Backport trunk changes for changeset:1072 and changeset:1073 to 2.5, but leave out the error filter code until more testing is completed. See #498.

2026-01-13 06:57:10 +03:00 · 2008-06-05 16:55:53 +00:00
parent f417680065
commit e1342ff011
6 changed files with 28 additions and 16 deletions
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-03 Jun 2008 - 2.5.5
+05 Jun 2008 - 2.5.5
 -------------------

 * Fixed an issue where an alert was not logged in the error log
--- a/apache2/apache2_io.c
+++ b/apache2/apache2_io.c
@@ -510,10 +510,13 @@ apr_status_t output_filter(ap_filter_t *f, apr_bucket_brigade *bb_in) {
            ap_remove_output_filter(f);
            return send_error_bucket(msr, f, HTTP_INTERNAL_SERVER_ERROR);
        }
+
        if (rc > 0) { /* transaction needs to be interrupted */
            int status = perform_interception(msr);
            if (status != DECLINED) { /* DECLINED means we allow-ed the request. */
                ap_remove_output_filter(f);
+                msr->of_status = OF_STATUS_COMPLETE;
+                msr->resbody_status = RESBODY_STATUS_ERROR;
                return send_error_bucket(msr, f, status);
            }
        }
--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@@ -919,7 +919,8 @@ static void hook_insert_filter(request_rec *r) {
    /* Add the input filter, but only if we need it to run. */
    if (msr->if_status == IF_STATUS_WANTS_TO_RUN) {
        if (msr->txcfg->debuglog_level >= 4) {
-            msr_log(msr, 4, "Hook insert_filter: Adding input forwarding filter %s(r %pp).", (((r->main != NULL)||(r->prev != NULL)) ? "for subrequest " : ""), r);
+            msr_log(msr, 4, "Hook insert_filter: Adding input forwarding filter %s(r %pp).",
+                (((r->main != NULL)||(r->prev != NULL)) ? "for subrequest " : ""), r);
        }

        ap_add_input_filter("MODSECURITY_IN", msr, r, r->connection);
@@ -961,7 +962,8 @@ static void hook_insert_filter(request_rec *r) {
    }
 }

-/* NOTE: This is causing and endless loop when blocking in phase:3 */
+// TODO: Holding off on this for now (needs more testing)
+#if 0
 /**
 * Invoked whenever Apache starts processing an error. A chance
 * to insert ourselves into the output filter chain.
@@ -975,16 +977,6 @@ static void hook_insert_error_filter(request_rec *r) {
    msr = retrieve_tx_context(r);
    if (msr == NULL) return;

-    /* Do not run if we are already running, which may happen
-     * if we intercept in phase 3.
-     */
-    if (msr->of_is_error == 1) {
-        if (msr->txcfg->debuglog_level >= 4) {
-            msr_log(msr, 4, "Hook insert_error_filter: Already processing.");
-        }
-        return;
-    }
-
    /* Do not run if not enabled. */
    if (msr->txcfg->is_enabled == 0) {
        if (msr->txcfg->debuglog_level >= 4) {
@@ -1013,6 +1005,7 @@ static void hook_insert_error_filter(request_rec *r) {
        }
    }
 }
+#endif

 #if (!defined(NO_MODSEC_API))
 /**
@@ -1113,7 +1106,9 @@ static void register_hooks(apr_pool_t *mp) {

    /* Filter hooks */
    ap_hook_insert_filter(hook_insert_filter, NULL, NULL, APR_HOOK_FIRST);
+#if 0
    ap_hook_insert_error_filter(hook_insert_error_filter, NULL, NULL, APR_HOOK_FIRST);
+#endif

    ap_register_input_filter("MODSECURITY_IN", input_filter,
        NULL, AP_FTYPE_CONTENT_SET);
--- a/apache2/modsecurity.c
+++ b/apache2/modsecurity.c
@@ -225,6 +225,7 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) {
    /* Initialise C-T */
    msr->request_content_type = NULL;
    s = apr_table_get(msr->request_headers, "Content-Type");
+    msr_log(msr, 9, "C-T (apache): \"%s\"", s);
    if (s != NULL) msr->request_content_type = s;

    /* Decide what to do with the request body. */
@@ -492,7 +493,20 @@ static apr_status_t modsecurity_process_phase_logging(modsec_rec *msr) {
 * need to be explicitly provided since it's already available
 * in the modsec_rec structure.
 */
-apr_status_t modsecurity_process_phase(modsec_rec *msr, int phase) {
+apr_status_t modsecurity_process_phase(modsec_rec *msr, unsigned int phase) {
+    /* Check if we've should run. */
+    if ((msr->was_intercepted)&&(phase != PHASE_LOGGING)) {
+        msr_log(msr, 4, "Skipping phase %i as request was already intercepted.", phase);
+        return 0;
+    }
+
+    /* Do not process the same phase twice. */
+    if (msr->phase >= phase) {
+        msr_log(msr, 4, "Skipping phase %i because it was previously run (at %i now).",
+            phase, msr->phase);
+        return 0;
+    }
+
    msr->phase = phase;

    switch(phase) {
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@@ -539,7 +539,7 @@ void DSOLOCAL modsecurity_shutdown(msc_engine *msce);

 apr_status_t DSOLOCAL modsecurity_tx_init(modsec_rec *msr);

-apr_status_t DSOLOCAL modsecurity_process_phase(modsec_rec *msr, int phase);
+apr_status_t DSOLOCAL modsecurity_process_phase(modsec_rec *msr, unsigned int phase);


 /* Request body functions */
--- a/doc/modsecurity2-apache-reference.xml
+++ b/doc/modsecurity2-apache-reference.xml
@@ -4,7 +4,7 @@
  Manual</title>

  <articleinfo>
-    <releaseinfo>Version 2.5.5 (June 3, 2008)</releaseinfo>
+    <releaseinfo>Version 2.5.5 (June 5, 2008)</releaseinfo>

    <copyright>
      <year>2004-2008</year>