From e406bcadcde84b14f2ecba28ea55b653efb3d25a Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Tue, 6 Feb 2024 09:54:07 +0100 Subject: [PATCH 01/18] Fixed compilation issue (variable scope definition) --- apache2/re_operators.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apache2/re_operators.c b/apache2/re_operators.c index 138a17d6ff..76aefb41e9 100644 --- a/apache2/re_operators.c +++ b/apache2/re_operators.c @@ -780,8 +780,8 @@ static int msre_op_validateHash_execute(modsec_rec *msr, msre_rule *rule, msre_v expand_macros(msr, re_pattern, rule, msr->mp); + const char *pattern = log_escape_re(msr->mp, re_pattern->value); if (msr->txcfg->debuglog_level >= 6) { - const char *pattern = log_escape_re(msr->mp, re_pattern->value); msr_log(msr, 6, "Escaping pattern [%s]",pattern); } From 07f4076f4609463b3c9989f6e7662f5c1e2cae77 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Wed, 7 Feb 2024 12:04:50 +0100 Subject: [PATCH 02/18] Check for NULL pointers --- apache2/apache2_config.c | 16 +-- apache2/msc_tree.c | 1 + apache2/re_operators.c | 285 ++++++++++++++++++++------------------- 3 files changed, 151 insertions(+), 151 deletions(-) diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c index 74c76a5810..a14ab39288 100644 --- a/apache2/apache2_config.c +++ b/apache2/apache2_config.c @@ -906,16 +906,16 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type, */ rule->actionset = msre_actionset_merge(modsecurity->msre, cmd->pool, dcfg->tmp_default_actionset, rule->actionset, 1); + if (rule->actionset == NULL) { + return apr_psprintf(cmd->pool, "ModSecurity: cannot merge actionset (memory full?)."); + } /* Keep track of the parent action for "block" */ - if (rule->actionset) { - rule->actionset->parent_intercept_action_rec = dcfg->tmp_default_actionset->intercept_action_rec; - rule->actionset->parent_intercept_action = dcfg->tmp_default_actionset->intercept_action; - } + rule->actionset->parent_intercept_action_rec = dcfg->tmp_default_actionset->intercept_action_rec; + rule->actionset->parent_intercept_action = dcfg->tmp_default_actionset->intercept_action; /* Must NOT specify a disruptive action in logging phase. */ - if ((rule->actionset != NULL) - && (rule->actionset->phase == PHASE_LOGGING) + if ( (rule->actionset->phase == PHASE_LOGGING) && (rule->actionset->intercept_action != ACTION_ALLOW) && (rule->actionset->intercept_action != ACTION_ALLOW_REQUEST) && (rule->actionset->intercept_action != ACTION_NONE) @@ -926,9 +926,7 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type, if (dcfg->tmp_chain_starter != NULL) { rule->chain_starter = dcfg->tmp_chain_starter; - if (rule->actionset) { - rule->actionset->phase = rule->chain_starter->actionset->phase; - } + rule->actionset->phase = rule->chain_starter->actionset->phase; } if (rule->actionset->is_chained != 1) { diff --git a/apache2/msc_tree.c b/apache2/msc_tree.c index 232a363e2c..61f2c916a3 100644 --- a/apache2/msc_tree.c +++ b/apache2/msc_tree.c @@ -656,6 +656,7 @@ TreeNode *CPTFindElementIPNetblock(modsec_rec *msr, unsigned char *ipdata, unsig } node = CPTRetriveNode(msr, ipdata, ip_bitmask, node); + if (node == NULL) return NULL; if (node && node->bit != ip_bitmask) { if (msr && msr->txcfg->debuglog_level >= 9) { diff --git a/apache2/re_operators.c b/apache2/re_operators.c index 76aefb41e9..cbf5c2db79 100644 --- a/apache2/re_operators.c +++ b/apache2/re_operators.c @@ -1098,26 +1098,28 @@ static int msre_op_rx_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, c } /* Are we supposed to capture subexpressions? */ - capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0; - matched_bytes = apr_table_get(rule->actionset->actions, "sanitizeMatchedBytes") ? 1 : 0; - if(!matched_bytes) - matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0; + if (rule->actionset) { + capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0; + matched_bytes = apr_table_get(rule->actionset->actions, "sanitizeMatchedBytes") ? 1 : 0; + if(!matched_bytes) + matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0; - matched = apr_table_get(rule->actionset->actions, "sanitizeMatched") ? 1 : 0; - if(!matched) - matched = apr_table_get(rule->actionset->actions, "sanitiseMatched") ? 1 : 0; + matched = apr_table_get(rule->actionset->actions, "sanitizeMatched") ? 1 : 0; + if(!matched) + matched = apr_table_get(rule->actionset->actions, "sanitiseMatched") ? 1 : 0; - /* Show when the regex captures but "capture" is not set */ - if (msr->txcfg->debuglog_level >= 6) { - int capcount = 0; + /* Show when the regex captures but "capture" is not set */ + if (msr->txcfg->debuglog_level >= 6) { + int capcount = 0; #ifdef WITH_PCRE2 - rc = msc_fullinfo(regex, PCRE2_INFO_CAPTURECOUNT, &capcount); + rc = msc_fullinfo(regex, PCRE2_INFO_CAPTURECOUNT, &capcount); #else - rc = msc_fullinfo(regex, PCRE_INFO_CAPTURECOUNT, &capcount); + rc = msc_fullinfo(regex, PCRE_INFO_CAPTURECOUNT, &capcount); #endif - if (msr->txcfg->debuglog_level >= 6) { - if ((capture == 0) && (capcount > 0)) { - msr_log(msr, 6, "Ignoring regex captures since \"capture\" action is not enabled."); + if (msr->txcfg->debuglog_level >= 6) { + if ((capture == 0) && (capcount > 0)) { + msr_log(msr, 6, "Ignoring regex captures since \"capture\" action is not enabled."); + } } } } @@ -2934,52 +2936,51 @@ static int msre_op_verifyCC_execute(modsec_rec *msr, msre_rule *rule, msre_var * if (rule->actionset) { matched_bytes = apr_table_get(rule->actionset->actions, "sanitizeMatchedBytes") ? 1 : 0; - } - if(!matched_bytes) - matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0; - - - if (apr_table_get(rule->actionset->actions, "capture")) { - for(; i < rc; i++) { - msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); - if (s == NULL) return -1; - s->name = apr_psprintf(msr->mp, "%d", i); - if (s->name == NULL) return -1; - s->name_len = strlen(s->name); - s->value = apr_pstrmemdup(msr->mp, match, length); - if (s->value == NULL) return -1; - s->value_len = length; - - apr_table_setn(msr->tx_vars, s->name, (void *)s); - - if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Added regex subexpression to TX.%d: %s", i, - log_escape_nq_ex(msr->mp, s->value, s->value_len)); - } + if(!matched_bytes) + matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0; + + if (apr_table_get(rule->actionset->actions, "capture")) { + for(; i < rc; i++) { + msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + if (s == NULL) return -1; + s->name = apr_psprintf(msr->mp, "%d", i); + if (s->name == NULL) return -1; + s->name_len = strlen(s->name); + s->value = apr_pstrmemdup(msr->mp, match, length); + if (s->value == NULL) return -1; + s->value_len = length; + + apr_table_setn(msr->tx_vars, s->name, (void *)s); + + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "Added regex subexpression to TX.%d: %s", i, + log_escape_nq_ex(msr->mp, s->value, s->value_len)); + } - if((matched_bytes == 1) && (var != NULL) && (var->name != NULL)) { - qspos = apr_psprintf(msr->mp, "%s", var->name); - parm = strstr(qspos, ":"); - if (parm != NULL) { - parm++; - mparm = apr_palloc(msr->mp, sizeof(msc_parm)); - if (mparm == NULL) - continue; - - mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); - mparm->pad_1 = rule->actionset->arg_min; - mparm->pad_2 = rule->actionset->arg_max; - apr_table_addn(msr->pattern_to_sanitize, parm, (void *)mparm); - } else { - mparm = apr_palloc(msr->mp, sizeof(msc_parm)); - if (mparm == NULL) - continue; - - mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); - apr_table_addn(msr->pattern_to_sanitize, qspos, (void *)mparm); + if((matched_bytes == 1) && (var != NULL) && (var->name != NULL)) { + qspos = apr_psprintf(msr->mp, "%s", var->name); + parm = strstr(qspos, ":"); + if (parm != NULL) { + parm++; + mparm = apr_palloc(msr->mp, sizeof(msc_parm)); + if (mparm == NULL) + continue; + + mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); + mparm->pad_1 = rule->actionset->arg_min; + mparm->pad_2 = rule->actionset->arg_max; + apr_table_addn(msr->pattern_to_sanitize, parm, (void *)mparm); + } else { + mparm = apr_palloc(msr->mp, sizeof(msc_parm)); + if (mparm == NULL) + continue; + + mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); + apr_table_addn(msr->pattern_to_sanitize, qspos, (void *)mparm); + } } - } + } } } @@ -3264,51 +3265,51 @@ static int msre_op_verifyCPF_execute(modsec_rec *msr, msre_rule *rule, msre_var if (rule->actionset) { matched_bytes = apr_table_get(rule->actionset->actions, "sanitizeMatchedBytes") ? 1 : 0; - } - if(!matched_bytes) - matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0; - - if (apr_table_get(rule->actionset->actions, "capture")) { - for(; i < rc; i++) { - msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); - if (s == NULL) return -1; - s->name = apr_psprintf(msr->mp, "%d", i); - if (s->name == NULL) return -1; - s->name_len = strlen(s->name); - s->value = apr_pstrmemdup(msr->mp, match, length); - if (s->value == NULL) return -1; - s->value_len = length; - - apr_table_setn(msr->tx_vars, s->name, (void *)s); - - if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Added regex subexpression to TX.%d: %s", i, - log_escape_nq_ex(msr->mp, s->value, s->value_len)); - } + if(!matched_bytes) + matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0; + + if (apr_table_get(rule->actionset->actions, "capture")) { + for(; i < rc; i++) { + msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + if (s == NULL) return -1; + s->name = apr_psprintf(msr->mp, "%d", i); + if (s->name == NULL) return -1; + s->name_len = strlen(s->name); + s->value = apr_pstrmemdup(msr->mp, match, length); + if (s->value == NULL) return -1; + s->value_len = length; + + apr_table_setn(msr->tx_vars, s->name, (void *)s); + + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "Added regex subexpression to TX.%d: %s", i, + log_escape_nq_ex(msr->mp, s->value, s->value_len)); + } - if((matched_bytes == 1) && (var != NULL) && (var->name != NULL)) { - qspos = apr_psprintf(msr->mp, "%s", var->name); - parm = strstr(qspos, ":"); - if (parm != NULL) { - parm++; - mparm = apr_palloc(msr->mp, sizeof(msc_parm)); - if (mparm == NULL) - continue; - - mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); - mparm->pad_1 = rule->actionset->arg_min; - mparm->pad_2 = rule->actionset->arg_max; - apr_table_addn(msr->pattern_to_sanitize, parm, (void *)mparm); - } else { - mparm = apr_palloc(msr->mp, sizeof(msc_parm)); - if (mparm == NULL) - continue; - - mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); - apr_table_addn(msr->pattern_to_sanitize, qspos, (void *)mparm); + if((matched_bytes == 1) && (var != NULL) && (var->name != NULL)) { + qspos = apr_psprintf(msr->mp, "%s", var->name); + parm = strstr(qspos, ":"); + if (parm != NULL) { + parm++; + mparm = apr_palloc(msr->mp, sizeof(msc_parm)); + if (mparm == NULL) + continue; + + mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); + mparm->pad_1 = rule->actionset->arg_min; + mparm->pad_2 = rule->actionset->arg_max; + apr_table_addn(msr->pattern_to_sanitize, parm, (void *)mparm); + } else { + mparm = apr_palloc(msr->mp, sizeof(msc_parm)); + if (mparm == NULL) + continue; + + mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); + apr_table_addn(msr->pattern_to_sanitize, qspos, (void *)mparm); + } } - } + } } } @@ -3578,51 +3579,51 @@ static int msre_op_verifySSN_execute(modsec_rec *msr, msre_rule *rule, msre_var if (rule->actionset) { matched_bytes = apr_table_get(rule->actionset->actions, "sanitizeMatchedBytes") ? 1 : 0; - } - if(!matched_bytes) - matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0; - - if (apr_table_get(rule->actionset->actions, "capture")) { - for(; i < rc; i++) { - msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); - if (s == NULL) return -1; - s->name = apr_psprintf(msr->mp, "%d", i); - if (s->name == NULL) return -1; - s->name_len = strlen(s->name); - s->value = apr_pstrmemdup(msr->mp, match, length); - if (s->value == NULL) return -1; - s->value_len = length; - - apr_table_setn(msr->tx_vars, s->name, (void *)s); - - if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Added regex subexpression to TX.%d: %s", i, - log_escape_nq_ex(msr->mp, s->value, s->value_len)); - } + if(!matched_bytes) + matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0; + + if (apr_table_get(rule->actionset->actions, "capture")) { + for(; i < rc; i++) { + msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + if (s == NULL) return -1; + s->name = apr_psprintf(msr->mp, "%d", i); + if (s->name == NULL) return -1; + s->name_len = strlen(s->name); + s->value = apr_pstrmemdup(msr->mp, match, length); + if (s->value == NULL) return -1; + s->value_len = length; + + apr_table_setn(msr->tx_vars, s->name, (void *)s); + + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "Added regex subexpression to TX.%d: %s", i, + log_escape_nq_ex(msr->mp, s->value, s->value_len)); + } - if((matched_bytes == 1) && (var != NULL) && (var->name != NULL)) { - qspos = apr_psprintf(msr->mp, "%s", var->name); - parm = strstr(qspos, ":"); - if (parm != NULL) { - parm++; - mparm = apr_palloc(msr->mp, sizeof(msc_parm)); - if (mparm == NULL) - continue; - - mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); - mparm->pad_1 = rule->actionset->arg_min; - mparm->pad_2 = rule->actionset->arg_max; - apr_table_addn(msr->pattern_to_sanitize, parm, (void *)mparm); - } else { - mparm = apr_palloc(msr->mp, sizeof(msc_parm)); - if (mparm == NULL) - continue; - - mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); - apr_table_addn(msr->pattern_to_sanitize, qspos, (void *)mparm); + if((matched_bytes == 1) && (var != NULL) && (var->name != NULL)) { + qspos = apr_psprintf(msr->mp, "%s", var->name); + parm = strstr(qspos, ":"); + if (parm != NULL) { + parm++; + mparm = apr_palloc(msr->mp, sizeof(msc_parm)); + if (mparm == NULL) + continue; + + mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); + mparm->pad_1 = rule->actionset->arg_min; + mparm->pad_2 = rule->actionset->arg_max; + apr_table_addn(msr->pattern_to_sanitize, parm, (void *)mparm); + } else { + mparm = apr_palloc(msr->mp, sizeof(msc_parm)); + if (mparm == NULL) + continue; + + mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); + apr_table_addn(msr->pattern_to_sanitize, qspos, (void *)mparm); + } } - } + } } } From 91da5872c1173f6cf42d888be6819f3b180305d2 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Tue, 20 Feb 2024 13:15:52 +0100 Subject: [PATCH 03/18] Many null pointer checks --- apache2/apache2_config.c | 49 ++-- apache2/apache2_io.c | 20 +- apache2/apache2_util.c | 14 + apache2/mod_security2.c | 32 ++- apache2/modsecurity.c | 11 + apache2/msc_crypt.c | 15 +- apache2/msc_geo.c | 4 + apache2/msc_json.c | 10 +- apache2/msc_logging.c | 19 +- apache2/msc_lua.c | 6 +- apache2/msc_multipart.c | 22 +- apache2/msc_parsers.c | 9 + apache2/msc_reqbody.c | 24 ++ apache2/msc_tree.c | 25 +- apache2/msc_util.c | 7 + apache2/msc_util.h | 1 + apache2/msc_xml.c | 9 +- apache2/persist_dbm.c | 8 + apache2/re.c | 66 +++-- apache2/re_actions.c | 65 ++++- apache2/re_operators.c | 535 +++++++++++++++++++++++++-------------- apache2/re_variables.c | 521 +++++++++++++++++++++++++++++++++++++- 22 files changed, 1181 insertions(+), 291 deletions(-) diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c index a14ab39288..615d0c38e4 100644 --- a/apache2/apache2_config.c +++ b/apache2/apache2_config.c @@ -30,6 +30,13 @@ APLOG_USE_MODULE(security2); #endif +// Returns the rule id if existing, otherwise the file name & line number +static const char* id_log(msre_rule* rule) { + const char* id = rule->actionset->id; + if (!id || !*id || id == NOT_SET_P) id = apr_psprintf(rule->ruleset->mp, "%s (%d)", rule->filename, rule->line_num); + return id; +} + /* -- Directory context creation and initialisation -- */ /** @@ -239,19 +246,19 @@ static void copy_rules_phase(apr_pool_t *mp, if (copy > 0) { #ifdef DEBUG_CONF - ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, mp, "Copy rule %pp [id \"%s\"]", rule, rule->actionset->id); + ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, mp, "Copy rule %pp [id \"%s\"]", rule, id_log(rule)); #endif /* Copy the rule. */ *(msre_rule **)apr_array_push(child_phase_arr) = rule; - if (rule->actionset && rule->actionset->is_chained) mode = 2; + if (rule->actionset->is_chained) mode = 2; } else { - if (rule->actionset && rule->actionset->is_chained) mode = 1; + if (rule->actionset->is_chained) mode = 1; } } else { if (mode == 2) { #ifdef DEBUG_CONF - ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, mp, "Copy chain %pp for rule %pp [id \"%s\"]", rule, rule->chain_starter, rule->chain_starter->actionset->id); + ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, mp, "Copy chain %pp for rule %pp [id \"%s\"]", rule, rule->chain_starter, id_log(rule->chain_starter)); #endif /* Copy the rule (it belongs to the chain we want to include. */ @@ -906,9 +913,7 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type, */ rule->actionset = msre_actionset_merge(modsecurity->msre, cmd->pool, dcfg->tmp_default_actionset, rule->actionset, 1); - if (rule->actionset == NULL) { - return apr_psprintf(cmd->pool, "ModSecurity: cannot merge actionset (memory full?)."); - } + if (rule->actionset == NULL) return apr_psprintf(cmd->pool, "ModSecurity: cannot merge actionset (memory full?)."); /* Keep track of the parent action for "block" */ rule->actionset->parent_intercept_action_rec = dcfg->tmp_default_actionset->intercept_action_rec; @@ -965,8 +970,7 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type, #ifdef DEBUG_CONF ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool, - "Adding rule %pp phase=%d id=\"%s\".", rule, rule->actionset->phase, (rule->actionset->id == NOT_SET_P - ? "(none)" : rule->actionset->id)); + "Adding rule %pp phase=%d id=\"%s\".", rule, rule->actionset->phase, id_log(rule)); #endif /* Add rule to the recipe. */ @@ -1040,8 +1044,7 @@ static const char *add_marker(cmd_parms *cmd, directory_config *dcfg, for (p = PHASE_FIRST; p <= PHASE_LAST; p++) { #ifdef DEBUG_CONF ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool, - "Adding marker %pp phase=%d id=\"%s\".", rule, p, (rule->actionset->id == NOT_SET_P - ? "(none)" : rule->actionset->id)); + "Adding marker %pp phase=%d id=\"%s\".", rule, p, id_log(rule)); #endif if (msre_ruleset_rule_add(dcfg->ruleset, rule, p) < 0) { @@ -1089,11 +1092,7 @@ static const char *update_rule_action(cmd_parms *cmd, directory_config *dcfg, return NULL; } - /* Check the rule actionset */ - /* ENH: Can this happen? */ - if (rule->actionset == NULL) { - return apr_psprintf(cmd->pool, "ModSecurity: Attempt to update action for rule \"%s\" failed: Rule does not have an actionset.", p1); - } + assert(rule->actionset != NULL); /* Create a new actionset */ new_actionset = msre_actionset_create(modsecurity->msre, cmd->pool, p2, &my_error_msg); @@ -1115,9 +1114,7 @@ static const char *update_rule_action(cmd_parms *cmd, directory_config *dcfg, char *actions = msre_actionset_generate_action_string(ruleset->mp, rule->actionset); ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool, "Update rule %pp id=\"%s\" old action: \"%s\"", - rule, - (rule->actionset->id == NOT_SET_P ? "(none)" : rule->actionset->id), - actions); + rule, id_log(rule), actions); } #endif @@ -1125,6 +1122,7 @@ static const char *update_rule_action(cmd_parms *cmd, directory_config *dcfg, /* ENH: Will this leak the old actionset? */ rule->actionset = msre_actionset_merge(modsecurity->msre, cmd->pool, rule->actionset, new_actionset, 1); + if (rule->actionset == NULL) return apr_psprintf(cmd->pool, "ModSecurity: cannot merge actionset (memory full?)."); msre_actionset_set_defaults(rule->actionset); /* Update the unparsed rule */ @@ -1135,9 +1133,7 @@ static const char *update_rule_action(cmd_parms *cmd, directory_config *dcfg, char *actions = msre_actionset_generate_action_string(ruleset->mp, rule->actionset); ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool, "Update rule %pp id=\"%s\" new action: \"%s\"", - rule, - (rule->actionset->id == NOT_SET_P ? "(none)" : rule->actionset->id), - actions); + rule, id_log(rule), actions); } #endif @@ -1744,6 +1740,9 @@ char *parser_conn_limits_operator(apr_pool_t *mp, const char *p2, config_orig_path = apr_pstrndup(mp, filename, strlen(filename) - strlen(apr_filepath_name_get(filename))); + if (config_orig_path == NULL) { + return apr_psprintf(mp, "ModSecurity: failed to duplicate filename in parser_conn_limits_operator"); + } apr_filepath_merge(&file, config_orig_path, param, APR_FILEPATH_TRUENAME, mp); @@ -2450,8 +2449,12 @@ static const char *cmd_rule_remove_by_id(cmd_parms *cmd, void *_dcfg, const char *p1) { directory_config *dcfg = (directory_config *)_dcfg; - rule_exception *re = apr_pcalloc(cmd->pool, sizeof(rule_exception)); if (dcfg == NULL) return NULL; + rule_exception* re = apr_pcalloc(cmd->pool, sizeof(rule_exception)); + if (re == NULL) { + ap_log_perror(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, cmd->pool, "cmd_rule_remove_by_id: Cannot allocate memory"); + return NULL; + } re->type = RULE_EXCEPTION_REMOVE_ID; re->param = p1; diff --git a/apache2/apache2_io.c b/apache2/apache2_io.c index 6490d61b5d..b8117d91ce 100644 --- a/apache2/apache2_io.c +++ b/apache2/apache2_io.c @@ -179,12 +179,13 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *bb_out, * Reads request body from a client. */ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) { + assert(msr != NULL); + assert( error_msg!= NULL); request_rec *r = msr->r; unsigned int finished_reading; apr_bucket_brigade *bb_in; apr_bucket *bucket; - if (error_msg == NULL) return -1; *error_msg = NULL; if (msr->reqbody_should_exist != 1) { @@ -368,6 +369,8 @@ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) { * run or not. */ static int output_filter_should_run(modsec_rec *msr, request_rec *r) { + assert(msr != NULL); + assert(r != NULL); char *content_type = NULL; /* Check configuration. */ @@ -429,10 +432,13 @@ static int output_filter_should_run(modsec_rec *msr, request_rec *r) { static apr_status_t output_filter_init(modsec_rec *msr, ap_filter_t *f, apr_bucket_brigade *bb_in) { + assert(msr != NULL); + assert(f != NULL); request_rec *r = f->r; const char *s_content_length = NULL; apr_status_t rc; + assert(msr != NULL); msr->of_brigade = apr_brigade_create(msr->mp, f->c->bucket_alloc); if (msr->of_brigade == NULL) { msr_log(msr, 1, "Output filter: Failed to create brigade."); @@ -496,6 +502,8 @@ static apr_status_t output_filter_init(modsec_rec *msr, ap_filter_t *f, * and to the client. */ static apr_status_t send_of_brigade(modsec_rec *msr, ap_filter_t *f) { + assert(msr != NULL); + assert(f != NULL); apr_status_t rc; rc = ap_pass_brigade(f->next, msr->of_brigade); @@ -537,6 +545,8 @@ static apr_status_t send_of_brigade(modsec_rec *msr, ap_filter_t *f) { * */ static void inject_content_to_of_brigade(modsec_rec *msr, ap_filter_t *f) { + assert(msr != NULL); + assert(f != NULL); apr_bucket *b; if (msr->txcfg->content_injection_enabled && msr->stream_output_data != NULL) { @@ -563,6 +573,8 @@ static void inject_content_to_of_brigade(modsec_rec *msr, ap_filter_t *f) { * */ static void prepend_content_to_of_brigade(modsec_rec *msr, ap_filter_t *f) { + assert(msr != NULL); + assert(f != NULL); if ((msr->txcfg->content_injection_enabled) && (msr->content_prepend) && (!msr->of_skipping)) { apr_bucket *bucket_ci = NULL; @@ -1008,6 +1020,12 @@ apr_status_t output_filter(ap_filter_t *f, apr_bucket_brigade *bb_in) { /* Now send data down the filter stream * (full-buffering only). */ + if (!eos_bucket) { + ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, f->r->server, + "ModSecurity: Internal Error: eos_bucket is NULL."); + return APR_EGENERAL; + } + if ((msr->of_skipping == 0)&&(!msr->of_partial)) { if(msr->of_stream_changed == 1) { inject_content_to_of_brigade(msr,f); diff --git a/apache2/apache2_util.c b/apache2/apache2_util.c index d76da7558d..20ea940ee5 100644 --- a/apache2/apache2_util.c +++ b/apache2/apache2_util.c @@ -25,6 +25,8 @@ * Sends a brigade with an error bucket down the filter chain. */ apr_status_t send_error_bucket(modsec_rec *msr, ap_filter_t *f, int status) { + assert(msr != NULL); + assert(f != NULL); apr_bucket_brigade *brigade = NULL; apr_bucket *bucket = NULL; @@ -61,6 +63,9 @@ apr_status_t send_error_bucket(modsec_rec *msr, ap_filter_t *f, int status) { * the "output" parameter. */ int apache2_exec(modsec_rec *msr, const char *command, const char **argv, char **output) { + assert(msr != NULL); + assert(command != NULL); + apr_procattr_t *procattr = NULL; apr_proc_t *procnew = NULL; apr_status_t rc = APR_SUCCESS; @@ -204,6 +209,9 @@ char *get_env_var(request_rec *r, char *name) { static void internal_log_ex(request_rec *r, directory_config *dcfg, modsec_rec *msr, int level, int fixup, const char *text, va_list ap) { + assert(r != NULL); + assert(msr != NULL); + assert(text != NULL); apr_size_t nbytes, nbytes_written; apr_file_t *debuglog_fd = NULL; int filter_debug_level = 0; @@ -303,6 +311,8 @@ static void internal_log_ex(request_rec *r, directory_config *dcfg, modsec_rec * * Apache error log if the message is important enough. */ void msr_log(modsec_rec *msr, int level, const char *text, ...) { + assert(msr != NULL); + assert(text != NULL); va_list ap; va_start(ap, text); @@ -316,6 +326,8 @@ void msr_log(modsec_rec *msr, int level, const char *text, ...) { * Apache error log. This is intended for error callbacks. */ void msr_log_error(modsec_rec *msr, const char *text, ...) { + assert(msr != NULL); + assert(text != NULL); va_list ap; va_start(ap, text); @@ -330,6 +342,8 @@ void msr_log_error(modsec_rec *msr, const char *text, ...) { * The 'text' will first be escaped. */ void msr_log_warn(modsec_rec *msr, const char *text, ...) { + assert(msr != NULL); + assert(text != NULL); va_list ap; va_start(ap, text); diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c index 7786543a12..091aa0e040 100644 --- a/apache2/mod_security2.c +++ b/apache2/mod_security2.c @@ -475,6 +475,8 @@ static modsec_rec *retrieve_tx_context(request_rec *r) { * phases, redirections, or subrequests. */ static void store_tx_context(modsec_rec *msr, request_rec *r) { + assert(msr != NULL); + assert(r != NULL); apr_table_setn(r->notes, NOTE_MSR, (void *)msr); } @@ -491,7 +493,10 @@ static modsec_rec *create_tx_context(request_rec *r) { apr_allocator_create(&allocator); apr_allocator_max_free_set(allocator, 1024); apr_pool_create_ex(&msr->mp, r->pool, NULL, allocator); - if (msr->mp == NULL) return NULL; + if (msr->mp == NULL) { + apr_allocator_destroy(allocator); + return NULL; + } apr_allocator_owner_set(allocator, msr->mp); msr->modsecurity = modsecurity; @@ -862,7 +867,13 @@ static int hook_request_early(request_rec *r) { * create the initial configuration. */ msr = create_tx_context(r); - if (msr == NULL) return DECLINED; + if (msr == NULL) { + msr_log(msr, 9, "Failed to create context after request failure."); + return DECLINED; + } + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "Context created after request failure."); + } #ifdef REQUEST_EARLY @@ -1150,17 +1161,16 @@ static void hook_error_log(const char *file, int line, int level, apr_status_t s #endif if (msr_ap_server) { #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2 - msr = create_tx_context((request_rec *)info->r); + msr = create_tx_context((request_rec*)info->r); #else - msr = create_tx_context((request_rec *)r); + msr = create_tx_context((request_rec*)r); #endif - if (msr != NULL && msr->txcfg->debuglog_level >= 9) { - if (msr == NULL) { - msr_log(msr, 9, "Failed to create context after request failure."); - } - else { - msr_log(msr, 9, "Context created after request failure."); - } + if (msr == NULL) { + msr_log(msr, 9, "Failed to create context after request failure."); + return; + } + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "Context created after request failure."); } } if (msr == NULL) return; diff --git a/apache2/modsecurity.c b/apache2/modsecurity.c index af5294668b..d6f2034990 100644 --- a/apache2/modsecurity.c +++ b/apache2/modsecurity.c @@ -41,6 +41,8 @@ int DSOLOCAL *unicode_map_table = NULL; const char * msc_alert_message(modsec_rec *msr, msre_actionset *actionset, const char *action_message, const char *rule_message) { + assert(msr != NULL); + assert(actionset != NULL); const char *message = NULL; if (rule_message == NULL) rule_message = "Unknown error."; @@ -63,6 +65,8 @@ const char * msc_alert_message(modsec_rec *msr, msre_actionset *actionset, const void msc_alert(modsec_rec *msr, int level, msre_actionset *actionset, const char *action_message, const char *rule_message) { + assert(msr != NULL); + assert(actionset != NULL); const char *message = msc_alert_message(msr, actionset, action_message, rule_message); msr_log(msr, level, "%s", message); @@ -126,6 +130,11 @@ msc_engine *modsecurity_create(apr_pool_t *mp, int processing_mode) { int modsecurity_init(msc_engine *msce, apr_pool_t *mp) { apr_status_t rc; + msce->auditlog_lock = msce->geo_lock = NULL; +#ifdef GLOBAL_COLLECTION_LOCK + msce->geo_lock = NULL; +#endif + /** * Notice that curl is initialized here but never cleaned up. First version * of this implementation curl was initialized and cleaned for every @@ -547,6 +556,7 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) { * */ static int is_response_status_relevant(modsec_rec *msr, int status) { + assert(msr != NULL); char *my_error_msg = NULL; apr_status_t rc; char buf[32]; @@ -780,6 +790,7 @@ static apr_status_t modsecurity_process_phase_logging(modsec_rec *msr) { * in the modsec_rec structure. */ apr_status_t modsecurity_process_phase(modsec_rec *msr, unsigned int phase) { + assert(msr != NULL); /* Check if we should run. */ if ((msr->was_intercepted)&&(phase != PHASE_LOGGING)) { if (msr->txcfg->debuglog_level >= 4) { diff --git a/apache2/msc_crypt.c b/apache2/msc_crypt.c index 3fe18c78b4..3287eeff2e 100644 --- a/apache2/msc_crypt.c +++ b/apache2/msc_crypt.c @@ -32,14 +32,12 @@ * \retval NULL on fail */ char *normalize_path(modsec_rec *msr, char *input) { + assert(msr != NULL); + assert(input != NULL); xmlURI *uri = NULL; char *parsed_content = NULL; char *content = NULL; - if(msr == NULL) return NULL; - - if(input == NULL) return NULL; - uri = xmlParseURI(input); if(uri != NULL && uri->path) { @@ -195,6 +193,8 @@ char *mschmac(modsec_rec *msr, const char *key, int key_len, char *hmac(modsec_rec *msr, const char *key, int key_len, unsigned char *msg, int msglen) { #endif + assert(msr != NULL); + assert(msg != NULL); apr_sha1_ctx_t ctx; unsigned char digest[APR_SHA1_DIGESTSIZE]; unsigned char hmac_ipad[HMAC_PAD_SIZE], hmac_opad[HMAC_PAD_SIZE]; @@ -346,6 +346,8 @@ int init_response_body_html_parser(modsec_rec *msr) { * \retval -1 on fail */ int do_hash_method(modsec_rec *msr, char *link, int type) { + assert(msr != NULL); + assert(link != NULL); hash_method **em = NULL; int i = 0; char *error_msg = NULL; @@ -1051,6 +1053,7 @@ int hash_response_body_links(modsec_rec *msr) { * \retval -1 On fail */ int inject_hashed_response_body(modsec_rec *msr, int elts) { + assert(msr != NULL); xmlOutputBufferPtr output_buf = NULL; xmlCharEncodingHandlerPtr handler = NULL; char *p = NULL; @@ -1290,13 +1293,13 @@ int inject_hashed_response_body(modsec_rec *msr, int elts) { * \retval NULL on fail */ char *do_hash_link(modsec_rec *msr, char *link, int type) { + assert(msr != NULL); + assert(link != NULL); char *mac_link = NULL; char *path_chunk = NULL; char *hash_value = NULL; char *qm = NULL; - if(msr == NULL) return NULL; - if(strlen(link) > 7 && strncmp("http:",(char*)link,5)==0){ path_chunk = strchr(link+7,'/'); if(path_chunk != NULL) { diff --git a/apache2/msc_geo.c b/apache2/msc_geo.c index a849b4f9e2..e77e4f5056 100644 --- a/apache2/msc_geo.c +++ b/apache2/msc_geo.c @@ -263,6 +263,10 @@ int geo_init(directory_config *dcfg, const char *dbfn, char **error_msg) */ int geo_lookup(modsec_rec *msr, geo_rec *georec, const char *target, char **error_msg) { + assert(msr != NULL); + assert(georec != NULL); + assert(target != NULL); + assert(error_msg != NULL); apr_sockaddr_t *addr; long ipnum = 0; char *targetip = NULL; diff --git a/apache2/msc_json.c b/apache2/msc_json.c index e9d0c99d0d..b42aa96a80 100644 --- a/apache2/msc_json.c +++ b/apache2/msc_json.c @@ -20,6 +20,7 @@ const char *base_offset=NULL; int json_add_argument(modsec_rec *msr, const char *value, unsigned length) { + assert(msr != NULL); msc_arg *arg = (msc_arg *) NULL; /** @@ -298,6 +299,8 @@ static int yajl_end_map(void *ctx) * Initialise JSON parser. */ int json_init(modsec_rec *msr, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); /** * yajl configuration and callbacks */ @@ -315,7 +318,6 @@ int json_init(modsec_rec *msr, char **error_msg) { yajl_end_array }; - if (error_msg == NULL) return -1; *error_msg = NULL; msr_log(msr, 4, "JSON parser initialization"); @@ -352,7 +354,8 @@ int json_init(modsec_rec *msr, char **error_msg) { * Feed one chunk of data to the JSON parser. */ int json_process_chunk(modsec_rec *msr, const char *buf, unsigned int size, char **error_msg) { - if (error_msg == NULL) return -1; + assert(msr != NULL); + assert(error_msg != NULL); *error_msg = NULL; // Take a copy in case libyajl decodes the buffer inline base_offset = apr_pstrmemdup(msr->mp, buf, size); @@ -378,9 +381,10 @@ int json_process_chunk(modsec_rec *msr, const char *buf, unsigned int size, char * Finalise JSON parsing. */ int json_complete(modsec_rec *msr, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); char *json_data = (char *) NULL; - if (error_msg == NULL) return -1; *error_msg = NULL; /* Wrap up the parsing process */ diff --git a/apache2/msc_logging.c b/apache2/msc_logging.c index cdd116f8ff..1e537b6d95 100644 --- a/apache2/msc_logging.c +++ b/apache2/msc_logging.c @@ -35,6 +35,7 @@ * the size counters, update the hash context. */ static int sec_auditlog_write(modsec_rec *msr, const char *data, unsigned int len) { + assert(msr != NULL); apr_size_t nbytes_written, nbytes = len; apr_status_t rc; @@ -86,6 +87,8 @@ static int sec_auditlog_write(modsec_rec *msr, const char *data, unsigned int le * some of the fields to make the log line shorter than _limit bytes. */ char *construct_log_vcombinedus_limited(modsec_rec *msr, int _limit, int *was_limited) { + assert(msr != NULL); + assert(was_limited != NULL); char *hostname; char *local_user, *remote_user; char *referer, *user_agent, *uniqueid; @@ -397,6 +400,7 @@ static void sec_auditlog_write_producer_header(modsec_rec *msr) { * Ouput the Producer header into a JSON generator */ static void sec_auditlog_write_producer_header_json(modsec_rec *msr, yajl_gen g) { + assert(msr != NULL); char **signatures = NULL; int i; @@ -512,6 +516,7 @@ static msre_rule *return_chained_rule(const msre_rule *current, modsec_rec *msr) * \retval 1 On Success */ static int chained_is_matched(modsec_rec *msr, const msre_rule *next_rule) { + assert(msr != NULL); int i = 0; const msre_rule *rule = NULL; @@ -530,6 +535,7 @@ static int chained_is_matched(modsec_rec *msr, const msre_rule *next_rule) { * Write detailed information about performance metrics into a JSON generator */ static void format_performance_variables_json(modsec_rec *msr, yajl_gen g) { + assert(msr != NULL); yajl_string(g, "stopwatch"); yajl_gen_map_open(g); @@ -550,6 +556,8 @@ static void format_performance_variables_json(modsec_rec *msr, yajl_gen g) { * Write detailed information about a rule and its actionset into a JSON generator */ static void write_rule_json(modsec_rec *msr, const msre_rule *rule, yajl_gen g) { + assert(msr != NULL); + assert(rule != NULL); const apr_array_header_t *tarr; const apr_table_entry_t *telts; int been_opened = 0; @@ -740,10 +748,13 @@ void sec_audit_logger_json(modsec_rec *msr) { /* Lock the mutex, but only if we are using serial format. */ if (msr->txcfg->auditlog_type != AUDITLOG_CONCURRENT) { - rc = apr_global_mutex_lock(msr->modsecurity->auditlog_lock); - if (rc != APR_SUCCESS) { - msr_log(msr, 1, "Audit log: Failed to lock global mutex: %s", - get_apr_error(msr->mp, rc)); + if (!msr->modsecurity->auditlog_lock) msr_log(msr, 1, "Audit log: Global mutex was not created"); + else { + rc = apr_global_mutex_lock(msr->modsecurity->auditlog_lock); + if (rc != APR_SUCCESS) { + msr_log(msr, 1, "Audit log: Failed to lock global mutex: %s", + get_apr_error(msr->mp, rc)); + } } } diff --git a/apache2/msc_lua.c b/apache2/msc_lua.c index 2f05df651d..e1715c03b5 100644 --- a/apache2/msc_lua.c +++ b/apache2/msc_lua.c @@ -154,6 +154,8 @@ static int l_log(lua_State *L) { * */ static apr_array_header_t *resolve_tfns(lua_State *L, int idx, modsec_rec *msr, apr_pool_t *mp) { + assert(msr != NULL); + assert(mp != NULL); apr_array_header_t *tfn_arr = NULL; msre_tfn_metadata *tfn = NULL; char *name = NULL; @@ -406,11 +408,13 @@ static const struct luaL_Reg mylib[] = { * */ int lua_execute(msc_script *script, char *param, modsec_rec *msr, msre_rule *rule, char **error_msg) { + assert(script != NULL); + assert(msr != NULL); + assert(error_msg != NULL); apr_time_t time_before; lua_State *L = NULL; int rc = 0; - if (error_msg == NULL) return -1; *error_msg = NULL; if (msr->txcfg->debuglog_level >= 8) { diff --git a/apache2/msc_multipart.c b/apache2/msc_multipart.c index 9309d4df29..e40136b4fd 100644 --- a/apache2/msc_multipart.c +++ b/apache2/msc_multipart.c @@ -21,6 +21,7 @@ #include "msc_parsers.h" void validate_quotes(modsec_rec *msr, char *data, char quote) { + assert(msr != NULL); int i, len; if(msr == NULL) @@ -84,6 +85,8 @@ static char *multipart_construct_filename(modsec_rec *msr) { * */ static int multipart_parse_content_disposition(modsec_rec *msr, char *c_d_value) { + assert(msr != NULL); + assert(c_d_value != NULL); char *p = NULL, *t = NULL; /* accept only what we understand */ @@ -255,9 +258,10 @@ static int multipart_parse_content_disposition(modsec_rec *msr, char *c_d_value) * */ static int multipart_process_part_header(modsec_rec *msr, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); int i, len, rc; - if (error_msg == NULL) return -1; *error_msg = NULL; /* Check for nul bytes. */ @@ -454,11 +458,12 @@ static int multipart_process_part_header(modsec_rec *msr, char **error_msg) { * */ static int multipart_process_part_data(modsec_rec *msr, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); char *p = msr->mpd->buf + (MULTIPART_BUF_SIZE - msr->mpd->bufleft); char localreserve[2] = { '\0', '\0' }; /* initialized to quiet warning */ int bytes_reserved = 0; - if (error_msg == NULL) return -1; *error_msg = NULL; msr->mpd->mpp_substate_part_data_read = 1; @@ -628,6 +633,8 @@ static int multipart_process_part_data(modsec_rec *msr, char **error_msg) { * */ static char *multipart_combine_value_parts(modsec_rec *msr, apr_array_header_t *value_parts) { + assert(msr != NULL); + assert(value_parts != NULL); value_part_t **parts = NULL; char *rval = apr_palloc(msr->mp, msr->mpd->mpp->length + 1); unsigned long int offset; @@ -652,6 +659,7 @@ static char *multipart_combine_value_parts(modsec_rec *msr, apr_array_header_t * * */ static int multipart_process_boundary(modsec_rec *msr, int last_part, char **error_log) { + assert(msr != NULL); /* if there was a part being built finish it */ if (msr->mpd->mpp != NULL) { /* close the temp file */ @@ -788,7 +796,8 @@ static int multipart_count_boundary_params(apr_pool_t *mp, const char *header_va * */ int multipart_init(modsec_rec *msr, char **error_msg) { - if (error_msg == NULL) return -1; + assert(msr != NULL); + assert(error_msg != NULL); *error_msg = NULL; msr->mpd = (multipart_data *)apr_pcalloc(msr->mp, sizeof(multipart_data)); @@ -952,6 +961,8 @@ int multipart_init(modsec_rec *msr, char **error_msg) { * is clear that there is no more data to be processed. */ int multipart_complete(modsec_rec *msr, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); if (msr->mpd == NULL) return 1; if (msr->txcfg->debuglog_level >= 4) { @@ -1055,10 +1066,12 @@ int multipart_complete(modsec_rec *msr, char **error_msg) { int multipart_process_chunk(modsec_rec *msr, const char *buf, unsigned int size, char **error_msg) { + assert(msr != NULL); + assert(buf != NULL); + assert(error_msg != NULL); char *inptr = (char *)buf; unsigned int inleft = size; - if (error_msg == NULL) return -1; *error_msg = NULL; if (size == 0) return 1; @@ -1433,6 +1446,7 @@ apr_status_t multipart_cleanup(modsec_rec *msr) { * */ int multipart_get_arguments(modsec_rec *msr, char *origin, apr_table_t *arguments) { + assert(msr != NULL); multipart_part **parts; int i; diff --git a/apache2/msc_parsers.c b/apache2/msc_parsers.c index 8bbf972689..894c84b9de 100644 --- a/apache2/msc_parsers.c +++ b/apache2/msc_parsers.c @@ -21,6 +21,9 @@ int parse_cookies_v0(modsec_rec *msr, char *_cookie_header, apr_table_t *cookies, const char *delim) { + assert(msr != NULL); + assert(cookies != NULL); + assert(delim != NULL); char *attr_name = NULL, *attr_value = NULL; char *cookie_header; char *saveptr = NULL; @@ -95,6 +98,8 @@ int parse_cookies_v0(modsec_rec *msr, char *_cookie_header, int parse_cookies_v1(modsec_rec *msr, char *_cookie_header, apr_table_t *cookies) { + assert(msr != NULL); + assert(cookies != NULL); char *attr_name = NULL, *attr_value = NULL, *p = NULL; char *prev_attr_name = NULL; char *cookie_header = NULL; @@ -239,6 +244,7 @@ int parse_arguments(modsec_rec *msr, const char *s, apr_size_t inputlength, int argument_separator, const char *origin, apr_table_t *arguments, int *invalid_count) { + assert(msr != NULL); msc_arg *arg; apr_size_t i, j; char *value = NULL; @@ -340,6 +346,9 @@ int parse_arguments(modsec_rec *msr, const char *s, apr_size_t inputlength, */ void add_argument(modsec_rec *msr, apr_table_t *arguments, msc_arg *arg) { + assert(msr != NULL); + assert(arguments != NULL); + assert(arg != NULL); if (msr->txcfg->debuglog_level >= 5) { msr_log(msr, 5, "Adding request argument (%s): name \"%s\", value \"%s\"", arg->origin, log_escape_ex(msr->mp, arg->name, arg->name_len), diff --git a/apache2/msc_reqbody.c b/apache2/msc_reqbody.c index e84c33a391..ba8bdfd416 100644 --- a/apache2/msc_reqbody.c +++ b/apache2/msc_reqbody.c @@ -41,6 +41,8 @@ void msre_engine_reqbody_processor_register(msre_engine *engine, * Prepare to accept the request body (part 2). */ static apr_status_t modsecurity_request_body_start_init(modsec_rec *msr, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); *error_msg = NULL; if(msr->msc_reqbody_storage == MSC_REQBODY_MEMORY) { @@ -80,6 +82,8 @@ static apr_status_t modsecurity_request_body_start_init(modsec_rec *msr, char ** * Prepare to accept the request body (part 1). */ apr_status_t modsecurity_request_body_start(modsec_rec *msr, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); *error_msg = NULL; msr->msc_reqbody_length = 0; msr->stream_input_length = 0; @@ -161,6 +165,8 @@ apr_status_t modsecurity_request_body_start(modsec_rec *msr, char **error_msg) { static apr_status_t modsecurity_request_body_store_disk(modsec_rec *msr, const char *data, apr_size_t length, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); apr_size_t i; *error_msg = NULL; @@ -181,6 +187,8 @@ static apr_status_t modsecurity_request_body_store_disk(modsec_rec *msr, static apr_status_t modsecurity_request_body_store_memory(modsec_rec *msr, const char *data, apr_size_t length, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); *error_msg = NULL; /* Would storing this chunk mean going over the limit? */ @@ -309,6 +317,8 @@ static apr_status_t modsecurity_request_body_store_memory(modsec_rec *msr, apr_status_t modsecurity_request_body_store(modsec_rec *msr, const char *data, apr_size_t length, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); *error_msg = NULL; /* If we have a processor for this request body send @@ -428,6 +438,8 @@ apr_status_t modsecurity_request_body_store(modsec_rec *msr, } apr_status_t modsecurity_request_body_to_stream(modsec_rec *msr, const char *buffer, int buflen, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); #ifndef MSC_LARGE_STREAM_INPUT char *stream_input_body = NULL; char *data = NULL; @@ -541,6 +553,8 @@ apr_status_t modsecurity_request_body_to_stream(modsec_rec *msr, const char *buf * Replace a bunch of chunks holding a request body with a single large chunk. */ static apr_status_t modsecurity_request_body_end_raw(modsec_rec *msr, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); msc_data_chunk **chunks, *one_chunk; char *d; int i, sofar; @@ -614,6 +628,8 @@ static apr_status_t modsecurity_request_body_end_raw(modsec_rec *msr, char **err * */ static apr_status_t modsecurity_request_body_end_urlencoded(modsec_rec *msr, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); int invalid_count = 0; *error_msg = NULL; @@ -643,6 +659,8 @@ static apr_status_t modsecurity_request_body_end_urlencoded(modsec_rec *msr, cha * Stops receiving the request body. */ apr_status_t modsecurity_request_body_end(modsec_rec *msr, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); *error_msg = NULL; /* Close open file descriptors, if any. */ @@ -753,6 +771,8 @@ apr_status_t modsecurity_request_body_end(modsec_rec *msr, char **error_msg) { * Prepares to forward the request body. */ apr_status_t modsecurity_request_body_retrieve_start(modsec_rec *msr, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); *error_msg = NULL; if (msr->msc_reqbody_storage == MSC_REQBODY_MEMORY) { @@ -821,6 +841,8 @@ apr_status_t modsecurity_request_body_retrieve_end(modsec_rec *msr) { apr_status_t modsecurity_request_body_retrieve(modsec_rec *msr, msc_data_chunk **chunk, long int nbytes, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); msc_data_chunk **chunks; *error_msg = NULL; @@ -922,6 +944,8 @@ apr_status_t modsecurity_request_body_retrieve(modsec_rec *msr, * */ apr_status_t modsecurity_request_body_clear(modsec_rec *msr, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); *error_msg = NULL; /* Release memory we used to store request body data. */ diff --git a/apache2/msc_tree.c b/apache2/msc_tree.c index 61f2c916a3..f8610b39e3 100644 --- a/apache2/msc_tree.c +++ b/apache2/msc_tree.c @@ -535,6 +535,8 @@ int TreeCheckData(TreePrefix *prefix, CPTData *prefix_data, unsigned int netmask } int TreePrefixNetmask(modsec_rec *msr, TreePrefix *prefix, unsigned int netmask, int flag) { + // msr can be NULL; + assert(!msr || msr->txcfg != NULL); CPTData *prefix_data = NULL; int ret = 0; @@ -574,6 +576,8 @@ int TreePrefixNetmask(modsec_rec *msr, TreePrefix *prefix, unsigned int netmask, } TreeNode *CPTRetriveNode(modsec_rec *msr, unsigned char *buffer, unsigned int ip_bitmask, TreeNode *node) { + // msr can be NULL; + assert(!msr || msr->txcfg != NULL); unsigned int x, y; if(node == NULL) { @@ -620,6 +624,8 @@ TreeNode *CPTRetriveParentNode(TreeNode *node) { } TreeNode *CPTFindElementIPNetblock(modsec_rec *msr, unsigned char *ipdata, unsigned char ip_bitmask, TreeNode *node) { + // msr can be NULL; + assert(!msr || msr->txcfg != NULL); TreeNode *netmask_node = NULL; int mask = 0, bytes = 0; int i = 0, j = 0; @@ -656,16 +662,22 @@ TreeNode *CPTFindElementIPNetblock(modsec_rec *msr, unsigned char *ipdata, unsig } node = CPTRetriveNode(msr, ipdata, ip_bitmask, node); - if (node == NULL) return NULL; + if (!node) { + if (msr && msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "CPTFindElementIPNetblock: No tree node found."); + } + return NULL; + } + - if (node && node->bit != ip_bitmask) { + if (node->bit != ip_bitmask) { if (msr && msr->txcfg->debuglog_level >= 9) { msr_log(msr, 9, "CPTFindElementIPNetblock: Found a tree node but netmask is different."); } return NULL; } - if (node && node->prefix == NULL) { + if (node->prefix == NULL) { if (msr && msr->txcfg->debuglog_level >= 9) { msr_log(msr, 9, "CPTFindElementIPNetblock: Found a tree node but prefix is NULL."); } @@ -701,6 +713,8 @@ TreeNode *CPTFindElementIPNetblock(modsec_rec *msr, unsigned char *ipdata, unsig } TreeNode *CPTFindElement(modsec_rec *msr, unsigned char *ipdata, unsigned int ip_bitmask, CPTTree *tree) { + // msr can be NULL; + assert(!msr || msr->txcfg != NULL); TreeNode *node = NULL; int mask = 0, bytes = 0; unsigned char temp_data[NETMASK_256-1]; @@ -782,6 +796,8 @@ TreeNode *CPTFindElement(modsec_rec *msr, unsigned char *ipdata, unsigned int ip } TreeNode *CPTIpMatch(modsec_rec *msr, unsigned char *ipdata, CPTTree *tree, int type) { + // msr can be NULL; + assert(!msr || msr->txcfg != NULL); if(tree == NULL) { if (msr && msr->txcfg->debuglog_level >= 9) { @@ -840,6 +856,7 @@ TreeNode *TreeAddIP(const char *buffer, CPTTree *tree, int type) { *(ip_strv4 + (sizeof(ip_strv4) - 1)) = '\0'; ptr = strdup(ip_strv4); + if (ptr == NULL) return NULL; // No way to return a clean error message netmask_v4 = is_netmask_v4(ptr); if (netmask_v4 > NETMASK_32) { @@ -876,6 +893,7 @@ TreeNode *TreeAddIP(const char *buffer, CPTTree *tree, int type) { *(ip_strv6 + sizeof(ip_strv6) - 1) = '\0'; ptr = strdup(ip_strv6); + if (ptr == NULL) return NULL; // No way to return a clean error message netmask_v6 = is_netmask_v6(ptr); if (netmask_v6 > NETMASK_128) { @@ -912,4 +930,3 @@ TreeNode *TreeAddIP(const char *buffer, CPTTree *tree, int type) { return NULL; } - diff --git a/apache2/msc_util.c b/apache2/msc_util.c index 0ce58f919e..535975718f 100644 --- a/apache2/msc_util.c +++ b/apache2/msc_util.c @@ -667,6 +667,7 @@ int convert_to_int(const char c) * \retval 0 On Sucess|Fail */ int set_match_to_tx(modsec_rec *msr, int capture, const char *match, int tx_n) { + assert(msr != NULL); if (capture) { msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); @@ -2378,6 +2379,7 @@ apr_fileperms_t mode2fileperms(int mode) { * Generate a single variable. */ char *construct_single_var(modsec_rec *msr, char *name) { + assert(msr != NULL); char *varname = NULL; char *param = NULL; msre_var *var = NULL; @@ -2386,6 +2388,7 @@ char *construct_single_var(modsec_rec *msr, char *name) { /* Extract variable name and its parameter from the script. */ varname = apr_pstrdup(msr->mp, name); + if (varname == NULL) return NULL; param = strchr(varname, '.'); if (param != NULL) { *param = '\0'; @@ -2703,6 +2706,10 @@ int ip_tree_from_uri(TreeRoot **rtree, char *uri, int tree_contains_ip(apr_pool_t *mp, TreeRoot *rtree, const char *value, modsec_rec *msr, char **error_msg) { + assert(mp != NULL); + assert(value != NULL); + // msr can be NULL; + assert(error_msg != NULL); struct in_addr in; #if APR_HAVE_IPV6 struct in6_addr in6; diff --git a/apache2/msc_util.h b/apache2/msc_util.h index e4e043de16..cd2016e89e 100644 --- a/apache2/msc_util.h +++ b/apache2/msc_util.h @@ -15,6 +15,7 @@ #ifndef _UTIL_H_ #define _UTIL_H_ +#include #include #include diff --git a/apache2/msc_xml.c b/apache2/msc_xml.c index 5b5bbb1a25..808f7e9097 100644 --- a/apache2/msc_xml.c +++ b/apache2/msc_xml.c @@ -24,9 +24,10 @@ xml_unload_external_entity(const char *URI, xmlCharEncoding enc) { * Initialise XML parser. */ int xml_init(modsec_rec *msr, char **error_msg) { + assert(msr != NULL); + assert(error_msg != NULL); xmlParserInputBufferCreateFilenameFunc entity; - if (error_msg == NULL) return -1; *error_msg = NULL; msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data)); @@ -59,7 +60,8 @@ static void xml_receive_sax_error(void *data, const char *msg, ...) { * Feed one chunk of data to the XML parser. */ int xml_process_chunk(modsec_rec *msr, const char *buf, unsigned int size, char **error_msg) { - if (error_msg == NULL) return -1; + assert(msr != NULL); + assert(error_msg != NULL); *error_msg = NULL; /* We want to initialise our parsing context here, to @@ -107,7 +109,8 @@ int xml_process_chunk(modsec_rec *msr, const char *buf, unsigned int size, char * Finalise XML parsing. */ int xml_complete(modsec_rec *msr, char **error_msg) { - if (error_msg == NULL) return -1; + assert(msr != NULL); + assert(error_msg != NULL); *error_msg = NULL; /* Only if we have a context, meaning we've done some work. */ diff --git a/apache2/persist_dbm.c b/apache2/persist_dbm.c index edd41c11ab..fd9c4fc72b 100644 --- a/apache2/persist_dbm.c +++ b/apache2/persist_dbm.c @@ -21,6 +21,8 @@ static apr_table_t *collection_unpack(modsec_rec *msr, const unsigned char *blob, unsigned int blob_size, int log_vars) { + assert(msr != NULL); + assert(blob != NULL); apr_table_t *col = NULL; unsigned int blob_offset; @@ -90,6 +92,8 @@ static apr_table_t *collection_unpack(modsec_rec *msr, const unsigned char *blob static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec *msr, const char *col_name, const char *col_key, int col_key_len) { + assert(msr != NULL); + assert(col_name != NULL); char *dbm_filename = NULL; apr_status_t rc; apr_sdbm_datum_t key; @@ -346,6 +350,7 @@ static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec apr_table_t *collection_retrieve(modsec_rec *msr, const char *col_name, const char *col_key, int col_key_len) { + assert(msr != NULL); apr_time_t time_before = apr_time_now(); apr_table_t *rtable = NULL; @@ -360,6 +365,7 @@ apr_table_t *collection_retrieve(modsec_rec *msr, const char *col_name, * */ int collection_store(modsec_rec *msr, apr_table_t *col) { + assert(msr != NULL); char *dbm_filename = NULL; msc_string *var_name = NULL, *var_key = NULL; unsigned char *blob = NULL; @@ -647,6 +653,8 @@ int collection_store(modsec_rec *msr, apr_table_t *col) { * */ int collections_remove_stale(modsec_rec *msr, const char *col_name) { + assert(msr != NULL); + assert(col_name != NULL); char *dbm_filename = NULL; apr_sdbm_datum_t key, value; apr_sdbm_t *dbm = NULL; diff --git a/apache2/re.c b/apache2/re.c index 41e1eb1412..77ea8ead16 100644 --- a/apache2/re.c +++ b/apache2/re.c @@ -57,6 +57,7 @@ static apr_status_t msre_rule_process(msre_rule *rule, modsec_rec *msr); * \param targets Exception list. */ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *var, const char *exceptions) { + assert(msr != NULL); const char *targets = NULL; char *savedptr = NULL, *target = NULL; char *c = NULL, *name = NULL, *value = NULL; @@ -64,9 +65,6 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va char *myvalue = NULL, *myname = NULL; int match = 0; - if(msr == NULL) - return 0; - if(var == NULL) return 0; @@ -76,6 +74,8 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va if(rule->actionset == NULL) return 0; + assert(exceptions != NULL); + { myvar = apr_pstrdup(msr->mp, var->name); @@ -162,6 +162,7 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va * \param p3 Pointer to configuration option REPLACED_TARGET */ char *msre_ruleset_rule_update_target_matching_exception(modsec_rec *msr, msre_ruleset *ruleset, rule_exception *re, const char *p2, const char *p3) { + assert(msr != NULL); char *err; if(ruleset == NULL) @@ -203,6 +204,8 @@ char *msre_ruleset_phase_rule_update_target_matching_exception(modsec_rec *msr, apr_array_header_t *phase_arr, const char *p2, const char *p3) { + assert(msr != NULL); + assert(ruleset != NULL); msre_rule **rules; int i, j, mode; char *err; @@ -238,6 +241,8 @@ char *msre_ruleset_phase_rule_update_target_matching_exception(modsec_rec *msr, char *update_rule_target_ex(modsec_rec *msr, msre_ruleset *ruleset, msre_rule *rule, const char *p2, const char *p3) { + assert(msr != NULL); + assert(ruleset != NULL); msre_var **targets = NULL; const char *current_targets = NULL; @@ -948,6 +953,9 @@ msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char * static msre_var *msre_create_var(msre_ruleset *ruleset, const char *name, const char *param, modsec_rec *msr, char **error_msg) { + assert(msr != NULL); + assert(ruleset != NULL); + assert(error_msg != NULL); msre_var *var = msre_create_var_ex(ruleset->mp, ruleset->engine, name, param, msr, error_msg); if (var == NULL) return NULL; @@ -1549,6 +1557,7 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re #if defined(PERFORMANCE_MEASUREMENT) apr_time_t time1 = 0; #endif + assert(rule->actionset != NULL); /* Reset the rule interception flag */ msr->rule_was_intercepted = 0; @@ -1767,11 +1776,11 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re fn = apr_psprintf(p, " [file \"%s\"] [line \"%d\"]", rule->filename, rule->line_num); } - if (rule->actionset != NULL && rule->actionset->id != NULL) { + if (rule->actionset->id != NULL) { id = apr_psprintf(p, " [id \"%s\"]", rule->actionset->id); } - if (rule->actionset != NULL && rule->actionset->rev != NULL) { + if (rule->actionset->rev != NULL) { rev = apr_psprintf(p, " [rev \"%s\"]", rule->actionset->rev); } @@ -1905,13 +1914,11 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re else if (rc < 0) { const char *id = ""; const char *msg = ""; - if (rule->actionset) { - if (rule->actionset->id) { - id = rule->actionset->id; - } - if (rule->actionset->msg) { - msg = rule->actionset->msg; - } + if (rule->actionset->id) { + id = rule->actionset->id; + } + if (rule->actionset->msg) { + msg = rule->actionset->msg; } msr_log(msr, 1, "Rule processing failed (id=%s, msg=%s).", id, msg); @@ -1919,7 +1926,7 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re apr_table_clear(msr->matched_vars); return -1; } else { - if (rule->actionset && rule->actionset->is_chained) { + if (rule->actionset->is_chained) { /* If the current rule is part of a chain then * we need to skip over all the rules in the chain. */ @@ -1945,13 +1952,11 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re else { const char *id = ""; const char *msg = ""; - if (rule->actionset) { - if (rule->actionset->id) { - id = rule->actionset->id; - } - if (rule->actionset->msg) { - msg = rule->actionset->msg; - } + if (rule->actionset->id) { + id = rule->actionset->id; + } + if (rule->actionset->msg) { + msg = rule->actionset->msg; } msr_log(msr, 1, "Rule processing failed with unknown return code: %d (id=%s, msg=%s).", rc, id, msg); apr_table_clear(msr->matched_vars); @@ -2091,6 +2096,8 @@ static int msre_ruleset_phase_rule_remove_with_exception(msre_ruleset *ruleset, rules = (msre_rule **)phase_arr->elts; for (i = 0; i < phase_arr->nelts; i++) { msre_rule *rule = (msre_rule *)rules[i]; + assert(rule != NULL); + assert(rule->actionset != NULL); if (mode == 0) { /* Looking for next rule. */ int remove_rule = 0; @@ -2099,7 +2106,7 @@ static int msre_ruleset_phase_rule_remove_with_exception(msre_ruleset *ruleset, if (rule->placeholder == RULE_PH_NONE) { switch(re->type) { case RULE_EXCEPTION_REMOVE_ID : - if ((rule->actionset != NULL)&&(rule->actionset->id != NULL)) { + if (rule->actionset->id != NULL) { int ruleid = atoi(rule->actionset->id); if (rule_id_in_range(ruleid, re->param)) { @@ -2152,9 +2159,9 @@ static int msre_ruleset_phase_rule_remove_with_exception(msre_ruleset *ruleset, if (remove_rule) { /* Do not increment j. */ removed_count++; - if (rule->actionset && rule->actionset->is_chained) mode = 2; /* Remove rules in this chain. */ + if (rule->actionset->is_chained) mode = 2; /* Remove rules in this chain. */ } else { - if (rule->actionset && rule->actionset->is_chained) mode = 1; /* Keep rules in this chain. */ + if (rule->actionset->is_chained) mode = 1; /* Keep rules in this chain. */ rules[j++] = rules[i]; } } else { /* Handling rule that is part of a chain. */ @@ -2211,6 +2218,7 @@ static const char *msre_format_severity(int severity) { * Creates a string containing the metadata of the supplied rule. */ char *msre_format_metadata(modsec_rec *msr, msre_actionset *actionset) { + assert(msr != NULL); const apr_array_header_t *tarr; const apr_table_entry_t *telts; char *id = ""; @@ -2507,6 +2515,8 @@ msre_rule *msre_rule_lua_create(msre_ruleset *ruleset, static void msre_perform_nondisruptive_actions(modsec_rec *msr, msre_rule *rule, msre_actionset *actionset, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(actionset != NULL); const apr_array_header_t *tarr; const apr_table_entry_t *telts; int i; @@ -2529,6 +2539,8 @@ static void msre_perform_nondisruptive_actions(modsec_rec *msr, msre_rule *rule, static void msre_perform_disruptive_actions(modsec_rec *msr, msre_rule *rule, msre_actionset *actionset, apr_pool_t *mptmp, const char *message) { + assert(msr != NULL); + assert(actionset != NULL); const apr_array_header_t *tarr; const apr_table_entry_t *telts; int i; @@ -2613,6 +2625,14 @@ static void msre_perform_disruptive_actions(modsec_rec *msr, msre_rule *rule, static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr, msre_actionset *acting_actionset, apr_pool_t *mptmp) { + assert(var != NULL); + assert(rule != NULL); + assert(rule->actionset != NULL); + assert(rule->op_metadata != NULL); + assert(rule->op_metadata->execute != NULL); + assert(msr != NULL); + assert(acting_actionset != NULL); + assert(mptmp != NULL); apr_time_t time_before_op = 0; char *my_error_msg = NULL; const char *full_varname = NULL; diff --git a/apache2/re_actions.c b/apache2/re_actions.c index 5b6b9dd184..149c73dbb1 100644 --- a/apache2/re_actions.c +++ b/apache2/re_actions.c @@ -51,6 +51,7 @@ static void msre_engine_action_register(msre_engine *engine, const char *name, msre_var *generate_single_var(modsec_rec *msr, msre_var *var, apr_array_header_t *tfn_arr, msre_rule *rule, apr_pool_t *mptmp) { + assert(msr != NULL); apr_table_t *vartab = NULL; const apr_table_entry_t *te = NULL; const apr_array_header_t *arr = NULL; @@ -108,6 +109,7 @@ msre_var *generate_single_var(modsec_rec *msr, msre_var *var, apr_array_header_t apr_table_t *generate_multi_var(modsec_rec *msr, msre_var *var, apr_array_header_t *tfn_arr, msre_rule *rule, apr_pool_t *mptmp) { + assert(msr != NULL); const apr_array_header_t *tarr; const apr_table_entry_t *telts; apr_table_t *vartab = NULL, *tvartab = NULL; @@ -169,6 +171,8 @@ apr_table_t *generate_multi_var(modsec_rec *msr, msre_var *var, apr_array_header * in the given variable. */ int expand_macros(modsec_rec *msr, msc_string *var, msre_rule *rule, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); char *data = NULL; apr_array_header_t *arr = NULL; char *p = NULL, *q = NULL, *t = NULL; @@ -316,6 +320,7 @@ int expand_macros(modsec_rec *msr, msc_string *var, msre_rule *rule, apr_pool_t * value that is set. */ apr_status_t collection_original_setvar(modsec_rec *msr, const char *col_name, const msc_string *orig_var) { + assert(msr != NULL); apr_table_t *table = NULL; msc_string *var = NULL; const char *var_name = NULL; @@ -628,6 +633,8 @@ static apr_status_t msre_action_redirect_init(msre_engine *engine, apr_pool_t *m static apr_status_t msre_action_redirect_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + assert(msr != NULL); + assert(action != NULL); msc_string *var = NULL; var = apr_pcalloc(mptmp, sizeof(msc_string)); @@ -660,6 +667,8 @@ static apr_status_t msre_action_proxy_init(msre_engine *engine, apr_pool_t *mp, static apr_status_t msre_action_proxy_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + assert(msr != NULL); + assert(action != NULL); msc_string *var = NULL; var = apr_pcalloc(mptmp, sizeof(msc_string)); @@ -968,6 +977,8 @@ static apr_status_t msre_action_ctl_init(msre_engine *engine, apr_pool_t *mp, ms static apr_status_t msre_action_ctl_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + assert(msr != NULL); + assert(action != NULL); char *name = NULL; char *value = NULL; @@ -1236,13 +1247,21 @@ static apr_status_t msre_action_ctl_execute(modsec_rec *msr, apr_pool_t *mptmp, msr_log(msr, 4, "Ctl: ruleRemoveTargetById id=%s targets=%s", p1, p2); } if (p2 == NULL) { - msr_log(msr, 1, "ModSecurity: Missing target for id \"%s\"", p1); + msr_log(msr, 1, "Ctl: ruleRemoveTargetById: Missing target for id \"%s\"", p1); return -1; } re = apr_pcalloc(msr->mp, sizeof(rule_exception)); + if (re == NULL) { + msr_log(msr, 1, "Ctl: Memory allocation error"); + return -1; + } re->type = RULE_EXCEPTION_REMOVE_ID; re->param = (const char *)apr_pstrdup(msr->mp, p1); + if (re->param == NULL) { + msr_log(msr, 1, "Ctl: Memory allocation error"); + return -1; + } apr_table_addn(msr->removed_targets, apr_pstrdup(msr->mp, p2), (void *)re); return 1; } else @@ -1336,6 +1355,8 @@ static char *msre_action_xmlns_validate(msre_engine *engine, apr_pool_t *mp, msr static apr_status_t msre_action_sanitizeArg_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + assert(msr != NULL); + assert(action != NULL); const char *sargname = NULL; const apr_array_header_t *tarr; const apr_table_entry_t *telts; @@ -1364,6 +1385,8 @@ static apr_status_t msre_action_sanitizeArg_execute(modsec_rec *msr, apr_pool_t static apr_status_t msre_action_sanitizeMatched_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + assert(msr != NULL); + assert(action != NULL); const char *sargname = NULL; const apr_array_header_t *tarr; const apr_table_entry_t *telts; @@ -1439,6 +1462,8 @@ static apr_status_t msre_action_sanitizeMatched_execute(modsec_rec *msr, apr_poo static apr_status_t msre_action_sanitizeRequestHeader_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + assert(msr != NULL); + assert(action != NULL); apr_table_set(msr->request_headers_to_sanitize, action->param, "1"); return 1; } @@ -1447,6 +1472,8 @@ static apr_status_t msre_action_sanitizeRequestHeader_execute(modsec_rec *msr, a static apr_status_t msre_action_sanitizeResponseHeader_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + assert(msr != NULL); + assert(action != NULL); apr_table_set(msr->response_headers_to_sanitize, action->param, "1"); return 1; } @@ -1455,6 +1482,8 @@ static apr_status_t msre_action_sanitizeResponseHeader_execute(modsec_rec *msr, static apr_status_t msre_action_setenv_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + assert(msr != NULL); + assert(action != NULL); char *data = apr_pstrdup(mptmp, action->param); char *env_name = NULL, *env_value = NULL; char *s = NULL; @@ -1528,6 +1557,9 @@ static apr_status_t msre_action_setenv_execute(modsec_rec *msr, apr_pool_t *mptm apr_status_t msre_action_setvar_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, char *var_name, char *var_value) { + assert(msr != NULL); + assert(var_name != NULL); + assert(var_value != NULL); char *col_name = NULL; char *s = NULL; apr_table_t *target_col = NULL; @@ -1549,9 +1581,13 @@ apr_status_t msre_action_setvar_execute(modsec_rec *msr, apr_pool_t *mptmp, var->value_len = strlen(var->value); expand_macros(msr, var, rule, mptmp); var_name = log_escape_nq_ex(msr->mp, var->value, var->value_len); + if (var_name == NULL) { + msr_log(msr, 1, "Failed to allocate space to expand name macros"); + return -1; + } /* Handle the exclamation mark. */ - if (var_name != NULL && var_name[0] == '!') { + if (var_name[0] == '!') { var_name = var_name + 1; is_negated = 1; } @@ -1711,6 +1747,8 @@ apr_status_t msre_action_setvar_execute(modsec_rec *msr, apr_pool_t *mptmp, static apr_status_t msre_action_setvar_parse(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + assert(msr != NULL); + assert(action != NULL); char *data = apr_pstrdup(mptmp, action->param); char *var_name = NULL, *var_value = NULL; char *s = NULL; @@ -1736,6 +1774,8 @@ static apr_status_t msre_action_setvar_parse(modsec_rec *msr, apr_pool_t *mptmp, static apr_status_t msre_action_expirevar_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + assert(msr != NULL); + assert(action != NULL); char *data = apr_pstrdup(mptmp, action->param); char *col_name = NULL, *var_name = NULL, *var_value = NULL; char *s = NULL; @@ -1833,6 +1873,8 @@ static apr_status_t msre_action_expirevar_execute(modsec_rec *msr, apr_pool_t *m static apr_status_t msre_action_deprecatevar_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + assert(msr != NULL); + assert(action != NULL); char *data = apr_pstrdup(mptmp, action->param); char *col_name = NULL, *var_name = NULL, *var_value = NULL; char *s = NULL; @@ -1967,6 +2009,8 @@ static apr_status_t msre_action_deprecatevar_execute(modsec_rec *msr, apr_pool_t static apr_status_t init_collection(modsec_rec *msr, const char *real_col_name, const char *col_name, const char *col_key, unsigned int col_key_len) { + assert(msr != NULL); + assert(real_col_name != NULL); apr_table_t *table = NULL; msc_string *var = NULL; @@ -1980,7 +2024,6 @@ static apr_status_t init_collection(modsec_rec *msr, const char *real_col_name, /* Init collection from storage. */ table = collection_retrieve(msr, real_col_name, col_key, col_key_len); - if (table == NULL) { /* Does not exist yet - create new. */ @@ -2101,6 +2144,8 @@ static apr_status_t init_collection(modsec_rec *msr, const char *real_col_name, static apr_status_t msre_action_initcol_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + assert(msr != NULL); + assert(action != NULL); char *data = apr_pstrdup(msr->mp, action->param); char *col_name = NULL, *col_key = NULL; unsigned int col_key_len; @@ -2132,6 +2177,8 @@ static apr_status_t msre_action_initcol_execute(modsec_rec *msr, apr_pool_t *mpt static apr_status_t msre_action_setsid_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + assert(msr != NULL); + assert(action != NULL); msc_string *var = NULL; char *real_col_name = NULL, *col_key = NULL; unsigned int col_key_len; @@ -2156,6 +2203,8 @@ static apr_status_t msre_action_setsid_execute(modsec_rec *msr, apr_pool_t *mptm static apr_status_t msre_action_setuid_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + assert(msr != NULL); + assert(action != NULL); msc_string *var = NULL; char *real_col_name = NULL, *col_key = NULL; unsigned int col_key_len; @@ -2180,6 +2229,8 @@ static apr_status_t msre_action_setuid_execute(modsec_rec *msr, apr_pool_t *mptm static apr_status_t msre_action_setrsc_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + assert(msr != NULL); + assert(action != NULL); msc_string *var = NULL; char *real_col_name = NULL, *col_key = NULL; unsigned int col_key_len; @@ -2228,7 +2279,9 @@ static char *msre_action_exec_validate(msre_engine *engine, apr_pool_t *mp, msre static apr_status_t msre_action_exec_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { - #if defined(WITH_LUA) + assert(msr != NULL); + assert(action != NULL); +#if defined(WITH_LUA) if (action->param_data != NULL) { /* Lua */ msc_script *script = (msc_script *)action->param_data; char *my_error_msg = NULL; @@ -2256,6 +2309,8 @@ static apr_status_t msre_action_exec_execute(modsec_rec *msr, apr_pool_t *mptmp, static apr_status_t msre_action_prepend_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + assert(msr != NULL); + assert(action != NULL); msc_string *var = NULL; /* Expand any macros in the text */ @@ -2276,6 +2331,8 @@ static apr_status_t msre_action_prepend_execute(modsec_rec *msr, apr_pool_t *mpt static apr_status_t msre_action_append_execute(modsec_rec *msr, apr_pool_t *mptmp, msre_rule *rule, msre_action *action) { + assert(msr != NULL); + assert(action != NULL); msc_string *var = NULL; /* Expand any macros in the text */ diff --git a/apache2/re_operators.c b/apache2/re_operators.c index cbf5c2db79..b5c171f430 100644 --- a/apache2/re_operators.c +++ b/apache2/re_operators.c @@ -70,6 +70,7 @@ msre_op_metadata *msre_engine_op_resolve(msre_engine *engine, const char *name) static int msre_op_unconditionalmatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(error_msg != NULL); *error_msg = "Unconditional match in SecAction."; /* Always match. */ @@ -81,6 +82,7 @@ static int msre_op_unconditionalmatch_execute(modsec_rec *msr, msre_rule *rule, static int msre_op_nomatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(error_msg != NULL); *error_msg = "No match."; /* Never match. */ @@ -131,13 +133,13 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) { * \retval 0 On No Match */ static int msre_op_ipmatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(var != NULL); + assert(error_msg != NULL); TreeRoot *rtree = NULL; int res = 0; - if (error_msg == NULL) - return -1; - else - *error_msg = NULL; + *error_msg = NULL; if (rule == NULL || rule->ip_op == NULL) { msr_log(msr, 1, "ipMatch Internal Error: ipmatch value is null."); @@ -258,14 +260,14 @@ static int msre_op_ipmatchFromFile_param_init(msre_rule *rule, char **error_msg) */ static int msre_op_ipmatchFromFile_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { - + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); TreeRoot *rtree = (TreeRoot *)rule->op_param_data; int res = 0; - if (error_msg == NULL) - return -1; - else - *error_msg = NULL; + *error_msg = NULL; if (rtree == NULL) { @@ -469,8 +471,20 @@ static int msre_op_rsub_param_init(msre_rule *rule, char **error_msg) { * \retval 0 On No Match */ static int msre_op_rsub_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + if (!str) { + msr_log(msr, 1, "rsub: Memory allocation error"); + return -1; + } msc_string *re_pattern = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + if (!re_pattern) { + msr_log(msr, 1, "rsub: Memory allocation error"); + return -1; + } char *offset = NULL; char *data = NULL, *pattern = NULL; char *data_out = NULL; @@ -483,7 +497,6 @@ static int msre_op_rsub_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, regmatch_t pmatch[AP_MAX_REG_MATCH]; #endif - if (error_msg == NULL) return -1; *error_msg = NULL; if(strcmp(var->name,"STREAM_OUTPUT_BODY") == 0 ) { @@ -741,8 +754,16 @@ static int msre_op_validateHash_param_init(msre_rule *rule, char **error_msg) { * \retval 0 On fail */ static int msre_op_validateHash_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); msc_regex_t *regex = (msc_regex_t *)rule->op_param_data; msc_string *re_pattern = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + if (!re_pattern) { + msr_log(msr, 1, "validateHash: Memory allocation error"); + return -1; + } const char *target; const char *errptr = NULL; int erroffset; @@ -757,8 +778,6 @@ static int msre_op_validateHash_execute(modsec_rec *msr, msre_rule *rule, msre_v #endif #endif - - if (error_msg == NULL) return -1; *error_msg = NULL; if (msr->txcfg->hash_enforcement == HASH_DISABLED || msr->txcfg->hash_is_enabled == HASH_DISABLED) @@ -999,8 +1018,21 @@ static int msre_op_rx_param_init(msre_rule *rule, char **error_msg) { } static int msre_op_rx_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(rule->actionset != NULL); + assert(var != NULL); + assert(error_msg != NULL); msc_regex_t *regex = (msc_regex_t *)rule->op_param_data; + if (!regex) { + msr_log(msr, 1, "rx: Memory allocation error"); + return -1; + } msc_string *re_pattern = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + if (!re_pattern) { + msr_log(msr, 1, "rx: Memory allocation error"); + return -1; + } const char *target; const char *errptr = NULL; int erroffset; @@ -1021,8 +1053,6 @@ static int msre_op_rx_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, c #endif #endif - - if (error_msg == NULL) return -1; *error_msg = NULL; if (regex == NULL) { @@ -1097,29 +1127,30 @@ static int msre_op_rx_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, c target_length = var->value_len; } - /* Are we supposed to capture subexpressions? */ - if (rule->actionset) { + if (rule->actionset->actions) { + /* Are we supposed to capture subexpressions? */ capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0; matched_bytes = apr_table_get(rule->actionset->actions, "sanitizeMatchedBytes") ? 1 : 0; - if(!matched_bytes) + if (!matched_bytes) matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0; matched = apr_table_get(rule->actionset->actions, "sanitizeMatched") ? 1 : 0; - if(!matched) + if (!matched) matched = apr_table_get(rule->actionset->actions, "sanitiseMatched") ? 1 : 0; + } + else capture = 0; - /* Show when the regex captures but "capture" is not set */ - if (msr->txcfg->debuglog_level >= 6) { - int capcount = 0; + /* Show when the regex captures but "capture" is not set */ + if (msr->txcfg->debuglog_level >= 6) { + int capcount = 0; #ifdef WITH_PCRE2 - rc = msc_fullinfo(regex, PCRE2_INFO_CAPTURECOUNT, &capcount); + rc = msc_fullinfo(regex, PCRE2_INFO_CAPTURECOUNT, &capcount); #else - rc = msc_fullinfo(regex, PCRE_INFO_CAPTURECOUNT, &capcount); + rc = msc_fullinfo(regex, PCRE_INFO_CAPTURECOUNT, &capcount); #endif - if (msr->txcfg->debuglog_level >= 6) { - if ((capture == 0) && (capcount > 0)) { - msr_log(msr, 6, "Ignoring regex captures since \"capture\" action is not enabled."); - } + if (msr->txcfg->debuglog_level >= 6) { + if ((capture == 0) && (capcount > 0)) { + msr_log(msr, 6, "Ignoring regex captures since \"capture\" action is not enabled."); } } } @@ -1447,6 +1478,11 @@ static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) { } static int msre_op_pm_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(rule->actionset != NULL); + assert(var != NULL); + assert(error_msg != NULL); const char *match = NULL; apr_status_t rc = 0; int capture; @@ -1456,7 +1492,9 @@ static int msre_op_pm_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, c if ((var->value == NULL) || (var->value_len == 0)) return 0; /* Are we supposed to capture subexpressions? */ - capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0; + if (rule->actionset->actions) + capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0; + else capture = 0; if (rule->op_param_data == NULL) { @@ -1633,6 +1671,9 @@ static const char *gsb_reduce_char(apr_pool_t *pool, const char *domain) { * \retval 0 On No Match */ static int verify_gsb(gsb_db *gsb, modsec_rec *msr, const char *match, unsigned int match_length) { + assert(gsb != NULL); + assert(msr != NULL); + assert(match != NULL); apr_md5_ctx_t ctx; apr_status_t rc; unsigned char digest[APR_MD5_DIGESTSIZE]; @@ -1710,6 +1751,10 @@ static int msre_op_gsbLookup_param_init(msre_rule *rule, char **error_msg) { * \retval 0 On No Match */ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); msc_regex_t *regex = (msc_regex_t *)rule->op_param_data; char *my_error_msg = NULL; int ovector[33]; @@ -2056,7 +2101,6 @@ static int msre_op_within_execute(modsec_rec *msr, msre_rule *rule, msre_var *va unsigned int target_length = 0; unsigned int i, i_max; - if (error_msg == NULL) return -1; *error_msg = NULL; str->value = (char *)rule->op_param; @@ -2119,15 +2163,22 @@ static int msre_op_within_execute(modsec_rec *msr, msre_rule *rule, msre_var *va /* contains */ static int msre_op_contains_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { - msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); const char *match = NULL; const char *target; unsigned int match_length; unsigned int target_length = 0; unsigned int i, i_max; + msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + if (str == NULL) { + *error_msg = "Internal Error: cannot allocate memory."; + return -1; + } str->value = (char *)rule->op_param; - if (str->value == NULL) { *error_msg = "Internal Error: match string is null."; return -1; @@ -2198,7 +2249,13 @@ static int msre_op_contains_execute(modsec_rec *msr, msre_rule *rule, msre_var * */ static int msre_op_detectSQLi_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { - + assert(msr != NULL); + assert(rule != NULL); + assert(rule->actionset != NULL); + assert(rule->actionset->actions != NULL); + assert(var != NULL); + assert(var != NULL); + assert(error_msg != NULL); char fingerprint[8]; int issqli; int capture; @@ -2230,6 +2287,11 @@ static int msre_op_detectSQLi_execute(modsec_rec *msr, msre_rule *rule, msre_var */ static int msre_op_detectXSS_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(rule->actionset != NULL); + assert(rule->actionset->actions != NULL); + assert(error_msg != NULL); int capture; int is_xss; @@ -2256,16 +2318,23 @@ static int msre_op_detectXSS_execute(modsec_rec *msr, msre_rule *rule, msre_var /* containsWord */ static int msre_op_containsWord_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { - msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); const char *match = NULL; const char *target; unsigned int match_length; unsigned int target_length = 0; unsigned int i, i_max; int rc = 0; + msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + if (str == NULL) { + *error_msg = "Internal Error: cannot allocate memory."; + return -1; + } str->value = (char *)rule->op_param; - if (str->value == NULL) { *error_msg = "Internal Error: match string is null."; return -1; @@ -2273,7 +2342,6 @@ static int msre_op_containsWord_execute(modsec_rec *msr, msre_rule *rule, msre_v str->value_len = strlen(str->value); - if (error_msg == NULL) return -1; *error_msg = NULL; expand_macros(msr, str, rule, msr->mp); @@ -2351,14 +2419,21 @@ static int msre_op_containsWord_execute(modsec_rec *msr, msre_rule *rule, msre_v /* streq */ static int msre_op_streq_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + if (!str) { + msr_log(msr, 1, "streq: Memory allocation error"); + return -1; + } const char *match = NULL; const char *target; unsigned int match_length; unsigned int target_length; str->value = (char *)rule->op_param; - if (str->value == NULL) { *error_msg = "Internal Error: match string is null."; return -1; @@ -2366,7 +2441,6 @@ static int msre_op_streq_execute(modsec_rec *msr, msre_rule *rule, msre_var *var str->value_len = strlen(str->value); - if (error_msg == NULL) return -1; *error_msg = NULL; expand_macros(msr, str, rule, msr->mp); @@ -2407,14 +2481,21 @@ static int msre_op_streq_execute(modsec_rec *msr, msre_rule *rule, msre_var *var /* beginsWith */ static int msre_op_beginsWith_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { - msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); const char *match = NULL; const char *target; unsigned int match_length; unsigned int target_length; + msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + if (str == NULL) { + *error_msg = "Internal Error: cannot allocate memory."; + return -1; + } str->value = (char *)rule->op_param; - if (str->value == NULL) { *error_msg = "Internal Error: match string is null."; return -1; @@ -2470,14 +2551,19 @@ static int msre_op_beginsWith_execute(modsec_rec *msr, msre_rule *rule, msre_var /* endsWith */ static int msre_op_endsWith_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { - msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + assert(msr != NULL); + assert(rule != NULL); const char *match = NULL; const char *target; unsigned int match_length; unsigned int target_length; + msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + if (str == NULL) { + *error_msg = "Internal Error: cannot allocate memory."; + return -1; + } str->value = (char *)rule->op_param; - if (str->value == NULL) { *error_msg = "Internal Error: match string is null."; return -1; @@ -2485,7 +2571,6 @@ static int msre_op_endsWith_execute(modsec_rec *msr, msre_rule *rule, msre_var * str->value_len = strlen(str->value); - if (error_msg == NULL) return -1; *error_msg = NULL; expand_macros(msr, str, rule, msr->mp); @@ -2562,12 +2647,15 @@ static int msre_op_strmatch_param_init(msre_rule *rule, char **error_msg) { } static int msre_op_strmatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); apr_strmatch_pattern *compiled_pattern = (apr_strmatch_pattern *)rule->op_param_data; const char *target; unsigned int target_length; const char *rc; - if (error_msg == NULL) return -1; *error_msg = NULL; if (compiled_pattern == NULL) { @@ -2610,6 +2698,10 @@ static int msre_op_validateDTD_init(msre_rule *rule, char **error_msg) { static int msre_op_validateDTD_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); xmlValidCtxtPtr cvp; xmlDtdPtr dtd; @@ -2680,6 +2772,10 @@ static int msre_op_validateSchema_init(msre_rule *rule, char **error_msg) { static int msre_op_validateSchema_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); xmlSchemaParserCtxtPtr parserCtx; xmlSchemaValidCtxtPtr validCtx; xmlSchemaPtr schema; @@ -2817,6 +2913,10 @@ static int msre_op_verifyCC_init(msre_rule *rule, char **error_msg) { } static int msre_op_verifyCC_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); msc_regex_t *regex = (msc_regex_t *)rule->op_param_data; const char *target; unsigned int target_length; @@ -2836,7 +2936,6 @@ static int msre_op_verifyCC_execute(modsec_rec *msr, msre_rule *rule, msre_var * #endif #endif - if (error_msg == NULL) return -1; *error_msg = NULL; if (regex == NULL) { @@ -2844,6 +2943,8 @@ static int msre_op_verifyCC_execute(modsec_rec *msr, msre_rule *rule, msre_var * return -1; } + assert(rule->actionset != NULL); + memset(ovector, 0, sizeof(ovector)); #ifdef WITH_PCRE_STUDY @@ -2934,53 +3035,51 @@ static int msre_op_verifyCC_execute(modsec_rec *msr, msre_rule *rule, msre_var * * and we are done. */ - if (rule->actionset) { - matched_bytes = apr_table_get(rule->actionset->actions, "sanitizeMatchedBytes") ? 1 : 0; - if(!matched_bytes) - matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0; - - if (apr_table_get(rule->actionset->actions, "capture")) { - for(; i < rc; i++) { - msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); - if (s == NULL) return -1; - s->name = apr_psprintf(msr->mp, "%d", i); - if (s->name == NULL) return -1; - s->name_len = strlen(s->name); - s->value = apr_pstrmemdup(msr->mp, match, length); - if (s->value == NULL) return -1; - s->value_len = length; - - apr_table_setn(msr->tx_vars, s->name, (void *)s); - - if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Added regex subexpression to TX.%d: %s", i, - log_escape_nq_ex(msr->mp, s->value, s->value_len)); - } + matched_bytes = apr_table_get(rule->actionset->actions, "sanitizeMatchedBytes") ? 1 : 0; + if(!matched_bytes) + matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0; + + if (apr_table_get(rule->actionset->actions, "capture")) { + for(; i < rc; i++) { + msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + if (s == NULL) return -1; + s->name = apr_psprintf(msr->mp, "%d", i); + if (s->name == NULL) return -1; + s->name_len = strlen(s->name); + s->value = apr_pstrmemdup(msr->mp, match, length); + if (s->value == NULL) return -1; + s->value_len = length; + + apr_table_setn(msr->tx_vars, s->name, (void *)s); + + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "Added regex subexpression to TX.%d: %s", i, + log_escape_nq_ex(msr->mp, s->value, s->value_len)); + } - if((matched_bytes == 1) && (var != NULL) && (var->name != NULL)) { - qspos = apr_psprintf(msr->mp, "%s", var->name); - parm = strstr(qspos, ":"); - if (parm != NULL) { - parm++; - mparm = apr_palloc(msr->mp, sizeof(msc_parm)); - if (mparm == NULL) - continue; - - mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); - mparm->pad_1 = rule->actionset->arg_min; - mparm->pad_2 = rule->actionset->arg_max; - apr_table_addn(msr->pattern_to_sanitize, parm, (void *)mparm); - } else { - mparm = apr_palloc(msr->mp, sizeof(msc_parm)); - if (mparm == NULL) - continue; - - mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); - apr_table_addn(msr->pattern_to_sanitize, qspos, (void *)mparm); - } + if((matched_bytes == 1) && (var != NULL) && (var->name != NULL)) { + qspos = apr_psprintf(msr->mp, "%s", var->name); + parm = strstr(qspos, ":"); + if (parm != NULL) { + parm++; + mparm = apr_palloc(msr->mp, sizeof(msc_parm)); + if (mparm == NULL) + continue; + + mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); + mparm->pad_1 = rule->actionset->arg_min; + mparm->pad_2 = rule->actionset->arg_max; + apr_table_addn(msr->pattern_to_sanitize, parm, (void *)mparm); + } else { + mparm = apr_palloc(msr->mp, sizeof(msc_parm)); + if (mparm == NULL) + continue; + + mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); + apr_table_addn(msr->pattern_to_sanitize, qspos, (void *)mparm); } - } + } } @@ -3146,6 +3245,11 @@ static int msre_op_verifyCPF_init(msre_rule *rule, char **error_msg) { * \retval 0 On No Match */ static int msre_op_verifyCPF_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(rule->actionset != NULL); + assert(var != NULL); + assert(error_msg != NULL); msc_regex_t *regex = (msc_regex_t *)rule->op_param_data; const char *target; unsigned int target_length; @@ -3165,8 +3269,6 @@ static int msre_op_verifyCPF_execute(modsec_rec *msr, msre_rule *rule, msre_var #endif #endif - - if (error_msg == NULL) return -1; *error_msg = NULL; if (regex == NULL) { @@ -3174,6 +3276,8 @@ static int msre_op_verifyCPF_execute(modsec_rec *msr, msre_rule *rule, msre_var return -1; } + assert(rule->actionset != NULL); + memset(ovector, 0, sizeof(ovector)); #ifdef WITH_PCRE_STUDY @@ -3241,11 +3345,11 @@ static int msre_op_verifyCPF_execute(modsec_rec *msr, msre_rule *rule, msre_var /* Verify a match. */ if (rc > 0) { - const char *match = target + ovector[0]; + const char* match = target + ovector[0]; int length = ovector[1] - ovector[0]; int i = 0; - offset = ovector[2*i]; + offset = ovector[2 * i]; /* Check CPF using the match string */ is_cpf = cpf_verify(match, length); @@ -3263,58 +3367,57 @@ static int msre_op_verifyCPF_execute(modsec_rec *msr, msre_rule *rule, msre_var * and we are done. */ - if (rule->actionset) { - matched_bytes = apr_table_get(rule->actionset->actions, "sanitizeMatchedBytes") ? 1 : 0; - if(!matched_bytes) - matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0; - - if (apr_table_get(rule->actionset->actions, "capture")) { - for(; i < rc; i++) { - msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); - if (s == NULL) return -1; - s->name = apr_psprintf(msr->mp, "%d", i); - if (s->name == NULL) return -1; - s->name_len = strlen(s->name); - s->value = apr_pstrmemdup(msr->mp, match, length); - if (s->value == NULL) return -1; - s->value_len = length; - - apr_table_setn(msr->tx_vars, s->name, (void *)s); - - if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Added regex subexpression to TX.%d: %s", i, - log_escape_nq_ex(msr->mp, s->value, s->value_len)); - } + matched_bytes = apr_table_get(rule->actionset->actions, "sanitizeMatchedBytes") ? 1 : 0; + if (!matched_bytes) + matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0; + + if (apr_table_get(rule->actionset->actions, "capture")) { + for (; i < rc; i++) { + msc_string* s = (msc_string*)apr_pcalloc(msr->mp, sizeof(msc_string)); + if (s == NULL) return -1; + s->name = apr_psprintf(msr->mp, "%d", i); + if (s->name == NULL) return -1; + s->name_len = strlen(s->name); + s->value = apr_pstrmemdup(msr->mp, match, length); + if (s->value == NULL) return -1; + s->value_len = length; + + apr_table_setn(msr->tx_vars, s->name, (void*)s); + + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "Added regex subexpression to TX.%d: %s", i, + log_escape_nq_ex(msr->mp, s->value, s->value_len)); + } - if((matched_bytes == 1) && (var != NULL) && (var->name != NULL)) { - qspos = apr_psprintf(msr->mp, "%s", var->name); - parm = strstr(qspos, ":"); - if (parm != NULL) { - parm++; - mparm = apr_palloc(msr->mp, sizeof(msc_parm)); - if (mparm == NULL) - continue; - - mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); - mparm->pad_1 = rule->actionset->arg_min; - mparm->pad_2 = rule->actionset->arg_max; - apr_table_addn(msr->pattern_to_sanitize, parm, (void *)mparm); - } else { - mparm = apr_palloc(msr->mp, sizeof(msc_parm)); - if (mparm == NULL) - continue; - - mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); - apr_table_addn(msr->pattern_to_sanitize, qspos, (void *)mparm); - } + if ((matched_bytes == 1) && (var != NULL) && (var->name != NULL)) { + qspos = apr_psprintf(msr->mp, "%s", var->name); + parm = strstr(qspos, ":"); + if (parm != NULL) { + parm++; + mparm = apr_palloc(msr->mp, sizeof(msc_parm)); + if (mparm == NULL) + continue; + + mparm->value = apr_pstrmemdup(msr->mp, s->value, s->value_len); + mparm->pad_1 = rule->actionset->arg_min; + mparm->pad_2 = rule->actionset->arg_max; + apr_table_addn(msr->pattern_to_sanitize, parm, (void*)mparm); } + else { + mparm = apr_palloc(msr->mp, sizeof(msc_parm)); + if (mparm == NULL) + continue; + mparm->value = apr_pstrmemdup(msr->mp, s->value, s->value_len); + apr_table_addn(msr->pattern_to_sanitize, qspos, (void*)mparm); + } } + } } /* Unset the remaining TX vars (from previous invocations). */ - for(; i <= 9; i++) { + for (; i <= 9; i++) { char buf[24]; apr_snprintf(buf, sizeof(buf), "%i", i); apr_table_unset(msr->tx_vars, buf); @@ -3349,6 +3452,8 @@ static int msre_op_verifyCPF_execute(modsec_rec *msr, msre_rule *rule, msre_var * \retval 1 On Valid SSN */ static int ssn_verify(modsec_rec *msr, const char *ssnumber, int len) { + assert(msr != NULL); + assert(ssnumber != NULL); int i; int num[9]; int digits = 0; @@ -3460,6 +3565,11 @@ static int msre_op_verifySSN_init(msre_rule *rule, char **error_msg) { * \retval 0 On No Match */ static int msre_op_verifySSN_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(rule->actionset != NULL); + assert(var != NULL); + assert(error_msg != NULL); msc_regex_t *regex = (msc_regex_t *)rule->op_param_data; const char *target; unsigned int target_length; @@ -3488,6 +3598,8 @@ static int msre_op_verifySSN_execute(modsec_rec *msr, msre_rule *rule, msre_var return -1; } + assert(rule->actionset != NULL); + memset(ovector, 0, sizeof(ovector)); #ifdef WITH_PCRE_STUDY @@ -3577,53 +3689,51 @@ static int msre_op_verifySSN_execute(modsec_rec *msr, msre_rule *rule, msre_var * and we are done. */ - if (rule->actionset) { - matched_bytes = apr_table_get(rule->actionset->actions, "sanitizeMatchedBytes") ? 1 : 0; - if(!matched_bytes) - matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0; - - if (apr_table_get(rule->actionset->actions, "capture")) { - for(; i < rc; i++) { - msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); - if (s == NULL) return -1; - s->name = apr_psprintf(msr->mp, "%d", i); - if (s->name == NULL) return -1; - s->name_len = strlen(s->name); - s->value = apr_pstrmemdup(msr->mp, match, length); - if (s->value == NULL) return -1; - s->value_len = length; - - apr_table_setn(msr->tx_vars, s->name, (void *)s); - - if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Added regex subexpression to TX.%d: %s", i, - log_escape_nq_ex(msr->mp, s->value, s->value_len)); - } + matched_bytes = apr_table_get(rule->actionset->actions, "sanitizeMatchedBytes") ? 1 : 0; + if(!matched_bytes) + matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0; + + if (apr_table_get(rule->actionset->actions, "capture")) { + for(; i < rc; i++) { + msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + if (s == NULL) return -1; + s->name = apr_psprintf(msr->mp, "%d", i); + if (s->name == NULL) return -1; + s->name_len = strlen(s->name); + s->value = apr_pstrmemdup(msr->mp, match, length); + if (s->value == NULL) return -1; + s->value_len = length; + + apr_table_setn(msr->tx_vars, s->name, (void *)s); + + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "Added regex subexpression to TX.%d: %s", i, + log_escape_nq_ex(msr->mp, s->value, s->value_len)); + } - if((matched_bytes == 1) && (var != NULL) && (var->name != NULL)) { - qspos = apr_psprintf(msr->mp, "%s", var->name); - parm = strstr(qspos, ":"); - if (parm != NULL) { - parm++; - mparm = apr_palloc(msr->mp, sizeof(msc_parm)); - if (mparm == NULL) - continue; - - mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); - mparm->pad_1 = rule->actionset->arg_min; - mparm->pad_2 = rule->actionset->arg_max; - apr_table_addn(msr->pattern_to_sanitize, parm, (void *)mparm); - } else { - mparm = apr_palloc(msr->mp, sizeof(msc_parm)); - if (mparm == NULL) - continue; - - mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); - apr_table_addn(msr->pattern_to_sanitize, qspos, (void *)mparm); - } + if((matched_bytes == 1) && (var != NULL) && (var->name != NULL)) { + qspos = apr_psprintf(msr->mp, "%s", var->name); + parm = strstr(qspos, ":"); + if (parm != NULL) { + parm++; + mparm = apr_palloc(msr->mp, sizeof(msc_parm)); + if (mparm == NULL) + continue; + + mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); + mparm->pad_1 = rule->actionset->arg_min; + mparm->pad_2 = rule->actionset->arg_max; + apr_table_addn(msr->pattern_to_sanitize, parm, (void *)mparm); + } else { + mparm = apr_palloc(msr->mp, sizeof(msc_parm)); + if (mparm == NULL) + continue; + + mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len); + apr_table_addn(msr->pattern_to_sanitize, qspos, (void *)mparm); } - } + } } @@ -3658,6 +3768,9 @@ static int msre_op_verifySSN_execute(modsec_rec *msr, msre_rule *rule, msre_var static int msre_op_geoLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(var != NULL); + assert(error_msg != NULL); geo_rec rec; geo_db *geo = msr->txcfg->geo; const char *geo_host = var->value; @@ -3784,6 +3897,11 @@ static int msre_op_geoLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var /* rbl */ static int msre_op_rbl_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(rule->actionset != NULL); + assert(var != NULL); + assert(error_msg != NULL); unsigned int h0, h1, h2, h3; unsigned int high8bits = 0; char *name_to_check = NULL; @@ -3792,10 +3910,11 @@ static int msre_op_rbl_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, apr_status_t rc; int capture = 0; - if (error_msg == NULL) return -1; *error_msg = NULL; - capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0; + if (rule->actionset->actions) + capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0; + else capture = 0; /* ENH Add IPv6 support. */ @@ -4072,18 +4191,16 @@ static int msre_op_fuzzy_hash_init(msre_rule *rule, char **error_msg) static int msre_op_fuzzy_hash_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { - + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); #ifdef WITH_SSDEEP char result[FUZZY_MAX_RESULT]; struct fuzzy_hash_param_data *param = rule->op_param_data; struct fuzzy_hash_chunk *chunk = param->head; #endif - if (error_msg == NULL) - { - return -1; - } - *error_msg = NULL; #ifdef WITH_SSDEEP @@ -4164,7 +4281,10 @@ static int msre_op_inspectFile_init(msre_rule *rule, char **error_msg) { static int msre_op_inspectFile_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { - if (error_msg == NULL) return -1; + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); *error_msg = NULL; if (rule->op_param_data == NULL) { @@ -4288,10 +4408,13 @@ static int msre_op_validateByteRange_init(msre_rule *rule, char **error_msg) { static int msre_op_validateByteRange_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); char *table = rule->op_param_data; unsigned int i, count; - if (error_msg == NULL) return -1; *error_msg = NULL; if (table == NULL) { @@ -4362,6 +4485,9 @@ static int validate_url_encoding(const char *input, long int input_length) { static int msre_op_validateUrlEncoding_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(var != NULL); + assert(error_msg != NULL); int rc = validate_url_encoding(var->value, var->value_len); switch(rc) { case 1 : @@ -4482,6 +4608,9 @@ static int detect_utf8_character(const unsigned char *p_read, unsigned int lengt static int msre_op_validateUtf8Encoding_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(var != NULL); + assert(error_msg != NULL); unsigned int i, bytes_left; bytes_left = var->value_len; @@ -4539,6 +4668,9 @@ static int msre_op_validateUtf8Encoding_execute(modsec_rec *msr, msre_rule *rule static int msre_op_eq_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(error_msg != NULL); msc_string str; int left, right; char *target = NULL; @@ -4577,6 +4709,10 @@ static int msre_op_eq_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, static int msre_op_gt_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); msc_string str; int left, right; char *target = NULL; @@ -4620,16 +4756,14 @@ static int msre_op_gt_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, static int msre_op_lt_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); msc_string str; int left, right; char *target = NULL; - if ((var->value == NULL)||(rule->op_param == NULL)) { - /* NULL values do not match anything. */ - return 0; - } - - if (error_msg == NULL) return -1; *error_msg = NULL; if ((var->value == NULL)||(rule->op_param == NULL)) { @@ -4663,6 +4797,10 @@ static int msre_op_lt_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, static int msre_op_ge_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); msc_string str; int left, right; char *target = NULL; @@ -4706,6 +4844,10 @@ static int msre_op_ge_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, static int msre_op_le_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { + assert(msr != NULL); + assert(rule != NULL); + assert(var != NULL); + assert(error_msg != NULL); msc_string str; int left, right; char *target = NULL; @@ -4715,7 +4857,6 @@ static int msre_op_le_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, return 0; } - if (error_msg == NULL) return -1; *error_msg = NULL; if ((var->value == NULL)||(rule->op_param == NULL)) { diff --git a/apache2/re_variables.c b/apache2/re_variables.c index a53140b2c1..5aa7589a2b 100644 --- a/apache2/re_variables.c +++ b/apache2/re_variables.c @@ -99,6 +99,10 @@ static char *var_generic_list_validate(msre_ruleset *ruleset, msre_var *var) { static int var_args_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -144,6 +148,10 @@ static int var_args_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, static int var_args_combined_size_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; unsigned int combined_size = 0; @@ -171,6 +179,10 @@ static int var_args_combined_size_generate(modsec_rec *msr, msre_var *var, msre_ static int var_args_names_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -214,6 +226,10 @@ static int var_args_names_generate(modsec_rec *msr, msre_var *var, msre_rule *ru static int var_args_get_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -262,6 +278,10 @@ static int var_args_get_generate(modsec_rec *msr, msre_var *var, msre_rule *rule static int var_args_get_names_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -308,6 +328,10 @@ static int var_args_get_names_generate(modsec_rec *msr, msre_var *var, msre_rule static int var_args_post_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -356,6 +380,10 @@ static int var_args_post_generate(modsec_rec *msr, msre_var *var, msre_rule *rul static int var_args_post_names_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -402,10 +430,14 @@ static int var_args_post_names_generate(modsec_rec *msr, msre_var *var, msre_rul static int var_rule_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(rule != NULL); + assert(rule->actionset != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); msre_actionset *actionset = NULL; - if (rule == NULL) return 0; - actionset = rule->actionset; if (rule->chain_starter != NULL) actionset = rule->chain_starter->actionset; @@ -437,13 +469,13 @@ static int var_rule_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, return var_simple_generate(var, vartab, mptmp, value); } - return 0; } /* ENV */ static char *var_env_validate(msre_ruleset *ruleset, msre_var *var) { + assert(ruleset != NULL); if (var->param == NULL) { return apr_psprintf(ruleset->mp, "Parameter required for ENV."); } @@ -458,6 +490,8 @@ static char *var_env_validate(msre_ruleset *ruleset, msre_var *var) { static int var_env_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); char *value = get_env_var(msr->r, (char *)var->param); if (value != NULL) { return var_simple_generate(var, vartab, mptmp, value); @@ -470,6 +504,7 @@ static int var_env_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, static int var_request_uri_raw_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return var_simple_generate(var, vartab, mptmp, msr->r->unparsed_uri); } @@ -478,6 +513,8 @@ static int var_request_uri_raw_generate(modsec_rec *msr, msre_var *var, msre_rul static int var_uniqueid_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(msr->r != NULL); char *value = get_env_var(msr->r, "UNIQUE_ID"); if (value != NULL) { return var_simple_generate(var, vartab, mptmp, value); @@ -492,10 +529,18 @@ static int var_uniqueid_generate(modsec_rec *msr, msre_var *var, msre_rule *rule static int var_request_uri_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) /* dynamic */ { + assert(msr != NULL); + assert(msr->r != NULL); char *value = NULL; if (msr->r->parsed_uri.query == NULL) value = msr->r->parsed_uri.path; - else value = apr_pstrcat(mptmp, msr->r->parsed_uri.path, "?", msr->r->parsed_uri.query, NULL); + else { + value = apr_pstrcat(mptmp, msr->r->parsed_uri.path, "?", msr->r->parsed_uri.query, NULL); + if (!value) { + msr_log(msr, 1, "REQUEST_URI: Memory allocation error"); + return -1; + } + } return var_simple_generate(var, vartab, mptmp, value); } @@ -505,7 +550,12 @@ static int var_request_uri_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_reqbody_processor_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "REQBODY_PROCESSOR: Memory allocation error"); + return -1; + } if (msr->msc_reqbody_processor == NULL) { rvar->value = apr_pstrdup(mptmp, ""); @@ -524,9 +574,22 @@ static int var_reqbody_processor_generate(modsec_rec *msr, msre_var *var, msre_r static int var_sdbm_delete_error_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(msr->r != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "SDBM_DELETE_ERROR: Memory allocation error"); + return -1; + } rvar->value = apr_psprintf(mptmp, "%d", msr->msc_sdbm_delete_error); + if (!rvar->value) { + msr_log(msr, 1, "SDBM_DELETE_ERROR: Memory allocation error"); + return -1; + } rvar->value_len = strlen(rvar->value); apr_table_addn(vartab, rvar->name, (void *)rvar); @@ -538,7 +601,12 @@ static int var_sdbm_delete_error_generate(modsec_rec *msr, msre_var *var, msre_r static int var_reqbody_processor_error_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "REQBODY_ERROR: Memory allocation error"); + return -1; + } rvar->value = apr_psprintf(mptmp, "%d", msr->msc_reqbody_error); rvar->value_len = strlen(rvar->value); @@ -552,7 +620,16 @@ static int var_reqbody_processor_error_generate(modsec_rec *msr, msre_var *var, static int var_reqbody_processor_error_msg_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(rule != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "REQBODY_ERROR_MSG: Memory allocation error"); + return -1; + } if (msr->msc_reqbody_error_msg == NULL) { rvar->value = apr_pstrdup(mptmp, ""); @@ -581,6 +658,13 @@ static char *var_xml_validate(msre_ruleset *ruleset, msre_var *var) { static int var_xml_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(var->name != NULL); + assert(rule != NULL); + assert(rule->actionset != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *tarr; const apr_table_entry_t *telts; xmlXPathContextPtr xpathCtx; @@ -667,9 +751,19 @@ static int var_xml_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, content = (char *)xmlNodeGetContent(nodes->nodeTab[i]); if (content != NULL) { + xmlFree(content); rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "XML: Memory allocation error"); + count = -1; + goto var_xml_generate_Error; + } rvar->value = apr_pstrdup(mptmp, content); - xmlFree(content); + if (!rvar->value) { + msr_log(msr, 1, "XML: Memory allocation error"); + count = -1; + goto var_xml_generate_Error; + } rvar->value_len = strlen(rvar->value); apr_table_addn(vartab, rvar->name, (void *)rvar); @@ -677,6 +771,7 @@ static int var_xml_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, } } +var_xml_generate_Error: xmlXPathFreeObject(xpathObj); xmlXPathFreeContext(xpathCtx); @@ -688,6 +783,11 @@ static int var_xml_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, static int var_webserver_error_log_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(var->name != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); msre_var *rvar = NULL; int i, count = 0; @@ -698,7 +798,15 @@ static int var_webserver_error_log_generate(modsec_rec *msr, msre_var *var, msre fem = format_error_log_message(mptmp, em); if (fem != NULL) { rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "WEBSERVER_ERROR_LOG: Memory allocation error"); + return -1; + } rvar->value = apr_pstrdup(mptmp, fem); + if (!rvar->value) { + msr_log(msr, 1, "WEBSERVER_ERROR_LOG: Memory allocation error"); + return -1; + } rvar->value_len = strlen(rvar->value); apr_table_addn(vartab, rvar->name, (void *)rvar); @@ -713,6 +821,7 @@ static int var_webserver_error_log_generate(modsec_rec *msr, msre_var *var, msre static int var_useragent_ip_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return var_simple_generate(var, vartab, mptmp, msr->useragent_ip ? msr->useragent_ip : "0.0.0.0"); } #endif @@ -722,6 +831,7 @@ static int var_useragent_ip_generate(modsec_rec *msr, msre_var *var, msre_rule * static int var_remote_addr_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); #if !defined(MSC_TEST) #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 3 if (ap_find_linked_module("mod_remoteip.c") != NULL) { @@ -739,6 +849,7 @@ static int var_remote_addr_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_remote_host_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); const char *value1 = ap_get_remote_host(msr->r->connection, msr->r->per_dir_config, REMOTE_NAME, NULL); return var_simple_generate(var, vartab, mptmp, value1); @@ -749,6 +860,7 @@ static int var_remote_host_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_remote_port_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); char *value = apr_psprintf(mptmp, "%u", msr->remote_port); return var_simple_generate(var, vartab, mptmp, value); } @@ -758,6 +870,7 @@ static int var_remote_port_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_remote_user_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return var_simple_generate(var, vartab, mptmp, msr->remote_user); } @@ -766,6 +879,10 @@ static int var_remote_user_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_tx_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -792,10 +909,18 @@ static int var_tx_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, /* If we had a match add this argument to the collection. */ if (match) { msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "TX: Memory allocation error"); + return -1; + } rvar->value = str->value; rvar->value_len = str->value_len; rvar->name = apr_psprintf(mptmp, "TX:%s", log_escape_nq_ex(mptmp, str->name, str->name_len)); + if (!rvar->name) { + msr_log(msr, 1, "TX: Memory allocation error"); + return -1; + } apr_table_addn(vartab, rvar->name, (void *)rvar); count++; @@ -810,6 +935,10 @@ static int var_tx_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, static int var_geo_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -863,6 +992,10 @@ static int var_highest_severity_generate(modsec_rec *msr, msre_var *var, msre_ru static int var_ip_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -911,6 +1044,8 @@ static int var_ip_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, static int var_matched_var_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(msr->matched_var != NULL); return var_simple_generate_ex(var, vartab, mptmp, apr_pmemdup(mptmp, msr->matched_var->value, @@ -923,6 +1058,8 @@ static int var_matched_var_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_matched_var_name_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(msr->matched_var != NULL); return var_simple_generate_ex(var, vartab, mptmp, apr_pmemdup(mptmp, msr->matched_var->name, @@ -935,6 +1072,10 @@ static int var_matched_var_name_generate(modsec_rec *msr, msre_var *var, msre_ru static int var_session_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -965,6 +1106,10 @@ static int var_session_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, /* If we had a match add this argument to the collection. */ if (match) { msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "SESSION: Memory allocation error"); + return -1; + } rvar->value = str->value; rvar->value_len = str->value_len; @@ -983,6 +1128,10 @@ static int var_session_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, static int var_user_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -1013,10 +1162,18 @@ static int var_user_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, /* If we had a match add this argument to the collection. */ if (match) { msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "USER: Memory allocation error"); + return -1; + } rvar->value = str->value; rvar->value_len = str->value_len; rvar->name = apr_psprintf(mptmp, "USER:%s", log_escape_nq_ex(mptmp, str->name, str->name_len)); + if (!rvar->name) { + msr_log(msr, 1, "USER: Memory allocation error"); + return -1; + } apr_table_addn(vartab, rvar->name, (void *)rvar); count++; @@ -1031,6 +1188,10 @@ static int var_user_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, static int var_global_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -1079,6 +1240,10 @@ static int var_global_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, static int var_resource_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -1109,6 +1274,10 @@ static int var_resource_generate(modsec_rec *msr, msre_var *var, msre_rule *rule /* If we had a match add this argument to the collection. */ if (match) { msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "RESOURCE: Memory allocation error"); + return -1; + } rvar->value = str->value; rvar->value_len = str->value_len; @@ -1127,6 +1296,10 @@ static int var_resource_generate(modsec_rec *msr, msre_var *var, msre_rule *rule static int var_files_tmp_contents_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); multipart_part **parts = NULL; int i, count = 0; @@ -1224,6 +1397,10 @@ static int var_files_tmp_contents_generate(modsec_rec *msr, msre_var *var, static int var_files_tmpnames_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); multipart_part **parts = NULL; int i, count = 0; @@ -1269,6 +1446,10 @@ static int var_files_tmpnames_generate(modsec_rec *msr, msre_var *var, msre_rule static int var_files_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); multipart_part **parts = NULL; int i, count = 0; @@ -1314,6 +1495,10 @@ static int var_files_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, static int var_files_sizes_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); multipart_part **parts = NULL; int i, count = 0; @@ -1359,6 +1544,10 @@ static int var_files_sizes_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_files_names_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); multipart_part **parts = NULL; int i, count = 0; @@ -1368,6 +1557,10 @@ static int var_files_names_generate(modsec_rec *msr, msre_var *var, msre_rule *r for(i = 0; i < msr->mpd->parts->nelts; i++) { if (parts[i]->type == MULTIPART_FILE) { msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "FILES_NAMES: Memory allocation error"); + return count; + } rvar->value = parts[i]->name; rvar->value_len = strlen(rvar->value); @@ -1387,6 +1580,9 @@ static int var_files_names_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_files_combined_size_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); multipart_part **parts = NULL; msre_var *rvar = NULL; unsigned int combined_size = 0; @@ -1402,6 +1598,10 @@ static int var_files_combined_size_generate(modsec_rec *msr, msre_var *var, msre } rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "FILES_NAMES: Memory allocation error"); + return -1; + } rvar->value = apr_psprintf(mptmp, "%u", combined_size); rvar->value_len = strlen(rvar->value); apr_table_addn(vartab, rvar->name, (void *)rvar); @@ -1414,6 +1614,10 @@ static int var_files_combined_size_generate(modsec_rec *msr, msre_var *var, msre static int var_multipart_part_headers_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); multipart_part **parts = NULL; int i, j, count = 0; @@ -1470,6 +1674,7 @@ static int var_modsec_build_generate(modsec_rec *msr, msre_var *var, msre_rule * static int var_multipart_filename_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return var_simple_generate(var, vartab, mptmp, msr->multipart_filename); } @@ -1478,6 +1683,7 @@ static int var_multipart_filename_generate(modsec_rec *msr, msre_var *var, msre_ static int var_multipart_name_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return var_simple_generate(var, vartab, mptmp, msr->multipart_name); } @@ -1486,6 +1692,7 @@ static int var_multipart_name_generate(modsec_rec *msr, msre_var *var, msre_rule static int var_multipart_boundary_quoted_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if ((msr->mpd != NULL)&&(msr->mpd->flag_boundary_quoted != 0)) { return var_simple_generate(var, vartab, mptmp, "1"); } else { @@ -1498,6 +1705,7 @@ static int var_multipart_boundary_quoted_generate(modsec_rec *msr, msre_var *var static int var_multipart_boundary_whitespace_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if ((msr->mpd != NULL)&&(msr->mpd->flag_boundary_whitespace != 0)) { return var_simple_generate(var, vartab, mptmp, "1"); } else { @@ -1510,6 +1718,7 @@ static int var_multipart_boundary_whitespace_generate(modsec_rec *msr, msre_var static int var_multipart_data_after_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if ((msr->mpd != NULL)&&(msr->mpd->flag_data_after != 0)) { return var_simple_generate(var, vartab, mptmp, "1"); } else { @@ -1522,6 +1731,7 @@ static int var_multipart_data_after_generate(modsec_rec *msr, msre_var *var, msr static int var_multipart_data_before_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if ((msr->mpd != NULL)&&(msr->mpd->flag_data_before != 0)) { return var_simple_generate(var, vartab, mptmp, "1"); } else { @@ -1534,6 +1744,7 @@ static int var_multipart_data_before_generate(modsec_rec *msr, msre_var *var, ms static int var_multipart_header_folding_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if ((msr->mpd != NULL)&&(msr->mpd->flag_header_folding != 0)) { return var_simple_generate(var, vartab, mptmp, "1"); } else { @@ -1546,6 +1757,7 @@ static int var_multipart_header_folding_generate(modsec_rec *msr, msre_var *var, static int var_multipart_crlf_line_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if ((msr->mpd != NULL)&&(msr->mpd->flag_crlf_line != 0)) { return var_simple_generate(var, vartab, mptmp, "1"); } else { @@ -1558,6 +1770,7 @@ static int var_multipart_crlf_line_generate(modsec_rec *msr, msre_var *var, msre static int var_multipart_crlf_lf_lines_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if ((msr->mpd != NULL)&&(msr->mpd->flag_lf_line != 0)&&(msr->mpd->flag_crlf_line != 0)) { return var_simple_generate(var, vartab, mptmp, "1"); } else { @@ -1570,6 +1783,7 @@ static int var_multipart_crlf_lf_lines_generate(modsec_rec *msr, msre_var *var, static int var_multipart_lf_line_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if ((msr->mpd != NULL)&&(msr->mpd->flag_lf_line != 0)) { return var_simple_generate(var, vartab, mptmp, "1"); } else { @@ -1582,6 +1796,7 @@ static int var_multipart_lf_line_generate(modsec_rec *msr, msre_var *var, msre_r static int var_multipart_missing_semicolon_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if ((msr->mpd != NULL)&&(msr->mpd->flag_missing_semicolon != 0)) { return var_simple_generate(var, vartab, mptmp, "1"); } else { @@ -1594,6 +1809,7 @@ static int var_multipart_missing_semicolon_generate(modsec_rec *msr, msre_var *v static int var_multipart_invalid_part_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if ((msr->mpd != NULL)&&(msr->mpd->flag_invalid_part != 0)) { return var_simple_generate(var, vartab, mptmp, "1"); } else { @@ -1606,6 +1822,7 @@ static int var_multipart_invalid_part_generate(modsec_rec *msr, msre_var *var, m static int var_multipart_invalid_quoting_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if ((msr->mpd != NULL)&&(msr->mpd->flag_invalid_quoting != 0)) { return var_simple_generate(var, vartab, mptmp, "1"); } else { @@ -1618,6 +1835,7 @@ static int var_multipart_invalid_quoting_generate(modsec_rec *msr, msre_var *var static int var_multipart_invalid_header_folding_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if ((msr->mpd != NULL)&&(msr->mpd->flag_invalid_header_folding != 0)) { return var_simple_generate(var, vartab, mptmp, "1"); } else { @@ -1630,6 +1848,7 @@ static int var_multipart_invalid_header_folding_generate(modsec_rec *msr, msre_v static int var_multipart_file_limit_exceeded_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if ((msr->mpd != NULL)&&(msr->mpd->flag_file_limit_exceeded != 0)) { return var_simple_generate(var, vartab, mptmp, "1"); } else { @@ -1642,6 +1861,7 @@ static int var_multipart_file_limit_exceeded_generate(modsec_rec *msr, msre_var static int var_multipart_strict_error_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if (msr->mpd != NULL) { /* Respond positive if at least one of the multipart flags is raised. */ if ( (msr->mpd->flag_error) @@ -1669,6 +1889,7 @@ static int var_multipart_strict_error_generate(modsec_rec *msr, msre_var *var, m static int var_multipart_unmatched_boundary_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if ((msr->mpd != NULL)&&(msr->mpd->flag_unmatched_boundary != 0)) { return var_simple_generate(var, vartab, mptmp, "1"); } else { @@ -1681,6 +1902,7 @@ static int var_multipart_unmatched_boundary_generate(modsec_rec *msr, msre_var * static int var_urlencoded_error_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if (msr->urlencoded_error) { return var_simple_generate(var, vartab, mptmp, "1"); } else { @@ -1693,6 +1915,7 @@ static int var_urlencoded_error_generate(modsec_rec *msr, msre_var *var, msre_ru static int var_inbound_error_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if (msr->inbound_error) { return var_simple_generate(var, vartab, mptmp, "1"); } else { @@ -1705,6 +1928,7 @@ static int var_inbound_error_generate(modsec_rec *msr, msre_var *var, msre_rule static int var_outbound_error_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if (msr->outbound_error) { return var_simple_generate(var, vartab, mptmp, "1"); } else { @@ -1719,6 +1943,8 @@ static apr_time_t calculate_perf_combined(modsec_rec *msr) { } char *format_all_performance_variables(modsec_rec *msr, apr_pool_t *mp) { + assert(msr != NULL); + assert(mp != NULL); return apr_psprintf(mp, "combined=%" APR_TIME_T_FMT ", p1=%" APR_TIME_T_FMT ", p2=%" APR_TIME_T_FMT ", p3=%" APR_TIME_T_FMT ", p4=%" APR_TIME_T_FMT ", p5=%" APR_TIME_T_FMT ", sr=%" APR_TIME_T_FMT ", sw=%" APR_TIME_T_FMT @@ -1731,6 +1957,10 @@ char *format_all_performance_variables(modsec_rec *msr, apr_pool_t *mp) { static int generate_performance_variable(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp, apr_time_t value) { + assert(msr != NULL); + assert(var != NULL); + assert( vartab!= NULL); + assert(mptmp != NULL); msre_var *rvar = NULL; rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); @@ -1747,6 +1977,10 @@ static int generate_performance_variable(modsec_rec *msr, msre_var *var, msre_ru static int var_perf_all_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); msre_var *rvar = NULL; rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); @@ -1771,6 +2005,7 @@ static int var_perf_combined_generate(modsec_rec *msr, msre_var *var, msre_rule static int var_perf_gc_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_gc); } @@ -1779,6 +2014,7 @@ static int var_perf_gc_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, static int var_perf_phase1_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_phase1); } @@ -1787,6 +2023,7 @@ static int var_perf_phase1_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_perf_phase2_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_phase2); } @@ -1795,6 +2032,7 @@ static int var_perf_phase2_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_perf_phase3_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_phase3); } @@ -1803,6 +2041,7 @@ static int var_perf_phase3_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_perf_phase4_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_phase4); } @@ -1811,6 +2050,7 @@ static int var_perf_phase4_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_perf_phase5_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_phase5); } @@ -1819,6 +2059,7 @@ static int var_perf_phase5_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_perf_sread_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_storage_read); } @@ -1827,6 +2068,7 @@ static int var_perf_sread_generate(modsec_rec *msr, msre_var *var, msre_rule *ru static int var_perf_swrite_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_storage_write); } @@ -1835,6 +2077,7 @@ static int var_perf_swrite_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_perf_logging_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_logging); } @@ -1844,6 +2087,10 @@ static int var_perf_logging_generate(modsec_rec *msr, msre_var *var, msre_rule * static int var_perf_rules_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -1887,9 +2134,16 @@ static int var_perf_rules_generate(modsec_rec *msr, msre_var *var, msre_rule *ru static int var_duration_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { - msre_var *rvar = NULL; + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); + msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "DURATION: Memory allocation error"); + return -1; + } - rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); rvar->value = apr_psprintf(mptmp, "%" APR_TIME_T_FMT, (apr_time_now() - msr->r->request_time)); rvar->value_len = strlen(rvar->value); @@ -1903,6 +2157,10 @@ static int var_duration_generate(modsec_rec *msr, msre_var *var, msre_rule *rule static int var_time_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); msre_var *rvar = NULL; struct tm *tm; time_t tc; @@ -1910,10 +2168,18 @@ static int var_time_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, tc = time(NULL); tm = localtime(&tc); rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "TIME: Memory allocation error"); + return -1; + } rvar->value = apr_psprintf(mptmp, "%02d%02d%02d%02d%02d%02d%02d", (tm->tm_year / 100) + 19, (tm->tm_year % 100), tm->tm_mon + 1, tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec); + if (!rvar->value) { + msr_log(msr, 1, "TIME: Memory allocation error"); + return -1; + } rvar->value_len = strlen(rvar->value); apr_table_addn(vartab, rvar->name, (void *)rvar); @@ -1925,6 +2191,10 @@ static int var_time_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, static int var_time_year_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); msre_var *rvar = NULL; struct tm *tm; time_t tc; @@ -1932,9 +2202,17 @@ static int var_time_year_generate(modsec_rec *msr, msre_var *var, msre_rule *rul tc = time(NULL); tm = localtime(&tc); rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "TIME_YEAR: Memory allocation error"); + return -1; + } rvar->value = apr_psprintf(mptmp, "%02d%02d", (tm->tm_year / 100) + 19, tm->tm_year % 100); + if (!rvar->value) { + msr_log(msr, 1, "TIME_YEAR: Memory allocation error"); + return -1; + } rvar->value_len = strlen(rvar->value); apr_table_addn(vartab, rvar->name, (void *)rvar); @@ -1946,6 +2224,10 @@ static int var_time_year_generate(modsec_rec *msr, msre_var *var, msre_rule *rul static int var_time_wday_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); msre_var *rvar = NULL; struct tm *tm; time_t tc; @@ -1953,7 +2235,15 @@ static int var_time_wday_generate(modsec_rec *msr, msre_var *var, msre_rule *rul tc = time(NULL); tm = localtime(&tc); rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "TIME_WDAY: Memory allocation error"); + return -1; + } rvar->value = apr_psprintf(mptmp, "%d", tm->tm_wday); + if (!rvar->value) { + msr_log(msr, 1, "TIME_WDAY: Memory allocation error"); + return -1; + } rvar->value_len = strlen(rvar->value); apr_table_addn(vartab, rvar->name, (void *)rvar); @@ -1965,6 +2255,10 @@ static int var_time_wday_generate(modsec_rec *msr, msre_var *var, msre_rule *rul static int var_time_sec_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); msre_var *rvar = NULL; struct tm *tm; time_t tc; @@ -1972,7 +2266,15 @@ static int var_time_sec_generate(modsec_rec *msr, msre_var *var, msre_rule *rule tc = time(NULL); tm = localtime(&tc); rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "TIME_SEC: Memory allocation error"); + return -1; + } rvar->value = apr_psprintf(mptmp, "%02d", tm->tm_sec); + if (!rvar->value) { + msr_log(msr, 1, "TIME_SEC: Memory allocation error"); + return -1; + } rvar->value_len = strlen(rvar->value); apr_table_addn(vartab, rvar->name, (void *)rvar); @@ -1984,6 +2286,10 @@ static int var_time_sec_generate(modsec_rec *msr, msre_var *var, msre_rule *rule static int var_time_min_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); msre_var *rvar = NULL; struct tm *tm; time_t tc; @@ -1991,7 +2297,15 @@ static int var_time_min_generate(modsec_rec *msr, msre_var *var, msre_rule *rule tc = time(NULL); tm = localtime(&tc); rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "TIME_MIN: Memory allocation error"); + return -1; + } rvar->value = apr_psprintf(mptmp, "%02d", tm->tm_min); + if (!rvar->value) { + msr_log(msr, 1, "TIME_MIN: Memory allocation error"); + return -1; + } rvar->value_len = strlen(rvar->value); apr_table_addn(vartab, rvar->name, (void *)rvar); @@ -2002,6 +2316,10 @@ static int var_time_min_generate(modsec_rec *msr, msre_var *var, msre_rule *rule static int var_time_hour_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); msre_var *rvar = NULL; struct tm *tm; time_t tc; @@ -2009,7 +2327,15 @@ static int var_time_hour_generate(modsec_rec *msr, msre_var *var, msre_rule *rul tc = time(NULL); tm = localtime(&tc); rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "TIME_HOUR: Memory allocation error"); + return -1; + } rvar->value = apr_psprintf(mptmp, "%02d", tm->tm_hour); + if (!rvar->value) { + msr_log(msr, 1, "TIME_HOUR: Memory allocation error"); + return -1; + } rvar->value_len = strlen(rvar->value); apr_table_addn(vartab, rvar->name, (void *)rvar); @@ -2021,6 +2347,10 @@ static int var_time_hour_generate(modsec_rec *msr, msre_var *var, msre_rule *rul static int var_time_mon_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); msre_var *rvar = NULL; struct tm *tm; time_t tc; @@ -2028,7 +2358,21 @@ static int var_time_mon_generate(modsec_rec *msr, msre_var *var, msre_rule *rule tc = time(NULL); tm = localtime(&tc); rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + assert(msr != NULL); + assert(msr->r != NULL); + assert(var != NULL); + assert(rule != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); + if (!rvar) { + msr_log(msr, 1, "TIME_MON: Memory allocation error"); + return -1; + } rvar->value = apr_psprintf(mptmp, "%02d", tm->tm_mon + 1); + if (!rvar->value) { + msr_log(msr, 1, "TIME_MON: Memory allocation error"); + return -1; + } rvar->value_len = strlen(rvar->value); apr_table_addn(vartab, rvar->name, (void *)rvar); @@ -2040,6 +2384,11 @@ static int var_time_mon_generate(modsec_rec *msr, msre_var *var, msre_rule *rule static int var_time_day_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(msr->r != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); msre_var *rvar = NULL; struct tm *tm; time_t tc; @@ -2047,7 +2396,15 @@ static int var_time_day_generate(modsec_rec *msr, msre_var *var, msre_rule *rule tc = time(NULL); tm = localtime(&tc); rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "TIME_DAY: Memory allocation error"); + return -1; + } rvar->value = apr_psprintf(mptmp, "%02d", tm->tm_mday); + if (!rvar->value) { + msr_log(msr, 1, "TIME_DAY: Memory allocation error"); + return -1; + } rvar->value_len = strlen(rvar->value); apr_table_addn(vartab, rvar->name, (void *)rvar); @@ -2059,12 +2416,24 @@ static int var_time_day_generate(modsec_rec *msr, msre_var *var, msre_rule *rule static int var_time_epoch_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); msre_var *rvar = NULL; time_t tc; tc = time(NULL); rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "TIME_EPOCH: Memory allocation error"); + return -1; + } rvar->value = apr_psprintf(mptmp, "%ld", (long)tc); + if (!rvar->value) { + msr_log(msr, 1, "TIME_EPOCH: Memory allocation error"); + return -1; + } rvar->value_len = strlen(rvar->value); apr_table_addn(vartab, rvar->name, (void *)rvar); @@ -2076,6 +2445,7 @@ static int var_time_epoch_generate(modsec_rec *msr, msre_var *var, msre_rule *ru static int var_query_string_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return var_simple_generate(var, vartab, mptmp, msr->query_string); } @@ -2084,6 +2454,8 @@ static int var_query_string_generate(modsec_rec *msr, msre_var *var, msre_rule * static int var_request_basename_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(msr->r != NULL); char *value = file_basename(mptmp, msr->r->parsed_uri.path); return var_simple_generate(var, vartab, mptmp, value); } @@ -2155,6 +2527,10 @@ static int var_full_request_generate(modsec_rec *msr, msre_var *var, static int var_full_request_length_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; char *value = NULL; int headers_length = 0; @@ -2173,6 +2549,7 @@ static int var_full_request_length_generate(modsec_rec *msr, msre_var *var, msre static int var_request_body_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if (msr->msc_reqbody_buffer != NULL) { return var_simple_generate_ex(var, vartab, mptmp, msr->msc_reqbody_buffer, msr->msc_reqbody_length); @@ -2185,6 +2562,7 @@ static int var_request_body_generate(modsec_rec *msr, msre_var *var, msre_rule * static int var_request_body_length_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); char *value = apr_psprintf(mptmp, "%d", msr->msc_reqbody_length); return var_simple_generate(var, vartab, mptmp, value); } @@ -2194,6 +2572,10 @@ static int var_request_body_length_generate(modsec_rec *msr, msre_var *var, msre static int var_matched_vars_names_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -2259,6 +2641,10 @@ static int var_matched_vars_names_generate(modsec_rec *msr, msre_var *var, msre_ static int var_matched_vars_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -2324,6 +2710,10 @@ static int var_matched_vars_generate(modsec_rec *msr, msre_var *var, msre_rule * static int var_request_cookies_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -2348,11 +2738,19 @@ static int var_request_cookies_generate(modsec_rec *msr, msre_var *var, msre_rul /* If we had a match add this argument to the collection. */ if (match) { msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "REQUEST_COOKIES: Memory allocation error"); + return -1; + } rvar->value = te[i].val; rvar->value_len = strlen(rvar->value); rvar->name = apr_psprintf(mptmp, "REQUEST_COOKIES:%s", log_escape_nq(mptmp, te[i].key)); + if (!rvar->name) { + msr_log(msr, 1, "REQUEST_COOKIES: Memory allocation error"); + return -1; + } apr_table_addn(vartab, rvar->name, (void *)rvar); count++; @@ -2367,6 +2765,10 @@ static int var_request_cookies_generate(modsec_rec *msr, msre_var *var, msre_rul static int var_request_cookies_names_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -2391,11 +2793,19 @@ static int var_request_cookies_names_generate(modsec_rec *msr, msre_var *var, ms /* If we had a match add this argument to the collection. */ if (match) { msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "REQUEST_COOKIES_NAMES: Memory allocation error"); + return -1; + } rvar->value = te[i].key; rvar->value_len = strlen(rvar->value); rvar->name = apr_psprintf(mptmp, "REQUEST_COOKIES_NAMES:%s", log_escape_nq(mptmp, te[i].key)); + if (!rvar->name) { + msr_log(msr, 1, "REQUEST_COOKIES_NAMES: Memory allocation error"); + return -1; + } apr_table_addn(vartab, rvar->name, (void *)rvar); count++; @@ -2410,6 +2820,10 @@ static int var_request_cookies_names_generate(modsec_rec *msr, msre_var *var, ms static int var_request_headers_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -2434,11 +2848,19 @@ static int var_request_headers_generate(modsec_rec *msr, msre_var *var, msre_rul /* If we had a match add this argument to the collection. */ if (match) { msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "REQUEST_HEADERS: Memory allocation error"); + return -1; + } rvar->value = te[i].val; rvar->value_len = strlen(rvar->value); rvar->name = apr_psprintf(mptmp, "REQUEST_HEADERS:%s", log_escape_nq(mptmp, te[i].key)); + if (!rvar->name) { + msr_log(msr, 1, "REQUEST_HEADERS: Memory allocation error"); + return -1; + } apr_table_addn(vartab, rvar->name, (void *)rvar); count++; @@ -2453,6 +2875,10 @@ static int var_request_headers_generate(modsec_rec *msr, msre_var *var, msre_rul static int var_request_headers_names_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -2477,11 +2903,19 @@ static int var_request_headers_names_generate(modsec_rec *msr, msre_var *var, ms /* If we had a match add this argument to the collection. */ if (match) { msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "REQUEST_HEADERS_NAMES: Memory allocation error"); + return -1; + } rvar->value = te[i].key; rvar->value_len = strlen(rvar->value); rvar->name = apr_psprintf(mptmp, "REQUEST_HEADERS_NAMES:%s", log_escape_nq(mptmp, te[i].key)); + if (!rvar->name) { + msr_log(msr, 1, "REQUEST_HEADERS_NAMES: Memory allocation error"); + return -1; + } apr_table_addn(vartab, rvar->name, (void *)rvar); count++; @@ -2496,6 +2930,7 @@ static int var_request_headers_names_generate(modsec_rec *msr, msre_var *var, ms static int var_request_filename_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return var_simple_generate(var, vartab, mptmp, msr->r->parsed_uri.path); } @@ -2504,6 +2939,7 @@ static int var_request_filename_generate(modsec_rec *msr, msre_var *var, msre_ru static int var_request_line_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return var_simple_generate(var, vartab, mptmp, msr->request_line); } @@ -2512,6 +2948,7 @@ static int var_request_line_generate(modsec_rec *msr, msre_var *var, msre_rule * static int var_request_method_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return var_simple_generate(var, vartab, mptmp, msr->request_method); } @@ -2520,6 +2957,7 @@ static int var_request_method_generate(modsec_rec *msr, msre_var *var, msre_rule static int var_request_protocol_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return var_simple_generate(var, vartab, mptmp, msr->request_protocol); } @@ -2528,6 +2966,7 @@ static int var_request_protocol_generate(modsec_rec *msr, msre_var *var, msre_ru static int var_server_addr_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return var_simple_generate(var, vartab, mptmp, msr->local_addr); } @@ -2536,6 +2975,7 @@ static int var_server_addr_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_server_name_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); return var_simple_generate(var, vartab, mptmp, msr->hostname); } @@ -2544,7 +2984,12 @@ static int var_server_name_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_server_port_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); char *value = apr_psprintf(mptmp, "%u", msr->local_port); + if (!value) { + msr_log(msr, 1, "SERVER_PORT: Memory allocation error"); + return -1; + } return var_simple_generate(var, vartab, mptmp, value); } @@ -2553,6 +2998,8 @@ static int var_server_port_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_script_basename_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(msr->r != NULL); char *value = file_basename(mptmp, msr->r->filename); return var_simple_generate(var, vartab, mptmp, value); } @@ -2562,6 +3009,8 @@ static int var_script_basename_generate(modsec_rec *msr, msre_var *var, msre_rul static int var_script_filename_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(msr->r != NULL); char *value = msr->r->filename; return var_simple_generate(var, vartab, mptmp, value); } @@ -2571,7 +3020,13 @@ static int var_script_filename_generate(modsec_rec *msr, msre_var *var, msre_rul static int var_script_gid_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(msr->r != NULL); char *value = apr_psprintf(mptmp, "%ld", (long)msr->r->finfo.group); + if (!value) { + msr_log(msr, 1, "SCRIPT_GID: Memory allocation error"); + return -1; + } return var_simple_generate(var, vartab, mptmp, value); } @@ -2580,6 +3035,9 @@ static int var_script_gid_generate(modsec_rec *msr, msre_var *var, msre_rule *ru static int var_script_groupname_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(msr->r != NULL); + assert(mptmp != NULL); char *value = NULL; if (apr_gid_name_get(&value, msr->r->finfo.group, mptmp) == APR_SUCCESS) { return var_simple_generate(var, vartab, mptmp, value); @@ -2592,6 +3050,9 @@ static int var_script_groupname_generate(modsec_rec *msr, msre_var *var, msre_ru static int var_script_mode_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(msr->r != NULL); + assert(mptmp != NULL); char *value = apr_psprintf(mptmp, "%04x", msr->r->finfo.protection); return var_simple_generate(var, vartab, mptmp, value); } @@ -2601,6 +3062,9 @@ static int var_script_mode_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_script_uid_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(msr->r != NULL); + assert(mptmp != NULL); char *value = apr_psprintf(mptmp, "%ld", (long)msr->r->finfo.user); return var_simple_generate(var, vartab, mptmp, value); } @@ -2610,6 +3074,9 @@ static int var_script_uid_generate(modsec_rec *msr, msre_var *var, msre_rule *ru static int var_script_username_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(msr->r != NULL); + assert(mptmp != NULL); char *value = NULL; if (apr_uid_name_get(&value, msr->r->finfo.user, mptmp) == APR_SUCCESS) { return var_simple_generate(var, vartab, mptmp, value); @@ -2622,6 +3089,7 @@ static int var_script_username_generate(modsec_rec *msr, msre_var *var, msre_rul static int var_auth_type_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); char *value = msr->r->ap_auth_type; return var_simple_generate(var, vartab, mptmp, value); } @@ -2631,6 +3099,7 @@ static int var_auth_type_generate(modsec_rec *msr, msre_var *var, msre_rule *rul static int var_path_info_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); const char *value = msr->r->path_info; return var_simple_generate(var, vartab, mptmp, value); } @@ -2640,6 +3109,7 @@ static int var_path_info_generate(modsec_rec *msr, msre_var *var, msre_rule *rul static int var_stream_output_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if (msr->stream_output_data != NULL) { return var_simple_generate_ex(var, vartab, mptmp, msr->stream_output_data, msr->stream_output_length); @@ -2653,6 +3123,7 @@ static int var_stream_output_generate(modsec_rec *msr, msre_var *var, msre_rule static int var_stream_input_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if (msr->stream_input_data != NULL) { return var_simple_generate_ex(var, vartab, mptmp, msr->stream_input_data, msr->stream_input_length); @@ -2666,6 +3137,7 @@ static int var_stream_input_generate(modsec_rec *msr, msre_var *var, msre_rule * static int var_response_body_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); if (msr->resbody_data != NULL) { return var_simple_generate_ex(var, vartab, mptmp, msr->resbody_data, msr->resbody_length); @@ -2679,6 +3151,10 @@ static int var_response_body_generate(modsec_rec *msr, msre_var *var, msre_rule static int var_response_headers_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -2705,11 +3181,19 @@ static int var_response_headers_generate(modsec_rec *msr, msre_var *var, msre_ru /* If we had a match add this argument to the collection. */ if (match) { msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "RESPONSE_HEADERS: Memory allocation error"); + return -1; + } rvar->value = te[i].val; rvar->value_len = strlen(rvar->value); rvar->name = apr_psprintf(mptmp, "RESPONSE_HEADERS:%s", log_escape_nq(mptmp, te[i].key)); + if (!rvar->name) { + msr_log(msr, 1, "RESPONSE_HEADERS: Memory allocation error"); + return -1; + } apr_table_addn(vartab, rvar->name, (void *)rvar); count++; @@ -2724,6 +3208,10 @@ static int var_response_headers_generate(modsec_rec *msr, msre_var *var, msre_ru static int var_response_headers_names_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(var != NULL); + assert(vartab != NULL); + assert(mptmp != NULL); const apr_array_header_t *arr = NULL; const apr_table_entry_t *te = NULL; int i, count = 0; @@ -2748,11 +3236,19 @@ static int var_response_headers_names_generate(modsec_rec *msr, msre_var *var, m /* If we had a match add this argument to the collection. */ if (match) { msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var)); + if (!rvar) { + msr_log(msr, 1, "RESPONSE_HEADERS_NAMES: Memory allocation error"); + return -1; + } rvar->value = te[i].key; rvar->value_len = strlen(rvar->value); rvar->name = apr_psprintf(mptmp, "RESPONSE_HEADERS_NAMES:%s", log_escape_nq(mptmp, te[i].key)); + if (!rvar) { + msr_log(msr, 1, "RESPONSE_HEADERS_NAMES: Memory allocation error"); + return -1; + } apr_table_addn(vartab, rvar->name, (void *)rvar); count++; @@ -2767,6 +3263,7 @@ static int var_response_headers_names_generate(modsec_rec *msr, msre_var *var, m static int var_status_line_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); const char *value = msr->status_line; return var_simple_generate(var, vartab, mptmp, value); } @@ -2776,6 +3273,7 @@ static int var_status_line_generate(modsec_rec *msr, msre_var *var, msre_rule *r static int var_response_protocol_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); const char *value = msr->response_protocol; return var_simple_generate(var, vartab, mptmp, value); } @@ -2785,6 +3283,7 @@ static int var_response_protocol_generate(modsec_rec *msr, msre_var *var, msre_r static int var_response_status_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); const char *value = apr_psprintf(mptmp, "%u", msr->response_status); return var_simple_generate(var, vartab, mptmp, value); } @@ -2794,6 +3293,8 @@ static int var_response_status_generate(modsec_rec *msr, msre_var *var, msre_rul static int var_response_content_type(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(msr->r != NULL); return var_simple_generate(var, vartab, mptmp, msr->r->content_type); } @@ -2802,6 +3303,8 @@ static int var_response_content_type(modsec_rec *msr, msre_var *var, msre_rule * static int var_response_content_length(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(msr->r != NULL); const char *value = apr_psprintf(mptmp, "%" APR_OFF_T_FMT, msr->r->clength); return var_simple_generate(var, vartab, mptmp, value); } @@ -2811,6 +3314,7 @@ static int var_response_content_length(modsec_rec *msr, msre_var *var, msre_rule static int var_userid_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); const char *value = msr->userid; return var_simple_generate(var, vartab, mptmp, value); } @@ -2820,6 +3324,7 @@ static int var_userid_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, static int var_sessionid_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); const char *value = msr->sessionid; return var_simple_generate(var, vartab, mptmp, value); } @@ -2829,6 +3334,8 @@ static int var_sessionid_generate(modsec_rec *msr, msre_var *var, msre_rule *rul static int var_webappid_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { + assert(msr != NULL); + assert(msr->txcfg != NULL); const char *value = msr->txcfg->webappid; return var_simple_generate(var, vartab, mptmp, value); } From 538ffa6baa655c2c846d605889f695904d44f47e Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Thu, 4 Apr 2024 15:45:55 +0200 Subject: [PATCH 04/18] Added some null pointer checks. Added a design doc. --- apache2/mod_security2.c | 11 ++--------- apache2/msc_json.c | 9 +++++++++ apache2/msc_multipart.c | 3 --- apache2/re.c | 6 +++--- design.md | 29 +++++++++++++++++++++++++++++ 5 files changed, 43 insertions(+), 15 deletions(-) create mode 100644 design.md diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c index 091aa0e040..0ee72865fc 100644 --- a/apache2/mod_security2.c +++ b/apache2/mod_security2.c @@ -867,10 +867,7 @@ static int hook_request_early(request_rec *r) { * create the initial configuration. */ msr = create_tx_context(r); - if (msr == NULL) { - msr_log(msr, 9, "Failed to create context after request failure."); - return DECLINED; - } + if (msr == NULL) return DECLINED; if (msr->txcfg->debuglog_level >= 9) { msr_log(msr, 9, "Context created after request failure."); } @@ -1165,11 +1162,7 @@ static void hook_error_log(const char *file, int line, int level, apr_status_t s #else msr = create_tx_context((request_rec*)r); #endif - if (msr == NULL) { - msr_log(msr, 9, "Failed to create context after request failure."); - return; - } - if (msr->txcfg->debuglog_level >= 9) { + if (msr && msr->txcfg->debuglog_level >= 9) { msr_log(msr, 9, "Context created after request failure."); } } diff --git a/apache2/msc_json.c b/apache2/msc_json.c index b42aa96a80..db0f9f025e 100644 --- a/apache2/msc_json.c +++ b/apache2/msc_json.c @@ -87,6 +87,7 @@ int json_add_argument(modsec_rec *msr, const char *value, unsigned length) static int yajl_map_key(void *ctx, const unsigned char *key, size_t length) { modsec_rec *msr = (modsec_rec *) ctx; + assert(msr != NULL); unsigned char *safe_key = (unsigned char *) NULL; /** @@ -118,6 +119,7 @@ static int yajl_map_key(void *ctx, const unsigned char *key, size_t length) static int yajl_null(void *ctx) { modsec_rec *msr = (modsec_rec *) ctx; + assert(msr != NULL); return json_add_argument(msr, "", 0); } @@ -128,6 +130,7 @@ static int yajl_null(void *ctx) static int yajl_boolean(void *ctx, int value) { modsec_rec *msr = (modsec_rec *) ctx; + assert(msr != NULL); if (value) { return json_add_argument(msr, "true", strlen("true")); @@ -143,6 +146,7 @@ static int yajl_boolean(void *ctx, int value) static int yajl_string(void *ctx, const unsigned char *value, size_t length) { modsec_rec *msr = (modsec_rec *) ctx; + assert(msr != NULL); return json_add_argument(msr, value, length); } @@ -155,12 +159,14 @@ static int yajl_string(void *ctx, const unsigned char *value, size_t length) static int yajl_number(void *ctx, const char *value, size_t length) { modsec_rec *msr = (modsec_rec *) ctx; + assert(msr != NULL); return json_add_argument(msr, value, length); } static int yajl_start_array(void *ctx) { modsec_rec *msr = (modsec_rec *) ctx; + assert(msr != NULL); if (!msr->json->current_key && !msr->json->prefix) { msr->json->prefix = apr_pstrdup(msr->mp, "array"); @@ -190,6 +196,7 @@ static int yajl_start_array(void *ctx) { static int yajl_end_array(void *ctx) { modsec_rec *msr = (modsec_rec *) ctx; + assert(msr != NULL); unsigned char *separator = (unsigned char *) NULL; /** @@ -226,6 +233,7 @@ static int yajl_end_array(void *ctx) { static int yajl_start_map(void *ctx) { modsec_rec *msr = (modsec_rec *) ctx; + assert(msr != NULL); /** * If we do not have a current_key, this is a top-level hash, so we do not @@ -264,6 +272,7 @@ static int yajl_start_map(void *ctx) static int yajl_end_map(void *ctx) { modsec_rec *msr = (modsec_rec *) ctx; + assert(msr != NULL); unsigned char *separator = (unsigned char *) NULL; /** diff --git a/apache2/msc_multipart.c b/apache2/msc_multipart.c index e40136b4fd..7d56dd64e0 100644 --- a/apache2/msc_multipart.c +++ b/apache2/msc_multipart.c @@ -24,9 +24,6 @@ void validate_quotes(modsec_rec *msr, char *data, char quote) { assert(msr != NULL); int i, len; - if(msr == NULL) - return; - if(msr->mpd == NULL) return; diff --git a/apache2/re.c b/apache2/re.c index 77ea8ead16..816b911d18 100644 --- a/apache2/re.c +++ b/apache2/re.c @@ -215,11 +215,9 @@ char *msre_ruleset_phase_rule_update_target_matching_exception(modsec_rec *msr, rules = (msre_rule **)phase_arr->elts; for (i = 0; i < phase_arr->nelts; i++) { msre_rule *rule = (msre_rule *)rules[i]; - if (mode == 0) { /* Looking for next rule. */ if (msre_ruleset_rule_matches_exception(rule, re)) { - - err = update_rule_target_ex(NULL, ruleset, rule, p2, p3); + err = update_rule_target_ex(msr, ruleset, rule, p2, p3); if (err) return err; if (rule->actionset->is_chained) mode = 2; /* Match all rules in this chain. */ } else { @@ -3141,6 +3139,8 @@ static apr_status_t msre_rule_process_normal(msre_rule *rule, modsec_rec *msr) { /* Perform transformations. */ tarr = apr_table_elts(normtab); + /* if no transformation, multi_match makes no sense and breaks the logic */ + if (tarr->nelts == 0) multi_match = 0; /* Execute transformations in a loop. */ diff --git a/design.md b/design.md new file mode 100644 index 0000000000..a8e56e128e --- /dev/null +++ b/design.md @@ -0,0 +1,29 @@ +Design notes for source code +== +This file give some explanations and guidelines regarding ModSecurity v2 source code. +The goal is to discuss topics that are not related to a specific location in the code, so that cannot be best explained by comments. +The goal is not to replace comments where it is probably better. +It's quite short for the moment, but the goal is to extend it from time to time. + +## Null pointer check +The default behaviour is to check for null pointer dereference everywhere it may be needed. +In case a pointer cannot be null, it has to be explained with a comment at the beginning of the function of when dereferencing the pointer. +On top of that, an explicit check should be done when compiling in debug mode with the following code: +``` + assert(mypointer); +``` +In case a pointer that cannot be null is used at several locations (say more than 3 times), +the explanation could be given globally in this file. + +### Pointers never null +The following pointers can never be null: + +#### msr + +msr is assigned at the following places: +- mod_security2.c (14 x): initialization +In all the above calls, and all calling functions, it immediately returns (with an error code) in case msr is null, up to a place where no mod_security2 processing at all occurs. +In subsequent calls, there's thus no possibility to have msr null. +- apache2_io.c (2 x): assign a previously initialized msr +- msc_json (9 x): assign a previously initialized msr +- msc_lua.c (4 x): assign a previously initialized msr From 518b8ba6abc5011e5a4f56c8ae666d7fa7bc80d0 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Thu, 4 Apr 2024 16:01:51 +0200 Subject: [PATCH 05/18] more null pointer checks --- apache2/re.c | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/apache2/re.c b/apache2/re.c index 816b911d18..5999eb826b 100644 --- a/apache2/re.c +++ b/apache2/re.c @@ -48,6 +48,13 @@ static apr_status_t msre_rule_process(msre_rule *rule, modsec_rec *msr); /* -- Actions, variables, functions and operator functions ----------------- */ +// Returns the rule id if existing, otherwise the file name & line number +static const char* id_log(msre_rule* rule) { + const char* id = rule->actionset->id; + if (!id || !*id || id == NOT_SET_P) id = apr_psprintf(rule->ruleset->mp, "%s (%d)", rule->filename, rule->line_num); + return id; +} + /** * \brief Remove rule targets to be processed * @@ -94,7 +101,7 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va if(targets != NULL) { if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "fetch_target_exception: Found exception target list [%s] for rule id %s", targets, rule->actionset->id); + msr_log(msr, 9, "fetch_target_exception: Found exception target list [%s] for rule id %s", targets, id_log(rule)); } target = apr_strtok((char *)targets, ",", &savedptr); @@ -139,7 +146,7 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va } } else { if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "fetch_target_exception: No exception target found for rule id %s.", rule->actionset->id); + msr_log(msr, 9, "fetch_target_exception: No exception target found for rule id %s.", id_log(rule)); } } @@ -1583,7 +1590,7 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re saw_starter = 0; if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Current rule is id=\"%s\" [chained %d] is trying to find the SecMarker=\"%s\" [stater %d]",rule->actionset->id,last_rule->actionset->is_chained,skip_after,saw_starter); + msr_log(msr, 9, "Current rule is id=\"%s\" [chained %d] is trying to find the SecMarker=\"%s\" [stater %d]", id_log(rule),last_rule->actionset->is_chained,skip_after,saw_starter); } } @@ -1740,7 +1747,7 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re msr_log(msr, 5, "Not processing %srule id=\"%s\": " "removed by ctl action", rule->actionset->is_chained ? "chained " : "", - rule->actionset->id); + id_log(rule)); } /* Skip the whole chain, if this is a chained rule */ @@ -1910,15 +1917,11 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re } } else if (rc < 0) { - const char *id = ""; const char *msg = ""; - if (rule->actionset->id) { - id = rule->actionset->id; - } if (rule->actionset->msg) { msg = rule->actionset->msg; } - msr_log(msr, 1, "Rule processing failed (id=%s, msg=%s).", id, msg); + msr_log(msr, 1, "Rule processing failed (id=%s, msg=%s).", id_log(rule), msg); if (msr->txcfg->reqintercept_oe == 1) { apr_table_clear(msr->matched_vars); @@ -1948,15 +1951,11 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re } } else { - const char *id = ""; const char *msg = ""; - if (rule->actionset->id) { - id = rule->actionset->id; - } if (rule->actionset->msg) { msg = rule->actionset->msg; } - msr_log(msr, 1, "Rule processing failed with unknown return code: %d (id=%s, msg=%s).", rc, id, msg); + msr_log(msr, 1, "Rule processing failed with unknown return code: %d (id=%s, msg=%s).", rc, id_log(rule), msg); apr_table_clear(msr->matched_vars); return -1; } From 1014e479b7769cc2ee7a5606f705f6a2f9205519 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Fri, 5 Apr 2024 18:17:25 +0200 Subject: [PATCH 06/18] Added missing prototype --- apache2/msc_util.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apache2/msc_util.h b/apache2/msc_util.h index 373e23e214..1925a155f1 100644 --- a/apache2/msc_util.h +++ b/apache2/msc_util.h @@ -165,6 +165,8 @@ int ip_tree_from_uri(TreeRoot **rtree, char *uri, apr_pool_t *mp, char **error_msg); #endif +char DSOLOCAL *get_username(apr_pool_t* mp); + int read_line(char *buff, int size, FILE *fp); size_t msc_curl_write_memory_cb(void *contents, size_t size, From c8e1904da80600c08880a3180d4439e36f455aa7 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Fri, 5 Apr 2024 18:21:02 +0200 Subject: [PATCH 07/18] Missing function --- apache2/msc_util.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/apache2/msc_util.c b/apache2/msc_util.c index c4d498417d..fd318a087a 100644 --- a/apache2/msc_util.c +++ b/apache2/msc_util.c @@ -2850,3 +2850,14 @@ char* strtok_r( } #endif +// we cannot log an error message as this happens much too often +char* get_username(apr_pool_t* mp) { + char* username; + apr_uid_t uid; + apr_gid_t gid; + int rc = apr_uid_current(&uid, &gid, mp); + if (rc != APR_SUCCESS) return "apache"; + rc = apr_uid_name_get(&username, uid, mp); + if (rc != APR_SUCCESS) return "apache"; + return username; +} From 5f938536a0aa541eb3089877bdd4cfc2c84e4b5e Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Mon, 8 Apr 2024 11:01:29 +0200 Subject: [PATCH 08/18] fixed a NULL check --- apache2/re.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apache2/re.c b/apache2/re.c index 4b44f0f371..a7451f8fba 100644 --- a/apache2/re.c +++ b/apache2/re.c @@ -873,6 +873,7 @@ static msre_action_metadata *msre_resolve_action(msre_engine *engine, const char msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *name, const char *param, modsec_rec *msr, char **error_msg) { + // msr can be NULL const char *varparam = param; msre_var *var = apr_pcalloc(pool, sizeof(msre_var)); if (var == NULL) return NULL; @@ -953,7 +954,7 @@ msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char * static msre_var *msre_create_var(msre_ruleset *ruleset, const char *name, const char *param, modsec_rec *msr, char **error_msg) { - assert(msr != NULL); + // msr can be NULL assert(ruleset != NULL); assert(error_msg != NULL); msre_var *var = msre_create_var_ex(ruleset->mp, ruleset->engine, name, param, msr, error_msg); From a01b9b527e0e8b4a15f13798d224624e2bf1f684 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Wed, 10 Apr 2024 14:04:34 +0200 Subject: [PATCH 09/18] minor fixes --- apache2/apache2_config.c | 5 +++-- apache2/re.c | 8 ++++---- apache2/re.h | 4 ++++ 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c index 615d0c38e4..17f529ce20 100644 --- a/apache2/apache2_config.c +++ b/apache2/apache2_config.c @@ -32,8 +32,9 @@ // Returns the rule id if existing, otherwise the file name & line number static const char* id_log(msre_rule* rule) { - const char* id = rule->actionset->id; - if (!id || !*id || id == NOT_SET_P) id = apr_psprintf(rule->ruleset->mp, "%s (%d)", rule->filename, rule->line_num); + char* id = rule->actionset->id; + if (id == NOT_SET_P || !id || !*id) + id = apr_psprintf(rule->ruleset->mp, "%s (%d)", rule->filename, rule->line_num); return id; } diff --git a/apache2/re.c b/apache2/re.c index a7451f8fba..e775d546b6 100644 --- a/apache2/re.c +++ b/apache2/re.c @@ -168,7 +168,6 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va * \param p3 Pointer to configuration option REPLACED_TARGET */ char *msre_ruleset_rule_update_target_matching_exception(modsec_rec *msr, msre_ruleset *ruleset, rule_exception *re, const char *p2, const char *p3) { - assert(msr != NULL); char *err; if(ruleset == NULL) @@ -210,7 +209,6 @@ char *msre_ruleset_phase_rule_update_target_matching_exception(modsec_rec *msr, apr_array_header_t *phase_arr, const char *p2, const char *p3) { - assert(msr != NULL); assert(ruleset != NULL); msre_rule **rules; int i, j, mode; @@ -245,7 +243,6 @@ char *msre_ruleset_phase_rule_update_target_matching_exception(modsec_rec *msr, char *update_rule_target_ex(modsec_rec *msr, msre_ruleset *ruleset, msre_rule *rule, const char *p2, const char *p3) { - assert(msr != NULL); assert(ruleset != NULL); msre_var **targets = NULL; @@ -646,7 +643,10 @@ static char *msre_generate_target_string(apr_pool_t *pool, msre_rule *rule) { /** * Generate an action string from an actionset. */ -static char *msre_actionset_generate_action_string(apr_pool_t *pool, const msre_actionset *actionset) { +#ifndef DEBUG_CONF +static +#endif +char *msre_actionset_generate_action_string(apr_pool_t *pool, const msre_actionset *actionset) { const apr_array_header_t *tarr = NULL; const apr_table_entry_t *telts = NULL; char *actions = NULL; diff --git a/apache2/re.h b/apache2/re.h index c0c5433965..db6c190455 100644 --- a/apache2/re.h +++ b/apache2/re.h @@ -75,6 +75,10 @@ int DSOLOCAL rule_id_in_range(int ruleid, const char *range); msre_var DSOLOCAL *generate_single_var(modsec_rec *msr, msre_var *var, apr_array_header_t *tfn_arr, msre_rule *rule, apr_pool_t *mptmp); +#ifdef DEBUG_CONF +char DSOLOCAL* msre_actionset_generate_action_string(apr_pool_t* pool, const msre_actionset* actionset); +#endif + #if defined(WITH_LUA) apr_table_t DSOLOCAL *generate_multi_var(modsec_rec *msr, msre_var *var, apr_array_header_t *tfn_arr, msre_rule *rule, apr_pool_t *mptmp); From bd435277a96af5436f5ccad57b97af1e3e3ec025 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Wed, 10 Apr 2024 17:10:03 +0200 Subject: [PATCH 10/18] Added --enable-assertions configure flag --- configure.ac | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index aac9d52dbc..1058d2623a 100644 --- a/configure.ac +++ b/configure.ac @@ -304,7 +304,20 @@ if test "$build_docs" -eq 1; then AC_CONFIG_FILES([doc/Makefile]) fi - +AC_ARG_ENABLE(assertions, + AS_HELP_STRING([--enable-assertions], + [Turn on assertions checks (undefine NDEBUG])), +[ + if test "${enableval}" = "yes"; then + assertions=-UNDEBUG + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $assertions" + else + assertions= + fi +]], +[ + assertions= +]) # Add PCRE Studying AC_ARG_ENABLE(pcre-study, @@ -827,7 +840,8 @@ else EXTRA_CFLAGS="-O2 -g -Wall $strict_compile" fi fi - +EXTRA_CFLAGS="$EXTRA_CFLAGS $assertions" + MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type $unique_id $log_filename $log_server $log_collection_delete_problem $log_dechunk $log_stopwatch $log_handler $log_server_context $collection_global_lock $large_stream_input" APXS_WRAPPER=build/apxs-wrapper @@ -905,7 +919,7 @@ AC_LINK_IFELSE( CFLAGS="$ORIG_CFLAGS" CPPFLAGS="$ORIG_CPPFLAGS" -# Current our unique download backend is curl, furhter we can support more. +# Currently our unique download backend is curl, further we can support more. if test ! -z "${CURL_VERSION}"; then AC_DEFINE([WITH_REMOTE_RULES], [1], [Enables SecRemoteRules support]) MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS -DWITH_REMOTE_RULES" From 931c081ba6cba6fbdebafa9ffd055155b4832d98 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Thu, 11 Apr 2024 13:42:37 +0200 Subject: [PATCH 11/18] Enforcing -DNDEBUG (default normally) --- configure.ac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 1058d2623a..0b86132c45 100644 --- a/configure.ac +++ b/configure.ac @@ -312,11 +312,11 @@ AC_ARG_ENABLE(assertions, assertions=-UNDEBUG MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $assertions" else - assertions= + assertions=-DNDEBUG fi ]], [ - assertions= + assertions=-DNDEBUG ]) # Add PCRE Studying From 38d4b5c898cc1aea39a8bed74e225178378212a2 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Fri, 12 Apr 2024 16:28:45 +0200 Subject: [PATCH 12/18] typo --- configure.ac | 1930 +++++++++++++++++++++++++------------------------- 1 file changed, 965 insertions(+), 965 deletions(-) diff --git a/configure.ac b/configure.ac index 0b86132c45..3de3a53764 100644 --- a/configure.ac +++ b/configure.ac @@ -1,965 +1,965 @@ -dnl -dnl Autoconf configuration for ModSecurity -dnl -dnl Use ./autogen.sh to produce a configure script -dnl - -AC_PREREQ(2.63) - -AC_INIT([modsecurity], [2.9], [support@modsecurity.org]) - -AC_CONFIG_MACRO_DIR([build]) -AC_CONFIG_SRCDIR([LICENSE]) -AC_CONFIG_HEADERS([apache2/modsecurity_config_auto.h]) -AC_CONFIG_AUX_DIR([build]) -AC_PREFIX_DEFAULT([/usr/local/modsecurity]) - -AM_INIT_AUTOMAKE([-Wall foreign subdir-objects]) -m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) - -LT_PREREQ([2.2]) -LT_INIT([dlopen]) - -# Checks for programs. -AC_PROG_AWK -AC_PROG_CC -AC_PROG_CPP -AC_PROG_INSTALL -AC_PROG_LN_S -AC_PROG_MAKE_SET -AC_PROG_GREP -AC_PATH_PROGS(PERL, [perl perl5], ) -AC_PATH_PROGS(ENV_CMD, [env printenv], ) -PKG_PROG_PKG_CONFIG - -# Checks for header files. -AC_CHECK_HEADERS([fcntl.h limits.h stdlib.h string.h unistd.h sys/types.h sys/stat.h sys/utsname.h]) - -# Checks for typedefs, structures, and compiler characteristics. -AC_C_CONST -AC_C_INLINE -AC_C_RESTRICT -AC_TYPE_PID_T -AC_TYPE_SIZE_T -AC_STRUCT_TM -AC_TYPE_UINT8_T - -# Checks for library functions. -AC_FUNC_MALLOC -AC_FUNC_MEMCMP -AC_CHECK_FUNCS([atexit getcwd memmove memset strcasecmp strchr strdup strerror strncasecmp strrchr strstr strtol fchmod strcasestr]) - -# Some directories -MSC_BASE_DIR=`pwd` -MSC_PKGBASE_DIR="$MSC_BASE_DIR/.." -MSC_TEST_DIR="$MSC_BASE_DIR/tests" -MSC_REGRESSION_DIR="$MSC_TEST_DIR/regression" -MSC_REGRESSION_SERVERROOT_DIR="$MSC_REGRESSION_DIR/server_root" -MSC_REGRESSION_CONF_DIR="$MSC_REGRESSION_SERVERROOT_DIR/conf" -MSC_REGRESSION_LOGS_DIR="$MSC_REGRESSION_SERVERROOT_DIR/logs" -MSC_REGRESSION_DOCROOT_DIR="$MSC_REGRESSION_SERVERROOT_DIR/htdocs" - -AC_SUBST(MSC_BASE_DIR) -AC_SUBST(MSC_PKGBASE_DIR) -AC_SUBST(MSC_TEST_DIR) -AC_SUBST(MSC_REGRESSION_DIR) -AC_SUBST(MSC_REGRESSION_SERVERROOT_DIR) -AC_SUBST(MSC_REGRESSION_CONF_DIR) -AC_SUBST(MSC_REGRESSION_LOGS_DIR) -AC_SUBST(MSC_REGRESSION_DOCROOT_DIR) - -### Configure Options - -# Verbose output -AC_ARG_ENABLE(verbose-output, - AS_HELP_STRING([--enable-verbose-output], - [Enable more verbose configure output.]), -[ - if test "$enableval" != "no"; then - verbose_output=1 - else - verbose_output=0 - fi -], -[ - verbose_output=0 -]) - - -#OS type - -AC_CANONICAL_HOST -CANONICAL_HOST=$host - -AH_TEMPLATE([AIX], [Define if the operating system is AIX]) -AH_TEMPLATE([LINUX], [Define if the operating system is LINUX]) -AH_TEMPLATE([OPENBSD], [Define if the operating system is OpenBSD]) -AH_TEMPLATE([SOLARIS], [Define if the operating system is SOLARIS]) -AH_TEMPLATE([HPUX], [Define if the operating system is HPUX]) -AH_TEMPLATE([MACOSX], [Define if the operating system is Macintosh OSX]) -AH_TEMPLATE([FREEBSD], [Define if the operating system is FREEBSD]) -AH_TEMPLATE([NETBSD], [Define if the operating system is NetBSD]) - - -case $host in - *-*-aix*) - echo "Checking platform... Identified as AIX" - aixos=true - ;; - *-*-hpux*) - echo "Checking platform... Identified as HPUX" - hpuxos=true - ;; - *-*-darwin*) - echo "Checking platform... Identified as Macintosh OS X" - macos=true - ;; - *-*-linux*) - echo "Checking platform... Identified as Linux" - linuxos=true - case "${host_cpu}" in - s390x) - cpu_type="-DLINUX_S390" - ;; - esac - ;; - *-*-solaris*) - echo "Checking platform... Identified as Solaris" - solarisos=true - ;; - *-*-freebsd*) - echo "Checking platform... Identified as FreeBSD" - freebsdos=true - ;; - *-*-netbsd*) - echo "Checking platform... Identified as NetBSD" - netbsdos=true - ;; - *-*-openbsd*) - echo "Checking platform... Identified as OpenBSD" - openbsdos=true - ;; - *-*-kfreebsd*) - echo "Checking platform... Identified as kFreeBSD, treating as linux" - linuxos=true - ;; - *-*-gnu*.*) - echo "Checking platform... Identified as HURD, treating as linux" - linuxos=true - ;; - *) - echo "Unknown CANONICAL_HOST $host" - exit - ;; -esac - -AM_CONDITIONAL([AIX], [test x$aixos = xtrue]) -AM_CONDITIONAL([HPUX], [test x$hpuxos = xtrue]) -AM_CONDITIONAL([MACOSX], [test x$macos = xtrue]) -AM_CONDITIONAL([LINUX], [test x$linuxos = xtrue]) -AM_CONDITIONAL([LINUX390], [test x$linuxos390 = xtrue]) -AM_CONDITIONAL([SOLARIS], [test x$solarisos = xtrue]) -AM_CONDITIONAL([FREEBSD], [test x$freebsdos = xtrue]) -AM_CONDITIONAL([OPENBSD], [test x$openbsdos = xtrue]) -AM_CONDITIONAL([NETBSD], [test x$netbsdos = xtrue]) - -#Subdirs -TOPLEVEL_SUBDIRS="tools" - -# Apache2 Module -AC_ARG_ENABLE(apache2-module, - AS_HELP_STRING([--disable-apache2-module], - [Disable building Apache2 module.]), -[ - if test "$enableval" != "no"; then - build_apache2_module=1 - else - build_apache2_module=0 - fi -], -[ - build_apache2_module=1 -]) -AM_CONDITIONAL([BUILD_APACHE2_MODULE], [test "$build_apache2_module" -eq 1]) -if test "$build_apache2_module" -eq 1; then - TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS apache2" -fi - - -# Standalone Module -AC_ARG_ENABLE(standalone-module, - AS_HELP_STRING([--enable-standalone-module], - [Enable building standalone module.]), -[ - if test "$enableval" != "no"; then - build_standalone_module=1 - else - build_standalone_module=0 - fi -], -[ - build_standalone_module=0 -]) -AM_CONDITIONAL([BUILD_STANDALONE_MODULE], [test "$build_standalone_module" -eq 1]) -if test "$build_standalone_module" -eq 1; then - TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS standalone" -fi - - -# Extensions -AC_ARG_ENABLE(extentions, - AS_HELP_STRING([--enable-extentions], - [Enable building extension.]), -[ - if test "$enableval" != "no"; then - build_extentions=1 - else - build_extentions=0 - fi -], -[ - build_extentions=0 -]) -AM_CONDITIONAL([BUILD_extentions], [test "$build_extentions" -eq 1]) -if test "$build_extentions" -eq 1; then - TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS ext" -fi - - -# Mlogc -AC_ARG_ENABLE(mlogc, - AS_HELP_STRING([--disable-mlogc], - [Disable building mlogc.]), -[ - if test "$enableval" != "no"; then - build_mlogc=1 - else - build_mlogc=0 - fi -], -[ - build_mlogc=1 -]) - -CHECK_CURL() - -if test -z "${CURL_VERSION}"; then - AC_MSG_NOTICE([NOTE: mlogc compilation was disabled.]) - build_mlogc=0 -fi - -AM_CONDITIONAL([BUILD_MLOGC], [test "$build_mlogc" -eq 1]) -if test "$build_mlogc" -eq 1; then - TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS mlogc" -fi - -# Audit Log Parser v2 (ALP2) -AC_ARG_ENABLE(alp2, - AS_HELP_STRING([--enable-alp2], - [Enable building audit log parser lib.]), -[ - if test "$enableval" != "no"; then - build_alp2=1 - else - build_alp2=0 - fi -], -[ - build_alp2=0 -]) -AM_CONDITIONAL([BUILD_ALP2], [test "$build_alp2" -eq 1]) -if test "$build_alp2" -eq 1; then - TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS alp2" -fi - -# Documentation -AC_ARG_ENABLE(docs, - AS_HELP_STRING([--enable-docs], - [Enable building documentation.]), -[ - if test "$enableval" != "no"; then - build_docs=1 - else - build_docs=0 - fi -], -[ - build_docs=0 -]) -AM_CONDITIONAL([BUILD_DOCS], [test "$build_docs" -eq 1]) -if test "$build_docs" -eq 1; then - TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS doc" - AC_CHECK_PROGS([DOXYGEN], [doxygen]) - if test -z "$DOXYGEN"; then - AC_MSG_WARN([Doxygen not found - continue without Doxygen support]) - fi - if test "$build_apache2_module" -eq 1; then - AC_CONFIG_FILES([doc/doxygen-apache]) - fi - if test "$build_standalone_module" -eq 1; then - AC_CONFIG_FILES([doc/doxygen-nginx]) - AC_CONFIG_FILES([doc/doxygen-iis]) - AC_CONFIG_FILES([doc/doxygen-standalone]) - fi - AC_CONFIG_FILES([doc/Makefile]) -fi - -AC_ARG_ENABLE(assertions, - AS_HELP_STRING([--enable-assertions], - [Turn on assertions checks (undefine NDEBUG])), -[ - if test "${enableval}" = "yes"; then - assertions=-UNDEBUG - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $assertions" - else - assertions=-DNDEBUG - fi -]], -[ - assertions=-DNDEBUG -]) -# Add PCRE Studying - -AC_ARG_ENABLE(pcre-study, - AS_HELP_STRING([--enable-pcre-study], - [Enable PCRE regex studying during configure.]), -[ - if test "$enableval" != "no"; then - pcre_study='-DWITH_PCRE_STUDY' - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $pcre_study" - else - pcre_study='' - fi -], -[ - pcre_study='-DWITH_PCRE_STUDY' -]) - -# Add PCRE JIT - -AC_ARG_ENABLE(pcre-jit, - AS_HELP_STRING([--enable-pcre-jit], - [Enable PCRE regex jit support during configure.]), -[ - if test "$enableval" != "no"; then - pcre_jit='-DWITH_PCRE_JIT' - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $pcre_jit" - else - pcre_jit='' - fi -], -[ - pcre_jit='' -]) - - -# Limit PCRE matching -AC_ARG_ENABLE(pcre-match-limit, - AS_HELP_STRING([--enable-pcre-match-limit], - [Enable PCRE regex match limit during configure.]), -[ - if test "$enableval" = "yes"; then - AC_MSG_ERROR([PCRE match limits require a numeric value]) - elif test "$enableval" = "no"; then - pcre_match_limit='' - else - pcre_match_limit="-DMODSEC_PCRE_MATCH_LIMIT=$enableval" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $pcre_match_limit" - fi -], -[ - pcre_match_limit='-DMODSEC_PCRE_MATCH_LIMIT=1500' -]) - -# Limit PCRE matching recursion -AC_ARG_ENABLE(pcre-match-limit-recursion, - AS_HELP_STRING([--enable-pcre-match-limit-recursion], - [Enable PCRE regex match limit recursion during configure.]), -[ - if test "$enableval" = "yes"; then - AC_MSG_ERROR([PCRE match limits require a numeric value]) - elif test "$enableval" = "no"; then - pcre_match_limit_recursion='' - else - pcre_match_limit_recursion="-DMODSEC_PCRE_MATCH_LIMIT_RECURSION=$enableval" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $pcre_match_limit_recursion" - fi -], -[ - pcre_match_limit_recursion='-DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500' -]) - -# Enable Lua per transaction cache -AC_ARG_ENABLE(lua-cache, - AS_HELP_STRING([--enable-lua-cache], - [Enable Lua per transaction cache.]), -[ - if test "$enableval" != "no"; then - lua_cache="-DCACHE_LUA" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $lua_cache" - else - lua_cache= - fi -], -[ - lua_cache= -]) - -# Enable phase-1 in post_read_request -AC_ARG_ENABLE(htaccess-config, - AS_HELP_STRING([--enable-htaccess-config], - [Enable some mod_security directives into htaccess files.]), -[ - if test "$enableval" != "no"; then - htaccess_config="-DHTACCESS_CONFIG" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $htaccess_config" - else - htaccess_config= - fi -], -[ - htaccess_config= -]) - -# Enable phase-1 in post_read_request -AC_ARG_ENABLE(request-early, - AS_HELP_STRING([--enable-request-early], - [Place phase1 into post_read_request hook. default is hook_request_early]), -[ - if test "$enableval" != "no"; then - request_early="-DREQUEST_EARLY" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $request_early" - else - request_early= - fi -], -[ - request_early='-DREQUEST_EARLY' -]) - -# Enable duplicate rules id -AC_ARG_ENABLE(rule-id-validation, - AS_HELP_STRING([--enable-rule-id-validation], - [Forbid duplicate rule ids and missing ones. This is the default]), -[ - if test "$enableval" != "no"; then - unique_id= - else - unique_id="-DALLOW_ID_NOT_UNIQUE" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $unique_id" - fi -], -[ - unique_id='' -]) - -# Disable logging of filename -AC_ARG_ENABLE(filename-logging, - AS_HELP_STRING([--enable-filename-logging], - [Enable logging of filename in audit log. This is the default]), -[ - if test "$enableval" != "no"; then - log_filename= - else - log_filename="-DLOG_NO_FILENAME" - fi -], -[ - log_filename='' -]) - -# Disable logging of "Server" -AC_ARG_ENABLE(server-logging, - AS_HELP_STRING([--enable-server-logging], - [Enable logging of "Server" in audit log when log level < 9. This is the default]), -[ - if test "$enableval" != "no"; then - log_server= - else - log_server="-DLOG_NO_SERVER" - fi -], -[ - log_server='' -]) - -# Disable logging of problem when deleting collection -AC_ARG_ENABLE(collection-delete-problem-logging, - AS_HELP_STRING([--enable-collection-delete-problem-logging], - [Enable logging of collection delete problem even when log level is < 9. This is the default]), -[ - if test "$enableval" != "no"; then - log_collection_delete_problem= - else - log_collection_delete_problem="-DLOG_NO_COLL_DELET_PB" - fi -], -[ - log_collection_delete_problem='' -]) - -# Disable logging of Apache handler -AC_ARG_ENABLE(handler-logging, - AS_HELP_STRING([--enable-handler-logging], - [Enable logging of Apache handler in audit log even when log level is < 9. This is the default]), -[ - if test "$enableval" != "no"; then - log_handler= - else - log_handler="-DLOG_NO_HANDLER" - fi -], -[ - log_handler='' -]) - -# Disable logging of dechunking -AC_ARG_ENABLE(dechunk-logging, - AS_HELP_STRING([--enable-dechunk-logging], - [Enable logging of dechunking even when log level is < 9. This is the default]), -[ - if test "$enableval" != "no"; then - log_dechunk= - else - log_dechunk="-DLOG_NO_DECHUNK" - fi -], -[ - log_dechunk='' -]) - -# Disable logging of stopwatches -AC_ARG_ENABLE(stopwatch-logging, - AS_HELP_STRING([--enable-stopwatch-logging], - [Enable logging of stopwatches even when log level is < 9. This is the default]), -[ - if test "$enableval" != "no"; then - log_stopwatch= - else - log_stopwatch="-DLOG_NO_STOPWATCH" - fi -], -[ - log_stopwatch='' -]) - -# Disable logging of server context -AC_ARG_ENABLE(server-context-logging, - AS_HELP_STRING([--enable-server-context-logging], - [Enable logging of server info (log producer, sanitized objects, ...) in audit log even when log level < 9. This is the default]), -[ - if test "$enableval" != "no"; then - log_server_context= - else - log_server_context="-DLOG_NO_SERVER_CONTEXT" - fi -], -[ - log_server_context='' -]) - - -# Enable collection's global lock -AC_ARG_ENABLE(collection-global-lock, - AS_HELP_STRING([--enable-collection-global-lock], - [Enable collection correctness by using a global lock. May reduce performance significatively. This is disabled by default]), -[ - if test "$enableval" != "yes"; then - collection_global_lock="" - else - collection_global_lock="-DGLOBAL_COLLECTION_LOCK" - fi -], -[ - collection_global_lock='' -]) - - -# Ignore configure errors -AC_ARG_ENABLE(errors, - AS_HELP_STRING([--disable-errors], - [Disable errors during configure.]), -[ - if test "$enableval" != "no"; then - report_errors=1 - else - report_errors=0 - fi -], -[ - report_errors=1 -]) - - -# Strict Compile -AC_ARG_ENABLE(strict-compile, - AS_HELP_STRING([--enable-strict-compile], - [Enable strict compilation (warnings are errors).]), -[ - if test "$enableval" != "no"; then - strict_compile="-std=c99 -Wstrict-overflow=1 -Wextra -Wno-missing-field-initializers -Wshadow -Wpointer-arith -Wstrict-prototypes -Wmissing-prototypes -Wno-unused-parameter -Wformat -Wformat-security -Werror -fstack-protector -D_FORTIFY_SOURCE=2" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $strict_compile" - else - strict_compile= - fi -], -[ - strict_compile= -]) - -# DEBUG_CONF -AC_ARG_ENABLE(debug-conf, - AS_HELP_STRING([--enable-debug-conf], - [Enable debug during configuration.]), -[ - if test "$enableval" != "no"; then - debug_conf="-DDEBUG_CONF" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $debug_conf" - else - debug_conf= - fi -], -[ - debug_conf= -]) - -# CACHE_DEBUG -AC_ARG_ENABLE(debug-cache, - AS_HELP_STRING([--enable-debug-cache], - [Enable debug for transformation caching.]), -[ - if test "$enableval" != "no"; then - debug_cache="-DCACHE_DEBUG" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $debug_cache" - else - debug_cache= - fi -], -[ - debug_cache= -]) - -# DEBUG_ACMP -AC_ARG_ENABLE(debug-acmp, - AS_HELP_STRING([--enable-debug-acmp], - [Enable debugging acmp code.]), -[ - if test "$enableval" != "no"; then - debug_acmp="-DDEBUG_ACMP" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $debug_acmp" - else - debug_acmp= - fi -], -[ - debug_acmp= -]) - -# DEBUG_MEM -AC_ARG_ENABLE(debug-mem, - AS_HELP_STRING([--enable-debug-mem], - [Enable debug during configuration.]), -[ - if test "$enableval" != "no"; then - debug_mem="-DDEBUG_MEM" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $debug_mem" - else - debug_mem= - fi -], -[ - debug_mem= -]) - -# PERFORMANCE_MEASUREMENT -AC_ARG_ENABLE(performance-measurement, - AS_HELP_STRING([--enable-performance-measurement], - [Enable performance-measurement stats.]), -[ - if test "$enableval" != "no"; then - perf_meas="-DPERFORMANCE_MEASUREMENT" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $perf_meas" - else - perf_meas= - fi -], -[ - perf_meas= -]) - -# NO_MODSEC_API -AC_ARG_ENABLE(modsec-api, - AS_HELP_STRING([--disable-modsec-api], - [Disable the API; compiling against some older Apache versions require this.]), -[ - if test "$enableval" != "yes"; then - modsec_api="-DNO_MODSEC_API" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $modsec_api" - else - modsec_api= - fi -], -[ - modsec_api= -]) - -# MSC_LARGE_STREAM_INPUT -AC_ARG_ENABLE(large-stream-input, - AS_HELP_STRING([--enable-large-stream-input], - [Enable optimization for large stream input]), -[ - if test "$enableval" = "yes"; then - large_stream_input="-DMSC_LARGE_STREAM_INPUT" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $large_stream_input" - else - large_stream_input= - fi -], -[ - large_stream_input= -]) - -# Find apxs -AC_MSG_NOTICE(looking for Apache module support via DSO through APXS) -AC_ARG_WITH(apxs, - [AS_HELP_STRING([[--with-apxs=FILE]], - [FILE is the path to apxs; defaults to "apxs".])], -[ - if test "$withval" = "yes"; then - APXS=apxs - else - APXS="$withval" - fi -]) - -if test -z "$APXS"; then - for i in /usr/local/apache22/bin \ - /usr/local/apache2/bin \ - /usr/local/apache/bin \ - /usr/local/sbin \ - /usr/local/bin \ - /usr/sbin \ - /usr/bin; - do - if test -f "$i/apxs2"; then - APXS="$i/apxs2" - break - elif test -f "$i/apxs"; then - APXS="$i/apxs" - break - fi - done -fi - -# arbitrarily picking the same version subversion looks for, don't know how -# accurate this really is, but at least it'll force us to have apache2... -HTTPD_WANTED_MMN=20020903 - -if test -n "$APXS" -a "$APXS" != "no" -a -x "$APXS" ; then - APXS_INCLUDE="`$APXS -q INCLUDEDIR`" - if test -r $APXS_INCLUDE/httpd.h; then - AC_MSG_NOTICE(found apxs at $APXS) - AC_MSG_NOTICE(checking httpd version) - AC_EGREP_CPP(VERSION_OK, - [ -#include "$APXS_INCLUDE/ap_mmn.h" -#if AP_MODULE_MAGIC_AT_LEAST($HTTPD_WANTED_MMN,0) -VERSION_OK -#endif], - [AC_MSG_NOTICE(httpd is recent enough)], - [ - if test "$report_errors" -eq 1; then - AC_MSG_ERROR(apache is too old, mmn must be at least $HTTPD_WANTED_MMN) - else - AC_MSG_NOTICE(apache is too old, mmn must be at least $HTTPD_WANTED_MMN) - fi - ]) - fi - APXS_INCLUDEDIR="`$APXS -q INCLUDEDIR`" - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs INCLUDEDIR: $APXS_INCLUDEDIR); fi - # Make sure the include dir is used - if test -n "$APXS_INCLUDEDIR"; then - APXS_INCLUDES="-I${APXS_INCLUDEDIR} `$APXS -q INCLUDES` `$APXS -q EXTRA_INCLUDES`" - else - APXS_INCLUDES="`$APXS -q INCLUDES` `$APXS -q EXTRA_INCLUDES`" - fi - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs INCLUDES: $APXS_INCLUDES); fi - APXS_CFLAGS=-I`$APXS -q INCLUDEDIR` - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs CFLAGS: $APXS_CFLAGS); fi - APXS_LDFLAGS= - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LDFLAGS: $APXS_LDFLAGS); fi - APXS_LIBDIR="`$APXS -q LIBDIR`" - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LIBDIR: $APXS_LIBDIR); fi - # Make sure the lib dir is used - if test -n "$APXS_LIBDIR"; then - APXS_LIBS="-L${APXS_LIBDIR} `$APXS -q LIBS` `$APXS -q EXTRA_LIBS`" - else - APXS_LIBS="`$APXS -q LIBS` `$APXS -q EXTRA_LIBS`" - fi - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LIBS: $APXS_LIBS); fi - APXS_LIBTOOL="`$APXS -q LIBTOOL`" - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LIBTOOL: $APXS_LIBTOOL); fi - APXS_CC="`$APXS -q CC`" - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs CC: $APXS_CC); fi - APXS_BINDIR="`$APXS -q BINDIR`" - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs BINDIR: $APXS_BINDIR); fi - APXS_SBINDIR="`$APXS -q SBINDIR`" - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs SBINDIR: $APXS_SBINDIR); fi - APXS_PROGNAME="`$APXS -q PROGNAME`" - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs PROGNAME: $APXS_PROGNAME); fi - APXS_LIBEXECDIR="`$APXS -q LIBEXECDIR`" - if test "xx$APXS_LIBEXECDIR" = "xx"; then APXS_LIBEXECDIR="`$APXS -q LIBDIR`/modules"; fi - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LIBEXECDIR: $APXS_LIBEXECDIR); fi - APXS_MODULES=$APXS_LIBEXECDIR - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs MODULES: $APXS_MODULES); fi - if test "$APXS_SBINDIR" = "/"; then - APXS_HTTPD="$APXS_SBINDIR/$APXS_PROGNAME" - else - APXS_HTTPD="$APXS_SBINDIR/$APXS_PROGNAME" - fi - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs HTTPD: $APXS_HTTPD); fi -else - if test "$report_errors" -eq 1; then - AC_MSG_ERROR(couldn't find APXS) - else - AC_MSG_NOTICE(couldn't find APXS) - fi -fi - -### Build *EXTRA_CFLAGS vars - -# Allow overriding EXTRA_CFLAGS -if $ENV_CMD | $GREP "^EXTRA_CFLAGS" > /dev/null 2>&1; then - if test -z "$debug_mem"; then - EXTRA_CFLAGS="$EXTRA_CFLAGS $strict_compile" - fi -else - if test -n "$debug_mem"; then - EXTRA_CFLAGS="-O0 -g -Wall" - else - EXTRA_CFLAGS="-O2 -g -Wall $strict_compile" - fi -fi -EXTRA_CFLAGS="$EXTRA_CFLAGS $assertions" - -MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type $unique_id $log_filename $log_server $log_collection_delete_problem $log_dechunk $log_stopwatch $log_handler $log_server_context $collection_global_lock $large_stream_input" - -APXS_WRAPPER=build/apxs-wrapper -APXS_EXTRA_CFLAGS="" -for f in $EXTRA_CFLAGS; do - APXS_EXTRA_CFLAGS="$APXS_EXTRA_CFLAGS -Wc,$f" -done; -MODSEC_APXS_EXTRA_CFLAGS="" -for f in $MODSEC_EXTRA_CFLAGS; do - MODSEC_APXS_EXTRA_CFLAGS="$MODSEC_APXS_EXTRA_CFLAGS -Wc,$f" -done; - -### Substitute the vars - -AC_SUBST(TOPLEVEL_SUBDIRS) -AC_SUBST(EXTRA_CFLAGS) -AC_SUBST(MODSEC_EXTRA_CFLAGS) -AC_SUBST(APXS) -AC_SUBST(APXS_WRAPPER) -AC_SUBST(APXS_INCLUDEDIR) -AC_SUBST(APXS_INCLUDES) -AC_SUBST(APXS_EXTRA_CFLAGS) -AC_SUBST(MODSEC_APXS_EXTRA_CFLAGS) -AC_SUBST(APXS_LDFLAGS) -AC_SUBST(APXS_LIBS) -AC_SUBST(APXS_CFLAGS) -AC_SUBST(APXS_LIBTOOL) -AC_SUBST(APXS_CC) -AC_SUBST(APXS_LIBDIR) -AC_SUBST(APXS_BINDIR) -AC_SUBST(APXS_SBINDIR) -AC_SUBST(APXS_PROGNAME) -AC_SUBST(APXS_LIBEXECDIR) -AC_SUBST(APXS_MODULES) -AC_SUBST(APXS_HTTPD) - -CHECK_PCRE() -CHECK_PCRE2() -if test "$build_apache2_module" -ne 0 -o "$build_mlogc" -ne 0; then -CHECK_APR() -CHECK_APU() -fi -CHECK_LIBXML2() -CHECK_LUA() -#if test "$build_mlogc" -ne 0; then -#CHECK_CURL() -#fi - -# Check for YAJL libs (for JSON body processor) -CHECK_YAJL() -#AC_SEARCH_LIBS([yajl_alloc], [yajl]) -CHECK_SSDEEP() -#AC_SEARCH_LIBS([fuzzy_hash_buf], [fuzzy]) - -# Temporarily set cflags for apr_crypto check, then restore -# since it's already used correctly to compile modsecurity module. -ORIG_CFLAGS="$CFLAGS $APU_CFLAGS" -ORIG_CPPFLAGS="$CPPFLAGS" -CFLAGS="$CFLAGS $APR_CFLAGS" -CPPFLAGS="$CPPFLAGS $APR_CPPFLAGS" -AC_LINK_IFELSE( - [AC_LANG_PROGRAM([[ #include ]], - [[ - #if APU_HAVE_CRYPTO == 0 - #error APR util was not compiled with crypto support. - #endif - ]])], - [ AC_DEFINE([WITH_APU_CRYPTO], [1], [APR util was compiled with crypto support]) - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS -DWITH_APU_CRYPTO" - ], - [ AC_MSG_WARN([APR util was not compiled with crypto support. SecRemoteRule will not support the parameter 'crypto']) ] -) -# Restore env vars so that we don't clutter with duplicates that -# are eventually appended later on -CFLAGS="$ORIG_CFLAGS" -CPPFLAGS="$ORIG_CPPFLAGS" - -# Currently our unique download backend is curl, further we can support more. -if test ! -z "${CURL_VERSION}"; then - AC_DEFINE([WITH_REMOTE_RULES], [1], [Enables SecRemoteRules support]) - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS -DWITH_REMOTE_RULES" -fi - -AC_CONFIG_FILES([Makefile]) -AC_CONFIG_FILES([tools/Makefile]) -if test "$build_alp2" -ne 0; then -AC_CONFIG_FILES([alp2/Makefile]) -fi -if test "$build_apache2_module" -ne 0; then -AC_CONFIG_FILES([apache2/Makefile]) -fi -if test "$build_standalone_module" -ne 0; then -AC_CONFIG_FILES([standalone/Makefile]) -AC_CONFIG_FILES([nginx/modsecurity/config]) -fi -if test "$build_extentions" -ne 0; then -AC_CONFIG_FILES([ext/Makefile]) -fi -AC_CONFIG_FILES([build/apxs-wrapper], [chmod +x build/apxs-wrapper]) -if test -e "$PERL"; then - if test "$build_mlogc" -ne 0; then - AC_CONFIG_FILES([mlogc/mlogc-batch-load.pl], [chmod +x mlogc/mlogc-batch-load.pl]) - AC_CONFIG_FILES([tests/regression/misc/40-secRemoteRules.t]) - AC_CONFIG_FILES([tests/regression/misc/50-ipmatchfromfile-external.t]) - AC_CONFIG_FILES([tests/regression/misc/60-pmfromfile-external.t]) - fi - AC_CONFIG_FILES([tests/run-unit-tests.pl], [chmod +x tests/run-unit-tests.pl]) - AC_CONFIG_FILES([tests/run-regression-tests.pl], [chmod +x tests/run-regression-tests.pl]) - AC_CONFIG_FILES([tests/gen_rx-pm.pl], [chmod +x tests/gen_rx-pm.pl]) - AC_CONFIG_FILES([tests/csv_rx-pm.pl], [chmod +x tests/csv_rx-pm.pl]) - AC_CONFIG_FILES([tests/regression/server_root/conf/httpd.conf]) - - # Perl based tools - AC_CONFIG_FILES([tools/rules-updater.pl], [chmod +x tools/rules-updater.pl]) -fi -if test "$build_mlogc" -ne 0; then - AC_CONFIG_FILES([mlogc/Makefile]) -fi -AC_CONFIG_FILES([tests/Makefile]) - -AC_OUTPUT +dnl +dnl Autoconf configuration for ModSecurity +dnl +dnl Use ./autogen.sh to produce a configure script +dnl + +AC_PREREQ(2.63) + +AC_INIT([modsecurity], [2.9], [support@modsecurity.org]) + +AC_CONFIG_MACRO_DIR([build]) +AC_CONFIG_SRCDIR([LICENSE]) +AC_CONFIG_HEADERS([apache2/modsecurity_config_auto.h]) +AC_CONFIG_AUX_DIR([build]) +AC_PREFIX_DEFAULT([/usr/local/modsecurity]) + +AM_INIT_AUTOMAKE([-Wall foreign subdir-objects]) +m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) + +LT_PREREQ([2.2]) +LT_INIT([dlopen]) + +# Checks for programs. +AC_PROG_AWK +AC_PROG_CC +AC_PROG_CPP +AC_PROG_INSTALL +AC_PROG_LN_S +AC_PROG_MAKE_SET +AC_PROG_GREP +AC_PATH_PROGS(PERL, [perl perl5], ) +AC_PATH_PROGS(ENV_CMD, [env printenv], ) +PKG_PROG_PKG_CONFIG + +# Checks for header files. +AC_CHECK_HEADERS([fcntl.h limits.h stdlib.h string.h unistd.h sys/types.h sys/stat.h sys/utsname.h]) + +# Checks for typedefs, structures, and compiler characteristics. +AC_C_CONST +AC_C_INLINE +AC_C_RESTRICT +AC_TYPE_PID_T +AC_TYPE_SIZE_T +AC_STRUCT_TM +AC_TYPE_UINT8_T + +# Checks for library functions. +AC_FUNC_MALLOC +AC_FUNC_MEMCMP +AC_CHECK_FUNCS([atexit getcwd memmove memset strcasecmp strchr strdup strerror strncasecmp strrchr strstr strtol fchmod strcasestr]) + +# Some directories +MSC_BASE_DIR=`pwd` +MSC_PKGBASE_DIR="$MSC_BASE_DIR/.." +MSC_TEST_DIR="$MSC_BASE_DIR/tests" +MSC_REGRESSION_DIR="$MSC_TEST_DIR/regression" +MSC_REGRESSION_SERVERROOT_DIR="$MSC_REGRESSION_DIR/server_root" +MSC_REGRESSION_CONF_DIR="$MSC_REGRESSION_SERVERROOT_DIR/conf" +MSC_REGRESSION_LOGS_DIR="$MSC_REGRESSION_SERVERROOT_DIR/logs" +MSC_REGRESSION_DOCROOT_DIR="$MSC_REGRESSION_SERVERROOT_DIR/htdocs" + +AC_SUBST(MSC_BASE_DIR) +AC_SUBST(MSC_PKGBASE_DIR) +AC_SUBST(MSC_TEST_DIR) +AC_SUBST(MSC_REGRESSION_DIR) +AC_SUBST(MSC_REGRESSION_SERVERROOT_DIR) +AC_SUBST(MSC_REGRESSION_CONF_DIR) +AC_SUBST(MSC_REGRESSION_LOGS_DIR) +AC_SUBST(MSC_REGRESSION_DOCROOT_DIR) + +### Configure Options + +# Verbose output +AC_ARG_ENABLE(verbose-output, + AS_HELP_STRING([--enable-verbose-output], + [Enable more verbose configure output.]), +[ + if test "$enableval" != "no"; then + verbose_output=1 + else + verbose_output=0 + fi +], +[ + verbose_output=0 +]) + + +#OS type + +AC_CANONICAL_HOST +CANONICAL_HOST=$host + +AH_TEMPLATE([AIX], [Define if the operating system is AIX]) +AH_TEMPLATE([LINUX], [Define if the operating system is LINUX]) +AH_TEMPLATE([OPENBSD], [Define if the operating system is OpenBSD]) +AH_TEMPLATE([SOLARIS], [Define if the operating system is SOLARIS]) +AH_TEMPLATE([HPUX], [Define if the operating system is HPUX]) +AH_TEMPLATE([MACOSX], [Define if the operating system is Macintosh OSX]) +AH_TEMPLATE([FREEBSD], [Define if the operating system is FREEBSD]) +AH_TEMPLATE([NETBSD], [Define if the operating system is NetBSD]) + + +case $host in + *-*-aix*) + echo "Checking platform... Identified as AIX" + aixos=true + ;; + *-*-hpux*) + echo "Checking platform... Identified as HPUX" + hpuxos=true + ;; + *-*-darwin*) + echo "Checking platform... Identified as Macintosh OS X" + macos=true + ;; + *-*-linux*) + echo "Checking platform... Identified as Linux" + linuxos=true + case "${host_cpu}" in + s390x) + cpu_type="-DLINUX_S390" + ;; + esac + ;; + *-*-solaris*) + echo "Checking platform... Identified as Solaris" + solarisos=true + ;; + *-*-freebsd*) + echo "Checking platform... Identified as FreeBSD" + freebsdos=true + ;; + *-*-netbsd*) + echo "Checking platform... Identified as NetBSD" + netbsdos=true + ;; + *-*-openbsd*) + echo "Checking platform... Identified as OpenBSD" + openbsdos=true + ;; + *-*-kfreebsd*) + echo "Checking platform... Identified as kFreeBSD, treating as linux" + linuxos=true + ;; + *-*-gnu*.*) + echo "Checking platform... Identified as HURD, treating as linux" + linuxos=true + ;; + *) + echo "Unknown CANONICAL_HOST $host" + exit + ;; +esac + +AM_CONDITIONAL([AIX], [test x$aixos = xtrue]) +AM_CONDITIONAL([HPUX], [test x$hpuxos = xtrue]) +AM_CONDITIONAL([MACOSX], [test x$macos = xtrue]) +AM_CONDITIONAL([LINUX], [test x$linuxos = xtrue]) +AM_CONDITIONAL([LINUX390], [test x$linuxos390 = xtrue]) +AM_CONDITIONAL([SOLARIS], [test x$solarisos = xtrue]) +AM_CONDITIONAL([FREEBSD], [test x$freebsdos = xtrue]) +AM_CONDITIONAL([OPENBSD], [test x$openbsdos = xtrue]) +AM_CONDITIONAL([NETBSD], [test x$netbsdos = xtrue]) + +#Subdirs +TOPLEVEL_SUBDIRS="tools" + +# Apache2 Module +AC_ARG_ENABLE(apache2-module, + AS_HELP_STRING([--disable-apache2-module], + [Disable building Apache2 module.]), +[ + if test "$enableval" != "no"; then + build_apache2_module=1 + else + build_apache2_module=0 + fi +], +[ + build_apache2_module=1 +]) +AM_CONDITIONAL([BUILD_APACHE2_MODULE], [test "$build_apache2_module" -eq 1]) +if test "$build_apache2_module" -eq 1; then + TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS apache2" +fi + + +# Standalone Module +AC_ARG_ENABLE(standalone-module, + AS_HELP_STRING([--enable-standalone-module], + [Enable building standalone module.]), +[ + if test "$enableval" != "no"; then + build_standalone_module=1 + else + build_standalone_module=0 + fi +], +[ + build_standalone_module=0 +]) +AM_CONDITIONAL([BUILD_STANDALONE_MODULE], [test "$build_standalone_module" -eq 1]) +if test "$build_standalone_module" -eq 1; then + TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS standalone" +fi + + +# Extensions +AC_ARG_ENABLE(extentions, + AS_HELP_STRING([--enable-extentions], + [Enable building extension.]), +[ + if test "$enableval" != "no"; then + build_extentions=1 + else + build_extentions=0 + fi +], +[ + build_extentions=0 +]) +AM_CONDITIONAL([BUILD_extentions], [test "$build_extentions" -eq 1]) +if test "$build_extentions" -eq 1; then + TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS ext" +fi + + +# Mlogc +AC_ARG_ENABLE(mlogc, + AS_HELP_STRING([--disable-mlogc], + [Disable building mlogc.]), +[ + if test "$enableval" != "no"; then + build_mlogc=1 + else + build_mlogc=0 + fi +], +[ + build_mlogc=1 +]) + +CHECK_CURL() + +if test -z "${CURL_VERSION}"; then + AC_MSG_NOTICE([NOTE: mlogc compilation was disabled.]) + build_mlogc=0 +fi + +AM_CONDITIONAL([BUILD_MLOGC], [test "$build_mlogc" -eq 1]) +if test "$build_mlogc" -eq 1; then + TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS mlogc" +fi + +# Audit Log Parser v2 (ALP2) +AC_ARG_ENABLE(alp2, + AS_HELP_STRING([--enable-alp2], + [Enable building audit log parser lib.]), +[ + if test "$enableval" != "no"; then + build_alp2=1 + else + build_alp2=0 + fi +], +[ + build_alp2=0 +]) +AM_CONDITIONAL([BUILD_ALP2], [test "$build_alp2" -eq 1]) +if test "$build_alp2" -eq 1; then + TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS alp2" +fi + +# Documentation +AC_ARG_ENABLE(docs, + AS_HELP_STRING([--enable-docs], + [Enable building documentation.]), +[ + if test "$enableval" != "no"; then + build_docs=1 + else + build_docs=0 + fi +], +[ + build_docs=0 +]) +AM_CONDITIONAL([BUILD_DOCS], [test "$build_docs" -eq 1]) +if test "$build_docs" -eq 1; then + TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS doc" + AC_CHECK_PROGS([DOXYGEN], [doxygen]) + if test -z "$DOXYGEN"; then + AC_MSG_WARN([Doxygen not found - continue without Doxygen support]) + fi + if test "$build_apache2_module" -eq 1; then + AC_CONFIG_FILES([doc/doxygen-apache]) + fi + if test "$build_standalone_module" -eq 1; then + AC_CONFIG_FILES([doc/doxygen-nginx]) + AC_CONFIG_FILES([doc/doxygen-iis]) + AC_CONFIG_FILES([doc/doxygen-standalone]) + fi + AC_CONFIG_FILES([doc/Makefile]) +fi + +AC_ARG_ENABLE(assertions, + AS_HELP_STRING([--enable-assertions], + [Turn on assertions checks (undefine NDEBUG)]), +[ + if test "${enableval}" = "yes"; then + assertions=-UNDEBUG + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $assertions" + else + assertions=-DNDEBUG + fi +], +[ + assertions=-DNDEBUG +]) +# Add PCRE Studying + +AC_ARG_ENABLE(pcre-study, + AS_HELP_STRING([--enable-pcre-study], + [Enable PCRE regex studying during configure.]), +[ + if test "$enableval" != "no"; then + pcre_study='-DWITH_PCRE_STUDY' + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $pcre_study" + else + pcre_study='' + fi +], +[ + pcre_study='-DWITH_PCRE_STUDY' +]) + +# Add PCRE JIT + +AC_ARG_ENABLE(pcre-jit, + AS_HELP_STRING([--enable-pcre-jit], + [Enable PCRE regex jit support during configure.]), +[ + if test "$enableval" != "no"; then + pcre_jit='-DWITH_PCRE_JIT' + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $pcre_jit" + else + pcre_jit='' + fi +], +[ + pcre_jit='' +]) + + +# Limit PCRE matching +AC_ARG_ENABLE(pcre-match-limit, + AS_HELP_STRING([--enable-pcre-match-limit], + [Enable PCRE regex match limit during configure.]), +[ + if test "$enableval" = "yes"; then + AC_MSG_ERROR([PCRE match limits require a numeric value]) + elif test "$enableval" = "no"; then + pcre_match_limit='' + else + pcre_match_limit="-DMODSEC_PCRE_MATCH_LIMIT=$enableval" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $pcre_match_limit" + fi +], +[ + pcre_match_limit='-DMODSEC_PCRE_MATCH_LIMIT=1500' +]) + +# Limit PCRE matching recursion +AC_ARG_ENABLE(pcre-match-limit-recursion, + AS_HELP_STRING([--enable-pcre-match-limit-recursion], + [Enable PCRE regex match limit recursion during configure.]), +[ + if test "$enableval" = "yes"; then + AC_MSG_ERROR([PCRE match limits require a numeric value]) + elif test "$enableval" = "no"; then + pcre_match_limit_recursion='' + else + pcre_match_limit_recursion="-DMODSEC_PCRE_MATCH_LIMIT_RECURSION=$enableval" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $pcre_match_limit_recursion" + fi +], +[ + pcre_match_limit_recursion='-DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500' +]) + +# Enable Lua per transaction cache +AC_ARG_ENABLE(lua-cache, + AS_HELP_STRING([--enable-lua-cache], + [Enable Lua per transaction cache.]), +[ + if test "$enableval" != "no"; then + lua_cache="-DCACHE_LUA" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $lua_cache" + else + lua_cache= + fi +], +[ + lua_cache= +]) + +# Enable phase-1 in post_read_request +AC_ARG_ENABLE(htaccess-config, + AS_HELP_STRING([--enable-htaccess-config], + [Enable some mod_security directives into htaccess files.]), +[ + if test "$enableval" != "no"; then + htaccess_config="-DHTACCESS_CONFIG" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $htaccess_config" + else + htaccess_config= + fi +], +[ + htaccess_config= +]) + +# Enable phase-1 in post_read_request +AC_ARG_ENABLE(request-early, + AS_HELP_STRING([--enable-request-early], + [Place phase1 into post_read_request hook. default is hook_request_early]), +[ + if test "$enableval" != "no"; then + request_early="-DREQUEST_EARLY" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $request_early" + else + request_early= + fi +], +[ + request_early='-DREQUEST_EARLY' +]) + +# Enable duplicate rules id +AC_ARG_ENABLE(rule-id-validation, + AS_HELP_STRING([--enable-rule-id-validation], + [Forbid duplicate rule ids and missing ones. This is the default]), +[ + if test "$enableval" != "no"; then + unique_id= + else + unique_id="-DALLOW_ID_NOT_UNIQUE" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $unique_id" + fi +], +[ + unique_id='' +]) + +# Disable logging of filename +AC_ARG_ENABLE(filename-logging, + AS_HELP_STRING([--enable-filename-logging], + [Enable logging of filename in audit log. This is the default]), +[ + if test "$enableval" != "no"; then + log_filename= + else + log_filename="-DLOG_NO_FILENAME" + fi +], +[ + log_filename='' +]) + +# Disable logging of "Server" +AC_ARG_ENABLE(server-logging, + AS_HELP_STRING([--enable-server-logging], + [Enable logging of "Server" in audit log when log level < 9. This is the default]), +[ + if test "$enableval" != "no"; then + log_server= + else + log_server="-DLOG_NO_SERVER" + fi +], +[ + log_server='' +]) + +# Disable logging of problem when deleting collection +AC_ARG_ENABLE(collection-delete-problem-logging, + AS_HELP_STRING([--enable-collection-delete-problem-logging], + [Enable logging of collection delete problem even when log level is < 9. This is the default]), +[ + if test "$enableval" != "no"; then + log_collection_delete_problem= + else + log_collection_delete_problem="-DLOG_NO_COLL_DELET_PB" + fi +], +[ + log_collection_delete_problem='' +]) + +# Disable logging of Apache handler +AC_ARG_ENABLE(handler-logging, + AS_HELP_STRING([--enable-handler-logging], + [Enable logging of Apache handler in audit log even when log level is < 9. This is the default]), +[ + if test "$enableval" != "no"; then + log_handler= + else + log_handler="-DLOG_NO_HANDLER" + fi +], +[ + log_handler='' +]) + +# Disable logging of dechunking +AC_ARG_ENABLE(dechunk-logging, + AS_HELP_STRING([--enable-dechunk-logging], + [Enable logging of dechunking even when log level is < 9. This is the default]), +[ + if test "$enableval" != "no"; then + log_dechunk= + else + log_dechunk="-DLOG_NO_DECHUNK" + fi +], +[ + log_dechunk='' +]) + +# Disable logging of stopwatches +AC_ARG_ENABLE(stopwatch-logging, + AS_HELP_STRING([--enable-stopwatch-logging], + [Enable logging of stopwatches even when log level is < 9. This is the default]), +[ + if test "$enableval" != "no"; then + log_stopwatch= + else + log_stopwatch="-DLOG_NO_STOPWATCH" + fi +], +[ + log_stopwatch='' +]) + +# Disable logging of server context +AC_ARG_ENABLE(server-context-logging, + AS_HELP_STRING([--enable-server-context-logging], + [Enable logging of server info (log producer, sanitized objects, ...) in audit log even when log level < 9. This is the default]), +[ + if test "$enableval" != "no"; then + log_server_context= + else + log_server_context="-DLOG_NO_SERVER_CONTEXT" + fi +], +[ + log_server_context='' +]) + + +# Enable collection's global lock +AC_ARG_ENABLE(collection-global-lock, + AS_HELP_STRING([--enable-collection-global-lock], + [Enable collection correctness by using a global lock. May reduce performance significatively. This is disabled by default]), +[ + if test "$enableval" != "yes"; then + collection_global_lock="" + else + collection_global_lock="-DGLOBAL_COLLECTION_LOCK" + fi +], +[ + collection_global_lock='' +]) + + +# Ignore configure errors +AC_ARG_ENABLE(errors, + AS_HELP_STRING([--disable-errors], + [Disable errors during configure.]), +[ + if test "$enableval" != "no"; then + report_errors=1 + else + report_errors=0 + fi +], +[ + report_errors=1 +]) + + +# Strict Compile +AC_ARG_ENABLE(strict-compile, + AS_HELP_STRING([--enable-strict-compile], + [Enable strict compilation (warnings are errors).]), +[ + if test "$enableval" != "no"; then + strict_compile="-std=c99 -Wstrict-overflow=1 -Wextra -Wno-missing-field-initializers -Wshadow -Wpointer-arith -Wstrict-prototypes -Wmissing-prototypes -Wno-unused-parameter -Wformat -Wformat-security -Werror -fstack-protector -D_FORTIFY_SOURCE=2" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $strict_compile" + else + strict_compile= + fi +], +[ + strict_compile= +]) + +# DEBUG_CONF +AC_ARG_ENABLE(debug-conf, + AS_HELP_STRING([--enable-debug-conf], + [Enable debug during configuration.]), +[ + if test "$enableval" != "no"; then + debug_conf="-DDEBUG_CONF" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $debug_conf" + else + debug_conf= + fi +], +[ + debug_conf= +]) + +# CACHE_DEBUG +AC_ARG_ENABLE(debug-cache, + AS_HELP_STRING([--enable-debug-cache], + [Enable debug for transformation caching.]), +[ + if test "$enableval" != "no"; then + debug_cache="-DCACHE_DEBUG" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $debug_cache" + else + debug_cache= + fi +], +[ + debug_cache= +]) + +# DEBUG_ACMP +AC_ARG_ENABLE(debug-acmp, + AS_HELP_STRING([--enable-debug-acmp], + [Enable debugging acmp code.]), +[ + if test "$enableval" != "no"; then + debug_acmp="-DDEBUG_ACMP" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $debug_acmp" + else + debug_acmp= + fi +], +[ + debug_acmp= +]) + +# DEBUG_MEM +AC_ARG_ENABLE(debug-mem, + AS_HELP_STRING([--enable-debug-mem], + [Enable debug during configuration.]), +[ + if test "$enableval" != "no"; then + debug_mem="-DDEBUG_MEM" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $debug_mem" + else + debug_mem= + fi +], +[ + debug_mem= +]) + +# PERFORMANCE_MEASUREMENT +AC_ARG_ENABLE(performance-measurement, + AS_HELP_STRING([--enable-performance-measurement], + [Enable performance-measurement stats.]), +[ + if test "$enableval" != "no"; then + perf_meas="-DPERFORMANCE_MEASUREMENT" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $perf_meas" + else + perf_meas= + fi +], +[ + perf_meas= +]) + +# NO_MODSEC_API +AC_ARG_ENABLE(modsec-api, + AS_HELP_STRING([--disable-modsec-api], + [Disable the API; compiling against some older Apache versions require this.]), +[ + if test "$enableval" != "yes"; then + modsec_api="-DNO_MODSEC_API" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $modsec_api" + else + modsec_api= + fi +], +[ + modsec_api= +]) + +# MSC_LARGE_STREAM_INPUT +AC_ARG_ENABLE(large-stream-input, + AS_HELP_STRING([--enable-large-stream-input], + [Enable optimization for large stream input]), +[ + if test "$enableval" = "yes"; then + large_stream_input="-DMSC_LARGE_STREAM_INPUT" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $large_stream_input" + else + large_stream_input= + fi +], +[ + large_stream_input= +]) + +# Find apxs +AC_MSG_NOTICE(looking for Apache module support via DSO through APXS) +AC_ARG_WITH(apxs, + [AS_HELP_STRING([[--with-apxs=FILE]], + [FILE is the path to apxs; defaults to "apxs".])], +[ + if test "$withval" = "yes"; then + APXS=apxs + else + APXS="$withval" + fi +]) + +if test -z "$APXS"; then + for i in /usr/local/apache22/bin \ + /usr/local/apache2/bin \ + /usr/local/apache/bin \ + /usr/local/sbin \ + /usr/local/bin \ + /usr/sbin \ + /usr/bin; + do + if test -f "$i/apxs2"; then + APXS="$i/apxs2" + break + elif test -f "$i/apxs"; then + APXS="$i/apxs" + break + fi + done +fi + +# arbitrarily picking the same version subversion looks for, don't know how +# accurate this really is, but at least it'll force us to have apache2... +HTTPD_WANTED_MMN=20020903 + +if test -n "$APXS" -a "$APXS" != "no" -a -x "$APXS" ; then + APXS_INCLUDE="`$APXS -q INCLUDEDIR`" + if test -r $APXS_INCLUDE/httpd.h; then + AC_MSG_NOTICE(found apxs at $APXS) + AC_MSG_NOTICE(checking httpd version) + AC_EGREP_CPP(VERSION_OK, + [ +#include "$APXS_INCLUDE/ap_mmn.h" +#if AP_MODULE_MAGIC_AT_LEAST($HTTPD_WANTED_MMN,0) +VERSION_OK +#endif], + [AC_MSG_NOTICE(httpd is recent enough)], + [ + if test "$report_errors" -eq 1; then + AC_MSG_ERROR(apache is too old, mmn must be at least $HTTPD_WANTED_MMN) + else + AC_MSG_NOTICE(apache is too old, mmn must be at least $HTTPD_WANTED_MMN) + fi + ]) +ÿfi + APXS_INCLUDEDIR="`$APXS -q INCLUDEDIR`" + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs INCLUDEDIR: $APXS_INCLUDEDIR); fi + # Make sure the include dir is used + if test -n "$APXS_INCLUDEDIR"; then + APXS_INCLUDES="-I${APXS_INCLUDEDIR} `$APXS -q INCLUDES` `$APXS -q EXTRA_INCLUDES`" + else + APXS_INCLUDES="`$APXS -q INCLUDES` `$APXS -q EXTRA_INCLUDES`" + fi + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs INCLUDES: $APXS_INCLUDES); fi + APXS_CFLAGS=-I`$APXS -q INCLUDEDIR` + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs CFLAGS: $APXS_CFLAGS); fi + APXS_LDFLAGS= + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LDFLAGS: $APXS_LDFLAGS); fi + APXS_LIBDIR="`$APXS -q LIBDIR`" + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LIBDIR: $APXS_LIBDIR); fi + # Make sure the lib dir is used + if test -n "$APXS_LIBDIR"; then + APXS_LIBS="-L${APXS_LIBDIR} `$APXS -q LIBS` `$APXS -q EXTRA_LIBS`" + else + APXS_LIBS="`$APXS -q LIBS` `$APXS -q EXTRA_LIBS`" + fi + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LIBS: $APXS_LIBS); fi + APXS_LIBTOOL="`$APXS -q LIBTOOL`" + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LIBTOOL: $APXS_LIBTOOL); fi + APXS_CC="`$APXS -q CC`" + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs CC: $APXS_CC); fi + APXS_BINDIR="`$APXS -q BINDIR`" + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs BINDIR: $APXS_BINDIR); fi + APXS_SBINDIR="`$APXS -q SBINDIR`" + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs SBINDIR: $APXS_SBINDIR); fi + APXS_PROGNAME="`$APXS -q PROGNAME`" + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs PROGNAME: $APXS_PROGNAME); fi + APXS_LIBEXECDIR="`$APXS -q LIBEXECDIR`" + if test "xx$APXS_LIBEXECDIR" = "xx"; then APXS_LIBEXECDIR="`$APXS -q LIBDIR`/modules"; fi + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LIBEXECDIR: $APXS_LIBEXECDIR); fi + APXS_MODULES=$APXS_LIBEXECDIR + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs MODULES: $APXS_MODULES); fi + if test "$APXS_SBINDIR" = "/"; then + APXS_HTTPD="$APXS_SBINDIR/$APXS_PROGNAME" + else + APXS_HTTPD="$APXS_SBINDIR/$APXS_PROGNAME" + fi + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs HTTPD: $APXS_HTTPD); fi +else + if test "$report_errors" -eq 1; then + AC_MSG_ERROR(couldn't find APXS) + else + AC_MSG_NOTICE(couldn't find APXS) + fi +fi + +### Build *EXTRA_CFLAGS vars + +# Allow overriding EXTRA_CFLAGS +if $ENV_CMD | $GREP "^EXTRA_CFLAGS" > /dev/null 2>&1; then + if test -z "$debug_mem"; then + EXTRA_CFLAGS="$EXTRA_CFLAGS $strict_compile" + fi +else + if test -n "$debug_mem"; then + EXTRA_CFLAGS="-O0 -g -Wall" + else + EXTRA_CFLAGS="-O2 -g -Wall $strict_compile" + fi +fi +EXTRA_CFLAGS="$EXTRA_CFLAGS $assertions" + +MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type $unique_id $log_filename $log_server $log_collection_delete_problem $log_dechunk $log_stopwatch $log_handler $log_server_context $collection_global_lock $large_stream_input" + +APXS_WRAPPER=build/apxs-wrapper +APXS_EXTRA_CFLAGS="" +for f in $EXTRA_CFLAGS; do + APXS_EXTRA_CFLAGS="$APXS_EXTRA_CFLAGS -Wc,$f" +done; +MODSEC_APXS_EXTRA_CFLAGS="" +for f in $MODSEC_EXTRA_CFLAGS; do + MODSEC_APXS_EXTRA_CFLAGS="$MODSEC_APXS_EXTRA_CFLAGS -Wc,$f" +done; + +### Substitute the vars + +AC_SUBST(TOPLEVEL_SUBDIRS) +AC_SUBST(EXTRA_CFLAGS) +AC_SUBST(MODSEC_EXTRA_CFLAGS) +AC_SUBST(APXS) +AC_SUBST(APXS_WRAPPER) +AC_SUBST(APXS_INCLUDEDIR) +AC_SUBST(APXS_INCLUDES) +AC_SUBST(APXS_EXTRA_CFLAGS) +AC_SUBST(MODSEC_APXS_EXTRA_CFLAGS) +AC_SUBST(APXS_LDFLAGS) +AC_SUBST(APXS_LIBS) +AC_SUBST(APXS_CFLAGS) +AC_SUBST(APXS_LIBTOOL) +AC_SUBST(APXS_CC) +AC_SUBST(APXS_LIBDIR) +AC_SUBST(APXS_BINDIR) +AC_SUBST(APXS_SBINDIR) +AC_SUBST(APXS_PROGNAME) +AC_SUBST(APXS_LIBEXECDIR) +AC_SUBST(APXS_MODULES) +AC_SUBST(APXS_HTTPD) + +CHECK_PCRE() +CHECK_PCRE2() +if test "$build_apache2_module" -ne 0 -o "$build_mlogc" -ne 0; then +CHECK_APR() +CHECK_APU() +fi +CHECK_LIBXML2() +CHECK_LUA() +#if test "$build_mlogc" -ne 0; then +#CHECK_CURL() +#fi + +# Check for YAJL libs (for JSON body processor) +CHECK_YAJL() +#AC_SEARCH_LIBS([yajl_alloc], [yajl]) +CHECK_SSDEEP() +#AC_SEARCH_LIBS([fuzzy_hash_buf], [fuzzy]) + +# Temporarily set cflags for apr_crypto check, then restore +# since it's already used correctly to compile modsecurity module. +ORIG_CFLAGS="$CFLAGS $APU_CFLAGS" +ORIG_CPPFLAGS="$CPPFLAGS" +CFLAGS="$CFLAGS $APR_CFLAGS" +CPPFLAGS="$CPPFLAGS $APR_CPPFLAGS" +AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ #include ]], + [[ + #if APU_HAVE_CRYPTO == 0 + #error APR util was not compiled with crypto support. + #endif + ]])], + [ AC_DEFINE([WITH_APU_CRYPTO], [1], [APR util was compiled with crypto support]) + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS -DWITH_APU_CRYPTO" + ], + [ AC_MSG_WARN([APR util was not compiled with crypto support. SecRemoteRule will not support the parameter 'crypto']) ] +) +# Restore env vars so that we don't clutter with duplicates that +# are eventually appended later on +CFLAGS="$ORIG_CFLAGS" +CPPFLAGS="$ORIG_CPPFLAGS" + +# Currently our unique download backend is curl, further we can support more. +if test ! -z "${CURL_VERSION}"; then + AC_DEFINE([WITH_REMOTE_RULES], [1], [Enables SecRemoteRules support]) + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS -DWITH_REMOTE_RULES" +fi + +AC_CONFIG_FILES([Makefile]) +AC_CONFIG_FILES([tools/Makefile]) +if test "$build_alp2" -ne 0; then +AC_CONFIG_FILES([alp2/Makefile]) +fi +if test "$build_apache2_module" -ne 0; then +AC_CONFIG_FILES([apache2/Makefile]) +fi +if test "$build_standalone_module" -ne 0; then +AC_CONFIG_FILES([standalone/Makefile]) +AC_CONFIG_FILES([nginx/modsecurity/config]) +fi +if test "$build_extentions" -ne 0; then +AC_CONFIG_FILES([ext/Makefile]) +fi +AC_CONFIG_FILES([build/apxs-wrapper], [chmod +x build/apxs-wrapper]) +if test -e "$PERL"; then + if test "$build_mlogc" -ne 0; then + AC_CONFIG_FILES([mlogc/mlogc-batch-load.pl], [chmod +x mlogc/mlogc-batch-load.pl]) + AC_CONFIG_FILES([tests/regression/misc/40-secRemoteRules.t]) + AC_CONFIG_FILES([tests/regression/misc/50-ipmatchfromfile-external.t]) + AC_CONFIG_FILES([tests/regression/misc/60-pmfromfile-external.t]) + fi + AC_CONFIG_FILES([tests/run-unit-tests.pl], [chmod +x tests/run-unit-tests.pl]) + AC_CONFIG_FILES([tests/run-regression-tests.pl], [chmod +x tests/run-regression-tests.pl]) + AC_CONFIG_FILES([tests/gen_rx-pm.pl], [chmod +x tests/gen_rx-pm.pl]) + AC_CONFIG_FILES([tests/csv_rx-pm.pl], [chmod +x tests/csv_rx-pm.pl]) + AC_CONFIG_FILES([tests/regression/server_root/conf/httpd.conf]) + + # Perl based tools + AC_CONFIG_FILES([tools/rules-updater.pl], [chmod +x tools/rules-updater.pl]) +fi +if test "$build_mlogc" -ne 0; then + AC_CONFIG_FILES([mlogc/Makefile]) +fi +AC_CONFIG_FILES([tests/Makefile]) + +AC_OUTPUT From 556835c6fe04c8691f90de7564da3573480fe7b2 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Fri, 12 Apr 2024 18:04:16 +0200 Subject: [PATCH 13/18] Fixed corrupted character --- configure.ac | 1934 +++++++++++++++++++++++++------------------------- 1 file changed, 969 insertions(+), 965 deletions(-) diff --git a/configure.ac b/configure.ac index 3de3a53764..24a3dba7ef 100644 --- a/configure.ac +++ b/configure.ac @@ -1,965 +1,969 @@ -dnl -dnl Autoconf configuration for ModSecurity -dnl -dnl Use ./autogen.sh to produce a configure script -dnl - -AC_PREREQ(2.63) - -AC_INIT([modsecurity], [2.9], [support@modsecurity.org]) - -AC_CONFIG_MACRO_DIR([build]) -AC_CONFIG_SRCDIR([LICENSE]) -AC_CONFIG_HEADERS([apache2/modsecurity_config_auto.h]) -AC_CONFIG_AUX_DIR([build]) -AC_PREFIX_DEFAULT([/usr/local/modsecurity]) - -AM_INIT_AUTOMAKE([-Wall foreign subdir-objects]) -m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) - -LT_PREREQ([2.2]) -LT_INIT([dlopen]) - -# Checks for programs. -AC_PROG_AWK -AC_PROG_CC -AC_PROG_CPP -AC_PROG_INSTALL -AC_PROG_LN_S -AC_PROG_MAKE_SET -AC_PROG_GREP -AC_PATH_PROGS(PERL, [perl perl5], ) -AC_PATH_PROGS(ENV_CMD, [env printenv], ) -PKG_PROG_PKG_CONFIG - -# Checks for header files. -AC_CHECK_HEADERS([fcntl.h limits.h stdlib.h string.h unistd.h sys/types.h sys/stat.h sys/utsname.h]) - -# Checks for typedefs, structures, and compiler characteristics. -AC_C_CONST -AC_C_INLINE -AC_C_RESTRICT -AC_TYPE_PID_T -AC_TYPE_SIZE_T -AC_STRUCT_TM -AC_TYPE_UINT8_T - -# Checks for library functions. -AC_FUNC_MALLOC -AC_FUNC_MEMCMP -AC_CHECK_FUNCS([atexit getcwd memmove memset strcasecmp strchr strdup strerror strncasecmp strrchr strstr strtol fchmod strcasestr]) - -# Some directories -MSC_BASE_DIR=`pwd` -MSC_PKGBASE_DIR="$MSC_BASE_DIR/.." -MSC_TEST_DIR="$MSC_BASE_DIR/tests" -MSC_REGRESSION_DIR="$MSC_TEST_DIR/regression" -MSC_REGRESSION_SERVERROOT_DIR="$MSC_REGRESSION_DIR/server_root" -MSC_REGRESSION_CONF_DIR="$MSC_REGRESSION_SERVERROOT_DIR/conf" -MSC_REGRESSION_LOGS_DIR="$MSC_REGRESSION_SERVERROOT_DIR/logs" -MSC_REGRESSION_DOCROOT_DIR="$MSC_REGRESSION_SERVERROOT_DIR/htdocs" - -AC_SUBST(MSC_BASE_DIR) -AC_SUBST(MSC_PKGBASE_DIR) -AC_SUBST(MSC_TEST_DIR) -AC_SUBST(MSC_REGRESSION_DIR) -AC_SUBST(MSC_REGRESSION_SERVERROOT_DIR) -AC_SUBST(MSC_REGRESSION_CONF_DIR) -AC_SUBST(MSC_REGRESSION_LOGS_DIR) -AC_SUBST(MSC_REGRESSION_DOCROOT_DIR) - -### Configure Options - -# Verbose output -AC_ARG_ENABLE(verbose-output, - AS_HELP_STRING([--enable-verbose-output], - [Enable more verbose configure output.]), -[ - if test "$enableval" != "no"; then - verbose_output=1 - else - verbose_output=0 - fi -], -[ - verbose_output=0 -]) - - -#OS type - -AC_CANONICAL_HOST -CANONICAL_HOST=$host - -AH_TEMPLATE([AIX], [Define if the operating system is AIX]) -AH_TEMPLATE([LINUX], [Define if the operating system is LINUX]) -AH_TEMPLATE([OPENBSD], [Define if the operating system is OpenBSD]) -AH_TEMPLATE([SOLARIS], [Define if the operating system is SOLARIS]) -AH_TEMPLATE([HPUX], [Define if the operating system is HPUX]) -AH_TEMPLATE([MACOSX], [Define if the operating system is Macintosh OSX]) -AH_TEMPLATE([FREEBSD], [Define if the operating system is FREEBSD]) -AH_TEMPLATE([NETBSD], [Define if the operating system is NetBSD]) - - -case $host in - *-*-aix*) - echo "Checking platform... Identified as AIX" - aixos=true - ;; - *-*-hpux*) - echo "Checking platform... Identified as HPUX" - hpuxos=true - ;; - *-*-darwin*) - echo "Checking platform... Identified as Macintosh OS X" - macos=true - ;; - *-*-linux*) - echo "Checking platform... Identified as Linux" - linuxos=true - case "${host_cpu}" in - s390x) - cpu_type="-DLINUX_S390" - ;; - esac - ;; - *-*-solaris*) - echo "Checking platform... Identified as Solaris" - solarisos=true - ;; - *-*-freebsd*) - echo "Checking platform... Identified as FreeBSD" - freebsdos=true - ;; - *-*-netbsd*) - echo "Checking platform... Identified as NetBSD" - netbsdos=true - ;; - *-*-openbsd*) - echo "Checking platform... Identified as OpenBSD" - openbsdos=true - ;; - *-*-kfreebsd*) - echo "Checking platform... Identified as kFreeBSD, treating as linux" - linuxos=true - ;; - *-*-gnu*.*) - echo "Checking platform... Identified as HURD, treating as linux" - linuxos=true - ;; - *) - echo "Unknown CANONICAL_HOST $host" - exit - ;; -esac - -AM_CONDITIONAL([AIX], [test x$aixos = xtrue]) -AM_CONDITIONAL([HPUX], [test x$hpuxos = xtrue]) -AM_CONDITIONAL([MACOSX], [test x$macos = xtrue]) -AM_CONDITIONAL([LINUX], [test x$linuxos = xtrue]) -AM_CONDITIONAL([LINUX390], [test x$linuxos390 = xtrue]) -AM_CONDITIONAL([SOLARIS], [test x$solarisos = xtrue]) -AM_CONDITIONAL([FREEBSD], [test x$freebsdos = xtrue]) -AM_CONDITIONAL([OPENBSD], [test x$openbsdos = xtrue]) -AM_CONDITIONAL([NETBSD], [test x$netbsdos = xtrue]) - -#Subdirs -TOPLEVEL_SUBDIRS="tools" - -# Apache2 Module -AC_ARG_ENABLE(apache2-module, - AS_HELP_STRING([--disable-apache2-module], - [Disable building Apache2 module.]), -[ - if test "$enableval" != "no"; then - build_apache2_module=1 - else - build_apache2_module=0 - fi -], -[ - build_apache2_module=1 -]) -AM_CONDITIONAL([BUILD_APACHE2_MODULE], [test "$build_apache2_module" -eq 1]) -if test "$build_apache2_module" -eq 1; then - TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS apache2" -fi - - -# Standalone Module -AC_ARG_ENABLE(standalone-module, - AS_HELP_STRING([--enable-standalone-module], - [Enable building standalone module.]), -[ - if test "$enableval" != "no"; then - build_standalone_module=1 - else - build_standalone_module=0 - fi -], -[ - build_standalone_module=0 -]) -AM_CONDITIONAL([BUILD_STANDALONE_MODULE], [test "$build_standalone_module" -eq 1]) -if test "$build_standalone_module" -eq 1; then - TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS standalone" -fi - - -# Extensions -AC_ARG_ENABLE(extentions, - AS_HELP_STRING([--enable-extentions], - [Enable building extension.]), -[ - if test "$enableval" != "no"; then - build_extentions=1 - else - build_extentions=0 - fi -], -[ - build_extentions=0 -]) -AM_CONDITIONAL([BUILD_extentions], [test "$build_extentions" -eq 1]) -if test "$build_extentions" -eq 1; then - TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS ext" -fi - - -# Mlogc -AC_ARG_ENABLE(mlogc, - AS_HELP_STRING([--disable-mlogc], - [Disable building mlogc.]), -[ - if test "$enableval" != "no"; then - build_mlogc=1 - else - build_mlogc=0 - fi -], -[ - build_mlogc=1 -]) - -CHECK_CURL() - -if test -z "${CURL_VERSION}"; then - AC_MSG_NOTICE([NOTE: mlogc compilation was disabled.]) - build_mlogc=0 -fi - -AM_CONDITIONAL([BUILD_MLOGC], [test "$build_mlogc" -eq 1]) -if test "$build_mlogc" -eq 1; then - TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS mlogc" -fi - -# Audit Log Parser v2 (ALP2) -AC_ARG_ENABLE(alp2, - AS_HELP_STRING([--enable-alp2], - [Enable building audit log parser lib.]), -[ - if test "$enableval" != "no"; then - build_alp2=1 - else - build_alp2=0 - fi -], -[ - build_alp2=0 -]) -AM_CONDITIONAL([BUILD_ALP2], [test "$build_alp2" -eq 1]) -if test "$build_alp2" -eq 1; then - TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS alp2" -fi - -# Documentation -AC_ARG_ENABLE(docs, - AS_HELP_STRING([--enable-docs], - [Enable building documentation.]), -[ - if test "$enableval" != "no"; then - build_docs=1 - else - build_docs=0 - fi -], -[ - build_docs=0 -]) -AM_CONDITIONAL([BUILD_DOCS], [test "$build_docs" -eq 1]) -if test "$build_docs" -eq 1; then - TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS doc" - AC_CHECK_PROGS([DOXYGEN], [doxygen]) - if test -z "$DOXYGEN"; then - AC_MSG_WARN([Doxygen not found - continue without Doxygen support]) - fi - if test "$build_apache2_module" -eq 1; then - AC_CONFIG_FILES([doc/doxygen-apache]) - fi - if test "$build_standalone_module" -eq 1; then - AC_CONFIG_FILES([doc/doxygen-nginx]) - AC_CONFIG_FILES([doc/doxygen-iis]) - AC_CONFIG_FILES([doc/doxygen-standalone]) - fi - AC_CONFIG_FILES([doc/Makefile]) -fi - -AC_ARG_ENABLE(assertions, - AS_HELP_STRING([--enable-assertions], - [Turn on assertions checks (undefine NDEBUG)]), -[ - if test "${enableval}" = "yes"; then - assertions=-UNDEBUG - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $assertions" - else - assertions=-DNDEBUG - fi -], -[ - assertions=-DNDEBUG -]) -# Add PCRE Studying - -AC_ARG_ENABLE(pcre-study, - AS_HELP_STRING([--enable-pcre-study], - [Enable PCRE regex studying during configure.]), -[ - if test "$enableval" != "no"; then - pcre_study='-DWITH_PCRE_STUDY' - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $pcre_study" - else - pcre_study='' - fi -], -[ - pcre_study='-DWITH_PCRE_STUDY' -]) - -# Add PCRE JIT - -AC_ARG_ENABLE(pcre-jit, - AS_HELP_STRING([--enable-pcre-jit], - [Enable PCRE regex jit support during configure.]), -[ - if test "$enableval" != "no"; then - pcre_jit='-DWITH_PCRE_JIT' - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $pcre_jit" - else - pcre_jit='' - fi -], -[ - pcre_jit='' -]) - - -# Limit PCRE matching -AC_ARG_ENABLE(pcre-match-limit, - AS_HELP_STRING([--enable-pcre-match-limit], - [Enable PCRE regex match limit during configure.]), -[ - if test "$enableval" = "yes"; then - AC_MSG_ERROR([PCRE match limits require a numeric value]) - elif test "$enableval" = "no"; then - pcre_match_limit='' - else - pcre_match_limit="-DMODSEC_PCRE_MATCH_LIMIT=$enableval" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $pcre_match_limit" - fi -], -[ - pcre_match_limit='-DMODSEC_PCRE_MATCH_LIMIT=1500' -]) - -# Limit PCRE matching recursion -AC_ARG_ENABLE(pcre-match-limit-recursion, - AS_HELP_STRING([--enable-pcre-match-limit-recursion], - [Enable PCRE regex match limit recursion during configure.]), -[ - if test "$enableval" = "yes"; then - AC_MSG_ERROR([PCRE match limits require a numeric value]) - elif test "$enableval" = "no"; then - pcre_match_limit_recursion='' - else - pcre_match_limit_recursion="-DMODSEC_PCRE_MATCH_LIMIT_RECURSION=$enableval" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $pcre_match_limit_recursion" - fi -], -[ - pcre_match_limit_recursion='-DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500' -]) - -# Enable Lua per transaction cache -AC_ARG_ENABLE(lua-cache, - AS_HELP_STRING([--enable-lua-cache], - [Enable Lua per transaction cache.]), -[ - if test "$enableval" != "no"; then - lua_cache="-DCACHE_LUA" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $lua_cache" - else - lua_cache= - fi -], -[ - lua_cache= -]) - -# Enable phase-1 in post_read_request -AC_ARG_ENABLE(htaccess-config, - AS_HELP_STRING([--enable-htaccess-config], - [Enable some mod_security directives into htaccess files.]), -[ - if test "$enableval" != "no"; then - htaccess_config="-DHTACCESS_CONFIG" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $htaccess_config" - else - htaccess_config= - fi -], -[ - htaccess_config= -]) - -# Enable phase-1 in post_read_request -AC_ARG_ENABLE(request-early, - AS_HELP_STRING([--enable-request-early], - [Place phase1 into post_read_request hook. default is hook_request_early]), -[ - if test "$enableval" != "no"; then - request_early="-DREQUEST_EARLY" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $request_early" - else - request_early= - fi -], -[ - request_early='-DREQUEST_EARLY' -]) - -# Enable duplicate rules id -AC_ARG_ENABLE(rule-id-validation, - AS_HELP_STRING([--enable-rule-id-validation], - [Forbid duplicate rule ids and missing ones. This is the default]), -[ - if test "$enableval" != "no"; then - unique_id= - else - unique_id="-DALLOW_ID_NOT_UNIQUE" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $unique_id" - fi -], -[ - unique_id='' -]) - -# Disable logging of filename -AC_ARG_ENABLE(filename-logging, - AS_HELP_STRING([--enable-filename-logging], - [Enable logging of filename in audit log. This is the default]), -[ - if test "$enableval" != "no"; then - log_filename= - else - log_filename="-DLOG_NO_FILENAME" - fi -], -[ - log_filename='' -]) - -# Disable logging of "Server" -AC_ARG_ENABLE(server-logging, - AS_HELP_STRING([--enable-server-logging], - [Enable logging of "Server" in audit log when log level < 9. This is the default]), -[ - if test "$enableval" != "no"; then - log_server= - else - log_server="-DLOG_NO_SERVER" - fi -], -[ - log_server='' -]) - -# Disable logging of problem when deleting collection -AC_ARG_ENABLE(collection-delete-problem-logging, - AS_HELP_STRING([--enable-collection-delete-problem-logging], - [Enable logging of collection delete problem even when log level is < 9. This is the default]), -[ - if test "$enableval" != "no"; then - log_collection_delete_problem= - else - log_collection_delete_problem="-DLOG_NO_COLL_DELET_PB" - fi -], -[ - log_collection_delete_problem='' -]) - -# Disable logging of Apache handler -AC_ARG_ENABLE(handler-logging, - AS_HELP_STRING([--enable-handler-logging], - [Enable logging of Apache handler in audit log even when log level is < 9. This is the default]), -[ - if test "$enableval" != "no"; then - log_handler= - else - log_handler="-DLOG_NO_HANDLER" - fi -], -[ - log_handler='' -]) - -# Disable logging of dechunking -AC_ARG_ENABLE(dechunk-logging, - AS_HELP_STRING([--enable-dechunk-logging], - [Enable logging of dechunking even when log level is < 9. This is the default]), -[ - if test "$enableval" != "no"; then - log_dechunk= - else - log_dechunk="-DLOG_NO_DECHUNK" - fi -], -[ - log_dechunk='' -]) - -# Disable logging of stopwatches -AC_ARG_ENABLE(stopwatch-logging, - AS_HELP_STRING([--enable-stopwatch-logging], - [Enable logging of stopwatches even when log level is < 9. This is the default]), -[ - if test "$enableval" != "no"; then - log_stopwatch= - else - log_stopwatch="-DLOG_NO_STOPWATCH" - fi -], -[ - log_stopwatch='' -]) - -# Disable logging of server context -AC_ARG_ENABLE(server-context-logging, - AS_HELP_STRING([--enable-server-context-logging], - [Enable logging of server info (log producer, sanitized objects, ...) in audit log even when log level < 9. This is the default]), -[ - if test "$enableval" != "no"; then - log_server_context= - else - log_server_context="-DLOG_NO_SERVER_CONTEXT" - fi -], -[ - log_server_context='' -]) - - -# Enable collection's global lock -AC_ARG_ENABLE(collection-global-lock, - AS_HELP_STRING([--enable-collection-global-lock], - [Enable collection correctness by using a global lock. May reduce performance significatively. This is disabled by default]), -[ - if test "$enableval" != "yes"; then - collection_global_lock="" - else - collection_global_lock="-DGLOBAL_COLLECTION_LOCK" - fi -], -[ - collection_global_lock='' -]) - - -# Ignore configure errors -AC_ARG_ENABLE(errors, - AS_HELP_STRING([--disable-errors], - [Disable errors during configure.]), -[ - if test "$enableval" != "no"; then - report_errors=1 - else - report_errors=0 - fi -], -[ - report_errors=1 -]) - - -# Strict Compile -AC_ARG_ENABLE(strict-compile, - AS_HELP_STRING([--enable-strict-compile], - [Enable strict compilation (warnings are errors).]), -[ - if test "$enableval" != "no"; then - strict_compile="-std=c99 -Wstrict-overflow=1 -Wextra -Wno-missing-field-initializers -Wshadow -Wpointer-arith -Wstrict-prototypes -Wmissing-prototypes -Wno-unused-parameter -Wformat -Wformat-security -Werror -fstack-protector -D_FORTIFY_SOURCE=2" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $strict_compile" - else - strict_compile= - fi -], -[ - strict_compile= -]) - -# DEBUG_CONF -AC_ARG_ENABLE(debug-conf, - AS_HELP_STRING([--enable-debug-conf], - [Enable debug during configuration.]), -[ - if test "$enableval" != "no"; then - debug_conf="-DDEBUG_CONF" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $debug_conf" - else - debug_conf= - fi -], -[ - debug_conf= -]) - -# CACHE_DEBUG -AC_ARG_ENABLE(debug-cache, - AS_HELP_STRING([--enable-debug-cache], - [Enable debug for transformation caching.]), -[ - if test "$enableval" != "no"; then - debug_cache="-DCACHE_DEBUG" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $debug_cache" - else - debug_cache= - fi -], -[ - debug_cache= -]) - -# DEBUG_ACMP -AC_ARG_ENABLE(debug-acmp, - AS_HELP_STRING([--enable-debug-acmp], - [Enable debugging acmp code.]), -[ - if test "$enableval" != "no"; then - debug_acmp="-DDEBUG_ACMP" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $debug_acmp" - else - debug_acmp= - fi -], -[ - debug_acmp= -]) - -# DEBUG_MEM -AC_ARG_ENABLE(debug-mem, - AS_HELP_STRING([--enable-debug-mem], - [Enable debug during configuration.]), -[ - if test "$enableval" != "no"; then - debug_mem="-DDEBUG_MEM" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $debug_mem" - else - debug_mem= - fi -], -[ - debug_mem= -]) - -# PERFORMANCE_MEASUREMENT -AC_ARG_ENABLE(performance-measurement, - AS_HELP_STRING([--enable-performance-measurement], - [Enable performance-measurement stats.]), -[ - if test "$enableval" != "no"; then - perf_meas="-DPERFORMANCE_MEASUREMENT" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $perf_meas" - else - perf_meas= - fi -], -[ - perf_meas= -]) - -# NO_MODSEC_API -AC_ARG_ENABLE(modsec-api, - AS_HELP_STRING([--disable-modsec-api], - [Disable the API; compiling against some older Apache versions require this.]), -[ - if test "$enableval" != "yes"; then - modsec_api="-DNO_MODSEC_API" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $modsec_api" - else - modsec_api= - fi -], -[ - modsec_api= -]) - -# MSC_LARGE_STREAM_INPUT -AC_ARG_ENABLE(large-stream-input, - AS_HELP_STRING([--enable-large-stream-input], - [Enable optimization for large stream input]), -[ - if test "$enableval" = "yes"; then - large_stream_input="-DMSC_LARGE_STREAM_INPUT" - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $large_stream_input" - else - large_stream_input= - fi -], -[ - large_stream_input= -]) - -# Find apxs -AC_MSG_NOTICE(looking for Apache module support via DSO through APXS) -AC_ARG_WITH(apxs, - [AS_HELP_STRING([[--with-apxs=FILE]], - [FILE is the path to apxs; defaults to "apxs".])], -[ - if test "$withval" = "yes"; then - APXS=apxs - else - APXS="$withval" - fi -]) - -if test -z "$APXS"; then - for i in /usr/local/apache22/bin \ - /usr/local/apache2/bin \ - /usr/local/apache/bin \ - /usr/local/sbin \ - /usr/local/bin \ - /usr/sbin \ - /usr/bin; - do - if test -f "$i/apxs2"; then - APXS="$i/apxs2" - break - elif test -f "$i/apxs"; then - APXS="$i/apxs" - break - fi - done -fi - -# arbitrarily picking the same version subversion looks for, don't know how -# accurate this really is, but at least it'll force us to have apache2... -HTTPD_WANTED_MMN=20020903 - -if test -n "$APXS" -a "$APXS" != "no" -a -x "$APXS" ; then - APXS_INCLUDE="`$APXS -q INCLUDEDIR`" - if test -r $APXS_INCLUDE/httpd.h; then - AC_MSG_NOTICE(found apxs at $APXS) - AC_MSG_NOTICE(checking httpd version) - AC_EGREP_CPP(VERSION_OK, - [ -#include "$APXS_INCLUDE/ap_mmn.h" -#if AP_MODULE_MAGIC_AT_LEAST($HTTPD_WANTED_MMN,0) -VERSION_OK -#endif], - [AC_MSG_NOTICE(httpd is recent enough)], - [ - if test "$report_errors" -eq 1; then - AC_MSG_ERROR(apache is too old, mmn must be at least $HTTPD_WANTED_MMN) - else - AC_MSG_NOTICE(apache is too old, mmn must be at least $HTTPD_WANTED_MMN) - fi - ]) -ÿfi - APXS_INCLUDEDIR="`$APXS -q INCLUDEDIR`" - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs INCLUDEDIR: $APXS_INCLUDEDIR); fi - # Make sure the include dir is used - if test -n "$APXS_INCLUDEDIR"; then - APXS_INCLUDES="-I${APXS_INCLUDEDIR} `$APXS -q INCLUDES` `$APXS -q EXTRA_INCLUDES`" - else - APXS_INCLUDES="`$APXS -q INCLUDES` `$APXS -q EXTRA_INCLUDES`" - fi - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs INCLUDES: $APXS_INCLUDES); fi - APXS_CFLAGS=-I`$APXS -q INCLUDEDIR` - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs CFLAGS: $APXS_CFLAGS); fi - APXS_LDFLAGS= - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LDFLAGS: $APXS_LDFLAGS); fi - APXS_LIBDIR="`$APXS -q LIBDIR`" - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LIBDIR: $APXS_LIBDIR); fi - # Make sure the lib dir is used - if test -n "$APXS_LIBDIR"; then - APXS_LIBS="-L${APXS_LIBDIR} `$APXS -q LIBS` `$APXS -q EXTRA_LIBS`" - else - APXS_LIBS="`$APXS -q LIBS` `$APXS -q EXTRA_LIBS`" - fi - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LIBS: $APXS_LIBS); fi - APXS_LIBTOOL="`$APXS -q LIBTOOL`" - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LIBTOOL: $APXS_LIBTOOL); fi - APXS_CC="`$APXS -q CC`" - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs CC: $APXS_CC); fi - APXS_BINDIR="`$APXS -q BINDIR`" - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs BINDIR: $APXS_BINDIR); fi - APXS_SBINDIR="`$APXS -q SBINDIR`" - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs SBINDIR: $APXS_SBINDIR); fi - APXS_PROGNAME="`$APXS -q PROGNAME`" - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs PROGNAME: $APXS_PROGNAME); fi - APXS_LIBEXECDIR="`$APXS -q LIBEXECDIR`" - if test "xx$APXS_LIBEXECDIR" = "xx"; then APXS_LIBEXECDIR="`$APXS -q LIBDIR`/modules"; fi - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LIBEXECDIR: $APXS_LIBEXECDIR); fi - APXS_MODULES=$APXS_LIBEXECDIR - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs MODULES: $APXS_MODULES); fi - if test "$APXS_SBINDIR" = "/"; then - APXS_HTTPD="$APXS_SBINDIR/$APXS_PROGNAME" - else - APXS_HTTPD="$APXS_SBINDIR/$APXS_PROGNAME" - fi - if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs HTTPD: $APXS_HTTPD); fi -else - if test "$report_errors" -eq 1; then - AC_MSG_ERROR(couldn't find APXS) - else - AC_MSG_NOTICE(couldn't find APXS) - fi -fi - -### Build *EXTRA_CFLAGS vars - -# Allow overriding EXTRA_CFLAGS -if $ENV_CMD | $GREP "^EXTRA_CFLAGS" > /dev/null 2>&1; then - if test -z "$debug_mem"; then - EXTRA_CFLAGS="$EXTRA_CFLAGS $strict_compile" - fi -else - if test -n "$debug_mem"; then - EXTRA_CFLAGS="-O0 -g -Wall" - else - EXTRA_CFLAGS="-O2 -g -Wall $strict_compile" - fi -fi -EXTRA_CFLAGS="$EXTRA_CFLAGS $assertions" - -MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type $unique_id $log_filename $log_server $log_collection_delete_problem $log_dechunk $log_stopwatch $log_handler $log_server_context $collection_global_lock $large_stream_input" - -APXS_WRAPPER=build/apxs-wrapper -APXS_EXTRA_CFLAGS="" -for f in $EXTRA_CFLAGS; do - APXS_EXTRA_CFLAGS="$APXS_EXTRA_CFLAGS -Wc,$f" -done; -MODSEC_APXS_EXTRA_CFLAGS="" -for f in $MODSEC_EXTRA_CFLAGS; do - MODSEC_APXS_EXTRA_CFLAGS="$MODSEC_APXS_EXTRA_CFLAGS -Wc,$f" -done; - -### Substitute the vars - -AC_SUBST(TOPLEVEL_SUBDIRS) -AC_SUBST(EXTRA_CFLAGS) -AC_SUBST(MODSEC_EXTRA_CFLAGS) -AC_SUBST(APXS) -AC_SUBST(APXS_WRAPPER) -AC_SUBST(APXS_INCLUDEDIR) -AC_SUBST(APXS_INCLUDES) -AC_SUBST(APXS_EXTRA_CFLAGS) -AC_SUBST(MODSEC_APXS_EXTRA_CFLAGS) -AC_SUBST(APXS_LDFLAGS) -AC_SUBST(APXS_LIBS) -AC_SUBST(APXS_CFLAGS) -AC_SUBST(APXS_LIBTOOL) -AC_SUBST(APXS_CC) -AC_SUBST(APXS_LIBDIR) -AC_SUBST(APXS_BINDIR) -AC_SUBST(APXS_SBINDIR) -AC_SUBST(APXS_PROGNAME) -AC_SUBST(APXS_LIBEXECDIR) -AC_SUBST(APXS_MODULES) -AC_SUBST(APXS_HTTPD) - -CHECK_PCRE() -CHECK_PCRE2() -if test "$build_apache2_module" -ne 0 -o "$build_mlogc" -ne 0; then -CHECK_APR() -CHECK_APU() -fi -CHECK_LIBXML2() -CHECK_LUA() -#if test "$build_mlogc" -ne 0; then -#CHECK_CURL() -#fi - -# Check for YAJL libs (for JSON body processor) -CHECK_YAJL() -#AC_SEARCH_LIBS([yajl_alloc], [yajl]) -CHECK_SSDEEP() -#AC_SEARCH_LIBS([fuzzy_hash_buf], [fuzzy]) - -# Temporarily set cflags for apr_crypto check, then restore -# since it's already used correctly to compile modsecurity module. -ORIG_CFLAGS="$CFLAGS $APU_CFLAGS" -ORIG_CPPFLAGS="$CPPFLAGS" -CFLAGS="$CFLAGS $APR_CFLAGS" -CPPFLAGS="$CPPFLAGS $APR_CPPFLAGS" -AC_LINK_IFELSE( - [AC_LANG_PROGRAM([[ #include ]], - [[ - #if APU_HAVE_CRYPTO == 0 - #error APR util was not compiled with crypto support. - #endif - ]])], - [ AC_DEFINE([WITH_APU_CRYPTO], [1], [APR util was compiled with crypto support]) - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS -DWITH_APU_CRYPTO" - ], - [ AC_MSG_WARN([APR util was not compiled with crypto support. SecRemoteRule will not support the parameter 'crypto']) ] -) -# Restore env vars so that we don't clutter with duplicates that -# are eventually appended later on -CFLAGS="$ORIG_CFLAGS" -CPPFLAGS="$ORIG_CPPFLAGS" - -# Currently our unique download backend is curl, further we can support more. -if test ! -z "${CURL_VERSION}"; then - AC_DEFINE([WITH_REMOTE_RULES], [1], [Enables SecRemoteRules support]) - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS -DWITH_REMOTE_RULES" -fi - -AC_CONFIG_FILES([Makefile]) -AC_CONFIG_FILES([tools/Makefile]) -if test "$build_alp2" -ne 0; then -AC_CONFIG_FILES([alp2/Makefile]) -fi -if test "$build_apache2_module" -ne 0; then -AC_CONFIG_FILES([apache2/Makefile]) -fi -if test "$build_standalone_module" -ne 0; then -AC_CONFIG_FILES([standalone/Makefile]) -AC_CONFIG_FILES([nginx/modsecurity/config]) -fi -if test "$build_extentions" -ne 0; then -AC_CONFIG_FILES([ext/Makefile]) -fi -AC_CONFIG_FILES([build/apxs-wrapper], [chmod +x build/apxs-wrapper]) -if test -e "$PERL"; then - if test "$build_mlogc" -ne 0; then - AC_CONFIG_FILES([mlogc/mlogc-batch-load.pl], [chmod +x mlogc/mlogc-batch-load.pl]) - AC_CONFIG_FILES([tests/regression/misc/40-secRemoteRules.t]) - AC_CONFIG_FILES([tests/regression/misc/50-ipmatchfromfile-external.t]) - AC_CONFIG_FILES([tests/regression/misc/60-pmfromfile-external.t]) - fi - AC_CONFIG_FILES([tests/run-unit-tests.pl], [chmod +x tests/run-unit-tests.pl]) - AC_CONFIG_FILES([tests/run-regression-tests.pl], [chmod +x tests/run-regression-tests.pl]) - AC_CONFIG_FILES([tests/gen_rx-pm.pl], [chmod +x tests/gen_rx-pm.pl]) - AC_CONFIG_FILES([tests/csv_rx-pm.pl], [chmod +x tests/csv_rx-pm.pl]) - AC_CONFIG_FILES([tests/regression/server_root/conf/httpd.conf]) - - # Perl based tools - AC_CONFIG_FILES([tools/rules-updater.pl], [chmod +x tools/rules-updater.pl]) -fi -if test "$build_mlogc" -ne 0; then - AC_CONFIG_FILES([mlogc/Makefile]) -fi -AC_CONFIG_FILES([tests/Makefile]) - -AC_OUTPUT +dnl +dnl Autoconf configuration for ModSecurity +dnl +dnl Use ./autogen.sh to produce a configure script +dnl + +AC_PREREQ(2.63) + +AC_INIT([modsecurity], [2.9], [support@modsecurity.org]) + +AC_CONFIG_MACRO_DIR([build]) +AC_CONFIG_SRCDIR([LICENSE]) +AC_CONFIG_HEADERS([apache2/modsecurity_config_auto.h]) +AC_CONFIG_AUX_DIR([build]) +AC_PREFIX_DEFAULT([/usr/local/modsecurity]) + +AM_INIT_AUTOMAKE([-Wall foreign subdir-objects]) +m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) + +LT_PREREQ([2.2]) +LT_INIT([dlopen]) + +# Checks for programs. +AC_PROG_AWK +AC_PROG_CC +AC_PROG_CPP +AC_PROG_INSTALL +AC_PROG_LN_S +AC_PROG_MAKE_SET +AC_PROG_GREP +AC_PATH_PROGS(PERL, [perl perl5], ) +AC_PATH_PROGS(ENV_CMD, [env printenv], ) +PKG_PROG_PKG_CONFIG + +# Checks for header files. +AC_CHECK_HEADERS([fcntl.h limits.h stdlib.h string.h unistd.h sys/types.h sys/stat.h sys/utsname.h]) + +# Checks for typedefs, structures, and compiler characteristics. +AC_C_CONST +AC_C_INLINE +AC_C_RESTRICT +AC_TYPE_PID_T +AC_TYPE_SIZE_T +AC_STRUCT_TM +AC_TYPE_UINT8_T + +# Checks for library functions. +AC_FUNC_MALLOC +AC_FUNC_MEMCMP +AC_CHECK_FUNCS([atexit getcwd memmove memset strcasecmp strchr strdup strerror strncasecmp strrchr strstr strtol fchmod strcasestr]) + +# Some directories +MSC_BASE_DIR=`pwd` +MSC_PKGBASE_DIR="$MSC_BASE_DIR/.." +MSC_TEST_DIR="$MSC_BASE_DIR/tests" +MSC_REGRESSION_DIR="$MSC_TEST_DIR/regression" +MSC_REGRESSION_SERVERROOT_DIR="$MSC_REGRESSION_DIR/server_root" +MSC_REGRESSION_CONF_DIR="$MSC_REGRESSION_SERVERROOT_DIR/conf" +MSC_REGRESSION_LOGS_DIR="$MSC_REGRESSION_SERVERROOT_DIR/logs" +MSC_REGRESSION_DOCROOT_DIR="$MSC_REGRESSION_SERVERROOT_DIR/htdocs" + +AC_SUBST(MSC_BASE_DIR) +AC_SUBST(MSC_PKGBASE_DIR) +AC_SUBST(MSC_TEST_DIR) +AC_SUBST(MSC_REGRESSION_DIR) +AC_SUBST(MSC_REGRESSION_SERVERROOT_DIR) +AC_SUBST(MSC_REGRESSION_CONF_DIR) +AC_SUBST(MSC_REGRESSION_LOGS_DIR) +AC_SUBST(MSC_REGRESSION_DOCROOT_DIR) + +### Configure Options + +# Verbose output +AC_ARG_ENABLE(verbose-output, + AS_HELP_STRING([--enable-verbose-output], + [Enable more verbose configure output.]), +[ + if test "$enableval" != "no"; then + verbose_output=1 + else + verbose_output=0 + fi +], +[ + verbose_output=0 +]) + + +#OS type + +AC_CANONICAL_HOST +CANONICAL_HOST=$host + +AH_TEMPLATE([AIX], [Define if the operating system is AIX]) +AH_TEMPLATE([LINUX], [Define if the operating system is LINUX]) +AH_TEMPLATE([OPENBSD], [Define if the operating system is OpenBSD]) +AH_TEMPLATE([SOLARIS], [Define if the operating system is SOLARIS]) +AH_TEMPLATE([HPUX], [Define if the operating system is HPUX]) +AH_TEMPLATE([MACOSX], [Define if the operating system is Macintosh OSX]) +AH_TEMPLATE([FREEBSD], [Define if the operating system is FREEBSD]) +AH_TEMPLATE([NETBSD], [Define if the operating system is NetBSD]) + + +case $host in + *-*-aix*) + echo "Checking platform... Identified as AIX" + aixos=true + ;; + *-*-hpux*) + echo "Checking platform... Identified as HPUX" + hpuxos=true + ;; + *-*-darwin*) + echo "Checking platform... Identified as Macintosh OS X" + macos=true + ;; + *-*-linux*) + echo "Checking platform... Identified as Linux" + linuxos=true + case "${host_cpu}" in + s390x) + cpu_type="-DLINUX_S390" + ;; + esac + ;; + *-*-solaris*) + echo "Checking platform... Identified as Solaris" + solarisos=true + ;; + *-*-freebsd*) + echo "Checking platform... Identified as FreeBSD" + freebsdos=true + ;; + *-*-netbsd*) + echo "Checking platform... Identified as NetBSD" + netbsdos=true + ;; + *-*-openbsd*) + echo "Checking platform... Identified as OpenBSD" + openbsdos=true + ;; + *-*-kfreebsd*) + echo "Checking platform... Identified as kFreeBSD, treating as linux" + linuxos=true + ;; + *-*-gnu*.*) + echo "Checking platform... Identified as HURD, treating as linux" + linuxos=true + ;; + *) + echo "Unknown CANONICAL_HOST $host" + exit + ;; +esac + +AM_CONDITIONAL([AIX], [test x$aixos = xtrue]) +AM_CONDITIONAL([HPUX], [test x$hpuxos = xtrue]) +AM_CONDITIONAL([MACOSX], [test x$macos = xtrue]) +AM_CONDITIONAL([LINUX], [test x$linuxos = xtrue]) +AM_CONDITIONAL([LINUX390], [test x$linuxos390 = xtrue]) +AM_CONDITIONAL([SOLARIS], [test x$solarisos = xtrue]) +AM_CONDITIONAL([FREEBSD], [test x$freebsdos = xtrue]) +AM_CONDITIONAL([OPENBSD], [test x$openbsdos = xtrue]) +AM_CONDITIONAL([NETBSD], [test x$netbsdos = xtrue]) + +#Subdirs +TOPLEVEL_SUBDIRS="tools" + +# Apache2 Module +AC_ARG_ENABLE(apache2-module, + AS_HELP_STRING([--disable-apache2-module], + [Disable building Apache2 module.]), +[ + if test "$enableval" != "no"; then + build_apache2_module=1 + else + build_apache2_module=0 + fi +], +[ + build_apache2_module=1 +]) +AM_CONDITIONAL([BUILD_APACHE2_MODULE], [test "$build_apache2_module" -eq 1]) +if test "$build_apache2_module" -eq 1; then + TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS apache2" +fi + + +# Standalone Module +AC_ARG_ENABLE(standalone-module, + AS_HELP_STRING([--enable-standalone-module], + [Enable building standalone module.]), +[ + if test "$enableval" != "no"; then + build_standalone_module=1 + else + build_standalone_module=0 + fi +], +[ + build_standalone_module=0 +]) +AM_CONDITIONAL([BUILD_STANDALONE_MODULE], [test "$build_standalone_module" -eq 1]) +if test "$build_standalone_module" -eq 1; then + TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS standalone" +fi + + +# Extensions +AC_ARG_ENABLE(extentions, + AS_HELP_STRING([--enable-extentions], + [Enable building extension.]), +[ + if test "$enableval" != "no"; then + build_extentions=1 + else + build_extentions=0 + fi +], +[ + build_extentions=0 +]) +AM_CONDITIONAL([BUILD_extentions], [test "$build_extentions" -eq 1]) +if test "$build_extentions" -eq 1; then + TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS ext" +fi + + +# Mlogc +AC_ARG_ENABLE(mlogc, + AS_HELP_STRING([--disable-mlogc], + [Disable building mlogc.]), +[ + if test "$enableval" != "no"; then + build_mlogc=1 + else + build_mlogc=0 + fi +], +[ + build_mlogc=1 +]) + +CHECK_CURL() + +if test -z "${CURL_VERSION}"; then + AC_MSG_NOTICE([NOTE: mlogc compilation was disabled.]) + build_mlogc=0 +fi + +AM_CONDITIONAL([BUILD_MLOGC], [test "$build_mlogc" -eq 1]) +if test "$build_mlogc" -eq 1; then + TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS mlogc" +fi + +# Audit Log Parser v2 (ALP2) +AC_ARG_ENABLE(alp2, + AS_HELP_STRING([--enable-alp2], + [Enable building audit log parser lib.]), +[ + if test "$enableval" != "no"; then + build_alp2=1 + else + build_alp2=0 + fi +], +[ + build_alp2=0 +]) +AM_CONDITIONAL([BUILD_ALP2], [test "$build_alp2" -eq 1]) +if test "$build_alp2" -eq 1; then + TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS alp2" +fi + +# Documentation +AC_ARG_ENABLE(docs, + AS_HELP_STRING([--enable-docs], + [Enable building documentation.]), +[ + if test "$enableval" != "no"; then + build_docs=1 + else + build_docs=0 + fi +], +[ + build_docs=0 +]) +AM_CONDITIONAL([BUILD_DOCS], [test "$build_docs" -eq 1]) +if test "$build_docs" -eq 1; then + TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS doc" + AC_CHECK_PROGS([DOXYGEN], [doxygen]) + if test -z "$DOXYGEN"; then + AC_MSG_WARN([Doxygen not found - continue without Doxygen support]) + fi + if test "$build_apache2_module" -eq 1; then + AC_CONFIG_FILES([doc/doxygen-apache]) + fi + if test "$build_standalone_module" -eq 1; then + AC_CONFIG_FILES([doc/doxygen-nginx]) + AC_CONFIG_FILES([doc/doxygen-iis]) + AC_CONFIG_FILES([doc/doxygen-standalone]) + fi + AC_CONFIG_FILES([doc/Makefile]) +fi + + +# Add assert() usage + +AC_ARG_ENABLE(assertions, + AS_HELP_STRING([--enable-assertions], + [Turn on assertions checks (undefine NDEBUG)]), +[ + if test "${enableval}" = "yes"; then + assertions='-UNDEBUG' + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $assertions" + else + assertions='-DNDEBUG' + fi +], +[ + assertions='-DNDEBUG' +]) + +# Add PCRE Studying + +AC_ARG_ENABLE(pcre-study, + AS_HELP_STRING([--enable-pcre-study], + [Enable PCRE regex studying during configure.]), +[ + if test "$enableval" != "no"; then + pcre_study='-DWITH_PCRE_STUDY' + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $pcre_study" + else + pcre_study='' + fi +], +[ + pcre_study='-DWITH_PCRE_STUDY' +]) + +# Add PCRE JIT + +AC_ARG_ENABLE(pcre-jit, + AS_HELP_STRING([--enable-pcre-jit], + [Enable PCRE regex jit support during configure.]), +[ + if test "$enableval" != "no"; then + pcre_jit='-DWITH_PCRE_JIT' + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $pcre_jit" + else + pcre_jit='' + fi +], +[ + pcre_jit='' +]) + + +# Limit PCRE matching +AC_ARG_ENABLE(pcre-match-limit, + AS_HELP_STRING([--enable-pcre-match-limit], + [Enable PCRE regex match limit during configure.]), +[ + if test "$enableval" = "yes"; then + AC_MSG_ERROR([PCRE match limits require a numeric value]) + elif test "$enableval" = "no"; then + pcre_match_limit='' + else + pcre_match_limit="-DMODSEC_PCRE_MATCH_LIMIT=$enableval" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $pcre_match_limit" + fi +], +[ + pcre_match_limit='-DMODSEC_PCRE_MATCH_LIMIT=1500' +]) + +# Limit PCRE matching recursion +AC_ARG_ENABLE(pcre-match-limit-recursion, + AS_HELP_STRING([--enable-pcre-match-limit-recursion], + [Enable PCRE regex match limit recursion during configure.]), +[ + if test "$enableval" = "yes"; then + AC_MSG_ERROR([PCRE match limits require a numeric value]) + elif test "$enableval" = "no"; then + pcre_match_limit_recursion='' + else + pcre_match_limit_recursion="-DMODSEC_PCRE_MATCH_LIMIT_RECURSION=$enableval" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $pcre_match_limit_recursion" + fi +], +[ + pcre_match_limit_recursion='-DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500' +]) + +# Enable Lua per transaction cache +AC_ARG_ENABLE(lua-cache, + AS_HELP_STRING([--enable-lua-cache], + [Enable Lua per transaction cache.]), +[ + if test "$enableval" != "no"; then + lua_cache="-DCACHE_LUA" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $lua_cache" + else + lua_cache= + fi +], +[ + lua_cache= +]) + +# Enable phase-1 in post_read_request +AC_ARG_ENABLE(htaccess-config, + AS_HELP_STRING([--enable-htaccess-config], + [Enable some mod_security directives into htaccess files.]), +[ + if test "$enableval" != "no"; then + htaccess_config="-DHTACCESS_CONFIG" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $htaccess_config" + else + htaccess_config= + fi +], +[ + htaccess_config= +]) + +# Enable phase-1 in post_read_request +AC_ARG_ENABLE(request-early, + AS_HELP_STRING([--enable-request-early], + [Place phase1 into post_read_request hook. default is hook_request_early]), +[ + if test "$enableval" != "no"; then + request_early="-DREQUEST_EARLY" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $request_early" + else + request_early= + fi +], +[ + request_early='-DREQUEST_EARLY' +]) + +# Enable duplicate rules id +AC_ARG_ENABLE(rule-id-validation, + AS_HELP_STRING([--enable-rule-id-validation], + [Forbid duplicate rule ids and missing ones. This is the default]), +[ + if test "$enableval" != "no"; then + unique_id= + else + unique_id="-DALLOW_ID_NOT_UNIQUE" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $unique_id" + fi +], +[ + unique_id='' +]) + +# Disable logging of filename +AC_ARG_ENABLE(filename-logging, + AS_HELP_STRING([--enable-filename-logging], + [Enable logging of filename in audit log. This is the default]), +[ + if test "$enableval" != "no"; then + log_filename= + else + log_filename="-DLOG_NO_FILENAME" + fi +], +[ + log_filename='' +]) + +# Disable logging of "Server" +AC_ARG_ENABLE(server-logging, + AS_HELP_STRING([--enable-server-logging], + [Enable logging of "Server" in audit log when log level < 9. This is the default]), +[ + if test "$enableval" != "no"; then + log_server= + else + log_server="-DLOG_NO_SERVER" + fi +], +[ + log_server='' +]) + +# Disable logging of problem when deleting collection +AC_ARG_ENABLE(collection-delete-problem-logging, + AS_HELP_STRING([--enable-collection-delete-problem-logging], + [Enable logging of collection delete problem even when log level is < 9. This is the default]), +[ + if test "$enableval" != "no"; then + log_collection_delete_problem= + else + log_collection_delete_problem="-DLOG_NO_COLL_DELET_PB" + fi +], +[ + log_collection_delete_problem='' +]) + +# Disable logging of Apache handler +AC_ARG_ENABLE(handler-logging, + AS_HELP_STRING([--enable-handler-logging], + [Enable logging of Apache handler in audit log even when log level is < 9. This is the default]), +[ + if test "$enableval" != "no"; then + log_handler= + else + log_handler="-DLOG_NO_HANDLER" + fi +], +[ + log_handler='' +]) + +# Disable logging of dechunking +AC_ARG_ENABLE(dechunk-logging, + AS_HELP_STRING([--enable-dechunk-logging], + [Enable logging of dechunking even when log level is < 9. This is the default]), +[ + if test "$enableval" != "no"; then + log_dechunk= + else + log_dechunk="-DLOG_NO_DECHUNK" + fi +], +[ + log_dechunk='' +]) + +# Disable logging of stopwatches +AC_ARG_ENABLE(stopwatch-logging, + AS_HELP_STRING([--enable-stopwatch-logging], + [Enable logging of stopwatches even when log level is < 9. This is the default]), +[ + if test "$enableval" != "no"; then + log_stopwatch= + else + log_stopwatch="-DLOG_NO_STOPWATCH" + fi +], +[ + log_stopwatch='' +]) + +# Disable logging of server context +AC_ARG_ENABLE(server-context-logging, + AS_HELP_STRING([--enable-server-context-logging], + [Enable logging of server info (log producer, sanitized objects, ...) in audit log even when log level < 9. This is the default]), +[ + if test "$enableval" != "no"; then + log_server_context= + else + log_server_context="-DLOG_NO_SERVER_CONTEXT" + fi +], +[ + log_server_context='' +]) + + +# Enable collection's global lock +AC_ARG_ENABLE(collection-global-lock, + AS_HELP_STRING([--enable-collection-global-lock], + [Enable collection correctness by using a global lock. May reduce performance significatively. This is disabled by default]), +[ + if test "$enableval" != "yes"; then + collection_global_lock="" + else + collection_global_lock="-DGLOBAL_COLLECTION_LOCK" + fi +], +[ + collection_global_lock='' +]) + + +# Ignore configure errors +AC_ARG_ENABLE(errors, + AS_HELP_STRING([--disable-errors], + [Disable errors during configure.]), +[ + if test "$enableval" != "no"; then + report_errors=1 + else + report_errors=0 + fi +], +[ + report_errors=1 +]) + + +# Strict Compile +AC_ARG_ENABLE(strict-compile, + AS_HELP_STRING([--enable-strict-compile], + [Enable strict compilation (warnings are errors).]), +[ + if test "$enableval" != "no"; then + strict_compile="-std=c99 -Wstrict-overflow=1 -Wextra -Wno-missing-field-initializers -Wshadow -Wpointer-arith -Wstrict-prototypes -Wmissing-prototypes -Wno-unused-parameter -Wformat -Wformat-security -Werror -fstack-protector -D_FORTIFY_SOURCE=2" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $strict_compile" + else + strict_compile= + fi +], +[ + strict_compile= +]) + +# DEBUG_CONF +AC_ARG_ENABLE(debug-conf, + AS_HELP_STRING([--enable-debug-conf], + [Enable debug during configuration.]), +[ + if test "$enableval" != "no"; then + debug_conf="-DDEBUG_CONF" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $debug_conf" + else + debug_conf= + fi +], +[ + debug_conf= +]) + +# CACHE_DEBUG +AC_ARG_ENABLE(debug-cache, + AS_HELP_STRING([--enable-debug-cache], + [Enable debug for transformation caching.]), +[ + if test "$enableval" != "no"; then + debug_cache="-DCACHE_DEBUG" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $debug_cache" + else + debug_cache= + fi +], +[ + debug_cache= +]) + +# DEBUG_ACMP +AC_ARG_ENABLE(debug-acmp, + AS_HELP_STRING([--enable-debug-acmp], + [Enable debugging acmp code.]), +[ + if test "$enableval" != "no"; then + debug_acmp="-DDEBUG_ACMP" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $debug_acmp" + else + debug_acmp= + fi +], +[ + debug_acmp= +]) + +# DEBUG_MEM +AC_ARG_ENABLE(debug-mem, + AS_HELP_STRING([--enable-debug-mem], + [Enable debug during configuration.]), +[ + if test "$enableval" != "no"; then + debug_mem="-DDEBUG_MEM" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $debug_mem" + else + debug_mem= + fi +], +[ + debug_mem= +]) + +# PERFORMANCE_MEASUREMENT +AC_ARG_ENABLE(performance-measurement, + AS_HELP_STRING([--enable-performance-measurement], + [Enable performance-measurement stats.]), +[ + if test "$enableval" != "no"; then + perf_meas="-DPERFORMANCE_MEASUREMENT" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $perf_meas" + else + perf_meas= + fi +], +[ + perf_meas= +]) + +# NO_MODSEC_API +AC_ARG_ENABLE(modsec-api, + AS_HELP_STRING([--disable-modsec-api], + [Disable the API; compiling against some older Apache versions require this.]), +[ + if test "$enableval" != "yes"; then + modsec_api="-DNO_MODSEC_API" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $modsec_api" + else + modsec_api= + fi +], +[ + modsec_api= +]) + +# MSC_LARGE_STREAM_INPUT +AC_ARG_ENABLE(large-stream-input, + AS_HELP_STRING([--enable-large-stream-input], + [Enable optimization for large stream input]), +[ + if test "$enableval" = "yes"; then + large_stream_input="-DMSC_LARGE_STREAM_INPUT" + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $large_stream_input" + else + large_stream_input= + fi +], +[ + large_stream_input= +]) + +# Find apxs +AC_MSG_NOTICE(looking for Apache module support via DSO through APXS) +AC_ARG_WITH(apxs, + [AS_HELP_STRING([[--with-apxs=FILE]], + [FILE is the path to apxs; defaults to "apxs".])], +[ + if test "$withval" = "yes"; then + APXS=apxs + else + APXS="$withval" + fi +]) + +if test -z "$APXS"; then + for i in /usr/local/apache22/bin \ + /usr/local/apache2/bin \ + /usr/local/apache/bin \ + /usr/local/sbin \ + /usr/local/bin \ + /usr/sbin \ + /usr/bin; + do + if test -f "$i/apxs2"; then + APXS="$i/apxs2" + break + elif test -f "$i/apxs"; then + APXS="$i/apxs" + break + fi + done +fi + +# arbitrarily picking the same version subversion looks for, don't know how +# accurate this really is, but at least it'll force us to have apache2... +HTTPD_WANTED_MMN=20020903 + +if test -n "$APXS" -a "$APXS" != "no" -a -x "$APXS" ; then + APXS_INCLUDE="`$APXS -q INCLUDEDIR`" + if test -r $APXS_INCLUDE/httpd.h; then + AC_MSG_NOTICE(found apxs at $APXS) + AC_MSG_NOTICE(checking httpd version) + AC_EGREP_CPP(VERSION_OK, + [ +#include "$APXS_INCLUDE/ap_mmn.h" +#if AP_MODULE_MAGIC_AT_LEAST($HTTPD_WANTED_MMN,0) +VERSION_OK +#endif], + [AC_MSG_NOTICE(httpd is recent enough)], + [ + if test "$report_errors" -eq 1; then + AC_MSG_ERROR(apache is too old, mmn must be at least $HTTPD_WANTED_MMN) + else + AC_MSG_NOTICE(apache is too old, mmn must be at least $HTTPD_WANTED_MMN) + fi + ]) + fi + APXS_INCLUDEDIR="`$APXS -q INCLUDEDIR`" + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs INCLUDEDIR: $APXS_INCLUDEDIR); fi + # Make sure the include dir is used + if test -n "$APXS_INCLUDEDIR"; then + APXS_INCLUDES="-I${APXS_INCLUDEDIR} `$APXS -q INCLUDES` `$APXS -q EXTRA_INCLUDES`" + else + APXS_INCLUDES="`$APXS -q INCLUDES` `$APXS -q EXTRA_INCLUDES`" + fi + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs INCLUDES: $APXS_INCLUDES); fi + APXS_CFLAGS=-I`$APXS -q INCLUDEDIR` + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs CFLAGS: $APXS_CFLAGS); fi + APXS_LDFLAGS= + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LDFLAGS: $APXS_LDFLAGS); fi + APXS_LIBDIR="`$APXS -q LIBDIR`" + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LIBDIR: $APXS_LIBDIR); fi + # Make sure the lib dir is used + if test -n "$APXS_LIBDIR"; then + APXS_LIBS="-L${APXS_LIBDIR} `$APXS -q LIBS` `$APXS -q EXTRA_LIBS`" + else + APXS_LIBS="`$APXS -q LIBS` `$APXS -q EXTRA_LIBS`" + fi + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LIBS: $APXS_LIBS); fi + APXS_LIBTOOL="`$APXS -q LIBTOOL`" + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LIBTOOL: $APXS_LIBTOOL); fi + APXS_CC="`$APXS -q CC`" + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs CC: $APXS_CC); fi + APXS_BINDIR="`$APXS -q BINDIR`" + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs BINDIR: $APXS_BINDIR); fi + APXS_SBINDIR="`$APXS -q SBINDIR`" + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs SBINDIR: $APXS_SBINDIR); fi + APXS_PROGNAME="`$APXS -q PROGNAME`" + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs PROGNAME: $APXS_PROGNAME); fi + APXS_LIBEXECDIR="`$APXS -q LIBEXECDIR`" + if test "xx$APXS_LIBEXECDIR" = "xx"; then APXS_LIBEXECDIR="`$APXS -q LIBDIR`/modules"; fi + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs LIBEXECDIR: $APXS_LIBEXECDIR); fi + APXS_MODULES=$APXS_LIBEXECDIR + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs MODULES: $APXS_MODULES); fi + if test "$APXS_SBINDIR" = "/"; then + APXS_HTTPD="$APXS_SBINDIR/$APXS_PROGNAME" + else + APXS_HTTPD="$APXS_SBINDIR/$APXS_PROGNAME" + fi + if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(apxs HTTPD: $APXS_HTTPD); fi +else + if test "$report_errors" -eq 1; then + AC_MSG_ERROR(couldn't find APXS) + else + AC_MSG_NOTICE(couldn't find APXS) + fi +fi + +### Build *EXTRA_CFLAGS vars + +# Allow overriding EXTRA_CFLAGS +if $ENV_CMD | $GREP "^EXTRA_CFLAGS" > /dev/null 2>&1; then + if test -z "$debug_mem"; then + EXTRA_CFLAGS="$EXTRA_CFLAGS $strict_compile" + fi +else + if test -n "$debug_mem"; then + EXTRA_CFLAGS="-O0 -g -Wall" + else + EXTRA_CFLAGS="-O2 -g -Wall $strict_compile" + fi +fi +EXTRA_CFLAGS="$EXTRA_CFLAGS $assertions" + +MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type $unique_id $log_filename $log_server $log_collection_delete_problem $log_dechunk $log_stopwatch $log_handler $log_server_context $collection_global_lock $large_stream_input" + +APXS_WRAPPER=build/apxs-wrapper +APXS_EXTRA_CFLAGS="" +for f in $EXTRA_CFLAGS; do + APXS_EXTRA_CFLAGS="$APXS_EXTRA_CFLAGS -Wc,$f" +done; +MODSEC_APXS_EXTRA_CFLAGS="" +for f in $MODSEC_EXTRA_CFLAGS; do + MODSEC_APXS_EXTRA_CFLAGS="$MODSEC_APXS_EXTRA_CFLAGS -Wc,$f" +done; + +### Substitute the vars + +AC_SUBST(TOPLEVEL_SUBDIRS) +AC_SUBST(EXTRA_CFLAGS) +AC_SUBST(MODSEC_EXTRA_CFLAGS) +AC_SUBST(APXS) +AC_SUBST(APXS_WRAPPER) +AC_SUBST(APXS_INCLUDEDIR) +AC_SUBST(APXS_INCLUDES) +AC_SUBST(APXS_EXTRA_CFLAGS) +AC_SUBST(MODSEC_APXS_EXTRA_CFLAGS) +AC_SUBST(APXS_LDFLAGS) +AC_SUBST(APXS_LIBS) +AC_SUBST(APXS_CFLAGS) +AC_SUBST(APXS_LIBTOOL) +AC_SUBST(APXS_CC) +AC_SUBST(APXS_LIBDIR) +AC_SUBST(APXS_BINDIR) +AC_SUBST(APXS_SBINDIR) +AC_SUBST(APXS_PROGNAME) +AC_SUBST(APXS_LIBEXECDIR) +AC_SUBST(APXS_MODULES) +AC_SUBST(APXS_HTTPD) + +CHECK_PCRE() +CHECK_PCRE2() +if test "$build_apache2_module" -ne 0 -o "$build_mlogc" -ne 0; then +CHECK_APR() +CHECK_APU() +fi +CHECK_LIBXML2() +CHECK_LUA() +#if test "$build_mlogc" -ne 0; then +#CHECK_CURL() +#fi + +# Check for YAJL libs (for JSON body processor) +CHECK_YAJL() +#AC_SEARCH_LIBS([yajl_alloc], [yajl]) +CHECK_SSDEEP() +#AC_SEARCH_LIBS([fuzzy_hash_buf], [fuzzy]) + +# Temporarily set cflags for apr_crypto check, then restore +# since it's already used correctly to compile modsecurity module. +ORIG_CFLAGS="$CFLAGS $APU_CFLAGS" +ORIG_CPPFLAGS="$CPPFLAGS" +CFLAGS="$CFLAGS $APR_CFLAGS" +CPPFLAGS="$CPPFLAGS $APR_CPPFLAGS" +AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ #include ]], + [[ + #if APU_HAVE_CRYPTO == 0 + #error APR util was not compiled with crypto support. + #endif + ]])], + [ AC_DEFINE([WITH_APU_CRYPTO], [1], [APR util was compiled with crypto support]) + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS -DWITH_APU_CRYPTO" + ], + [ AC_MSG_WARN([APR util was not compiled with crypto support. SecRemoteRule will not support the parameter 'crypto']) ] +) +# Restore env vars so that we don't clutter with duplicates that +# are eventually appended later on +CFLAGS="$ORIG_CFLAGS" +CPPFLAGS="$ORIG_CPPFLAGS" + +# Currently our unique download backend is curl, further we can support more. +if test ! -z "${CURL_VERSION}"; then + AC_DEFINE([WITH_REMOTE_RULES], [1], [Enables SecRemoteRules support]) + MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS -DWITH_REMOTE_RULES" +fi + +AC_CONFIG_FILES([Makefile]) +AC_CONFIG_FILES([tools/Makefile]) +if test "$build_alp2" -ne 0; then +AC_CONFIG_FILES([alp2/Makefile]) +fi +if test "$build_apache2_module" -ne 0; then +AC_CONFIG_FILES([apache2/Makefile]) +fi +if test "$build_standalone_module" -ne 0; then +AC_CONFIG_FILES([standalone/Makefile]) +AC_CONFIG_FILES([nginx/modsecurity/config]) +fi +if test "$build_extentions" -ne 0; then +AC_CONFIG_FILES([ext/Makefile]) +fi +AC_CONFIG_FILES([build/apxs-wrapper], [chmod +x build/apxs-wrapper]) +if test -e "$PERL"; then + if test "$build_mlogc" -ne 0; then + AC_CONFIG_FILES([mlogc/mlogc-batch-load.pl], [chmod +x mlogc/mlogc-batch-load.pl]) + AC_CONFIG_FILES([tests/regression/misc/40-secRemoteRules.t]) + AC_CONFIG_FILES([tests/regression/misc/50-ipmatchfromfile-external.t]) + AC_CONFIG_FILES([tests/regression/misc/60-pmfromfile-external.t]) + fi + AC_CONFIG_FILES([tests/run-unit-tests.pl], [chmod +x tests/run-unit-tests.pl]) + AC_CONFIG_FILES([tests/run-regression-tests.pl], [chmod +x tests/run-regression-tests.pl]) + AC_CONFIG_FILES([tests/gen_rx-pm.pl], [chmod +x tests/gen_rx-pm.pl]) + AC_CONFIG_FILES([tests/csv_rx-pm.pl], [chmod +x tests/csv_rx-pm.pl]) + AC_CONFIG_FILES([tests/regression/server_root/conf/httpd.conf]) + + # Perl based tools + AC_CONFIG_FILES([tools/rules-updater.pl], [chmod +x tools/rules-updater.pl]) +fi +if test "$build_mlogc" -ne 0; then + AC_CONFIG_FILES([mlogc/Makefile]) +fi +AC_CONFIG_FILES([tests/Makefile]) + +AC_OUTPUT From 5122f890057285d6d9d6eda16ca5702e6e969984 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Tue, 16 Apr 2024 13:28:37 +0200 Subject: [PATCH 14/18] defined id_log() only once --- apache2/apache2_config.c | 5 ++--- apache2/msc_util.h | 1 + apache2/re.c | 7 ------- configure.ac | 5 ++--- 4 files changed, 5 insertions(+), 13 deletions(-) diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c index 17f529ce20..18208c821f 100644 --- a/apache2/apache2_config.c +++ b/apache2/apache2_config.c @@ -31,10 +31,9 @@ #endif // Returns the rule id if existing, otherwise the file name & line number -static const char* id_log(msre_rule* rule) { +const char* id_log(msre_rule* rule) { char* id = rule->actionset->id; - if (id == NOT_SET_P || !id || !*id) - id = apr_psprintf(rule->ruleset->mp, "%s (%d)", rule->filename, rule->line_num); + if (!id || !*id || id == NOT_SET_P) id = apr_psprintf(rule->ruleset->mp, "%s (%d)", rule->filename, rule->line_num); return id; } diff --git a/apache2/msc_util.h b/apache2/msc_util.h index 1925a155f1..afff3e7f64 100644 --- a/apache2/msc_util.h +++ b/apache2/msc_util.h @@ -166,6 +166,7 @@ int ip_tree_from_uri(TreeRoot **rtree, char *uri, #endif char DSOLOCAL *get_username(apr_pool_t* mp); +const char* id_log(msre_rule* rule); int read_line(char *buff, int size, FILE *fp); diff --git a/apache2/re.c b/apache2/re.c index e775d546b6..8e69f5bafa 100644 --- a/apache2/re.c +++ b/apache2/re.c @@ -48,13 +48,6 @@ static apr_status_t msre_rule_process(msre_rule *rule, modsec_rec *msr); /* -- Actions, variables, functions and operator functions ----------------- */ -// Returns the rule id if existing, otherwise the file name & line number -static const char* id_log(msre_rule* rule) { - const char* id = rule->actionset->id; - if (!id || !*id || id == NOT_SET_P) id = apr_psprintf(rule->ruleset->mp, "%s (%d)", rule->filename, rule->line_num); - return id; -} - /** * \brief Remove rule targets to be processed * diff --git a/configure.ac b/configure.ac index 24a3dba7ef..a9025c717f 100644 --- a/configure.ac +++ b/configure.ac @@ -313,7 +313,6 @@ AC_ARG_ENABLE(assertions, [ if test "${enableval}" = "yes"; then assertions='-UNDEBUG' - MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $assertions" else assertions='-DNDEBUG' fi @@ -844,9 +843,9 @@ else EXTRA_CFLAGS="-O2 -g -Wall $strict_compile" fi fi -EXTRA_CFLAGS="$EXTRA_CFLAGS $assertions" +EXTRA_CFLAGS="$EXTRA_CFLAGS" -MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type $unique_id $log_filename $log_server $log_collection_delete_problem $log_dechunk $log_stopwatch $log_handler $log_server_context $collection_global_lock $large_stream_input" +MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type $unique_id $log_filename $log_server $log_collection_delete_problem $log_dechunk $log_stopwatch $log_handler $log_server_context $collection_global_lock $large_stream_input $assertions" APXS_WRAPPER=build/apxs-wrapper APXS_EXTRA_CFLAGS="" From 62302c2474a9d4651930e6f411e18937ebc34d10 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Tue, 16 Apr 2024 17:59:43 +0200 Subject: [PATCH 15/18] Update apache2/apache2_io.c MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Felipe Zipitría <3012076+fzipi@users.noreply.github.com> --- apache2/apache2_io.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apache2/apache2_io.c b/apache2/apache2_io.c index b8117d91ce..5d2ef85bd9 100644 --- a/apache2/apache2_io.c +++ b/apache2/apache2_io.c @@ -180,7 +180,7 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *bb_out, */ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) { assert(msr != NULL); - assert( error_msg!= NULL); + assert(error_msg!= NULL); request_rec *r = msr->r; unsigned int finished_reading; apr_bucket_brigade *bb_in; From d35018ef3f6de8fecef9949762da7c9b8b91a48b Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Tue, 16 Apr 2024 18:02:06 +0200 Subject: [PATCH 16/18] another null check --- apache2/apache2_config.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c index 18208c821f..f5c3fea7e2 100644 --- a/apache2/apache2_config.c +++ b/apache2/apache2_config.c @@ -32,7 +32,9 @@ // Returns the rule id if existing, otherwise the file name & line number const char* id_log(msre_rule* rule) { - char* id = rule->actionset->id; + assert(rule != NULL); + assert(rule->actionset != NULL); + char* id = rule->actionset->id; if (!id || !*id || id == NOT_SET_P) id = apr_psprintf(rule->ruleset->mp, "%s (%d)", rule->filename, rule->line_num); return id; } From 4961f46a6f1772c53a1951dfa2b80c4429846986 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Tue, 16 Apr 2024 18:09:00 +0200 Subject: [PATCH 17/18] (re)fixed const type --- apache2/apache2_config.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c index f5c3fea7e2..c0464f50eb 100644 --- a/apache2/apache2_config.c +++ b/apache2/apache2_config.c @@ -34,7 +34,7 @@ const char* id_log(msre_rule* rule) { assert(rule != NULL); assert(rule->actionset != NULL); - char* id = rule->actionset->id; + const char* id = rule->actionset->id; if (!id || !*id || id == NOT_SET_P) id = apr_psprintf(rule->ruleset->mp, "%s (%d)", rule->filename, rule->line_num); return id; } From dd400f7fa31da8174a930806e9c46bc99062db06 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Fri, 26 Apr 2024 17:22:16 +0200 Subject: [PATCH 18/18] Added --enable-assertions in CI Removed useless line --- .github/workflows/ci.yml | 2 +- configure.ac | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e5ca97df84..d931133834 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -32,7 +32,7 @@ jobs: - name: autogen.sh run: ./autogen.sh - name: configure ${{ matrix.configure.label }} - run: ./configure ${{ matrix.configure.opt }} + run: ./configure --enable-assertions ${{ matrix.configure.opt }} - uses: ammaraskar/gcc-problem-matcher@master - name: make run: make -j `nproc` diff --git a/configure.ac b/configure.ac index a9025c717f..c75335c14d 100644 --- a/configure.ac +++ b/configure.ac @@ -843,7 +843,6 @@ else EXTRA_CFLAGS="-O2 -g -Wall $strict_compile" fi fi -EXTRA_CFLAGS="$EXTRA_CFLAGS" MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type $unique_id $log_filename $log_server $log_collection_delete_problem $log_dechunk $log_stopwatch $log_handler $log_server_context $collection_global_lock $large_stream_input $assertions"