Merge 2.5.9 changes into trunk.

apache2/acmp.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/acmp.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/apache2.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/apache2_config.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/apache2_io.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/apache2_util.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/build/find_apr.m4

@@ -17,41 +17,56 @@ AC_DEFUN([CHECK_APR],
 
 AC_ARG_WITH(
     apr,
-    [AC_HELP_STRING([--with-apr=PATH],[Path to the apr prefix])],
+    [AC_HELP_STRING([--with-apr=PATH],[Path to apr prefix or config script])],
-    apr_path="$withval",
+    apr_path="${withval}",
     :)
 
-dnl # Determine apr lib directory
+AC_MSG_CHECKING([for libapr config script])
-if test -z "${apr_path}"; then
+
-    test_paths="/usr/local/apr /usr/local /usr"
+dnl # Determine if the script was specified and use it directly
-else
+if test ! -d "${withval}" -a -e "${withval}"; then
-    test_paths="${apr_path}"
+    APR_CONFIG="`basename $withval`"
+    with_apr=`echo ${withval} | sed "s/\/\?${APR_CONFIG}\$//"`
 fi
 
-AC_MSG_CHECKING([for libapr config script])
+dnl # Look for the config script
-for x in ${test_paths}; do
+if test -z "${with_apr}"; then
-    for APR_CONFIG in apr-1-config apr-config; do
+    dnl # Determine apr lib directory
-        if test -e "${x}/bin/${APR_CONFIG}"; then
+    if test -z "${apr_path}"; then
-            with_apr="${x}/bin"
+        test_paths="/usr/local/apr /usr/local /usr"
+    else
+        test_paths="${apr_path}"
+    fi
+
+    for x in ${test_paths}; do
+        for APR_CONFIG in apr-1-mt-config apr-1-config apr-mt-config apr-config; do
+            if test -e "${x}/bin/${APR_CONFIG}"; then
+                with_apr="${x}/bin"
+                break
+            elif test -e "${x}/${APR_CONFIG}"; then
+                with_apr="${x}"
+                break
+            else
+                with_apr=""
+            fi
+        done
+        if test -n "$with_apr"; then
             break
-        elif test -e "${x}/${APR_CONFIG}"; then
-            with_apr="${x}"
-            break
-        else
-            with_apr=""
         fi
     done
-    if test -n "$with_apr"; then
+fi
-        break
+
-    fi
-done
 if test -n "${with_apr}"; then
     APR_CONFIG="${with_apr}/${APR_CONFIG}"
     AC_MSG_RESULT([${APR_CONFIG}])
     APR_CFLAGS="`${APR_CONFIG} --includes --cppflags --cflags`"
+    if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apr CFLAGS: $APR_CFLAGS); fi
     APR_LDFLAGS="`${APR_CONFIG} --ldflags`"
+    if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apr LDFLAGS: $APR_LDFLAGS); fi
     APR_LIBS="`${APR_CONFIG} --libs`"
+    if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apr LIBS: $APR_LIBS); fi
     APR_LINK_LD="`${APR_CONFIG} --link-ld`"
+    if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apr LINK_LD: $APR_LINK_LD); fi
     CFLAGS=$save_CFLAGS
     LDFLAGS=$save_LDFLAGS
 else
@@ -64,10 +79,10 @@ AC_SUBST(APR_LDFLAGS)
 AC_SUBST(APR_LINK_LD)
 
 if test -z "${APR_LIBS}"; then
-  AC_MSG_NOTICE([*** apr library not found.])
+    AC_MSG_NOTICE([*** apr library not found.])
-  ifelse([$2], , AC_MSG_ERROR([apr library is required]), $2)
+    ifelse([$2], , AC_MSG_ERROR([apr library is required]), $2)
 else
-  AC_MSG_NOTICE([using '${APR_LIBS}' for apr Library])
+    AC_MSG_NOTICE([using '${APR_LIBS}' for apr Library])
-  ifelse([$1], , , $1) 
+    ifelse([$1], , , $1) 
 fi 
 ])

apache2/build/find_apu.m4

@@ -17,41 +17,56 @@ AC_DEFUN([CHECK_APU],
 
 AC_ARG_WITH(
     apu,
-    [AC_HELP_STRING([--with-apu=PATH],[Path to the apu prefix])],
+    [AC_HELP_STRING([--with-apu=PATH],[Path to apu prefix or config script])],
     apu_path="$withval",
     :)
 
-dnl # Determine apu lib directory
+AC_MSG_CHECKING([for libapr-util config script])
-if test -z "${apu_path}"; then
+
-    test_paths="/usr/local/apr /usr/local /usr"
+dnl # Determine if the script was specified and use it directly
-else
+if test ! -d "${withval}" -a -e "${withval}"; then
-    test_paths="${apu_path}"
+    APU_CONFIG="`basename $withval`"
+    with_apu=`echo ${withval} | sed "s/\/\?${APU_CONFIG}\$//"`
 fi
 
-AC_MSG_CHECKING([for libapr-util config script])
+dnl # Look for the config script
-for x in ${test_paths}; do
+if test -z "${with_apu}"; then
-    for APU_CONFIG in apu-1-config apu-config; do
+    dnl # Determine apu lib directory
-        if test -e "${x}/bin/${APU_CONFIG}"; then
+    if test -z "${apu_path}"; then
-            with_apu="${x}/bin"
+        test_paths="/usr/local/apr-util /usr/local/apu /usr/local/apr /usr/local /usr"
+    else
+        test_paths="${apu_path}"
+    fi
+
+    for x in ${test_paths}; do
+        for APU_CONFIG in apu-1-mt-config apu-1-config apu-mt-config apu-config; do
+            if test -e "${x}/bin/${APU_CONFIG}"; then
+                with_apu="${x}/bin"
+                break
+            elif test -e "${x}/${APU_CONFIG}"; then
+                with_apu="${x}"
+                break
+            else
+                with_apu=""
+            fi
+        done
+        if test -n "$with_apu"; then
             break
-        elif test -e "${x}/${APU_CONFIG}"; then
-            with_apu="${x}"
-            break
-        else
-            with_apu=""
         fi
     done
-    if test -n "$with_apu"; then
+fi
-        break
+
-    fi
-done
 if test -n "${with_apu}"; then
     APU_CONFIG="${with_apu}/${APU_CONFIG}"
     AC_MSG_RESULT([${APU_CONFIG}])
     APU_CFLAGS="`${APU_CONFIG} --includes`"
+    if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu CFLAGS: $APU_CFLAGS); fi
     APU_LDFLAGS="`${APU_CONFIG} --ldflags`"
+    if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDFLAGS: $APU_LDFLAGS); fi
     APU_LIBS="`${APU_CONFIG} --libs`"
+    if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LIBS: $APU_LIBS); fi
     APU_LINK_LD="`${APU_CONFIG} --link-ld`"
+    if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LINK_LD: $APU_LINK_LD); fi
     CFLAGS=$save_CFLAGS
     LDFLAGS=$save_LDFLAGS
 else

apache2/configure

@@ -1315,8 +1315,8 @@ Optional Packages:
                           will be used as a base for pcre, apr and apu config
                           scripts.
   --with-pcre=PATH        Path to the pcre prefix
-  --with-apr=PATH         Path to the apr prefix
+  --with-apr=PATH         Path to apr prefix or config script
-  --with-apu=PATH         Path to the apu prefix
+  --with-apu=PATH         Path to apu prefix or config script
   --with-libxml=PATH      Path to the libxml2 prefix
   --with-lua=PATH         Path to the lua prefix
   --with-curl=PATH        Path to the curl prefix
@@ -5463,44 +5463,61 @@ fi
 
 # Check whether --with-apr was given.
 if test "${with_apr+set}" = set; then
-  withval=$with_apr; apr_path="$withval"
+  withval=$with_apr; apr_path="${withval}"
 else
   :
 fi
 
 
-if test -z "${apr_path}"; then
-    test_paths="/usr/local/apr /usr/local /usr"
-else
-    test_paths="${apr_path}"
-fi
-
 { echo "$as_me:$LINENO: checking for libapr config script" >&5
 echo $ECHO_N "checking for libapr config script... $ECHO_C" >&6; }
-for x in ${test_paths}; do
+
-    for APR_CONFIG in apr-1-config apr-config; do
+if test ! -d "${withval}" -a -e "${withval}"; then
-        if test -e "${x}/bin/${APR_CONFIG}"; then
+    APR_CONFIG="`basename $withval`"
-            with_apr="${x}/bin"
+    with_apr=`echo ${withval} | sed "s/\/\?${APR_CONFIG}\$//"`
+fi
+
+if test -z "${with_apr}"; then
+        if test -z "${apr_path}"; then
+        test_paths="/usr/local/apr /usr/local /usr"
+    else
+        test_paths="${apr_path}"
+    fi
+
+    for x in ${test_paths}; do
+        for APR_CONFIG in apr-1-mt-config apr-1-config apr-mt-config apr-config; do
+            if test -e "${x}/bin/${APR_CONFIG}"; then
+                with_apr="${x}/bin"
+                break
+            elif test -e "${x}/${APR_CONFIG}"; then
+                with_apr="${x}"
+                break
+            else
+                with_apr=""
+            fi
+        done
+        if test -n "$with_apr"; then
             break
-        elif test -e "${x}/${APR_CONFIG}"; then
-            with_apr="${x}"
-            break
-        else
-            with_apr=""
         fi
     done
-    if test -n "$with_apr"; then
+fi
-        break
+
-    fi
-done
 if test -n "${with_apr}"; then
     APR_CONFIG="${with_apr}/${APR_CONFIG}"
     { echo "$as_me:$LINENO: result: ${APR_CONFIG}" >&5
 echo "${ECHO_T}${APR_CONFIG}" >&6; }
     APR_CFLAGS="`${APR_CONFIG} --includes --cppflags --cflags`"
+    if test "$verbose_output" -eq 1; then { echo "$as_me:$LINENO: apr CFLAGS: $APR_CFLAGS" >&5
+echo "$as_me: apr CFLAGS: $APR_CFLAGS" >&6;}; fi
     APR_LDFLAGS="`${APR_CONFIG} --ldflags`"
+    if test "$verbose_output" -eq 1; then { echo "$as_me:$LINENO: apr LDFLAGS: $APR_LDFLAGS" >&5
+echo "$as_me: apr LDFLAGS: $APR_LDFLAGS" >&6;}; fi
     APR_LIBS="`${APR_CONFIG} --libs`"
+    if test "$verbose_output" -eq 1; then { echo "$as_me:$LINENO: apr LIBS: $APR_LIBS" >&5
+echo "$as_me: apr LIBS: $APR_LIBS" >&6;}; fi
     APR_LINK_LD="`${APR_CONFIG} --link-ld`"
+    if test "$verbose_output" -eq 1; then { echo "$as_me:$LINENO: apr LINK_LD: $APR_LINK_LD" >&5
+echo "$as_me: apr LINK_LD: $APR_LINK_LD" >&6;}; fi
     CFLAGS=$save_CFLAGS
     LDFLAGS=$save_LDFLAGS
 else
@@ -5514,13 +5531,13 @@ fi
 
 
 if test -z "${APR_LIBS}"; then
-  { echo "$as_me:$LINENO: *** apr library not found." >&5
+    { echo "$as_me:$LINENO: *** apr library not found." >&5
 echo "$as_me: *** apr library not found." >&6;}
-  { { echo "$as_me:$LINENO: error: apr library is required" >&5
+    { { echo "$as_me:$LINENO: error: apr library is required" >&5
 echo "$as_me: error: apr library is required" >&2;}
    { (exit 1); exit 1; }; }
 else
-  { echo "$as_me:$LINENO: using '${APR_LIBS}' for apr Library" >&5
+    { echo "$as_me:$LINENO: using '${APR_LIBS}' for apr Library" >&5
 echo "$as_me: using '${APR_LIBS}' for apr Library" >&6;}
 
 fi
@@ -5535,38 +5552,55 @@ else
 fi
 
 
-if test -z "${apu_path}"; then
-    test_paths="/usr/local/apr /usr/local /usr"
-else
-    test_paths="${apu_path}"
-fi
-
 { echo "$as_me:$LINENO: checking for libapr-util config script" >&5
 echo $ECHO_N "checking for libapr-util config script... $ECHO_C" >&6; }
-for x in ${test_paths}; do
+
-    for APU_CONFIG in apu-1-config apu-config; do
+if test ! -d "${withval}" -a -e "${withval}"; then
-        if test -e "${x}/bin/${APU_CONFIG}"; then
+    APU_CONFIG="`basename $withval`"
-            with_apu="${x}/bin"
+    with_apu=`echo ${withval} | sed "s/\/\?${APU_CONFIG}\$//"`
+fi
+
+if test -z "${with_apu}"; then
+        if test -z "${apu_path}"; then
+        test_paths="/usr/local/apr-util /usr/local/apu /usr/local/apr /usr/local /usr"
+    else
+        test_paths="${apu_path}"
+    fi
+
+    for x in ${test_paths}; do
+        for APU_CONFIG in apu-1-mt-config apu-1-config apu-mt-config apu-config; do
+            if test -e "${x}/bin/${APU_CONFIG}"; then
+                with_apu="${x}/bin"
+                break
+            elif test -e "${x}/${APU_CONFIG}"; then
+                with_apu="${x}"
+                break
+            else
+                with_apu=""
+            fi
+        done
+        if test -n "$with_apu"; then
             break
-        elif test -e "${x}/${APU_CONFIG}"; then
-            with_apu="${x}"
-            break
-        else
-            with_apu=""
         fi
     done
-    if test -n "$with_apu"; then
+fi
-        break
+
-    fi
-done
 if test -n "${with_apu}"; then
     APU_CONFIG="${with_apu}/${APU_CONFIG}"
     { echo "$as_me:$LINENO: result: ${APU_CONFIG}" >&5
 echo "${ECHO_T}${APU_CONFIG}" >&6; }
     APU_CFLAGS="`${APU_CONFIG} --includes`"
+    if test "$verbose_output" -eq 1; then { echo "$as_me:$LINENO: apu CFLAGS: $APU_CFLAGS" >&5
+echo "$as_me: apu CFLAGS: $APU_CFLAGS" >&6;}; fi
     APU_LDFLAGS="`${APU_CONFIG} --ldflags`"
+    if test "$verbose_output" -eq 1; then { echo "$as_me:$LINENO: apu LDFLAGS: $APU_LDFLAGS" >&5
+echo "$as_me: apu LDFLAGS: $APU_LDFLAGS" >&6;}; fi
     APU_LIBS="`${APU_CONFIG} --libs`"
+    if test "$verbose_output" -eq 1; then { echo "$as_me:$LINENO: apu LIBS: $APU_LIBS" >&5
+echo "$as_me: apu LIBS: $APU_LIBS" >&6;}; fi
     APU_LINK_LD="`${APU_CONFIG} --link-ld`"
+    if test "$verbose_output" -eq 1; then { echo "$as_me:$LINENO: apu LINK_LD: $APU_LINK_LD" >&5
+echo "$as_me: apu LINK_LD: $APU_LINK_LD" >&6;}; fi
     CFLAGS=$save_CFLAGS
     LDFLAGS=$save_LDFLAGS
 else

apache2/mlogc-src/mlogc-batch-load.pl.in

@@ -1,7 +1,7 @@
 #!@PERL@
 #
 # ModSecurity for Apache 2.x, http://www.modsecurity.org/
-# Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+# Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
 #
 # This product is released under the terms of the General Public Licence,
 # version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/mod_security2.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/modsecurity.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this
@@ -569,10 +569,7 @@ apr_status_t modsecurity_process_phase(modsec_rec *msr, unsigned int phase) {
 
         msr->tcache_items = 0;
         msr->tcache = apr_hash_make(msr->mp);
-        if (msr->tcache == NULL) {
+        if (msr->tcache == NULL) return -1;
-            msr_log(msr, 1, "Internal error: Failed to allocate transformation cache for phase %d", msr->phase);
-            return -1;
-        }
     }
 
     switch(phase) {

apache2/modsecurity.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_geo.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_geo.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_logging.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_logging.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_lua.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_lua.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_multipart.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this
@@ -310,7 +310,13 @@ static int multipart_process_part_header(modsec_rec *msr, char **error_msg) {
                 return -1;
             }
 
+            /* extract header name */
             header_name = apr_pstrmemdup(msr->mp, msr->mpd->buf, (data - msr->mpd->buf));
+            if (data == msr->mpd->buf) {
+                *error_msg = apr_psprintf(msr->mp, "Multipart: Invalid part header (header name missing).");
+
+                 return -1;
+            }
 
             /* extract the value value */
             data++;
@@ -548,23 +554,30 @@ static int multipart_process_boundary(modsec_rec *msr, int last_part, char **err
             if (msr->mpd->mpp->value == NULL) return -1;
         }
 
-        /* add the part to the list of parts */
+        if (msr->mpd->mpp->name) {
-        *(multipart_part **)apr_array_push(msr->mpd->parts) = msr->mpd->mpp;
+            /* add the part to the list of parts */
-        if (msr->mpd->mpp->type == MULTIPART_FILE) {
+            *(multipart_part **)apr_array_push(msr->mpd->parts) = msr->mpd->mpp;
-            if (msr->txcfg->debuglog_level >= 9) {
+            if (msr->mpd->mpp->type == MULTIPART_FILE) {
-                msr_log(msr, 9, "Multipart: Added file part %pp to the list: name \"%s\" "
+                if (msr->txcfg->debuglog_level >= 9) {
-                    "file name \"%s\" (offset %u, length %u)",
+                    msr_log(msr, 9, "Multipart: Added file part %pp to the list: name \"%s\" "
-                    msr->mpd->mpp, log_escape(msr->mp, msr->mpd->mpp->name),
+                        "file name \"%s\" (offset %u, length %u)",
-                    log_escape(msr->mp, msr->mpd->mpp->filename),
+                        msr->mpd->mpp, log_escape(msr->mp, msr->mpd->mpp->name),
-                    msr->mpd->mpp->offset, msr->mpd->mpp->length);
+                        log_escape(msr->mp, msr->mpd->mpp->filename),
+                        msr->mpd->mpp->offset, msr->mpd->mpp->length);
+                }
+            }
+            else {
+                if (msr->txcfg->debuglog_level >= 9) {
+                    msr_log(msr, 9, "Multipart: Added part %pp to the list: name \"%s\" "
+                        "(offset %u, length %u)", msr->mpd->mpp, log_escape(msr->mp, msr->mpd->mpp->name),
+                        msr->mpd->mpp->offset, msr->mpd->mpp->length);
+                }
             }
         }
         else {
-            if (msr->txcfg->debuglog_level >= 9) {
+            msr_log(msr, 3, "Multipart: Skipping invalid part %pp (part name missing): "
-                msr_log(msr, 9, "Multipart: Added part %pp to the list: name \"%s\" "
+                "(offset %u, length %u)", msr->mpd->mpp,
-                    "(offset %u, length %u)", msr->mpd->mpp, log_escape(msr->mp, msr->mpd->mpp->name),
+                msr->mpd->mpp->offset, msr->mpd->mpp->length);
-                    msr->mpd->mpp->offset, msr->mpd->mpp->length);
-            }
         }
 
         msr->mpd->mpp = NULL;

apache2/msc_multipart.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_parsers.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_parsers.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_pcre.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_pcre.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_release.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_release.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_reqbody.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_test.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_util.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_util.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_xml.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/msc_xml.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/pdf_protect.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/pdf_protect.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/persist_dbm.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this
@@ -141,7 +141,7 @@ static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec
     }
 
     /* ENH Need expiration (and perhaps other metadata) accessible in blob
-     * form so we can determine if we need to convert to a table.  This will
+     * form to determine if converting to a table is needed.  This will
      * save some cycles.
      */
 
@@ -149,8 +149,7 @@ static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec
     col = collection_unpack(msr, (const unsigned char *)value->dptr, value->dsize, 1);
     if (col == NULL) return NULL;
 
-    /* We have to close *after* we use "value" from the fetch or the memory
+    /* Close after "value" used from fetch or memory may be overwritten. */
-     * may be overwritten. */
     if (existing_dbm == NULL) {
         apr_sdbm_close(dbm);
     }
@@ -189,7 +188,7 @@ static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec
     /* Delete the collection if the variable "KEY" does not exist.
      *
      * ENH It would probably be more efficient to hold the DBM
-     * open until we determine if it needs deleted than to open a second
+     * open until determined if it needs deleted than to open a second
      * time.
      */
     if (apr_table_get(col, "KEY") == NULL) {
@@ -246,7 +245,7 @@ static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec
                 apr_time_t td;
                 counter = atoi(var->value);
 
-                /* UPDATE_RATE is removed on store, so we add it back here */
+                /* UPDATE_RATE is removed on store, so add it back here */
                 var = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
                 var->name = "UPDATE_RATE";
                 var->name_len = strlen(var->name);
@@ -381,7 +380,7 @@ int collection_store(modsec_rec *msr, apr_table_t *col) {
         return -1;
     }
 
-        /* We only need to lock so we can pull in the stored data again. */
+        /* Only need to lock to pull in the stored data again. */
         rc = apr_sdbm_lock(dbm, APR_FLOCK_EXCLUSIVE);
         if (rc != APR_SUCCESS) {
             msr_log(msr, 1, "Failed to exclusivly lock DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename),
@@ -390,7 +389,7 @@ int collection_store(modsec_rec *msr, apr_table_t *col) {
             return -1;
         }
 
-    /* If there is an original value, then we need to create a delta and
+    /* If there is an original value, then create a delta and
      * apply the delta to the current value */
     orig_col = (const apr_table_t *)apr_table_get(msr->collections_original, var_name->value);
     if (orig_col != NULL) {
@@ -409,7 +408,7 @@ int collection_store(modsec_rec *msr, apr_table_t *col) {
         msc_string *var = (msc_string *)te[i].val;
         int len;
 
-        /* If there is an original value, then we need to apply the delta
+        /* If there is an original value, then apply the delta
          * to the latest stored value */
         if (stored_col != NULL) {
             const msc_string *orig_var = (const msc_string *)apr_table_get(orig_col, var->name);
@@ -559,8 +558,8 @@ int collections_remove_stale(modsec_rec *msr, const char *col_name) {
         return -1;
     }
 
-    /* No one can write to the file while we're
+    /* No one can write to the file while doing this so
-     * doing this so let's do it as fast as we can.
+     * do it as fast as possible.
      */
     rc = apr_sdbm_firstkey(dbm, &key);
     while(rc == APR_SUCCESS) {

apache2/persist_dbm.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/re.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/re.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/re_actions.c

@@ -1565,16 +1565,12 @@ static apr_status_t init_collection(modsec_rec *msr, const char *real_col_name,
     table = collection_retrieve(msr, real_col_name, col_key, col_key_len);
 
     if (table == NULL) {
-
         /* Does not exist yet - create new. */
         msr_log(msr, 4, "Creating collection (name \"%s\", key \"%s\").",
             real_col_name, col_key);
 
         table = apr_table_make(msr->mp, 24);
-        if (table == NULL) {
+        if (table == NULL) return -1;
-            msr_log(msr, 1, "Failed to allocate space for collection.");
-            return -1;
-        }
 
         /* IMP1 Is the timeout hard-coded to 3600? */
 
@@ -1807,8 +1803,18 @@ static apr_status_t msre_action_exec_execute(modsec_rec *msr, apr_pool_t *mptmp,
 static apr_status_t msre_action_prepend_execute(modsec_rec *msr, apr_pool_t *mptmp,
     msre_rule *rule, msre_action *action)
 {
-    msr->content_prepend = action->param;
+    msc_string *var = NULL;
-    msr->content_prepend_len = strlen(action->param);
+
+    /* Expand any macros in the text */
+    var = apr_pcalloc(mptmp, sizeof(msc_string));
+    if (var == NULL) return -1;
+    var->value = (char *)action->param;
+    var->value_len = strlen(var->value);
+    expand_macros(msr, var, rule, mptmp);
+
+    /* ENH: Verify we really have to dup the data here. */
+    msr->content_prepend = apr_pstrndup(msr->mp, var->value, var->value_len);
+    msr->content_prepend_len = var->value_len;
 
     return 1;
 }
@@ -1817,8 +1823,18 @@ static apr_status_t msre_action_prepend_execute(modsec_rec *msr, apr_pool_t *mpt
 static apr_status_t msre_action_append_execute(modsec_rec *msr, apr_pool_t *mptmp,
     msre_rule *rule, msre_action *action)
 {
-    msr->content_append = action->param;
+    msc_string *var = NULL;
-    msr->content_append_len = strlen(action->param);
+
+    /* Expand any macros in the text */
+    var = apr_pcalloc(mptmp, sizeof(msc_string));
+    if (var == NULL) return -1;
+    var->value = (char *)action->param;
+    var->value_len = strlen(var->value);
+    expand_macros(msr, var, rule, mptmp);
+
+    /* ENH: Verify we really have to dup the data here. */
+    msr->content_append = apr_pstrndup(msr->mp, var->value, var->value_len);
+    msr->content_append_len = var->value_len;
 
     return 1;
 }

apache2/re_operators.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/re_tfns.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/re_variables.c

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this

apache2/t/regression/action/00-misc.t

@@ -1,6 +1,5 @@
 ### Test misc actions
 
-# TODO: append
 # TODO: block
 # TODO: capture
 # TODO: chain
@@ -10,7 +9,6 @@
 # TODO: initcol
 # TODO: multiMatch
 # TODO: pause
-# TODO: prepend
 # TODO: sanitiseArg
 # TODO: sanitiseMatched
 # TODO: sanitiseRequestHeader

apache2/t/regression/action/10-append-prepend.t

@@ -0,0 +1,49 @@
+# TODO: Need more tests here
+
+### append
+{
+	type => "action",
+	comment => "append content",
+	conf => qq(
+		SecRuleEngine On
+        SecContentInjection On
+		SecDebugLog "$ENV{DEBUG_LOG}"
+		SecDebugLogLevel 9
+		SecAction "phase:1,setvar:tx.test=test"
+		SecAction "phase:2,append:'APPEND: \%{tx.test}'"
+	),
+	match_log => {
+        debug => [ "Added content to bottom: APPEND: test", 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+		content => qr/APPEND: test$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+
+### prepend
+{
+	type => "action",
+	comment => "prepend content",
+	conf => qq(
+		SecRuleEngine On
+        SecContentInjection On
+		SecDebugLog "$ENV{DEBUG_LOG}"
+		SecDebugLogLevel 9
+		SecAction "phase:1,setvar:tx.test=test"
+		SecAction "phase:2,prepend:'PREPEND: \%{tx.test}'"
+	),
+	match_log => {
+        debug => [ "Added content to top: PREPEND: test", 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+		content => qr/^PREPEND: test/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},

apache2/utf8tables.h

@@ -1,6 +1,6 @@
 /*
  * ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2008 Breach Security, Inc. (http://www.breach.com/)
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
  *
  * This product is released under the terms of the General Public Licence,
  * version 2 (GPLv2). Please refer to the file LICENSE (included with this