/*
 * ModSecurity for Apache 2.x, http://www.modsecurity.org/
 * Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * If any of the files related to licensing are missing or if you have any
 * other questions related to licensing please contact Trustwave Holdings, Inc.
 * directly using the email address security@modsecurity.org.
 */
#include <ngx_http.h>
#include <apr_bucket_nginx.h>
#include <ngx_pool_context.h>
#include <apr_base64.h>
#undef CR
#undef LF
#undef CRLF
#include "api.h"
#define NOTE_NGINX_REQUEST_CTX "nginx-ctx"
/*
 * Per-location configuration, filled by the ModSecurityConfig and
 * ModSecurityEnabled directives (see ngx_http_modsecurity_commands).
 */
typedef struct {
    ngx_flag_t          enable;   /* ModSecurityEnabled; the directive writes it via offsetof() */
    directory_config   *config;   /* ModSecurity directory config for this location;
                                     presumably set by ngx_http_modsecurity_config() - not in this chunk */

    ngx_str_t          *file;     /* presumably the config file and line the directive came from - TODO confirm */
    ngx_uint_t          line;
} ngx_http_modsecurity_loc_conf_t;

/*
 * Per-request state, stored as this module's request context
 * (ngx_http_get_module_ctx(r, ngx_http_modsecurity)).
 */
typedef struct {
    ngx_http_request_t   *r;           /* the nginx request */
    conn_rec             *connection;  /* Apache-style connection handed to ModSecurity */
    request_rec          *req;         /* Apache-style request handed to ModSecurity */

    apr_bucket_brigade   *brigade;     /* body bytes exchanged with ModSecurity
                                          (see ngx_http_modsecurity_load/save_request_body) */
    unsigned              complete;    /* presumably set once this request is fully processed - TODO confirm */
} ngx_http_modsecurity_ctx_t;
/*
** Module's registered functions/handlers.
*/

/* request-phase handler and (by its name) the request-body read callback;
 * the definitions are outside this chunk */
static ngx_int_t ngx_http_modsecurity_handler(ngx_http_request_t *r);
static void ngx_http_modsecurity_body_handler(ngx_http_request_t *r);

/* output filters for the response phase */
static ngx_int_t ngx_http_modsecurity_header_filter(ngx_http_request_t *r);
static ngx_int_t ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in);

/* module life-cycle hooks, wired up in ngx_http_modsecurity_ctx and ngx_http_modsecurity */
static ngx_int_t ngx_http_modsecurity_preconfiguration(ngx_conf_t *cf);
static ngx_int_t ngx_http_modsecurity_init(ngx_conf_t *cf);
static ngx_int_t ngx_http_modsecurity_init_process(ngx_cycle_t *cycle);
static void *ngx_http_modsecurity_create_loc_conf(ngx_conf_t *cf);
static char *ngx_http_modsecurity_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child);

/* directive handlers, see ngx_http_modsecurity_commands */
static char *ngx_http_modsecurity_config(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
static char *ngx_http_modsecurity_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);

static ngx_http_modsecurity_ctx_t * ngx_http_modsecurity_create_ctx(ngx_http_request_t *r);
static int ngx_http_modsecurity_drop_action(request_rec *r);
static void ngx_http_modsecurity_terminate(ngx_cycle_t *cycle);
static void ngx_http_modsecurity_cleanup(void *data);

/* apr_table_do() callbacks that copy ModSecurity's header tables back into nginx */
static int ngx_http_modsecurity_save_headers_in_visitor(void *data, const char *key, const char *value);
static int ngx_http_modsecurity_save_headers_out_visitor(void *data, const char *key, const char *value);
/* commands handled by the module */
static ngx_command_t ngx_http_modsecurity_commands[] = {

    /* ModSecurityConfig <arg>: one argument, allowed in http, server and
     * location blocks; handled entirely by ngx_http_modsecurity_config() */
    { ngx_string("ModSecurityConfig"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
      ngx_http_modsecurity_config,
      NGX_HTTP_LOC_CONF_OFFSET,
      0,
      NULL },

    /* ModSecurityEnabled <arg>: additionally allowed inside server- and
     * location-level "if" blocks (SIF/LIF); the handler stores the result in
     * ngx_http_modsecurity_loc_conf_t.enable */
    { ngx_string("ModSecurityEnabled"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF
      |NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_TAKE1,
      ngx_http_modsecurity_enable,
      NGX_HTTP_LOC_CONF_OFFSET,
      offsetof(ngx_http_modsecurity_loc_conf_t, enable),
      NULL },

    ngx_null_command
};
/*
** handlers for configuration phases of the module
*/

/* only a location-level configuration exists; main and server levels hold
 * no configuration of their own */
static ngx_http_module_t ngx_http_modsecurity_ctx = {
    ngx_http_modsecurity_preconfiguration,  /* preconfiguration */
    ngx_http_modsecurity_init,              /* postconfiguration */

    NULL,                                   /* create main configuration */
    NULL,                                   /* init main configuration */

    NULL,                                   /* create server configuration */
    NULL,                                   /* merge server configuration */

    ngx_http_modsecurity_create_loc_conf,   /* create location configuration */
    ngx_http_modsecurity_merge_loc_conf     /* merge location configuration */
};
/*
 * Module descriptor registered with nginx.  ModSecurity is brought up per
 * worker (init process) and torn down by the same function on both exit
 * process and exit master.
 */
ngx_module_t ngx_http_modsecurity = {
    NGX_MODULE_V1,
    &ngx_http_modsecurity_ctx,              /* module context */
    ngx_http_modsecurity_commands,          /* module directives */
    NGX_HTTP_MODULE,                        /* module type */
    NULL,                                   /* init master */
    NULL,                                   /* init module */
    ngx_http_modsecurity_init_process,      /* init process */
    NULL,                                   /* init thread */
    NULL,                                   /* exit thread */
    ngx_http_modsecurity_terminate,         /* exit process */
    ngx_http_modsecurity_terminate,         /* exit master */
    NGX_MODULE_V1_PADDING
};
/* next filters in the output chain; presumably saved by
 * ngx_http_modsecurity_init() (outside this chunk) so the module's own
 * filters can pass the response on after inspection */
static ngx_http_output_header_filter_pt ngx_http_next_header_filter;
static ngx_http_output_body_filter_pt ngx_http_next_body_filter;

/* placeholder temporarily installed as r->upstream by
 * ngx_http_modsecurity_save_headers_out() while the response headers are
 * pushed back into nginx; presumably so the header handlers treat them as
 * proxied headers - confirm */
static ngx_http_upstream_t ngx_http_modsecurity_upstream;
/*
 * Response headers that nginx may keep in dedicated r->headers_out fields
 * instead of the generic headers list, paired with the sent_http_* variable
 * that exposes each of them.  ngx_http_modsecurity_load_headers_out() reads
 * the variable so ModSecurity sees the header either way.  NULL-terminated.
 */
static struct {
    char        *name;           /* header name as handed to ModSecurity */
    ngx_str_t    variable_name;  /* nginx variable carrying the header's value */
} special_headers_out[] = {
    {"Content-Type", ngx_string("sent_http_content_type") },
    {"Content-Length", ngx_string("sent_http_content_length")},
    {"Location", ngx_string("sent_http_location")},
    {"Last-Modified", ngx_string("sent_http_last_modified")},
    {"Connection", ngx_string("sent_http_connection")},
    {"Keep-Alive", ngx_string("sent_http_keep_alive")},
    {"Transfer-Encoding", ngx_string("sent_http_transfer_encoding")},
    {"Cache-Control", ngx_string("sent_http_cache_control")},
    {NULL, ngx_null_string}
};
/*
 * Copy an ngx_str_t into a fresh, NUL-terminated buffer from `pool`.
 *
 * ngx_str_t carries an explicit length and need not be NUL-terminated,
 * while the request_rec fields populated from it are plain C strings; this
 * bridges the two.
 *
 * Returns the copy, or NULL if the pool allocation failed.  The memory is
 * owned by `pool`; callers must not free it.
 */
static inline u_char *
ngx_pstrdup0(ngx_pool_t *pool, ngx_str_t *src)
{
    u_char  *copy, *end;

    copy = ngx_pnalloc(pool, src->len + 1);
    if (copy == NULL) {
        return NULL;
    }

    /* ngx_cpymem() returns the position just past the copied bytes */
    end = ngx_cpymem(copy, src->data, src->len);
    *end = '\0';

    return copy;
}
/*
 * Map an nginx method bit (NGX_HTTP_GET, NGX_HTTP_POST, ...) to the Apache
 * M_* method number ModSecurity expects in request_rec.method_number.
 *
 * nginx encodes the method as a single set bit.  (nginx & -nginx) isolates
 * the lowest set bit and the De Bruijn multiply/shift from the bithacks page
 * below turns its position into a table slot.  Slots are therefore indexed by
 * De Bruijn sequence position, not by bit number, which is why the entries
 * look shuffled; each comment names the bit (1 << n) the slot stands for.
 * Bits with no nginx method, and a zero argument (which lands in slot 0),
 * give M_INVALID.
 */
static inline int
ngx_http_modsecurity_method_number(unsigned int nginx)
{
    /*
     * http://graphics.stanford.edu/~seander/bithacks.html#ZerosOnRightMultLookup
     */
    static const int MultiplyDeBruijnBitPosition[32] = {
        M_INVALID,    /* 1 << 0, NGX_HTTP_UNKNOWN */
        M_GET,        /* 1 << 1, NGX_HTTP_GET */
        M_INVALID,    /* 1 << 28 */
        M_GET,        /* 1 << 2, NGX_HTTP_HEAD: shares M_GET as in httpd */
        M_INVALID,    /* 1 << 29 */
        M_PATCH,      /* 1 << 14, NGX_HTTP_PATCH */
        M_INVALID,    /* 1 << 24 */
        M_POST,       /* 1 << 3, NGX_HTTP_POST */
        M_INVALID,    /* 1 << 30 */
        M_INVALID,    /* 1 << 22 */
        M_INVALID,    /* 1 << 20 */
        M_TRACE,      /* 1 << 15, NGX_HTTP_TRACE */
        M_INVALID,    /* 1 << 25 */
        M_INVALID,    /* 1 << 17 */
        M_PUT,        /* 1 << 4, NGX_HTTP_PUT */
        M_MOVE,       /* 1 << 8, NGX_HTTP_MOVE */
        M_INVALID,    /* 1 << 31 */
        M_INVALID,    /* 1 << 27 */
        M_UNLOCK,     /* 1 << 13, NGX_HTTP_UNLOCK */
        M_INVALID,    /* 1 << 23 */
        M_INVALID,    /* 1 << 21 */
        M_INVALID,    /* 1 << 19 */
        M_INVALID,    /* 1 << 16 */
        M_COPY,       /* 1 << 7, NGX_HTTP_COPY */
        M_INVALID,    /* 1 << 26 */
        M_LOCK,       /* 1 << 12, NGX_HTTP_LOCK */
        M_INVALID,    /* 1 << 18 */
        M_MKCOL,      /* 1 << 6, NGX_HTTP_MKCOL */
        M_PROPPATCH,  /* 1 << 11, NGX_HTTP_PROPPATCH */
        M_DELETE,     /* 1 << 5, NGX_HTTP_DELETE */
        M_PROPFIND,   /* 1 << 10, NGX_HTTP_PROPFIND */
        M_OPTIONS     /* 1 << 9, NGX_HTTP_OPTIONS */
    };

    /* unsigned negation is well defined; a zero argument yields slot 0 */
    return MultiplyDeBruijnBitPosition[((uint32_t)((nginx & -nginx) * 0x077CB531U)) >> 27];
}
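/*
 * Populate the request-line and URI fields of the ModSecurity request_rec
 * (ctx->req) from the nginx request.
 *
 * Every string handed to request_rec is a NUL-terminated copy made in
 * r->pool via ngx_pstrdup0(), because the Apache side treats these fields as
 * C strings while nginx keeps them as (data, len) pairs.  Every allocation
 * is checked: a NULL request_rec string would otherwise be dereferenced
 * later by code that never expects one.
 *
 * Returns NGX_OK, or NGX_ERROR if the URI could not be mapped to a path or a
 * pool allocation failed.  On NGX_ERROR the request_rec is only partially
 * populated and must not be inspected.
 */
static ngx_inline ngx_int_t
ngx_http_modsecurity_load_request(ngx_http_request_t *r)
{
    ngx_http_modsecurity_ctx_t  *ctx;
    request_rec                 *req;
    size_t                       root;
    ngx_str_t                    path;
    ngx_uint_t                   port;
    u_char                      *port_str;
    struct sockaddr_in          *sin;
#if (NGX_HAVE_INET6)
    struct sockaddr_in6         *sin6;
#endif

    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity);
    req = ctx->req;

    /* request line */
    req->method = (char *) ngx_pstrdup0(r->pool, &r->method_name);
    if (req->method == NULL) {
        return NGX_ERROR;
    }

    /*
     * The Apache method number is derived from nginx's method bit instead of
     * via ap_method_number_of(req->method); see the lookup table in
     * ngx_http_modsecurity_method_number().
     */
    req->method_number = ngx_http_modsecurity_method_number(r->method);

    /* ngx_http_map_uri_to_path() allocates memory for the terminating '\0' */
    if (ngx_http_map_uri_to_path(r, &path, &root, 0) == NULL) {
        return NGX_ERROR;
    }

    req->filename = (char *) path.data;
    req->path_info = req->filename;

    req->args = (char *) ngx_pstrdup0(r->pool, &r->args);
    req->protocol = (char *) ngx_pstrdup0(r->pool, &r->http_protocol);
    req->the_request = (char *) ngx_pstrdup0(r->pool, &r->request_line);
    req->unparsed_uri = (char *) ngx_pstrdup0(r->pool, &r->unparsed_uri);
    req->uri = (char *) ngx_pstrdup0(r->pool, &r->uri);

    if (req->args == NULL || req->protocol == NULL || req->the_request == NULL
        || req->unparsed_uri == NULL || req->uri == NULL)
    {
        return NGX_ERROR;
    }

    /* same encoding httpd uses for its protocol number: HTTP/1.1 -> 1001 */
    req->proto_num = r->http_major * 1000 + r->http_minor;
    req->request_time = apr_time_make(r->start_sec, r->start_msec);

    req->parsed_uri.scheme = "http";

#if (NGX_HTTP_SSL)
    if (r->connection->ssl) {
        req->parsed_uri.scheme = "https";
    }
#endif

    req->parsed_uri.path = (char *) ngx_pstrdup0(r->pool, &r->uri);
    if (req->parsed_uri.path == NULL) {
        return NGX_ERROR;
    }
    req->parsed_uri.is_initialized = 1;

    /* the port is that of the local listening socket, never client-supplied */
    switch (r->connection->local_sockaddr->sa_family) {

#if (NGX_HAVE_INET6)
    case AF_INET6:
        sin6 = (struct sockaddr_in6 *) r->connection->local_sockaddr;
        port = ntohs(sin6->sin6_port);
        break;
#endif

#if (NGX_HAVE_UNIX_DOMAIN)
    case AF_UNIX:
        port = 0;
        break;
#endif

    default: /* AF_INET */
        sin = (struct sockaddr_in *) r->connection->local_sockaddr;
        port = ntohs(sin->sin_port);
        break;
    }

    req->parsed_uri.port = port;

    /* ngx_sprintf() does not NUL-terminate, hence the explicit "%c" '\0' */
    port_str = ngx_pnalloc(r->pool, sizeof("65535"));
    if (port_str == NULL) {
        return NGX_ERROR;
    }
    (void) ngx_sprintf(port_str, "%ui%c", port, '\0');
    req->parsed_uri.port_str = (char *) port_str;

    req->parsed_uri.query = r->args.len ? req->args : NULL;
    req->parsed_uri.dns_looked_up = 0;
    req->parsed_uri.dns_resolved = 0;

    /* parsed_uri.user and parsed_uri.password are left unset */

    /*
     * NOTE(review): r->exten is the URI's file extension, not a '#' fragment;
     * kept as-is for compatibility with whatever consumes it - confirm.
     */
    req->parsed_uri.fragment = (char *) ngx_pstrdup0(r->pool, &r->exten);
    if (req->parsed_uri.fragment == NULL) {
        return NGX_ERROR;
    }

    /*
     * This is the server's own host name (ngx_cycle->hostname), not the
     * request's Host header, so anything ModSecurity derives from
     * req->hostname reflects the machine, not what the client sent.
     */
    req->hostname = (char *) ngx_pstrdup0(r->pool, (ngx_str_t *) &ngx_cycle->hostname);
    if (req->hostname == NULL) {
        return NGX_ERROR;
    }

    req->header_only = r->header_only ? r->header_only : (r->method == NGX_HTTP_HEAD);

    return NGX_OK;
}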
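/*
 * Copy the nginx request headers into the ModSecurity request_rec
 * (ctx->req->headers_in) and fill the request_rec fields that httpd derives
 * from particular headers.
 *
 * Keys and values are referenced, not copied: apr_table_addn() stores the
 * nginx pointers directly, so the table is valid only as long as r->pool is.
 * This relies on nginx having NUL-terminated the header key and value data
 * during parsing.
 *
 * Headers are added with apr_table_addn() rather than apr_table_setn(): a
 * request that repeats a header name (several Cookie lines, for instance)
 * then exposes all of its values to the rules, whereas setn kept only the
 * last one and hid the earlier values from inspection.
 *
 * TODO: handle more of the header-derived request_rec fields.
 *
 * Returns NGX_OK, or NGX_ERROR on allocation failure.
 */
static ngx_inline ngx_int_t
ngx_http_modsecurity_load_headers_in(ngx_http_request_t *r)
{
    ngx_http_modsecurity_ctx_t  *ctx;
    request_rec                 *req;
    ngx_list_part_t             *part;
    ngx_table_elt_t             *h;
    ngx_uint_t                   i;
    const char                  *lang;

    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity);
    req = ctx->req;

    /* walk every part of the headers list (an nginx list is a chain of arrays) */
    part = &r->headers_in.headers.part;
    h = part->elts;

    for (i = 0; /* void */ ; i++) {

        if (i >= part->nelts) {
            if (part->next == NULL) {
                break;
            }

            part = part->next;
            h = part->elts;
            i = 0;
        }

        apr_table_addn(req->headers_in, (char *) h[i].key.data, (char *) h[i].value.data);

        ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                       "ModSecurity: load headers in: \"%V: %V\"",
                       &h[i].key, &h[i].value);
    }

    req->clength = r->headers_in.content_length_n;

    /* with repeated headers apr_table_get() returns the first occurrence */
    req->range = apr_table_get(req->headers_in, "Range");
    req->content_type = apr_table_get(req->headers_in, "Content-Type");
    req->content_encoding = apr_table_get(req->headers_in, "Content-Encoding");

    /* "Content-Language" is the header HTTP defines; the earlier lookup of
     * "Content-Languages" could never match anything */
    lang = apr_table_get(req->headers_in, "Content-Language");
    if (lang != NULL) {
        req->content_languages = apr_array_make(req->pool, 1, sizeof(const char *));
        *(const char **) apr_array_push(req->content_languages) = lang;
    }

    /*
     * NOTE(review): httpd's ap_auth_type normally holds only the scheme
     * name; this stores the whole Authorization header value - confirm that
     * consumers of this field expect that.
     */
    req->ap_auth_type = (char *) apr_table_get(req->headers_in, "Authorization");

    /* r->headers_in.user is only populated once some module has parsed basic
     * credentials; it may well be empty at this point - TODO confirm */
    req->user = (char *) ngx_pstrdup0(r->pool, &r->headers_in.user);
    if (req->user == NULL) {
        return NGX_ERROR;
    }

    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                   "ModSecurity: load headers in done");

    return NGX_OK;
}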
/*
 * Push the request headers from the ModSecurity request_rec back into
 * r->headers_in, so nginx sees any header a rule added, removed or rewrote.
 *
 * r->headers_in is wiped and rebuilt from scratch: the headers list and the
 * cookies array are re-initialised, the derived counters reset, and the
 * visitor re-runs nginx's per-header handler for every table entry.
 * Content-Length and Keep-Alive are re-parsed afterwards; a Content-Length
 * that does not parse fails the whole step, so a rule cannot leave nginx
 * with an invalid body length.
 *
 * NOTE(review): the memzero also drops anything other modules had stored in
 * r->headers_in before this point (e.g. parsed basic-auth user/passwd); only
 * headers with a registered handler are recomputed - confirm nothing relies
 * on the rest.
 *
 * Returns NGX_OK, or NGX_ERROR if an allocation failed, the visitor stopped
 * early, or Content-Length is invalid.
 */
static ngx_inline ngx_int_t
ngx_http_modsecurity_save_headers_in(ngx_http_request_t *r)
{
    ngx_http_modsecurity_ctx_t  *ctx;
    ngx_http_headers_in_t       *hin;
    int                          visited_all;

    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity);
    hin = &r->headers_in;

    /* clean up headers_in */
    ngx_memzero(hin, sizeof(ngx_http_headers_in_t));

    /* ngx_list_init() already leaves part.nelts = 0, part.next = NULL and
     * last = &part behind, so the empty list needs no further setup */
    if (ngx_list_init(&hin->headers, r->pool, 20, sizeof(ngx_table_elt_t)) != NGX_OK
        || ngx_array_init(&hin->cookies, r->pool, 2, sizeof(ngx_table_elt_t *)) != NGX_OK)
    {
        return NGX_ERROR;
    }

    hin->content_length_n = -1;
    hin->keep_alive_n = -1;

    /* shadow copy: the visitor pushes each table entry and runs its handler */
    visited_all = apr_table_do(ngx_http_modsecurity_save_headers_in_visitor,
                               r, ctx->req->headers_in, NULL);
    if (visited_all == 0) {
        ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                       "ModSecurity: save headers in error");
        return NGX_ERROR;
    }

    if (hin->content_length) {
        hin->content_length_n = ngx_atoof(hin->content_length->value.data,
                                          hin->content_length->value.len);

        if (hin->content_length_n == NGX_ERROR) {
            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
                          "ModSecurity: invalid \"Content-Length\" header");
            return NGX_ERROR;
        }
    }

    if (hin->connection_type == NGX_HTTP_CONNECTION_KEEP_ALIVE && hin->keep_alive) {
        hin->keep_alive_n = ngx_atotm(hin->keep_alive->value.data,
                                      hin->keep_alive->value.len);
    }

    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                   "ModSecurity: save headers in done");

    return NGX_OK;
}
/*
 * apr_table_do() callback for ngx_http_modsecurity_save_headers_in(): append
 * one (key, value) pair from the ModSecurity headers_in table to
 * r->headers_in.headers and run nginx's handler for that header, if one is
 * registered in the core headers_in hash.
 *
 * Key and value are referenced, not copied: the nginx header element points
 * at the APR table's strings, which therefore have to outlive r - presumably
 * guaranteed by the lifetime of ctx->req->pool; confirm.
 *
 * Returns 1 to continue the iteration, or 0 to stop it (the caller treats
 * that as an error): an allocation failed or a handler rejected the header.
 */
static int
ngx_http_modsecurity_save_headers_in_visitor(void *data, const char *key, const char *value)
{
    ngx_http_request_t          *r = data;
    ngx_table_elt_t             *elt;
    ngx_http_header_t           *known;
    ngx_http_core_main_conf_t   *cmcf;

    elt = ngx_list_push(&r->headers_in.headers);
    if (elt == NULL) {
        return 0;
    }

    /*
     * NOTE(review): ngx_list_push() does not zero the element; only the
     * fields below are set, anything else in ngx_table_elt_t (newer nginx
     * versions add a "next" link) stays uninitialised - confirm for the
     * nginx version being targeted.
     */
    elt->key.len = ngx_strlen(key);
    elt->key.data = (u_char *) key;
    elt->value.len = ngx_strlen(value);
    elt->value.data = (u_char *) value;

    elt->lowcase_key = ngx_pnalloc(r->pool, elt->key.len);
    if (elt->lowcase_key == NULL) {
        return 0;
    }

    ngx_strlow(elt->lowcase_key, elt->key.data, elt->key.len);
    elt->hash = ngx_hash_key(elt->lowcase_key, elt->key.len);

    /*
     * Mirror nginx's own request-header parsing: look the header up in the
     * core hash and run its handler, so headers inserted or rewritten by
     * rules get the same treatment as headers read from the wire.
     */
    cmcf = ngx_http_get_module_main_conf(r, ngx_http_core_module);
    known = ngx_hash_find(&cmcf->headers_in_hash, elt->hash,
                          elt->lowcase_key, elt->key.len);

    if (known != NULL && known->handler(r, elt, known->offset) != NGX_OK) {
        return 0;
    }

    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                   "ModSecurity: save headers in: \"%V: %V\"",
                   &elt->key, &elt->value);

    return 1;
}
/*
 * Hand the buffered nginx request body to ModSecurity: attach ctx->brigade
 * to the request_rec and move the body buffers into it.
 *
 * With no body (or no buffers) an empty chain is still moved, presumably so
 * the brigade gets its end marker (the trailing 1 looks like an end-of-stream
 * flag - confirm); that call's result is returned unchanged.  After a
 * successful move r->request_body is cleared, presumably because the buffers
 * now belong to the brigade.
 *
 * Returns NGX_OK or NGX_ERROR, or for the empty case whatever
 * move_chain_to_brigade() returned.
 */
static ngx_inline ngx_int_t
ngx_http_modsecurity_load_request_body(ngx_http_request_t *r)
{
    ngx_http_modsecurity_ctx_t  *ctx;
    ngx_chain_t                 *body_bufs;

    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity);

    modsecSetBodyBrigade(ctx->req, ctx->brigade);

    body_bufs = (r->request_body != NULL) ? r->request_body->bufs : NULL;

    if (body_bufs == NULL) {
        return move_chain_to_brigade(NULL, ctx->brigade, r->pool, 1);
    }

    if (move_chain_to_brigade(body_bufs, ctx->brigade, r->pool, 1) != NGX_OK) {
        return NGX_ERROR;
    }

    r->request_body = NULL;

    return NGX_OK;
}
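/*
 * Move the (possibly rule-modified) request body from the APR brigade back
 * into an nginx buffer.
 *
 * The body is written into r->header_in - where nginx keeps request bytes
 * that arrived together with the headers - in front of any bytes already
 * buffered there (pipelined data):
 *
 *   - if r->header_in has room, the buffered bytes are shifted up and the
 *     body is flattened in place;
 *   - otherwise a new buffer is used.  When bytes are buffered it is taken
 *     from the connection's large header buffers, because
 *     ngx_http_set_keepalive() may reuse r->header_in in that case (see the
 *     comment in the code); with nothing buffered a plain r->pool buffer
 *     suffices.  Body and buffered bytes are copied in and the buffer
 *     replaces r->header_in.
 *
 * Returns NGX_OK, or NGX_ERROR when the brigade length is unknown, no buffer
 * could be obtained, or flattening failed.
 */
static ngx_inline ngx_int_t
ngx_http_modsecurity_save_request_body(ngx_http_request_t *r)
{
    ngx_http_modsecurity_ctx_t  *ctx;
    apr_off_t                    content_length;
    apr_size_t                   len;
    ngx_buf_t                   *buf;
    ngx_http_core_srv_conf_t    *cscf;
    size_t                       size;
    ngx_http_connection_t       *hc;

    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity);

    /*
     * read_all = 0 leaves non-memory buckets unread; APR then reports -1,
     * which must not reach the pointer arithmetic below.
     */
    apr_brigade_length(ctx->brigade, 0, &content_length);
    if (content_length < 0) {
        return NGX_ERROR;
    }

    /*
     * apr_brigade_flatten() takes an apr_size_t in/out parameter.  Use a real
     * apr_size_t instead of aliasing the apr_off_t through a cast: the two
     * types differ in size on 32-bit builds, so the cast wrote only part of
     * the variable (and violated strict aliasing).
     */
    len = (apr_size_t) content_length;

    if (r->header_in->end - r->header_in->last >= content_length) {
        /* use r->header_in */

        if (ngx_buf_size(r->header_in)) {
            /* move the buffered bytes up to make room for the body in front */
            ngx_memmove(r->header_in->pos + content_length,
                        r->header_in->pos,
                        ngx_buf_size(r->header_in));
        }

        if (apr_brigade_flatten(ctx->brigade, (char *) r->header_in->pos, &len)
            != APR_SUCCESS)
        {
            return NGX_ERROR;
        }

        apr_brigade_cleanup(ctx->brigade);

        /* len now holds the number of bytes actually written */
        r->header_in->last += len;

        return NGX_OK;
    }

    if (ngx_buf_size(r->header_in)) {

        /*
         * ngx_http_set_keepalive will reuse r->header_in if
         * (r->header_in != c->buffer && r->header_in.last != r->header_in.end),
         * so we need this code block.
         * see ngx_http_set_keepalive, ngx_http_alloc_large_header_buffer
         */
        cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);

        size = ngx_max(cscf->large_client_header_buffers.size,
                       (size_t) content_length + ngx_buf_size(r->header_in));

        hc = r->http_connection;

        /*
         * NOTE(review): unlike ngx_http_alloc_large_header_buffer(), the
         * buffer taken here is neither unlinked from hc->free (1.11.11+
         * branch) nor recorded in hc->busy, and hc->busy is allocated below
         * as a raw pointer array although nginx 1.11.11+ treats it as a
         * chain - confirm the keepalive path cannot hand the same buffer out
         * twice or walk an uninitialised hc->busy.
         */
#if defined(nginx_version) && nginx_version >= 1011011
        if (hc->free && size == cscf->large_client_header_buffers.size) {

            buf = hc->free->buf;
#else
        if (hc->nfree && size == cscf->large_client_header_buffers.size) {

            buf = hc->free[--hc->nfree];
#endif

            ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                           "ModSecurity: use http free large header buffer: %p %uz",
                           buf->pos, buf->end - buf->last);

        } else if (hc->nbusy < cscf->large_client_header_buffers.num) {

            if (hc->busy == NULL) {
                hc->busy = ngx_palloc(r->connection->pool,
                          cscf->large_client_header_buffers.num * sizeof(ngx_buf_t *));
            }

            if (hc->busy == NULL) {
                return NGX_ERROR;
            }

            buf = ngx_create_temp_buf(r->connection->pool, size);

        } else {
            /* TODO: no free large header buffer and the busy limit is
             * reached; how should this case be handled? */
            return NGX_ERROR;
        }

    } else {
        /* nothing buffered, so a request-pool buffer is enough */
        buf = ngx_create_temp_buf(r->pool, (size_t) content_length);
    }

    if (buf == NULL) {
        return NGX_ERROR;
    }

    if (apr_brigade_flatten(ctx->brigade, (char *) buf->pos, &len) != APR_SUCCESS) {
        return NGX_ERROR;
    }

    apr_brigade_cleanup(ctx->brigade);
    buf->last += len;

    /* the buffered (pipelined) bytes follow the body */
    ngx_memcpy(buf->last, r->header_in->pos, ngx_buf_size(r->header_in));
    buf->last += ngx_buf_size(r->header_in);

    r->header_in = buf;

    return NGX_OK;
}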
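/*
 * Copy the nginx response headers into the ModSecurity request_rec
 * (ctx->req->headers_out) and fill the request_rec fields httpd derives from
 * them, ahead of the response-phase rules.
 *
 * Unlike the request headers, keys and values are deep-copied into
 * NUL-terminated strings (presumably because entries set by other modules
 * need not be NUL-terminated).  Headers that nginx may keep in dedicated
 * r->headers_out fields rather than in the list are fetched through the
 * matching sent_http_* variable (see special_headers_out) and set with
 * apr_table_setn(), replacing any list entry of the same name.
 *
 * Returns NGX_OK, or NGX_ERROR on allocation failure.
 */
static ngx_inline ngx_int_t
ngx_http_modsecurity_load_headers_out(ngx_http_request_t *r)
{
    ngx_http_modsecurity_ctx_t  *ctx;
    request_rec                 *req;
    ngx_http_variable_value_t   *vv;
    ngx_list_part_t             *part;
    ngx_table_elt_t             *h;
    ngx_uint_t                   i;
    ngx_str_t                    tmp;
    char                        *data, *key, *value;
    u_char                      *buf;
    size_t                       size;

    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity);
    req = ctx->req;

    req->status = r->headers_out.status;
    req->status_line = (char *) ngx_pstrdup0(r->pool, &r->headers_out.status_line);
    if (req->status_line == NULL) {
        return NGX_ERROR;
    }

    /* deep copy */
    part = &r->headers_out.headers.part;
    h = part->elts;

    for (i = 0; /* void */ ; i++) {

        if (i >= part->nelts) {
            if (part->next == NULL) {
                break;
            }

            part = part->next;
            h = part->elts;
            i = 0;
        }

        /*
         * One allocation per header holding key, NUL, value, NUL.  The size
         * is computed for this header alone, not accumulated across the
         * loop; accumulating made every header allocate the sum of all
         * previous ones, so pool usage grew quadratically with the number of
         * response headers.
         */
        size = h[i].key.len + h[i].value.len + 2;

        buf = ngx_palloc(r->pool, size);
        if (buf == NULL) {
            return NGX_ERROR;
        }

        key = (char *) buf;
        buf = ngx_cpymem(buf, h[i].key.data, h[i].key.len);
        *buf++ = '\0';

        value = (char *) buf;
        buf = ngx_cpymem(buf, h[i].value.data, h[i].value.len);
        *buf++ = '\0';

        apr_table_addn(req->headers_out, key, value);

        ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                       "ModSecurity: load headers out: \"%V: %V\"",
                       &h[i].key, &h[i].value);
    }

    for (i = 0; special_headers_out[i].name; i++) {

        vv = ngx_http_get_variable(r, &special_headers_out[i].variable_name,
                                   ngx_hash_key(special_headers_out[i].variable_name.data,
                                                special_headers_out[i].variable_name.len));

        if (vv == NULL || vv->not_found) {
            continue;
        }

        /* NUL-terminated copy of the variable value */
        tmp.data = vv->data;
        tmp.len = vv->len;

        data = (char *) ngx_pstrdup0(r->pool, &tmp);
        if (data == NULL) {
            return NGX_ERROR;
        }

        apr_table_setn(req->headers_out, special_headers_out[i].name, data);

        ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                       "ModSecurity: load headers out: \"%s: %s\"",
                       special_headers_out[i].name, data);
    }

    req->content_type = apr_table_get(req->headers_out, "Content-Type");
    req->content_encoding = apr_table_get(req->headers_out, "Content-Encoding");

    /* "Content-Language" is the header HTTP defines; the earlier lookup of
     * "Content-Languages" could never match anything */
    data = (char *) apr_table_get(req->headers_out, "Content-Language");
    if (data != NULL) {
        req->content_languages = apr_array_make(req->pool, 1, sizeof(const char *));
        *(const char **) apr_array_push(req->content_languages) = data;
    }

    /* req->chunked = r->chunked; may be useless */
    req->clength = r->headers_out.content_length_n;

    /* NOTE(review): last_modified_time is -1 when unset; that propagates
     * into mtime as a negative time - confirm consumers tolerate it */
    req->mtime = apr_time_make(r->headers_out.last_modified_time, 0);

    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                   "ModSecurity: load headers out done");

    return NGX_OK;
}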
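static ngx_inline ngx_int_t
ngx_http_modsecurity_save_headers_out(ngx_http_request_t *r)
{
    ngx_http_modsecurity_ctx_t  *ctx;
    ngx_http_upstream_t         *upstream;
    const char                  *signature;

    /*
     * Rebuild r->headers_out from ModSecurity's copy of the response headers
     * (ctx->req->headers_out) after phase 3/4 processing.  Returns NGX_OK, or
     * NGX_ERROR when the context is missing or a header could not be copied.
     */
    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity);
    if (ctx == NULL || ctx->req == NULL) {
        return NGX_ERROR;
    }

    /* r->chunked = ctx->req->chunked; */

    /* ModSecurity's table is authoritative from here on: drop whatever nginx
     * currently holds and re-add everything from the APR table below */
    ngx_http_clean_header(r);

    /* the upstream copy handlers run by the visitor dereference r->upstream;
     * point them at the module's zeroed dummy while they run and restore the
     * real pointer on every exit path */
    upstream = r->upstream;
    r->upstream = &ngx_http_modsecurity_upstream;

    /* SecServerSignature: the intent (see the original comment) is to
     * overwrite the Server header.  apr_table_add() appends, so a backend
     * "Server:" already present in the table (e.g. passed through with
     * proxy_pass_header) was emitted next to the signature and the banner was
     * not masked.  apr_table_set() copies the value and replaces any existing
     * entry. */
    signature = modsecIsServerSignatureAvailale();
    if (signature != NULL) {
        apr_table_set(ctx->req->headers_out, "Server", signature);
    }

    if (apr_table_do(ngx_http_modsecurity_save_headers_out_visitor,
                     r, ctx->req->headers_out, NULL) == 0)
    {
        ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                       "ModSecurity: save headers out error");

        /* the old code returned here with r->upstream still pointing at the
         * static dummy, leaving the caller to finalize against it */
        r->upstream = upstream;
        return NGX_ERROR;
    }

    r->upstream = upstream;

    /* status / status line as ModSecurity left them (a rule may have changed
     * them); status_line may be NULL, in which case len is 0 */
    r->headers_out.status = ctx->req->status;
    r->headers_out.status_line.data = (u_char *) ctx->req->status_line;
    r->headers_out.status_line.len = ctx->req->status_line
                                     ? ngx_strlen(ctx->req->status_line) : 0;

    r->headers_out.content_length_n = ctx->req->clength;
    r->headers_out.last_modified_time = apr_time_sec(ctx->req->mtime);

    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                   "ModSecurity: save headers out done");

    return NGX_OK;
}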
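static int
ngx_http_modsecurity_save_headers_out_visitor(void *data, const char *key, const char *value)
{
    ngx_http_request_t             *r = data;
    ngx_table_elt_t                *h, he, *ho;
    ngx_http_upstream_header_t     *hh;
    ngx_http_upstream_main_conf_t  *umcf;

    /*
     * apr_table_do() callback: copy one "key: value" pair from ModSecurity's
     * headers_out table into r->headers_out.  Returns 1 to keep iterating,
     * 0 to abort (the caller reports NGX_ERROR).
     */

    /* an entry without key or value has nothing to copy; skip rather than
     * abort the whole table (ngx_strlen() on NULL would crash) */
    if (key == NULL || value == NULL) {
        return 1;
    }

    umcf = ngx_http_get_module_main_conf(r, ngx_http_upstream_module);

    /* the element is copied by value into r->headers_out.headers below;
     * zero it so fields this code does not set are not stack garbage */
    ngx_memzero(&he, sizeof(ngx_table_elt_t));
    h = &he;

    h->key.data = (u_char *) key;
    h->key.len = ngx_strlen(key);

    h->value.data = (u_char *) value;
    h->value.len = ngx_strlen(value);

    h->lowcase_key = ngx_pnalloc(r->pool, h->key.len);
    if (h->lowcase_key == NULL) {
        return 0;
    }

    ngx_strlow(h->lowcase_key, h->key.data, h->key.len);

    h->hash = ngx_hash_key(h->lowcase_key, h->key.len);

    /* headers nginx's upstream module knows (Content-Type, Location,
     * Set-Cookie, ...) go through their dedicated copy handler so the
     * typed r->headers_out fields are filled in as well */
    hh = ngx_hash_find(&umcf->headers_in_hash, h->hash,
                       h->lowcase_key, h->key.len);

    if (hh) {
        /* copy all */
        if (hh->copy_handler(r, h, hh->conf) != NGX_OK) {
            return 0;
        }

    } else {
        /* not in the upstream table: the old code fell through here without
         * copying, so every header nginx has no special handling for
         * (custom ones such as security headers set by the backend) was
         * silently dropped from the inspected response.  Append it to the
         * generic header list instead. */
        ho = ngx_list_push(&r->headers_out.headers);
        if (ho == NULL) {
            return 0;
        }

        *ho = *h;
    }

    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                   "ModSecurity: save headers out: \"%V: %V\"",
                   &h->key, &h->value);

    return 1;
}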
static ngx_inline ngx_int_t
ngx_http_modsecurity_status(ngx_http_request_t *r, int status)
{
    ngx_int_t  rc;

    /*
     * Translate a ModSecurity/APR return code into what an nginx phase
     * handler or filter may return: NGX_DECLINED to continue, an HTTP status
     * to answer with, or 500 for anything nginx is not known to handle.
     */
    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                   "ModSecurity: status %d", status);

    /* "keep going" results on the httpd side */
    if (status == DECLINED || status == APR_SUCCESS) {
        return NGX_DECLINED;
    }

    rc = NGX_HTTP_INTERNAL_SERVER_ERROR;

    switch (status) {

    case NGX_HTTP_CREATED:
    case NGX_HTTP_NO_CONTENT:
        rc = status;
        break;

    default:
        /* 3XX / 4XX / 5XX ranges nginx has canned responses for.
         * NOTE(review): codes outside these windows (308, 418+, e.g. a rule
         * using status:429) are turned into 500 here — confirm the target
         * nginx version's special-response table before widening. */
        if ((status >= 300 && status < 308)
            || (status >= 400 && status < 417)
            || (status >= 500 && status < 508))
        {
            rc = status;
        }
        break;
    }

    return rc;
}
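/* create loc conf struct */
static void *
ngx_http_modsecurity_create_loc_conf(ngx_conf_t *cf)
{
    ngx_http_modsecurity_loc_conf_t  *conf;

    /* zeroed, not ngx_palloc(): `file` and `line` are only assigned by the
     * ModSecurityEnabled handler and are read back by the merge handler's
     * error message, so they must start out NULL/0 rather than garbage */
    conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_modsecurity_loc_conf_t));
    if (conf == NULL) {
        return NULL;
    }

    /* "unset" markers so the merge handler can inherit from the parent */
    conf->config = NGX_CONF_UNSET_PTR;
    conf->enable = NGX_CONF_UNSET;

    return conf;
}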
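/* merge loc conf */
static char *
ngx_http_modsecurity_merge_loc_conf(ngx_conf_t *cf, void *parent,
    void *child)
{
    ngx_http_modsecurity_loc_conf_t  *prev = parent;
    ngx_http_modsecurity_loc_conf_t  *conf = child;

    /* file/line are only recorded in the location where ModSecurityEnabled
     * itself appears.  When `enable` is inherited, the position that turned
     * it on is the parent's, so carry it along; otherwise the error message
     * below would print whatever this conf happened to hold. */
    if (conf->enable == NGX_CONF_UNSET) {
        conf->file = prev->file;
        conf->line = prev->line;
    }

    ngx_conf_merge_value(conf->enable, prev->enable, 0);
    ngx_conf_merge_ptr_value(conf->config, prev->config, NULL);

    /* enabled without any rules file is a configuration error: refuse to
     * start rather than run a WAF with no policy */
    if (conf->enable && conf->config == NULL) {

        if (conf->file != NULL) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "\"ModSecurityEnabled\" in %V:%ui is set to \"on\""
                          " while directive \"ModSecurityConfig\" is not found"
                          " in the same location",
                          conf->file, conf->line);

        } else {
            /* %V dereferences its argument; never hand it a NULL ngx_str_t */
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "\"ModSecurityEnabled\" is set to \"on\""
                          " while directive \"ModSecurityConfig\" is not found"
                          " in the same location");
        }

        return NGX_CONF_ERROR;
    }

    return NGX_CONF_OK;
}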
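static void
modsecLog(void *obj, int level, char *str)
{
    ngx_log_t  *log = obj;

    /*
     * Log hook handed to ModSecurity (modsecSetLogHook): `obj` is the
     * ngx_log_t registered at preconfiguration / init_process, `level` an
     * APLOG_* level, `str` the formatted message.
     */

    /* nothing to log to, or nothing to log: "%s" with a NULL string would
     * crash inside ngx_log_error() */
    if (log == NULL || str == NULL) {
        return;
    }

    /* map APLOG_EMERG..APLOG_DEBUG onto NGX_LOG_EMERG..NGX_LOG_DEBUG
     * (both are ascending in verbosity) and clamp at debug */
    level = (level & APLOG_LEVELMASK) + NGX_LOG_EMERG - APLOG_EMERG;
    if (level > NGX_LOG_DEBUG) {
        level = NGX_LOG_DEBUG;
    }

    /* "%s" keeps the message, which can contain request-derived text from
     * rule messages, out of the format string */
    ngx_log_error((ngx_uint_t) level, log, 0, "%s", str);
}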
/*
** This is a temporary hack to make PCRE work with ModSecurity
** nginx hijacks pcre_malloc and pcre_free, so we have to re-hijack them
**
** `pool` is the module-global APR pool defined elsewhere in this module.
** modsec_pcre_malloc() below serves PCRE allocations from it and
** modsec_pcre_free() returns nothing, so everything PCRE allocates through
** these hooks lives until the pool itself is destroyed.
** NOTE(review): pcre_malloc/pcre_free are process-wide function pointers
** (set in ngx_http_modsecurity_preconfiguration); whether nginx's own regex
** code re-installs its hooks around its compiles is not visible here — confirm.
*/
extern apr_pool_t *pool;
static void *
modsec_pcre_malloc(size_t size)
{
    /* PCRE allocation hook: memory comes from the global APR pool and is
     * never handed back (modsec_pcre_free() is a no-op), so the pool only
     * grows for as long as PCRE allocates through this hook */
    return apr_palloc(pool, size);
}
static void
modsec_pcre_free(void *ptr)
{
    /* PCRE release hook: intentionally empty, pool memory handed out by
     * modsec_pcre_malloc() cannot be freed individually and is reclaimed
     * only when the pool is destroyed */
    (void) ptr;
}
/* the single httpd server_rec ModSecurity runs under for the whole nginx
 * instance (created by modsecInit() in preconfiguration, released in
 * ngx_http_modsecurity_terminate()); one per server block is still a TODO */
static server_rec *modsec_server = NULL;
static ngx_int_t
ngx_http_modsecurity_preconfiguration(ngx_conf_t *cf)
{
    size_t   len;
    u_char  *name;

    /*
     * Runs before the http{} block is parsed: install the PCRE hooks, wire
     * ModSecurity's logging and drop callbacks, create the process-wide
     * server_rec and open the configuration phase.  Returns NGX_ERROR on
     * allocation failure.
     */

    /* XXX: temporary hack, nginx uses pcre as well and hijacks these two.
     * These are process-wide function pointers; every PCRE allocation made
     * while they are installed comes from the never-freed module pool. */
    pcre_malloc = modsec_pcre_malloc;
    pcre_free = modsec_pcre_free;

    /* cf->log is the config-time log; init_process re-points this at the
     * worker's log later */
    modsecSetLogHook(cf->log, modsecLog);
    modsecSetDropAction(ngx_http_modsecurity_drop_action);

    /* TODO: server_rec per server conf */
    modsec_server = modsecInit();
    if (modsec_server == NULL) {
        return NGX_ERROR;
    }

    /* set host name: a NUL-terminated copy for the APR side, taken from the
     * global cycle's hostname */
    len = ngx_cycle->hostname.len;

    name = ngx_pnalloc(cf->pool, len + 1);
    if (name == NULL) {
        return NGX_ERROR;
    }

    *ngx_cpymem(name, ngx_cycle->hostname.data, len) = '\0';
    modsec_server->server_hostname = (char *) name;

    modsecStartConfig();

    return NGX_OK;
}
static void
ngx_http_modsecurity_terminate(ngx_cycle_t *cycle)
{
    /* tear ModSecurity down once; safe to call when it was never started */
    (void) cycle;

    if (modsec_server == NULL) {
        return;
    }

    modsecTerminate();
    modsec_server = NULL;
}
static ngx_int_t
ngx_http_modsecurity_init(ngx_conf_t *cf)
{
    ngx_http_handler_pt        *handler;
    ngx_http_core_main_conf_t  *cmcf;

    /*
     * Postconfiguration: close ModSecurity's config phase, hook the request
     * handler into NGX_HTTP_PREACCESS_PHASE and splice the header/body filters
     * into the output chain.  Returns NGX_ERROR if the phase handler cannot
     * be registered.
     */
    modsecFinalizeConfig();

    cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);

    handler = ngx_array_push(&cmcf->phases[NGX_HTTP_PREACCESS_PHASE].handlers);
    if (handler == NULL) {
        return NGX_ERROR;
    }

    *handler = ngx_http_modsecurity_handler;

    /* filters: remember the current top and put ours in front of it */
    ngx_http_next_header_filter = ngx_http_top_header_filter;
    ngx_http_top_header_filter = ngx_http_modsecurity_header_filter;

    ngx_http_next_body_filter = ngx_http_top_body_filter;
    ngx_http_top_body_filter = ngx_http_modsecurity_body_filter;

    /* zeroed stand-in for r->upstream used by save_headers_out while the
     * upstream copy handlers run; shared by all requests of the worker */
    ngx_memzero(&ngx_http_modsecurity_upstream, sizeof(ngx_http_upstream_t));
    ngx_http_modsecurity_upstream.cacheable = 1;

    return NGX_OK;
}
static ngx_int_t
ngx_http_modsecurity_init_process(ngx_cycle_t *cycle)
{
    /* must set log hook here cf->log maybe changed */
    /* worker start: the log registered at preconfiguration was the
     * config-time cf->log; re-point ModSecurity at the worker's cycle log
     * before its per-process initialisation */
    modsecSetLogHook(cycle->log, modsecLog);
    modsecInitProcess();
    return NGX_OK;
}
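/*
** [ENTRY POINT] does : this function called by nginx from the request handler
*/
static ngx_int_t
ngx_http_modsecurity_handler(ngx_http_request_t *r)
{
    ngx_http_modsecurity_loc_conf_t  *cf;
    ngx_http_modsecurity_ctx_t       *ctx;
    ngx_int_t                         rc;

    /*
     * PREACCESS phase handler: builds the ModSecurity transaction for the
     * main request, runs the request-header phase and, when a body is to be
     * inspected, reads it and continues in ngx_http_modsecurity_body_handler.
     * Returns NGX_DECLINED to let the request through, an HTTP status to
     * block it, or NGX_DONE when the body read is in progress.
     */
    cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity);

    /* Process only main request */
    if (r != r->main || !cf->enable) {
        return NGX_DECLINED;
    }

    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                   "modSecurity: handler");

    /* create / retrive request ctx: an internal redirect re-runs the phases,
     * the ctx stored in the request pool says the headers were already
     * inspected for this request */
    if (r->internal) {

        ctx = ngx_http_get_module_pool_ctx(r, ngx_http_modsecurity);

        if (ctx) {
            /* we have already processed the request headers */
            ngx_http_set_ctx(r, ctx, ngx_http_modsecurity);
            return NGX_DECLINED;
        }

        ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                       "modSecurity: request pool ctx empty");
    }

    ctx = ngx_http_modsecurity_create_ctx(r);
    if (ctx == NULL) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    ngx_http_set_ctx(r, ctx, ngx_http_modsecurity);

    if (ngx_http_set_pool_ctx(r, ctx, ngx_http_modsecurity) != NGX_OK) {
        return NGX_ERROR;
    }

    /* load request to request rec */
    if (ngx_http_modsecurity_load_request(r) != NGX_OK
        || ngx_http_modsecurity_load_headers_in(r) != NGX_OK)
    {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    /* processing request headers (phases 1/2 on the ModSecurity side) */
    rc = ngx_http_modsecurity_status(r, modsecProcessRequestHeaders(ctx->req));

    if (rc != NGX_DECLINED) {
        return rc;
    }

    /* engine switched off for this transaction (presumably SecRuleEngine
     * Off / ctl:ruleEngine=Off): nothing more to inspect */
    if (modsecContextState(ctx->req) == MODSEC_DISABLED) {
        return NGX_DECLINED;
    }

    /* Read and inspect the request body.  The old code did this for POST
     * only, so a PUT/PATCH/DELETE (or any other method) carrying a body went
     * to the backend without the body ever being seen by the rules, which
     * let a client bypass body inspection by changing the method.  Keep the
     * POST behaviour as it was and additionally read any request that
     * announces a body (Content-Length or chunked). */
    if (modsecIsRequestBodyAccessEnabled(ctx->req)
        && (r->method == NGX_HTTP_POST
            || r->headers_in.content_length_n > 0
            || r->headers_in.chunked))
    {
        rc = ngx_http_read_client_request_body(r,
                                           ngx_http_modsecurity_body_handler);
        if (rc >= NGX_HTTP_SPECIAL_RESPONSE) {
            return rc;
        }

        /* body read continues asynchronously; the body handler resumes the
         * phase engine */
        return NGX_DONE;
    }

    /* no body to read: run the body phase on an empty body */
    return ngx_http_modsecurity_status(r, modsecProcessRequestBody(ctx->req));
}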
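static void
ngx_http_modsecurity_body_handler(ngx_http_request_t *r)
{
    ngx_http_modsecurity_ctx_t  *ctx;
    ngx_int_t                    rc;

    /*
     * Post-handler of ngx_http_read_client_request_body(): hands the body to
     * ModSecurity, writes back any changes to body/headers and resumes the
     * phase engine after the PREACCESS handler that started the read.
     */
    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                   "modSecurity: body handler");

    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity);

    /* the handler set the ctx before starting the read; without it there is
     * no transaction to inspect against, fail instead of dereferencing NULL */
    if (ctx == NULL || ctx->req == NULL) {
        ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
        return;
    }

    /* `return <void expr>;` in a void function is not valid C; the old code
     * relied on a compiler extension, so finalize then return */
    if (ngx_http_modsecurity_load_request_body(r) != NGX_OK) {
        ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
        return;
    }

    rc = ngx_http_modsecurity_status(r, modsecProcessRequestBody(ctx->req));

    /* a rule blocked or redirected: answer with that status */
    if (rc != NGX_DECLINED) {
        ngx_http_finalize_request(r, rc);
        return;
    }

    /* write back body and headers as ModSecurity may have modified them */
    if (ngx_http_modsecurity_save_request_body(r) != NGX_OK
        || ngx_http_modsecurity_save_headers_in(r) != NGX_OK)
    {
        ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
        return;
    }

    /* continue with the phase after ours; the NGX_DONE finalize drops the
     * reference taken when the body read started */
    r->phase_handler++;
    ngx_http_core_run_phases(r);
    ngx_http_finalize_request(r, NGX_DONE);
}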
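static ngx_int_t
ngx_http_modsecurity_header_filter(ngx_http_request_t *r) {
    ngx_http_modsecurity_loc_conf_t  *cf;
    ngx_http_modsecurity_ctx_t       *ctx;
    const char                       *location;
    ngx_table_elt_t                  *h;

    /*
     * Header filter.  For an inspected main request the headers are held
     * back (NGX_OK without calling the next filter) until the body filter has
     * buffered the whole response and run ModSecurity over it; the body
     * filter then re-enters the header chain.  After that, a 3XX produced by
     * a redirect action gets its Location header copied back here.
     */
    cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity);
    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity);

    /* already processed, checking redirect action. */
    if (ctx && ctx->complete && ctx->req != NULL
        && r->err_status >= NGX_HTTP_MOVED_PERMANENTLY
        && r->err_status < 308)
    {
        /* 3XX load redirect location header so that we can do redirect in phase 3,4 */
        location = apr_table_get(ctx->req->headers_out, "Location");

        if (location == NULL) {
            return NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        h = ngx_list_push(&r->headers_out.headers);
        if (h == NULL) {
            return NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        /* ngx_list_push() returns uninitialised storage; the old code set
         * only hash/key/value and left the remaining fields (lowcase_key,
         * anything newer nginx adds to ngx_table_elt_t) as garbage for later
         * filters and variables to read */
        ngx_memzero(h, sizeof(ngx_table_elt_t));

        h->hash = 1;
        ngx_str_set(&h->key, "Location");
        h->lowcase_key = (u_char *) "location";
        h->value.data = (u_char *) location;
        h->value.len = ngx_strlen(location);

        return ngx_http_next_header_filter(r);
    }

    if (r != r->main || !cf->enable || ctx == NULL || ctx->complete) {
        return ngx_http_next_header_filter(r);
    }

    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                   "modSecurity: header filter");

    /* ask the copy filter to bring file buffers into memory: the body filter
     * reads buf->pos directly.
     * NOTE(review): headers are deferred here and only sent once the body
     * filter sees last_buf; a response that never reaches the body filter
     * (e.g. a handler returning right after ngx_http_send_header() for a
     * HEAD request) would never be sent — confirm and, if so, pass
     * r->header_only responses straight through. */
    r->filter_need_in_memory = 1;

    return NGX_OK;
}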
static ngx_int_t
ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
{
    ngx_http_modsecurity_loc_conf_t *cf;
    ngx_http_modsecurity_ctx_t *ctx;
    ngx_int_t rc;
    apr_off_t content_length;
    ngx_chain_t *cl, *out;
    ngx_int_t last_buf = 0;

    /*
     * Body filter.  Copies every buffer of the response into an APR brigade
     * and returns NGX_AGAIN until the last buffer arrives; then runs
     * ModSecurity's response phase over the complete body, writes headers
     * back, re-enters the header chain and forwards the buffered body.
     *
     * NOTE(review): the whole response is held in memory before any limit
     * on the ModSecurity side can apply, so a large upstream response costs
     * its full size per request while inspection is enabled — the
     * SecResponseBodyLimit / MIME-type checks are not consulted here.
     */
    cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity);
    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity);

    /* subrequests, disabled locations, no transaction, or a response that
     * was already inspected (including our own error/redirect response)
     * pass straight through */
    if (r != r->main || !cf->enable || ctx == NULL || ctx->complete) {
        return ngx_http_next_body_filter(r, in);
    }

    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "modSecurity: body filter");

    for (cl = in; cl; cl = cl->next) {
        apr_bucket *e;
        ngx_buf_t *buf = cl->buf;
        apr_bucket_brigade *bb = ctx->brigade;
        off_t size = ngx_buf_size(buf);

        /* copy the buffer's bytes into a pool bucket; buf->pos is read
         * directly, which relies on filter_need_in_memory set by the header
         * filter so that file buffers were already brought into memory */
        if (size) {
            char *data = apr_pmemdup(bb->p, buf->pos, size);
            if (data == NULL) {
                return ngx_http_filter_finalize_request(r,
                    &ngx_http_modsecurity, NGX_HTTP_INTERNAL_SERVER_ERROR);
            }
            e = apr_bucket_pool_create(data , size, bb->p, bb->bucket_alloc);
            if (e == NULL) {
                return ngx_http_filter_finalize_request(r,
                    &ngx_http_modsecurity, NGX_HTTP_INTERNAL_SERVER_ERROR);
            }
            APR_BRIGADE_INSERT_TAIL(bb, e);
        }

        /* end of response: clear the flag on the original buffer (the copy
         * made by move_brigade_to_chain() carries it instead) and close the
         * brigade with EOS */
        if (buf->last_buf) {
            last_buf = 1;
            buf->last_buf = 0;
            e = apr_bucket_eos_create(bb->bucket_alloc);
            if (e == NULL) {
                return ngx_http_filter_finalize_request(r,
                    &ngx_http_modsecurity, NGX_HTTP_INTERNAL_SERVER_ERROR);
            }
            APR_BRIGADE_INSERT_TAIL(bb, e);
            break;
        }

        /* mark the buffer consumed so its owner can reuse it */
        buf->pos = buf->last;
    }

    /* more to come: nothing is sent downstream yet */
    if (!last_buf) {
        return NGX_AGAIN;
    }

    /* last buf has been saved */
    ctx->complete = 1;
    modsecSetResponseBrigade(ctx->req, ctx->brigade);

    if (ngx_http_modsecurity_load_headers_in(r) != NGX_OK
        || ngx_http_modsecurity_load_headers_out(r) != NGX_OK) {

        return ngx_http_filter_finalize_request(r,
            &ngx_http_modsecurity, NGX_HTTP_INTERNAL_SERVER_ERROR);
    }

    /* phases 3/4: a blocking rule turns into an error response here; it
     * passes the header filter because ctx->complete is already set */
    rc = ngx_http_modsecurity_status(r, modsecProcessResponse(ctx->req));

    if (rc != NGX_DECLINED) {
        return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, rc);
    }

    apr_brigade_length(ctx->brigade, 0, &content_length);

    rc = move_brigade_to_chain(ctx->brigade, &out, r->pool);
    if (rc == NGX_ERROR) {
        return ngx_http_fil­ter_finalize_request(r,
            &ngx_http_modsecurity, NGX_HTTP_INTERNAL_SERVER_ERROR);
    }

    if (ngx_http_modsecurity_save_headers_in(r) != NGX_OK
        ||ngx_http_modsecurity_save_headers_out(r) != NGX_OK) {

        return ngx_http_filter_finalize_request(r,
            &ngx_http_modsecurity, NGX_HTTP_INTERNAL_SERVER_ERROR);
    }

    /* only when a Content-Length was announced: replace it with the length
     * of what is actually going out */
    if (r->headers_out.content_length_n != -1) {

        r->headers_out.content_length_n = content_length;
        r->headers_out.content_length = NULL; /* header filter will set this */
    }

    /* the header filter held the headers back; send them now, then the body */
    r->header_sent = 0;
    rc = ngx_http_next_header_filter(r);

    if (rc == NGX_ERROR || rc > NGX_OK) {
        return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity, rc);
    }

    return ngx_http_next_body_filter(r, out);
}
/* size of the random buffer behind UNIQUE_ID; the id itself is TXID_SIZE-1
 * characters followed by the terminating NUL */
#define TXID_SIZE 25
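static ngx_http_modsecurity_ctx_t *
ngx_http_modsecurity_create_ctx(ngx_http_request_t *r)
{
    ngx_http_modsecurity_loc_conf_t  *cf;
    ngx_pool_cleanup_t               *cln;
    ngx_http_modsecurity_ctx_t       *ctx;
    apr_sockaddr_t                   *asa;
    struct sockaddr_in               *sin;
    unsigned char                     salt[TXID_SIZE];
    char                              txid[TXID_SIZE];
    int                               i;
#if (NGX_HAVE_INET6)
    struct sockaddr_in6              *sin6;
#endif
    static const char                 alphabet[] =
        "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

    /*
     * Build the per-request ModSecurity context: an httpd conn_rec describing
     * the client address, a request_rec bound to the location's rule set, a
     * UNIQUE_ID for audit-log correlation and the brigade that will hold the
     * response body.  Returns NULL on any failure; a pool cleanup registered
     * early releases whatever was already created.
     */
    ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_modsecurity_ctx_t));
    if (ctx == NULL) {
        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
                      "modSecurity: ctx memory allocation error");
        return NULL;
    }

    /* the cleanup data is replaced with ctx below, so no extra storage is
     * requested (the old code allocated a second, unused ctx-sized block) */
    cln = ngx_pool_cleanup_add(r->pool, 0);
    if (cln == NULL) {
        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
                      "modSecurity: ctx memory allocation error");
        return NULL;
    }
    cln->handler = ngx_http_modsecurity_cleanup;
    cln->data = ctx;

    ctx->r = r;

    /* ctx was just zeroed, so the old "r->connection->requests == 0 ||
     * ctx->connection == NULL" test was always true: a fresh ModSecurity
     * connection is created for every request, keep-alive or not.
     * TODO: set server_rec */
    ctx->connection = modsecNewConnection();
    if (ctx->connection == NULL) {
        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
                      "modSecurity: connection allocation error");
        return NULL;
    }

    /* fill apr_sockaddr_t with the client address nginx accepted */
    asa = ngx_palloc(r->pool, sizeof(apr_sockaddr_t));
    if (asa == NULL) {
        return NULL;
    }

    asa->pool = ctx->connection->pool;
    asa->hostname = (char *) ngx_pstrdup0(r->pool, &r->connection->addr_text);
    if (asa->hostname == NULL) {
        return NULL;
    }
    asa->servname = asa->hostname;
    asa->next = NULL;

    /* never copy more than the union can hold, whatever the socket family */
    asa->salen = r->connection->socklen;
    if (asa->salen > (apr_socklen_t) sizeof(asa->sa)) {
        asa->salen = (apr_socklen_t) sizeof(asa->sa);
    }
    ngx_memcpy(&asa->sa, r->connection->sockaddr, asa->salen);

    asa->family = ((struct sockaddr *) &asa->sa)->sa_family;
    switch (asa->family) {

#if (NGX_HAVE_INET6)
    case AF_INET6:
        sin6 = (struct sockaddr_in6 *) &asa->sa;
        asa->ipaddr_ptr = &sin6->sin6_addr;
        asa->ipaddr_len = sizeof(sin6->sin6_addr);
        asa->port = ntohs(sin6->sin6_port);
        asa->addr_str_len = NGX_INET6_ADDRSTRLEN + 1;
        break;
#endif

    default: /* AF_INET (any other family is treated as IPv4 here) */
        sin = (struct sockaddr_in *) &asa->sa;
        asa->ipaddr_ptr = &sin->sin_addr;
        asa->ipaddr_len = sizeof(sin->sin_addr);
        asa->port = ntohs(sin->sin_port);
        asa->addr_str_len = NGX_INET_ADDRSTRLEN + 1;
        break;
    }

#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3
    ctx->connection->remote_addr = asa;
    ctx->connection->remote_ip = asa->hostname;
#else
    ctx->connection->client_addr = asa;
    ctx->connection->client_ip = asa->hostname;
#endif
    ctx->connection->remote_host = NULL;
    modsecProcessConnection(ctx->connection);

    cf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity);

    ctx->req = modsecNewRequest(ctx->connection, cf->config);
    if (ctx->req == NULL) {
        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
                      "modSecurity: request allocation error");
        return NULL;
    }

    /* lets the drop action find its way back from a request_rec to ctx */
    apr_table_setn(ctx->req->notes, NOTE_NGINX_REQUEST_CTX, (const char *) ctx);

    /* UNIQUE_ID: TXID_SIZE-1 characters from [0-9A-Za-z].
     * The old code base64-encoded the TXID_SIZE random bytes into a
     * TXID_SIZE-byte pool buffer (apr_base64_encode() writes
     * apr_base64_encode_len(25) = 37 bytes) — an overflow into adjacent
     * pool memory — and then discarded that output, building the id by
     * overwriting every non-alphanumeric random byte with a fixed 'A'/'c',
     * which left most positions constant.  Map each byte onto the alphabet
     * instead: bounded, and the randomness is actually used (the 256 % 62
     * bias is irrelevant for a correlation id). */
    ngx_memzero(salt, sizeof(salt));
    if (apr_generate_random_bytes(salt, sizeof(salt)) != APR_SUCCESS) {
        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                      "modSecurity: apr_generate_random_bytes() failed, "
                      "UNIQUE_ID is not random");
    }

    for (i = 0; i < TXID_SIZE - 1; i++) {
        txid[i] = alphabet[salt[i] % (sizeof(alphabet) - 1)];
    }
    txid[TXID_SIZE - 1] = '\0';

    apr_table_setn(ctx->req->subprocess_env, "UNIQUE_ID",
                   apr_pstrdup(ctx->req->pool, txid));

    /* response body buffer filled by the body filter */
    ctx->brigade = apr_brigade_create(ctx->req->pool,
                                      ctx->req->connection->bucket_alloc);
    if (ctx->brigade == NULL) {
        return NULL;
    }

    return ctx;
}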
static void
ngx_http_modsecurity_cleanup(void *data)
{
    ngx_http_modsecurity_ctx_t  *ctx = data;
    request_rec                 *req = ctx->req;
    conn_rec                    *conn = ctx->connection;

    /* r->pool cleanup: close the ModSecurity transaction (this is what
     * writes the audit log) and then the connection; either may be absent
     * when ctx creation failed part way */
    if (req != NULL) {
        (void) modsecFinishRequest(req);
    }

    if (conn != NULL) {
        (void) modsecFinishConnection(conn);
    }
}
static char *
ngx_http_modsecurity_config(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_modsecurity_loc_conf_t  *mscf = conf;
    ngx_str_t                        *args;
    const char                       *err;

    /*
     * "ModSecurityConfig <file>": load a rules file into a fresh
     * directory_config for this location.  At most one per location.
     */
    if (mscf->config != NGX_CONF_UNSET_PTR) {
        return "is duplicate";
    }

    args = cf->args->elts;

    /* resolve the path against the nginx prefix, in place */
    if (ngx_conf_full_name(cf->cycle, &args[1], 1) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    mscf->config = modsecGetDefaultConfig();
    if (mscf->config == NULL) {
        return NGX_CONF_ERROR;
    }

    /* a non-NULL result is a human-readable error message, not a status */
    err = modsecProcessConfig(mscf->config, (const char *) args[1].data, NULL);
    if (err == NULL) {
        return NGX_CONF_OK;
    }

    ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "ModSecurityConfig in %s:%ui: %s",
                  cf->conf_file->file.name.data, cf->conf_file->line, err);

    return NGX_CONF_ERROR;
}
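static char *
ngx_http_modsecurity_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_modsecurity_loc_conf_t  *mscf = conf;
    ngx_str_t                        *name;
    char                             *rc;

    /*
     * "ModSecurityEnabled on|off": flag slot plus, when switched on, the
     * config file position so the merge handler can name the offending
     * location if no ModSecurityConfig accompanies it.
     */
    rc = ngx_conf_set_flag_slot(cf, cmd, conf);
    if (rc != NGX_CONF_OK) {
        return rc;
    }

    if (mscf->enable) {
        /* cf->conf_file is a per-file parser object that is gone once an
         * include'd file has been parsed, while mscf->file is read later at
         * merge time.  The old code stored &cf->conf_file->file.name, a
         * dangling pointer for directives inside includes; keep a copy of
         * the ngx_str_t in the config pool instead (its data already lives
         * there). */
        name = ngx_palloc(cf->pool, sizeof(ngx_str_t));
        if (name == NULL) {
            return NGX_CONF_ERROR;
        }

        *name = cf->conf_file->file.name;

        mscf->file = name;
        mscf->line = cf->conf_file->line;
    }

    return NGX_CONF_OK;
}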
static int
ngx_http_modsecurity_drop_action(request_rec *r)
{
    const char                  *note;
    ngx_http_modsecurity_ctx_t  *ctx;

    /*
     * Callback for the ModSecurity "drop" action (modsecSetDropAction):
     * recover the nginx context stored in the request notes and flag the
     * client connection as errored so nginx tears it down instead of
     * answering.  Returns 0 on success, -1 when the note is missing.
     */
    note = apr_table_get(r->notes, NOTE_NGINX_REQUEST_CTX);
    if (note == NULL) {
        return -1;
    }

    /* the note holds a raw ctx pointer, not a string (see create_ctx) */
    ctx = (ngx_http_modsecurity_ctx_t *) note;
    ctx->r->connection->error = 1;

    return 0;
}