From be374895e4511e79b97a205a5ed93e91170bad86 Mon Sep 17 00:00:00 2001 From: Ervin Hegedus Date: Tue, 16 Apr 2024 18:27:56 +0200 Subject: [PATCH 1/4] Allow regular expressions in ctl:ruleRemoveTargetByX variable names II. --- apache2/re.c | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/apache2/re.c b/apache2/re.c index 9ded3be79..8d512906a 100644 --- a/apache2/re.c +++ b/apache2/re.c @@ -62,6 +62,9 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va char *c = NULL, *name = NULL, *value = NULL; char *variable = NULL, *myvar = NULL; char *myvalue = NULL, *myname = NULL; + msc_regex_t *regex; + char *errptr; + int erroffset; int match = 0; if(msr == NULL) @@ -115,7 +118,33 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va (strncasecmp(myname, name,strlen(myname)) == 0)) { if(value != NULL && myvalue != NULL) { - if((strlen(myvalue) == strlen(value)) && + if(strlen(value) > 2 && value[0] == '/' && value[strlen(value) - 1] == '/') { + value[strlen(value) - 1] = '\0'; +#ifdef WITH_PCRE2 + regex = msc_pregcomp(msr->mp, value + 1, + PCRE2_DOTALL | PCRE2_CASELESS | PCRE2_DOLLAR_ENDONLY, (const char **)&errptr, &erroffset); +#else + regex = msc_pregcomp(msr->mp, value + 1, + PCRE_DOTALL | PCRE_CASELESS | PCRE_DOLLAR_ENDONLY, (const char **)&errptr, &erroffset); +#endif + if (regex == NULL) { + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "fetch_target_exception: Regexp /%s/ failed to compile at pos %d: %s.", + value + 1, erroffset, errptr); + } + } else { +#ifdef WITH_PCRE2 + if (!(msc_regexec(regex, myvalue, strlen(myvalue), &errptr) == PCRE2_ERROR_NOMATCH)) { +#else + if (!(msc_regexec(regex, myvalue, strlen(myvalue), &errptr) == PCRE_ERROR_NOMATCH)) { +#endif + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "fetch_target_exception: Target %s will not be processed.", var->name); + } + match = 1; + } + } + } else if((strlen(myvalue) == strlen(value)) && strncasecmp(myvalue,value,strlen(myvalue)) == 0) { if (msr->txcfg->debuglog_level >= 9) { msr_log(msr, 9, "fetch_target_exception: Target %s will not be processed.", target); From 2b2535cb18ea9794a0a17402613b6979047fb4d6 Mon Sep 17 00:00:00 2001 From: Ervin Hegedus Date: Wed, 17 Apr 2024 17:44:29 +0200 Subject: [PATCH 2/4] Split error handling into two parts; add regular log in case of failed compilation --- apache2/re.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/apache2/re.c b/apache2/re.c index 8d512906a..520abb985 100644 --- a/apache2/re.c +++ b/apache2/re.c @@ -129,8 +129,18 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va #endif if (regex == NULL) { if (msr->txcfg->debuglog_level >= 9) { +#ifdef WITH_PCRE2 + // in case of PCRE2 the errptr won't fill + msr_log(msr, 9, "fetch_target_exception: Regexp /%s/ failed to compile at pos %d.", + value + 1, erroffset); + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, " ModSecurity: exclusion regexp /%s/ failed to compile at pos %d.", + value + 1, erroffset); +#else msr_log(msr, 9, "fetch_target_exception: Regexp /%s/ failed to compile at pos %d: %s.", value + 1, erroffset, errptr); + ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, " ModSecurity: exclusion regexp /%s/ failed to compile at pos %d: %s.", + value + 1, erroffset, errptr); +#endif } } else { #ifdef WITH_PCRE2 From c796804adf13b5c0efe2de430a3aa68360179c0a Mon Sep 17 00:00:00 2001 From: Ervin Hegedus Date: Wed, 17 Apr 2024 17:46:11 +0200 Subject: [PATCH 3/4] Pre-calculate string length instead of strlen() --- apache2/re.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/apache2/re.c b/apache2/re.c index 520abb985..b15793205 100644 --- a/apache2/re.c +++ b/apache2/re.c @@ -66,6 +66,7 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va char *errptr; int erroffset; int match = 0; + size_t value_len; if(msr == NULL) return 0; @@ -114,12 +115,17 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va value = NULL; } + value_len = 0; + if (value != NULL) { + value_len = strlen(value); + } + if((strlen(myname) == strlen(name)) && - (strncasecmp(myname, name,strlen(myname)) == 0)) { + (strncasecmp(myname, name, strlen(myname)) == 0)) { if(value != NULL && myvalue != NULL) { - if(strlen(value) > 2 && value[0] == '/' && value[strlen(value) - 1] == '/') { - value[strlen(value) - 1] = '\0'; + if(value_len > 2 && value[0] == '/' && value[value_len - 1] == '/') { + value[value_len - 1] = '\0'; #ifdef WITH_PCRE2 regex = msc_pregcomp(msr->mp, value + 1, PCRE2_DOTALL | PCRE2_CASELESS | PCRE2_DOLLAR_ENDONLY, (const char **)&errptr, &erroffset); @@ -154,7 +160,7 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va match = 1; } } - } else if((strlen(myvalue) == strlen(value)) && + } else if((strlen(myvalue) == value_len) && strncasecmp(myvalue,value,strlen(myvalue)) == 0) { if (msr->txcfg->debuglog_level >= 9) { msr_log(msr, 9, "fetch_target_exception: Target %s will not be processed.", target); From 1790659237b1071a1d4e39ad03d484ce5a6a5f08 Mon Sep 17 00:00:00 2001 From: Ervin Hegedus Date: Wed, 17 Apr 2024 18:08:44 +0200 Subject: [PATCH 4/4] Statement simplification --- apache2/re.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/apache2/re.c b/apache2/re.c index b15793205..d35f4ca04 100644 --- a/apache2/re.c +++ b/apache2/re.c @@ -167,12 +167,7 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va } match = 1; } - } else if (value == NULL && myvalue == NULL) { - if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "fetch_target_exception: Target %s will not be processed.", target); - } - match = 1; - } else if (value == NULL && myvalue != NULL) { + } else { if (msr->txcfg->debuglog_level >= 9) { msr_log(msr, 9, "fetch_target_exception: Target %s will not be processed.", target); }