Commit38b9924

author
Felipe Zimmerle
committed
Adds the SecRemoteRulesFailAction directive
This directive allows the user to set a default action whenever the SecRemoteRules directive fails to download a set of rules. Currently the supported values are: Warn and Abort. By default `Abort' is selected.
1 parent9b836b6 commit38b9924

4 files changed

+61
-3
lines changed

4 files changed

+61
-3
lines changed

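--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -2213,6 +2213,28 @@ static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
 returnNULL;
 }
 
+staticconstchar*cmd_remote_rules_fail(cmd_parms*cmd,void*_dcfg,constchar*p1)
+{
+directory_config*dcfg= (directory_config*)_dcfg;
+if (dcfg==NULL)returnNULL;
+
+if (strncasecmp(p1,"warn",4)==0)
+{
+remote_rules_fail_action=REMOTE_RULES_WARN_ON_FAIL;
+}
+elseif (strncasecmp(p1,"abort",5)==0)
+{
+remote_rules_fail_action=REMOTE_RULES_ABORT_ON_FAIL;
+}
+else
+{
+returnapr_psprintf(cmd->pool,"ModSecurity: Invalid value for " \
+"SecRemoteRulesFailAction, expected: Abort or Warn.");
+}
+
+returnNULL;
+}
+
 staticconstchar*cmd_remote_rules(cmd_parms*cmd,void*_dcfg,constchar*p1,
 constchar*p2)
 {
@@ -3552,6 +3574,15 @@ const command_rec module_directives[] = {
 "key and URI to the remote rules"
 ),
 
+AP_INIT_TAKE1 (
+"SecRemoteRulesFailAction",
+cmd_remote_rules_fail,
+NULL,
+CMD_SCOPE_ANY,
+"Abort or Warn"
+),
+
+
 AP_INIT_TAKE1 (
 "SecXmlExternalEntity",
 cmd_xml_external_entity,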
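Review bot: cmd_remote_rules_fail matches its argument by prefix — `strncasecmp(p1,"warn",4)` and `strncasecmp(p1,"abort",5)` accept "warning", "abortive" or any longer string starting with those letters, so a misspelled value is silently accepted instead of reaching the error branch. p1 is a NUL-terminated directive argument, so `if (strcasecmp(p1, "warn") == 0)` and `else if (strcasecmp(p1, "abort") == 0)` give the exact match the error message promises. The directive is registered with CMD_SCOPE_ANY in the second hunk but the handler writes the process-global remote_rules_fail_action rather than a dcfg field, so the last occurrence parsed in any context wins; a comment on the handler such as `/* Global setting: the last SecRemoteRulesFailAction parsed wins, regardless of the scope it appears in. */` would keep that from surprising the next reader.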

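--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@@ -69,6 +69,7 @@ unsigned long int DSOLOCAL msc_pcre_match_limit = 0;
 unsigned longintDSOLOCALmsc_pcre_match_limit_recursion=0;
 
 msc_remote_rules_serverDSOLOCAL*remote_rules_server=NULL;
+intDSOLOCALremote_rules_fail_action=REMOTE_RULES_ABORT_ON_FAIL;
 
 intDSOLOCALstatus_engine_state=STATUS_ENGINE_DISABLED;
 
@@ -82,6 +83,7 @@ unsigned long int DSOLOCAL conn_write_state_limit = 0;
 TreeRootDSOLOCAL*conn_write_state_whitelist=0;
 TreeRootDSOLOCAL*conn_write_state_suspicious_list=0;
 
+
 #if defined(WIN32)|| defined(VERSION_NGINX)
 int (*modsecDropAction)(request_rec*r)=NULL;
 #endif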

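--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@@ -146,6 +146,7 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit;
 externDSOLOCAL unsigned longintmsc_pcre_match_limit_recursion;
 
 externDSOLOCALmsc_remote_rules_server*remote_rules_server;
+externDSOLOCALintremote_rules_fail_action;
 
 externDSOLOCALintstatus_engine_state;
 
@@ -198,6 +199,9 @@ extern DSOLOCAL int *unicode_map_table;
 #defineSTATUS_ENGINE_ENABLED 1
 #defineSTATUS_ENGINE_DISABLED 0
 
+#defineREMOTE_RULES_ABORT_ON_FAIL0
+#defineREMOTE_RULES_WARN_ON_FAIL1
+
 #defineHASH_DISABLED 0
 #defineHASH_ENABLED 1
 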

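--- a/apache2/msc_remote_rules.c
+++ b/apache2/msc_remote_rules.c
@@ -300,8 +300,19 @@ int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
 
 if (res!=CURLE_OK)
 {
-*error_msg=apr_psprintf(mp,"Failed to fetch \"%s\" error: %s ",
+if (remote_rules_fail_action==REMOTE_RULES_WARN_ON_FAIL)
+{
+ap_log_error(APLOG_MARK,APLOG_NOTICE,0,NULL,
+"Failed to fetch \"%s\" error: %s ",
+remote_rules_server->uri,curl_easy_strerror(res));
+}
+else
+{
+*error_msg=apr_psprintf(mp,"Failed to fetch \"%s\" " \
+"error: %s ",
 remote_rules_server->uri,curl_easy_strerror(res));
+}
+
 return-1;
 }
 
@@ -444,7 +455,8 @@ int msc_remote_decrypt(apr_pool_t *pool,
 // at least size of IV + Salt
 if (chunk->size<16+16+1)
 {
-*error_msg="Unexpected content.";
+*error_msg="Failed to download rules from a remote server: " \
+"Unexpected content.";
 return-1;
 }
 iv=chunk->memory;
@@ -574,20 +586,29 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
 intstart=0;
 intend=0;
 intadded_rules=0;
+intres=0;
 apr_size_tplain_text_len=0;
 
 apr_pool_t*mp=orig_parms->pool;
 
 chunk_encrypted.size=0;
 chunk_encrypted.memory=NULL;
 
-msc_remote_grab_content(mp,remote_rules_server->uri,
+res=msc_remote_grab_content(mp,remote_rules_server->uri,
 remote_rules_server->key,&chunk_encrypted,error_msg);
 if (*error_msg!=NULL)
 {
 return-1;
 }
 
+/* error_msg is not filled when the user set SecRemoteRulesFailAction
+* to warn
+*/
+if (res!=0)
+{
+returnres;
+}
+
 msc_remote_decrypt(mp,remote_rules_server->key,&chunk_encrypted,
 &plain_text,
 &plain_text_len,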
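Review bot: The warn branch in the hunk at line 300 logs the failed fetch at APLOG_NOTICE and then lets startup continue without the remote rule set, so the engine runs with fewer rules than configured; a degraded state like that deserves at least APLOG_WARNING and a message that states the consequence, e.g. `ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,` / `"Failed to fetch \"%s\" error: %s; continuing without the remote rules",` / `remote_rules_server->uri, curl_easy_strerror(res));`. In the hunk at line 586, `if (res != 0) return res;` returns -1 for the warn case exactly as for abort, so whether Warn actually differs from Abort depends on the caller distinguishing a NULL *error_msg from a non-zero return; that caller is outside the hunk, and msc_remote_add_rules_from_uri also ends outside it. The three-line comment above that check would be clearer as `/* With SecRemoteRulesFailAction Warn, grab_content logs and returns non-zero without setting *error_msg. */`.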
