From ec098af676ce90ffc859237f9a3f109fcb000dbc Mon Sep 17 00:00:00 2001 From: Ervin Hegedus Date: Mon, 11 Mar 2019 20:42:16 +0000 Subject: [PATCH 1/4] Call msc_process_request_body() when REQUEST_BODY is empty --- src/msc_filters.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/msc_filters.c b/src/msc_filters.c index 3a18e21..9d81326 100644 --- a/src/msc_filters.c +++ b/src/msc_filters.c @@ -11,6 +11,7 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut, apr_bucket_brigade *pbbTmp; int ret; + int body_checked = 0; msc_t *msr = (msc_t *)f->ctx; @@ -55,6 +56,8 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut, } msc_append_request_body(msr->t, data, len); + msc_process_request_body(msr->t); + body_checked = 1; it = process_intervention(msr->t, r); if (it != N_INTERVENTION_STATUS) { @@ -62,13 +65,13 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut, return send_error_bucket(msr, f, it); } - // FIXME: Now we should have the body. Is this sane? - msc_process_request_body(msr->t); - pbktOut = apr_bucket_heap_create(data, len, 0, c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(pbbOut, pbktOut); apr_bucket_delete(pbktIn); } + if (body_checked == 0) { + msc_process_request_body(msr->t); + } return APR_SUCCESS; } From 98037d112b82183ea5bfa2ae73c4ee8b77bd253f Mon Sep 17 00:00:00 2001 From: Ervin Hegedus Date: Mon, 11 Mar 2019 20:45:16 +0000 Subject: [PATCH 2/4] Remove unwanted msc_process_request_body() --- src/mod_security3.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/src/mod_security3.c b/src/mod_security3.c index f3ce7b0..7d9b227 100644 --- a/src/mod_security3.c +++ b/src/mod_security3.c @@ -399,14 +399,6 @@ static int hook_request_late(request_rec *r) } #endif - - msc_process_request_body(msr->t); - it = process_intervention(msr->t, r); - if (it != N_INTERVENTION_STATUS) - { - return it; - } - return DECLINED; } From e4cbbac2ffab24c67de33918a0323eb06c49c80d Mon Sep 17 00:00:00 2001 From: Ervin Hegedus Date: Mon, 11 Mar 2019 20:48:10 +0000 Subject: [PATCH 3/4] Add extra '%' mark to avoid the format mark --- src/mod_security3.c | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/src/mod_security3.c b/src/mod_security3.c index 7d9b227..bb40c99 100644 --- a/src/mod_security3.c +++ b/src/mod_security3.c @@ -10,10 +10,14 @@ */ msc_global *msc_apache; +char err_calloc[] = "ModSecurity: can't allocate memory for logmsg."; void modsecurity_log_cb(void *log, const void* data) { const char *msg; + char *msglog; + unsigned int i, j; + if (log == NULL || data == NULL) { return; } @@ -21,9 +25,28 @@ void modsecurity_log_cb(void *log, const void* data) request_rec *r = (request_rec *) log; #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2 - ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r, - msg, - r->status); + msglog = calloc(sizeof(char), strlen(msg)*2); + if (msglog == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r, + err_calloc, + r->status); + } + else { + // add % escape to avoid the '%' chars placeholder mark in logmsg + j = 0; + for(i=0; msg[i] != '\0'; i++) { + if (msg[i] == '%') { + msglog[j++] = '%'; + } + msglog[j++] = msg[i]; + } + msglog[j] = '\0'; + + ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r, + msglog, + r->status); + free(msglog); + } #else ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r->server, From 40e6313b1cc9ed96c9be03a734d96d9b935bddd2 Mon Sep 17 00:00:00 2001 From: Ervin Hegedus Date: Tue, 2 Jul 2019 12:29:44 +0000 Subject: [PATCH 4/4] Request body handling - first try --- src/msc_filters.c | 15 ++++++++++++++- src/msc_utils.c | 2 ++ t/conf/extra.conf.in | 3 +-- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/src/msc_filters.c b/src/msc_filters.c index 9d81326..c25237d 100644 --- a/src/msc_filters.c +++ b/src/msc_filters.c @@ -11,7 +11,9 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut, apr_bucket_brigade *pbbTmp; int ret; + int it; int body_checked = 0; + char logmsg[100]; msc_t *msr = (msc_t *)f->ctx; @@ -40,7 +42,6 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut, const char *data; apr_size_t len; apr_size_t n; - int it; if (APR_BUCKET_IS_EOS(pbktIn)) { @@ -62,6 +63,7 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut, if (it != N_INTERVENTION_STATUS) { ap_remove_output_filter(f); + f->r->status = it; return send_error_bucket(msr, f, it); } @@ -71,6 +73,17 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut, } if (body_checked == 0) { msc_process_request_body(msr->t); + it = process_intervention(msr->t, r); + if (it != N_INTERVENTION_STATUS) + { + ap_remove_output_filter(f); + sprintf(logmsg, "it: %d", it); + ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r, + logmsg, + r->status); + r->status = it; + return send_error_bucket(msr, f, it); + } } return APR_SUCCESS; } diff --git a/src/msc_utils.c b/src/msc_utils.c index 1b4d16c..7f48b1a 100644 --- a/src/msc_utils.c +++ b/src/msc_utils.c @@ -1,6 +1,7 @@ #include "msc_utils.h" +char logmsg[100]; int id(const char *fn, const char *format, ...) { @@ -20,6 +21,7 @@ apr_status_t send_error_bucket(msc_t *msr, ap_filter_t *f, int status) { apr_bucket_brigade *brigade = NULL; apr_bucket *bucket = NULL; + request_rec *r = f->r; /* Set the status line explicitly for the error document */ f->r->status_line = ap_get_status_line(status); diff --git a/t/conf/extra.conf.in b/t/conf/extra.conf.in index 6518559..4854268 100644 --- a/t/conf/extra.conf.in +++ b/t/conf/extra.conf.in @@ -9,6 +9,7 @@ LoadModule security3_module "@ServerRoot@/.././src/.libs/mod_security3.so" # Lets make sure that the engine is on. modsecurity_rules 'SecRuleEngine On' +modsecurity_rules 'SecDefaultAction "phase:2,log,auditlog,deny,status:403"' # Debug logs modsecurity_rules 'SecDebugLog @ServerRoot@/logs/debug_logs.txt' @@ -20,7 +21,6 @@ modsecurity_rules 'SecDebugLogLevel 9' - modsecurity_rules 'SecRequestBodyAccess On' modsecurity_rules 'SecRule ARGS "evil" "phase:2,id:112,log,status:403,block,deny"' @@ -44,7 +44,6 @@ modsecurity_rules 'SecDebugLogLevel 9' - modsecurity_rules 'SecRequestBodyAccess On' modsecurity_rules 'SecRule ARGS "evil" "phase:2,id:112,log,status:402,block,deny"'