packages/mod_security
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Upgrade to version 2.9.7

Browse Source
This commit is contained in:
chen-jan 2023-07-17 17:08:39 +08:00
parent abb3b9a470
commit e6cd66a2f2
13 changed files with 172 additions and 592 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
mod_security-2.9.3-remote-rules-timeout.patch Normal file
View File

@ -0,0 +1,85 @@
diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
index 80f8f2b..7912d84 100644
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -2354,6 +2354,24 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
}
+static const char *cmd_remote_timeout(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
+ directory_config *dcfg = (directory_config *)_dcfg;
+ long int timeout;
+
+ if (dcfg == NULL) return NULL;
+
+ timeout = strtol(p1, NULL, 10);
+ if ((timeout == LONG_MAX)||(timeout == LONG_MIN)||(timeout < 0)) {
+ return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRemoteTimeout: %s", p1);
+ }
+
+ remote_rules_timeout = timeout;
+
+ return NULL;
+}
+
+
static const char *cmd_status_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
{
if (strcasecmp(p1, "on") == 0) {
@@ -3667,6 +3685,14 @@ const command_rec module_directives[] = {
"Abort or Warn"
),
+ AP_INIT_TAKE1 (
+ "SecRemoteTimeout",
+ cmd_remote_timeout,
+ NULL,
+ CMD_SCOPE_ANY,
+ "timeout in seconds"
+ ),
+
AP_INIT_TAKE1 (
"SecXmlExternalEntity",
diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
index 7bb215e..c155495 100644
--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@@ -79,6 +79,8 @@ msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
#endif
int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
char DSOLOCAL *remote_rules_fail_message = NULL;
+unsigned long int DSOLOCAL remote_rules_timeout = NOT_SET;
+
int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
index f24bc75..8bcd453 100644
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@@ -150,6 +150,7 @@ extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
#endif
extern DSOLOCAL int remote_rules_fail_action;
extern DSOLOCAL char *remote_rules_fail_message;
+extern DSOLOCAL unsigned long int remote_rules_timeout;
extern DSOLOCAL int status_engine_state;
diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
index 99968f0..b8db13e 100644
--- a/apache2/msc_remote_rules.c
+++ b/apache2/msc_remote_rules.c
@@ -358,6 +358,11 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
/* We want Curl to return error in case there is an HTTP error code */
curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
+ /* In case we want different timeout than a default one */
+ if (remote_rules_timeout != NOT_SET){
+ curl_easy_setopt(curl, CURLOPT_TIMEOUT, remote_rules_timeout);
+ }
+
res = curl_easy_perform(curl);
if (res != CURLE_OK)

272
mod_security.conf
View File

@ -1,226 +1,56 @@
# -- Rule engine initialization ----------------------------------------------
<IfModule mod_security2.c>
# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine DetectionOnly
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
# -- Request body handling ---------------------------------------------------
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On
# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
# Enable JSON request body parser.
# Initiate JSON Processor in case of JSON content-type; change accordingly
# if your application does not use 'application/json'
#
SecRule REQUEST_HEADERS:Content-Type "application/json" \
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
#
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
# Store up to 128 KB of request body data in memory. When the multipart
# parser reachers this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#
SecRequestBodyInMemoryLimit 131072
# What do do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
SecRequestBodyLimitAction Reject
# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
# Did we see anything that might be a boundary?
#
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
# -- Response body handling --------------------------------------------------
# Allow ModSecurity to access response bodies.
# You should have this directive enabled in order to identify errors
# and data leakage issues.
#
# Do keep in mind that enabling this directive does increases both
# memory consumption and response latency.
#
SecResponseBodyAccess On
# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
# (e.g., images and archives).
#
SecResponseBodyMimeType text/plain text/html text/xml
# Buffer response bodies of up to 512 KB in length.
SecResponseBodyLimit 524288
# What happens when we encounter a response body larger than the configured
# limit? By default, we process what we have and let the rest through.
# That's somewhat less secure, but does not break any legitimate pages.
#
SecResponseBodyLimitAction ProcessPartial
# -- Filesystem configuration ------------------------------------------------
# The location where ModSecurity stores temporary files (for example, when
# it needs to handle a file upload that is larger than the configured limit).
#
# This default setting is chosen due to all systems have /tmp available however,
# this is less than ideal. It is recommended that you specify a location that's private.
#
SecTmpDir /tmp/
# The location where ModSecurity will keep its persistent data. This default setting
# is chosen due to all systems have /tmp available however, it
# too should be updated to a place that other users can't access.
#
SecDataDir /tmp/
# -- File uploads handling configuration -------------------------------------
# The location where ModSecurity stores intercepted uploaded files. This
# location must be private to ModSecurity. You don't want other users on
# the server to access the files, do you?
#
#SecUploadDir /opt/modsecurity/var/upload/
# By default, only keep the files that were determined to be unusual
# in some way (by an external inspection script). For this to work you
# will also need at least one file inspection rule.
#
#SecUploadKeepFiles RelevantOnly
# Uploaded files are by default created with permissions that do not allow
# any other user to access them. You may need to relax that if you want to
# interface ModSecurity to an external program (e.g., an anti-virus).
#
#SecUploadFileMode 0600
# -- Debug log configuration -------------------------------------------------
# The default debug log configuration is to duplicate the error, warning
# and notice messages from the error log.
#
#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3
# -- Audit log configuration -------------------------------------------------
# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ
# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log
# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir /opt/modsecurity/var/audit/
# -- Miscellaneous -----------------------------------------------------------
# Use the most commonly used application/x-www-form-urlencoded parameter
# separator. There's probably only one application somewhere that uses
# something else so don't expect to change this value.
#
SecArgumentSeparator &
# Settle on version 0 (zero) cookies, as that is what most applications
# use. Using an incorrect cookie version may open your installation to
# evasion attacks (against the rules that examine named cookies).
#
SecCookieFormat 0
# Specify your Unicode Code Point.
# This mapping is used by the t:urlDecodeUni transformation function
# to properly map encoded data to your language. Properly setting
# these directives helps to reduce false positives and negatives.
#
SecUnicodeMapFile unicode.mapping 20127
# Improve the quality of ModSecurity by sharing information about your
# current ModSecurity version and dependencies versions.
# The following information will be shared: ModSecurity version,
# Web Server version, APR version, PCRE version, Lua version, Libxml2
# version, Anonymous unique id for host.
SecStatusEngine On
SecResponseBodyAccess Off
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security
# ModSecurity Core Rules Set and Local configuration
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
Include modsecurity.d/local_rules/*.conf
</IfModule>

28
mod_security.spec
View File

@ -6,8 +6,8 @@
%global mod_audit_log_collector 0
Name: mod_security
Version: 2.9.5
Release: 8
Version: 2.9.7
Release: 1
Summary: Security module for the Apache HTTP Server
License: ASL 2.0
URL: http://www.modsecurity.org/
@ -15,16 +15,13 @@ Source: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/
Source1: mod_security.conf
Source2: 10-mod_security.conf
Source3: modsecurity_localrules.conf
Patch0000: modsecurity-2.9.5-lua-54.patch
Patch0001: modsecurity-2.9.5-use-uid-if-user-name-is-not-available.patch
Patch0002: modsecurity-2.9.5-Properly-cleanup-XML-parser-contexts-upon-completion.patch
Patch0003: modsecurity-2.9.5-Add-SecRequestBodyJsonDepthLimit-to-modsecurity.conf.patch
Patch0004: modsecurity-2.9.5-Fix-memory-leak-that-occurs-on-JSON-parsing-error.patch
Patch0005: modsecurity-2.9.5-Set-SecStatusEngine-Off-in-modsecurity.conf.patch
Patch0006: modsecurity-2.9.5-Allow-no-key-single-value-JSON-body.patch
Patch0000: modsecurity-2.9.3-lua-54.patch
Patch0001: modsecurity-2.9.3-apulibs.patch
Patch0002: mod_security-2.9.3-remote-rules-timeout.patch
Requires: httpd httpd-mmn = %{_httpd_mmn}
BuildRequires: gcc make perl-generators httpd-devel yajl yajl-devel
BuildRequires: gcc make perl-generators httpd-devel yajl yajl-devel pcre2-devel
BuildRequires: pkgconfig(lua) pkgconfig(libcurl) pkgconfig(libxml-2.0) pkgconfig(libpcre)
BuildRequires: autoconf automake libtool
@ -48,7 +45,13 @@ This package collects mod_security audit log.
%build
./autogen.sh
%configure --with-yajl --with-apxs=%{_httpd_apxs} --enable-pcre-match-limit-recursion=1000000 --enable-pcre-match-limit=1000000
%configure --enable-pcre-match-limit=1000000 \
--enable-pcre-match-limit-recursion=1000000 \
--with-apxs=%{_httpd_apxs} \
--with-yajl \
--with-pcre2 \
--disable-static
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
make %{_smp_mflags}
@ -104,6 +107,9 @@ install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
%endif
%changelog
* Mon Jul 17 2023 chenchen <chen_aka_jan@163.com> - 2.9.7-1
- Upgrade to version 2.9.7
* Mon Jan 9 2023 yaoguangzhong <yaoguangzhong@xfusion.com> - 2.9.5-8
- backport allow no-key, single-value JSON body

14
modsecurity-2.9.3-apulibs.patch Normal file
View File

@ -0,0 +1,14 @@
Strip redundant APR-util dependent libraries, it is sufficient to link against -laprutil-1.
--- modsecurity-2.9.3/build/find_apu.m4.apulibs
+++ modsecurity-2.9.3/build/find_apu.m4
@@ -59,7 +59,7 @@
APU_CFLAGS="`${APU_CONFIG} --includes`"
if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu CFLAGS: $APU_CFLAGS); fi
APU_LDFLAGS="`${APU_CONFIG} --ldflags`"
- APU_LDFLAGS="$APU_LDFLAGS `${APU_CONFIG} --libs`"
+ APU_LDFLAGS="$APU_LDFLAGS `${APU_CONFIG} --avoid-ldap --avoid-dbm --libs`"
if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDFLAGS: $APU_LDFLAGS); fi
APU_LDADD="`${APU_CONFIG} --link-libtool`"
if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDADD: $APU_LDADD); fi

6
modsecurity-2.9.5-lua-54.patch → modsecurity-2.9.3-lua-54.patch
View File

@ -1,6 +1,6 @@
diff -ru modsecurity-2.9.5/apache2/msc_lua.c modsecurity-2.9.5-lua-patch/apache2/msc_lua.c
--- modsecurity-2.9.5/apache2/msc_lua.c 2018-12-04 18:49:37.000000000 +0000
+++ modsecurity-2.9.5-lua-patch/apache2/msc_lua.c 2020-08-08 16:55:14.936045777 +0000
diff -ru modsecurity-2.9.3/apache2/msc_lua.c modsecurity-2.9.3-lua-patch/apache2/msc_lua.c
--- modsecurity-2.9.3/apache2/msc_lua.c 2018-12-04 18:49:37.000000000 +0000
+++ modsecurity-2.9.3-lua-patch/apache2/msc_lua.c 2020-08-08 16:55:14.936045777 +0000
@@ -429,12 +429,12 @@
#else

30
modsecurity-2.9.5-Add-SecRequestBodyJsonDepthLimit-to-modsecurity.conf.patch
View File

@ -1,30 +0,0 @@
From d12959e18fccaf12708897baced782b9a63622fa Mon Sep 17 00:00:00 2001
From: yaoguangzhong <yaoguangzhong@xfusion.com>
Date: Sat, 7 Jan 2023 11:05:51 +0800
Subject: [PATCH] Add SecRequestBodyJsonDepthLimit to
modsecurity.conf-recommended
From Author: Martin Vierula <martin.vierula@trustwave.com>
---
modsecurity.conf-recommended | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/modsecurity.conf-recommended b/modsecurity.conf-recommended
index f357d95..c84ddce 100644
--- a/modsecurity.conf-recommended
+++ b/modsecurity.conf-recommended
@@ -58,6 +58,11 @@ SecRequestBodyInMemoryLimit 131072
#
SecRequestBodyLimitAction Reject
+# Maximum parsing depth allowed for JSON objects. You want to keep this
+# value as low as practical.
+#
+SecRequestBodyJsonDepthLimit 512
+
# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
--
2.27.0

89
modsecurity-2.9.5-Allow-no-key-single-value-JSON-body.patch
View File

@ -1,89 +0,0 @@
From 630d57d7bd07696a72ac8ded7593bbcf31168a95 Mon Sep 17 00:00:00 2001
From: yaoguangzhong <yaoguangzhong@xfusion.com>
Date: Mon, 9 Jan 2023 16:00:15 +0800
Subject: [PATCH] backport Allow no-key, single-value JSON body
From Author: Martin Vierula <martin.vierula@trustwave.com>
From commit 4a98032b7f827c4edd2514ce2af29222bb2ba289
Signed-off-by: Guangzhong Yao <yaoguangzhong@xfusion.com>
---
apache2/msc_json.c | 3 +--
apache2/msc_json.h | 2 +-
tests/regression/rule/15-json.t | 34 +++++++++++++++++++++++++++++++++
3 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/apache2/msc_json.c b/apache2/msc_json.c
index cbaab0e..bab3a6d 100644
--- a/apache2/msc_json.c
+++ b/apache2/msc_json.c
@@ -27,8 +27,7 @@ int json_add_argument(modsec_rec *msr, const char *value, unsigned length)
* to reference this argument; for now we simply ignore these
*/
if (!msr->json->current_key) {
- msr_log(msr, 3, "Cannot add scalar value without an associated key");
- return 1;
+ msr->json->current_key = "";
}
arg = (msc_arg *) apr_pcalloc(msr->mp, sizeof(msc_arg));
diff --git a/apache2/msc_json.h b/apache2/msc_json.h
index 7e3d725..089dab4 100644
--- a/apache2/msc_json.h
+++ b/apache2/msc_json.h
@@ -39,7 +39,7 @@ struct json_data {
/* prefix is used to create data hierarchy (i.e., 'parent.child.value') */
unsigned char *prefix;
- unsigned char *current_key;
+ const unsigned char *current_key;
long int current_depth;
int depth_limit_exceeded;
};
diff --git a/tests/regression/rule/15-json.t b/tests/regression/rule/15-json.t
index f84355a..65f53ec 100644
--- a/tests/regression/rule/15-json.t
+++ b/tests/regression/rule/15-json.t
@@ -224,6 +224,40 @@
),
),
),
+},
+{
+ type => "rule",
+ comment => "json parser - no-key single value",
+ conf => qq(
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecDebugLog $ENV{DEBUG_LOG}
+ SecAuditEngine RelevantOnly
+ SecAuditLog "$ENV{AUDIT_LOG}"
+ SecDebugLogLevel 9
+ SecRequestBodyJsonDepthLimit 3
+ SecRule REQUEST_HEADERS:Content-Type "application/json" \\
+ "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+ SecRule REQBODY_ERROR "!\@eq 0" "id:'200444',phase:2,log,deny,status:403,msg:'Failed to parse request body'"
+ SecRule ARGS "\@streq 25" "id:'200445',phase:2,log,deny,status:403"
+ ),
+ match_log => {
+ audit => [ qr/200445/s, 1 ],
+ },
+ match_response => {
+ status => qr/^403$/,
+ },
+ request => new HTTP::Request(
+ POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+ [
+ "Content-Type" => "application/json",
+ ],
+ normalize_raw_request_data(
+ q(
+ 25
+ ),
+ ),
+ ),
}
--
2.39.0.windows.2

48
modsecurity-2.9.5-Fix-memory-leak-that-occurs-on-JSON-parsing-error.patch
View File

@ -1,48 +0,0 @@
From 0951ccdfa2eee85e71ddcec6a45c87ce37772c69 Mon Sep 17 00:00:00 2001
From: yaoguangzhong <yaoguangzhong@xfusion.com>
Date: Sat, 7 Jan 2023 15:02:18 +0800
Subject: [PATCH] Fix memory leak that occurs on JSON parsing error
From Author: Martin Vierula <martin.vierula@trustwave.com>
commit c6582df2e5e3a92ba4b90e2a6cfaeb89f61bcadf
---
apache2/msc_json.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/apache2/msc_json.c b/apache2/msc_json.c
index d69e9eb..cbaab0e 100644
--- a/apache2/msc_json.c
+++ b/apache2/msc_json.c
@@ -351,11 +351,12 @@ int json_process_chunk(modsec_rec *msr, const char *buf, unsigned int size, char
/* Feed our parser and catch any errors */
msr->json->status = yajl_parse(msr->json->handle, buf, size);
if (msr->json->status != yajl_status_ok) {
- /* We need to free the yajl error message later, how to do this? */
if (msr->json->depth_limit_exceeded) {
*error_msg = "JSON depth limit exceeded";
} else {
- *error_msg = yajl_get_error(msr->json->handle, 0, NULL, 0);
+ char *yajl_err = yajl_get_error(msr->json->handle, 0, buf, size);
+ *error_msg = apr_pstrdup(msr->mp, yajl_err);
+ yajl_free_error(msr->json->handle, yajl_err);
}
return -1;
}
@@ -375,11 +376,12 @@ int json_complete(modsec_rec *msr, char **error_msg) {
/* Wrap up the parsing process */
msr->json->status = yajl_complete_parse(msr->json->handle);
if (msr->json->status != yajl_status_ok) {
- /* We need to free the yajl error message later, how to do this? */
if (msr->json->depth_limit_exceeded) {
*error_msg = "JSON depth limit exceeded";
} else {
- *error_msg = yajl_get_error(msr->json->handle, 0, NULL, 0);
+ char *yajl_err = yajl_get_error(msr->json->handle, 0, NULL, 0);
+ *error_msg = apr_pstrdup(msr->mp, yajl_err);
+ yajl_free_error(msr->json->handle, yajl_err);
}
return -1;
--
2.27.0

36
modsecurity-2.9.5-Properly-cleanup-XML-parser-contexts-upon-completion.patch
View File

@ -1,36 +0,0 @@
From 6a5ec1ff7bd5a4a653da417f9a49a50cf5b2429d Mon Sep 17 00:00:00 2001
From: Vladimir Krivopalov <vlkrivop@microsoft.com>
Date: Mon, 13 Jan 2020 16:36:09 -0800
Subject: [PATCH] Properly cleanup XML parser contexts upon completion
It is currently possible that the XML parsing context is not properly
cleaned up if a parsed XML document is malformed.
This fix makes sure that the context is taken care of.
Signed-off-by: Vladimir Krivopalov <vlkrivop@microsoft.com>
---
apache2/msc_xml.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/apache2/msc_xml.c b/apache2/msc_xml.c
index a31decb5..9cc4da65 100644
--- a/apache2/msc_xml.c
+++ b/apache2/msc_xml.c
@@ -137,6 +137,13 @@ int xml_complete(modsec_rec *msr, char **error_msg) {
* Frees the resources used for XML parsing.
*/
apr_status_t xml_cleanup(modsec_rec *msr) {
+ if (msr->xml->parsing_ctx != NULL) {
+ if (msr->xml->parsing_ctx->myDoc) {
+ xmlFreeDoc(msr->xml->parsing_ctx->myDoc);
+ }
+ xmlFreeParserCtxt(msr->xml->parsing_ctx);
+ msr->xml->parsing_ctx = NULL;
+ }
if (msr->xml->doc != NULL) {
xmlFreeDoc(msr->xml->doc);
msr->xml->doc = NULL;
--
2.27.0

28
modsecurity-2.9.5-Set-SecStatusEngine-Off-in-modsecurity.conf.patch
View File

@ -1,28 +0,0 @@
From fc84c6a3f6c446760350f80189d4bbfc116c143c Mon Sep 17 00:00:00 2001
From: yaoguangzhong <yaoguangzhong@xfusion.com>
Date: Sat, 7 Jan 2023 15:26:23 +0800
Subject: [PATCH] backport Set SecStatusEngine Off in
modsecurity.conf-recommended
From Author: Martin Vierula <martin.vierula@trustwave.com>
commit 733427197e2fe4fabcbb0f43bd1e636ef923a6b4
---
modsecurity.conf-recommended | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/modsecurity.conf-recommended b/modsecurity.conf-recommended
index c84ddce..923f5d8 100644
--- a/modsecurity.conf-recommended
+++ b/modsecurity.conf-recommended
@@ -234,5 +234,6 @@ SecUnicodeMapFile unicode.mapping 20127
# The following information will be shared: ModSecurity version,
# Web Server version, APR version, PCRE version, Lua version, Libxml2
# version, Anonymous unique id for host.
-SecStatusEngine On
-
++# NB: As of April 2022, there is no longer any advantage to turning this
++# setting On, as there is no active receiver for the information.
++SecStatusEngine Off
--
2.27.0

126
modsecurity-2.9.5-use-uid-if-user-name-is-not-available.patch
View File

@ -1,126 +0,0 @@
From 46c6cb2759327d94e619454dbe61f1e7639dd607 Mon Sep 17 00:00:00 2001
From: Armin Abfalterer <armin.abfalterer@united-security-providers.ch>
Date: Tue, 12 Mar 2019 16:29:43 +0100
Subject: [PATCH] use uid if user name is not available
---
apache2/msc_logging.c | 10 +++++++---
apache2/persist_dbm.c | 29 +++++++++++++++++++----------
2 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/apache2/msc_logging.c b/apache2/msc_logging.c
index d50f709e..d1a867c3 100644
--- a/apache2/msc_logging.c
+++ b/apache2/msc_logging.c
@@ -234,16 +234,20 @@ static char *construct_auditlog_filename(apr_pool_t *mp, const char *uniqueid) {
* This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations
* It also changes the return statement.
*/
- char *username;
+ char *userinfo;
+ apr_status_t rc;
apr_uid_t uid;
apr_gid_t gid;
apr_uid_current(&uid, &gid, mp);
- apr_uid_name_get(&username, uid, mp);
+ rc = apr_uid_name_get(&userinfo, uid, mp);
+ if (rc != APR_SUCCESS) {
+ userinfo = apr_psprintf(mp, "%u", uid);
+ }
apr_time_exp_lt(&t, apr_time_now());
apr_strftime(tstr, &len, 299, "/%Y%m%d/%Y%m%d-%H%M/%Y%m%d-%H%M%S", &t);
- return apr_psprintf(mp, "/%s%s-%s", username, tstr, uniqueid);
+ return apr_psprintf(mp, "/%s%s-%s", userinfo, tstr, uniqueid);
}
/**
diff --git a/apache2/persist_dbm.c b/apache2/persist_dbm.c
index efbbf6eb..e4f8036f 100644
--- a/apache2/persist_dbm.c
+++ b/apache2/persist_dbm.c
@@ -104,11 +104,14 @@ static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec
/**
* This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations
*/
- char *username;
+ char *userinfo;
apr_uid_t uid;
apr_gid_t gid;
apr_uid_current(&uid, &gid, msr->mp);
- apr_uid_name_get(&username, uid, msr->mp);
+ rc = apr_uid_name_get(&userinfo, uid, msr->mp);
+ if (rc != APR_SUCCESS) {
+ userinfo = apr_psprintf(msr->mp, "%u", uid);
+ }
if (msr->txcfg->data_dir == NULL) {
msr_log(msr, 1, "collection_retrieve_ex: Unable to retrieve collection (name \"%s\", key \"%s\"). Use "
@@ -117,7 +120,7 @@ static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec
goto cleanup;
}
- dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", col_name, NULL);
+ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", col_name, NULL);
if (msr->txcfg->debuglog_level >= 9) {
msr_log(msr, 9, "collection_retrieve_ex: collection_retrieve_ex: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name),
@@ -385,11 +388,14 @@ int collection_store(modsec_rec *msr, apr_table_t *col) {
/**
* This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations
*/
- char *username;
+ char *userinfo;
apr_uid_t uid;
apr_gid_t gid;
apr_uid_current(&uid, &gid, msr->mp);
- apr_uid_name_get(&username, uid, msr->mp);
+ rc = apr_uid_name_get(&userinfo, uid, msr->mp);
+ if (rc != APR_SUCCESS) {
+ userinfo = apr_psprintf(msr->mp, "%u", uid);
+ }
var_name = (msc_string *)apr_table_get(col, "__name");
if (var_name == NULL) {
@@ -409,7 +415,7 @@ int collection_store(modsec_rec *msr, apr_table_t *col) {
}
// ENH: lowercase the var name in the filename
- dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", var_name->value, NULL);
+ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", var_name->value, NULL);
if (msr->txcfg->debuglog_level >= 9) {
msr_log(msr, 9, "collection_store: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, var_name->value),
@@ -675,11 +681,14 @@ int collections_remove_stale(modsec_rec *msr, const char *col_name) {
/**
* This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations
*/
- char *username;
+ char *userinfo;
apr_uid_t uid;
apr_gid_t gid;
apr_uid_current(&uid, &gid, msr->mp);
- apr_uid_name_get(&username, uid, msr->mp);
+ rc = apr_uid_name_get(&userinfo, uid, msr->mp);
+ if (rc != APR_SUCCESS) {
+ userinfo = apr_psprintf(msr->mp, "%u", uid);
+ }
if (msr->txcfg->data_dir == NULL) {
/* The user has been warned about this problem enough times already by now.
@@ -690,9 +699,9 @@ int collections_remove_stale(modsec_rec *msr, const char *col_name) {
}
if(strstr(col_name,"USER") || strstr(col_name,"SESSION") || strstr(col_name, "RESOURCE"))
- dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", msr->txcfg->webappid, "_", col_name, NULL);
+ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", msr->txcfg->webappid, "_", col_name, NULL);
else
- dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", col_name, NULL);
+ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", col_name, NULL);
if (msr->txcfg->debuglog_level >= 9) {
msr_log(msr, 9, "collections_remove_stale: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name),
--
2.27.0

BIN
modsecurity-2.9.5.tar.gz → modsecurity-2.9.7.tar.gz
View File

Binary file not shown.

2
modsecurity_localrules.conf
View File

@ -1,3 +1,5 @@
# User defined rules and settings .
#
# You can use this file/directory to drop your local rules or
# to remove some rules provided by mod_security_crs package with SecRuleRemoveById
#