The method returns information about ModSecurity's version and the platform
that it was compiled on. Further, it will be used by the audit logs and by the
connectors. msc_who_am_i was added accordingly to the C API.

The server ID is a SHA-1 identifier generated from the MAC address of the first
Ethernet device plus the server name. The process is the same as the one used by
ModSecurity 2.9.

Specifying the property kind is mandatory for actions that extend the class
Action. The new constructor makes the implementation of new actions simpler.

Regression tests were not processing the 'LoggingPhase'. They were stopping at the
'ResponseBodyPhase'. As we are implementing the AuditLogs, this phase is now
mandatory.

Deleting all files in the repository does not seem to be a good idea.
The better approach will be to create a new repository. On the other hand,
we don't want this to be detached from this main repository. We can
push this to another repository if necessary.

It is easy to test old/new code standalone with valgrind;
just insert the getkey() function into this template:

    #include <stdio.h>
    #include <apr_general.h>  /* apr_initialize() */
    #include <apr_pools.h>    /* apr_pool_t, apr_pool_create() */

    /* -----------getkey() goes here----------------- */

    int main(void)
    {
        apr_pool_t *p;

        apr_initialize();
        apr_pool_create(&p, NULL);
        printf("%s\n", getkey(p));
        return 0;
    }

Keeping compatibility among different versions of Apache is not a simple
task; in this case it can be avoided by the creation of our own version
of ap_find_command, which is now used by msc_remote_rules.

apr_crypto is not always available; the configure scripts look for
it and set WITH_APU_CRYPTO in case it is found. There were two
places where apr_crypto.h was included without validating whether
WITH_APU_CRYPTO was set. This patch removes the inclusion from the
first place (it seems not to be mandatory) and adds the check for
WITH_APU_CRYPTO in the second one. This fixes issue #834.

This definition is currently used in two different circumstances: to report with
accuracy that the server is an IIS (status call), and also to show the amount of
loaded remote rules in the Windows logs. Unlike Apache, which loads the
rules twice, IIS just does it once.

As this new Curl version supports the Windows certificate storage well,
removing the dependency on OpenSSL. Also changing the build scripts to work
accordingly. As the cmake build of Curl is said to be broken, abandoning it in
favor of the nmake files. Thanks to Gregg Smith and Steffen.

Resource load mechanisms such as SecRemoteRules were not showing information
about the loaded rules while Apache was reloaded. This patch adds such
information to reload in the same way that it was shown on restart.

As reported by Walter Hop, the status call functionality was printing a message
in the console without the expected 'ModSecurity:' prefix. SecServerSignature
was also printing messages without the expected prefix. Both are fixed by this
commit.

As reported by Walter Hop on our dev mailing list, remote resource download
was not validating the HTTP code, parsing error pages as resources. This
commit fixes this issue; from now on HTTP error codes will be verified and
treated as errors. Operators are now dealing well with empty values that may
be produced as a consequence of a download error.

As reported by Christian Folin and Walter Hop on our dev mailing list, Apache
mod_ssl was failing if a remote resource was utilized. That was happening
because Curl cleanup was also cleaning up the OpenSSL data used by mod_ssl.
This patch moves Curl initialization to happen while ModSecurity is
initialized.

As reported by Rainer Jung, Curl may not be mandatory to build
ModSecurity core. This patch makes it optional by:
- Concentrate all downloads using curl on msc_remote_rules.c
- Split Curl build definitions checks into: WITH_CURL, WITH_REMOTE_RULES
  and WITH_CRYPTO.
  - WITH_CURL: Contains Curl headers and binaries during the build time.
  - WITH_REMOTE_RULES: Currently enabled if Curl is present.
  - WITH_CRYPTO: Set if apr tool was compiled with crypto support.
- Rename msc_remote_grab_content to msc_remote_download_content