Группа :: Система/Серверы
Пакет: apache2-mod_security3
навигация по пакетам
Главная Изменения Спек Патчи Sources Загрузить Gear Bugs and FR Repocop
Патч: ModSecurity-apache-0.0.9-alt1.git2368a66a.patch
Скачать
Скачать
.travis.yml | 4 +-
CHANGES | 14 ++++
Makefile.am | 21 ++++-
README.md | 106 +++++++++++++++++++++----
build/ax_prog_apache.m4 | 10 ++-
build/find_libmodsec.m4 | 39 ++++-----
configure.ac | 28 +++++++
src/mod_security3.c | 18 ++++-
src/mod_security3.h | 12 ++-
src/msc_filters.c | 3 +
t/conf/extra.conf.in | 6 ++
tests/regression/misc/60-pmfromfile-external.t | 84 --------------------
12 files changed, 213 insertions(+), 132 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 5d4aa71..80ca023 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -29,7 +29,7 @@ env:
before_script:
- curl -L https://cpanmin.us | sudo perl - --sudo App::cpanminus
- cd ..
- - curl https://www.apache.org/dist/httpd/httpd-${VER_APACHE}.tar.gz > httpd-${VER_APACHE}.tar.gz+ - curl https://archive.apache.org/dist/httpd/httpd-${VER_APACHE}.tar.gz > httpd-${VER_APACHE}.tar.gz - tar xvzf httpd-${VER_APACHE}.tar.gz - cd httpd-${VER_APACHE}- ./configure --with-mpm=worker
@@ -54,7 +54,7 @@ before_script:
- export PATH="/usr/local/apache2/bin/:$PATH"
- ls -la /usr/local/apache2/bin/
- ls -la /usr/local/apache2/include/
- - ./configure --with-apxs=/usr/local/apache2/bin/apxs
+ - ./configure --with-apxs=/usr/local/apache2/bin/apxs --with-libmodsecurity=/usr/local/modsecurity
- make
- sudo make install
- pwd
diff --git a/CHANGES b/CHANGES
index c79d207..a52a99d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,17 @@
+v3.0.x - YYYY-MMM-DD (To be released)
+-------------------------------------
+
+ - Asorted fixies on libmodsecurity autoconf.
+ [Issue #51 - @airween]
+ - Fix: avoids crash if UNIQUE_ID is not set
+ [Issue #46 - @Goron1606, @victorhora, @zimmerle]
+ - Adds make install to the build system
+ [Issue #36 - @zimmerle, @ROBERT-MCDOWELL]
+ - Uses mod_unique if available
+ [Issue #42 - @zimmerle, @victorhora, @Goron1606]
+ - Fix duplicate HTTP protocol strings
+ [Issue #21 - @victorhora]
+
v0.0.9-beta1 - 2017-Dec-22
--------------------------
diff --git a/Makefile.am b/Makefile.am
index e7e6b2f..980cd02 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -15,13 +15,21 @@ CLEANFILES = \
t/logs/* \
t/htdocs/index.html \
t/conf/extra.conf \
+ t/conf/httpd.conf \
t/conf/apache_test_config.pm \
t/conf/httpd.conf \
+ t/conf/mime.types \
+ t/conf/modules.conf \
src/*.lo \
- src/*.slo
+ src/*.slo \
+ src/*.o \
+ src/*.so \
+ src/.libs/*.so
+
CLEANDIRECTORIES = \
- t/logs
+ t/logs \
+ src/.libs
all:
@@ -29,6 +37,13 @@ all:
build/apxs-wrapper
test:
- cd t/ && ./TEST
+ cd t/ && ./TEST -clean
+ cd t/ && ./TEST -configure
+ cd t/ && ./TEST -httpd_conf conf/httpd.conf -httpd @APACHE@ -apxs @APXS@
+
+
+install-exec-hook: $(pkglib_LTLIBRARIES)
+ @APXS@ -i -n mod_security3 ./src/.libs/mod_security3.so
+
.PHONY: all
diff --git a/README.md b/README.md
index 1f7db0a..6fc03f9 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
[](https://zenhub.com)
-The ModSecurity-apache connector is the connection point between Apache and libmodsecurity (ModSecurity v3). Said another way, this project provides a communication channel between Apache and libmodsecurity. This connector is required to use LibModSecurity with Apache.
+The ModSecurity-apache connector is the connection point between Apache and libmodsecurity (ModSecurity v3). Said another way, this project provides a communication channel between Apache and libmodsecurity. This connector is required to use LibModSecurity with Apache.
The ModSecurity-apache connector takes the form of an Apache module. The module simply serves as a layer of communication between Apache and ModSecurity.
@@ -14,14 +14,12 @@ Notice that this project depends on libmodsecurity rather than ModSecurity (vers
### What is the difference between this project and the old ModSecurity module for Apache?
-The old version of ModSecurity was origionally designed for and contained within an Apache module. This current version abstracts out some of the details allowing ModSecurity to more easily support multiple platforms and features outside beyond the scope of what Apache internals currently support. As a result using the new libmodsecurity engine is no longer reliant on the use of Apache and can be used to power multiple different connectors. As a result of this the current version is more flexible, has wider support, and allows for the support of new functionality that was not previously possible.
+The old version of ModSecurity was originally designed for and contained within an Apache module. This current version abstracts out some of the details allowing ModSecurity to more easily support multiple platforms and features beyond the scope of what Apache internals currently support. As a result using the new libmodsecurity engine is no longer reliant on the use of Apache and can be used to power multiple different connectors. As a result of this the current version is more flexible, has wider support, and allows for the support of new functionality that was not previously possible.
-NOTICE: libmodsecurity is not feature complete and it is not considerable
-stable, so use is undertaken at your own risk.
# Compilation
-Before compile this software make sure that you have libmodsecurity installed.
+Before you compile this software make sure that you have libmodsecurity installed.
You can download it from the ModSecurity git repository. For information pertaining to the compilation and installation of libmodsecurity please consult the documentation provided along with it.
With libmodsecurity installed, you can proceed with the installation of the ModSecurity-apache connector. Run the following commands:
@@ -33,6 +31,89 @@ $ make
$ sudo make install
```
+# Usage
+
+libModSecurity for Apache extends your configuration directives. In order to load the module into Apache add the following directive to your Apache configuration:
+
+```
+LoadModule security3_module modules/mod_security3.so
+```
+
+The module adds new directives to Apache and some of them are documented below:
+
+modsecurity
+-----------
+**syntax:** *modsecurity on | off*
+
+**context:** *http, server, location*
+
+**default:** *off*
+
+Turns on or off the ModSecurity functionality.
+Note that this configuration directive is no longer related to the SecRule state.
+Instead, it now serves solely as an Apache flag to enable or disable the module.
+
+modsecurity_rules_file
+----------------------
+**syntax:** *modsecurity_rules_file <path to rules file>*
+
+**context:** *http, server, location*
+
+**default:** *no*
+
+Specifies the location of the ModSecurity configuration file, e.g.:
+
+```
+modsecurity on
+modsecurity_rules_file /etc/my_modsecurity_rules.conf;
+```
+
+modsecurity_rules_remote
+------------------------
+**syntax:** *modsecurity_rules_remote <key> <URL to rules>*
+
+**context:** *http, server, location*
+
+**default:** *no*
+
+Specifies from where (on the internet) a modsecurity configuration file will be downloaded.
+It also specifies the key that will be used to authenticate to that server:
+
+```
+modsecurity on
+modsecurity_rules_remote my-server-key https://my-own-server/rules/download;
+```
+
+modsecurity_rules
+-----------------
+**syntax:** *modsecurity_rules <modsecurity rule>*
+
+**context:** *http, server, location*
+
+**default:** *no*
+
+Allows for the direct inclusion of a ModSecurity rule into the Apache configuration.
+The following example is loading rules from a file and injecting specific configurations per directory/alias:
+
+```
+TODO
+```
+
+modsecurity_transaction_id
+--------------------------
+**syntax:** *modsecurity_transaction_id string*
+
+**context:** *http, server, location*
+
+**default:** *no*
+
+Allows to pass transaction ID from Apache instead of generating it in the library.
+This can be useful for tracing purposes, e.g. consider this configuration:
+
+```
+TODO
+```
+
# Contributing
As an open source project we invite (and encourage) anyone from the community to contribute to our project. This may take the form of: new
@@ -41,17 +122,12 @@ are willing to help with. Thank you.
## Providing Patches
-We prefer to have your patch within the GtiHub infrastructure to facilitate our
+We prefer to have your patch within the GitHub infrastructure to facilitate our
review work, and our QA integration. GitHub provides an excellent
documentation on how to perform Б─°Pull RequestsБ─². More information available
here: https://help.github.com/articles/using-pull-requests/
-Please respect the coding style. Pull requests can include various commits, so provide one fix or one piece of functionality per commit. Please do not change anything outside the scope of your target work (e.g. coding style in a function that you have passed by). For further information about the coding style used in this project, please check: https://www.chromium.org/blink/coding-style
-
-Please respect the coding style in use. Pull requests can include various commits, so
-provide one fix or one functionality per commit. Do not change anything outside
-the scope of your target work (e.g. coding style in a function that you have
-passed by).
+Please respect the coding style in use. Pull requests can include various commits, so provide one fix or one piece of functionality per commit. Please do not change anything outside the scope of your target work (e.g. coding style in a function that you have passed by). For further information about the coding style used in this project, please check: https://www.chromium.org/blink/coding-style
### DonБ─≥t know where to start?
@@ -68,7 +144,7 @@ You may also take a look at recent bug reports and open issues to get an idea of
### Testing your patch
Along with the manual testing, we strongly recommend that you to use the Apache test
-utility to make sure that you patch does not adversly affect the behavior or performance of Apache.
+utility to make sure that you patch does not adversly affect the behavior or performance of Apache.
The Apache testing tools are available on: http://httpd.apache.org/test/
@@ -77,7 +153,7 @@ To use those tests ....
If you are facing problems getting your added functionality to pass all the Apache tests, feel free to contact us or the Apache mailing list at: http://httpd.apache.org/lists.html
-### Debugging
+### Debugging
Because the ModSecurity Apache Connector runs as part of Apache, one needs to debug the Apache process. Debugging may require several steps. In general debugging can be enabled by compiling the Apache connector with debugging as follows:
```CFLAGS="-g -O0" ./configure ...normal configure parameters...)```
@@ -105,7 +181,7 @@ security@modsecurity.org to report the issue. Once the problem is fixed we will
## Feature Request
-We would love to discuss any ideas that you may have for a new feature. Please keep in mind this is a community driven project so be sure to contact the community via the mailing list to get feedback first. Alternativly, feel free to open GitHub issues requesting for new features. Before opening a new issue, please check if there is an existing feature request for the desired functionalityt.
+We would love to discuss any ideas that you may have for a new feature. Please keep in mind this is a community driven project so be sure to contact the community via the mailing list to get feedback first. Alternatively, feel free to open GitHub issues requesting for new features. Before opening a new issue, please check if there is an existing feature request for the desired functionality.
## Packing
diff --git a/build/ax_prog_apache.m4 b/build/ax_prog_apache.m4
index b1dd5c6..aad2f2d 100644
--- a/build/ax_prog_apache.m4
+++ b/build/ax_prog_apache.m4
@@ -114,6 +114,9 @@ AC_DEFUN([AX_PROG_APACHE],
if test -z "$APACHE" ; then
AC_PATH_PROG(APACHE, httpd, , /usr/local/apache/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/usr/local/apache2/bin)
fi
+ if test -z "$APACHE" ; then
+ AC_PATH_PROG(APACHE, apache2, , /usr/local/apache/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/usr/local/apache2/bin)
+ fi
AC_SUBST(APACHE)
if test -z "$APACHE" ; then
AC_MSG_ERROR("apache server executable not found");@@ -149,7 +152,12 @@ AC_DEFUN([AX_PROG_APACHE],
#
# Find out if .so modules are in libexec/module.so or modules/module.so
#
- HTTP_ROOT=`$APACHE -V | grep HTTPD_ROOT | sed -e 's/.*"\(.*\)"/\1/'`
+ if test -f /etc/apache2/envvars
+ then
+ HTTP_ROOT=`. /etc/apache2/envvars && $APACHE -V | grep HTTPD_ROOT | sed -e 's/.*"\(.*\)"/\1/'`
+ else
+ HTTP_ROOT=`$APACHE -V | grep HTTPD_ROOT | sed -e 's/.*"\(.*\)"/\1/'`
+ fi
AC_MSG_CHECKING(apache modules)
for dir in libexec modules
do
diff --git a/build/find_libmodsec.m4 b/build/find_libmodsec.m4
index 2a6c82d..3c2bc9d 100644
--- a/build/find_libmodsec.m4
+++ b/build/find_libmodsec.m4
@@ -7,33 +7,24 @@ AC_ARG_WITH(libmodsecurity,
[FILE is the path to libmodsecurity install dir; defaults to "/usr/local/modsecurity/".])],
[
if test "$withval" = "yes"; then
- V3PATH=/usr/local/modsecurity/
+ AC_SUBST(CPPFLAGS, "$CPPFLAGS -I/usr/local/modsecurity/include/ -L/usr/local/modsecurity/lib/")
+ V3INCLUDE="/usr/local/modsecurity/include/"
+ V3LIB="/usr/local/modsecurity/lib/"
else
- V3PATH="$withval"
+ AC_SUBST(CPPFLAGS, "$CPPFLAGS -I${withval}/include/ -L${withval}/lib/")+ V3INCLUDE="${withval}/include/"+ V3LIB="${withval}/lib/"fi
])
-if test -z "$V3PATH"; then
- for i in /usr/local/modsecurity/ \
- /usr/local/sbin \
- /usr/local/bin \
- /usr/sbin \
- /usr/bin;
- do
- if test -f "$i/lib/libmodsecurity.so"; then
- V3LIB="$i/lib/"
- fi
- if test -f "$i/include/modsecurity/modsecurity.h"; then
- V3INCLUDE="$i/include/"
- # TODO: test if V3LIB is set
- break
- fi
- done
-fi
-if test -n "$V3LIB" -a "$V3LIB" != "no" -a -x "$V3LIB" ; then
- AC_MSG_NOTICE(found libmodsecurity at $V3LIB)
-else
- AC_MSG_ERROR(couldn't find libmodsecurity)
-fi
+dnl Check the ModSecurity libraries (modsecurity)
+
+AC_CHECK_LIB([modsecurity], [msc_init], [
+ AC_DEFINE([HAVE_MODSECURITYLIB], [1],
+ [Define to 1 if you have the `libmodsecurity' library (-lmodsecurity).])], [
+ AC_MSG_ERROR([ModSecurity libraries not found!])])
+
+AC_CHECK_HEADERS([modsecurity/modsecurity.h], [], [
+ AC_MSG_ERROR([ModSecurity headers not found...])])
])
diff --git a/configure.ac b/configure.ac
index fbac276..bcb6096 100644
--- a/configure.ac
+++ b/configure.ac
@@ -13,6 +13,7 @@ AC_PATH_PROGS(PERL, [perl perl5], )
AC_SUBST(APXS)
AC_SUBST(V3LIB)
AC_SUBST(V3INCLUDE)
+AC_SUBST(APACHE)
# Some directories
MSC_BASE_DIR=`pwd`
@@ -24,6 +25,17 @@ MSC_REGRESSION_CONF_DIR="$MSC_REGRESSION_SERVERROOT_DIR/conf"
MSC_REGRESSION_LOGS_DIR="$MSC_REGRESSION_SERVERROOT_DIR/logs"
MSC_REGRESSION_DOCROOT_DIR="$MSC_REGRESSION_SERVERROOT_DIR/htdocs"
+if test -f /etc/apache2/envvars
+then
+ SERVER_MPM=`. /etc/apache2/envvars && $APACHE -V | grep Server\ MPM | awk '{print $3}'`+ SERVER_MPM_MODE=`. /etc/apache2/envvars && $APACHE -M | grep mpm_${SERVER_MPM}_module | awk '{print $2}' | sed -e 's/@<:@\@{:@\@:}@@:>@//g'`+ SERVER_AUTHZ_MODE=`. /etc/apache2/envvars && $APACHE -M | grep authz_core_module | awk '{print $2}' | sed -e 's/@<:@\@{:@\@:}@@:>@//g'`+else
+ SERVER_MPM=`$APACHE -V | grep Server\ MPM | awk '{print $3}'`+ SERVER_MPM_MODE=`$APACHE -M | grep mpm_${SERVER_MPM}_module | awk '{print $2}' | sed -e 's/@<:@\@{:@\@:}@@:>@//g'`+ SERVER_AUTHZ_MODE=`$APACHE -M | grep authz_core_module | awk '{print $2}' | sed -e 's/@<:@\@{:@\@:}@@:>@//g'`+fi
+
AC_SUBST(MSC_BASE_DIR)
AC_SUBST(MSC_PKGBASE_DIR)
AC_SUBST(MSC_TEST_DIR)
@@ -33,7 +45,11 @@ AC_SUBST(MSC_REGRESSION_CONF_DIR)
AC_SUBST(MSC_REGRESSION_LOGS_DIR)
AC_SUBST(MSC_REGRESSION_DOCROOT_DIR)
+AC_SUBST(SERVER_MPM)
+AC_SUBST(SERVER_MPM_MODE)
+AC_SUBST(SERVER_AUTHZ_MODE)
+echo "Found Apache with MPM ${SERVER_MPM}, ${SERVER_MPM_MODE}."APXS_SBINDIR="`$APXS -q SBINDIR`"
APXS_PROGNAME="`$APXS -q PROGNAME`"
@@ -44,6 +60,18 @@ APXS_LIBEXECDIR="`$APXS -q LIBEXECDIR`"
if test "xx$APXS_LIBEXECDIR" = "xx"; then APXS_LIBEXECDIR="`$APXS -q LIBDIR`/modules"; fi
AC_SUBST(APXS_LIBEXECDIR)
+# generating apache depends loadable modules
+# authz_core required, if not static
+# one mpm required, if not static
+echo "" > t/conf/modules.conf
+
+if @<:@ ${SERVER_AUTHZ_MODE} == "shared" @:>@; then+ echo "LoadModule authz_core_module ${APXS_LIBEXECDIR}/mod_authz_core.so" >> t/conf/modules.conf+fi
+if @<:@ ${SERVER_MPM_MODE} == "shared" @:>@; then+ echo "LoadModule mpm_${SERVER_MPM}_module ${APXS_LIBEXECDIR}/mod_mpm_${SERVER_MPM}.so" >> t/conf/modules.conf+fi
+echo "" >> t/conf/modules.conf
AC_CONFIG_FILES([\
diff --git a/src/mod_security3.c b/src/mod_security3.c
index 587edcb..76b3fb7 100644
--- a/src/mod_security3.c
+++ b/src/mod_security3.c
@@ -1,4 +1,6 @@
+#include <stdio.h>
+
#include "mod_security3.h"
#include "msc_utils.h"
#include "msc_config.h"
@@ -132,6 +134,8 @@ static void store_tx_context(msc_t *msr, request_rec *r)
static msc_t *create_tx_context(request_rec *r) {msc_t *msr = NULL;
msc_conf_t *z = NULL;
+ char *unique_id = NULL;
+
z = (msc_conf_t *)ap_get_module_config(r->per_dir_config,
&security3_module);
@@ -141,7 +145,14 @@ static msc_t *create_tx_context(request_rec *r) {}
msr->r = r;
- msr->t = msc_new_transaction(msc_apache->modsec, (Rules *)z->rules_set, (void *)r);
+ unique_id = getenv("UNIQUE_ID");+ if (unique_id != NULL && strlen(unique_id) > 0) {+ msr->t = msc_new_transaction_with_id(msc_apache->modsec,
+ z->rules_set, unique_id, (void *)r);
+ } else {+ msr->t = msc_new_transaction(msc_apache->modsec,
+ z->rules_set, (void *)r);
+ }
store_tx_context(msr, r);
@@ -387,6 +398,8 @@ static int hook_request_late(request_rec *r)
return it;
}
#endif
+
+
msc_process_request_body(msr->t);
it = process_intervention(msr->t, r);
if (it != N_INTERVENTION_STATUS)
@@ -464,8 +477,9 @@ static int process_request_headers(request_rec *r, msc_t *msr) {/* process uri */
{int it;
- msc_process_uri(msr->t, r->unparsed_uri, r->method, r->protocol);
+ int offset = (r->protocol && strlen(r->protocol) > 5 && r->protocol[0] == 'H') ? 5 : 0;
+ msc_process_uri(msr->t, r->unparsed_uri, r->method, r->protocol + offset);
it = process_intervention(msr->t, r);
if (it != N_INTERVENTION_STATUS)
{diff --git a/src/mod_security3.h b/src/mod_security3.h
index 258d4eb..b1e9b28 100644
--- a/src/mod_security3.h
+++ b/src/mod_security3.h
@@ -3,7 +3,17 @@
#include <ctype.h>
#include <modsecurity/modsecurity.h>
+#if defined(MODSECURITY_CHECK_VERSION)
+#if MODSECURITY_VERSION_NUM >= 304010
+#define MSC_USE_RULES_SET 1
+#endif
+#endif
+
+#if defined(MSC_USE_RULES_SET)
+#include <modsecurity/rules_set.h>
+#else
#include <modsecurity/rules.h>
+#endif
#include <modsecurity/intervention.h>
#include "apr_buckets.h"
@@ -46,7 +56,7 @@ typedef struct
typedef struct
{- Rules *rules_set;
+ void *rules_set;
int msc_state;
char *name_for_debug;
} msc_conf_t;
diff --git a/src/msc_filters.c b/src/msc_filters.c
index ab9b9dd..3a18e21 100644
--- a/src/msc_filters.c
+++ b/src/msc_filters.c
@@ -62,6 +62,9 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut,
return send_error_bucket(msr, f, it);
}
+ // FIXME: Now we should have the body. Is this sane?
+ msc_process_request_body(msr->t);
+
pbktOut = apr_bucket_heap_create(data, len, 0, c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(pbbOut, pbktOut);
apr_bucket_delete(pbktIn);
diff --git a/t/conf/extra.conf.in b/t/conf/extra.conf.in
index cb68896..6518559 100644
--- a/t/conf/extra.conf.in
+++ b/t/conf/extra.conf.in
@@ -2,6 +2,8 @@
CoreDumpDirectory /tmp/
+Include @ServerRoot@/.././t/conf/modules.conf
+
LoadModule security3_module "@ServerRoot@/.././src/.libs/mod_security3.so"
@@ -18,6 +20,7 @@ modsecurity_rules 'SecDebugLogLevel 9'
</Directory>
<Directory "@ServerRoot@/htdocs/block-evil-2">
+ modsecurity_rules 'SecRequestBodyAccess On'
modsecurity_rules 'SecRule ARGS "evil" "phase:2,id:112,log,status:403,block,deny"'
</Directory>
@@ -26,6 +29,7 @@ modsecurity_rules 'SecDebugLogLevel 9'
</Directory>
<Directory "@ServerRoot@/htdocs/block-evil-4">
+ modsecurity_rules 'SecResponseBodyAccess On'
modsecurity_rules 'SecRule ARGS "evil" "phase:4,id:114,log,status:403,block,deny"'
</Directory>
@@ -40,6 +44,7 @@ modsecurity_rules 'SecDebugLogLevel 9'
</Location>
<Location "/block-evil-2-loc">
+ modsecurity_rules 'SecRequestBodyAccess On'
modsecurity_rules 'SecRule ARGS "evil" "phase:2,id:112,log,status:402,block,deny"'
</Location>
@@ -48,6 +53,7 @@ modsecurity_rules 'SecDebugLogLevel 9'
</Location>
<Location "/block-evil-4-loc">
+ modsecurity_rules 'SecResponseBodyAccess On'
modsecurity_rules 'SecRule ARGS "evil" "phase:4,id:1134,log,status:402,block,deny"'
</Location>
diff --git a/tests/regression/misc/60-pmfromfile-external.t b/tests/regression/misc/60-pmfromfile-external.t
deleted file mode 100644
index 2910ed1..0000000
--- a/tests/regression/misc/60-pmfromfile-external.t
+++ /dev/null
@@ -1,84 +0,0 @@
-### pmfromfile external resource
-
-{- type => "misc",
- comment => "pmfromfile",
- conf => qq(
- SecRuleEngine On
- SecDebugLog $ENV{DEBUG_LOG}- SecDebugLogLevel 9
- SecRequestBodyAccess On
- SecRule REQUEST_FILENAME "\@pmFromFile https://www.modsecurity.org/modsecurity-regression-test.txt" "id:'123',phase:2,log,pass,t:none"
- ),
- match_log => {- error => [ qr/ModSecurity: Warning. Matched phrase \"127.0.0.1\" at REQUEST_FILENAME./, 1],
- debug => [ qr/Matched phrase \"127.0.0.1\" at REQUEST_FILENAME/, 1 ],
- -error => [ qr/ModSecurity: Problems loading external resources:/, 1],
- },
- match_response => {- status => qr/^404$/,
- },
- request => new HTTP::Request(
- POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/127.0.0.1.html",- [
- "Content-Type" => "application/x-www-form-urlencoded",
- ],
- # Args
- "some_variable=-1' and 1=1 union/* foo */select load_file('/etc/passwd')--"- ),
-},
-{- type => "misc",
- comment => "pmfromfile - 404 download",
- conf => qq(
- SecRuleEngine On
- SecDebugLog $ENV{DEBUG_LOG}- SecDebugLogLevel 9
- SecRequestBodyAccess On
- SecRemoteRulesFailAction Warn
- SecRule REQUEST_FILENAME "\@pmFromFile https://www.modsecurity.org/modsecurity-regression-test-404.txt" "id:'123',phase:2,log,pass,t:none"
-
- ),
- match_log => {- error => [ qr/ModSecurity: Problems loading external resources: Failed to download: \"https:\/\/www.modsecurity.org\/modsecurity-regression-test-404.txt\" error: HTTP response code said error./, 1],
- },
- match_response => {- status => qr/^404$/,
- },
- request => new HTTP::Request(
- POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/127.0.0.1.html",- [
- "Content-Type" => "application/x-www-form-urlencoded",
- ],
- # Args
- "some_variable=-1' and 1=1 union/* foo */select load_file('/etc/passwd')--"- ),
-},
-{- type => "misc",
- comment => "pmfromfile - bad certificate name",
- conf => qq(
- SecRuleEngine On
- SecDebugLog $ENV{DEBUG_LOG}- SecDebugLogLevel 9
- SecRequestBodyAccess On
- SecRemoteRulesFailAction Warn
- SecRule REQUEST_FILENAME "\@pmFromFile https://status.modsecurity.org/modsecurity-regression-test.txt" "id:'123',phase:2,log,pass,t:none"
-
- ),
- match_log => {- error => [ qr/ModSecurity: Problems loading external resources: Failed to download: \"https:\/\/status.modsecurity.org\/modsecurity-regression-test.txt\" error: [SSL peer certificate or SSH remote key was not OK.|Couldn't connect to server.]/, 1],
- },
- match_response => {- status => qr/^404$/,
- },
- request => new HTTP::Request(
- POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/127.0.0.1.html",- [
- "Content-Type" => "application/x-www-form-urlencoded",
- ],
- # Args
- "some_variable=-1' and 1=1 union/* foo */select load_file('/etc/passwd')--"- ),
-},
-