mirror of
https://github.com/owasp-modsecurity/ModSecurity.git
synced 2026-01-13 06:57:10 +03:00
Backport trunk changes for changeset:1072 and changeset:1073 to 2.5, but leave out the error filter code until more testing is completed. See #498.
This commit is contained in:
brectanus
2
CHANGES
2
CHANGES
@@ -1,4 +1,4 @@
|
|||||||
03 Jun 2008 - 2.5.5
|
05 Jun 2008 - 2.5.5
|
||||||
-------------------
|
-------------------
|
||||||
|
|
||||||
* Fixed an issue where an alert was not logged in the error log
|
* Fixed an issue where an alert was not logged in the error log
|
||||||
|
|||||||
@@ -510,10 +510,13 @@ apr_status_t output_filter(ap_filter_t *f, apr_bucket_brigade *bb_in) {
|
|||||||
ap_remove_output_filter(f);
|
ap_remove_output_filter(f);
|
||||||
return send_error_bucket(msr, f, HTTP_INTERNAL_SERVER_ERROR);
|
return send_error_bucket(msr, f, HTTP_INTERNAL_SERVER_ERROR);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (rc > 0) { /* transaction needs to be interrupted */
|
if (rc > 0) { /* transaction needs to be interrupted */
|
||||||
int status = perform_interception(msr);
|
int status = perform_interception(msr);
|
||||||
if (status != DECLINED) { /* DECLINED means we allow-ed the request. */
|
if (status != DECLINED) { /* DECLINED means we allow-ed the request. */
|
||||||
ap_remove_output_filter(f);
|
ap_remove_output_filter(f);
|
||||||
|
msr->of_status = OF_STATUS_COMPLETE;
|
||||||
|
msr->resbody_status = RESBODY_STATUS_ERROR;
|
||||||
return send_error_bucket(msr, f, status);
|
return send_error_bucket(msr, f, status);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -919,7 +919,8 @@ static void hook_insert_filter(request_rec *r) {
|
|||||||
/* Add the input filter, but only if we need it to run. */
|
/* Add the input filter, but only if we need it to run. */
|
||||||
if (msr->if_status == IF_STATUS_WANTS_TO_RUN) {
|
if (msr->if_status == IF_STATUS_WANTS_TO_RUN) {
|
||||||
if (msr->txcfg->debuglog_level >= 4) {
|
if (msr->txcfg->debuglog_level >= 4) {
|
||||||
msr_log(msr, 4, "Hook insert_filter: Adding input forwarding filter %s(r %pp).", (((r->main != NULL)||(r->prev != NULL)) ? "for subrequest " : ""), r);
|
msr_log(msr, 4, "Hook insert_filter: Adding input forwarding filter %s(r %pp).",
|
||||||
|
(((r->main != NULL)||(r->prev != NULL)) ? "for subrequest " : ""), r);
|
||||||
}
|
}
|
||||||
|
|
||||||
ap_add_input_filter("MODSECURITY_IN", msr, r, r->connection);
|
ap_add_input_filter("MODSECURITY_IN", msr, r, r->connection);
|
||||||
@@ -961,7 +962,8 @@ static void hook_insert_filter(request_rec *r) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* NOTE: This is causing and endless loop when blocking in phase:3 */
|
// TODO: Holding off on this for now (needs more testing)
|
||||||
|
#if 0
|
||||||
/**
|
/**
|
||||||
* Invoked whenever Apache starts processing an error. A chance
|
* Invoked whenever Apache starts processing an error. A chance
|
||||||
* to insert ourselves into the output filter chain.
|
* to insert ourselves into the output filter chain.
|
||||||
@@ -975,16 +977,6 @@ static void hook_insert_error_filter(request_rec *r) {
|
|||||||
msr = retrieve_tx_context(r);
|
msr = retrieve_tx_context(r);
|
||||||
if (msr == NULL) return;
|
if (msr == NULL) return;
|
||||||
|
|
||||||
/* Do not run if we are already running, which may happen
|
|
||||||
* if we intercept in phase 3.
|
|
||||||
*/
|
|
||||||
if (msr->of_is_error == 1) {
|
|
||||||
if (msr->txcfg->debuglog_level >= 4) {
|
|
||||||
msr_log(msr, 4, "Hook insert_error_filter: Already processing.");
|
|
||||||
}
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Do not run if not enabled. */
|
/* Do not run if not enabled. */
|
||||||
if (msr->txcfg->is_enabled == 0) {
|
if (msr->txcfg->is_enabled == 0) {
|
||||||
if (msr->txcfg->debuglog_level >= 4) {
|
if (msr->txcfg->debuglog_level >= 4) {
|
||||||
@@ -1013,6 +1005,7 @@ static void hook_insert_error_filter(request_rec *r) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
#if (!defined(NO_MODSEC_API))
|
#if (!defined(NO_MODSEC_API))
|
||||||
/**
|
/**
|
||||||
@@ -1113,7 +1106,9 @@ static void register_hooks(apr_pool_t *mp) {
|
|||||||
|
|
||||||
/* Filter hooks */
|
/* Filter hooks */
|
||||||
ap_hook_insert_filter(hook_insert_filter, NULL, NULL, APR_HOOK_FIRST);
|
ap_hook_insert_filter(hook_insert_filter, NULL, NULL, APR_HOOK_FIRST);
|
||||||
|
#if 0
|
||||||
ap_hook_insert_error_filter(hook_insert_error_filter, NULL, NULL, APR_HOOK_FIRST);
|
ap_hook_insert_error_filter(hook_insert_error_filter, NULL, NULL, APR_HOOK_FIRST);
|
||||||
|
#endif
|
||||||
|
|
||||||
ap_register_input_filter("MODSECURITY_IN", input_filter,
|
ap_register_input_filter("MODSECURITY_IN", input_filter,
|
||||||
NULL, AP_FTYPE_CONTENT_SET);
|
NULL, AP_FTYPE_CONTENT_SET);
|
||||||
|
|||||||
@@ -225,6 +225,7 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) {
|
|||||||
/* Initialise C-T */
|
/* Initialise C-T */
|
||||||
msr->request_content_type = NULL;
|
msr->request_content_type = NULL;
|
||||||
s = apr_table_get(msr->request_headers, "Content-Type");
|
s = apr_table_get(msr->request_headers, "Content-Type");
|
||||||
|
msr_log(msr, 9, "C-T (apache): \"%s\"", s);
|
||||||
if (s != NULL) msr->request_content_type = s;
|
if (s != NULL) msr->request_content_type = s;
|
||||||
|
|
||||||
/* Decide what to do with the request body. */
|
/* Decide what to do with the request body. */
|
||||||
@@ -492,7 +493,20 @@ static apr_status_t modsecurity_process_phase_logging(modsec_rec *msr) {
|
|||||||
* need to be explicitly provided since it's already available
|
* need to be explicitly provided since it's already available
|
||||||
* in the modsec_rec structure.
|
* in the modsec_rec structure.
|
||||||
*/
|
*/
|
||||||
apr_status_t modsecurity_process_phase(modsec_rec *msr, int phase) {
|
apr_status_t modsecurity_process_phase(modsec_rec *msr, unsigned int phase) {
|
||||||
|
/* Check if we've should run. */
|
||||||
|
if ((msr->was_intercepted)&&(phase != PHASE_LOGGING)) {
|
||||||
|
msr_log(msr, 4, "Skipping phase %i as request was already intercepted.", phase);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Do not process the same phase twice. */
|
||||||
|
if (msr->phase >= phase) {
|
||||||
|
msr_log(msr, 4, "Skipping phase %i because it was previously run (at %i now).",
|
||||||
|
phase, msr->phase);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
msr->phase = phase;
|
msr->phase = phase;
|
||||||
|
|
||||||
switch(phase) {
|
switch(phase) {
|
||||||
|
|||||||
@@ -539,7 +539,7 @@ void DSOLOCAL modsecurity_shutdown(msc_engine *msce);
|
|||||||
|
|
||||||
apr_status_t DSOLOCAL modsecurity_tx_init(modsec_rec *msr);
|
apr_status_t DSOLOCAL modsecurity_tx_init(modsec_rec *msr);
|
||||||
|
|
||||||
apr_status_t DSOLOCAL modsecurity_process_phase(modsec_rec *msr, int phase);
|
apr_status_t DSOLOCAL modsecurity_process_phase(modsec_rec *msr, unsigned int phase);
|
||||||
|
|
||||||
|
|
||||||
/* Request body functions */
|
/* Request body functions */
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
Manual</title>
|
Manual</title>
|
||||||
|
|
||||||
<articleinfo>
|
<articleinfo>
|
||||||
<releaseinfo>Version 2.5.5 (June 3, 2008)</releaseinfo>
|
<releaseinfo>Version 2.5.5 (June 5, 2008)</releaseinfo>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2004-2008</year>
|
<year>2004-2008</year>
|
||||||
|
|||||||
Reference in New Issue
Block a user