OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_security2?expand=0&rev=2

2009-01-23 22:43:58 +00:00 · 2009-01-23 22:43:58 +00:00 · 492d69c20d
commit 492d69c20d
parent b08c840c20
3 changed files with 71 additions and 3 deletions
--- a/apache2-mod_security2.changes
+++ b/apache2-mod_security2.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Jan 23 16:56:55 CET 2009 - skh@suse.de
+
+- fix broken config [bnc#457200]
+
 -------------------------------------------------------------------
 Mon Sep 15 14:05:05 CEST 2008 - skh@suse.de

--- a/apache2-mod_security2.spec
+++ b/apache2-mod_security2.spec
@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_security2 (Version 2.5.6)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -20,7 +20,7 @@

 Name:           apache2-mod_security2
 Version:        2.5.6
-Release:        1
+Release:        2
 #
 License:        GPL v2 only; GPLv2 with some FLOSS linking exceptions
 Group:          Productivity/Networking/Web/Servers
@ -39,6 +39,7 @@ Requires:       apache2 %{apache_mmn}
 #
 Url:            http://www.modsecurity.org/
 Source:         http://www.modsecurity.org/download/%{tarballname}.tar.gz
+Source1:        mod_security2.conf
 #
 Summary:        ModSecurity Open Source Web Application Firewall

@ -65,7 +66,7 @@ pushd %{apache}
  install -d -m 0755 %{buildroot}%{apache_libexecdir}
  install .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so
 popd
-install -D -m 0644 modsecurity.conf-minimal %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf
+install -D -m 0644 %{SOURCE1} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf

 %clean
 %{__rm} -rf %{buildroot};
@ -79,6 +80,8 @@ install -D -m 0644 modsecurity.conf-minimal %{buildroot}%{apache_sysconfdir}/con
 %doc tools rules

 %changelog
+* Fri Jan 23 2009 skh@suse.de
+- fix broken config [bnc#457200]
 * Mon Sep 15 2008 skh@suse.de
 - update to version 2.5.6
 - initial submit to FACTORY
--- a/mod_security2.conf
+++ b/mod_security2.conf
@ -0,0 +1,60 @@
+<IfModule mod_security2.c>
+	# Basic configuration options
+	SecRuleEngine On
+	SecRequestBodyAccess On
+	SecResponseBodyAccess Off
+
+	# Handling of file uploads
+	# TODO Choose a folder private to Apache.
+	# SecUploadDir /opt/apache-frontend/tmp/
+	SecUploadKeepFiles Off
+
+	# Debug log
+	SecDebugLog /var/log/apache2/modsec_debug.log
+	SecDebugLogLevel 0
+
+	# Serial audit log
+	SecAuditEngine RelevantOnly
+	SecAuditLogRelevantStatus ^5
+	SecAuditLogParts ABIFHZ
+	SecAuditLogType Serial
+	SecAuditLog /var/log/apache2/modsec_audit.log
+
+	# Maximum request body size we will
+	# accept for buffering
+	SecRequestBodyLimit 131072
+
+	# Store up to 128 KB in memory
+	SecRequestBodyInMemoryLimit 131072
+
+	# Buffer response bodies of up to
+	# 512 KB in length
+	SecResponseBodyLimit 524288
+
+	# Verify that we've correctly processed the request body.
+	# As a rule of thumb, when failing to process a request body
+	# you should reject the request (when deployed in blocking mode)
+	# or log a high-severity alert (when deployed in detection-only mode).
+	SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
+	"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
+
+	# By default be strict with what we accept in the multipart/form-data
+	# request body. If the rule below proves to be too strict for your
+	# environment consider changing it to detection-only. You are encouraged
+	# _not_ to remove it altogether.
+	SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+	"phase:2,t:none,log,deny,msg:'Multipart request body \
+	failed strict validation: \
+	PE %{REQBODY_PROCESSOR_ERROR}, \
+	BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+	BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+	DB %{MULTIPART_DATA_BEFORE}, \
+	DA %{MULTIPART_DATA_AFTER}, \
+	HF %{MULTIPART_HEADER_FOLDING}, \
+	LF %{MULTIPART_LF_LINE}, \
+	SM %{MULTIPART_SEMICOLON_MISSING}'"
+
+	# Did we see anything that might be a boundary?
+	SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+	"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+</IfModule>