Backport regression suite to 2.5.

apache2/t/regression/misc/00-multipart-parser.t

@@ -0,0 +1,364 @@
+### Multipart parser tests
+
+# Final CRLF or not, we should still work
+{
+	type => "misc",
+	comment => "multipart parser (final CRLF)",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRequestBodyAccess On
+		SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny"
+		SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny"
+		SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny"
+	),
+	match_log => {
+		debug => [ qr/Adding request argument \(BODY\): name "a", value "1".*Adding request argument \(BODY\): name "b", value "2"/s, 1 ],
+		-debug => [ qr/Multipart error:/, 1 ],
+
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "multipart/form-data; boundary=---------------------------69343412719991675451336310646",
+		],
+		normalize_raw_request_data(
+			q(
+				-----------------------------69343412719991675451336310646
+				Content-Disposition: form-data; name="a"
+
+				1
+				-----------------------------69343412719991675451336310646
+				Content-Disposition: form-data; name="b"
+
+				2
+				-----------------------------69343412719991675451336310646--
+			),
+		),
+	),
+},
+{
+	type => "misc",
+	comment => "multipart parser (no final CRLF)",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRequestBodyAccess On
+		SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny"
+		SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny"
+		SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny"
+	),
+	match_log => {
+		debug => [ qr/Adding request argument \(BODY\): name "a", value "1".*Adding request argument \(BODY\): name "b", value "2"/s, 1 ],
+		-debug => [ qr/Multipart error:/, 1 ],
+
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "multipart/form-data; boundary=---------------------------69343412719991675451336310646",
+		],
+		normalize_raw_request_data(
+			q(
+				-----------------------------69343412719991675451336310646
+				Content-Disposition: form-data; name="a"
+
+				1
+				-----------------------------69343412719991675451336310646
+				Content-Disposition: form-data; name="b"
+
+				2
+				-----------------------------69343412719991675451336310646--),
+		),
+	),
+},
+
+# Should work with a boundary of "boundary"
+{
+	type => "misc",
+	comment => "multipart parser (boundary contains \"boundary\")",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRequestBodyAccess On
+		SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny"
+		SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny"
+		SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny"
+	),
+	match_log => {
+		debug => [ qr/Adding request argument \(BODY\): name "a", value "1".*Adding request argument \(BODY\): name "b", value "2"/s, 1 ],
+		-debug => [ qr/Multipart error:/, 1 ],
+
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "multipart/form-data; boundary=------------------------------------------------boundary",
+		],
+		normalize_raw_request_data(
+			q(
+				--------------------------------------------------boundary
+				Content-Disposition: form-data; name="a"
+
+				1
+				--------------------------------------------------boundary
+				Content-Disposition: form-data; name="b"
+
+				2
+				--------------------------------------------------boundary--
+			),
+		),
+	),
+},
+{
+	type => "misc",
+	comment => "multipart parser (boundary contains \"bOuNdArY\")",
+	note => q(
+		KHTML Boundary
+	),
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRequestBodyAccess On
+		SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny"
+		SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny"
+		SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny"
+	),
+	match_log => {
+		debug => [ qr/Adding request argument \(BODY\): name "a", value "1".*Adding request argument \(BODY\): name "b", value "2"/s, 1 ],
+		-debug => [ qr/Multipart error:/, 1 ],
+
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "multipart/form-data; boundary=--------0xKhTmLbOuNdArY",
+		],
+		normalize_raw_request_data(
+			q(
+				----------0xKhTmLbOuNdArY
+				Content-Disposition: form-data; name="a"
+
+				1
+				----------0xKhTmLbOuNdArY
+				Content-Disposition: form-data; name="b"
+
+				2
+				----------0xKhTmLbOuNdArY--
+			),
+		),
+	),
+},
+
+# We should handle data starting with a "--"
+{
+	type => "misc",
+	comment => "multipart parser (data contains \"--\")",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRequestBodyAccess On
+		SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny"
+		SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny"
+	),
+	match_log => {
+		debug => [ qr/Adding request argument \(BODY\): name "a", value "--test".*Adding request argument \(BODY\): name "b", value "--"/s, 1 ],
+		-debug => [ qr/Multipart error:/, 1 ],
+
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "multipart/form-data; boundary=---------------------------69343412719991675451336310646",
+		],
+		normalize_raw_request_data(
+			q(
+				-----------------------------69343412719991675451336310646
+				Content-Disposition: form-data; name="a"
+
+				--test
+				-----------------------------69343412719991675451336310646
+				Content-Disposition: form-data; name="b"
+
+				--
+				-----------------------------69343412719991675451336310646--),
+		),
+	),
+},
+
+# We should emit warnings for parsing errors
+{
+	type => "misc",
+	comment => "multipart parser error (no final boundary)",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRequestBodyAccess On
+		SecAuditLog "$ENV{AUDIT_LOG}"
+		SecAuditEngine RelevantOnly
+	),
+	match_log => {
+		audit => [ qr/Final boundary missing/, 1 ],
+		debug => [ qr/Final boundary missing/, 1 ],
+
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "multipart/form-data; boundary=---------------------------69343412719991675451336310646",
+		],
+		normalize_raw_request_data(
+			q(
+				-----------------------------69343412719991675451336310646
+				Content-Disposition: form-data; name="a"
+
+				1
+				-----------------------------69343412719991675451336310646
+				Content-Disposition: form-data; name="b"
+
+				2
+			),
+		),
+	),
+},
+{
+	type => "misc",
+	comment => "multipart parser error (no disposition)",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRequestBodyAccess On
+		SecAuditLog "$ENV{AUDIT_LOG}"
+		SecAuditEngine RelevantOnly
+	),
+	match_log => {
+		-debug => [ qr/Multipart error:/, 1 ],
+		audit => [ qr/Part missing Content-Disposition header/, 1 ],
+		debug => [ qr/Part missing Content-Disposition header/, 1 ],
+
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "multipart/form-data; boundary=---------------------------69343412719991675451336310646",
+		],
+		normalize_raw_request_data(
+			q(
+				-----------------------------69343412719991675451336310646
+
+				1
+				-----------------------------69343412719991675451336310646
+
+				2
+				-----------------------------69343412719991675451336310646--
+			),
+		),
+	),
+},
+{
+	type => "misc",
+	comment => "multipart parser error (bad disposition)",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRequestBodyAccess On
+		SecAuditLog "$ENV{AUDIT_LOG}"
+		SecAuditEngine RelevantOnly
+	),
+	match_log => {
+		audit => [ qr/Invalid Content-Disposition header/, 1 ],
+		debug => [ qr/Invalid Content-Disposition header/, 1 ],
+
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "multipart/form-data; boundary=---------------------------69343412719991675451336310646",
+		],
+		normalize_raw_request_data(
+			q(
+				-----------------------------69343412719991675451336310646
+				Content-Disposition: form-data name="a"
+
+				1
+				-----------------------------69343412719991675451336310646
+				Content-Disposition: form-data name="b"
+
+				2
+				-----------------------------69343412719991675451336310646--
+			),
+		),
+	),
+},
+{
+	type => "misc",
+	comment => "multipart parser error (no disposition name)",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecRequestBodyAccess On
+		SecAuditLog "$ENV{AUDIT_LOG}"
+		SecAuditEngine RelevantOnly
+	),
+	match_log => {
+		-debug => [ qr/Multipart error:/, 1 ],
+		audit => [ qr/Content-Disposition header missing name field/, 1 ],
+		debug => [ qr/Content-Disposition header missing name field/, 1 ],
+
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "multipart/form-data; boundary=---------------------------69343412719991675451336310646",
+		],
+		normalize_raw_request_data(
+			q(
+				-----------------------------69343412719991675451336310646
+				Content-Disposition: form-data;
+
+				1
+				-----------------------------69343412719991675451336310646
+				Content-Disposition: form-data;
+
+				2
+				-----------------------------69343412719991675451336310646--
+			),
+		),
+	),
+},

apache2/t/regression/misc/00-phases.t

@@ -0,0 +1,151 @@
+### Test the phases
+
+# Phase 1 (request headers)
+{
+	type => "misc",
+	comment => "phase 1",
+	conf => qq(
+		SecRuleEngine On
+		SecRequestBodyAccess On
+		SecResponseBodyAccess On
+		SecResponseBodyMimeType text/plain null
+		SecRule REQUEST_LINE "^POST" "phase:1,pass,log,auditlog"
+		SecRule ARGS "val1" "phase:1,pass,log,auditlog"
+		SecRule RESPONSE_HEADERS:Last-Modified "." "phase:1,pass,log,auditlog"
+		SecRule RESPONSE_BODY "TEST" "phase:1,pass,log,auditlog"
+	),
+	match_log => {
+		error => [ qr/Pattern match "\^POST" at REQUEST_LINE/, 1 ],
+		-error => [ qr/Pattern match .* (ARGS|RESPONSE)/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "application/x-www-form-urlencoded",
+		],
+		"arg1=val1&arg2=val2",
+	),
+},
+
+# Phase 2 (request body)
+{
+	type => "misc",
+	comment => "phase 2",
+	conf => qq(
+		SecRuleEngine On
+		SecRequestBodyAccess On
+		SecResponseBodyAccess On
+		SecResponseBodyMimeType text/plain null
+		SecRule REQUEST_LINE "^POST" "phase:2,pass,log,auditlog"
+		SecRule ARGS "val1" "phase:2,pass,log,auditlog"
+		SecRule RESPONSE_HEADERS:Last-Modified "." "phase:2,pass,log,auditlog"
+		SecRule RESPONSE_BODY "TEST" "phase:2,pass,log,auditlog"
+	),
+	match_log => {
+		error => [ qr/Pattern match "\^POST" at REQUEST_LINE.*Pattern match "val1" at ARGS/s, 1 ],
+		-error => [ qr/Pattern match .* RESPONSE/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "application/x-www-form-urlencoded",
+		],
+		"arg1=val1&arg2=val2",
+	),
+},
+
+# Phase 3 (response headers)
+{
+	type => "misc",
+	comment => "phase 3",
+	conf => qq(
+		SecRuleEngine On
+		SecRequestBodyAccess On
+		SecResponseBodyAccess On
+		SecResponseBodyMimeType text/plain null
+		SecRule REQUEST_LINE "^POST" "phase:3,pass,log,auditlog"
+		SecRule ARGS "val1" "phase:3,pass,log,auditlog"
+		SecRule RESPONSE_HEADERS:Last-Modified "." "phase:3,pass,log,auditlog"
+		SecRule RESPONSE_BODY "TEST" "phase:3,pass,log,auditlog"
+	),
+	match_log => {
+		error => [ qr/Pattern match "\^POST" at REQUEST_LINE.*Pattern match "val1" at ARGS.*Pattern match "\." at RESPONSE_HEADERS/s, 1 ],
+		-error => [ qr/Pattern match .* RESPONSE_BODY/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "application/x-www-form-urlencoded",
+		],
+		"arg1=val1&arg2=val2",
+	),
+},
+
+# Phase 4 (response body)
+{
+	type => "misc",
+	comment => "phase 4",
+	conf => qq(
+		SecRuleEngine On
+		SecRequestBodyAccess On
+		SecResponseBodyAccess On
+		SecResponseBodyMimeType text/plain null
+		SecDebugLog "$ENV{DEBUG_LOG}"
+		SecDebugLogLevel 9
+		SecRule REQUEST_LINE "^POST" "phase:4,pass,log,auditlog"
+		SecRule ARGS "val1" "phase:4,pass,log,auditlog"
+		SecRule RESPONSE_HEADERS:Last-Modified "." "phase:4,pass,log,auditlog"
+		SecRule RESPONSE_BODY "TEST" "phase:4,pass,log,auditlog"
+	),
+	match_log => {
+		error => [ qr/Pattern match "\^POST" at REQUEST_LINE.*Pattern match "val1" at ARGS.*Pattern match "\." at RESPONSE_HEADERS.*Pattern match "TEST" at RESPONSE_BODY/s, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "application/x-www-form-urlencoded",
+		],
+		"arg1=val1&arg2=val2",
+	),
+},
+
+# Phase 5 (logging)
+{
+	type => "misc",
+	comment => "phase 5",
+	conf => qq(
+		SecRuleEngine On
+		SecRequestBodyAccess On
+		SecResponseBodyAccess On
+		SecResponseBodyMimeType text/plain null
+		SecRule REQUEST_LINE "^POST" "phase:5,pass,log,auditlog"
+		SecRule ARGS "val1" "phase:5,pass,log,auditlog"
+		SecRule RESPONSE_HEADERS:Last-Modified "." "phase:5,pass,log,auditlog"
+		SecRule RESPONSE_BODY "TEST" "phase:5,pass,log,auditlog"
+	),
+	match_log => {
+		error => [ qr/Pattern match "\^POST" at REQUEST_LINE.*Pattern match "val1" at ARGS.*Pattern match "\." at RESPONSE_HEADERS.*Pattern match "TEST" at RESPONSE_BODY/s, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "application/x-www-form-urlencoded",
+		],
+		"arg1=val1&arg2=val2",
+	),
+},