Changes from kyprizel.

This commit is contained in:
gregwroblewski
2012-08-30 21:00:49 +00:00
parent 3425aa9b4f
commit a63008b164


@@ -29,47 +29,47 @@
extern ngx_module_t ngx_http_modsecurity_module; extern ngx_module_t ngx_http_modsecurity_module;
typedef struct typedef struct {
{
ngx_log_t *log;
} ngx_http_modsecurity_main_conf_t;
typedef struct
{
ngx_int_t request_processed;
ngx_int_t request_blocked;
ngx_int_t error;
ngx_flag_t enabled; ngx_flag_t enabled;
ngx_str_t config_path; char *config_path;
directory_config *config; directory_config *config;
} ngx_http_modsecurity_loc_conf_t; } ngx_http_modsecurity_loc_conf_t;
typedef struct {
conn_rec *connection;
} ngx_http_modsecurity_ctx_t;
/* /*
** Module's registred function/handlers. ** Module's registred function/handlers.
*/ */
static ngx_int_t ngx_http_modsecurity_access_handler(ngx_http_request_t *r); static ngx_int_t ngx_http_modsecurity_handler(ngx_http_request_t *r);
static ngx_int_t ngx_http_modsecurity_init(ngx_conf_t *cf); static ngx_int_t ngx_http_modsecurity_init(ngx_conf_t *cf);
static ngx_int_t ngx_http_modsecurity_init_process(ngx_cycle_t *cycle); static ngx_int_t ngx_http_modsecurity_init_process(ngx_cycle_t *cycle);
static void ngx_http_modsecurity_exit_process(ngx_cycle_t *cycle); static void ngx_http_modsecurity_exit_process(ngx_cycle_t *cycle);
static void *ngx_http_modsecurity_create_loc_conf(ngx_conf_t *cf); static void *ngx_http_modsecurity_create_loc_conf(ngx_conf_t *cf);
static char *ngx_http_modsecurity_merge_loc_conf(ngx_conf_t *cf, static char *ngx_http_modsecurity_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child);
void *parent, //static ngx_int_t ngx_http_read_request_body(ngx_http_request_t *req, ngx_http_client_body_handler_pt handler);
void *child); static char *ngx_http_modsecurity_set_config(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
static ngx_int_t ngx_http_read_request_body(ngx_http_request_t *req,
ngx_http_client_body_handler_pt handler);
void *ngx_http_modsecurity_create_main_conf(ngx_conf_t *cf);
/* command handled by the module */ /* command handled by the module */
static ngx_command_t ngx_http_modsecurity_commands[] = { static ngx_command_t ngx_http_modsecurity_commands[] = {
{ ngx_string("ModSecurityConfig"), { ngx_string("ModSecurityConfig"),
NGX_HTTP_LOC_CONF|NGX_CONF_1MORE, NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
#ifdef zzz_
ngx_http_modsecurity_set_config,
NGX_HTTP_LOC_CONF_OFFSET,
0,
#else
ngx_conf_set_str_slot, ngx_conf_set_str_slot,
NGX_HTTP_LOC_CONF_OFFSET, NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_modsecurity_loc_conf_t, config_path), offsetof(ngx_http_modsecurity_loc_conf_t, config_path),
#endif
NULL }, NULL },
{ ngx_string("ModSecurityEnabled"), { ngx_string("ModSecurityEnabled"),
NGX_HTTP_LOC_CONF|NGX_CONF_FLAG, NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF
|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_TAKE1,
ngx_conf_set_flag_slot, ngx_conf_set_flag_slot,
NGX_HTTP_LOC_CONF_OFFSET, NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_modsecurity_loc_conf_t, enabled), offsetof(ngx_http_modsecurity_loc_conf_t, enabled),
@@ -84,10 +84,13 @@ static ngx_command_t ngx_http_modsecurity_commands[] = {
static ngx_http_module_t ngx_http_modsecurity_module_ctx = { static ngx_http_module_t ngx_http_modsecurity_module_ctx = {
NULL, /* preconfiguration */ NULL, /* preconfiguration */
ngx_http_modsecurity_init, /* postconfiguration */ ngx_http_modsecurity_init, /* postconfiguration */
ngx_http_modsecurity_create_main_conf, /* create main configuration */
NULL, /* create main configuration */
NULL, /* init main configuration */ NULL, /* init main configuration */
NULL, /* create server configuration */ NULL, /* create server configuration */
NULL, /* merge server configuration */ NULL, /* merge server configuration */
ngx_http_modsecurity_create_loc_conf, /* create location configuration */ ngx_http_modsecurity_create_loc_conf, /* create location configuration */
ngx_http_modsecurity_merge_loc_conf /* merge location configuration */ ngx_http_modsecurity_merge_loc_conf /* merge location configuration */
}; };
@@ -108,34 +111,21 @@ ngx_module_t ngx_http_modsecurity_module = {
NGX_MODULE_V1_PADDING NGX_MODULE_V1_PADDING
}; };
#define DEFAULT_MAX_LOC_T 10 /* create loc conf struct */
void *
ngx_http_modsecurity_create_main_conf(ngx_conf_t *cf)
{
ngx_http_modsecurity_main_conf_t *mc;
mc = ngx_pcalloc(cf->pool, sizeof(ngx_http_modsecurity_main_conf_t));
if (!mc)
return (NGX_CONF_ERROR);
return (mc);
}
/* create log conf struct */
static void * static void *
ngx_http_modsecurity_create_loc_conf(ngx_conf_t *cf) ngx_http_modsecurity_create_loc_conf(ngx_conf_t *cf)
{ {
ngx_http_modsecurity_loc_conf_t *conf; ngx_http_modsecurity_loc_conf_t *conf;
conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_modsecurity_loc_conf_t)); conf = (ngx_http_modsecurity_loc_conf_t *) ngx_pcalloc(cf->pool, sizeof(ngx_http_modsecurity_loc_conf_t));
if (conf == NULL) if (conf == NULL)
return NULL; return NULL;
conf->enabled = NGX_CONF_UNSET; conf->enabled = NGX_CONF_UNSET;
conf->config_path = NULL;
conf->config = NULL;
return (conf); return conf;
} }
/* merge loc conf */ /* merge loc conf */
@@ -146,46 +136,52 @@ ngx_http_modsecurity_merge_loc_conf(ngx_conf_t *cf, void *parent,
ngx_http_modsecurity_loc_conf_t *prev = parent; ngx_http_modsecurity_loc_conf_t *prev = parent;
ngx_http_modsecurity_loc_conf_t *conf = child; ngx_http_modsecurity_loc_conf_t *conf = child;
if(conf->config_path.len == 0)
conf->config_path = prev->config_path;
ngx_conf_merge_value(conf->enabled, prev->enabled, 0); ngx_conf_merge_value(conf->enabled, prev->enabled, 0);
if (conf->config == NULL) {
conf->config = prev->config;
}
if (conf->config_path == NULL) {
conf->config_path = prev->config_path;
}
// ngx_conf_log_error(NGX_LOG_DEBUG_HTTP, cf, 0,
// "merging loc conf: %s", conf->config_path);
return NGX_CONF_OK; return NGX_CONF_OK;
} }
void modsecLog(void *obj, int level, char *str) void
modsecLog(void *obj, int level, char *str)
{ {
if (obj != NULL) if (obj != NULL)
ngx_log_error(NGX_LOG_INFO, (ngx_log_t *)obj, 0, "%s", str); ngx_log_error(NGX_LOG_INFO, (ngx_log_t *)obj, 0, "%s", str);
} }
/* /*
** This function sets up handlers for ACCESS_PHASE, ** This function sets up handlers for PRE_ACCESS_PHASE,
*/ */
static ngx_int_t static ngx_int_t
ngx_http_modsecurity_init(ngx_conf_t *cf) ngx_http_modsecurity_init(ngx_conf_t *cf)
{ {
ngx_http_handler_pt *h; ngx_http_handler_pt *h;
ngx_http_core_main_conf_t *cmcf; ngx_http_core_main_conf_t *cmcf;
ngx_http_modsecurity_main_conf_t *main_cf;
// ngx_http_modsecurity_loc_conf_t **loc_cf;
// unsigned int i;
cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module); cmcf = (ngx_http_core_main_conf_t *) ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
main_cf = ngx_http_conf_get_module_main_conf(cf, ngx_http_modsecurity_module); if (cmcf == NULL) {
if (cmcf == NULL || return NGX_ERROR;
main_cf == NULL) }
return (NGX_ERROR);
/* Register for access phase */ /* Register for pre access phase */
//h = ngx_array_push(&cmcf->phases[NGX_HTTP_ACCESS_PHASE].handlers); h = ngx_array_push(&cmcf->phases[NGX_HTTP_PRE_ACCESS_PHASE].handlers);
h = ngx_array_push(&cmcf->phases[NGX_HTTP_REWRITE_PHASE].handlers); if (h == NULL) {
if (h == NULL) return NGX_ERROR;
return (NGX_ERROR); }
*h = ngx_http_modsecurity_access_handler; *h = ngx_http_modsecurity_handler;
return (NGX_OK); return NGX_OK;
} }
static ngx_int_t static ngx_int_t
@@ -196,11 +192,8 @@ ngx_http_modsecurity_init_process(ngx_cycle_t *cycle)
modsecSetLogHook(cycle->log, modsecLog); modsecSetLogHook(cycle->log, modsecLog);
modsecInit(); modsecInit();
modsecStartConfig(); modsecStartConfig();
modsecFinalizeConfig(); modsecFinalizeConfig();
modsecInitProcess(); modsecInitProcess();
return NGX_OK; return NGX_OK;
@@ -209,29 +202,34 @@ ngx_http_modsecurity_init_process(ngx_cycle_t *cycle)
static void static void
ngx_http_modsecurity_exit_process(ngx_cycle_t *cycle) ngx_http_modsecurity_exit_process(ngx_cycle_t *cycle)
{ {
modsecTerminate(); // we are exiting process anyway and if the request was not finished properly
// the pool cleanup function for ModSecurity might break the termination process
//
//modsecTerminate();
} }
// This is a temporary hack to make PCRE work with ModSecurity /* This is a temporary hack to make PCRE work with ModSecurity
// nginx hijacks pcre_malloc and pcre_free, so we have to re-hijack them ** nginx hijacks pcre_malloc and pcre_free, so we have to re-hijack them
// */
extern apr_pool_t *pool; extern apr_pool_t *pool;
void *modsec_pcre_malloc(size_t size) void *
modsec_pcre_malloc(size_t size)
{ {
return apr_palloc(pool, size); return apr_palloc(pool, size);
} }
void modsec_pcre_free(void *ptr) void
modsec_pcre_free(void *ptr)
{ {
} }
char *ConvertNgxStringToUTF8(ngx_str_t str, apr_pool_t *pool) char *
ConvertNgxStringToUTF8(ngx_str_t str, apr_pool_t *pool)
{ {
char *t = (char *) apr_palloc(pool, str.len + 1); char *t = (char *) apr_palloc(pool, str.len + 1);
memcpy(t, str.data, str.len); ngx_memcpy(t, str.data, str.len);
t[str.len] = 0; t[str.len] = 0;
return t; return t;
@@ -240,7 +238,6 @@ char *ConvertNgxStringToUTF8(ngx_str_t str, apr_pool_t *pool)
/* /*
** Create payload handler for calling request body function ** Create payload handler for calling request body function
*/ */
void void
ngx_http_dummy_payload_handler(ngx_http_request_t *req) ngx_http_dummy_payload_handler(ngx_http_request_t *req)
{ {
@@ -249,9 +246,10 @@ ngx_http_dummy_payload_handler(ngx_http_request_t *req)
/* /*
* XXX: needs rewrite and testing
** If method is POST or PUT, read request body and put in req->request_body->bufs ** If method is POST or PUT, read request body and put in req->request_body->bufs
*/ */
#ifdef zz
static ngx_int_t static ngx_int_t
ngx_http_read_request_body(ngx_http_request_t *req, ngx_http_read_request_body(ngx_http_request_t *req,
ngx_http_client_body_handler_pt handler) ngx_http_client_body_handler_pt handler)
@@ -259,8 +257,7 @@ ngx_http_read_request_body(ngx_http_request_t *req,
// If has body request treat it // If has body request treat it
ngx_int_t rc = 0; ngx_int_t rc = 0;
if(req->method == NGX_HTTP_POST || req->method==NGX_HTTP_PUT) if (req->method == NGX_HTTP_POST || req->method==NGX_HTTP_PUT) {
{
//calling request body function //calling request body function
rc = ngx_http_read_client_request_body(req, ngx_http_dummy_payload_handler); rc = ngx_http_read_client_request_body(req, ngx_http_dummy_payload_handler);
} }
@@ -275,92 +272,76 @@ ngx_http_read_request_body(ngx_http_request_t *req,
return NGX_DECLINED; return NGX_DECLINED;
} }
#endif
/* /*
** [ENTRY POINT] does : this is the function called by nginx : ** [ENTRY POINT] does : this function called by nginx from the request handler
*/ */
static ngx_int_t ngx_http_modsecurity_access_handler(ngx_http_request_t *req) static ngx_int_t
ngx_http_modsecurity_handler(ngx_http_request_t *req)
{ {
/* ngx_http_request_ctx_t *ctx;
ngx_int_t rc;
ngx_http_core_loc_conf_t *clcf;
struct tms tmsstart, tmsend;
clock_t start, end;
ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
if (ctx && ctx->over)
return (NGX_DECLINED);
if (ctx && ctx->wait_for_body) {
return (NGX_DONE);
}
// the module is not enabled here
//if (!cf->enabled || cf->force_disabled)
// return (NGX_DECLINED);
// don't process internal requests.
//if (r->internal) {
// return (NGX_DECLINED);
}
//nothing: return (NGX_OK);
//redirect : return (NGX_HTTP_OK);
*/
ngx_http_modsecurity_loc_conf_t *cf; ngx_http_modsecurity_loc_conf_t *cf;
conn_rec *c; ngx_http_modsecurity_ctx_t *ctx;
request_rec *r; request_rec *r;
ngx_list_part_t *part;
ngx_table_elt_t *h;
ngx_uint_t i;
int status;
conn_rec *connection;
const char *msg;
/* Process only main request */
if (req != req->main || req->internal) {
return NGX_DECLINED;
}
cf = ngx_http_get_module_loc_conf(req, ngx_http_modsecurity_module); cf = ngx_http_get_module_loc_conf(req, ngx_http_modsecurity_module);
if (!cf) {
return NGX_ERROR;
}
if (!cf) if (!cf->enabled) {
return (NGX_ERROR); return NGX_DECLINED;
}
if(!cf->enabled) /* XXX: temporary hack, nginx uses pcre as well and hijacks these two */
return (NGX_DECLINED);
// temporary hack, nginx uses pcre as well and hijacks these two
//
pcre_malloc = modsec_pcre_malloc; pcre_malloc = modsec_pcre_malloc;
pcre_free = modsec_pcre_free; pcre_free = modsec_pcre_free;
if(cf->config == NULL) ctx = ngx_http_get_module_ctx(req, ngx_http_modsecurity_module);
{ if (ctx == NULL) {
ctx = (ngx_http_modsecurity_ctx_t *) ngx_pcalloc(req->pool, sizeof(ngx_http_modsecurity_ctx_t));
if (ctx == NULL) {
ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "ModSecurity: ctx memory allocation error");
return NGX_ERROR;
}
ngx_http_set_ctx(req, ctx, ngx_http_modsecurity_module);
}
if (cf->config == NULL) {
cf->config = modsecGetDefaultConfig(); cf->config = modsecGetDefaultConfig();
if(cf->config_path.len != 0) msg = modsecProcessConfig(cf->config, cf->config_path);
{ if (msg != NULL) {
char *path = ngx_pcalloc(req->pool, cf->config_path.len+1); ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "ModSecurity: modsecProcessConfig() %s", msg);
return NGX_ERROR;
memcpy(path, cf->config_path.data, cf->config_path.len);
const char *msg = modsecProcessConfig(cf->config, path);
if(msg != NULL)
ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "%s", msg);
} }
} }
//if(r->connection->requests == 0) if (req->connection->requests == 0 || ctx->connection == NULL) {
//{ ctx->connection = modsecNewConnection();
c = modsecNewConnection(); modsecProcessConnection(ctx->connection);
}
modsecProcessConnection(c);
//}
r = modsecNewRequest(c, cf->config);
r = modsecNewRequest(ctx->connection, cf->config);
r->request_time = apr_time_now(); r->request_time = apr_time_now();
r->method = ConvertNgxStringToUTF8(req->method_name, r->pool);
r->path_info = ConvertNgxStringToUTF8(req->unparsed_uri, r->pool); r->path_info = ConvertNgxStringToUTF8(req->unparsed_uri, r->pool);
r->unparsed_uri = ConvertNgxStringToUTF8(req->unparsed_uri, r->pool); r->unparsed_uri = ConvertNgxStringToUTF8(req->unparsed_uri, r->pool);
r->uri = r->unparsed_uri; r->uri = r->unparsed_uri;
r->the_request = ConvertNgxStringToUTF8(req->request_line, r->pool); r->the_request = ConvertNgxStringToUTF8(req->request_line, r->pool);
r->args = ConvertNgxStringToUTF8(req->args, r->pool); r->args = ConvertNgxStringToUTF8(req->args, r->pool);
r->filename = r->path_info; r->filename = r->path_info;
r->parsed_uri.scheme = "http"; r->parsed_uri.scheme = "http";
@@ -375,14 +356,11 @@ static ngx_int_t ngx_http_modsecurity_access_handler(ngx_http_request_t *req)
r->parsed_uri.user = NULL; r->parsed_uri.user = NULL;
r->parsed_uri.fragment = ConvertNgxStringToUTF8(req->exten, r->pool); r->parsed_uri.fragment = ConvertNgxStringToUTF8(req->exten, r->pool);
ngx_list_part_t *part = &req->headers_in.headers.part; part = &req->headers_in.headers.part;
ngx_table_elt_t *h = part->elts; h = part->elts;
u_int i;
for(i = 0; ; i++) for (i = 0; ; i++) {
{ if (i >= part->nelts) {
if(i >= part->nelts)
{
if (part->next == NULL) if (part->next == NULL)
break; break;
@@ -397,31 +375,64 @@ static ngx_int_t ngx_http_modsecurity_access_handler(ngx_http_request_t *req)
apr_table_setn(r->subprocess_env, "UNIQUE_ID", "12345"); apr_table_setn(r->subprocess_env, "UNIQUE_ID", "12345");
ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "%s", r->uri); /*
ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "ModSecurity: %s", r->uri);
int status = modsecProcessRequest(r); */
ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "status: %d", status); /* XXX: need correct request body handler */
/*
ngx_http_read_request_body(req, ngx_http_dummy_payload_handler); ngx_http_read_request_body(req, ngx_http_dummy_payload_handler);
if(req->headers_in.content_length) if (req->headers_in.content_length) {
{
ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body: %s", req->request_body->bufs); ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body: %s", req->request_body->bufs);
} else { } else {
ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body: "); ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body: ");
} }
*/
if(status == DECLINED) status = modsecProcessRequest(r);
{
// this function would work here, but it is only internal modsecFinishRequest(r);
//ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
return (NGX_DECLINED); if (status != DECLINED) {
ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "ModSecurity: status: %d", status);
/* XXX: not implemented in standalone */
/*
ngx_http_clear_accept_ranges(req);
ngx_http_clear_last_modified(req);
ngx_http_clear_content_length(req);
// If DECLINED, finalize connection (sent FIN) and return HTTP 500
ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "Invalid Request");
ngx_http_finalize_request(req, NGX_HTTP_INTERNAL_SERVER_ERROR);
return NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_INTERNAL_SERVER_ERROR;
*/
return NGX_DECLINED;
} }
return status; return NGX_DECLINED;
}
static char *
ngx_http_modsecurity_set_config(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
ngx_http_modsecurity_loc_conf_t *ucf = conf;
ngx_str_t *value;
value = cf->args->elts;
if (cf->args->nelts == 0 || value[1].len == 0) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
"ModSecurity: config path required");
return NGX_CONF_ERROR;
}
/* not sure if we have to copy it in a buffed or use directly */
/* XXX: need to check if path is absolute or relative and exists */
ucf->config_path = (char *) ngx_pcalloc(cf->pool, value[1].len + 1);
if (ucf->config_path == NULL) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
"ModSecurity: config path memory allocation error");
return NGX_CONF_ERROR;
}
ngx_memcpy(ucf->config_path, value[1].data, value[1].len);
return NGX_CONF_OK;
} }
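Review bot: With `zzz_` undefined, the `ModSecurityConfig` command still uses `ngx_conf_set_str_slot` at `offsetof(ngx_http_modsecurity_loc_conf_t, config_path)`, but `config_path` is now a `char *`; the slot handler stores an `ngx_str_t` (len plus data pointer) at that offset, so `config_path` receives the length and the `data` pointer spills into the adjacent `config` field, after which `ngx_http_modsecurity_handler` sees `cf->config != NULL`, skips `modsecProcessConfig()` and passes that stray pointer to `modsecNewRequest()`. The `#ifdef zzz_` branch that installs `ngx_http_modsecurity_set_config` is the one matching the new field type; make it unconditional and drop the `#else` branch. Independently, when `modsecProcessConfig()` fails the handler returns `NGX_ERROR` but leaves `cf->config` pointing at the default config, so every later request on that location skips the failed load and runs without the configured rules; add `cf->config = NULL;` before that `return NGX_ERROR;` (or, better, load the rule file at configuration time so a bad path fails `nginx -t` rather than the first request). The `status != DECLINED` branch only logs and returns `NGX_DECLINED`, so a ModSecurity decision is not enforced yet — the `XXX` marks it, but the comment should say explicitly that the module currently fails open, e.g. `/* XXX: blocking not implemented in standalone — request is allowed through */`. In `ngx_http_modsecurity_set_config` the guard `cf->args->nelts == 0` cannot reject a missing argument before `value[1]` is read; `cf->args->nelts < 2` is the check that matches the read.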