From f4a6e716dd4ad5bfdb6dae36c49738abd070610b Mon Sep 17 00:00:00 2001 From: brectanus Date: Thu, 24 Jan 2008 22:10:37 +0000 Subject: [PATCH] Implemented SecUploadFileMode. See #448. --- CHANGES | 4 +- apache2/apache2_config.c | 32 ++++++++++++++ apache2/modsecurity.h | 1 + apache2/msc_multipart.c | 16 +++++++ doc/modsecurity2-apache-reference.xml | 63 ++++++++++++++++++--------- 5 files changed, 94 insertions(+), 22 deletions(-) diff --git a/CHANGES b/CHANGES index a7e7b9d8..7efb77f5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ -23 Jan 2008 - 2.1.6-rc1 +24 Jan 2008 - 2.1.6-rc1 ----------------------- + * Implemented SecUploadFileMode to allow setting the mode for uploaded files. + * No longer log the query portion of the URI in the error log as it may contain sensitive data. diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c index 88bdf1d7..8ac18155 100644 --- a/apache2/apache2_config.c +++ b/apache2/apache2_config.c @@ -69,6 +69,7 @@ void *create_directory_config(apr_pool_t *mp, char *path) { dcfg->upload_dir = NOT_SET_P; dcfg->upload_keep_files = NOT_SET; dcfg->upload_validates_files = NOT_SET; + dcfg->upload_filemode = NOT_SET; /* These are only used during the configuration process. */ dcfg->tmp_chain_starter = NULL; @@ -346,6 +347,8 @@ void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child) { ? parent->upload_keep_files : child->upload_keep_files); merged->upload_validates_files = (child->upload_validates_files == NOT_SET ? parent->upload_validates_files : child->upload_validates_files); + merged->upload_filemode = (child->upload_filemode == NOT_SET + ? parent->upload_filemode : child->upload_filemode); /* Misc */ merged->data_dir = (child->data_dir == NOT_SET_P @@ -407,6 +410,7 @@ void init_directory_config(directory_config *dcfg) { if (dcfg->upload_dir == NOT_SET_P) dcfg->upload_dir = NULL; if (dcfg->upload_keep_files == NOT_SET) dcfg->upload_keep_files = KEEP_FILES_OFF; if (dcfg->upload_validates_files == NOT_SET) dcfg->upload_validates_files = 0; + if (dcfg->upload_filemode == NOT_SET) dcfg->upload_filemode = 0600; /* Misc */ if (dcfg->data_dir == NOT_SET_P) dcfg->data_dir = NULL; @@ -1058,6 +1062,26 @@ static const char *cmd_upload_dir(cmd_parms *cmd, void *_dcfg, const char *p1) { return NULL; } +static const char *cmd_upload_filemode(cmd_parms *cmd, void *_dcfg, const char *p1) { + directory_config *dcfg = (directory_config *)_dcfg; + + if (dcfg == NULL) return NULL; + + if (strcasecmp(p1, "default") == 0) { + dcfg->upload_filemode = NOT_SET; + } + else { + long int mode = strtol(p1, NULL, 8); /* expects octal mode */ + if ((mode == LONG_MAX)||(mode == LONG_MIN)||(mode <= 0)||(mode > 0777)) { + return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecUploadFileMode: %s", p1); + } + + dcfg->upload_filemode = (int)mode; + } + + return NULL; +} + static const char *cmd_upload_keep_files(cmd_parms *cmd, void *_dcfg, const char *p1) { directory_config *dcfg = (directory_config *)_dcfg; @@ -1362,6 +1386,14 @@ const command_rec module_directives[] = { "" // TODO ), + AP_INIT_TAKE1 ( + "SecUploadFileMode", + cmd_upload_filemode, + NULL, + CMD_SCOPE_ANY, + "octal permissions mode for uploaded files" + ), + AP_INIT_TAKE1 ( "SecUploadKeepFiles", cmd_upload_keep_files, diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h index 2fcaf872..7cf9a034 100644 --- a/apache2/modsecurity.h +++ b/apache2/modsecurity.h @@ -377,6 +377,7 @@ struct directory_config { const char *upload_dir; int upload_keep_files; int upload_validates_files; + int upload_filemode; /* Used only in the configuration phase. */ msre_rule *tmp_chain_starter; diff --git a/apache2/msc_multipart.c b/apache2/msc_multipart.c index 72ef3c85..79c8f91e 100644 --- a/apache2/msc_multipart.c +++ b/apache2/msc_multipart.c @@ -9,6 +9,7 @@ * */ #include +#include #include "msc_multipart.h" #include "msc_util.h" @@ -377,6 +378,21 @@ static int multipart_process_part_data(modsec_rec *msr, char **error_msg) { msr_log(msr, 4, "Multipart: Created temporary file: %s", log_escape_nq(msr->mp, msr->mpd->mpp->tmp_file_name)); + + #if (!(defined(WIN32) || defined(NETWARE))) + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "Multipart: Changing file mode to %04o: %s", msr->txcfg->upload_filemode, log_escape_nq(msr->mp, msr->mpd->mpp->tmp_file_name)); + } + if (fchmod(msr->mpd->mpp->tmp_file_fd, msr->txcfg->upload_filemode) < 0) { + + char errbuf[256]; + if (msr->txcfg->debuglog_level >= 3) { + msr_log(msr, 3, "Multipart: Could not change mode on \"%s\" (%d): %s", + log_escape_nq(msr->mp, msr->mpd->mpp->tmp_file_name), + errno, apr_strerror(APR_FROM_OS_ERROR(errno), errbuf, 256)); + } + } + #endif } /* write the reserve first */ diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml index 6593dd03..67976de0 100644 --- a/doc/modsecurity2-apache-reference.xml +++ b/doc/modsecurity2-apache-reference.xml @@ -3,7 +3,7 @@ ModSecurity Reference Manual - Version 2.1.6-rc1 / (Jan 23, 2008) + Version 2.1.6-rc1 / (Jan 24, 2008) 2004-2008 @@ -335,14 +335,15 @@ Add one line to your configuration to load libxml2: + LoadFile /usr/lib/libxml2.so Add one line to your configuration to load ModSecurity: - LoadModule security2_module + + LoadModule security2_module modules/mod_security2.so @@ -363,19 +364,17 @@ If you have compiled Apache yourself or are compiling for a distribution, please read the following notes. - The ModSecurity Core rules may assume XML support is - available (compiled with -DWITH_LIBXML2). You may have to manually - remove any XML references in the Core rules if you choose not to - include XML support. In future versions of ModSecurity XML support - will be required. For these reasons, please consider XML support - required. + The ModSecurity Core rules may assume XML support is available + (compiled with -DWITH_LIBXML2). You may have to manually remove any XML + references in the Core rules if you choose not to include XML support. + In future versions of ModSecurity XML support will be required. For + these reasons, please consider XML support required. - You might experience problems - compiling ModSecurity against PCRE. This is because Apache bundles PCRE - but this library is also typically provided by the operating system. I - would expect most (all) vendor-packaged Apache distributions to be - configured to use an external PCRE library (so this should not be a - problem). + You might experience problems compiling ModSecurity against PCRE. + This is because Apache bundles PCRE but this library is also typically + provided by the operating system. I would expect most (all) + vendor-packaged Apache distributions to be configured to use an external + PCRE library (so this should not be a problem). You want to avoid Apache using the bundled PCRE library and ModSecurity linking against the one provided by the operating system. @@ -389,11 +388,10 @@ available only in the Apache source code) and change the include path for ModSecurity (as you did in step 7 above) to point to them. - If your Apache is using an external PCRE library you - can compile ModSecurity with WITH_PCRE_STUDY defined,which would possibly - give you a slight performance edge in regular expression - processing. + If your Apache is using an external PCRE library you can compile + ModSecurity with WITH_PCRE_STUDY + defined,which would possibly give you a slight performance edge in + regular expression processing. @@ -1565,6 +1563,29 @@ ServerAlias www.app2.com directive is used with SecUploadKeepFiles. +
+ <literal>SecUploadFileMode</literal> + + Description: Configures the mode + (permissions) of any uploaded files using an octal number. + + Syntax: SecUploadFileMode octal_mode + + Example Usage: SecUploadFileMode 0640 + + Processing Phase: N/A + + Scope: Any + + Dependencies/Notes: The mode is an octal + number (as used in chmod). The default mode is for only the account + writing the file to have read/write access (0600). Use this directive + with caution to avoid exposing potentially sensitive data to + unauthorized users. +
+
<literal>SecUploadKeepFiles</literal> @@ -4440,4 +4461,4 @@ SecRule XML "@validateSchema /path/to/apache2/conf/xml.xsd
- + \ No newline at end of file