Added new directive (SecPdfProtectMethod) to enable the user to choose between using token redirection (falling back on forced download in some cases) and forced download (in all cases).

ivanr
2007-06-14 15:26:08 +00:00
committed by Felipe Zimmerle
parent 9543e136ce
commit b1cbccdc6b
2 changed files with 67 additions and 1 deletions


@@ -17,6 +17,7 @@
#include "modsecurity.h" #include "modsecurity.h"
#include "msc_logging.h" #include "msc_logging.h"
#include "msc_util.h" #include "msc_util.h"
#include "pdf_protect.h"
#include "http_log.h" #include "http_log.h"
#include "apr_lib.h" #include "apr_lib.h"
#include "acmp.h" #include "acmp.h"
@@ -112,6 +113,14 @@ void *create_directory_config(apr_pool_t *mp, char *path)
dcfg->stream_inbody_inspection = NOT_SET; dcfg->stream_inbody_inspection = NOT_SET;
dcfg->stream_outbody_inspection = NOT_SET; dcfg->stream_outbody_inspection = NOT_SET;
/* PDF XSS protection. */
dcfg->pdfp_enabled = NOT_SET;
dcfg->pdfp_secret = NOT_SET_P;
dcfg->pdfp_timeout = NOT_SET;
dcfg->pdfp_token_name = NOT_SET_P;
dcfg->pdfp_only_get = NOT_SET;
dcfg->pdfp_method = NOT_SET;
/* Geo Lookups */ /* Geo Lookups */
dcfg->geo = NOT_SET_P; dcfg->geo = NOT_SET_P;
@@ -523,6 +532,20 @@ void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child)
merged->stream_outbody_inspection = (child->stream_outbody_inspection == NOT_SET merged->stream_outbody_inspection = (child->stream_outbody_inspection == NOT_SET
? parent->stream_outbody_inspection : child->stream_outbody_inspection); ? parent->stream_outbody_inspection : child->stream_outbody_inspection);
/* PDF XSS protection. */
merged->pdfp_enabled = (child->pdfp_enabled == NOT_SET
? parent->pdfp_enabled : child->pdfp_enabled);
merged->pdfp_secret = (child->pdfp_secret == NOT_SET_P
? parent->pdfp_secret : child->pdfp_secret);
merged->pdfp_timeout = (child->pdfp_timeout == NOT_SET
? parent->pdfp_timeout : child->pdfp_timeout);
merged->pdfp_token_name = (child->pdfp_token_name == NOT_SET_P
? parent->pdfp_token_name : child->pdfp_token_name);
merged->pdfp_only_get = (child->pdfp_only_get == NOT_SET
? parent->pdfp_only_get : child->pdfp_only_get);
merged->pdfp_method = (child->pdfp_method == NOT_SET
? parent->pdfp_method : child->pdfp_method);
/* Geo Lookup */ /* Geo Lookup */
merged->geo = (child->geo == NOT_SET_P merged->geo = (child->geo == NOT_SET_P
? parent->geo : child->geo); ? parent->geo : child->geo);
@@ -678,6 +701,14 @@ void init_directory_config(directory_config *dcfg)
if (dcfg->stream_inbody_inspection == NOT_SET) dcfg->stream_inbody_inspection = 0; if (dcfg->stream_inbody_inspection == NOT_SET) dcfg->stream_inbody_inspection = 0;
if (dcfg->stream_outbody_inspection == NOT_SET) dcfg->stream_outbody_inspection = 0; if (dcfg->stream_outbody_inspection == NOT_SET) dcfg->stream_outbody_inspection = 0;
/* PDF XSS protection. */
if (dcfg->pdfp_enabled == NOT_SET) dcfg->pdfp_enabled = 0;
if (dcfg->pdfp_secret == NOT_SET_P) dcfg->pdfp_secret = NULL;
if (dcfg->pdfp_timeout == NOT_SET) dcfg->pdfp_timeout = 10;
if (dcfg->pdfp_token_name == NOT_SET_P) dcfg->pdfp_token_name = "PDFPTOKEN";
if (dcfg->pdfp_only_get == NOT_SET) dcfg->pdfp_only_get = 1;
if (dcfg->pdfp_method == NOT_SET) dcfg->pdfp_method = PDF_PROTECT_METHOD_TOKEN_REDIRECTION;
/* Geo Lookup */ /* Geo Lookup */
if (dcfg->geo == NOT_SET_P) dcfg->geo = NULL; if (dcfg->geo == NOT_SET_P) dcfg->geo = NULL;
@@ -2812,7 +2843,6 @@ static const char *cmd_cache_transformations(cmd_parms *cmd, void *_dcfg,
if (intval < 0) { if (intval < 0) {
return apr_psprintf(cmd->pool, "ModSecurity: SecCacheTransformations maxlen must be positive: %s", charval); return apr_psprintf(cmd->pool, "ModSecurity: SecCacheTransformations maxlen must be positive: %s", charval);
} }
/* The NOT_SET indicator is -1, a signed long, and therfore /* The NOT_SET indicator is -1, a signed long, and therfore
* we cannot be >= the unsigned value of NOT_SET. * we cannot be >= the unsigned value of NOT_SET.
*/ */
@@ -2844,6 +2874,26 @@ static const char *cmd_cache_transformations(cmd_parms *cmd, void *_dcfg,
} }
static const char *cmd_pdf_protect_method(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
directory_config *dcfg = (directory_config *)_dcfg;
if (dcfg == NULL) return NULL;
if (strcasecmp(p1, "TokenRedirection") == 0) {
dcfg->pdfp_method = PDF_PROTECT_METHOD_TOKEN_REDIRECTION;
} else
if (strcasecmp(p1, "ForcedDownload") == 0) {
dcfg->pdfp_method = PDF_PROTECT_METHOD_FORCED_DOWNLOAD;
} else {
return (const char *)apr_psprintf(cmd->pool,
"ModSecurity: Unrecognised parameter value for SecPdfProtectMethod: %s", p1);
}
return NULL;
}
/* -- Configuration directives definitions -- */ /* -- Configuration directives definitions -- */
#define CMD_SCOPE_MAIN (RSRC_CONF) #define CMD_SCOPE_MAIN (RSRC_CONF)
@@ -3520,6 +3570,14 @@ const command_rec module_directives[] = {
"Set Hash key" "Set Hash key"
), ),
AP_INIT_TAKE1 (
"SecPdfProtectMethod",
cmd_pdf_protect_method,
NULL,
RSRC_CONF,
"protection method to use. Can be 'TokenRedirection' (default) or 'ForcedDownload'"
),
AP_INIT_TAKE1 ( AP_INIT_TAKE1 (
"SecHashParam", "SecHashParam",
cmd_hash_param, cmd_hash_param,
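Review bot: In `cmd_pdf_protect_method`, the guard `if (dcfg == NULL) return NULL;` reports success to Apache without storing anything, so a configured `ForcedDownload` would be dropped silently and `init_directory_config` would later apply the `PDF_PROTECT_METHOD_TOKEN_REDIRECTION` default instead. Returning an error string there, for example `if (dcfg == NULL) return "ModSecurity: SecPdfProtectMethod: no directory configuration";`, would surface the problem at configuration load; if the other handlers in this file deliberately return NULL in that case (not visible in these hunks), keep the convention but note it in a comment. The new table entry also passes a bare `RSRC_CONF` although `CMD_SCOPE_MAIN` is defined as `(RSRC_CONF)` just above the directive table, so `CMD_SCOPE_MAIN,` would read more consistently. The handler has no header comment; one line saying that the value is matched case-insensitively via `strcasecmp` and that any other value is rejected as a configuration error would be enough.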


@@ -547,6 +547,14 @@ struct directory_config {
int stream_inbody_inspection; int stream_inbody_inspection;
int stream_outbody_inspection; int stream_outbody_inspection;
/* PDF XSS Protection. */
int pdfp_enabled;
const char *pdfp_secret;
int pdfp_timeout;
const char *pdfp_token_name;
int pdfp_only_get;
int pdfp_method;
/* Geo Lookup */ /* Geo Lookup */
geo_db *geo; geo_db *geo;
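Review bot: The new `pdfp_*` members have no per-field comments, and two of them are not self-explanatory: `pdfp_timeout` carries no unit and `pdfp_method` is a bare `int`. I would add `/* one of PDF_PROTECT_METHOD_*, or NOT_SET until init_directory_config runs */` to `pdfp_method` and state the unit on `pdfp_timeout` (the other file sets a default of 10 but does not say what it counts). `pdfp_secret` presumably keys the redirection token, so a short comment that its value must not be written to logs or error messages would also be worth having. The struct definition starts and ends outside this hunk.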