From d06aec83611f631773d9dc09c7b2594b8580201d Mon Sep 17 00:00:00 2001 From: brectanus Date: Sat, 15 Dec 2007 00:51:19 +0000 Subject: [PATCH] Backport fixes for #66 to 2.1.x. See #431. --- CHANGES | 9 +++++++++ apache2/apache2_config.c | 19 +++++++++++-------- doc/modsecurity2-apache-reference.xml | 2 +- 3 files changed, 21 insertions(+), 9 deletions(-) diff --git a/CHANGES b/CHANGES index 4a1233e1..6c7a20ef 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,12 @@ +14 Dec 2007 - 2.1.5-rc1 +----------------------- + + * Stricter configuration parsing. Disruptive actions, meta actions and + phases are no longer allowed in a chained rule. + + * Fixed t:escapeSeqDecode to better follow ANSI C escapes. + + 27 Nov 2007 - 2.1.4 ------------------- diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c index 31ef0741..4ced1ec6 100644 --- a/apache2/apache2_config.c +++ b/apache2/apache2_config.c @@ -441,21 +441,18 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, const char * if (dcfg->tmp_default_actionset == NULL) return FATAL_ERROR; } - /* Merge actions with the parent. */ - rule->actionset = msre_actionset_merge(modsecurity->msre, dcfg->tmp_default_actionset, - rule->actionset, 1); - - if (dcfg->tmp_chain_starter != NULL) { - /* This rule is part of a chain. */ + /* Check some cases prior to merging so we know where it came from */ + /* Check syntax for chained rules */ + if ((rule->actionset != NULL) && (dcfg->tmp_chain_starter != NULL)) { /* Must NOT specify a disruptive action. */ - if (rule->actionset->intercept_action == NOT_SET) { + if (rule->actionset->intercept_action != NOT_SET) { return apr_psprintf(cmd->pool, "ModSecurity: Disruptive actions can only " "be specified by chain starter rules."); } /* Must NOT specify a phase. */ - if (rule->actionset->phase == NOT_SET) { + if (rule->actionset->phase != NOT_SET) { return apr_psprintf(cmd->pool, "ModSecurity: Execution phases can only be " "specified by chain starter rules."); } 
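Review bot: The new comment above the chained-rule check in add_rule (`/* Check some cases prior to merging so we know where it came from */`) does not say what would go wrong if the checks ran after the merge, which is the reason for the reordering. I would replace it with `/* Validate the rule's own actions before merging with the defaults: once merged, an inherited value cannot be told apart from one this rule set. */`. The checks that sit between this hunk and the next are not shown; they now also run against the unmerged actionset, so it is worth confirming that each of them compares against the unset value for its field. This matters for rule authors because the next hunk overwrites a chained rule's phase from the chain starter, so a phase accepted here without an error would be silently discarded. add_rule starts and ends outside the hunk.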
@@ -474,7 +471,13 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, const char * return apr_psprintf(cmd->pool, "ModSecurity: The skip action can only be used " " by chain starter rules. "); } + } + /* Merge actions with the parent. */ + rule->actionset = msre_actionset_merge(modsecurity->msre, dcfg->tmp_default_actionset, + rule->actionset, 1); + + if (dcfg->tmp_chain_starter != NULL) { rule->chain_starter = dcfg->tmp_chain_starter; rule->actionset->phase = rule->chain_starter->actionset->phase; } diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml index 32213206..7ec4dc48 100644 --- a/doc/modsecurity2-apache-reference.xml +++ b/doc/modsecurity2-apache-reference.xml @@ -3,7 +3,7 @@ ModSecurity Reference Manual - Version 2.1.4 / (November 27, 2007) + Version 2.1.5-rc1 / (December 14, 2007) 2004-2007
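Review bot: The result of `msre_actionset_merge()` is dereferenced in the chain branch (`rule->actionset->phase = ...`) without a NULL check, although the pre-merge guard added earlier in this commit (`rule->actionset != NULL`) shows that a rule can reach this point with no actionset of its own. Whether the merge can return NULL is not visible in the hunk, but the surrounding code already treats a missing default actionset as fatal, so the same handling fits here: `if (rule->actionset == NULL) return FATAL_ERROR;` directly after the merge. add_rule starts and ends outside the hunk.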