
Adds support to Python scripts on ModSecurity core.

Analogous to what we already have for Lua, this commit adds Python support.
This is very experimental.
1 parent c17bf6a commit 853ead7ec6d236c675e8cb7d04434a6fcead7d1b @zimmerle zimmerle committed Aug 26, 2014
@@ -20,6 +20,7 @@ mod_security2_la_SOURCES = acmp.c \
msc_multipart.c \
msc_parsers.c \
msc_pcre.c \
+ msc_python.c \
msc_release.c \
msc_reqbody.c \
msc_tree.c \
@@ -41,6 +42,7 @@ mod_security2_la_CFLAGS = @APR_CFLAGS@ \
@LUA_CFLAGS@ \
@MODSEC_EXTRA_CFLAGS@ \
@PCRE_CFLAGS@ \
+ @PYTHON_CFLAGS@ \
@YAJL_CFLAGS@
@@ -53,6 +55,7 @@ mod_security2_la_LIBADD = @APR_LDADD@ \
@LIBXML2_LDADD@ \
@LUA_LDADD@ \
@PCRE_LDADD@ \
+ @PYTHON_LDADD@ \
@YAJL_LDADD@
if AIX
@@ -63,7 +66,9 @@ mod_security2_la_LDFLAGS = -module -avoid-version \
@LIBXML2_LDFLAGS@ \
@LUA_LDFLAGS@ \
@PCRE_LDFLAGS@ \
+ @PYTHON_LDFLAGS@ \
@YAJL_LDFLAGS@
+
endif
if HPUX
@@ -74,6 +79,7 @@ mod_security2_la_LDFLAGS = -module -avoid-version \
@LIBXML2_LDFLAGS@ \
@LUA_LDFLAGS@ \
@PCRE_LDFLAGS@ \
+ @PYTHON_LDFLAGS@ \
@YAJL_LDFLAGS@
endif
@@ -85,6 +91,7 @@ mod_security2_la_LDFLAGS = -module -avoid-version \
@LIBXML2_LDFLAGS@ \
@LUA_LDFLAGS@ \
@PCRE_LDFLAGS@ \
+ @PYTHON_LDFLAGS@ \
@YAJL_LDFLAGS@
endif
@@ -96,6 +103,7 @@ mod_security2_la_LDFLAGS = -module -avoid-version \
@LIBXML2_LDFLAGS@ \
@LUA_LDFLAGS@ \
@PCRE_LDFLAGS@ \
+ @PYTHON_LDFLAGS@ \
@YAJL_LDFLAGS@
endif
@@ -107,6 +115,7 @@ mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH
@LIBXML2_LDFLAGS@ \
@LUA_LDFLAGS@ \
@PCRE_LDFLAGS@ \
+ @PYTHON_LDFLAGS@ \
@YAJL_LDFLAGS@
endif
@@ -118,6 +127,7 @@ mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
@LIBXML2_LDFLAGS@ \
@LUA_LDFLAGS@ \
@PCRE_LDFLAGS@ \
+ @PYTHON_LDFLAGS@ \
@YAJL_LDFLAGS@
endif
@@ -129,6 +139,7 @@ mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
@LIBXML2_LDFLAGS@ \
@LUA_LDFLAGS@ \
@PCRE_LDFLAGS@ \
+ @PYTHON_LDFLAGS@ \
@YAJL_LDFLAGS@
endif
@@ -140,6 +151,7 @@ mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
@LIBXML2_LDFLAGS@ \
@LUA_LDFLAGS@ \
@PCRE_LDFLAGS@ \
+ @PYTHON_LDFLAGS@ \
@YAJL_LDFLAGS@
endif
@@ -26,6 +26,9 @@
#include "msc_lua.h"
#endif
+#ifdef WITH_PYTHON
+#include "msc_python.h"
+#endif
/* -- Directory context creation and initialisation -- */
@@ -771,11 +774,19 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type,
/* Create the rule now. */
switch(type) {
#if defined(WITH_LUA)
- case RULE_TYPE_LUA :
+ case RULE_TYPE_LUA:
rule = msre_rule_lua_create(dcfg->ruleset, cmd->directive->filename,
cmd->directive->line_num, p1, p2, &my_error_msg);
break;
#endif
+
+ #ifdef WITH_PYTHON
+ case RULE_TYPE_PYTHON:
+ rule = msre_rule_python_create(dcfg->ruleset, cmd->directive->filename,
+ cmd->directive->line_num, p1, p2, &my_error_msg);
+ break;
+ #endif
+
default :
rule = msre_rule_create(dcfg->ruleset, type, cmd->directive->filename,
cmd->directive->line_num, p1, p2, p3, &my_error_msg);
@@ -791,6 +802,9 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type,
#if defined(WITH_LUA)
type != RULE_TYPE_LUA &&
#endif
+#ifdef WITH_PYTHON
+ type != RULE_TYPE_PYTHON &&
+#endif
(dcfg->tmp_chain_starter == NULL))
if(rule->actionset == NULL)
return "ModSecurity: Rules must have at least id action";
@@ -800,22 +814,31 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type,
#if defined(WITH_LUA)
&& (type != RULE_TYPE_LUA)
#endif
+#ifdef WITH_PYTHON
+ && (type != RULE_TYPE_PYTHON)
+#endif
)
return "ModSecurity: No action id present within the rule";
-#if defined(WITH_LUA)
- if(type != RULE_TYPE_LUA)
+
+#ifdef WITH_LUA
+ if (type != RULE_TYPE_LUA)
#endif
{
- rid = apr_hash_get(dcfg->rule_id_htab, rule->actionset->id, APR_HASH_KEY_STRING);
- if(rid != NULL) {
- return "ModSecurity: Found another rule with the same id";
- } else {
- apr_hash_set(dcfg->rule_id_htab, apr_pstrdup(dcfg->mp, rule->actionset->id), APR_HASH_KEY_STRING, apr_pstrdup(dcfg->mp, "1"));
- }
+#ifdef WITH_PYTHON
+ if (type != RULE_TYPE_PYTHON)
+#endif
+ {
+ rid = apr_hash_get(dcfg->rule_id_htab, rule->actionset->id, APR_HASH_KEY_STRING);
+ if(rid != NULL) {
+ return "ModSecurity: Found another rule with the same id";
+ } else {
+ apr_hash_set(dcfg->rule_id_htab, apr_pstrdup(dcfg->mp, rule->actionset->id), APR_HASH_KEY_STRING, apr_pstrdup(dcfg->mp, "1"));
+ }
//tmp_rule = msre_ruleset_fetch_rule(dcfg->ruleset, rule->actionset->id, offset);
//if(tmp_rule != NULL)
// return "ModSecurity: Found another rule with the same id";
+ }
}
}
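Review bot: Python rules that carry an `id` skip the `rule_id_htab` uniqueness check in this hunk, and the preceding hunk also exempts them from the "Rules must have at least id action" test, so a script rule can be loaded with no id or with an id another rule already uses. That mirrors the existing Lua exemption, but it presumably leaves removal or update by id and log attribution ambiguous for script rules. If `rule->actionset` can be non-NULL for script rules (not visible here), consider keying the block on the id rather than on the rule type, e.g. `if (rule->actionset != NULL && rule->actionset->id != NOT_SET_P)`, which would also replace the two nested `#ifdef`-guarded `if` blocks with one condition. add_rule starts and ends outside this hunk.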
@@ -2246,13 +2269,30 @@ static const char *cmd_rule_inheritance(cmd_parms *cmd, void *_dcfg, int flag)
static const char *cmd_rule_script(cmd_parms *cmd, void *_dcfg,
const char *p1, const char *p2)
{
- #if defined(WITH_LUA)
const char *filename = resolve_relative_path(cmd->pool, cmd->directive->filename, p1);
- return add_rule(cmd, (directory_config *)_dcfg, RULE_TYPE_LUA, filename, p2, NULL);
- #else
- ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool, "Ignoring SecRuleScript \"%s\" directive (%s:%d): No Lua scripting support.", p1, cmd->directive->filename, cmd->directive->line_num);
+
+ if (strlen(filename) > 3) {
+ const char *p = filename + strlen(filename) - 3;
+
+#ifdef WITH_PYTHON
+ if ((p[0] == '.')&&(p[1] == 'p')&&(p[2] == 'y'))
+ {
+ return add_rule(cmd, (directory_config *)_dcfg, RULE_TYPE_PYTHON, filename, p2, NULL);
+ }
+#endif
+#ifdef WITH_LUA
+ if ((p[0] == 'l')&&(p[1] == 'u')&&(p[2] == 'a'))
+ {
+ return add_rule(cmd, (directory_config *)_dcfg, RULE_TYPE_LUA, filename, p2, NULL);
+ }
+#endif
+ }
+
+#if !defined(WITH_PYTHON) || !defined(WITH_LUA)
+ ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool, "Ignoring SecRuleScript \"%s\" directive (%s:%d): No Lua scripting or Python support.", p1, cmd->directive->filename, cmd->directive->line_num);
+#endif
+
return NULL;
- #endif
}
static const char *cmd_rule_remove_by_id(cmd_parms *cmd, void *_dcfg,
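Review bot: When both WITH_PYTHON and WITH_LUA are defined, a SecRuleScript path whose suffix matches neither test reaches `return NULL` with the `ap_log_perror` call compiled out, so the directive is accepted and the rule is never loaded, with no message at startup. The removed lines loaded every path as Lua, so an existing configuration whose script has no `.lua` suffix would silently lose that rule after this change. The Lua test also compares only `l`, `u`, `a` without the dot, so any name ending in `lua` is treated as Lua while Python requires `.py`. I would compare the full suffix and make the fall-through return an error string; whether a build without script support should fail startup or only log is a policy decision, but the path should not report success silently.

```c
// … unchanged: resolve_relative_path() call, length guard and the WITH_PYTHON ".py" branch …
#ifdef WITH_LUA
        /* the length guard above guarantees at least 4 characters */
        if (strcmp(filename + strlen(filename) - 4, ".lua") == 0)
        {
            return add_rule(cmd, (directory_config *)_dcfg, RULE_TYPE_LUA, filename, p2, NULL);
        }
#endif
    }

    /* No engine claimed the script: report it instead of returning success. */
    return apr_psprintf(cmd->pool, "ModSecurity: SecRuleScript \"%s\" (%s:%d): "
            "unsupported script type or scripting support not compiled in.",
            p1, cmd->directive->filename, cmd->directive->line_num);
}
```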
@@ -37,6 +37,10 @@
#include "msc_lua.h"
#endif
+#ifdef WITH_PYTHON
+#include "msc_python.h"
+#endif
+
#include "msc_status_engine.h"
/* ModSecurity structure */
@@ -60,6 +60,10 @@ typedef struct msc_parm msc_parm;
#include "msc_lua.h"
#endif
+#ifdef WITH_PYTHON
+#include "msc_python.h"
+#endif
+
#define PHASE_REQUEST_HEADERS 1
#define PHASE_REQUEST_BODY 2
#define PHASE_RESPONSE_HEADERS 3
@@ -1,11 +1,13 @@
MOD_SECURITY2 = mod_security2 apache2_config apache2_io apache2_util \
re re_operators re_actions re_tfns re_variables msc_json \
msc_logging msc_xml msc_multipart modsecurity msc_parsers msc_util msc_pcre \
- persist_dbm msc_reqbody pdf_protect msc_geo msc_gsb msc_crypt msc_tree msc_unicode acmp msc_lua
+ persist_dbm msc_reqbody pdf_protect msc_geo msc_gsb msc_crypt msc_tree msc_unicode acmp msc_lua \
+ msc_python
H = re.h modsecurity.h msc_logging.h msc_multipart.h msc_parsers.h msc_json.h \
msc_pcre.h msc_util.h msc_xml.h persist_dbm.h apache2.h pdf_protect.h \
- msc_geo.h msc_gsb.h msc_crypt.h msc_tree.h msc_unicode.h acmp.h utf8tables.h msc_lua.h
+ msc_geo.h msc_gsb.h msc_crypt.h msc_tree.h msc_unicode.h acmp.h utf8tables.h msc_lua.h \
+ msc_python.h
${MOD_SECURITY2:=.slo}: ${H}
${MOD_SECURITY2:=.lo}: ${H}