Windows compilation was failing due to the utilization of size_t which is part
of the strings.h. strings.h was not part of windows and so the compilation
was failing. This update fix that. Issue #65 on libinjection:
https://github.com/client9/libinjection/issues/65
Apperantly forcing the charset is not placing any benefits, instead it is
cousing problems as documented on #650. This still experimental, just
testing against our regression tests. Such feature was added by the commit:
177b5b9c989b0095e5c91b01d205df64e65e6c9e.
The Sec{Read|Write}StateLimits are filters related to the connections, when the
server did not know yet which vhost the request goes to. This means that once
those configrations are set it will be applied to entire server. This patch
just renames the Sec{Read|Write}StateLimits to SecConn{Read|Write}StateLimits
to make it more clear to the user. SecConnectionEngine was also renamed to
SecConnEngine.
Different from the Rules or other options, the connections filters are applied
to entire server, not to a single vhost, or so. In order to keep it clear to
the user this patches adds "SecConnectionEngine" which works in the same way
that SecRuleEngine does.
The SecRuleEngine has the capability to Enable, Disable or even to place the
ModSecurity in DetectionOnly mode. The SecReadStateLimit and SecWriteStateLimit
were not honoring such state, due the fact that our configuration belongs to
requests not to connections, the only struct that exists while those filters
are placed. By adding a global variable "conn_limits_filter_state" we are now
able to identify the current state of the ModSecurity, once the configuration
is loaded this variable is set and used by the connections filters.
Used by the operator @ipMatch and variants, this structure storage all the IPs
addresses for later comparison. Last version was using RadixTree only if the
set of IPs was specified from files. IPs specified as parameters, was using
a chained list. Chained lists may affect the performance, since lookups in
worst case will be O(n). RadixTrees could provide better results depending
on the amount of elements and its contents.
The operators @ipMatch, @ipMatchF and @ipMatchFromFile were
added to the functions: SecReadStateLimit and SecReadStateLimit,
by using them it is possible to declare a suspicious list. When
a suspicious list is given, the {Read|Write}StateLimit will be
applied just to the IPs that belongs to that restricted list.
Note that the negative of those operators (e.g. !@ipMatch) can be
used to place a whitelist. The {Read|Write}StateLimit
restrictions will not be applied to those in the whitelist.
This current version the Sec{Read|Write}StateLimit can be used
varios times to add elements to both lists, however, the
last informed limit will be applied for the entire group. This
feature is experimental, and suggestions on how to improve it
are very welcome. For further discussion use the issue: #353.
Testing inet_pton with the help of Steffen. Acording to Steffen we can use
!(NTDDI_VERSION >= NTDDI_VISTA) to identify that the specific Windows version
has this function defined or not, if so we can use the Windows version.
Reverting this commit to avoid to overwrite the Windows' function. And
see the original error that happened before this commit.
Instead of -dPlatform a recent update in the WiX files are demanding
the parameter -arch, although this parameter is not valid nor needed
while running "light".
This script could be used in order to verify all ModSecurity run time
dependencies. It is now part of ModSecurity folder in Program menu.
Cosmetics changes in the installer
Visual C++ 12.0 Runtime files are now part of ModSecurity MSI package.
Users don't have to download the vcredist files anymore. Build script
was also updated, to handle the new flag -arch.
Building with --enable-standalone-module was failing due
the lack of the reference to the msc_json.c file inside the
standalone/Makefile.am. This patch also place the dependency
of the yajl to the nginx module config script.
Now searching for yajl using find_yajl.m4 macro file instead
of using pkg-config directly. If YAJL was not found or if it
was disabled in the configure phase, the code will be compiled
without JSON support.
The status string was too long. By removing meaningless stuff, such as: runtime
version of Lua, we have reduced the length of the status string. Limitations
were also placed regarding the size of the ModSecurity version. Big queries may
lead to failure, due to restrictions of "gethostbyname". There is also a bit of
code cosmetics in this patch: big functions were broken into smaller.
In ModSecurityIIS the configuration is loaded upon the first request
is received. In other words, SecStatusEngine value can be only
loaded once the first request hit the server, and so, the status
function was moved to proceed just after the configuration got loaded.
This update is IIS only.
The Status Engine allow the measurements of how many ModSecurity
instances are running around the world, as long as information
on how many times it had been restarted and so on. Everytime that
the server is started it perform a DNS query that is redirected
to our servers, that query constains information about the
ModSecurity version and it dependencies versions. It also sends a
unique indetification generate locally for the server, avoiding
counting the same server twice while generating the statistics.
This id is a sha-1 hash of the machine name + mac address of the
first network adapter. In this commit it is enabled by default,
in the release will be a configuration option to disable this
functionality. It also important to cite that the information
gather by this query will be also available in ModSecurity website
public open via a JSON stateless API. There will be an fancy
heatmap as well.
A bug was reported related to our utf8toUnicode transformation, so, adding this
unit test to confirm the bug and to check whenever it is fixed. Bug #671.
Add independent modsecFinishConnection API that allows you to independently
destroy the connection and request pools. This is to facilitate reuse of a
connection for multiple requests.
Continuation of kukackajiri's work to provide fixes for errors pointed by
Parfait. The function copy_rules had an integer as return code but it was not
filed proper neither checked by its callers. This commit just adds sanity
checks and documentation for the copy_rules function. Marking were placed
on the copy_rules callers, but the return code is not handled yet.
For kukackajiri's work, see merge request: #612
