ModSec on IIS: Block on bad config (#111)
* ModSec on IIS: Block on bad config
Родитель
bd2a25cd8e
Коммит
7f0eced5bc
|
@ -71,6 +71,8 @@ class MODSECURITY_STORED_CONTEXT : public IHttpStoredContext
|
||||||
|
|
||||||
directory_config* config = nullptr;
|
directory_config* config = nullptr;
|
||||||
|
|
||||||
|
bool configLoadingFailed = false;
|
||||||
|
|
||||||
private:
|
private:
|
||||||
HRESULT
|
HRESULT
|
||||||
GetBooleanPropertyValue(
|
GetBooleanPropertyValue(
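Review bot: `configLoadingFailed` is a plain `bool` that the new lambda in `CMyHttpModule::OnBeginRequest` writes while other requests read it, and IIS can run that handler on several worker threads at once, so the access is unsynchronized; `std::atomic<bool> configLoadingFailed{false};` would make it well defined. Nothing visible in this commit clears the flag, so a single failed load appears to latch 500 responses for as long as this stored context lives. A comment on the field such as `// Set once config loading fails; requests are rejected with 500 until this context is recreated` would tell operators how to recover, if that is indeed the lifetime. The class body starts and ends outside the hunk.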
|
||||||
|
|
|
@ -798,7 +798,9 @@ CMyHttpModule::OnBeginRequest(IHttpContext* httpContext, IHttpEventProvider* pro
|
||||||
HRESULT hr = MODSECURITY_STORED_CONTEXT::GetConfig(httpContext, &config);
|
HRESULT hr = MODSECURITY_STORED_CONTEXT::GetConfig(httpContext, &config);
|
||||||
if (FAILED(hr))
|
if (FAILED(hr))
|
||||||
{
|
{
|
||||||
return RQ_NOTIFICATION_CONTINUE;
|
httpContext->GetResponse()->SetStatus(500, "WAF internal error. Unable to get config.");
|
||||||
|
httpContext->SetRequestHandled();
|
||||||
|
return RQ_NOTIFICATION_FINISH_REQUEST;
|
||||||
}
|
}
|
||||||
|
|
||||||
// If module is disabled, don't go any further
|
// If module is disabled, don't go any further
|
||||||
|
@ -808,6 +810,19 @@ CMyHttpModule::OnBeginRequest(IHttpContext* httpContext, IHttpEventProvider* pro
|
||||||
return RQ_NOTIFICATION_CONTINUE;
|
return RQ_NOTIFICATION_CONTINUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
auto reportConfigurationError = [config, httpContext] {
|
||||||
|
config->configLoadingFailed = true;
|
||||||
|
httpContext->GetResponse()->SetStatus(500, "WAF internal error. Invalid configuration.");
|
||||||
|
httpContext->SetRequestHandled();
|
||||||
|
return RQ_NOTIFICATION_FINISH_REQUEST;
|
||||||
|
};
|
||||||
|
|
||||||
|
// If we previously failed to load the config, don't spam the event log by trying and failing again
|
||||||
|
if (config->configLoadingFailed)
|
||||||
|
{
|
||||||
|
return reportConfigurationError();
|
||||||
|
}
|
||||||
|
|
||||||
if (config->config == nullptr)
|
if (config->config == nullptr)
|
||||||
{
|
{
|
||||||
char *path;
|
char *path;
|
||||||
|
@ -816,7 +831,7 @@ CMyHttpModule::OnBeginRequest(IHttpContext* httpContext, IHttpEventProvider* pro
|
||||||
hr = config->GlobalWideCharToMultiByte(config->GetPath(), wcslen(config->GetPath()), &path, &pathlen);
|
hr = config->GlobalWideCharToMultiByte(config->GetPath(), wcslen(config->GetPath()), &path, &pathlen);
|
||||||
if (FAILED(hr))
|
if (FAILED(hr))
|
||||||
{
|
{
|
||||||
return RQ_NOTIFICATION_FINISH_REQUEST;
|
return reportConfigurationError();
|
||||||
}
|
}
|
||||||
|
|
||||||
config->config = modsecGetDefaultConfig();
|
config->config = modsecGetDefaultConfig();
|
||||||
|
@ -829,7 +844,7 @@ CMyHttpModule::OnBeginRequest(IHttpContext* httpContext, IHttpEventProvider* pro
|
||||||
if (FAILED(hr))
|
if (FAILED(hr))
|
||||||
{
|
{
|
||||||
delete path;
|
delete path;
|
||||||
return RQ_NOTIFICATION_FINISH_REQUEST;
|
return reportConfigurationError();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (path[0] != 0)
|
if (path[0] != 0)
|
||||||
|
@ -841,7 +856,7 @@ CMyHttpModule::OnBeginRequest(IHttpContext* httpContext, IHttpEventProvider* pro
|
||||||
WriteEventViewerLog(err, EVENTLOG_ERROR_TYPE);
|
WriteEventViewerLog(err, EVENTLOG_ERROR_TYPE);
|
||||||
delete apppath;
|
delete apppath;
|
||||||
delete path;
|
delete path;
|
||||||
return RQ_NOTIFICATION_CONTINUE;
|
return reportConfigurationError();
|
||||||
}
|
}
|
||||||
|
|
||||||
modsecReportRemoteLoadedRules();
|
modsecReportRemoteLoadedRules();
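Review bot: The reason phrases passed to `SetStatus` in the `FAILED(hr)` branch after `GetConfig` and in `reportConfigurationError` tell every client that a WAF sits in front of the application and that its configuration is broken, which helps someone probing the site and does nothing for a legitimate visitor. A neutral status line, `httpContext->GetResponse()->SetStatus(500, "Internal Server Error");`, keeps the fail-closed behaviour while the detail goes to the event log. The `GetConfig` failure branch also logs nothing in the lines shown, so an operator would see only 500s; a `WriteEventViewerLog(..., EVENTLOG_ERROR_TYPE)` call there, as the rule-loading failure path already does, would close that gap. The return values of `GetResponse()` and `SetStatus` are not checked in either place. `OnBeginRequest` starts and ends outside the hunks.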
|
||||||
|
|