Add independent modsecFinishConnection API that allows you to independently
destroy the connection and request pools. This is to facilitate reuse of a
connection for multiple requests.
For some reason the state of modsec (enable, disable or detecting only) was not
being checked under certain circumstances. For instance, while reading the
body. This was leading ModSecurity to fail and consequently nginx. This patch
added the to standalone implementation mechanism to verify the state that is now
verified under the nginx module.
SecServerSignature was leading nginx to crash. It was trying to write over a
memory area that it was not allowed to. In order to fix that a new function was
created on the standalone api. This function is called
modsecIsServerSignatureAvailale. Whenever it returns data it means that the
function SecServerSignature was used by the user. Nginx module was also patched
to support this new function.
In an attempt to boost the performance the headers were being checked in two
different situations, the first if SecResponseBodyAccess was Off and in a
second situation if SecResponseBodyAccess was set to On. This makes sense
however functionalities such as content injection demands the body even if
SecResponseBodyAccess was not enabled. This patch removes the first scenario,
leaving just the second one. After this modification the following regression
tests started to pass:
from: regression/action/10-append-prepend.t
1) action - append content: passed
2) action - prepend content: passed
The problem was caused by the fact that ModSecutiry was telling Nginx that
headers had been sent when, in fact, had not. This modification was added in
the past, along with others, in the following commit: fd2c30fa2311e783eecf3bf02bf3dcfbabc3968a
This patch, just removes the "r->header_sent = 1". After that modification
the following regression tests started to work again:
from: action/00-disruptive-actions.t
3) action - pass in phase:3
4) action - pass in phase:4
11) action - deny in phase:3
12) action - deny in phase:4
19) action - redirect in phase:3 (get)
20) action - redirect in phase:4 (get)
23) action - proxy in phase:3 (get)
24) action - proxy in phase:4 (get)
from: config/10-response-directives.t
2) config - SecResponseBodyAccess On
6) config - SecResponseBodyLimit (greater)
7) config - SecResponseBodyLimitAction Reject
Pull request #148 by zimmerle doesn't fix the problem. '\0' in format
string won't be processed by "ngx_vslprintf".
When the garbage character is '\n' or '\r', http response is cracked and
browsers may go crashing.
The headers are represented in the format of an apr_table, which
is able to handle elements with the same key, however the function
apr_table_setn checks if the key exists before add the element, if so
it replaces the old value with the new one. This was making our
implementation to just keep the last added Cookie. The apr_table_addn
function, which is now used, just add a new item without check for
olders one.
The charset in headers is mounted using ngx_snprintf which
does not place the string terminator. This patch adds the
terminator at the end of the string. The size was correctly
allocated, just missing the terminator.
This bug was report at:
- https://www.modsecurity.org/tracker/browse/MODSEC-420
- https://github.com/SpiderLabs/ModSecurity/issues/142
Both reports cames with patch, first by Veli Pekka Jutila and
second by wellumies.
- after post request is processed
the calling to ngx_http_read_client_request_body will ingore
r->request_body_in_file_only option, which is not expected.
