NotificationsYou must be signed in to change notification settings
Fork0
Star0

Commit1694a0c

Felipe Zimmerle

committed

Merge branch 'nginx_regression'

2 parents93c5b8c +f043ba3 commit1694a0cCopy full SHA for 1694a0c

File tree

24 files changed

+544

-89

lines changed

Makefile.am
apache2
- mod_security2.c
build
- find_lua.m4
configure.ac
nginx/modsecurity
- ngx_http_modsecurity.c
standalone
- api.c
- api.h
tests
- Makefile.am
- regression
  - action
    - 00-disruptive-actions.t
  - config
  - misc
    - 10-tfn-cache.t
  - nginx/conf
  - server_root/conf
    - httpd.conf.in
  - target
    - 00-targets.t
- run-regression-tests-nginx.pl
- run-regression-tests.pl.in

24 files changed

+544

-89

lines changed

`‎Makefile.am‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,10 @@ test: check`
`35`	`35`	`test-regression:`
`36`	`36`	`(cd tests&&$(MAKE) test-regression)`
`37`	`37`
	`38`	`+test-regression-nginx:`
	`39`	`+(cd tests&&$(MAKE) test-regression-nginx)`
	`40`	`+`
	`41`	`+`
`38`	`42`	`cppcheck:`
`39`	`43`	`cppcheck. --enable=all --force2>&1\| sed's/^/warning: /g'1>&2;`
`40`	`44`

`‎apache2/mod_security2.c‎`

Lines changed: 16 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -195,6 +195,7 @@ int perform_interception(modsec_rec *msr) {`
`195`	`195`	`break;`
`196`	`196`
`197`	`197`	`caseACTION_PROXY :`
	`198`	`+#if !(defined(VERSION_IIS))&& !(defined(VERSION_NGINX))&& !(defined(VERSION_STANDALONE))`
`198`	`199`	`if (msr->phase<3) {`
`199`	`200`	`if (ap_find_linked_module("mod_proxy.c")==NULL) {`
`200`	`201`	`log_level=1;`
`@@ -219,6 +220,15 @@ int perform_interception(modsec_rec *msr) {`
`219`	`220`	`"(Configuration Error: Proxy action requested but it does not work in output phases).",`
`220`	`221`	`phase_text);`
`221`	`222`	`}`
	`223`	`+#else`
	`224`	`+log_level=1;`
	`225`	`+status=HTTP_INTERNAL_SERVER_ERROR;`
	`226`	`+message=apr_psprintf(msr->mp,"Access denied with code 500%s "`
	`227`	`+"(Configuration Error: Proxy action to %s requested but "`
	`228`	`+"proxy is only available in Apache version).",`
	`229`	`+phase_text,`
	`230`	`+log_escape_nq(msr->mp,actionset->intercept_uri));`
	`231`	`+#endif`
`222`	`232`	`break;`
`223`	`233`
`224`	`234`	`caseACTION_DROP :`
`@@ -537,6 +547,11 @@ static modsec_rec create_tx_context(request_rec r) {`
`537`	`547`	`staticapr_status_tchange_server_signature(server_rec*s) {`
`538`	`548`	`char*server_version=NULL;`
`539`	`549`
	`550`	`+/* This is a very particular way to handle the server banner. It is Apache`
	`551`	`+ * only. Stanalone and descendants should address that in its specifics`
	`552`	`+ * implementations, e.g. Nginx module.`
	`553`	`+ */`
	`554`	`+#if !(defined(VERSION_IIS))&& !(defined(VERSION_NGINX))&& !(defined(VERSION_STANDALONE))`
`540`	`555`	`if (new_server_signature==NULL)return0;`
`541`	`556`
`542`	`557`	`server_version= (char*)apache_get_server_version();`
`@@ -568,7 +583,7 @@ static apr_status_t change_server_signature(server_rec *s) {`
`568`	`583`	`else {`
`569`	`584`	`ap_log_error(APLOG_MARK,APLOG_DEBUG \|APLOG_NOERRNO,0,s,"SecServerSignature: Changed server signature to \"%s\".",server_version);`
`570`	`585`	`}`
`571`		`-`
	`586`	`+#endif`
`572`	`587`	`return1;`
`573`	`588`	`}`
`574`	`589`

`‎build/find_lua.m4‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ LUA_LDADD=""`
`17`	`17`	`LUA_LDFLAGS=""`
`18`	`18`	`LUA_CONFIG=${PKG_CONFIG}`
`19`	`19`	`LUA_PKGNAMES="lua5.1 lua-5.1 lua_5.1 lua-51 lua_51 lua51 lua5 lua"`
`20`		`-LUA_SONAMES="so la sl dll dylib"`
	`20`	`+LUA_SONAMES="so la sl dll dylib a"`
`21`	`21`
`22`	`22`	`AC_ARG_WITH(`
`23`	`23`	`lua,`

`‎configure.ac‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -618,6 +618,7 @@ VERSION_OK`
`618`	`618`	APXS_PROGNAME="`$APXS -q PROGNAME`"
`619`	`619`	`if test "$verbose_output" -eq 1; thenAC_MSG_NOTICE(apxsPROGNAME:$APXS_PROGNAME); fi`
`620`	`620`	APXS_LIBEXECDIR="`$APXS -q LIBEXECDIR`"
	`621`	+ if test "xx$APXS_LIBEXECDIR" = "xx"; then APXS_LIBEXECDIR="`$APXS -q LIBDIR`/modules"; fi
`621`	`622`	`if test "$verbose_output" -eq 1; thenAC_MSG_NOTICE(apxsLIBEXECDIR:$APXS_LIBEXECDIR); fi`
`622`	`623`	`APXS_MODULES=$APXS_LIBEXECDIR`
`623`	`624`	`if test "$verbose_output" -eq 1; thenAC_MSG_NOTICE(apxsMODULES:$APXS_MODULES); fi`

`‎nginx/modsecurity/ngx_http_modsecurity.c‎`

Lines changed: 12 additions & 32 deletions

Original file line number	Diff line number	Diff line change
`@@ -719,6 +719,14 @@ ngx_http_modsecurity_save_headers_out(ngx_http_request_t *r)`
`719`	`719`	`upstream=r->upstream;`
`720`	`720`	`r->upstream=&ngx_http_modsecurity_upstream;`
`721`	`721`
	`722`	`+/* case SecServerSignature was used, the "Server: ..." header is added`
	`723`	`+ * here, overwriting the default header supplied by nginx.`
	`724`	`+ */`
	`725`	`+if (modsecIsServerSignatureAvailale()!=NULL) {`
	`726`	`+apr_table_add(ctx->req->headers_out,"Server",`
	`727`	`+modsecIsServerSignatureAvailale());`
	`728`	`+ }`
	`729`	`+`
`722`	`730`	`if (apr_table_do(ngx_http_modsecurity_save_headers_out_visitor,`
`723`	`731`	`r,ctx->req->headers_out,NULL)==0) {`
`724`	`732`
`@@ -1019,6 +1027,10 @@ ngx_http_modsecurity_handler(ngx_http_request_t *r)`
`1019`	`1027`	`returnrc;`
`1020`	`1028`	`}`
`1021`	`1029`
	`1030`	`+if (modsecContextState(ctx->req)==MODSEC_DISABLED) {`
	`1031`	`+returnNGX_DECLINED;`
	`1032`	`+ }`
	`1033`	`+`
`1022`	`1034`	`if (r->method==NGX_HTTP_POST`
`1023`	`1035`	`&&modsecIsRequestBodyAccessEnabled(ctx->req) ) {`
`1024`	`1036`
`@@ -1074,8 +1086,6 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r) {`
`1074`	`1086`	`ngx_http_modsecurity_ctx_t*ctx;`
`1075`	`1087`	`constchar*location;`
`1076`	`1088`	`ngx_table_elt_t*h;`
`1077`		`-ngx_int_trc;`
`1078`		`-`
`1079`	`1089`
`1080`	`1090`	`cf=ngx_http_get_module_loc_conf(r,ngx_http_modsecurity);`
`1081`	`1091`	`ctx=ngx_http_get_module_ctx(r,ngx_http_modsecurity);`
`@@ -1112,36 +1122,6 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r) {`
`1112`	`1122`
`1113`	`1123`	`ngx_log_debug0(NGX_LOG_DEBUG_HTTP,r->connection->log,0,"modSecurity: header filter");`
`1114`	`1124`
`1115`		`-/* header only or SecResponseBodyAccess off */`
`1116`		`-if (r->header_only\|\| (!modsecIsResponseBodyAccessEnabled(ctx->req)) ) {`
`1117`		`-`
`1118`		`-ctx->complete=1;`
`1119`		`-`
`1120`		`-if (ngx_http_modsecurity_load_headers_in(r)!=NGX_OK`
`1121`		`-\|\|ngx_http_modsecurity_load_headers_out(r)!=NGX_OK) {`
`1122`		`-`
`1123`		`-returnNGX_HTTP_INTERNAL_SERVER_ERROR;`
`1124`		`- }`
`1125`		`-`
`1126`		`-rc=ngx_http_modsecurity_status(r,modsecProcessResponse(ctx->req));`
`1127`		`-`
`1128`		`-if (rc!=NGX_DECLINED) {`
`1129`		`-returnngx_http_filter_finalize_request(r,&ngx_http_modsecurity,rc);`
`1130`		`- }`
`1131`		`-`
`1132`		`-if (ngx_http_modsecurity_save_headers_in(r)!=NGX_OK`
`1133`		`-\|\|ngx_http_modsecurity_save_headers_out(r)!=NGX_OK) {`
`1134`		`-returnngx_http_filter_finalize_request(r,&ngx_http_modsecurity,NGX_HTTP_INTERNAL_SERVER_ERROR);`
`1135`		`- }`
`1136`		`-`
`1137`		`-returnngx_http_next_header_filter(r);`
`1138`		`- }`
`1139`		`-`
`1140`		`-/* SecResponseBodyAccess on, process rules in body filter */`
`1141`		`-`
`1142`		`-/* pretend we are ngx_http_header_filter */`
`1143`		`-r->header_sent=1;`
`1144`		`-`
`1145`	`1125`	`r->filter_need_in_memory=1;`
`1146`	`1126`	`returnNGX_OK;`
`1147`	`1127`	`}`

`‎standalone/api.c‎`

Lines changed: 19 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -500,6 +500,16 @@ void modsecSetConfigForIISRequestBody(request_rec *r)`
`500`	`500`	`msr->txcfg->stream_inbody_inspection=1;`
`501`	`501`	`}`
`502`	`502`
	`503`	`+intmodsecContextState(request_rec*r)`
	`504`	`+{`
	`505`	`+modsec_rec*msr=retrieve_msr(r);`
	`506`	`+`
	`507`	`+if(msr==NULL\|\|msr->txcfg==NULL)`
	`508`	`+returnNOT_SET;`
	`509`	`+`
	`510`	`+returnmsr->txcfg->is_enabled;`
	`511`	`+}`
	`512`	`+`
`503`	`513`	`intmodsecIsRequestBodyAccessEnabled(request_rec*r)`
`504`	`514`	`{`
`505`	`515`	`modsec_rec*msr=retrieve_msr(r);`
`@@ -673,3 +683,12 @@ void modsecSetWriteResponse(apr_status_t (func)(request_rec r, char *buf, unsi`
`673`	`683`	`voidmodsecSetDropAction(int (func)(request_recr)) {`
`674`	`684`	`modsecDropAction=func;`
`675`	`685`	`}`
	`686`	`+`
	`687`	`+/*`
	`688`	`+ * Case SecServerSignature was used, this function returns the banner that`
	`689`	`+ * should be used, otherwise it returns NULL.`
	`690`	`+ */`
	`691`	`+constchar*modsecIsServerSignatureAvailale(void) {`
	`692`	`+returnnew_server_signature;`
	`693`	`+}`
	`694`	`+`

`‎standalone/api.h‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -112,8 +112,12 @@ void modsecSetDropAction(int (func)(request_rec r));`
`112`	`112`	`intmodsecIsResponseBodyAccessEnabled(request_rec*r);`
`113`	`113`	`intmodsecIsRequestBodyAccessEnabled(request_rec*r);`
`114`	`114`
	`115`	`+intmodsecContextState(request_rec*r);`
	`116`	`+`
`115`	`117`	`voidmodsecSetConfigForIISRequestBody(request_rec*r);`
`116`	`118`
	`119`	`+constchar*modsecIsServerSignatureAvailale(void);`
	`120`	`+`
`117`	`121`	`#ifdef__cplusplus`
`118`	`122`	`}`
`119`	`123`	`#endif`

`‎tests/Makefile.am‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -60,4 +60,7 @@ test: check`
`60`	`60`	`test-regression: run-regression-tests.pl`
`61`	`61`	`$(PERL) run-regression-tests.pl`
`62`	`62`
	`63`	`+test-regression-nginx: run-regression-tests-nginx.pl`
	`64`	`+$(PERL) run-regression-tests-nginx.pl`
	`65`	`+`
`63`	`66`	`.PHONY: test test-regression`

`‎tests/regression/action/00-disruptive-actions.t‎`

Lines changed: 41 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -454,12 +454,22 @@`
`454`	`454`	`SecRule REQUEST_URI"\@streq /test2.txt""phase:1,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500005"`
`455`	`455`	`),`
`456`	`456`	`match_log=> {`
`457`		`-error=> [ qr/ModSecurity: Access denied using proxyto $phase1$/,1 ],`
	`457`	`+error=> {`
	`458`	`+apache=> [qr/ModSecurity: Access denied using proxyto $phase1$/,1],`
	`459`	`+nginx=> [qr/ModSecurity: Access deniedwith code500 $phase1$ $Configuration Error:Proxy actionto.* requestedbut proxyisonlyavailable in Apache version$./,1],`
	`460`	`+},`
`458`	`461`	`},`
`459`	`462`	`match_response=> {`
`460`		`-status=> qr/^200$/,`
`461`		`-content=> qr/^TEST$/,`
	`463`	`+status=> {`
	`464`	`+apache=> qr/^200$/,`
	`465`	`+nginx=> qr/^500$/,`
	`466`	`+},`
	`467`	`+content=> {`
	`468`	`+apache=> qr/^TEST$/,`
	`469`	`+nginx=> qr/^*$/,`
	`470`	`+},`
`462`	`471`	`},`
	`472`	`+`
`463`	`473`	`request=>new HTTP::Request(`
`464`	`474`	`GET=>"http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",`
`465`	`475`	`),`
`@@ -475,11 +485,20 @@`
`475`	`485`	`SecRule REQUEST_URI"\@streq /test2.txt""phase:2,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500006"`
`476`	`486`	`),`
`477`	`487`	`match_log=> {`
`478`		`-error=> [ qr/ModSecurity: Access denied using proxyto $phase2$/,1 ],`
	`488`	`+error=> {`
	`489`	`+apache=> [qr/ModSecurity: Access denied using proxyto $phase2$/,1],`
	`490`	`+nginx=> [qr/ModSecurity: Access deniedwith code500 $phase2$ $Configuration Error:Proxy actionto.* requestedbut proxyisonlyavailable in Apache version$./,1],`
	`491`	`+},`
`479`	`492`	`},`
`480`	`493`	`match_response=> {`
`481`		`-status=> qr/^200$/,`
`482`		`-content=> qr/^TEST$/,`
	`494`	`+status=> {`
	`495`	`+apache=> qr/^200$/,`
	`496`	`+nginx=> qr/^500$/,`
	`497`	`+},`
	`498`	`+content=> {`
	`499`	`+apache=> qr/^TEST$/,`
	`500`	`+nginx=> qr/^*$/,`
	`501`	`+},`
`483`	`502`	`},`
`484`	`503`	`request=>new HTTP::Request(`
`485`	`504`	`GET=>"http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",`
`@@ -498,10 +517,16 @@`
`498`	`517`	`SecRule REQUEST_URI"\@streq /test2.txt""phase:3,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500007"`
`499`	`518`	`),`
`500`	`519`	`match_log=> {`
`501`		`-error=> [ qr/ModSecurity: Access deniedwith code500 $phase3$ $Configuration Error:Proxy action requestedbut itdoesnot work in output phases$./,1 ],`
	`520`	`+error=> {`
	`521`	`+apache=> [qr/ModSecurity: Access deniedwith code500 $phase3$ $Configuration Error:Proxy action requestedbut itdoesnot work in output phases$./,1],`
	`522`	`+nginx=> [qr/ModSecurity: Access deniedwith code500 $phase3$ $Configuration Error:Proxy actionto.* requestedbut proxyisonlyavailable in Apache version$./,1],`
	`523`	`+}`
`502`	`524`	`},`
`503`	`525`	`match_response=> {`
`504`		`-status=> qr/^500$/,`
	`526`	`+status=> {`
	`527`	`+apache=> qr/^500$/,`
	`528`	`+nginx=> qr/^500$/,`
	`529`	`+},`
`505`	`530`	`},`
`506`	`531`	`request=>new HTTP::Request(`
`507`	`532`	`GET=>"http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",`
`@@ -520,10 +545,16 @@`
`520`	`545`	`SecRule REQUEST_URI"\@streq /test2.txt""phase:4,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500008"`
`521`	`546`	`),`
`522`	`547`	`match_log=> {`
`523`		`-error=> [ qr/ModSecurity: Access deniedwith code500 $phase4$ $Configuration Error:Proxy action requestedbut itdoesnot work in output phases$./,1 ],`
	`548`	`+error=> {`
	`549`	`+apache=> [qr/ModSecurity: Access deniedwith code500 $phase4$ $Configuration Error:Proxy action requestedbut itdoesnot work in output phases$./,1],`
	`550`	`+nginx=> [qr/ModSecurity: Access deniedwith code500 $phase4$ $Configuration Error:Proxy actionto.* requestedbut proxyisonlyavailable in Apache version$./,1],`
	`551`	`+}`
`524`	`552`	`},`
`525`	`553`	`match_response=> {`
`526`		`-status=> qr/^500$/,`
	`554`	`+status=> {`
	`555`	`+apache=> qr/^500$/,`
	`556`	`+nginx=> qr/^500$/,`
	`557`	`+},`
`527`	`558`	`},`
`528`	`559`	`request=>new HTTP::Request(`
`529`	`560`	`GET=>"http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",`

`‎tests/regression/config/00-load-modsec.t‎`

Lines changed: 8 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,10 @@`
`2`	`2`	`type=>"config",`
`3`	`3`	`comment=>"module loaded",`
`4`	`4`	`match_log=> {`
`5`		`-error=> [ qr/ModSecurityfor Apache.* configured\./,10 ],`
	`5`	`+error=> {`
	`6`	`+apache=> [ qr/ModSecurityfor Apache.* configured\./,10 ],`
	`7`	`+nginx=> [ qr/ModSecurityfor nginx.* configured\./,10 ],`
	`8`	`+},`
`6`	`9`	`},`
`7`	`10`	`},`
`8`	`11`	`{`
`@@ -18,6 +21,9 @@`
`18`	`21`	`return$conf;`
`19`	`22`	`},`
`20`	`23`	`match_log=> {`
`21`		`-error=> [ qr/ModSecurityfor Apache.* configured\./,10 ],`
	`24`	`+error=> {`
	`25`	`+apache=> [ qr/ModSecurityfor Apache.* configured\./,10 ],`
	`26`	`+nginx=> [ qr/ModSecurityfor nginx.* configured\./,10 ],`
	`27`	`+},`
`22`	`28`	`},`
`23`	`29`	`},`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit1694a0c

File tree

24 files changed

24 files changed

`‎Makefile.am‎`

`‎apache2/mod_security2.c‎`

`‎build/find_lua.m4‎`

`‎configure.ac‎`

`‎nginx/modsecurity/ngx_http_modsecurity.c‎`

`‎standalone/api.c‎`

`‎standalone/api.h‎`

`‎tests/Makefile.am‎`

`‎tests/regression/action/00-disruptive-actions.t‎`

`‎tests/regression/config/00-load-modsec.t‎`

0 commit comments