Audit logs are taking too long to be written to the disk. One of the
consequences of that is that tests which need to read from the audit
log fail. Increasing the timeout makes it wait a little bit longer for
the logs before giving up.

It was trying to match "ModSecurity for Apache.* configured". This patch
makes it expect "ModSecurity for nginx.* configured" while the nginx
version is being used/tested.

Proxy is not yet ready for nginx. Instead of giving a generic error, this patch
adds a clean message explaining that such functionality is not available on the
nginx port. This patch also modifies the test cases to reflect these changes.

Some functionalities are only enabled on Apache, not part of nginx or IIS. As
an example we have the "proxy", currently only supported in Apache. This patch
adds to our regression test suite the ability to expect different contents
based on the target platform.

SecServerSignature was leading nginx to crash. It was trying to write over a
memory area that it was not allowed to. In order to fix that, a new function was
created in the standalone API. This function is called
modsecIsServerSignatureAvailale. Whenever it returns data, it means that the
function SecServerSignature was used by the user. The Nginx module was also patched
to support this new function.

In an attempt to boost performance, the headers were being checked in two
different situations: the first if SecResponseBodyAccess was Off, and the
second if SecResponseBodyAccess was set to On. This makes sense;
however, functionalities such as content injection demand the body even if
SecResponseBodyAccess was not enabled. This patch removes the first scenario,
leaving just the second one. After this modification the following regression
tests started to pass:
from: regression/action/10-append-prepend.t
1) action - append content: passed
2) action - prepend content: passed

By default Nginx does not allow POST on static files, which is heavily
used by the regression tests. This is an ugly hack just to make it possible
to gather some numbers. A better solution will arrive soon.

The problem was caused by the fact that ModSecurity was telling Nginx that
headers had been sent when, in fact, they had not. This modification was added in
the past, along with others, in the following commit: fd2c30fa2311e783eecf3bf02bf3dcfbabc3968a
This patch just removes the "r->header_sent = 1". After that modification
the following regression tests started to work again:
from: action/00-disruptive-actions.t
3) action - pass in phase:3
4) action - pass in phase:4
11) action - deny in phase:3
12) action - deny in phase:4
19) action - redirect in phase:3 (get)
20) action - redirect in phase:4 (get)
23) action - proxy in phase:3 (get)
24) action - proxy in phase:4 (get)
from: config/10-response-directives.t
2) config - SecResponseBodyAccess On
6) config - SecResponseBodyLimit (greater)
7) config - SecResponseBodyLimitAction Reject

SecXmlExternalEntity was not specified. By default its value is Off. This patch
sets SecXmlExternalEntity to On in order to load the external resources
needed for this test case.

mod_extract_forwarded2.c is already present in this list, but there is a
(seemingly better) alternative for Apache 2.2, distributed in
Fedora EPEL, that is called mod_extract_forwarded.c.

Pull request #148 by zimmerle doesn't fix the problem. '\0' in the format
string won't be processed by "ngx_vslprintf".
When the garbage character is '\n' or '\r', the HTTP response is cracked and
browsers may crash.
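
As an added illustration of the two server-signature commits above (the out-of-bounds write fixed via modsecIsServerSignatureAvailale, and the '\n'/'\r' garbage that cracks the response), here is a constructed C routine, not ModSecurity's or nginx's own code, showing the defensive shape of such a write: an explicit-length, bounded copy that refuses control bytes. The buffer size and the function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model (not the real module): the header buffer for the signature is a fixed-size char array. */
#define SIG_BUF_LEN 64

enum sig_status {
    SIG_OK = 0,
    SIG_EMPTY,     /* SecServerSignature not set: nothing must be written */
    SIG_TOO_LONG,  /* value plus terminator would overrun the buffer */
    SIG_BAD_CHAR   /* CR, LF or another control byte in the value */
};

/* Copy a configured signature into a bounded buffer. Lengths are explicit
 * (no format string, so nothing is silently cut or swallowed), the copy
 * never passes dst_len, and control bytes are refused so the value cannot
 * end or split the header line. dst is left empty on any failure. */
enum sig_status copy_server_signature(const char *sig, char *dst, size_t dst_len)
{
    size_t n;
    if (dst_len == 0)
        return SIG_TOO_LONG;
    dst[0] = '\0';
    if (sig == NULL || sig[0] == '\0')
        return SIG_EMPTY;
    /* bounded scan: stop at dst_len so an unterminated input is not over-read */
    for (n = 0; n < dst_len && sig[n] != '\0'; n++) {
        unsigned char c = (unsigned char)sig[n];
        if (c < 0x20 || c == 0x7f)
            return SIG_BAD_CHAR;
    }
    if (n >= dst_len)          /* no room left for the terminator */
        return SIG_TOO_LONG;
    memcpy(dst, sig, n);
    dst[n] = '\0';
    return SIG_OK;
}

/* Verdict-only wrapper against the modelled buffer; on SIG_OK it also
 * confirms the buffer holds exactly the configured value (else -1). */
int signature_status(const char *sig)
{
    char buf[SIG_BUF_LEN];
    enum sig_status st = copy_server_signature(sig, buf, sizeof buf);
    if (st == SIG_OK && strcmp(buf, sig) != 0)
        return -1;
    return (int)st;
}
```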

The nginx config file was looking for dependencies by itself;
by doing that it was ignoring the options that were passed to the
configure script. This commit deletes this config file and adds
a meta-config which is populated by configure whenever the
standalone module is enabled.