NotificationsYou must be signed in to change notification settings
Fork0
Star0

Commit9fe72b7

Felipe Zimmerle

committed

Improves the CA validation

On IIS CA validation was not working as libcurl on windows does not look for acertificate store, unless it is specified. The resource downloads are nowrespecting the SecRemoteRulesFailAction.

1 parentb02256c commit9fe72b7Copy full SHA for 9fe72b7

File tree

9 files changed

+3969

-12

lines changed

apache2
iis
- curl-ca-bundle.crt
- dependencies
  - build_curl.bat
tests
- msc_test.c

9 files changed

+3969

-12

lines changed

`‎apache2/apache2_config.c‎`

Lines changed: 0 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -2217,7 +2217,6 @@ static const char cmd_remote_rules_fail(cmd_parms cmd, void *_dcfg, const char`
`2217`	`2217`	`{`
`2218`	`2218`	`directory_configdcfg= (directory_config)_dcfg;`
`2219`	`2219`	`if (dcfg==NULL)returnNULL;`
`2220`		`-#ifdefWITH_REMOTE_RULES_SUPPORT`
`2221`	`2220`	`if (strncasecmp(p1,"warn",4)==0)`
`2222`	`2221`	`{`
`2223`	`2222`	`remote_rules_fail_action=REMOTE_RULES_WARN_ON_FAIL;`
`@@ -2231,10 +2230,6 @@ static const char cmd_remote_rules_fail(cmd_parms cmd, void *_dcfg, const char`
`2231`	`2230`	`returnapr_psprintf(cmd->pool,"ModSecurity: Invalid value for " \`
`2232`	`2231`	`"SecRemoteRulesFailAction, expected: Abort or Warn.");`
`2233`	`2232`	`}`
`2234`		`-#else`
`2235`		`-returnapr_psprintf(cmd->pool,"ModSecurity: " \`
`2236`		`-"SecRemoteRules: ModSecurity was not compiled with such functionality.");`
`2237`		`-#endif`
`2238`	`2233`
`2239`	`2234`	`returnNULL;`
`2240`	`2235`	`}`

`‎apache2/mod_security2.c‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -70,8 +70,8 @@ unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;`
`70`	`70`
`71`	`71`	`#ifdefWITH_REMOTE_RULES_SUPPORT`
`72`	`72`	`msc_remote_rules_serverDSOLOCAL*remote_rules_server=NULL;`
`73`		`-intDSOLOCALremote_rules_fail_action=REMOTE_RULES_ABORT_ON_FAIL;`
`74`	`73`	`#endif`
	`74`	`+intDSOLOCALremote_rules_fail_action=REMOTE_RULES_ABORT_ON_FAIL;`
`75`	`75`
`76`	`76`	`intDSOLOCALstatus_engine_state=STATUS_ENGINE_DISABLED;`
`77`	`77`

`‎apache2/modsecurity.h‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -148,8 +148,8 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;`
`148`	`148`
`149`	`149`	`#ifdefWITH_REMOTE_RULES_SUPPORT`
`150`	`150`	`externDSOLOCALmsc_remote_rules_server*remote_rules_server;`
`151`		`-externDSOLOCALintremote_rules_fail_action;`
`152`	`151`	`#endif`
	`152`	`+externDSOLOCALintremote_rules_fail_action;`
`153`	`153`
`154`	`154`	`externDSOLOCALintstatus_engine_state;`
`155`	`155`

`‎apache2/msc_remote_rules.c‎`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -274,6 +274,11 @@ int msc_remote_grab_content(apr_pool_t mp, const char uri, const char *key,`
`274`	`274`	`if (curl)`
`275`	`275`	`{`
`276`	`276`	`structcurl_slist*headers_chunk=NULL;`
	`277`	`+#ifdefWIN32`
	`278`	`+charbuf=malloc(sizeof(TCHAR) (2048+1));`
	`279`	`+char*ptr=NULL;`
	`280`	`+DWORDres_len;`
	`281`	`+#endif`
`277`	`282`	`curl_easy_setopt(curl,CURLOPT_URL,remote_rules_server->uri);`
`278`	`283`
`279`	`284`	`headers_chunk=curl_slist_append(headers_chunk,apr_id);`
`@@ -286,6 +291,14 @@ int msc_remote_grab_content(apr_pool_t mp, const char uri, const char *key,`
`286`	`291`	`/* Make it TLS 1.x only. */`
`287`	`292`	`curl_easy_setopt(curl,CURLOPT_SSLVERSION,CURL_SSLVERSION_TLSv1);`
`288`	`293`
	`294`	`+#ifdefWIN32`
	`295`	`+res_len=SearchPathA(NULL,"curl-ca-bundle.crt",NULL, (2048+1),buf,&ptr);`
	`296`	`+if (res_len>0) {`
	`297`	`+curl_easy_setopt(curl,CURLOPT_CAINFO,strdup(buf));`
	`298`	`+ }`
	`299`	`+free(buf);`
	`300`	`+#endif`
	`301`	`+`
`289`	`302`	`/* those are the default options, but lets make sure */`
`290`	`303`	`curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,1);`
`291`	`304`	`curl_easy_setopt(curl,CURLOPT_SSL_VERIFYHOST,1);`

`‎apache2/msc_util.c‎`

Lines changed: 28 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -2673,6 +2673,11 @@ int ip_tree_from_uri(TreeRoot *rtree, char uri,`
`2673`	`2673`
`2674`	`2674`	`if (curl) {`
`2675`	`2675`	`structcurl_slist*headers_chunk=NULL;`
	`2676`	`+#ifdefWIN32`
	`2677`	`+charbuf=malloc(sizeof(TCHAR) (2048+1));`
	`2678`	`+char*ptr=NULL;`
	`2679`	`+DWORDres_len;`
	`2680`	`+#endif`
`2676`	`2681`	`curl_easy_setopt(curl,CURLOPT_URL,uri);`
`2677`	`2682`
`2678`	`2683`	`headers_chunk=curl_slist_append(headers_chunk,apr_id);`
`@@ -2687,7 +2692,15 @@ int ip_tree_from_uri(TreeRoot *rtree, char uri,`
`2687`	`2692`	`/* Make it TLS 1.x only. */`
`2688`	`2693`	`curl_easy_setopt(curl,CURLOPT_SSLVERSION,CURL_SSLVERSION_TLSv1);`
`2689`	`2694`
`2690`		`-/* those are the default options, but lets make sure */`
	`2695`	`+#ifdefWIN32`
	`2696`	`+res_len=SearchPathA(NULL,"curl-ca-bundle.crt",NULL, (2048+1),buf,&ptr);`
	`2697`	`+if (res_len>0) {`
	`2698`	`+curl_easy_setopt(curl,CURLOPT_CAINFO,strdup(buf));`
	`2699`	`+ }`
	`2700`	`+free(buf);`
	`2701`	`+#endif`
	`2702`	`+`
	`2703`	`+/* thoseeare the default options, but lets make sure */`
`2691`	`2704`	`curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,1);`
`2692`	`2705`	`curl_easy_setopt(curl,CURLOPT_SSL_VERIFYHOST,1);`
`2693`	`2706`
`@@ -2700,8 +2713,20 @@ int ip_tree_from_uri(TreeRoot *rtree, char uri,`
`2700`	`2713`
`2701`	`2714`	`if (res!=CURLE_OK)`
`2702`	`2715`	`{`
`2703`		`-*error_msg=apr_psprintf(mp,"Failed to fetch \"%s\" error: %s ",uri,curl_easy_strerror(res));`
`2704`		`-return-1;`
	`2716`	`+if (remote_rules_fail_action==REMOTE_RULES_WARN_ON_FAIL)`
	`2717`	`+ {`
	`2718`	`+ap_log_error(APLOG_MARK,APLOG_NOTICE,0,NULL,`
	`2719`	`+"Failed to fetch \"%s\" error: %s ",`
	`2720`	`+uri,curl_easy_strerror(res));`
	`2721`	`+return0;`
	`2722`	`+ }`
	`2723`	`+else`
	`2724`	`+ {`
	`2725`	`+*error_msg=apr_psprintf(mp,"Failed to fetch \"%s\" " \`
	`2726`	`+"error: %s ",uri,`
	`2727`	`+curl_easy_strerror(res));`
	`2728`	`+return-1;`
	`2729`	`+ }`
`2705`	`2730`	`}`
`2706`	`2731`
`2707`	`2732`	`curl_easy_cleanup(curl);`

`‎apache2/re_operators.c‎`

Lines changed: 30 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@`
`12`	`12`	`* directly using the email address security@modsecurity.org.`
`13`	`13`	`*/`
`14`	`14`
	`15`	`+#include"modsecurity.h"`
`15`	`16`	`#include"re.h"`
`16`	`17`	`#include"msc_pcre.h"`
`17`	`18`	`#include"msc_geo.h"`
`@@ -1307,6 +1308,11 @@ static int msre_op_pmFromFile_param_init(msre_rule rule, char *error_msg) {`
`1307`	`1308`
`1308`	`1309`	`if (curl) {`
`1309`	`1310`	`structcurl_slist*headers_chunk=NULL;`
	`1311`	`+#ifdefWIN32`
	`1312`	`+charbuf=malloc(sizeof(TCHAR) (2048+1));`
	`1313`	`+char*ptr=NULL;`
	`1314`	`+DWORDres_len;`
	`1315`	`+#endif`
`1310`	`1316`	`curl_easy_setopt(curl,CURLOPT_URL,fn);`
`1311`	`1317`
`1312`	`1318`	`headers_chunk=curl_slist_append(headers_chunk,apr_id);`
`@@ -1321,6 +1327,14 @@ static int msre_op_pmFromFile_param_init(msre_rule rule, char *error_msg) {`
`1321`	`1327`	`/* Make it TLS 1.x only. */`
`1322`	`1328`	`curl_easy_setopt(curl,CURLOPT_SSLVERSION,CURL_SSLVERSION_TLSv1);`
`1323`	`1329`
	`1330`	`+#ifdefWIN32`
	`1331`	`+res_len=SearchPathA(NULL,"curl-ca-bundle.crt",NULL, (2048+1),buf,&ptr);`
	`1332`	`+if (res_len>0) {`
	`1333`	`+curl_easy_setopt(curl,CURLOPT_CAINFO,strdup(buf));`
	`1334`	`+ }`
	`1335`	`+free(buf);`
	`1336`	`+#endif`
	`1337`	`+`
`1324`	`1338`	`/* those are the default options, but lets make sure */`
`1325`	`1339`	`curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,1);`
`1326`	`1340`	`curl_easy_setopt(curl,CURLOPT_SSL_VERIFYHOST,1);`
`@@ -1333,7 +1347,22 @@ static int msre_op_pmFromFile_param_init(msre_rule rule, char *error_msg) {`
`1333`	`1347`	`res=curl_easy_perform(curl);`
`1334`	`1348`
`1335`	`1349`	`if (res!=CURLE_OK)`
`1336`		`-fprintf(stderr,"curl_easy_perform() failed: %s\n",curl_easy_strerror(res));`
	`1350`	`+ {`
	`1351`	`+if (remote_rules_fail_action==REMOTE_RULES_WARN_ON_FAIL)`
	`1352`	`+ {`
	`1353`	`+ap_log_error(APLOG_MARK,APLOG_NOTICE,0,NULL,`
	`1354`	`+"Failed to fetch \"%s\" error: %s ",fn,`
	`1355`	`+curl_easy_strerror(res));`
	`1356`	`+return1;`
	`1357`	`+ }`
	`1358`	`+else`
	`1359`	`+ {`
	`1360`	`+*error_msg=apr_psprintf(rule->ruleset->mp,`
	`1361`	`+"Failed to fetch \"%s\" error: %s ",fn,`
	`1362`	`+curl_easy_strerror(res));`
	`1363`	`+return0;`
	`1364`	`+ }`
	`1365`	`+ }`
`1337`	`1366`
`1338`	`1367`	`curl_easy_cleanup(curl);`
`1339`	`1368`	`curl_slist_free_all(headers_chunk);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9fe72b7

File tree

9 files changed

9 files changed

`‎apache2/apache2_config.c‎`

`‎apache2/mod_security2.c‎`

`‎apache2/modsecurity.h‎`

`‎apache2/msc_remote_rules.c‎`

`‎apache2/msc_util.c‎`

`‎apache2/re_operators.c‎`

0 commit comments