Smallfixes #56

Open
wants to merge 4 commits into
base: master
37 changes: 26 additions & 11 deletions src/mod_security3.c
Expand Up @@ -10,20 +10,43 @@
*/
msc_global *msc_apache;

char err_calloc[] = "ModSecurity: can't allocate memory for logmsg.";

void modsecurity_log_cb(void *log, const void* data)
{
const char *msg;
char *msglog;
unsigned int i, j;

if (log == NULL || data == NULL) {
return;
}
msg = (const char *) data;
request_rec *r = (request_rec *) log;

#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r,
msg,
r->status);
msglog = calloc(sizeof(char), strlen(msg)*2);
if (msglog == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r,
err_calloc,
r->status);
}
else {
// add % escape to avoid the '%' chars placeholder mark in logmsg
j = 0;
for(i=0; msg[i] != '\0'; i++) {
if (msg[i] == '%') {
msglog[j++] = '%';
}
msglog[j++] = msg[i];
}
msglog[j] = '\0';

ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r,
msglog,
r->status);
free(msglog);
}

#else
ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r->server,
Expand Down Expand Up @@ -399,14 +422,6 @@ static int hook_request_late(request_rec *r)
}
#endif


msc_process_request_body(msr->t);
it = process_intervention(msr->t, r);
if (it != N_INTERVENTION_STATUS)
{
return it;
}

return DECLINED;
}

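Review bot: The escape buffer in `modsecurity_log_cb` is one byte short: `calloc(sizeof(char), strlen(msg)*2)` leaves no room for the terminator when every character of `msg` is `%`, and for an empty `msg` it requests zero bytes, so `msglog[j] = '\0'` writes past the allocation. The copy is also unnecessary, because the message only has to stop being the format string: `ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r, "%s", msg);` logs it verbatim with no allocation and no stray `r->status` argument. The same `"%s"` form applies to the `err_calloc` call and, presumably, to the `ap_log_error` call in the `#else` branch, which continues outside the hunk. ModSecurity log messages presumably carry request-derived text, so `msg` should never reach a printf-style format parameter directly.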
24 changes: 20 additions & 4 deletions src/msc_filters.c
Expand Up @@ -11,6 +11,9 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut,

apr_bucket_brigade *pbbTmp;
int ret;
int it;
int body_checked = 0;
char logmsg[100];

msc_t *msr = (msc_t *)f->ctx;

Expand Down Expand Up @@ -39,7 +42,6 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut,
const char *data;
apr_size_t len;
apr_size_t n;
int it;

if (APR_BUCKET_IS_EOS(pbktIn))
{
Expand All @@ -55,20 +57,34 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut,
}

msc_append_request_body(msr->t, data, len);
msc_process_request_body(msr->t);
body_checked = 1;
it = process_intervention(msr->t, r);
if (it != N_INTERVENTION_STATUS)
{
ap_remove_output_filter(f);
f->r->status = it;
return send_error_bucket(msr, f, it);
}

// FIXME: Now we should have the body. Is this sane?
msc_process_request_body(msr->t);

pbktOut = apr_bucket_heap_create(data, len, 0, c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(pbbOut, pbktOut);
apr_bucket_delete(pbktIn);
}
if (body_checked == 0) {
msc_process_request_body(msr->t);
it = process_intervention(msr->t, r);
if (it != N_INTERVENTION_STATUS)
{
ap_remove_output_filter(f);
sprintf(logmsg, "it: %d", it);
ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r,
logmsg,
r->status);
r->status = it;
return send_error_bucket(msr, f, it);
}
}
return APR_SUCCESS;
}

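Review bot: Inside the bucket loop of `input_filter`, `msc_process_request_body()` and `process_intervention()` now run right after each `msc_append_request_body()`, and `body_checked = 1` then suppresses the pass after the loop, so the verdict appears to be taken on whatever part of the body has arrived so far. If a body spans several buckets or filter invocations, rules may be evaluated before the payload is complete; consider only appending in the loop and calling `msc_process_request_body()` once, when the EOS bucket is seen. Two smaller points in the added block after the loop: this is an input filter but the code calls `ap_remove_output_filter(f)`, and `logmsg` is passed as the format string with an unused `r->status` argument, where `ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r, "it: %d", it);` needs neither `sprintf` nor the buffer. The function starts before the first visible hunk.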
2 changes: 2 additions & 0 deletions src/msc_utils.c
@@ -1,6 +1,7 @@

#include "msc_utils.h"

char logmsg[100];

int id(const char *fn, const char *format, ...)
{
Expand All @@ -20,6 +21,7 @@ apr_status_t send_error_bucket(msc_t *msr, ap_filter_t *f, int status)
{
apr_bucket_brigade *brigade = NULL;
apr_bucket *bucket = NULL;
request_rec *r = f->r;

/* Set the status line explicitly for the error document */
f->r->status_line = ap_get_status_line(status);
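Review bot: The file-scope `char logmsg[100];` is a writable global with external linkage that nothing in the visible hunks uses, and `input_filter` in src/msc_filters.c declares its own local `logmsg`. Under a threaded MPM a shared scratch buffer like this would be written by concurrent requests, so either drop it or declare the buffer locally where a message is formatted. The new `request_rec *r = f->r;` in `send_error_bucket` is likewise unused in the lines shown, while the next statement still spells out `f->r->status_line`; its use may lie outside the hunk, which ends before the function does.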
3 changes: 1 addition & 2 deletions t/conf/extra.conf.in
Expand Up @@ -9,6 +9,7 @@ LoadModule security3_module "@ServerRoot@/.././src/.libs/mod_security3.so"

# Lets make sure that the engine is on.
modsecurity_rules 'SecRuleEngine On'
modsecurity_rules 'SecDefaultAction "phase:2,log,auditlog,deny,status:403"'

# Debug logs
modsecurity_rules 'SecDebugLog @ServerRoot@/logs/debug_logs.txt'
Expand All @@ -20,7 +21,6 @@ modsecurity_rules 'SecDebugLogLevel 9'
</Directory>

<Directory "@ServerRoot@/htdocs/block-evil-2">
modsecurity_rules 'SecRequestBodyAccess On'
modsecurity_rules 'SecRule ARGS "evil" "phase:2,id:112,log,status:403,block,deny"'
</Directory>

Expand All @@ -44,7 +44,6 @@ modsecurity_rules 'SecDebugLogLevel 9'
</Location>

<Location "/block-evil-2-loc">
modsecurity_rules 'SecRequestBodyAccess On'
modsecurity_rules 'SecRule ARGS "evil" "phase:2,id:112,log,status:402,block,deny"'
</Location>

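Review bot: The two `SecRequestBodyAccess On` lines under `block-evil-2` and `/block-evil-2-loc` look like the two deletions counted for this file; without them these cases no longer state that request bodies are inspected, so whether a POST body containing `evil` is blocked depends on a default or on configuration not shown here. Since this pull request changes where the request body is processed, keeping `modsecurity_rules 'SecRequestBodyAccess On'` in both blocks would make the tests cover that path explicitly. The global `SecDefaultAction` line carries `status:403` while the `/block-evil-2-loc` rule sets `status:402`, so a one-line comment such as `# rule-level status overrides SecDefaultAction; test expects 402` would make the intended result clear.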