github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 05:45:59 +03:00
Code Issues Packages Projects Releases Wiki Activity

Parse fix: accepting variables in between quotes

Browse Source
This commit is contained in:
Felipe Zimmerle 2017-03-29 19:56:19 -03:00
parent c7053e572f
commit b3c8e97ff7
No known key found for this signature in database
GPG Key ID: E6DFB08CE8B11277
5 changed files with 4432 additions and 4327 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2477
src/parser/seclang-parser.cc
View File

File diff suppressed because it is too large Load Diff

39
src/parser/seclang-parser.hh
View File

@ -770,7 +770,7 @@ namespace yy {
// "OPERATOR_RBL"
// "OPERATOR_RSUB"
// "OPERATOR_RX"
// "Operator Rx"
// "Operator RX (content only)"
// "OPERATOR_STR_EQ"
// "OPERATOR_STR_MATCH"
// "OPERATOR_UNCONDITIONAL_MATCH"
@ -815,6 +815,7 @@ namespace yy {
char dummy4[sizeof(std::unique_ptr<actions::Action>)];
// variables
// variables_may_be_quoted
char dummy5[sizeof(std::unique_ptr<std::vector<std::unique_ptr<Variable> > > )];
// actions
@ -2583,9 +2584,9 @@ namespace yy {
enum
{
yyeof_ = 0,
yylast_ = 764, ///< Last index in yytable_.
yynnts_ = 12, ///< Number of nonterminal symbols.
yyfinal_ = 260, ///< Termination state number.
yylast_ = 898, ///< Last index in yytable_.
yynnts_ = 13, ///< Number of nonterminal symbols.
yyfinal_ = 262, ///< Termination state number.
yyterror_ = 1,
yyerrcode_ = 256,
yyntokens_ = 286 ///< Number of tokens.
@ -2855,7 +2856,7 @@ namespace yy {
case 251: // "OPERATOR_RBL"
case 252: // "OPERATOR_RSUB"
case 253: // "OPERATOR_RX"
case 254: // "Operator Rx"
case 254: // "Operator RX (content only)"
case 255: // "OPERATOR_STR_EQ"
case 256: // "OPERATOR_STR_MATCH"
case 257: // "OPERATOR_UNCONDITIONAL_MATCH"
@ -2895,15 +2896,16 @@ namespace yy {
value.copy< std::unique_ptr<Operator> > (other.value);
break;
case 296: // var
case 297: // var
value.copy< std::unique_ptr<Variable> > (other.value);
break;
case 297: // act
case 298: // act
value.copy< std::unique_ptr<actions::Action> > (other.value);
break;
case 295: // variables
case 296: // variables_may_be_quoted
value.copy< std::unique_ptr<std::vector<std::unique_ptr<Variable> > > > (other.value);
break;
@ -3090,7 +3092,7 @@ namespace yy {
case 251: // "OPERATOR_RBL"
case 252: // "OPERATOR_RSUB"
case 253: // "OPERATOR_RX"
case 254: // "Operator Rx"
case 254: // "Operator RX (content only)"
case 255: // "OPERATOR_STR_EQ"
case 256: // "OPERATOR_STR_MATCH"
case 257: // "OPERATOR_UNCONDITIONAL_MATCH"
@ -3130,15 +3132,16 @@ namespace yy {
value.copy< std::unique_ptr<Operator> > (v);
break;
case 296: // var
case 297: // var
value.copy< std::unique_ptr<Variable> > (v);
break;
case 297: // act
case 298: // act
value.copy< std::unique_ptr<actions::Action> > (v);
break;
case 295: // variables
case 296: // variables_may_be_quoted
value.copy< std::unique_ptr<std::vector<std::unique_ptr<Variable> > > > (v);
break;
@ -3391,7 +3394,7 @@ namespace yy {
case 251: // "OPERATOR_RBL"
case 252: // "OPERATOR_RSUB"
case 253: // "OPERATOR_RX"
case 254: // "Operator Rx"
case 254: // "Operator RX (content only)"
case 255: // "OPERATOR_STR_EQ"
case 256: // "OPERATOR_STR_MATCH"
case 257: // "OPERATOR_UNCONDITIONAL_MATCH"
@ -3431,15 +3434,16 @@ namespace yy {
value.template destroy< std::unique_ptr<Operator> > ();
break;
case 296: // var
case 297: // var
value.template destroy< std::unique_ptr<Variable> > ();
break;
case 297: // act
case 298: // act
value.template destroy< std::unique_ptr<actions::Action> > ();
break;
case 295: // variables
case 296: // variables_may_be_quoted
value.template destroy< std::unique_ptr<std::vector<std::unique_ptr<Variable> > > > ();
break;
@ -3632,7 +3636,7 @@ namespace yy {
case 251: // "OPERATOR_RBL"
case 252: // "OPERATOR_RSUB"
case 253: // "OPERATOR_RX"
case 254: // "Operator Rx"
case 254: // "Operator RX (content only)"
case 255: // "OPERATOR_STR_EQ"
case 256: // "OPERATOR_STR_MATCH"
case 257: // "OPERATOR_UNCONDITIONAL_MATCH"
@ -3672,15 +3676,16 @@ namespace yy {
value.move< std::unique_ptr<Operator> > (s.value);
break;
case 296: // var
case 297: // var
value.move< std::unique_ptr<Variable> > (s.value);
break;
case 297: // act
case 298: // act
value.move< std::unique_ptr<actions::Action> > (s.value);
break;
case 295: // variables
case 296: // variables_may_be_quoted
value.move< std::unique_ptr<std::vector<std::unique_ptr<Variable> > > > (s.value);
break;
@ -5484,7 +5489,7 @@ namespace yy {
} // yy
#line 5488 "seclang-parser.hh" // lalr1.cc:377
#line 5493 "seclang-parser.hh" // lalr1.cc:377

20
src/parser/seclang-parser.yy
View File

@ -603,7 +603,7 @@ using modsecurity::operators::Operator;
OPERATOR_RBL "OPERATOR_RBL"
OPERATOR_RSUB "OPERATOR_RSUB"
OPERATOR_RX "OPERATOR_RX"
OPERATOR_RX_CONTENT_ONLY "Operator Rx"
OPERATOR_RX_CONTENT_ONLY "Operator RX (content only)"
OPERATOR_STR_EQ "OPERATOR_STR_EQ"
OPERATOR_STR_MATCH "OPERATOR_STR_MATCH"
OPERATOR_UNCONDITIONAL_MATCH "OPERATOR_UNCONDITIONAL_MATCH"
@ -649,6 +649,7 @@ using modsecurity::operators::Operator;
op
;
%type <std::unique_ptr<std::vector<std::unique_ptr<Variable> > > > variables_may_be_quoted
%type <std::unique_ptr<std::vector<std::unique_ptr<Variable> > > > variables
%type <std::unique_ptr<Variable>> var
@ -1297,18 +1298,29 @@ expression:
;
variables:
variables PIPE var
variables_may_be_quoted
{
$$ = std::move($1);
}
| QUOTATION_MARK variables_may_be_quoted QUOTATION_MARK
{
$$ = std::move($2);
}
;
variables_may_be_quoted:
variables_may_be_quoted PIPE var
{
$1->push_back(std::move($3));
$$ = std::move($1);
}
| variables PIPE VAR_EXCLUSION var
| variables_may_be_quoted PIPE VAR_EXCLUSION var
{
std::unique_ptr<Variable> c(new VariableModificatorExclusion(std::move($4)));
$1->push_back(std::move(c));
$$ = std::move($1);
}
| variables PIPE VAR_COUNT var
| variables_may_be_quoted PIPE VAR_COUNT var
{
std::unique_ptr<Variable> c(new VariableModificatorCount(std::move($4)));
$1->push_back(std::move(c));

6217
src/parser/seclang-scanner.cc
View File

File diff suppressed because it is too large Load Diff

6
src/parser/seclang-scanner.ll
View File

@ -309,8 +309,8 @@ CONGIG_DIR_SEC_COOKIE_FORMAT (?i:SecCookieFormat)
CONGIG_DIR_SEC_DATA_DIR (?i:SecDataDir)
CONGIG_DIR_SEC_STATUS_ENGINE (?i:SecStatusEngine)
CONGIG_DIR_SEC_TMP_DIR (?i:SecTmpDir)
DICT_ELEMENT [^ \t|]+
DICT_ELEMENT_WITH_PIPE [^ \t]+
DICT_ELEMENT ([^\"| \t]|([^\\]\\\"))+
DICT_ELEMENT_WITH_PIPE [^ \t"]+
DICT_ELEMENT_TWO [^\"\=]+
@ -757,6 +757,7 @@ EQUALS_MINUS (?i:=\-)
{VAR_EXCLUSION} { return p::make_VAR_EXCLUSION(*driver.loc.back()); }
{VAR_COUNT} { return p::make_VAR_COUNT(*driver.loc.back()); }
["] { return p::make_QUOTATION_MARK(yytext, *driver.loc.back()); }
}
@ -766,6 +767,7 @@ EQUALS_MINUS (?i:=\-)
['][\/]{DICT_ELEMENT_WITH_PIPE}[\/]['] { BEGIN(EXPECTING_VARIABLE); return p::make_DICT_ELEMENT_REGEXP(std::string(yytext, 2, yyleng-4), *driver.loc.back()); }
{DICT_ELEMENT} { BEGIN(EXPECTING_VARIABLE); return p::make_DICT_ELEMENT(yytext, *driver.loc.back()); }
. { BEGIN(LEXING_ERROR_ACTION); yyless(0); }
["] { return p::make_QUOTATION_MARK(yytext, *driver.loc.back()); }
}
<EXPECTING_VARIABLE,TRANSACTION_FROM_VARIABLE_TO_OPERATOR>{