apr_crypto is not always available, configure scripts are looking for
it and setting WITH_APU_CRYPTO in case it is found. There were two
places where apr_crypto.h was included without validating if
WITH_APU_CRYPTO was set. This patch removes the inclusion from the
first place (it seems not to be mandatory) and add the check for
WITH_APU_CRYPTO in the second one. This fix issue #834.
This definition is currently used in two different circumstances: Report with
accuracy that the server is an IIS (status call), and also show the amount of
loaded remote rules on the windows logs. Different from Apache which loads the
rules twice, IIS just do it once.
As the this new Curl version supports well the Windows certificate storage,
removing the dependency on the OpenSSL. Also changing the build scripts to work
accordingly. As the cmake build of Curl is said to broken abandoning it in
favor of the nmake files. Thanks to Gregg Smith and Steffen.
Resources load mechanism as the SecRemoteRuels were not showing information
about the loaded rules while Apache was reloaded. This patch add such
information to reload in the same way that it was showing on restart.
As reported by Walter Hop, the status call functionality was printing a message
in the console without the expected 'ModSecurity:' prefix. SecServerSignature
was also printing messages without the expected prefix. Both are fixed by this
commit.
As reported by Walter Hop on our dev- mailing list, remote resource download
was not validating the HTTP code, parsing errors pages as resources. This
commit fix this issue, from now one HTTP error codes will be verified and
treated as errors. Operators are now dealing well with empty values that may
be produced in consequence of a download error.
As reported by Christian Folin and Walter Hop on our dev mailing list, Apache
mod_ssl was failing if a remote resource was utilized. That was happening
because Curl clean up was also cleaning up the OpenSSL data used by mod_ssl.
This patch moves Curl initialization to happens while ModSecurity is
initialized.
As reported by Rainer Jung, Curl may not be mandatory to build
ModSecurity core. This patch make it optional by:
- Concentrate all downloads using curl on msc_remote_rules.c
- Split Curl build definitions checks into: WITH_CURL, WITH_REMOTE_RULES
and WITH_CRYPTO.
- WITH_CURL: Contains Culr headers and binaries during the build time.
- WITH_REMOTE_RULES: Currently enabled if Curl is present.
- WITH_CRYPTO: Set if apr tool was compiled with crypto support.
- Renames msc_remote_grab_content to msc_remote_download_content
On IIS CA validation was not working as libcurl on windows does not look for a
certificate store, unless it is specified. The resource downloads are now
respecting the SecRemoteRulesFailAction.
This commit makes ModSecurity to refuse to download or install rules
(SecRemoteRules) from sites that are not running HTTPS with a valid and
trusted certificate.
Originally the SecRemoteRules fetch the rules from an remote server in an
specific format, using cryptography. This patch adds the possibility to
load rules in plain/text format.
SecRemoteRules adds a new dependency to libcurl. Before only mlogc was
depending on libcurl. SecRemoteRules also depends on the apr-tools with
crypto support, which (as reported by our buildbots) is not default in
some environments such as: MacOS X. This commit disable SecRemoteRules
support if apr-tools was not compiled with crypto support.
This directive allows the user to set a default action whenever the
SecRemoteRules failed to download a set of rules. Current the supported
values are: Warn and Abort. By default `Abort' is selected.
Initially those directives were only able to load content from a
local file. This commit extends this functionality allowing the user to
provide an HTTP URI that can be downloaded and loaded by ModSecurity.
Initially the download is associated with a server restart. For next
versions we expect to load such resources as it become outdated (Without
need to resetart the server).
On Apache platform the server signature can be replaced using the
SecServerSignature directive. Status call was using the signature informed by
this directive instead of using the original one. As reported at #702.
As reported at #714 status calls with long `apache version' name was broken.
DNS queries cannot be so long. This field is now limited to 25 characters
which is a valid size when encoded into base32
FuzzyHash operator is optional and only installed if the headers for libfuzzy
was found in the system. Otherwise, the FuzzyHash operator is disable during
the compilation. After this commit, if some rules tries to use it, ModSecurity
will produce an runtime error not a config time error, allowing the web server
to procede normal with its operations.
The fuzzyHash operator can be used to match files. In conjuntcion
with FILES_TMP_CONTENT collection it can scan uploaded files and
try to match it with a pre caculated list of know malicious content,
more details on how it works can be found on ssdeep website:
http://ssdeep.sourceforge.net/
The collection is filled with a key-value set where value is the content of
the file which was uploaded. This collection can be used with all supported
operators, however SecUploadKeepFiles should be set to 'On' in order
to have this collection filled.
The ipv4 representation was only accepting slash notation with masks
represented in 2 digits. In the ipv6 implementation several fixies were made:
The maximum value to a bitmask was 64 which is not the reality, as ipv6 can
handle 128 bits. The second change was also to enable mask representation with
more and less than 2 digits. A more general fix was added to allow the unit
tests to work even if a invalid ip/range was informed during the creation of
the "tree", now it is checking if the tree is NULL while performing the
execution of the operator. Initial problem was reported at the issue: #706.
Windows compilation was failing due to the utilization of size_t which is part
of the strings.h. strings.h was not part of windows and so the compilation
was failing. This update fix that. Issue #65 on libinjection:
https://github.com/client9/libinjection/issues/65
The Sec{Read|Write}StateLimits are filters related to the connections, when the
server did not know yet which vhost the request goes to. This means that once
those configrations are set it will be applied to entire server. This patch
just renames the Sec{Read|Write}StateLimits to SecConn{Read|Write}StateLimits
to make it more clear to the user. SecConnectionEngine was also renamed to
SecConnEngine.
Different from the Rules or other options, the connections filters are applied
to entire server, not to a single vhost, or so. In order to keep it clear to
the user this patches adds "SecConnectionEngine" which works in the same way
that SecRuleEngine does.
The SecRuleEngine has the capability to Enable, Disable or even to place the
ModSecurity in DetectionOnly mode. The SecReadStateLimit and SecWriteStateLimit
were not honoring such state, due the fact that our configuration belongs to
requests not to connections, the only struct that exists while those filters
are placed. By adding a global variable "conn_limits_filter_state" we are now
able to identify the current state of the ModSecurity, once the configuration
is loaded this variable is set and used by the connections filters.
Used by the operator @ipMatch and variants, this structure storage all the IPs
addresses for later comparison. Last version was using RadixTree only if the
set of IPs was specified from files. IPs specified as parameters, was using
a chained list. Chained lists may affect the performance, since lookups in
worst case will be O(n). RadixTrees could provide better results depending
on the amount of elements and its contents.
The operators @ipMatch, @ipMatchF and @ipMatchFromFile were
added to the functions: SecReadStateLimit and SecReadStateLimit,
by using them it is possible to declare a suspicious list. When
a suspicious list is given, the {Read|Write}StateLimit will be
applied just to the IPs that belongs to that restricted list.
Note that the negative of those operators (e.g. !@ipMatch) can be
used to place a whitelist. The {Read|Write}StateLimit
restrictions will not be applied to those in the whitelist.
This current version the Sec{Read|Write}StateLimit can be used
varios times to add elements to both lists, however, the
last informed limit will be applied for the entire group. This
feature is experimental, and suggestions on how to improve it
are very welcome. For further discussion use the issue: #353.
