backport Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended

From Author: Martin Vierula <martin.vierula@trustwave.com> commit 60be05914ce3b23bc126cfa61face7b75650448f Signed-off-by: Guangzhong Yao <yaoguangzhong@xfusion.com>
2023-01-07 11:18:55 +08:00 · 2023-01-07 11:18:55 +08:00 · 2c6b55eb86
commit 2c6b55eb86
parent e7266bde00
2 changed files with 35 additions and 1 deletions
--- a/mod_security.spec
+++ b/mod_security.spec
@ -7,7 +7,7 @@

 Name: mod_security
 Version: 2.9.5
-Release: 4
+Release: 5
 Summary: Security module for the Apache HTTP Server
 License: ASL 2.0
 URL: http://www.modsecurity.org/
@ -18,6 +18,7 @@ Source3: modsecurity_localrules.conf
 Patch0000: modsecurity-2.9.5-lua-54.patch
 Patch0001: modsecurity-2.9.5-use-uid-if-user-name-is-not-available.patch
 Patch0002: modsecurity-2.9.5-Properly-cleanup-XML-parser-contexts-upon-completion.patch
+Patch0003: modsecurity-2.9.5-Add-SecRequestBodyJsonDepthLimit-to-modsecurity.conf.patch

 Requires: httpd httpd-mmn = %{_httpd_mmn}
 BuildRequires: gcc make perl-generators httpd-devel yajl yajl-devel
@ -100,6 +101,9 @@ install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
 %endif

 %changelog
+* Sat Jan 7 2023 yaoguangzhong <yaoguangzhong@xfusion.com> - 2.9.5-5
+- backport Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
+
 * Fri Jan 6 2023 yaoguangzhong <yaoguangzhong@xfusion.com> - 2.9.5-4
 - backport properly cleanup XML parser contexts upon completion

--- a/modsecurity-2.9.5-Add-SecRequestBodyJsonDepthLimit-to-modsecurity.conf.patch
+++ b/modsecurity-2.9.5-Add-SecRequestBodyJsonDepthLimit-to-modsecurity.conf.patch
@ -0,0 +1,30 @@
+From d12959e18fccaf12708897baced782b9a63622fa Mon Sep 17 00:00:00 2001
+From: yaoguangzhong <yaoguangzhong@xfusion.com>
+Date: Sat, 7 Jan 2023 11:05:51 +0800
+Subject: [PATCH] Add SecRequestBodyJsonDepthLimit to
+ modsecurity.conf-recommended
+
+From Author: Martin Vierula <martin.vierula@trustwave.com>
+---
+ modsecurity.conf-recommended | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/modsecurity.conf-recommended b/modsecurity.conf-recommended
+index f357d95..c84ddce 100644
+--- a/modsecurity.conf-recommended
+++ b/modsecurity.conf-recommended
+@@ -58,6 +58,11 @@ SecRequestBodyInMemoryLimit 131072
+ #
+ SecRequestBodyLimitAction Reject
+ 
+# Maximum parsing depth allowed for JSON objects. You want to keep this
+# value as low as practical.
+#
+SecRequestBodyJsonDepthLimit 512
+
+ # Verify that we've correctly processed the request body.
+ # As a rule of thumb, when failing to process a request body
+ # you should reject the request (when deployed in blocking mode)
+-- 
+2.27.0
+