microsoft
/
ModSecurity
зеркало из https://github.com/microsoft/ModSecurity.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Implement SecMarker. See #416.

This commit is contained in:
brectanus 2007-12-11 17:53:50 +00:00
Родитель 37f5231ccd
Коммит 715a8eae58
7 изменённых файлов: 130 добавлений и 18 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
CHANGES
Просмотреть файл

@ -2,6 +2,8 @@
29 Nov 2007 - 2.5.0-dev3
------------------------
* Added SecMarker <id> directive to allow a fixed target for skipAfter.
* The invoked rule is now logged in the debug log at level 5.
* New audit log part 'K' logs all matching rules.

54
apache2/apache2_config.c
Просмотреть файл

@ -657,18 +657,64 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, const char *
return "Internal Error: Failed to add placeholder to the ruleset.";
}
/* No longer need to search for the ID */
apr_table_unset(dcfg->tmp_rule_placeholders, rule->actionset->id);
}
return NULL;
}
/**
* TODO
*/
static const char *add_marker(cmd_parms *cmd, directory_config *dcfg, const char *p1,
const char *p2, const char *p3)
{
char *my_error_msg = NULL;
msre_rule *rule = NULL;
extern msc_engine *modsecurity;
int p;
/* Create a ruleset if one does not exist. */
if ((dcfg->ruleset == NULL)||(dcfg->ruleset == NOT_SET_P)) {
dcfg->ruleset = msre_ruleset_create(modsecurity->msre, cmd->pool);
if (dcfg->ruleset == NULL) return FATAL_ERROR;
}
/* Create the rule now. */
rule = msre_rule_create(dcfg->ruleset, cmd->directive->filename, cmd->directive->line_num, p1, p2, p3, &my_error_msg);
if (rule == NULL) {
return my_error_msg;
}
/* This is a marker */
rule->placeholder = RULE_PH_MARKER;
/* Add placeholder to each phase */
for (p = PHASE_FIRST; p <= PHASE_LAST; p++) {
if (msre_ruleset_rule_add(dcfg->ruleset, rule, p) < 0) {
return "Internal Error: Failed to add marker to the ruleset.";
}
}
/* No longer need to search for the ID */
apr_table_unset(dcfg->tmp_rule_placeholders, rule->actionset->id);
return NULL;
}
/* -- Configuration directives -- */
static const char *cmd_action(cmd_parms *cmd, void *_dcfg, const char *p1) {
return add_rule(cmd, (directory_config *)_dcfg, SECACTION_TARGETS, SECACTION_ARGS, p1);
}
static const char *cmd_marker(cmd_parms *cmd, void *_dcfg, const char *p1) {
directory_config *dcfg = (directory_config *)_dcfg;
const char *action = apr_pstrcat(dcfg->mp, SECMARKER_BASE_ACTIONS, p1, NULL);
return add_marker(cmd, (directory_config *)_dcfg, SECMARKER_TARGETS, SECMARKER_ARGS, action);
}
static const char *cmd_argument_separator(cmd_parms *cmd, void *_dcfg, const char *p1) {
directory_config *dcfg = (directory_config *)_dcfg;
@ -1638,6 +1684,14 @@ const command_rec module_directives[] = {
"The filename of the filter debugging log file"
),
AP_INIT_TAKE1 (
"SecMarker",
cmd_marker,
NULL,
CMD_SCOPE_ANY,
"marker for a skipAfter target"
),
AP_INIT_FLAG (
"SecPdfProtect",
cmd_pdf_protect,

4
apache2/modsecurity.h
Просмотреть файл

@ -117,6 +117,10 @@ extern DSOLOCAL modsec_build_type_rec modsec_build_type[];
#define SECACTION_TARGETS "REQUEST_URI"
#define SECACTION_ARGS "@unconditionalMatch"
#define SECMARKER_TARGETS "REQUEST_URI"
#define SECMARKER_ARGS "@noMatch"
#define SECMARKER_BASE_ACTIONS "t:none,pass,id:"
#if !defined(OS2) && !defined(WIN32) && !defined(BEOS) && !defined(NETWARE)
#include "unixd.h"
#define __SET_MUTEX_PERMS

3
apache2/re.c
Просмотреть файл

@ -1225,6 +1225,9 @@ msre_rule *msre_rule_create(msre_ruleset *ruleset,
if ((strcmp(SECACTION_TARGETS, targets) == 0) && (strcmp(SECACTION_ARGS, args) == 0)) {
rule->unparsed = apr_pstrcat(ruleset->mp, "SecAction", " \"", actions, "\"", NULL);
}
else if ((strcmp(SECMARKER_TARGETS, targets) == 0) && (strcmp(SECMARKER_ARGS, args) == 0) && (strncmp(SECMARKER_BASE_ACTIONS, actions, strlen(SECMARKER_BASE_ACTIONS)) == 0)) {
rule->unparsed = apr_pstrcat(ruleset->mp, "SecMarker", " \"", (actions + strlen(SECMARKER_BASE_ACTIONS)), "\"", NULL);
}
else {
rule->unparsed = apr_pstrcat(ruleset->mp, "SecRule", " \"", targets, "\" \"", args, "\"", (actions != NULL ? " \"" : ""), (actions != NULL ? actions : ""), (actions != NULL ? "\"" : ""), NULL);
}

3
apache2/re.h
Просмотреть файл

@ -110,7 +110,8 @@ int DSOLOCAL msre_ruleset_phase_rule_remove_with_exception(msre_ruleset *ruleset
#define RULE_MATCH 1
#define RULE_PH_NONE 0 /* Not a placeholder */
#define RULE_PH_SKIPAFTER 1 /* Placeholder for skipAfter targets */
#define RULE_PH_SKIPAFTER 1 /* Implicit placeholder for skipAfter */
#define RULE_PH_MARKER 2 /* Explicit placeholder for SecMarker */
struct msre_rule {
apr_array_header_t *targets;

18
apache2/re_operators.c
Просмотреть файл

@ -53,6 +53,17 @@ static int msre_op_unconditionalmatch_execute(modsec_rec *msr, msre_rule *rule,
return 1;
}
/* noMatch */
static int msre_op_nomatch_execute(modsec_rec *msr, msre_rule *rule,
msre_var *var, char **error_msg)
{
*error_msg = "No match.";
/* Never match. */
return 0;
}
/* rx */
static int msre_op_rx_param_init(msre_rule *rule, char **error_msg) {
@ -1731,6 +1742,13 @@ void msre_engine_register_default_operators(msre_engine *engine) {
msre_op_unconditionalmatch_execute
);
/* noMatch */
msre_engine_op_register(engine,
"noMatch",
NULL,
msre_op_nomatch_execute
);
/* rx */
msre_engine_op_register(engine,
"rx",

64
doc/modsecurity2-apache-reference.xml
Просмотреть файл

@ -678,7 +678,8 @@ SecAuditLogStorageDir logs/audit
<listitem>
<para><literal moreinfo="none">K</literal> - This part contains a
full list of every rule that matched (one per line) in the order they were matched.</para>
full list of every rule that matched (one per line) in the order
they were matched.</para>
</listitem>
<listitem>
@ -1167,6 +1168,35 @@ SecAuditLogStorageDir logs/audit
<programlisting format="linespecific">SecGuardianLog |/path/to/httpd-guardian</programlisting>
</section>
<section>
<title><literal>SecMarker</literal></title>
<para><emphasis>Description:</emphasis> Adds a fixed rule marker in the
ruleset to be used as a target in a <emphasis>skipAfter</emphasis>
action.</para>
<para><emphasis>Syntax:</emphasis> <literal moreinfo="none">SecMarker
id</literal></para>
<para><emphasis>Example Usage:</emphasis> <literal
moreinfo="none">SecMarker 9999</literal></para>
<para><emphasis>ProcessingPhase:</emphasis> Any</para>
<para><emphasis>Scope:</emphasis> Any</para>
<para><emphasis>Dependencies/Notes:</emphasis> None</para>
<para><programlisting format="linespecific">SecRule REQUEST_URI "^/$" "chain,<emphasis>skipAfter:960099</emphasis>"
SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain"
SecRule REQUEST_HEADERS:User-Agent "^Apache \(internal dummy connection\)$" "t:none"
SecRule &amp;REQUEST_HEADERS:Host "@eq 0" \
"deny,log,status:400,id:960008,severity:4,msg:'Request Missing a Host Header'"
SecRule &amp;REQUEST_HEADERS:Accept "@eq 0" \
"log,deny,log,status:400,id:960015,msg:'Request Missing an Accept Header'"
<emphasis>SecMarker 960099</emphasis></programlisting></para>
</section>
<section>
<title><literal>SecPdfProtect</literal> (Experimental)</title>
@ -1290,7 +1320,7 @@ SecAuditLogStorageDir logs/audit
with status code 413 Request Entity Too Large. There is a hard limit of
1 GB.</para>
</section>
<section>
<title><literal>SecRequestBodyNoFilesLimit</literal></title>
@ -1299,26 +1329,28 @@ SecAuditLogStorageDir logs/audit
files being transported in the request. This directive comes handy to
further reduce susceptability to DoS attacks when someone is sending
request bodies of very large sizes. Web applications that require file
uploads must configure <literal>SecRequestBodyLimit</literal> to a
high value. Since large files are streamed to disk file uploads will
not increase memory consumption. However, it's still possible for
someone to take advantage of a large request body limit and send
non-upload requests with large body sizes. This directive eliminates
that loophole. </para>
uploads must configure <literal>SecRequestBodyLimit</literal> to a high
value. Since large files are streamed to disk file uploads will not
increase memory consumption. However, it's still possible for someone to
take advantage of a large request body limit and send non-upload
requests with large body sizes. This directive eliminates that
loophole.</para>
<para><emphasis>Syntax:</emphasis> <literal
moreinfo="none">SecRequestBodyNoFilesLimit NUMBER_IN_BYTES</literal></para>
moreinfo="none">SecRequestBodyNoFilesLimit
NUMBER_IN_BYTES</literal></para>
<para><emphasis>Example Usage:</emphasis> <literal
moreinfo="none">SecRequestBodyLimit 131072</literal></para>
<para><emphasis>Scope:</emphasis> Any</para>
<para><emphasis>Dependencies/Notes:</emphasis> 1 MB (1048576
bytes) is the default setting. This value is very conservative. For
most applications you should be able to reduce it down to 128 KB or
lower. Anything over the limit will be rejected with status code <literal>413
Request Entity Too Large</literal>. There is a hard limit of 1 GB.</para>
<para><emphasis>Dependencies/Notes:</emphasis> 1 MB (1048576 bytes) is
the default setting. This value is very conservative. For most
applications you should be able to reduce it down to 128 KB or lower.
Anything over the limit will be rejected with status code <literal>413
Request Entity Too Large</literal>. There is a hard limit of 1
GB.</para>
</section>
<section>
@ -4996,8 +5028,6 @@ SecRule XML "<emphasis>@validateSchema /path/to/apache2/conf/xml.xsd</emphasis>,
"phase:2,sanitiseMatched,log,auditlog,pass,msg:'Potential credit card number'"</programlisting>
</section>
<section>
<section>
<title><literal>within</literal></title>
@ -5116,4 +5146,4 @@ SecRule REQUEST_METHOD "!<emphasis>@within %{tx.allowed_methods}</emphasis>" t:l
</section>
</section>
</section>
</article>
</article>