github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 13:56:01 +03:00
Code Issues Packages Projects Releases Wiki Activity
ModSecurity/review/pre-2.5-brian.review
brectanus 9fb03d277d Fixing code based on review comments... 
Cleaned up what vars are cacheable.
Added parens around "*foo++" where it clarified the operation to be "*(foo++)".
Added " at VARNAME" to operator matches where needed.
Escaped var->name in the var generation (user-supplied data).
Marked a bunch of TODOs as ENHs instead.
Transformed some C++ style comments to C style.
Removed the %0-9 macros code which was commented out.
Optimized some ctl action code so that multiple ifs are else ifs.
Implemented some error messages marked as ENH.
Make commented out acmp debugging a configure-time option.
Cleanup GEO debug log messages.
Added relative filename support for geo dbs.
Added help text to Sec* directives.
2008-01-18 00:47:30 +00:00

3437 lines
160 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<Review id="pre-2.5">
<ReviewIssue id="FB137W3T">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 10:55:40:361 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:47:15:701 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="2204">apache2/re_variables.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.normal</Severity>
<Summary>Is ENV really cacheable? It could change via setenv.</Summary>
<Description>/* ENV */
msre_engine_variable_register(engine,
"ENV",
VAR_LIST,
0, 1,
var_env_validate,
var_env_generate,
VAR_CACHE,
PHASE_REQUEST_HEADERS
);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB13ARFR">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 10:57:54:279 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:43:38:825 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="2270">apache2/re_variables.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>GEO is probably not cacheable as it changes with every @geoLookup operator.</Summary>
<Description>/* GEO */
msre_engine_variable_register(engine,
"GEO",
VAR_LIST,
1, 1,
var_generic_list_validate,
var_geo_generate,
VAR_CACHE,
PHASE_REQUEST_HEADERS
);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB13GOJ6">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:02:30:450 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:43:20:652 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="2281">apache2/re_variables.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>GLOBAL is not documented. Is it cacheable?</Summary>
<Description>/* GLOBAL */
msre_engine_variable_register(engine,
"GLOBAL",
VAR_LIST,
1, 1,
var_generic_list_validate,
var_global_generate,
VAR_CACHE,
PHASE_REQUEST_HEADERS
);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB13M9C2">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:06:50:690 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:43:02:916 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="2303">apache2/re_variables.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>IP undocumented. Probably not cacheable as it can change via setvar, etc.</Summary>
<Description>/* IP */
msre_engine_variable_register(engine,
"IP",
VAR_LIST,
1, 1,
var_generic_list_validate,
var_ip_generate,
VAR_CACHE,
PHASE_REQUEST_HEADERS
);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB13OJ5P">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:08:36:733 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:42:44:589 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="2534">apache2/re_variables.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>RESOURCE is undocumented. Probably not cacheable as it is easily changed.</Summary>
<Description>/* RESOURCE */
msre_engine_variable_register(engine,
"RESOURCE",
VAR_LIST,
1, 1,
var_generic_list_validate,
var_resource_generate,
VAR_CACHE,
PHASE_REQUEST_HEADERS
);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB13W5BF">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:14:32:043 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:41:31:558 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="2908">apache2/re_variables.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>SESSION is probably not cacheable since it is modifyable via setvar.</Summary>
<Description>/* SESSION */
msre_engine_variable_register(engine,
"SESSION",
VAR_LIST,
1, 1,
var_generic_list_validate,
var_session_generate,
VAR_CACHE,
PHASE_REQUEST_HEADERS
);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB14A5TJ">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:25:25:879 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 17:00:23:571 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="95">apache2/apache2_util.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Portable way to format sizeof()?</Summary>
<Description>msr_log(msr, 1, "Exec: Unable to allocate %lu bytes.", (unsigned long)sizeof(*procnew));</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB154B83">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:48:52:563 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:50:30:473 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="209">apache2/re_actions.c</File>
<Type>item.type.label.irrelevant</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>This #if 0'd out code should be removed.</Summary>
<Description>/* Removed %0-9 macros as it messes up urlEncoding in the match
* where having '%0a' will be treated as %{TX.0}a, which is incorrect.
* */
#if 0
else if ((*(p + 1) &gt;= '0')&amp;&amp;(*(p + 1) &lt;= '9')) {
/* Special case for regex captures. */
var_name = "TX";
var_value = apr_pstrmemdup(mptmp, p + 1, 1);
next_text_start = p + 2;
}
#endif</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB15AL3F">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 11:53:45:291 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 14:51:42:573 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="276">apache2/re_actions.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Use apr_array_pstrcat(msr-&gt;mp, arr, NULL) instead?</Summary>
<Description>/* If there's more than one member of the array that
* means there was at least one macro present. Combine
* text parts into a single string now.
*/
if (arr-&gt;nelts &gt; 1) {
/* Figure out the required size for the string. */
var-&gt;value_len = 0;
for(i = 0; i &lt; arr-&gt;nelts; i++) {
part = ((msc_string **)arr-&gt;elts)[i];
var-&gt;value_len += part-&gt;value_len;
}
/* Allocate the string. */
var-&gt;value = apr_palloc(msr-&gt;mp, var-&gt;value_len + 1);
if (var-&gt;value == NULL) return -1;
/* Combine the parts. */
offset = 0;
for(i = 0; i &lt; arr-&gt;nelts; i++) {
part = ((msc_string **)arr-&gt;elts)[i];
memcpy((char *)(var-&gt;value + offset), part-&gt;value, part-&gt;value_len);
offset += part-&gt;value_len;
}
var-&gt;value[offset] = '\0';
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB15JPH9">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 12:00:50:877 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 12:03:50:156 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="246">apache2/re_operators.c</File>
<Type>Suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Use resolve_relative_path() instead? Maybe a config_relative_path() to just get the path?</Summary>
<Description>/* Get the path of the rule filename to use as a base */
rulefile_path = apr_pstrndup(rule-&gt;ruleset-&gt;mp, rule-&gt;filename, strlen(rule-&gt;filename) - strlen(apr_filepath_name_get(rule-&gt;filename)));</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB18IF9M">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 13:23:49:834 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:26:24:257 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="265">apache2/re_operators.c</File>
<Type>item.type.label.clarity</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Add parens for clarity.</Summary>
<Description>*next++ = '\0';</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB1BQL2O">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 14:54:09:456 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 14:55:05:945 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="310">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Need to check return code and log an error on failure.</Summary>
<Description>acmp_add_pattern(p, buf, NULL, NULL, strlen(buf));</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1BST7G">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 14:55:53:308 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 14:56:17:267 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="315">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Need to check return code and log an error on failure.</Summary>
<Description>acmp_prepare(p);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1BVP52">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 14:58:08:006 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:00:17:190 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="379">apache2/re_operators.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.minor</Severity>
<Summary>See if apr_strmatch is faster.</Summary>
<Description>msre_op_within_execute</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1BXI7P">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 14:59:32:341 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 14:59:59:858 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="442">apache2/re_operators.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.minor</Severity>
<Summary>See if apr_strmatch is faster.</Summary>
<Description>msre_op_contains_execute</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1C083S">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:01:39:208 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:02:04:258 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="506">apache2/re_operators.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.minor</Severity>
<Summary>See if apr_strmatch is faster.</Summary>
<Description>msre_op_containsWord_execute</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1C28BC">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:03:12:792 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:04:40:965 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="170">apache2/re_actions.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.minor</Severity>
<Summary>This implementation comment needs to be coded as many string operators now attempt to resolve macros.</Summary>
<Description>/* IMP1 Duplicate the string and create the array on
* demand, thus not having to do it if there are
* no macros in the input data.
*/
data = apr_pstrdup(mptmp, var-&gt;value); /* IMP1 Are we modifying data anywhere? */
arr = apr_array_make(mptmp, 16, sizeof(msc_string *));
if ((data == NULL)||(arr == NULL)) return -1;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1CEPS4">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:12:55:300 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:13:19:677 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.minor</Severity>
<Summary>Need more unit tests for operators. Start with new operators.</Summary>
<Description />
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1D9K44">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:36:54:292 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:37:50:111 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1885">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>@m operator is not documented. This does the same as @contains, so it was suggested earlier to use the @m algorithm for contains (if faster) and drop @m.</Summary>
<Description>/* m */
msre_engine_op_register(engine,
"m",
msre_op_m_param_init,
msre_op_m_execute
);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1DI9VN">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:43:40:931 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:38:59:940 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1109">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>@geoLookup should set error_msg on success to something like "Successful geograpical lookup of \"%s\" at %s."</Summary>
<Description>msre_op_geoLookup_execute</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB1DMQVA">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:47:09:574 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:40:07:483 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1230">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>@rbl fails to set the var name in error_msg. Should append "at %s".</Summary>
<Description>rc = apr_sockaddr_info_get(&amp;sa, name_to_check,
APR_UNSPEC/*msr-&gt;r-&gt;connection-&gt;remote_addr-&gt;family*/, 0, 0, msr-&gt;mp);
if (rc == APR_SUCCESS) {
*error_msg = apr_psprintf(msr-&gt;r-&gt;pool, "RBL lookup of %s succeeded.",
log_escape_nq(msr-&gt;mp, name_to_check));
return 1; /* Match. */
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB1DP8LY">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:49:05:878 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:56:55:081 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1275">apache2/re_operators.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.major</Severity>
<Summary>Change from TODO to ENH.</Summary>
<Description />
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB1DW247">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:54:24:055 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:57:08:520 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1259">apache2/re_operators.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Need to remove the LUA #ifdef's</Summary>
<Description>#ifdef WITH_LUA</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB1DYM7R">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:56:23:415 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:57:21:641 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1324">apache2/re_operators.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>The LUA #ifdef's should be removed, but if it is decided not to, then this lua call needs to be #ifdef'd.</Summary>
<Description>} else {
/* Execute internally, as Lua script. */
char *target = apr_pstrmemdup(msr-&gt;mp, var-&gt;value, var-&gt;value_len);
msc_script *script = (msc_script *)rule-&gt;op_param_data;
int rc;
rc = lua_execute(script, target, msr, rule, error_msg);
if (rc &lt; 0) {
/* Error. */
return -1;
}
return rc;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB1E0Q7Y">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:58:01:918 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 15:58:58:621 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1330">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.major</Severity>
<Summary>Need an error_msg set for lua execution error.</Summary>
<Description>rc = lua_execute(script, target, msr, rule, error_msg);
if (rc &lt; 0) {
/* Error. */
return -1;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1E3GFO">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:00:09:204 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:38:08:350 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1403">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>@validateByteRange does not output the VAR name on match. Need to append " at %s."</Summary>
<Description>msre_op_validateByteRange_execute</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.invalidWontfix</Resolution>
<Status>item.status.label.closed</Status>
</ReviewIssue>
<ReviewIssue id="FB1E5VS3">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:02:02:403 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:06:22:410 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1477">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>@validateurlEncoding does not output VAR name nor offset in error_msg on match.</Summary>
<Description>msre_op_validateUrlEncoding_execute</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1E87O7">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:03:51:127 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:30:07:550 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1659">apache2/re_operators.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Numeric operators (@eq, etc) do not output VAR name on match.</Summary>
<Description>msre_op_eq_execute
msre_op_gt_execute
msre_op_lt_execute
msre_op_ge_execute
msre_op_le_execute</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB1EJCRJ">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:12:30:943 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:57:45:711 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="202">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>No.</Summary>
<Description>/* ENH Do we want to support %{DIGIT} as well? */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB1EMD8B">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:14:51:515 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 14:22:10:119 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="402">apache2/re_actions.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Implement. Need to check if Apache will return an invalid status code</Summary>
<Description>/* status */
static char *msre_action_status_validate(msre_engine *engine, msre_action *action) {
/* ENH action-&gt;param must be a valid HTTP status code. */
return NULL;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1ENQBX">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:15:55:149 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:16:52:467 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="422">apache2/re_actions.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Implement.</Summary>
<Description>/* pause */
static char *msre_action_pause_validate(msre_engine *engine, msre_action *action) {
/* ENH Validate a positive number. */
return NULL;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1EPUYO">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:17:34:464 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:22:35:501 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="434">apache2/re_actions.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Implement as a valid URI check with apr_uri_parse()?</Summary>
<Description>/* redirect */
static char *msre_action_redirect_validate(msre_engine *engine, msre_action *action) {
/* ENH Add validation. */
return NULL;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1EWH8Q">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:22:43:274 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:22:54:679 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="465">apache2/re_actions.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Implement as a valid URI check with apr_uri_parse()?</Summary>
<Description>/* proxy */
static char *msre_action_proxy_validate(msre_engine *engine, msre_action *action) {
/* ENH Add validation. */
return NULL;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1EZDG2">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:24:58:322 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:13:48:178 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="530">apache2/re_actions.c</File>
<Type>item.type.label.irrelevant</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>I believe this is already done and comment needs removed.</Summary>
<Description>// TODO: Need to keep track of skipAfter IDs so we can insert placeholders after
// we get to the real rule with that ID.</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB1F1P3G">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:26:46:732 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:27:54:881 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="507">apache2/re_actions.c</File>
<Type>item.type.label.irrelevant</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>I do not see a need to validate beyound what is already done in the init function.</Summary>
<Description>msre_action_skip_validate
msre_action_skipAfter_validate</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1F4AX8">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:28:48:332 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:29:03:587 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="570">apache2/re_actions.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Implement.</Summary>
<Description>/* phase */
static char *msre_action_phase_validate(msre_engine *engine, msre_action *action) {
/* ENH Add validation. */
return NULL;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1FXYL9">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:51:52:029 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:03:32:872 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="612">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Probably should also calc length and validate a length &gt; 0 instead of just checking NULL. Other checks would benefit from checking a length as well, so no harm in calculating that.</Summary>
<Description>if (value == NULL) {
return apr_psprintf(engine-&gt;mp, "Missing ctl value for name: %s", name);
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1G3IER">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:56:10:995 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 16:59:47:800 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="708">apache2/re_actions.c</File>
<Type>item.type.label.irrelevant</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Why register init() if we do not use it?</Summary>
<Description>static apr_status_t msre_action_ctl_init(msre_engine *engine, msre_actionset *actionset,
msre_action *action)
{
/* Do nothing. */
return 1;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1G9H6K">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:00:49:340 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:02:15:141 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="235">apache2/msc_logging.c</File>
<Type>item.type.label.programLogic</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>This allows an empty string as a valid part. This misvalidates "ctl:auditLogParts=+", etc.</Summary>
<Description>is_valid_parts_specification</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1GENRN">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:04:51:155 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:12:33:664 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="726">apache2/re_actions.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Inner if's should be else if's.</Summary>
<Description>if (strcasecmp(name, "ruleEngine") == 0) {
if (strcasecmp(value, "on") == 0) {
msr-&gt;txcfg-&gt;is_enabled = MODSEC_ENABLED;
msr-&gt;usercfg-&gt;is_enabled = MODSEC_ENABLED;
}
if (strcasecmp(value, "off") == 0) {
msr-&gt;txcfg-&gt;is_enabled = MODSEC_DISABLED;
msr-&gt;usercfg-&gt;is_enabled = MODSEC_DISABLED;
}
if (strcasecmp(value, "detectiononly") == 0) {
msr-&gt;txcfg-&gt;is_enabled = MODSEC_DETECTION_ONLY;
msr-&gt;usercfg-&gt;is_enabled = MODSEC_DETECTION_ONLY;
}
return 1;
} else</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB1GFT4L">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:05:44:757 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:12:12:876 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="774">apache2/re_actions.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>TODO needs looked into.</Summary>
<Description>if (strcasecmp(name, "auditEngine") == 0) {
if (strcasecmp(value, "on") == 0) {
msr-&gt;txcfg-&gt;auditlog_flag = AUDITLOG_ON;
msr-&gt;usercfg-&gt;auditlog_flag = AUDITLOG_ON;
}
if (strcasecmp(value, "off") == 0) {
msr-&gt;txcfg-&gt;auditlog_flag = AUDITLOG_OFF;
msr-&gt;usercfg-&gt;auditlog_flag = AUDITLOG_OFF;
}
if (strcasecmp(value, "relevantonly") == 0) {
msr-&gt;txcfg-&gt;auditlog_flag = AUDITLOG_RELEVANT;
msr-&gt;usercfg-&gt;auditlog_flag = AUDITLOG_RELEVANT;
}
msr_log(msr, 4, "Ctl: Set auditEngine to %d.", msr-&gt;txcfg-&gt;auditlog_flag); // TODO
return 1;
} else</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB1GIPSC">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:08:00:396 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:59:05:782 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="812">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>That warning quieter should be s++. An evil typo that was fixed in 2.1.x, but not trunk!</Summary>
<Description>while(*s != '\0') {
if (*s != c) {
*d++ = *s++;
} else {
(*s)++; /* parens quiet compiler warning */
}
}
*d = '\0';</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB1GPE4U">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:13:11:886 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-04 :: 17:13:40:681 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="855">apache2/re_actions.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Should log an internal error here.</Summary>
<Description>else {
/* ENH Should never happen, but log if it does. */
return -1;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5E7W5S">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:14:40:912 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:15:54:834 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="257">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Should log a level 9 msg here.</Summary>
<Description>} else {
/* We could not identify a valid macro so add it as text. */
part = (msc_string *)apr_pcalloc(mptmp, sizeof(msc_string));
if (part == NULL) return -1;
part-&gt;value_len = p - text_start + 1; /* len(text)+len("%") */
part-&gt;value = apr_pstrmemdup(mptmp, text_start, part-&gt;value_len);
*(msc_string **)apr_array_push(arr) = part;
next_text_start = p + 1;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5F0SCX">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:37:09:009 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:41:55:614 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1152">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Probably should use apr_strtoi64 where we can tell if there was an error in conversion since we are potentially taking a value from a macro expansion. Also may want to look for overflow.</Summary>
<Description>value += atoi(var_value);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5F8LTP">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:43:13:789 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:10:24:140 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1232">apache2/re_actions.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Missing error log needs implemented.</Summary>
<Description>} else {
/* ENH Log warning detected variable name but no collection. */
return 0;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB5FKPU1">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:52:38:857 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:53:56:791 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1288">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Not sure why we would not want to deprecate a TX var. Further rules could use this even if TX is not persisted.</Summary>
<Description>/* IMP1 Add message TX variables cannot deprecate in value. */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5FMRRL">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 11:54:14:673 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:04:13:383 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1296">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Missing error log needs implemented.</Summary>
<Description>} else {
/* ENH Log warning detected variable name but no collection. */
return 0;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB5FYEPM">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 12:03:17:626 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 23:10:15:221 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1383">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>The timeout is hardcoded to 3600. The docs state TIMEOUT is read-only, but this is not true. So, you can modify TIMEOUT.</Summary>
<Description>/* IMP1 Is the timeout hard-coded to 3600? */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5KKC6Q">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 14:12:19:250 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 14:14:28:669 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="432">apache2/msc_logging.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>apr_dir_make_recursive will attempt to create the dir straight away and if that fails keep backing off a dir until it can start creating, so I see no need to cache. Besides, what happens if you cache, then someone deletes the path from outside apache?</Summary>
<Description>/* IMP1 Surely it would be more efficient to check the folders for
* the audit log repository base path in the configuration phase, to reduce
* the work we do on every request. Also, since our path depends on time,
* we could cache the time we last checked and don't check if we know
* the folder is there.
*/
rc = apr_dir_make_recursive(entry_basename, CREATEMODE_DIR, msr-&gt;mp);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5KZEQ2">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 14:24:02:378 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 14:50:55:762 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1555">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>We already have support for relative filenames, but cannot get to this data from here. This needs solved by passing more data to the validate function (cmd_parms rec). Maybe need a warning here stating we do not support them yet, or it might be confusing to users that we do not here but do elsewhere.</Summary>
<Description>/* TODO Support relative filenames. */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5LC7EW">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 14:33:59:432 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 15:59:35:056 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="148">apache2/re.h</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Why not stored in op_param_data like @rx, etc. The param_data is used w/exec action for lua.</Summary>
<Description>/* Compiled Lua script. */
msc_script *script;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5O8K70">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 15:55:08:220 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:02:36:938 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1578">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>This assumes lua is the only type (which it is now), but should be re-writen with a script_rec stored in param_data.</Summary>
<Description>if (action-&gt;param_data != NULL) { /* Lua */
msc_script *script = (msc_script *)action-&gt;param_data;
char *my_error_msg = NULL;
if (lua_execute(script, NULL, msr, rule, &amp;my_error_msg) &lt; 0) {
msr_log(msr, 1, "%s", my_error_msg);
return 0;
}
} else { /* Execute as shell script. */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5OFXDP">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:00:51:901 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:04:13:185 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1557">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Not sure using an extension is a good idea here. Better I think would be to specify a type: "exec:[type=]/path/to/file" as in "exec:lua=/path/to/script" and make param_data a script_rec with a type and value. Also we use the abstract param_data here vs using a specific field as in SecRuleScript.</Summary>
<Description>/* Process Lua scripts internally. */
if (strlen(filename) &gt; 4) {
char *p = filename + strlen(filename) - 4;
if ((p[0] == '.')&amp;&amp;(p[1] == 'l')&amp;&amp;(p[2] == 'u')&amp;&amp;(p[3] == 'a')) {
/* It's a Lua script. */
msc_script *script = NULL;
/* Compile script. */
char *msg = lua_compile(&amp;script, filename, engine-&gt;mp);
if (msg != NULL) return msg;
action-&gt;param_data = script;
}
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5OQ8VP">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:08:53:365 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:25:58:269 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1341">apache2/re.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Should not log_escape the actions as they will get double escaped (once now and again when logged).</Summary>
<Description>} else {
rule-&gt;unparsed = apr_psprintf(ruleset-&gt;mp, "SecRuleScript \"%s\" \"%s\"",
script_filename, log_escape(ruleset-&gt;mp, actions));
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.invalidWontfix</Resolution>
<Status>item.status.label.closed</Status>
</ReviewIssue>
<ReviewIssue id="FB5P1XTB">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:17:58:895 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:26:18:631 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1233">apache2/re.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Should not log_escape the actions as they will get double escaped (once now and again when logged).</Summary>
<Description>/* Add the unparsed rule */
if ((strcmp(SECACTION_TARGETS, targets) == 0) &amp;&amp; (strcmp(SECACTION_ARGS, args) == 0)) {
rule-&gt;unparsed = apr_psprintf(ruleset-&gt;mp, "SecAction \"%s\"",
log_escape(ruleset-&gt;mp, actions));
}
else
if ((strcmp(SECMARKER_TARGETS, targets) == 0)
&amp;&amp; (strcmp(SECMARKER_ARGS, args) == 0)
&amp;&amp; (strncmp(SECMARKER_BASE_ACTIONS, actions, strlen(SECMARKER_BASE_ACTIONS)) == 0))
{
rule-&gt;unparsed = apr_psprintf(ruleset-&gt;mp, "SecMarker \"%s\"",
log_escape(ruleset-&gt;mp, actions + strlen(SECMARKER_BASE_ACTIONS)));
}
else {
if (actions == NULL) {
rule-&gt;unparsed = apr_psprintf(ruleset-&gt;mp, "SecRule \"%s\" \"%s\"",
log_escape(ruleset-&gt;mp, targets), log_escape(ruleset-&gt;mp, args));
} else {
rule-&gt;unparsed = apr_psprintf(ruleset-&gt;mp, "SecRule \"%s\" \"%s\" \"%s\"",
log_escape(ruleset-&gt;mp, targets), log_escape(ruleset-&gt;mp, args),
log_escape(ruleset-&gt;mp, actions));
}
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.invalidWontfix</Resolution>
<Status>item.status.label.closed</Status>
</ReviewIssue>
<ReviewIssue id="FB5P819B">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:22:43:295 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:26:48:665 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="200">apache2/re.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>No logging should be done here as we are passing the error_msg back to the parent and they are responsible for this.</Summary>
<Description>if (*error_msg != NULL) {
/* ENH Shouldn't we log the problem? */
return NULL;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB5PIA63">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:30:41:403 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:31:00:930 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="47">apache2/re.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Need to log on failure.</Summary>
<Description>var = msre_create_var(ruleset, telts[i].key, telts[i].val, NULL, error_msg);
if (var == NULL) return -1;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5PPSA2">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:36:31:466 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:36:54:189 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="297">apache2/re.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Should replace with isvarnamechar() if possible.</Summary>
<Description>while((*p != '\0')&amp;&amp;(*p != '|')&amp;&amp;(*p != ':')&amp;&amp;(*p != ',')&amp;&amp;(!isspace(*p))) p++; /* ENH replace with isvarnamechar() */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB5PTFC4">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:39:21:316 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:28:02:997 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="356">apache2/re.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix or remove TODO.</Summary>
<Description>// TODO better 64-bit support here
*error_msg = apr_psprintf(mp, "Missing closing quote at position %d: %s",
(int)(p - text), text);
free(value);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB5PTZEE">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:39:47:318 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:28:24:355 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="364">apache2/re.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix or remove TODO.</Summary>
<Description>// TODO better 64-bit support here
*error_msg = apr_psprintf(mp, "Invalid quoted pair at position %d: %s",
(int)(p - text), text);
free(value);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB5PUL8Y">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:40:15:634 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:07:58:168 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="371">apache2/re.c</File>
<Type>item.type.label.clarity</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Add parens for clarity.</Summary>
<Description>*d++ = *p++;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB5PV6Q0">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 16:40:43:464 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:07:34:306 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="379">apache2/re.c</File>
<Type>item.type.label.clarity</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Add parens for clarity.</Summary>
<Description>*d++ = *p++;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB5YNPAO">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 20:46:50:832 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:06:54:324 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="181">apache2/acmp.c</File>
<Type>item.type.label.clarity</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Add parens for clarity.</Summary>
<Description>*ucs_chars++ = *c++;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB5YP23X">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 20:47:54:093 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:06:02:231 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="127">apache2/msc_multipart.c</File>
<Type>item.type.label.clarity</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Add parens for clarity.</Summary>
<Description>*t++ = *p++;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB5YQ3DS">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 20:48:42:400 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:05:23:686 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="814">apache2/re_actions.c</File>
<Type>item.type.label.clarity</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Add parens for clarity.</Summary>
<Description>*d++ = *s++;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB60NQ60">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 21:42:51:192 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 21:44:12:097 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="224">apache2/apache2_io.c</File>
<Type>item.type.label.programLogic</Type>
<Severity>item.severity.label.major</Severity>
<Summary>Returning here may fail to free chunks data due to modsecurity_request_body_end() not being called.</Summary>
<Description>int rcbs = modsecurity_request_body_store(msr, buf, buflen, error_msg);
if (rcbs &lt; 0) {
if (rcbs == -5) {
*error_msg = apr_psprintf(msr-&gt;mp, "Requests body no files data length is larger than the "
"configured limit (%lu).", msr-&gt;txcfg-&gt;reqbody_no_files_limit);
return -5;
}
return -1;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB60XMEY">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 21:50:32:890 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 21:52:29:239 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="196">apache2/modsecurity.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.major</Severity>
<Summary>Good. This looks to solve the other issues noted as possible memory leaks in body chunk data due to modsecurity_request_body_end() not being called. Need to verify, though.</Summary>
<Description>/* Register TX cleanup */
apr_pool_cleanup_register(msr-&gt;mp, msr, modsecurity_tx_cleanup, apr_pool_cleanup_null);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB6197M3">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 21:59:33:579 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:29:21:240 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="835">apache2/msc_util.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Actually, the parens are *required* for correctness, so remove the comments.</Summary>
<Description>(*invalid_count)++; /* parens quiet compiler warning */
}
} else {
/* Not enough bytes available, copy the raw bytes. */
*d++ = input[i++];
count ++;
(*invalid_count)++; /* parens quiet compiler warning */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB61EAWY">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:03:31:138 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:04:07:108 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="608">apache2/re.c</File>
<Type>item.type.label.irrelevant</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Does not appear to be used anywhere.</Summary>
<Description>/**
* Destroys an engine instance, releasing the consumed memory.
*/
void msre_engine_destroy(msre_engine *engine) {
/* Destroyed automatically by the parent pool.
* apr_pool_destroy(engine-&gt;mp);
*/
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB61FEGU">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:04:22:398 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:04:35:724 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="86">apache2/re.h</File>
<Type>item.type.label.irrelevant</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Does not appear to be used anywhere.</Summary>
<Description>void DSOLOCAL msre_engine_destroy(msre_engine *engine);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB624EJX">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:23:48:909 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:04:30:061 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="908">apache2/re.c</File>
<Type>item.type.label.clarity</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>This version should be moved up next to the normal version.</Summary>
<Description>#if defined(PERFORMANCE_MEASUREMENT)
apr_status_t msre_ruleset_process_phase(msre_ruleset *ruleset, modsec_rec *msr) {
...
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB62D9GN">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:30:42:215 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:02:09:916 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1096">apache2/re.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.major</Severity>
<Summary>Hmm, I thought this had already been fixed in trunk. Missing logging phase. Need to fix in 2.1.5 as well.</Summary>
<Description>/**
* Removes from the ruleset all rules that match the given exception.
*/
int msre_ruleset_rule_remove_with_exception(msre_ruleset *ruleset, rule_exception *re) {
int count = 0;
if (ruleset == NULL) return 0;
count += msre_ruleset_phase_rule_remove_with_exception(ruleset, re, ruleset-&gt;phase_request_headers);
count += msre_ruleset_phase_rule_remove_with_exception(ruleset, re, ruleset-&gt;phase_request_body);
count += msre_ruleset_phase_rule_remove_with_exception(ruleset, re, ruleset-&gt;phase_response_headers);
count += msre_ruleset_phase_rule_remove_with_exception(ruleset, re, ruleset-&gt;phase_response_body);
return count;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB62Y1B3">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:46:51:423 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:01:31:111 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1119">apache2/re.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Should move this to a static global for performance.</Summary>
<Description>static const char *const severities[] = {
"EMERGENCY",
"ALERT",
"CRITICAL",
"ERROR",
"WARNING",
"NOTICE",
"INFO",
"DEBUG",
NULL,
};</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB630W8M">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:49:04:822 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:49:16:740 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1179">apache2/re.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Implement TODO.</Summary>
<Description>//TODO: restrict to 512 bytes</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB6348JB">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:51:40:727 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-07 :: 22:53:13:118 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1150">apache2/re.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>tags set to NULL would be a bit better as it would stop apr_pstrcat() earlier, but tags *must* remain last or wierd results.</Summary>
<Description>char *tags = "";</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB6UPQJW">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-08 :: 11:44:13:484 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-08 :: 11:45:29:864 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1528">apache2/re.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>This causes two loops through the action list. Perhaps there is a more performant way to do these at the same time? Maybe split into two lists?</Summary>
<Description>/* Perform non-disruptive actions. */
msre_perform_nondisruptive_actions(msr, rule, rule-&gt;actionset, mptmp);
/* Perform disruptive actions, but only if
* this rule is not part of a chain.
*/
if (rule-&gt;actionset-&gt;is_chained == 0) {
msre_perform_disruptive_actions(msr, rule, acting_actionset, mptmp, my_error_msg);
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB6VV1A0">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-08 :: 12:16:20:280 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:59:48:300 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1716">apache2/re.c</File>
<Type>item.type.label.irrelevant</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>These do not appear to be needed.</Summary>
<Description>tfnspath = NULL;
tfnskey = NULL;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB6W0DKJ">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-08 :: 12:20:29:491 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:59:23:210 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1728">apache2/re.c</File>
<Type>item.type.label.programLogic</Type>
<Severity>item.severity.label.major</Severity>
<Summary>This does not appear to work as the tfnskey is not being built here. Need to build the tfnskey in this loop for this to work.</Summary>
<Description>/* check cache, saving the 'most complete' */
crec = (msre_cache_rec *)apr_table_get(cachetab, tfnskey);
if (crec != NULL) {
last_crec = crec;
last_cached_tfn = tfnscount;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB7FM2YX">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-08 :: 21:29:14:889 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-08 :: 21:30:41:759 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="77">apache2/re_tfns.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>No need to set this on all. Only set it once when we find the first non-space char.</Summary>
<Description>(*rval)[i] = '\0';</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB7H1FEN">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-08 :: 22:09:10:463 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:20:53:411 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="841">apache2/re_variables.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Indention off.</Summary>
<Description>return var_simple_generate_ex(var, vartab, mptmp,
apr_pmemdup(mptmp,
msr-&gt;matched_var-&gt;value,
msr-&gt;matched_var-&gt;value_len),
msr-&gt;matched_var-&gt;value_len);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB7H1YUO">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-08 :: 22:09:35:664 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:21:28:242 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="853">apache2/re_variables.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Indention off.</Summary>
<Description>return var_simple_generate_ex(var, vartab, mptmp,
apr_pmemdup(mptmp,
msr-&gt;matched_var-&gt;name,
msr-&gt;matched_var-&gt;name_len),
msr-&gt;matched_var-&gt;name_len);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB88F43Z">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 10:55:38:639 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:25:15:860 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="278">apache2/acmp.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Remove comment.</Summary>
<Description>//return acmp_child_for_code(node, letter)</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB88M1H3">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 11:01:01:815 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:55:50:363 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="316">apache2/acmp.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Change to #idef DEBUG_ACMP or similar.</Summary>
<Description>/* printf("%c -&gt;left %c \n", node-&gt;node-&gt;letter, node-&gt;left-&gt;node-&gt;letter); */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB88MW1C">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 11:01:41:424 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:56:10:175 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="323">apache2/acmp.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Change to #idef DEBUG_ACMP or similar.</Summary>
<Description>/* printf("%c -&gt;right %c \n", node-&gt;node-&gt;letter, node-&gt;right-&gt;node-&gt;letter); */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB88NRK7">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 11:02:22:279 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:56:41:045 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="385">apache2/acmp.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Change to #idef DEBUG_ACMP or similar.</Summary>
<Description>/* printf("fail direction: *%s* =&gt; *%s*\n", child-&gt;text, child-&gt;fail-&gt;text); */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB88O7GX">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 11:02:42:897 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:54:16:807 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="396">apache2/acmp.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Change to #idef DEBUG_ACMP or similar.</Summary>
<Description>/* printf("fail direction: *%s* =&gt; *%s*\n", node-&gt;text, node-&gt;fail-&gt;text); */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB88Y45H">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 11:10:25:157 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:24:57:212 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="586">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>The 'tag' and 'severity' metadata actions should be included. Some actions are missing from the log msg.</Summary>
<Description>/* Must NOT use metadata actions. */
if ((rule-&gt;actionset-&gt;id != NOT_SET_P)
||(rule-&gt;actionset-&gt;rev != NOT_SET_P)
||(rule-&gt;actionset-&gt;msg != NOT_SET_P)
||(rule-&gt;actionset-&gt;logdata != NOT_SET_P))
{
return apr_psprintf(cmd-&gt;pool, "ModSecurity: Metadata actions (id, rev, msg) "
" can only be specified by chain starter rules.");
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB898OY8">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 11:18:38:672 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:29:49:134 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="678">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Probably should check we were able to allocate.</Summary>
<Description>msre_rule *phrule = apr_palloc(rule-&gt;ruleset-&gt;mp, sizeof(msre_rule));</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8AX6MT">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:05:40:949 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:30:01:771 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="702">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Comment or remove.</Summary>
<Description>TODO</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8AYMVH">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:06:48:653 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:30:40:514 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="937">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>ENH instead of TODO</Summary>
<Description>TODO</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8B1TFE">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:09:17:114 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:31:50:812 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1010">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>The 'tag' and 'severity' metadata actions should be included. Some actions are missing from the log msg.</Summary>
<Description>/* Must not use metadata actions. */
if ((dcfg-&gt;tmp_default_actionset-&gt;id != NOT_SET_P)
||(dcfg-&gt;tmp_default_actionset-&gt;rev != NOT_SET_P)
||(dcfg-&gt;tmp_default_actionset-&gt;msg != NOT_SET_P)
||(dcfg-&gt;tmp_default_actionset-&gt;logdata != NOT_SET_P))
{
return apr_psprintf(cmd-&gt;pool, "ModSecurity: SecDefaultAction must not "
"contain any metadata actions (id, rev, msg).");
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8BBVRS">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:17:06:712 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:33:23:560 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1149">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix TODO or make ENH</Summary>
<Description>// TODO Validate encoding
// return apr_psprintf(cmd-&gt;pool, "ModSecurity: Invalid value for SecRequestBodyAccess: %s", p1);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8BCXG9">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:17:55:545 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:25:33:617 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1251">apache2/apache2_config.c</File>
<Type>item.type.label.irrelevant</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Remove code?</Summary>
<Description>/*
static const char *cmd_rule_import_by_id(cmd_parms *cmd, void *_dcfg, const char *p1) {
directory_config *dcfg = (directory_config *)_dcfg;
rule_exception *re = apr_pcalloc(cmd-&gt;pool, sizeof(rule_exception));
if (dcfg == NULL) return NULL;
re-&gt;type = RULE_EXCEPTION_IMPORT_ID;
// TODO verify p1
re-&gt;param = p1;
*(rule_exception **)apr_array_push(dcfg-&gt;rule_exceptions) = re;
return NULL;
}
static const char *cmd_rule_import_by_msg(cmd_parms *cmd, void *_dcfg, const char *p1) {
directory_config *dcfg = (directory_config *)_dcfg;
rule_exception *re = apr_pcalloc(cmd-&gt;pool, sizeof(rule_exception));
if (dcfg == NULL) return NULL;
re-&gt;type = RULE_EXCEPTION_IMPORT_MSG;
// TODO verify p1
re-&gt;param = p1;
*(rule_exception **)apr_array_push(dcfg-&gt;rule_exceptions) = re;
return NULL;
}
*/</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8BDRFJ">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:18:34:399 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:34:07:673 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1384">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix or TODO-&gt;ENH</Summary>
<Description>// TODO enforce format (letters, digits, ., _, -)</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8BFY0A">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:20:16:234 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:40:53:633 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1464">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Need to allow for relative filename based of rule file.</Summary>
<Description>/* -- Geo Lookup configuration -- */
static const char *cmd_geo_lookup_db(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
char *error_msg;
directory_config *dcfg = (directory_config *)_dcfg;
if (dcfg == NULL) return NULL;
if (geo_init(dcfg, p1, &amp;error_msg) &lt;= 0) {
return error_msg;
}
return NULL;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8BJFFY">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:22:58:798 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:23:11:462 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1522">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Portable?</Summary>
<Description>/* The NOT_SET indicator is -1, a signed long, and therfore
* we cannot be &gt;= the unsigned value of NOT_SET.
*/
if ((unsigned long)intval &gt;= (unsigned long)NOT_SET) {
return apr_psprintf(cmd-&gt;pool, "ModSecurity: SecCacheTransformations minlen must be less than: %lu", (unsigned long)NOT_SET);
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8BK6CS">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:23:33:676 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:23:39:437 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1542">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Portable?</Summary>
<Description>/* The NOT_SET indicator is -1, a signed long, and therfore
* we cannot be &gt;= the unsigned value of NOT_SET.
*/
if ((unsigned long)intval &gt;= (unsigned long)NOT_SET) {
return apr_psprintf(cmd-&gt;pool, "ModSecurity: SecCacheTransformations maxlen must be less than: %lu", (unsigned long)NOT_SET);
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8BKVAP">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:24:06:001 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:24:23:994 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1514">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Could use strtol as Ivan has as well.</Summary>
<Description>intval = apr_atoi64(charval);
if (errno == ERANGE) {
return apr_psprintf(cmd-&gt;pool, "ModSecurity: SecCacheTransformations minlen out of range: %s", charval);
}
if (intval &lt; 0) {
return apr_psprintf(cmd-&gt;pool, "ModSecurity: SecCacheTransformations minlen must be positive: %s", charval);
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8BLJKD">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:24:37:453 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:24:42:462 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1534">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Could use strtol as Ivan has as well.</Summary>
<Description>intval = apr_atoi64(charval);
if (errno == ERANGE) {
return apr_psprintf(cmd-&gt;pool, "ModSecurity: SecCacheTransformations maxlen out of range: %s", charval);
}
if (intval &lt; 0) {
return apr_psprintf(cmd-&gt;pool, "ModSecurity: SecCacheTransformations maxlen must be positive: %s", charval);
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8BMTCV">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:25:36:799 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:31:35:264 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="17">apache2/apache2_io.c</File>
<Type>item.type.label.programLogic</Type>
<Severity>item.severity.label.major</Severity>
<Summary>Remove code? It is actually used below, so need to verify.</Summary>
<Description>#if 0
static void dummy_free_func(void *data) {}
#endif</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8BOTGS">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:27:10:252 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:29:31:617 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="92">apache2/apache2_io.c</File>
<Type>item.type.label.programLogic</Type>
<Severity>item.severity.label.major</Severity>
<Summary>dummy_free_func() is defined where? It is ifdef'd out at the top of source, so need to verify it is valid.</Summary>
<Description>/* Do not make a copy of the data we received in the chunk. */
bucket = apr_bucket_heap_create(chunk-&gt;data, chunk-&gt;length, dummy_free_func,
f-&gt;r-&gt;connection-&gt;bucket_alloc);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8BZCLP">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:35:21:613 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:02:40:668 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="246">apache2/apache2_io.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Yes, why do we ignore the rc - why have one at all?</Summary>
<Description>// TODO: Why ignore the return code here?</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8CP101">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:55:19:633 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 17:00:04:416 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="199">apache2/msc_reqbody.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Portable way to format sizeof()?</Summary>
<Description>*error_msg = apr_psprintf(msr-&gt;mp, "Input filter: Failed to allocate %lu bytes for request body chunk.", (unsigned long)sizeof(msc_data_chunk));</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8CPGE9">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:55:39:585 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:58:16:438 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="465">apache2/msc_reqbody.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Portable way to format sizeof()?</Summary>
<Description>*error_msg = apr_psprintf(msr-&gt;mp, "Failed to allocate %lu bytes for request body disk chunk.", (unsigned long)sizeof(msc_data_chunk));</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8CQ08M">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:56:05:302 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:57:58:049 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="474">apache2/msc_reqbody.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Portable way to format sizeof()?</Summary>
<Description>*error_msg = apr_psprintf(msr-&gt;mp, "Failed to allocate %lu bytes for request body disk chunk.", (unsigned long)sizeof(msc_data_chunk));</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8CR02E">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:56:51:734 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:41:50:773 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1205">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix TODO or change to ENH.</Summary>
<Description>// TODO check whether the parameter is a valid MIME type of "null"</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8CSPHF">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:58:11:331 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:42:59:645 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1567">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix TODO or change to ENH.</Summary>
<Description>AP_INIT_TAKE1 (
"SecAction",
cmd_action,
NULL,
CMD_SCOPE_ANY,
"" // TODO
),</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8CT3H1">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:58:29:461 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:46:15:813 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1679">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix TODO or change to ENH.</Summary>
<Description>AP_INIT_TAKE1 (
"SecDataDir",
cmd_data_dir,
NULL,
CMD_SCOPE_MAIN,
"" // TODO
),</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8CTFYN">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:58:45:647 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:46:51:173 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1704">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix TODO or change to ENH.</Summary>
<Description>AP_INIT_TAKE1 (
"SecDefaultAction",
cmd_default_action,
NULL,
CMD_SCOPE_ANY,
"" // TODO
),</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8CTU3B">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:59:03:959 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:47:05:294 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1832">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix TODO or change to ENH.</Summary>
<Description>AP_INIT_TAKE1 (
"SecResponseBodyLimit",
cmd_response_body_limit,
NULL,
CMD_SCOPE_ANY,
"" // TODO
),</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8CU4LO">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 12:59:17:580 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:49:00:349 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1840">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix TODO or change to ENH.</Summary>
<Description>AP_INIT_TAKE1 (
"SecResponseBodyLimitAction",
cmd_response_body_limit_action,
NULL,
CMD_SCOPE_ANY,
"" // TODO
),</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8CV4KT">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:00:04:205 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:50:22:367 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1864">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix TODO or change to ENH.</Summary>
<Description>AP_INIT_TAKE23 (
"SecRule",
cmd_rule,
NULL,
CMD_SCOPE_ANY,
"" // TODO
),</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8CVOY6">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:00:30:606 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:51:16:772 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1888">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix TODO or change to ENH.</Summary>
<Description>AP_INIT_TAKE12 (
"SecRuleScript",
cmd_rule_script,
NULL,
CMD_SCOPE_ANY,
"" // TODO
),
AP_INIT_ITERATE (
"SecRuleRemoveById",
cmd_rule_remove_by_id,
NULL,
CMD_SCOPE_ANY,
"" // TODO
),
AP_INIT_ITERATE (
"SecRuleRemoveByMsg",
cmd_rule_remove_by_msg,
NULL,
CMD_SCOPE_ANY,
"" // TODO
),</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8CW8SF">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:00:56:319 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:52:48:192 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1920">apache2/apache2_config.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix TODO or change to ENH.</Summary>
<Description>AP_INIT_TAKE1 (
"SecTmpDir",
cmd_tmp_dir,
NULL,
CMD_SCOPE_ANY,
"" // TODO
),
AP_INIT_TAKE1 (
"SecUploadDir",
cmd_upload_dir,
NULL,
CMD_SCOPE_ANY,
"" // TODO
),
AP_INIT_TAKE1 (
"SecUploadKeepFiles",
cmd_upload_keep_files,
NULL,
CMD_SCOPE_ANY,
"" // TODO
),
AP_INIT_TAKE1 (
"SecWebAppId",
cmd_web_app_id,
NULL,
CMD_SCOPE_ANY,
"" // TODO
),</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8CX138">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:01:32:996 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:54:32:209 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="685">apache2/mod_security2.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix TODO or change to ENH.</Summary>
<Description>/* Update the request headers. They might have changed after
* the body was read (trailers).
*/
// TODO We still need to keep a copy of the original headers
// to log in the audit log.
msr-&gt;request_headers = apr_table_copy(msr-&gt;mp, r-&gt;headers_in);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8CXPT7">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:02:05:035 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:02:47:482 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="178">apache2/modsecurity.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Yes, why do we ignore the rc - why have one at all?</Summary>
<Description>// TODO: Why do we ignore return code here?
modsecurity_request_body_clear(msr, &amp;my_error_msg);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8CZFGG">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:03:24:928 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:04:49:633 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="153">apache2/msc_geo.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix TODO.</Summary>
<Description>offset = -3;
apr_file_seek(geo-&gt;db, APR_END, &amp;offset);
/* TODO check offset */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8D0MO9">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:04:20:937 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:04:39:295 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="176">apache2/msc_geo.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix TODO.</Summary>
<Description>rc = apr_file_read_full(geo-&gt;db, &amp;buf, 1, &amp;nbytes);
/* TODO: check rc */
geo-&gt;dbtype = (int)buf[0];</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8D1TBG">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:05:16:204 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:05:27:720 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="325">apache2/msc_geo.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix TODO.</Summary>
<Description>apr_file_seek(geo-&gt;db, APR_SET, &amp;seekto);
/* TODO: check rc */
rc = apr_file_read_full(geo-&gt;db, &amp;buf, (2 * reclen), &amp;nbytes);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8D2QAX">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:05:58:953 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:06:03:494 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="374">apache2/msc_geo.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix TODO.</Summary>
<Description>apr_file_seek(geo-&gt;db, APR_SET, &amp;seekto);
/* TODO: check rc */
rc = apr_file_read_full(geo-&gt;db, &amp;cbuf, sizeof(cbuf), &amp;nbytes);</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8D3Q5Q">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:06:45:422 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:55:10:355 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="406">apache2/msc_logging.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Fix TODO or change to ENH.</Summary>
<Description>/* The audit log storage directory should be explicitly
* defined. But if it isn't try to write to the same
* directory where the index file is placed. Of course,
* it is *very* bad practice to allow the Apache user
* to write to the same directory where a root user is
* writing to but it's not us that's causing the problem
* and there isn't anything we can do about that.
*
* TODO Actually there is something we can do! We will make
* SecAuditStorageDir mandatory, ask the user to explicitly
* define the storage location *and* refuse to work if the
* index and the storage location are in the same folder.
*/
if (msr-&gt;txcfg-&gt;auditlog_storage_dir == NULL) {
entry_filename = file_dirname(msr-&gt;mp, msr-&gt;txcfg-&gt;auditlog_name);
}
else {
entry_filename = msr-&gt;txcfg-&gt;auditlog_storage_dir;
}
if (entry_filename == NULL) return;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8D4IOU">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:07:22:398 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 14:55:42:896 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="876">apache2/msc_logging.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Change TODO to ENH.</Summary>
<Description>/* AUDITLOG_PART_UPLOADS */
// TODO: Implement</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8D5DPX">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:08:02:613 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:51:28:546 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="155">apache2/msc_lua.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Log an error.</Summary>
<Description>} else {
// TODO Error
return NULL;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8D6FT6">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:08:51:978 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:09:44:680 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1186">apache2/msc_util.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.normal</Severity>
<Summary>Fix TODO.</Summary>
<Description>char *resolve_relative_path(apr_pool_t *pool, const char *parent_filename, const char *filename) {
if (filename == NULL) return NULL;
// TODO Support paths on operating systems other than Unix.
if (filename[0] == '/') return (char *)filename;
return apr_pstrcat(pool, apr_pstrndup(pool, parent_filename,
strlen(parent_filename) - strlen(apr_filepath_name_get(parent_filename))),
filename, NULL);
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8D8DVM">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:10:22:786 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:10:31:982 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="26">apache2/pdf_protect.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Change from TODO to ENH.</Summary>
<Description>// TODO We need ID and REV values for the PDF XSS alert.
// TODO It would be nice if the user could choose the ID/REV/SEVERITY/MESSAGE, etc.</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8D91BX">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:10:53:181 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:11:06:931 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="217">apache2/pdf_protect.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Change from TODO to ENH.</Summary>
<Description>// TODO Should we look at err_headers_out too?</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8D9OJ7">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:11:23:251 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:11:28:132 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="244">apache2/pdf_protect.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Change from TODO to ENH.</Summary>
<Description>// TODO application/x-pdf, application/vnd.fdf, application/vnd.adobe.xfdf,
// application/vnd.adobe.xdp+xml, application/vnd.adobe.xfd+xml, application/vnd.pdf
// application/acrobat, text/pdf, text/x-pdf ???</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8DACZI">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:11:54:942 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:12:24:617 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="472">apache2/pdf_protect.c</File>
<Type>item.type.label.missing</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Add the missing alert.</Summary>
<Description>// TODO Log alert</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8DBUE7">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:13:04:159 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:13:38:064 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="790">apache2/re_actions.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Not positive why the TODO here. Perhaps for a decision as to log and/or at what level?</Summary>
<Description>msr_log(msr, 4, "Ctl: Set auditEngine to %d.", msr-&gt;txcfg-&gt;auditlog_flag); // TODO</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8DD3BF">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:14:02:379 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:42:21:749 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1260">apache2/re_operators.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Change from TODO to ENH.</Summary>
<Description>// TODO Write &amp; use string_ends(s, e).</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8DDOAR">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:14:29:571 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:43:53:997 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1259">apache2/re_operators.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Remove the ifdef as lua is required?</Summary>
<Description>#ifdef WITH_LUA</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8DHX7Z">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:17:47:759 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:41:12:538 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="227">CHANGES</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Remove TODO.</Summary>
<Description>TODO: more to come</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8E42E3">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:35:00:891 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:35:40:975 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="363">apache2/modsecurity.h</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Need to re-test implementing this as just a table.</Summary>
<Description>/* data cache */
apr_hash_t *tcache;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8E6PL4">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:37:04:264 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 13:37:25:196 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="63">apache2/modsecurity.h</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Should probably use STRINGIFY and define the numeric value.</Summary>
<Description>#define MODSEC_VERSION_MAJOR "2"
#define MODSEC_VERSION_MINOR "5"
#define MODSEC_VERSION_MAINT "0"
#define MODSEC_VERSION_TYPE "rc"
#define MODSEC_VERSION_RELEASE "1"</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8FASAX">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 14:08:14:025 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:40:12:054 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="50">apache2/msc_logging.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Spelling.</Summary>
<Description>throught</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB8FRWMM">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 14:21:32:782 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 14:22:32:803 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="16">apache2/msc_geo.h</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>This value may not be portable based on endianness. The algorithm compares it to the IP address as int in host order.</Summary>
<Description>#define GEO_COUNTRY_OFFSET 0xffff00</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8G4M54">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 14:31:25:720 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 14:45:20:612 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1">apache2/msc_geo.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Check portability due to endianness. It seems that the DB values are assumed to be in host order. Perhaps the compiled DB is little-endian and we need to compensate?</Summary>
<Description />
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8I5OF7">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 15:28:14:563 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 15:28:24:203 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="18">apache2/msc_multipart.c</File>
<Type>item.type.label.irrelevant</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Remove code?</Summary>
<Description>#if 0
static char *multipart_construct_filename(modsec_rec *msr) {
char c, *p, *q = msr-&gt;mpd-&gt;mpp-&gt;filename;
char *filename;
/* find the last backward slash and consider the
* filename to be only what's right from it
*/
p = strrchr(q, '\\');
if (p != NULL) q = p + 1;
/* do the same for the forward slash */
p = strrchr(q, '/');
if (p != NULL) q = p + 1;
/* allow letters, digits and dots, replace
* everything else with underscores
*/
p = filename = apr_pstrdup(msr-&gt;mp, q);
while((c = *p) != 0) {
if (!( isalnum(c)||(c == '.') )) *p = '_';
p++;
}
return filename;
}
#endif</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8IFGLE">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 15:35:50:978 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 15:49:54:128 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="52">apache2/msc_multipart.c</File>
<Type>item.type.label.programLogic</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>The multipart C-D header is case insensitive (rfc 2183), so we should probably use strncasecmp() here.</Summary>
<Description>/* accept only what we understand */
if (strncmp(c_d_value, "form-data", 9) != 0) {
return -1;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8JH2GX">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 16:05:05:601 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 16:07:17:436 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="75">apache2/msc_multipart.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>This allows for a name of "", so maybe check for name[0] == '\0' and return an error. Although we catch this later on as an unrecognized name and return -10.</Summary>
<Description>start = p;
while((*p != '\0')&amp;&amp;(*p != '=')&amp;&amp;(*p != '\t')&amp;&amp;(*p != ' ')) p++;
if (*p == '\0') return -4;
name = apr_pstrmemdup(msr-&gt;mp, start, (p - start));</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8JTATV">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 16:14:36:307 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 17:02:47:324 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="122">apache2/msc_multipart.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>For a quoted value we just include everything until the end quote. The field values should be US-ASCII 'qtext' or 'quoted-pair' (RFC 822) or escaped using RFC 2047.</Summary>
<Description>if (*p == '"') {
*t = '\0';
break;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8LENT4">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 16:59:12:520 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 17:00:55:566 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="106">apache2/msc_multipart.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>I think this is wrong. RFC 822 defines a quoted-string as &lt;"&gt; *(qtext/quoted-pair) &lt;"&gt; and quoted-par being able to quote any CHAR.</Summary>
<Description>/* only " and \ can be escaped */
if ((*(p + 1) == '"')||(*(p + 1) == '\\')) {
p++;
}
else {
/* improper escaping */
/* We allow for now because IE sends
* improperly escaped content and there's
* nothing we can do about it.
*
* return -9;
*/
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB8LLH1X">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 17:04:30:357 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-09 :: 17:05:19:369 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="143">apache2/msc_multipart.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>RFC 2045 defines an 'attribute' as "ALWAYS case-insensitive", so these should be strncasecmp()</Summary>
<Description>if (strcmp(name, "name") == 0) {
if (msr-&gt;mpd-&gt;mpp-&gt;name != NULL) return -14;
msr-&gt;mpd-&gt;mpp-&gt;name = value;
if (msr-&gt;txcfg-&gt;debuglog_level &gt;= 9) {
msr_log(msr, 9, "Multipart: Content-Disposition name: %s",
log_escape_nq(msr-&gt;mp, value));
}
}
else
if (strcmp(name, "filename") == 0) {</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB9R1V3P">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 12:24:59:317 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:58:44:275 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="199">apache2/msc_multipart.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>len is always assumed to be at least 1. What is preventing a len of 0?</Summary>
<Description>if (len &gt; 1) {</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB9R56TK">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 12:27:34:472 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:39:17:001 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="286">apache2/msc_multipart.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Use MULTIPART_BUF_SIZE for the constant.</Summary>
<Description>if (strlen(new_value) &gt; 4096) {</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB9SGM20">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:04:27:048 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:04:57:229 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="722">apache2/msc_multipart.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Cannot find anything that supports that this is or is not allowed.</Summary>
<Description>/* Flag for whitespace after parameter name. */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB9SHGAA">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:05:06:226 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:05:11:552 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="735">apache2/msc_multipart.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Cannot find anything that supports that this is or is not allowed.</Summary>
<Description>/* Flag for whitespace before parameter value. */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB9SQR7V">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:12:20:299 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:38:39:261 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="861">apache2/msc_multipart.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Use '\r' vs 0x0d as is done elsewhere.</Summary>
<Description>if ((c == 0x0d)&amp;&amp;(msr-&gt;mpd-&gt;bufleft == 1)) {
/* we don't want to take 0x0d as the last byte in the buffer */</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB9SRHG7">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:12:54:295 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:36:43:726 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="876">apache2/msc_multipart.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Use '\n' vs 0x0a as is done elsewhere.</Summary>
<Description>if ((c == 0x0a)||(msr-&gt;mpd-&gt;bufleft == 0)||(process_buffer)) {</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB9SZOE3">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:19:16:539 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:35:53:104 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="12">apache2/msc_parsers.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Headers are not used. I think they were added for iconv support, but Ivan removed it.</Summary>
<Description>#include "iconv.h"
#include &lt;errno.h&gt;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB9T9JDT">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:26:56:609 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:27:21:817 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="24">apache2/msc_util.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Be more consistent in naming.</Summary>
<Description>#define VALID_HEX(X) (((X &gt;= '0')&amp;&amp;(X &lt;= '9')) || ((X &gt;= 'a')&amp;&amp;(X &lt;= 'f')) || ((X &gt;= 'A')&amp;&amp;(X &lt;= 'F')))
#define ISODIGIT(X) ((X &gt;= '0')&amp;&amp;(X &lt;= '7'))</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB9TGO2M">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:32:29:278 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 16:51:13:950 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1175">apache2/msc_util.c</File>
<Type>item.type.label.optimization</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>No need to do a strlen twice *and* loop through the string. Just loop and exit on non-space.</Summary>
<Description>if (strlen(string) == 0) return 1;
for(i = 0; i &lt; strlen(string); i++) {
if (!isspace(string[i])) {
return 0;
}
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
<ReviewIssue id="FB9TKRGZ">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:35:40:307 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:36:03:933 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="100">apache2/modsecurity.c</File>
<Type>item.type.label.irrelevant</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Remove commented code?</Summary>
<Description>/* Serial audit log mutext */
rc = apr_global_mutex_create(&amp;msce-&gt;auditlog_lock, NULL, APR_LOCK_DEFAULT, mp);
if (rc != APR_SUCCESS) {
//ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, "mod_security: Could not create modsec_auditlog_lock");
//return HTTP_INTERNAL_SERVER_ERROR;
return -1;
}
#ifdef __SET_MUTEX_PERMS
rc = unixd_set_global_mutex_perms(msce-&gt;auditlog_lock);
if (rc != APR_SUCCESS) {
// ap_log_error(APLOG_MARK, APLOG_ERR, rc, s, "mod_security: Could not set permissions on modsec_auditlog_lock; check User and Group directives");
// return HTTP_INTERNAL_SERVER_ERROR;
return -1;
}
#endif</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB9TLSG5">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:36:28:229 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:36:52:702 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="126">apache2/modsecurity.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>What *should* we do on error here?</Summary>
<Description>if (rc != APR_SUCCESS) {
// ap_log_error(APLOG_MARK, APLOG_ERR, rs, s, "Failed to child-init auditlog mutex");
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB9TMUBY">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:37:17:326 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:37:25:682 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="132">apache2/modsecurity.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>This does nothing.</Summary>
<Description>/**
* Releases resources held by engine instance.
*/
void modsecurity_shutdown(msc_engine *msce) {
if (msce == NULL) return;
}</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB9TP2J5">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:39:01:265 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:39:22:070 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="298">apache2/modsecurity.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Figure out the optimal initial size for the arrays/tables.</Summary>
<Description>/* Collections. */
msr-&gt;tx_vars = apr_table_make(msr-&gt;mp, 32);
if (msr-&gt;tx_vars == NULL) return -1;
msr-&gt;geo_vars = apr_table_make(msr-&gt;mp, 8);
if (msr-&gt;geo_vars == NULL) return -1;
msr-&gt;collections = apr_table_make(msr-&gt;mp, 8);
if (msr-&gt;collections == NULL) return -1;
msr-&gt;collections_dirty = apr_table_make(msr-&gt;mp, 8);
if (msr-&gt;collections_dirty == NULL) return -1;
/* Other */
msr-&gt;tcache = apr_hash_make(msr-&gt;mp);
if (msr-&gt;tcache == NULL) return -1;
msr-&gt;matched_rules = apr_array_make(msr-&gt;mp, 16, sizeof(void *));
if (msr-&gt;matched_rules == NULL) return -1;
msr-&gt;matched_var = (msc_string *)apr_pcalloc(msr-&gt;mp, sizeof(msc_string));
if (msr-&gt;matched_var == NULL) return -1;
msr-&gt;highest_severity = 255; /* high, invalid value */
msr-&gt;removed_rules = apr_array_make(msr-&gt;mp, 16, sizeof(char *));
if (msr-&gt;removed_rules == NULL) return -1;</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB9TTMB2">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:42:33:518 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:42:50:351 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="27">apache2/msc_xml.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Remove #if 0'd code?</Summary>
<Description>#if 0
static void xml_receive_sax_error(void *data, const char *msg, ...) {
modsec_rec *msr = (modsec_rec *)data;
char message[256];
if (msr == NULL) return;
apr_snprintf(message, sizeof(message), "%s (line %d offset %d)",
log_escape_nq(msr-&gt;mp, msr-&gt;xml-&gt;parsing_ctx-&gt;lastError.message),
msr-&gt;xml-&gt;parsing_ctx-&gt;lastError.line,
msr-&gt;xml-&gt;parsing_ctx-&gt;lastError.int2);
msr_log(msr, 5, "XML: Parsing error: %s", message);
}
#endif</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB9U8OHT">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:54:16:193 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:54:45:610 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="1074">apache2/mod_security2.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>What is the history of this?</Summary>
<Description>/* Our own hook to handle RPC transactions (not used at the moment).
* // ap_hook_handler(hook_handler, NULL, NULL, APR_HOOK_MIDDLE);
*/</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.open</Status>
</ReviewIssue>
<ReviewIssue id="FB9UC5NX">
<ReviewIssueMeta>
<CreationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-10 :: 13:56:58:413 GMT-08:00</CreationDate>
<LastModificationDate format="yyyy-MM-dd :: HH:mm:ss:SSS z">2008-01-11 :: 15:34:14:676 GMT-08:00</LastModificationDate>
</ReviewIssueMeta>
<ReviewerId>brian</ReviewerId>
<AssignedTo>brian</AssignedTo>
<File line="363">apache2/msc_lua.c</File>
<Type>item.type.label.suggestion</Type>
<Severity>item.severity.label.trivial</Severity>
<Summary>Change C++ to C style comment.</Summary>
<Description>// Get the response from the script.</Description>
<Annotation />
<Revision />
<Resolution>item.resolution.label.validNeedsfixing</Resolution>
<Status>item.status.label.resolved</Status>
</ReviewIssue>
</Review>
Reference in New Issue View Git Blame Copy Permalink