
Added SecXmlExternalEntity

1 parent 4db1f51 commit d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe @brenosilva brenosilva committed
Showing with 60 additions and 2 deletions.
  1. +46 −2 apache2/apache2_config.c
  2. +3 −0 apache2/modsecurity.h
  3. +11 −0 apache2/msc_xml.c
48 apache2/apache2_config.c
@@ -156,6 +156,9 @@ void *create_directory_config(apr_pool_t *mp, char *path)
dcfg->crypto_hash_framesrc_pm = NOT_SET;
+ /* xml external entity */
+ dcfg->xml_external_entity = NOT_SET;
+
return dcfg;
}
@@ -591,6 +594,10 @@ void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child)
merged->crypto_hash_framesrc_pm = (child->crypto_hash_framesrc_pm == NOT_SET
? parent->crypto_hash_framesrc_pm : child->crypto_hash_framesrc_pm);
+ /* xml external entity */
+ merged->xml_external_entity = (child->xml_external_entity == NOT_SET
+ ? parent->xml_external_entity : child->xml_external_entity);
+
return merged;
}
@@ -711,6 +718,9 @@ void init_directory_config(directory_config *dcfg)
if (dcfg->crypto_hash_iframesrc_pm == NOT_SET) dcfg->crypto_hash_iframesrc_pm = 0;
if (dcfg->crypto_hash_framesrc_pm == NOT_SET) dcfg->crypto_hash_framesrc_pm = 0;
+ /* xml external entity */
+ if (dcfg->xml_external_entity == NOT_SET) dcfg->xml_external_entity = 0;
+
}
/**
@@ -2282,9 +2292,35 @@ static const char *cmd_sensor_id(cmd_parms *cmd, void *_dcfg, const char *p1)
return NULL;
}
+/**
+* \brief Add SecXmlExternalEntity configuration option
+*
+* \param cmd Pointer to configuration data
+* \param _dcfg Pointer to directory configuration
+* \param p1 Pointer to configuration option
+*
+* \retval NULL On failure
+* \retval apr_psprintf On Success
+*/
+static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
+ directory_config *dcfg = (directory_config *)_dcfg;
+ if (dcfg == NULL) return NULL;
+
+ if (strcasecmp(p1, "on") == 0) {
+ dcfg->xml_external_entity = 1;
+ }
+ else if (strcasecmp(p1, "off") == 0) {
+ dcfg->xml_external_entity = 0;
+ }
+ else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecXmlExternalEntity: %s", p1);
+
+ return NULL;
+}
+
/**
-* \brief Add SecHash configuration option
+* \brief Add SecHashEngine configuration option
*
* \param cmd Pointer to configuration data
* \param _dcfg Pointer to directory configuration
@@ -2306,7 +2342,7 @@ static const char *cmd_hash_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
dcfg->hash_is_enabled = HASH_DISABLED;
dcfg->hash_enforcement = HASH_DISABLED;
}
- else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRuleEngine: %s", p1);
+ else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SexHashEngine: %s", p1);
@q6r
q6r added a note

s/SexHashEngine/SecHashEngine/ :laughing:

return NULL;
}
@@ -3223,6 +3259,14 @@ const command_rec module_directives[] = {
"On or Off"
),
+ AP_INIT_TAKE1 (
+ "SecXmlExternalEntity",
+ cmd_xml_external_entity,
+ NULL,
+ CMD_SCOPE_ANY,
+ "On or Off"
+ ),
+
AP_INIT_FLAG (
"SecRuleInheritance",
cmd_rule_inheritance,
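Review bot: The doc block above `cmd_xml_external_entity` has its return values swapped: the function returns `NULL` when the value is accepted and the `apr_psprintf` message only when `p1` is neither "on" nor "off". I would write `\retval NULL On success` and `\retval error message (allocated from cmd->pool) On invalid value`, and add one sentence saying that Off is stored as 0, the same value `init_directory_config` substitutes for `NOT_SET`, so an unconfigured context behaves like Off. As a style point, the neighbouring `SecRuleInheritance` entry uses `AP_INIT_FLAG`; registering this directive the same way would let Apache parse On/Off and remove the hand-written `strcasecmp` chain, at the cost of changing the handler's third parameter to an `int`.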
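--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@@ -595,6 +595,9 @@ struct directory_config {
 int crypto_hash_location_pm;
 int crypto_hash_iframesrc_pm;
 int crypto_hash_framesrc_pm;
+
+ /* xml */
+ int xml_external_entity;
 };
 struct error_message_t {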
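--- a/apache2/msc_xml.c
+++ b/apache2/msc_xml.c
@@ -14,17 +14,28 @@
 #include "msc_xml.h"
+static xmlParserInputBufferPtr
+xml_unload_external_entity(const char *URI, xmlCharEncoding enc) {
+ return NULL;
+}
+
 /**
 * Initialise XML parser.
 */
 int xml_init(modsec_rec *msr, char **error_msg) {
+ xmlParserInputBufferCreateFilenameFunc entity;
+
 if (error_msg == NULL) return -1;
 *error_msg = NULL;
 msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data));
 if (msr->xml == NULL) return -1;
+ if(msr->txcfg->xml_external_entity == 0) {
+ entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity);
+ }
+
 return 1;
 }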
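Review bot: `xmlParserInputBufferCreateFilenameDefault` in `xml_init` replaces a libxml2-wide default rather than a setting on this transaction's parser, so the per-directory `xml_external_entity` value is not honoured per request. Once one transaction with the option Off has installed `xml_unload_external_entity`, a later transaction configured On never puts the stock loader back, and the previous callback saved in `entity` is written but never read. Other libxml2 users in the same process, and presumably ModSecurity's own file-based DTD or schema loads, would then have their filename-based loads refused too. Blocking by default is the right fail-safe, but both branches should set the state explicitly, for instance `else { xmlParserInputBufferCreateFilenameDefault(NULL); }` if the linked libxml2 treats NULL as "use the built-in loader" (to be confirmed), or preferably by restricting entity loading on the parser context that is created for the transaction outside this hunk. A comment above `xml_unload_external_entity` should say that returning NULL makes libxml2 fail every filename-based input and that `URI` and `enc` are deliberately unused.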
