This change fixes a number of scenarios when ModSecurity's log entries
may be written to the wrong file descriptors. In particular, there was
an issue with almost any configuration using nginx cache features
(proxy_cache, fastcgi_cache, etc) when garbage from ModSecurity logs
has been sent to the control socket used for communication between
nginx master process and auxiliary processes (workers, cache manager,
cache loader).
The described behavior was observed with nginx/1.7.0, modsecurity/2.8.0
and OWASP CRS v2.2.9.
Add a check for the definition MOVE_REQUEST_CHAIN_TO_MODSEC, whenever it is
set the chain will be moved into the brigade. If it was not set the chain
will be only copied. Moving was causing segfaults on the following
regression tests:
#15 - SecRequestBodyInMemoryLimit
#16 - SecRequestBodyInMemoryLimit (greater)
#19 - SecRequestBodyLimitAction ProcessPartial (multipart/greater - chunked)
(from: regression/config/10-request-directives.t)
Refactoring of the nginx module, including:
- Better handling of larger posts;
- Now using the nginx echo module during the regression tests.
- Better interaction with nginx chain rules
- Separation of the request handling and content filters.
- Better handling of nginx sessions and resource counts to allow a
more efficient garbage collector.
- Handling both http/1.0 and 1.1, including keep-alive.
- Tests are now capable of testing nginx as a proxy or end-server.
- Tested against nginx 1.6 and 1.7.
Duplicates the headers variables while copying data from/to ModSecurity.
This seems to fix the segfault that was happening while using proxy_pass.
The variable is later cleaned, which means that we don't have a leak
because of that.
The POST was happening on a file that was not allowed by nginx to receive a POST.
Nginx was returning 405 instead of 200, making the test fail. Fixed by
changing the URL to one that is allowed to receive a POST.
This eliminates segfaults caused by unset (NULL) r->port_start
and non-NULL r->port_end. In fact, r->port_start is always NULL,
so it is useless to rely on this pointer.
Remove compile-time setting for generating audit logs
as JSON, creating a new config option (SecAuditLogFormat).
sec_audit_logger is now a wrapper for sec_audit_logger_json
or sec_audit_logger_native. This has the disadvantage of
making the audit log generation code harder to maintain,
but the logger function itself is no longer peppered
with binary branches.
* Write Stopwatch2 values into a separate map
* Remove legacy Stopwatch
* Proper sanitization of request/response headers
* Lazily open maps for keys that may not have content
In patch 45805be, @littlecho changed the behaviour to set the audit log
index/serial file permission. Before, it was using the default permission; now
it is respecting the permission configured via SecAuditLogFileMode. This patch
replicates @littlecho's work for the secondary auditlog file.
Change the third parameter (which is the apr file permission flag) from CREATEMODE to dcfg->auditlog_fileperms. Because the user can specify the desired file permission setting for the audit log files by setting the value of SecAuditLogFileMode, we should follow the file permission setting from the config file. Therefore, as dcfg->auditlog_fileperms will be modified in the cmd_audit_log_dirmode function, we can use the value while calling apr_file_open to meet the file permission that is specified in modsecurity.conf.
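The following configuration fragment is an added example and is not part of any of the commit messages above or of the ModSecurity repository. It puts together the audit-log directives those messages refer to: the runtime SecAuditLogFormat option that replaced the compile-time JSON setting, and SecAuditLogFileMode, which after the two permission fixes also governs the index/serial file and the secondary audit log rather than only the per-transaction files. The paths are placeholders, and SecAuditLogDirMode is assumed here from the cmd_audit_log_dirmode function the last message names.

```apache
# Added example, not from the ModSecurity project. Paths are placeholders.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ

# Audit log format is now a runtime directive (JSON or Native),
# no longer a compile-time choice.
SecAuditLogFormat JSON

# Concurrent mode: one file per transaction under SecAuditLogStorageDir,
# plus the index file named by SecAuditLog and, when set, the secondary
# index named by SecAuditLog2.
SecAuditLogType Concurrent
SecAuditLog  /var/log/modsec/audit_index.log
SecAuditLog2 /var/log/modsec/audit_index2.log
SecAuditLogStorageDir /var/log/modsec/audit/

# Permissions applied when ModSecurity creates the files and directories.
# With the fixes described above, the index and secondary index files are
# created with SecAuditLogFileMode instead of the library default.
# (SecAuditLogDirMode is assumed from the cmd_audit_log_dirmode handler.)
SecAuditLogDirMode  0700
SecAuditLogFileMode 0600
```

After a transaction that matches SecAuditLogRelevantStatus has been logged, listing /var/log/modsec with `ls -l` should show the index files and the per-transaction files at mode 0600 and the storage subdirectories at 0700; an index file still showing the default mode indicates a build without the permission fixes. Audit logs contain request bodies and headers (credentials, session cookies), so restricting them to the web server user is the point of setting these modes explicitly.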