ModSecurity/review/pre-2.5-brian.review
2008-01-09 00:56:45 +00:00

1724 lines
81 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<Review id="pre-2.5">
<ReviewIssue id="FB137W3T">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 10:55:40:361 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 10:57:29:687 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="2204">apache2/re_variables.c</File>
<Type>Suggestion</Type>
<Severity>item.severity.label.normal</Severity>
<Summary>Is ENV really cacheable? It could change via setenv.</Summary>
<Description>/* ENV */
msre_engine_variable_register(engine,
"ENV",
VAR_LIST,
0, 1,
var_env_validate,
var_env_generate,
VAR_CACHE,
PHASE_REQUEST_HEADERS
);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB13ARFR">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 10:57:54:279 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:16:11:570 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="2270">apache2/re_variables.c</File>
<Type>Suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>GEO is probably not cacheable as it changes with every @geoLookup operator.</Summary>
<Description>/* GEO */
msre_engine_variable_register(engine,
"GEO",
VAR_LIST,
1, 1,
var_generic_list_validate,
var_geo_generate,
VAR_CACHE,
PHASE_REQUEST_HEADERS
);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB13GOJ6">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:02:30:450 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:03:43:300 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="2281">apache2/re_variables.c</File>
<Type>Suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>GLOBAL is not documented. Is it cacheable?</Summary>
<Description>/* GLOBAL */
msre_engine_variable_register(engine,
"GLOBAL",
VAR_LIST,
1, 1,
var_generic_list_validate,
var_global_generate,
VAR_CACHE,
PHASE_REQUEST_HEADERS
);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB13M9C2">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:06:50:690 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:07:26:033 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="2303">apache2/re_variables.c</File>
<Type>Suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>IP undocumented. Probably not cacheable as it can change via setvar, etc.</Summary>
<Description>/* IP */
msre_engine_variable_register(engine,
"IP",
VAR_LIST,
1, 1,
var_generic_list_validate,
var_ip_generate,
VAR_CACHE,
PHASE_REQUEST_HEADERS
);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB13OJ5P">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:08:36:733 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:09:06:681 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="2534">apache2/re_variables.c</File>
<Type>Suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>RESOURCE is undocumented. Probably not cacheable as it is easily changed.</Summary>
<Description>/* RESOURCE */
msre_engine_variable_register(engine,
"RESOURCE",
VAR_LIST,
1, 1,
var_generic_list_validate,
var_resource_generate,
VAR_CACHE,
PHASE_REQUEST_HEADERS
);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB13W5BF">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:14:32:043 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 14:52:02:794 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="2908">apache2/re_variables.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>SESSION is probably not cacheable since it is modifyable via setvar.</Summary>
<Description>/* SESSION */
msre_engine_variable_register(engine,
"SESSION",
VAR_LIST,
1, 1,
var_generic_list_validate,
var_session_generate,
VAR_CACHE,
PHASE_REQUEST_HEADERS
);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB14A5TJ">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:25:25:879 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:26:10:856 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="95">apache2/apache2_util.c</File>
<Type>Suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Portable way to format sizeof()?</Summary>
<Description>msr_log(msr, 1, "Exec: Unable to allocate %lu bytes.", (unsigned long)sizeof(*procnew));</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB154B83">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:48:52:563 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:50:30:473 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="209">apache2/re_actions.c</File>
<Type>item.type.label.irrelevant</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>This #if 0'd out code should be removed.</Summary>
<Description>/* Removed %0-9 macros as it messes up urlEncoding in the match
* where having '%0a' will be treated as %{TX.0}a, which is incorrect.
* */
#if 0
else if ((*(p + 1) &gt;= '0')&amp;&amp;(*(p + 1) &lt;= '9')) {
/* Special case for regex captures. */
var_name = "TX";
var_value = apr_pstrmemdup(mptmp, p + 1, 1);
next_text_start = p + 2;
}
#endif</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB15AL3F">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:53:45:291 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 14:51:42:573 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="276">apache2/re_actions.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Use apr_array_pstrcat(msr-&gt;mp, arr, NULL) instead?</Summary>
<Description>/* If there's more than one member of the array that
* means there was at least one macro present. Combine
* text parts into a single string now.
*/
if (arr-&gt;nelts &gt; 1) {
/* Figure out the required size for the string. */
var-&gt;value_len = 0;
for(i = 0; i &lt; arr-&gt;nelts; i++) {
part = ((msc_string **)arr-&gt;elts)[i];
var-&gt;value_len += part-&gt;value_len;
}
/* Allocate the string. */
var-&gt;value = apr_palloc(msr-&gt;mp, var-&gt;value_len + 1);
if (var-&gt;value == NULL) return -1;
/* Combine the parts. */
offset = 0;
for(i = 0; i &lt; arr-&gt;nelts; i++) {
part = ((msc_string **)arr-&gt;elts)[i];
memcpy((char *)(var-&gt;value + offset), part-&gt;value, part-&gt;value_len);
offset += part-&gt;value_len;
}
var-&gt;value[offset] = '\0';
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB15JPH9">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 12:00:50:877 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 12:03:50:156 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="246">apache2/re_operators.c</File>
<Type>Suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Use resolve_relative_path() instead? Maybe a config_relative_path() to just get the path?</Summary>
<Description>/* Get the path of the rule filename to use as a base */
rulefile_path = apr_pstrndup(rule-&gt;ruleset-&gt;mp, rule-&gt;filename, strlen(rule-&gt;filename) - strlen(apr_filepath_name_get(rule-&gt;filename)));</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB18IF9M">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 13:23:49:834 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 13:24:14:701 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="265">apache2/re_operators.c</File>
<Type>item.type.label.clarity</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Add parens for clarity.</Summary>
<Description>*next++ = '\0';</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1BQL2O">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 14:54:09:456 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 14:55:05:945 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="310">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Need to check return code and log an error on failure.</Summary>
<Description>acmp_add_pattern(p, buf, NULL, NULL, strlen(buf));</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1BST7G">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 14:55:53:308 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 14:56:17:267 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="315">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Need to check return code and log an error on failure.</Summary>
<Description>acmp_prepare(p);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1BVP52">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 14:58:08:006 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:00:17:190 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="379">apache2/re_operators.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.minor</Severity>
<Summary>See if apr_strmatch is faster.</Summary>
<Description>msre_op_within_execute</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1BXI7P">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 14:59:32:341 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 14:59:59:858 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="442">apache2/re_operators.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.minor</Severity>
<Summary>See if apr_strmatch is faster.</Summary>
<Description>msre_op_contains_execute</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1C083S">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:01:39:208 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:02:04:258 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="506">apache2/re_operators.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.minor</Severity>
<Summary>See if apr_strmatch is faster.</Summary>
<Description>msre_op_containsWord_execute</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1C28BC">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:03:12:792 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:04:40:965 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="170">apache2/re_actions.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.minor</Severity>
<Summary>This implementation comment needs to be coded as many string operators now attempt to resolve macros.</Summary>
<Description>/* IMP1 Duplicate the string and create the array on
* demand, thus not having to do it if there are
* no macros in the input data.
*/
data = apr_pstrdup(mptmp, var-&gt;value); /* IMP1 Are we modifying data anywhere? */
arr = apr_array_make(mptmp, 16, sizeof(msc_string *));
if ((data == NULL)||(arr == NULL)) return -1;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1CEPS4">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:12:55:300 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:13:19:677 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.minor</Severity>
<Summary>Need more unit tests for operators. Start with new operators.</Summary>
<Description />
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1D9K44">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:36:54:292 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:37:50:111 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1885">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>@m operator is not documented. This does the same as @contains, so it was suggested earlier to use the @m algorithm for contains (if faster) and drop @m.</Summary>
<Description>/* m */
msre_engine_op_register(engine,
"m",
msre_op_m_param_init,
msre_op_m_execute
);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1DI9VN">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:43:40:931 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:45:51:571 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1109">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>@geoLookup should set error_msg on success to something like "Successful geograpical lookup of \"%s\" at %s."</Summary>
<Description>msre_op_geoLookup_execute</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1DMQVA">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:47:09:574 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:48:00:456 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1230">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>@rbl fails to set the var name in error_msg. Should append "at %s".</Summary>
<Description>rc = apr_sockaddr_info_get(&amp;sa, name_to_check,
APR_UNSPEC/*msr-&gt;r-&gt;connection-&gt;remote_addr-&gt;family*/, 0, 0, msr-&gt;mp);
if (rc == APR_SUCCESS) {
*error_msg = apr_psprintf(msr-&gt;r-&gt;pool, "RBL lookup of %s succeeded.",
log_escape_nq(msr-&gt;mp, name_to_check));
return 1; /* Match. */
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1DP8LY">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:49:05:878 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:51:13:090 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1275">apache2/re_operators.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.major</Severity>
<Summary>Need to resolve the TODOs introduced by Lua processing.</Summary>
<Description />
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1DW247">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:54:24:055 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:55:22:775 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1259">apache2/re_operators.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Need to remove the LUA #ifdef's</Summary>
<Description>#ifdef WITH_LUA</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1DYM7R">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:56:23:415 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:57:17:579 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1324">apache2/re_operators.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>The LUA #ifdef's should be removed, but if it is decided not to, then this lua call needs to be #ifdef'd.</Summary>
<Description>} else {
/* Execute internally, as Lua script. */
char *target = apr_pstrmemdup(msr-&gt;mp, var-&gt;value, var-&gt;value_len);
msc_script *script = (msc_script *)rule-&gt;op_param_data;
int rc;
rc = lua_execute(script, target, msr, rule, error_msg);
if (rc &lt; 0) {
/* Error. */
return -1;
}
return rc;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1E0Q7Y">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:58:01:918 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:58:58:621 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1330">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.major</Severity>
<Summary>Need an error_msg set for lua execution error.</Summary>
<Description>rc = lua_execute(script, target, msr, rule, error_msg);
if (rc &lt; 0) {
/* Error. */
return -1;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1E3GFO">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:00:09:204 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:07:33:188 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1403">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>@validateByteRange does not output the VAR name on match. Need to append " at %s."</Summary>
<Description>msre_op_validateByteRange_execute</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1E5VS3">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:02:02:403 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:06:22:410 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1477">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>@validateurlEncoding does not output VAR name nor offset in error_msg on match.</Summary>
<Description>msre_op_validateUrlEncoding_execute</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1E87O7">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:03:51:127 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:06:13:415 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1659">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Numeric operators (@eq, etc) do not output VAR name on match.</Summary>
<Description>msre_op_eq_execute
msre_op_gt_execute
msre_op_lt_execute
msre_op_ge_execute
msre_op_le_execute</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1EJCRJ">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:12:30:943 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:12:47:358 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="202">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>No.</Summary>
<Description>/* ENH Do we want to support %{DIGIT} as well? */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1EMD8B">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:14:51:515 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 14:22:10:119 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="402">apache2/re_actions.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Implement. Need to check if Apache will return an invalid status code</Summary>
<Description>/* status */
static char *msre_action_status_validate(msre_engine *engine, msre_action *action) {
/* ENH action-&gt;param must be a valid HTTP status code. */
return NULL;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1ENQBX">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:15:55:149 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:16:52:467 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="422">apache2/re_actions.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Implement.</Summary>
<Description>/* pause */
static char *msre_action_pause_validate(msre_engine *engine, msre_action *action) {
/* ENH Validate a positive number. */
return NULL;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1EPUYO">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:17:34:464 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:22:35:501 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="434">apache2/re_actions.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Implement as a valid URI check with apr_uri_parse()?</Summary>
<Description>/* redirect */
static char *msre_action_redirect_validate(msre_engine *engine, msre_action *action) {
/* ENH Add validation. */
return NULL;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1EWH8Q">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:22:43:274 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:22:54:679 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="465">apache2/re_actions.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Implement as a valid URI check with apr_uri_parse()?</Summary>
<Description>/* proxy */
static char *msre_action_proxy_validate(msre_engine *engine, msre_action *action) {
/* ENH Add validation. */
return NULL;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1EZDG2">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:24:58:322 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:25:17:586 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="530">apache2/re_actions.c</File>
<Type>item.type.label.irrelevant</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>I believe this is already done and comment needs removed.</Summary>
<Description>// TODO: Need to keep track of skipAfter IDs so we can insert placeholders after
// we get to the real rule with that ID.</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1F1P3G">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:26:46:732 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:27:54:881 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="507">apache2/re_actions.c</File>
<Type>item.type.label.irrelevant</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>I do not see a need to validate beyound what is already done in the init function.</Summary>
<Description>msre_action_skip_validate
msre_action_skipAfter_validate</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1F4AX8">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:28:48:332 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:29:03:587 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="570">apache2/re_actions.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Implement.</Summary>
<Description>/* phase */
static char *msre_action_phase_validate(msre_engine *engine, msre_action *action) {
/* ENH Add validation. */
return NULL;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1FXYL9">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:51:52:029 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:03:32:872 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="612">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Probably should also calc length and validate a length &gt; 0 instead of just checking NULL. Other checks would benefit from checking a length as well, so no harm in calculating that.</Summary>
<Description>if (value == NULL) {
return apr_psprintf(engine-&gt;mp, "Missing ctl value for name: %s", name);
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1G3IER">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:56:10:995 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:59:47:800 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="708">apache2/re_actions.c</File>
<Type>item.type.label.irrelevant</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Why register init() if we do not use it?</Summary>
<Description>static apr_status_t msre_action_ctl_init(msre_engine *engine, msre_actionset *actionset,
msre_action *action)
{
/* Do nothing. */
return 1;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1G9H6K">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:00:49:340 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:02:15:141 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="235">apache2/msc_logging.c</File>
<Type>item.type.label.programLogic</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>This allows an empty string as a valid part. This misvalidates "ctl:auditLogParts=+", etc.</Summary>
<Description>is_valid_parts_specification</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1GENRN">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:04:51:155 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:08:12:017 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="726">apache2/re_actions.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Inner if's should be else if's.</Summary>
<Description>if (strcasecmp(name, "ruleEngine") == 0) {
if (strcasecmp(value, "on") == 0) {
msr-&gt;txcfg-&gt;is_enabled = MODSEC_ENABLED;
msr-&gt;usercfg-&gt;is_enabled = MODSEC_ENABLED;
}
if (strcasecmp(value, "off") == 0) {
msr-&gt;txcfg-&gt;is_enabled = MODSEC_DISABLED;
msr-&gt;usercfg-&gt;is_enabled = MODSEC_DISABLED;
}
if (strcasecmp(value, "detectiononly") == 0) {
msr-&gt;txcfg-&gt;is_enabled = MODSEC_DETECTION_ONLY;
msr-&gt;usercfg-&gt;is_enabled = MODSEC_DETECTION_ONLY;
}
return 1;
} else</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1GFT4L">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:05:44:757 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 23:10:38:787 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="774">apache2/re_actions.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>inner if's should be else if's. TODO needs looked into.</Summary>
<Description>if (strcasecmp(name, "auditEngine") == 0) {
if (strcasecmp(value, "on") == 0) {
msr-&gt;txcfg-&gt;auditlog_flag = AUDITLOG_ON;
msr-&gt;usercfg-&gt;auditlog_flag = AUDITLOG_ON;
}
if (strcasecmp(value, "off") == 0) {
msr-&gt;txcfg-&gt;auditlog_flag = AUDITLOG_OFF;
msr-&gt;usercfg-&gt;auditlog_flag = AUDITLOG_OFF;
}
if (strcasecmp(value, "relevantonly") == 0) {
msr-&gt;txcfg-&gt;auditlog_flag = AUDITLOG_RELEVANT;
msr-&gt;usercfg-&gt;auditlog_flag = AUDITLOG_RELEVANT;
}
msr_log(msr, 4, "Ctl: Set auditEngine to %d.", msr-&gt;txcfg-&gt;auditlog_flag); // TODO
return 1;
} else</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1GIPSC">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:08:00:396 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:11:59:825 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="812">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>That warning quieter should be s++. An evil typo that was fixed in 2.1.x, but not trunk!</Summary>
<Description>while(*s != '\0') {
if (*s != c) {
*d++ = *s++;
} else {
(*s)++; /* parens quiet compiler warning */
}
}
*d = '\0';</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1GPE4U">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:13:11:886 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:13:40:681 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="855">apache2/re_actions.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Should log an internal error here.</Summary>
<Description>else {
/* ENH Should never happen, but log if it does. */
return -1;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5E7W5S">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:14:40:912 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:15:54:834 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="257">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Should log a level 9 msg here.</Summary>
<Description>} else {
/* We could not identify a valid macro so add it as text. */
part = (msc_string *)apr_pcalloc(mptmp, sizeof(msc_string));
if (part == NULL) return -1;
part-&gt;value_len = p - text_start + 1; /* len(text)+len("%") */
part-&gt;value = apr_pstrmemdup(mptmp, text_start, part-&gt;value_len);
*(msc_string **)apr_array_push(arr) = part;
next_text_start = p + 1;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5F0SCX">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:37:09:009 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:41:55:614 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1152">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Probably should use apr_strtoi64 where we can tell if there was an error in conversion since we are potentially taking a value from a macro expansion. Also may want to look for overflow.</Summary>
<Description>value += atoi(var_value);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5F8LTP">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:43:13:789 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:43:36:608 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1232">apache2/re_actions.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Missing error log needs implemented.</Summary>
<Description>} else {
/* ENH Log warning detected variable name but no collection. */
return 0;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5FKPU1">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:52:38:857 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:53:56:791 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1288">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Not sure why we would not want to deprecate a TX var. Further rules could use this even if TX is not persisted.</Summary>
<Description>/* IMP1 Add message TX variables cannot deprecate in value. */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5FMRRL">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:54:14:673 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:54:26:858 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1296">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Missing error log needs implemented.</Summary>
<Description>} else {
/* ENH Log warning detected variable name but no collection. */
return 0;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5FYEPM">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 12:03:17:626 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 23:10:15:221 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1383">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>The timeout is hardcoded to 3600. The docs state TIMEOUT is read-only, but this is not true. So, you can modify TIMEOUT.</Summary>
<Description>/* IMP1 Is the timeout hard-coded to 3600? */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5KKC6Q">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 14:12:19:250 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 14:14:28:669 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="432">apache2/msc_logging.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>apr_dir_make_recursive will attempt to create the dir straight away and if that fails keep backing off a dir until it can start creating, so I see no need to cache. Besides, what happens if you cache, then someone deletes the path from outside apache?</Summary>
<Description>/* IMP1 Surely it would be more efficient to check the folders for
* the audit log repository base path in the configuration phase, to reduce
* the work we do on every request. Also, since our path depends on time,
* we could cache the time we last checked and don't check if we know
* the folder is there.
*/
rc = apr_dir_make_recursive(entry_basename, CREATEMODE_DIR, msr-&gt;mp);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5KZEQ2">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 14:24:02:378 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 14:50:55:762 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1555">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>We already have support for relative filenames, but cannot get to this data from here. This needs solved by passing more data to the validate function (cmd_parms rec). Maybe need a warning here stating we do not support them yet, or it might be confusing to users that we do not here but do elsewhere.</Summary>
<Description>/* TODO Support relative filenames. */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5LC7EW">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 14:33:59:432 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 15:59:35:056 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="148">apache2/re.h</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Why not stored in op_param_data like @rx, etc. The param_data is used w/exec action for lua.</Summary>
<Description>/* Compiled Lua script. */
msc_script *script;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5O8K70">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 15:55:08:220 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:02:36:938 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1578">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>This assumes lua is the only type (which it is now), but should be re-writen with a script_rec stored in param_data.</Summary>
<Description>if (action-&gt;param_data != NULL) { /* Lua */
msc_script *script = (msc_script *)action-&gt;param_data;
char *my_error_msg = NULL;
if (lua_execute(script, NULL, msr, rule, &amp;my_error_msg) &lt; 0) {
msr_log(msr, 1, "%s", my_error_msg);
return 0;
}
} else { /* Execute as shell script. */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5OFXDP">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:00:51:901 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:04:13:185 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1557">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Not sure using an extension is a good idea here. Better I think would be to specify a type: "exec:[type=]/path/to/file" as in "exec:lua=/path/to/script" and make param_data a script_rec with a type and value. Also we use the abstract param_data here vs using a specific field as in SecRuleScript.</Summary>
<Description>/* Process Lua scripts internally. */
if (strlen(filename) &gt; 4) {
char *p = filename + strlen(filename) - 4;
if ((p[0] == '.')&amp;&amp;(p[1] == 'l')&amp;&amp;(p[2] == 'u')&amp;&amp;(p[3] == 'a')) {
/* It's a Lua script. */
msc_script *script = NULL;
/* Compile script. */
char *msg = lua_compile(&amp;script, filename, engine-&gt;mp);
if (msg != NULL) return msg;
action-&gt;param_data = script;
}
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5OQ8VP">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:08:53:365 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:09:41:123 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1341">apache2/re.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Should not log_escape the actions as they will get double escaped (once now and again when logged).</Summary>
<Description>} else {
rule-&gt;unparsed = apr_psprintf(ruleset-&gt;mp, "SecRuleScript \"%s\" \"%s\"",
script_filename, log_escape(ruleset-&gt;mp, actions));
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5P1XTB">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:17:58:895 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:18:20:235 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1233">apache2/re.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Should not log_escape the actions as they will get double escaped (once now and again when logged).</Summary>
<Description>/* Add the unparsed rule */
if ((strcmp(SECACTION_TARGETS, targets) == 0) &amp;&amp; (strcmp(SECACTION_ARGS, args) == 0)) {
rule-&gt;unparsed = apr_psprintf(ruleset-&gt;mp, "SecAction \"%s\"",
log_escape(ruleset-&gt;mp, actions));
}
else
if ((strcmp(SECMARKER_TARGETS, targets) == 0)
&amp;&amp; (strcmp(SECMARKER_ARGS, args) == 0)
&amp;&amp; (strncmp(SECMARKER_BASE_ACTIONS, actions, strlen(SECMARKER_BASE_ACTIONS)) == 0))
{
rule-&gt;unparsed = apr_psprintf(ruleset-&gt;mp, "SecMarker \"%s\"",
log_escape(ruleset-&gt;mp, actions + strlen(SECMARKER_BASE_ACTIONS)));
}
else {
if (actions == NULL) {
rule-&gt;unparsed = apr_psprintf(ruleset-&gt;mp, "SecRule \"%s\" \"%s\"",
log_escape(ruleset-&gt;mp, targets), log_escape(ruleset-&gt;mp, args));
} else {
rule-&gt;unparsed = apr_psprintf(ruleset-&gt;mp, "SecRule \"%s\" \"%s\" \"%s\"",
log_escape(ruleset-&gt;mp, targets), log_escape(ruleset-&gt;mp, args),
log_escape(ruleset-&gt;mp, actions));
}
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5P819B">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:22:43:295 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:32:24:969 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="200">apache2/re.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>No logging should be done here as we are passing the error_msg back to the parent and they are responsible for this.</Summary>
<Description>if (*error_msg != NULL) {
/* ENH Shouldn't we log the problem? */
return NULL;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5PIA63">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:30:41:403 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:31:00:930 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="47">apache2/re.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Need to log on failure.</Summary>
<Description>var = msre_create_var(ruleset, telts[i].key, telts[i].val, NULL, error_msg);
if (var == NULL) return -1;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5PPSA2">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:36:31:466 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:36:54:189 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="297">apache2/re.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Should replace with isvarnamechar() if possible.</Summary>
<Description>while((*p != '\0')&amp;&amp;(*p != '|')&amp;&amp;(*p != ':')&amp;&amp;(*p != ',')&amp;&amp;(!isspace(*p))) p++; /* ENH replace with isvarnamechar() */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5PTFC4">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:39:21:316 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:39:30:027 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="356">apache2/re.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix or remove TODO.</Summary>
<Description>// TODO better 64-bit support here
*error_msg = apr_psprintf(mp, "Missing closing quote at position %d: %s",
(int)(p - text), text);
free(value);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5PTZEE">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:39:47:318 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:39:57:589 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="364">apache2/re.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix or remove TODO.</Summary>
<Description>// TODO better 64-bit support here
*error_msg = apr_psprintf(mp, "Invalid quoted pair at position %d: %s",
(int)(p - text), text);
free(value);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5PUL8Y">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:40:15:634 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:40:35:216 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="371">apache2/re.c</File>
<Type>item.type.label.clarity</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Add parens for clarity.</Summary>
<Description>*d++ = *p++;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5PV6Q0">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:40:43:464 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:41:41:536 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="379">apache2/re.c</File>
<Type>item.type.label.clarity</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Add parens for clarity.</Summary>
<Description>*d++ = *p++;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5YNPAO">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 20:46:50:832 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 20:48:20:448 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="181">apache2/acmp.c</File>
<Type>item.type.label.clarity</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Add parens for clarity.</Summary>
<Description>*ucs_chars++ = *c++;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5YP23X">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 20:47:54:093 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 20:48:06:880 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="127">apache2/msc_multipart.c</File>
<Type>item.type.label.clarity</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Add parens for clarity.</Summary>
<Description>*t++ = *p++;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5YQ3DS">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 20:48:42:400 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 20:50:00:027 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="814">apache2/re_actions.c</File>
<Type>item.type.label.clarity</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Add parens for clarity.</Summary>
<Description>*d++ = *s++;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB605I87">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 21:28:41:095 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 21:40:15:511 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="149">apache2/msc_reqbody.c</File>
<Type>item.type.label.programLogic</Type>
<Severity>item.severity.label.major</Severity>
<Summary>Potential memory leak if modsecurity_request_body_store_disk() fails. Returning here causes modsecurity_request_body_end() to never be called and never free chunk data. See also notes in read_request_body() in apache_io.c.</Summary>
<Description>/* Write the data we keep in memory */
chunks = (msc_data_chunk **)msr-&gt;msc_reqbody_chunks-&gt;elts;
for(i = 0; i &lt; msr-&gt;msc_reqbody_chunks-&gt;nelts; i++) {
disklen += chunks[i]-&gt;length;
if (modsecurity_request_body_store_disk(msr, chunks[i]-&gt;data, chunks[i]-&gt;length, error_msg) &lt; 0) {
return -1;
}
free(chunks[i]-&gt;data);
chunks[i]-&gt;data = NULL;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB60NQ60">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 21:42:51:192 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 21:44:12:097 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="224">apache2/apache2_io.c</File>
<Type>item.type.label.programLogic</Type>
<Severity>item.severity.label.major</Severity>
<Summary>Returning here may fail to free chunks data due to modsecurity_request_body_end() not being called.</Summary>
<Description>int rcbs = modsecurity_request_body_store(msr, buf, buflen, error_msg);
if (rcbs &lt; 0) {
if (rcbs == -5) {
*error_msg = apr_psprintf(msr-&gt;mp, "Requests body no files data length is larger than the "
"configured limit (%lu).", msr-&gt;txcfg-&gt;reqbody_no_files_limit);
return -5;
}
return -1;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB60XMEY">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 21:50:32:890 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 21:52:29:239 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="196">apache2/modsecurity.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.major</Severity>
<Summary>Good. This looks to solve the other issues noted as possible memory leaks in body chunk data due to modsecurity_request_body_end() not being called. Need to verify, though.</Summary>
<Description>/* Register TX cleanup */
apr_pool_cleanup_register(msr-&gt;mp, msr, modsecurity_tx_cleanup, apr_pool_cleanup_null);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB6197M3">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 21:59:33:579 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:00:34:198 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="835">apache2/msc_util.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Actually, the parens are *required* for correctness, so remove the comments.</Summary>
<Description>(*invalid_count)++; /* parens quiet compiler warning */
}
} else {
/* Not enough bytes available, copy the raw bytes. */
*d++ = input[i++];
count ++;
(*invalid_count)++; /* parens quiet compiler warning */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB61EAWY">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:03:31:138 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:04:07:108 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="608">apache2/re.c</File>
<Type>item.type.label.irrelevant</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Does not appear to be used anywhere.</Summary>
<Description>/**
* Destroys an engine instance, releasing the consumed memory.
*/
void msre_engine_destroy(msre_engine *engine) {
/* Destroyed automatically by the parent pool.
* apr_pool_destroy(engine-&gt;mp);
*/
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB61FEGU">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:04:22:398 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:04:35:724 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="86">apache2/re.h</File>
<Type>item.type.label.irrelevant</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Does not appear to be used anywhere.</Summary>
<Description>void DSOLOCAL msre_engine_destroy(msre_engine *engine);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB624EJX">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:23:48:909 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:24:44:929 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="908">apache2/re.c</File>
<Type>item.type.label.clarity</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>This version should be moved up next to the normal version.</Summary>
<Description>#if defined(PERFORMANCE_MEASUREMENT)
apr_status_t msre_ruleset_process_phase(msre_ruleset *ruleset, modsec_rec *msr) {
...
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB62D9GN">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:30:42:215 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:45:42:260 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1096">apache2/re.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.major</Severity>
<Summary>Hmm, I thought this had already been fixed in trunk. Missing logging phase. Need to fix in 2.1.5 as well.</Summary>
<Description>/**
* Removes from the ruleset all rules that match the given exception.
*/
int msre_ruleset_rule_remove_with_exception(msre_ruleset *ruleset, rule_exception *re) {
int count = 0;
if (ruleset == NULL) return 0;
count += msre_ruleset_phase_rule_remove_with_exception(ruleset, re, ruleset-&gt;phase_request_headers);
count += msre_ruleset_phase_rule_remove_with_exception(ruleset, re, ruleset-&gt;phase_request_body);
count += msre_ruleset_phase_rule_remove_with_exception(ruleset, re, ruleset-&gt;phase_response_headers);
count += msre_ruleset_phase_rule_remove_with_exception(ruleset, re, ruleset-&gt;phase_response_body);
return count;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB62Y1B3">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:46:51:423 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:47:22:231 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1119">apache2/re.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Should move this to a static global for performance.</Summary>
<Description>static const char *const severities[] = {
"EMERGENCY",
"ALERT",
"CRITICAL",
"ERROR",
"WARNING",
"NOTICE",
"INFO",
"DEBUG",
NULL,
};</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB630W8M">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:49:04:822 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:49:16:740 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1179">apache2/re.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Implement TODO.</Summary>
<Description>//TODO: restrict to 512 bytes</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB6348JB">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:51:40:727 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:53:13:118 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1150">apache2/re.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>tags set to NULL would be a bit better as it would stop apr_pstrcat() earlier, but tags *must* remain last or wierd results.</Summary>
<Description>char *tags = "";</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB6UPQJW">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-08 :: 11:44:13:484 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-08 :: 11:45:29:864 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1528">apache2/re.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>This causes two loops through the action list. Perhaps there is a more performant way to do these at the same time? Maybe split into two lists?</Summary>
<Description>/* Perform non-disruptive actions. */
msre_perform_nondisruptive_actions(msr, rule, rule-&gt;actionset, mptmp);
/* Perform disruptive actions, but only if
* this rule is not part of a chain.
*/
if (rule-&gt;actionset-&gt;is_chained == 0) {
msre_perform_disruptive_actions(msr, rule, acting_actionset, mptmp, my_error_msg);
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB6VV1A0">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-08 :: 12:16:20:280 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-08 :: 12:16:40:432 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1716">apache2/re.c</File>
<Type>item.type.label.irrelevant</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>These do not appear to be needed.</Summary>
<Description>tfnspath = NULL;
tfnskey = NULL;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB6W0DKJ">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-08 :: 12:20:29:491 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-08 :: 12:28:11:109 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1728">apache2/re.c</File>
<Type>item.type.label.programLogic</Type>
<Severity>item.severity.label.major</Severity>
<Summary>This does not appear to work as the tfnskey is not being built here. Need to build the tfnskey in this loop for this to work.</Summary>
<Description>/* check cache, saving the 'most complete' */
crec = (msre_cache_rec *)apr_table_get(cachetab, tfnskey);
if (crec != NULL) {
last_crec = crec;
last_cached_tfn = tfnscount;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
</Review>