Commit2b4ece1

p0pr0ck5

authored and

zimmerle

committed

Remove logdata and msg fields from JSON audit log rule elements

Writing macro-expanded strings to JSON elements during the post-loggingphase can be misleading, because it's possible that variable contents(such as MATCHED_VAR) could have changed after the rule match, alteringtheir expected contents. Writing macro-epanded audit data really onlymakes sense when the macros are expanded immediately following therule match. See issueowasp-modsecurity#1174 for more details.

1 parent5f4a098 commit2b4ece1Copy full SHA for 2b4ece1

File tree

1 file changed

-27

lines changed

apache2
- msc_logging.c

1 file changed

-27

lines changed

`‎apache2/msc_logging.c‎`

Lines changed: 0 additions & 27 deletions

Original file line number	Diff line number	Diff line change
`@@ -559,36 +559,9 @@ static void write_rule_json(modsec_rec msr, const msre_rule rule, yajl_gen g)`
`559`	`559`	`if (rule->actionset->rev) {`
`560`	`560`	`yajl_kv_string(g,"rev",log_escape(msr->mp,rule->actionset->rev));`
`561`	`561`	`}`
`562`		`-if (rule->actionset->msg) {`
`563`		`-msc_stringvar= (msc_string)apr_palloc(msr->mp,sizeof(msc_string));`
`564`		`-var->value= (char*)rule->actionset->msg;`
`565`		`-var->value_len=strlen(rule->actionset->msg);`
`566`		`-expand_macros(msr,var,NULL,msr->mp);`
`567`		`-`
`568`		`-yajl_kv_string(g,"msg",log_escape_ex(msr->mp,var->value,var->value_len));`
`569`		`- }`
`570`	`562`	`if (rule->actionset->version) {`
`571`	`563`	`yajl_kv_string(g,"version",log_escape(msr->mp,rule->actionset->version));`
`572`	`564`	`}`
`573`		`-if (rule->actionset->logdata) {`
`574`		`-char*logdata=NULL;`
`575`		`-msc_stringvar= (msc_string)apr_pcalloc(msr->mp,sizeof(msc_string));`
`576`		`-var->value= (char*)rule->actionset->logdata;`
`577`		`-var->value_len=strlen(rule->actionset->logdata);`
`578`		`-expand_macros(msr,var,NULL,msr->mp);`
`579`		`-`
`580`		`-logdata=apr_pstrdup(msr->mp,log_escape_hex(msr->mp, (unsignedchar*)var->value,var->value_len));`
`581`		`-`
`582`		`-// if it is > 512 bytes, then truncate at 512 with ellipsis.`
`583`		`-if (strlen(logdata)>515) {`
`584`		`-logdata[512]='.';`
`585`		`-logdata[513]='.';`
`586`		`-logdata[514]='.';`
`587`		`-logdata[515]='\0';`
`588`		`- }`
`589`		`-`
`590`		`-yajl_kv_string(g,"logdata",logdata);`
`591`		`- }`
`592`	`565`	`if (rule->actionset->severity!=NOT_SET) {`
`593`	`566`	`yajl_kv_int(g,"severity",rule->actionset->severity);`
`594`	`567`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit2b4ece1

File tree

1 file changed

1 file changed

`‎apache2/msc_logging.c‎`

0 commit comments