Smallfixes

src/mod_security3.c

@@ -10,20 +10,43 @@
  */
 msc_global *msc_apache;
 
+char err_calloc[] = "ModSecurity: can't allocate memory for logmsg.";
 
 void modsecurity_log_cb(void *log, const void* data)
 {
     const char *msg;
+    char *msglog;
+    unsigned int i, j;
+
     if (log == NULL || data == NULL) {
         return;
     }
     msg = (const char *) data;
     request_rec *r = (request_rec *) log;
 
 #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
-    ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r,
-        msg,
-        r->status);
+    msglog = calloc(sizeof(char), strlen(msg)*2);
+    if (msglog == NULL) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r,
+            err_calloc,
+            r->status);
+    }
+    else {
+        // add % escape to avoid the '%' chars placeholder mark in logmsg
+        j = 0;
+        for(i=0; msg[i] != '\0'; i++) {
+            if (msg[i] == '%') {
+                msglog[j++] = '%';
+            }
+            msglog[j++] = msg[i];
+        }
+        msglog[j] = '\0';
+
+        ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r,
+            msglog,
+            r->status);
+        free(msglog);
+    }
 
 #else
     ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r->server,
@@ -399,14 +422,6 @@ static int hook_request_late(request_rec *r)
     }
 #endif
 
-
-    msc_process_request_body(msr->t);
-    it = process_intervention(msr->t, r);
-    if (it != N_INTERVENTION_STATUS)
-    {
-        return it;
-    }
-
     return DECLINED;
 }
 

src/msc_filters.c

@@ -11,6 +11,9 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut,
 
     apr_bucket_brigade *pbbTmp;
     int ret;
+    int it;
+    int body_checked = 0;
+    char logmsg[100];
 
     msc_t *msr = (msc_t *)f->ctx;
 
@@ -39,7 +42,6 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut,
         const char *data;
         apr_size_t len;
         apr_size_t n;
-        int it;
 
         if (APR_BUCKET_IS_EOS(pbktIn))
         {
@@ -55,20 +57,34 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut,
         }
 
         msc_append_request_body(msr->t, data, len);
+        msc_process_request_body(msr->t);
+        body_checked = 1;
         it = process_intervention(msr->t, r);
         if (it != N_INTERVENTION_STATUS)
         {
             ap_remove_output_filter(f);
+            f->r->status = it;
             return send_error_bucket(msr, f, it);
         }
 
-        // FIXME: Now we should have the body. Is this sane?
-        msc_process_request_body(msr->t);
-
         pbktOut = apr_bucket_heap_create(data, len, 0, c->bucket_alloc);
         APR_BRIGADE_INSERT_TAIL(pbbOut, pbktOut);
         apr_bucket_delete(pbktIn);
     }
+    if (body_checked == 0) {
+        msc_process_request_body(msr->t);
+        it = process_intervention(msr->t, r);
+        if (it != N_INTERVENTION_STATUS)
+        {
+            ap_remove_output_filter(f);
+            sprintf(logmsg, "it: %d", it);
+            ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r,
+                logmsg,
+                r->status);
+            r->status = it;
+            return send_error_bucket(msr, f, it);
+        }
+    }
     return APR_SUCCESS;
 }
 

src/msc_utils.c

@@ -1,6 +1,7 @@
 
 #include "msc_utils.h"
 
+char logmsg[100];
 
 int id(const char *fn, const char *format, ...)
 {
@@ -20,6 +21,7 @@ apr_status_t send_error_bucket(msc_t *msr, ap_filter_t *f, int status)
 {
     apr_bucket_brigade *brigade = NULL;
     apr_bucket *bucket = NULL;
+    request_rec *r = f->r;
 
     /* Set the status line explicitly for the error document */
     f->r->status_line = ap_get_status_line(status);

t/conf/extra.conf.in

@@ -9,6 +9,7 @@ LoadModule security3_module "@ServerRoot@/.././src/.libs/mod_security3.so"
 
 # Lets make sure that the engine is on.
 modsecurity_rules 'SecRuleEngine On'
+modsecurity_rules 'SecDefaultAction "phase:2,log,auditlog,deny,status:403"'
 
 # Debug logs
 modsecurity_rules 'SecDebugLog @ServerRoot@/logs/debug_logs.txt'
@@ -20,7 +21,6 @@ modsecurity_rules 'SecDebugLogLevel 9'
 </Directory>
 
 <Directory "@ServerRoot@/htdocs/block-evil-2">
-    modsecurity_rules 'SecRequestBodyAccess On'
     modsecurity_rules 'SecRule ARGS "evil" "phase:2,id:112,log,status:403,block,deny"'
 </Directory>
 
@@ -44,7 +44,6 @@ modsecurity_rules 'SecDebugLogLevel 9'
 </Location>
 
 <Location "/block-evil-2-loc">
-    modsecurity_rules 'SecRequestBodyAccess On'
     modsecurity_rules 'SecRule ARGS "evil" "phase:2,id:112,log,status:402,block,deny"'
 </Location>