packages/mod_security
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
mod_security/modsecurity-2.9.5-Allow-no-key-single-value-JSON-body.patch
yaoguangzhong ec5daf48b3 backport allow no-key, single-value JSON body 
From Author: Martin Vierula <martin.vierula@trustwave.com>
From commit 4a98032b7f827c4edd2514ce2af29222bb2ba289
Signed-off-by: Guangzhong Yao <yaoguangzhong@xfusion.com>
2023-01-09 16:08:39 +08:00

90 lines
3.1 KiB
Diff
Raw Blame History

From 630d57d7bd07696a72ac8ded7593bbcf31168a95 Mon Sep 17 00:00:00 2001
From: yaoguangzhong <yaoguangzhong@xfusion.com>
Date: Mon, 9 Jan 2023 16:00:15 +0800
Subject: [PATCH] backport Allow no-key, single-value JSON body
From Author: Martin Vierula <martin.vierula@trustwave.com>
From commit 4a98032b7f827c4edd2514ce2af29222bb2ba289
Signed-off-by: Guangzhong Yao <yaoguangzhong@xfusion.com>
---
apache2/msc_json.c | 3 +--
apache2/msc_json.h | 2 +-
tests/regression/rule/15-json.t | 34 +++++++++++++++++++++++++++++++++
3 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/apache2/msc_json.c b/apache2/msc_json.c
index cbaab0e..bab3a6d 100644
--- a/apache2/msc_json.c
+++ b/apache2/msc_json.c
@@ -27,8 +27,7 @@ int json_add_argument(modsec_rec *msr, const char *value, unsigned length)
* to reference this argument; for now we simply ignore these
*/
if (!msr->json->current_key) {
- msr_log(msr, 3, "Cannot add scalar value without an associated key");
- return 1;
+ msr->json->current_key = "";
}
arg = (msc_arg *) apr_pcalloc(msr->mp, sizeof(msc_arg));
diff --git a/apache2/msc_json.h b/apache2/msc_json.h
index 7e3d725..089dab4 100644
--- a/apache2/msc_json.h
+++ b/apache2/msc_json.h
@@ -39,7 +39,7 @@ struct json_data {
/* prefix is used to create data hierarchy (i.e., 'parent.child.value') */
unsigned char *prefix;
- unsigned char *current_key;
+ const unsigned char *current_key;
long int current_depth;
int depth_limit_exceeded;
};
diff --git a/tests/regression/rule/15-json.t b/tests/regression/rule/15-json.t
index f84355a..65f53ec 100644
--- a/tests/regression/rule/15-json.t
+++ b/tests/regression/rule/15-json.t
@@ -224,6 +224,40 @@
),
),
),
+},
+{
+ type => "rule",
+ comment => "json parser - no-key single value",
+ conf => qq(
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecDebugLog $ENV{DEBUG_LOG}
+ SecAuditEngine RelevantOnly
+ SecAuditLog "$ENV{AUDIT_LOG}"
+ SecDebugLogLevel 9
+ SecRequestBodyJsonDepthLimit 3
+ SecRule REQUEST_HEADERS:Content-Type "application/json" \\
+ "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+ SecRule REQBODY_ERROR "!\@eq 0" "id:'200444',phase:2,log,deny,status:403,msg:'Failed to parse request body'"
+ SecRule ARGS "\@streq 25" "id:'200445',phase:2,log,deny,status:403"
+ ),
+ match_log => {
+ audit => [ qr/200445/s, 1 ],
+ },
+ match_response => {
+ status => qr/^403$/,
+ },
+ request => new HTTP::Request(
+ POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+ [
+ "Content-Type" => "application/json",
+ ],
+ normalize_raw_request_data(
+ q(
+ 25
+ ),
+ ),
+ ),
}
--
2.39.0.windows.2
Reference in New Issue View Git Blame Copy Permalink