|
Packit |
284210 |
/*
|
|
Packit |
284210 |
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
|
|
Packit |
284210 |
* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* You may not use this file except in compliance with
|
|
Packit |
284210 |
* the License. You may obtain a copy of the License at
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* http://www.apache.org/licenses/LICENSE-2.0
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* If any of the files related to licensing are missing or if you have any
|
|
Packit |
284210 |
* other questions related to licensing please contact Trustwave Holdings, Inc.
|
|
Packit |
284210 |
* directly using the email address security@modsecurity.org.
|
|
Packit |
284210 |
*/
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#ifndef _MODSECURITY_H_
|
|
Packit |
284210 |
#define _MODSECURITY_H_
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#include <stdio.h>
|
|
Packit |
284210 |
#include <stdlib.h>
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#include <limits.h>
|
|
Packit |
284210 |
#include <libxml/tree.h>
|
|
Packit |
284210 |
#include <libxml/HTMLparser.h>
|
|
Packit |
284210 |
|
|
Packit |
284210 |
typedef struct rule_exception rule_exception;
|
|
Packit |
284210 |
typedef struct rule_exception hash_method;
|
|
Packit |
284210 |
typedef struct modsec_rec modsec_rec;
|
|
Packit |
284210 |
typedef struct directory_config directory_config;
|
|
Packit |
284210 |
typedef struct error_message_t error_message_t;
|
|
Packit |
284210 |
typedef struct msc_engine msc_engine;
|
|
Packit |
284210 |
typedef struct msc_data_chunk msc_data_chunk;
|
|
Packit |
284210 |
typedef struct msc_arg msc_arg;
|
|
Packit |
284210 |
typedef struct msc_string msc_string;
|
|
Packit |
284210 |
typedef struct msc_parm msc_parm;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#include "msc_release.h"
|
|
Packit |
284210 |
#include "msc_logging.h"
|
|
Packit |
284210 |
#include "msc_multipart.h"
|
|
Packit |
284210 |
#include "msc_pcre.h"
|
|
Packit |
284210 |
#include "msc_util.h"
|
|
Packit |
284210 |
#include "msc_json.h"
|
|
Packit |
284210 |
#include "msc_xml.h"
|
|
Packit |
284210 |
#include "msc_tree.h"
|
|
Packit |
284210 |
#include "msc_geo.h"
|
|
Packit |
284210 |
#include "msc_gsb.h"
|
|
Packit |
284210 |
#include "msc_unicode.h"
|
|
Packit |
284210 |
#include "re.h"
|
|
Packit |
284210 |
#include "msc_crypt.h"
|
|
Packit |
284210 |
#include "msc_remote_rules.h"
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#include "ap_config.h"
|
|
Packit |
284210 |
#include "apr_md5.h"
|
|
Packit |
284210 |
#include "apr_strings.h"
|
|
Packit |
284210 |
#include "apr_hash.h"
|
|
Packit |
284210 |
#include "httpd.h"
|
|
Packit |
284210 |
#include "http_config.h"
|
|
Packit |
284210 |
#include "http_log.h"
|
|
Packit |
284210 |
#include "http_protocol.h"
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#if defined(WITH_LUA)
|
|
Packit |
284210 |
#include "msc_lua.h"
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define PHASE_REQUEST_HEADERS 1
|
|
Packit |
284210 |
#define PHASE_REQUEST_BODY 2
|
|
Packit |
284210 |
#define PHASE_RESPONSE_HEADERS 3
|
|
Packit |
284210 |
#define PHASE_RESPONSE_BODY 4
|
|
Packit |
284210 |
#define PHASE_LOGGING 5
|
|
Packit |
284210 |
#define PHASE_FIRST PHASE_REQUEST_HEADERS
|
|
Packit |
284210 |
#define PHASE_LAST PHASE_LOGGING
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define NOT_SET -1l
|
|
Packit |
284210 |
#define NOT_SET_P ((void *)-1l)
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define CREATEMODE ( APR_UREAD | APR_UWRITE | APR_GREAD )
|
|
Packit |
284210 |
#define CREATEMODE_DIR ( APR_UREAD | APR_UWRITE | APR_UEXECUTE | APR_GREAD | APR_GEXECUTE )
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#if defined(NETWARE)
|
|
Packit |
284210 |
#define CREATEMODE_UNISTD ( S_IREAD | S_IWRITE )
|
|
Packit |
284210 |
#elif defined(WIN32)
|
|
Packit |
284210 |
#define CREATEMODE_UNISTD ( _S_IREAD | _S_IWRITE )
|
|
Packit |
284210 |
#else
|
|
Packit |
284210 |
#define CREATEMODE_UNISTD ( S_IRUSR | S_IWUSR | S_IRGRP )
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#if !defined(O_BINARY)
|
|
Packit |
284210 |
#define O_BINARY (0)
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#ifndef PIPE_BUF
|
|
Packit |
284210 |
#define PIPE_BUF (512)
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define REQUEST_BODY_HARD_LIMIT 1073741824L
|
|
Packit |
284210 |
#define REQUEST_BODY_DEFAULT_INMEMORY_LIMIT 131072
|
|
Packit |
284210 |
#define REQUEST_BODY_DEFAULT_LIMIT 134217728
|
|
Packit |
284210 |
#define REQUEST_BODY_NO_FILES_DEFAULT_LIMIT 1048576
|
|
Packit |
284210 |
#define RESPONSE_BODY_DEFAULT_LIMIT 524288
|
|
Packit |
284210 |
#define RESPONSE_BODY_HARD_LIMIT 1073741824L
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define RESPONSE_BODY_LIMIT_ACTION_REJECT 0
|
|
Packit |
284210 |
#define RESPONSE_BODY_LIMIT_ACTION_PARTIAL 1
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define REQUEST_BODY_FORCEBUF_OFF 0
|
|
Packit |
284210 |
#define REQUEST_BODY_FORCEBUF_ON 1
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define REQUEST_BODY_LIMIT_ACTION_REJECT 0
|
|
Packit |
284210 |
#define REQUEST_BODY_LIMIT_ACTION_PARTIAL 1
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define SECACTION_TARGETS "REMOTE_ADDR"
|
|
Packit |
284210 |
#define SECACTION_ARGS "@unconditionalMatch"
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define SECMARKER_TARGETS "REMOTE_ADDR"
|
|
Packit |
284210 |
#define SECMARKER_ARGS "@noMatch"
|
|
Packit |
284210 |
#define SECMARKER_BASE_ACTIONS "t:none,pass,marker:"
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#if !defined(OS2) && !defined(WIN32) && !defined(BEOS) && !defined(NETWARE)
|
|
Packit |
284210 |
#include "unixd.h"
|
|
Packit |
284210 |
#define __SET_MUTEX_PERMS
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define COOKIES_V0 0
|
|
Packit |
284210 |
#define COOKIES_V1 1
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#ifdef WIN32
|
|
Packit |
284210 |
#include <direct.h>
|
|
Packit |
284210 |
#else
|
|
Packit |
284210 |
#include <sys/types.h>
|
|
Packit |
284210 |
#include <unistd.h>
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define NOTE_MSR "modsecurity-tx-context"
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define FATAL_ERROR "ModSecurity: Fatal error (memory allocation or unexpected internal error)!"
|
|
Packit |
284210 |
|
|
Packit |
284210 |
extern DSOLOCAL char *new_server_signature;
|
|
Packit |
284210 |
extern DSOLOCAL char *real_server_signature;
|
|
Packit |
284210 |
extern DSOLOCAL char *chroot_dir;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
extern module AP_MODULE_DECLARE_DATA security2_module;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
extern DSOLOCAL const command_rec module_directives[];
|
|
Packit |
284210 |
|
|
Packit |
284210 |
extern DSOLOCAL unsigned long int msc_pcre_match_limit;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#ifdef WITH_REMOTE_RULES
|
|
Packit |
284210 |
extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
extern DSOLOCAL int remote_rules_fail_action;
|
|
Packit |
284210 |
extern DSOLOCAL char *remote_rules_fail_message;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
extern DSOLOCAL int status_engine_state;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
extern DSOLOCAL int conn_limits_filter_state;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
extern DSOLOCAL unsigned long int conn_read_state_limit;
|
|
Packit |
284210 |
extern DSOLOCAL TreeRoot *conn_read_state_whitelist;
|
|
Packit |
284210 |
extern DSOLOCAL TreeRoot *conn_read_state_suspicious_list;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
extern DSOLOCAL unsigned long int conn_write_state_limit;
|
|
Packit |
284210 |
extern DSOLOCAL TreeRoot *conn_write_state_whitelist;
|
|
Packit |
284210 |
extern DSOLOCAL TreeRoot *conn_write_state_suspicious_list;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
extern DSOLOCAL unsigned long int unicode_codepage;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
extern DSOLOCAL int *unicode_map_table;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define RESBODY_STATUS_NOT_READ 0 /* we were not configured to read the body */
|
|
Packit |
284210 |
#define RESBODY_STATUS_ERROR 1 /* error occured while we were reading the body */
|
|
Packit |
284210 |
#define RESBODY_STATUS_PARTIAL 2 /* partial body content available in the brigade */
|
|
Packit |
284210 |
#define RESBODY_STATUS_READ_BRIGADE 3 /* body was read but not flattened */
|
|
Packit |
284210 |
#define RESBODY_STATUS_READ 4 /* body was read and flattened */
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define IF_STATUS_NONE 0
|
|
Packit |
284210 |
#define IF_STATUS_WANTS_TO_RUN 1
|
|
Packit |
284210 |
#define IF_STATUS_COMPLETE 2
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define OF_STATUS_NOT_STARTED 0
|
|
Packit |
284210 |
#define OF_STATUS_IN_PROGRESS 1
|
|
Packit |
284210 |
#define OF_STATUS_COMPLETE 2
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define MSC_REQBODY_NONE 0
|
|
Packit |
284210 |
#define MSC_REQBODY_MEMORY 1
|
|
Packit |
284210 |
#define MSC_REQBODY_DISK 2
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define ACTION_NONE 0
|
|
Packit |
284210 |
#define ACTION_DENY 1
|
|
Packit |
284210 |
#define ACTION_REDIRECT 2
|
|
Packit |
284210 |
#define ACTION_PROXY 3
|
|
Packit |
284210 |
#define ACTION_DROP 4
|
|
Packit |
284210 |
#define ACTION_ALLOW 5
|
|
Packit |
284210 |
#define ACTION_ALLOW_REQUEST 6
|
|
Packit |
284210 |
#define ACTION_ALLOW_PHASE 7
|
|
Packit |
284210 |
#define ACTION_PAUSE 8
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define MODSEC_DISABLED 0
|
|
Packit |
284210 |
#define MODSEC_DETECTION_ONLY 1
|
|
Packit |
284210 |
#define MODSEC_ENABLED 2
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define STATUS_ENGINE_ENABLED 1
|
|
Packit |
284210 |
#define STATUS_ENGINE_DISABLED 0
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define REMOTE_RULES_ABORT_ON_FAIL 0
|
|
Packit |
284210 |
#define REMOTE_RULES_WARN_ON_FAIL 1
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define HASH_DISABLED 0
|
|
Packit |
284210 |
#define HASH_ENABLED 1
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define HASH_URL_HREF_HASH_RX 0
|
|
Packit |
284210 |
#define HASH_URL_HREF_HASH_PM 1
|
|
Packit |
284210 |
#define HASH_URL_FACTION_HASH_RX 2
|
|
Packit |
284210 |
#define HASH_URL_FACTION_HASH_PM 3
|
|
Packit |
284210 |
#define HASH_URL_LOCATION_HASH_RX 4
|
|
Packit |
284210 |
#define HASH_URL_LOCATION_HASH_PM 5
|
|
Packit |
284210 |
#define HASH_URL_IFRAMESRC_HASH_RX 6
|
|
Packit |
284210 |
#define HASH_URL_IFRAMESRC_HASH_PM 7
|
|
Packit |
284210 |
#define HASH_URL_FRAMESRC_HASH_RX 8
|
|
Packit |
284210 |
#define HASH_URL_FRAMESRC_HASH_PM 9
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define HASH_KEYONLY 0
|
|
Packit |
284210 |
#define HASH_SESSIONID 1
|
|
Packit |
284210 |
#define HASH_REMOTEIP 2
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define MODSEC_CACHE_DISABLED 0
|
|
Packit |
284210 |
#define MODSEC_CACHE_ENABLED 1
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define MODSEC_OFFLINE 0
|
|
Packit |
284210 |
#define MODSEC_ONLINE 1
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define REGEX_CAPTURE_BUFLEN 1024
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define KEEP_FILES_OFF 0
|
|
Packit |
284210 |
#define KEEP_FILES_ON 1
|
|
Packit |
284210 |
#define KEEP_FILES_RELEVANT_ONLY 2
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define RULE_EXCEPTION_IMPORT_ID 1
|
|
Packit |
284210 |
#define RULE_EXCEPTION_IMPORT_MSG 2
|
|
Packit |
284210 |
#define RULE_EXCEPTION_REMOVE_ID 3
|
|
Packit |
284210 |
#define RULE_EXCEPTION_REMOVE_MSG 4
|
|
Packit |
284210 |
#define RULE_EXCEPTION_REMOVE_TAG 5
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#define NBSP 160
|
|
Packit |
284210 |
|
|
Packit |
284210 |
struct rule_exception {
|
|
Packit |
284210 |
int type;
|
|
Packit |
284210 |
const char *param;
|
|
Packit |
284210 |
void *param_data;
|
|
Packit |
284210 |
};
|
|
Packit |
284210 |
|
|
Packit |
284210 |
struct modsec_rec {
|
|
Packit |
284210 |
apr_pool_t *mp;
|
|
Packit |
284210 |
msc_engine *modsecurity;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
request_rec *r_early;
|
|
Packit |
284210 |
request_rec *r;
|
|
Packit |
284210 |
directory_config *dcfg1;
|
|
Packit |
284210 |
directory_config *dcfg2;
|
|
Packit |
284210 |
directory_config *usercfg;
|
|
Packit |
284210 |
directory_config *txcfg;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
unsigned int reqbody_should_exist;
|
|
Packit |
284210 |
unsigned int reqbody_chunked;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
unsigned int phase;
|
|
Packit |
284210 |
unsigned int phase_request_headers_complete;
|
|
Packit |
284210 |
unsigned int phase_request_body_complete;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_bucket_brigade *if_brigade;
|
|
Packit |
284210 |
unsigned int if_seen_eos;
|
|
Packit |
284210 |
unsigned int if_status;
|
|
Packit |
284210 |
unsigned int if_started_forwarding;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_size_t reqbody_length;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_bucket_brigade *of_brigade;
|
|
Packit |
284210 |
unsigned int of_status;
|
|
Packit |
284210 |
unsigned int of_done_reading;
|
|
Packit |
284210 |
unsigned int of_skipping;
|
|
Packit |
284210 |
unsigned int of_partial;
|
|
Packit |
284210 |
unsigned int of_is_error;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
unsigned int resbody_status;
|
|
Packit |
284210 |
apr_size_t resbody_length;
|
|
Packit |
284210 |
char *resbody_data;
|
|
Packit |
284210 |
unsigned int resbody_contains_html;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_size_t stream_input_length;
|
|
Packit |
284210 |
char *stream_input_data;
|
|
Packit |
284210 |
apr_size_t stream_output_length;
|
|
Packit |
284210 |
char *stream_output_data;
|
|
Packit |
284210 |
unsigned int of_stream_changed;
|
|
Packit |
284210 |
unsigned int if_stream_changed;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_array_header_t *error_messages;
|
|
Packit |
284210 |
apr_array_header_t *alerts;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
const char *txid;
|
|
Packit |
284210 |
const char *sessionid;
|
|
Packit |
284210 |
const char *userid;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
const char *server_software;
|
|
Packit |
284210 |
const char *local_addr;
|
|
Packit |
284210 |
unsigned int local_port;
|
|
Packit |
284210 |
const char *local_user;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* client */
|
|
Packit |
284210 |
|
|
Packit |
284210 |
const char *remote_addr;
|
|
Packit |
284210 |
unsigned int remote_port;
|
|
Packit |
284210 |
const char *remote_user;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* useragent */
|
|
Packit |
284210 |
const char *useragent_ip;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* request */
|
|
Packit |
284210 |
|
|
Packit |
284210 |
const char *request_line;
|
|
Packit |
284210 |
const char *request_method;
|
|
Packit |
284210 |
const char *request_uri;
|
|
Packit |
284210 |
const char *query_string;
|
|
Packit |
284210 |
const char *request_protocol;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
const char *hostname;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_table_t *request_headers;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_off_t request_content_length;
|
|
Packit |
284210 |
const char *request_content_type;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_table_t *arguments;
|
|
Packit |
284210 |
apr_table_t *arguments_to_sanitize;
|
|
Packit |
284210 |
apr_table_t *request_headers_to_sanitize;
|
|
Packit |
284210 |
apr_table_t *response_headers_to_sanitize;
|
|
Packit |
284210 |
apr_table_t *request_cookies;
|
|
Packit |
284210 |
apr_table_t *pattern_to_sanitize;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
unsigned int urlencoded_error;
|
|
Packit |
284210 |
unsigned int inbound_error;
|
|
Packit |
284210 |
unsigned int outbound_error;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
unsigned int is_relevant;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_table_t *tx_vars;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* ENH: refactor to allow arbitrary var tables */
|
|
Packit |
284210 |
apr_table_t *geo_vars;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* response */
|
|
Packit |
284210 |
unsigned int response_status;
|
|
Packit |
284210 |
const char *status_line;
|
|
Packit |
284210 |
const char *response_protocol;
|
|
Packit |
284210 |
apr_table_t *response_headers;
|
|
Packit |
284210 |
unsigned int response_headers_sent;
|
|
Packit |
284210 |
apr_off_t bytes_sent;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* modsecurity request body processing stuff */
|
|
Packit |
284210 |
|
|
Packit |
284210 |
unsigned int msc_reqbody_storage; /* on disk or in memory */
|
|
Packit |
284210 |
unsigned int msc_reqbody_spilltodisk;
|
|
Packit |
284210 |
unsigned int msc_reqbody_read;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_pool_t *msc_reqbody_mp; /* this is where chunks are allocated from */
|
|
Packit |
284210 |
apr_array_header_t *msc_reqbody_chunks; /* data chunks when stored in memory */
|
|
Packit |
284210 |
unsigned int msc_reqbody_length; /* the amount of data received */
|
|
Packit |
284210 |
int msc_reqbody_chunk_position; /* used when retrieving the body */
|
|
Packit |
284210 |
unsigned int msc_reqbody_chunk_offset; /* offset of the chunk currently in use */
|
|
Packit |
284210 |
msc_data_chunk *msc_reqbody_chunk_current; /* current chunk */
|
|
Packit |
284210 |
char *msc_reqbody_buffer;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
const char *msc_reqbody_filename; /* when stored on disk */
|
|
Packit |
284210 |
int msc_reqbody_fd;
|
|
Packit |
284210 |
msc_data_chunk *msc_reqbody_disk_chunk;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
const char *msc_reqbody_processor;
|
|
Packit |
284210 |
int msc_reqbody_error;
|
|
Packit |
284210 |
const char *msc_reqbody_error_msg;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_size_t msc_reqbody_no_files_length;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
char *msc_full_request_buffer;
|
|
Packit |
284210 |
int msc_full_request_length;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
char *multipart_filename;
|
|
Packit |
284210 |
char *multipart_name;
|
|
Packit |
284210 |
multipart_data *mpd; /* MULTIPART processor data structure */
|
|
Packit |
284210 |
|
|
Packit |
284210 |
xml_data *xml; /* XML processor data structure */
|
|
Packit |
284210 |
#ifdef WITH_YAJL
|
|
Packit |
284210 |
json_data *json; /* JSON processor data structure */
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* audit logging */
|
|
Packit |
284210 |
char *new_auditlog_boundary;
|
|
Packit |
284210 |
char *new_auditlog_filename;
|
|
Packit |
284210 |
apr_file_t *new_auditlog_fd;
|
|
Packit |
284210 |
unsigned int new_auditlog_size;
|
|
Packit |
284210 |
apr_md5_ctx_t new_auditlog_md5ctx;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
unsigned int was_intercepted;
|
|
Packit |
284210 |
unsigned int rule_was_intercepted;
|
|
Packit |
284210 |
unsigned int intercept_phase;
|
|
Packit |
284210 |
msre_actionset *intercept_actionset;
|
|
Packit |
284210 |
const char *intercept_message;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* performance measurement */
|
|
Packit |
284210 |
apr_time_t request_time;
|
|
Packit |
284210 |
apr_time_t time_phase1;
|
|
Packit |
284210 |
apr_time_t time_phase2;
|
|
Packit |
284210 |
apr_time_t time_phase3;
|
|
Packit |
284210 |
apr_time_t time_phase4;
|
|
Packit |
284210 |
apr_time_t time_phase5;
|
|
Packit |
284210 |
apr_time_t time_storage_read;
|
|
Packit |
284210 |
apr_time_t time_storage_write;
|
|
Packit |
284210 |
apr_time_t time_logging;
|
|
Packit |
284210 |
apr_time_t time_gc;
|
|
Packit |
284210 |
apr_table_t *perf_rules;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_array_header_t *matched_rules;
|
|
Packit |
284210 |
msc_string *matched_var;
|
|
Packit |
284210 |
int highest_severity;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* upload */
|
|
Packit |
284210 |
int upload_extract_files;
|
|
Packit |
284210 |
int upload_remove_files;
|
|
Packit |
284210 |
int upload_files_count;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* other */
|
|
Packit |
284210 |
apr_table_t *collections_original;
|
|
Packit |
284210 |
apr_table_t *collections;
|
|
Packit |
284210 |
apr_table_t *collections_dirty;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* rule processing temp pool */
|
|
Packit |
284210 |
apr_pool_t *msc_rule_mptmp;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* content injection */
|
|
Packit |
284210 |
const char *content_prepend;
|
|
Packit |
284210 |
apr_off_t content_prepend_len;
|
|
Packit |
284210 |
const char *content_append;
|
|
Packit |
284210 |
apr_off_t content_append_len;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* data cache */
|
|
Packit |
284210 |
apr_hash_t *tcache;
|
|
Packit |
284210 |
apr_size_t tcache_items;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* removed rules */
|
|
Packit |
284210 |
apr_array_header_t *removed_rules;
|
|
Packit |
284210 |
apr_array_header_t *removed_rules_tag;
|
|
Packit |
284210 |
apr_array_header_t *removed_rules_msg;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* removed targets */
|
|
Packit |
284210 |
apr_table_t *removed_targets;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* When "allow" is executed the variable below is
|
|
Packit |
284210 |
* updated to contain the scope of the allow action. Set
|
|
Packit |
284210 |
* at 0 by default, it will have ACTION_ALLOW if we are
|
|
Packit |
284210 |
* to allow phases 1-4 and ACTION_ALLOW_REQUEST if we
|
|
Packit |
284210 |
* are to allow phases 1-2 only.
|
|
Packit |
284210 |
*/
|
|
Packit |
284210 |
unsigned int allow_scope;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* matched vars */
|
|
Packit |
284210 |
apr_table_t *matched_vars;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Generic request body processor context to be used by custom parsers. */
|
|
Packit |
284210 |
void *reqbody_processor_ctx;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
htmlDocPtr crypto_html_tree;
|
|
Packit |
284210 |
#if defined(WITH_LUA)
|
|
Packit |
284210 |
#ifdef CACHE_LUA
|
|
Packit |
284210 |
lua_State *L;
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
|
|
Packit |
284210 |
int msc_sdbm_delete_error;
|
|
Packit |
284210 |
};
|
|
Packit |
284210 |
|
|
Packit |
284210 |
struct directory_config {
|
|
Packit |
284210 |
apr_pool_t *mp;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
msre_ruleset *ruleset;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
int is_enabled;
|
|
Packit |
284210 |
int reqbody_access;
|
|
Packit |
284210 |
int reqintercept_oe;
|
|
Packit |
284210 |
int reqbody_buffering;
|
|
Packit |
284210 |
long int reqbody_inmemory_limit;
|
|
Packit |
284210 |
long int reqbody_limit;
|
|
Packit |
284210 |
long int reqbody_no_files_limit;
|
|
Packit |
284210 |
int resbody_access;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
long int of_limit;
|
|
Packit |
284210 |
apr_table_t *of_mime_types;
|
|
Packit |
284210 |
int of_mime_types_cleared;
|
|
Packit |
284210 |
int of_limit_action;
|
|
Packit |
284210 |
int if_limit_action;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
const char *debuglog_name;
|
|
Packit |
284210 |
int debuglog_level;
|
|
Packit |
284210 |
apr_file_t *debuglog_fd;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
int cookie_format;
|
|
Packit |
284210 |
int argument_separator;
|
|
Packit |
284210 |
const char *cookiev0_separator;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
int rule_inheritance;
|
|
Packit |
284210 |
apr_array_header_t *rule_exceptions;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* -- Audit log -- */
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Max rule time */
|
|
Packit |
284210 |
int max_rule_time;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Whether audit log should be enabled in the context or not */
|
|
Packit |
284210 |
int auditlog_flag;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* AUDITLOG_SERIAL (single file) or AUDITLOG_CONCURRENT (multiple files) */
|
|
Packit |
284210 |
int auditlog_type;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#ifdef WITH_YAJL
|
|
Packit |
284210 |
/* AUDITLOGFORMAT_NATIVE or AUDITLOGFORMAT_JSON */
|
|
Packit |
284210 |
int auditlog_format;
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Mode for audit log directories and files */
|
|
Packit |
284210 |
apr_fileperms_t auditlog_dirperms;
|
|
Packit |
284210 |
apr_fileperms_t auditlog_fileperms;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* The name of the audit log file (for the old type), or the
|
|
Packit |
284210 |
* name of the index file (for the new audit log type)
|
|
Packit |
284210 |
*/
|
|
Packit |
284210 |
char *auditlog_name;
|
|
Packit |
284210 |
/* The name of the secondary index file */
|
|
Packit |
284210 |
char *auditlog2_name;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* The file descriptors for the files above */
|
|
Packit |
284210 |
apr_file_t *auditlog_fd;
|
|
Packit |
284210 |
apr_file_t *auditlog2_fd;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* For the new-style audit log only, the path where
|
|
Packit |
284210 |
* audit log entries will be stored
|
|
Packit |
284210 |
*/
|
|
Packit |
284210 |
char *auditlog_storage_dir;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* A list of parts to include in the new-style audit log
|
|
Packit |
284210 |
* entry. By default, it contains 'ABCFHZ'. Have a look at
|
|
Packit |
284210 |
* the AUDITLOG_PART_* constants above to decipher the
|
|
Packit |
284210 |
* meaning.
|
|
Packit |
284210 |
*/
|
|
Packit |
284210 |
char *auditlog_parts;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* A regular expression that determines if a response
|
|
Packit |
284210 |
* status is treated as relevant.
|
|
Packit |
284210 |
*/
|
|
Packit |
284210 |
msc_regex_t *auditlog_relevant_regex;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Upload */
|
|
Packit |
284210 |
const char *tmp_dir;
|
|
Packit |
284210 |
const char *upload_dir;
|
|
Packit |
284210 |
int upload_keep_files;
|
|
Packit |
284210 |
int upload_validates_files;
|
|
Packit |
284210 |
int upload_filemode; /* int only so NOT_SET works */
|
|
Packit |
284210 |
int upload_file_limit;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Used only in the configuration phase. */
|
|
Packit |
284210 |
msre_rule *tmp_chain_starter;
|
|
Packit |
284210 |
msre_actionset *tmp_default_actionset;
|
|
Packit |
284210 |
apr_table_t *tmp_rule_placeholders;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Misc */
|
|
Packit |
284210 |
const char *data_dir;
|
|
Packit |
284210 |
const char *webappid;
|
|
Packit |
284210 |
const char *sensor_id;
|
|
Packit |
284210 |
const char *httpBlkey;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Content injection. */
|
|
Packit |
284210 |
int content_injection_enabled;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Stream Inspection */
|
|
Packit |
284210 |
int stream_inbody_inspection;
|
|
Packit |
284210 |
int stream_outbody_inspection;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Geo Lookup */
|
|
Packit |
284210 |
geo_db *geo;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Gsb Lookup */
|
|
Packit |
284210 |
gsb_db *gsb;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Unicode map */
|
|
Packit |
284210 |
unicode_map *u_map;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Cache */
|
|
Packit |
284210 |
int cache_trans;
|
|
Packit |
284210 |
int cache_trans_incremental;
|
|
Packit |
284210 |
apr_size_t cache_trans_min;
|
|
Packit |
284210 |
apr_size_t cache_trans_max;
|
|
Packit |
284210 |
apr_size_t cache_trans_maxitems;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Array to hold signatures of components, which will
|
|
Packit |
284210 |
* appear in the ModSecurity signature in the audit log.
|
|
Packit |
284210 |
*/
|
|
Packit |
284210 |
apr_array_header_t *component_signatures;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Request character encoding. */
|
|
Packit |
284210 |
const char *request_encoding;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
int disable_backend_compression;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Collection timeout */
|
|
Packit |
284210 |
int col_timeout;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* hash of ids */
|
|
Packit |
284210 |
apr_hash_t *rule_id_htab;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Hash */
|
|
Packit |
284210 |
apr_array_header_t *hash_method;
|
|
Packit |
284210 |
const char *crypto_key;
|
|
Packit |
284210 |
int crypto_key_len;
|
|
Packit |
284210 |
const char *crypto_param_name;
|
|
Packit |
284210 |
int hash_is_enabled;
|
|
Packit |
284210 |
int hash_enforcement;
|
|
Packit |
284210 |
int crypto_key_add;
|
|
Packit |
284210 |
int crypto_hash_href_rx;
|
|
Packit |
284210 |
int crypto_hash_faction_rx;
|
|
Packit |
284210 |
int crypto_hash_location_rx;
|
|
Packit |
284210 |
int crypto_hash_iframesrc_rx;
|
|
Packit |
284210 |
int crypto_hash_framesrc_rx;
|
|
Packit |
284210 |
int crypto_hash_href_pm;
|
|
Packit |
284210 |
int crypto_hash_faction_pm;
|
|
Packit |
284210 |
int crypto_hash_location_pm;
|
|
Packit |
284210 |
int crypto_hash_iframesrc_pm;
|
|
Packit |
284210 |
int crypto_hash_framesrc_pm;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* xml */
|
|
Packit |
284210 |
int xml_external_entity;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* This will be used whenever ModSecurity will be ready
|
|
Packit |
284210 |
* to ask the server for newer rules.
|
|
Packit |
284210 |
*/
|
|
Packit |
284210 |
#if 0
|
|
Packit |
284210 |
msc_remote_rules_server *remote_rules;
|
|
Packit |
284210 |
int remote_timeout;
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
};
|
|
Packit |
284210 |
|
|
Packit |
284210 |
struct error_message_t {
|
|
Packit |
284210 |
const char *file;
|
|
Packit |
284210 |
int line;
|
|
Packit |
284210 |
int level;
|
|
Packit |
284210 |
apr_status_t status;
|
|
Packit |
284210 |
const char *message;
|
|
Packit |
284210 |
};
|
|
Packit |
284210 |
|
|
Packit |
284210 |
struct msc_engine {
|
|
Packit |
284210 |
apr_pool_t *mp;
|
|
Packit |
284210 |
apr_global_mutex_t *auditlog_lock;
|
|
Packit |
284210 |
apr_global_mutex_t *geo_lock;
|
|
Packit |
284210 |
#ifdef GLOBAL_COLLECTION_LOCK
|
|
Packit |
284210 |
apr_global_mutex_t *dbm_lock;
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
msre_engine *msre;
|
|
Packit |
284210 |
unsigned int processing_mode;
|
|
Packit |
284210 |
};
|
|
Packit |
284210 |
|
|
Packit |
284210 |
struct msc_data_chunk {
|
|
Packit |
284210 |
char *data;
|
|
Packit |
284210 |
apr_size_t length;
|
|
Packit |
284210 |
unsigned int is_permanent;
|
|
Packit |
284210 |
};
|
|
Packit |
284210 |
|
|
Packit |
284210 |
struct msc_arg {
|
|
Packit |
284210 |
const char *name;
|
|
Packit |
284210 |
unsigned int name_len;
|
|
Packit |
284210 |
unsigned int name_origin_offset;
|
|
Packit |
284210 |
unsigned int name_origin_len;
|
|
Packit |
284210 |
const char *value;
|
|
Packit |
284210 |
unsigned int value_len;
|
|
Packit |
284210 |
unsigned int value_origin_offset;
|
|
Packit |
284210 |
unsigned int value_origin_len;
|
|
Packit |
284210 |
const char *origin;
|
|
Packit |
284210 |
};
|
|
Packit |
284210 |
|
|
Packit |
284210 |
struct msc_string {
|
|
Packit |
284210 |
char *name;
|
|
Packit |
284210 |
unsigned int name_len;
|
|
Packit |
284210 |
char *value;
|
|
Packit |
284210 |
unsigned int value_len;
|
|
Packit |
284210 |
};
|
|
Packit |
284210 |
|
|
Packit |
284210 |
struct msc_parm {
|
|
Packit |
284210 |
char *value;
|
|
Packit |
284210 |
int pad_1;
|
|
Packit |
284210 |
int pad_2;
|
|
Packit |
284210 |
};
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Engine functions */
|
|
Packit |
284210 |
|
|
Packit |
284210 |
msc_engine DSOLOCAL *modsecurity_create(apr_pool_t *mp, int processing_mode);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
int DSOLOCAL modsecurity_init(msc_engine *msce, apr_pool_t *mp);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
void DSOLOCAL modsecurity_child_init(msc_engine *msce);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
void DSOLOCAL modsecurity_shutdown(msc_engine *msce);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_status_t DSOLOCAL modsecurity_tx_init(modsec_rec *msr);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_status_t DSOLOCAL modsecurity_process_phase(modsec_rec *msr, unsigned int phase);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Request body functions */
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_status_t DSOLOCAL modsecurity_request_body_start(modsec_rec *msr, char **error_msg);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_status_t DSOLOCAL modsecurity_request_body_store(modsec_rec *msr,
|
|
Packit |
284210 |
const char *data, apr_size_t length, char **error_msg);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_status_t DSOLOCAL modsecurity_request_body_end(modsec_rec *msr, char **error_msg);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_status_t DSOLOCAL modsecurity_request_body_to_stream(modsec_rec *msr, const char *buffer, int buflen, char **error_msg);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_status_t DSOLOCAL modsecurity_request_body_retrieve_start(modsec_rec *msr, char **error_msg);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_status_t DSOLOCAL modsecurity_request_body_retrieve_end(modsec_rec *msr);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Retrieves up to nbytes bytes of the request body. Returns 1 on
|
|
Packit |
284210 |
* success, 0 when there is no more data, or -1 on error. On return
|
|
Packit |
284210 |
* nbytes will contain the number of bytes stored in the buffer.
|
|
Packit |
284210 |
*/
|
|
Packit |
284210 |
apr_status_t DSOLOCAL modsecurity_request_body_retrieve(modsec_rec *msr, msc_data_chunk **chunk,
|
|
Packit |
284210 |
long int nbytes, char **error_msg);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
void DSOLOCAL msc_add(modsec_rec *msr, int level, msre_actionset *actionset,
|
|
Packit |
284210 |
const char *action_message, const char *rule_message);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
const char DSOLOCAL *msc_alert_message(modsec_rec *msr, msre_actionset *actionset, const char *action_message,
|
|
Packit |
284210 |
const char *rule_message);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
void DSOLOCAL msc_alert(modsec_rec *msr, int level, msre_actionset *actionset, const char *action_message,
|
|
Packit |
284210 |
const char *rule_message);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_status_t DSOLOCAL modsecurity_request_body_clear(modsec_rec *msr, char **error_msg);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#endif
|