From e4eaade2ca973228307db9533f982ca0ebf79016 Mon Sep 17 00:00:00 2001 From: brectanus Date: Sat, 16 Feb 2008 00:27:44 +0000 Subject: [PATCH] Make Lua support optional since it is still experimental (--without-lua). If someone still uses SecRuleScript, however, it iignores it and just warns on Apache startup. --- apache2/Makefile.in | 2 +- apache2/apache2_config.c | 9 ++ apache2/build/find_lua.m4 | 179 ++++++++++++++++++++------------------ apache2/msc_lua.c | 3 + apache2/msc_lua.h | 4 + apache2/re.c | 10 +++ apache2/re.h | 8 ++ apache2/re_actions.c | 7 +- apache2/re_operators.c | 13 ++- 9 files changed, 144 insertions(+), 91 deletions(-) diff --git a/apache2/Makefile.in b/apache2/Makefile.in index 147d572f..67274191 100644 --- a/apache2/Makefile.in +++ b/apache2/Makefile.in @@ -77,7 +77,7 @@ clean: clean-extras maintainer-clean: clean @rm -rf Makefile mlogc-src/Makefile t/run-tests.pl config config.log config.status configure mod_security2_config.h ../tools/*.pl autoscan.log configure.scan build/libtool.m4 build/config.guess build/config.sub build/ltmain.sh build/apxs-wrapper -dist-clean: maintainer-clean +distclean: maintainer-clean install-mods: mod_security2.la $(INSTALL_MOD_SHARED) mod_security2.la diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c index a9767b2c..d7bb4857 100644 --- a/apache2/apache2_config.c +++ b/apache2/apache2_config.c @@ -15,7 +15,9 @@ #include "pdf_protect.h" #include "http_log.h" +#if defined(WITH_LUA) #include "msc_lua.h" +#endif /* -- Directory context creation and initialisation -- */ 
@@ -551,10 +553,12 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type, /* Create the rule now. */ switch(type) { + #if defined(WITH_LUA) case RULE_TYPE_LUA : rule = msre_rule_lua_create(dcfg->ruleset, cmd->directive->filename, cmd->directive->line_num, p1, p2, &my_error_msg); break; + #endif default : rule = msre_rule_create(dcfg->ruleset, type, cmd->directive->filename, cmd->directive->line_num, p1, p2, p3, &my_error_msg); @@ -1398,8 +1402,13 @@ static const char *cmd_rule_inheritance(cmd_parms *cmd, void *_dcfg, int flag) { static const char *cmd_rule_script(cmd_parms *cmd, void *_dcfg, const char *p1, const char *p2) { + #if defined(WITH_LUA) const char *filename = resolve_relative_path(cmd->pool, cmd->directive->filename, p1); return add_rule(cmd, (directory_config *)_dcfg, RULE_TYPE_LUA, filename, p2, NULL); + #else + ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool, "Ignoring SecRuleScript \"%s\" directive (%s:%d): No Lua scripting support.", p1, cmd->directive->filename, cmd->directive->line_num); + return NULL; + #endif } static const char *cmd_rule_remove_by_id(cmd_parms *cmd, void *_dcfg, const char *p1) { diff --git a/apache2/build/find_lua.m4 b/apache2/build/find_lua.m4 index 83e48cbf..5a1842d6 100644 --- a/apache2/build/find_lua.m4 +++ b/apache2/build/find_lua.m4 
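Review bot: In the `#else` branch of `cmd_rule_script`, a `SecRuleScript` directive is dropped with only a startup log line and the handler returns NULL, so Apache starts with that rule missing from the ruleset. For a WAF this fails open: a configuration moved to a build without `WITH_LUA` loses the protection the rule was meant to provide, and nothing stops the server from starting. Consider failing configuration instead, e.g. `return apr_psprintf(cmd->pool, "ModSecurity: SecRuleScript \"%s\" requires Lua support, which is not compiled in.", p1);`. If ignoring the directive is kept, add a comment above the log call such as `/* Fail-open by design: the rule is skipped, not enforced. */`.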
@@ -18,97 +18,106 @@ AC_ARG_WITH( lua_path="$withval", :) -dnl # Determine lua lib directory -if test -z "${lua_path}"; then - test_paths="/usr/local /usr" +if test "${lua_path}" != "no"; then + dnl # Determine lua lib directory + if test -z "${lua_path}"; then + test_paths="/usr/local /usr" + else + test_paths="${lua_path}" + fi + + AC_MSG_CHECKING([for pkg-config script for lua library]) + for x in ${test_paths}; do + if test -e "${x}/bin/${LUA_CONFIG}"; then + with_lua="${x}/bin" + break + else + with_lua="" + fi + done + if test -n "${with_lua}"; then + LUA_CONFIG="${with_lua}/${LUA_CONFIG}" + for LUA_PKGNAME in ${LUA_PKGNAMES}; do + if ${LUA_CONFIG} --exists ${LUA_PKGNAME}; then + break + fi + LUA_PKGNAME="" + done + if test -n "$LUA_PKGNAME"; then + AC_MSG_RESULT([${LUA_CONFIG} ${LUA_PKGNAME}]) + LUA_CFLAGS="`${LUA_CONFIG} ${LUA_PKGNAME} --cflags`" + LUA_LIBS="`${LUA_CONFIG} ${LUA_PKGNAME} --libs`" + CFLAGS=$save_CFLAGS + LDFLAGS=$save_LDFLAGS + else + AC_MSG_RESULT([no]) + fi + else + AC_MSG_RESULT([no]) + + dnl Hack to just try to find the lib and include + AC_MSG_CHECKING([for lua install]) + for x in ${test_paths}; do + if test -e "${x}/liblua5.1.a"; then + with_lua_lib="${x}" + lua_lib_name="lua5.1" + break + elif test -e "${x}/lib/liblua5.1.a"; then + with_lua_lib="${x}/lib" + lua_lib_name="lua5.1" + break + elif test -e "${x}/liblua.a"; then + with_lua_lib="${x}" + lua_lib_name="lua" + break + elif test -e "${x}/lib/liblua.a"; then + with_lua_lib="${x}/lib" + lua_lib_name="lua" + break + else + with_lua_lib="" + lua_lib_name="" + fi + done + for x in ${test_paths}; do + if test -e "${x}/lua.h"; then + with_lua_inc="${x}" + break + elif test -e "${x}/include/lua.h"; then + with_lua_inc="${x}/include" + break + else + with_lua_inc="" + fi + done + if test -n "${with_lua_lib}" -a -n "${with_lua_inc}"; then + LUA_CONFIG="" + AC_MSG_RESULT([${with_lua_lib} ${with_lua_inc}]) + LUA_CFLAGS="-I${with_lua_inc}" + LUA_LIBS="-L${with_lua_lib} -l${lua_lib_name}" + 
CFLAGS=$save_CFLAGS + LDFLAGS=$save_LDFLAGS + else + AC_MSG_RESULT([no]) + fi + fi else - test_paths="${lua_path}" + AC_MSG_NOTICE([not using optional lua library]) fi -AC_MSG_CHECKING([for pkg-config script for lua library]) -for x in ${test_paths}; do - if test -e "${x}/bin/${LUA_CONFIG}"; then - with_lua="${x}/bin" - break - else - with_lua="" - fi -done -if test -n "${with_lua}"; then - LUA_CONFIG="${with_lua}/${LUA_CONFIG}" - for LUA_PKGNAME in ${LUA_PKGNAMES}; do - if ${LUA_CONFIG} --exists ${LUA_PKGNAME}; then - break - fi - LUA_PKGNAME="" - done - if test -n "$LUA_PKGNAME"; then - AC_MSG_RESULT([${LUA_CONFIG} ${LUA_PKGNAME}]) - LUA_CFLAGS="`${LUA_CONFIG} ${LUA_PKGNAME} --cflags`" - LUA_LIBS="`${LUA_CONFIG} ${LUA_PKGNAME} --libs`" - CFLAGS=$save_CFLAGS - LDFLAGS=$save_LDFLAGS - else - AC_MSG_RESULT([no]) - fi -else - AC_MSG_RESULT([no]) - - dnl Hack to just try to find the lib and include - AC_MSG_CHECKING([for lua install]) - for x in ${test_paths}; do - if test -e "${x}/liblua5.1.a"; then - with_lua_lib="${x}" - lua_lib_name="lua5.1" - break - elif test -e "${x}/lib/liblua5.1.a"; then - with_lua_lib="${x}/lib" - lua_lib_name="lua5.1" - break - elif test -e "${x}/liblua.a"; then - with_lua_lib="${x}" - lua_lib_name="lua" - break - elif test -e "${x}/lib/liblua.a"; then - with_lua_lib="${x}/lib" - lua_lib_name="lua" - break - else - with_lua_lib="" - lua_lib_name="" - fi - done - for x in ${test_paths}; do - if test -e "${x}/lua.h"; then - with_lua_inc="${x}" - break - elif test -e "${x}/include/lua.h"; then - with_lua_inc="${x}/include" - break - else - with_lua_inc="" - fi - done - if test -n "${with_lua_lib}" -a -n "${with_lua_inc}"; then - LUA_CONFIG="" - AC_MSG_RESULT([${with_lua_lib} ${with_lua_inc}]) - LUA_CFLAGS="-I${with_lua_inc}" - LUA_LIBS="-L${with_lua_lib} -l${lua_lib_name}" - CFLAGS=$save_CFLAGS - LDFLAGS=$save_LDFLAGS - else - AC_MSG_RESULT([no]) - fi +if test -n "${LUA_LIBS}"; then + LUA_CFLAGS="-DWITH_LUA ${LUA_CFLAGS}" fi AC_SUBST(LUA_LIBS) 
AC_SUBST(LUA_CFLAGS) -if test -z "${LUA_LIBS}"; then - AC_MSG_NOTICE([*** lua library not found.]) - ifelse([$2], , AC_MSG_ERROR([lua library is required]), $2) -else - AC_MSG_NOTICE([using '${LUA_LIBS}' for lua Library]) - ifelse([$1], , , $1) -fi +if test "${lua_path}" != "no"; then + if test -z "${LUA_LIBS}"; then + ifelse([$2], , AC_MSG_NOTICE([optional lua library not found]), $2) + else + AC_MSG_NOTICE([using '${LUA_LIBS}' for lua Library]) + ifelse([$1], , , $1) + fi +fi ]) diff --git a/apache2/msc_lua.c b/apache2/msc_lua.c index a219b7d1..6eaae2bc 100644 --- a/apache2/msc_lua.c +++ b/apache2/msc_lua.c @@ -8,6 +8,8 @@ * write to Breach Security, Inc. at support@breach.com. * */ +#if defined(WITH_LUA) + #include "msc_lua.h" #include "apr_strings.h" @@ -408,3 +410,4 @@ int lua_execute(msc_script *script, char *param, modsec_rec *msr, msre_rule *rul return ((*error_msg != NULL) ? RULE_MATCH : RULE_NO_MATCH); } +#endif /* WITH_LUA */ diff --git a/apache2/msc_lua.h b/apache2/msc_lua.h index 10082ba2..4f9ba937 100644 --- a/apache2/msc_lua.h +++ b/apache2/msc_lua.h @@ -8,6 +8,8 @@ * write to Breach Security, Inc. at support@breach.com. * */ +#if defined(WITH_LUA) + #ifndef _MSC_LUA_H_ #define _MSC_LUA_H_ @@ -37,3 +39,5 @@ char DSOLOCAL *lua_compile(msc_script **script, const char *filename, apr_pool_t int DSOLOCAL lua_execute(msc_script *script, char *param, modsec_rec *msr, msre_rule *rule, char **error_msg); #endif + +#endif /* WITH_LUA */ diff --git a/apache2/re.c b/apache2/re.c index efab1865..186218ab 100644 --- a/apache2/re.c +++ b/apache2/re.c @@ -12,7 +12,9 @@ #include "re.h" +#if defined(WITH_LUA) #include "msc_lua.h" +#endif static const char *const severities[] = { "EMERGENCY", 
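Review bot: In the final `if test "${lua_path}" != "no"` block, a failed search now ends in `AC_MSG_NOTICE([optional lua library not found])` even when the user passed an explicit `--with-lua=PATH`, so configure succeeds and the module is built without `-DWITH_LUA`. A mistyped path therefore quietly yields a build in which `SecRuleScript` rules are skipped at startup. Distinguish the explicit case: when `lua_path` is non-empty and `LUA_LIBS` is empty, use `AC_MSG_ERROR([lua library not found in ${lua_path}])`, and keep the notice for auto-detection only. Separately, `-DWITH_LUA` is keyed on `LUA_LIBS` being non-empty; if that variable is not cleared before the search (not visible in this hunk), a value inherited from the environment would enable Lua even with `--without-lua`.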
@@ -1390,6 +1392,7 @@ char * msre_rule_generate_unparsed(apr_pool_t *pool, const msre_rule *rule, con case RULE_TYPE_MARKER: unparsed = apr_psprintf(pool, "SecMarker \"%s\"", rule->actionset->id); break; + #if defined(WITH_LUA) case RULE_TYPE_LUA: /* SecRuleScript */ if (r_actions == NULL) { @@ -1400,6 +1403,7 @@ char * msre_rule_generate_unparsed(apr_pool_t *pool, const msre_rule *rule, con r_args, log_escape(pool, r_actions)); } break; + #endif } return unparsed; @@ -1494,6 +1498,7 @@ msre_rule *msre_rule_create(msre_ruleset *ruleset, int type, return rule; } +#if defined(WITH_LUA) /** * */ @@ -1536,6 +1541,7 @@ msre_rule *msre_rule_lua_create(msre_ruleset *ruleset, return rule; } +#endif /** * Perform non-disruptive actions associated with the provided actionset. @@ -2191,6 +2197,7 @@ static apr_status_t msre_rule_process_normal(msre_rule *rule, modsec_rec *msr) { return (match_count ? RULE_MATCH : RULE_NO_MATCH); } +#if defined(WITH_LUA) /** * */ @@ -2226,6 +2233,7 @@ static apr_status_t msre_rule_process_lua(msre_rule *rule, modsec_rec *msr) { return rc; } +#endif /** * @@ -2240,9 +2248,11 @@ apr_status_t msre_rule_process(msre_rule *rule, modsec_rec *msr) { apr_pool_clear(msr->msc_rule_mptmp); } + #if defined(WITH_LUA) if (rule->type == RULE_TYPE_LUA) { return msre_rule_process_lua(rule, msr); } + #endif return msre_rule_process_normal(rule, msr); } diff --git a/apache2/re.h b/apache2/re.h index dbf10598..dcc1e966 100644 --- a/apache2/re.h +++ b/apache2/re.h @@ -35,7 +35,9 @@ typedef struct msre_cache_rec msre_cache_rec; #include "persist_dbm.h" #include "apache2.h" +#if defined(WITH_LUA) #include "msc_lua.h" +#endif /* Actions, variables, functions and operator functions */ 
@@ -125,7 +127,9 @@ int DSOLOCAL msre_ruleset_phase_rule_remove_with_exception(msre_ruleset *ruleset #define RULE_TYPE_NORMAL 0 /* SecRule */ #define RULE_TYPE_ACTION 1 /* SecAction */ #define RULE_TYPE_MARKER 2 /* SecMarker */ +#if defined(WITH_LUA) #define RULE_TYPE_LUA 3 /* SecRuleScript */ +#endif struct msre_rule { apr_array_header_t *targets; @@ -150,8 +154,10 @@ struct msre_rule { unsigned int op_time; #endif + #if defined(WITH_LUA) /* Compiled Lua script. */ msc_script *script; + #endif }; char DSOLOCAL *msre_rule_generate_unparsed(apr_pool_t *pool, const msre_rule *rule, const char *targets, const char *args, const char *actions); @@ -160,9 +166,11 @@ msre_rule DSOLOCAL *msre_rule_create(msre_ruleset *ruleset, int type, const char *fn, int line, const char *targets, const char *args, const char *actions, char **error_msg); +#if defined(WITH_LUA) msre_rule DSOLOCAL *msre_rule_lua_create(msre_ruleset *ruleset, const char *fn, int line, const char *script_filename, const char *actions, char **error_msg); +#endif apr_status_t DSOLOCAL msre_rule_process(msre_rule *rule, modsec_rec *msr); diff --git a/apache2/re_actions.c b/apache2/re_actions.c index 5fecb9a9..25e5c6e0 100644 --- a/apache2/re_actions.c +++ b/apache2/re_actions.c @@ -1597,6 +1597,7 @@ static apr_status_t msre_action_setuid_execute(modsec_rec *msr, apr_pool_t *mptm /* exec */ static char *msre_action_exec_validate(msre_engine *engine, msre_action *action) { + #if defined(WITH_LUA) char *filename = (char *)action->param; /* TODO Support relative filenames. */ @@ -1615,6 +1616,7 @@ static char *msre_action_exec_validate(msre_engine *engine, msre_action *action) action->param_data = script; } } + #endif return NULL; } 
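Review bot: The `script` member of `struct msre_rule` now exists only under `WITH_LUA`, so `sizeof(struct msre_rule)` depends on whether each translation unit was compiled with `-DWITH_LUA`. That flag arrives through `LUA_CFLAGS` from find_lua.m4, and whether every object that includes re.h receives it is not visible on this page. Any object built without it would disagree with the rest of the module about the struct size. Keeping the member unconditional, with the script type forward-declared in re.h and only the code that uses it guarded, would avoid a flag-dependent layout. If the conditional member stays, add a comment on it: `/* Present only when built with WITH_LUA; must remain the last member. */`.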
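Review bot: With `WITH_LUA` undefined, `msre_action_exec_validate` compiles down to `return NULL;`, so every `exec` parameter is accepted and `msre_action_exec_execute` passes it to `apache2_exec` as an external program. The guarded block appears to be what routes script files to the Lua compiler (its middle lines fall between the two hunks and are not shown), so in a non-Lua build a rule written for in-process Lua would change meaning rather than be rejected. `msre_op_inspectFile_init` in re_operators.c follows the same pattern. Consider an `#else` branch that returns an error message for parameters the Lua build would have compiled. If the fallback is intended, state it in a comment: `/* Without Lua support every exec target is run as an external program. */`.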
@@ -1622,6 +1624,7 @@ static char *msre_action_exec_validate(msre_engine *engine, msre_action *action) static apr_status_t msre_action_exec_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + #if defined(WITH_LUA) if (action->param_data != NULL) { /* Lua */ msc_script *script = (msc_script *)action->param_data; char *my_error_msg = NULL; @@ -1630,7 +1633,9 @@ static apr_status_t msre_action_exec_execute(modsec_rec *msr, apr_pool_t *mptmp, msr_log(msr, 1, "%s", my_error_msg); return 0; } - } else { /* Execute as shell script. */ + } else + #endif + { /* Execute as shell script. */ char *script_output = NULL; int rc = apache2_exec(msr, action->param, NULL, &script_output); diff --git a/apache2/re_operators.c b/apache2/re_operators.c index 494b2449..e9d067ec 100644 --- a/apache2/re_operators.c +++ b/apache2/re_operators.c @@ -1312,6 +1312,7 @@ static int msre_op_inspectFile_init(msre_rule *rule, char **error_msg) { filename = resolve_relative_path(rule->ruleset->mp, rule->filename, filename); + #if defined(WITH_LUA) /* ENH Write & use string_ends(s, e). */ if (strlen(rule->op_param) > 4) { char *p = filename + strlen(filename) - 4; @@ -1326,6 +1327,7 @@ static int msre_op_inspectFile_init(msre_rule *rule, char **error_msg) { rule->op_param_data = script; } } + #endif if (rule->op_param_data == NULL) { /* ENH Verify the script exists and that we have @@ -1373,10 +1375,9 @@ static int msre_op_inspectFile_execute(modsec_rec *msr, msre_rule *rule, msre_va log_escape_nq(msr->mp, script_output)); return 1; /* Match. */ } - - /* No match. */ - return 0; - } else { + } + #if defined(WITH_LUA) + else { /* Execute internally, as Lua script. */ char *target = apr_pstrmemdup(msr->mp, var->value, var->value_len); msc_script *script = (msc_script *)rule->op_param_data; @@ -1390,6 +1391,10 @@ static int msre_op_inspectFile_execute(modsec_rec *msr, msre_rule *rule, msre_va return rc; } + #endif + + /* No match. */ + return 0; } /* validateByteRange */
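Review bot: In `msre_action_exec_execute` the `else` keyword sits inside `#if defined(WITH_LUA)` while the block it governs sits outside (`} else` / `#endif` / `{`), so the brace structure only balances after preprocessing. That shape is easy to break in a later edit and tends to confuse indenters and static-analysis tools. A clearer form keeps the whole Lua branch, ending in its own return, inside the `#if` and leaves the external-script block unconditional below it. The code after the if/else is outside the hunk, so the return value for that early exit needs checking against it. If the current form is kept, add a comment on the bare block: `/* Reached via the else above when WITH_LUA is defined, unconditionally otherwise. */`.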