Make Lua support optional since it is still experimental (--without-lua). If someone still uses SecRuleScript, however, it iignores it and just warns on Apache startup.

apache2/Makefile.in

@@ -77,7 +77,7 @@ clean: clean-extras
 maintainer-clean: clean
 	@rm -rf Makefile mlogc-src/Makefile t/run-tests.pl config config.log config.status configure mod_security2_config.h ../tools/*.pl autoscan.log configure.scan build/libtool.m4 build/config.guess build/config.sub build/ltmain.sh build/apxs-wrapper
 
-dist-clean: maintainer-clean
+distclean: maintainer-clean
 
 install-mods: mod_security2.la
 	$(INSTALL_MOD_SHARED) mod_security2.la

apache2/apache2_config.c

@@ -15,7 +15,9 @@
 #include "pdf_protect.h"
 #include "http_log.h"
 
+#if defined(WITH_LUA)
 #include "msc_lua.h"
+#endif
 
 
 /* -- Directory context creation and initialisation -- */
@@ -551,10 +553,12 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type,
 
     /* Create the rule now. */
     switch(type) {
+        #if defined(WITH_LUA)
         case RULE_TYPE_LUA :
             rule = msre_rule_lua_create(dcfg->ruleset, cmd->directive->filename,
                 cmd->directive->line_num, p1, p2, &my_error_msg);
             break;
+        #endif
         default :
             rule = msre_rule_create(dcfg->ruleset, type, cmd->directive->filename,
                 cmd->directive->line_num, p1, p2, p3, &my_error_msg);
@@ -1398,8 +1402,13 @@ static const char *cmd_rule_inheritance(cmd_parms *cmd, void *_dcfg, int flag) {
 static const char *cmd_rule_script(cmd_parms *cmd, void *_dcfg, const char *p1,
     const char *p2)
 {
+    #if defined(WITH_LUA)
     const char *filename = resolve_relative_path(cmd->pool, cmd->directive->filename, p1);
     return add_rule(cmd, (directory_config *)_dcfg, RULE_TYPE_LUA, filename, p2, NULL);
+    #else
+    ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool, "Ignoring SecRuleScript \"%s\" directive (%s:%d): No Lua scripting support.", p1, cmd->directive->filename, cmd->directive->line_num);
+    return NULL;
+    #endif
 }
 
 static const char *cmd_rule_remove_by_id(cmd_parms *cmd, void *_dcfg, const char *p1) {

apache2/build/find_lua.m4

@@ -18,6 +18,7 @@ AC_ARG_WITH(
     lua_path="$withval",
     :)
 
+if test "${lua_path}" != "no"; then
     dnl # Determine lua lib directory
     if test -z "${lua_path}"; then
         test_paths="/usr/local /usr"
@@ -100,15 +101,23 @@ else
             AC_MSG_RESULT([no])
         fi
     fi
+else
+    AC_MSG_NOTICE([not using optional lua library])
+fi
+
+if test -n "${LUA_LIBS}"; then
+    LUA_CFLAGS="-DWITH_LUA ${LUA_CFLAGS}"
+fi
 
 AC_SUBST(LUA_LIBS)
 AC_SUBST(LUA_CFLAGS)
 
+if test "${lua_path}" != "no"; then
     if test -z "${LUA_LIBS}"; then
-  AC_MSG_NOTICE([*** lua library not found.])
+      ifelse([$2], , AC_MSG_NOTICE([optional lua library not found]), $2)
-  ifelse([$2], , AC_MSG_ERROR([lua library is required]), $2)
     else
       AC_MSG_NOTICE([using '${LUA_LIBS}' for lua Library])
       ifelse([$1], , , $1) 
     fi 
+fi
 ])

apache2/msc_lua.c

@@ -8,6 +8,8 @@
  * write to Breach Security, Inc. at support@breach.com.
  *
  */
+#if defined(WITH_LUA)
+
 #include "msc_lua.h"
 
 #include "apr_strings.h"
@@ -408,3 +410,4 @@ int lua_execute(msc_script *script, char *param, modsec_rec *msr, msre_rule *rul
     return ((*error_msg != NULL) ? RULE_MATCH : RULE_NO_MATCH);
 }
 
+#endif /* WITH_LUA */

apache2/msc_lua.h

@@ -8,6 +8,8 @@
  * write to Breach Security, Inc. at support@breach.com.
  *
  */
+#if defined(WITH_LUA)
+
 #ifndef _MSC_LUA_H_
 #define _MSC_LUA_H_
 
@@ -37,3 +39,5 @@ char DSOLOCAL *lua_compile(msc_script **script, const char *filename, apr_pool_t
 int DSOLOCAL lua_execute(msc_script *script, char *param, modsec_rec *msr, msre_rule *rule, char **error_msg);
 
 #endif
+
+#endif /* WITH_LUA */

apache2/re.c

@@ -12,7 +12,9 @@
 
 #include "re.h"
 
+#if defined(WITH_LUA)
 #include "msc_lua.h"
+#endif
 
 static const char *const severities[] = {
     "EMERGENCY",
@@ -1390,6 +1392,7 @@ char * msre_rule_generate_unparsed(apr_pool_t *pool,  const msre_rule *rule, con
     case RULE_TYPE_MARKER:
         unparsed = apr_psprintf(pool, "SecMarker \"%s\"", rule->actionset->id);
         break;
+    #if defined(WITH_LUA)
     case RULE_TYPE_LUA:
         /* SecRuleScript */
         if (r_actions == NULL) {
@@ -1400,6 +1403,7 @@ char * msre_rule_generate_unparsed(apr_pool_t *pool,  const msre_rule *rule, con
                            r_args, log_escape(pool, r_actions));
         }
         break;
+    #endif
     }
 
     return unparsed;
@@ -1494,6 +1498,7 @@ msre_rule *msre_rule_create(msre_ruleset *ruleset, int type,
     return rule;
 }
 
+#if defined(WITH_LUA)
 /**
  *
  */
@@ -1536,6 +1541,7 @@ msre_rule *msre_rule_lua_create(msre_ruleset *ruleset,
 
     return rule;
 }
+#endif
 
 /**
  * Perform non-disruptive actions associated with the provided actionset.
@@ -2191,6 +2197,7 @@ static apr_status_t msre_rule_process_normal(msre_rule *rule, modsec_rec *msr) {
     return (match_count ? RULE_MATCH : RULE_NO_MATCH);
 }
 
+#if defined(WITH_LUA)
 /**
  *
  */
@@ -2226,6 +2233,7 @@ static apr_status_t msre_rule_process_lua(msre_rule *rule, modsec_rec *msr) {
 
     return rc;
 }
+#endif
 
 /**
  *
@@ -2240,9 +2248,11 @@ apr_status_t msre_rule_process(msre_rule *rule, modsec_rec *msr) {
         apr_pool_clear(msr->msc_rule_mptmp);
     }
 
+    #if defined(WITH_LUA)
     if (rule->type == RULE_TYPE_LUA) {
         return msre_rule_process_lua(rule, msr);
     }
+    #endif
 
     return msre_rule_process_normal(rule, msr);
 }

apache2/re.h

@@ -35,7 +35,9 @@ typedef struct msre_cache_rec msre_cache_rec;
 #include "persist_dbm.h"
 #include "apache2.h"
 
+#if defined(WITH_LUA)
 #include "msc_lua.h"
+#endif
 
 /* Actions, variables, functions and operator functions */
 
@@ -125,7 +127,9 @@ int DSOLOCAL msre_ruleset_phase_rule_remove_with_exception(msre_ruleset *ruleset
 #define RULE_TYPE_NORMAL        0  /* SecRule */
 #define RULE_TYPE_ACTION        1  /* SecAction */
 #define RULE_TYPE_MARKER        2  /* SecMarker */
+#if defined(WITH_LUA)
 #define RULE_TYPE_LUA           3  /* SecRuleScript */
+#endif
 
 struct msre_rule {
     apr_array_header_t      *targets;
@@ -150,8 +154,10 @@ struct msre_rule {
     unsigned int             op_time;
     #endif
 
+    #if defined(WITH_LUA)
     /* Compiled Lua script. */
     msc_script              *script;
+    #endif
 };
 
 char DSOLOCAL *msre_rule_generate_unparsed(apr_pool_t *pool, const msre_rule *rule, const char *targets, const char *args, const char *actions);
@@ -160,9 +166,11 @@ msre_rule DSOLOCAL *msre_rule_create(msre_ruleset *ruleset, int type,
     const char *fn, int line, const char *targets,
     const char *args, const char *actions, char **error_msg);
 
+#if defined(WITH_LUA)
 msre_rule DSOLOCAL *msre_rule_lua_create(msre_ruleset *ruleset,
     const char *fn, int line, const char *script_filename,
     const char *actions, char **error_msg);
+#endif
 
 apr_status_t DSOLOCAL msre_rule_process(msre_rule *rule, modsec_rec *msr);
 

apache2/re_actions.c

@@ -1597,6 +1597,7 @@ static apr_status_t msre_action_setuid_execute(modsec_rec *msr, apr_pool_t *mptm
 
 /* exec */
 static char *msre_action_exec_validate(msre_engine *engine, msre_action *action) {
+    #if defined(WITH_LUA)
     char *filename = (char *)action->param;
 
     /* TODO Support relative filenames. */
@@ -1615,6 +1616,7 @@ static char *msre_action_exec_validate(msre_engine *engine, msre_action *action)
             action->param_data = script;
         }
     }
+    #endif
 
     return NULL;
 }
@@ -1622,6 +1624,7 @@ static char *msre_action_exec_validate(msre_engine *engine, msre_action *action)
 static apr_status_t msre_action_exec_execute(modsec_rec *msr, apr_pool_t *mptmp,
     msre_rule *rule, msre_action *action)
 {
+    #if defined(WITH_LUA)
     if (action->param_data != NULL) { /* Lua */
         msc_script *script = (msc_script *)action->param_data;
         char *my_error_msg = NULL;
@@ -1630,7 +1633,9 @@ static apr_status_t msre_action_exec_execute(modsec_rec *msr, apr_pool_t *mptmp,
             msr_log(msr, 1, "%s", my_error_msg);
             return 0;
         }
-    } else { /* Execute as shell script. */
+    } else
+    #endif
+    { /* Execute as shell script. */
         char *script_output = NULL;
 
         int rc = apache2_exec(msr, action->param, NULL, &script_output);

apache2/re_operators.c

@@ -1312,6 +1312,7 @@ static int msre_op_inspectFile_init(msre_rule *rule, char **error_msg) {
 
     filename = resolve_relative_path(rule->ruleset->mp, rule->filename, filename);
 
+    #if defined(WITH_LUA)
     /* ENH Write & use string_ends(s, e). */
     if (strlen(rule->op_param) > 4) {
         char *p = filename + strlen(filename) - 4;
@@ -1326,6 +1327,7 @@ static int msre_op_inspectFile_init(msre_rule *rule, char **error_msg) {
             rule->op_param_data = script;
         }
     }
+    #endif
 
     if (rule->op_param_data == NULL) {
         /* ENH Verify the script exists and that we have
@@ -1373,10 +1375,9 @@ static int msre_op_inspectFile_execute(modsec_rec *msr, msre_rule *rule, msre_va
                 log_escape_nq(msr->mp,  script_output));
             return 1; /* Match. */
         }
-
+    }
-        /* No match. */
+    #if defined(WITH_LUA)
-        return 0;
+    else {
-    } else {
         /* Execute internally, as Lua script. */
         char *target = apr_pstrmemdup(msr->mp, var->value, var->value_len);
         msc_script *script = (msc_script *)rule->op_param_data;
@@ -1390,6 +1391,10 @@ static int msre_op_inspectFile_execute(modsec_rec *msr, msre_rule *rule, msre_va
 
         return rc;
     }
+    #endif
+
+    /* No match. */
+    return 0;
 }
 
 /* validateByteRange */