diff --git a/mod_security-2.9.3-remote-rules-timeout.patch b/mod_security-2.9.3-remote-rules-timeout.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1d347ac9b74fa5e883e836d940c0b3c428569509
--- /dev/null
+++ b/mod_security-2.9.3-remote-rules-timeout.patch
@@ -0,0 +1,85 @@
+diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
+index 80f8f2b..7912d84 100644
+--- a/apache2/apache2_config.c
++++ b/apache2/apache2_config.c
+@@ -2354,6 +2354,24 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
+ }
+ 
+ 
++static const char *cmd_remote_timeout(cmd_parms *cmd, void *_dcfg, const char *p1)
++{
++ directory_config *dcfg = (directory_config *)_dcfg;
++ long int timeout;
++
++ if (dcfg == NULL) return NULL;
++
++ timeout = strtol(p1, NULL, 10);
++ if ((timeout == LONG_MAX)||(timeout == LONG_MIN)||(timeout < 0)) {
++ return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRemoteTimeout: %s", p1);
++ }
++
++ remote_rules_timeout = timeout;
++
++ return NULL;
++}
++
++
+ static const char *cmd_status_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
+ {
+ if (strcasecmp(p1, "on") == 0) {
+@@ -3667,6 +3685,14 @@ const command_rec module_directives[] = {
+ "Abort or Warn"
+ ),
+ 
++ AP_INIT_TAKE1 (
++ "SecRemoteTimeout",
++ cmd_remote_timeout,
++ NULL,
++ CMD_SCOPE_ANY,
++ "timeout in seconds"
++ ),
++
+ 
+ AP_INIT_TAKE1 (
+ "SecXmlExternalEntity",
+diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
+index 7bb215e..c155495 100644
+--- a/apache2/mod_security2.c
++++ b/apache2/mod_security2.c
+@@ -79,6 +79,8 @@ msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
+ #endif
+ int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
+ char DSOLOCAL *remote_rules_fail_message = NULL;
++unsigned long int DSOLOCAL remote_rules_timeout = NOT_SET;
++
+ 
+ int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
+ 
+diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
+index f24bc75..8bcd453 100644
+--- a/apache2/modsecurity.h
++++ b/apache2/modsecurity.h
+@@ -150,6 +150,7 @@ extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
+ #endif
+ extern DSOLOCAL int remote_rules_fail_action;
+ extern DSOLOCAL char *remote_rules_fail_message;
++extern DSOLOCAL unsigned long int remote_rules_timeout;
+ 
+ extern DSOLOCAL int status_engine_state;
+ 
+diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
+index 99968f0..b8db13e 100644
+--- a/apache2/msc_remote_rules.c
++++ b/apache2/msc_remote_rules.c
+@@ -358,6 +358,11 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
+ /* We want Curl to return error in case there is an HTTP error code */
+ curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
+ 
++ /* In case we want different timeout than a default one */
++ if (remote_rules_timeout != NOT_SET){
++ curl_easy_setopt(curl, CURLOPT_TIMEOUT, remote_rules_timeout);
++ }
++
+ res = curl_easy_perform(curl);
+ 
+ if (res != CURLE_OK)
diff --git a/mod_security.conf b/mod_security.conf
index 728afc1afd34e9f516859df64b14689f6d17dd68..e9fe3ddcee5fb67af7c78b8c8613b17b06d3465e 100644
--- a/mod_security.conf
+++ b/mod_security.conf
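Review bot: `cmd_remote_timeout` accepts any argument that `strtol` can partially parse, because it passes a NULL end pointer and never consults `errno`: `SecRemoteTimeout 10s` silently becomes 10, `SecRemoteTimeout abc` becomes 0, and the `LONG_MAX`/`LONG_MIN` comparison only catches overflow by accident while rejecting a legitimately written LONG_MAX. The check should be driven by the end pointer and `errno == ERANGE` (apache2_config.c needs `<errno.h>` in scope if it is not already). A value of 0 also deserves a decision: it passes the range test and is handed to `CURLOPT_TIMEOUT`, where libcurl treats 0 as "never time out", so the directive can disable the limit rather than shorten it — either reject 0 or say so in the help string, e.g. `"timeout in seconds (0 disables the timeout)"`. Finally, `remote_rules_timeout` is a single process-wide global while the directive is registered with `CMD_SCOPE_ANY`, so the last occurrence in any vhost or directory scope wins; a one-line comment next to the definition in mod_security2.c, `/* process-wide: the last SecRemoteTimeout parsed in any scope applies to all remote rule fetches */`, would spare the next reader that surprise.
```c
static const char *cmd_remote_timeout(cmd_parms *cmd, void *_dcfg, const char *p1)
{
    /* … unchanged: dcfg cast and NULL check … */
    char *end = NULL;
    long int timeout;

    /* Accept only a complete, non-negative decimal number: strtol alone
     * turns "abc" into 0 and "10s" into 10 without complaint. */
    errno = 0;
    timeout = strtol(p1, &end, 10);
    if (end == p1 || *end != '\0' || errno == ERANGE || timeout < 0) {
        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRemoteTimeout: %s", p1);
    }
    /* … unchanged: store into remote_rules_timeout and return NULL … */
```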
@@ -1,226 +1,56 @@ -# -- Rule engine initialization ---------------------------------------------- - -# Enable ModSecurity, attaching it to every transaction. Use detection -# only to start with, because that minimises the chances of post-installation -# disruption. -# -SecRuleEngine DetectionOnly - - -# -- Request body handling --------------------------------------------------- - -# Allow ModSecurity to access request bodies. If you don't, ModSecurity -# won't be able to see any POST parameters, which opens a large security -# hole for attackers to exploit. -# -SecRequestBodyAccess On - - -# Enable XML request body parser. -# Initiate XML Processor in case of xml content-type -# -SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \ - "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" - -# Enable JSON request body parser. -# Initiate JSON Processor in case of JSON content-type; change accordingly -# if your application does not use 'application/json' -# -SecRule REQUEST_HEADERS:Content-Type "application/json" \ - "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON" - -# Maximum request body size we will accept for buffering. If you support -# file uploads then the value given on the first line has to be as large -# as the largest file you are willing to accept. The second value refers -# to the size of data, with files excluded. You want to keep that value as -# low as practical. -# -SecRequestBodyLimit 13107200 -SecRequestBodyNoFilesLimit 131072 - -# Store up to 128 KB of request body data in memory. When the multipart -# parser reachers this limit, it will start using your hard disk for -# storage. That is slow, but unavoidable. -# -SecRequestBodyInMemoryLimit 131072 - -# What do do if the request body size is above our configured limit. 
-# Keep in mind that this setting will automatically be set to ProcessPartial -# when SecRuleEngine is set to DetectionOnly mode in order to minimize -# disruptions when initially deploying ModSecurity. -# -SecRequestBodyLimitAction Reject - -# Verify that we've correctly processed the request body. -# As a rule of thumb, when failing to process a request body -# you should reject the request (when deployed in blocking mode) -# or log a high-severity alert (when deployed in detection-only mode). -# -SecRule REQBODY_ERROR "!@eq 0" \ -"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" - -# By default be strict with what we accept in the multipart/form-data -# request body. If the rule below proves to be too strict for your -# environment consider changing it to detection-only. You are encouraged -# _not_ to remove it altogether. -# -SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ -"id:'200003',phase:2,t:none,log,deny,status:400, \ -msg:'Multipart request body failed strict validation: \ -PE %{REQBODY_PROCESSOR_ERROR}, \ -BQ %{MULTIPART_BOUNDARY_QUOTED}, \ -BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ -DB %{MULTIPART_DATA_BEFORE}, \ -DA %{MULTIPART_DATA_AFTER}, \ -HF %{MULTIPART_HEADER_FOLDING}, \ -LF %{MULTIPART_LF_LINE}, \ -SM %{MULTIPART_MISSING_SEMICOLON}, \ -IQ %{MULTIPART_INVALID_QUOTING}, \ -IP %{MULTIPART_INVALID_PART}, \ -IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ -FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" - -# Did we see anything that might be a boundary? -# -SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ -"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'" - -# PCRE Tuning -# We want to avoid a potential RegEx DoS condition -# -SecPcreMatchLimit 1000 -SecPcreMatchLimitRecursion 1000 - -# Some internal errors will set flags in TX and we will need to look for these. -# All of these are prefixed with "MSC_". 
The following flags currently exist: -# -# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded. -# -SecRule TX:/^MSC_/ "!@streq 0" \ - "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" - - -# -- Response body handling -------------------------------------------------- - -# Allow ModSecurity to access response bodies. -# You should have this directive enabled in order to identify errors -# and data leakage issues. -# -# Do keep in mind that enabling this directive does increases both -# memory consumption and response latency. -# -SecResponseBodyAccess On - -# Which response MIME types do you want to inspect? You should adjust the -# configuration below to catch documents but avoid static files -# (e.g., images and archives). -# -SecResponseBodyMimeType text/plain text/html text/xml - -# Buffer response bodies of up to 512 KB in length. -SecResponseBodyLimit 524288 - -# What happens when we encounter a response body larger than the configured -# limit? By default, we process what we have and let the rest through. -# That's somewhat less secure, but does not break any legitimate pages. -# -SecResponseBodyLimitAction ProcessPartial - - -# -- Filesystem configuration ------------------------------------------------ - -# The location where ModSecurity stores temporary files (for example, when -# it needs to handle a file upload that is larger than the configured limit). -# -# This default setting is chosen due to all systems have /tmp available however, -# this is less than ideal. It is recommended that you specify a location that's private. -# -SecTmpDir /tmp/ - -# The location where ModSecurity will keep its persistent data. This default setting -# is chosen due to all systems have /tmp available however, it -# too should be updated to a place that other users can't access. 
-# -SecDataDir /tmp/ - - -# -- File uploads handling configuration ------------------------------------- - -# The location where ModSecurity stores intercepted uploaded files. This -# location must be private to ModSecurity. You don't want other users on -# the server to access the files, do you? -# -#SecUploadDir /opt/modsecurity/var/upload/ - -# By default, only keep the files that were determined to be unusual -# in some way (by an external inspection script). For this to work you -# will also need at least one file inspection rule. -# -#SecUploadKeepFiles RelevantOnly - -# Uploaded files are by default created with permissions that do not allow -# any other user to access them. You may need to relax that if you want to -# interface ModSecurity to an external program (e.g., an anti-virus). -# -#SecUploadFileMode 0600 - - -# -- Debug log configuration ------------------------------------------------- - -# The default debug log configuration is to duplicate the error, warning -# and notice messages from the error log. -# -#SecDebugLog /opt/modsecurity/var/log/debug.log -#SecDebugLogLevel 3 - - -# -- Audit log configuration ------------------------------------------------- - -# Log the transactions that are marked by a rule, as well as those that -# trigger a server error (determined by a 5xx or 4xx, excluding 404, -# level response status codes). -# -SecAuditEngine RelevantOnly -SecAuditLogRelevantStatus "^(?:5|4(?!04))" - -# Log everything we know about a transaction. -SecAuditLogParts ABIJDEFHZ - -# Use a single file for logging. This is much easier to look at, but -# assumes that you will use the audit log only ocassionally. -# -SecAuditLogType Serial -SecAuditLog /var/log/modsec_audit.log - -# Specify the path for concurrent audit logging. 
-#SecAuditLogStorageDir /opt/modsecurity/var/audit/ - - -# -- Miscellaneous ----------------------------------------------------------- - -# Use the most commonly used application/x-www-form-urlencoded parameter -# separator. There's probably only one application somewhere that uses -# something else so don't expect to change this value. -# -SecArgumentSeparator & - -# Settle on version 0 (zero) cookies, as that is what most applications -# use. Using an incorrect cookie version may open your installation to -# evasion attacks (against the rules that examine named cookies). -# -SecCookieFormat 0 - -# Specify your Unicode Code Point. -# This mapping is used by the t:urlDecodeUni transformation function -# to properly map encoded data to your language. Properly setting -# these directives helps to reduce false positives and negatives. -# -SecUnicodeMapFile unicode.mapping 20127 - -# Improve the quality of ModSecurity by sharing information about your -# current ModSecurity version and dependencies versions. -# The following information will be shared: ModSecurity version, -# Web Server version, APR version, PCRE version, Lua version, Libxml2 -# version, Anonymous unique id for host. 
-SecStatusEngine On
-
+
+ # Default recommended configuration
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+ SecRequestBodyLimit 13107200
+ SecRequestBodyNoFilesLimit 131072
+ SecRequestBodyInMemoryLimit 131072
+ SecRequestBodyLimitAction Reject
+ SecRule REQBODY_ERROR "!@eq 0" \
+ "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+ SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+ "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \
+ failed strict validation: \
+ PE %{REQBODY_PROCESSOR_ERROR}, \
+ BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+ BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+ DB %{MULTIPART_DATA_BEFORE}, \
+ DA %{MULTIPART_DATA_AFTER}, \
+ HF %{MULTIPART_HEADER_FOLDING}, \
+ LF %{MULTIPART_LF_LINE}, \
+ SM %{MULTIPART_MISSING_SEMICOLON}, \
+ IQ %{MULTIPART_INVALID_QUOTING}, \
+ IP %{MULTIPART_INVALID_PART}, \
+ IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+ FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+ SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+ "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+ SecPcreMatchLimit 1000
+ SecPcreMatchLimitRecursion 1000
+
+ SecRule TX:/^MSC_/ "!@streq 0" \
+ "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+ SecResponseBodyAccess Off
+ SecDebugLog /var/log/httpd/modsec_debug.log
+ SecDebugLogLevel 0
+ SecAuditEngine RelevantOnly
+ SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+ SecAuditLogParts ABIJDEFHZ
+ SecAuditLogType Serial
+ SecAuditLog /var/log/httpd/modsec_audit.log
+ SecArgumentSeparator &
+ SecCookieFormat 0
+ SecTmpDir /var/lib/mod_security
+ SecDataDir /var/lib/mod_security
+
+ # ModSecurity Core Rules Set and Local configuration
+ Include modsecurity.d/*.conf
+ Include modsecurity.d/activated_rules/*.conf
+ Include modsecurity.d/local_rules/*.conf
+
+
diff --git a/mod_security.spec b/mod_security.spec
index 027a7a342408227414bb9e5b77069b7a8d21259e..219652165650268e72cd70aaee88db685d54cae7 100644
--- a/mod_security.spec
+++ b/mod_security.spec
@@ -6,8 +6,8 @@ %global mod_audit_log_collector 0
 Name: mod_security
-Version: 2.9.5
-Release: 8
+Version: 2.9.7
+Release: 1
 Summary: Security module for the Apache HTTP Server
 License: ASL 2.0
 URL: http://www.modsecurity.org/
@@ -15,16 +15,13 @@ Source: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/
 Source1: mod_security.conf
 Source2: 10-mod_security.conf
 Source3: modsecurity_localrules.conf
-Patch0000: modsecurity-2.9.5-lua-54.patch
-Patch0001: modsecurity-2.9.5-use-uid-if-user-name-is-not-available.patch
-Patch0002: modsecurity-2.9.5-Properly-cleanup-XML-parser-contexts-upon-completion.patch
-Patch0003: modsecurity-2.9.5-Add-SecRequestBodyJsonDepthLimit-to-modsecurity.conf.patch
-Patch0004: modsecurity-2.9.5-Fix-memory-leak-that-occurs-on-JSON-parsing-error.patch
-Patch0005: modsecurity-2.9.5-Set-SecStatusEngine-Off-in-modsecurity.conf.patch
-Patch0006: modsecurity-2.9.5-Allow-no-key-single-value-JSON-body.patch
+Patch0000: modsecurity-2.9.3-lua-54.patch
+Patch0001: modsecurity-2.9.3-apulibs.patch
+Patch0002: mod_security-2.9.3-remote-rules-timeout.patch
+
 Requires: httpd httpd-mmn = %{_httpd_mmn}
-BuildRequires: gcc make perl-generators httpd-devel yajl yajl-devel
+BuildRequires: gcc make perl-generators httpd-devel yajl yajl-devel pcre2-devel
 BuildRequires: pkgconfig(lua) pkgconfig(libcurl) pkgconfig(libxml-2.0) pkgconfig(libpcre)
 BuildRequires: autoconf automake libtool
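Review bot: Rule 200003 on the new side carries `status:44`, which is not an HTTP status code; every neighbouring deny rule uses `status:400`, and what httpd emits for an unknown code is implementation-dependent, so the line should read `"id:'200003',phase:2,t:none,log,deny,status:400,msg:'Multipart parser detected a possible unmatched boundary.'"`. The rewrite also drops the removed side's JSON body-processor rule (old id 200001) and narrows the XML trigger from `(?:application(?:/soap\+|/)|text/)xml` to the literal `text/xml`, so `application/json`, `application/xml` and SOAP bodies are no longer parsed into ARGS and any included CRS rule that inspects ARGS is blind to them — a real detection regression, and a louder one now that the file sets `SecRuleEngine On` rather than `DetectionOnly`. Restoring the original Content-Type regex and adding `SecRule REQUEST_HEADERS:Content-Type "application/json" "id:'200005',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"` (200005 is free; 200001 is now the REQBODY_ERROR rule) closes that gap. If dropping JSON parsing was deliberate, a comment in the file should say so, since the old file explained that skipping body parsing "opens a large security hole" and the new one has no commentary at all.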
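Review bot: The hunk drops six `modsecurity-2.9.5-*` backports without recording where their fixes went; two of them are resource-handling fixes in the request-body parsers (the XML parser-context cleanup and the yajl error-string leak on JSON parse failure, both still visible as deleted files further down in this diff) and one changed the shipped default to `SecStatusEngine Off`. If each of those commits is in the 2.9.7 tarball the %changelog entry should say so per patch; if any is not, it should be carried forward rather than silently lost in the rebase. The surviving and new patches are named `*-2.9.3-*` while Source0 is 2.9.7, and `mod_security-2.9.3-remote-rules-timeout.patch` adds a `SecRemoteTimeout` directive that does not exist upstream, so consider naming them for the release they were rebased onto and calling out the new directive in the changelog. Keeping `pkgconfig(libpcre)` next to the new `pcre2-devel` is only right if 2.9.7's configure still needs classic PCRE alongside `--with-pcre2`; otherwise it is a stale build dependency worth a comment or removal.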
@@ -48,7 +45,13 @@ This package collects mod_security audit log.
 %build
 ./autogen.sh
-%configure --with-yajl --with-apxs=%{_httpd_apxs} --enable-pcre-match-limit-recursion=1000000 --enable-pcre-match-limit=1000000
+%configure --enable-pcre-match-limit=1000000 \
+ --enable-pcre-match-limit-recursion=1000000 \
+ --with-apxs=%{_httpd_apxs} \
+ --with-yajl \
+ --with-pcre2 \
+ --disable-static
+
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 make %{_smp_mflags}
@@ -104,6 +107,9 @@ install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
 %endif
 %changelog
+* Mon Jul 17 2023 chenchen - 2.9.7-1
+- Upgrade to version 2.9.7
+
 * Mon Jan 9 2023 yaoguangzhong - 2.9.5-8
 - backport allow no-key, single-value JSON body
diff --git a/modsecurity-2.9.3-apulibs.patch b/modsecurity-2.9.3-apulibs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bde44bb3c697ea447408c66b785c537d3a8e4d7b
--- /dev/null
+++ b/modsecurity-2.9.3-apulibs.patch
@@ -0,0 +1,14 @@
+
+Strip redundant APR-util dependent libraries, it is sufficient to link against -laprutil-1.
+
+--- modsecurity-2.9.3/build/find_apu.m4.apulibs
++++ modsecurity-2.9.3/build/find_apu.m4
+@@ -59,7 +59,7 @@
+ APU_CFLAGS="`${APU_CONFIG} --includes`"
+ if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu CFLAGS: $APU_CFLAGS); fi
+ APU_LDFLAGS="`${APU_CONFIG} --ldflags`"
+- APU_LDFLAGS="$APU_LDFLAGS `${APU_CONFIG} --libs`"
++ APU_LDFLAGS="$APU_LDFLAGS `${APU_CONFIG} --avoid-ldap --avoid-dbm --libs`"
+ if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDFLAGS: $APU_LDFLAGS); fi
+ APU_LDADD="`${APU_CONFIG} --link-libtool`"
+ if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apu LDADD: $APU_LDADD); fi
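Review bot: The patch header calls the extra APR-util libraries "redundant" but does not say why `--avoid-ldap --avoid-dbm` is safe for this module, which is the question the next rebase will have to answer again. The persistent-collection code goes through APR's own SDBM (`apr_sdbm_t` in persist_dbm.c, visible in the deleted use-uid patch further down), which lives in libaprutil-1 itself rather than in an external DBM library, and nothing in the module appears to need LDAP, so the change should be harmless — but that reasoning belongs in the header. Suggested wording: `Link against libaprutil-1 only: mod_security uses APR's built-in SDBM for collections and no LDAP, so the external DBM/LDAP libraries that apu-1-config --libs adds are unneeded and only widen the runtime dependency set.` A line naming the patch's origin (distro or upstream) would also help provenance tracking.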
diff --git a/modsecurity-2.9.5-lua-54.patch b/modsecurity-2.9.3-lua-54.patch similarity index 84% rename from modsecurity-2.9.5-lua-54.patch rename to modsecurity-2.9.3-lua-54.patch index 62dd671b02a0f3c01e79822bd637a84f14065bd9..ca6e56024f158b0feb9d0100a2ba5c412de51292 100644 --- a/modsecurity-2.9.5-lua-54.patch +++ b/modsecurity-2.9.3-lua-54.patch @@ -1,6 +1,6 @@ -diff -ru modsecurity-2.9.5/apache2/msc_lua.c modsecurity-2.9.5-lua-patch/apache2/msc_lua.c ---- modsecurity-2.9.5/apache2/msc_lua.c 2018-12-04 18:49:37.000000000 +0000 -+++ modsecurity-2.9.5-lua-patch/apache2/msc_lua.c 2020-08-08 16:55:14.936045777 +0000 +diff -ru modsecurity-2.9.3/apache2/msc_lua.c modsecurity-2.9.3-lua-patch/apache2/msc_lua.c +--- modsecurity-2.9.3/apache2/msc_lua.c 2018-12-04 18:49:37.000000000 +0000 ++++ modsecurity-2.9.3-lua-patch/apache2/msc_lua.c 2020-08-08 16:55:14.936045777 +0000 @@ -429,12 +429,12 @@ #else diff --git a/modsecurity-2.9.5-Add-SecRequestBodyJsonDepthLimit-to-modsecurity.conf.patch b/modsecurity-2.9.5-Add-SecRequestBodyJsonDepthLimit-to-modsecurity.conf.patch deleted file mode 100644 index 3918deade2dbef08ded858068a3dfb13f690bd92..0000000000000000000000000000000000000000 --- a/modsecurity-2.9.5-Add-SecRequestBodyJsonDepthLimit-to-modsecurity.conf.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From d12959e18fccaf12708897baced782b9a63622fa Mon Sep 17 00:00:00 2001 -From: yaoguangzhong -Date: Sat, 7 Jan 2023 11:05:51 +0800 -Subject: [PATCH] Add SecRequestBodyJsonDepthLimit to - modsecurity.conf-recommended - -From Author: Martin Vierula ---- - modsecurity.conf-recommended | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/modsecurity.conf-recommended b/modsecurity.conf-recommended -index f357d95..c84ddce 100644 ---- a/modsecurity.conf-recommended -+++ b/modsecurity.conf-recommended -@@ -58,6 +58,11 @@ SecRequestBodyInMemoryLimit 131072 - # - SecRequestBodyLimitAction Reject - -+# Maximum parsing depth allowed for JSON objects. You want to keep this -+# value as low as practical. -+# -+SecRequestBodyJsonDepthLimit 512 -+ - # Verify that we've correctly processed the request body. - # As a rule of thumb, when failing to process a request body - # you should reject the request (when deployed in blocking mode) --- -2.27.0 - diff --git a/modsecurity-2.9.5-Allow-no-key-single-value-JSON-body.patch b/modsecurity-2.9.5-Allow-no-key-single-value-JSON-body.patch deleted file mode 100644 index c746e80c6ad881cd2de9e809e910d2f250c002ee..0000000000000000000000000000000000000000 --- a/modsecurity-2.9.5-Allow-no-key-single-value-JSON-body.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From 630d57d7bd07696a72ac8ded7593bbcf31168a95 Mon Sep 17 00:00:00 2001 -From: yaoguangzhong -Date: Mon, 9 Jan 2023 16:00:15 +0800 -Subject: [PATCH] backport Allow no-key, single-value JSON body - -From Author: Martin Vierula -From commit 4a98032b7f827c4edd2514ce2af29222bb2ba289 -Signed-off-by: Guangzhong Yao ---- - apache2/msc_json.c | 3 +-- - apache2/msc_json.h | 2 +- - tests/regression/rule/15-json.t | 34 +++++++++++++++++++++++++++++++++ - 3 files changed, 36 insertions(+), 3 deletions(-) - -diff --git a/apache2/msc_json.c b/apache2/msc_json.c -index cbaab0e..bab3a6d 100644 ---- a/apache2/msc_json.c -+++ b/apache2/msc_json.c -@@ -27,8 +27,7 @@ int json_add_argument(modsec_rec *msr, const char *value, unsigned length) - * to reference this argument; for now we simply ignore these - */ - if (!msr->json->current_key) { -- msr_log(msr, 3, "Cannot add scalar value without an associated key"); -- return 1; -+ msr->json->current_key = ""; - } - - arg = (msc_arg *) apr_pcalloc(msr->mp, sizeof(msc_arg)); -diff --git a/apache2/msc_json.h b/apache2/msc_json.h -index 7e3d725..089dab4 100644 ---- a/apache2/msc_json.h -+++ b/apache2/msc_json.h -@@ -39,7 +39,7 @@ struct json_data { - - /* prefix is used to create data hierarchy (i.e., 'parent.child.value') */ - unsigned char *prefix; -- unsigned char *current_key; -+ const unsigned char *current_key; - long int current_depth; - int depth_limit_exceeded; - }; -diff --git a/tests/regression/rule/15-json.t b/tests/regression/rule/15-json.t -index f84355a..65f53ec 100644 ---- a/tests/regression/rule/15-json.t -+++ b/tests/regression/rule/15-json.t -@@ -224,6 +224,40 @@ - ), - ), - ), -+}, -+{ -+ type => "rule", -+ comment => "json parser - no-key single value", -+ conf => qq( -+ SecRuleEngine On -+ SecRequestBodyAccess On -+ SecDebugLog $ENV{DEBUG_LOG} -+ SecAuditEngine RelevantOnly -+ SecAuditLog "$ENV{AUDIT_LOG}" -+ SecDebugLogLevel 9 -+ SecRequestBodyJsonDepthLimit 3 -+ SecRule REQUEST_HEADERS:Content-Type 
"application/json" \\ -+ "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON" -+ SecRule REQBODY_ERROR "!\@eq 0" "id:'200444',phase:2,log,deny,status:403,msg:'Failed to parse request body'" -+ SecRule ARGS "\@streq 25" "id:'200445',phase:2,log,deny,status:403" -+ ), -+ match_log => { -+ audit => [ qr/200445/s, 1 ], -+ }, -+ match_response => { -+ status => qr/^403$/, -+ }, -+ request => new HTTP::Request( -+ POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt", -+ [ -+ "Content-Type" => "application/json", -+ ], -+ normalize_raw_request_data( -+ q( -+ 25 -+ ), -+ ), -+ ), - } - - --- -2.39.0.windows.2 - diff --git a/modsecurity-2.9.5-Fix-memory-leak-that-occurs-on-JSON-parsing-error.patch b/modsecurity-2.9.5-Fix-memory-leak-that-occurs-on-JSON-parsing-error.patch deleted file mode 100644 index 1ee6e1f36cece5e1cc7ef706fa18c3e01eafeca4..0000000000000000000000000000000000000000 --- a/modsecurity-2.9.5-Fix-memory-leak-that-occurs-on-JSON-parsing-error.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 0951ccdfa2eee85e71ddcec6a45c87ce37772c69 Mon Sep 17 00:00:00 2001 -From: yaoguangzhong -Date: Sat, 7 Jan 2023 15:02:18 +0800 -Subject: [PATCH] Fix memory leak that occurs on JSON parsing error - -From Author: Martin Vierula -commit c6582df2e5e3a92ba4b90e2a6cfaeb89f61bcadf ---- - apache2/msc_json.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/apache2/msc_json.c b/apache2/msc_json.c -index d69e9eb..cbaab0e 100644 ---- a/apache2/msc_json.c -+++ b/apache2/msc_json.c -@@ -351,11 +351,12 @@ int json_process_chunk(modsec_rec *msr, const char *buf, unsigned int size, char - /* Feed our parser and catch any errors */ - msr->json->status = yajl_parse(msr->json->handle, buf, size); - if (msr->json->status != yajl_status_ok) { -- /* We need to free the yajl error message later, how to do this? */ - if (msr->json->depth_limit_exceeded) { - *error_msg = "JSON depth limit exceeded"; - } else { -- *error_msg = yajl_get_error(msr->json->handle, 0, NULL, 0); -+ char *yajl_err = yajl_get_error(msr->json->handle, 0, buf, size); -+ *error_msg = apr_pstrdup(msr->mp, yajl_err); -+ yajl_free_error(msr->json->handle, yajl_err); - } - return -1; - } -@@ -375,11 +376,12 @@ int json_complete(modsec_rec *msr, char **error_msg) { - /* Wrap up the parsing process */ - msr->json->status = yajl_complete_parse(msr->json->handle); - if (msr->json->status != yajl_status_ok) { -- /* We need to free the yajl error message later, how to do this? */ - if (msr->json->depth_limit_exceeded) { - *error_msg = "JSON depth limit exceeded"; - } else { -- *error_msg = yajl_get_error(msr->json->handle, 0, NULL, 0); -+ char *yajl_err = yajl_get_error(msr->json->handle, 0, NULL, 0); -+ *error_msg = apr_pstrdup(msr->mp, yajl_err); -+ yajl_free_error(msr->json->handle, yajl_err); - } - - return -1; --- -2.27.0 - 
diff --git a/modsecurity-2.9.5-Properly-cleanup-XML-parser-contexts-upon-completion.patch b/modsecurity-2.9.5-Properly-cleanup-XML-parser-contexts-upon-completion.patch deleted file mode 100644 index e74ddde56f846d9a3a02302ffc9ed4bbd41dad81..0000000000000000000000000000000000000000 --- a/modsecurity-2.9.5-Properly-cleanup-XML-parser-contexts-upon-completion.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 6a5ec1ff7bd5a4a653da417f9a49a50cf5b2429d Mon Sep 17 00:00:00 2001 -From: Vladimir Krivopalov -Date: Mon, 13 Jan 2020 16:36:09 -0800 -Subject: [PATCH] Properly cleanup XML parser contexts upon completion - -It is currently possible that the XML parsing context is not properly -cleaned up if a parsed XML document is malformed. - -This fix makes sure that the context is taken care of. - -Signed-off-by: Vladimir Krivopalov ---- - apache2/msc_xml.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/apache2/msc_xml.c b/apache2/msc_xml.c -index a31decb5..9cc4da65 100644 ---- a/apache2/msc_xml.c -+++ b/apache2/msc_xml.c -@@ -137,6 +137,13 @@ int xml_complete(modsec_rec *msr, char **error_msg) { - * Frees the resources used for XML parsing. - */ - apr_status_t xml_cleanup(modsec_rec *msr) { -+ if (msr->xml->parsing_ctx != NULL) { -+ if (msr->xml->parsing_ctx->myDoc) { -+ xmlFreeDoc(msr->xml->parsing_ctx->myDoc); -+ } -+ xmlFreeParserCtxt(msr->xml->parsing_ctx); -+ msr->xml->parsing_ctx = NULL; -+ } - if (msr->xml->doc != NULL) { - xmlFreeDoc(msr->xml->doc); - msr->xml->doc = NULL; --- -2.27.0 - diff --git a/modsecurity-2.9.5-Set-SecStatusEngine-Off-in-modsecurity.conf.patch b/modsecurity-2.9.5-Set-SecStatusEngine-Off-in-modsecurity.conf.patch deleted file mode 100644 index ce14f7169e7c2052366fa59d78ce90a8f510a319..0000000000000000000000000000000000000000 --- a/modsecurity-2.9.5-Set-SecStatusEngine-Off-in-modsecurity.conf.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From fc84c6a3f6c446760350f80189d4bbfc116c143c Mon Sep 17 00:00:00 2001 -From: yaoguangzhong -Date: Sat, 7 Jan 2023 15:26:23 +0800 -Subject: [PATCH] backport Set SecStatusEngine Off in - modsecurity.conf-recommended - -From Author: Martin Vierula -commit 733427197e2fe4fabcbb0f43bd1e636ef923a6b4 ---- - modsecurity.conf-recommended | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/modsecurity.conf-recommended b/modsecurity.conf-recommended -index c84ddce..923f5d8 100644 ---- a/modsecurity.conf-recommended -+++ b/modsecurity.conf-recommended -@@ -234,5 +234,6 @@ SecUnicodeMapFile unicode.mapping 20127 - # The following information will be shared: ModSecurity version, - # Web Server version, APR version, PCRE version, Lua version, Libxml2 - # version, Anonymous unique id for host. --SecStatusEngine On -- -++# NB: As of April 2022, there is no longer any advantage to turning this -++# setting On, as there is no active receiver for the information. -++SecStatusEngine Off --- -2.27.0 - diff --git a/modsecurity-2.9.5-use-uid-if-user-name-is-not-available.patch b/modsecurity-2.9.5-use-uid-if-user-name-is-not-available.patch deleted file mode 100644 index 648e6e19815070fe680b32a07c7b380beed18c4d..0000000000000000000000000000000000000000 --- a/modsecurity-2.9.5-use-uid-if-user-name-is-not-available.patch +++ /dev/null 
@@ -1,126 +0,0 @@ -From 46c6cb2759327d94e619454dbe61f1e7639dd607 Mon Sep 17 00:00:00 2001 -From: Armin Abfalterer -Date: Tue, 12 Mar 2019 16:29:43 +0100 -Subject: [PATCH] use uid if user name is not available - ---- - apache2/msc_logging.c | 10 +++++++--- - apache2/persist_dbm.c | 29 +++++++++++++++++++---------- - 2 files changed, 26 insertions(+), 13 deletions(-) - -diff --git a/apache2/msc_logging.c b/apache2/msc_logging.c -index d50f709e..d1a867c3 100644 ---- a/apache2/msc_logging.c -+++ b/apache2/msc_logging.c -@@ -234,16 +234,20 @@ static char *construct_auditlog_filename(apr_pool_t *mp, const char *uniqueid) { - * This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations - * It also changes the return statement. - */ -- char *username; -+ char *userinfo; -+ apr_status_t rc; - apr_uid_t uid; - apr_gid_t gid; - apr_uid_current(&uid, &gid, mp); -- apr_uid_name_get(&username, uid, mp); -+ rc = apr_uid_name_get(&userinfo, uid, mp); -+ if (rc != APR_SUCCESS) { -+ userinfo = apr_psprintf(mp, "%u", uid); -+ } - - apr_time_exp_lt(&t, apr_time_now()); - - apr_strftime(tstr, &len, 299, "/%Y%m%d/%Y%m%d-%H%M/%Y%m%d-%H%M%S", &t); -- return apr_psprintf(mp, "/%s%s-%s", username, tstr, uniqueid); -+ return apr_psprintf(mp, "/%s%s-%s", userinfo, tstr, uniqueid); - } - - /** -diff --git a/apache2/persist_dbm.c b/apache2/persist_dbm.c -index efbbf6eb..e4f8036f 100644 ---- a/apache2/persist_dbm.c -+++ b/apache2/persist_dbm.c -@@ -104,11 +104,14 @@ static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec - /** - * This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations - */ -- char *username; -+ char *userinfo; - apr_uid_t uid; - apr_gid_t gid; - apr_uid_current(&uid, &gid, msr->mp); -- apr_uid_name_get(&username, uid, msr->mp); -+ rc = apr_uid_name_get(&userinfo, uid, msr->mp); -+ if (rc != APR_SUCCESS) { -+ userinfo = apr_psprintf(msr->mp, "%u", uid); -+ } - - if 
(msr->txcfg->data_dir == NULL) { - msr_log(msr, 1, "collection_retrieve_ex: Unable to retrieve collection (name \"%s\", key \"%s\"). Use " -@@ -117,7 +120,7 @@ static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec - goto cleanup; - } - -- dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", col_name, NULL); -+ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", col_name, NULL); - - if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "collection_retrieve_ex: collection_retrieve_ex: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name), -@@ -385,11 +388,14 @@ int collection_store(modsec_rec *msr, apr_table_t *col) { - /** - * This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations - */ -- char *username; -+ char *userinfo; - apr_uid_t uid; - apr_gid_t gid; - apr_uid_current(&uid, &gid, msr->mp); -- apr_uid_name_get(&username, uid, msr->mp); -+ rc = apr_uid_name_get(&userinfo, uid, msr->mp); -+ if (rc != APR_SUCCESS) { -+ userinfo = apr_psprintf(msr->mp, "%u", uid); -+ } - - var_name = (msc_string *)apr_table_get(col, "__name"); - if (var_name == NULL) { -@@ -409,7 +415,7 @@ int collection_store(modsec_rec *msr, apr_table_t *col) { - } - - // ENH: lowercase the var name in the filename -- dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", var_name->value, NULL); -+ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", var_name->value, NULL); - - if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "collection_store: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, var_name->value), -@@ -675,11 +681,14 @@ int collections_remove_stale(modsec_rec *msr, const char *col_name) { - /** - * This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations - */ -- char *username; -+ char *userinfo; - apr_uid_t uid; - 
apr_gid_t gid; - apr_uid_current(&uid, &gid, msr->mp); -- apr_uid_name_get(&username, uid, msr->mp); -+ rc = apr_uid_name_get(&userinfo, uid, msr->mp); -+ if (rc != APR_SUCCESS) { -+ userinfo = apr_psprintf(msr->mp, "%u", uid); -+ } - - if (msr->txcfg->data_dir == NULL) { - /* The user has been warned about this problem enough times already by now. -@@ -690,9 +699,9 @@ int collections_remove_stale(modsec_rec *msr, const char *col_name) { - } - - if(strstr(col_name,"USER") || strstr(col_name,"SESSION") || strstr(col_name, "RESOURCE")) -- dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", msr->txcfg->webappid, "_", col_name, NULL); -+ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", msr->txcfg->webappid, "_", col_name, NULL); - else -- dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", col_name, NULL); -+ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", col_name, NULL); - - if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "collections_remove_stale: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name), --- -2.27.0 - diff --git a/modsecurity-2.9.5.tar.gz b/modsecurity-2.9.7.tar.gz similarity index 57% rename from modsecurity-2.9.5.tar.gz rename to modsecurity-2.9.7.tar.gz index cbbf85bfd7b30fa238ae6cb1d2d59af9df977379..5f2e728e857e2826964e669b34107b933e68a00f 100644 Binary files a/modsecurity-2.9.5.tar.gz and b/modsecurity-2.9.7.tar.gz differ diff --git a/modsecurity_localrules.conf b/modsecurity_localrules.conf index 13935cd13185526fbf89d4e7bae60c0da363766c..983d7df3c459efa3b0c713f01e9ee7cee12f6419 100644 --- a/modsecurity_localrules.conf +++ b/modsecurity_localrules.conf @@ -1,3 +1,5 @@ +# User defined rules and settings . +# # You can use this file/directory to drop your local rules or # to remove some rules provided by mod_security_crs package with SecRuleRemoveById #