fix rsub input parsing and add maturity, ver and accuracy actions

CHANGES

@@ -70,6 +70,8 @@ XX NNN 2012 - 2.7.0-rc1
  * Added USERAGENT_IP variable. Created when Apache24 is used with mod_remoteip to know the real
    client ip address.
 
+ ^ Added new rule metadata actions ver, maturity and accuracy. Also included into RULE collection.
+
  * Fixed Variable DURATION contains the elapsed time in microseconds for compatible reasons with apache and
    other variables.
 

apache2/apache2_config.c

@@ -803,9 +803,12 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type,
             ||(rule->actionset->rev != NOT_SET_P)
             ||(rule->actionset->msg != NOT_SET_P)
             ||(rule->actionset->severity != NOT_SET)
+            ||(rule->actionset->version != NOT_SET_P)
+            ||(rule->actionset->accuracy != NOT_SET)
+            ||(rule->actionset->maturity != NOT_SET)
             ||(rule->actionset->logdata != NOT_SET_P))
         {
-            return apr_psprintf(cmd->pool, "ModSecurity: Metadata actions (id, rev, msg, tag, severity, logdata) "
+            return apr_psprintf(cmd->pool, "ModSecurity: Metadata actions (id, rev, msg, tag, severity, ver, accuracy, maturity, logdata) "
                 " can only be specified by chain starter rules.");
         }
 
@@ -1432,10 +1435,13 @@ static const char *cmd_default_action(cmd_parms *cmd, void *_dcfg,
     /* ENH: loop through to check for tags */
     if ((dcfg->tmp_default_actionset->id != NOT_SET_P)
         ||(dcfg->tmp_default_actionset->rev != NOT_SET_P)
+        ||(dcfg->tmp_default_actionset->version != NOT_SET_P)
+        ||(dcfg->tmp_default_actionset->maturity != NOT_SET)
+        ||(dcfg->tmp_default_actionset->accuracy != NOT_SET)
         ||(dcfg->tmp_default_actionset->msg != NOT_SET_P))
     {
         return apr_psprintf(cmd->pool, "ModSecurity: SecDefaultAction must not "
-            "contain any metadata actions (id, rev, msg, tag, severity, logdata).");
+            "contain any metadata actions (id, rev, msg, tag, severity, ver, accuracy, maturity, logdata).");
     }
     /* These are just a warning for now. */
     if ((dcfg->tmp_default_actionset->severity != NOT_SET)

apache2/re.c

@@ -548,6 +548,9 @@ static char *msre_actionset_generate_action_string(apr_pool_t *pool, const msre_
                     || (strcmp("nolog", action->metadata->name) == 0)
                     || (strcmp("noauditlog", action->metadata->name) == 0)
                     || (strcmp("severity", action->metadata->name) == 0)
+                    || (strcmp("ver", action->metadata->name) == 0)
+                    || (strcmp("maturity", action->metadata->name) == 0)
+                    || (strcmp("accuracy", action->metadata->name) == 0)
                     || (strcmp("tag", action->metadata->name) == 0)
                     || (strcmp("phase", action->metadata->name) == 0)) 
             {
@@ -1024,9 +1027,12 @@ msre_actionset *msre_actionset_create(msre_engine *engine, const char *text,
     actionset->id = NOT_SET_P;
     actionset->rev = NOT_SET_P;
     actionset->msg = NOT_SET_P;
+    actionset->version = NOT_SET_P;
     actionset->logdata = NOT_SET_P;
     actionset->phase = NOT_SET;
     actionset->severity = -1;
+    actionset->accuracy = -1;
+    actionset->maturity = -1;
     actionset->rule = NOT_SET_P;
     actionset->arg_max = -1;
     actionset->arg_min = -1;
@@ -1106,8 +1112,11 @@ msre_actionset *msre_actionset_merge(msre_engine *engine, msre_actionset *parent
     if (child->id != NOT_SET_P) merged->id = child->id;
     if (child->rev != NOT_SET_P) merged->rev = child->rev;
     if (child->msg != NOT_SET_P) merged->msg = child->msg;
+    if (child->version != NOT_SET_P) merged->version = child->version;
     if (child->logdata != NOT_SET_P) merged->logdata = child->logdata;
     if (child->severity != NOT_SET) merged->severity = child->severity;
+    if (child->accuracy != NOT_SET) merged->accuracy = child->accuracy;
+    if (child->maturity != NOT_SET) merged->maturity = child->maturity;
     if (child->phase != NOT_SET) merged->phase = child->phase;
     if (child->rule != NOT_SET_P) merged->rule = child->rule;
     if (child->arg_min != NOT_SET) merged->arg_min = child->arg_min;
@@ -1162,9 +1171,12 @@ void msre_actionset_set_defaults(msre_actionset *actionset) {
     if (actionset->id == NOT_SET_P) actionset->id = NULL;
     if (actionset->rev == NOT_SET_P) actionset->rev = NULL;
     if (actionset->msg == NOT_SET_P) actionset->msg = NULL;
+    if (actionset->version == NOT_SET_P) actionset->version = NULL;
     if (actionset->logdata == NOT_SET_P) actionset->logdata = NULL;
     if (actionset->phase == NOT_SET) actionset->phase = 2;
     if (actionset->severity == -1) {} /* leave at -1 */
+    if (actionset->accuracy == -1) {} /* leave at -1 */
+    if (actionset->maturity == -1) {} /* leave at -1 */
     if (actionset->rule == NOT_SET_P) actionset->rule = NULL;
     if (actionset->arg_max == NOT_SET) actionset->arg_max = -1;
     if (actionset->arg_min == NOT_SET) actionset->arg_min = -1;
@@ -1995,6 +2007,9 @@ char *msre_format_metadata(modsec_rec *msr, msre_actionset *actionset) {
     char *msg = "";
     char *logdata = "";
     char *severity = "";
+    char *accuracy = "";
+    char *maturity = "";
+    char *version = "";
     char *tags = "";
     char *fn = "";
     int k;
@@ -2050,6 +2065,18 @@ char *msre_format_metadata(modsec_rec *msr, msre_actionset *actionset) {
         severity = apr_psprintf(msr->mp, " [severity \"%s\"]",
                 msre_format_severity(actionset->severity));
     }
+    if (actionset->version != NULL) {
+        version = apr_psprintf(msr->mp, " [ver \"%s\"]",
+                log_escape(msr->mp, actionset->version));
+    }
+    if (actionset->maturity >= 0) {
+        maturity = apr_psprintf(msr->mp, " [maturity \"%d\"]",
+                actionset->maturity);
+    }
+    if (actionset->accuracy >= 0) {
+        accuracy = apr_psprintf(msr->mp, " [accuracy \"%d\"]",
+                actionset->accuracy);
+    }
 
     /* Extract rule tags from the action list. */
     tarr = apr_table_elts(actionset->actions);
@@ -2070,7 +2097,7 @@ char *msre_format_metadata(modsec_rec *msr, msre_actionset *actionset) {
         }
     }
 
-    return apr_pstrcat(msr->mp, fn, id, rev, msg, logdata, severity, tags, NULL);
+    return apr_pstrcat(msr->mp, fn, id, rev, msg, logdata, severity, version, maturity, accuracy, tags, NULL);
 }
 
 char * msre_rule_generate_unparsed(apr_pool_t *pool,  const msre_rule *rule, const char *targets,

apache2/re.h

@@ -289,6 +289,9 @@ struct msre_actionset {
     const char              *rev;
     const char              *msg;
     const char              *logdata;
+    const char              *version;
+    int                      maturity;
+    int                      accuracy;
     int                      severity;
     int                      phase;
     msre_rule               *rule;

apache2/re_actions.c

@@ -459,6 +459,33 @@ static apr_status_t msre_action_sanitizeMatchedBytes_init(msre_engine *engine,
     return 1;
 }
 
+/* accuracy */
+
+static apr_status_t msre_action_accuracy_init(msre_engine *engine,
+    msre_actionset *actionset, msre_action *action)
+{
+    actionset->accuracy = atoi(action->param);
+    return 1;
+}
+
+/* maturity */
+
+static apr_status_t msre_action_maturity_init(msre_engine *engine,
+    msre_actionset *actionset, msre_action *action)
+{
+    actionset->maturity = atoi(action->param);
+    return 1;
+}
+
+/* ver */
+
+static apr_status_t msre_action_ver_init(msre_engine *engine,
+    msre_actionset *actionset, msre_action *action)
+{
+    actionset->version = action->param;
+    return 1;
+}
+
 /* severity */
 
 static apr_status_t msre_action_severity_init(msre_engine *engine,
@@ -2285,6 +2312,45 @@ void msre_engine_register_default_actions(msre_engine *engine) {
         NULL
     );
 
+    /* accuracy */
+    msre_engine_action_register(engine,
+        "accuracy",
+        ACTION_METADATA,
+        1, 1,
+        NO_PLUS_MINUS,
+        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
+        NULL,
+        msre_action_accuracy_init,
+        NULL
+    );
+
+    /* maturity */
+    msre_engine_action_register(engine,
+        "maturity",
+        ACTION_METADATA,
+        1, 1,
+        NO_PLUS_MINUS,
+        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
+        NULL,
+        msre_action_maturity_init,
+        NULL
+    );
+
+    /* ver */
+    msre_engine_action_register(engine,
+        "ver",
+        ACTION_METADATA,
+        1, 1,
+        NO_PLUS_MINUS,
+        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
+        NULL,
+        msre_action_ver_init,
+        NULL
+    );
+
     /* severity */
     msre_engine_action_register(engine,
         "severity",

apache2/re_operators.c

@@ -401,7 +401,6 @@ static int msre_op_rsub_param_init(msre_rule *rule, char **error_msg) {
     char *reg_pattern = NULL;
     char *replace = NULL;
     char *e_pattern = NULL;
-    char *e_replace = NULL;
     char *parsed_replace = NULL;
     char *flags = NULL;
     char *data = NULL;
@@ -420,7 +419,6 @@ static int msre_op_rsub_param_init(msre_rule *rule, char **error_msg) {
     }
 
     data = apr_pstrdup(rule->ruleset->mp, line);
-
     delim = *++data;
     if (delim)
         reg_pattern = ++data;
@@ -475,15 +473,15 @@ static int msre_op_rsub_param_init(msre_rule *rule, char **error_msg) {
     }
 
     op_len = strlen(replace);
-    parsed_replace = apr_pstrdup(rule->ruleset->mp, parse_pm_content(replace, op_len, rule, error_msg));
+    parsed_replace = apr_pstrdup(rule->ruleset->mp, parse_pm_content(param_remove_escape(rule, replace, strlen(replace)),
+        op_len, rule, error_msg));
 
     if(!parsed_replace) {
         *error_msg = apr_psprintf(rule->ruleset->mp, "Error rsub operator parsing input data");
         return -1;
     }
 
-    e_replace = param_remove_escape(rule, parsed_replace, strlen(parsed_replace));
+    rule->sub_str = apr_pstrmemdup(rule->ruleset->mp, parsed_replace, strlen(parsed_replace));
-    rule->sub_str = apr_pstrmemdup(rule->ruleset->mp, e_replace, strlen(e_replace));
 
     if (flags) {
         while (*flags) {

apache2/re_variables.c

@@ -415,8 +415,20 @@ static int var_rule_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
     } else
     if ((strcasecmp(var->param, "logdata") == 0)&&(actionset->logdata != NULL)) {
         return var_simple_generate(var, vartab, mptmp, actionset->logdata);
+    } else
+    if ((strcasecmp(var->param, "ver") == 0)&&(actionset->version != NULL)) {
+        return var_simple_generate(var, vartab, mptmp, actionset->version);
+    } else
+    if ((strcasecmp(var->param, "maturity") == 0)&&(actionset->maturity != -1)) {
+        char *value = apr_psprintf(mptmp, "%d", actionset->maturity);
+        return var_simple_generate(var, vartab, mptmp, value);
+    } else
+    if ((strcasecmp(var->param, "accuracy") == 0)&&(actionset->accuracy != -1)) {
+        char *value = apr_psprintf(mptmp, "%d", actionset->accuracy);
+        return var_simple_generate(var, vartab, mptmp, value);
     }
 
+
     return 0;
 }