github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-09-30 19:47:47 +03:00
Code Issues Packages Projects Releases Wiki Activity
3,468 Commits 55 Branches 109 Tags
2915ee60e23587e9e0ad4d1c1f13a43b9a208a63
Commit Graph

1193 Commits

Author SHA1 Message Date
Ervin Hegedus
4b3e6328e3 Fixed validateByteRange parsing method 2019-02-12 09:10:36 -03:00
Felipe Zimmerle
2dff768262 Removes a memory leak on the JSON parser 2019-02-11 10:17:02 -03:00
WGH
37cf60b8d2 Fix use of deleted Regex copy constructor in LMDB code 
Bug introduced in ad28de4f. Fixes #2008.
 2019-01-28 16:20:02 -03:00
Felipe Zimmerle
dc78c0e180 Fix: Extra whitespace in some configuration directives causing error 
Issue #2006
 2019-01-21 14:44:31 -03:00
Felipe Zimmerle
df3c3f62b7 Cosmetics: coding style 2019-01-18 11:02:22 -03:00
WGH
ad28de4f14 Refactor regex code 
This commit fixes quite a few odd things in regex code:
 * Lack of encapsulation.
 * Non-method functions for matching without retrieving all groups.
 * Regex class being copyable without proper copy-constructor (potential UAF
   and double free due to pointer members m_pc and m_pce).
 * Redundant SMatch::m_length, which always equals to match.size() anyway.
 * Weird SMatch::size_ member which is initialized only by one of the three matching
   functions, and equals to the return value of that function anyways.
 * Several places in code having std::string value instead of reference.
 2019-01-18 10:34:01 -03:00
Andrei Belov
ae02076340 Fixed buffer overflow in Utils::Md5::hexdigest() 
Found via failed test (auditlog.json) on Alpine Linux 3.8.2.
 2019-01-14 16:29:07 -03:00
Felipe Zimmerle
78b7fa4e2c Adds missing drop.h 2018-12-26 11:05:54 -03:00
Felipe Zimmerle
d00ea5111d Adds initial support to drop action 2018-12-24 16:35:41 -03:00
Ervin Hegedus
77854ed1b5 Fix inet addr handling on 64 bit big endian systems 2018-12-10 15:03:09 -03:00
Felipe Zimmerle
407b6c0f4b Fix setenv action to strdup key=variable 2018-11-29 15:18:15 -03:00
Felipe Zimmerle
d2b14de268 Allow 0 length JSON requests 
As discussed at: #1822
 2018-11-29 10:39:46 -03:00
Fred Nicolson
3d2030426c Replaced log locking using mutex with fcntl lock 
When reloading Nginx, there is a race condition which is visible under high
load. As the logging mutex is shared between multiple workers, when a worker
is sent a stop signal during a reload, and the log mutex is held, write()
will never return, which means that the mutex will never unlock. As other
workers share this mutex, they will deadlock.

fcntl does not suffer from this issue.
 2018-11-27 10:09:29 -03:00
Wenfeng Liu
3b3004d24d Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES 2018-11-27 09:23:00 -03:00
Felipe Zimmerle
ce3abf2626 Adds support to multiple ranges in ctl:ruleRemoveById 
Issue #1956
 2018-11-26 20:48:18 -03:00
Felipe Zimmerle
e712d30c56 Fix setvar to understand Rule variable in collections 
Issue #1961
 2018-11-26 19:49:44 -03:00
Victor Hora
b638e523af Make the boundary check less strict as per RFC2046 2018-11-20 22:17:22 -03:00
Victor Hora
ecad8c6c7e Fix buffer size for utf8toUnicode transformation 2018-11-16 14:58:40 -05:00
Felipe Zimmerle
9d80983e55 Fix on top of #1943 + adding test cases 2018-11-01 16:11:39 -03:00
supplient
39f4a5d7d2 Fix double macros bug 
Macro run strangely if I input double macros like "%{ARGS_COMBINED_SIZE}%{ARGS_COMBINED_SIZE}".
 2018-11-01 15:56:54 -03:00
Felipe Zimmerle
18cdffdbca Encapsulates int[N] in a class to avoid compilation issues 
Depending on the compiler, there may be a compilation issue with the
usage of std::unique_ptr<int[]>. Therefore encapsulating it inside a
regular class.
 2018-11-01 11:50:15 -03:00
Victor Hora
e3b9f7c913 Fix SecUnicodeMapFile support 
Makes SecUnicodeMapFile read the file and adjust transformation to use the
right variable.
 2018-10-31 22:57:39 -03:00
Felipe Zimmerle
e1e8a01ed2 Override the default status code if not suitable to redirect action 
Issue #1850
 2018-10-30 18:20:23 -03:00
Felipe Zimmerle
bfe917b6b1 parser: Fix the support for CRLF configuration files 2018-10-30 17:16:44 -03:00
Felipe Zimmerle
3f0ea90970 Test case skeleton for #1941 2018-10-29 11:14:31 -03:00
Felipe Zimmerle
91daeee9f6 Only calling server log if the message is not disruptive 
The disruptive message is already part of the interception object
 2018-10-25 18:04:27 -03:00
Felipe Zimmerle
448897d297 Marking message as disruptive before generate log msg 2018-10-25 18:04:07 -03:00
Felipe Zimmerle
973c1f1028 Fix rule line number 
Issue #1844
 2018-10-24 21:02:35 -03:00
Felipe Zimmerle
fa5f3784f2 Using shared_ptr instead of unique_ptr on rules exceptions 2018-10-23 17:03:18 -03:00
Felipe Zimmerle
ef7f65db90 Changes debuglogs schema to avoid unecessary str allocation 2018-10-23 17:00:16 -03:00
Felipe Zimmerle
23e0d35d2d Fix the SecUnicodeMapFile and SecUnicodeCodePage 2018-10-23 17:00:11 -03:00
Felipe Zimmerle
69cd61439d Changes the timing to save the rule message 2018-10-23 16:58:42 -03:00
Victor Hora
8088d6af71 Fix crash in msc_rules_add_file() when using disruptive action in child rule inside of chain 2018-10-23 16:39:21 -03:00
Wenfeng Liu
ec1112c648 Fix memory leak in AuditLog::init() 2018-10-23 16:39:15 -03:00
Felipe Zimmerle
8bda7c0a45 Fix RULE lookup in chained rules. 2018-10-23 16:37:54 -03:00
Felipe Zimmerle
120108fd33 Adds support for /32 in @ipMatch cidr notation. 
/32 is the representation of the ip itself. Not sure if it is needed,
but there is a complaint for that: #849
 2018-10-23 16:37:53 -03:00
Felipe Zimmerle
a5a40a71a9 Makes matchedvars inline 2018-10-23 16:37:49 -03:00
Felipe Zimmerle
b58018e778 Fix multimatch behavior to match what we have on v2 2018-10-23 16:37:42 -03:00
Felipe Zimmerle
dba73f5367 Using values after transformation at MATCHED_VARS 2018-10-23 16:26:11 -03:00
Felipe Zimmerle
85ecd190d9 Adds full support to UpdateActionById. 
Issue #1800
 2018-10-23 16:26:11 -03:00
Felipe Zimmerle
3e8e28da48 Refactoring on the RULE variable 2018-10-23 16:26:11 -03:00
Felipe Zimmerle
554251bade Refactoring on the Rule class 2018-10-23 16:26:10 -03:00
Felipe Zimmerle
74841779f8 Adds partial support to UpdateActionById 2018-10-23 16:26:10 -03:00
Victor Hora
20ef01d75c Allow LuaJIT 2.1 to be used 2018-10-12 17:32:10 -04:00
Victor Hora
28f6f2201f Match m_id JSON log with RuleMessage and v2 format 2018-10-12 13:10:11 -04:00
Felipe Zimmerle
bc3d3f1915 Adds support to setenv action 
Issue #1044
 2018-09-25 10:19:52 -03:00
Felipe Zimmerle
4dd2812757 Adds new transaction constructor that accepts the transaction id as parameter. 2018-09-24 21:36:06 -03:00
Felipe Zimmerle
c721e101c0 Adds request IDs and URIs to the debug log 2018-09-24 21:07:11 -03:00
Felipe Zimmerle
98b9ae659d Having a better organization for Variables:: 2018-09-24 16:39:48 -03:00
Felipe Zimmerle
ee50fea266 Handling key exceptions on the variable itself 
This is the first step towords to solve #1697
 2018-09-24 16:16:30 -03:00