github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-09-30 19:47:47 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #45 from gwroblew/remotes/trunk

Browse Source 
Fixed two crashing bugs: race condition when module was initialized and ...
This commit is contained in:
Breno Silva
2013-03-25 07:23:37 -07:00
parent bc235a855b a47a4ce4f9
commit f73635ab53
4 changed files with 169 additions and 105 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
iis/mymodulefactory.h
View File

@@ -20,12 +20,15 @@
// of CMyHttpModule for each request. // of CMyHttpModule for each request.
class CMyHttpModuleFactory : public IHttpModuleFactory class CMyHttpModuleFactory : public IHttpModuleFactory
{ {
CMyHttpModule * m_pModule; CMyHttpModule * m_pModule;
CRITICAL_SECTION m_csLock;
public: public:
CMyHttpModuleFactory() CMyHttpModuleFactory()
{ {
m_pModule = NULL; m_pModule = NULL;
InitializeCriticalSection(&m_csLock);
} }
virtual virtual
@@ -43,6 +46,8 @@ public:
goto Finished; goto Finished;
} }
EnterCriticalSection(&m_csLock);
if(m_pModule == NULL) if(m_pModule == NULL)
{ {
m_pModule = new CMyHttpModule(); m_pModule = new CMyHttpModule();
@@ -54,6 +59,8 @@ public:
} }
} }
LeaveCriticalSection(&m_csLock);
*ppModule = m_pModule; *ppModule = m_pModule;
Finished: Finished:

9
standalone/config.c
View File

@@ -1153,7 +1153,14 @@ ProcessInclude:
parms->directive = newdir; parms->directive = newdir;
errmsg = invoke_cmd(cmd, parms, mconfig, args); __try
{
errmsg = invoke_cmd(cmd, parms, mconfig, args);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
errmsg = "Command failed to execute (check file/folder permissions, syntax, etc.).";
}
if(errmsg != NULL) if(errmsg != NULL)
break; break;

258
standalone/main.cpp
View File

@@ -21,6 +21,7 @@
char *config_file = NULL; char *config_file = NULL;
char *url_file = NULL;
char *event_files[1024]; char *event_files[1024];
int event_file_cnt; int event_file_cnt;
char *event_file = NULL; char *event_file = NULL;
@@ -31,6 +32,11 @@ int event_file_blocks[256];
#define EVENT_FILE_MAX_SIZE (16*1024*1024) #define EVENT_FILE_MAX_SIZE (16*1024*1024)
#define MAX_URLS 4096
char urls[MAX_URLS][4096];
int url_cnt = 0;
void readeventfile(char *name) void readeventfile(char *name)
{ {
if(event_file == NULL) if(event_file == NULL)
@@ -119,6 +125,12 @@ void parseargs(int argc, char *argv[])
i += 2; i += 2;
continue; continue;
} }
if(argv[i][1] == 'u' && i < argc - 1)
{
url_file = argv[i + 1];
i += 2;
continue;
}
i++; i++;
continue; continue;
} }
@@ -224,7 +236,7 @@ void main(int argc, char *argv[])
if(config_file == NULL || argc < 3) if(config_file == NULL || argc < 3)
{ {
printf("Usage:\n"); printf("Usage:\n");
printf("standalone.exe -c <config_file> <event_file1> [<event_file2> <event_file3> ...]\n"); printf("standalone.exe -c <config_file> [-u <text_file_with_urls>] <event_file1> [<event_file2> <event_file3> ...]\n");
return; return;
} }
@@ -250,133 +262,171 @@ void main(int argc, char *argv[])
modsecInitProcess(); modsecInitProcess();
if(url_file != NULL)
{
FILE *fr = fopen(url_file, "rb");
int i = 0;
while(fgets(urls[i],4096,fr) != NULL)
{
urls[i][4095] = 0;
int l = strlen(urls[i]) - 1;
if(l < 8)
continue;
while(urls[i][l] == 10 || urls[i][l] == 13)
l--;
urls[i++][l + 1] = 0;
}
url_cnt = i;
fclose(fr);
}
for(int i = 0; i < event_file_cnt; i++) for(int i = 0; i < event_file_cnt; i++)
{ {
readeventfile(event_files[i]); if(url_cnt == 0)
parseeventfile(); {
urls[0][0] = 0;
url_cnt = 1;
}
bodypos = 0; for(int ui = 0; ui < url_cnt; ui++)
responsepos = 0; {
readeventfile(event_files[i]);
parseeventfile();
c = modsecNewConnection(); bodypos = 0;
responsepos = 0;
modsecProcessConnection(c); c = modsecNewConnection();
r = modsecNewRequest(c, config); modsecProcessConnection(c);
int j = event_file_blocks['B']; r = modsecNewRequest(c, config);
if(j < 0) int j = event_file_blocks['B'];
continue;
j++; if(j < 0)
continue;
if(event_file_lines[j][0] == 0) j++;
continue;
char *method = event_file_lines[j]; if(event_file_lines[j][0] == 0)
char *url = strchr(method, 32); continue;
char *proto = strchr(url + 1, 32);
if(url == NULL || proto == NULL) char *method = event_file_lines[j];
continue; char *url = strchr(method, 32);
char *proto = strchr(url + 1, 32);
*url++=0; if(url == NULL || proto == NULL)
*proto++=0; continue;
*url++=0;
*proto++=0;
if(urls[ui][0] != 0)
{
url = urls[ui];
}
#define SETMETHOD(m) if(strcmp(method,#m) == 0){ r->method = method; r->method_number = M_##m; } #define SETMETHOD(m) if(strcmp(method,#m) == 0){ r->method = method; r->method_number = M_##m; }
r->method = "INVALID"; r->method = "INVALID";
r->method_number = M_INVALID; r->method_number = M_INVALID;
SETMETHOD(OPTIONS) SETMETHOD(OPTIONS)
SETMETHOD(GET) SETMETHOD(GET)
SETMETHOD(POST) SETMETHOD(POST)
SETMETHOD(PUT) SETMETHOD(PUT)
SETMETHOD(DELETE) SETMETHOD(DELETE)
SETMETHOD(TRACE) SETMETHOD(TRACE)
SETMETHOD(CONNECT) SETMETHOD(CONNECT)
SETMETHOD(MOVE) SETMETHOD(MOVE)
SETMETHOD(COPY) SETMETHOD(COPY)
SETMETHOD(PROPFIND) SETMETHOD(PROPFIND)
SETMETHOD(PROPPATCH) SETMETHOD(PROPPATCH)
SETMETHOD(MKCOL) SETMETHOD(MKCOL)
SETMETHOD(LOCK) SETMETHOD(LOCK)
SETMETHOD(UNLOCK) SETMETHOD(UNLOCK)
r->protocol = proto; r->protocol = proto;
while(event_file_lines[++j][0] != 0) while(event_file_lines[++j][0] != 0)
{ {
char *value = strchr(event_file_lines[j], ':'); char *value = strchr(event_file_lines[j], ':');
if(value == NULL) if(value == NULL)
break; break;
*value++ = 0; *value++ = 0;
while(*value <=32 && *value != 0) while(*value <=32 && *value != 0)
value++; value++;
apr_table_setn(r->headers_in, event_file_lines[j], value); apr_table_setn(r->headers_in, event_file_lines[j], value);
}
r->content_encoding = apr_table_get(r->headers_in, "Content-Encoding");
r->content_type = apr_table_get(r->headers_in, "Content-Type");
r->hostname = apr_table_get(r->headers_in, "Host");
r->path_info = url;
char *query = strchr(url, '?');
char *rawurl = url;
if(query != NULL)
{
rawurl = (char *)apr_palloc(r->pool, strlen(url) + 1);
strcpy(rawurl, url);
*query++ = 0;
r->args = query;
}
const char *lng = apr_table_get(r->headers_in, "Content-Languages");
if(lng != NULL)
{
r->content_languages = apr_array_make(r->pool, 1, sizeof(const char *));
*(const char **)apr_array_push(r->content_languages) = lng;
}
r->request_time = apr_time_now();
r->parsed_uri.scheme = "http";
r->parsed_uri.path = r->path_info;
r->parsed_uri.hostname = (char *)r->hostname;
r->parsed_uri.is_initialized = 1;
r->parsed_uri.port = 80;
r->parsed_uri.port_str = "80";
r->parsed_uri.query = r->args;
r->parsed_uri.dns_looked_up = 0;
r->parsed_uri.dns_resolved = 0;
r->parsed_uri.password = NULL;
r->parsed_uri.user = NULL;
r->parsed_uri.fragment = NULL;
r->unparsed_uri = rawurl;
r->uri = r->unparsed_uri;
r->the_request = (char *)apr_palloc(r->pool, strlen(r->method) + 1 + strlen(r->uri) + 1 + strlen(r->protocol) + 1);
strcpy(r->the_request, r->method);
strcat(r->the_request, " ");
strcat(r->the_request, r->uri);
strcat(r->the_request, " ");
strcat(r->the_request, r->protocol);
apr_table_setn(r->subprocess_env, "UNIQUE_ID", "1");
modsecProcessRequest(r);
modsecProcessResponse(r);
modsecFinishRequest(r);
} }
r->content_encoding = apr_table_get(r->headers_in, "Content-Encoding");
r->content_type = apr_table_get(r->headers_in, "Content-Type");
r->hostname = apr_table_get(r->headers_in, "Host");
r->path_info = url;
char *query = strchr(url, '?');
char *rawurl = url;
if(query != NULL)
{
rawurl = (char *)apr_palloc(r->pool, strlen(url) + 1);
strcpy(rawurl, url);
*query++ = 0;
r->args = query;
}
const char *lng = apr_table_get(r->headers_in, "Content-Languages");
if(lng != NULL)
{
r->content_languages = apr_array_make(r->pool, 1, sizeof(const char *));
*(const char **)apr_array_push(r->content_languages) = lng;
}
r->request_time = apr_time_now();
r->parsed_uri.scheme = "http";
r->parsed_uri.path = r->path_info;
r->parsed_uri.hostname = (char *)r->hostname;
r->parsed_uri.is_initialized = 1;
r->parsed_uri.port = 80;
r->parsed_uri.port_str = "80";
r->parsed_uri.query = r->args;
r->parsed_uri.dns_looked_up = 0;
r->parsed_uri.dns_resolved = 0;
r->parsed_uri.password = NULL;
r->parsed_uri.user = NULL;
r->parsed_uri.fragment = NULL;
r->unparsed_uri = rawurl;
r->uri = r->unparsed_uri;
r->the_request = (char *)apr_palloc(r->pool, strlen(r->method) + 1 + strlen(r->uri) + 1 + strlen(r->protocol) + 1);
strcpy(r->the_request, r->method);
strcat(r->the_request, " ");
strcat(r->the_request, r->uri);
strcat(r->the_request, " ");
strcat(r->the_request, r->protocol);
apr_table_setn(r->subprocess_env, "UNIQUE_ID", "1");
modsecProcessRequest(r);
modsecProcessResponse(r);
modsecFinishRequest(r);
} }
modsecTerminate(); modsecTerminate();

2
standalone/standalone.vcxproj.user
View File

@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LocalDebuggerCommandArguments>-c owasp_crs\modsecurity_iis.conf d:\test.dat</LocalDebuggerCommandArguments> <LocalDebuggerCommandArguments>-c d:\temp\antixss.conf -u d:\temp\modsec_urls.txt d:\temp\test1.dat</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor> <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
<LocalDebuggerCommand>$(TargetPath)</LocalDebuggerCommand> <LocalDebuggerCommand>$(TargetPath)</LocalDebuggerCommand>
<LocalDebuggerAttach>false</LocalDebuggerAttach> <LocalDebuggerAttach>false</LocalDebuggerAttach>