsub", param) { }
+    explicit Rsub(std::unique_ptr<RunTimeString> param)
+        : Operator("Rsub", std::move(param)) { }
    bool evaluate(Transaction *transaction, const std::string  &str) override;
 };

--- a/src/operators/rx.cc
+++ b/src/operators/rx.cc
@@ -29,8 +29,7 @@ namespace operators {


 bool Rx::init(const std::string &arg, std::string *error) {
-    m_containsMacro = MacroExpansion::containsMacro(m_param);
-    if (m_containsMacro == false) {
+    if (m_string->m_containsMacro == false) {
        m_re = new Regex(m_param);
    }

@@ -44,12 +43,12 @@ bool Rx::evaluate(Transaction *transaction, Rule *rule,
    std::list<SMatch> matches;
    Regex *re;

-    if (m_param.empty()) {
+    if (m_param.empty() && !m_string->m_containsMacro) {
        return true;
    }

-    if (m_containsMacro) {
-        std::string eparam = MacroExpansion::expand(m_param, transaction);
+    if (m_string->m_containsMacro) {
+        std::string eparam(m_string->evaluate(transaction));
        re = new Regex(eparam);
    } else {
        re = m_re;
@@ -75,7 +74,7 @@ bool Rx::evaluate(Transaction *transaction, Rule *rule,
        logOffset(ruleMessage, i.m_offset, i.m_length);
    }

-    if (m_containsMacro) {
+    if (m_string->m_containsMacro) {
        delete re;
    }

--- a/src/operators/rx.h
+++ b/src/operators/rx.h
@@ -19,6 +19,7 @@
 #include <string>
 #include <list>
 #include <memory>
+#include <utility>

 #include "src/operators/operator.h"
 #include "src/utils/regex.h"
@@ -35,21 +36,13 @@ namespace operators {
 class Rx : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    Rx(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation),
-        m_containsMacro(false) {
+    explicit Rx(std::unique_ptr<RunTimeString> param)
+        : Operator("Rx", std::move(param)) {
+            m_couldContainsMacro = true;
        }
-    Rx(std::string name, std::string param)
-        : Operator(name, param),
-        m_containsMacro(false) {
-    }
-    explicit Rx(std::string param)
-        : Operator("Rx", param),
-        m_containsMacro(false) {
-    }

    ~Rx() {
-        if (m_containsMacro == false && m_re != NULL) {
+        if (m_string->m_containsMacro == false && m_re != NULL) {
            delete m_re;
            m_re = NULL;
        }
@@ -68,8 +61,8 @@ class Rx : public Operator {
        std::shared_ptr<RuleMessage> ruleMessage) override;

    bool init(const std::string &arg, std::string *error);
+
 private:
-    bool m_containsMacro;
    Regex *m_re;
 };

--- a/src/operators/str_eq.cc
+++ b/src/operators/str_eq.cc
@@ -22,10 +22,8 @@ namespace modsecurity {
 namespace operators {

 bool StrEq::evaluate(Transaction *transaction, const std::string &str) {
-    std::string p = MacroExpansion::expand(m_param, transaction);
-    bool eq = !p.compare(str);
-
-    return eq;
+    std::string pt(m_string->evaluate(transaction));
+    return !pt.compare(str);
 }


--- a/src/operators/str_eq.h
+++ b/src/operators/str_eq.h
@@ -14,6 +14,8 @@
 */

 #include <string>
+#include <memory>
+#include <utility>

 #include "modsecurity/transaction.h"
 #include "src/operators/operator.h"
@@ -29,10 +31,8 @@ namespace operators {
 class StrEq : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    StrEq(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
-    explicit StrEq(std::string param)
-        : Operator("StrEq", param) { }
+    explicit StrEq(std::unique_ptr<RunTimeString> param)
+        : Operator("StrEq", std::move(param)) { }

    bool evaluate(Transaction *transaction, const std::string &str) override;
 };
--- a/src/operators/str_match.cc
+++ b/src/operators/str_match.cc
@@ -25,7 +25,7 @@ namespace operators {


 bool StrMatch::evaluate(Transaction *transaction, const std::string &input) {
-    std::string p = MacroExpansion::expand(m_param, transaction);
+    std::string p(m_string->evaluate(transaction));
    bool ret = input.find(p) != std::string::npos;

    return ret;
--- a/src/operators/str_match.h
+++ b/src/operators/str_match.h
@@ -17,6 +17,8 @@
 #define SRC_OPERATORS_STR_MATCH_H_

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/operator.h"

@@ -27,10 +29,10 @@ namespace operators {
 class StrMatch : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    StrMatch(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
-    explicit StrMatch(std::string param)
-        : Operator("StrMatch", param) { }
+    explicit StrMatch(std::unique_ptr<RunTimeString> param)
+        : Operator("StrMatch", std::move(param)) {
+            m_couldContainsMacro = true;
+        }

    bool evaluate(Transaction *transaction, const std::string &input) override;
 };
--- a/src/operators/unconditional_match.h
+++ b/src/operators/unconditional_match.h
@@ -28,8 +28,6 @@ namespace operators {
 class UnconditionalMatch : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    UnconditionalMatch(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
    UnconditionalMatch()
        : Operator("UnconditionalMatch") { }

--- a/src/operators/validate_byte_range.h
+++ b/src/operators/validate_byte_range.h
@@ -20,6 +20,7 @@
 #include <vector>
 #include <cstring>
 #include <memory>
+#include <utility>

 #include "src/operators/operator.h"

@@ -30,12 +31,8 @@ namespace operators {
 class ValidateByteRange : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    ValidateByteRange(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) {
-            std::memset(table, '\0', sizeof(char) * 32);
-        }
-    explicit ValidateByteRange(std::string param)
-        : Operator("ValidadeByteRange", param) {
+    explicit ValidateByteRange(std::unique_ptr<RunTimeString> param)
+        : Operator("ValidadeByteRange", std::move(param)) {
            std::memset(table, '\0', sizeof(char) * 32);
        }
    ~ValidateByteRange() override { }
--- a/src/operators/validate_dtd.h
+++ b/src/operators/validate_dtd.h
@@ -23,6 +23,8 @@
 #include <libxml/xpath.h>

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/operator.h"

@@ -33,11 +35,8 @@ namespace operators {
 class ValidateDTD : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    ValidateDTD(std::string o, std::string p, bool i)
-        : Operator(o, p, i),
-        m_dtd(NULL) { }
-    explicit ValidateDTD(std::string param)
-        : Operator("ValidateDTD", param) { }
+    explicit ValidateDTD(std::unique_ptr<RunTimeString> param)
+        : Operator("ValidateDTD", std::move(param)) { }
    ~ValidateDTD() {
        if (m_dtd != NULL) {
            xmlFreeDtd(m_dtd);
--- a/src/operators/validate_hash.h
+++ b/src/operators/validate_hash.h
@@ -17,6 +17,8 @@
 #define SRC_OPERATORS_VALIDATE_HASH_H_

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/operator.h"

@@ -27,10 +29,8 @@ namespace operators {
 class ValidateHash : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    ValidateHash(std::string o, std::string p, bool n)
-        : Operator(o, p, n) { }
-    explicit ValidateHash(std::string param)
-        : Operator("ValidateHash", param) { }
+    explicit ValidateHash(std::unique_ptr<RunTimeString> param)
+        : Operator("ValidateHash", std::move(param)) { }
    bool evaluate(Transaction *transaction, const std::string  &str) override;
 };

--- a/src/operators/validate_schema.h
+++ b/src/operators/validate_schema.h
@@ -23,6 +23,8 @@
 #include <libxml/xpath.h>

 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/operator.h"

@@ -33,13 +35,8 @@ namespace operators {
 class ValidateSchema : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    ValidateSchema(std::string o, std::string p, bool i)
-        : Operator(o, p, i),
-        m_parserCtx(NULL),
-        m_validCtx(NULL),
-        m_schema(NULL) { }
-    explicit ValidateSchema(std::string param)
-        : Operator("ValidateSchema", param),
+    explicit ValidateSchema(std::unique_ptr<RunTimeString> param)
+        : Operator("ValidateSchema", std::move(param)),
        m_parserCtx(NULL),
        m_validCtx(NULL),
        m_schema(NULL) { }
--- a/src/operators/validate_url_encoding.h
+++ b/src/operators/validate_url_encoding.h
@@ -28,8 +28,6 @@ namespace operators {
 class ValidateUrlEncoding : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    ValidateUrlEncoding(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
    ValidateUrlEncoding()
        : Operator("ValidateUrlEncoding") { }

--- a/src/operators/validate_utf8_encoding.h
+++ b/src/operators/validate_utf8_encoding.h
@@ -35,8 +35,6 @@ namespace operators {
 class ValidateUtf8Encoding : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    ValidateUtf8Encoding(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
    ValidateUtf8Encoding()
        : Operator("ValidateUtf8Encoding") { }

--- a/src/operators/verify_cc.h
+++ b/src/operators/verify_cc.h
@@ -18,6 +18,8 @@

 #include <pcre.h>
 #include <string>
+#include <memory>
+#include <utility>

 #include "src/operators/operator.h"

@@ -27,12 +29,8 @@ namespace operators {
 class VerifyCC : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    VerifyCC(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation),
-        m_pc(NULL),
-        m_pce(NULL) { }
-    explicit VerifyCC(std::string param)
-        : Operator("VerifyCC", param),
+    explicit VerifyCC(std::unique_ptr<RunTimeString> param)
+        : Operator("VerifyCC", std::move(param)),
        m_pc(NULL),
        m_pce(NULL) { }
    ~VerifyCC();
--- a/src/operators/verify_cpf.h
+++ b/src/operators/verify_cpf.h
@@ -18,6 +18,7 @@

 #include <string>
 #include <memory>
+#include <utility>

 #include "src/operators/operator.h"
 #include "src/utils/regex.h"
@@ -33,17 +34,9 @@ namespace operators {
 class VerifyCPF : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    VerifyCPF(std::string o, std::string p, bool n)
-        : Operator(o, p, n) {
-        m_re = new Regex(p);
-    }
-    VerifyCPF(std::string name, std::string param)
-        : Operator(name, param) {
-        m_re = new Regex(param);
-    }
-    explicit VerifyCPF(std::string param)
-        : Operator("VerifyCPF", param) {
-        m_re = new Regex(param);
+    explicit VerifyCPF(std::unique_ptr<RunTimeString> param)
+        : Operator("VerifyCPF", std::move(param)) {
+        m_re = new Regex(m_param);
    }

    ~VerifyCPF() {
--- a/src/operators/verify_ssn.h
+++ b/src/operators/verify_ssn.h
@@ -18,6 +18,7 @@

 #include <string>
 #include <memory>
+#include <utility>

 #include "src/operators/operator.h"
 #include "src/utils/regex.h"
@@ -33,17 +34,9 @@ namespace operators {
 class VerifySSN : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    VerifySSN(std::string o, std::string p, bool n)
-        : Operator(o, p, n) {
-        m_re = new Regex(p);
-    }
-    VerifySSN(std::string name, std::string param)
-        : Operator(name, param) {
-        m_re = new Regex(param);
-    }
-    explicit VerifySSN(std::string param)
-        : Operator("VerifySSN", param) {
-        m_re = new Regex(param);
+    explicit VerifySSN(std::unique_ptr<RunTimeString> param)
+        : Operator("VerifySSN", std::move(param)) {
+        m_re = new Regex(m_param);
    }

    ~VerifySSN() {
--- a/src/operators/within.cc
+++ b/src/operators/within.cc
@@ -27,8 +27,8 @@ namespace operators {
 bool Within::evaluate(Transaction *transaction, Rule *rule,
    const std::string &str, std::shared_ptr<RuleMessage> ruleMessage) {
    bool res = false;
-    std::string paramTarget = MacroExpansion::expand(m_param, transaction);
    size_t pos = 0;
+    std::string paramTarget(m_string->evaluate(transaction));

    if (str.empty()) {
        return true;
--- a/src/operators/within.h
+++ b/src/operators/within.h
@@ -18,6 +18,7 @@

 #include <string>
 #include <memory>
+#include <utility>

 #include "src/operators/operator.h"

@@ -28,10 +29,10 @@ namespace operators {
 class Within : public Operator {
 public:
    /** @ingroup ModSecurity_Operator */
-    Within(std::string op, std::string param, bool negation)
-        : Operator(op, param, negation) { }
-    explicit Within(std::string param)
-        : Operator("Within", param) { }
+    explicit Within(std::unique_ptr<RunTimeString> param)
+        : Operator("Within", std::move(param)) {
+            m_couldContainsMacro = true;
+        }
    bool evaluate(Transaction *transaction, Rule *rule,
        const std::string &str, std::shared_ptr<RuleMessage> ruleMessage);
 };