Skip to content

Fixed deny not work in response phase, Fixed debug log message #36

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Feb 1, 2013
Merged

Fixed deny not work in response phase, Fixed debug log message #36

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
94 changes: 55 additions & 39 deletions nginx/modsecurity/ngx_http_modsecurity.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -183,8 +183,10 @@ ngx_http_modsecurity_merge_loc_conf(ngx_conf_t *cf, void *parent,
ngx_conf_merge_ptr_value(conf->config, prev->config, NULL);

if (conf->enable && conf->config == NULL) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
"ModSecurity: enabled in %V:%ui while no config file is specified ",
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"\"ModSecurityEnabled\" in %V:%ui is set to \"on\""
" while directive \"ModSecurityConfig\" is not found"
" in the same location",
conf->file, conf->line);
return NGX_CONF_ERROR;
}
Expand Down Expand Up @@ -224,6 +226,7 @@ modsec_pcre_free(void *ptr)
static ngx_int_t
ngx_http_modsecurity_preconfiguration(ngx_conf_t *cf)
{
server_rec *s;

/* XXX: temporary hack, nginx uses pcre as well and hijacks these two */
pcre_malloc = modsec_pcre_malloc;
Expand All @@ -232,9 +235,20 @@ ngx_http_modsecurity_preconfiguration(ngx_conf_t *cf)
modsecSetLogHook(cf->log, modsecLog);
modsecSetDropAction(ngx_http_modsecurity_drop_action);

modsecInit();
modsecStartConfig();
s = modsecInit();
if (s == NULL) {
return NGX_ERROR;
}

/* set host name */
s->server_hostname = ngx_palloc(cf->pool, ngx_cycle->hostname.len + 1);
if (s->server_hostname == NULL) {
return NGX_ERROR;
}
ngx_memcpy(s->server_hostname, ngx_cycle->hostname.data, ngx_cycle->hostname.len);
s->server_hostname[ ngx_cycle->hostname.len] = '\0';

modsecStartConfig();
return NGX_OK;
}

Expand Down Expand Up @@ -344,31 +358,27 @@ ngx_http_modsecurity_handler(ngx_http_request_t *r)
ngx_http_modsecurity_ctx_t *ctx;
ngx_int_t rc;

ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: handler");

cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity);

/* Process only main request */
if (r != r->main || r->internal || !cf->enable) {
return NGX_DECLINED;
}

ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: handler");

ctx = ngx_http_modsecurity_create_ctx(r);
if (ctx == NULL) {
return NGX_ERROR;
}
ngx_http_set_ctx(r, ctx, ngx_http_modsecurity);

/* processing request headers */
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: process request headers");

rc = modsecProcessRequestHeaders(ctx->req);
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessRequestHeaders %d", rc);
if (rc == DECLINED) {
if (r->method == NGX_HTTP_POST) {
/* Processing POST request body, should we process PUT? */
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: method POST");

rc = ngx_http_read_client_request_body(r, ngx_http_modsecurity_body_handler);
if (rc >= NGX_HTTP_SPECIAL_RESPONSE) {
return rc;
Expand All @@ -377,12 +387,11 @@ ngx_http_modsecurity_handler(ngx_http_request_t *r)
return NGX_DONE;
}
/* other method */
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: process request body");
rc = modsecProcessRequestBody(ctx->req);
rc = modsecProcessRequestBody(ctx->req);
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessRequestBody %d", rc);
}

if (rc != DECLINED) {
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: status: %d, need action", rc);

/* Nginx and Apache share same response code */
if (rc < NGX_HTTP_SPECIAL_RESPONSE || rc >= 600) {
Expand Down Expand Up @@ -412,7 +421,7 @@ ngx_http_modsecurity_body_handler(ngx_http_request_t *r)
return;
}

ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: process request body");
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: body handler");

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity);

Expand All @@ -426,9 +435,9 @@ ngx_http_modsecurity_body_handler(ngx_http_request_t *r)
modsecSetBodyBrigade(ctx->req, ctx->brigade);

rc = modsecProcessRequestBody(ctx->req);
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessRequestBody %d", rc);

if (rc != DECLINED) {
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: status: %d, need action", rc);

/* Nginx and Apache share same response code */
if (rc < NGX_HTTP_SPECIAL_RESPONSE || rc >= 600) {
Expand Down Expand Up @@ -474,21 +483,17 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r) {
ngx_http_modsecurity_loc_conf_t *cf;
ngx_http_modsecurity_ctx_t *ctx;
const char *lang;
ngx_int_t rc;

cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity);
ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity);

if (r != r->main || r->internal || !cf->enable || ctx->complete) {
return ngx_http_next_header_filter(r);
}

if (r->method == NGX_HTTP_HEAD || r->header_only
|| !modsecIsResponseBodyAccessEnabled(ctx->req) ) {
/* TODO: RESPONSE HEADERS PHASE
*/
return ngx_http_next_header_filter(r);
}


ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: header filter");

/* copy headers_out */
if (ngx_list_copy_to_apr_table(&r->headers_out.headers,
ctx->req->headers_out,
Expand All @@ -507,6 +512,22 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r) {
*(const char **)apr_array_push(ctx->req->content_languages) = lang;
}

if (r->method == NGX_HTTP_HEAD || r->header_only) {

ctx->complete = 1;
rc = modsecProcessResponse(ctx->req);
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessResponse %d", rc);
if (rc == DECLINED || rc == APR_SUCCESS) {
return ngx_http_next_header_filter(r);
}

if (rc < NGX_HTTP_SPECIAL_RESPONSE || rc >= 600) {
rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
}

return rc;
}

return NGX_OK;
}

Expand All @@ -520,7 +541,7 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)

cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity);
ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity);

if (r != r->main || r->internal || !cf->enable || ctx->complete) {
return ngx_http_next_body_filter(r, in);
}
Expand All @@ -532,10 +553,8 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
}

rc = move_chain_to_brigade(in, ctx->brigade, r->pool);
if (rc == NGX_ERROR) {
return NGX_ERROR;
} else if (rc == NGX_AGAIN) {
return NGX_AGAIN;
if (rc != NGX_OK) {
return rc;
}

/* last buf has been saved */
Expand All @@ -544,6 +563,7 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
modsecSetResponseBrigade(ctx->req, ctx->brigade);

rc = modsecProcessResponse(ctx->req);
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSecurity: modsecProcessResponse %d", rc);

if (rc == DECLINED || rc == APR_SUCCESS) {

Expand All @@ -565,22 +585,17 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
rc = ngx_http_next_header_filter(r);

if (rc == NGX_ERROR || rc > NGX_OK) {
return rc;
return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, rc);
}

rc = ngx_http_next_body_filter(r, in);
if (rc == NGX_ERROR || rc >= NGX_HTTP_SPECIAL_RESPONSE) {
return rc;
}

return NGX_OK;
return ngx_http_next_body_filter(r, in);
}

if (rc < NGX_HTTP_SPECIAL_RESPONSE || rc >= 600) {
rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
}

return rc; /* ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, rc); */
return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, rc);
}


Expand Down Expand Up @@ -709,7 +724,8 @@ ngx_http_modsecurity_config(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)

msg = modsecProcessConfig(mscf->config, (const char *)value[1].data, NULL);
if (msg != NULL) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "modSecurity: modsecProcessConfig() %s", msg);
ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "ModSecurityConfig in %s:%ui: %s",
cf->conf_file->file.name.data, cf->conf_file->line, msg);
return NGX_CONF_ERROR;
}

Expand Down
25 changes: 17 additions & 8 deletions standalone/api.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -215,7 +215,11 @@ apr_status_t ap_http_in_filter(ap_filter_t *f, apr_bucket_brigade *bb_out,
return APR_SUCCESS;
}

return AP_NOBODY_READ;
/* cannot read request body */
e = apr_bucket_eos_create(f->c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb_out, e);

return APR_SUCCESS;
}

apr_status_t ap_http_out_filter(ap_filter_t *f, apr_bucket_brigade *b) {
Expand Down Expand Up @@ -560,7 +564,7 @@ int modsecProcessResponse(request_rec *r) {

if (bb == NULL) {
msr_log(msr, 1, "Process response: Failed to create brigade.");
return -1;
return APR_EGENERAL;
}

msr->r = r;
Expand All @@ -583,19 +587,24 @@ int modsecProcessResponse(request_rec *r) {
e = apr_bucket_pool_create(tmp, readcnt, r->pool, r->connection->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb, e);
}

if(is_eos) {
e = apr_bucket_eos_create(r->connection->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb, e);
}
}

e = apr_bucket_eos_create(r->connection->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb, e);
} else {
return AP_NOBODY_WROTE;
/* cannot read response body process header only */

e = apr_bucket_eos_create(r->connection->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb, e);
}

f = ap_add_output_filter("HTTP_OUT", msr, r, r->connection);
status = ap_pass_brigade(r->output_filters, bb);
ap_remove_output_filter(f);
if(status > 0
&& msr->intercept_actionset->intercept_status != 0) {
status = msr->intercept_actionset->intercept_status;
}
return status;
}

Expand Down