Update CHANGES.
Reversion from 2.2. to 2.5. Update @pmFromFile to base relative filenames off of rule file path.
This commit is contained in:
Родитель
de739c60c0
Коммит
b58efb3466
37
CHANGES
37
CHANGES
|
@ -1,7 +1,10 @@
|
|||
|
||||
?? ??? 2007 - 2.2.0-trunk
|
||||
?? ??? 2007 - 2.5.0-trunk
|
||||
-------------------------
|
||||
|
||||
* Removed experimental variable RESPONSE_CONTENT_ENCODING which was not
|
||||
working as intended.
|
||||
|
||||
* Update included core rules to latest version.
|
||||
|
||||
* Do not trigger "pause" action for internal requests.
|
||||
|
@ -9,8 +12,8 @@
|
|||
* Added matching rule filename and line number to audit log.
|
||||
|
||||
* Added new phrase matching operators, @pm and @pmFromFile. These use
|
||||
an alternate set based matching engine to perform faster phrase
|
||||
type matches such as black/white lists, spam keywords, etc.
|
||||
an alternate set based matching engine (Aho-Corasick) to perform faster
|
||||
phrase type matches such as black/white lists, spam keywords, etc.
|
||||
|
||||
* Cache transformations per-request/phase so they are not repeated.
|
||||
|
||||
|
@ -31,6 +34,34 @@
|
|||
* Removed strnlen() calls for non-GNU platforms.
|
||||
|
||||
|
||||
14 June 2007 - 2.1.2-rc1
|
||||
------------------------
|
||||
|
||||
* Update included core rules to latest version.
|
||||
|
||||
* Do not trigger "pause" action for internal requests.
|
||||
|
||||
* Fixed issue with requests that use internal requests. These had the
|
||||
potential to be intercepted incorrectly when other Apache httpd modules
|
||||
that used internal requests were used with mod_security.
|
||||
|
||||
* Added Solaris to the list of platforms not supporting the hidden
|
||||
visibility attribute.
|
||||
|
||||
* Fixed decoding full-width unicode in t:urlDecodeUni.
|
||||
|
||||
* Lessen some overhead of debugging messages and calculations.
|
||||
|
||||
* Do not try to intercept a request after a failed rule. This fixes the
|
||||
issue associated with an "Internal Error: Asked to intercept request
|
||||
but was_intercepted is zero" error message.
|
||||
|
||||
* Added SecAuditLog2 directive to allow redundent concurrent audit log
|
||||
index files. This will allow sending audit data to two consoles, etc.
|
||||
|
||||
* Small performance improvement in memory management for rule execution.
|
||||
|
||||
|
||||
11 May 2007 - 2.2.0-dev1
|
||||
-------------------------
|
||||
|
||||
|
|
|
@ -50,7 +50,7 @@ typedef struct msc_string msc_string;
|
|||
#include "http_protocol.h"
|
||||
|
||||
#define MODULE_NAME "ModSecurity"
|
||||
#define MODULE_RELEASE "2.2.0-trunk"
|
||||
#define MODULE_RELEASE "2.5.0-trunk"
|
||||
#define MODULE_NAME_FULL (MODULE_NAME " v" MODULE_RELEASE " (Apache 2.x)")
|
||||
|
||||
#define PHASE_REQUEST_HEADERS 1
|
||||
|
|
|
@ -190,16 +190,18 @@ static int msre_op_pm_param_init(msre_rule *rule, char **error_msg) {
|
|||
ACMP *p = acmp_create(0, rule->ruleset->mp);
|
||||
if (p == NULL) return 0;
|
||||
|
||||
const char *s = rule->op_param;
|
||||
const char *e = rule->op_param + strlen(rule->op_param);
|
||||
const char *phrase = apr_pstrdup(rule->ruleset->mp, rule->op_param);
|
||||
const char *next = rule->op_param + strlen(rule->op_param);
|
||||
|
||||
/* Loop through phrases */
|
||||
/* ENH: Need to allow quoted phrases w/space */
|
||||
for (;;) {
|
||||
while((isspace(*s) != 0) && (*s != 0)) s++;
|
||||
if (*s == 0) break;
|
||||
e = s;
|
||||
while((isspace(*e) == 0) && (*e != 0)) e++;
|
||||
acmp_add_pattern(p, s, NULL, NULL, e - s);
|
||||
s = e;
|
||||
while((isspace(*phrase) != 0) && (*phrase != '\0')) phrase++;
|
||||
if (*phrase == '\0') break;
|
||||
next = phrase;
|
||||
while((isspace(*next) == 0) && (*next != 0)) next++;
|
||||
acmp_add_pattern(p, phrase, NULL, NULL, next - phrase);
|
||||
phrase = next;
|
||||
}
|
||||
acmp_prepare(p);
|
||||
rule->op_param_data = p;
|
||||
|
@ -211,7 +213,10 @@ static int msre_op_pm_param_init(msre_rule *rule, char **error_msg) {
|
|||
static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
|
||||
char errstr[1024];
|
||||
char buf[HUGE_STRING_LEN + 1];
|
||||
char *ptr = NULL;
|
||||
char *fn;
|
||||
char *next;
|
||||
char *ptr;
|
||||
const char *rulefile_path;
|
||||
apr_status_t rc;
|
||||
apr_file_t *fd;
|
||||
|
||||
|
@ -223,20 +228,38 @@ static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
|
|||
ACMP *p = acmp_create(0, rule->ruleset->mp);
|
||||
if (p == NULL) return 0;
|
||||
|
||||
char *fn = apr_pstrdup(rule->ruleset->mp, rule->op_param);
|
||||
char *next = fn + strlen(rule->op_param);
|
||||
fn = apr_pstrdup(rule->ruleset->mp, rule->op_param);
|
||||
next = fn + strlen(rule->op_param);
|
||||
|
||||
/* Get the path of the rule filename to use as a base */
|
||||
rulefile_path = apr_pstrndup(rule->ruleset->mp, rule->filename, strlen(rule->filename) - strlen(apr_filepath_name_get(rule->filename)));
|
||||
|
||||
#ifdef DEBUG_CONF
|
||||
fprintf(stderr, "Rulefile path: \"%s\"\n", rulefile_path);
|
||||
#endif
|
||||
|
||||
/* Loop through filenames */
|
||||
/* ENH: Need to allow quoted filenames w/space */
|
||||
for (;;) {
|
||||
const char *rootpath = NULL;
|
||||
const char *filepath = NULL;
|
||||
int line = 0;
|
||||
|
||||
/* Trim whitespace */
|
||||
while((isspace(*fn) != 0) && (*fn != 0)) fn++;
|
||||
while((isspace(*fn) != 0) && (*fn != '\0')) fn++;
|
||||
if (*fn == '\0') break;
|
||||
next = fn;
|
||||
while((isspace(*next) == 0) && (*next != '\0')) next++;
|
||||
while((isspace(*next) != 0) && (*next != '\0')) *next++ = '\0';
|
||||
|
||||
/* Add path of the rule filename for a relative phrase filename */
|
||||
filepath = fn;
|
||||
if (apr_filepath_root(&rootpath, &filepath, APR_FILEPATH_TRUENAME, rule->ruleset->mp) != APR_SUCCESS) {
|
||||
/* We are not an absolute path. It could mean an error, but
|
||||
* let that pass through to the open call for a better error */
|
||||
apr_filepath_merge(&fn, rulefile_path, fn, APR_FILEPATH_TRUENAME, rule->ruleset->mp);
|
||||
}
|
||||
|
||||
/* Open file and read */
|
||||
rc = apr_file_open(&fd, fn, APR_READ | APR_FILE_NOCLEANUP, 0, rule->ruleset->mp);
|
||||
if (rc != APR_SUCCESS) {
|
||||
|
|
|
@ -4409,17 +4409,35 @@ SecRule ARGS:route "!<emphasis role="bold">@endsWith %{REQUEST_ADDR}</emphasis>"
|
|||
for faster matches of keyword lists. This operator is the same as
|
||||
<literal>@pm</literal> except that it takes a list of files as
|
||||
arguments. It will match any one of the phrases listed in the file(s)
|
||||
anywhere in the target value. The contents of the files should be one
|
||||
phrase per line. End of line markers will be stripped from the phrases,
|
||||
however, whitespace will not be trimmed from phrases in the file.</para>
|
||||
anywhere in the target value.</para>
|
||||
|
||||
<para>Notes:</para>
|
||||
|
||||
<orderedlist continuation="restarts" inheritnum="ignore">
|
||||
<listitem>
|
||||
<para>The contents of the files should be one phrase per line. End
|
||||
of line markers will be stripped from the phrases, however,
|
||||
whitespace will not be trimmed from phrases in the file. Empty lines
|
||||
and comment lines (beginning with a '#') are ignored.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>To allow easier inclusion of phrase files with rulesets,
|
||||
relative paths may be used to the phrase files. In this case, the
|
||||
path of the file containing the rule is prepended to the phrase file
|
||||
path.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<programlisting format="linespecific">SecRule REQUEST_HEADERS:User-Agent "<emphasis
|
||||
role="bold">@pm</emphasis> /path/to/blacklist1 /path/to/blacklist2" "deny,status:403</programlisting>
|
||||
role="bold">@pm</emphasis> /path/to/blacklist1 blacklist2" "deny,status:403</programlisting>
|
||||
|
||||
<para>The above would deny access with 403 if any of the patterns in the
|
||||
two files matched within the User-Agent HTTP header value.</para>
|
||||
two files matched within the User-Agent HTTP header value. The
|
||||
<literal>blacklist2</literal> file would need to be placed in the same
|
||||
path as the file containing the rule.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
|
Загрузка…
Ссылка в новой задаче