diff --git a/CHANGES b/CHANGES index 8e261a3b..46b66c40 100644 --- a/CHANGES +++ b/CHANGES @@ -1,7 +1,8 @@ - -17 Oct 2007 - 2.5.0-dev3 +02 Nov 2007 - 2.5.0-dev3 ------------------------ + * Fix warnings on Solaris and/or 64bit builds. + * Added skipAfter: action to allow skipping all rules until a rule with a specified ID is reached. Rule execution then continues after the specified rule. diff --git a/apache2/Makefile b/apache2/Makefile index 7cd4c577..a725f3b7 100644 --- a/apache2/Makefile +++ b/apache2/Makefile @@ -17,7 +17,17 @@ builddir = . # Debian - /usr/share/apache2 (apache2-prefork-dev or apache2-threaded-dev # needed, depending on your installation type) # -top_dir = /apps/apache22 +# NOTE: On Solaris the top_builddir is /var/apache2. This version of Apache +# httpd uses the buildin PCRE, but you must still install the PCRE headers +# to compile ModSecurity as they are not installed with Apache httpd. Because +# of this, it is recommended to install your own version of Apache httpd. +# +# Additionally, if you do not have PCRE installed, you can use the +# headers included with Apache httpd. To do this, add the PCRE +# include directory to the INCLUDES variable below +# Something like: -I /path/to/httpd-x.y/srclib/pcre +# +top_dir = /usr/local/apache2 top_srcdir = ${top_dir} top_builddir = ${top_dir} @@ -28,6 +38,7 @@ APXS = apxs APACHECTL = apachectl INCLUDES = -I /usr/include/libxml2 +#INCLUDES = -I /usr/include/libxml2 -I /path/to/httpd-x.y/srclib/pcre DEFS = -DWITH_LIBXML2 #DEFS = -DWITH_LIBXML2 -DPERFORMANCE_MEASUREMENT #DEFS = -DWITH_LIBXML2 -DNO_MODSEC_API diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c index 88401165..eec00ce7 100644 --- a/apache2/apache2_config.c +++ b/apache2/apache2_config.c 
@@ -1304,11 +1304,18 @@ static const char *cmd_cache_transformations(cmd_parms *cmd, void *_dcfg, const charval = apr_table_get(vartable, "minlen"); if (charval != NULL) { intval = apr_atoi64(charval); + if (errno == ERANGE) { + return apr_psprintf(cmd->pool, "ModSecurity: SecCacheTransformations minlen out of range: %s", charval); + } if (intval < 0) { return apr_psprintf(cmd->pool, "ModSecurity: SecCacheTransformations minlen must be positive: %s", charval); } - if (intval >= (apr_size_t)NOT_SET) { - return apr_psprintf(cmd->pool, "ModSecurity: SecCacheTransformations minlen must be less than: %u", (apr_size_t)NOT_SET); + + /* The NOT_SET indicator is -1, a signed long, and therfore + * we cannot be >= the unsigned value of NOT_SET. + */ + if ((unsigned long)intval >= (unsigned long)NOT_SET) { + return apr_psprintf(cmd->pool, "ModSecurity: SecCacheTransformations minlen must be less than: %u", (unsigned long)NOT_SET); } dcfg->cache_trans_min = (apr_size_t)intval; } 
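Review bot: The new minlen range check narrows `intval` to `unsigned long` before comparing, so on a build where `unsigned long` is 32 bits a value such as 4294967296 wraps to 0 and is accepted, where the old comparison rejected it. This assumes `intval` holds the 64-bit result of `apr_atoi64()`; its declaration is outside the hunk. Comparing in the wide type keeps the check exact and still avoids the signed/unsigned warning: `if ((apr_uint64_t)intval >= (apr_uint64_t)(apr_size_t)NOT_SET) {`. The maxlen hunk that follows uses the same cast, and in both places the later `(apr_size_t)intval` store would keep the truncated value.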
@@ -1317,14 +1324,21 @@ static const char *cmd_cache_transformations(cmd_parms *cmd, void *_dcfg, const charval = apr_table_get(vartable, "maxlen"); if (charval != NULL) { intval = apr_atoi64(charval); + if (errno == ERANGE) { + return apr_psprintf(cmd->pool, "ModSecurity: SecCacheTransformations maxlen out of range: %s", charval); + } if (intval < 0) { return apr_psprintf(cmd->pool, "ModSecurity: SecCacheTransformations maxlen must be positive: %s", charval); } - if (intval >= (apr_size_t)NOT_SET) { - return apr_psprintf(cmd->pool, "ModSecurity: SecCacheTransformations maxlen must be less than: %u", (apr_size_t)NOT_SET); + + /* The NOT_SET indicator is -1, a signed long, and therfore + * we cannot be >= the unsigned value of NOT_SET. + */ + if ((unsigned long)intval >= (unsigned long)NOT_SET) { + return apr_psprintf(cmd->pool, "ModSecurity: SecCacheTransformations maxlen must be less than: %u", (unsigned long)NOT_SET); } - if ((intval != 0) && (intval < dcfg->cache_trans_min)) { - return apr_psprintf(cmd->pool, "ModSecurity: SecCacheTransformations maxlen must not be less than minlen: %u < %u", (apr_size_t)intval, dcfg->cache_trans_min); + if ((intval != 0) && ((apr_size_t)intval < dcfg->cache_trans_min)) { + return apr_psprintf(cmd->pool, "ModSecurity: SecCacheTransformations maxlen must not be less than minlen: %u < %" APR_SIZE_T_FMT, (unsigned long)intval, dcfg->cache_trans_min); } dcfg->cache_trans_max = (apr_size_t)intval; diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c index 04dcebb2..a936a95d 100644 --- a/apache2/mod_security2.c +++ b/apache2/mod_security2.c 
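Review bot: The rewritten minlen/maxlen message still formats `(unsigned long)intval` with `%u`, which expects `unsigned int`; on LP64 targets that is a mismatched vararg, the kind of 64-bit warning this commit sets out to remove. The format should read `"... maxlen must not be less than minlen: %lu < %" APR_SIZE_T_FMT`. The two `must be less than: %u` messages, here and in the minlen hunk, also pass `(unsigned long)NOT_SET` to `%u` and need `%lu`. cmd_cache_transformations starts and ends outside the hunk.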
@@ -449,7 +449,7 @@ static int hook_post_config(apr_pool_t *mp, apr_pool_t *mp_log, apr_pool_t *mp_t if (first_time == 0) { ap_log_error(APLOG_MARK, APLOG_NOTICE | APLOG_NOERRNO, 0, s, - "ModSecurity: chroot checkpoint #2 (pid=%d ppid=%d)", getpid(), getppid()); + "ModSecurity: chroot checkpoint #2 (pid=%d ppid=%d)", (int)getpid(), (int)getppid()); if (chdir(chroot_dir) < 0) { ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, s, @@ -478,7 +478,7 @@ static int hook_post_config(apr_pool_t *mp, apr_pool_t *mp_log, apr_pool_t *mp_t "ModSecurity: chroot successful, path=%s", chroot_dir); } else { ap_log_error(APLOG_MARK, APLOG_NOTICE | APLOG_NOERRNO, 0, s, - "ModSecurity: chroot checkpoint #1 (pid=%d ppid=%d)", getpid(), getppid()); + "ModSecurity: chroot checkpoint #1 (pid=%d ppid=%d)", (int)getpid(), (int)getppid()); } } #endif @@ -986,7 +986,7 @@ static void hook_insert_error_filter(request_rec *r) { */ static void modsec_register_tfn(const char *name, void *fn) { if (modsecurity != NULL) { - msre_engine_tfn_register(modsecurity->msre, name, fn); + msre_engine_tfn_register(modsecurity->msre, name, (fn_tfn_execute_t)fn); } } @@ -996,7 +996,7 @@ static void modsec_register_tfn(const char *name, void *fn) { */ static void modsec_register_operator(const char *name, void *fn_init, void *fn_exec) { if (modsecurity != NULL) { - msre_engine_op_register(modsecurity->msre, name, fn_init, fn_exec); + msre_engine_op_register(modsecurity->msre, name, (fn_op_param_init_t)fn_init, (fn_op_execute_t)fn_exec); } } diff --git a/apache2/modsecurity.c b/apache2/modsecurity.c index 6448ca0b..eec3eed0 100644 --- a/apache2/modsecurity.c +++ b/apache2/modsecurity.c @@ -480,9 +480,8 @@ apr_status_t modsecurity_process_phase(modsec_rec *msr, int phase) { break; default : msr_log(msr, 1, "Invalid processing phase: %d", msr->phase); - return -1; break; } - return 0; + return -1; } diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h index 0c867b20..0555f1b2 100644 
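Review bot: In modsec_register_tfn the added `(fn_tfn_execute_t)fn` cast silences the warning but keeps the `void *fn` parameter, so the compiler still cannot reject a callback with the wrong signature, and ISO C does not define the conversion from `void *` to a function pointer. A mismatched callback would fail only when the engine later calls it through the incompatible type. If the registration interface may change, take the typedef directly, `static void modsec_register_tfn(const char *name, fn_tfn_execute_t fn)`; otherwise add a comment above the function stating the exact signature callers must supply. The same applies to `fn_init` and `fn_exec` in the modsec_register_operator hunk.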
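Review bot: In modsecurity_process_phase the final `return` changes from 0 to -1, so any case that reaches its `break` without returning now reports failure instead of success. The hunk shows a `break;` just before `default :`, but the case bodies are outside it, so please confirm that each one returns before its `break`. A comment on the tail, `/* Only reached for an invalid phase. */`, would record that intent for the next reader.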
--- a/apache2/modsecurity.h +++ b/apache2/modsecurity.h @@ -75,8 +75,8 @@ extern DSOLOCAL modsec_build_type_rec modsec_build_type[]; #define PHASE_FIRST PHASE_REQUEST_HEADERS #define PHASE_LAST PHASE_LOGGING -#define NOT_SET -1 -#define NOT_SET_P (void *)-1 +#define NOT_SET -1l +#define NOT_SET_P (void *)-1l #define CREATEMODE ( APR_UREAD | APR_UWRITE | APR_GREAD ) #define CREATEMODE_DIR ( APR_UREAD | APR_UWRITE | APR_UEXECUTE | APR_GREAD | APR_GEXECUTE ) diff --git a/apache2/re.h b/apache2/re.h index 66ba0bcf..9d9dc1f1 100644 --- a/apache2/re.h +++ b/apache2/re.h @@ -145,17 +145,16 @@ apr_status_t DSOLOCAL msre_rule_process(msre_rule *rule, modsec_rec *msr); #define PHASE_RESPONSE_BODY 4 #define PHASE_LOGGING 5 -#define FN_OP_PARAM_INIT(X) int (*X)(msre_rule *rule, char **error_msg) -#define FN_OP_EXECUTE(X) int (*X)(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) - +typedef int (*fn_op_param_init_t)(msre_rule *rule, char **error_msg); +typedef int (*fn_op_execute_t)(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg); struct msre_op_metadata { const char *name; - FN_OP_PARAM_INIT (param_init); - FN_OP_EXECUTE (execute); + fn_op_param_init_t param_init; + fn_op_execute_t execute; }; -#define FN_TFN_EXECUTE(X) int (*X)(apr_pool_t *pool, unsigned char *input, long int input_length, char **rval, long int *rval_length) +typedef int (*fn_tfn_execute_t)(apr_pool_t *pool, unsigned char *input, long int input_length, char **rval, long int *rval_length); struct msre_tfn_metadata { const char *name; 
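Review bot: The new `NOT_SET` and `NOT_SET_P` definitions in modsecurity.h use a lowercase `l` suffix and unparenthesised replacement lists, so `-1l` is easily read as -11 and the expansion is not a single self-contained expression. `#define NOT_SET (-1L)` and `#define NOT_SET_P ((void *)-1L)` avoid both. Because the macro's type changes from `int` to `long`, call sites that pass `NOT_SET` to a `%d` format or compare it with an `int` field should be rechecked; those are outside this diff.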
@@ -171,14 +170,14 @@ struct msre_tfn_metadata { * * NOTE Strict transformation functions not supported yet. */ - FN_TFN_EXECUTE(execute); + fn_tfn_execute_t execute; }; void DSOLOCAL msre_engine_tfn_register(msre_engine *engine, const char *name, - FN_TFN_EXECUTE(execute)); + fn_tfn_execute_t execute); void DSOLOCAL msre_engine_op_register(msre_engine *engine, const char *name, - FN_OP_PARAM_INIT(fn1), FN_OP_EXECUTE(fn2)); + fn_op_param_init_t fn1, fn_op_execute_t fn2); void DSOLOCAL msre_engine_register_default_tfns(msre_engine *engine); @@ -193,16 +192,16 @@ msre_tfn_metadata DSOLOCAL *msre_engine_tfn_resolve(msre_engine *engine, const c #define VAR_DONT_CACHE 0 #define VAR_CACHE 1 -#define FN_VAR_VALIDATE(X) char *(*X)(msre_ruleset *ruleset, msre_var *var) -#define FN_VAR_GENERATE(X) int (*X)(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *table, apr_pool_t *mptmp) +typedef char *(*fn_var_validate_t)(msre_ruleset *ruleset, msre_var *var); +typedef int (*fn_var_generate_t)(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *table, apr_pool_t *mptmp); struct msre_var_metadata { const char *name; unsigned int type; /* VAR_TYPE_ constants */ unsigned int argc_min; unsigned int argc_max; - FN_VAR_VALIDATE (validate); - FN_VAR_GENERATE (generate); + fn_var_validate_t validate; + fn_var_generate_t generate; unsigned int is_cacheable; /* 0 - no, 1 - yes */ unsigned int availability; /* when does this variable become available? */ }; @@ -250,7 +249,7 @@ struct msre_actionset { void DSOLOCAL msre_engine_variable_register(msre_engine *engine, const char *name, unsigned int type, unsigned int argc_min, unsigned int argc_max, - FN_VAR_VALIDATE(validate), FN_VAR_GENERATE(generate), + fn_var_validate_t validate, fn_var_generate_t generate, unsigned int is_cacheable, unsigned int availability); msre_actionset DSOLOCAL *msre_actionset_create(msre_engine *engine, const char *text, 
@@ -263,9 +262,9 @@ msre_actionset DSOLOCAL *msre_actionset_create_default(msre_engine *engine); void DSOLOCAL msre_actionset_init(msre_actionset *actionset, msre_rule *rule); -#define FN_ACTION_VALIDATE(X) char *(*X)(msre_engine *engine, msre_action *action) -#define FN_ACTION_INIT(X) apr_status_t (*X)(msre_engine *engine, msre_actionset *actionset, msre_action *action) -#define FN_ACTION_EXECUTE(X) apr_status_t (*X)(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) +typedef char *(*fn_action_validate_t)(msre_engine *engine, msre_action *action); +typedef apr_status_t (*fn_action_init_t)(msre_engine *engine, msre_actionset *actionset, msre_action *action); +typedef apr_status_t (*fn_action_execute_t)(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action); #define ACTION_DISRUPTIVE 1 #define ACTION_NON_DISRUPTIVE 2 @@ -285,9 +284,9 @@ struct msre_action_metadata { unsigned int argc_max; unsigned int allow_param_plusminus; unsigned int cardinality; - FN_ACTION_VALIDATE (validate); - FN_ACTION_INIT (init); - FN_ACTION_EXECUTE (execute); + fn_action_validate_t validate; + fn_action_init_t init; + fn_action_execute_t execute; }; struct msre_action { diff --git a/apache2/re_actions.c b/apache2/re_actions.c index 97481827..bef9de42 100644 --- a/apache2/re_actions.c +++ b/apache2/re_actions.c @@ -16,8 +16,8 @@ */ static void msre_engine_action_register(msre_engine *engine, const char *name, unsigned int type, unsigned int argc_min, unsigned int argc_max, unsigned int allow_param_plusminus, - unsigned int cardinality, FN_ACTION_VALIDATE(validate), FN_ACTION_INIT(init), - FN_ACTION_EXECUTE(execute)) + unsigned int cardinality, fn_action_validate_t validate, fn_action_init_t init, + fn_action_execute_t execute) { msre_action_metadata *metadata = (msre_action_metadata *)apr_pcalloc(engine->mp, sizeof(msre_action_metadata)); diff --git a/apache2/re_operators.c b/apache2/re_operators.c index a91cf90d..32ca54fa 100644 
--- a/apache2/re_operators.c +++ b/apache2/re_operators.c @@ -19,7 +19,7 @@ * */ void msre_engine_op_register(msre_engine *engine, const char *name, - FN_OP_PARAM_INIT(fn1), FN_OP_EXECUTE(fn2)) + fn_op_param_init_t fn1, fn_op_execute_t fn2) { msre_op_metadata *metadata = (msre_op_metadata *)apr_pcalloc(engine->mp, sizeof(msre_op_metadata)); @@ -1240,17 +1240,17 @@ static int msre_op_validateUrlEncoding_execute(modsec_rec *msr, msre_rule *rule, int rc = validate_url_encoding(var->value, var->value_len); switch(rc) { case 1 : - return 0; /* Encoding is valid, no match. */ + /* Encoding is valid */ break; case -2 : *error_msg = apr_psprintf(msr->mp, "Invalid URL Encoding: Non-hexadecimal " "digits used."); - return 1; /* Invalid, match. */ + return 1; /* Invalid match. */ break; case -3 : *error_msg = apr_psprintf(msr->mp, "Invalid URL Encoding: Not enough characters " "at the end of input."); - return 1; /* Invalid, match. */ + return 1; /* Invalid match. */ break; case -1 : default : diff --git a/apache2/re_tfns.c b/apache2/re_tfns.c index be0d5711..992f4835 100644 --- a/apache2/re_tfns.c +++ b/apache2/re_tfns.c @@ -432,7 +432,7 @@ static int msre_fn_normalisePathWin_execute(apr_pool_t *mptmp, unsigned char *in * Registers one transformation function with the engine. */ void msre_engine_tfn_register(msre_engine *engine, const char *name, - FN_TFN_EXECUTE(execute)) + fn_tfn_execute_t execute) { msre_tfn_metadata *metadata = (msre_tfn_metadata *)apr_pcalloc(engine->mp, sizeof(msre_tfn_metadata)); diff --git a/apache2/re_variables.c b/apache2/re_variables.c index d75afafa..18e97eee 100644 --- a/apache2/re_variables.c +++ b/apache2/re_variables.c 
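Review bot: In msre_op_validateUrlEncoding_execute the valid-encoding case (`case 1`) no longer returns 0 but breaks out of the switch, so the no-match result now depends on the code after the switch, which is outside the hunk. Since this return value decides whether the operator reports a match, confirm the tail ends in `return 0;` and say so in the comment, e.g. `/* Encoding is valid, fall through to the no-match return. */`. The reworded `/* Invalid match. */` also loses the original meaning; `/* Invalid encoding, match. */` states what the return signals.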
@@ -2094,7 +2094,7 @@ static int var_webappid_generate(modsec_rec *msr, msre_var *var, msre_rule *rule */ void msre_engine_variable_register(msre_engine *engine, const char *name, unsigned int type, unsigned int argc_min, unsigned int argc_max, - FN_VAR_VALIDATE(validate), FN_VAR_GENERATE(generate), + fn_var_validate_t validate, fn_var_generate_t generate, unsigned int is_cacheable, unsigned int availability) { msre_var_metadata *metadata = (msre_var_metadata *)apr_pcalloc(engine->mp,