
- version update to 2.9.3
  * Enable optimization for large stream input by default on IIS
    [Issue #1299 - @victorhora, @zimmerle]
  * Allow 0 length JSON requests.
    [Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
  * Include unnamed JSON values in unnamed ARGS
    [Issue #1577, #1576 - @marcstern, @victorhora, @zimmerle]
  * Fix buffer size for utf8toUnicode transformation
    [Issue #1208 - @katef, @victorhora]
  * Fix sanitizing JSON request bodies in native audit log format
    [p0pr0ck5, @victorhora]
  * IIS: Update Wix installer to bundle a supported CRS version (3.0)
    [@victorhora, @zimmerle]
  * IIS: Update dependencies for Windows build
    [Issue #1848 - @victorhora, @hsluoyz]
  * IIS: Set SecStreamInBodyInspection by default on IIS builds (#1299)
    [Issue #1299 - @victorhora]
  * IIS: Update modsecurity.conf
    [Issue #788 - @victorhora, @brianclark]
  * Add sanity check for a couple of malloc() calls and make code more resilient
    [Issue #979 - @dogbert2, @victorhora, @zimmerl]
  * Fix NetBSD build by renaming the hmac function to avoid conflicts
    [Issue #1241 - @victorhora, @joerg, @sevan]
  * IIS: Windows build, fix duplicate YAJL dir in script
    [Issue #1612 - @allanbomsft, @victorhora]
  * IIS: Remove body prebuffering due to no locking in modsecProcessRequest
    [Issue #1917 - @allanbomsft, @victorhora]
  * Fix mpm-itk / mod_ruid2 compatibility
    [Issue #712 - @ju5t, @derhansen, @meatlayer, @victorhora]
  * Code cosmetics: check that actionset is not null before using it

OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=83
Petr Gajdos 2021-02-23 07:55:22 +00:00 committed by Git OBS Bridge
parent edc44d368e
commit 1f5c2cdf32
6 changed files with 176 additions and 43 deletions


@ -1,3 +1,89 @@
-------------------------------------------------------------------
Tue Feb 23 07:49:57 UTC 2021 - pgajdos@suse.com
- version update to 2.9.3
* Enable optimization for large stream input by default on IIS
[Issue #1299 - @victorhora, @zimmerle]
* Allow 0 length JSON requests.
[Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
* Include unanmed JSON values in unnamed ARGS
[Issue #1577, #1576 - @marcstern, @victorhora, @zimmerle]
* Fix buffer size for utf8toUnicode transformation
[Issue #1208 - @katef, @victorhora]
* Fix sanitizing JSON request bodies in native audit log format
[p0pr0ck5, @victorhora]
* IIS: Update Wix installer to bundle a supported CRS version (3.0)
[@victorhora, @zimmerle]
* IIS: Update dependencies for Windows build
[Issue #1848 - @victorhora, @hsluoyz]
* IIS: Set SecStreamInBodyInspection by default on IIS builds (#1299)
[Issue #1299 - @victorhora]
* IIS: Update modsecurity.conf
[Issue #788 - @victorhora, @brianclark]
* Add sanity check for a couple malloc() and make code more resilient
[Issue #979 - @dogbert2, @victorhora, @zimmerl]
* Fix NetBSD build by renaming the hmac function to avoid conflicts
[Issue #1241 - @victorhora, @joerg, @sevan]
* IIS: Windows build, fix duplicate YAJL dir in script
[Issue #1612 - @allanbomsft, @victorhora]
* IIS: Remove body prebuffering due to no locking in modsecProcessRequest
[Issue #1917 - @allanbomsft, @victorhora]
* Fix mpm-itk / mod_ruid2 compatibility
[Issue #712 - @ju5t , @derhansen, @meatlayer, @victorhora]
* Code cosmetics: checks if actionset is not null before use it
[Issue #1556 - @marcstern, @zimmerle, @victorhora]
* Only generate SecHashKey when SecHashEngine is On
[Issue #1671 - @dmuey, @monkburger, @zimmerle]
* Docs: Reformat README to Markdown and update dependencies
[Issue #1857 - @hsluoyz, @victorhora]
* IIS: no lock on ProcessRequest. No reload of config.
[Issue #1826 - @allanbomsft]
* IIS: buffer request body before taking lock
[Issue #1651 - @allanbomsft]
* good practices: Initialize variables before use it
[Issue #1889 - Marc Stern]
* Let body parsers observe SecRequestBodyNoFilesLimit
[Issue #1613 - @allanbomsft]
* potential off by one in parse_arguments
[Issue #1799 - @tinselcity, @zimmerle]
* Fix utf-8 character encoding conversion
[Issue #1794 - @tinselcity, @zimmerle]
* Fix ip tree lookup on netmask content
[Issue #1793 - @tinselcity, @zimmerle]
* IIS: set overrideModeDefault to Allow so that individual websites can
add <ModSecurity ...> to their web.config file
[Issue #1781 - @default-kramer]
* modsecurity.conf-recommended: Fix spelling
[Issue #1721 - @padraigdoran]
* build: fix when multiple lines for curl version
[Issue #1771 - @Artistan]
* Fix arabic charset in unicode_mapping file
[Issue #1619 - @alaa-ahmed-a]
* Optionally preallocates memory when SecStreamInBodyInspection is on
[Issue #1366 - @allanbomsft, @zimmerle]
* Fixed typo in build_yajl.bat
[Issue #1366 - @allanbomsft]
* Fixes SecConnWriteStateLimit
[Issue #1545 - @nicjansma]
* Added "empy chunk" check
[Issue #1347, #1446 - @gravagli, @bostrt, @zimmerle]
* Add capture action to @detectXSS operator
[Issue #1488, #1482 - @victorhora]
* Fix for wildcard operator when loading conf files on Nginx / IIS
[Issue #1486, #1285 - @victorhora and @thierry-f-78]
* Set of fixies to make windows build workable with the buildbots
[Commit 94fe3 - @zimmerle]
* Uses LOG_NO_STOPWATCH instead of DLOG_NO_STOPWATCH
[Issue #1510 - @marcstern]
* Adds missing headers
[Issue #1454 - @devnexen]
- modified patches
% modsecurity-fixes.patch (fix crash caused by our patch)
[bsc#1180830]
- added patches
+ modsecurity-2.9.3-input_filtering_errors.patch
[bsc#1180830]
-------------------------------------------------------------------
Wed Feb 12 10:26:15 UTC 2020 - pgajdos@suse.com
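Review bot: the "modified patches" entry says only "fix crash caused by our patch" for modsecurity-fixes.patch, which does not tell a later reader which part of that patch was at fault or what was dropped from it; name the removed change next to bsc#1180830 (and the upstream issue, if one exists, as the spec does for the new Patch3 with issue #2514) so the changelog can be matched to the patch history without diffing the patch files.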


@ -1,7 +1,7 @@
#
# spec file for package apache2-mod_security2
#
# Copyright (c) 2020 SUSE LLC
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -20,7 +20,7 @@
%define tarballname modsecurity-%{version}
%define usrsharedir %{_datadir}/%{name}
Name: apache2-mod_security2
Version: 2.9.2
Version: 2.9.3
Release: 0
Summary: Web Application Firewall for apache httpd
License: Apache-2.0
@ -34,6 +34,8 @@ Source7: empty.conf
Patch0: apache2-mod_security2-no_rpath.diff
Patch1: modsecurity-fixes.patch
Patch2: apache2-mod_security2_tests_conf.patch
# https://github.com/SpiderLabs/ModSecurity/issues/2514
Patch3: modsecurity-2.9.3-input_filtering_errors.patch
BuildRequires: apache-rpm-macros
BuildRequires: apache2-devel
BuildRequires: apache2-prefork
@ -43,7 +45,7 @@ BuildRequires: c++_compiler
BuildRequires: libcurl-devel
BuildRequires: libtool
BuildRequires: libxml2-devel
BuildRequires: lua-devel
BuildRequires: lua53-devel
BuildRequires: pcre-devel
BuildRequires: perl-libwww-perl
BuildRequires: pkgconfig
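Review bot: the BuildRequires change from lua-devel to lua53-devel is not recorded in the .changes entry for this update; add a line for it, since it fixes the Lua version the module is built against and is independent of the 2.9.3 version bump.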
@ -68,6 +70,7 @@ mv -v SpiderLabs* rules
%patch0
%patch1 -p1
%patch2 -p1
%patch3 -p1
%build
# aclocal only works with newer distributions
@ -120,7 +123,7 @@ mv %{buildroot}/%{usrsharedir}/rules/modsecurity_crs_10_setup.conf.example \
%{apache_sysconfdir}/mod_security2.d/README-SUSE-mod_security2.txt
%{apache_sysconfdir}/mod_security2.d/empty.conf
%{usrsharedir}
%doc README.TXT CHANGES LICENSE NOTICE authors.txt
%doc README.md CHANGES LICENSE NOTICE authors.txt
%doc doc/README.txt
%doc doc/README-SUSE-mod_security2.txt
%doc rules/util/regression-tests


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:41a8f73476ec891f3a9e8736b98b64ea5c2105f1ce15ea57a1f05b4bf2ffaeb5
size 4298993


@ -0,0 +1,80 @@
diff -ru modsecurity-2.9.3.old/apache2/apache2_io.c modsecurity-2.9.3.new/apache2/apache2_io.c
--- modsecurity-2.9.3.old/apache2/apache2_io.c 2018-12-04 19:49:37.000000000 +0100
+++ modsecurity-2.9.3.new/apache2/apache2_io.c 2021-02-12 13:28:27.739749566 +0100
@@ -209,6 +209,10 @@
* too large and APR_EGENERAL when the client disconnects.
*/
switch(rc) {
+ case AP_FILTER_ERROR :
+ *error_msg = apr_pstrdup(msr->mp, "Error reading request body: filter error");
+ return -8;
+
case APR_INCOMPLETE :
*error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
return -7;
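Review bot: the comment block that ends just above this switch ("... too large and APR_EGENERAL when the client disconnects") still describes the old mapping and should gain the new AP_FILTER_ERROR -> -8 case, with a note that AP_FILTER_ERROR means the input filter has already generated its own error response; that is the whole reason -8 needs to be handled differently from the other negative codes. The fixed message via apr_pstrdup is fine, but the neighbouring cases all use apr_psprintf with get_apr_error(msr->mp, rc), so keeping that form would keep the log lines uniform.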
@@ -218,7 +222,7 @@
case APR_TIMEUP :
*error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
return -4;
- case AP_FILTER_ERROR :
+ case APR_ENOSPC:
*error_msg = apr_psprintf(msr->mp, "Error reading request body: HTTP Error 413 - Request entity too large. (Most likely.)");
return -3;
case APR_EGENERAL :
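Review bot: the 413 slot moves from AP_FILTER_ERROR to APR_ENOSPC while keeping the message "HTTP Error 413 - Request entity too large. (Most likely.)"; add a one-line comment stating that APR_ENOSPC is the value httpd's body filter hands back when a read overruns LimitRequestBody, because a reader who remembers the old code will otherwise assume the too-large path was lost rather than relabelled, and the "(Most likely.)" hedge no longer reflects how specific this case now is.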
diff -ru modsecurity-2.9.3.old/apache2/mod_security2.c modsecurity-2.9.3.new/apache2/mod_security2.c
--- modsecurity-2.9.3.old/apache2/mod_security2.c 2018-12-04 19:49:37.000000000 +0100
+++ modsecurity-2.9.3.new/apache2/mod_security2.c 2021-02-12 13:34:22.940428406 +0100
@@ -1013,7 +1013,7 @@
}
rc = read_request_body(msr, &my_error_msg);
- if (rc < 0 && msr->txcfg->is_enabled == MODSEC_ENABLED) {
+ if (rc < 0) {
switch(rc) {
case -1 :
if (my_error_msg != NULL) {
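Review bot: dropping the `msr->txcfg->is_enabled == MODSEC_ENABLED` condition is a behaviour change, not just a crash fix: body-read failures are now turned into error responses even when SecRuleEngine is Off or DetectionOnly, where the request previously continued. That is the right thing for the filter-error case (continuing after the filter has already failed the request is presumably the crash being fixed), but the .changes entry describes this patch only as "input_filtering_errors"; record the mode-independent handling there, or keep the engine check for the cases that are not filter errors.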
@@ -1021,6 +1021,21 @@
}
return HTTP_INTERNAL_SERVER_ERROR;
break;
+ case -2 : /* Bad request. */
+ case -6 : /* EOF when reading request body. */
+ case -7 : /* Partial recieved */
+ if (my_error_msg != NULL) {
+ msr_log(msr, 4, "%s", my_error_msg);
+ }
+ r->connection->keepalive = AP_CONN_CLOSE;
+ return HTTP_BAD_REQUEST;
+ break;
+ case -3 : /* Apache's LimitRequestBody. */
+ if (my_error_msg != NULL) {
+ msr_log(msr, 1, "%s", my_error_msg);
+ }
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ break;
case -4 : /* Timeout. */
if (my_error_msg != NULL) {
msr_log(msr, 4, "%s", my_error_msg);
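Review bot: the new -3 case returns HTTP_REQUEST_ENTITY_TOO_LARGE without setting `r->connection->keepalive = AP_CONN_CLOSE`, unlike the -2/-6/-7 cases directly above it; if the intent is to rely on httpd closing the connection itself for error statuses, say so in the comment, otherwise add the line for consistency, since unread body bytes are still on the wire here too. While the "Partial recieved" comment is being moved, fix the spelling to "received".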
@@ -1042,19 +1057,11 @@
}
}
break;
- case -6 : /* EOF when reading request body. */
- if (my_error_msg != NULL) {
- msr_log(msr, 4, "%s", my_error_msg);
- }
- r->connection->keepalive = AP_CONN_CLOSE;
- return HTTP_BAD_REQUEST;
- break;
- case -7 : /* Partial recieved */
+ case -8 : /* Filter error. */
if (my_error_msg != NULL) {
- msr_log(msr, 4, "%s", my_error_msg);
+ msr_log(msr, 1, "%s", my_error_msg);
}
- r->connection->keepalive = AP_CONN_CLOSE;
- return HTTP_BAD_REQUEST;
+ return AP_FILTER_ERROR;
break;
default :
/* allow through */
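Review bot: returning AP_FILTER_ERROR from the hook in the new -8 case is only correct because the input filter has already produced the error response; the "Filter error." comment should state that explicitly, so nobody later "normalises" it to an HTTP status and sends a second response on the same connection. Raising the log level from 4 to 1 for this case is reasonable since it now indicates a server-side filter failure rather than a client fault. The `break;` after each `return` is unreachable (pre-existing style, harmless).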

modsecurity-2.9.3.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4192019d169d3f1dd82cc4714db6986df54c6ceb4ee1c8f253de78d1a6b62118
size 4307670


@ -1,39 +1,3 @@
Index: modsecurity-2.9.0/apache2/mod_security2.c
===================================================================
--- modsecurity-2.9.0.orig/apache2/mod_security2.c
+++ modsecurity-2.9.0/apache2/mod_security2.c
@@ -457,17 +457,13 @@ static void store_tx_context(modsec_rec
* Creates a new transaction context.
*/
static modsec_rec *create_tx_context(request_rec *r) {
- apr_allocator_t *allocator = NULL;
modsec_rec *msr = NULL;
msr = (modsec_rec *)apr_pcalloc(r->pool, sizeof(modsec_rec));
if (msr == NULL) return NULL;
- apr_allocator_create(&allocator);
- apr_allocator_max_free_set(allocator, 1024);
- apr_pool_create_ex(&msr->mp, r->pool, NULL, allocator);
+ apr_pool_create(&msr->mp, r->pool);
if (msr->mp == NULL) return NULL;
- apr_allocator_owner_set(allocator, msr->mp);
msr->modsecurity = modsecurity;
msr->r = r;
Index: modsecurity-2.9.0/apache2/msc_reqbody.c
===================================================================
--- modsecurity-2.9.0.orig/apache2/msc_reqbody.c
+++ modsecurity-2.9.0/apache2/msc_reqbody.c
@@ -88,7 +88,7 @@ apr_status_t modsecurity_request_body_st
* to allocate structures from (not data, which is allocated
* via malloc).
*/
- apr_pool_create(&msr->msc_reqbody_mp, NULL);
+ apr_pool_create(&msr->msc_reqbody_mp, msr->mp);
/* Initialise request body processors, if any. */
Index: modsecurity-2.9.0/apache2/msc_status_engine.c
===================================================================
--- modsecurity-2.9.0.orig/apache2/msc_status_engine.c
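Review bot: the header (-1,39 +1,3) says modsecurity-fixes.patch shrinks to three lines, so the pieces being removed from it are the per-transaction apr_allocator (create, max_free 1024, owner set, apr_pool_create_ex) in create_tx_context and the reparenting of msc_reqbody_mp from NULL to msr->mp in msc_reqbody.c; the page cuts off before the msc_status_engine.c part, so the surviving three lines are not visible here. State in the .changes which of these caused bsc#1180830, and if the msc_reqbody_mp reparenting is what is reverted, check that a pool created with a NULL parent is still destroyed on the transaction cleanup path, since it will no longer go away together with msr->mp.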