Make Lua support optional since it is still experimental (--without-lua). If someone still uses SecRuleScript, however, it iignores it and just warns on Apache startup.

2025-08-14 13:56:01 +03:00 · 2008-02-16 00:27:44 +00:00 · 2008-02-16 00:27:44 +00:00 · e4eaade2ca
commit e4eaade2ca
parent 63bccf793c
9 changed files with 144 additions and 91 deletions
--- a/apache2/Makefile.in
+++ b/apache2/Makefile.in
@ -77,7 +77,7 @@ clean: clean-extras
 maintainer-clean: clean
 	@rm -rf Makefile mlogc-src/Makefile t/run-tests.pl config config.log config.status configure mod_security2_config.h ../tools/*.pl autoscan.log configure.scan build/libtool.m4 build/config.guess build/config.sub build/ltmain.sh build/apxs-wrapper

-dist-clean: maintainer-clean
+distclean: maintainer-clean

 install-mods: mod_security2.la
 	$(INSTALL_MOD_SHARED) mod_security2.la
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@ -15,7 +15,9 @@
 #include "pdf_protect.h"
 #include "http_log.h"

+#if defined(WITH_LUA)
 #include "msc_lua.h"
+#endif


 /* -- Directory context creation and initialisation -- */
@ -551,10 +553,12 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type,

    /* Create the rule now. */
    switch(type) {
+        #if defined(WITH_LUA)
        case RULE_TYPE_LUA :
            rule = msre_rule_lua_create(dcfg->ruleset, cmd->directive->filename,
                cmd->directive->line_num, p1, p2, &my_error_msg);
            break;
+        #endif
        default :
            rule = msre_rule_create(dcfg->ruleset, type, cmd->directive->filename,
                cmd->directive->line_num, p1, p2, p3, &my_error_msg);
@ -1398,8 +1402,13 @@ static const char *cmd_rule_inheritance(cmd_parms *cmd, void *_dcfg, int flag) {
 static const char *cmd_rule_script(cmd_parms *cmd, void *_dcfg, const char *p1,
    const char *p2)
 {
+    #if defined(WITH_LUA)
    const char *filename = resolve_relative_path(cmd->pool, cmd->directive->filename, p1);
    return add_rule(cmd, (directory_config *)_dcfg, RULE_TYPE_LUA, filename, p2, NULL);
+    #else
+    ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool, "Ignoring SecRuleScript \"%s\" directive (%s:%d): No Lua scripting support.", p1, cmd->directive->filename, cmd->directive->line_num);
+    return NULL;
+    #endif
 }

 static const char *cmd_rule_remove_by_id(cmd_parms *cmd, void *_dcfg, const char *p1) {
--- a/apache2/build/find_lua.m4
+++ b/apache2/build/find_lua.m4
@ -18,97 +18,106 @@ AC_ARG_WITH(
    lua_path="$withval",
    :)

-dnl # Determine lua lib directory
-if test -z "${lua_path}"; then
-    test_paths="/usr/local /usr"
+if test "${lua_path}" != "no"; then
+    dnl # Determine lua lib directory
+    if test -z "${lua_path}"; then
+        test_paths="/usr/local /usr"
+    else
+        test_paths="${lua_path}"
+    fi
+
+    AC_MSG_CHECKING([for pkg-config script for lua library])
+    for x in ${test_paths}; do
+        if test -e "${x}/bin/${LUA_CONFIG}"; then
+            with_lua="${x}/bin"
+            break
+        else
+            with_lua=""
+        fi
+    done
+    if test -n "${with_lua}"; then
+        LUA_CONFIG="${with_lua}/${LUA_CONFIG}"
+        for LUA_PKGNAME in ${LUA_PKGNAMES}; do
+            if ${LUA_CONFIG} --exists ${LUA_PKGNAME}; then
+                break
+            fi
+            LUA_PKGNAME=""
+        done
+        if test -n "$LUA_PKGNAME"; then
+            AC_MSG_RESULT([${LUA_CONFIG} ${LUA_PKGNAME}])
+            LUA_CFLAGS="`${LUA_CONFIG} ${LUA_PKGNAME} --cflags`"
+            LUA_LIBS="`${LUA_CONFIG} ${LUA_PKGNAME} --libs`"
+            CFLAGS=$save_CFLAGS
+            LDFLAGS=$save_LDFLAGS
+        else
+            AC_MSG_RESULT([no])
+        fi
+    else
+        AC_MSG_RESULT([no])
+
+        dnl Hack to just try to find the lib and include
+        AC_MSG_CHECKING([for lua install])
+        for x in ${test_paths}; do
+            if test -e "${x}/liblua5.1.a"; then
+                with_lua_lib="${x}"
+                lua_lib_name="lua5.1"
+                break
+            elif test -e "${x}/lib/liblua5.1.a"; then
+                with_lua_lib="${x}/lib"
+                lua_lib_name="lua5.1"
+                break
+            elif test -e "${x}/liblua.a"; then
+                with_lua_lib="${x}"
+                lua_lib_name="lua"
+                break
+            elif test -e "${x}/lib/liblua.a"; then
+                with_lua_lib="${x}/lib"
+                lua_lib_name="lua"
+                break
+            else
+                with_lua_lib=""
+                lua_lib_name=""
+            fi
+        done
+        for x in ${test_paths}; do
+            if test -e "${x}/lua.h"; then
+                with_lua_inc="${x}"
+                break
+            elif test -e "${x}/include/lua.h"; then
+                with_lua_inc="${x}/include"
+                break
+            else
+                with_lua_inc=""
+            fi
+        done
+        if test -n "${with_lua_lib}" -a -n "${with_lua_inc}"; then
+            LUA_CONFIG=""
+            AC_MSG_RESULT([${with_lua_lib} ${with_lua_inc}])
+            LUA_CFLAGS="-I${with_lua_inc}"
+            LUA_LIBS="-L${with_lua_lib} -l${lua_lib_name}"
+            CFLAGS=$save_CFLAGS
+            LDFLAGS=$save_LDFLAGS
+        else
+            AC_MSG_RESULT([no])
+        fi
+    fi
 else
-    test_paths="${lua_path}"
+    AC_MSG_NOTICE([not using optional lua library])
 fi

-AC_MSG_CHECKING([for pkg-config script for lua library])
-for x in ${test_paths}; do
-    if test -e "${x}/bin/${LUA_CONFIG}"; then
-        with_lua="${x}/bin"
-        break
-    else
-        with_lua=""
-    fi
-done
-if test -n "${with_lua}"; then
-    LUA_CONFIG="${with_lua}/${LUA_CONFIG}"
-    for LUA_PKGNAME in ${LUA_PKGNAMES}; do
-        if ${LUA_CONFIG} --exists ${LUA_PKGNAME}; then
-            break
-        fi
-        LUA_PKGNAME=""
-    done
-    if test -n "$LUA_PKGNAME"; then
-        AC_MSG_RESULT([${LUA_CONFIG} ${LUA_PKGNAME}])
-        LUA_CFLAGS="`${LUA_CONFIG} ${LUA_PKGNAME} --cflags`"
-        LUA_LIBS="`${LUA_CONFIG} ${LUA_PKGNAME} --libs`"
-        CFLAGS=$save_CFLAGS
-        LDFLAGS=$save_LDFLAGS
-    else
-        AC_MSG_RESULT([no])
-    fi
-else
-    AC_MSG_RESULT([no])
-
-    dnl Hack to just try to find the lib and include
-    AC_MSG_CHECKING([for lua install])
-    for x in ${test_paths}; do
-        if test -e "${x}/liblua5.1.a"; then
-            with_lua_lib="${x}"
-            lua_lib_name="lua5.1"
-            break
-        elif test -e "${x}/lib/liblua5.1.a"; then
-            with_lua_lib="${x}/lib"
-            lua_lib_name="lua5.1"
-            break
-        elif test -e "${x}/liblua.a"; then
-            with_lua_lib="${x}"
-            lua_lib_name="lua"
-            break
-        elif test -e "${x}/lib/liblua.a"; then
-            with_lua_lib="${x}/lib"
-            lua_lib_name="lua"
-            break
-        else
-            with_lua_lib=""
-            lua_lib_name=""
-        fi
-    done
-    for x in ${test_paths}; do
-        if test -e "${x}/lua.h"; then
-            with_lua_inc="${x}"
-            break
-        elif test -e "${x}/include/lua.h"; then
-            with_lua_inc="${x}/include"
-            break
-        else
-            with_lua_inc=""
-        fi
-    done
-    if test -n "${with_lua_lib}" -a -n "${with_lua_inc}"; then
-        LUA_CONFIG=""
-        AC_MSG_RESULT([${with_lua_lib} ${with_lua_inc}])
-        LUA_CFLAGS="-I${with_lua_inc}"
-        LUA_LIBS="-L${with_lua_lib} -l${lua_lib_name}"
-        CFLAGS=$save_CFLAGS
-        LDFLAGS=$save_LDFLAGS
-    else
-        AC_MSG_RESULT([no])
-    fi
+if test -n "${LUA_LIBS}"; then
+    LUA_CFLAGS="-DWITH_LUA ${LUA_CFLAGS}"
 fi

 AC_SUBST(LUA_LIBS)
 AC_SUBST(LUA_CFLAGS)

-if test -z "${LUA_LIBS}"; then
-  AC_MSG_NOTICE([*** lua library not found.])
-  ifelse([$2], , AC_MSG_ERROR([lua library is required]), $2)
-else
-  AC_MSG_NOTICE([using '${LUA_LIBS}' for lua Library])
-  ifelse([$1], , , $1) 
+if test "${lua_path}" != "no"; then
+    if test -z "${LUA_LIBS}"; then
+      ifelse([$2], , AC_MSG_NOTICE([optional lua library not found]), $2)
+    else
+      AC_MSG_NOTICE([using '${LUA_LIBS}' for lua Library])
+      ifelse([$1], , , $1) 
+    fi 
 fi
 ])
--- a/apache2/msc_lua.c
+++ b/apache2/msc_lua.c
@ -8,6 +8,8 @@
 * write to Breach Security, Inc. at support@breach.com.
 *
 */
+#if defined(WITH_LUA)
+
 #include "msc_lua.h"

 #include "apr_strings.h"
@ -408,3 +410,4 @@ int lua_execute(msc_script *script, char *param, modsec_rec *msr, msre_rule *rul
    return ((*error_msg != NULL) ? RULE_MATCH : RULE_NO_MATCH);
 }

+#endif /* WITH_LUA */
--- a/apache2/msc_lua.h
+++ b/apache2/msc_lua.h
@ -8,6 +8,8 @@
 * write to Breach Security, Inc. at support@breach.com.
 *
 */
+#if defined(WITH_LUA)
+
 #ifndef _MSC_LUA_H_
 #define _MSC_LUA_H_

@ -37,3 +39,5 @@ char DSOLOCAL *lua_compile(msc_script **script, const char *filename, apr_pool_t
 int DSOLOCAL lua_execute(msc_script *script, char *param, modsec_rec *msr, msre_rule *rule, char **error_msg);

 #endif
+
+#endif /* WITH_LUA */
--- a/apache2/re.c
+++ b/apache2/re.c
@ -12,7 +12,9 @@

 #include "re.h"

+#if defined(WITH_LUA)
 #include "msc_lua.h"
+#endif

 static const char *const severities[] = {
    "EMERGENCY",
@ -1390,6 +1392,7 @@ char * msre_rule_generate_unparsed(apr_pool_t *pool,  const msre_rule *rule, con
    case RULE_TYPE_MARKER:
        unparsed = apr_psprintf(pool, "SecMarker \"%s\"", rule->actionset->id);
        break;
+    #if defined(WITH_LUA)
    case RULE_TYPE_LUA:
        /* SecRuleScript */
        if (r_actions == NULL) {
@ -1400,6 +1403,7 @@ char * msre_rule_generate_unparsed(apr_pool_t *pool,  const msre_rule *rule, con
                           r_args, log_escape(pool, r_actions));
        }
        break;
+    #endif
    }

    return unparsed;
@ -1494,6 +1498,7 @@ msre_rule *msre_rule_create(msre_ruleset *ruleset, int type,
    return rule;
 }

+#if defined(WITH_LUA)
 /**
 *
 */
@ -1536,6 +1541,7 @@ msre_rule *msre_rule_lua_create(msre_ruleset *ruleset,

    return rule;
 }
+#endif

 /**
 * Perform non-disruptive actions associated with the provided actionset.
@ -2191,6 +2197,7 @@ static apr_status_t msre_rule_process_normal(msre_rule *rule, modsec_rec *msr) {
    return (match_count ? RULE_MATCH : RULE_NO_MATCH);
 }

+#if defined(WITH_LUA)
 /**
 *
 */
@ -2226,6 +2233,7 @@ static apr_status_t msre_rule_process_lua(msre_rule *rule, modsec_rec *msr) {

    return rc;
 }
+#endif

 /**
 *
@ -2240,9 +2248,11 @@ apr_status_t msre_rule_process(msre_rule *rule, modsec_rec *msr) {
        apr_pool_clear(msr->msc_rule_mptmp);
    }

+    #if defined(WITH_LUA)
    if (rule->type == RULE_TYPE_LUA) {
        return msre_rule_process_lua(rule, msr);
    }
+    #endif

    return msre_rule_process_normal(rule, msr);
 }
--- a/apache2/re.h
+++ b/apache2/re.h
@ -35,7 +35,9 @@ typedef struct msre_cache_rec msre_cache_rec;
 #include "persist_dbm.h"
 #include "apache2.h"

+#if defined(WITH_LUA)
 #include "msc_lua.h"
+#endif

 /* Actions, variables, functions and operator functions */

@ -125,7 +127,9 @@ int DSOLOCAL msre_ruleset_phase_rule_remove_with_exception(msre_ruleset *ruleset
 #define RULE_TYPE_NORMAL        0  /* SecRule */
 #define RULE_TYPE_ACTION        1  /* SecAction */
 #define RULE_TYPE_MARKER        2  /* SecMarker */
+#if defined(WITH_LUA)
 #define RULE_TYPE_LUA           3  /* SecRuleScript */
+#endif

 struct msre_rule {
    apr_array_header_t      *targets;
@ -150,8 +154,10 @@ struct msre_rule {
    unsigned int             op_time;
    #endif

+    #if defined(WITH_LUA)
    /* Compiled Lua script. */
    msc_script              *script;
+    #endif
 };

 char DSOLOCAL *msre_rule_generate_unparsed(apr_pool_t *pool, const msre_rule *rule, const char *targets, const char *args, const char *actions);
@ -160,9 +166,11 @@ msre_rule DSOLOCAL *msre_rule_create(msre_ruleset *ruleset, int type,
    const char *fn, int line, const char *targets,
    const char *args, const char *actions, char **error_msg);

+#if defined(WITH_LUA)
 msre_rule DSOLOCAL *msre_rule_lua_create(msre_ruleset *ruleset,
    const char *fn, int line, const char *script_filename,
    const char *actions, char **error_msg);
+#endif

 apr_status_t DSOLOCAL msre_rule_process(msre_rule *rule, modsec_rec *msr);

--- a/apache2/re_actions.c
+++ b/apache2/re_actions.c
@ -1597,6 +1597,7 @@ static apr_status_t msre_action_setuid_execute(modsec_rec *msr, apr_pool_t *mptm

 /* exec */
 static char *msre_action_exec_validate(msre_engine *engine, msre_action *action) {
+    #if defined(WITH_LUA)
    char *filename = (char *)action->param;

    /* TODO Support relative filenames. */
@ -1615,6 +1616,7 @@ static char *msre_action_exec_validate(msre_engine *engine, msre_action *action)
            action->param_data = script;
        }
    }
+    #endif

    return NULL;
 }
@ -1622,6 +1624,7 @@ static char *msre_action_exec_validate(msre_engine *engine, msre_action *action)
 static apr_status_t msre_action_exec_execute(modsec_rec *msr, apr_pool_t *mptmp,
    msre_rule *rule, msre_action *action)
 {
+    #if defined(WITH_LUA)
    if (action->param_data != NULL) { /* Lua */
        msc_script *script = (msc_script *)action->param_data;
        char *my_error_msg = NULL;
@ -1630,7 +1633,9 @@ static apr_status_t msre_action_exec_execute(modsec_rec *msr, apr_pool_t *mptmp,
            msr_log(msr, 1, "%s", my_error_msg);
            return 0;
        }
-    } else { /* Execute as shell script. */
+    } else
+    #endif
+    { /* Execute as shell script. */
        char *script_output = NULL;

        int rc = apache2_exec(msr, action->param, NULL, &script_output);
--- a/apache2/re_operators.c
+++ b/apache2/re_operators.c
@ -1312,6 +1312,7 @@ static int msre_op_inspectFile_init(msre_rule *rule, char **error_msg) {

    filename = resolve_relative_path(rule->ruleset->mp, rule->filename, filename);

+    #if defined(WITH_LUA)
    /* ENH Write & use string_ends(s, e). */
    if (strlen(rule->op_param) > 4) {
        char *p = filename + strlen(filename) - 4;
@ -1326,6 +1327,7 @@ static int msre_op_inspectFile_init(msre_rule *rule, char **error_msg) {
            rule->op_param_data = script;
        }
    }
+    #endif

    if (rule->op_param_data == NULL) {
        /* ENH Verify the script exists and that we have
@ -1373,10 +1375,9 @@ static int msre_op_inspectFile_execute(modsec_rec *msr, msre_rule *rule, msre_va
                log_escape_nq(msr->mp,  script_output));
            return 1; /* Match. */
        }
-
-        /* No match. */
-        return 0;
-    } else {
+    }
+    #if defined(WITH_LUA)
+    else {
        /* Execute internally, as Lua script. */
        char *target = apr_pstrmemdup(msr->mp, var->value, var->value_len);
        msc_script *script = (msc_script *)rule->op_param_data;
@ -1390,6 +1391,10 @@ static int msre_op_inspectFile_execute(modsec_rec *msr, msre_rule *rule, msre_va

        return rc;
    }
+    #endif
+
+    /* No match. */
+    return 0;
 }

 /* validateByteRange */