diff --git a/.github/ISSUE_TEMPLATE/bug-report-for-version-2-x.md b/.github/ISSUE_TEMPLATE/bug-report-for-version-2-x.md
new file mode 100644
index 0000000000..b39db8633f
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug-report-for-version-2-x.md
@@ -0,0 +1,46 @@
+---
+name: Bug report for version 2.x
+about: Create a report to help us improve
+
+---
+
+**Describe the bug**
+
+A clear and concise description of what the bug is.
+
+**Logs and dumps**
+
+Output of:
+ 1. DebugLogs (level 9)
+ 2. AuditLogs
+ 3. Error logs
+ 4. If there is a crash, the core dump file.
+
+_Notice:_ Be carefully to not leak any confidential information.
+
+**To Reproduce**
+
+Steps to reproduce the behavior:
+
+A **curl** command line that mimics the original request and reproduces the problem. Or a ModSecurity v3 test case.
+
+[e.g: curl "modsec-full/ca/..\\..\\..\\..\\..\\..\\/\\etc/\\passwd" or [issue-394.json](https://github.com/SpiderLabs/ModSecurity/blob/v3/master/test/test-cases/regression/issue-394.json)]
+
+
+**Expected behavior**
+
+A clear and concise description of what you expected to happen.
+
+**Server (please complete the following information):**
+ - ModSecurity version (and connector): [e.g. ModSecurity v3.0.1 with nginx-connector v1.0.0]
+ - WebServer: [e.g. nginx-1.15.5]
+ - OS (and distro): [e.g. Linux, archlinux]
+
+
+**Rule Set (please complete the following information):**
+ - Running any public or commercial rule set? [e.g. SpiderLabs commercial rules]
+ - What is the version number? [e.g. 2018-08-11]
+
+**Additional context**
+
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/bug-report-for-version-3-x.md b/.github/ISSUE_TEMPLATE/bug-report-for-version-3-x.md
new file mode 100644
index 0000000000..58874dfb42
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug-report-for-version-3-x.md
@@ -0,0 +1,47 @@
+---
+name: Bug report for version 3.x
+about: Create a report to help us improve. If you don't know a specific detail or
+ piece of information leave it blank, if necessary we will help you to figure out.
+
+---
+
+**Describe the bug**
+
+A clear and concise description of what the bug is.
+
+**Logs and dumps**
+
+Output of:
+ 1. DebugLogs (level 9)
+ 2. AuditLogs
+ 3. Error logs
+ 4. If there is a crash, the core dump file.
+
+_Notice:_ Be carefully to not leak any confidential information.
+
+**To Reproduce**
+
+Steps to reproduce the behavior:
+
+A **curl** command line that mimics the original request and reproduces the problem. Or a ModSecurity v3 test case.
+
+[e.g: curl "modsec-full/ca/..\\..\\..\\..\\..\\..\\/\\etc/\\passwd" or [issue-394.json](https://github.com/SpiderLabs/ModSecurity/blob/v3/master/test/test-cases/regression/issue-394.json)]
+
+
+**Expected behavior**
+
+A clear and concise description of what you expected to happen.
+
+**Server (please complete the following information):**
+ - ModSecurity version (and connector): [e.g. ModSecurity v3.0.1 with nginx-connector v1.0.0]
+ - WebServer: [e.g. nginx-1.15.5]
+ - OS (and distro): [e.g. Linux, archlinux]
+
+
+**Rule Set (please complete the following information):**
+ - Running any public or commercial rule set? [e.g. SpiderLabs commercial rules]
+ - What is the version number? [e.g. 2018-08-11]
+
+**Additional context**
+
+Add any other context about the problem here.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 0000000000..4d274644a4
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,24 @@
+<!-- Thank you for contributing to OWASP ModSecurity, your effort is greatly appreciated -->
+<!-- Please help us by adding the information below in this PR so it aids reviewers -->
+
+## what
+
+<!--
+- Describe high-level what changed as a result of these commits (i.e. in plain-english, what do these changes mean?)
+- Use bullet points to be concise and to the point.
+-->
+
+## why
+
+<!--
+- Provide the justifications for the changes (e.g. business case).
+- Describe why these changes were made (e.g. why do these commits fix the problem?)
+- Use bullet points to be concise and to the point.
+-->
+
+## references
+
+<!--
+- Link to any supporting github issues or helpful documentation to add some context (e.g. stackoverflow).
+- Use `closes #123`, if this PR closes a GitHub issue `#123`
+-->
diff --git a/.github/security2.conf b/.github/security2.conf
new file mode 100644
index 0000000000..d9051b007c
--- /dev/null
+++ b/.github/security2.conf
@@ -0,0 +1,8 @@
+LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so
+
+<IfModule security2_module>
+ SecDataDir /var/cache/modsecurity
+ Include /etc/apache2/modsecurity.conf
+</IfModule>
+
+SecAuditLog /var/log/apache2/modsec_audit.log
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000000..5e625415a1
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,76 @@
+name: Quality Assurance
+
+on:
+ push:
+ pull_request:
+
+jobs:
+ build-linux:
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ os: [ubuntu-22.04]
+ platform: [x32, x64]
+ compiler: [gcc, clang]
+ configure:
+ - {label: "with pcre, no study, no jit", opt: "--enable-pcre-study=no" }
+ - {label: "with pcre, with study, no jit", opt: "--enable-pcre-study=yes" }
+ - {label: "with pcre, no study, with jit", opt: "--enable-pcre-study=no --enable-pcre-jit" }
+ - {label: "with pcre, with study, with jit", opt: "--enable-pcre-study=yes --enable-pcre-jit" }
+ - {label: "with pcre2", opt: "--with-pcre2 --enable-pcre-study=no" }
+ - {label: "with pcre2, with study, no jit", opt: "--with-pcre2 --enable-pcre-study=yes" }
+ - {label: "with pcre2, no study, with jit", opt: "--with-pcre2 --enable-pcre-study=no --enable-pcre-jit" }
+ - {label: "with pcre2, with study, with jit", opt: "--with-pcre2 --enable-pcre-study=yes --enable-pcre-jit" }
+ - {label: "with lua", opt: "--with-lua" }
+ - {label: "wo lua", opt: "--without-lua" }
+ steps:
+ - name: Setup Dependencies
+ run: |
+ sudo apt-get update -y -qq
+ sudo apt-get install -y apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev pkg-config libyajl-dev apache2 apache2-bin apache2-data
+ - uses: actions/checkout@v2
+ - name: autogen.sh
+ run: ./autogen.sh
+ - name: configure ${{ matrix.configure.label }}
+ run: ./configure --enable-assertions ${{ matrix.configure.opt }} 'CFLAGS=-Werror=format-security'
+ - uses: ammaraskar/gcc-problem-matcher@master
+ - name: make
+ run: make -j `nproc`
+ - name: install module
+ run: sudo make install
+ - name: prepare config
+ run: |
+ sudo cp .github/security2.conf /etc/apache2/mods-enabled/
+ sudo cp modsecurity.conf-recommended /etc/apache2/modsecurity.conf
+ sudo cp unicode.mapping /etc/apache2/
+ sudo mkdir -p /var/cache/modsecurity
+ sudo chown -R www-data:www-data /var/cache/modsecurity
+ - name: first check config (to get syntax errors)
+ run: sudo apachectl configtest
+ - name: start apache with module
+ run: sudo systemctl restart apache2.service
+ - name: Search for errors/warnings in error log
+ run: |
+ # '|| :' handles the case grep doesn't match, otherwise the script exits with 1 (error)
+ errors=$(grep -E ':(?error|warn)[]]' /var/log/apache2/error.log) || :
+ if [[ -z "${errors}" ]]; then exit 0; fi
+ echo "::error:: Found errors/warnings in error.log"
+ echo "${errors}"
+ exit 1
+ - name: Check error.log
+ run: |
+ # Send requests & check log format
+ # Valid request
+ curl -s http://127.0.01/ > /dev/null || echo $?
+ # Invalid request
+ curl -s http://127.0.01/%2e%2f > /dev/null || echo $?
+ # Check log format
+ grep -F ModSecurity < /var/log/apache2/error.log | grep -vP "^\[[^\]]+\] \[security2:[a-z]+\] \[pid [0-9]+:tid [0-9]+\] (?:\[client [0-9.:]+\] )?ModSecurity" || exit 0
+ # grep -v succeeded => found some lines with invalid format
+ exit 1
+ - name: Show httpd error log
+ if: always()
+ run: sudo cat /var/log/apache2/error.log
+ - name: Show mod_security2 audit log
+ if: always()
+ run: sudo cat /var/log/apache2/modsec_audit.log
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000..3391ea5134
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,111 @@
+# Prerequisites
+*.d
+
+# Object files
+*.o
+*.ko
+*.obj
+*.elf
+
+# Linker output
+*.ilk
+*.map
+*.exp
+
+# Precompiled Headers
+*.gch
+*.pch
+
+# Libraries
+*.lib
+*.a
+*.la
+*.lo
+
+# Shared objects (inc. Windows DLLs)
+*.dll
+*.so
+*.so.*
+*.dylib
+
+# Executables
+*.exe
+*.out
+*.app
+*.i*86
+*.x86_64
+*.hex
+
+# Debug files
+*.dSYM/
+*.su
+*.idb
+*.pdb
+
+# Backup files
+*~
+
+# Kernel Module Compile Results
+*.mod*
+*.cmd
+.tmp_versions/
+modules.order
+Module.symvers
+Mkfile.old
+dkms.conf
+
+# http://www.gnu.org/software/automake
+
+Makefile.in
+/ar-lib
+/mdate-sh
+/py-compile
+/test-driver
+/ylwrap
+.deps/
+.dirstamp
+
+# http://www.gnu.org/software/autoconf
+
+autom4te.cache
+/autoscan.log
+/autoscan-*.log
+/aclocal.m4
+/compile
+/config.cache
+/config.guess
+/config.h.in
+/config.log
+/config.status
+/config.sub
+/configure
+/configure.scan
+/depcomp
+/install-sh
+/missing
+/stamp-h1
+
+# https://www.gnu.org/software/libtool/
+
+/ltmain.sh
+
+# http://www.gnu.org/software/texinfo
+
+/texinfo.tex
+
+# http://www.gnu.org/software/m4/
+
+m4/libtool.m4
+m4/ltoptions.m4
+m4/ltsugar.m4
+m4/ltversion.m4
+m4/lt~obsolete.m4
+
+# Generated Makefile
+# (meta build system like autotools,
+# can automatically generate from config.status script
+# (which is called by configure script))
+Makefile
+
+# IDEs
+.idea
\ No newline at end of file
diff --git a/CHANGES b/CHANGES
index 031648e4d5..416d6fd399 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,9 +1,443 @@
-DD mmm YYYY - X.Y.Z (To be released)
-------------------------------------
+(to be released) - 2.9.x
+------------------------
+ * Fixed apr_global_mutex_create() usage (no filename)
+ [PR #3269 - @marcstern]
+* handle errors from apr_global_mutex_lock
+ [PR #3257 - @marcstern]
+
+03 Sep 2024 - 2.9.8
+-------------------
+
+ * Fixed ap_log_perror() usage
+ [PR #3241 - @marcstern]
+ * Memory leaks + enhanced logging
+ [PR #3191 - @marcstern]
+ * CI improvement: First check syntax & always display error/audit logs
+ [PR #3190 - @marcstern]
+ * Fixed assert() usage
+ [PR #3202 - @marcstern]
+ * Removed useless code
+ [PR #3193 - @marcstern]
+ * feat: Check if the MP header contains invalid character
+ [PR #3226 - @airween]
+ * Use standard httpd logging format in error log
+ [PR #3192 - @marcstern]
+ * fix msc_regexec() != PCRE_ERROR_NOMATCH strict check
+ [PR #3194 - @marcstern]
+ * Move xmlFree() call to the right place
+ [Issue #3199 - @airween]
+ * Add collection size in log in case of writing error
+ [Issue #3198 - @marcstern]
+ * Passing address of lock instead of lock in acquire_global_lock()
+ [Issue #3188 - @marcstern]
+ * Invalid pointer access in case rule id == NOT_SET_P
+ [Issue #3187 - @marcstern]
+ * Show error.log after httpd start in CI
+ [Issue #3171 - @marcstern]
+ * chore: add pull request template
+ [Issue #3159 - @fzipi]
+ * chore: add gitignore file
+ [Issue #3158 - @fzipi]
+ * Possible double free
+ [Issue #3155 - @marcstern]
+ * Set 'jit' variable's initial value
+ [Issue #3154 - @marcstern]
+ * Missing null byte + optimization
+ [Issue #3153 - @marcstern]
+ * fix: remove usage of insecure tmpname
+ [Issue #3149 - @fzipi]
+ * docs: update copyright
+ [Issue #3148 - @fzipi]
+ * Enhanced logging [Issue #3107]
+ [Issue #3139 - @marcstern]
+ * Check for null pointer dereference (almost) everywhere
+ [Issue #3120 - @marcstern]
+ * Fix possible segfault in collection_unpack
+ [Issue #3099 - @twouters]
+ * fix: Replace obsolete macros
+ [Issue #3094 - @airween]
+ * chore: update bug-report-for-version-2-x.md
+ [Issue #3087 - @fzipi]
+ * feat: Add more steps: install built module and restart the server
+ [Issue #3078 - @airween]
+ * Add new flag: --without-lua
+ [Issue #3076 - @airween]
+ * Initial release of CI worklow
+ [Issue #3075 - @airween]
+ * V2/fixbuildissue
+ [Issue #3074 - @airween]
+ * ; incorrectly replaced by space in cmdline
+ [Issue #3051 - @marcstern]
+ * Detailed error message when writing collections
+ [Issue #3050 - @marcstern]
+ * docs: Fix organization name in references and security e-mail (v2)
+ [Issue #3043 - @airween]
+ * ctl:ruleRemoveByTag isn't executed if no rule id is present in the rule
+ [Issue #3012 - @marcstern]
+ * Suppress useless loop on tag matching
+ [Issue #3009 - @marcstern]
+ * Optimization: Avoid last loop and storing an empty value in case nothing
+ after last %{..} macro
+ [Issue #3004 - @marcstern]
+ * Ignore (consistently) empty actions
+ [Issue #3003 - @marcstern]
+ * Add context info to error message
+ [Issue #2997 - @marcstern]
+ * Implement msre_action_phase_validate()
+ [Issue #2994 - @marcstern]
+ * Avoid some useless code and memory allocation in case no macro is present
+ [Issue #2992 - @marcstern]
+ * 'jit' variable not initialized when WITH_PCRE2 is defined
+ [Issue #2987 - @marcstern]
+ * Configure: do not check for pcre1 if pcre2 requested
+ [Issue #2975 - @martinhsv]
+ * Double memory allocation
+ [Issue #2969 - @marcstern]
+ * Fix for DEBUG_CONF compile flag
+ [Issue #2963 - @marcstern]
+ * Enhance logging
+ [Issue #3107 - @marcstern]
+ * Fix possible segfault in collection_unpack
+ [Issue #3072 - @twouters]
+ * Set the minimum security protocol version for SecRemoteRules
+ [Issue security/code-scanning/2 - @airween]
+ * Allow lua version 5.4
+ [Issue #2996 - @3eka, @martinhsv]
+ * Configure: do not check for pcre1 if pcre2 requested
+ [Issue #2975 - @zhaoshikui, @martinhsv]
+ * Check return code of apr_procattr_io_set()
+ [Issue #2958 - @marcstern]
+ * Do not escape special chars in rx pattern with macro
+ [Issue #2357 - @marcstern, @martinhsv]
+ * Substitute two equals-equals operators in build
+ [Issue #2883 - @Polynomial-C]
+
+04 Jan 2023 - 2.9.7
+-------------------
+
+ * Fix: FILES_TMP_CONTENT may sometimes lack complete content
+ [Issue #2857 - gieltje, @airween, @dune73, @martinhsv]
+ * Support configurable limit on number of arguments processed
+ [Issue #2844 - @jleproust, @martinhsv]
+ * Silence compiler warning about discarded const
+ [Issue #2843 - @Steve8291, @martinhsv]
+ * Support for JIT option for PCRE2
+ [Issue #2840 - @martinhsv]
+ * Use uid for user if apr_uid_name_get() fails
+ [Issue #2046 - @arminabf, @marcstern]
+ * Fix: handle error with SecConnReadStateLimit configuration
+ [Issue #2815, #2834 - @marcstern, @martinhsv]
+ * Only check for pcre2 install if required
+ [Issue #2833 - @martinhsv]
+ * Adjustment of previous fix for log messages
+ [Issue #2832 - @marcstern, @erkia]
+ * Mark apache error log messages as from mod_security2
+ [Issue #2781 - @erkia]
+ * Use pkg-config to find libxml2 first
+ [Issue #2818 - @hughmcmaster]
+ * Support for PCRE2 in mlogc
+ [Issue #2737, #2827 - @martinhsv]
+ * Support for PCRE2
+ [Issue #2737 - @martinhsv]
+
+07 Sep 2022 - 2.9.6
+-------------------
+
+ * Adjust parser activation rules in modsecurity.conf-recommended
+ [Issue #2799 - @terjanq, @martinhsv]
+ * Multipart parsing fixes and new MULTIPART_PART_HEADERS collection
+ [Issue #2797 - @terjanq, @martinhsv]
+ * Limit rsub null termination to where necessary
+ [Issue #2794 - @marcstern, @martinhsv]
+ * IIS: Update dependencies for next planned release
+ [@martinhsv]
+ * XML parser cleanup: NULL duplicate pointer
+ [Issue #2760 - @martinhsv]
+ * Properly cleanup XML parser contexts upon completion
+ [Issue #2239 - @argenet]
+ * Fix memory leak in streams
+ [Issue #2208 - @marcstern, @vloup, @JamesColeman-LW]
+ * Fix: negative usec on log line when data type long is 32b
+ [Issue #2753 - @ABrauer-CPT, @martinhsv]
+ * mlogc log-line parsing fails due to enhanced timestamp
+ [Issue #2682 - @bozhinov, @ABrauer-CPT, @martinhsv]
+ * Allow no-key, single-value JSON body
+ [Issue #2735 - @marcstern, @martinhsv]
+ * Set SecStatusEngine Off in modsecurity.conf-recommended
+ [Issue #2717 - @un99known99, @martinhsv]
+ * Fix memory leak that occurs on JSON parsing error
+ [Issue #2236 @argenet, @vloup, @martinhsv]
+ * Multipart names/filenames may include single quote if double-quote enclosed
+ [Issue #2352 @martinhsv]
+ * Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
+ [Issue #2647 @theMiddleBlue, @airween, @877509395 ,@martinhsv]
+ * IIS: Update dependencies for Windows build as of v2.9.5
+ [@martinhsv]
+
+22 Nov 2021 - 2.9.5
+-------------------
+
+ * Support configurable limit on depth of JSON parsing
+ [@theMiddleBlue, @airween, @dune73, @martinhsv]
+
+21 Jun 2021 - 2.9.4
+-------------------
+
+ * Add microsec timestamp resolution to the formatted log timestamp
+ [Issue #2095 - @rainerjung]
+ * Store temporaries in the request pool for regexes compiled per-request.
+ [Issue #890, #2049 - @lightsey]
+ * Fix other usage of the global pool for request temporaries in re_operators.c
+ [Issue #890, #2049 - @lightsey]
+ * Adds a sanity check before use ctl:ruleRemoveTargetById and ctl:ruleRemoveTargetByMsg.
+ [Issue #2033 - @studersi]
+ * Fix the order of error_msg validation
+ [Issue #2128 - @marcstern, @zimmerle]
+ * Added missing Geo Countries
+ [Issue #2123, #2124 - @emphazer]
+ * When the input filter finishes, check whether we returned data
+ [Issue #2091, #2092 - @rainerjung]
+ * fix: care non-null terminated chunk data
+ [Issue #2097 - @orisano]
+ * Fix for apr_global_mutex_create() crashes with mod_security
+ [Issue #1957 - @blappm]
+ * Fix inet addr handling on 64 bit big endian systems
+ [Issue #1980 - @zimmerle, @airween]
+
+
+05 Dec 2018 - 2.9.3
+-------------------
+
+ * Enable optimization for large stream input by default on IIS
+ [Issue #1299 - @victorhora, @zimmerle]
+ * Allow 0 length JSON requests.
+ [Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
+ * Include unanmed JSON values in unnamed ARGS
+ [Issue #1577, #1576 - @marcstern, @victorhora, @zimmerle]
+ * Fix buffer size for utf8toUnicode transformation
+ [Issue #1208 - @katef, @victorhora]
+ * Fix sanitizing JSON request bodies in native audit log format
+ [p0pr0ck5, @victorhora]
+ * IIS: Update Wix installer to bundle a supported CRS version (3.0)
+ [@victorhora, @zimmerle]
+ * IIS: Update dependencies for Windows build
+ [Issue #1848 - @victorhora, @hsluoyz]
+ * IIS: Set SecStreamInBodyInspection by default on IIS builds (#1299)
+ [Issue #1299 - @victorhora]
+ * IIS: Update modsecurity.conf
+ [Issue #788 - @victorhora, @brianclark]
+ * Add sanity check for a couple malloc() and make code more resilient
+ [Issue #979 - @dogbert2, @victorhora, @zimmerl]
+ * Fix NetBSD build by renaming the hmac function to avoid conflicts
+ [Issue #1241 - @victorhora, @joerg, @sevan]
+ * IIS: Windows build, fix duplicate YAJL dir in script
+ [Issue #1612 - @allanbomsft, @victorhora]
+ * IIS: Remove body prebuffering due to no locking in modsecProcessRequest
+ [Issue #1917 - @allanbomsft, @victorhora]
+ * Fix mpm-itk / mod_ruid2 compatibility
+ [Issue #712 - @ju5t , @derhansen, @meatlayer, @victorhora]
+ * Code cosmetics: checks if actionset is not null before use it
+ [Issue #1556 - @marcstern, @zimmerle, @victorhora]
+ * Only generate SecHashKey when SecHashEngine is On
+ [Issue #1671 - @dmuey, @monkburger, @zimmerle]
+ * Docs: Reformat README to Markdown and update dependencies
+ [Issue #1857 - @hsluoyz, @victorhora]
+ * IIS: no lock on ProcessRequest. No reload of config.
+ [Issue #1826 - @allanbomsft]
+ * IIS: buffer request body before taking lock
+ [Issue #1651 - @allanbomsft]
+ * good practices: Initialize variables before use it
+ [Issue #1889 - Marc Stern]
+ * Let body parsers observe SecRequestBodyNoFilesLimit
+ [Issue #1613 - @allanbomsft]
+ * potential off by one in parse_arguments
+ [Issue #1799 - @tinselcity, @zimmerle]
+ * Fix utf-8 character encoding conversion
+ [Issue #1794 - @tinselcity, @zimmerle]
+ * Fix ip tree lookup on netmask content
+ [Issue #1793 - @tinselcity, @zimmerle]
+ * IIS: set overrideModeDefault to Allow so that individual websites can
+ add <ModSecurity ...> to their web.config file
+ [Issue #1781 - @default-kramer]
+ * modsecurity.conf-recommended: Fix spelling
+ [Issue #1721 - @padraigdoran]
+ * build: fix when multiple lines for curl version
+ [Issue #1771 - @Artistan]
+ * Fix arabic charset in unicode_mapping file
+ [Issue #1619 - @alaa-ahmed-a]
+ * Optionally preallocates memory when SecStreamInBodyInspection is on
+ [Issue #1366 - @allanbomsft, @zimmerle]
+ * Fixed typo in build_yajl.bat
+ [Issue #1366 - @allanbomsft]
+ * Fixes SecConnWriteStateLimit
+ [Issue #1545 - @nicjansma]
+ * Added "empy chunk" check
+ [Issue #1347, #1446 - @gravagli, @bostrt, @zimmerle]
+ * Add capture action to @detectXSS operator
+ [Issue #1488, #1482 - @victorhora]
+ * Fix for wildcard operator when loading conf files on Nginx / IIS
+ [Issue #1486, #1285 - @victorhora and @thierry-f-78]
+ * Set of fixies to make windows build workable with the buildbots
+ [Commit 94fe3 - @zimmerle]
+ * Uses LOG_NO_STOPWATCH instead of DLOG_NO_STOPWATCH
+ [Issue #1510 - @marcstern]
+ * Adds missing headers
+ [Issue #1454 - @devnexen]
+
+
+18 Jul 2017 - 2.9.2
+-------------------
+
+ * IIS build refactoring and dependencies update
+ [Issue #1487 - @victorhora]
+ * Best practice: Initialize msre_var pointers
+ [Commit fbd57 - Allan Boll]
+ * nginx: Obtain port from r->connection->local_sockaddr.
+ [Commit 51314 - @defanator]
+ * Updates libinjection to v3.10.0
+ [Issue #1412 - @client9, @zimmerle and @bjdijk]
+ * Avoid log flood while using SecConnEngine
+ [Issue #1436 - @victorhora]
+ * Make url path absolute for SecHashEngine only when it is relative
+ in the first place.
+ [Issue #752, #1071 - @hideaki]
+ * Fix the hex digit size for SHA1 on msc_crypt implementation.
+ [Issue #1354 - @zimmerle and @parthasarathi204]
+ * Avoid to flush xml buffer while assembling the injected html.
+ [Issue #742 - @zimmerle]
+ * Avoid additional operator invokation if last transform of a multimatch
+ doesn't modify the input
+ [Issue #1086, #1087 - Daniel Stelter-Gliese]
+ * Adds a sanity check before use ctl:ruleRemoveTargetByTag.
+ [Issue #1353 - @LukeP21 and @zimmerle]
+ * Uses an optional global lock while manipulating collections.
+ [Issues #1224 - @mturk and @zimmerle]
+ * Fix collection naming problem while merging collections.
+ [Issue #1274 - Coty Sutherland and @zimmerle]
+ * Fix --enable-docs adding missing Makefile, modifying autoconf and filenames
+ [Issue #1322 - @victorhora]
+ * Change from using rand() to thread-safe ap_random_pick.
+ [Issue #1289 - Robert Bost]
+ * Cosmetics: added comments on odd looking code to prevent future
+ scrutiny
+ [Issue #1279 - Coty Sutherland]
+ * {dis|en}able-server-context-logging: Option to disable logging of
+ server info (log producer, sanitized objects, ...) in audit log.
+ [Issue #1069 - Marc Stern]
+ * Allow drop to work with mod_http2
+ [Issue #1308, #992 - @bazzadp]
+ * Fix SecConn(Read|Write)StateLimit on Apache 2.4
+ [Issue #1340, #1337, #786 - Sander Hoentjen]
+ * {dis|en}able-stopwatch-logging: Option to disable logging of stopwatches
+ in audit log.
+ [Issue #1067 - Marc Stern]
+ * {dis|en}able-dechunk-logging: Option to disable logging of
+ dechunking in audit log when log level < 9.
+ [Issue #1068 - Marc Stern]
+ * Updates libinjection to: da027ab52f9cf14401dd92e34e6683d183bdb3b4
+ [ModSecurity team]
+ * {dis|en}able-handler-logging: Option to disable logging of Apache handler
+ in audit log
+ [Issue #1070, #1381 - Marc Stern]
+ * {dis|en}able-collection-delete-problem-logging: Option to disable logging of
+ collection delete problem in audit log when log level < 9.
+ [Issue #1380 - Marc Stern]
+ * Adds rule id in logs whenever a rule fail.
+ [Issue #1379, #391 - Marc Stern]
+ * {dis|en}able-server-logging: Option to disable logging of
+ "Server" in audit log when log level < 9.
+ [Issue #1070 - Marc Stern]
+ * {dis|en}able-filename-logging: Option to disable logging of filename
+ in audit log.
+ [Issue #1065 - Marc Stern]
+ * Reads fuzzy hash databases on init
+ [Issue #1339 - Robert Paprocki and @Rendername]
+ * Changes the configuration to recognize soap+xml as XML
+ [Issue #1374 - @emphazer and Chaim Sanders]
+ * Fix building with nginx >= 1.11.11
+ [Issue #1373, #1359 - Andrei Belov and Thomas Deutschmann]
+ * Using Czechia instea of Czech Republic
+ [Issue #1258 - Michael Kjeldsen]
+ * {dis|en}able-rule-id-validation: Option to disable rule id validation
+ [Issue #1150 - Marc Stern and ModSecurity team]
+ * JSON Log: Append a newline to concurrent JSON audit logs
+ [Issue #1233 - Robert Paprocki]
+ * JSON Log: Don't unnecessarily rename request body parts in cleanup
+ [Issue #1223 - Robert Paprocki]
+ * Fix error message inside audit logs
+ [Issue #1216 and #1073 - Armin Abfalterer]
+ * Remove port from IPV4 address when running under IIS.
+ [Issue #1220, #1109 and #734 - Robert Culyer]
+ * Remove logdata and msg fields from JSON audit log rule.
+ [Issue #1190 and #1174 - Robert Paprocki]
+ * Better handle the json parser cleanup
+ [Issue #1204 - Ephraim Vider]
+ * Fix status failing to report in Nginx auditlogs
+ [Issue #977, #1171 - @charlymps and Chaim Sanders]
+ * Fix file upload JSON audit log entry
+ [Issue #1181 and #1173 - Robert Paprocki and Christian Folini]
+ * configure: Fix detection whether libcurl is linked against gnutls and,
+ move verbose_output declaration up to the beginning.
+ [Issue #1158 - Thomas Deutschmann (@Whissi)]
+ * Treat APR_INCOMPLETE as APR_EOF while receiving the request body.
+ [Issue #1060, #334 - Alexey Sintsov]
+
+
+Security issues
+
+ * Allan Boll reported an uninitialized variable that may lead to a crash on
+ Windows platform.
+ * Brian Adeloye reported an infinite loop on the version of libinjection used
+ on ModSecurity 2.9.1.
+
+
+09 Mar 2016 - 2.9.1
+-------------------
+
+ * No changes.
+
+03 Feb 2016 - 2.9.1-RC1
+-----------------------
+
+ * Added support to generate audit logs in JSON format.
+ [Issue #914, #897, #656 - Robert Paprocki]
+ * Creating AuditLog serial file (or parallel index) respecting the
+ permission configured with SecAuditLogFileMode. Previously, it was
+ used only to save the transactions while in parallel mode.
+ [Issue #852 - @littlecho and ModSecurity team]
+ * Checking for hashing injection response, to report in case of failure.
+ [Issue #1041 - ModSecurity team]
+ * Stop buffering when the request is larger than SecRequestBodyLimit
+ in ProcessPartial mode
+ [Issue #709, #705, #728 - Justin Gerace and ModSecurity team]
+ * Extended Lua support to include version 5.3
+ [Issue #837, #762, #814 - Athmane Madjoudj and ModSecurity team]
+ * mlogc: Allows user to choose between TLS versions (TLSProtocol option
+ introduced).
+ [Issue #881 - Ishwor Gurung]
+ * Allows mod_proxy's "nocanon" behavior to be specified in proxy actions
+ [Issue #1031, #961, #763 - Mario D. Santana and ModSecurity team]
+ * Refactoring conditional #if/#defs directives.
+ [Issue #996 - Wesley M and ModSecurity team]
+ * mlogc-batch-load.pl.in: fix searching SecAuditLogStorageDir
+ files with Apache 2.4
+ [Issue #775 - Elia Pinto]
+ * Understands IIS 10 as compatible on Windows installer.
+ [Issue #931 - Anton Serbulov, Pavel Vasilevich and ModSecurity team]
+ * Fix apache logging limitation by using correct Apache call.
+ [Issue #840 - Christian Folini]
+ * Fix apr_crypto.h check on 32-bit Linux platform
+ [Issue #882, #883 - Kurt Newman]
+ * Fix variable resolution duration (Content of the DURATION variable).
+ [Issue #662 - Andrew Elble]
+ * Fix crash while adding empty keys to persistent collections.
+ [Issue #927 - Eugene Alekseev, Marc Stern and ModSecurity team]
+ * Remove misguided call to srand()
+ [Issues #778, #781 and #836 - Michael Bunk, @gilperon]
* Fix compilation problem while ssdeep is installed in non-standard
location.
- [Issude #872 - Kurt Newman]
+ [Issue #872 - Kurt Newman]
* Fix invalid storage reference by apr_psprintf at msc_crypt.c
[Issue #609 - Jeff Trawick]
diff --git a/LICENSE b/LICENSE
index 261eeb9e9f..9135230d95 100644
--- a/LICENSE
+++ b/LICENSE
@@ -175,18 +175,7 @@
END OF TERMS AND CONDITIONS
- APPENDIX: How to apply the Apache License to your work.
-
- To apply the Apache License to your work, attach the following
- boilerplate notice, with the fields enclosed by brackets "[]"
- replaced with your own identifying information. (Don't include
- the brackets!) The text should be enclosed in the appropriate
- comment syntax for the file format. We also recommend that a
- file or class name and description of purpose be included on the
- same "printed page" as the copyright notice for easier
- identification within third-party archives.
-
- Copyright [yyyy] [name of copyright owner]
+ Copyright 2016 ModSecurity
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
diff --git a/README.TXT b/README.TXT
deleted file mode 100644
index 9442e83a2f..0000000000
--- a/README.TXT
+++ /dev/null
@@ -1,110 +0,0 @@
-ModSecurity for Apache 2.x, http://www.modsecurity.org/
-Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
-
-You may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-If any of the files related to licensing are missing or if you have any
-other questions related to licensing please contact Trustwave Holdings, Inc.
-directly using the email address security@modsecurity.org.
-
-
-DOCUMENTATION
-
-Please refer to the documentation folder (/doc) for
-the reference manual.
-
-
-##############################################
-----------------------------------
-OWASP ModSecurity Core Rule Set (CRS)
-
-
-Project Site:
-https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
-
-
-Download:
-https://github.com/SpiderLabs/owasp-modsecurity-crs
-
-----------------------------------
-
-ModSecurity™ is a web application firewall engine that provides very
-little protection on its own. In order to become useful, ModSecurity™ must
-be configured with rules. In order to enable users to take full advantage
-of ModSecurity™ out of the box, Trustwave's SpiderLabs is providing a free
-certified rule set for ModSecurity™ 2.x. Unlike intrusion detection and
-prevention systems, which rely on signatures specific to known
-vulnerabilities, the Core Rules provide generic protection from unknown
-vulnerabilities often found in web applications, which are in most cases
-custom coded. The Core Rules are heavily commented to allow it to be used
-as a step-by-step deployment guide for ModSecurity™.
-Core Rules Content
-
-In order to provide generic web applications protection, the Core Rules
-use the following techniques:
-
-* HTTP Protection - detecting violations of the HTTP protocol and a
-locally defined usage policy.
-* Real-time Blacklist Lookups - utilizes 3rd Party IP Reputation
-* Web-based Malware Detection - identifies malicious web content by check
-against the Google Safe Browsing API.
-* HTTP Denial of Service Protections - defense against HTTP Flooding and
-Slow HTTP DoS Attacks.
-* Common Web Attacks Protection - detecting common web application
-security attack.
-* Automation Detection - Detecting bots, crawlers, scanners and other
-surface malicious activity.
-* Integration with AV Scanning for File Uploads - detects malicious files
-uploaded through the web application.
-* Tracking Sensitive Data - Tracks Credit Card usage and blocks leakages.
-* Trojan Protection - Detecting access to Trojans horses.
-* Identification of Application Defects - alerts on application
-misconfigurations.
-* Error Detection and Hiding - Disguising error messages sent by the
-server.
-
-
-----------------------------------
-ModSecurity Rules from Trustwave SpiderLabs
-
-Project Site:
-https://www.trustwave.com/modsecurity-rules-support.php
-
-Download:
-https://ssl.trustwave.com/web-application-firewall
-
-----------------------------------
-
-
-
-Trustwave now provides a commercial certified rule set for ModSecurity 2.x
-that protects against known attacks that target vulnerabilities in public
-software and are based on intelligence gathered from real-world
-investigations, honeypot data and research.
-
-1. More than 16,000 specific rules, broken out into the following attack
-categories:
- * SQL injection
- * Cross-site Scripting (XSS)
- * Local File Include
- * Remote File Include
-
-2. User option for application specific rules, covering the same
-vulnerability classes for applications such as:
- * WordPress
- * cPanel
- * osCommerce
- * Joomla
- * For a complete listing of application coverage, please refer to this
-link (which is updated daily).
-https://modsecurity.org/projects/commercial/rules/application_coverage.html
-
-3. Complements and integrates with the OWASP Core Rule Set
-4. IP Reputation capabilities which provide protection against malicious
-clients identified by the Trustwave SpiderLabs Distributed Web Honeypots
-5. Malware Detection capabilities which prevent your web site from
-distributing malicious code to clients.
-##############################################
diff --git a/README.md b/README.md
new file mode 100644
index 0000000000..a823585172
--- /dev/null
+++ b/README.md
@@ -0,0 +1,22 @@
+# ModSecurity 2
+
+https://www.modsecurity.org/
+
+Copyright (c) 2004-2024 Trustwave Holdings, Inc. (https://www.trustwave.com/)
+Copyright (c) 2024-2024 OWASP ModSecurity Project (https://www.owasp.org/)
+
+You may not use this file except in compliance with the License. You may obtain a copy of the License at: https://www.apache.org/licenses/LICENSE-2.0
+
+If any of the files related to licensing are missing or if you have any other questions related to licensing please contact us here: modsecurity@owasp.org.
+
+## Documentation
+
+Please refer to: [the documentation folder](https://github.com/owasp-modsecurity/ModSecurity/tree/v2/master/doc) for the reference manual.
+
+## Sponsor Note
+
+Original Development of ModSecurity was sponsored by Trustwave. In 2024, [stewardship was transferred to OWASP](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-transfers-modsecurity-custodianship-to-the-open-worldwide-application-security-project/).
+
+Contact us for sponsorship!
+
+You can also send us donations using the [OWASP donations page](https://owasp.org/donate/?reponame=www-project-modsecurity&title=OWASP+ModSecurity).
diff --git a/README_WINDOWS.TXT b/README_WINDOWS.TXT
deleted file mode 100644
index 94c2bc9db9..0000000000
--- a/README_WINDOWS.TXT
+++ /dev/null
@@ -1,192 +0,0 @@
-=====================================================================
-MOD_SECURITY 2.6 Command-line Build notes for Windows 4/2/2011
-by Tom Donovam
-=====================================================================
-
-PREREQUISITES:
-
- Microsoft Visual Studio C++ tested with Visual Studio 2008 (aka VC9)
-
- CMake build system from: http://www.cmake.org/ tested with CMake v2.8.0
-
- Apache 2.2.x from: http://httpd.apache.org/ tested with Apache 2.2.17
- Apache must be built from source using the same Visual Studio compiler as mod_security.
-
- PCRE Perl Compatible Regular Expression library from: http://www.pcre.org/ tested with PCRE v8.12
-
- LibXML2 from: http://xmlsoft.org/ tested with LibXML2 v2.7.7
- Note that LibXML2 v2.7.8 does not build correctly for Windows
-
- Lua Scripting Language from: http://www.lua.org/ tested with Lua v5.1.4
-
- cURL multiprotocol file transfer library from: http://curl.haxx.se/ tested with cURL v7.21.4
-
-
-BEFORE BUILDING
-
-The directory where you build software from source ( C:\work in this exmaple)
-must contain the Apache source you used to build the Apache web serverand the mod_security source
-
- Apache source is in C:\work\httpd-2.2.17 in this example.
- Apache has been installed to C:\Apache2217 in this example.
- Mod_security source is in C:\work\mod_security in this example.
-
-Download and untar the prerequite library sources:
-
- Download pcre-8.12.tar.gz from ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
- untar it into C:\work\ creating C:\work\pcre-8.12
-
- Download libxml2-2.7.7.tar.gz from ftp://xmlsoft.org/libxml2/
- untar it into C:\work\ creating C:\work\libxml2-2.7.7
-
- Download lua-5.1.4.tar.gz from http://www.lua.org/ftp/
- untar it into C:\work\ creating C:\work\lua-5.1.4
-
- Download curl-7.21.4.tar.gz from http://curl.haxx.se/download.html
- untar it into C:\work\ creating C:\work\curl-7.21.4
-
-Setup your build environment:
-
- The PATH environment variable must include the Visual Studio variables as set by vsvars32.bat
- The PATH environment variable must also include the CMAKE bin\ directory
-
- Set an environment variable to the Apache source code directory:
-
- SET HTTPD_BUILD=C:\work\httpd-2.2.17
-
- If OpenSSL and Zlib support were included when you built Apache 2.2, and you want them available to LIBXML2 and CURL
-
- Ensure that cURL and libXML2 can find the OpenSSL and Zlib includes and libraries that Apache was built with.
-
- SET INCLUDE=%INCLUDE%;%HTTPD_BUILD%\srclib\openssl\inc32;%HTTPD_BUILD%\srclib\zlib
- SET LIB=%LIB%;%HTTPD_BUILD%\srclib\openssl\out32dll;%HTTPD_BUILD%\srclib\zlib
-
- Ensure that cURL and libXML2 don't use the static zlib library: zlib.lib.
- Force cURL and libXML2 to use zdll.lib instead, requiring zlib1.dll at runtime:
-
- IF EXIST %HTTPD_BUILD%\srclib\zlib\zlib.lib DEL %HTTPD_BUILD%\srclib\zlib\zlib.lib
-
-BUILD PCRE-8.12
-
- CD C:\work\pcre-8.12
- CMAKE -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=True
- NMAKE
-
-BUILD LIBXML2-2.7.7 (note: the more recent version: 2.7.8 does not build correctly on Windows)
-
- CD C:\work\libxml2-2.7.7\win32
- CSCRIPT configure.js iconv=no vcmanifest=yes zlib=yes
- NMAKE -f Makefile.msvc
-
-BUILD LUA-5.1.4
-
- CD C:\work\lua-5.1.4\src
- CL /Ox /arch:SSE2 /GF /GL /Gy /FD /EHsc /MD /Zi /TC /wd4005 /D "_MBCS" /D "LUA_CORE" /D "LUA_BUILD_AS_DLL" /D "_CRT_SECURE_NO_WARNINGS" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_WIN32" /D "_WINDLL" /c *.c
- DEL lua.obj luac.obj
- LINK /DLL /LTCG /DEBUG /OUT:lua5.1.dll *.obj
- IF EXIST lua5.1.dll.manifest MT -manifest lua5.1.dll.manifest -outputresource:lua5.1.dll;2
-
-BUILD CURL-7.21.4
-
- CD C:\work\curl-7.21.4
- CMAKE -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=True -DCURL_ZLIB=True
- NMAKE
-
-BUILD MOD_SECURITY-2.6
-
- CD C:\work\mod_security\apache2
- NMAKE -f Makefile.win APACHE=C:\Apache2217 PCRE=C:\work\pcre-8.12 LIBXML2=C:\work\libxml2-2.7.7 LUA=C:\work\lua-5.1.4\src
-
-INSTALL MOD_SECURITY AND RUN APACHE
-
-Copy these five files to C:\Apache2217\bin:
- C:\work\pcre-8.12\pcre.dll C:\Apache2217\bin\
- C:\work\lua-5.1.4\src\lua5.1.dll C:\Apache2217\bin\
- C:\work\libxml2-2.7.7\win32\bin.msvc\libxml2.dll C:\Apache2217\bin\
- C:\work\curl-7.21.4\libcurl.dll C:\Apache2217\bin\
- C:\work\mod_security\apache2\mlogc-src\mlogc.exe
-
-Copy this one file to C:\Apache2217\modules:
-
- C:\work\mod_security\apache2\mod_security2.so
-
-You may also copy C:\work\curl-7.21.4\curl.exe to C:\Apache2217\bin, if you want to use the cURL command-line program.
-
-Download the core rules from http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/
-and unzip them into C:\Apache2217\conf\modsecurity_crs
-
-Add configuration directives to your Apache conf\httpd.conf:
-
- # mod_security requires mod_unique_id
- LoadModule unique_id_module modules/mod_unique_id.so
-
- # mod_security
- LoadModule security2_module modules/mod_security2.so
- <IfModule security2_module>
- SecRuleEngine On
- SecDataDir logs
- Include conf/modsecurity_crs/*.conf
- Include conf/modsecurity_crs/base_rules/*.conf
- SecAuditEngine RelevantOnly
- SecAuditLogRelevantStatus "^(?:5|4\d[^4])"
- SecAuditLogType Serial
- SecAuditLogParts ABCDEFGHZ
- SecAuditLog logs/modsecurity.log
- </IfModule>
-
-
-==============================================================================================
-OPTIONAL: BUILD AND CONFIGURE THE MOD_SECURITY-2.6 MLOGC piped-logging program
-
-Edit the top of C:\work\mod_security\apache2\mlogc-src\Makefile.win and set your local paths
-
- # Path to Apache httpd installation
- BASE = C:\Apache2217
-
- # Paths to required libraries
- PCRE = C:\work\pcre-8.12
- CURL = C:\work\curl-7.21.4
-
- # Linking libraries
- LIBS = $(BASE)\lib\libapr-1.lib \
- $(BASE)\lib\libaprutil-1.lib \
- $(PCRE)\pcre.lib \
- $(CURL)\libcurl_imp.lib \
- wsock32.lib
-
-Build the mlogc.exe program:
-
- CD C:\work\mod_security_trunk\mlogc
- NMAKE -f Makefile.win
-
-Copy mlocg.exe to C:\Apache2217\bin\
-
-Create a new command file C:\Apache2217\bin\mlogc.bat with one line:
-
- C:\Apache2217\bin\mlogc.exe C:\Apache2217\conf\mlogc.conf
-
-Create a new configuration file C:\Apache2217\conf\mlogc.conf to control the piped-logging program mlogc.exe.
-Here is an example conf\mlogc.conf:
-
- CollectorRoot "C:/Apache2217/logs"
- ConsoleURI "https://localhost:8888/rpc/auditLogReceiver"
- SensorUsername "test"
- SensorPassword "testtest"
- LogStorageDir "data"
- TransactionLog "mlogc-transaction.log"
- QueuePath "mlogc-queue.log"
- ErrorLog "mlogc-error.log"
- LockFile "mlogc.lck"
- KeepEntries 0
- ErrorLogLevel 2
- MaxConnections 10
- MaxWorkerRequests 1000
- TransactionDelay 50
- StartupDelay 5000
- CheckpointInterval 15
- ServerErrorTimeout 60
-
-Change the SecAuditLog directive in conf\httpd.conf to pipe the log data to mlogc
-instead of writing them to a file:
-
- SecAuditLog |C:/Apache2217/bin/mlogc.bat
diff --git a/README_WINDOWS.md b/README_WINDOWS.md
new file mode 100644
index 0000000000..dcb7e0db3a
--- /dev/null
+++ b/README_WINDOWS.md
@@ -0,0 +1,194 @@
+
+## ModSecurity 2.x Command-line build notes for Windows
+
+by Tom Donovam, 4/2/2011
+
+
+## Prerequisites:
+
+Dependency | Tested with | Note
+----|------|----
+Microsoft Visual Studio C++ | Visual Studio 2013 (aka VC12) |
+[CMake build system](http://www.cmake.org/) | CMake v3.8.2 |
+[Apache 2.4.x](http://httpd.apache.org/) | Apache 2.4.27 | Apache must be built from source using the same Visual Studio compiler as mod_security.
+[PCRE, Perl Compatible Regular Expression library](http://www.pcre.org/) | PCRE v8.40
+[LibXML2](http://xmlsoft.org/) | LibXML2 v2.9.4 |
+[Lua Scripting Language](http://www.lua.org/) | Lua v5.3.4
+[cURL multiprotocol file transfer library](http://curl.haxx.se/) | cURL v7.54.0
+
+
+## Before building
+
+The directory where you build software from source ( ``C:\work`` in this exmaple)
+must contain the Apache source you used to build the Apache web serverand the mod_security source
+
+ Apache source is in C:\work\httpd-2.4.27 in this example.
+ Apache has been installed to C:\Apache2427 in this example.
+ Mod_security source is in C:\work\mod_security in this example.
+
+## Download and untar the prerequisite library sources:
+
+ Download pcre-8.40.tar.gz from ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
+ untar it into C:\work\ creating C:\work\pcre-8.40
+
+ Download libxml2-2.9.4.tar.gz from ftp://xmlsoft.org/libxml2/
+ untar it into C:\work\ creating C:\work\libxml2-2.9.4
+
+ Download lua-5.3.4.tar.gz from http://www.lua.org/ftp/
+ untar it into C:\work\ creating C:\work\lua-5.3.4
+
+ Download curl-7.54.0.tar.gz from http://curl.haxx.se/download.html
+ untar it into C:\work\ creating C:\work\curl-7.54.0
+
+## Setup your build environment:
+
+1. The ``PATH`` environment variable must include the Visual Studio variables as set by ``vsvars32.bat``
+
+2. The ``PATH`` environment variable must also include the CMAKE ``bin\`` directory
+
+3. Set an environment variable to the Apache source code directory:
+
+```
+ SET HTTPD_BUILD=C:\work\httpd-2.4.27
+```
+
+### Optional:
+
+If OpenSSL and zlib support were included when you built Apache 2.4, and you want them available to LibXML2 and cURL
+
+1. Ensure that cURL and LibXML2 can find the OpenSSL and zlib includes and libraries that Apache was built with.
+
+```
+ SET INCLUDE=%INCLUDE%;%HTTPD_BUILD%\srclib\openssl\inc32;%HTTPD_BUILD%\srclib\zlib
+ SET LIB=%LIB%;%HTTPD_BUILD%\srclib\openssl\out32dll;%HTTPD_BUILD%\srclib\zlib
+```
+
+2. Ensure that cURL and libXML2 don't use the static zlib library: ``zlib.lib``. Force cURL and libXML2 to use ``zdll.lib`` instead, requiring ``zlib1.dll`` at runtime:
+
+```
+ IF EXIST %HTTPD_BUILD%\srclib\zlib\zlib.lib DEL %HTTPD_BUILD%\srclib\zlib\zlib.lib
+```
+
+## Build
+
+### PCRE-8.40
+
+ CD C:\work\pcre-8.40
+ CMAKE -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=True
+ NMAKE
+
+### LibXML2-2.9.4
+
+ CD C:\work\libxml2-2.9.4\win32
+ CSCRIPT configure.js iconv=no vcmanifest=yes zlib=yes
+ NMAKE -f Makefile.msvc
+
+### Lua-5.3.4
+
+ CD C:\work\lua-5.3.4\src
+ CL /Ox /arch:SSE2 /GF /GL /Gy /FD /EHsc /MD /Zi /TC /wd4005 /D "_MBCS" /D "LUA_CORE" /D "LUA_BUILD_AS_DLL" /D "_CRT_SECURE_NO_WARNINGS" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_WIN32" /D "_WINDLL" /c *.c
+ DEL lua.obj luac.obj
+ LINK /DLL /LTCG /DEBUG /OUT:lua5.1.dll *.obj
+ IF EXIST lua5.1.dll.manifest MT -manifest lua5.1.dll.manifest -outputresource:lua5.1.dll;2
+
+### cURL-7.54.0
+
+ CD C:\work\curl-7.54.0
+ CMAKE -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=True -DCURL_ZLIB=True
+ NMAKE
+
+### ModSecurity-2.9.x
+
+ CD C:\work\mod_security\apache2
+ NMAKE -f Makefile.win APACHE=C:\Apache2427 PCRE=C:\work\pcre-8.40 LIBXML2=C:\work\libxml2-2.9.4 LUA=C:\work\lua-5.3.4\src
+
+## Install ModSecurity and run Apache
+
+Copy these five files to ``C:\Apache2427\bin``:
+
+ C:\work\pcre-8.40\pcre.dll C:\Apache2427\bin\
+ C:\work\lua-5.3.4\src\lua5.1.dll C:\Apache2427\bin\
+ C:\work\libxml2-2.9.4\win32\bin.msvc\libxml2.dll C:\Apache2427\bin\
+ C:\work\curl-7.54.0\libcurl.dll C:\Apache2427\bin\
+ C:\work\mod_security\apache2\mlogc-src\mlogc.exe
+
+Copy this one file to ``C:\Apache2427\modules``:
+
+ C:\work\mod_security\apache2\mod_security2.so
+
+You may also copy ``C:\work\curl-7.54.0\curl.exe`` to ``C:\Apache2427\bin``, if you want to use the cURL command-line program.
+
+Download the core rules from http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/ and unzip them into ``C:\Apache2427\conf\modsecurity_crs``
+
+Add configuration directives to your Apache conf\httpd.conf:
+
+ # mod_security requires mod_unique_id
+ LoadModule unique_id_module modules/mod_unique_id.so
+
+ # mod_security
+ LoadModule security2_module modules/mod_security2.so
+ <IfModule security2_module>
+ SecRuleEngine On
+ SecDataDir logs
+ Include conf/modsecurity_crs/*.conf
+ Include conf/modsecurity_crs/base_rules/*.conf
+ SecAuditEngine RelevantOnly
+ SecAuditLogRelevantStatus "^(?:5|4\d[^4])"
+ SecAuditLogType Serial
+ SecAuditLogParts ABCDEFGHZ
+ SecAuditLog logs/modsecurity.log
+ </IfModule>
+
+## Optional: Build and configure the ModSecurity-2.x MLOGC piped-logging program
+
+Edit the top of ``C:\work\mod_security\apache2\mlogc-src\Makefile.win`` and set your local paths
+
+ # Path to Apache httpd installation
+ BASE = C:\Apache2427
+
+ # Paths to required libraries
+ PCRE = C:\work\pcre-8.40
+ CURL = C:\work\curl-7.54.0
+
+ # Linking libraries
+ LIBS = $(BASE)\lib\libapr-1.lib \
+ $(BASE)\lib\libaprutil-1.lib \
+ $(PCRE)\pcre.lib \
+ $(CURL)\libcurl_imp.lib \
+ wsock32.lib
+
+Build the ``mlogc.exe`` program:
+
+ CD C:\work\mod_security_trunk\mlogc
+ NMAKE -f Makefile.win
+
+Copy ``mlocg.exe`` to ``C:\Apache2427\bin\``
+
+Create a new command file ``C:\Apache2427\bin\mlogc.bat`` with one line:
+
+ C:\Apache2427\bin\mlogc.exe C:\Apache2427\conf\mlogc.conf
+
+Create a new configuration file ``C:\Apache2427\conf\mlogc.conf`` to control the piped-logging program ``mlogc.exe``.
+Here is an example ``conf\mlogc.conf``:
+
+ CollectorRoot "C:/Apache2427/logs"
+ ConsoleURI "https://localhost:8888/rpc/auditLogReceiver"
+ SensorUsername "test"
+ SensorPassword "testtest"
+ LogStorageDir "data"
+ TransactionLog "mlogc-transaction.log"
+ QueuePath "mlogc-queue.log"
+ ErrorLog "mlogc-error.log"
+ LockFile "mlogc.lck"
+ KeepEntries 0
+ ErrorLogLevel 2
+ MaxConnections 10
+ MaxWorkerRequests 1000
+ TransactionDelay 50
+ StartupDelay 5000
+ CheckpointInterval 15
+ ServerErrorTimeout 60
+
+Change the SecAuditLog directive in ``conf\httpd.conf`` to pipe the log data to mlogc instead of writing them to a file:
+
+ SecAuditLog |C:/Apache2427/bin/mlogc.bat
diff --git a/apache2/Makefile.am b/apache2/Makefile.am
index e7bf787bdc..9af9633a30 100644
--- a/apache2/Makefile.am
+++ b/apache2/Makefile.am
@@ -42,6 +42,7 @@ mod_security2_la_CFLAGS = @APR_CFLAGS@ \
@LUA_CFLAGS@ \
@MODSEC_EXTRA_CFLAGS@ \
@PCRE_CFLAGS@ \
+ @PCRE2_CFLAGS@ \
@YAJL_CFLAGS@ \
@SSDEEP_CFLAGS@
@@ -50,7 +51,8 @@ mod_security2_la_CPPFLAGS = @APR_CPPFLAGS@ \
@CURL_CPPFLAGS@ \
@LIBXML2_CFLAGS@ \
@LIBXML2_CPPFLAGS@ \
- @PCRE_CPPFLAGS@
+ @PCRE_CPPFLAGS@ \
+ @PCRE2_CPPFLAGS@
mod_security2_la_LIBADD = @APR_LDADD@ \
@APU_LDADD@ \
@@ -59,6 +61,7 @@ mod_security2_la_LIBADD = @APR_LDADD@ \
@LIBXML2_LDADD@ \
@LUA_LDADD@ \
@PCRE_LDADD@ \
+ @PCRE2_LDADD@ \
@YAJL_LDADD@
if AIX
@@ -71,6 +74,7 @@ mod_security2_la_LDFLAGS = -module -avoid-version \
@LIBXML2_LDFLAGS@ \
@LUA_LDFLAGS@ \
@PCRE_LDFLAGS@ \
+ @PCRE2_LDFLAGS@ \
@YAJL_LDFLAGS@ \
@SSDEEP_LDFLAGS@
endif
@@ -85,6 +89,7 @@ mod_security2_la_LDFLAGS = -module -avoid-version \
@LIBXML2_LDFLAGS@ \
@LUA_LDFLAGS@ \
@PCRE_LDFLAGS@ \
+ @PCRE2_LDFLAGS@ \
@YAJL_LDFLAGS@ \
@SSDEEP_LDFLAGS@
endif
@@ -99,6 +104,7 @@ mod_security2_la_LDFLAGS = -module -avoid-version \
@LIBXML2_LDFLAGS@ \
@LUA_LDFLAGS@ \
@PCRE_LDFLAGS@ \
+ @PCRE2_LDFLAGS@ \
@YAJL_LDFLAGS@ \
@SSDEEP_LDFLAGS@
endif
@@ -113,6 +119,7 @@ mod_security2_la_LDFLAGS = -module -avoid-version \
@LIBXML2_LDFLAGS@ \
@LUA_LDFLAGS@ \
@PCRE_LDFLAGS@ \
+ @PCRE2_LDFLAGS@ \
@YAJL_LDFLAGS@ \
@SSDEEP_LDFLAGS@
endif
@@ -127,6 +134,7 @@ mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version -R @PCRE_LD_PATH
@LIBXML2_LDFLAGS@ \
@LUA_LDFLAGS@ \
@PCRE_LDFLAGS@ \
+ @PCRE2_LDFLAGS@ \
@YAJL_LDFLAGS@ \
@SSDEEP_LDFLAGS@
endif
@@ -141,6 +149,7 @@ mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
@LIBXML2_LDFLAGS@ \
@LUA_LDFLAGS@ \
@PCRE_LDFLAGS@ \
+ @PCRE2_LDFLAGS@ \
@YAJL_LDFLAGS@ \
@SSDEEP_LDFLAGS@
endif
@@ -155,6 +164,7 @@ mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
@LIBXML2_LDFLAGS@ \
@LUA_LDFLAGS@ \
@PCRE_LDFLAGS@ \
+ @PCRE2_LDFLAGS@ \
@YAJL_LDFLAGS@ \
@SSDEEP_LDFLAGS@
endif
@@ -169,6 +179,7 @@ mod_security2_la_LDFLAGS = -no-undefined -module -avoid-version \
@LIBXML2_LDFLAGS@ \
@LUA_LDFLAGS@ \
@PCRE_LDFLAGS@ \
+ @PCRE2_LDFLAGS@ \
@YAJL_LDFLAGS@ \
@SSDEEP_LDFLAGS@
endif
diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
index bfbcb83468..da10b4bfe6 100644
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -26,6 +26,9 @@
#include "msc_lua.h"
#endif
+#ifdef APLOG_USE_MODULE
+ APLOG_USE_MODULE(security2);
+#endif
/* -- Directory context creation and initialisation -- */
@@ -50,6 +53,8 @@ void *create_directory_config(apr_pool_t *mp, char *path)
dcfg->reqbody_inmemory_limit = NOT_SET;
dcfg->reqbody_limit = NOT_SET;
dcfg->reqbody_no_files_limit = NOT_SET;
+ dcfg->reqbody_json_depth_limit = NOT_SET;
+ dcfg->arguments_limit = NOT_SET;
dcfg->resbody_access = NOT_SET;
dcfg->debuglog_name = NOT_SET_P;
@@ -73,6 +78,9 @@ void *create_directory_config(apr_pool_t *mp, char *path)
/* audit log variables */
dcfg->auditlog_flag = NOT_SET;
dcfg->auditlog_type = NOT_SET;
+ #ifdef WITH_YAJL
+ dcfg->auditlog_format = NOT_SET;
+ #endif
dcfg->max_rule_time = NOT_SET;
dcfg->auditlog_dirperms = NOT_SET;
dcfg->auditlog_fileperms = NOT_SET;
@@ -171,6 +179,9 @@ static void copy_rules_phase(apr_pool_t *mp,
apr_array_header_t *child_phase_arr,
apr_array_header_t *exceptions_arr)
{
+ assert(parent_phase_arr != NULL);
+ assert(child_phase_arr != NULL);
+ assert(exceptions_arr != NULL);
rule_exception **exceptions;
msre_rule **rules;
int i, j;
@@ -179,11 +190,14 @@ static void copy_rules_phase(apr_pool_t *mp,
rules = (msre_rule **)parent_phase_arr->elts;
for(i = 0; i < parent_phase_arr->nelts; i++) {
msre_rule *rule = (msre_rule *)rules[i];
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
int copy = 1;
if (mode == 0) {
/* First rule in the chain. */
exceptions = (rule_exception **)exceptions_arr->elts;
+ assert(exceptions != NULL);
for(j = 0; j < exceptions_arr->nelts; j++) {
/* Process exceptions. */
@@ -231,7 +245,7 @@ static void copy_rules_phase(apr_pool_t *mp,
if (copy > 0) {
#ifdef DEBUG_CONF
- ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, mp, "Copy rule %pp [id \"%s\"]", rule, rule->actionset->id);
+ ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, mp, "Copy rule %pp [id \"%s\"]", rule, id_log(rule));
#endif
/* Copy the rule. */
@@ -243,7 +257,7 @@ static void copy_rules_phase(apr_pool_t *mp,
} else {
if (mode == 2) {
#ifdef DEBUG_CONF
- ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, mp, "Copy chain %pp for rule %pp [id \"%s\"]", rule, rule->chain_starter, rule->chain_starter->actionset->id);
+ ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, mp, "Copy chain %pp for rule %pp [id \"%s\"]", rule, rule->chain_starter, id_log(rule->chain_starter));
#endif
/* Copy the rule (it belongs to the chain we want to include. */
@@ -269,18 +283,21 @@ static void copy_rules_phase(apr_pool_t *mp,
* @retval -1 Something went wrong.
*
*/
-static int copy_rules(apr_pool_t *mp, msre_ruleset *parent_ruleset,
+static void copy_rules(apr_pool_t *mp, msre_ruleset *parent_ruleset,
msre_ruleset *child_ruleset,
apr_array_header_t *exceptions_arr)
{
- int ret = 0;
-
- if (parent_ruleset == NULL || child_ruleset == NULL ||
- exceptions_arr == NULL) {
- ret = -1;
- goto failed;
+ assert(parent_ruleset != NULL);
+ assert(child_ruleset != NULL);
+ assert(exceptions_arr != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (parent_ruleset == NULL || child_ruleset == NULL || exceptions_arr == NULL) {
+ if (parent_ruleset == NULL) ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, mp, "copy_rules: parent_ruleset is NULL");
+ if (child_ruleset == NULL) ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, mp, "copy_rules: child_ruleset is NULL");
+ if (exceptions_arr == NULL) ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, mp, "copy_rules: exceptions_arr is NULL");
+ return;
}
-
+
copy_rules_phase(mp, parent_ruleset->phase_request_headers,
child_ruleset->phase_request_headers, exceptions_arr);
copy_rules_phase(mp, parent_ruleset->phase_request_body,
@@ -291,9 +308,6 @@ static int copy_rules(apr_pool_t *mp, msre_ruleset *parent_ruleset,
child_ruleset->phase_response_body, exceptions_arr);
copy_rules_phase(mp, parent_ruleset->phase_logging,
child_ruleset->phase_logging, exceptions_arr);
-
-failed:
- return ret;
}
/**
@@ -301,6 +315,8 @@ static int copy_rules(apr_pool_t *mp, msre_ruleset *parent_ruleset,
*/
void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child)
{
+ assert(_parent != NULL);
+ assert(_child != NULL);
directory_config *parent = (directory_config *)_parent;
directory_config *child = (directory_config *)_child;
directory_config *merged = create_directory_config(mp, NULL);
@@ -329,6 +345,10 @@ void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child)
? parent->reqbody_limit : child->reqbody_limit);
merged->reqbody_no_files_limit = (child->reqbody_no_files_limit == NOT_SET
? parent->reqbody_no_files_limit : child->reqbody_no_files_limit);
+ merged->reqbody_json_depth_limit = (child->reqbody_json_depth_limit == NOT_SET
+ ? parent->reqbody_json_depth_limit : child->reqbody_json_depth_limit);
+ merged->arguments_limit = (child->arguments_limit == NOT_SET
+ ? parent->arguments_limit : child->arguments_limit);
merged->resbody_access = (child->resbody_access == NOT_SET
? parent->resbody_access : child->resbody_access);
@@ -412,7 +432,6 @@ void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child)
/* Copy the rules from the parent context. */
merged->ruleset = msre_ruleset_create(parent->ruleset->engine, mp);
- /* TODO: copy_rules return code should be taken into consideration. */
copy_rules(mp, parent->ruleset, merged->ruleset, child->rule_exceptions);
} else
if (parent->ruleset == NULL) {
@@ -439,7 +458,6 @@ void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child)
/* Copy parent rules, then add child rules to it. */
merged->ruleset = msre_ruleset_create(parent->ruleset->engine, mp);
- /* TODO: copy_rules return code should be taken into consideration. */
copy_rules(mp, parent->ruleset, merged->ruleset, child->rule_exceptions);
apr_array_cat(merged->ruleset->phase_request_headers,
@@ -503,6 +521,10 @@ void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child)
merged->auditlog2_fd = parent->auditlog2_fd;
merged->auditlog2_name = parent->auditlog2_name;
}
+ #ifdef WITH_YAJL
+ merged->auditlog_format = (child->auditlog_format == NOT_SET
+ ? parent->auditlog_format : child->auditlog_format);
+ #endif
merged->auditlog_storage_dir = (child->auditlog_storage_dir == NOT_SET_P
? parent->auditlog_storage_dir : child->auditlog_storage_dir);
merged->auditlog_parts = (child->auditlog_parts == NOT_SET_P
@@ -641,6 +663,8 @@ void init_directory_config(directory_config *dcfg)
dcfg->reqbody_inmemory_limit = REQUEST_BODY_DEFAULT_INMEMORY_LIMIT;
if (dcfg->reqbody_limit == NOT_SET) dcfg->reqbody_limit = REQUEST_BODY_DEFAULT_LIMIT;
if (dcfg->reqbody_no_files_limit == NOT_SET) dcfg->reqbody_no_files_limit = REQUEST_BODY_NO_FILES_DEFAULT_LIMIT;
+ if (dcfg->reqbody_json_depth_limit == NOT_SET) dcfg->reqbody_json_depth_limit = REQUEST_BODY_JSON_DEPTH_DEFAULT_LIMIT;
+ if (dcfg->arguments_limit == NOT_SET) dcfg->arguments_limit = ARGUMENTS_LIMIT;
if (dcfg->resbody_access == NOT_SET) dcfg->resbody_access = 0;
if (dcfg->of_limit == NOT_SET) dcfg->of_limit = RESPONSE_BODY_DEFAULT_LIMIT;
if (dcfg->if_limit_action == NOT_SET) dcfg->if_limit_action = REQUEST_BODY_LIMIT_ACTION_REJECT;
@@ -667,6 +691,9 @@ void init_directory_config(directory_config *dcfg)
/* audit log variables */
if (dcfg->auditlog_flag == NOT_SET) dcfg->auditlog_flag = 0;
if (dcfg->auditlog_type == NOT_SET) dcfg->auditlog_type = AUDITLOG_SERIAL;
+ #ifdef WITH_YAJL
+ if (dcfg->auditlog_format == NOT_SET) dcfg->auditlog_format = AUDITLOGFORMAT_NATIVE;
+ #endif
if (dcfg->max_rule_time == NOT_SET) dcfg->max_rule_time = 0;
if (dcfg->auditlog_dirperms == NOT_SET) dcfg->auditlog_dirperms = CREATEMODE_DIR;
if (dcfg->auditlog_fileperms == NOT_SET) dcfg->auditlog_fileperms = CREATEMODE;
@@ -722,8 +749,13 @@ void init_directory_config(directory_config *dcfg)
if (dcfg->col_timeout == NOT_SET) dcfg->col_timeout = 3600;
/* Hash */
- if (dcfg->crypto_key == NOT_SET_P) dcfg->crypto_key = getkey(dcfg->mp);
- if (dcfg->crypto_key_len == NOT_SET) dcfg->crypto_key_len = strlen(dcfg->crypto_key);
+ if (dcfg->hash_is_enabled == HASH_ENABLED) {
+ if (dcfg->crypto_key == NOT_SET_P) dcfg->crypto_key = getkey(dcfg->mp);
+ if (dcfg->crypto_key_len == NOT_SET) dcfg->crypto_key_len = strlen(dcfg->crypto_key);
+ } else {
+ if (dcfg->crypto_key == NOT_SET_P) dcfg->crypto_key = "";
+ if (dcfg->crypto_key_len == NOT_SET) dcfg->crypto_key_len = 0;
+ }
if (dcfg->crypto_key_add == NOT_SET) dcfg->crypto_key_add = HASH_KEYONLY;
if (dcfg->crypto_param_name == NOT_SET_P) dcfg->crypto_param_name = "crypt";
if (dcfg->hash_is_enabled == NOT_SET) dcfg->hash_is_enabled = HASH_DISABLED;
@@ -750,11 +782,17 @@ void init_directory_config(directory_config *dcfg)
static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type,
const char *p1, const char *p2, const char *p3)
{
+ assert(cmd != NULL);
+ assert(dcfg != NULL);
char *my_error_msg = NULL;
//msre_rule *rule = NULL, *tmp_rule = NULL;
char *rid = NULL;
msre_rule *rule = NULL;
extern msc_engine *modsecurity;
+ assert(modsecurity != NULL);
+ int type_with_lua = 1;
+ int type_rule;
+ int rule_actionset;
int offset = 0;
#ifdef DEBUG_CONF
@@ -786,26 +824,27 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type,
return my_error_msg;
}
- /* Rules must have uniq ID */
- if (
+#ifndef ALLOW_ID_NOT_UNIQUE
+ /* Rules must have uniq ID */
+ type_rule = (dcfg->tmp_chain_starter == NULL);
#if defined(WITH_LUA)
- type != RULE_TYPE_LUA &&
+ type_rule = (type != RULE_TYPE_LUA && type_rule);
#endif
- (dcfg->tmp_chain_starter == NULL))
+ if (type_rule)
if(rule->actionset == NULL)
return "ModSecurity: Rules must have at least id action";
if(rule->actionset != NULL && (dcfg->tmp_chain_starter == NULL)) {
- if(rule->actionset->id == NOT_SET_P
+ rule_actionset = (rule->actionset->id == NOT_SET_P);
#if defined(WITH_LUA)
- && (type != RULE_TYPE_LUA)
+ rule_actionset = (rule_actionset && (type != RULE_TYPE_LUA));
#endif
- )
- return "ModSecurity: No action id present within the rule";
+ if (rule_actionset)
+ return "ModSecurity: No action id present within the rule";
#if defined(WITH_LUA)
- if(type != RULE_TYPE_LUA)
+ type_with_lua = (type != RULE_TYPE_LUA);
#endif
- {
+ if (type_with_lua){
rid = apr_hash_get(dcfg->rule_id_htab, rule->actionset->id, APR_HASH_KEY_STRING);
if(rid != NULL) {
return "ModSecurity: Found another rule with the same id";
@@ -818,6 +857,7 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type,
// return "ModSecurity: Found another rule with the same id";
}
}
+#endif
/* Create default actionset if one does not already exist. */
if (dcfg->tmp_default_actionset == NULL) {
@@ -875,14 +915,14 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type,
*/
rule->actionset = msre_actionset_merge(modsecurity->msre, cmd->pool, dcfg->tmp_default_actionset,
rule->actionset, 1);
+ if (rule->actionset == NULL) return apr_psprintf(cmd->pool, "ModSecurity: cannot merge actionset (memory full?).");
/* Keep track of the parent action for "block" */
rule->actionset->parent_intercept_action_rec = dcfg->tmp_default_actionset->intercept_action_rec;
rule->actionset->parent_intercept_action = dcfg->tmp_default_actionset->intercept_action;
/* Must NOT specify a disruptive action in logging phase. */
- if ((rule->actionset != NULL)
- && (rule->actionset->phase == PHASE_LOGGING)
+ if ( (rule->actionset->phase == PHASE_LOGGING)
&& (rule->actionset->intercept_action != ACTION_ALLOW)
&& (rule->actionset->intercept_action != ACTION_ALLOW_REQUEST)
&& (rule->actionset->intercept_action != ACTION_NONE)
@@ -932,8 +972,7 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type,
#ifdef DEBUG_CONF
ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool,
- "Adding rule %pp phase=%d id=\"%s\".", rule, rule->actionset->phase, (rule->actionset->id == NOT_SET_P
- ? "(none)" : rule->actionset->id));
+ "Adding rule %pp phase=%d id=\"%s\".", rule, rule->actionset->phase, id_log(rule));
#endif
/* Add rule to the recipe. */
@@ -978,9 +1017,12 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type,
static const char *add_marker(cmd_parms *cmd, directory_config *dcfg,
const char *p1, const char *p2, const char *p3)
{
+ assert(cmd != NULL);
+ assert(dcfg != NULL);
char *my_error_msg = NULL;
msre_rule *rule = NULL;
extern msc_engine *modsecurity;
+ assert(modsecurity != NULL);
int p;
#ifdef DEBUG_CONF
@@ -1007,8 +1049,7 @@ static const char *add_marker(cmd_parms *cmd, directory_config *dcfg,
for (p = PHASE_FIRST; p <= PHASE_LAST; p++) {
#ifdef DEBUG_CONF
ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool,
- "Adding marker %pp phase=%d id=\"%s\".", rule, p, (rule->actionset->id == NOT_SET_P
- ? "(none)" : rule->actionset->id));
+ "Adding marker %pp phase=%d id=\"%s\".", rule, p, id_log(rule));
#endif
if (msre_ruleset_rule_add(dcfg->ruleset, rule, p) < 0) {
@@ -1030,11 +1071,14 @@ static const char *add_marker(cmd_parms *cmd, directory_config *dcfg,
static const char *update_rule_action(cmd_parms *cmd, directory_config *dcfg,
const char *p1, const char *p2, int offset)
{
+ assert(cmd != NULL);
+ assert(dcfg != NULL);
char *my_error_msg = NULL;
msre_rule *rule = NULL;
msre_actionset *new_actionset = NULL;
msre_ruleset *ruleset = dcfg->ruleset;
extern msc_engine *modsecurity;
+ assert(modsecurity != NULL);
/* Get the ruleset if one exists */
if ((ruleset == NULL)||(ruleset == NOT_SET_P)) {
@@ -1056,11 +1100,7 @@ static const char *update_rule_action(cmd_parms *cmd, directory_config *dcfg,
return NULL;
}
- /* Check the rule actionset */
- /* ENH: Can this happen? */
- if (rule->actionset == NULL) {
- return apr_psprintf(cmd->pool, "ModSecurity: Attempt to update action for rule \"%s\" failed: Rule does not have an actionset.", p1);
- }
+ assert(rule->actionset != NULL);
/* Create a new actionset */
new_actionset = msre_actionset_create(modsecurity->msre, cmd->pool, p2, &my_error_msg);
@@ -1082,9 +1122,7 @@ static const char *update_rule_action(cmd_parms *cmd, directory_config *dcfg,
char *actions = msre_actionset_generate_action_string(ruleset->mp, rule->actionset);
ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool,
"Update rule %pp id=\"%s\" old action: \"%s\"",
- rule,
- (rule->actionset->id == NOT_SET_P ? "(none)" : rule->actionset->id),
- actions);
+ rule, id_log(rule), actions);
}
#endif
@@ -1092,6 +1130,7 @@ static const char *update_rule_action(cmd_parms *cmd, directory_config *dcfg,
/* ENH: Will this leak the old actionset? */
rule->actionset = msre_actionset_merge(modsecurity->msre, cmd->pool, rule->actionset,
new_actionset, 1);
+ if (rule->actionset == NULL) return apr_psprintf(cmd->pool, "ModSecurity: cannot merge actionset (memory full?).");
msre_actionset_set_defaults(rule->actionset);
/* Update the unparsed rule */
@@ -1102,9 +1141,7 @@ static const char *update_rule_action(cmd_parms *cmd, directory_config *dcfg,
char *actions = msre_actionset_generate_action_string(ruleset->mp, rule->actionset);
ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool,
"Update rule %pp id=\"%s\" new action: \"%s\"",
- rule,
- (rule->actionset->id == NOT_SET_P ? "(none)" : rule->actionset->id),
- actions);
+ rule, id_log(rule), actions);
}
#endif
@@ -1120,6 +1157,12 @@ static const char *cmd_action(cmd_parms *cmd, void *_dcfg, const char *p1)
static const char *cmd_marker(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(_dcfg != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_marker: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
const char *action = apr_pstrcat(dcfg->mp, SECMARKER_BASE_ACTIONS, p1, NULL);
return add_marker(cmd, (directory_config *)_dcfg, SECMARKER_TARGETS, SECMARKER_ARGS, action);
@@ -1128,6 +1171,14 @@ static const char *cmd_marker(cmd_parms *cmd, void *_dcfg, const char *p1)
static const char *cmd_cookiev0_separator(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_cookiev0_separator: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
if (strlen(p1) != 1) {
@@ -1142,6 +1193,14 @@ static const char *cmd_cookiev0_separator(cmd_parms *cmd, void *_dcfg,
static const char *cmd_argument_separator(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_argument_separator: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
if (strlen(p1) != 1) {
@@ -1155,6 +1214,9 @@ static const char *cmd_argument_separator(cmd_parms *cmd, void *_dcfg,
static const char *cmd_audit_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
directory_config *dcfg = _dcfg;
if (strcasecmp(p1, "On") == 0) dcfg->auditlog_flag = AUDITLOG_ON;
@@ -1171,6 +1233,9 @@ static const char *cmd_audit_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
static const char *cmd_audit_log(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
directory_config *dcfg = _dcfg;
dcfg->auditlog_name = (char *)p1;
@@ -1189,10 +1254,13 @@ static const char *cmd_audit_log(cmd_parms *cmd, void *_dcfg, const char *p1)
else {
const char *file_name = ap_server_root_relative(cmd->pool, dcfg->auditlog_name);
apr_status_t rc;
-
+
+ if (dcfg->auditlog_fileperms == NOT_SET) {
+ dcfg->auditlog_fileperms = CREATEMODE;
+ }
rc = apr_file_open(&dcfg->auditlog_fd, file_name,
APR_WRITE | APR_APPEND | APR_CREATE | APR_BINARY,
- CREATEMODE, cmd->pool);
+ dcfg->auditlog_fileperms, cmd->pool);
if (rc != APR_SUCCESS) {
return apr_psprintf(cmd->pool, "ModSecurity: Failed to open the audit log file: %s",
@@ -1205,6 +1273,9 @@ static const char *cmd_audit_log(cmd_parms *cmd, void *_dcfg, const char *p1)
static const char *cmd_audit_log2(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
directory_config *dcfg = _dcfg;
if (dcfg->auditlog_name == NOT_SET_P) {
@@ -1228,9 +1299,12 @@ static const char *cmd_audit_log2(cmd_parms *cmd, void *_dcfg, const char *p1)
const char *file_name = ap_server_root_relative(cmd->pool, dcfg->auditlog2_name);
apr_status_t rc;
+ if (dcfg->auditlog_fileperms == NOT_SET) {
+ dcfg->auditlog_fileperms = CREATEMODE;
+ }
rc = apr_file_open(&dcfg->auditlog2_fd, file_name,
APR_WRITE | APR_APPEND | APR_CREATE | APR_BINARY,
- CREATEMODE, cmd->pool);
+ dcfg->auditlog_fileperms, cmd->pool);
if (rc != APR_SUCCESS) {
return apr_psprintf(cmd->pool, "ModSecurity: Failed to open the secondary audit log file: %s",
@@ -1244,6 +1318,9 @@ static const char *cmd_audit_log2(cmd_parms *cmd, void *_dcfg, const char *p1)
static const char *cmd_audit_log_parts(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
directory_config *dcfg = _dcfg;
if (is_valid_parts_specification((char *)p1) != 1) {
@@ -1257,9 +1334,16 @@ static const char *cmd_audit_log_parts(cmd_parms *cmd, void *_dcfg,
static const char *cmd_audit_log_relevant_status(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
directory_config *dcfg = _dcfg;
+#ifdef WITH_PCRE2
+ dcfg->auditlog_relevant_regex = msc_pregcomp(cmd->pool, p1, PCRE2_DOTALL, NULL, NULL);
+#else
dcfg->auditlog_relevant_regex = msc_pregcomp(cmd->pool, p1, PCRE_DOTALL, NULL, NULL);
+#endif
if (dcfg->auditlog_relevant_regex == NULL) {
return apr_psprintf(cmd->pool, "ModSecurity: Invalid regular expression: %s", p1);
}
@@ -1270,6 +1354,9 @@ static const char *cmd_audit_log_relevant_status(cmd_parms *cmd, void *_dcfg,
static const char *cmd_audit_log_type(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
directory_config *dcfg = _dcfg;
if (strcasecmp(p1, "Serial") == 0) dcfg->auditlog_type = AUDITLOG_SERIAL;
@@ -1282,13 +1369,39 @@ static const char *cmd_audit_log_type(cmd_parms *cmd, void *_dcfg,
return NULL;
}
+#ifdef WITH_YAJL
+static const char *cmd_audit_log_mode(cmd_parms *cmd, void *_dcfg,
+ const char *p1)
+{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ directory_config *dcfg = _dcfg;
+
+ if (strcasecmp(p1, "JSON") == 0) dcfg->auditlog_format = AUDITLOGFORMAT_JSON;
+ else
+ if (strcasecmp(p1, "Native") == 0) dcfg->auditlog_format = AUDITLOGFORMAT_NATIVE;
+ else
+ return (const char *)apr_psprintf(cmd->pool,
+ "ModSecurity: Unrecognised parameter value for SecAuditLogFormat: %s", p1);
+
+ return NULL;
+}
+#endif
+
static const char *cmd_audit_log_dirmode(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_audit_log_dirmode: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
if (strcasecmp(p1, "default") == 0) {
dcfg->auditlog_dirperms = NOT_SET;
}
@@ -1307,10 +1420,16 @@ static const char *cmd_audit_log_dirmode(cmd_parms *cmd, void *_dcfg,
static const char *cmd_audit_log_filemode(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_audit_log_filemode: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
if (strcasecmp(p1, "default") == 0) {
dcfg->auditlog_fileperms = NOT_SET;
}
@@ -1329,6 +1448,9 @@ static const char *cmd_audit_log_filemode(cmd_parms *cmd, void *_dcfg,
static const char *cmd_audit_log_storage_dir(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
directory_config *dcfg = _dcfg;
dcfg->auditlog_storage_dir = ap_server_root_relative(cmd->pool, p1);
@@ -1339,6 +1461,9 @@ static const char *cmd_audit_log_storage_dir(cmd_parms *cmd, void *_dcfg,
static const char *cmd_cookie_format(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
directory_config *dcfg = (directory_config *)_dcfg;
if (strcmp(p1, "0") == 0) dcfg->cookie_format = COOKIES_V0;
@@ -1353,6 +1478,8 @@ static const char *cmd_cookie_format(cmd_parms *cmd, void *_dcfg,
static const char *cmd_chroot_dir(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(p1 != NULL);
char cwd[1025] = "";
if (cmd->server->is_virtual) {
@@ -1384,6 +1511,13 @@ static const char *cmd_chroot_dir(cmd_parms *cmd, void *_dcfg, const char *p1)
static const char *cmd_component_signature(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_component_signature: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
/* ENH Enforce "Name/VersionX.Y.Z (comment)" format. */
@@ -1394,14 +1528,22 @@ static const char *cmd_component_signature(cmd_parms *cmd, void *_dcfg,
static const char *cmd_content_injection(cmd_parms *cmd, void *_dcfg, int flag)
{
+ assert(_dcfg != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_content_injection: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
dcfg->content_injection_enabled = flag;
return NULL;
}
static const char *cmd_data_dir(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
directory_config *dcfg = (directory_config *)_dcfg;
if (cmd->server->is_virtual) {
@@ -1415,6 +1557,9 @@ static const char *cmd_data_dir(cmd_parms *cmd, void *_dcfg, const char *p1)
static const char *cmd_debug_log(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
directory_config *dcfg = (directory_config *)_dcfg;
apr_status_t rc;
@@ -1445,6 +1590,9 @@ static const char *cmd_debug_log(cmd_parms *cmd, void *_dcfg, const char *p1)
static const char *cmd_collection_timeout(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
directory_config *dcfg = (directory_config *)_dcfg;
dcfg->col_timeout = atoi(p1);
@@ -1457,6 +1605,9 @@ static const char *cmd_collection_timeout(cmd_parms *cmd, void *_dcfg,
static const char *cmd_debug_log_level(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
directory_config *dcfg = (directory_config *)_dcfg;
dcfg->debuglog_level = atoi(p1);
@@ -1468,6 +1619,8 @@ static const char *cmd_debug_log_level(cmd_parms *cmd, void *_dcfg,
static const char *cmd_default_action(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
directory_config *dcfg = (directory_config *)_dcfg;
extern msc_engine *modsecurity;
char *my_error_msg = NULL;
@@ -1544,8 +1697,13 @@ static const char *cmd_default_action(cmd_parms *cmd, void *_dcfg,
static const char *cmd_disable_backend_compression(cmd_parms *cmd, void *_dcfg, int flag)
{
- directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
+ assert(_dcfg != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_disable_backend_compression: _dcfg is NULL");
+ return NULL;
+ }
+ directory_config* dcfg = (directory_config*)_dcfg;
dcfg->disable_backend_compression = flag;
return NULL;
}
@@ -1553,6 +1711,8 @@ static const char *cmd_disable_backend_compression(cmd_parms *cmd, void *_dcfg,
static const char *cmd_guardian_log(cmd_parms *cmd, void *_dcfg,
const char *p1, const char *p2)
{
+ assert(cmd != NULL);
+ assert(p1 != NULL);
extern char *guardianlog_name;
extern apr_file_t *guardianlog_fd;
extern char *guardianlog_condition;
@@ -1613,8 +1773,13 @@ static const char *cmd_guardian_log(cmd_parms *cmd, void *_dcfg,
*/
static const char *cmd_stream_inbody_inspection(cmd_parms *cmd, void *_dcfg, int flag)
{
+ assert(_dcfg != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_stream_inbody_inspection: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
dcfg->stream_inbody_inspection = flag;
return NULL;
}
@@ -1632,8 +1797,13 @@ static const char *cmd_stream_inbody_inspection(cmd_parms *cmd, void *_dcfg, int
*/
static const char *cmd_stream_outbody_inspection(cmd_parms *cmd, void *_dcfg, int flag)
{
+ assert(_dcfg != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_stream_outbody_inspection: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
dcfg->stream_outbody_inspection = flag;
return NULL;
}
@@ -1650,11 +1820,17 @@ static const char *cmd_stream_outbody_inspection(cmd_parms *cmd, void *_dcfg, in
static const char *cmd_rule_perf_time(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_rule_perf_time: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
long int limit;
- if (dcfg == NULL) return NULL;
-
limit = strtol(p1, NULL, 10);
if ((limit == LONG_MAX)||(limit == LONG_MIN)||(limit <= 0)) {
return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRulePerfTime: %s", p1);
@@ -1666,18 +1842,31 @@ static const char *cmd_rule_perf_time(cmd_parms *cmd, void *_dcfg,
}
char *parser_conn_limits_operator(apr_pool_t *mp, const char *p2,
- TreeRoot **whitelist, TreeRoot **suspicious_list,
+ TreeRoot **whitelist, TreeRoot **suspicious_list,
const char *filename)
{
+ assert(p2 != NULL);
+ assert(whitelist != NULL);
+ assert(suspicious_list != NULL);
+ assert(filename != NULL);
int res = 0;
char *config_orig_path;
char *param = strchr(p2, ' ');
char *file = NULL;
char *error_msg = NULL;
+
+ if (param == NULL) {
+ return apr_psprintf(mp, "ModSecurity: Space character between operator " \
+ "and parameter not found with ConnReadStateLimit: %s", p2);
+ }
+
param++;
config_orig_path = apr_pstrndup(mp, filename,
strlen(filename) - strlen(apr_filepath_name_get(filename)));
+ if (config_orig_path == NULL) {
+ return apr_psprintf(mp, "ModSecurity: failed to duplicate filename in parser_conn_limits_operator");
+ }
apr_filepath_merge(&file, config_orig_path, param, APR_FILEPATH_TRUENAME,
mp);
@@ -1734,11 +1923,17 @@ char *parser_conn_limits_operator(apr_pool_t *mp, const char *p2,
static const char *cmd_conn_read_state_limit(cmd_parms *cmd, void *_dcfg,
const char *p1, const char *p2)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_conn_read_state_limit: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
long int limit;
- if (dcfg == NULL) return NULL;
-
limit = strtol(p1, NULL, 10);
if ((limit == LONG_MAX) || (limit == LONG_MIN) || (limit <= 0)) {
return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
@@ -1753,7 +1948,7 @@ static const char *cmd_conn_read_state_limit(cmd_parms *cmd, void *_dcfg,
if (param)
return param;
}
-
+
conn_read_state_limit = limit;
return NULL;
@@ -1762,6 +1957,7 @@ static const char *cmd_conn_read_state_limit(cmd_parms *cmd, void *_dcfg,
static const char *cmd_read_state_limit(cmd_parms *cmd, void *_dcfg,
const char *p1, const char *p2)
{
+ assert(cmd != NULL);
ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool,
"SecReadStateLimit is depricated, use SecConnReadStateLimit " \
"instead.");
@@ -1783,11 +1979,17 @@ static const char *cmd_read_state_limit(cmd_parms *cmd, void *_dcfg,
static const char *cmd_conn_write_state_limit(cmd_parms *cmd, void *_dcfg,
const char *p1, const char *p2)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_conn_write_state_limit: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
long int limit;
- if (dcfg == NULL) return NULL;
-
limit = strtol(p1, NULL, 10);
if ((limit == LONG_MAX) || (limit == LONG_MIN) || (limit <= 0)) {
return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
@@ -1810,6 +2012,7 @@ static const char *cmd_conn_write_state_limit(cmd_parms *cmd, void *_dcfg,
static const char *cmd_write_state_limit(cmd_parms *cmd, void *_dcfg,
const char *p1, const char *p2)
{
+ assert(cmd != NULL);
ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool,
"SecWriteStateLimit is depricated, use SecConnWriteStateLimit " \
"instead.");
@@ -1822,11 +2025,17 @@ static const char *cmd_write_state_limit(cmd_parms *cmd, void *_dcfg,
static const char *cmd_request_body_inmemory_limit(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_request_body_inmemory_limit: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
long int limit;
- if (dcfg == NULL) return NULL;
-
limit = strtol(p1, NULL, 10);
if ((limit == LONG_MAX)||(limit == LONG_MIN)||(limit <= 0)) {
return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRequestBodyInMemoryLimit: %s", p1);
@@ -1840,11 +2049,17 @@ static const char *cmd_request_body_inmemory_limit(cmd_parms *cmd, void *_dcfg,
static const char *cmd_request_body_limit(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_request_body_limit: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
long int limit;
- if (dcfg == NULL) return NULL;
-
limit = strtol(p1, NULL, 10);
if ((limit == LONG_MAX)||(limit == LONG_MIN)||(limit <= 0)) {
return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRequestBodyLimit: %s", p1);
@@ -1858,11 +2073,17 @@ static const char *cmd_request_body_limit(cmd_parms *cmd, void *_dcfg,
static const char *cmd_request_body_no_files_limit(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_request_body_no_files_limit: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
long int limit;
- if (dcfg == NULL) return NULL;
-
limit = strtol(p1, NULL, 10);
if ((limit == LONG_MAX)||(limit == LONG_MIN)||(limit <= 0)) {
return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRequestBodyNoFilesLimit: %s", p1);
@@ -1873,12 +2094,67 @@ static const char *cmd_request_body_no_files_limit(cmd_parms *cmd, void *_dcfg,
return NULL;
}
+static const char *cmd_request_body_json_depth_limit(cmd_parms *cmd, void *_dcfg,
+ const char *p1)
+{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_request_body_json_depth_limit: _dcfg is NULL");
+ return NULL;
+ }
+ directory_config *dcfg = (directory_config *)_dcfg;
+ long int limit;
+
+ limit = strtol(p1, NULL, 10);
+ if ((limit == LONG_MAX)||(limit == LONG_MIN)||(limit <= 0)) {
+ return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRequestBodyJsonDepthLimit: %s", p1);
+ }
+
+ dcfg->reqbody_json_depth_limit = limit;
+
+ return NULL;
+}
+
+static const char *cmd_arguments_limit(cmd_parms *cmd, void *_dcfg,
+ const char *p1)
+{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_arguments_limit: _dcfg is NULL");
+ return NULL;
+ }
+ directory_config *dcfg = (directory_config *)_dcfg;
+ long int limit;
+
+ limit = strtol(p1, NULL, 10);
+ if ((limit == LONG_MAX)||(limit == LONG_MIN)||(limit <= 0)) {
+ return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecArgumentsLimit: %s", p1);
+ }
+
+ dcfg->arguments_limit = limit;
+
+ return NULL;
+}
+
static const char *cmd_request_body_access(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_request_body_access: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
+
if (strcasecmp(p1, "on") == 0) dcfg->reqbody_access = 1;
else
if (strcasecmp(p1, "off") == 0) dcfg->reqbody_access = 0;
@@ -1901,9 +2177,16 @@ static const char *cmd_request_body_access(cmd_parms *cmd, void *_dcfg,
static const char *cmd_request_intercept_on_error(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_request_intercept_on_error: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
+
if (strcasecmp(p1, "on") == 0) dcfg->reqintercept_oe = 1;
else
if (strcasecmp(p1, "off") == 0) dcfg->reqintercept_oe = 0;
@@ -1917,11 +2200,15 @@ static const char *cmd_request_intercept_on_error(cmd_parms *cmd, void *_dcfg,
static const char *cmd_request_encoding(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(_dcfg != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_request_encoding: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
+
/* ENH Validate encoding */
-
dcfg->request_encoding = p1;
return NULL;
@@ -1930,9 +2217,16 @@ static const char *cmd_request_encoding(cmd_parms *cmd, void *_dcfg,
static const char *cmd_response_body_access(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_response_body_access: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
+
if (strcasecmp(p1, "on") == 0) dcfg->resbody_access = 1;
else
if (strcasecmp(p1, "off") == 0) dcfg->resbody_access = 0;
@@ -1945,6 +2239,14 @@ static const char *cmd_response_body_access(cmd_parms *cmd, void *_dcfg,
static const char *cmd_response_body_limit(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_response_body_limit: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
long int limit;
@@ -1965,9 +2267,16 @@ static const char *cmd_response_body_limit(cmd_parms *cmd, void *_dcfg,
static const char *cmd_response_body_limit_action(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_response_body_limit_action: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
+
if (dcfg->is_enabled == MODSEC_DETECTION_ONLY) {
dcfg->of_limit_action = RESPONSE_BODY_LIMIT_ACTION_PARTIAL;
return NULL;
@@ -1995,9 +2304,16 @@ static const char *cmd_response_body_limit_action(cmd_parms *cmd, void *_dcfg,
static const char *cmd_resquest_body_limit_action(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_resquest_body_limit_action: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
+
if (dcfg->is_enabled == MODSEC_DETECTION_ONLY) {
dcfg->if_limit_action = REQUEST_BODY_LIMIT_ACTION_PARTIAL;
return NULL;
@@ -2015,6 +2331,14 @@ static const char *cmd_resquest_body_limit_action(cmd_parms *cmd, void *_dcfg,
static const char *cmd_response_body_mime_type(cmd_parms *cmd, void *_dcfg,
const char *_p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(_p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_response_body_mime_type: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
char *p1 = apr_pstrdup(cmd->pool, _p1);
@@ -2033,9 +2357,14 @@ static const char *cmd_response_body_mime_type(cmd_parms *cmd, void *_dcfg,
static const char *cmd_response_body_mime_types_clear(cmd_parms *cmd,
void *_dcfg)
{
+ assert(_dcfg != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_response_body_mime_types_clear: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
+
dcfg->of_mime_types_cleared = 1;
if ((dcfg->of_mime_types != NULL)&&(dcfg->of_mime_types != NOT_SET_P)) {
@@ -2059,10 +2388,16 @@ static const char *cmd_response_body_mime_types_clear(cmd_parms *cmd,
static const char *cmd_rule_update_target_by_id(cmd_parms *cmd, void *_dcfg,
const char *p1, const char *p2, const char *p3)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_rule_update_target_by_id: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
rule_exception *re = apr_pcalloc(cmd->pool, sizeof(rule_exception));
- if (dcfg == NULL) return NULL;
-
+
if(p1 == NULL) {
return apr_psprintf(cmd->pool, "Updating target by ID with no ID");
}
@@ -2096,10 +2431,16 @@ static const char *cmd_rule_update_target_by_id(cmd_parms *cmd, void *_dcfg,
static const char *cmd_rule_update_target_by_tag(cmd_parms *cmd, void *_dcfg,
const char *p1, const char *p2, const char *p3)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_rule_update_target_by_tag: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
rule_exception *re = apr_pcalloc(cmd->pool, sizeof(rule_exception));
- if (dcfg == NULL) return NULL;
-
+
if(p1 == NULL) {
return apr_psprintf(cmd->pool, "Updating target by tag with no tag");
}
@@ -2131,10 +2472,17 @@ static const char *cmd_rule_update_target_by_tag(cmd_parms *cmd, void *_dcfg,
static const char *cmd_rule_update_target_by_msg(cmd_parms *cmd, void *_dcfg,
const char *p1, const char *p2, const char *p3)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_rule_update_target_by_msg: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
rule_exception *re = apr_pcalloc(cmd->pool, sizeof(rule_exception));
- if (dcfg == NULL) return NULL;
-
+
if(p1 == NULL) {
return apr_psprintf(cmd->pool, "Updating target by message with no message");
}
@@ -2159,10 +2507,16 @@ static const char *cmd_rule(cmd_parms *cmd, void *_dcfg,
static const char *cmd_sever_conn_filters_engine(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_sever_conn_filters_engine: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
if (strcasecmp(p1, "on") == 0)
{
conn_limits_filter_state = MODSEC_ENABLED;
@@ -2186,10 +2540,16 @@ static const char *cmd_sever_conn_filters_engine(cmd_parms *cmd, void *_dcfg,
static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_rule_engine: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
if (strcasecmp(p1, "on") == 0)
{
dcfg->is_enabled = MODSEC_ENABLED;
@@ -2215,8 +2575,16 @@ static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
static const char *cmd_remote_rules_fail(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_remote_rules_fail: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
+
if (strncasecmp(p1, "warn", 4) == 0)
{
remote_rules_fail_action = REMOTE_RULES_WARN_ON_FAIL;
@@ -2237,7 +2605,15 @@ static const char *cmd_remote_rules_fail(cmd_parms *cmd, void *_dcfg, const char
static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
const char *p2, const char *p3)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
char *error_msg = NULL;
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_remote_rules: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
#ifdef WITH_REMOTE_RULES
int crypto = 0;
@@ -2245,8 +2621,6 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
const char *key = p1;
#endif
- if (dcfg == NULL) return NULL;
-
#ifdef WITH_REMOTE_RULES
if (strncasecmp(p1, "crypto", 6) == 0)
{
@@ -2309,6 +2683,8 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
static const char *cmd_status_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(p1 != NULL);
if (strcasecmp(p1, "on") == 0) {
status_engine_state = STATUS_ENGINE_ENABLED;
}
@@ -2326,8 +2702,13 @@ static const char *cmd_status_engine(cmd_parms *cmd, void *_dcfg, const char *p1
static const char *cmd_rule_inheritance(cmd_parms *cmd, void *_dcfg, int flag)
{
+ assert(_dcfg != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_rule_inheritance: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
dcfg->rule_inheritance = flag;
return NULL;
}
@@ -2335,7 +2716,9 @@ static const char *cmd_rule_inheritance(cmd_parms *cmd, void *_dcfg, int flag)
static const char *cmd_rule_script(cmd_parms *cmd, void *_dcfg,
const char *p1, const char *p2)
{
- #if defined(WITH_LUA)
+ assert(cmd != NULL);
+ assert(p1 != NULL);
+#if defined(WITH_LUA)
const char *filename = resolve_relative_path(cmd->pool, cmd->directive->filename, p1);
return add_rule(cmd, (directory_config *)_dcfg, RULE_TYPE_LUA, filename, p2, NULL);
#else
@@ -2347,9 +2730,20 @@ static const char *cmd_rule_script(cmd_parms *cmd, void *_dcfg,
static const char *cmd_rule_remove_by_id(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_rule_remove_by_id: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- rule_exception *re = apr_pcalloc(cmd->pool, sizeof(rule_exception));
- if (dcfg == NULL) return NULL;
+ rule_exception* re = apr_pcalloc(cmd->pool, sizeof(rule_exception));
+ if (re == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, cmd->pool, "cmd_rule_remove_by_id: Cannot allocate memory");
+ return NULL;
+ }
re->type = RULE_EXCEPTION_REMOVE_ID;
re->param = p1;
@@ -2374,10 +2768,21 @@ static const char *cmd_rule_remove_by_id(cmd_parms *cmd, void *_dcfg,
static const char *cmd_rule_remove_by_tag(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_rule_remove_by_tag: _dcfg is NULL");
+ return NULL;
+ }
+ if (p1 == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_rule_remove_by_tag: p1 is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
rule_exception *re = apr_pcalloc(cmd->pool, sizeof(rule_exception));
- if (dcfg == NULL) return NULL;
-
+
re->type = RULE_EXCEPTION_REMOVE_TAG;
re->param = p1;
re->param_data = msc_pregcomp(cmd->pool, p1, 0, NULL, NULL);
@@ -2399,10 +2804,17 @@ static const char *cmd_rule_remove_by_tag(cmd_parms *cmd, void *_dcfg,
static const char *cmd_rule_remove_by_msg(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_rule_remove_by_msg: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
rule_exception *re = apr_pcalloc(cmd->pool, sizeof(rule_exception));
- if (dcfg == NULL) return NULL;
-
+
re->type = RULE_EXCEPTION_REMOVE_MSG;
re->param = p1;
re->param_data = msc_pregcomp(cmd->pool, p1, 0, NULL, NULL);
@@ -2424,6 +2836,8 @@ static const char *cmd_rule_remove_by_msg(cmd_parms *cmd, void *_dcfg,
static const char *cmd_rule_update_action_by_id(cmd_parms *cmd, void *_dcfg,
const char *p1, const char *p2)
{
+ assert(cmd != NULL);
+ assert(p1 != NULL);
int offset = 0, rule_id = atoi(p1);
char *opt = strchr(p1,':');
char *savedptr = NULL;
@@ -2446,6 +2860,8 @@ static const char *cmd_rule_update_action_by_id(cmd_parms *cmd, void *_dcfg,
static const char *cmd_server_signature(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(p1 != NULL);
if (cmd->server->is_virtual) {
return "ModSecurity: SecServerSignature not allowed in VirtualHost";
}
@@ -2455,10 +2871,16 @@ static const char *cmd_server_signature(cmd_parms *cmd, void *_dcfg,
static const char *cmd_tmp_dir(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_tmp_dir: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
if (strcasecmp(p1, "none") == 0) dcfg->tmp_dir = NULL;
else dcfg->tmp_dir = ap_server_root_relative(cmd->pool, p1);
@@ -2467,10 +2889,16 @@ static const char *cmd_tmp_dir(cmd_parms *cmd, void *_dcfg, const char *p1)
static const char *cmd_upload_dir(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_upload_dir: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
if (strcasecmp(p1, "none") == 0) dcfg->upload_dir = NULL;
else dcfg->upload_dir = ap_server_root_relative(cmd->pool, p1);
@@ -2480,10 +2908,16 @@ static const char *cmd_upload_dir(cmd_parms *cmd, void *_dcfg, const char *p1)
static const char *cmd_upload_file_limit(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_upload_file_limit: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
if (strcasecmp(p1, "default") == 0) {
dcfg->upload_file_limit = NOT_SET;
}
@@ -2497,10 +2931,16 @@ static const char *cmd_upload_file_limit(cmd_parms *cmd, void *_dcfg,
static const char *cmd_upload_filemode(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_upload_filemode: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
if (strcasecmp(p1, "default") == 0) {
dcfg->upload_filemode = NOT_SET;
}
@@ -2519,10 +2959,16 @@ static const char *cmd_upload_filemode(cmd_parms *cmd, void *_dcfg,
static const char *cmd_upload_keep_files(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_upload_keep_files: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
if (strcasecmp(p1, "on") == 0) {
dcfg->upload_keep_files = KEEP_FILES_ON;
} else
@@ -2541,10 +2987,16 @@ static const char *cmd_upload_keep_files(cmd_parms *cmd, void *_dcfg,
static const char *cmd_upload_save_tmp_files(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_upload_save_tmp_files: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
if (strcasecmp(p1, "on") == 0)
{
dcfg->upload_validates_files = 1;
@@ -2564,6 +3016,14 @@ static const char *cmd_upload_save_tmp_files(cmd_parms *cmd, void *_dcfg,
static const char *cmd_web_app_id(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_web_app_id: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
/* ENH enforce format (letters, digits, ., _, -) */
@@ -2574,6 +3034,14 @@ static const char *cmd_web_app_id(cmd_parms *cmd, void *_dcfg, const char *p1)
static const char *cmd_sensor_id(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_sensor_id: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
/* ENH enforce format (letters, digits, ., _, -) */
@@ -2594,9 +3062,15 @@ static const char *cmd_sensor_id(cmd_parms *cmd, void *_dcfg, const char *p1)
*/
static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_xml_external_entity: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
if (strcasecmp(p1, "on") == 0) {
dcfg->xml_external_entity = 1;
}
@@ -2621,9 +3095,15 @@ static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const ch
*/
static const char *cmd_hash_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_hash_engine: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
if (strcasecmp(p1, "on") == 0) {
dcfg->hash_is_enabled = HASH_ENABLED;
dcfg->hash_enforcement = HASH_ENABLED;
@@ -2638,7 +3118,7 @@ static const char *cmd_hash_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
}
/**
-* \brief Add SecHashPram configuration option
+* \brief Add SecHashParam configuration option
*
* \param cmd Pointer to configuration data
* \param _dcfg Pointer to directory configuration
@@ -2648,11 +3128,20 @@ static const char *cmd_hash_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
*/
static const char *cmd_hash_param(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_hash_param: _dcfg is NULL");
+ return NULL;
+ }
+ if (p1 == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_hash_param: p1 is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
- if (p1 == NULL) return NULL;
dcfg->crypto_param_name = p1;
return NULL;
@@ -2670,12 +3159,26 @@ static const char *cmd_hash_param(cmd_parms *cmd, void *_dcfg, const char *p1)
*/
static const char *cmd_hash_key(cmd_parms *cmd, void *_dcfg, const char *_p1, const char *_p2)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(_p1 != NULL);
+ assert(_p2 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_hash_key: _dcfg is NULL");
+ return NULL;
+ }
+ if (_p1 == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_hash_key: _p1 is NULL");
+ return NULL;
+ }
+ if (_p2 == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_hash_key: _p2 is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
char *p1 = NULL;
- if (dcfg == NULL) return NULL;
- if (_p1 == NULL) return NULL;
-
if (strcasecmp(_p1, "Rand") == 0) {
p1 = apr_pstrdup(cmd->pool, getkey(cmd->pool));
dcfg->crypto_key = p1;
@@ -2686,16 +3189,13 @@ static const char *cmd_hash_key(cmd_parms *cmd, void *_dcfg, const char *_p1, co
dcfg->crypto_key_len = strlen(p1);
}
- if(_p2 == NULL) {
- return NULL;
- } else {
- if (strcasecmp(_p2, "KeyOnly") == 0)
- dcfg->crypto_key_add = HASH_KEYONLY;
- else if (strcasecmp(_p2, "SessionID") == 0)
- dcfg->crypto_key_add = HASH_SESSIONID;
- else if (strcasecmp(_p2, "RemoteIP") == 0)
- dcfg->crypto_key_add = HASH_REMOTEIP;
- }
+ if (strcasecmp(_p2, "KeyOnly") == 0)
+ dcfg->crypto_key_add = HASH_KEYONLY;
+ else if (strcasecmp(_p2, "SessionID") == 0)
+ dcfg->crypto_key_add = HASH_SESSIONID;
+ else if (strcasecmp(_p2, "RemoteIP") == 0)
+ dcfg->crypto_key_add = HASH_REMOTEIP;
+
return NULL;
}
@@ -2713,6 +3213,19 @@ static const char *cmd_hash_key(cmd_parms *cmd, void *_dcfg, const char *_p1, co
static const char *cmd_hash_method_pm(cmd_parms *cmd, void *_dcfg,
const char *p1, const char *p2)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ assert(p2 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_hash_method_pm: _dcfg is NULL");
+ return NULL;
+ }
+ if (p1 == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_hash_method_pm: p1 is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
rule_exception *re = apr_pcalloc(cmd->pool, sizeof(hash_method));
const char *_p2 = apr_pstrdup(cmd->pool, p2);
@@ -2720,8 +3233,6 @@ static const char *cmd_hash_method_pm(cmd_parms *cmd, void *_dcfg,
const char *phrase = NULL;
const char *next = NULL;
- if (dcfg == NULL) return NULL;
-
p = acmp_create(0, cmd->pool);
if (p == NULL) return NULL;
@@ -2804,11 +3315,19 @@ static const char *cmd_hash_method_pm(cmd_parms *cmd, void *_dcfg,
static const char *cmd_hash_method_rx(cmd_parms *cmd, void *_dcfg,
const char *p1, const char *p2)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ assert(p2 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_hash_method_rx: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
rule_exception *re = apr_pcalloc(cmd->pool, sizeof(hash_method));
const char *_p2 = apr_pstrdup(cmd->pool, p2);
- if (dcfg == NULL) return NULL;
-
+
if (strcasecmp(p1, "HashHref") == 0) {
re->type = HASH_URL_HREF_HASH_RX;
re->param = _p2;
@@ -2871,11 +3390,20 @@ static const char *cmd_hash_method_rx(cmd_parms *cmd, void *_dcfg,
*/
static const char *cmd_httpBl_key(cmd_parms *cmd, void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_httpBl_key: _dcfg is NULL");
+ return NULL;
+ }
+ if (p1 == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_httpBl_key: p1 is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
- if (p1 == NULL) return NULL;
dcfg->httpBlkey = p1;
return NULL;
@@ -2886,6 +3414,13 @@ static const char *cmd_httpBl_key(cmd_parms *cmd, void *_dcfg, const char *p1)
static const char *cmd_pcre_match_limit(cmd_parms *cmd,
void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (p1 == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_pcre_match_limit: p1 is NULL");
+ return NULL;
+ }
long val;
if (cmd->server->is_virtual) {
@@ -2905,6 +3440,13 @@ static const char *cmd_pcre_match_limit(cmd_parms *cmd,
static const char *cmd_pcre_match_limit_recursion(cmd_parms *cmd,
void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (p1 == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_pcre_match_limit_recursion: p1 is NULL");
+ return NULL;
+ }
long val;
if (cmd->server->is_virtual) {
@@ -2927,11 +3469,22 @@ static const char *cmd_pcre_match_limit_recursion(cmd_parms *cmd,
static const char *cmd_geo_lookup_db(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(p1 != NULL);
+ assert(_dcfg != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_geo_lookup_db: _dcfg is NULL");
+ return NULL;
+ }
+ if (p1 == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_geo_lookup_db: p1 is NULL");
+ return NULL;
+ }
const char *filename = resolve_relative_path(cmd->pool, cmd->directive->filename, p1);
char *error_msg;
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
+
if (geo_init(dcfg, filename, &error_msg) <= 0) {
return error_msg;
}
@@ -2953,6 +3506,8 @@ static const char *cmd_geo_lookup_db(cmd_parms *cmd, void *_dcfg,
static const char *cmd_unicode_codepage(cmd_parms *cmd,
void *_dcfg, const char *p1)
{
+ assert(cmd != NULL);
+ assert(p1 != NULL);
long val;
val = atol(p1);
@@ -2978,12 +3533,19 @@ static const char *cmd_unicode_codepage(cmd_parms *cmd,
static const char *cmd_unicode_map(cmd_parms *cmd, void *_dcfg,
const char *p1, const char *p2)
{
+ assert(cmd != NULL);
+ assert(p1 != NULL);
+ assert(p2 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_unicode_map: _dcfg is NULL");
+ return NULL;
+ }
const char *filename = resolve_relative_path(cmd->pool, cmd->directive->filename, p1);
char *error_msg;
long val = 0;
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
+
if(p2 != NULL) {
val = atol(p2);
if (val <= 0) {
@@ -3013,11 +3575,12 @@ static const char *cmd_unicode_map(cmd_parms *cmd, void *_dcfg,
static const char *cmd_gsb_lookup_db(cmd_parms *cmd, void *_dcfg,
const char *p1)
{
+ assert(cmd != NULL);
+ assert(p1 != NULL);
const char *filename = resolve_relative_path(cmd->pool, cmd->directive->filename, p1);
char *error_msg;
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
+
if (gsb_db_init(dcfg, filename, &error_msg) <= 0) {
return error_msg;
}
@@ -3030,10 +3593,16 @@ static const char *cmd_gsb_lookup_db(cmd_parms *cmd, void *_dcfg,
static const char *cmd_cache_transformations(cmd_parms *cmd, void *_dcfg,
const char *p1, const char *p2)
{
+ assert(cmd != NULL);
+ assert(_dcfg != NULL);
+ assert(p1 != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (_dcfg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, cmd->pool, "cmd_cache_transformations: _dcfg is NULL");
+ return NULL;
+ }
directory_config *dcfg = (directory_config *)_dcfg;
- if (dcfg == NULL) return NULL;
-
if (strcasecmp(p1, "on") == 0)
dcfg->cache_trans = MODSEC_CACHE_ENABLED;
else if (strcasecmp(p1, "off") == 0)
@@ -3223,6 +3792,16 @@ const command_rec module_directives[] = {
"whether to use the old audit log format (Serial) or new (Concurrent)"
),
+#ifdef WITH_YAJL
+ AP_INIT_TAKE1 (
+ "SecAuditLogFormat",
+ cmd_audit_log_mode,
+ NULL,
+ CMD_SCOPE_ANY,
+ "whether to emit audit log data in native format or JSON"
+ ),
+#endif
+
AP_INIT_TAKE1 (
"SecAuditLogStorageDir",
cmd_audit_log_storage_dir,
@@ -3496,6 +4075,22 @@ const command_rec module_directives[] = {
"maximum request body size ModSecurity will accept, but excluding the size of uploaded files."
),
+ AP_INIT_TAKE1 (
+ "SecRequestBodyJsonDepthLimit",
+ cmd_request_body_json_depth_limit,
+ NULL,
+ CMD_SCOPE_ANY,
+ "maximum request body JSON parsing depth ModSecurity will accept."
+ ),
+
+ AP_INIT_TAKE1 (
+ "SecArgumentsLimit",
+ cmd_arguments_limit,
+ NULL,
+ CMD_SCOPE_ANY,
+ "maximum number of ARGS that ModSecurity will accept."
+ ),
+
AP_INIT_TAKE1 (
"SecRequestEncoding",
cmd_request_encoding,
diff --git a/apache2/apache2_io.c b/apache2/apache2_io.c
index 88f1903183..405b649ae4 100644
--- a/apache2/apache2_io.c
+++ b/apache2/apache2_io.c
@@ -18,6 +18,10 @@
#include "apache2.h"
#include "msc_crypt.h"
+#ifdef APLOG_USE_MODULE
+ APLOG_USE_MODULE(security2);
+#endif
+
/* -- Input filter -- */
#if 0
@@ -36,6 +40,7 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *bb_out,
msc_data_chunk *chunk = NULL;
apr_bucket *bucket;
apr_status_t rc;
+ int no_data = 1;
char *my_error_msg = NULL;
if (msr == NULL) {
@@ -85,10 +90,11 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *bb_out,
return APR_EGENERAL;
}
- if (chunk && (!msr->txcfg->stream_inbody_inspection || (msr->txcfg->stream_inbody_inspection && msr->if_stream_changed == 0))) {
- /* Copy the data we received in the chunk */
- bucket = apr_bucket_heap_create(chunk->data, chunk->length, NULL,
- f->r->connection->bucket_alloc);
+ if (chunk && chunk->length > 0) {
+ if (chunk && (!msr->txcfg->stream_inbody_inspection || (msr->txcfg->stream_inbody_inspection && msr->if_stream_changed == 0))) {
+ /* Copy the data we received in the chunk */
+ bucket = apr_bucket_heap_create(chunk->data, chunk->length, NULL,
+ f->r->connection->bucket_alloc);
#if 0
@@ -107,44 +113,50 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *bb_out,
#endif
- if (bucket == NULL) return APR_EGENERAL;
- APR_BRIGADE_INSERT_TAIL(bb_out, bucket);
+ if (bucket == NULL) return APR_EGENERAL;
+ APR_BRIGADE_INSERT_TAIL(bb_out, bucket);
+ no_data = 0;
- if (msr->txcfg->debuglog_level >= 4) {
- msr_log(msr, 4, "Input filter: Forwarded %" APR_SIZE_T_FMT " bytes.", chunk->length);
- }
- } else if (msr->stream_input_data != NULL) {
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "Input filter: Forwarded %" APR_SIZE_T_FMT " bytes.", chunk->length);
+ }
+ } else if (msr->stream_input_data != NULL) {
- msr->if_stream_changed = 0;
+ msr->if_stream_changed = 0;
- bucket = apr_bucket_heap_create(msr->stream_input_data, msr->stream_input_length, NULL,
- f->r->connection->bucket_alloc);
+ bucket = apr_bucket_heap_create(msr->stream_input_data, msr->stream_input_length, NULL,
+ f->r->connection->bucket_alloc);
- if (msr->txcfg->stream_inbody_inspection) {
- if(msr->stream_input_data != NULL) {
- free(msr->stream_input_data);
- msr->stream_input_data = NULL;
+ if (msr->txcfg->stream_inbody_inspection) {
+ if(msr->stream_input_data != NULL) {
+ free(msr->stream_input_data);
+ msr->stream_input_data = NULL;
+ }
}
- }
- if (bucket == NULL) return APR_EGENERAL;
- APR_BRIGADE_INSERT_TAIL(bb_out, bucket);
+ if (bucket == NULL) return APR_EGENERAL;
+ APR_BRIGADE_INSERT_TAIL(bb_out, bucket);
+ no_data = 0;
- if (msr->txcfg->debuglog_level >= 4) {
- msr_log(msr, 4, "Input stream filter: Forwarded %" APR_SIZE_T_FMT " bytes.", msr->stream_input_length);
- }
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "Input stream filter: Forwarded %" APR_SIZE_T_FMT " bytes.", msr->stream_input_length);
+ }
+ }
}
if (rc == 0) {
modsecurity_request_body_retrieve_end(msr);
- bucket = apr_bucket_eos_create(f->r->connection->bucket_alloc);
- if (bucket == NULL) return APR_EGENERAL;
- APR_BRIGADE_INSERT_TAIL(bb_out, bucket);
+ if (msr->if_seen_eos) {
+ bucket = apr_bucket_eos_create(f->r->connection->bucket_alloc);
+ if (bucket == NULL) return APR_EGENERAL;
+ APR_BRIGADE_INSERT_TAIL(bb_out, bucket);
+ no_data = 0;
- if (msr->txcfg->debuglog_level >= 4) {
- msr_log(msr, 4, "Input filter: Sent EOS.");
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "Input filter: Sent EOS.");
+ }
}
/* We're done */
@@ -154,6 +166,10 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *bb_out,
if (msr->txcfg->debuglog_level >= 4) {
msr_log(msr, 4, "Input filter: Input forwarding complete.");
}
+
+ if (no_data) {
+ return ap_get_brigade(f->next, bb_out, mode, block, nbytes);
+ }
}
return APR_SUCCESS;
@@ -163,12 +179,13 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *bb_out,
* Reads request body from a client.
*/
apr_status_t read_request_body(modsec_rec *msr, char **error_msg) {
+ assert(msr != NULL);
+ assert(error_msg!= NULL);
request_rec *r = msr->r;
- unsigned int seen_eos;
+ unsigned int finished_reading;
apr_bucket_brigade *bb_in;
apr_bucket *bucket;
- if (error_msg == NULL) return -1;
*error_msg = NULL;
if (msr->reqbody_should_exist != 1) {
@@ -188,12 +205,12 @@ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) {
if (msr->txcfg->debuglog_level >= 4) {
msr_log(msr, 4, "Input filter: Reading request body.");
}
-
if (modsecurity_request_body_start(msr, error_msg) < 0) {
return -1;
}
- seen_eos = 0;
+ finished_reading = 0;
+ msr->if_seen_eos = 0;
bb_in = apr_brigade_create(msr->mp, r->connection->bucket_alloc);
if (bb_in == NULL) return -1;
do {
@@ -205,6 +222,9 @@ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) {
* too large and APR_EGENERAL when the client disconnects.
*/
switch(rc) {
+ case APR_INCOMPLETE :
+ *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
+ return -7;
case APR_EOF :
*error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
return -6;
@@ -275,14 +295,25 @@ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) {
}
if (msr->txcfg->stream_inbody_inspection == 1) {
+#ifndef MSC_LARGE_STREAM_INPUT
msr->stream_input_length+=buflen;
modsecurity_request_body_to_stream(msr, buf, buflen, error_msg);
+#else
+ if (modsecurity_request_body_to_stream(msr, buf, buflen, error_msg) < 0) {
+ return -1;
+ }
+#endif
}
msr->reqbody_length += buflen;
if (buflen != 0) {
int rcbs = modsecurity_request_body_store(msr, buf, buflen, error_msg);
+
+ if (msr->reqbody_length > (apr_size_t)msr->txcfg->reqbody_limit && msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL) {
+ finished_reading = 1;
+ }
+
if (rcbs < 0) {
if (rcbs == -5) {
if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) {
@@ -309,15 +340,15 @@ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) {
}
if (APR_BUCKET_IS_EOS(bucket)) {
- seen_eos = 1;
+ finished_reading = 1;
+ msr->if_seen_eos = 1;
}
}
apr_brigade_cleanup(bb_in);
- } while(!seen_eos);
+ } while(!finished_reading);
- // TODO: Why ignore the return code here?
- modsecurity_request_body_end(msr, error_msg);
+ apr_status_t rcbe = modsecurity_request_body_end(msr, error_msg);
if (msr->txcfg->debuglog_level >= 4) {
msr_log(msr, 4, "Input filter: Completed receiving request body (length %" APR_SIZE_T_FMT ").",
@@ -326,7 +357,7 @@ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) {
msr->if_status = IF_STATUS_WANTS_TO_RUN;
- return 1;
+ return rcbe;
}
@@ -338,6 +369,8 @@ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) {
* run or not.
*/
static int output_filter_should_run(modsec_rec *msr, request_rec *r) {
+ assert(msr != NULL);
+ assert(r != NULL);
char *content_type = NULL;
/* Check configuration. */
@@ -399,10 +432,13 @@ static int output_filter_should_run(modsec_rec *msr, request_rec *r) {
static apr_status_t output_filter_init(modsec_rec *msr, ap_filter_t *f,
apr_bucket_brigade *bb_in)
{
+ assert(msr != NULL);
+ assert(f != NULL);
request_rec *r = f->r;
const char *s_content_length = NULL;
apr_status_t rc;
+ assert(msr != NULL);
msr->of_brigade = apr_brigade_create(msr->mp, f->c->bucket_alloc);
if (msr->of_brigade == NULL) {
msr_log(msr, 1, "Output filter: Failed to create brigade.");
@@ -466,6 +502,8 @@ static apr_status_t output_filter_init(modsec_rec *msr, ap_filter_t *f,
* and to the client.
*/
static apr_status_t send_of_brigade(modsec_rec *msr, ap_filter_t *f) {
+ assert(msr != NULL);
+ assert(f != NULL);
apr_status_t rc;
rc = ap_pass_brigade(f->next, msr->of_brigade);
@@ -507,6 +545,8 @@ static apr_status_t send_of_brigade(modsec_rec *msr, ap_filter_t *f) {
*
*/
static void inject_content_to_of_brigade(modsec_rec *msr, ap_filter_t *f) {
+ assert(msr != NULL);
+ assert(f != NULL);
apr_bucket *b;
if (msr->txcfg->content_injection_enabled && msr->stream_output_data != NULL) {
@@ -533,6 +573,8 @@ static void inject_content_to_of_brigade(modsec_rec *msr, ap_filter_t *f) {
*
*/
static void prepend_content_to_of_brigade(modsec_rec *msr, ap_filter_t *f) {
+ assert(msr != NULL);
+ assert(f != NULL);
if ((msr->txcfg->content_injection_enabled) && (msr->content_prepend) && (!msr->of_skipping)) {
apr_bucket *bucket_ci = NULL;
@@ -587,7 +629,6 @@ static int flatten_response_body(modsec_rec *msr) {
return -1;
}
- memset(msr->stream_output_data, 0, msr->stream_output_length+1);
memcpy(msr->stream_output_data, msr->resbody_data, msr->stream_output_length);
msr->stream_output_data[msr->stream_output_length] = '\0';
} else if (msr->txcfg->stream_outbody_inspection && msr->txcfg->hash_is_enabled == HASH_ENABLED) {
@@ -600,8 +641,12 @@ static int flatten_response_body(modsec_rec *msr) {
retval = hash_response_body_links(msr);
if(retval > 0) {
retval = inject_hashed_response_body(msr, retval);
- if (msr->txcfg->debuglog_level >= 4) {
- msr_log(msr, 4, "Hash completed in %" APR_TIME_T_FMT " usec.", (apr_time_now() - time1));
+ if(retval < 0){
+ msr_log(msr, 1, "inject_hashed_response_body: Unable to inject hash into response body. Returning response without changes." );
+ }else{
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "Hash completed in %" APR_TIME_T_FMT " usec.", (apr_time_now() - time1));
+ }
}
}
@@ -616,7 +661,6 @@ static int flatten_response_body(modsec_rec *msr) {
return -1;
}
- memset(msr->stream_output_data, 0, msr->stream_output_length+1);
memcpy(msr->stream_output_data, msr->resbody_data, msr->stream_output_length);
msr->stream_output_data[msr->stream_output_length] = '\0';
}
@@ -974,6 +1018,12 @@ apr_status_t output_filter(ap_filter_t *f, apr_bucket_brigade *bb_in) {
/* Now send data down the filter stream
* (full-buffering only).
*/
+ if (!eos_bucket) {
+ ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, f->r->server,
+ "ModSecurity: Internal Error: eos_bucket is NULL.");
+ return APR_EGENERAL;
+ }
+
if ((msr->of_skipping == 0)&&(!msr->of_partial)) {
if(msr->of_stream_changed == 1) {
inject_content_to_of_brigade(msr,f);
diff --git a/apache2/apache2_util.c b/apache2/apache2_util.c
index 0960dc8e63..f42436790f 100644
--- a/apache2/apache2_util.c
+++ b/apache2/apache2_util.c
@@ -17,10 +17,16 @@
#include "http_core.h"
#include "util_script.h"
+#ifdef APLOG_USE_MODULE
+ APLOG_USE_MODULE(security2);
+#endif
+
/**
* Sends a brigade with an error bucket down the filter chain.
*/
apr_status_t send_error_bucket(modsec_rec *msr, ap_filter_t *f, int status) {
+ assert(msr != NULL);
+ assert(f != NULL);
apr_bucket_brigade *brigade = NULL;
apr_bucket *bucket = NULL;
@@ -57,6 +63,9 @@ apr_status_t send_error_bucket(modsec_rec *msr, ap_filter_t *f, int status) {
* the "output" parameter.
*/
int apache2_exec(modsec_rec *msr, const char *command, const char **argv, char **output) {
+ assert(msr != NULL);
+ assert(command != NULL);
+
apr_procattr_t *procattr = NULL;
apr_proc_t *procnew = NULL;
apr_status_t rc = APR_SUCCESS;
@@ -95,7 +104,12 @@ int apache2_exec(modsec_rec *msr, const char *command, const char **argv, char *
return -1;
}
- apr_procattr_io_set(procattr, APR_NO_PIPE, APR_FULL_BLOCK, APR_NO_PIPE);
+ rc = apr_procattr_io_set(procattr, APR_NO_PIPE, APR_FULL_BLOCK, APR_NO_PIPE);
+ if (rc != APR_SUCCESS) {
+ msr_log(msr, 1, "Exec: apr_procattr_io_set failed: %d (%s)", rc, get_apr_error(r->pool, rc));
+ return -1;
+ }
+
apr_procattr_cmdtype_set(procattr, APR_SHELLCMD);
if (msr->txcfg->debuglog_level >= 9) {
@@ -195,6 +209,9 @@ char *get_env_var(request_rec *r, char *name) {
static void internal_log_ex(request_rec *r, directory_config *dcfg, modsec_rec *msr,
int level, int fixup, const char *text, va_list ap)
{
+ assert(r != NULL);
+ assert(msr != NULL);
+ assert(text != NULL);
apr_size_t nbytes, nbytes_written;
apr_file_t *debuglog_fd = NULL;
int filter_debug_level = 0;
@@ -268,20 +285,17 @@ static void internal_log_ex(request_rec *r, directory_config *dcfg, modsec_rec *
else hostname = "";
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
- ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r->server,
- "[client %s] ModSecurity: %s%s [uri \"%s\"]%s", r->useragent_ip ? r->useragent_ip : r->connection->client_ip, str1,
- hostname, log_escape(msr->mp, r->uri), unique_id);
+ ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r,
+ "ModSecurity: %s%s [uri \"%s\"]%s", str1, hostname, log_escape(msr->mp, r->uri), unique_id);
#else
ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r->server,
- "[client %s] ModSecurity: %s%s [uri \"%s\"]%s", msr->remote_addr ? msr->remote_addr : r->connection->remote_ip, str1,
- hostname, log_escape(msr->mp, r->uri), unique_id);
+ "ModSecurity: %s%s [uri \"%s\"]%s", str1, hostname, log_escape(msr->mp, r->uri), unique_id);
#endif
/* Add this message to the list. */
if (msr != NULL) {
/* Force relevency if this is an alert */
msr->is_relevant++;
-
*(const char **)apr_array_push(msr->alerts) = apr_pstrdup(msr->mp, str1);
}
}
@@ -294,6 +308,8 @@ static void internal_log_ex(request_rec *r, directory_config *dcfg, modsec_rec *
* Apache error log if the message is important enough.
*/
void msr_log(modsec_rec *msr, int level, const char *text, ...) {
+ assert(msr != NULL);
+ assert(text != NULL);
va_list ap;
va_start(ap, text);
@@ -307,6 +323,8 @@ void msr_log(modsec_rec *msr, int level, const char *text, ...) {
* Apache error log. This is intended for error callbacks.
*/
void msr_log_error(modsec_rec *msr, const char *text, ...) {
+ assert(msr != NULL);
+ assert(text != NULL);
va_list ap;
va_start(ap, text);
@@ -321,6 +339,8 @@ void msr_log_error(modsec_rec *msr, const char *text, ...) {
* The 'text' will first be escaped.
*/
void msr_log_warn(modsec_rec *msr, const char *text, ...) {
+ assert(msr != NULL);
+ assert(text != NULL);
va_list ap;
va_start(ap, text);
@@ -339,6 +359,7 @@ char *format_error_log_message(apr_pool_t *mp, error_message_t *em) {
if (em == NULL) return NULL;
+#ifndef LOG_NO_FILENAME
if (em->file != NULL) {
s_file = apr_psprintf(mp, "[file \"%s\"] ",
log_escape(mp, (char *)em->file));
@@ -349,6 +370,7 @@ char *format_error_log_message(apr_pool_t *mp, error_message_t *em) {
s_line = apr_psprintf(mp, "[line %d] ", em->line);
if (s_line == NULL) return NULL;
}
+#endif
s_level = apr_psprintf(mp, "[level %d] ", em->level);
if (s_level == NULL) return NULL;
diff --git a/apache2/libinjection/libinjection.h b/apache2/libinjection/libinjection.h
index 11b14ac5f3..6b40b1df6a 100644
--- a/apache2/libinjection/libinjection.h
+++ b/apache2/libinjection/libinjection.h
@@ -1,5 +1,5 @@
/**
- * Copyright 2012, 2013 Nick Galbreath
+ * Copyright 2012-2016 Nick Galbreath
* nickg@client9.com
* BSD License -- see COPYING.txt for details
*
@@ -7,8 +7,8 @@
*
*/
-#ifndef _LIBINJECTION_H
-#define _LIBINJECTION_H
+#ifndef LIBINJECTION_H
+#define LIBINJECTION_H
#ifdef __cplusplus
# define LIBINJECTION_BEGIN_DECLS extern "C" {
@@ -49,9 +49,9 @@ const char* libinjection_version(void);
*/
int libinjection_sqli(const char* s, size_t slen, char fingerprint[]);
-/** ALPHA version of xss detector.
+/** ALPHA version of xss detector.
*
- * NOT DONE.
+ * NOT DONE.
*
* \param[in] s input string, may contain nulls, does not need to be null-terminated
* \param[in] slen input string length
@@ -62,4 +62,4 @@ int libinjection_xss(const char* s, size_t slen);
LIBINJECTION_END_DECLS
-#endif /* _LIBINJECTION_H */
+#endif /* LIBINJECTION_H */
diff --git a/apache2/libinjection/libinjection_html5.c b/apache2/libinjection/libinjection_html5.c
index 38ef9f0f64..a380ca0ad6 100644
--- a/apache2/libinjection/libinjection_html5.c
+++ b/apache2/libinjection/libinjection_html5.c
@@ -71,20 +71,20 @@ void libinjection_h5_init(h5_state_t* hs, const char* s, size_t len, enum html5_
switch (flags) {
case DATA_STATE:
- hs->state = h5_state_data;
- break;
+ hs->state = h5_state_data;
+ break;
case VALUE_NO_QUOTE:
- hs->state = h5_state_before_attribute_name;
- break;
+ hs->state = h5_state_before_attribute_name;
+ break;
case VALUE_SINGLE_QUOTE:
- hs->state = h5_state_attribute_value_single_quote;
- break;
+ hs->state = h5_state_attribute_value_single_quote;
+ break;
case VALUE_DOUBLE_QUOTE:
- hs->state = h5_state_attribute_value_double_quote;
- break;
+ hs->state = h5_state_attribute_value_double_quote;
+ break;
case VALUE_BACK_QUOTE:
- hs->state = h5_state_attribute_value_back_quote;
- break;
+ hs->state = h5_state_attribute_value_back_quote;
+ break;
}
}
@@ -100,10 +100,18 @@ int libinjection_h5_next(h5_state_t* hs)
/**
* Everything below here is private
*
-*/
+ */
+
static int h5_is_white(char ch)
{
+ /*
+ * \t = horizontal tab = 0x09
+ * \n = newline = 0x0A
+ * \v = vertical tab = 0x0B
+ * \f = form feed = 0x0C
+ * \r = cr = 0x0D
+ */
return strchr(" \t\n\v\f\r", ch) != NULL;
}
@@ -112,19 +120,19 @@ static int h5_skip_white(h5_state_t* hs)
char ch;
while (hs->pos < hs->len) {
ch = hs->s[hs->pos];
- switch (ch) {
- case 0x00: /* IE only */
- case 0x20:
- case 0x09:
- case 0x0A:
- case 0x0B: /* IE only */
- case 0x0C:
+ switch (ch) {
+ case 0x00: /* IE only */
+ case 0x20:
+ case 0x09:
+ case 0x0A:
+ case 0x0B: /* IE only */
+ case 0x0C:
case 0x0D: /* IE only */
hs->pos += 1;
- break;
- default:
+ break;
+ default:
return ch;
- }
+ }
}
return CHAR_EOF;
}
@@ -172,6 +180,9 @@ static int h5_state_tag_open(h5_state_t* hs)
char ch;
TRACE();
+ if (hs->pos >= hs->len) {
+ return 0;
+ }
ch = hs->s[hs->pos];
if (ch == CHAR_BANG) {
hs->pos += 1;
@@ -259,12 +270,12 @@ static int h5_state_tag_name(h5_state_t* hs)
pos = hs->pos;
while (pos < hs->len) {
ch = hs->s[pos];
- if (ch == 0) {
- /* special non-standard case */
- /* allow nulls in tag name */
- /* some old browsers apparently allow and ignore them */
- pos += 1;
- } else if (h5_is_white(ch)) {
+ if (ch == 0) {
+ /* special non-standard case */
+ /* allow nulls in tag name */
+ /* some old browsers apparently allow and ignore them */
+ pos += 1;
+ } else if (h5_is_white(ch)) {
hs->token_start = hs->s + hs->pos;
hs->token_len = pos - hs->pos;
hs->token_type = TAG_NAME_OPEN;
@@ -332,7 +343,7 @@ static int h5_state_before_attribute_name(h5_state_t* hs)
default: {
return h5_state_attribute_name(hs);
}
- }
+ }
}
static int h5_state_attribute_name(h5_state_t* hs)
@@ -450,12 +461,12 @@ static int h5_state_attribute_value_quote(h5_state_t* hs, char qchar)
TRACE();
/* skip initial quote in normal case.
- * dont do this is pos == 0 since it means we have started
+ * don't do this "if (pos == 0)" since it means we have started
* in a non-data state. given an input of '><foo
* we want to make 0-length attribute name
*/
if (hs->pos > 0) {
- hs->pos += 1;
+ hs->pos += 1;
}
@@ -705,10 +716,13 @@ static int h5_state_comment(h5_state_t* hs)
char ch;
const char* idx;
size_t pos;
+ size_t offset;
+ const char* end = hs->s + hs->len;
TRACE();
pos = hs->pos;
while (1) {
+
idx = (const char*) memchr(hs->s + pos, CHAR_DASH, hs->len - pos);
/* did not find anything or has less than 3 chars left */
@@ -719,21 +733,62 @@ static int h5_state_comment(h5_state_t* hs)
hs->token_type = TAG_COMMENT;
return 1;
}
- ch = *(idx + 1);
+ offset = 1;
+
+ /* skip all nulls */
+ while (idx + offset < end && *(idx + offset) == 0) {
+ offset += 1;
+ }
+ if (idx + offset == end) {
+ hs->state = h5_state_eof;
+ hs->token_start = hs->s + hs->pos;
+ hs->token_len = hs->len - hs->pos;
+ hs->token_type = TAG_COMMENT;
+ return 1;
+ }
+
+ ch = *(idx + offset);
if (ch != CHAR_DASH && ch != CHAR_BANG) {
pos = (size_t)(idx - hs->s) + 1;
continue;
}
- ch = *(idx + 2);
+
+ /* need to test */
+#if 0
+ /* skip all nulls */
+ while (idx + offset < end && *(idx + offset) == 0) {
+ offset += 1;
+ }
+ if (idx + offset == end) {
+ hs->state = h5_state_eof;
+ hs->token_start = hs->s + hs->pos;
+ hs->token_len = hs->len - hs->pos;
+ hs->token_type = TAG_COMMENT;
+ return 1;
+ }
+#endif
+
+ offset += 1;
+ if (idx + offset == end) {
+ hs->state = h5_state_eof;
+ hs->token_start = hs->s + hs->pos;
+ hs->token_len = hs->len - hs->pos;
+ hs->token_type = TAG_COMMENT;
+ return 1;
+ }
+
+
+ ch = *(idx + offset);
if (ch != CHAR_GT) {
pos = (size_t)(idx - hs->s) + 1;
continue;
}
+ offset += 1;
/* ends in --> or -!> */
hs->token_start = hs->s + hs->pos;
hs->token_len = (size_t)(idx - hs->s) - hs->pos;
- hs->pos = (size_t)(idx - hs->s) + 3;
+ hs->pos = (size_t)(idx + offset - hs->s);
hs->state = h5_state_data;
hs->token_type = TAG_COMMENT;
return 1;
diff --git a/apache2/libinjection/libinjection_sqli.c b/apache2/libinjection/libinjection_sqli.c
index 0b67c5cc49..cecbbea3fb 100644
--- a/apache2/libinjection/libinjection_sqli.c
+++ b/apache2/libinjection/libinjection_sqli.c
@@ -1,5 +1,5 @@
/**
- * Copyright 2012,2013 Nick Galbreath
+ * Copyright 2012,2016 Nick Galbreath
* nickg@client9.com
* BSD License -- see COPYING.txt for details
*
@@ -18,7 +18,7 @@
#include "libinjection_sqli.h"
#include "libinjection_sqli_data.h"
-#define LIBINJECTION_VERSION "3.9.1"
+#define LIBINJECTION_VERSION "3.9.2"
#define LIBINJECTION_SQLI_TOKEN_SIZE sizeof(((stoken_t*)(0))->val)
#define LIBINJECTION_SQLI_MAX_TOKENS 5
@@ -112,15 +112,11 @@ memchr2(const char *haystack, size_t haystack_len, char c0, char c1)
}
while (cur < last) {
- if (cur[0] == c0) {
- if (cur[1] == c1) {
- return cur;
- } else {
- cur += 2; /* (c0 == c1) ? 1 : 2; */
- }
- } else {
- cur += 1;
+ /* safe since cur < len - 1 always */
+ if (cur[0] == c0 && cur[1] == c1) {
+ return cur;
}
+ cur += 1;
}
return NULL;
@@ -191,11 +187,11 @@ static int char_is_white(char ch) {
/* ' ' space is 0x32
'\t 0x09 \011 horizontal tab
'\n' 0x0a \012 new line
- '\v' 0x0b \013 verical tab
+ '\v' 0x0b \013 vertical tab
'\f' 0x0c \014 new page
'\r' 0x0d \015 carriage return
0x00 \000 null (oracle)
- 0xa0 \240 is latin1
+ 0xa0 \240 is Latin-1
*/
return strchr(" \t\n\v\f\r\240\000", ch) != NULL;
}
@@ -294,7 +290,7 @@ static void st_clear(stoken_t * st)
static void st_assign_char(stoken_t * st, const char stype, size_t pos, size_t len,
const char value)
{
- /* done to elimiate unused warning */
+ /* done to eliminate unused warning */
(void)len;
st->type = (char) stype;
st->pos = pos;
@@ -402,7 +398,7 @@ static size_t parse_eol_comment(struct libinjection_sqli_state * sf)
}
}
-/** In Ansi mode, hash is an operator
+/** In ANSI mode, hash is an operator
* In MYSQL mode, it's a EOL comment like '--'
*/
static size_t parse_hash(struct libinjection_sqli_state * sf)
@@ -842,7 +838,7 @@ static size_t parse_bstring(struct libinjection_sqli_state *sf)
/*
* hex literal string
- * re: [XX]'[0123456789abcdefABCDEF]*'
+ * re: [xX]'[0123456789abcdefABCDEF]*'
* mysql has requirement of having EVEN number of chars,
* but pgsql does not
*/
@@ -1072,7 +1068,7 @@ static size_t parse_money(struct libinjection_sqli_state *sf)
/* we have $foobar$ ... find it again */
strend = my_memmem(cs+xlen+2, slen - (pos+xlen+2), cs + pos, xlen+2);
- if (strend == NULL) {
+ if (strend == NULL || ((size_t)(strend - cs) < (pos+xlen+2))) {
/* fell off edge */
st_assign(sf->current, TYPE_STRING, pos+xlen+2, slen - pos - xlen - 2, cs+pos+xlen+2);
sf->current->str_open = '$';
@@ -1104,7 +1100,6 @@ static size_t parse_number(struct libinjection_sqli_state * sf)
const char *cs = sf->s;
const size_t slen = sf->slen;
size_t pos = sf->pos;
- int have_dot = 0;
int have_e = 0;
int have_exp = 0;
@@ -1136,7 +1131,6 @@ static size_t parse_number(struct libinjection_sqli_state * sf)
}
if (pos < slen && cs[pos] == '.') {
- have_dot = 1;
pos += 1;
while (pos < slen && ISDIGIT(cs[pos])) {
pos += 1;
@@ -1185,7 +1179,7 @@ static size_t parse_number(struct libinjection_sqli_state * sf)
}
}
- if (have_dot == 1 && have_e == 1 && have_exp == 0) {
+ if (have_e == 1 && have_exp == 0) {
/* very special form of
* "1234.e"
* "10.10E"
@@ -1242,29 +1236,13 @@ int libinjection_sqli_tokenize(struct libinjection_sqli_state * sf)
const unsigned char ch = (unsigned char) (s[*pos]);
/*
- * if not ascii, then continue...
- * actually probably need to just assuming
- * it's a string
+ * look up the parser, and call it
+ *
+ * Porting Note: this is mapping of char to function
+ * charparsers[ch]()
*/
- if (ch > 127) {
+ fnptr = char_parse_map[ch];
- /* 160 or 0xA0 or octal 240 is "latin1 non-breaking space"
- * but is treated as a space in mysql.
- */
- if (ch == 160) {
- fnptr = parse_white;
- } else {
- fnptr = parse_word;
- }
- } else {
- /*
- * look up the parser, and call it
- *
- * Porting Note: this is mapping of char to function
- * charparsers[ch]()
- */
- fnptr = char_parse_map[ch];
- }
*pos = (*fnptr) (sf);
/*
@@ -1349,16 +1327,22 @@ static int syntax_merge_words(struct libinjection_sqli_state * sf,stoken_t * a,
a->type == TYPE_UNION ||
a->type == TYPE_FUNCTION ||
a->type == TYPE_EXPRESSION ||
+ a->type == TYPE_TSQL ||
a->type == TYPE_SQLTYPE)) {
- return CHAR_NULL;
+ return FALSE;
}
- if (b->type != TYPE_KEYWORD && b->type != TYPE_BAREWORD &&
- b->type != TYPE_OPERATOR && b->type != TYPE_SQLTYPE &&
- b->type != TYPE_LOGIC_OPERATOR &&
- b->type != TYPE_FUNCTION &&
- b->type != TYPE_UNION && b->type != TYPE_EXPRESSION) {
- return CHAR_NULL;
+ if (!
+ (b->type == TYPE_KEYWORD ||
+ b->type == TYPE_BAREWORD ||
+ b->type == TYPE_OPERATOR ||
+ b->type == TYPE_UNION ||
+ b->type == TYPE_FUNCTION ||
+ b->type == TYPE_EXPRESSION ||
+ b->type == TYPE_TSQL ||
+ b->type == TYPE_SQLTYPE ||
+ b->type == TYPE_LOGIC_OPERATOR)) {
+ return FALSE;
}
sz1 = a->len;
@@ -1374,7 +1358,6 @@ static int syntax_merge_words(struct libinjection_sqli_state * sf,stoken_t * a,
tmp[sz1] = ' ';
memcpy(tmp + sz1 + 1, b->val, sz2);
tmp[sz3] = CHAR_NULL;
-
ch = sf->lookup(sf, LOOKUP_WORD, tmp, sz3);
if (ch != CHAR_NULL) {
@@ -1450,6 +1433,13 @@ int libinjection_sqli_fold(struct libinjection_sqli_state * sf)
sf->tokenvec[2].type == TYPE_COMMA &&
sf->tokenvec[3].type == TYPE_LEFTPARENS &&
sf->tokenvec[4].type == TYPE_NUMBER
+ ) ||
+ (
+ sf->tokenvec[0].type == TYPE_BAREWORD &&
+ sf->tokenvec[1].type == TYPE_RIGHTPARENS &&
+ sf->tokenvec[2].type == TYPE_OPERATOR &&
+ sf->tokenvec[3].type == TYPE_LEFTPARENS &&
+ sf->tokenvec[4].type == TYPE_BAREWORD
)
)
{
@@ -1506,16 +1496,6 @@ int libinjection_sqli_fold(struct libinjection_sqli_state * sf)
pos -= 1;
sf->stats_folds += 1;
continue;
- } else if (sf->tokenvec[left].type == TYPE_SEMICOLON &&
- sf->tokenvec[left+1].type == TYPE_FUNCTION &&
- cstrcasecmp("IF", sf->tokenvec[left+1].val, sf->tokenvec[left+1].len) == 0) {
- /* IF is normally a function, except in Transact-SQL where it can be used as a
- * standalone control flow operator, e.g. ; IF 1=1 ...
- * if found after a semicolon, convert from 'f' type to 'T' type
- */
- sf->tokenvec[left+1].type = TYPE_TSQL;
- left += 2;
- continue; /* reparse everything, but we probably can advance left, and pos */
} else if ((sf->tokenvec[left].type == TYPE_OPERATOR ||
sf->tokenvec[left].type == TYPE_LOGIC_OPERATOR) &&
(st_is_unary_op(&sf->tokenvec[left+1]) ||
@@ -1539,9 +1519,22 @@ int libinjection_sqli_fold(struct libinjection_sqli_state * sf)
left -= 1;
}
continue;
+ } else if (sf->tokenvec[left].type == TYPE_SEMICOLON &&
+ sf->tokenvec[left+1].type == TYPE_FUNCTION &&
+ (sf->tokenvec[left+1].val[0] == 'I' ||
+ sf->tokenvec[left+1].val[0] == 'i' ) &&
+ (sf->tokenvec[left+1].val[1] == 'F' ||
+ sf->tokenvec[left+1].val[1] == 'f' )) {
+ /* IF is normally a function, except in Transact-SQL where it can be used as a
+ * standalone control flow operator, e.g. ; IF 1=1 ...
+ * if found after a semicolon, convert from 'f' type to 'T' type
+ */
+ sf->tokenvec[left+1].type = TYPE_TSQL;
+ /* left += 2; */
+ continue; /* reparse everything, but we probably can advance left, and pos */
} else if ((sf->tokenvec[left].type == TYPE_BAREWORD || sf->tokenvec[left].type == TYPE_VARIABLE) &&
sf->tokenvec[left+1].type == TYPE_LEFTPARENS && (
- /* TSQL functions but common enough to be collumn names */
+ /* TSQL functions but common enough to be column names */
cstrcasecmp("USER_ID", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 ||
cstrcasecmp("USER_NAME", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 ||
@@ -1564,7 +1557,7 @@ int libinjection_sqli_fold(struct libinjection_sqli_state * sf)
/* pos is the same
* other conversions need to go here... for instance
- * password CAN be a function, coalese CAN be a function
+ * password CAN be a function, coalesce CAN be a function
*/
sf->tokenvec[left].type = TYPE_FUNCTION;
continue;
@@ -1828,7 +1821,7 @@ int libinjection_sqli_fold(struct libinjection_sqli_state * sf)
* 1,-sin(1) --> 1 (1)
* Here, just do
* 1,-sin(1) --> 1,sin(1)
- * just remove unary opartor
+ * just remove unary operator
*/
st_copy(&sf->tokenvec[left+1], &sf->tokenvec[left+2]);
pos -= 1;
@@ -1852,9 +1845,21 @@ int libinjection_sqli_fold(struct libinjection_sqli_state * sf)
pos -= 1;
left = 0;
continue;
+ } else if ((sf->tokenvec[left].type == TYPE_FUNCTION) &&
+ (sf->tokenvec[left+1].type == TYPE_LEFTPARENS) &&
+ (sf->tokenvec[left+2].type != TYPE_RIGHTPARENS)) {
+ /*
+ * whats going on here
+ * Some SQL functions like USER() have 0 args
+ * if we get User(foo), then User is not a function
+ * This should be expanded since it eliminated a lot of false
+ * positives.
+ */
+ if (cstrcasecmp("USER", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0) {
+ sf->tokenvec[left].type = TYPE_BAREWORD;
+ }
}
-
/* no folding -- assume left-most token is
is good, now use the existing 2 tokens --
do not get another
@@ -2019,7 +2024,7 @@ int libinjection_sqli_blacklist(struct libinjection_sqli_state* sql_state)
}
/*
- * return TRUE if sqli, false is benign
+ * return TRUE if SQLi, false is benign
*/
int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
{
@@ -2033,10 +2038,10 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
if (tlen > 1 && sql_state->fingerprint[tlen-1] == TYPE_COMMENT) {
/*
- * if ending comment is contains 'sp_password' then it's sqli!
+ * if ending comment is contains 'sp_password' then it's SQLi!
* MS Audit log apparently ignores anything with
- * 'sp_password' in it. Unable to find primary refernece to
- * this "feature" of SQL Server but seems to be known sqli
+ * 'sp_password' in it. Unable to find primary reference to
+ * this "feature" of SQL Server but seems to be known SQLi
* technique
*/
if (my_memmem(sql_state->s, sql_state->slen,
@@ -2055,7 +2060,7 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
if (sql_state->fingerprint[1] == TYPE_UNION) {
if (sql_state->stats_tokens == 2) {
- /* not sure why but 1U comes up in Sqli attack
+ /* not sure why but 1U comes up in SQLi attack
* likely part of parameter splitting/etc.
* lots of reasons why "1 union" might be normal
* input, so beep only if other SQLi things are present
@@ -2080,7 +2085,7 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
/*
* for fingerprint like 'nc', only comments of /x are treated
- * as SQL... ending comments of "--" and "#" are not sqli
+ * as SQL... ending comments of "--" and "#" are not SQLi
*/
if (sql_state->tokenvec[0].type == TYPE_BAREWORD &&
sql_state->tokenvec[1].type == TYPE_COMMENT &&
@@ -2090,7 +2095,7 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
}
/*
- * if '1c' ends with '/x' then it's sqli
+ * if '1c' ends with '/x' then it's SQLi
*/
if (sql_state->tokenvec[0].type == TYPE_NUMBER &&
sql_state->tokenvec[1].type == TYPE_COMMENT &&
@@ -2113,13 +2118,13 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
if (sql_state->tokenvec[0].type == TYPE_NUMBER &&
sql_state->tokenvec[1].type == TYPE_COMMENT) {
if (sql_state->stats_tokens > 2) {
- /* we have some folding going on, highly likely sqli */
+ /* we have some folding going on, highly likely SQLi */
sql_state->reason = __LINE__;
return TRUE;
}
/*
* we check that next character after the number is either whitespace,
- * or '/' or a '-' ==> sqli.
+ * or '/' or a '-' ==> SQLi.
*/
ch = sql_state->s[sql_state->tokenvec[0].len];
if ( ch <= 32 ) {
@@ -2141,7 +2146,7 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
}
/*
- * detect obvious sqli scans.. many people put '--' in plain text
+ * detect obvious SQLi scans.. many people put '--' in plain text
* so only detect if input ends with '--', e.g. 1-- but not 1-- foo
*/
if ((sql_state->tokenvec[1].len > 2)
@@ -2177,7 +2182,7 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
}
/*
- * not sqli
+ * not SQLi
*/
sql_state->reason = __LINE__;
return FALSE;
@@ -2186,8 +2191,8 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state* sql_state)
streq(sql_state->fingerprint, "1&1") ||
streq(sql_state->fingerprint, "1&v") ||
streq(sql_state->fingerprint, "1&s")) {
- /* 'sexy and 17' not sqli
- * 'sexy and 17<18' sqli
+ /* 'sexy and 17' not SQLi
+ * 'sexy and 17<18' SQLi
*/
if (sql_state->stats_tokens == 3) {
sql_state->reason = __LINE__;
@@ -2243,7 +2248,7 @@ int libinjection_is_sqli(struct libinjection_sqli_state * sql_state)
size_t slen = sql_state->slen;
/*
- * no input? not sqli
+ * no input? not SQLi
*/
if (slen == 0) {
return FALSE;
diff --git a/apache2/libinjection/libinjection_sqli.h b/apache2/libinjection/libinjection_sqli.h
index 4f16db8dbf..b9746555a7 100644
--- a/apache2/libinjection/libinjection_sqli.h
+++ b/apache2/libinjection/libinjection_sqli.h
@@ -1,14 +1,14 @@
/**
- * Copyright 2012, 2013 Nick Galbreath
+ * Copyright 2012-2016 Nick Galbreath
* nickg@client9.com
- * BSD License -- see COPYING.txt for details
+ * BSD License -- see `COPYING.txt` for details
*
* https://libinjection.client9.com/
*
*/
-#ifndef _LIBINJECTION_SQLI_H
-#define _LIBINJECTION_SQLI_H
+#ifndef LIBINJECTION_SQLI_H
+#define LIBINJECTION_SQLI_H
#ifdef __cplusplus
extern "C" {
@@ -40,10 +40,6 @@ struct libinjection_sqli_token {
#ifdef SWIG
%immutable;
#endif
- char type;
- char str_open;
- char str_close;
-
/*
* position and length of token
* in original string
@@ -53,17 +49,20 @@ struct libinjection_sqli_token {
/* count:
* in type 'v', used for number of opening '@'
- * but maybe unsed in other contexts
+ * but maybe used in other contexts
*/
int count;
+ char type;
+ char str_open;
+ char str_close;
char val[32];
};
typedef struct libinjection_sqli_token stoken_t;
/**
- * Pointer to function, takes cstr input,
+ * Pointer to function, takes c-string input,
* returns '\0' for no match, else a char
*/
struct libinjection_sqli_state;
@@ -97,7 +96,7 @@ struct libinjection_sqli_state {
int flags;
/*
- * pos is index in string we are at when tokenizing
+ * pos is the index in the string during tokenization
*/
size_t pos;
@@ -118,7 +117,7 @@ struct libinjection_sqli_state {
/*
* fingerprint pattern c-string
* +1 for ending null
- * Mimimum of 8 bytes to add gcc's -fstack-protector to work
+ * Minimum of 8 bytes to add gcc's -fstack-protector to work
*/
char fingerprint[8];
@@ -156,7 +155,7 @@ struct libinjection_sqli_state {
*/
int stats_comment_c;
- /* '#' operators or mysql EOL comments found
+ /* '#' operators or MySQL EOL comments found
*
*/
int stats_comment_hash;
@@ -208,8 +207,8 @@ void libinjection_sqli_init(struct libinjection_sqli_state* sql_state,
*/
int libinjection_is_sqli(struct libinjection_sqli_state* sql_state);
-/* FOR H@CKERS ONLY
- *
+/* FOR HACKERS ONLY
+ * provides deep hooks into the decision making process
*/
void libinjection_sqli_callback(struct libinjection_sqli_state* sql_state,
ptr_lookup_fn fn,
@@ -269,7 +268,7 @@ int libinjection_sqli_fold(struct libinjection_sqli_state * sql_state);
* two functions. With this, you over-ride one part or the other.
*
* return libinjection_sqli_blacklist(sql_state) &&
- * libinject_sqli_not_whitelist(sql_state);
+ * libinjection_sqli_not_whitelist(sql_state);
*
* \param sql_state should be filled out after libinjection_sqli_fingerprint is called
*/
@@ -284,7 +283,7 @@ int libinjection_sqli_blacklist(struct libinjection_sqli_state* sql_state);
/* Given a positive match for a pattern (i.e. pattern is SQLi), this function
* does additional analysis to reduce false positives.
*
- * \return TRUE if sqli, false otherwise
+ * \return TRUE if SQLi, false otherwise
*/
int libinjection_sqli_not_whitelist(struct libinjection_sqli_state * sql_state);
@@ -292,4 +291,4 @@ int libinjection_sqli_not_whitelist(struct libinjection_sqli_state * sql_state);
}
#endif
-#endif /* _LIBINJECTION_SQLI_H */
+#endif /* LIBINJECTION_SQLI_H */
diff --git a/apache2/libinjection/libinjection_sqli_data.h b/apache2/libinjection/libinjection_sqli_data.h
index 8f3a2e0e23..f5e1454143 100644
--- a/apache2/libinjection/libinjection_sqli_data.h
+++ b/apache2/libinjection/libinjection_sqli_data.h
@@ -1,6 +1,6 @@
-#ifndef _LIBINJECTION_SQLI_DATA_H
-#define _LIBINJECTION_SQLI_DATA_H
+#ifndef LIBINJECTION_SQLI_DATA_H
+#define LIBINJECTION_SQLI_DATA_H
#include "libinjection.h"
#include "libinjection_sqli.h"
@@ -164,6 +164,134 @@ static const pt2Function char_parse_map[] = {
&parse_char, /* 125 */
&parse_operator1, /* 126 */
&parse_white, /* 127 */
+ &parse_word, /* 128 */
+ &parse_word, /* 129 */
+ &parse_word, /* 130 */
+ &parse_word, /* 131 */
+ &parse_word, /* 132 */
+ &parse_word, /* 133 */
+ &parse_word, /* 134 */
+ &parse_word, /* 135 */
+ &parse_word, /* 136 */
+ &parse_word, /* 137 */
+ &parse_word, /* 138 */
+ &parse_word, /* 139 */
+ &parse_word, /* 140 */
+ &parse_word, /* 141 */
+ &parse_word, /* 142 */
+ &parse_word, /* 143 */
+ &parse_word, /* 144 */
+ &parse_word, /* 145 */
+ &parse_word, /* 146 */
+ &parse_word, /* 147 */
+ &parse_word, /* 148 */
+ &parse_word, /* 149 */
+ &parse_word, /* 150 */
+ &parse_word, /* 151 */
+ &parse_word, /* 152 */
+ &parse_word, /* 153 */
+ &parse_word, /* 154 */
+ &parse_word, /* 155 */
+ &parse_word, /* 156 */
+ &parse_word, /* 157 */
+ &parse_word, /* 158 */
+ &parse_word, /* 159 */
+ &parse_white, /* 160 */
+ &parse_word, /* 161 */
+ &parse_word, /* 162 */
+ &parse_word, /* 163 */
+ &parse_word, /* 164 */
+ &parse_word, /* 165 */
+ &parse_word, /* 166 */
+ &parse_word, /* 167 */
+ &parse_word, /* 168 */
+ &parse_word, /* 169 */
+ &parse_word, /* 170 */
+ &parse_word, /* 171 */
+ &parse_word, /* 172 */
+ &parse_word, /* 173 */
+ &parse_word, /* 174 */
+ &parse_word, /* 175 */
+ &parse_word, /* 176 */
+ &parse_word, /* 177 */
+ &parse_word, /* 178 */
+ &parse_word, /* 179 */
+ &parse_word, /* 180 */
+ &parse_word, /* 181 */
+ &parse_word, /* 182 */
+ &parse_word, /* 183 */
+ &parse_word, /* 184 */
+ &parse_word, /* 185 */
+ &parse_word, /* 186 */
+ &parse_word, /* 187 */
+ &parse_word, /* 188 */
+ &parse_word, /* 189 */
+ &parse_word, /* 190 */
+ &parse_word, /* 191 */
+ &parse_word, /* 192 */
+ &parse_word, /* 193 */
+ &parse_word, /* 194 */
+ &parse_word, /* 195 */
+ &parse_word, /* 196 */
+ &parse_word, /* 197 */
+ &parse_word, /* 198 */
+ &parse_word, /* 199 */
+ &parse_word, /* 200 */
+ &parse_word, /* 201 */
+ &parse_word, /* 202 */
+ &parse_word, /* 203 */
+ &parse_word, /* 204 */
+ &parse_word, /* 205 */
+ &parse_word, /* 206 */
+ &parse_word, /* 207 */
+ &parse_word, /* 208 */
+ &parse_word, /* 209 */
+ &parse_word, /* 210 */
+ &parse_word, /* 211 */
+ &parse_word, /* 212 */
+ &parse_word, /* 213 */
+ &parse_word, /* 214 */
+ &parse_word, /* 215 */
+ &parse_word, /* 216 */
+ &parse_word, /* 217 */
+ &parse_word, /* 218 */
+ &parse_word, /* 219 */
+ &parse_word, /* 220 */
+ &parse_word, /* 221 */
+ &parse_word, /* 222 */
+ &parse_word, /* 223 */
+ &parse_word, /* 224 */
+ &parse_word, /* 225 */
+ &parse_word, /* 226 */
+ &parse_word, /* 227 */
+ &parse_word, /* 228 */
+ &parse_word, /* 229 */
+ &parse_word, /* 230 */
+ &parse_word, /* 231 */
+ &parse_word, /* 232 */
+ &parse_word, /* 233 */
+ &parse_word, /* 234 */
+ &parse_word, /* 235 */
+ &parse_word, /* 236 */
+ &parse_word, /* 237 */
+ &parse_word, /* 238 */
+ &parse_word, /* 239 */
+ &parse_word, /* 240 */
+ &parse_word, /* 241 */
+ &parse_word, /* 242 */
+ &parse_word, /* 243 */
+ &parse_word, /* 244 */
+ &parse_word, /* 245 */
+ &parse_word, /* 246 */
+ &parse_word, /* 247 */
+ &parse_word, /* 248 */
+ &parse_word, /* 249 */
+ &parse_word, /* 250 */
+ &parse_word, /* 251 */
+ &parse_word, /* 252 */
+ &parse_word, /* 253 */
+ &parse_word, /* 254 */
+ &parse_word, /* 255 */
};
static const keyword_t sql_keywords[] = {
@@ -317,6 +445,8 @@ static const keyword_t sql_keywords[] = {
{"0&VUEN", 'F'},
{"0&VUES", 'F'},
{"0&VUEV", 'F'},
+ {"0)&(EK", 'F'},
+ {"0)&(EN", 'F'},
{"0)UE(1", 'F'},
{"0)UE(F", 'F'},
{"0)UE(N", 'F'},
@@ -395,7 +525,6 @@ static const keyword_t sql_keywords[] = {
{"01&1KV", 'F'},
{"01&1O(", 'F'},
{"01&1OF", 'F'},
- {"01&1OO", 'F'},
{"01&1OS", 'F'},
{"01&1OV", 'F'},
{"01&1TN", 'F'},
@@ -458,6 +587,7 @@ static const keyword_t sql_keywords[] = {
{"01&K(S", 'F'},
{"01&K(V", 'F'},
{"01&K1O", 'F'},
+ {"01&KC", 'F'},
{"01&KF(", 'F'},
{"01&KNK", 'F'},
{"01&KO(", 'F'},
@@ -522,7 +652,6 @@ static const keyword_t sql_keywords[] = {
{"01&S1", 'F'},
{"01&S1;", 'F'},
{"01&S1C", 'F'},
- {"01&S1O", 'F'},
{"01&S;", 'F'},
{"01&S;C", 'F'},
{"01&S;E", 'F'},
@@ -547,7 +676,6 @@ static const keyword_t sql_keywords[] = {
{"01&SO1", 'F'},
{"01&SOF", 'F'},
{"01&SON", 'F'},
- {"01&SOO", 'F'},
{"01&SOS", 'F'},
{"01&SOV", 'F'},
{"01&STN", 'F'},
@@ -593,7 +721,6 @@ static const keyword_t sql_keywords[] = {
{"01&VKV", 'F'},
{"01&VO(", 'F'},
{"01&VOF", 'F'},
- {"01&VOO", 'F'},
{"01&VOS", 'F'},
{"01&VS", 'F'},
{"01&VS;", 'F'},
@@ -730,6 +857,7 @@ static const keyword_t sql_keywords[] = {
{"01)ESO", 'F'},
{"01)EVC", 'F'},
{"01)EVO", 'F'},
+ {"01)F(F", 'F'},
{"01)K(1", 'F'},
{"01)K(F", 'F'},
{"01)K(N", 'F'},
@@ -751,6 +879,7 @@ static const keyword_t sql_keywords[] = {
{"01)KN&", 'F'},
{"01)KN;", 'F'},
{"01)KNB", 'F'},
+ {"01)KNC", 'F'},
{"01)KNE", 'F'},
{"01)KNK", 'F'},
{"01)KNU", 'F'},
@@ -877,11 +1006,13 @@ static const keyword_t sql_keywords[] = {
{"01;EVT", 'F'},
{"01;N:T", 'F'},
{"01;T(1", 'F'},
+ {"01;T(C", 'F'},
{"01;T(E", 'F'},
{"01;T(F", 'F'},
{"01;T(N", 'F'},
{"01;T(S", 'F'},
{"01;T(V", 'F'},
+ {"01;T1(", 'F'},
{"01;T1,", 'F'},
{"01;T1;", 'F'},
{"01;T1C", 'F'},
@@ -913,6 +1044,7 @@ static const keyword_t sql_keywords[] = {
{"01;TNT", 'F'},
{"01;TNV", 'F'},
{"01;TO(", 'F'},
+ {"01;TS(", 'F'},
{"01;TS,", 'F'},
{"01;TS;", 'F'},
{"01;TSC", 'F'},
@@ -920,12 +1052,8 @@ static const keyword_t sql_keywords[] = {
{"01;TSK", 'F'},
{"01;TSO", 'F'},
{"01;TST", 'F'},
- {"01;TT(", 'F'},
- {"01;TT1", 'F'},
- {"01;TTF", 'F'},
{"01;TTN", 'F'},
- {"01;TTS", 'F'},
- {"01;TTV", 'F'},
+ {"01;TV(", 'F'},
{"01;TV,", 'F'},
{"01;TV;", 'F'},
{"01;TVC", 'F'},
@@ -967,7 +1095,6 @@ static const keyword_t sql_keywords[] = {
{"01B(1)", 'F'},
{"01B(1O", 'F'},
{"01B(F(", 'F'},
- {"01B(N)", 'F'},
{"01B(NO", 'F'},
{"01B(S)", 'F'},
{"01B(SO", 'F'},
@@ -1116,11 +1243,18 @@ static const keyword_t sql_keywords[] = {
{"01E(SO", 'F'},
{"01E(V)", 'F'},
{"01E(VO", 'F'},
+ {"01E1;T", 'F'},
{"01E1C", 'F'},
{"01E1O(", 'F'},
{"01E1OF", 'F'},
{"01E1OS", 'F'},
{"01E1OV", 'F'},
+ {"01E1T(", 'F'},
+ {"01E1T1", 'F'},
+ {"01E1TF", 'F'},
+ {"01E1TN", 'F'},
+ {"01E1TS", 'F'},
+ {"01E1TV", 'F'},
{"01E1UE", 'F'},
{"01EF()", 'F'},
{"01EF(1", 'F'},
@@ -1134,35 +1268,50 @@ static const keyword_t sql_keywords[] = {
{"01EK(N", 'F'},
{"01EK(S", 'F'},
{"01EK(V", 'F'},
+ {"01EK1;", 'F'},
{"01EK1C", 'F'},
{"01EK1O", 'F'},
+ {"01EK1T", 'F'},
{"01EK1U", 'F'},
{"01EKF(", 'F'},
+ {"01EKN;", 'F'},
{"01EKNC", 'F'},
{"01EKNE", 'F'},
+ {"01EKNT", 'F'},
{"01EKNU", 'F'},
{"01EKOK", 'F'},
+ {"01EKS;", 'F'},
{"01EKSC", 'F'},
{"01EKSO", 'F'},
+ {"01EKST", 'F'},
{"01EKSU", 'F'},
{"01EKU(", 'F'},
{"01EKU1", 'F'},
{"01EKUE", 'F'},
{"01EKUF", 'F'},
- {"01EKUN", 'F'},
{"01EKUS", 'F'},
{"01EKUV", 'F'},
+ {"01EKV;", 'F'},
{"01EKVC", 'F'},
{"01EKVO", 'F'},
+ {"01EKVT", 'F'},
{"01EKVU", 'F'},
+ {"01EN;T", 'F'},
{"01ENC", 'F'},
{"01ENEN", 'F'},
{"01ENO(", 'F'},
{"01ENOF", 'F'},
{"01ENOS", 'F'},
{"01ENOV", 'F'},
+ {"01ENT(", 'F'},
+ {"01ENT1", 'F'},
+ {"01ENTF", 'F'},
+ {"01ENTN", 'F'},
+ {"01ENTS", 'F'},
+ {"01ENTV", 'F'},
{"01ENUE", 'F'},
{"01EOKN", 'F'},
+ {"01ES;T", 'F'},
{"01ESC", 'F'},
{"01ESO(", 'F'},
{"01ESO1", 'F'},
@@ -1170,6 +1319,12 @@ static const keyword_t sql_keywords[] = {
{"01ESON", 'F'},
{"01ESOS", 'F'},
{"01ESOV", 'F'},
+ {"01EST(", 'F'},
+ {"01EST1", 'F'},
+ {"01ESTF", 'F'},
+ {"01ESTN", 'F'},
+ {"01ESTS", 'F'},
+ {"01ESTV", 'F'},
{"01ESUE", 'F'},
{"01EU(1", 'F'},
{"01EU(F", 'F'},
@@ -1182,19 +1337,23 @@ static const keyword_t sql_keywords[] = {
{"01EUEF", 'F'},
{"01EUEK", 'F'},
{"01EUF(", 'F'},
- {"01EUN,", 'F'},
- {"01EUNC", 'F'},
- {"01EUNO", 'F'},
{"01EUS,", 'F'},
{"01EUSC", 'F'},
{"01EUSO", 'F'},
{"01EUV,", 'F'},
{"01EUVC", 'F'},
{"01EUVO", 'F'},
+ {"01EV;T", 'F'},
{"01EVC", 'F'},
{"01EVO(", 'F'},
{"01EVOF", 'F'},
{"01EVOS", 'F'},
+ {"01EVT(", 'F'},
+ {"01EVT1", 'F'},
+ {"01EVTF", 'F'},
+ {"01EVTN", 'F'},
+ {"01EVTS", 'F'},
+ {"01EVTV", 'F'},
{"01EVUE", 'F'},
{"01F()1", 'F'},
{"01F()F", 'F'},
@@ -1251,6 +1410,8 @@ static const keyword_t sql_keywords[] = {
{"01K)EN", 'F'},
{"01K)ES", 'F'},
{"01K)EV", 'F'},
+ {"01K)F(", 'F'},
+ {"01K)O(", 'F'},
{"01K)OF", 'F'},
{"01K)UE", 'F'},
{"01K1", 'F'},
@@ -1387,7 +1548,6 @@ static const keyword_t sql_keywords[] = {
{"01KVU(", 'F'},
{"01KVUE", 'F'},
{"01N&F(", 'F'},
- {"01N(1)", 'F'},
{"01N(1O", 'F'},
{"01N(F(", 'F'},
{"01N(S)", 'F'},
@@ -1410,12 +1570,6 @@ static const keyword_t sql_keywords[] = {
{"01NESO", 'F'},
{"01NEVC", 'F'},
{"01NEVO", 'F'},
- {"01NF()", 'F'},
- {"01NF(1", 'F'},
- {"01NF(F", 'F'},
- {"01NF(N", 'F'},
- {"01NF(S", 'F'},
- {"01NF(V", 'F'},
{"01NU(E", 'F'},
{"01NUE", 'F'},
{"01NUE(", 'F'},
@@ -1437,6 +1591,7 @@ static const keyword_t sql_keywords[] = {
{"01O(EF", 'F'},
{"01O(EK", 'F'},
{"01O(EN", 'F'},
+ {"01O(EO", 'F'},
{"01O(ES", 'F'},
{"01O(EV", 'F'},
{"01O(F(", 'F'},
@@ -1502,6 +1657,7 @@ static const keyword_t sql_keywords[] = {
{"01OS)B", 'F'},
{"01OS)C", 'F'},
{"01OS)E", 'F'},
+ {"01OS)F", 'F'},
{"01OS)K", 'F'},
{"01OS)O", 'F'},
{"01OS)U", 'F'},
@@ -1550,6 +1706,14 @@ static const keyword_t sql_keywords[] = {
{"01OSKS", 'F'},
{"01OSKU", 'F'},
{"01OSKV", 'F'},
+ {"01OST(", 'F'},
+ {"01OST1", 'F'},
+ {"01OSTE", 'F'},
+ {"01OSTF", 'F'},
+ {"01OSTN", 'F'},
+ {"01OSTS", 'F'},
+ {"01OSTT", 'F'},
+ {"01OSTV", 'F'},
{"01OSU", 'F'},
{"01OSU(", 'F'},
{"01OSU1", 'F'},
@@ -1558,7 +1722,6 @@ static const keyword_t sql_keywords[] = {
{"01OSUE", 'F'},
{"01OSUF", 'F'},
{"01OSUK", 'F'},
- {"01OSUN", 'F'},
{"01OSUO", 'F'},
{"01OSUS", 'F'},
{"01OSUT", 'F'},
@@ -1589,6 +1752,7 @@ static const keyword_t sql_keywords[] = {
{"01OV)B", 'F'},
{"01OV)C", 'F'},
{"01OV)E", 'F'},
+ {"01OV)F", 'F'},
{"01OV)K", 'F'},
{"01OV)O", 'F'},
{"01OV)U", 'F'},
@@ -1642,6 +1806,14 @@ static const keyword_t sql_keywords[] = {
{"01OVSO", 'F'},
{"01OVSU", 'F'},
{"01OVSV", 'F'},
+ {"01OVT(", 'F'},
+ {"01OVT1", 'F'},
+ {"01OVTE", 'F'},
+ {"01OVTF", 'F'},
+ {"01OVTN", 'F'},
+ {"01OVTS", 'F'},
+ {"01OVTT", 'F'},
+ {"01OVTV", 'F'},
{"01OVU", 'F'},
{"01OVU(", 'F'},
{"01OVU1", 'F'},
@@ -1650,7 +1822,6 @@ static const keyword_t sql_keywords[] = {
{"01OVUE", 'F'},
{"01OVUF", 'F'},
{"01OVUK", 'F'},
- {"01OVUN", 'F'},
{"01OVUO", 'F'},
{"01OVUS", 'F'},
{"01OVUT", 'F'},
@@ -1672,6 +1843,96 @@ static const keyword_t sql_keywords[] = {
{"01SVO(", 'F'},
{"01SVOF", 'F'},
{"01SVOS", 'F'},
+ {"01T(1)", 'F'},
+ {"01T(1O", 'F'},
+ {"01T(F(", 'F'},
+ {"01T(N)", 'F'},
+ {"01T(NO", 'F'},
+ {"01T(S)", 'F'},
+ {"01T(SO", 'F'},
+ {"01T(V)", 'F'},
+ {"01T(VO", 'F'},
+ {"01T1(F", 'F'},
+ {"01T1O(", 'F'},
+ {"01T1OF", 'F'},
+ {"01T1OS", 'F'},
+ {"01T1OV", 'F'},
+ {"01TE(1", 'F'},
+ {"01TE(F", 'F'},
+ {"01TE(N", 'F'},
+ {"01TE(S", 'F'},
+ {"01TE(V", 'F'},
+ {"01TE1N", 'F'},
+ {"01TE1O", 'F'},
+ {"01TEF(", 'F'},
+ {"01TEK(", 'F'},
+ {"01TEK1", 'F'},
+ {"01TEKF", 'F'},
+ {"01TEKN", 'F'},
+ {"01TEKS", 'F'},
+ {"01TEKV", 'F'},
+ {"01TENN", 'F'},
+ {"01TENO", 'F'},
+ {"01TESN", 'F'},
+ {"01TESO", 'F'},
+ {"01TEVN", 'F'},
+ {"01TEVO", 'F'},
+ {"01TF()", 'F'},
+ {"01TF(1", 'F'},
+ {"01TF(F", 'F'},
+ {"01TF(N", 'F'},
+ {"01TF(S", 'F'},
+ {"01TF(V", 'F'},
+ {"01TN(1", 'F'},
+ {"01TN(F", 'F'},
+ {"01TN(S", 'F'},
+ {"01TN(V", 'F'},
+ {"01TN1C", 'F'},
+ {"01TN1O", 'F'},
+ {"01TN;E", 'F'},
+ {"01TN;N", 'F'},
+ {"01TN;T", 'F'},
+ {"01TNE(", 'F'},
+ {"01TNE1", 'F'},
+ {"01TNEF", 'F'},
+ {"01TNEN", 'F'},
+ {"01TNES", 'F'},
+ {"01TNEV", 'F'},
+ {"01TNF(", 'F'},
+ {"01TNKN", 'F'},
+ {"01TNN:", 'F'},
+ {"01TNNC", 'F'},
+ {"01TNNO", 'F'},
+ {"01TNO(", 'F'},
+ {"01TNOF", 'F'},
+ {"01TNOS", 'F'},
+ {"01TNOV", 'F'},
+ {"01TNSC", 'F'},
+ {"01TNSO", 'F'},
+ {"01TNT(", 'F'},
+ {"01TNT1", 'F'},
+ {"01TNTF", 'F'},
+ {"01TNTN", 'F'},
+ {"01TNTS", 'F'},
+ {"01TNTV", 'F'},
+ {"01TNVC", 'F'},
+ {"01TNVO", 'F'},
+ {"01TS(F", 'F'},
+ {"01TSO(", 'F'},
+ {"01TSO1", 'F'},
+ {"01TSOF", 'F'},
+ {"01TSON", 'F'},
+ {"01TSOS", 'F'},
+ {"01TSOV", 'F'},
+ {"01TTNE", 'F'},
+ {"01TTNK", 'F'},
+ {"01TTNN", 'F'},
+ {"01TTNT", 'F'},
+ {"01TV(1", 'F'},
+ {"01TV(F", 'F'},
+ {"01TVO(", 'F'},
+ {"01TVOF", 'F'},
+ {"01TVOS", 'F'},
{"01U", 'F'},
{"01U(1)", 'F'},
{"01U(1O", 'F'},
@@ -1757,7 +2018,6 @@ static const keyword_t sql_keywords[] = {
{"01UENU", 'F'},
{"01UEOK", 'F'},
{"01UEON", 'F'},
- {"01UEOO", 'F'},
{"01UES", 'F'},
{"01UES&", 'F'},
{"01UES(", 'F'},
@@ -1793,30 +2053,6 @@ static const keyword_t sql_keywords[] = {
{"01UF(S", 'F'},
{"01UF(V", 'F'},
{"01UK(E", 'F'},
- {"01UN(1", 'F'},
- {"01UN(F", 'F'},
- {"01UN(S", 'F'},
- {"01UN(V", 'F'},
- {"01UN,(", 'F'},
- {"01UN,F", 'F'},
- {"01UN1(", 'F'},
- {"01UN1,", 'F'},
- {"01UN1O", 'F'},
- {"01UNC", 'F'},
- {"01UNE(", 'F'},
- {"01UNE1", 'F'},
- {"01UNEF", 'F'},
- {"01UNEN", 'F'},
- {"01UNES", 'F'},
- {"01UNEV", 'F'},
- {"01UNF(", 'F'},
- {"01UNO(", 'F'},
- {"01UNOF", 'F'},
- {"01UNOS", 'F'},
- {"01UNOV", 'F'},
- {"01UNS(", 'F'},
- {"01UNS,", 'F'},
- {"01UNSO", 'F'},
{"01UO(E", 'F'},
{"01UON(", 'F'},
{"01UON1", 'F'},
@@ -1834,7 +2070,9 @@ static const keyword_t sql_keywords[] = {
{"01UTN(", 'F'},
{"01UTN1", 'F'},
{"01UTNF", 'F'},
+ {"01UTNN", 'F'},
{"01UTNS", 'F'},
+ {"01UTNV", 'F'},
{"01UV,(", 'F'},
{"01UV,F", 'F'},
{"01UVC", 'F'},
@@ -1872,6 +2110,8 @@ static const keyword_t sql_keywords[] = {
{"01VUE;", 'F'},
{"01VUEC", 'F'},
{"01VUEK", 'F'},
+ {"0;T(EF", 'F'},
+ {"0;T(EK", 'F'},
{"0;TKNC", 'F'},
{"0E(1&(", 'F'},
{"0E(1&1", 'F'},
@@ -1986,7 +2226,6 @@ static const keyword_t sql_keywords[] = {
{"0E(S)V", 'F'},
{"0E(S,F", 'F'},
{"0E(S1)", 'F'},
- {"0E(S1O", 'F'},
{"0E(SF(", 'F'},
{"0E(SO(", 'F'},
{"0E(SO1", 'F'},
@@ -2270,7 +2509,6 @@ static const keyword_t sql_keywords[] = {
{"0EK1N)", 'F'},
{"0EK1N;", 'F'},
{"0EK1NC", 'F'},
- {"0EK1NF", 'F'},
{"0EK1NK", 'F'},
{"0EK1O(", 'F'},
{"0EK1OF", 'F'},
@@ -2321,7 +2559,6 @@ static const keyword_t sql_keywords[] = {
{"0EKN1", 'F'},
{"0EKN1;", 'F'},
{"0EKN1C", 'F'},
- {"0EKN1F", 'F'},
{"0EKN1K", 'F'},
{"0EKN1O", 'F'},
{"0EKN;(", 'F'},
@@ -2367,7 +2604,6 @@ static const keyword_t sql_keywords[] = {
{"0EKS1C", 'F'},
{"0EKS1F", 'F'},
{"0EKS1K", 'F'},
- {"0EKS1O", 'F'},
{"0EKS;(", 'F'},
{"0EKSB(", 'F'},
{"0EKSB1", 'F'},
@@ -2486,7 +2722,6 @@ static const keyword_t sql_keywords[] = {
{"0EN,F(", 'F'},
{"0EN1;", 'F'},
{"0EN1;C", 'F'},
- {"0EN1C", 'F'},
{"0EN1O(", 'F'},
{"0EN1OF", 'F'},
{"0EN1OS", 'F'},
@@ -2620,10 +2855,6 @@ static const keyword_t sql_keywords[] = {
{"0ES1;", 'F'},
{"0ES1;C", 'F'},
{"0ES1C", 'F'},
- {"0ES1O(", 'F'},
- {"0ES1OF", 'F'},
- {"0ES1OS", 'F'},
- {"0ES1OV", 'F'},
{"0ES;(E", 'F'},
{"0ESB(1", 'F'},
{"0ESB(F", 'F'},
@@ -2942,6 +3173,14 @@ static const keyword_t sql_keywords[] = {
{"0F()SO", 'F'},
{"0F()SU", 'F'},
{"0F()SV", 'F'},
+ {"0F()T(", 'F'},
+ {"0F()T1", 'F'},
+ {"0F()TE", 'F'},
+ {"0F()TF", 'F'},
+ {"0F()TN", 'F'},
+ {"0F()TS", 'F'},
+ {"0F()TT", 'F'},
+ {"0F()TV", 'F'},
{"0F()U", 'F'},
{"0F()U(", 'F'},
{"0F()U1", 'F'},
@@ -2950,7 +3189,6 @@ static const keyword_t sql_keywords[] = {
{"0F()UE", 'F'},
{"0F()UF", 'F'},
{"0F()UK", 'F'},
- {"0F()UN", 'F'},
{"0F()UO", 'F'},
{"0F()US", 'F'},
{"0F()UT", 'F'},
@@ -2980,6 +3218,7 @@ static const keyword_t sql_keywords[] = {
{"0F(1)N", 'F'},
{"0F(1)O", 'F'},
{"0F(1)S", 'F'},
+ {"0F(1)T", 'F'},
{"0F(1)U", 'F'},
{"0F(1)V", 'F'},
{"0F(1,(", 'F'},
@@ -3003,12 +3242,14 @@ static const keyword_t sql_keywords[] = {
{"0F(EK1", 'F'},
{"0F(EKF", 'F'},
{"0F(EKN", 'F'},
+ {"0F(EKO", 'F'},
{"0F(EKS", 'F'},
{"0F(EKV", 'F'},
{"0F(EN&", 'F'},
{"0F(EN)", 'F'},
{"0F(ENK", 'F'},
{"0F(ENO", 'F'},
+ {"0F(EOK", 'F'},
{"0F(ES&", 'F'},
{"0F(ES)", 'F'},
{"0F(ESK", 'F'},
@@ -3047,6 +3288,7 @@ static const keyword_t sql_keywords[] = {
{"0F(N)N", 'F'},
{"0F(N)O", 'F'},
{"0F(N)S", 'F'},
+ {"0F(N)T", 'F'},
{"0F(N)U", 'F'},
{"0F(N)V", 'F'},
{"0F(N,(", 'F'},
@@ -3075,6 +3317,7 @@ static const keyword_t sql_keywords[] = {
{"0F(S)N", 'F'},
{"0F(S)O", 'F'},
{"0F(S)S", 'F'},
+ {"0F(S)T", 'F'},
{"0F(S)U", 'F'},
{"0F(S)V", 'F'},
{"0F(S,(", 'F'},
@@ -3107,6 +3350,7 @@ static const keyword_t sql_keywords[] = {
{"0F(V)N", 'F'},
{"0F(V)O", 'F'},
{"0F(V)S", 'F'},
+ {"0F(V)T", 'F'},
{"0F(V)U", 'F'},
{"0F(V)V", 'F'},
{"0F(V,(", 'F'},
@@ -3395,7 +3639,6 @@ static const keyword_t sql_keywords[] = {
{"0N&1KV", 'F'},
{"0N&1O(", 'F'},
{"0N&1OF", 'F'},
- {"0N&1OO", 'F'},
{"0N&1OS", 'F'},
{"0N&1OV", 'F'},
{"0N&1TN", 'F'},
@@ -3455,6 +3698,7 @@ static const keyword_t sql_keywords[] = {
{"0N&K(S", 'F'},
{"0N&K(V", 'F'},
{"0N&K1O", 'F'},
+ {"0N&KC", 'F'},
{"0N&KF(", 'F'},
{"0N&KNK", 'F'},
{"0N&KO(", 'F'},
@@ -3481,7 +3725,6 @@ static const keyword_t sql_keywords[] = {
{"0N&NB(", 'F'},
{"0N&NB1", 'F'},
{"0N&NBF", 'F'},
- {"0N&NBN", 'F'},
{"0N&NBS", 'F'},
{"0N&NBV", 'F'},
{"0N&NF(", 'F'},
@@ -3512,7 +3755,6 @@ static const keyword_t sql_keywords[] = {
{"0N&S1", 'F'},
{"0N&S1;", 'F'},
{"0N&S1C", 'F'},
- {"0N&S1O", 'F'},
{"0N&S;", 'F'},
{"0N&S;C", 'F'},
{"0N&S;E", 'F'},
@@ -3537,7 +3779,6 @@ static const keyword_t sql_keywords[] = {
{"0N&SO1", 'F'},
{"0N&SOF", 'F'},
{"0N&SON", 'F'},
- {"0N&SOO", 'F'},
{"0N&SOS", 'F'},
{"0N&SOV", 'F'},
{"0N&STN", 'F'},
@@ -3583,7 +3824,6 @@ static const keyword_t sql_keywords[] = {
{"0N&VKV", 'F'},
{"0N&VO(", 'F'},
{"0N&VOF", 'F'},
- {"0N&VOO", 'F'},
{"0N&VOS", 'F'},
{"0N&VS", 'F'},
{"0N&VS;", 'F'},
@@ -3595,48 +3835,6 @@ static const keyword_t sql_keywords[] = {
{"0N&VU;", 'F'},
{"0N&VUC", 'F'},
{"0N&VUE", 'F'},
- {"0N(1)F", 'F'},
- {"0N(1)O", 'F'},
- {"0N(1)U", 'F'},
- {"0N(1)V", 'F'},
- {"0N(1O(", 'F'},
- {"0N(1OF", 'F'},
- {"0N(1OS", 'F'},
- {"0N(1OV", 'F'},
- {"0N(EF(", 'F'},
- {"0N(EKF", 'F'},
- {"0N(EKN", 'F'},
- {"0N(ENK", 'F'},
- {"0N(F()", 'F'},
- {"0N(F(1", 'F'},
- {"0N(F(F", 'F'},
- {"0N(F(N", 'F'},
- {"0N(F(S", 'F'},
- {"0N(F(V", 'F'},
- {"0N(S)1", 'F'},
- {"0N(S)F", 'F'},
- {"0N(S)N", 'F'},
- {"0N(S)O", 'F'},
- {"0N(S)S", 'F'},
- {"0N(S)U", 'F'},
- {"0N(S)V", 'F'},
- {"0N(SO(", 'F'},
- {"0N(SO1", 'F'},
- {"0N(SOF", 'F'},
- {"0N(SON", 'F'},
- {"0N(SOS", 'F'},
- {"0N(SOV", 'F'},
- {"0N(U(E", 'F'},
- {"0N(V)1", 'F'},
- {"0N(V)F", 'F'},
- {"0N(V)N", 'F'},
- {"0N(V)O", 'F'},
- {"0N(V)S", 'F'},
- {"0N(V)U", 'F'},
- {"0N(V)V", 'F'},
- {"0N(VO(", 'F'},
- {"0N(VOF", 'F'},
- {"0N(VOS", 'F'},
{"0N)&(1", 'F'},
{"0N)&(E", 'F'},
{"0N)&(F", 'F'},
@@ -3756,6 +3954,7 @@ static const keyword_t sql_keywords[] = {
{"0N)ESO", 'F'},
{"0N)EVC", 'F'},
{"0N)EVO", 'F'},
+ {"0N)F(F", 'F'},
{"0N)K(1", 'F'},
{"0N)K(F", 'F'},
{"0N)K(N", 'F'},
@@ -3777,6 +3976,7 @@ static const keyword_t sql_keywords[] = {
{"0N)KN&", 'F'},
{"0N)KN;", 'F'},
{"0N)KNB", 'F'},
+ {"0N)KNC", 'F'},
{"0N)KNE", 'F'},
{"0N)KNK", 'F'},
{"0N)KNU", 'F'},
@@ -3807,7 +4007,6 @@ static const keyword_t sql_keywords[] = {
{"0N)O1K", 'F'},
{"0N)O1U", 'F'},
{"0N)OF(", 'F'},
- {"0N)ON", 'F'},
{"0N)ON&", 'F'},
{"0N)ON)", 'F'},
{"0N)ON;", 'F'},
@@ -3861,12 +4060,6 @@ static const keyword_t sql_keywords[] = {
{"0N,F(N", 'F'},
{"0N,F(S", 'F'},
{"0N,F(V", 'F'},
- {"0N1F()", 'F'},
- {"0N1F(1", 'F'},
- {"0N1F(F", 'F'},
- {"0N1F(N", 'F'},
- {"0N1F(S", 'F'},
- {"0N1F(V", 'F'},
{"0N1O(1", 'F'},
{"0N1O(F", 'F'},
{"0N1O(N", 'F'},
@@ -3937,11 +4130,13 @@ static const keyword_t sql_keywords[] = {
{"0N;EVT", 'F'},
{"0N;N:T", 'F'},
{"0N;T(1", 'F'},
+ {"0N;T(C", 'F'},
{"0N;T(E", 'F'},
{"0N;T(F", 'F'},
{"0N;T(N", 'F'},
{"0N;T(S", 'F'},
{"0N;T(V", 'F'},
+ {"0N;T1(", 'F'},
{"0N;T1,", 'F'},
{"0N;T1;", 'F'},
{"0N;T1C", 'F'},
@@ -3956,7 +4151,6 @@ static const keyword_t sql_keywords[] = {
{"0N;TK1", 'F'},
{"0N;TKF", 'F'},
{"0N;TKK", 'F'},
- {"0N;TKN", 'F'},
{"0N;TKO", 'F'},
{"0N;TKS", 'F'},
{"0N;TKV", 'F'},
@@ -3974,6 +4168,7 @@ static const keyword_t sql_keywords[] = {
{"0N;TNT", 'F'},
{"0N;TNV", 'F'},
{"0N;TO(", 'F'},
+ {"0N;TS(", 'F'},
{"0N;TS,", 'F'},
{"0N;TS;", 'F'},
{"0N;TSC", 'F'},
@@ -3981,12 +4176,8 @@ static const keyword_t sql_keywords[] = {
{"0N;TSK", 'F'},
{"0N;TSO", 'F'},
{"0N;TST", 'F'},
- {"0N;TT(", 'F'},
- {"0N;TT1", 'F'},
- {"0N;TTF", 'F'},
{"0N;TTN", 'F'},
- {"0N;TTS", 'F'},
- {"0N;TTV", 'F'},
+ {"0N;TV(", 'F'},
{"0N;TV,", 'F'},
{"0N;TV;", 'F'},
{"0N;TVC", 'F'},
@@ -4025,13 +4216,16 @@ static const keyword_t sql_keywords[] = {
{"0NAVOF", 'F'},
{"0NAVOS", 'F'},
{"0NAVUE", 'F'},
+ {"0NB(1&", 'F'},
{"0NB(1)", 'F'},
{"0NB(1O", 'F'},
{"0NB(F(", 'F'},
- {"0NB(N)", 'F'},
+ {"0NB(N&", 'F'},
{"0NB(NO", 'F'},
+ {"0NB(S&", 'F'},
{"0NB(S)", 'F'},
{"0NB(SO", 'F'},
+ {"0NB(V&", 'F'},
{"0NB(V)", 'F'},
{"0NB(VO", 'F'},
{"0NB1", 'F'},
@@ -4176,11 +4370,18 @@ static const keyword_t sql_keywords[] = {
{"0NE(SO", 'F'},
{"0NE(V)", 'F'},
{"0NE(VO", 'F'},
+ {"0NE1;T", 'F'},
{"0NE1C", 'F'},
{"0NE1O(", 'F'},
{"0NE1OF", 'F'},
{"0NE1OS", 'F'},
{"0NE1OV", 'F'},
+ {"0NE1T(", 'F'},
+ {"0NE1T1", 'F'},
+ {"0NE1TF", 'F'},
+ {"0NE1TN", 'F'},
+ {"0NE1TS", 'F'},
+ {"0NE1TV", 'F'},
{"0NE1UE", 'F'},
{"0NEF()", 'F'},
{"0NEF(1", 'F'},
@@ -4188,13 +4389,20 @@ static const keyword_t sql_keywords[] = {
{"0NEF(N", 'F'},
{"0NEF(S", 'F'},
{"0NEF(V", 'F'},
- {"0NENC", 'F'},
+ {"0NEN;T", 'F'},
{"0NENO(", 'F'},
{"0NENOF", 'F'},
{"0NENOS", 'F'},
{"0NENOV", 'F'},
+ {"0NENT(", 'F'},
+ {"0NENT1", 'F'},
+ {"0NENTF", 'F'},
+ {"0NENTN", 'F'},
+ {"0NENTS", 'F'},
+ {"0NENTV", 'F'},
{"0NENUE", 'F'},
{"0NEOKN", 'F'},
+ {"0NES;T", 'F'},
{"0NESC", 'F'},
{"0NESO(", 'F'},
{"0NESO1", 'F'},
@@ -4202,6 +4410,12 @@ static const keyword_t sql_keywords[] = {
{"0NESON", 'F'},
{"0NESOS", 'F'},
{"0NESOV", 'F'},
+ {"0NEST(", 'F'},
+ {"0NEST1", 'F'},
+ {"0NESTF", 'F'},
+ {"0NESTN", 'F'},
+ {"0NESTS", 'F'},
+ {"0NESTV", 'F'},
{"0NESUE", 'F'},
{"0NEU(1", 'F'},
{"0NEU(F", 'F'},
@@ -4214,19 +4428,23 @@ static const keyword_t sql_keywords[] = {
{"0NEUEF", 'F'},
{"0NEUEK", 'F'},
{"0NEUF(", 'F'},
- {"0NEUN,", 'F'},
- {"0NEUNC", 'F'},
- {"0NEUNO", 'F'},
{"0NEUS,", 'F'},
{"0NEUSC", 'F'},
{"0NEUSO", 'F'},
{"0NEUV,", 'F'},
{"0NEUVC", 'F'},
{"0NEUVO", 'F'},
+ {"0NEV;T", 'F'},
{"0NEVC", 'F'},
{"0NEVO(", 'F'},
{"0NEVOF", 'F'},
{"0NEVOS", 'F'},
+ {"0NEVT(", 'F'},
+ {"0NEVT1", 'F'},
+ {"0NEVTF", 'F'},
+ {"0NEVTN", 'F'},
+ {"0NEVTS", 'F'},
+ {"0NEVTV", 'F'},
{"0NEVUE", 'F'},
{"0NF()1", 'F'},
{"0NF()F", 'F'},
@@ -4237,7 +4455,6 @@ static const keyword_t sql_keywords[] = {
{"0NF()U", 'F'},
{"0NF()V", 'F'},
{"0NF(1)", 'F'},
- {"0NF(1N", 'F'},
{"0NF(1O", 'F'},
{"0NF(E(", 'F'},
{"0NF(E1", 'F'},
@@ -4247,7 +4464,6 @@ static const keyword_t sql_keywords[] = {
{"0NF(ES", 'F'},
{"0NF(EV", 'F'},
{"0NF(F(", 'F'},
- {"0NF(N)", 'F'},
{"0NF(N,", 'F'},
{"0NF(NO", 'F'},
{"0NF(S)", 'F'},
@@ -4257,7 +4473,6 @@ static const keyword_t sql_keywords[] = {
{"0NK(1)", 'F'},
{"0NK(1O", 'F'},
{"0NK(F(", 'F'},
- {"0NK(N)", 'F'},
{"0NK(NO", 'F'},
{"0NK(S)", 'F'},
{"0NK(SO", 'F'},
@@ -4284,6 +4499,8 @@ static const keyword_t sql_keywords[] = {
{"0NK)EN", 'F'},
{"0NK)ES", 'F'},
{"0NK)EV", 'F'},
+ {"0NK)F(", 'F'},
+ {"0NK)O(", 'F'},
{"0NK)OF", 'F'},
{"0NK)UE", 'F'},
{"0NK1", 'F'},
@@ -4337,7 +4554,6 @@ static const keyword_t sql_keywords[] = {
{"0NKNBN", 'F'},
{"0NKNBS", 'F'},
{"0NKNBV", 'F'},
- {"0NKNC", 'F'},
{"0NKNE(", 'F'},
{"0NKNE1", 'F'},
{"0NKNEF", 'F'},
@@ -4425,6 +4641,7 @@ static const keyword_t sql_keywords[] = {
{"0NO(EF", 'F'},
{"0NO(EK", 'F'},
{"0NO(EN", 'F'},
+ {"0NO(EO", 'F'},
{"0NO(ES", 'F'},
{"0NO(EV", 'F'},
{"0NO(F(", 'F'},
@@ -4448,11 +4665,6 @@ static const keyword_t sql_keywords[] = {
{"0NOF(S", 'F'},
{"0NOF(V", 'F'},
{"0NOK&(", 'F'},
- {"0NOK&1", 'F'},
- {"0NOK&F", 'F'},
- {"0NOK&N", 'F'},
- {"0NOK&S", 'F'},
- {"0NOK&V", 'F'},
{"0NOK(1", 'F'},
{"0NOK(F", 'F'},
{"0NOK(N", 'F'},
@@ -4490,6 +4702,7 @@ static const keyword_t sql_keywords[] = {
{"0NOS)B", 'F'},
{"0NOS)C", 'F'},
{"0NOS)E", 'F'},
+ {"0NOS)F", 'F'},
{"0NOS)K", 'F'},
{"0NOS)O", 'F'},
{"0NOS)U", 'F'},
@@ -4498,7 +4711,6 @@ static const keyword_t sql_keywords[] = {
{"0NOS1(", 'F'},
{"0NOS1F", 'F'},
{"0NOS1N", 'F'},
- {"0NOS1O", 'F'},
{"0NOS1S", 'F'},
{"0NOS1U", 'F'},
{"0NOS1V", 'F'},
@@ -4538,6 +4750,14 @@ static const keyword_t sql_keywords[] = {
{"0NOSKS", 'F'},
{"0NOSKU", 'F'},
{"0NOSKV", 'F'},
+ {"0NOST(", 'F'},
+ {"0NOST1", 'F'},
+ {"0NOSTE", 'F'},
+ {"0NOSTF", 'F'},
+ {"0NOSTN", 'F'},
+ {"0NOSTS", 'F'},
+ {"0NOSTT", 'F'},
+ {"0NOSTV", 'F'},
{"0NOSU", 'F'},
{"0NOSU(", 'F'},
{"0NOSU1", 'F'},
@@ -4546,7 +4766,6 @@ static const keyword_t sql_keywords[] = {
{"0NOSUE", 'F'},
{"0NOSUF", 'F'},
{"0NOSUK", 'F'},
- {"0NOSUN", 'F'},
{"0NOSUO", 'F'},
{"0NOSUS", 'F'},
{"0NOSUT", 'F'},
@@ -4576,6 +4795,7 @@ static const keyword_t sql_keywords[] = {
{"0NOV)B", 'F'},
{"0NOV)C", 'F'},
{"0NOV)E", 'F'},
+ {"0NOV)F", 'F'},
{"0NOV)K", 'F'},
{"0NOV)O", 'F'},
{"0NOV)U", 'F'},
@@ -4629,6 +4849,14 @@ static const keyword_t sql_keywords[] = {
{"0NOVSO", 'F'},
{"0NOVSU", 'F'},
{"0NOVSV", 'F'},
+ {"0NOVT(", 'F'},
+ {"0NOVT1", 'F'},
+ {"0NOVTE", 'F'},
+ {"0NOVTF", 'F'},
+ {"0NOVTN", 'F'},
+ {"0NOVTS", 'F'},
+ {"0NOVTT", 'F'},
+ {"0NOVTV", 'F'},
{"0NOVU", 'F'},
{"0NOVU(", 'F'},
{"0NOVU1", 'F'},
@@ -4637,7 +4865,6 @@ static const keyword_t sql_keywords[] = {
{"0NOVUE", 'F'},
{"0NOVUF", 'F'},
{"0NOVUK", 'F'},
- {"0NOVUN", 'F'},
{"0NOVUO", 'F'},
{"0NOVUS", 'F'},
{"0NOVUT", 'F'},
@@ -4650,6 +4877,96 @@ static const keyword_t sql_keywords[] = {
{"0NSUE;", 'F'},
{"0NSUEC", 'F'},
{"0NSUEK", 'F'},
+ {"0NT(1)", 'F'},
+ {"0NT(1O", 'F'},
+ {"0NT(F(", 'F'},
+ {"0NT(N)", 'F'},
+ {"0NT(NO", 'F'},
+ {"0NT(S)", 'F'},
+ {"0NT(SO", 'F'},
+ {"0NT(V)", 'F'},
+ {"0NT(VO", 'F'},
+ {"0NT1(F", 'F'},
+ {"0NT1O(", 'F'},
+ {"0NT1OF", 'F'},
+ {"0NT1OS", 'F'},
+ {"0NT1OV", 'F'},
+ {"0NTE(1", 'F'},
+ {"0NTE(F", 'F'},
+ {"0NTE(N", 'F'},
+ {"0NTE(S", 'F'},
+ {"0NTE(V", 'F'},
+ {"0NTE1N", 'F'},
+ {"0NTE1O", 'F'},
+ {"0NTEF(", 'F'},
+ {"0NTEK(", 'F'},
+ {"0NTEK1", 'F'},
+ {"0NTEKF", 'F'},
+ {"0NTEKN", 'F'},
+ {"0NTEKS", 'F'},
+ {"0NTEKV", 'F'},
+ {"0NTENN", 'F'},
+ {"0NTENO", 'F'},
+ {"0NTESN", 'F'},
+ {"0NTESO", 'F'},
+ {"0NTEVN", 'F'},
+ {"0NTEVO", 'F'},
+ {"0NTF()", 'F'},
+ {"0NTF(1", 'F'},
+ {"0NTF(F", 'F'},
+ {"0NTF(N", 'F'},
+ {"0NTF(S", 'F'},
+ {"0NTF(V", 'F'},
+ {"0NTN(1", 'F'},
+ {"0NTN(F", 'F'},
+ {"0NTN(S", 'F'},
+ {"0NTN(V", 'F'},
+ {"0NTN1C", 'F'},
+ {"0NTN1O", 'F'},
+ {"0NTN;E", 'F'},
+ {"0NTN;N", 'F'},
+ {"0NTN;T", 'F'},
+ {"0NTNE(", 'F'},
+ {"0NTNE1", 'F'},
+ {"0NTNEF", 'F'},
+ {"0NTNEN", 'F'},
+ {"0NTNES", 'F'},
+ {"0NTNEV", 'F'},
+ {"0NTNF(", 'F'},
+ {"0NTNKN", 'F'},
+ {"0NTNN:", 'F'},
+ {"0NTNNC", 'F'},
+ {"0NTNNO", 'F'},
+ {"0NTNO(", 'F'},
+ {"0NTNOF", 'F'},
+ {"0NTNOS", 'F'},
+ {"0NTNOV", 'F'},
+ {"0NTNSC", 'F'},
+ {"0NTNSO", 'F'},
+ {"0NTNT(", 'F'},
+ {"0NTNT1", 'F'},
+ {"0NTNTF", 'F'},
+ {"0NTNTN", 'F'},
+ {"0NTNTS", 'F'},
+ {"0NTNTV", 'F'},
+ {"0NTNVC", 'F'},
+ {"0NTNVO", 'F'},
+ {"0NTS(F", 'F'},
+ {"0NTSO(", 'F'},
+ {"0NTSO1", 'F'},
+ {"0NTSOF", 'F'},
+ {"0NTSON", 'F'},
+ {"0NTSOS", 'F'},
+ {"0NTSOV", 'F'},
+ {"0NTTNE", 'F'},
+ {"0NTTNK", 'F'},
+ {"0NTTNN", 'F'},
+ {"0NTTNT", 'F'},
+ {"0NTV(1", 'F'},
+ {"0NTV(F", 'F'},
+ {"0NTVO(", 'F'},
+ {"0NTVOF", 'F'},
+ {"0NTVOS", 'F'},
{"0NU(1)", 'F'},
{"0NU(1O", 'F'},
{"0NU(E(", 'F'},
@@ -4733,7 +5050,6 @@ static const keyword_t sql_keywords[] = {
{"0NUENU", 'F'},
{"0NUEOK", 'F'},
{"0NUEON", 'F'},
- {"0NUEOO", 'F'},
{"0NUES", 'F'},
{"0NUES&", 'F'},
{"0NUES(", 'F'},
@@ -4769,30 +5085,6 @@ static const keyword_t sql_keywords[] = {
{"0NUF(S", 'F'},
{"0NUF(V", 'F'},
{"0NUK(E", 'F'},
- {"0NUN(1", 'F'},
- {"0NUN(F", 'F'},
- {"0NUN(S", 'F'},
- {"0NUN(V", 'F'},
- {"0NUN,(", 'F'},
- {"0NUN,F", 'F'},
- {"0NUN1(", 'F'},
- {"0NUN1,", 'F'},
- {"0NUN1O", 'F'},
- {"0NUNC", 'F'},
- {"0NUNE(", 'F'},
- {"0NUNE1", 'F'},
- {"0NUNEF", 'F'},
- {"0NUNEN", 'F'},
- {"0NUNES", 'F'},
- {"0NUNEV", 'F'},
- {"0NUNF(", 'F'},
- {"0NUNO(", 'F'},
- {"0NUNOF", 'F'},
- {"0NUNOS", 'F'},
- {"0NUNOV", 'F'},
- {"0NUNS(", 'F'},
- {"0NUNS,", 'F'},
- {"0NUNSO", 'F'},
{"0NUO(E", 'F'},
{"0NUON(", 'F'},
{"0NUON1", 'F'},
@@ -4810,110 +5102,15 @@ static const keyword_t sql_keywords[] = {
{"0NUTN(", 'F'},
{"0NUTN1", 'F'},
{"0NUTNF", 'F'},
+ {"0NUTNN", 'F'},
{"0NUTNS", 'F'},
+ {"0NUTNV", 'F'},
{"0NUV,(", 'F'},
{"0NUV,F", 'F'},
{"0NUVC", 'F'},
{"0NUVO(", 'F'},
{"0NUVOF", 'F'},
{"0NUVOS", 'F'},
- {"0O(1)O", 'F'},
- {"0O(1)U", 'F'},
- {"0O(1O(", 'F'},
- {"0O(1OF", 'F'},
- {"0O(1OS", 'F'},
- {"0O(1OV", 'F'},
- {"0O(F()", 'F'},
- {"0O(F(1", 'F'},
- {"0O(F(F", 'F'},
- {"0O(F(N", 'F'},
- {"0O(F(S", 'F'},
- {"0O(F(V", 'F'},
- {"0O(N)O", 'F'},
- {"0O(N)U", 'F'},
- {"0O(NO(", 'F'},
- {"0O(NOF", 'F'},
- {"0O(NOS", 'F'},
- {"0O(NOV", 'F'},
- {"0O(S)O", 'F'},
- {"0O(S)U", 'F'},
- {"0O(SO(", 'F'},
- {"0O(SO1", 'F'},
- {"0O(SOF", 'F'},
- {"0O(SON", 'F'},
- {"0O(SOS", 'F'},
- {"0O(SOV", 'F'},
- {"0O(V)O", 'F'},
- {"0O(V)U", 'F'},
- {"0O(VO(", 'F'},
- {"0O(VOF", 'F'},
- {"0O(VOS", 'F'},
- {"0O1UE(", 'F'},
- {"0O1UE1", 'F'},
- {"0O1UEF", 'F'},
- {"0O1UEK", 'F'},
- {"0O1UEN", 'F'},
- {"0O1UES", 'F'},
- {"0O1UEV", 'F'},
- {"0OF()O", 'F'},
- {"0OF()U", 'F'},
- {"0OF(1)", 'F'},
- {"0OF(1O", 'F'},
- {"0OF(F(", 'F'},
- {"0OF(N)", 'F'},
- {"0OF(NO", 'F'},
- {"0OF(S)", 'F'},
- {"0OF(SO", 'F'},
- {"0OF(V)", 'F'},
- {"0OF(VO", 'F'},
- {"0ONUE(", 'F'},
- {"0ONUE1", 'F'},
- {"0ONUEF", 'F'},
- {"0ONUEK", 'F'},
- {"0ONUEN", 'F'},
- {"0ONUES", 'F'},
- {"0ONUEV", 'F'},
- {"0OSUE(", 'F'},
- {"0OSUE1", 'F'},
- {"0OSUEF", 'F'},
- {"0OSUEK", 'F'},
- {"0OSUEN", 'F'},
- {"0OSUES", 'F'},
- {"0OSUEV", 'F'},
- {"0OUE(1", 'F'},
- {"0OUE(F", 'F'},
- {"0OUE(N", 'F'},
- {"0OUE(S", 'F'},
- {"0OUE(V", 'F'},
- {"0OUE1,", 'F'},
- {"0OUE1O", 'F'},
- {"0OUEF(", 'F'},
- {"0OUEK(", 'F'},
- {"0OUEK1", 'F'},
- {"0OUEKF", 'F'},
- {"0OUEKN", 'F'},
- {"0OUEKS", 'F'},
- {"0OUEKV", 'F'},
- {"0OUEN,", 'F'},
- {"0OUENO", 'F'},
- {"0OUES,", 'F'},
- {"0OUESO", 'F'},
- {"0OUEV,", 'F'},
- {"0OUEVO", 'F'},
- {"0OVO(1", 'F'},
- {"0OVO(F", 'F'},
- {"0OVO(N", 'F'},
- {"0OVO(S", 'F'},
- {"0OVO(V", 'F'},
- {"0OVOF(", 'F'},
- {"0OVOSU", 'F'},
- {"0OVUE(", 'F'},
- {"0OVUE1", 'F'},
- {"0OVUEF", 'F'},
- {"0OVUEK", 'F'},
- {"0OVUEN", 'F'},
- {"0OVUES", 'F'},
- {"0OVUEV", 'F'},
{"0S&(1&", 'F'},
{"0S&(1)", 'F'},
{"0S&(1,", 'F'},
@@ -4972,7 +5169,6 @@ static const keyword_t sql_keywords[] = {
{"0S&1KV", 'F'},
{"0S&1O(", 'F'},
{"0S&1OF", 'F'},
- {"0S&1OO", 'F'},
{"0S&1OS", 'F'},
{"0S&1OV", 'F'},
{"0S&1TN", 'F'},
@@ -5033,6 +5229,7 @@ static const keyword_t sql_keywords[] = {
{"0S&K(S", 'F'},
{"0S&K(V", 'F'},
{"0S&K1O", 'F'},
+ {"0S&KC", 'F'},
{"0S&KF(", 'F'},
{"0S&KNK", 'F'},
{"0S&KO(", 'F'},
@@ -5098,7 +5295,6 @@ static const keyword_t sql_keywords[] = {
{"0S&S1", 'F'},
{"0S&S1;", 'F'},
{"0S&S1C", 'F'},
- {"0S&S1O", 'F'},
{"0S&S;", 'F'},
{"0S&S;C", 'F'},
{"0S&S;E", 'F'},
@@ -5123,7 +5319,6 @@ static const keyword_t sql_keywords[] = {
{"0S&SO1", 'F'},
{"0S&SOF", 'F'},
{"0S&SON", 'F'},
- {"0S&SOO", 'F'},
{"0S&SOS", 'F'},
{"0S&SOV", 'F'},
{"0S&STN", 'F'},
@@ -5169,7 +5364,6 @@ static const keyword_t sql_keywords[] = {
{"0S&VKV", 'F'},
{"0S&VO(", 'F'},
{"0S&VOF", 'F'},
- {"0S&VOO", 'F'},
{"0S&VOS", 'F'},
{"0S&VS", 'F'},
{"0S&VS;", 'F'},
@@ -5306,6 +5500,7 @@ static const keyword_t sql_keywords[] = {
{"0S)ESO", 'F'},
{"0S)EVC", 'F'},
{"0S)EVO", 'F'},
+ {"0S)F(F", 'F'},
{"0S)K(1", 'F'},
{"0S)K(F", 'F'},
{"0S)K(N", 'F'},
@@ -5327,6 +5522,7 @@ static const keyword_t sql_keywords[] = {
{"0S)KN&", 'F'},
{"0S)KN;", 'F'},
{"0S)KNB", 'F'},
+ {"0S)KNC", 'F'},
{"0S)KNE", 'F'},
{"0S)KNK", 'F'},
{"0S)KNU", 'F'},
@@ -5419,22 +5615,6 @@ static const keyword_t sql_keywords[] = {
{"0S1F(S", 'F'},
{"0S1F(V", 'F'},
{"0S1NC", 'F'},
- {"0S1O(1", 'F'},
- {"0S1O(F", 'F'},
- {"0S1O(N", 'F'},
- {"0S1O(S", 'F'},
- {"0S1O(V", 'F'},
- {"0S1OF(", 'F'},
- {"0S1OS(", 'F'},
- {"0S1OS1", 'F'},
- {"0S1OSF", 'F'},
- {"0S1OSU", 'F'},
- {"0S1OSV", 'F'},
- {"0S1OV(", 'F'},
- {"0S1OVF", 'F'},
- {"0S1OVO", 'F'},
- {"0S1OVS", 'F'},
- {"0S1OVU", 'F'},
{"0S1S;", 'F'},
{"0S1S;C", 'F'},
{"0S1SC", 'F'},
@@ -5490,11 +5670,13 @@ static const keyword_t sql_keywords[] = {
{"0S;EVT", 'F'},
{"0S;N:T", 'F'},
{"0S;T(1", 'F'},
+ {"0S;T(C", 'F'},
{"0S;T(E", 'F'},
{"0S;T(F", 'F'},
{"0S;T(N", 'F'},
{"0S;T(S", 'F'},
{"0S;T(V", 'F'},
+ {"0S;T1(", 'F'},
{"0S;T1,", 'F'},
{"0S;T1;", 'F'},
{"0S;T1C", 'F'},
@@ -5527,6 +5709,7 @@ static const keyword_t sql_keywords[] = {
{"0S;TNT", 'F'},
{"0S;TNV", 'F'},
{"0S;TO(", 'F'},
+ {"0S;TS(", 'F'},
{"0S;TS,", 'F'},
{"0S;TS;", 'F'},
{"0S;TSC", 'F'},
@@ -5534,12 +5717,8 @@ static const keyword_t sql_keywords[] = {
{"0S;TSK", 'F'},
{"0S;TSO", 'F'},
{"0S;TST", 'F'},
- {"0S;TT(", 'F'},
- {"0S;TT1", 'F'},
- {"0S;TTF", 'F'},
{"0S;TTN", 'F'},
- {"0S;TTS", 'F'},
- {"0S;TTV", 'F'},
+ {"0S;TV(", 'F'},
{"0S;TV,", 'F'},
{"0S;TV;", 'F'},
{"0S;TVC", 'F'},
@@ -5581,7 +5760,6 @@ static const keyword_t sql_keywords[] = {
{"0SB(1)", 'F'},
{"0SB(1O", 'F'},
{"0SB(F(", 'F'},
- {"0SB(N)", 'F'},
{"0SB(NO", 'F'},
{"0SB(S)", 'F'},
{"0SB(SO", 'F'},
@@ -5730,11 +5908,18 @@ static const keyword_t sql_keywords[] = {
{"0SE(SO", 'F'},
{"0SE(V)", 'F'},
{"0SE(VO", 'F'},
+ {"0SE1;T", 'F'},
{"0SE1C", 'F'},
{"0SE1O(", 'F'},
{"0SE1OF", 'F'},
{"0SE1OS", 'F'},
{"0SE1OV", 'F'},
+ {"0SE1T(", 'F'},
+ {"0SE1T1", 'F'},
+ {"0SE1TF", 'F'},
+ {"0SE1TN", 'F'},
+ {"0SE1TS", 'F'},
+ {"0SE1TV", 'F'},
{"0SE1UE", 'F'},
{"0SEF()", 'F'},
{"0SEF(1", 'F'},
@@ -5748,35 +5933,50 @@ static const keyword_t sql_keywords[] = {
{"0SEK(N", 'F'},
{"0SEK(S", 'F'},
{"0SEK(V", 'F'},
+ {"0SEK1;", 'F'},
{"0SEK1C", 'F'},
{"0SEK1O", 'F'},
+ {"0SEK1T", 'F'},
{"0SEK1U", 'F'},
{"0SEKF(", 'F'},
+ {"0SEKN;", 'F'},
{"0SEKNC", 'F'},
{"0SEKNE", 'F'},
+ {"0SEKNT", 'F'},
{"0SEKNU", 'F'},
{"0SEKOK", 'F'},
+ {"0SEKS;", 'F'},
{"0SEKSC", 'F'},
{"0SEKSO", 'F'},
+ {"0SEKST", 'F'},
{"0SEKSU", 'F'},
{"0SEKU(", 'F'},
{"0SEKU1", 'F'},
{"0SEKUE", 'F'},
{"0SEKUF", 'F'},
- {"0SEKUN", 'F'},
{"0SEKUS", 'F'},
{"0SEKUV", 'F'},
+ {"0SEKV;", 'F'},
{"0SEKVC", 'F'},
{"0SEKVO", 'F'},
+ {"0SEKVT", 'F'},
{"0SEKVU", 'F'},
+ {"0SEN;T", 'F'},
{"0SENC", 'F'},
{"0SENEN", 'F'},
{"0SENO(", 'F'},
{"0SENOF", 'F'},
{"0SENOS", 'F'},
{"0SENOV", 'F'},
+ {"0SENT(", 'F'},
+ {"0SENT1", 'F'},
+ {"0SENTF", 'F'},
+ {"0SENTN", 'F'},
+ {"0SENTS", 'F'},
+ {"0SENTV", 'F'},
{"0SENUE", 'F'},
{"0SEOKN", 'F'},
+ {"0SES;T", 'F'},
{"0SESC", 'F'},
{"0SESO(", 'F'},
{"0SESO1", 'F'},
@@ -5784,6 +5984,12 @@ static const keyword_t sql_keywords[] = {
{"0SESON", 'F'},
{"0SESOS", 'F'},
{"0SESOV", 'F'},
+ {"0SEST(", 'F'},
+ {"0SEST1", 'F'},
+ {"0SESTF", 'F'},
+ {"0SESTN", 'F'},
+ {"0SESTS", 'F'},
+ {"0SESTV", 'F'},
{"0SESUE", 'F'},
{"0SEU(1", 'F'},
{"0SEU(F", 'F'},
@@ -5796,19 +6002,23 @@ static const keyword_t sql_keywords[] = {
{"0SEUEF", 'F'},
{"0SEUEK", 'F'},
{"0SEUF(", 'F'},
- {"0SEUN,", 'F'},
- {"0SEUNC", 'F'},
- {"0SEUNO", 'F'},
{"0SEUS,", 'F'},
{"0SEUSC", 'F'},
{"0SEUSO", 'F'},
{"0SEUV,", 'F'},
{"0SEUVC", 'F'},
{"0SEUVO", 'F'},
+ {"0SEV;T", 'F'},
{"0SEVC", 'F'},
{"0SEVO(", 'F'},
{"0SEVOF", 'F'},
{"0SEVOS", 'F'},
+ {"0SEVT(", 'F'},
+ {"0SEVT1", 'F'},
+ {"0SEVTF", 'F'},
+ {"0SEVTN", 'F'},
+ {"0SEVTS", 'F'},
+ {"0SEVTV", 'F'},
{"0SEVUE", 'F'},
{"0SF()1", 'F'},
{"0SF()F", 'F'},
@@ -5866,6 +6076,8 @@ static const keyword_t sql_keywords[] = {
{"0SK)EN", 'F'},
{"0SK)ES", 'F'},
{"0SK)EV", 'F'},
+ {"0SK)F(", 'F'},
+ {"0SK)O(", 'F'},
{"0SK)OF", 'F'},
{"0SK)UE", 'F'},
{"0SK1", 'F'},
@@ -6011,6 +6223,7 @@ static const keyword_t sql_keywords[] = {
{"0SO(EF", 'F'},
{"0SO(EK", 'F'},
{"0SO(EN", 'F'},
+ {"0SO(EO", 'F'},
{"0SO(ES", 'F'},
{"0SO(EV", 'F'},
{"0SO(F(", 'F'},
@@ -6043,6 +6256,7 @@ static const keyword_t sql_keywords[] = {
{"0SO1)B", 'F'},
{"0SO1)C", 'F'},
{"0SO1)E", 'F'},
+ {"0SO1)F", 'F'},
{"0SO1)K", 'F'},
{"0SO1)O", 'F'},
{"0SO1)U", 'F'},
@@ -6089,12 +6303,17 @@ static const keyword_t sql_keywords[] = {
{"0SO1N(", 'F'},
{"0SO1N,", 'F'},
{"0SO1NE", 'F'},
- {"0SO1NF", 'F'},
{"0SO1NU", 'F'},
- {"0SO1S(", 'F'},
- {"0SO1SF", 'F'},
{"0SO1SU", 'F'},
{"0SO1SV", 'F'},
+ {"0SO1T(", 'F'},
+ {"0SO1T1", 'F'},
+ {"0SO1TE", 'F'},
+ {"0SO1TF", 'F'},
+ {"0SO1TN", 'F'},
+ {"0SO1TS", 'F'},
+ {"0SO1TT", 'F'},
+ {"0SO1TV", 'F'},
{"0SO1U", 'F'},
{"0SO1U(", 'F'},
{"0SO1U1", 'F'},
@@ -6103,7 +6322,6 @@ static const keyword_t sql_keywords[] = {
{"0SO1UE", 'F'},
{"0SO1UF", 'F'},
{"0SO1UK", 'F'},
- {"0SO1UN", 'F'},
{"0SO1UO", 'F'},
{"0SO1US", 'F'},
{"0SO1UT", 'F'},
@@ -6166,16 +6384,14 @@ static const keyword_t sql_keywords[] = {
{"0SON)B", 'F'},
{"0SON)C", 'F'},
{"0SON)E", 'F'},
+ {"0SON)F", 'F'},
{"0SON)K", 'F'},
{"0SON)O", 'F'},
{"0SON)U", 'F'},
{"0SON,(", 'F'},
{"0SON,F", 'F'},
{"0SON1(", 'F'},
- {"0SON1F", 'F'},
- {"0SON1N", 'F'},
{"0SON1O", 'F'},
- {"0SON1S", 'F'},
{"0SON1U", 'F'},
{"0SON1V", 'F'},
{"0SON;", 'F'},
@@ -6213,6 +6429,14 @@ static const keyword_t sql_keywords[] = {
{"0SONKU", 'F'},
{"0SONKV", 'F'},
{"0SONSU", 'F'},
+ {"0SONT(", 'F'},
+ {"0SONT1", 'F'},
+ {"0SONTE", 'F'},
+ {"0SONTF", 'F'},
+ {"0SONTN", 'F'},
+ {"0SONTS", 'F'},
+ {"0SONTT", 'F'},
+ {"0SONTV", 'F'},
{"0SONU", 'F'},
{"0SONU(", 'F'},
{"0SONU1", 'F'},
@@ -6221,7 +6445,6 @@ static const keyword_t sql_keywords[] = {
{"0SONUE", 'F'},
{"0SONUF", 'F'},
{"0SONUK", 'F'},
- {"0SONUN", 'F'},
{"0SONUO", 'F'},
{"0SONUS", 'F'},
{"0SONUT", 'F'},
@@ -6244,6 +6467,7 @@ static const keyword_t sql_keywords[] = {
{"0SOS)B", 'F'},
{"0SOS)C", 'F'},
{"0SOS)E", 'F'},
+ {"0SOS)F", 'F'},
{"0SOS)K", 'F'},
{"0SOS)O", 'F'},
{"0SOS)U", 'F'},
@@ -6252,7 +6476,6 @@ static const keyword_t sql_keywords[] = {
{"0SOS1(", 'F'},
{"0SOS1F", 'F'},
{"0SOS1N", 'F'},
- {"0SOS1O", 'F'},
{"0SOS1S", 'F'},
{"0SOS1U", 'F'},
{"0SOS1V", 'F'},
@@ -6293,6 +6516,14 @@ static const keyword_t sql_keywords[] = {
{"0SOSKS", 'F'},
{"0SOSKU", 'F'},
{"0SOSKV", 'F'},
+ {"0SOST(", 'F'},
+ {"0SOST1", 'F'},
+ {"0SOSTE", 'F'},
+ {"0SOSTF", 'F'},
+ {"0SOSTN", 'F'},
+ {"0SOSTS", 'F'},
+ {"0SOSTT", 'F'},
+ {"0SOSTV", 'F'},
{"0SOSU", 'F'},
{"0SOSU(", 'F'},
{"0SOSU1", 'F'},
@@ -6301,7 +6532,6 @@ static const keyword_t sql_keywords[] = {
{"0SOSUE", 'F'},
{"0SOSUF", 'F'},
{"0SOSUK", 'F'},
- {"0SOSUN", 'F'},
{"0SOSUO", 'F'},
{"0SOSUS", 'F'},
{"0SOSUT", 'F'},
@@ -6332,6 +6562,7 @@ static const keyword_t sql_keywords[] = {
{"0SOV)B", 'F'},
{"0SOV)C", 'F'},
{"0SOV)E", 'F'},
+ {"0SOV)F", 'F'},
{"0SOV)K", 'F'},
{"0SOV)O", 'F'},
{"0SOV)U", 'F'},
@@ -6385,6 +6616,14 @@ static const keyword_t sql_keywords[] = {
{"0SOVSO", 'F'},
{"0SOVSU", 'F'},
{"0SOVSV", 'F'},
+ {"0SOVT(", 'F'},
+ {"0SOVT1", 'F'},
+ {"0SOVTE", 'F'},
+ {"0SOVTF", 'F'},
+ {"0SOVTN", 'F'},
+ {"0SOVTS", 'F'},
+ {"0SOVTT", 'F'},
+ {"0SOVTV", 'F'},
{"0SOVU", 'F'},
{"0SOVU(", 'F'},
{"0SOVU1", 'F'},
@@ -6393,11 +6632,100 @@ static const keyword_t sql_keywords[] = {
{"0SOVUE", 'F'},
{"0SOVUF", 'F'},
{"0SOVUK", 'F'},
- {"0SOVUN", 'F'},
{"0SOVUO", 'F'},
{"0SOVUS", 'F'},
{"0SOVUT", 'F'},
{"0SOVUV", 'F'},
+ {"0ST(1)", 'F'},
+ {"0ST(1O", 'F'},
+ {"0ST(F(", 'F'},
+ {"0ST(N)", 'F'},
+ {"0ST(NO", 'F'},
+ {"0ST(S)", 'F'},
+ {"0ST(SO", 'F'},
+ {"0ST(V)", 'F'},
+ {"0ST(VO", 'F'},
+ {"0ST1(F", 'F'},
+ {"0ST1O(", 'F'},
+ {"0ST1OF", 'F'},
+ {"0ST1OS", 'F'},
+ {"0ST1OV", 'F'},
+ {"0STE(1", 'F'},
+ {"0STE(F", 'F'},
+ {"0STE(N", 'F'},
+ {"0STE(S", 'F'},
+ {"0STE(V", 'F'},
+ {"0STE1N", 'F'},
+ {"0STE1O", 'F'},
+ {"0STEF(", 'F'},
+ {"0STEK(", 'F'},
+ {"0STEK1", 'F'},
+ {"0STEKF", 'F'},
+ {"0STEKN", 'F'},
+ {"0STEKS", 'F'},
+ {"0STEKV", 'F'},
+ {"0STENN", 'F'},
+ {"0STENO", 'F'},
+ {"0STESN", 'F'},
+ {"0STESO", 'F'},
+ {"0STEVN", 'F'},
+ {"0STEVO", 'F'},
+ {"0STF()", 'F'},
+ {"0STF(1", 'F'},
+ {"0STF(F", 'F'},
+ {"0STF(N", 'F'},
+ {"0STF(S", 'F'},
+ {"0STF(V", 'F'},
+ {"0STN(1", 'F'},
+ {"0STN(F", 'F'},
+ {"0STN(S", 'F'},
+ {"0STN(V", 'F'},
+ {"0STN1C", 'F'},
+ {"0STN1O", 'F'},
+ {"0STN;E", 'F'},
+ {"0STN;N", 'F'},
+ {"0STN;T", 'F'},
+ {"0STNE(", 'F'},
+ {"0STNE1", 'F'},
+ {"0STNEF", 'F'},
+ {"0STNEN", 'F'},
+ {"0STNES", 'F'},
+ {"0STNEV", 'F'},
+ {"0STNF(", 'F'},
+ {"0STNKN", 'F'},
+ {"0STNN:", 'F'},
+ {"0STNNC", 'F'},
+ {"0STNNO", 'F'},
+ {"0STNO(", 'F'},
+ {"0STNOF", 'F'},
+ {"0STNOS", 'F'},
+ {"0STNOV", 'F'},
+ {"0STNSC", 'F'},
+ {"0STNSO", 'F'},
+ {"0STNT(", 'F'},
+ {"0STNT1", 'F'},
+ {"0STNTF", 'F'},
+ {"0STNTN", 'F'},
+ {"0STNTS", 'F'},
+ {"0STNTV", 'F'},
+ {"0STNVC", 'F'},
+ {"0STNVO", 'F'},
+ {"0STS(F", 'F'},
+ {"0STSO(", 'F'},
+ {"0STSO1", 'F'},
+ {"0STSOF", 'F'},
+ {"0STSON", 'F'},
+ {"0STSOS", 'F'},
+ {"0STSOV", 'F'},
+ {"0STTNE", 'F'},
+ {"0STTNK", 'F'},
+ {"0STTNN", 'F'},
+ {"0STTNT", 'F'},
+ {"0STV(1", 'F'},
+ {"0STV(F", 'F'},
+ {"0STVO(", 'F'},
+ {"0STVOF", 'F'},
+ {"0STVOS", 'F'},
{"0SU(1)", 'F'},
{"0SU(1O", 'F'},
{"0SU(E(", 'F'},
@@ -6481,7 +6809,6 @@ static const keyword_t sql_keywords[] = {
{"0SUENU", 'F'},
{"0SUEOK", 'F'},
{"0SUEON", 'F'},
- {"0SUEOO", 'F'},
{"0SUES", 'F'},
{"0SUES&", 'F'},
{"0SUES(", 'F'},
@@ -6517,30 +6844,6 @@ static const keyword_t sql_keywords[] = {
{"0SUF(S", 'F'},
{"0SUF(V", 'F'},
{"0SUK(E", 'F'},
- {"0SUN(1", 'F'},
- {"0SUN(F", 'F'},
- {"0SUN(S", 'F'},
- {"0SUN(V", 'F'},
- {"0SUN,(", 'F'},
- {"0SUN,F", 'F'},
- {"0SUN1(", 'F'},
- {"0SUN1,", 'F'},
- {"0SUN1O", 'F'},
- {"0SUNC", 'F'},
- {"0SUNE(", 'F'},
- {"0SUNE1", 'F'},
- {"0SUNEF", 'F'},
- {"0SUNEN", 'F'},
- {"0SUNES", 'F'},
- {"0SUNEV", 'F'},
- {"0SUNF(", 'F'},
- {"0SUNO(", 'F'},
- {"0SUNOF", 'F'},
- {"0SUNOS", 'F'},
- {"0SUNOV", 'F'},
- {"0SUNS(", 'F'},
- {"0SUNS,", 'F'},
- {"0SUNSO", 'F'},
{"0SUO(E", 'F'},
{"0SUON(", 'F'},
{"0SUON1", 'F'},
@@ -6558,7 +6861,9 @@ static const keyword_t sql_keywords[] = {
{"0SUTN(", 'F'},
{"0SUTN1", 'F'},
{"0SUTNF", 'F'},
+ {"0SUTNN", 'F'},
{"0SUTNS", 'F'},
+ {"0SUTNV", 'F'},
{"0SUV,(", 'F'},
{"0SUV,F", 'F'},
{"0SUVC", 'F'},
@@ -6582,7 +6887,6 @@ static const keyword_t sql_keywords[] = {
{"0SVOSF", 'F'},
{"0SVOSU", 'F'},
{"0SVOSV", 'F'},
- {"0SVS", 'F'},
{"0SVS;", 'F'},
{"0SVS;C", 'F'},
{"0SVSC", 'F'},
@@ -6622,16 +6926,19 @@ static const keyword_t sql_keywords[] = {
{"0T(N1)", 'F'},
{"0T(N1O", 'F'},
{"0T(NF(", 'F'},
+ {"0T(NN)", 'F'},
+ {"0T(NNO", 'F'},
{"0T(NO(", 'F'},
{"0T(NOF", 'F'},
{"0T(NOS", 'F'},
{"0T(NOV", 'F'},
{"0T(NS)", 'F'},
{"0T(NSO", 'F'},
+ {"0T(NV)", 'F'},
+ {"0T(NVO", 'F'},
{"0T(S)F", 'F'},
{"0T(S)O", 'F'},
{"0T(S1)", 'F'},
- {"0T(S1O", 'F'},
{"0T(SF(", 'F'},
{"0T(SN)", 'F'},
{"0T(SNO", 'F'},
@@ -6696,6 +7003,12 @@ static const keyword_t sql_keywords[] = {
{"0TNF(N", 'F'},
{"0TNF(S", 'F'},
{"0TNF(V", 'F'},
+ {"0TNN;", 'F'},
+ {"0TNN;C", 'F'},
+ {"0TNNO(", 'F'},
+ {"0TNNOF", 'F'},
+ {"0TNNOS", 'F'},
+ {"0TNNOV", 'F'},
{"0TNO(1", 'F'},
{"0TNO(F", 'F'},
{"0TNO(N", 'F'},
@@ -6714,6 +7027,9 @@ static const keyword_t sql_keywords[] = {
{"0TNSOS", 'F'},
{"0TNSOV", 'F'},
{"0TNV;", 'F'},
+ {"0TNV;C", 'F'},
+ {"0TNVO(", 'F'},
+ {"0TNVOF", 'F'},
{"0TNVOS", 'F'},
{"0TSF(1", 'F'},
{"0TSF(F", 'F'},
@@ -6944,7 +7260,6 @@ static const keyword_t sql_keywords[] = {
{"0V&1KV", 'F'},
{"0V&1O(", 'F'},
{"0V&1OF", 'F'},
- {"0V&1OO", 'F'},
{"0V&1OS", 'F'},
{"0V&1OV", 'F'},
{"0V&1TN", 'F'},
@@ -7005,6 +7320,7 @@ static const keyword_t sql_keywords[] = {
{"0V&K(S", 'F'},
{"0V&K(V", 'F'},
{"0V&K1O", 'F'},
+ {"0V&KC", 'F'},
{"0V&KF(", 'F'},
{"0V&KNK", 'F'},
{"0V&KO(", 'F'},
@@ -7070,7 +7386,6 @@ static const keyword_t sql_keywords[] = {
{"0V&S1", 'F'},
{"0V&S1;", 'F'},
{"0V&S1C", 'F'},
- {"0V&S1O", 'F'},
{"0V&S;", 'F'},
{"0V&S;C", 'F'},
{"0V&S;E", 'F'},
@@ -7095,7 +7410,6 @@ static const keyword_t sql_keywords[] = {
{"0V&SO1", 'F'},
{"0V&SOF", 'F'},
{"0V&SON", 'F'},
- {"0V&SOO", 'F'},
{"0V&SOS", 'F'},
{"0V&SOV", 'F'},
{"0V&STN", 'F'},
@@ -7141,7 +7455,6 @@ static const keyword_t sql_keywords[] = {
{"0V&VKV", 'F'},
{"0V&VO(", 'F'},
{"0V&VOF", 'F'},
- {"0V&VOO", 'F'},
{"0V&VOS", 'F'},
{"0V&VS", 'F'},
{"0V&VS;", 'F'},
@@ -7278,6 +7591,7 @@ static const keyword_t sql_keywords[] = {
{"0V)ESO", 'F'},
{"0V)EVC", 'F'},
{"0V)EVO", 'F'},
+ {"0V)F(F", 'F'},
{"0V)K(1", 'F'},
{"0V)K(F", 'F'},
{"0V)K(N", 'F'},
@@ -7299,6 +7613,7 @@ static const keyword_t sql_keywords[] = {
{"0V)KN&", 'F'},
{"0V)KN;", 'F'},
{"0V)KNB", 'F'},
+ {"0V)KNC", 'F'},
{"0V)KNE", 'F'},
{"0V)KNK", 'F'},
{"0V)KNU", 'F'},
@@ -7426,11 +7741,13 @@ static const keyword_t sql_keywords[] = {
{"0V;EVT", 'F'},
{"0V;N:T", 'F'},
{"0V;T(1", 'F'},
+ {"0V;T(C", 'F'},
{"0V;T(E", 'F'},
{"0V;T(F", 'F'},
{"0V;T(N", 'F'},
{"0V;T(S", 'F'},
{"0V;T(V", 'F'},
+ {"0V;T1(", 'F'},
{"0V;T1,", 'F'},
{"0V;T1;", 'F'},
{"0V;T1C", 'F'},
@@ -7463,6 +7780,7 @@ static const keyword_t sql_keywords[] = {
{"0V;TNT", 'F'},
{"0V;TNV", 'F'},
{"0V;TO(", 'F'},
+ {"0V;TS(", 'F'},
{"0V;TS,", 'F'},
{"0V;TS;", 'F'},
{"0V;TSC", 'F'},
@@ -7470,12 +7788,8 @@ static const keyword_t sql_keywords[] = {
{"0V;TSK", 'F'},
{"0V;TSO", 'F'},
{"0V;TST", 'F'},
- {"0V;TT(", 'F'},
- {"0V;TT1", 'F'},
- {"0V;TTF", 'F'},
{"0V;TTN", 'F'},
- {"0V;TTS", 'F'},
- {"0V;TTV", 'F'},
+ {"0V;TV(", 'F'},
{"0V;TV,", 'F'},
{"0V;TV;", 'F'},
{"0V;TVC", 'F'},
@@ -7517,7 +7831,6 @@ static const keyword_t sql_keywords[] = {
{"0VB(1)", 'F'},
{"0VB(1O", 'F'},
{"0VB(F(", 'F'},
- {"0VB(N)", 'F'},
{"0VB(NO", 'F'},
{"0VB(S)", 'F'},
{"0VB(SO", 'F'},
@@ -7666,11 +7979,18 @@ static const keyword_t sql_keywords[] = {
{"0VE(SO", 'F'},
{"0VE(V)", 'F'},
{"0VE(VO", 'F'},
+ {"0VE1;T", 'F'},
{"0VE1C", 'F'},
{"0VE1O(", 'F'},
{"0VE1OF", 'F'},
{"0VE1OS", 'F'},
{"0VE1OV", 'F'},
+ {"0VE1T(", 'F'},
+ {"0VE1T1", 'F'},
+ {"0VE1TF", 'F'},
+ {"0VE1TN", 'F'},
+ {"0VE1TS", 'F'},
+ {"0VE1TV", 'F'},
{"0VE1UE", 'F'},
{"0VEF()", 'F'},
{"0VEF(1", 'F'},
@@ -7684,35 +8004,50 @@ static const keyword_t sql_keywords[] = {
{"0VEK(N", 'F'},
{"0VEK(S", 'F'},
{"0VEK(V", 'F'},
+ {"0VEK1;", 'F'},
{"0VEK1C", 'F'},
{"0VEK1O", 'F'},
+ {"0VEK1T", 'F'},
{"0VEK1U", 'F'},
{"0VEKF(", 'F'},
+ {"0VEKN;", 'F'},
{"0VEKNC", 'F'},
{"0VEKNE", 'F'},
+ {"0VEKNT", 'F'},
{"0VEKNU", 'F'},
{"0VEKOK", 'F'},
+ {"0VEKS;", 'F'},
{"0VEKSC", 'F'},
{"0VEKSO", 'F'},
+ {"0VEKST", 'F'},
{"0VEKSU", 'F'},
{"0VEKU(", 'F'},
{"0VEKU1", 'F'},
{"0VEKUE", 'F'},
{"0VEKUF", 'F'},
- {"0VEKUN", 'F'},
{"0VEKUS", 'F'},
{"0VEKUV", 'F'},
+ {"0VEKV;", 'F'},
{"0VEKVC", 'F'},
{"0VEKVO", 'F'},
+ {"0VEKVT", 'F'},
{"0VEKVU", 'F'},
+ {"0VEN;T", 'F'},
{"0VENC", 'F'},
{"0VENEN", 'F'},
{"0VENO(", 'F'},
{"0VENOF", 'F'},
{"0VENOS", 'F'},
{"0VENOV", 'F'},
+ {"0VENT(", 'F'},
+ {"0VENT1", 'F'},
+ {"0VENTF", 'F'},
+ {"0VENTN", 'F'},
+ {"0VENTS", 'F'},
+ {"0VENTV", 'F'},
{"0VENUE", 'F'},
{"0VEOKN", 'F'},
+ {"0VES;T", 'F'},
{"0VESC", 'F'},
{"0VESO(", 'F'},
{"0VESO1", 'F'},
@@ -7720,6 +8055,12 @@ static const keyword_t sql_keywords[] = {
{"0VESON", 'F'},
{"0VESOS", 'F'},
{"0VESOV", 'F'},
+ {"0VEST(", 'F'},
+ {"0VEST1", 'F'},
+ {"0VESTF", 'F'},
+ {"0VESTN", 'F'},
+ {"0VESTS", 'F'},
+ {"0VESTV", 'F'},
{"0VESUE", 'F'},
{"0VEU(1", 'F'},
{"0VEU(F", 'F'},
@@ -7732,19 +8073,23 @@ static const keyword_t sql_keywords[] = {
{"0VEUEF", 'F'},
{"0VEUEK", 'F'},
{"0VEUF(", 'F'},
- {"0VEUN,", 'F'},
- {"0VEUNC", 'F'},
- {"0VEUNO", 'F'},
{"0VEUS,", 'F'},
{"0VEUSC", 'F'},
{"0VEUSO", 'F'},
{"0VEUV,", 'F'},
{"0VEUVC", 'F'},
{"0VEUVO", 'F'},
+ {"0VEV;T", 'F'},
{"0VEVC", 'F'},
{"0VEVO(", 'F'},
{"0VEVOF", 'F'},
{"0VEVOS", 'F'},
+ {"0VEVT(", 'F'},
+ {"0VEVT1", 'F'},
+ {"0VEVTF", 'F'},
+ {"0VEVTN", 'F'},
+ {"0VEVTS", 'F'},
+ {"0VEVTV", 'F'},
{"0VEVUE", 'F'},
{"0VF()1", 'F'},
{"0VF()F", 'F'},
@@ -7802,6 +8147,8 @@ static const keyword_t sql_keywords[] = {
{"0VK)EN", 'F'},
{"0VK)ES", 'F'},
{"0VK)EV", 'F'},
+ {"0VK)F(", 'F'},
+ {"0VK)O(", 'F'},
{"0VK)OF", 'F'},
{"0VK)UE", 'F'},
{"0VK1", 'F'},
@@ -7947,6 +8294,7 @@ static const keyword_t sql_keywords[] = {
{"0VO(EF", 'F'},
{"0VO(EK", 'F'},
{"0VO(EN", 'F'},
+ {"0VO(EO", 'F'},
{"0VO(ES", 'F'},
{"0VO(EV", 'F'},
{"0VO(F(", 'F'},
@@ -8012,6 +8360,7 @@ static const keyword_t sql_keywords[] = {
{"0VOS)B", 'F'},
{"0VOS)C", 'F'},
{"0VOS)E", 'F'},
+ {"0VOS)F", 'F'},
{"0VOS)K", 'F'},
{"0VOS)O", 'F'},
{"0VOS)U", 'F'},
@@ -8020,7 +8369,6 @@ static const keyword_t sql_keywords[] = {
{"0VOS1(", 'F'},
{"0VOS1F", 'F'},
{"0VOS1N", 'F'},
- {"0VOS1O", 'F'},
{"0VOS1S", 'F'},
{"0VOS1U", 'F'},
{"0VOS1V", 'F'},
@@ -8061,6 +8409,14 @@ static const keyword_t sql_keywords[] = {
{"0VOSKS", 'F'},
{"0VOSKU", 'F'},
{"0VOSKV", 'F'},
+ {"0VOST(", 'F'},
+ {"0VOST1", 'F'},
+ {"0VOSTE", 'F'},
+ {"0VOSTF", 'F'},
+ {"0VOSTN", 'F'},
+ {"0VOSTS", 'F'},
+ {"0VOSTT", 'F'},
+ {"0VOSTV", 'F'},
{"0VOSU", 'F'},
{"0VOSU(", 'F'},
{"0VOSU1", 'F'},
@@ -8069,7 +8425,6 @@ static const keyword_t sql_keywords[] = {
{"0VOSUE", 'F'},
{"0VOSUF", 'F'},
{"0VOSUK", 'F'},
- {"0VOSUN", 'F'},
{"0VOSUO", 'F'},
{"0VOSUS", 'F'},
{"0VOSUT", 'F'},
@@ -8082,6 +8437,96 @@ static const keyword_t sql_keywords[] = {
{"0VOU(E", 'F'},
{"0VOUEK", 'F'},
{"0VOUEN", 'F'},
+ {"0VT(1)", 'F'},
+ {"0VT(1O", 'F'},
+ {"0VT(F(", 'F'},
+ {"0VT(N)", 'F'},
+ {"0VT(NO", 'F'},
+ {"0VT(S)", 'F'},
+ {"0VT(SO", 'F'},
+ {"0VT(V)", 'F'},
+ {"0VT(VO", 'F'},
+ {"0VT1(F", 'F'},
+ {"0VT1O(", 'F'},
+ {"0VT1OF", 'F'},
+ {"0VT1OS", 'F'},
+ {"0VT1OV", 'F'},
+ {"0VTE(1", 'F'},
+ {"0VTE(F", 'F'},
+ {"0VTE(N", 'F'},
+ {"0VTE(S", 'F'},
+ {"0VTE(V", 'F'},
+ {"0VTE1N", 'F'},
+ {"0VTE1O", 'F'},
+ {"0VTEF(", 'F'},
+ {"0VTEK(", 'F'},
+ {"0VTEK1", 'F'},
+ {"0VTEKF", 'F'},
+ {"0VTEKN", 'F'},
+ {"0VTEKS", 'F'},
+ {"0VTEKV", 'F'},
+ {"0VTENN", 'F'},
+ {"0VTENO", 'F'},
+ {"0VTESN", 'F'},
+ {"0VTESO", 'F'},
+ {"0VTEVN", 'F'},
+ {"0VTEVO", 'F'},
+ {"0VTF()", 'F'},
+ {"0VTF(1", 'F'},
+ {"0VTF(F", 'F'},
+ {"0VTF(N", 'F'},
+ {"0VTF(S", 'F'},
+ {"0VTF(V", 'F'},
+ {"0VTN(1", 'F'},
+ {"0VTN(F", 'F'},
+ {"0VTN(S", 'F'},
+ {"0VTN(V", 'F'},
+ {"0VTN1C", 'F'},
+ {"0VTN1O", 'F'},
+ {"0VTN;E", 'F'},
+ {"0VTN;N", 'F'},
+ {"0VTN;T", 'F'},
+ {"0VTNE(", 'F'},
+ {"0VTNE1", 'F'},
+ {"0VTNEF", 'F'},
+ {"0VTNEN", 'F'},
+ {"0VTNES", 'F'},
+ {"0VTNEV", 'F'},
+ {"0VTNF(", 'F'},
+ {"0VTNKN", 'F'},
+ {"0VTNN:", 'F'},
+ {"0VTNNC", 'F'},
+ {"0VTNNO", 'F'},
+ {"0VTNO(", 'F'},
+ {"0VTNOF", 'F'},
+ {"0VTNOS", 'F'},
+ {"0VTNOV", 'F'},
+ {"0VTNSC", 'F'},
+ {"0VTNSO", 'F'},
+ {"0VTNT(", 'F'},
+ {"0VTNT1", 'F'},
+ {"0VTNTF", 'F'},
+ {"0VTNTN", 'F'},
+ {"0VTNTS", 'F'},
+ {"0VTNTV", 'F'},
+ {"0VTNVC", 'F'},
+ {"0VTNVO", 'F'},
+ {"0VTS(F", 'F'},
+ {"0VTSO(", 'F'},
+ {"0VTSO1", 'F'},
+ {"0VTSOF", 'F'},
+ {"0VTSON", 'F'},
+ {"0VTSOS", 'F'},
+ {"0VTSOV", 'F'},
+ {"0VTTNE", 'F'},
+ {"0VTTNK", 'F'},
+ {"0VTTNN", 'F'},
+ {"0VTTNT", 'F'},
+ {"0VTV(1", 'F'},
+ {"0VTV(F", 'F'},
+ {"0VTVO(", 'F'},
+ {"0VTVOF", 'F'},
+ {"0VTVOS", 'F'},
{"0VU", 'F'},
{"0VU(1)", 'F'},
{"0VU(1O", 'F'},
@@ -8166,7 +8611,6 @@ static const keyword_t sql_keywords[] = {
{"0VUENU", 'F'},
{"0VUEOK", 'F'},
{"0VUEON", 'F'},
- {"0VUEOO", 'F'},
{"0VUES", 'F'},
{"0VUES&", 'F'},
{"0VUES(", 'F'},
@@ -8202,30 +8646,6 @@ static const keyword_t sql_keywords[] = {
{"0VUF(S", 'F'},
{"0VUF(V", 'F'},
{"0VUK(E", 'F'},
- {"0VUN(1", 'F'},
- {"0VUN(F", 'F'},
- {"0VUN(S", 'F'},
- {"0VUN(V", 'F'},
- {"0VUN,(", 'F'},
- {"0VUN,F", 'F'},
- {"0VUN1(", 'F'},
- {"0VUN1,", 'F'},
- {"0VUN1O", 'F'},
- {"0VUNC", 'F'},
- {"0VUNE(", 'F'},
- {"0VUNE1", 'F'},
- {"0VUNEF", 'F'},
- {"0VUNEN", 'F'},
- {"0VUNES", 'F'},
- {"0VUNEV", 'F'},
- {"0VUNF(", 'F'},
- {"0VUNO(", 'F'},
- {"0VUNOF", 'F'},
- {"0VUNOS", 'F'},
- {"0VUNOV", 'F'},
- {"0VUNS(", 'F'},
- {"0VUNS,", 'F'},
- {"0VUNSO", 'F'},
{"0VUO(E", 'F'},
{"0VUON(", 'F'},
{"0VUON1", 'F'},
@@ -8243,7 +8663,9 @@ static const keyword_t sql_keywords[] = {
{"0VUTN(", 'F'},
{"0VUTN1", 'F'},
{"0VUTNF", 'F'},
+ {"0VUTNN", 'F'},
{"0VUTNS", 'F'},
+ {"0VUTNV", 'F'},
{"0VUV,(", 'F'},
{"0VUV,F", 'F'},
{"0VUVC", 'F'},
@@ -8264,7 +8686,6 @@ static const keyword_t sql_keywords[] = {
{"ABS", 'f'},
{"ACCESSIBLE", 'k'},
{"ACOS", 'f'},
- {"ADD", 'k'},
{"ADDDATE", 'f'},
{"ADDTIME", 'f'},
{"AES_DECRYPT", 'f'},
@@ -8310,6 +8731,10 @@ static const keyword_t sql_keywords[] = {
{"AVG", 'f'},
{"BEFORE", 'k'},
{"BEGIN", 'T'},
+ {"BEGIN DECLARE", 'T'},
+ {"BEGIN GOTO", 'T'},
+ {"BEGIN TRY", 'T'},
+ {"BEGIN TRY DECLARE", 'T'},
{"BENCHMARK", 'f'},
{"BETWEEN", 'o'},
{"BIGINT", 't'},
@@ -8361,7 +8786,7 @@ static const keyword_t sql_keywords[] = {
{"CHAR_LENGTH", 'f'},
{"CHDIR", 'f'},
{"CHDRIVE", 'f'},
- {"CHECK", 'k'},
+ {"CHECK", 'n'},
{"CHECKSUM_AGG", 'f'},
{"CHOOSE", 'f'},
{"CHR", 'f'},
@@ -8466,6 +8891,7 @@ static const keyword_t sql_keywords[] = {
{"DAY_SECOND", 'k'},
{"DBMS_LOCK.SLEEP", 'f'},
{"DBMS_PIPE.RECEIVE_MESSAGE", 'f'},
+ {"DBMS_UTILITY.SQLID_TO_SQLHASH", 'f'},
{"DB_ID", 'f'},
{"DB_NAME", 'f'},
{"DCOUNT", 'f'},
@@ -8544,6 +8970,8 @@ static const keyword_t sql_keywords[] = {
{"FILEGROUP_NAME", 'f'},
{"FILELEN", 'f'},
{"FILEPROPERTY", 'f'},
+ {"FILETOBLOB", 'f'},
+ {"FILETOCLOB", 'f'},
{"FILE_ID", 'f'},
{"FILE_IDEX", 'f'},
{"FILE_NAME", 'f'},
@@ -8611,7 +9039,7 @@ static const keyword_t sql_keywords[] = {
{"IDENT_SEED", 'f'},
{"IF", 'f'},
{"IF EXISTS", 'f'},
- {"IF NOT", 'n'},
+ {"IF NOT", 'f'},
{"IF NOT EXISTS", 'f'},
{"IFF", 'f'},
{"IFNULL", 'f'},
@@ -8676,6 +9104,7 @@ static const keyword_t sql_keywords[] = {
{"IS_USED_LOCK", 'f'},
{"ITERATE", 'k'},
{"JOIN", 'k'},
+ {"JSON_KEYS", 'f'},
{"JULIANDAY", 'f'},
{"JUSTIFY_DAYS", 'f'},
{"JUSTIFY_HOURS", 'f'},
@@ -8694,7 +9123,7 @@ static const keyword_t sql_keywords[] = {
{"LEADING", 'k'},
{"LEAST", 'f'},
{"LEAVE", 'k'},
- {"LEFT", 'n'},
+ {"LEFT", 'f'},
{"LEFT JOIN", 'k'},
{"LEFT OUTER", 'k'},
{"LEFT OUTER JOIN", 'k'},
@@ -8818,7 +9247,7 @@ static const keyword_t sql_keywords[] = {
{"ORDER BY", 'B'},
{"ORIGINAL_DB_NAME", 'f'},
{"ORIGINAL_LOGIN", 'f'},
- {"OUT", 'k'},
+ {"OUT", 'n'},
{"OUTER", 'n'},
{"OUTFILE", 'k'},
{"OVERLAPS", 'f'},
@@ -8987,6 +9416,7 @@ static const keyword_t sql_keywords[] = {
{"SPLIT_PART", 'f'},
{"SQL", 'k'},
{"SQLEXCEPTION", 'k'},
+ {"SQLITE_VERSION", 'f'},
{"SQLSTATE", 'k'},
{"SQLWARNING", 'k'},
{"SQL_BIG_RESULT", 'k'},
@@ -9037,7 +9467,7 @@ static const keyword_t sql_keywords[] = {
{"SYSTEM_USER", 'f'},
{"SYSUSERS", 'k'},
{"SYSUTCDATETME", 'f'},
- {"TABLE", 'k'},
+ {"TABLE", 'n'},
{"TAN", 'f'},
{"TERMINATED", 'k'},
{"TERTIARY_WEIGHTS", 'f'},
@@ -9081,6 +9511,7 @@ static const keyword_t sql_keywords[] = {
{"TRUE", '1'},
{"TRUNC", 'f'},
{"TRUNCATE", 'f'},
+ {"TRY", 'T'},
{"TRY_CAST", 'f'},
{"TRY_CONVERT", 'f'},
{"TRY_PARSE", 'f'},
@@ -9217,5 +9648,5 @@ static const keyword_t sql_keywords[] = {
{"||", '&'},
{"~*", 'o'},
};
-static const size_t sql_keywords_sz = 9049;
+static const size_t sql_keywords_sz = 9352;
#endif
diff --git a/apache2/libinjection/libinjection_xss.c b/apache2/libinjection/libinjection_xss.c
index 2807c22f08..f0df4d84ac 100644
--- a/apache2/libinjection/libinjection_xss.c
+++ b/apache2/libinjection/libinjection_xss.c
@@ -6,13 +6,6 @@
#include <assert.h>
#include <stdio.h>
-#ifndef DEBUG
-#include <stdio.h>
-#define TRACE() printf("%s:%d\n", __FUNCTION__, __LINE__)
-#else
-#define TRACE()
-#endif
-
typedef enum attribute {
TYPE_NONE
, TYPE_BLACK /* ban always */
@@ -37,109 +30,109 @@ typedef struct stringtype {
static const int gsHexDecodeMap[256] = {
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 256, 256,
- 256, 256, 256, 256, 256, 10, 11, 12, 13, 14, 15, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 10, 11, 12, 13, 14, 15, 256, 256, 256, 256, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
- 256, 256, 256, 256
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 256, 256,
+ 256, 256, 256, 256, 256, 10, 11, 12, 13, 14, 15, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 10, 11, 12, 13, 14, 15, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256
};
static int html_decode_char_at(const char* src, size_t len, size_t* consumed)
{
- int val = 0;
- size_t i;
- int ch;
-
- if (len == 0 || src == NULL) {
- *consumed = 0;
- return -1;
- }
-
- *consumed = 1;
- if (*src != '&' || len < 2) {
- return (unsigned char)(*src);
- }
-
-
- if (*(src+1) != '#') {
- /* normally this would be for named entities
- * but for this case we don't actually care
- */
- return '&';
- }
-
- if (*(src+2) == 'x' || *(src+2) == 'X') {
- ch = (unsigned char) (*(src+3));
- ch = gsHexDecodeMap[ch];
- if (ch == 256) {
- /* degenerate case '&#[?]' */
- return '&';
+ int val = 0;
+ size_t i;
+ int ch;
+
+ if (len == 0 || src == NULL) {
+ *consumed = 0;
+ return -1;
}
- val = ch;
- i = 4;
- while (i < len) {
- ch = (unsigned char) src[i];
- if (ch == ';') {
- *consumed = i + 1;
- return val;
- }
- ch = gsHexDecodeMap[ch];
- if (ch == 256) {
- *consumed = i;
- return val;
- }
- val = (val * 16) + ch;
- if (val > 0x1000FF) {
- return '&';
- }
- ++i;
+
+ *consumed = 1;
+ if (*src != '&' || len < 2) {
+ return (unsigned char)(*src);
}
- *consumed = i;
- return val;
- } else {
- i = 2;
- ch = (unsigned char) src[i];
- if (ch < '0' || ch > '9') {
- return '&';
+
+
+ if (*(src+1) != '#') {
+ /* normally this would be for named entities
+ * but for this case we don't actually care
+ */
+ return '&';
}
- val = ch - '0';
- i += 1;
- while (i < len) {
- ch = (unsigned char) src[i];
- if (ch == ';') {
- *consumed = i + 1;
- return val;
- }
- if (ch < '0' || ch > '9') {
- *consumed = i;
- return val;
- }
- val = (val * 10) + (ch - '0');
- if (val > 0x1000FF) {
- return '&';
- }
- ++i;
+
+ if (*(src+2) == 'x' || *(src+2) == 'X') {
+ ch = (unsigned char) (*(src+3));
+ ch = gsHexDecodeMap[ch];
+ if (ch == 256) {
+ /* degenerate case '&#[?]' */
+ return '&';
+ }
+ val = ch;
+ i = 4;
+ while (i < len) {
+ ch = (unsigned char) src[i];
+ if (ch == ';') {
+ *consumed = i + 1;
+ return val;
+ }
+ ch = gsHexDecodeMap[ch];
+ if (ch == 256) {
+ *consumed = i;
+ return val;
+ }
+ val = (val * 16) + ch;
+ if (val > 0x1000FF) {
+ return '&';
+ }
+ ++i;
+ }
+ *consumed = i;
+ return val;
+ } else {
+ i = 2;
+ ch = (unsigned char) src[i];
+ if (ch < '0' || ch > '9') {
+ return '&';
+ }
+ val = ch - '0';
+ i += 1;
+ while (i < len) {
+ ch = (unsigned char) src[i];
+ if (ch == ';') {
+ *consumed = i + 1;
+ return val;
+ }
+ if (ch < '0' || ch > '9') {
+ *consumed = i;
+ return val;
+ }
+ val = (val * 10) + (ch - '0');
+ if (val > 0x1000FF) {
+ return '&';
+ }
+ ++i;
+ }
+ *consumed = i;
+ return val;
}
- *consumed = i;
- return val;
- }
}
@@ -157,7 +150,7 @@ static stringtype_t BLACKATTR[] = {
, { "DATASRC", TYPE_BLACK } /* IE */
, { "DYNSRC", TYPE_ATTR_URL } /* Obsolete img attribute */
, { "FILTER", TYPE_STYLE } /* Opera, SVG inline style */
- , { "FORMACTION", TYPE_ATTR_URL } /* HTML5 */
+ , { "FORMACTION", TYPE_ATTR_URL } /* HTML 5 */
, { "FOLDER", TYPE_ATTR_URL } /* Only on A tags, IE-only */
, { "FROM", TYPE_ATTR_URL } /* SVG */
, { "HANDLER", TYPE_ATTR_URL } /* SVG Tiny, Opera */
@@ -173,20 +166,20 @@ static stringtype_t BLACKATTR[] = {
};
/* xmlns */
-/* xml-stylesheet > <eval>, <if expr=> */
+/* `xml-stylesheet` > <eval>, <if expr=> */
/*
-static const char* BLACKATTR[] = {
- "ATTRIBUTENAME",
- "BACKGROUND",
- "DATAFORMATAS",
- "HREF",
- "SCROLL",
- "SRC",
- "STYLE",
- "SRCDOC",
- NULL
-};
+ static const char* BLACKATTR[] = {
+ "ATTRIBUTENAME",
+ "BACKGROUND",
+ "DATAFORMATAS",
+ "HREF",
+ "SCROLL",
+ "SRC",
+ "STYLE",
+ "SRCDOC",
+ NULL
+ };
*/
static const char* BLACKTAG[] = {
@@ -220,36 +213,36 @@ static const char* BLACKTAG[] = {
static int cstrcasecmp_with_null(const char *a, const char *b, size_t n)
{
- char ca;
- char cb;
- /* printf("Comparing to %s %.*s\n", a, (int)n, b); */
- while (n-- > 0) {
- cb = *b++;
- if (cb == '\0') continue;
+ char ca;
+ char cb;
+ /* printf("Comparing to %s %.*s\n", a, (int)n, b); */
+ while (n-- > 0) {
+ cb = *b++;
+ if (cb == '\0') continue;
- ca = *a++;
+ ca = *a++;
- if (cb >= 'a' && cb <= 'z') {
- cb -= 0x20;
- }
- /* printf("Comparing %c vs %c with %d left\n", ca, cb, (int)n); */
- if (ca != cb) {
- return 1;
+ if (cb >= 'a' && cb <= 'z') {
+ cb -= 0x20;
+ }
+ /* printf("Comparing %c vs %c with %d left\n", ca, cb, (int)n); */
+ if (ca != cb) {
+ return 1;
+ }
}
- }
- if (*a == 0) {
- /* printf(" MATCH \n"); */
- return 0;
- } else {
- return 1;
- }
+ if (*a == 0) {
+ /* printf(" MATCH \n"); */
+ return 0;
+ } else {
+ return 1;
+ }
}
/*
- * Does an HTML encoded binary string (const char*, lenght) start with
- * a all uppercase c-string (null terminated), case insenstive!
- *
+ * Does an HTML encoded binary string (const char*, length) start with
+ * a all uppercase c-string (null terminated), case insensitive!
+ *
* also ignore any embedded nulls in the HTML string!
*
* return 1 if match / starts with
@@ -257,47 +250,47 @@ static int cstrcasecmp_with_null(const char *a, const char *b, size_t n)
*/
static int htmlencode_startswith(const char *a, const char *b, size_t n)
{
- size_t consumed;
- int cb;
- int first = 1;
- /* printf("Comparing %s with %.*s\n", a,(int)n,b); */
+ size_t consumed;
+ int cb;
+ int first = 1;
+ /* printf("Comparing %s with %.*s\n", a,(int)n,b); */
while (n > 0) {
- if (*a == 0) {
- /* printf("Match EOL!\n"); */
- return 1;
- }
- cb = html_decode_char_at(b, n, &consumed);
- b += consumed;
- n -= consumed;
-
- if (first && cb <= 32) {
- /* ignore all leading whitespace and control characters */
- continue;
- }
- first = 0;
+ if (*a == 0) {
+ /* printf("Match EOL!\n"); */
+ return 1;
+ }
+ cb = html_decode_char_at(b, n, &consumed);
+ b += consumed;
+ n -= consumed;
+
+ if (first && cb <= 32) {
+ /* ignore all leading whitespace and control characters */
+ continue;
+ }
+ first = 0;
if (cb == 0) {
- /* always ignore null characters in user input */
- continue;
- }
+ /* always ignore null characters in user input */
+ continue;
+ }
if (cb == 10) {
- /* always ignore vtab characters in user input */
- /* who allows this?? */
- continue;
- }
+ /* always ignore vertical tab characters in user input */
+ /* who allows this?? */
+ continue;
+ }
if (cb >= 'a' && cb <= 'z') {
- /* upcase */
+ /* upcase */
cb -= 0x20;
}
if (*a != (char) cb) {
- /* printf(" %c != %c\n", *a, cb); */
- /* mismatch */
- return 0;
+ /* printf(" %c != %c\n", *a, cb); */
+ /* mismatch */
+ return 0;
}
- a++;
+ a++;
}
return (*a == 0) ? 1 : 0;
@@ -313,8 +306,8 @@ static int is_black_tag(const char* s, size_t len)
black = BLACKTAG;
while (*black != NULL) {
- if (cstrcasecmp_with_null(*black, s, len) == 0) {
- /* printf("Got black tag %s\n", *black); */
+ if (cstrcasecmp_with_null(*black, s, len) == 0) {
+ /* printf("Got black tag %s\n", *black); */
return 1;
}
black += 1;
@@ -324,7 +317,7 @@ static int is_black_tag(const char* s, size_t len)
if ((s[0] == 's' || s[0] == 'S') &&
(s[1] == 'v' || s[1] == 'V') &&
(s[2] == 'g' || s[2] == 'G')) {
- /* printf("Got SVG tag \n"); */
+ /* printf("Got SVG tag \n"); */
return 1;
}
@@ -332,7 +325,7 @@ static int is_black_tag(const char* s, size_t len)
if ((s[0] == 'x' || s[0] == 'X') &&
(s[1] == 's' || s[1] == 'S') &&
(s[2] == 'l' || s[2] == 'L')) {
- /* printf("Got XSL tag\n"); */
+ /* printf("Got XSL tag\n"); */
return 1;
}
@@ -347,17 +340,18 @@ static attribute_t is_black_attr(const char* s, size_t len)
return TYPE_NONE;
}
- /* javascript on.* */
- if ((s[0] == 'o' || s[0] == 'O') && (s[1] == 'n' || s[1] == 'N')) {
- /* printf("Got javascript on- attribute name\n"); */
- return TYPE_BLACK;
- }
+ if (len >= 5) {
+ /* JavaScript on.* */
+ if ((s[0] == 'o' || s[0] == 'O') && (s[1] == 'n' || s[1] == 'N')) {
+ /* printf("Got JavaScript on- attribute name\n"); */
+ return TYPE_BLACK;
+ }
+
- if (len >= 5) {
/* XMLNS can be used to create arbitrary tags */
if (cstrcasecmp_with_null("XMLNS", s, 5) == 0 || cstrcasecmp_with_null("XLINK", s, 5) == 0) {
- /* printf("Got XMLNS and XLINK tags\n"); */
+ /* printf("Got XMLNS and XLINK tags\n"); */
return TYPE_BLACK;
}
}
@@ -365,7 +359,7 @@ static attribute_t is_black_attr(const char* s, size_t len)
black = BLACKATTR;
while (black->name != NULL) {
if (cstrcasecmp_with_null(black->name, s, len) == 0) {
- /* printf("Got banned attribute name %s\n", black->name); */
+ /* printf("Got banned attribute name %s\n", black->name); */
return black->atype;
}
black += 1;
@@ -387,20 +381,18 @@ static int is_black_url(const char* s, size_t len)
static const char* javascript_url = "JAVA";
/* skip whitespace */
- while (len > 0) {
+ while (len > 0 && (*s <= 32 || *s >= 127)) {
/*
* HEY: this is a signed character.
* We are intentionally skipping high-bit characters too
- * since they are not ascii, and Opera sometimes uses UTF8 whitespace
+ * since they are not ASCII, and Opera sometimes uses UTF-8 whitespace.
+ *
+ * Also in EUC-JP some of the high bytes are just ignored.
*/
- if (*s <= 32) {
- ++s;
- --len;
- }
- break;
+ ++s;
+ --len;
}
-
if (htmlencode_startswith(data_url, s, len)) {
return 1;
}
@@ -442,16 +434,16 @@ int libinjection_is_xss(const char* s, size_t len, int flags)
/*
* IE6,7,8 parsing works a bit differently so
* a whole <script> or other black tag might be hiding
- * inside an attribute value under HTML5 parsing
+ * inside an attribute value under HTML 5 parsing
* See http://html5sec.org/#102
* to avoid doing a full reparse of the value, just
* look for "<". This probably need adjusting to
* handle escaped characters
*/
/*
- if (memchr(h5.token_start, '<', h5.token_len) != NULL) {
- return 1;
- }
+ if (memchr(h5.token_start, '<', h5.token_len) != NULL) {
+ return 1;
+ }
*/
switch (attr) {
@@ -473,13 +465,13 @@ int libinjection_is_xss(const char* s, size_t len, int flags)
}
break;
/*
- default:
- assert(0);
+ default:
+ assert(0);
*/
}
attr = TYPE_NONE;
} else if (h5.token_type == TAG_COMMENT) {
- /* IE uses a "`" as a tag ending char */
+ /* IE uses a "`" as a tag ending char */
if (memchr(h5.token_start, '`', h5.token_len) != NULL) {
return 1;
}
@@ -491,7 +483,7 @@ int libinjection_is_xss(const char* s, size_t len, int flags)
(h5.token_start[2] == 'f' || h5.token_start[2] == 'F')) {
return 1;
}
- if ((h5.token_start[0] == 'x' || h5.token_start[1] == 'X') &&
+ if ((h5.token_start[0] == 'x' || h5.token_start[0] == 'X') &&
(h5.token_start[1] == 'm' || h5.token_start[1] == 'M') &&
(h5.token_start[2] == 'l' || h5.token_start[2] == 'L')) {
return 1;
@@ -499,7 +491,7 @@ int libinjection_is_xss(const char* s, size_t len, int flags)
}
if (h5.token_len > 5) {
- /* IE <?import pseudo-tag */
+ /* IE <?import pseudo-tag */
if (cstrcasecmp_with_null("IMPORT", h5.token_start, 6) == 0) {
return 1;
}
@@ -519,22 +511,22 @@ int libinjection_is_xss(const char* s, size_t len, int flags)
* wrapper
*/
int libinjection_xss(const char* s, size_t len)
-{
- if (libinjection_is_xss(s, len, DATA_STATE)) {
- return 1;
- }
- if (libinjection_is_xss(s, len, VALUE_NO_QUOTE)) {
- return 1;
- }
- if (libinjection_is_xss(s, len, VALUE_SINGLE_QUOTE)) {
- return 1;
- }
- if (libinjection_is_xss(s, len, VALUE_DOUBLE_QUOTE)) {
- return 1;
- }
- if (libinjection_is_xss(s, len, VALUE_BACK_QUOTE)) {
- return 1;
- }
-
- return 0;
+{
+ if (libinjection_is_xss(s, len, DATA_STATE)) {
+ return 1;
+ }
+ if (libinjection_is_xss(s, len, VALUE_NO_QUOTE)) {
+ return 1;
+ }
+ if (libinjection_is_xss(s, len, VALUE_SINGLE_QUOTE)) {
+ return 1;
+ }
+ if (libinjection_is_xss(s, len, VALUE_DOUBLE_QUOTE)) {
+ return 1;
+ }
+ if (libinjection_is_xss(s, len, VALUE_BACK_QUOTE)) {
+ return 1;
+ }
+
+ return 0;
}
diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
index 519f2cc8db..1850191eb7 100644
--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -46,6 +46,10 @@
#include <yajl/yajl_version.h>
#endif /* WITH_YAJL */
+#ifdef APLOG_USE_MODULE
+ APLOG_USE_MODULE(security2);
+#endif
+
/* ModSecurity structure */
msc_engine DSOLOCAL *modsecurity = NULL;
@@ -92,11 +96,6 @@ int (*modsecDropAction)(request_rec *r) = NULL;
#endif
static int server_limit, thread_limit;
-typedef struct {
- int child_num;
- int thread_num;
-} sb_handle;
-
/* -- Miscellaneous functions -- */
/**
@@ -104,39 +103,52 @@ typedef struct {
*
* \param mp Pointer to memory pool
*/
-static void version(apr_pool_t *mp) {
+static void version(apr_pool_t *mp, server_rec* s) {
char *pcre_vrs = NULL;
+ const char *pcre_loaded_vrs = NULL;
+ char pcre2_loaded_vrs_buffer[80] ={0};
- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
"ModSecurity: APR compiled version=\"%s\"; "
"loaded version=\"%s\"", APR_VERSION_STRING, apr_version_string());
if (strstr(apr_version_string(), APR_VERSION_STRING) == NULL) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "ModSecurity: Loaded APR do not match with compiled!");
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "ModSecurity: Loaded APR do not match with compiled!");
}
+#ifdef WITH_PCRE2
+ pcre_vrs = apr_psprintf(mp,"%d.%d ", PCRE2_MAJOR, PCRE2_MINOR);
+ pcre_loaded_vrs = pcre2_loaded_vrs_buffer;
+ pcre2_config(PCRE2_CONFIG_VERSION, pcre2_loaded_vrs_buffer);
+#else
pcre_vrs = apr_psprintf(mp,"%d.%d ", PCRE_MAJOR, PCRE_MINOR);
+ pcre_loaded_vrs = pcre_version();
+#endif
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+#ifdef WITH_PCRE2
+ "ModSecurity: PCRE2 compiled version=\"%s\"; "
+#else
"ModSecurity: PCRE compiled version=\"%s\"; "
- "loaded version=\"%s\"", pcre_vrs, pcre_version());
+#endif
+ "loaded version=\"%s\"", pcre_vrs, pcre_loaded_vrs);
- if (strstr(pcre_version(),pcre_vrs) == NULL) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "ModSecurity: Loaded PCRE do not match with compiled!");
+ if (strstr(pcre_loaded_vrs,pcre_vrs) == NULL) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "ModSecurity: Loaded PCRE do not match with compiled!");
}
/* Lua version function was removed in current 5.1. Need to check in future versions if it's back */
#if defined(WITH_LUA)
- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
"ModSecurity: LUA compiled version=\"%s\"", LUA_VERSION);
#endif /* WITH_LUA */
#ifdef WITH_YAJL
- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
"ModSecurity: YAJL compiled version=\"%d.%d.%d\"", YAJL_MAJOR, YAJL_MINOR, YAJL_MICRO);
#endif /* WITH_YAJL */
- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
"ModSecurity: LIBXML compiled version=\"%s\"", LIBXML_DOTTED_VERSION);
}
@@ -266,9 +278,22 @@ int perform_interception(modsec_rec *msr) {
#if !defined(WIN32) && !defined(VERSION_NGINX)
{
extern module core_module;
- apr_socket_t *csd = ap_get_module_config(msr->r->connection->conn_config,
- &core_module);
-
+ apr_socket_t *csd;
+
+#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2 && AP_SERVER_PATCHLEVEL_NUMBER > 17
+ /* For mod_http2 used by HTTP/2 there is a virtual connection so must go through
+ * master to get the main connection or the drop request doesn't seem to do anything.
+ * For HTTP/1.1 master will not be defined so just go through normal connection.
+ * More details here: https://github.com/icing/mod_h2/issues/127
+ */
+ if (msr->r->connection->master) {
+ csd = ap_get_module_config(msr->r->connection->master->conn_config, &core_module);
+ } else {
+ csd = ap_get_module_config(msr->r->connection->conn_config, &core_module);
+ }
+#else
+ csd = ap_get_module_config(msr->r->connection->conn_config, &core_module);
+#endif
if (csd) {
if (apr_socket_close(csd) == APR_SUCCESS) {
status = HTTP_FORBIDDEN;
@@ -450,6 +475,8 @@ static modsec_rec *retrieve_tx_context(request_rec *r) {
* phases, redirections, or subrequests.
*/
static void store_tx_context(modsec_rec *msr, request_rec *r) {
+ assert(msr != NULL);
+ assert(r != NULL);
apr_table_setn(r->notes, NOTE_MSR, (void *)msr);
}
@@ -466,7 +493,10 @@ static modsec_rec *create_tx_context(request_rec *r) {
apr_allocator_create(&allocator);
apr_allocator_max_free_set(allocator, 1024);
apr_pool_create_ex(&msr->mp, r->pool, NULL, allocator);
- if (msr->mp == NULL) return NULL;
+ if (msr->mp == NULL) {
+ apr_allocator_destroy(allocator);
+ return NULL;
+ }
apr_allocator_owner_set(allocator, msr->mp);
msr->modsecurity = modsecurity;
@@ -691,6 +721,11 @@ static int hook_post_config(apr_pool_t *mp, apr_pool_t *mp_log, apr_pool_t *mp_t
change_server_signature(s);
}
+ /* For connection level hook */
+ ap_mpm_query(AP_MPMQ_HARD_LIMIT_THREADS, &thread_limit);
+ ap_mpm_query(AP_MPMQ_HARD_LIMIT_DAEMONS, &server_limit);
+
+
#if (!(defined(WIN32) || defined(NETWARE)))
/* Internal chroot functionality */
@@ -743,7 +778,7 @@ static int hook_post_config(apr_pool_t *mp, apr_pool_t *mp_log, apr_pool_t *mp_t
ap_log_error(APLOG_MARK, APLOG_NOTICE | APLOG_NOERRNO, 0, s,
"%s configured.", MODSEC_MODULE_NAME_FULL);
- version(mp);
+ version(mp, s);
/* If we've changed the server signature make note of the original. */
if (new_server_signature != NULL) {
@@ -833,6 +868,9 @@ static int hook_request_early(request_rec *r) {
*/
msr = create_tx_context(r);
if (msr == NULL) return DECLINED;
+ if (msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "Context created after request failure.");
+ }
#ifdef REQUEST_EARLY
@@ -994,7 +1032,7 @@ static int hook_request_late(request_rec *r) {
}
rc = read_request_body(msr, &my_error_msg);
- if (rc < 0) {
+ if (rc < 0 && msr->txcfg->is_enabled == MODSEC_ENABLED) {
switch(rc) {
case -1 :
if (my_error_msg != NULL) {
@@ -1030,6 +1068,13 @@ static int hook_request_late(request_rec *r) {
r->connection->keepalive = AP_CONN_CLOSE;
return HTTP_BAD_REQUEST;
break;
+ case -7 : /* Partial recieved */
+ if (my_error_msg != NULL) {
+ msr_log(msr, 4, "%s", my_error_msg);
+ }
+ r->connection->keepalive = AP_CONN_CLOSE;
+ return HTTP_BAD_REQUEST;
+ break;
default :
/* allow through */
break;
@@ -1086,6 +1131,7 @@ static void hook_error_log(const char *file, int line, int level, apr_status_t s
{
modsec_rec *msr = NULL;
error_message_t *em = NULL;
+ int msr_ap_server;
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
if (info == NULL) return;
@@ -1102,27 +1148,22 @@ static void hook_error_log(const char *file, int line, int level, apr_status_t s
/* Create a context for requests we never had the chance to process */
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
- if ((msr == NULL)
+ msr_ap_server = ((msr == NULL)
&& ((info->level & APLOG_LEVELMASK) < APLOG_DEBUG)
- && apr_table_get(info->r->subprocess_env, "UNIQUE_ID"))
+ && apr_table_get(info->r->subprocess_env, "UNIQUE_ID"));
#else
- if ((msr == NULL)
+ msr_ap_server = ((msr == NULL)
&& ((level & APLOG_LEVELMASK) < APLOG_DEBUG)
- && apr_table_get(r->subprocess_env, "UNIQUE_ID"))
+ && apr_table_get(r->subprocess_env, "UNIQUE_ID"));
#endif
- {
+ if (msr_ap_server) {
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
- msr = create_tx_context((request_rec *)info->r);
+ msr = create_tx_context((request_rec*)info->r);
#else
- msr = create_tx_context((request_rec *)r);
+ msr = create_tx_context((request_rec*)r);
#endif
- if (msr != NULL && msr->txcfg->debuglog_level >= 9) {
- if (msr == NULL) {
- msr_log(msr, 9, "Failed to create context after request failure.");
- }
- else {
- msr_log(msr, 9, "Context created after request failure.");
- }
+ if (msr && msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "Context created after request failure.");
}
}
if (msr == NULL) return;
@@ -1136,7 +1177,7 @@ static void hook_error_log(const char *file, int line, int level, apr_status_t s
em->line = info->line;
em->level = info->level;
em->status = info->status;
- if (info->format != NULL) em->message = apr_pstrdup(msr->mp, info->format);
+ em->message = apr_pstrdup(msr->mp, errstr);
#else
if (file != NULL) em->file = apr_pstrdup(msr->mp, file);
em->line = line;
@@ -1412,6 +1453,14 @@ static void modsec_register_operator(const char *name, void *fn_init, void *fn_e
}
}
+#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
+#else
+typedef struct {
+ int child_num;
+ int thread_num;
+} sb_handle;
+#endif
+
/**
* \brief Connetion hook to limit the number of
* connections in BUSY state
@@ -1423,36 +1472,50 @@ static void modsec_register_operator(const char *name, void *fn_init, void *fn_e
*/
static int hook_connection_early(conn_rec *conn)
{
- sb_handle *sb = conn->sbh;
- int i, j;
- unsigned long int ip_count_r = 0, ip_count_w = 0;
- char *error_msg;
- worker_score *ws_record = NULL;
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
- ap_sb_handle_t *sbh = NULL;
+ ap_sb_handle_t *sbh = conn->sbh;
char *client_ip = conn->client_ip;
#else
+ sb_handle *sbh = conn->sbh;
char *client_ip = conn->remote_ip;
#endif
+ int i, j;
+ unsigned long int ip_count_r = 0, ip_count_w = 0;
+ char *error_msg;
+ worker_score *ws_record = NULL;
- if (sb != NULL && (conn_read_state_limit > 0 || conn_write_state_limit > 0)) {
+ if (sbh != NULL && (conn_read_state_limit > 0 || conn_write_state_limit > 0)) {
- ws_record = &ap_scoreboard_image->servers[sb->child_num][sb->thread_num];
+#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
+ ws_record = ap_get_scoreboard_worker(sbh);
+#else
+ ws_record = ap_get_scoreboard_worker(sbh->child_num, sbh->thread_num);
+#endif
if (ws_record == NULL)
return DECLINED;
- apr_cpystrn(ws_record->client, client_ip, sizeof(ws_record->client));
+ /* If ws_record does not have correct ip yet, we count it already */
+ if (strcmp(client_ip, ws_record->client) != 0) {
+ switch (ws_record->status) {
+ case SERVER_BUSY_READ:
+ ip_count_r++;
+ break;
+ case SERVER_BUSY_WRITE:
+ ip_count_w++;
+ break;
+ default:
+ break;
+ }
+ }
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
+ "ModSecurity: going to loop through %d servers with %d threads",
+ server_limit, thread_limit);
for (i = 0; i < server_limit; ++i) {
for (j = 0; j < thread_limit; ++j) {
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
- sbh = conn->sbh;
- if (sbh == NULL) {
- return DECLINED;
- }
-
- ws_record = ap_get_scoreboard_worker(sbh);
+ ws_record = ap_get_scoreboard_worker_from_indexes(i, j);
#else
ws_record = ap_get_scoreboard_worker(i, j);
#endif
@@ -1477,6 +1540,10 @@ static int hook_connection_early(conn_rec *conn)
}
}
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
+ "ModSecurity: threads in READ: %ld of %ld, WRITE: %ld of %ld, IP: %s",
+ ip_count_r, conn_read_state_limit, ip_count_w, conn_write_state_limit, client_ip);
+
if (conn_read_state_limit > 0 && ip_count_r > conn_read_state_limit)
{
if (conn_read_state_suspicious_list &&
@@ -1484,7 +1551,7 @@ static int hook_connection_early(conn_rec *conn)
conn_read_state_suspicious_list, client_ip, NULL, &error_msg) <= 0))
{
if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, conn,
"ModSecurity: Too many threads [%ld] of %ld allowed " \
"in READ state from %s - There is a suspission list " \
"but that IP is not part of it, access granted",
@@ -1494,7 +1561,7 @@ static int hook_connection_early(conn_rec *conn)
conn_read_state_whitelist, client_ip, NULL, &error_msg) > 0)
{
if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, conn,
"ModSecurity: Too many threads [%ld] of %ld allowed " \
"in READ state from %s - Ip is on whitelist, access " \
"granted", ip_count_r, conn_read_state_limit,
@@ -1502,7 +1569,7 @@ static int hook_connection_early(conn_rec *conn)
}
else
{
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, conn,
"ModSecurity: Access denied with code 400. Too many " \
"threads [%ld] of %ld allowed in READ state from %s - " \
"Possible DoS Consumption Attack [Rejected]", ip_count_r,
@@ -1520,7 +1587,7 @@ static int hook_connection_early(conn_rec *conn)
conn_write_state_suspicious_list, client_ip, NULL, &error_msg) <= 0))
{
if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, conn,
"ModSecurity: Too many threads [%ld] of %ld allowed " \
"in WRITE state from %s - There is a suspission list " \
"but that IP is not part of it, access granted",
@@ -1530,7 +1597,7 @@ static int hook_connection_early(conn_rec *conn)
conn_write_state_whitelist, client_ip, NULL, &error_msg) > 0)
{
if (conn_limits_filter_state == MODSEC_DETECTION_ONLY)
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, conn,
"ModSecurity: Too many threads [%ld] of %ld allowed " \
"in WRITE state from %s - Ip is on whitelist, " \
"access granted", ip_count_w, conn_read_state_limit,
@@ -1538,13 +1605,13 @@ static int hook_connection_early(conn_rec *conn)
}
else
{
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, conn,
"ModSecurity: Access denied with code 400. Too many " \
"threads [%ld] of %ld allowed in WRITE state from %s - " \
"Possible DoS Consumption Attack [Rejected]", ip_count_w,
conn_write_state_limit, client_ip);
- if (!conn_limits_filter_state == MODSEC_ENABLED)
+ if (conn_limits_filter_state == MODSEC_ENABLED)
return OK;
}
}
@@ -1647,10 +1714,6 @@ static void register_hooks(apr_pool_t *mp) {
APR_REGISTER_OPTIONAL_FN(modsec_register_reqbody_processor);
#endif
- /* For connection level hook */
- ap_mpm_query(AP_MPMQ_HARD_LIMIT_THREADS, &thread_limit);
- ap_mpm_query(AP_MPMQ_HARD_LIMIT_DAEMONS, &server_limit);
-
/* Main hooks */
ap_hook_pre_config(hook_pre_config, NULL, NULL, APR_HOOK_FIRST);
ap_hook_post_config(hook_post_config, postconfig_beforeme_list,
diff --git a/apache2/modsecurity.c b/apache2/modsecurity.c
index da89faa7a2..e21f17766c 100644
--- a/apache2/modsecurity.c
+++ b/apache2/modsecurity.c
@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -27,6 +27,10 @@
#include <curl/curl.h>
#endif
+#ifdef APLOG_USE_MODULE
+ APLOG_USE_MODULE(security2);
+#endif
+
unsigned long int DSOLOCAL unicode_codepage = 0;
int DSOLOCAL *unicode_map_table = NULL;
@@ -37,6 +41,8 @@ int DSOLOCAL *unicode_map_table = NULL;
const char * msc_alert_message(modsec_rec *msr, msre_actionset *actionset, const char *action_message,
const char *rule_message)
{
+ assert(msr != NULL);
+ assert(actionset != NULL);
const char *message = NULL;
if (rule_message == NULL) rule_message = "Unknown error.";
@@ -59,6 +65,8 @@ const char * msc_alert_message(modsec_rec *msr, msre_actionset *actionset, const
void msc_alert(modsec_rec *msr, int level, msre_actionset *actionset, const char *action_message,
const char *rule_message)
{
+ assert(msr != NULL);
+ assert(actionset != NULL);
const char *message = msc_alert_message(msr, actionset, action_message, rule_message);
msr_log(msr, level, "%s", message);
@@ -114,6 +122,62 @@ msc_engine *modsecurity_create(apr_pool_t *mp, int processing_mode) {
return msce;
}
+int acquire_global_lock(apr_global_mutex_t **lock, apr_pool_t *mp) {
+ apr_status_t rc = apr_global_mutex_create(lock, NULL, APR_LOCK_DEFAULT, mp);
+ if (rc != APR_SUCCESS) {
+ ap_log_perror(APLOG_MARK, APLOG_ERR, 0, mp, " ModSecurity: Could not create global mutex");
+ return -1;
+ }
+#if !defined(MSC_TEST)
+#ifdef __SET_MUTEX_PERMS
+#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
+ rc = ap_unixd_set_global_mutex_perms(*lock);
+#else
+ rc = unixd_set_global_mutex_perms(*lock);
+#endif
+ if (rc != APR_SUCCESS) {
+ ap_log_perror(APLOG_MARK, APLOG_ERR, 0, mp, " ModSecurity: Could not set permissions on global mutex");
+ return -1;
+ }
+#endif /* SET_MUTEX_PERMS */
+#endif /* MSC_TEST */
+ return APR_SUCCESS;
+}
+
+/**
+ * handle errors from apr_global_mutex_lock
+ */
+int msr_global_mutex_lock(modsec_rec* msr, apr_global_mutex_t* lock, const char* fct) {
+ assert(msr);
+ assert(msr->modsecurity); // lock is msr->modsecurity->..._lock
+ assert(msr->mp);
+ if (!lock) {
+ msr_log(msr, 1, "%s: Global mutex was not created", fct);
+ return -1;
+ }
+
+ int rc = apr_global_mutex_lock(lock);
+ if (rc != APR_SUCCESS) msr_log(msr, 1, "Audit log: Failed to lock global mutex: %s", get_apr_error(msr->mp, rc));
+ return rc;
+}
+/**
+ * handle errors from apr_global_mutex_unlock
+ */
+int msr_global_mutex_unlock(modsec_rec* msr, apr_global_mutex_t* lock, const char* fct) {
+ assert(msr);
+ assert(msr->modsecurity); // lock is msr->modsecurity->..._lock
+ assert(msr->mp);
+ if (!lock) {
+ msr_log(msr, 1, "%s: Global mutex was not created", fct);
+ return -1;
+ }
+
+ int rc = apr_global_mutex_unlock(lock);
+ // We should have get the warning at lock time, so ignore it here
+ // if (rc != APR_SUCCESS) msr_log(msr, 1, "Audit log: Failed to unlock global mutex: %s", get_apr_error(msr->mp, rc));
+ return rc;
+}
+
/**
* Initialise the modsecurity engine. This function must be invoked
* after configuration processing is complete as Apache needs to know the
@@ -122,6 +186,11 @@ msc_engine *modsecurity_create(apr_pool_t *mp, int processing_mode) {
int modsecurity_init(msc_engine *msce, apr_pool_t *mp) {
apr_status_t rc;
+ msce->auditlog_lock = msce->geo_lock = NULL;
+#ifdef GLOBAL_COLLECTION_LOCK
+ msce->dbm_lock = NULL;
+#endif
+
/**
* Notice that curl is initialized here but never cleaned up. First version
* of this implementation curl was initialized and cleaned for every
@@ -132,44 +201,17 @@ int modsecurity_init(msc_engine *msce, apr_pool_t *mp) {
#ifdef WITH_CURL
curl_global_init(CURL_GLOBAL_ALL);
#endif
- /* Serial audit log mutext */
- rc = apr_global_mutex_create(&msce->auditlog_lock, NULL, APR_LOCK_DEFAULT, mp);
- if (rc != APR_SUCCESS) {
- //ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, "mod_security: Could not create modsec_auditlog_lock");
- //return HTTP_INTERNAL_SERVER_ERROR;
- return -1;
- }
+ /* Serial audit log mutex */
+ rc = acquire_global_lock(&msce->auditlog_lock, mp);
+ if (rc != APR_SUCCESS) return -1;
-#if !defined(MSC_TEST)
-#ifdef __SET_MUTEX_PERMS
-#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
- rc = ap_unixd_set_global_mutex_perms(msce->auditlog_lock);
-#else
- rc = unixd_set_global_mutex_perms(msce->auditlog_lock);
-#endif
- if (rc != APR_SUCCESS) {
- // ap_log_error(APLOG_MARK, APLOG_ERR, rc, s, "mod_security: Could not set permissions on modsec_auditlog_lock; check User and Group directives");
- // return HTTP_INTERNAL_SERVER_ERROR;
- return -1;
- }
-#endif /* SET_MUTEX_PERMS */
+ rc = acquire_global_lock(&msce->geo_lock, mp);
+ if (rc != APR_SUCCESS) return -1;
- rc = apr_global_mutex_create(&msce->geo_lock, NULL, APR_LOCK_DEFAULT, mp);
- if (rc != APR_SUCCESS) {
- return -1;
- }
-
-#ifdef __SET_MUTEX_PERMS
-#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
- rc = ap_unixd_set_global_mutex_perms(msce->geo_lock);
-#else
- rc = unixd_set_global_mutex_perms(msce->geo_lock);
-#endif
- if (rc != APR_SUCCESS) {
- return -1;
- }
-#endif /* SET_MUTEX_PERMS */
-#endif
+#ifdef GLOBAL_COLLECTION_LOCK
+ rc = acquire_global_lock(&msce->dbm_lock, mp);
+ if (rc != APR_SUCCESS) return -1;
+#endif /* GLOBAL_COLLECTION_LOCK */
return 1;
}
@@ -195,6 +237,15 @@ void modsecurity_child_init(msc_engine *msce) {
}
}
+#ifdef GLOBAL_COLLECTION_LOCK
+ if (msce->dbm_lock != NULL) {
+ apr_status_t rc = apr_global_mutex_child_init(&msce->dbm_lock, NULL, msce->mp);
+ if (rc != APR_SUCCESS) {
+ // ap_log_error(APLOG_MARK, APLOG_ERR, rs, s, "Failed to child-init dbm mutex");
+ }
+ }
+#endif
+
}
/**
@@ -237,9 +288,11 @@ static void modsecurity_persist_data(modsec_rec *msr) {
}
/* Remove stale collections. */
- srand(time(NULL));
-
+#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 3
+ if (ap_random_pick(0, RAND_MAX) < RAND_MAX/100) {
+#else
if (rand() < RAND_MAX/100) {
+#endif
arr = apr_table_elts(msr->collections);
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
@@ -285,6 +338,7 @@ static apr_status_t modsecurity_tx_cleanup(void *data) {
msr->msc_full_request_buffer != NULL) {
msr->msc_full_request_length = 0;
free(msr->msc_full_request_buffer);
+ msr->msc_full_request_buffer = NULL;
}
#if defined(WITH_LUA)
@@ -293,6 +347,21 @@ static apr_status_t modsecurity_tx_cleanup(void *data) {
#endif
#endif
+ /* Streams cleanup. */
+ if (msr->stream_input_data != NULL) {
+ free(msr->stream_input_data);
+ msr->stream_input_data = NULL;
+ msr->stream_input_length = 0;
+#ifdef MSC_LARGE_STREAM_INPUT
+ msr->stream_input_allocated_length = 0;
+#endif
+ }
+ if (msr->stream_output_data != NULL) {
+ free(msr->stream_output_data);
+ msr->stream_output_data = NULL;
+ msr->stream_output_length = 0;
+ }
+
return APR_SUCCESS;
}
@@ -496,6 +565,7 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) {
*
*/
static int is_response_status_relevant(modsec_rec *msr, int status) {
+ assert(msr != NULL);
char *my_error_msg = NULL;
apr_status_t rc;
char buf[32];
@@ -514,7 +584,11 @@ static int is_response_status_relevant(modsec_rec *msr, int status) {
rc = msc_regexec(msr->txcfg->auditlog_relevant_regex, buf, strlen(buf), &my_error_msg);
if (rc >= 0) return 1;
+#ifdef WITH_PCRE2
+ if (rc == PCRE2_ERROR_NOMATCH) return 0;
+#else
if (rc == PCRE_ERROR_NOMATCH) return 0;
+#endif
msr_log(msr, 1, "Regex processing failed (rc %d): %s", rc, my_error_msg);
@@ -608,6 +682,7 @@ static apr_status_t modsecurity_process_phase_response_headers(modsec_rec *msr)
*
*/
static apr_status_t modsecurity_process_phase_response_body(modsec_rec *msr) {
+ assert(msr != NULL);
apr_time_t time_before;
apr_status_t rc = 0;
@@ -639,6 +714,7 @@ static apr_status_t modsecurity_process_phase_response_body(modsec_rec *msr) {
*
*/
static apr_status_t modsecurity_process_phase_logging(modsec_rec *msr) {
+ assert(msr != NULL);
apr_time_t time_before, time_after;
if (msr->txcfg->debuglog_level >= 4) {
@@ -725,6 +801,7 @@ static apr_status_t modsecurity_process_phase_logging(modsec_rec *msr) {
* in the modsec_rec structure.
*/
apr_status_t modsecurity_process_phase(modsec_rec *msr, unsigned int phase) {
+ assert(msr != NULL);
/* Check if we should run. */
if ((msr->was_intercepted)&&(phase != PHASE_LOGGING)) {
if (msr->txcfg->debuglog_level >= 4) {
diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
index bbec3faa4d..b3976f9366 100644
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -95,6 +95,8 @@ typedef struct msc_parm msc_parm;
#define REQUEST_BODY_DEFAULT_INMEMORY_LIMIT 131072
#define REQUEST_BODY_DEFAULT_LIMIT 134217728
#define REQUEST_BODY_NO_FILES_DEFAULT_LIMIT 1048576
+#define REQUEST_BODY_JSON_DEPTH_DEFAULT_LIMIT 10000
+#define ARGUMENTS_LIMIT 1000
#define RESPONSE_BODY_DEFAULT_LIMIT 524288
#define RESPONSE_BODY_HARD_LIMIT 1073741824L
@@ -268,6 +270,7 @@ struct modsec_rec {
unsigned int phase_request_body_complete;
apr_bucket_brigade *if_brigade;
+ unsigned int if_seen_eos;
unsigned int if_status;
unsigned int if_started_forwarding;
@@ -286,6 +289,10 @@ struct modsec_rec {
unsigned int resbody_contains_html;
apr_size_t stream_input_length;
+#ifdef MSC_LARGE_STREAM_INPUT
+ apr_size_t stream_input_allocated_length;
+#endif
+
char *stream_input_data;
apr_size_t stream_output_length;
char *stream_output_data;
@@ -487,6 +494,8 @@ struct directory_config {
long int reqbody_inmemory_limit;
long int reqbody_limit;
long int reqbody_no_files_limit;
+ long int reqbody_json_depth_limit;
+ long int arguments_limit;
int resbody_access;
long int of_limit;
@@ -518,6 +527,11 @@ struct directory_config {
/* AUDITLOG_SERIAL (single file) or AUDITLOG_CONCURRENT (multiple files) */
int auditlog_type;
+#ifdef WITH_YAJL
+ /* AUDITLOGFORMAT_NATIVE or AUDITLOGFORMAT_JSON */
+ int auditlog_format;
+#endif
+
/* Mode for audit log directories and files */
apr_fileperms_t auditlog_dirperms;
apr_fileperms_t auditlog_fileperms;
@@ -651,6 +665,9 @@ struct msc_engine {
apr_pool_t *mp;
apr_global_mutex_t *auditlog_lock;
apr_global_mutex_t *geo_lock;
+#ifdef GLOBAL_COLLECTION_LOCK
+ apr_global_mutex_t *dbm_lock;
+#endif
msre_engine *msre;
unsigned int processing_mode;
};
@@ -686,6 +703,11 @@ struct msc_parm {
int pad_2;
};
+/* Reusable functions */
+int acquire_global_lock(apr_global_mutex_t **lock, apr_pool_t *mp);
+int msr_global_mutex_lock(modsec_rec* msr, apr_global_mutex_t* lock, const char* fct);
+int msr_global_mutex_unlock(modsec_rec* msr, apr_global_mutex_t* lock, const char* fct);
+
/* Engine functions */
msc_engine DSOLOCAL *modsecurity_create(apr_pool_t *mp, int processing_mode);
diff --git a/apache2/msc_crypt.c b/apache2/msc_crypt.c
index e7590b66a3..4f73d15a7a 100644
--- a/apache2/msc_crypt.c
+++ b/apache2/msc_crypt.c
@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2004-2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -32,14 +32,12 @@
* \retval NULL on fail
*/
char *normalize_path(modsec_rec *msr, char *input) {
+ assert(msr != NULL);
+ assert(input != NULL);
xmlURI *uri = NULL;
char *parsed_content = NULL;
char *content = NULL;
- if(msr == NULL) return NULL;
-
- if(input == NULL) return NULL;
-
uri = xmlParseURI(input);
if(uri != NULL && uri->path) {
@@ -68,24 +66,30 @@ char *normalize_path(modsec_rec *msr, char *input) {
char *Uri = NULL;
int bytes = 0;
/*int i;*/
- char *relative_link = NULL;
+ char *abs_link = NULL;
char *filename = NULL;
- char *relative_path = NULL;
- char *relative_uri = NULL;
+ char *abs_path = NULL;
+ char *abs_uri = NULL;
- filename = file_basename(msr->mp, msr->r->parsed_uri.path);
+ if (uri->path[0] != '/') {
+ /* uri->path is relative. make it absolute */
+ filename = file_basename(msr->mp, msr->r->parsed_uri.path);
- if(filename == NULL || (strlen(msr->r->parsed_uri.path) - strlen(filename) < 0))
- return NULL;
+ if(filename == NULL || (strlen(msr->r->parsed_uri.path) - strlen(filename) < 0))
+ return NULL;
- relative_path = apr_pstrndup(msr->mp, msr->r->parsed_uri.path, strlen(msr->r->parsed_uri.path) - strlen(filename));
- relative_uri = apr_pstrcat(msr->mp, relative_path, uri->path, NULL);
+ abs_path = apr_pstrndup(msr->mp, msr->r->parsed_uri.path, strlen(msr->r->parsed_uri.path) - strlen(filename));
+ abs_uri = apr_pstrcat(msr->mp, abs_path, uri->path, NULL);
- relative_link = apr_pstrdup(msr->mp, relative_uri);
+ abs_link = apr_pstrdup(msr->mp, abs_uri);
+ }
+ else {
+ abs_link = apr_pstrdup(msr->mp, uri->path);
+ }
- xmlNormalizeURIPath(relative_link);
+ xmlNormalizeURIPath(abs_link);
- Uri = apr_pstrdup(msr->mp, relative_link);
+ Uri = apr_pstrdup(msr->mp, abs_link);
/*
for(i = 0; i < (int)strlen(Uri); i++) {
@@ -182,14 +186,21 @@ char *getkey(apr_pool_t *mp) {
*
* \retval hex_digest The MAC
*/
+#ifdef __NetBSD__
+char *mschmac(modsec_rec *msr, const char *key, int key_len,
+ unsigned char *msg, int msglen) {
+#else
char *hmac(modsec_rec *msr, const char *key, int key_len,
unsigned char *msg, int msglen) {
+#endif
+ assert(msr != NULL);
+ assert(msg != NULL);
apr_sha1_ctx_t ctx;
unsigned char digest[APR_SHA1_DIGESTSIZE];
unsigned char hmac_ipad[HMAC_PAD_SIZE], hmac_opad[HMAC_PAD_SIZE];
unsigned char nkey[APR_SHA1_DIGESTSIZE];
unsigned char *hmac_key = (unsigned char *) key;
- char hex_digest[APR_SHA1_DIGESTSIZE * 2], *hmac_digest;
+ char hex_digest[APR_SHA1_DIGESTSIZE * 2 + 1], *hmac_digest;
const char hex[] = "0123456789abcdef";
int i;
@@ -335,6 +346,8 @@ int init_response_body_html_parser(modsec_rec *msr) {
* \retval -1 on fail
*/
int do_hash_method(modsec_rec *msr, char *link, int type) {
+ assert(msr != NULL);
+ assert(link != NULL);
hash_method **em = NULL;
int i = 0;
char *error_msg = NULL;
@@ -375,7 +388,11 @@ int do_hash_method(modsec_rec *msr, char *link, int type) {
case HASH_URL_HREF_HASH_RX:
if(em[i]->type == HASH_URL_HREF_HASH_RX) {
rc = msc_regexec_capture(em[i]->param_data, link, strlen(link), ovector, 30, &my_error_msg);
+#ifdef WITH_PCRE2
+ if ((rc == PCRE2_ERROR_MATCHLIMIT) || (rc == PCRE2_ERROR_RECURSIONLIMIT)) {
+#else
if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) {
+#endif
msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
if (s == NULL) return -1;
@@ -404,7 +421,11 @@ int do_hash_method(modsec_rec *msr, char *link, int type) {
msr_log(msr, 4, "%s.", error_msg);
return -1;
}
+#ifdef WITH_PCRE2
+ if (rc != PCRE2_ERROR_NOMATCH) { /* Match. */
+#else
if (rc != PCRE_ERROR_NOMATCH) { /* Match. */
+#endif
return 1;
}
}
@@ -430,7 +451,11 @@ int do_hash_method(modsec_rec *msr, char *link, int type) {
case HASH_URL_FACTION_HASH_RX:
if(em[i]->type == HASH_URL_FACTION_HASH_RX) {
rc = msc_regexec_capture(em[i]->param_data, link, strlen(link), ovector, 30, &my_error_msg);
+#ifdef WITH_PCRE2
+ if ((rc == PCRE2_ERROR_MATCHLIMIT) || (rc == PCRE2_ERROR_RECURSIONLIMIT)) {
+#else
if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) {
+#endif
msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
if (s == NULL) return -1;
@@ -459,7 +484,11 @@ int do_hash_method(modsec_rec *msr, char *link, int type) {
msr_log(msr, 4, "%s.", error_msg);
return -1;
}
+#ifdef WITH_PCRE2
+ if (rc != PCRE2_ERROR_NOMATCH) { /* Match. */
+#else
if (rc != PCRE_ERROR_NOMATCH) { /* Match. */
+#endif
return 1;
}
}
@@ -485,7 +514,11 @@ int do_hash_method(modsec_rec *msr, char *link, int type) {
case HASH_URL_LOCATION_HASH_RX:
if(em[i]->type == HASH_URL_LOCATION_HASH_RX) {
rc = msc_regexec_capture(em[i]->param_data, link, strlen(link), ovector, 30, &my_error_msg);
+#ifdef WITH_PCRE2
+ if ((rc == PCRE2_ERROR_MATCHLIMIT) || (rc == PCRE2_ERROR_RECURSIONLIMIT)) {
+#else
if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) {
+#endif
msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
if (s == NULL) return -1;
@@ -514,7 +547,11 @@ int do_hash_method(modsec_rec *msr, char *link, int type) {
msr_log(msr, 4, "%s.", error_msg);
return -1;
}
+#ifdef WITH_PCRE2
+ if (rc != PCRE2_ERROR_NOMATCH) { /* Match. */
+#else
if (rc != PCRE_ERROR_NOMATCH) { /* Match. */
+#endif
return 1;
}
}
@@ -540,7 +577,11 @@ int do_hash_method(modsec_rec *msr, char *link, int type) {
case HASH_URL_IFRAMESRC_HASH_RX:
if(em[i]->type == HASH_URL_IFRAMESRC_HASH_RX) {
rc = msc_regexec_capture(em[i]->param_data, link, strlen(link), ovector, 30, &my_error_msg);
+#ifdef WITH_PCRE2
+ if ((rc == PCRE2_ERROR_MATCHLIMIT) || (rc == PCRE2_ERROR_RECURSIONLIMIT)) {
+#else
if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) {
+#endif
msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
if (s == NULL) return -1;
@@ -569,7 +610,11 @@ int do_hash_method(modsec_rec *msr, char *link, int type) {
msr_log(msr, 4, "%s.", error_msg);
return -1;
}
+#ifdef WITH_PCRE2
+ if (rc != PCRE2_ERROR_NOMATCH) { /* Match. */
+#else
if (rc != PCRE_ERROR_NOMATCH) { /* Match. */
+#endif
return 1;
}
}
@@ -595,7 +640,11 @@ int do_hash_method(modsec_rec *msr, char *link, int type) {
case HASH_URL_FRAMESRC_HASH_RX:
if(em[i]->type == HASH_URL_FRAMESRC_HASH_RX) {
rc = msc_regexec_capture(em[i]->param_data, link, strlen(link), ovector, 30, &my_error_msg);
+#ifdef WITH_PCRE2
+ if ((rc == PCRE2_ERROR_MATCHLIMIT) || (rc == PCRE2_ERROR_RECURSIONLIMIT)) {
+#else
if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) {
+#endif
msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
if (s == NULL) return -1;
@@ -624,7 +673,11 @@ int do_hash_method(modsec_rec *msr, char *link, int type) {
msr_log(msr, 4, "%s.", error_msg);
return -1;
}
+#ifdef WITH_PCRE2
+ if (rc != PCRE2_ERROR_NOMATCH) { /* Match. */
+#else
if (rc != PCRE_ERROR_NOMATCH) { /* Match. */
+#endif
return 1;
}
}
@@ -1000,6 +1053,7 @@ int hash_response_body_links(modsec_rec *msr) {
* \retval -1 On fail
*/
int inject_hashed_response_body(modsec_rec *msr, int elts) {
+ assert(msr != NULL);
xmlOutputBufferPtr output_buf = NULL;
xmlCharEncodingHandlerPtr handler = NULL;
char *p = NULL;
@@ -1072,7 +1126,8 @@ int inject_hashed_response_body(modsec_rec *msr, int elts) {
}
htmlDocContentDumpFormatOutput(output_buf, msr->crypto_html_tree, NULL, 0);
- xmlOutputBufferFlush(output_buf);
+ // Not necessary in 2.9.4+
+ //xmlOutputBufferFlush(output_buf);
#ifdef LIBXML2_NEW_BUFFER
@@ -1082,6 +1137,7 @@ int inject_hashed_response_body(modsec_rec *msr, int elts) {
xmlOutputBufferClose(output_buf);
xmlFreeDoc(msr->crypto_html_tree);
msr->of_stream_changed = 0;
+ msr_log(msr, 4, "inject_hashed_response_body: NEW_BUFFER Output buffer is null.");
return -1;
}
@@ -1096,11 +1152,12 @@ int inject_hashed_response_body(modsec_rec *msr, int elts) {
if (msr->stream_output_data == NULL) {
xmlOutputBufferClose(output_buf);
xmlFreeDoc(msr->crypto_html_tree);
+ msr_log(msr, 4, "inject_hashed_response_body: NEW BUFFER Stream Output is null.");
return -1;
}
- memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
memcpy(msr->stream_output_data, xmlOutputBufferGetContent(output_buf), msr->stream_output_length);
+ msr->stream_output_data[msr->stream_output_length] = '\0';
if (msr->txcfg->debuglog_level >= 4)
msr_log(msr, 4, "inject_hashed_response_body: Copying XML tree from CONTENT to stream buffer [%zu] bytes.", xmlOutputBufferGetSize(output_buf));
@@ -1111,6 +1168,7 @@ int inject_hashed_response_body(modsec_rec *msr, int elts) {
xmlOutputBufferClose(output_buf);
xmlFreeDoc(msr->crypto_html_tree);
msr->of_stream_changed = 0;
+ msr_log(msr, 4, "inject_hashed_response_body: Conv is null.");
return -1;
}
@@ -1123,13 +1181,14 @@ int inject_hashed_response_body(modsec_rec *msr, int elts) {
msr->stream_output_data = (char *)malloc(msr->stream_output_length+1);
if (msr->stream_output_data == NULL) {
+ msr_log(msr, 4, "inject_hashed_response_body: Stream Output data is NULL.");
xmlOutputBufferClose(output_buf);
xmlFreeDoc(msr->crypto_html_tree);
return -1;
}
- memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
memcpy(msr->stream_output_data, xmlOutputBufferGetContent(output_buf), msr->stream_output_length);
+ msr->stream_output_data[msr->stream_output_length] = '\0';
if (msr->txcfg->debuglog_level >= 4)
msr_log(msr, 4, "inject_hashed_response_body: Copying XML tree from CONV to stream buffer [%zu] bytes.", xmlOutputBufferGetSize(output_buf));
@@ -1143,6 +1202,7 @@ int inject_hashed_response_body(modsec_rec *msr, int elts) {
if(output_buf->buffer == NULL || output_buf->buffer->use == 0) {
xmlOutputBufferClose(output_buf);
xmlFreeDoc(msr->crypto_html_tree);
+ msr_log(msr, 4, "inject_hashed_response_body: Output buffer is null.");
msr->of_stream_changed = 0;
return -1;
}
@@ -1158,12 +1218,13 @@ int inject_hashed_response_body(modsec_rec *msr, int elts) {
if (msr->stream_output_data == NULL) {
xmlOutputBufferClose(output_buf);
xmlFreeDoc(msr->crypto_html_tree);
+ msr_log(msr, 4, "inject_hashed_response_body: Stream Output is null.");
return -1;
}
- memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
memcpy(msr->stream_output_data, (char *)xmlBufferContent(output_buf->buffer), msr->stream_output_length);
//memcpy(msr->stream_output_data, output_buf->buffer->content, msr->stream_output_length);
+ msr->stream_output_data[msr->stream_output_length] = '\0';
if (msr->txcfg->debuglog_level >= 4)
msr_log(msr, 4, "inject_hashed_response_body: Copying XML tree from CONTENT to stream buffer [%d] bytes.", msr->stream_output_length);
@@ -1174,6 +1235,7 @@ int inject_hashed_response_body(modsec_rec *msr, int elts) {
xmlOutputBufferClose(output_buf);
xmlFreeDoc(msr->crypto_html_tree);
msr->of_stream_changed = 0;
+ msr_log(msr, 4, "inject_hashed_response_body: Stream Output is null.");
return -1;
}
@@ -1188,12 +1250,13 @@ int inject_hashed_response_body(modsec_rec *msr, int elts) {
if (msr->stream_output_data == NULL) {
xmlOutputBufferClose(output_buf);
xmlFreeDoc(msr->crypto_html_tree);
+ msr_log(msr, 4, "inject_hashed_response_body: Stream Output Data is null.");
return -1;
}
- memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
memcpy(msr->stream_output_data, (char *)xmlBufferContent(output_buf->conv), msr->stream_output_length);
//memcpy(msr->stream_output_data, output_buf->conv->content, msr->stream_output_length);
+ msr->stream_output_data[msr->stream_output_length] = '\0';
if (msr->txcfg->debuglog_level >= 4)
msr_log(msr, 4, "inject_hashed_response_body: Copying XML tree from CONV to stream buffer [%d] bytes.", msr->stream_output_length);
@@ -1230,13 +1293,13 @@ int inject_hashed_response_body(modsec_rec *msr, int elts) {
* \retval NULL on fail
*/
char *do_hash_link(modsec_rec *msr, char *link, int type) {
+ assert(msr != NULL);
+ assert(link != NULL);
char *mac_link = NULL;
char *path_chunk = NULL;
char *hash_value = NULL;
char *qm = NULL;
- if(msr == NULL) return NULL;
-
if(strlen(link) > 7 && strncmp("http:",(char*)link,5)==0){
path_chunk = strchr(link+7,'/');
if(path_chunk != NULL) {
@@ -1245,8 +1308,11 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
}
if(msr->txcfg->crypto_key_add == HASH_KEYONLY)
+#ifdef __NetBSD__
+ hash_value = mschmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
+#else
hash_value = hmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
-
+#endif
if(msr->txcfg->crypto_key_add == HASH_SESSIONID) {
if(msr->sessionid == NULL || strlen(msr->sessionid) == 0) {
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
@@ -1257,13 +1323,21 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
if (msr->txcfg->debuglog_level >= 4)
msr_log(msr, 4, "Session id is empty. Using REMOTE_IP");
msr->txcfg->crypto_key_len = strlen(new_pwd);
+#ifdef __NetBSD__
+ hash_value = mschmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
+#else
hash_value = hmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
+#endif
} else {
const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->sessionid);
if (msr->txcfg->debuglog_level >= 4)
msr_log(msr, 4, "Using session id [%s]", msr->sessionid);
msr->txcfg->crypto_key_len = strlen(new_pwd);
+#ifdef __NetBSD__
+ hash_value = mschmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
+#else
hash_value = hmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
+#endif
}
}
@@ -1274,7 +1348,11 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->remote_ip);
#endif
msr->txcfg->crypto_key_len = strlen(new_pwd);
+#ifdef __NetBSD__
+ hash_value = mschmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
+#else
hash_value = hmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
+#endif
}
} else {
return NULL;
@@ -1288,8 +1366,11 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
}
if(msr->txcfg->crypto_key_add == HASH_KEYONLY)
+#ifdef __NetBSD__
+ hash_value = mschmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
+#else
hash_value = hmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
-
+#endif
if(msr->txcfg->crypto_key_add == HASH_SESSIONID) {
if(msr->sessionid == NULL || strlen(msr->sessionid) == 0) {
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
@@ -1300,13 +1381,21 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
if (msr->txcfg->debuglog_level >= 4)
msr_log(msr, 4, "Session id is empty. Using REMOTE_IP");
msr->txcfg->crypto_key_len = strlen(new_pwd);
+#ifdef __NetBSD__
+ hash_value = mschmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
+#else
hash_value = hmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
+#endif
} else {
const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->sessionid);
if (msr->txcfg->debuglog_level >= 4)
msr_log(msr, 4, "Using session id [%s]", msr->sessionid);
msr->txcfg->crypto_key_len = strlen(new_pwd);
+#ifdef __NetBSD__
+ hash_value = mschmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
+#else
hash_value = hmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
+#endif
}
}
@@ -1317,7 +1406,11 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->remote_ip);
#endif
msr->txcfg->crypto_key_len = strlen(new_pwd);
+#ifdef __NetBSD__
+ hash_value = mschmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
+#else
hash_value = hmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
+#endif
}
} else {
return NULL;
@@ -1329,8 +1422,11 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
}
if(msr->txcfg->crypto_key_add == HASH_KEYONLY)
+#ifdef __NetBSD__
+ hash_value = mschmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) link+1, strlen((char*)link)-1);
+#else
hash_value = hmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) link+1, strlen((char*)link)-1);
-
+#endif
if(msr->txcfg->crypto_key_add == HASH_SESSIONID) {
if(msr->sessionid == NULL || strlen(msr->sessionid) == 0) {
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
@@ -1341,13 +1437,21 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
if (msr->txcfg->debuglog_level >= 4)
msr_log(msr, 4, "Session id is empty. Using REMOTE_IP");
msr->txcfg->crypto_key_len = strlen(new_pwd);
+#ifdef __NetBSD__
+ hash_value = mschmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) link+1, strlen((char*)link)-1);
+#else
hash_value = hmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) link+1, strlen((char*)link)-1);
+#endif
} else {
const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->sessionid);
if (msr->txcfg->debuglog_level >= 4)
msr_log(msr, 4, "Using session id [%s]", msr->sessionid);
msr->txcfg->crypto_key_len = strlen(new_pwd);
+#ifdef __NetBSD__
+ hash_value = mschmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) link+1, strlen((char*)link)-1);
+#else
hash_value = hmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) link+1, strlen((char*)link)-1);
+#endif
}
}
@@ -1358,7 +1462,11 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->remote_ip);
#endif
msr->txcfg->crypto_key_len = strlen(new_pwd);
+#ifdef __NetBSD__
+ hash_value = mschmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) link+1, strlen((char*)link)-1);
+#else
hash_value = hmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) link+1, strlen((char*)link)-1);
+#endif
}
}
@@ -1383,7 +1491,11 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
}
if(msr->txcfg->crypto_key_add == HASH_KEYONLY)
+#ifdef __NetBSD__
+ hash_value = mschmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) relative_link, strlen((char*)relative_link));
+#else
hash_value = hmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) relative_link, strlen((char*)relative_link));
+#endif
if(msr->txcfg->crypto_key_add == HASH_SESSIONID) {
if(msr->sessionid == NULL || strlen(msr->sessionid) == 0) {
@@ -1395,13 +1507,21 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
if (msr->txcfg->debuglog_level >= 4)
msr_log(msr, 4, "Session id is empty. Using REMOTE_IP");
msr->txcfg->crypto_key_len = strlen(new_pwd);
+#ifdef __NetBSD__
+ hash_value = mschmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) relative_link, strlen((char*)relative_link));
+#else
hash_value = hmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) relative_link, strlen((char*)relative_link));
+#endif
} else {
const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->sessionid);
if (msr->txcfg->debuglog_level >= 4)
msr_log(msr, 4, "Using session id [%s]", msr->sessionid);
msr->txcfg->crypto_key_len = strlen(new_pwd);
+#ifdef __NetBSD__
+ hash_value = mschmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) relative_link, strlen((char*)relative_link));
+#else
hash_value = hmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) relative_link, strlen((char*)relative_link));
+#endif
}
}
@@ -1412,7 +1532,11 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->remote_ip);
#endif
msr->txcfg->crypto_key_len = strlen(new_pwd);
+#ifdef __NetBSD__
+ hash_value = mschmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) relative_link, strlen((char*)relative_link));
+#else
hash_value = hmac(msr, new_pwd, msr->txcfg->crypto_key_len, (unsigned char *) relative_link, strlen((char*)relative_link));
+#endif
}
link = relative_uri;
diff --git a/apache2/msc_crypt.h b/apache2/msc_crypt.h
index 3b3aa6da44..fb3d515112 100644
--- a/apache2/msc_crypt.h
+++ b/apache2/msc_crypt.h
@@ -27,8 +27,13 @@
#define INT32_MAX (2147483647)
#endif
+#ifdef __NetBSD__
+char DSOLOCAL *mschmac(modsec_rec *msr, const char *key, int key_len,
+ unsigned char *msg, int msglen);
+#else
char DSOLOCAL *hmac(modsec_rec *msr, const char *key, int key_len,
unsigned char *msg, int msglen);
+#endif
char DSOLOCAL *do_hash_link(modsec_rec *msr, char *link,
int type);
char DSOLOCAL *getkey(apr_pool_t *mp);
diff --git a/apache2/msc_geo.c b/apache2/msc_geo.c
index 49cf292c7d..7d3a8e4021 100644
--- a/apache2/msc_geo.c
+++ b/apache2/msc_geo.c
@@ -12,6 +12,7 @@
* directly using the email address security@modsecurity.org.
*/
+#include <assert.h>
#include "msc_geo.h"
@@ -43,7 +44,8 @@ static const char geo_country_code[GEO_COUNTRY_LAST + 1][4] = {
"TJ","TK","TM","TN","TO","TL","TR","TT","TV","TW",
"TZ","UA","UG","UM","US","UY","UZ","VA","VC","VE",
"VG","VI","VN","VU","WF","WS","YE","YT","RS","ZA",
- "ZM","ME","ZW","A1","A2","O1","AX","GG","IM","JE"
+ "ZM","ME","ZW","A1","A2","O1","AX","GG","IM","JE",
+ "BL","BQ","CW","MF","SS","SX"
};
static const char geo_country_code3[GEO_COUNTRY_LAST + 1][4] = {
@@ -72,7 +74,8 @@ static const char geo_country_code3[GEO_COUNTRY_LAST + 1][4] = {
"TJK","TKL","TKM","TUN","TON","TLS","TUR","TTO","TUV","TWN",
"TZA","UKR","UGA","UM","USA","URY","UZB","VAT","VCT","VEN",
"VGB","VIR","VNM","VUT","WLF","WSM","YEM","YT","SRB","ZAF",
- "ZMB","MNE","ZWE","A1","A2","O1","ALA","GGY","IMN","JEY"
+ "ZMB","MNE","ZWE","A1","A2","O1","ALA","GGY","IMN","JEY",
+ "BLM","BES","CUW","MAF","SSD","SXM"
};
static const char *const geo_country_name[GEO_COUNTRY_LAST + 1] = {
@@ -82,7 +85,7 @@ static const char *const geo_country_name[GEO_COUNTRY_LAST + 1] = {
"Bangladesh","Belgium","Burkina Faso","Bulgaria","Bahrain","Burundi","Benin","Bermuda","Brunei Darussalam","Bolivia",
"Brazil","Bahamas","Bhutan","Bouvet Island","Botswana","Belarus","Belize","Canada","Cocos (Keeling) Islands","Congo, The Democratic Republic of the",
"Central African Republic","Congo","Switzerland","Cote D'Ivoire","Cook Islands","Chile","Cameroon","China","Colombia","Costa Rica",
- "Cuba","Cape Verde","Christmas Island","Cyprus","Czech Republic","Germany","Djibouti","Denmark","Dominica","Dominican Republic",
+ "Cuba","Cape Verde","Christmas Island","Cyprus","Czechia","Germany","Djibouti","Denmark","Dominica","Dominican Republic",
"Algeria","Ecuador","Estonia","Egypt","Western Sahara","Eritrea","Spain","Ethiopia","Finland","Fiji",
"Falkland Islands (Malvinas)","Micronesia, Federated States of","Faroe Islands","France","France, Metropolitan","Gabon","United Kingdom","Grenada","Georgia","French Guiana",
"Ghana","Gibraltar","Greenland","Gambia","Guinea","Guadeloupe","Equatorial Guinea","Greece","South Georgia and the South Sandwich Islands","Guatemala",
@@ -101,7 +104,8 @@ static const char *const geo_country_name[GEO_COUNTRY_LAST + 1] = {
"Tajikistan","Tokelau","Turkmenistan","Tunisia","Tonga","Timor-Leste","Turkey","Trinidad and Tobago","Tuvalu","Taiwan",
"Tanzania, United Republic of","Ukraine","Uganda","United States Minor Outlying Islands","United States","Uruguay","Uzbekistan","Holy See (Vatican City State)","Saint Vincent and the Grenadines","Venezuela",
"Virgin Islands, British","Virgin Islands, U.S.","Vietnam","Vanuatu","Wallis and Futuna","Samoa","Yemen","Mayotte","Serbia","South Africa",
- "Zambia","Montenegro","Zimbabwe","Anonymous Proxy","Satellite Provider","Other","Aland Islands","Guernsey","Isle of Man","Jersey"
+ "Zambia","Montenegro","Zimbabwe","Anonymous Proxy","Satellite Provider","Other","Aland Islands","Guernsey","Isle of Man","Jersey",
+ "Saint Barthélemy","Bonaire, Sint Eustatius and Saba","Curaçao","Saint Martin (French part)","South Sudan","Sint Maarten (Dutch part)"
};
static const char geo_country_continent[GEO_COUNTRY_LAST + 1][4] = {
@@ -130,7 +134,8 @@ static const char geo_country_continent[GEO_COUNTRY_LAST + 1][4] = {
"AS","OC","AS","AF","OC","AS","AS","SA","OC","AS",
"AF","EU","AF","OC","NA","SA","AS","EU","SA","SA",
"SA","SA","AS","OC","OC","OC","AS","AF","EU","AF",
- "AF","EU","AF","--","--","--","EU","EU","EU","EU"
+ "AF","EU","AF","--","--","--","EU","EU","EU","EU",
+ "--","--","--","--","AF","--"
};
typedef enum {
@@ -240,6 +245,7 @@ static int field_length(const char *field, int maxlen)
*/
int geo_init(directory_config *dcfg, const char *dbfn, char **error_msg)
{
+ assert(dcfg != NULL);
*error_msg = NULL;
if ((dcfg->geo == NULL) || (dcfg->geo == NOT_SET_P)) {
@@ -259,6 +265,10 @@ int geo_init(directory_config *dcfg, const char *dbfn, char **error_msg)
*/
int geo_lookup(modsec_rec *msr, geo_rec *georec, const char *target, char **error_msg)
{
+ assert(msr != NULL);
+ assert(georec != NULL);
+ assert(target != NULL);
+ assert(error_msg != NULL);
apr_sockaddr_t *addr;
long ipnum = 0;
char *targetip = NULL;
@@ -315,11 +325,7 @@ int geo_lookup(modsec_rec *msr, geo_rec *georec, const char *target, char **erro
msr_log(msr, 9, "GEO: Using address \"%s\" (0x%08lx). %lu", targetip, ipnum, ipnum);
}
- ret = apr_global_mutex_lock(msr->modsecurity->geo_lock);
- if (ret != APR_SUCCESS) {
- msr_log(msr, 1, "Geo Lookup: Failed to lock proc mutex: %s",
- get_apr_error(msr->mp, ret));
- }
+ msr_global_mutex_lock(msr, msr->modsecurity->geo_lock, "Geo lookup");
for (level = 31; level >= 0; level--) {
/* Read the record */
@@ -351,13 +357,7 @@ int geo_lookup(modsec_rec *msr, geo_rec *georec, const char *target, char **erro
if (rec_val == geo->ctry_offset) {
*error_msg = apr_psprintf(msr->mp, "No geo data for \"%s\").", log_escape(msr->mp, target));
msr_log(msr, 4, "%s", *error_msg);
-
- ret = apr_global_mutex_unlock(msr->modsecurity->geo_lock);
- if (ret != APR_SUCCESS) {
- msr_log(msr, 1, "Geo Lookup: Failed to lock proc mutex: %s",
- get_apr_error(msr->mp, ret));
- }
-
+ msr_global_mutex_unlock(msr, msr->modsecurity->geo_lock, "Geo Lookup");
return 0;
}
@@ -367,13 +367,7 @@ int geo_lookup(modsec_rec *msr, geo_rec *georec, const char *target, char **erro
if ((country <= 0) || (country > GEO_COUNTRY_LAST)) {
*error_msg = apr_psprintf(msr->mp, "No geo data for \"%s\" (country %d).", log_escape(msr->mp, target), country);
msr_log(msr, 4, "%s", *error_msg);
-
- ret = apr_global_mutex_unlock(msr->modsecurity->geo_lock);
- if (ret != APR_SUCCESS) {
- msr_log(msr, 1, "Geo Lookup: Failed to lock proc mutex: %s",
- get_apr_error(msr->mp, ret));
- }
-
+ msr_global_mutex_unlock(msr, msr->modsecurity->geo_lock, "Geo Lookup");
return 0;
}
@@ -398,13 +392,7 @@ int geo_lookup(modsec_rec *msr, geo_rec *georec, const char *target, char **erro
if ((country <= 0) || (country > GEO_COUNTRY_LAST)) {
*error_msg = apr_psprintf(msr->mp, "No geo data for \"%s\" (country %d).", log_escape(msr->mp, target), country);
msr_log(msr, 4, "%s", *error_msg);
-
- ret = apr_global_mutex_unlock(msr->modsecurity->geo_lock);
- if (ret != APR_SUCCESS) {
- msr_log(msr, 1, "Geo Lookup: Failed to lock proc mutex: %s",
- get_apr_error(msr->mp, ret));
- }
-
+ msr_global_mutex_unlock(msr, msr->modsecurity->geo_lock, "Geo Lookup");
return 0;
}
if (msr->txcfg->debuglog_level >= 9) {
@@ -493,13 +481,7 @@ int geo_lookup(modsec_rec *msr, geo_rec *georec, const char *target, char **erro
}
*error_msg = apr_psprintf(msr->mp, "Geo lookup for \"%s\" succeeded.", log_escape(msr->mp, target));
-
- ret = apr_global_mutex_unlock(msr->modsecurity->geo_lock);
- if (ret != APR_SUCCESS) {
- msr_log(msr, 1, "Geo Lookup: Failed to lock proc mutex: %s",
- get_apr_error(msr->mp, ret));
- }
-
+ msr_global_mutex_unlock(msr, msr->modsecurity->geo_lock, "Geo Lookup");
return 1;
}
diff --git a/apache2/msc_geo.h b/apache2/msc_geo.h
index 1293614608..afc8e72c74 100644
--- a/apache2/msc_geo.h
+++ b/apache2/msc_geo.h
@@ -25,7 +25,7 @@
#define GEO_COUNTRY_DATABASE 1
#define GEO_CITY_DATABASE_0 6
#define GEO_CITY_DATABASE_1 2
-#define GEO_COUNTRY_LAST 250
+#define GEO_COUNTRY_LAST 256
#define GEO_SEGMENT_RECORD_LENGTH 3
#define GEO_STATE_BEGIN_REV0 16700000
#define GEO_STATE_BEGIN_REV1 16000000
diff --git a/apache2/msc_json.c b/apache2/msc_json.c
index 4bec0f14df..0656fc2588 100644
--- a/apache2/msc_json.c
+++ b/apache2/msc_json.c
@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
- * Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2004-2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -16,8 +16,12 @@
#ifdef WITH_YAJL
+const char *base_offset=NULL;
+
int json_add_argument(modsec_rec *msr, const char *value, unsigned length)
{
+ assert(msr != NULL);
+ assert(msr->json != NULL);
msc_arg *arg = (msc_arg *) NULL;
/**
@@ -25,8 +29,7 @@ int json_add_argument(modsec_rec *msr, const char *value, unsigned length)
* to reference this argument; for now we simply ignore these
*/
if (!msr->json->current_key) {
- msr_log(msr, 3, "Cannot add scalar value without an associated key");
- return 1;
+ msr->json->current_key = "";
}
arg = (msc_arg *) apr_pcalloc(msr->mp, sizeof(msc_arg));
@@ -48,12 +51,24 @@ int json_add_argument(modsec_rec *msr, const char *value, unsigned length)
*/
arg->value = apr_pstrmemdup(msr->mp, value, length);
arg->value_len = length;
+ arg->value_origin_len = length;
+ arg->value_origin_offset = value-base_offset;
arg->origin = "JSON";
if (msr->txcfg->debuglog_level >= 9) {
msr_log(msr, 9, "Adding JSON argument '%s' with value '%s'",
arg->name, arg->value);
}
+ if (apr_table_elts(msr->arguments)->nelts >= msr->txcfg->arguments_limit) {
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "Skipping request argument, over limit (%s): name \"%s\", value \"%s\"",
+ arg->origin, log_escape_ex(msr->mp, arg->name, arg->name_len),
+ log_escape_ex(msr->mp, arg->value, arg->value_len));
+ }
+ msr->msc_reqbody_error = 1;
+ msr->json->yajl_error = apr_psprintf(msr->mp, "More than %ld JSON keys", msr->txcfg->arguments_limit);
+ return 0;
+ }
apr_table_addn(msr->arguments,
log_escape_nq_ex(msr->mp, arg->name, arg->name_len), (void *) arg);
@@ -74,6 +89,8 @@ int json_add_argument(modsec_rec *msr, const char *value, unsigned length)
static int yajl_map_key(void *ctx, const unsigned char *key, size_t length)
{
modsec_rec *msr = (modsec_rec *) ctx;
+ assert(msr != NULL);
+ assert(msr->json != NULL);
unsigned char *safe_key = (unsigned char *) NULL;
/**
@@ -105,6 +122,7 @@ static int yajl_map_key(void *ctx, const unsigned char *key, size_t length)
static int yajl_null(void *ctx)
{
modsec_rec *msr = (modsec_rec *) ctx;
+ assert(msr != NULL);
return json_add_argument(msr, "", 0);
}
@@ -115,6 +133,7 @@ static int yajl_null(void *ctx)
static int yajl_boolean(void *ctx, int value)
{
modsec_rec *msr = (modsec_rec *) ctx;
+ assert(msr != NULL);
if (value) {
return json_add_argument(msr, "true", strlen("true"));
@@ -130,6 +149,7 @@ static int yajl_boolean(void *ctx, int value)
static int yajl_string(void *ctx, const unsigned char *value, size_t length)
{
modsec_rec *msr = (modsec_rec *) ctx;
+ assert(msr != NULL);
return json_add_argument(msr, value, length);
}
@@ -142,10 +162,75 @@ static int yajl_string(void *ctx, const unsigned char *value, size_t length)
static int yajl_number(void *ctx, const char *value, size_t length)
{
modsec_rec *msr = (modsec_rec *) ctx;
+ assert(msr != NULL);
return json_add_argument(msr, value, length);
}
+static int yajl_start_array(void *ctx) {
+ modsec_rec *msr = (modsec_rec *) ctx;
+ assert(msr != NULL);
+ assert(msr->json != NULL);
+
+ if (!msr->json->current_key && !msr->json->prefix) {
+ msr->json->prefix = apr_pstrdup(msr->mp, "array");
+ msr->json->current_key = apr_pstrdup(msr->mp, "array");
+ }
+ else if (msr->json->prefix) {
+ msr->json->prefix = apr_psprintf(msr->mp, "%s.%s", msr->json->prefix,
+ msr->json->current_key);
+ }
+ else {
+ msr->json->prefix = apr_pstrdup(msr->mp, msr->json->current_key);
+ }
+ msr->json->current_depth++;
+ if (msr->json->current_depth > msr->txcfg->reqbody_json_depth_limit) {
+ msr->json->depth_limit_exceeded = 1;
+ return 0;
+ }
+
+ if (msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "New JSON hash context (prefix '%s')", msr->json->prefix);
+ }
+
+
+ return 1;
+}
+
+
+static int yajl_end_array(void *ctx) {
+ modsec_rec *msr = (modsec_rec *) ctx;
+ assert(msr != NULL);
+ assert(msr->json != NULL);
+ unsigned char *separator = (unsigned char *) NULL;
+
+ /**
+ * If we have no prefix, then this is the end of a top-level hash and
+ * we don't do anything
+ */
+ if (msr->json->prefix == NULL) return 1;
+
+ /**
+ * Current prefix might or not include a separator character; top-level
+ * hash keys do not have separators in the variable name
+ */
+ separator = strrchr(msr->json->prefix, '.');
+
+ if (separator) {
+ msr->json->prefix = apr_pstrmemdup(msr->mp, msr->json->prefix,
+ separator - msr->json->prefix);
+ }
+ else {
+ /**
+ * TODO: Check if it is safe to do this kind of pointer tricks
+ */
+ msr->json->prefix = (unsigned char *) NULL;
+ }
+ msr->json->current_depth--;
+
+ return 1;
+}
+
/**
* Callback for a new hash, which indicates a new subtree, labeled as the current
* argument name, is being created
@@ -153,6 +238,8 @@ static int yajl_number(void *ctx, const char *value, size_t length)
static int yajl_start_map(void *ctx)
{
modsec_rec *msr = (modsec_rec *) ctx;
+ assert(msr != NULL);
+ assert(msr->json != NULL);
/**
* If we do not have a current_key, this is a top-level hash, so we do not
@@ -171,6 +258,11 @@ static int yajl_start_map(void *ctx)
else {
msr->json->prefix = apr_pstrdup(msr->mp, msr->json->current_key);
}
+ msr->json->current_depth++;
+ if (msr->json->current_depth > msr->txcfg->reqbody_json_depth_limit) {
+ msr->json->depth_limit_exceeded = 1;
+ return 0;
+ }
if (msr->txcfg->debuglog_level >= 9) {
msr_log(msr, 9, "New JSON hash context (prefix '%s')", msr->json->prefix);
@@ -186,6 +278,8 @@ static int yajl_start_map(void *ctx)
static int yajl_end_map(void *ctx)
{
modsec_rec *msr = (modsec_rec *) ctx;
+ assert(msr != NULL);
+ assert(msr->json != NULL);
unsigned char *separator = (unsigned char *) NULL;
/**
@@ -212,6 +306,7 @@ static int yajl_end_map(void *ctx)
msr->json->current_key = msr->json->prefix;
msr->json->prefix = (unsigned char *) NULL;
}
+ msr->json->current_depth--;
return 1;
}
@@ -220,6 +315,8 @@ static int yajl_end_map(void *ctx)
* Initialise JSON parser.
*/
int json_init(modsec_rec *msr, char **error_msg) {
+ assert(msr != NULL);
+ assert(error_msg != NULL);
/**
* yajl configuration and callbacks
*/
@@ -233,11 +330,10 @@ int json_init(modsec_rec *msr, char **error_msg) {
yajl_start_map,
yajl_map_key,
yajl_end_map,
- NULL /* yajl_start_array */,
- NULL /* yajl_end_array */
+ yajl_start_array,
+ yajl_end_array
};
- if (error_msg == NULL) return -1;
*error_msg = NULL;
msr_log(msr, 4, "JSON parser initialization");
@@ -250,6 +346,9 @@ int json_init(modsec_rec *msr, char **error_msg) {
msr->json->prefix = (unsigned char *) NULL;
msr->json->current_key = (unsigned char *) NULL;
+ msr->json->current_depth = 0;
+ msr->json->depth_limit_exceeded = 0;
+
/**
* yajl initialization
*
@@ -271,14 +370,25 @@ int json_init(modsec_rec *msr, char **error_msg) {
* Feed one chunk of data to the JSON parser.
*/
int json_process_chunk(modsec_rec *msr, const char *buf, unsigned int size, char **error_msg) {
- if (error_msg == NULL) return -1;
+ assert(msr != NULL);
+ assert(msr->json != NULL);
+ assert(error_msg != NULL);
*error_msg = NULL;
+ base_offset=buf;
/* Feed our parser and catch any errors */
msr->json->status = yajl_parse(msr->json->handle, buf, size);
if (msr->json->status != yajl_status_ok) {
- /* We need to free the yajl error message later, how to do this? */
- *error_msg = yajl_get_error(msr->json->handle, 0, buf, size);
+ if (msr->json->depth_limit_exceeded) {
+ *error_msg = "JSON depth limit exceeded";
+ } else {
+ if (msr->json->yajl_error) *error_msg = msr->json->yajl_error;
+ else {
+ char* yajl_err = yajl_get_error(msr->json->handle, 0, buf, size);
+ *error_msg = apr_pstrdup(msr->mp, yajl_err);
+ yajl_free_error(msr->json->handle, yajl_err);
+ }
+ }
return -1;
}
@@ -289,16 +399,24 @@ int json_process_chunk(modsec_rec *msr, const char *buf, unsigned int size, char
* Finalise JSON parsing.
*/
int json_complete(modsec_rec *msr, char **error_msg) {
+ assert(msr != NULL);
+ assert(msr->json != NULL);
+ assert(error_msg != NULL);
char *json_data = (char *) NULL;
- if (error_msg == NULL) return -1;
*error_msg = NULL;
/* Wrap up the parsing process */
msr->json->status = yajl_complete_parse(msr->json->handle);
if (msr->json->status != yajl_status_ok) {
- /* We need to free the yajl error message later, how to do this? */
- *error_msg = yajl_get_error(msr->json->handle, 0, NULL, 0);
+ if (msr->json->depth_limit_exceeded) {
+ *error_msg = "JSON depth limit exceeded";
+ } else {
+ char *yajl_err = yajl_get_error(msr->json->handle, 0, NULL, 0);
+ *error_msg = apr_pstrdup(msr->mp, yajl_err);
+ yajl_free_error(msr->json->handle, yajl_err);
+ }
+
return -1;
}
@@ -306,10 +424,16 @@ int json_complete(modsec_rec *msr, char **error_msg) {
}
/**
- * Frees the resources used for XML parsing.
+ * Frees the resources used for JSON parsing.
*/
apr_status_t json_cleanup(modsec_rec *msr) {
+ assert(msr != NULL);
+ assert(msr->json != NULL);
msr_log(msr, 4, "JSON: Cleaning up JSON results");
+ if (msr->json->handle != NULL) {
+ yajl_free(msr->json->handle);
+ msr->json->handle = NULL;
+ }
return 1;
}
diff --git a/apache2/msc_json.h b/apache2/msc_json.h
index 02326ec03d..089dab4763 100644
--- a/apache2/msc_json.h
+++ b/apache2/msc_json.h
@@ -39,7 +39,9 @@ struct json_data {
/* prefix is used to create data hierarchy (i.e., 'parent.child.value') */
unsigned char *prefix;
- unsigned char *current_key;
+ const unsigned char *current_key;
+ long int current_depth;
+ int depth_limit_exceeded;
};
/* Functions */
diff --git a/apache2/msc_logging.c b/apache2/msc_logging.c
index 3323fac925..39588b10fa 100644
--- a/apache2/msc_logging.c
+++ b/apache2/msc_logging.c
@@ -25,11 +25,17 @@
#include "apr_version.h"
#include <libxml/xmlversion.h>
+#ifdef WITH_YAJL
+#include <yajl/yajl_gen.h>
+#include "msc_logging_json.h"
+#endif
+
/**
* Write the supplied data to the audit log (if the FD is ready), update
* the size counters, update the hash context.
*/
static int sec_auditlog_write(modsec_rec *msr, const char *data, unsigned int len) {
+ assert(msr != NULL);
apr_size_t nbytes_written, nbytes = len;
apr_status_t rc;
@@ -81,6 +87,8 @@ static int sec_auditlog_write(modsec_rec *msr, const char *data, unsigned int le
* some of the fields to make the log line shorter than _limit bytes.
*/
char *construct_log_vcombinedus_limited(modsec_rec *msr, int _limit, int *was_limited) {
+ assert(msr != NULL);
+ assert(was_limited != NULL);
char *hostname;
char *local_user, *remote_user;
char *referer, *user_agent, *uniqueid;
@@ -225,10 +233,24 @@ static char *construct_auditlog_filename(apr_pool_t *mp, const char *uniqueid) {
char tstr[300];
apr_size_t len;
+ /**
+ * This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations
+ * It also changes the return statement.
+ */
+ char *userinfo;
+ apr_status_t rc;
+ apr_uid_t uid;
+ apr_gid_t gid;
+ apr_uid_current(&uid, &gid, mp);
+ rc = apr_uid_name_get(&userinfo, uid, mp);
+ if (rc != APR_SUCCESS) {
+ userinfo = apr_psprintf(mp, "%u", uid);
+ }
+
apr_time_exp_lt(&t, apr_time_now());
apr_strftime(tstr, &len, 299, "/%Y%m%d/%Y%m%d-%H%M/%Y%m%d-%H%M%S", &t);
- return apr_psprintf(mp, "%s-%s", tstr, uniqueid);
+ return apr_psprintf(mp, "/%s%s-%s", userinfo, tstr, uniqueid);
}
/**
@@ -381,6 +403,41 @@ static void sec_auditlog_write_producer_header(modsec_rec *msr) {
sec_auditlog_write(msr, ".\n", 2);
}
+#ifdef WITH_YAJL
+/**
+ * Ouput the Producer header into a JSON generator
+ */
+static void sec_auditlog_write_producer_header_json(modsec_rec *msr, yajl_gen g) {
+ assert(msr != NULL);
+ char **signatures = NULL;
+ int i;
+
+ // this is written no matter what
+ yajl_string(g, "producer");
+
+ /* Try to write verything in one go. */
+ if (msr->txcfg->component_signatures->nelts == 0) {
+ yajl_string(g, MODSEC_MODULE_NAME_FULL);
+
+ return;
+ }
+
+ // we'll need an array if there are component signatures
+ yajl_gen_array_open(g);
+
+ /* Start with the ModSecurity signature. */
+ yajl_string(g, MODSEC_MODULE_NAME_FULL);
+
+ /* Then loop through the components and output individual signatures. */
+ signatures = (char **)msr->txcfg->component_signatures->elts;
+ for(i = 0; i < msr->txcfg->component_signatures->nelts; i++) {
+ yajl_string(g, (char *)signatures[i]);
+ }
+
+ yajl_gen_array_close(g); // array for producers is finished
+}
+#endif
+
/*
* \brief This function will returns the next chain node
*
@@ -467,6 +524,7 @@ static msre_rule *return_chained_rule(const msre_rule *current, modsec_rec *msr)
* \retval 1 On Success
*/
static int chained_is_matched(modsec_rec *msr, const msre_rule *next_rule) {
+ assert(msr != NULL);
int i = 0;
const msre_rule *rule = NULL;
@@ -480,10 +538,123 @@ static int chained_is_matched(modsec_rec *msr, const msre_rule *next_rule) {
return 0;
}
+#ifdef WITH_YAJL
/**
- * Produce an audit log entry.
+ * Write detailed information about performance metrics into a JSON generator
*/
-void sec_audit_logger(modsec_rec *msr) {
+static void format_performance_variables_json(modsec_rec *msr, yajl_gen g) {
+ assert(msr != NULL);
+ yajl_string(g, "stopwatch");
+ yajl_gen_map_open(g);
+
+ yajl_kv_int(g, "p1", msr->time_phase1);
+ yajl_kv_int(g, "p2", msr->time_phase2);
+ yajl_kv_int(g, "p3", msr->time_phase3);
+ yajl_kv_int(g, "p4", msr->time_phase4);
+ yajl_kv_int(g, "p5", msr->time_phase5);
+ yajl_kv_int(g, "sr", msr->time_storage_read);
+ yajl_kv_int(g, "sw", msr->time_storage_write);
+ yajl_kv_int(g, "l", msr->time_logging);
+ yajl_kv_int(g, "gc", msr->time_gc);
+
+ yajl_gen_map_close(g);
+}
+
+/**
+ * Write detailed information about a rule and its actionset into a JSON generator
+ */
+static void write_rule_json(modsec_rec *msr, const msre_rule *rule, yajl_gen g) {
+ assert(msr != NULL);
+ assert(rule != NULL);
+ const apr_array_header_t *tarr;
+ const apr_table_entry_t *telts;
+ int been_opened = 0;
+ int k;
+
+ yajl_gen_map_open(g);
+
+ yajl_string(g, "actionset");
+ yajl_gen_map_open(g);
+ if (rule->actionset->id) {
+ yajl_kv_string(g, "id", log_escape(msr->mp, rule->actionset->id));
+ }
+ if (rule->actionset->rev) {
+ yajl_kv_string(g, "rev", log_escape(msr->mp, rule->actionset->rev));
+ }
+ if (rule->actionset->version) {
+ yajl_kv_string(g, "version", log_escape(msr->mp, rule->actionset->version));
+ }
+ if (rule->actionset->severity != NOT_SET) {
+ yajl_kv_int(g, "severity", rule->actionset->severity);
+ }
+ if (rule->actionset->accuracy != NOT_SET) {
+ yajl_kv_int(g, "accuracy", rule->actionset->accuracy);
+ }
+ if (rule->actionset->maturity != NOT_SET) {
+ yajl_kv_int(g, "maturity", rule->actionset->maturity);
+ }
+ if (rule->actionset->phase != NOT_SET) {
+ yajl_kv_int(g, "phase", rule->actionset->phase);
+ }
+ yajl_kv_bool(g, "is_chained", rule->actionset->is_chained || (rule->chain_starter != NULL));
+ if (rule->actionset->is_chained && (rule->chain_starter == NULL)) {
+ yajl_kv_bool(g, "chain_starter", 1);
+ }
+
+ // tags, lazily opened
+ tarr = apr_table_elts(rule->actionset->actions);
+ telts = (const apr_table_entry_t*)tarr->elts;
+ for (k = 0; k < tarr->nelts; k++) {
+ msre_action *action = (msre_action *)telts[k].val;
+ if (strcmp(telts[k].key, "tag") == 0) {
+ msc_string *var = NULL;
+ if (been_opened == 0) {
+ yajl_string(g, "tags");
+ yajl_gen_array_open(g);
+ been_opened = 1;
+ }
+
+ // expand variables in the tag
+ var = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ var->value = (char *)action->param;
+ var->value_len = strlen(action->param);
+ expand_macros(msr, var, NULL, msr->mp);
+
+ yajl_string(g, log_escape(msr->mp, var->value));
+ }
+ }
+
+ if (been_opened == 1) {
+ yajl_gen_array_close(g);
+ }
+
+ yajl_gen_map_close(g);
+
+ yajl_string(g, "operator");
+ yajl_gen_map_open(g);
+ yajl_kv_string(g, "operator", rule->op_name);
+ yajl_kv_string(g, "operator_param", rule->op_param);
+ yajl_kv_string(g, "target", rule->p1);
+ yajl_kv_bool(g, "negated", rule->op_negated);
+ yajl_gen_map_close(g);
+
+ yajl_string(g, "config");
+ yajl_gen_map_open(g);
+ yajl_kv_string(g, "filename", rule->filename);
+ yajl_kv_int(g, "line_num", rule->line_num);
+ yajl_gen_map_close(g);
+
+ yajl_kv_string(g, "unparsed", rule->unparsed);
+ yajl_kv_bool(g, "is_matched", chained_is_matched(msr, rule));
+
+ yajl_gen_map_close(g);
+}
+
+/*
+ * Produce an audit log entry in JSON format.
+ */
+void sec_audit_logger_json(modsec_rec *msr) {
+ assert(msr != NULL);
const apr_array_header_t *arr = NULL;
apr_table_entry_t *te = NULL;
const apr_array_header_t *tarr_pattern = NULL;
@@ -501,9 +672,11 @@ void sec_audit_logger(modsec_rec *msr) {
char *buf = NULL, *pat = NULL;
msc_parm *mparm = NULL;
int arg_min, arg_max, sanitize_matched;
+ yajl_gen g;
+ int been_opened = 0; // helper flag for conditionally opening maps
+ const unsigned char *final_buf;
+ size_t len;
- /* the boundary is used by both audit log types */
- msr->new_auditlog_boundary = create_auditlog_boundary(msr->r);
/* Return silently if we don't have a request line. This
* means we will not be logging request timeouts.
@@ -584,36 +757,48 @@ void sec_audit_logger(modsec_rec *msr) {
/* Lock the mutex, but only if we are using serial format. */
if (msr->txcfg->auditlog_type != AUDITLOG_CONCURRENT) {
- rc = apr_global_mutex_lock(msr->modsecurity->auditlog_lock);
- if (rc != APR_SUCCESS) {
- msr_log(msr, 1, "Audit log: Failed to lock global mutex: %s",
- get_apr_error(msr->mp, rc));
- }
+ msr_global_mutex_lock(msr, msr->modsecurity->auditlog_lock, "Audit log");
}
- /* AUDITLOG_PART_HEADER */
+ /**
+ * allocate the buffer for the JSON generator
+ * passing null will force yajl to use malloc/realloc/free
+ * need to perf test using APR routines
+ */
+ g = yajl_gen_alloc(NULL);
- text = apr_psprintf(msr->mp, "--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_HEADER);
- sec_auditlog_write(msr, text, strlen(text));
+ /**
+ * don't pretty print JSON
+ * this is harder to eyeball but much easier to parse programmatically
+ */
+ yajl_gen_config(g, yajl_gen_beautify, 0);
- /* Format: time transaction_id remote_addr remote_port local_addr local_port */
+ yajl_gen_map_open(g); // IT BEGINS
- text = apr_psprintf(msr->mp, "[%s] %s %s %u %s %u",
- current_logtime(msr->mp), msr->txid, msr->remote_addr, msr->remote_port,
- msr->local_addr, msr->local_port);
- sec_auditlog_write(msr, text, strlen(text));
+ /* AUDITLOG_PART_HEADER */
+ yajl_string(g, "transaction");
+ yajl_gen_map_open(g); // transaction top-level key
+
+ yajl_kv_string(g, "time", current_logtime(msr->mp));
+ yajl_kv_string(g, "transaction_id", msr->txid);
+ yajl_kv_string(g, "remote_address", msr->remote_addr);
+ yajl_kv_int(g, "remote_port", (int)msr->remote_port); // msr->remote_port is unsigned, yajl wants signed
+ yajl_kv_string(g, "local_address", msr->local_addr);
+ yajl_kv_int(g, "local_port", (int)msr->local_port);
+ yajl_gen_map_close(g); // transaction top-level key is finished
+
+ yajl_string(g, "request");
+ yajl_gen_map_open(g); // request top-level key
/* AUDITLOG_PART_REQUEST_HEADERS */
if (strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_REQUEST_HEADERS) != NULL) {
- text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_REQUEST_HEADERS);
- sec_auditlog_write(msr, text, strlen(text));
-
sanitize_request_line(msr);
+ yajl_kv_string(g, "request_line", msr->request_line);
- sec_auditlog_write(msr, msr->request_line, strlen(msr->request_line));
- sec_auditlog_write(msr, "\n", 1);
+ yajl_string(g, "headers");
+ yajl_gen_map_open(g); // separate map for request headers
arr = apr_table_elts(msr->request_headers);
te = (apr_table_entry_t *)arr->elts;
@@ -625,9 +810,11 @@ void sec_audit_logger(modsec_rec *msr) {
sanitized_partial = 0;
sanitize_matched = 0;
text = apr_psprintf(msr->mp, "%s: %s\n", te[i].key, te[i].val);
+ // write the key no matter what
+ // since sanitization only occurs on the value
+ yajl_string(g, te[i].key);
if (apr_table_get(msr->request_headers_to_sanitize, te[i].key) != NULL) {
buf = apr_psprintf(msr->mp, "%s",text+strlen(te[i].key)+2);
-
for ( k = 0; k < tarr_pattern->nelts; k++) {
if(strncmp(telts_pattern[k].key,te[i].key,strlen(te[i].key)) ==0 ) {
mparm = (msc_parm *)telts_pattern[k].val;
@@ -656,13 +843,18 @@ void sec_audit_logger(modsec_rec *msr) {
}
if(sanitized_partial == 1 && sanitize_matched == 0) {
- text = apr_psprintf(msr->mp, "%s: %s\n", te[i].key, buf);
+ yajl_string(g, buf);
} else {
- memset(text + strlen(te[i].key) + 2, '*', strlen(te[i].val));
+ memset(buf, '*', strlen(buf)); // strlen also includes the appended newline on the header
+ yajl_string(g, buf);
}
+ } else {
+ // we diverge from the original logic a bit because we always print the key
+ // at this no point sanitization had occured, so we just print the value
+ yajl_string(g, te[i].val);
}
- sec_auditlog_write(msr, text, strlen(text));
}
+ yajl_gen_map_close(g); // request headers map is finished
}
/* AUDITLOG_PART_REQUEST_BODY */
@@ -705,7 +897,7 @@ void sec_audit_logger(modsec_rec *msr) {
for(i = 0; i < tarr->nelts; i++) {
msc_arg *arg = (msc_arg *)telts[i].val;
if (arg->origin != NULL &&
- strcmp(arg->origin, "BODY") != 0)
+ ( strcmp(arg->origin, "BODY") != 0 && strcmp(arg->origin, "JSON") !=0) )
continue;
if (last_offset == 0) { /* The first time we're here. */
@@ -749,9 +941,8 @@ void sec_audit_logger(modsec_rec *msr) {
unsigned int chunk_offset = 0;
unsigned int sanitize_offset = 0;
unsigned int sanitize_length = 0;
-
- text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_REQUEST_BODY);
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_string(g, "body");
+ yajl_gen_array_open(g); // use an array here because we're writing in chunks
for(;;) {
rc = modsecurity_request_body_retrieve(msr, &chunk, -1, &my_error_msg);
@@ -810,7 +1001,8 @@ void sec_audit_logger(modsec_rec *msr) {
/* Write the sanitized chunk to the log
* and advance to the next chunk. */
- sec_auditlog_write(msr, chunk->data, chunk->length);
+ chunk->data[chunk->length] = 0;
+ yajl_string(g, chunk->data);
chunk_offset += chunk->length;
}
@@ -819,6 +1011,8 @@ void sec_audit_logger(modsec_rec *msr) {
}
}
+ yajl_gen_array_close(g); // request body chunks array is finished
+
if (rc < 0) {
msr_log(msr, 1, "Audit log: %s", my_error_msg);
}
@@ -838,29 +1032,27 @@ void sec_audit_logger(modsec_rec *msr) {
if (buffer == NULL) {
msr_log(msr, 1, "Audit log: Failed to reconstruct request body.");
} else {
- text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_FAKE_REQUEST_BODY);
- sec_auditlog_write(msr, text, strlen(text));
- sec_auditlog_write(msr, buffer, strlen(buffer));
+ yajl_kv_string(g, "fake_body", buffer);
}
}
}
+ yajl_gen_map_close(g); // request top-level key is finished
+
+ yajl_string(g, "response");
+ yajl_gen_map_open(g); // response top-level key
+
/* AUDITLOG_PART_A_RESPONSE_HEADERS */
if (strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_A_RESPONSE_HEADERS) != NULL) {
- text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_A_RESPONSE_HEADERS);
- sec_auditlog_write(msr, text, strlen(text));
/* There are no response headers (or the status line) in HTTP 0.9 */
if (msr->response_headers_sent) {
- if (msr->status_line != NULL) {
- text = apr_psprintf(msr->mp, "%s %s\n", msr->response_protocol,
- msr->status_line);
- } else {
- text = apr_psprintf(msr->mp, "%s %u\n", msr->response_protocol,
- msr->response_status);
- }
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_kv_string(g, "protocol", msr->response_protocol);
+ // as an integer, response status is easier to parse than status_line
+ yajl_kv_int(g, "status", (int)msr->response_status);
+ yajl_string(g, "headers");
+ yajl_gen_map_open(g); // separate map for response headers
/* Output headers */
@@ -874,6 +1066,9 @@ void sec_audit_logger(modsec_rec *msr) {
sanitized_partial = 0;
sanitize_matched = 0;
text = apr_psprintf(msr->mp, "%s: %s\n", te[i].key, te[i].val);
+ // write the key no matter what
+ // since sanitization only occurs on the value
+ yajl_string(g, te[i].key);
if (apr_table_get(msr->response_headers_to_sanitize, te[i].key) != NULL) {
buf = apr_psprintf(msr->mp, "%s",text+strlen(te[i].key)+2);
@@ -905,13 +1100,18 @@ void sec_audit_logger(modsec_rec *msr) {
}
if(sanitized_partial == 1 && sanitize_matched == 0) {
- text = apr_psprintf(msr->mp, "%s: %s\n", te[i].key, buf);
+ yajl_string(g, buf);
} else {
- memset(text + strlen(te[i].key) + 2, '*', strlen(te[i].val));
+ memset(buf, '*', strlen(buf));
+ yajl_string(g, buf);
}
+ } else {
+ // we diverge from the original logic a bit because we always print the key
+ // at this point no sanitization had occured, so we just print the value
+ yajl_string(g, te[i].val);
}
- sec_auditlog_write(msr, text, strlen(text));
}
+ yajl_gen_map_close(g); // response headers map is finised
}
}
@@ -921,78 +1121,96 @@ void sec_audit_logger(modsec_rec *msr) {
if (strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_RESPONSE_BODY) != NULL) {
if (msr->resbody_data != NULL) {
- text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_RESPONSE_BODY);
- sec_auditlog_write(msr, text, strlen(text));
- sec_auditlog_write(msr, msr->resbody_data, msr->resbody_length);
+ yajl_kv_string(g, "body", msr->resbody_data);
wrote_response_body = 1;
}
}
+ yajl_gen_map_close(g); // response top-level key is finished
+
+ yajl_string(g, "audit_data");
+ yajl_gen_map_open(g); // audit_data top-level key
+
/* AUDITLOG_PART_TRAILER */
if (strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_TRAILER) != NULL) {
apr_time_t now = apr_time_now();
- text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_TRAILER);
- sec_auditlog_write(msr, text, strlen(text));
-
/* Messages */
+ been_opened = 0;
+ if (msr->alerts->nelts > 0) {
+ yajl_string(g, "messages");
+ yajl_gen_array_open(g);
+ been_opened = 1;
+ }
for(i = 0; i < msr->alerts->nelts; i++) {
- text = apr_psprintf(msr->mp, "Message: %s\n", ((char **)msr->alerts->elts)[i]);
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_string(g, ((char **)msr->alerts->elts)[i]);
+ }
+ if (been_opened == 1) {
+ yajl_gen_array_close(g);
}
/* Apache error messages */
+ been_opened = 0;
+ if (msr->error_messages->nelts > 0) {
+ yajl_string(g, "error_messages");
+ yajl_gen_array_open(g);
+ been_opened = 1;
+ }
for(i = 0; i < msr->error_messages->nelts; i++) {
error_message_t *em = (((error_message_t **)msr->error_messages->elts)[i]);
- text = apr_psprintf(msr->mp, "Apache-Error: %s\n",
- format_error_log_message(msr->mp, em));
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_string(g, format_error_log_message(msr->mp, em));
+ }
+ if (been_opened == 1) {
+ yajl_gen_array_close(g);
}
/* Action */
if (msr->was_intercepted) {
- text = apr_psprintf(msr->mp, "Action: Intercepted (phase %d)\n", msr->intercept_phase);
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_string(g, "action");
+ yajl_gen_map_open(g);
+ yajl_kv_bool(g, "intercepted", 1);
+ yajl_kv_int(g, "phase", msr->intercept_phase);
+ yajl_kv_string(g, "message", msr->intercept_message);
+ yajl_gen_map_close(g);
}
/* Apache-Handler */
+#ifdef LOG_NO_HANDLER
+ if (msr->txcfg->debuglog_level >= 9)
+#endif
if (msr->r->handler != NULL) {
- text = apr_psprintf(msr->mp, "Apache-Handler: %s\n", msr->r->handler);
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_kv_string(g, "handler", msr->r->handler);
}
- /* Stopwatch; left in for compatibility reasons */
- text = apr_psprintf(msr->mp, "Stopwatch: %" APR_TIME_T_FMT " %" APR_TIME_T_FMT " (- - -)\n",
- msr->request_time, (now - msr->request_time));
- sec_auditlog_write(msr, text, strlen(text));
/* Stopwatch2 */
- {
- char *perf_all = format_all_performance_variables(msr, msr->mp);
-
- text = apr_psprintf(msr->mp, "Stopwatch2: %" APR_TIME_T_FMT " %" APR_TIME_T_FMT
- "; %s\n", msr->request_time, (now - msr->request_time), perf_all);
-
- sec_auditlog_write(msr, text, strlen(text));
- }
+#ifdef LOG_NO_STOPWATCH
+ if (msr->txcfg->debuglog_level >= 9)
+#endif
+ format_performance_variables_json(msr, g);
/* Our response body does not contain chunks */
/* ENH Only write this when the output was chunked. */
/* ENH Add info when request body was decompressed, dechunked too. */
+#ifdef LOG_NO_DECHUNK
+ if (msr->txcfg->debuglog_level >= 9)
+#endif
if (wrote_response_body) {
- text = apr_psprintf(msr->mp, "Response-Body-Transformed: Dechunked\n");
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_kv_bool(g, "response_body_dechunked", 1);
}
- sec_auditlog_write_producer_header(msr);
+#ifdef LOG_NO_SERVER_CONTEXT
+ if (msr->txcfg->debuglog_level >= 9) {
+#endif
+ sec_auditlog_write_producer_header_json(msr, g);
/* Server */
if (msr->server_software != NULL) {
- text = apr_psprintf(msr->mp, "Server: %s\n", msr->server_software);
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_kv_string(g, "server", msr->server_software);
}
+ been_opened = 0;
/* Sanitised arguments */
{
const apr_array_header_t *tarr;
@@ -1002,15 +1220,23 @@ void sec_audit_logger(modsec_rec *msr) {
telts = (const apr_table_entry_t*)tarr->elts;
if (tarr->nelts > 0) {
- text = apr_psprintf(msr->mp, "Sanitised-Args: ");
- sec_auditlog_write(msr, text, strlen(text));
+ if (been_opened == 0) {
+ yajl_string(g, "sanitized");
+ yajl_gen_map_open(g);
+ been_opened = 1;
+ }
+
+ yajl_string(g, "args");
+ yajl_gen_array_open(g);
}
for(i = 0; i < tarr->nelts; i++) {
msc_arg *arg = (msc_arg *)telts[i].val;
- text = apr_psprintf(msr->mp, "%s\"%s\"%s", ((i == 0) ? "" : ", "),
- log_escape(msr->mp, arg->name), ((i == (tarr->nelts - 1)) ? ".\n" : ""));
- sec_auditlog_write(msr, text, strlen(text));
+ // yay arrays actually make it easier here
+ yajl_string(g, log_escape(msr->mp, arg->name));
+ }
+ if (tarr->nelts > 0) {
+ yajl_gen_array_close(g);
}
}
@@ -1023,14 +1249,21 @@ void sec_audit_logger(modsec_rec *msr) {
telts = (const apr_table_entry_t*)tarr->elts;
if (tarr->nelts > 0) {
- text = apr_psprintf(msr->mp, "Sanitised-Request-Headers: ");
- sec_auditlog_write(msr, text, strlen(text));
+ if (been_opened == 0) {
+ yajl_string(g, "sanitized");
+ yajl_gen_map_open(g);
+ been_opened = 1;
+ }
+
+ yajl_string(g, "request_headers");
+ yajl_gen_array_open(g);
}
for(i = 0; i < tarr->nelts; i++) {
- text = apr_psprintf(msr->mp, "%s\"%s\"%s", ((i == 0) ? "" : ", "),
- log_escape(msr->mp, telts[i].key), ((i == (tarr->nelts - 1)) ? ".\n" : ""));
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_string(g, log_escape(msr->mp, telts[i].key));
+ }
+ if (tarr->nelts > 0) {
+ yajl_gen_array_close(g);
}
}
@@ -1043,40 +1276,61 @@ void sec_audit_logger(modsec_rec *msr) {
telts = (const apr_table_entry_t*)tarr->elts;
if (tarr->nelts > 0) {
- text = apr_psprintf(msr->mp, "Sanitised-Response-Headers: ");
- sec_auditlog_write(msr, text, strlen(text));
+ if (been_opened == 0) {
+ yajl_string(g, "sanitized");
+ yajl_gen_map_open(g);
+ been_opened = 1;
+ }
+
+ yajl_string(g, "response_headers");
+ yajl_gen_array_open(g);
}
for(i = 0; i < tarr->nelts; i++) {
- text = apr_psprintf(msr->mp, "%s\"%s\"%s", ((i == 0) ? "" : ", "),
- log_escape(msr->mp, telts[i].key), ((i == (tarr->nelts - 1)) ? ".\n" : ""));
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_string(g, log_escape(msr->mp, telts[i].key));
+ }
+ if (tarr->nelts > 0) {
+ yajl_gen_array_close(g);
}
}
+ if (been_opened == 1) {
+ yajl_gen_map_close(g); // sanitized args map is finished
+ }
+#ifdef LOG_NO_SERVER_CONTEXT
+ }
+#endif
+
/* Web application info. */
if ( ((msr->txcfg->webappid != NULL)&&(strcmp(msr->txcfg->webappid, "default") != 0))
|| (msr->sessionid != NULL) || (msr->userid != NULL))
{
- text = apr_psprintf(msr->mp, "WebApp-Info: \"%s\" \"%s\" \"%s\"\n",
- msr->txcfg->webappid == NULL ? "-" : log_escape(msr->mp, msr->txcfg->webappid),
- msr->sessionid == NULL ? "-" : log_escape(msr->mp, msr->sessionid),
- msr->userid == NULL ? "-" : log_escape(msr->mp, msr->userid));
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_string(g, "webapp_info");
+ yajl_gen_map_open(g);
+
+ if (msr->txcfg->webappid != NULL) {
+ yajl_kv_string(g, "id", log_escape(msr->mp, msr->txcfg->webappid));
+ }
+ if (msr->sessionid != NULL) {
+ yajl_kv_string(g, "session", log_escape(msr->mp, msr->sessionid));
+ }
+ if (msr->userid != NULL) {
+ yajl_kv_string(g, "user_id", log_escape(msr->mp, msr->userid));
+ }
+
+ yajl_gen_map_close(g);
}
if ( ((msr->txcfg->sensor_id != NULL)&&(strcmp(msr->txcfg->sensor_id, "default") != 0)))
{
- text = apr_psprintf(msr->mp, "Sensor-Id: \"%s\"\n",
- msr->txcfg->sensor_id == NULL ? "-" : log_escape(msr->mp, msr->txcfg->sensor_id)),
- sec_auditlog_write(msr, text, strlen(text));
+ if(msr->txcfg->sensor_id != NULL) {
+ yajl_kv_string(g, "sensor_id", log_escape(msr->mp, msr->txcfg->sensor_id));
+ }
}
if (msr->txcfg->is_enabled > 0) {
- text = apr_psprintf(msr->mp, "Engine-Mode: \"%s\"\n",
- msr->txcfg->is_enabled == 1 ? "DETECTION_ONLY" : "ENABLED"),
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_kv_string(g, "engine_mode", (msr->txcfg->is_enabled == 1 ? "DETECTION_ONLY" : "ENABLED"));
}
/* Rule performance time */
@@ -1088,54 +1342,72 @@ void sec_audit_logger(modsec_rec *msr) {
telts = (const apr_table_entry_t*)tarr->elts;
if (tarr->nelts > 0) {
- text = apr_psprintf(msr->mp, "Rules-Performance-Info: ");
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_string(g, "rules_performance_info");
+ yajl_gen_map_open(g); // separate map for rule perf info
}
for(i = 0; i < tarr->nelts; i++) {
- text = apr_psprintf(msr->mp, "%s\"%s=%s\"%s", ((i == 0) ? "" : ", "),
- log_escape(msr->mp, telts[i].key), log_escape(msr->mp, telts[i].val), ((i == (tarr->nelts - 1)) ? ".\n" : ""));
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_kv_string(g, log_escape(msr->mp, telts[i].key), log_escape(msr->mp, telts[i].val));
+ }
+ if (tarr->nelts > 0) {
+ yajl_gen_map_close(g); // map for rule perf info is finished
}
}
-
}
+ yajl_gen_map_close(g); // audit_data top-level key is finished
+
/* AUDITLOG_PART_UPLOADS */
if ((strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_UPLOADS) != NULL) && (msr->mpd != NULL)) {
multipart_part **parts = NULL;
unsigned int total_size = 0;
int cfiles = 0;
- text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_UPLOADS);
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_string(g, "uploads");
+ yajl_gen_map_open(g);
parts = (multipart_part **)msr->mpd->parts->elts;
+ yajl_string(g, "info");
+ yajl_gen_array_open(g); // separate array for upload info
for(cfiles = 0; cfiles < msr->mpd->parts->nelts; cfiles++) {
if (parts[cfiles]->type == MULTIPART_FILE) {
if(parts[cfiles]->filename != NULL) {
- text = apr_psprintf(msr->mp, "%d,%u,\"%s\",\"%s\"\n", cfiles+1, parts[cfiles]->tmp_file_size, log_escape(msr->mp, parts[cfiles]->filename), log_escape(msr->mp, parts[cfiles]->content_type ? parts[cfiles]->content_type : "<Unknown ContentType>"));
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_gen_map_open(g);
+ yajl_kv_int(g, "file_size", parts[cfiles]->tmp_file_size);
+ yajl_kv_string(g, "file_name", log_escape(msr->mp, parts[cfiles]->filename));
+ yajl_kv_string(g, "content_type", parts[cfiles]->content_type ? parts[cfiles]->content_type : "<Unknown Content-Type>");
total_size += parts[cfiles]->tmp_file_size;
+ yajl_gen_map_close(g);
}
}
}
- text = apr_psprintf(msr->mp, "Total,%u\n", total_size);
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_gen_array_close(g); // array for upload info is finished
+ yajl_kv_int(g, "total", total_size);
+
+ yajl_gen_map_close(g); // uploads top-level key is finished
}
/* AUDITLOG_PART_MATCHEDRULES */
if (strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_MATCHEDRULES) != NULL) {
- text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_MATCHEDRULES);
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_string(g, "matched_rules");
+ yajl_gen_array_open(g); // matched_rules top-level key
/* Matched Rules */
+
for(i = 0; i < msr->matched_rules->nelts; i++) {
rule = ((msre_rule **)msr->matched_rules->elts)[i];
if ((rule != NULL) && (rule->actionset != NULL) && rule->actionset->is_chained && (rule->chain_starter == NULL)) {
- text = apr_psprintf(msr->mp, "%s\n", rule->unparsed);
- sec_auditlog_write(msr, text, strlen(text));
+ /*
+ * create a separate map for each rule chain
+ * this makes it a lot easier to search for partial chains
+ */
+ yajl_gen_map_open(g); // map for this chain
+ yajl_kv_bool(g, "chain", 1);
+ yajl_string(g, "rules");
+ yajl_gen_array_open(g); // array for the rules
+
+ write_rule_json(msr, rule, g);
do {
if (rule->ruleset != NULL) {
@@ -1145,47 +1417,55 @@ void sec_audit_logger(modsec_rec *msr) {
present = chained_is_matched(msr,next_rule);
- if (present == 0) {
- text = apr_psprintf(msr->mp, "#%s\n",next_rule->unparsed);
- } else {
- text = apr_psprintf(msr->mp, "%s\n",next_rule->unparsed);
+ if (present == 1) {
i++;
}
-
- sec_auditlog_write(msr, text, strlen(text));
+ write_rule_json(msr, next_rule, g);
}
}
rule = next_rule;
} while (rule != NULL && rule->actionset != NULL && rule->actionset->is_chained);
- text = apr_psprintf(msr->mp, "\n");
- sec_auditlog_write(msr, text, strlen(text));
+ yajl_gen_array_close(g);
+
+ yajl_kv_bool(g, "full_chain_match", present); // if one of the rules didnt match, present is set to 0
+ yajl_gen_map_close(g); // close the map for this chain
} else {
+ yajl_gen_map_open(g);
+
+ yajl_kv_bool(g, "chain", 0);
+ yajl_string(g, "rules"); // this really should be 'rule', but we're keeping in line with other chain maps
+
+ yajl_gen_array_open(g);
if ((rule != NULL) && (rule->actionset != NULL) && !rule->actionset->is_chained && (rule->chain_starter == NULL)) {
- text = apr_psprintf(msr->mp, "%s\n\n", rule->unparsed);
- sec_auditlog_write(msr, text, strlen(text));
+ write_rule_json(msr, rule, g);
}
+ yajl_gen_array_close(g);
+
+ yajl_gen_map_close(g);
}
}
- }
+ yajl_gen_array_close(g); // matched_rules top-level key is finished
+ }
/* AUDITLOG_PART_ENDMARKER */
- text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_ENDMARKER);
- sec_auditlog_write(msr, text, strlen(text));
+ /* finished building JSON */
+ yajl_gen_map_close(g); // box it up!
+
+ yajl_gen_get_buf(g, &final_buf, &len);
+ sec_auditlog_write(msr, final_buf, len);
+
+ yajl_gen_clear(g);
+ yajl_gen_free(g);
+
+ sec_auditlog_write(msr, "\n", 1);
/* Return here if we were writing to a serial log
* as it does not need an index file.
*/
if (msr->txcfg->auditlog_type != AUDITLOG_CONCURRENT) {
- sec_auditlog_write(msr, "\n", 1);
-
/* Unlock the mutex we used to serialise access to the audit log file. */
- rc = apr_global_mutex_unlock(msr->modsecurity->auditlog_lock);
- if (rc != APR_SUCCESS) {
- msr_log(msr, 1, "Audit log: Failed to unlock global mutex: %s",
- get_apr_error(msr->mp, rc));
- }
-
+ msr_global_mutex_unlock(msr, msr->modsecurity->auditlog_lock, "Audit log");
return;
}
@@ -1249,3 +1529,790 @@ void sec_audit_logger(modsec_rec *msr) {
apr_file_write_full(msr->txcfg->auditlog2_fd, text, nbytes, &nbytes_written);
}
}
+#endif
+
+/*
+ * Produce an audit log entry in native format.
+ */
+void sec_audit_logger_native(modsec_rec *msr) {
+ assert(msr != NULL);
+ const apr_array_header_t *arr = NULL;
+ apr_table_entry_t *te = NULL;
+ const apr_array_header_t *tarr_pattern = NULL;
+ const apr_table_entry_t *telts_pattern = NULL;
+ char *str1 = NULL, *str2 = NULL, *text = NULL;
+ const msre_rule *rule = NULL, *next_rule = NULL;
+ apr_size_t nbytes, nbytes_written;
+ unsigned char md5hash[APR_MD5_DIGESTSIZE];
+ int was_limited = 0;
+ int present = 0;
+ int wrote_response_body = 0;
+ char *entry_filename, *entry_basename;
+ apr_status_t rc;
+ int i, limit, k, sanitized_partial, j;
+ char *buf = NULL, *pat = NULL;
+ msc_parm *mparm = NULL;
+ int arg_min, arg_max, sanitize_matched;
+
+ /* the boundary is used by both audit log types */
+ msr->new_auditlog_boundary = create_auditlog_boundary(msr->r);
+
+ /* Return silently if we don't have a request line. This
+ * means we will not be logging request timeouts.
+ */
+ if (msr->request_line == NULL) {
+ msr_log(msr, 4, "Audit log: Skipping request whose request_line is null.");
+ return;
+ }
+
+ /* Also return silently if we don't have a file descriptor. */
+ if (msr->txcfg->auditlog_fd == NULL) {
+ msr_log(msr, 4, "Audit log: Skipping request since there is nowhere to write to.");
+ return;
+ }
+
+ if (msr->txcfg->auditlog_type != AUDITLOG_CONCURRENT) {
+ /* Serial logging - we already have an open file
+ * descriptor to write to.
+ */
+ msr->new_auditlog_fd = msr->txcfg->auditlog_fd;
+ } else {
+ /* Concurrent logging - we need to create a brand
+ * new file for this request.
+ */
+ apr_md5_init(&msr->new_auditlog_md5ctx);
+
+ msr->new_auditlog_filename = construct_auditlog_filename(msr->mp, msr->txid);
+ if (msr->new_auditlog_filename == NULL) return;
+
+ /* The audit log storage directory should be explicitly
+ * defined. But if it isn't try to write to the same
+ * directory where the index file is placed. Of course,
+ * it is *very* bad practice to allow the Apache user
+ * to write to the same directory where a root user is
+ * writing to but it's not us that's causing the problem
+ * and there isn't anything we can do about that.
+ *
+ * ENH Actually there is something we can do! We will make
+ * SecAuditStorageDir mandatory, ask the user to explicitly
+ * define the storage location *and* refuse to work if the
+ * index and the storage location are in the same folder.
+ */
+ if (msr->txcfg->auditlog_storage_dir == NULL) {
+ entry_filename = file_dirname(msr->mp, msr->txcfg->auditlog_name);
+ }
+ else {
+ entry_filename = msr->txcfg->auditlog_storage_dir;
+ }
+ if (entry_filename == NULL) return;
+
+ entry_filename = apr_psprintf(msr->mp, "%s%s", entry_filename, msr->new_auditlog_filename);
+ if (entry_filename == NULL) return;
+ entry_basename = file_dirname(msr->mp, entry_filename);
+ if (entry_basename == NULL) return;
+
+ /* IMP1 Surely it would be more efficient to check the folders for
+ * the audit log repository base path in the configuration phase, to reduce
+ * the work we do on every request. Also, since our path depends on time,
+ * we could cache the time we last checked and don't check if we know
+ * the folder is there.
+ */
+ rc = apr_dir_make_recursive(entry_basename, msr->txcfg->auditlog_dirperms, msr->mp);
+ if ((rc != APR_SUCCESS) && (rc != APR_EEXIST)) {
+ msr_log(msr, 1, "Audit log: Failed to create subdirectories: %s (%s)",
+ entry_basename, get_apr_error(msr->mp, rc));
+ return;
+ }
+
+ rc = apr_file_open(&msr->new_auditlog_fd, entry_filename,
+ APR_WRITE | APR_TRUNCATE | APR_CREATE | APR_BINARY | APR_FILE_NOCLEANUP,
+ msr->txcfg->auditlog_fileperms, msr->mp);
+ if (rc != APR_SUCCESS) {
+ msr_log(msr, 1, "Audit log: Failed to create file: %s (%s)",
+ entry_filename, get_apr_error(msr->mp, rc));
+ return;
+ }
+ }
+
+ /* Lock the mutex, but only if we are using serial format. */
+ if (msr->txcfg->auditlog_type != AUDITLOG_CONCURRENT) {
+ msr_global_mutex_lock(msr, msr->modsecurity->auditlog_lock, "Audit log");
+ }
+
+
+ /* AUDITLOG_PART_HEADER */
+ text = apr_psprintf(msr->mp, "--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_HEADER);
+ sec_auditlog_write(msr, text, strlen(text));
+ /* Format: time transaction_id remote_addr remote_port local_addr local_port */
+
+ text = apr_psprintf(msr->mp, "[%s] %s %s %u %s %u",
+ current_logtime(msr->mp), msr->txid, msr->remote_addr, msr->remote_port,
+ msr->local_addr, msr->local_port);
+ sec_auditlog_write(msr, text, strlen(text));
+
+ /* AUDITLOG_PART_REQUEST_HEADERS */
+
+ if (strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_REQUEST_HEADERS) != NULL) {
+ text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_REQUEST_HEADERS);
+ sec_auditlog_write(msr, text, strlen(text));
+
+ sanitize_request_line(msr);
+ sec_auditlog_write(msr, msr->request_line, strlen(msr->request_line));
+ sec_auditlog_write(msr, "\n", 1);
+
+
+ arr = apr_table_elts(msr->request_headers);
+ te = (apr_table_entry_t *)arr->elts;
+
+ tarr_pattern = apr_table_elts(msr->pattern_to_sanitize);
+ telts_pattern = (const apr_table_entry_t*)tarr_pattern->elts;
+
+ for (i = 0; i < arr->nelts; i++) {
+ sanitized_partial = 0;
+ sanitize_matched = 0;
+ text = apr_psprintf(msr->mp, "%s: %s\n", te[i].key, te[i].val);
+ if (apr_table_get(msr->request_headers_to_sanitize, te[i].key) != NULL) {
+ buf = apr_psprintf(msr->mp, "%s",text+strlen(te[i].key)+2);
+ for ( k = 0; k < tarr_pattern->nelts; k++) {
+ if(strncmp(telts_pattern[k].key,te[i].key,strlen(te[i].key)) ==0 ) {
+ mparm = (msc_parm *)telts_pattern[k].val;
+ if(mparm->pad_1 == -1)
+ sanitize_matched = 1;
+ pat = strstr(buf,mparm->value);
+ if (pat != NULL) {
+ j = strlen(mparm->value);
+ arg_min = j;
+ arg_max = 1;
+ while((*pat != '\0')&&(j--)) {
+ if(arg_max > mparm->pad_2) {
+ int off = strlen(mparm->value) - arg_max;
+ int pos = mparm->pad_1-1;
+ if(off > pos) {
+ *pat = '*';
+ }
+ }
+ arg_max++;
+ arg_min--;
+ pat++;
+ }
+ sanitized_partial = 1;
+ }
+ }
+ }
+
+ if(sanitized_partial == 1 && sanitize_matched == 0) {
+ text = apr_psprintf(msr->mp, "%s: %s\n", te[i].key, buf);
+ } else {
+ memset(text + strlen(te[i].key) + 2, '*', strlen(te[i].val));
+ }
+ }
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+ }
+
+ /* AUDITLOG_PART_REQUEST_BODY */
+
+ /* Output this part of it was explicitly requested (C) or if it was the faked
+ * request body that was requested (I) but we have no reason to fake it (it's
+ * already in the correct format).
+ */
+ if ( (strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_REQUEST_BODY) != NULL)
+ || ( (strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_FAKE_REQUEST_BODY) != NULL)
+ && (msr->mpd == NULL) ) )
+ {
+ if (msr->msc_reqbody_read) {
+ const apr_array_header_t *tarr;
+ const apr_table_entry_t *telts;
+ apr_array_header_t *sorted_args;
+ unsigned int offset = 0, last_offset = 0;
+ msc_arg *nextarg = NULL;
+ int sanitize = 0; /* IMP1 Use constants for "sanitize" values. */
+ char *my_error_msg = NULL;
+
+ sorted_args = apr_array_make(msr->mp, 25, sizeof(const msc_arg *));
+
+ /* First we need to sort the arguments that need to be
+ * sanitized in descending order (we are using a stack structure
+ * to store then so the order will be ascending when we start
+ * popping them out). This is because we will
+ * be reading the request body sequentially and must
+ * sanitize it as we go.
+ */
+
+ for(;;) {
+ nextarg = NULL;
+
+ /* Find the next largest offset (excluding
+ * the ones we've used up already).
+ */
+ tarr = apr_table_elts(msr->arguments_to_sanitize);
+ telts = (const apr_table_entry_t*)tarr->elts;
+ for(i = 0; i < tarr->nelts; i++) {
+ msc_arg *arg = (msc_arg *)telts[i].val;
+ if (arg->origin != NULL &&
+ ( strcmp(arg->origin, "BODY") != 0 && strcmp(arg->origin, "JSON") != 0) )
+ continue;
+
+ if (last_offset == 0) { /* The first time we're here. */
+ if (arg->value_origin_offset > offset) {
+ offset = arg->value_origin_offset;
+ nextarg = arg;
+ }
+ } else { /* Not the first time. */
+ if ((arg->value_origin_offset > offset)
+ &&(arg->value_origin_offset < last_offset))
+ {
+ offset = arg->value_origin_offset;
+ nextarg = arg;
+ }
+ }
+ }
+
+ /* If we don't have the next argument that means
+ * we're done here.
+ */
+ if (nextarg == NULL) break;
+
+ sanitize = 2; /* Means time to pop the next argument out. */
+ last_offset = offset;
+ offset = 0;
+ { /* IMP1 Fix this ugly bit here. */
+ msc_arg **x = apr_array_push(sorted_args);
+ *x = nextarg;
+ }
+ }
+
+ /* Now start retrieving the body chunk by chunk and
+ * sanitize data in pieces.
+ */
+
+ rc = modsecurity_request_body_retrieve_start(msr, &my_error_msg);
+ if (rc < 0) {
+ msr_log(msr, 1, "Audit log: %s", my_error_msg);
+ } else {
+ msc_data_chunk *chunk = NULL;
+ unsigned int chunk_offset = 0;
+ unsigned int sanitize_offset = 0;
+ unsigned int sanitize_length = 0;
+ text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_REQUEST_BODY);
+ sec_auditlog_write(msr, text, strlen(text));
+
+ for(;;) {
+ rc = modsecurity_request_body_retrieve(msr, &chunk, -1, &my_error_msg);
+ if (chunk != NULL) {
+ /* Anything greater than 1 means we have more data to sanitize. */
+ while (sanitize > 1) {
+ msc_arg **arg = NULL;
+
+ if (sanitize == 2) {
+ /* Get the next argument from the stack. */
+ arg = (msc_arg **)apr_array_pop(sorted_args);
+ if (arg == NULL) sanitize = 0; /* We're done sanitising. */
+ else {
+ /* Continue with sanitation to process the
+ * retrieved argument.
+ */
+ sanitize = 1;
+ sanitize_offset = (*arg)->value_origin_offset;
+ sanitize_length = (*arg)->value_origin_len;
+ }
+ }
+
+ if (sanitize) {
+ /* Check if the data we want to sanitize is
+ * stored in the current chunk.
+ */
+ if (chunk_offset + chunk->length > sanitize_offset) {
+ unsigned int soff; /* data offset within chunk */
+ unsigned int len; /* amount in this chunk to sanitize */
+
+ soff = sanitize_offset - chunk_offset;
+
+ if (soff + sanitize_length <= chunk->length) {
+ /* The entire argument resides in the current chunk. */
+ len = sanitize_length;
+ sanitize = 2; /* Get another parameter to sanitize. */
+ } else {
+ /* Some work to do here but we'll need to seek
+ * another chunk.
+ */
+ len = chunk->length - soff;
+ sanitize_offset += len;
+ sanitize_length -= len;
+ sanitize = 1; /* It's OK to go to the next chunk. */
+ }
+
+ /* Yes, we actually write over the original data.
+ * We shouldn't be needing it any more.
+ */
+ if (soff + len <= chunk->length) { /* double check */
+ memset((char *)chunk->data + soff, '*', len);
+ }
+ }
+ }
+ }
+
+ /* Write the sanitized chunk to the log
+ * and advance to the next chunk. */
+ sec_auditlog_write(msr, chunk->data, chunk->length);
+ chunk_offset += chunk->length;
+ }
+
+ if (rc <= 0) {
+ break;
+ }
+ }
+
+ if (rc < 0) {
+ msr_log(msr, 1, "Audit log: %s", my_error_msg);
+ }
+
+ modsecurity_request_body_retrieve_end(msr);
+ }
+ }
+ }
+
+ /* AUDITLOG_PART_FAKE_REQUEST_BODY */
+
+ if (strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_FAKE_REQUEST_BODY) != NULL) {
+ if ((msr->msc_reqbody_read)&&(msr->mpd != NULL)) {
+ char *buffer = NULL;
+
+ buffer = multipart_reconstruct_urlencoded_body_sanitize(msr);
+ if (buffer == NULL) {
+ msr_log(msr, 1, "Audit log: Failed to reconstruct request body.");
+ } else {
+ text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_FAKE_REQUEST_BODY);
+ sec_auditlog_write(msr, text, strlen(text));
+ sec_auditlog_write(msr, buffer, strlen(buffer));
+ }
+ }
+ }
+
+ /* AUDITLOG_PART_A_RESPONSE_HEADERS */
+
+ if (strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_A_RESPONSE_HEADERS) != NULL) {
+ text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_A_RESPONSE_HEADERS);
+ sec_auditlog_write(msr, text, strlen(text));
+
+ /* There are no response headers (or the status line) in HTTP 0.9 */
+ if (msr->response_headers_sent) {
+ if (msr->status_line != NULL && msr->status_line[0] != '\0') {
+ text = apr_psprintf(msr->mp, "%s %s\n", msr->response_protocol,
+ msr->status_line);
+ } else {
+ text = apr_psprintf(msr->mp, "%s %u\n", msr->response_protocol,
+ msr->response_status);
+ }
+ sec_auditlog_write(msr, text, strlen(text));
+
+ /* Output headers */
+
+ arr = apr_table_elts(msr->response_headers);
+ te = (apr_table_entry_t *)arr->elts;
+
+ tarr_pattern = apr_table_elts(msr->pattern_to_sanitize);
+ telts_pattern = (const apr_table_entry_t*)tarr_pattern->elts;
+
+ for (i = 0; i < arr->nelts; i++) {
+ sanitized_partial = 0;
+ sanitize_matched = 0;
+ text = apr_psprintf(msr->mp, "%s: %s\n", te[i].key, te[i].val);
+ if (apr_table_get(msr->response_headers_to_sanitize, te[i].key) != NULL) {
+ buf = apr_psprintf(msr->mp, "%s",text+strlen(te[i].key)+2);
+
+ for ( k = 0; k < tarr_pattern->nelts; k++) {
+ if(strncmp(telts_pattern[k].key,te[i].key,strlen(te[i].key)) ==0 ) {
+ mparm = (msc_parm *)telts_pattern[k].val;
+ if(mparm->pad_1 == -1)
+ sanitize_matched = 1;
+ pat = strstr(buf,mparm->value);
+ if (pat != NULL) {
+ j = strlen(mparm->value);
+ arg_min = j;
+ arg_max = 1;
+ while((*pat != '\0')&&(j--)) {
+ if(arg_max > mparm->pad_2) {
+ int off = strlen(mparm->value) - arg_max;
+ int pos = mparm->pad_1-1;
+ if(off > pos) {
+ *pat = '*';
+ }
+ }
+ arg_max++;
+ arg_min--;
+ pat++;
+ }
+ sanitized_partial = 1;
+ }
+ }
+ }
+
+ if(sanitized_partial == 1 && sanitize_matched == 0) {
+ text = apr_psprintf(msr->mp, "%s: %s\n", te[i].key, buf);
+ } else {
+ memset(text + strlen(te[i].key) + 2, '*', strlen(te[i].val));
+ }
+ }
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+ }
+ }
+
+ apr_table_clear(msr->pattern_to_sanitize);
+
+ /* AUDITLOG_PART_RESPONSE_BODY */
+
+ if (strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_RESPONSE_BODY) != NULL) {
+ if (msr->resbody_data != NULL) {
+ text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_RESPONSE_BODY);
+ sec_auditlog_write(msr, text, strlen(text));
+ sec_auditlog_write(msr, msr->resbody_data, msr->resbody_length);
+ wrote_response_body = 1;
+ }
+ }
+
+ /* AUDITLOG_PART_TRAILER */
+
+ if (strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_TRAILER) != NULL) {
+ apr_time_t now = apr_time_now();
+ text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_TRAILER);
+ sec_auditlog_write(msr, text, strlen(text));
+
+ /* Messages */
+ for(i = 0; i < msr->alerts->nelts; i++) {
+ text = apr_psprintf(msr->mp, "Message: %s\n", ((char **)msr->alerts->elts)[i]);
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+
+ /* Apache error messages */
+ for(i = 0; i < msr->error_messages->nelts; i++) {
+ error_message_t *em = (((error_message_t **)msr->error_messages->elts)[i]);
+ text = apr_psprintf(msr->mp, "Apache-Error: %s\n",
+ format_error_log_message(msr->mp, em));
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+
+ /* Action */
+ if (msr->was_intercepted) {
+ text = apr_psprintf(msr->mp, "Action: Intercepted (phase %d)\n", msr->intercept_phase);
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+
+ /* Apache-Handler */
+#ifdef LOG_NO_HANDLER
+ if (msr->txcfg->debuglog_level >= 9)
+#endif
+ if (msr->r->handler != NULL) {
+ text = apr_psprintf(msr->mp, "Apache-Handler: %s\n", msr->r->handler);
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+
+ /* Stopwatch; left in for compatibility reasons */
+#ifdef LOG_NO_STOPWATCH
+ if (msr->txcfg->debuglog_level >= 9) {
+#endif
+ text = apr_psprintf(msr->mp, "Stopwatch: %" APR_TIME_T_FMT " %" APR_TIME_T_FMT " (- - -)\n",
+ msr->request_time, (now - msr->request_time));
+ sec_auditlog_write(msr, text, strlen(text));
+
+ /* Stopwatch2 */
+ {
+ char *perf_all = format_all_performance_variables(msr, msr->mp);
+
+ text = apr_psprintf(msr->mp, "Stopwatch2: %" APR_TIME_T_FMT " %" APR_TIME_T_FMT
+ "; %s\n", msr->request_time, (now - msr->request_time), perf_all);
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+#ifdef LOG_NO_STOPWATCH
+ }
+#endif
+
+ /* Our response body does not contain chunks */
+ /* ENH Only write this when the output was chunked. */
+ /* ENH Add info when request body was decompressed, dechunked too. */
+#ifdef LOG_NO_DECHUNK
+ if (msr->txcfg->debuglog_level >= 9)
+#endif
+ if (wrote_response_body) {
+ text = apr_psprintf(msr->mp, "Response-Body-Transformed: Dechunked\n");
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+
+#ifdef LOG_NO_SERVER_CONTEXT
+ if (msr->txcfg->debuglog_level >= 9) {
+#endif
+ sec_auditlog_write_producer_header(msr);
+
+ /* Server */
+ if (msr->server_software != NULL) {
+ text = apr_psprintf(msr->mp, "Server: %s\n", msr->server_software);
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+
+ /* Sanitised arguments */
+ {
+ const apr_array_header_t *tarr;
+ const apr_table_entry_t *telts;
+
+ tarr = apr_table_elts(msr->arguments_to_sanitize);
+ telts = (const apr_table_entry_t*)tarr->elts;
+
+ if (tarr->nelts > 0) {
+ text = apr_psprintf(msr->mp, "Sanitised-Args: ");
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+
+ for(i = 0; i < tarr->nelts; i++) {
+ msc_arg *arg = (msc_arg *)telts[i].val;
+ text = apr_psprintf(msr->mp, "%s\"%s\"%s", ((i == 0) ? "" : ", "),
+ log_escape(msr->mp, arg->name), ((i == (tarr->nelts - 1)) ? ".\n" : ""));
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+ }
+
+ /* Sanitised request headers */
+ {
+ const apr_array_header_t *tarr;
+ const apr_table_entry_t *telts;
+
+ tarr = apr_table_elts(msr->request_headers_to_sanitize);
+ telts = (const apr_table_entry_t*)tarr->elts;
+
+ if (tarr->nelts > 0) {
+ text = apr_psprintf(msr->mp, "Sanitised-Request-Headers: ");
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+
+ for(i = 0; i < tarr->nelts; i++) {
+ text = apr_psprintf(msr->mp, "%s\"%s\"%s", ((i == 0) ? "" : ", "),
+ log_escape(msr->mp, telts[i].key), ((i == (tarr->nelts - 1)) ? ".\n" : ""));
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+ }
+
+ /* Sanitised response headers */
+ {
+ const apr_array_header_t *tarr;
+ const apr_table_entry_t *telts;
+
+ tarr = apr_table_elts(msr->response_headers_to_sanitize);
+ telts = (const apr_table_entry_t*)tarr->elts;
+
+ if (tarr->nelts > 0) {
+ text = apr_psprintf(msr->mp, "Sanitised-Response-Headers: ");
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+
+ for(i = 0; i < tarr->nelts; i++) {
+ text = apr_psprintf(msr->mp, "%s\"%s\"%s", ((i == 0) ? "" : ", "),
+ log_escape(msr->mp, telts[i].key), ((i == (tarr->nelts - 1)) ? ".\n" : ""));
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+ }
+#ifdef LOG_NO_SERVER_CONTEXT
+ }
+#endif
+
+ /* Web application info. */
+ if ( ((msr->txcfg->webappid != NULL)&&(strcmp(msr->txcfg->webappid, "default") != 0))
+ || (msr->sessionid != NULL) || (msr->userid != NULL))
+ {
+ text = apr_psprintf(msr->mp, "WebApp-Info: \"%s\" \"%s\" \"%s\"\n",
+ msr->txcfg->webappid == NULL ? "-" : log_escape(msr->mp, msr->txcfg->webappid),
+ msr->sessionid == NULL ? "-" : log_escape(msr->mp, msr->sessionid),
+ msr->userid == NULL ? "-" : log_escape(msr->mp, msr->userid));
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+
+ if ( ((msr->txcfg->sensor_id != NULL)&&(strcmp(msr->txcfg->sensor_id, "default") != 0)))
+ {
+ text = apr_psprintf(msr->mp, "Sensor-Id: \"%s\"\n",
+ msr->txcfg->sensor_id == NULL ? "-" : log_escape(msr->mp, msr->txcfg->sensor_id)),
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+
+
+ if (msr->txcfg->is_enabled > 0) {
+ text = apr_psprintf(msr->mp, "Engine-Mode: \"%s\"\n",
+ msr->txcfg->is_enabled == 1 ? "DETECTION_ONLY" : "ENABLED"),
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+
+ /* Rule performance time */
+ if(msr->txcfg->max_rule_time > 0) {
+ const apr_array_header_t *tarr;
+ const apr_table_entry_t *telts;
+
+ tarr = apr_table_elts(msr->perf_rules);
+ telts = (const apr_table_entry_t*)tarr->elts;
+
+ if (tarr->nelts > 0) {
+ text = apr_psprintf(msr->mp, "Rules-Performance-Info: ");
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+
+ for(i = 0; i < tarr->nelts; i++) {
+ text = apr_psprintf(msr->mp, "%s\"%s=%s\"%s", ((i == 0) ? "" : ", "),
+ log_escape(msr->mp, telts[i].key), log_escape(msr->mp, telts[i].val), ((i == (tarr->nelts - 1)) ? ".\n" : ""));
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+ }
+ }
+
+ /* AUDITLOG_PART_UPLOADS */
+ if ((strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_UPLOADS) != NULL) && (msr->mpd != NULL)) {
+ multipart_part **parts = NULL;
+ unsigned int total_size = 0;
+ int cfiles = 0;
+
+ text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_UPLOADS);
+ sec_auditlog_write(msr, text, strlen(text));
+
+ parts = (multipart_part **)msr->mpd->parts->elts;
+ for(cfiles = 0; cfiles < msr->mpd->parts->nelts; cfiles++) {
+ if (parts[cfiles]->type == MULTIPART_FILE) {
+ if(parts[cfiles]->filename != NULL) {
+ text = apr_psprintf(msr->mp, "%d,%u,\"%s\",\"%s\"\n", cfiles+1, parts[cfiles]->tmp_file_size, log_escape(msr->mp, parts[cfiles]->filename), log_escape(msr->mp, parts[cfiles]->content_type ? parts[cfiles]->content_type : "<Unknown ContentType>"));
+ sec_auditlog_write(msr, text, strlen(text));
+ total_size += parts[cfiles]->tmp_file_size;
+ }
+ }
+ }
+ text = apr_psprintf(msr->mp, "Total,%u\n", total_size);
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+
+ /* AUDITLOG_PART_MATCHEDRULES */
+
+ if (strchr(msr->txcfg->auditlog_parts, AUDITLOG_PART_MATCHEDRULES) != NULL) {
+ text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_MATCHEDRULES);
+ sec_auditlog_write(msr, text, strlen(text));
+
+ /* Matched Rules */
+
+ for(i = 0; i < msr->matched_rules->nelts; i++) {
+ rule = ((msre_rule **)msr->matched_rules->elts)[i];
+ if ((rule != NULL) && (rule->actionset != NULL) && rule->actionset->is_chained && (rule->chain_starter == NULL)) {
+ text = apr_psprintf(msr->mp, "%s\n", rule->unparsed);
+ sec_auditlog_write(msr, text, strlen(text));
+ do {
+ if (rule->ruleset != NULL) {
+
+ next_rule = return_chained_rule(rule,msr);
+
+ if (next_rule != NULL) {
+
+ present = chained_is_matched(msr,next_rule);
+
+ if (present == 0) {
+ text = apr_psprintf(msr->mp, "#%s\n",next_rule->unparsed);
+ } else {
+ text = apr_psprintf(msr->mp, "%s\n",next_rule->unparsed);
+ i++;
+ }
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+ }
+ rule = next_rule;
+ } while (rule != NULL && rule->actionset != NULL && rule->actionset->is_chained);
+ text = apr_psprintf(msr->mp, "\n");
+ sec_auditlog_write(msr, text, strlen(text));
+ } else {
+ if ((rule != NULL) && (rule->actionset != NULL) && !rule->actionset->is_chained && (rule->chain_starter == NULL)) {
+ text = apr_psprintf(msr->mp, "%s\n", rule->unparsed);
+ sec_auditlog_write(msr, text, strlen(text));
+ }
+ }
+ }
+ }
+ /* AUDITLOG_PART_ENDMARKER */
+ text = apr_psprintf(msr->mp, "\n--%s-%c--\n", msr->new_auditlog_boundary, AUDITLOG_PART_ENDMARKER);
+ sec_auditlog_write(msr, text, strlen(text));
+
+ /* Return here if we were writing to a serial log
+ * as it does not need an index file.
+ */
+ if (msr->txcfg->auditlog_type != AUDITLOG_CONCURRENT) {
+ sec_auditlog_write(msr, "\n", 1);
+ /* Unlock the mutex we used to serialise access to the audit log file. */
+ msr_global_mutex_unlock(msr, msr->modsecurity->auditlog_lock, "Audit log");
+ return;
+ }
+
+ /* From here on only concurrent-style processing. */
+
+ /* File handle might already be closed after write failure. */
+ if (msr->new_auditlog_fd) {
+ apr_file_close(msr->new_auditlog_fd);
+ }
+
+ /* Write an entry to the index file */
+
+ /* Calculate hash of the entry. */
+ apr_md5_final(md5hash, &msr->new_auditlog_md5ctx);
+
+ str2 = apr_psprintf(msr->mp, "%s %d %d md5:%s", msr->new_auditlog_filename, 0,
+ msr->new_auditlog_size, bytes2hex(msr->mp, md5hash, 16));
+ if (str2 == NULL) return;
+
+ /* We do not want the index line to be longer than 3980 bytes. */
+ limit = 3980;
+ was_limited = 0;
+
+ /* If we are logging to a pipe we need to observe and
+ * obey the pipe atomic write limit - PIPE_BUF. For
+ * more details see the discussion in sec_guardian_logger code.
+ */
+ if (msr->txcfg->auditlog_name[0] == '|') {
+ if (PIPE_BUF < limit) {
+ limit = PIPE_BUF;
+ }
+ }
+
+ limit = limit - strlen(str2) - 5;
+ if (limit <= 0) {
+ msr_log(msr, 1, "Audit Log: Atomic PIPE write buffer too small: %d", PIPE_BUF);
+ return;
+ }
+
+ str1 = construct_log_vcombinedus_limited(msr, limit, &was_limited);
+ if (str1 == NULL) return;
+
+ if (was_limited == 0) {
+ text = apr_psprintf(msr->mp, "%s %s \n", str1, str2);
+ } else {
+ text = apr_psprintf(msr->mp, "%s %s L\n", str1, str2);
+ }
+ if (text == NULL) return;
+
+ nbytes = strlen(text);
+ if (msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "Audit Log: Writing %" APR_SIZE_T_FMT " bytes to primary concurrent index", nbytes);
+ }
+ apr_file_write_full(msr->txcfg->auditlog_fd, text, nbytes, &nbytes_written);
+
+ /* Write to the secondary audit log if we have one */
+ if (msr->txcfg->auditlog2_fd != NULL) {
+ if (msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "Audit Log: Writing %" APR_SIZE_T_FMT " bytes to secondary concurrent index", nbytes);
+ }
+ apr_file_write_full(msr->txcfg->auditlog2_fd, text, nbytes, &nbytes_written);
+ }
+}
+
+/*
+ * Handler for audit log writers.
+ */
+void sec_audit_logger(modsec_rec *msr) {
+ #ifdef WITH_YAJL
+ assert(msr != NULL);
+ if (msr->txcfg->auditlog_format == AUDITLOGFORMAT_JSON) {
+ sec_audit_logger_json(msr);
+ } else {
+ #endif
+ sec_audit_logger_native(msr);
+ #ifdef WITH_YAJL
+ }
+ #endif
+}
diff --git a/apache2/msc_logging.h b/apache2/msc_logging.h
index 75af9da7ae..5378ddc659 100644
--- a/apache2/msc_logging.h
+++ b/apache2/msc_logging.h
@@ -22,6 +22,11 @@
#define AUDITLOG_SERIAL 0
#define AUDITLOG_CONCURRENT 1
+#ifdef WITH_YAJL
+#define AUDITLOGFORMAT_JSON 0
+#define AUDITLOGFORMAT_NATIVE 1
+#endif
+
#define AUDITLOG_PART_FIRST 'A'
#define AUDITLOG_PART_HEADER 'A'
#define AUDITLOG_PART_REQUEST_HEADERS 'B'
diff --git a/apache2/msc_logging_json.h b/apache2/msc_logging_json.h
new file mode 100644
index 0000000000..e49b98c29d
--- /dev/null
+++ b/apache2/msc_logging_json.h
@@ -0,0 +1,13 @@
+#include <string.h>
+
+#include <yajl/yajl_gen.h>
+
+#define yajl_string(g, s) yajl_gen_string(g, (const unsigned char *)s, strlen(s))
+
+#define yajl_kv_null(g, k) yajl_string(g, k); yajl_gen_null(g)
+
+#define yajl_kv_int(g, k, v) yajl_string(g, k); yajl_gen_integer(g, v)
+
+#define yajl_kv_string(g, k, v) yajl_string(g, k); yajl_string(g, v)
+
+#define yajl_kv_bool(g, k, v) yajl_string(g, k); yajl_gen_bool(g, v)
diff --git a/apache2/msc_lua.c b/apache2/msc_lua.c
index f4482ae7e5..e1715c03b5 100644
--- a/apache2/msc_lua.c
+++ b/apache2/msc_lua.c
@@ -111,8 +111,11 @@ char *lua_compile(msc_script **script, const char *filename, apr_pool_t *pool) {
dump.pool = pool;
dump.parts = apr_array_make(pool, 128, sizeof(msc_script_part *));
+#if LUA_VERSION_NUM >= 503
+ lua_dump(L, dump_writer, &dump, 0);
+#else
lua_dump(L, dump_writer, &dump);
-
+#endif
(*script) = apr_pcalloc(pool, sizeof(msc_script));
(*script)->name = filename;
(*script)->parts = dump.parts;
@@ -151,6 +154,8 @@ static int l_log(lua_State *L) {
*
*/
static apr_array_header_t *resolve_tfns(lua_State *L, int idx, modsec_rec *msr, apr_pool_t *mp) {
+ assert(msr != NULL);
+ assert(mp != NULL);
apr_array_header_t *tfn_arr = NULL;
msre_tfn_metadata *tfn = NULL;
char *name = NULL;
@@ -403,11 +408,13 @@ static const struct luaL_Reg mylib[] = {
*
*/
int lua_execute(msc_script *script, char *param, modsec_rec *msr, msre_rule *rule, char **error_msg) {
+ assert(script != NULL);
+ assert(msr != NULL);
+ assert(error_msg != NULL);
apr_time_t time_before;
lua_State *L = NULL;
int rc = 0;
- if (error_msg == NULL) return -1;
*error_msg = NULL;
if (msr->txcfg->debuglog_level >= 8) {
@@ -417,23 +424,32 @@ int lua_execute(msc_script *script, char *param, modsec_rec *msr, msre_rule *rul
time_before = apr_time_now();
#ifdef CACHE_LUA
+
L = msr->L;
rc = lua_gettop(L);
if(rc)
lua_pop(L, rc);
+
#else
+
/* Create new state. */
-#if LUA_VERSION_NUM > 501
+#if LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503 || LUA_VERSION_NUM == 504 || LUA_VERSION_NUM == 501
L = luaL_newstate();
-#else
+#elif LUA_VERSION_NUM == 500
L = lua_open();
+#else
+#error We are only tested under Lua 5.0, 5.1, 5.2, 5.3, or 5.4.
#endif
luaL_openlibs(L);
+
#endif
if(L == NULL)
return -1;
+ luaL_newmetatable(L, "luaL_msc");
+ lua_newtable(L);
+
/* Associate msr with the state. */
lua_pushlightuserdata(L, (void *)msr);
lua_setglobal(L, "__msr");
@@ -445,13 +461,16 @@ int lua_execute(msc_script *script, char *param, modsec_rec *msr, msre_rule *rul
}
/* Register functions. */
-#if LUA_VERSION_NUM > 501
- luaL_setfuncs(L,mylib,0);
- lua_setglobal(L,"m");
-#else
+#if LUA_VERSION_NUM == 500 || LUA_VERSION_NUM == 501
luaL_register(L, "m", mylib);
+#elif LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503 || LUA_VERSION_NUM == 504
+ luaL_setfuncs(L, mylib, 0);
+#else
+#error We are only tested under Lua 5.0, 5.1, 5.2, 5.3, or 5.4.
#endif
+ lua_setglobal(L, "m");
+
rc = lua_restore(L, script);
if (rc) {
*error_msg = apr_psprintf(msr->mp, "Lua: Failed to restore script with %i.", rc);
diff --git a/apache2/msc_multipart.c b/apache2/msc_multipart.c
index 88eff9b7a1..dc24248de7 100644
--- a/apache2/msc_multipart.c
+++ b/apache2/msc_multipart.c
@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -20,18 +20,22 @@
#include "msc_util.h"
#include "msc_parsers.h"
-void validate_quotes(modsec_rec *msr, char *data) {
+void validate_quotes(modsec_rec *msr, char *data, char quote) {
+ assert(msr != NULL);
int i, len;
- if(msr == NULL)
- return;
-
if(msr->mpd == NULL)
return;
if(data == NULL)
return;
+ // if the value was enclosed in double quotes, then we don't care about
+ // a single quote character within the name.
+ if (quote == '"') {
+ return;
+ }
+
len = strlen(data);
for(i = 0; i < len; i++) {
@@ -78,6 +82,8 @@ static char *multipart_construct_filename(modsec_rec *msr) {
*
*/
static int multipart_parse_content_disposition(modsec_rec *msr, char *c_d_value) {
+ assert(msr != NULL);
+ assert(c_d_value != NULL);
char *p = NULL, *t = NULL;
/* accept only what we understand */
@@ -123,9 +129,10 @@ static int multipart_parse_content_disposition(modsec_rec *msr, char *c_d_value)
* set so the user can deal with it in the rules if they so wish.
*/
+ char quote = '\0';
if ((*p == '"') || (*p == '\'')) {
/* quoted */
- char quote = *p;
+ quote = *p; // remember which quote character was used for the value
if (quote == '\'') {
msr->mpd->flag_invalid_quoting = 1;
@@ -182,7 +189,7 @@ static int multipart_parse_content_disposition(modsec_rec *msr, char *c_d_value)
if (strcmp(name, "name") == 0) {
- validate_quotes(msr, value);
+ validate_quotes(msr, value, quote);
msr->multipart_name = apr_pstrdup(msr->mp, value);
@@ -201,7 +208,7 @@ static int multipart_parse_content_disposition(modsec_rec *msr, char *c_d_value)
else
if (strcmp(name, "filename") == 0) {
- validate_quotes(msr, value);
+ validate_quotes(msr, value, quote);
msr->multipart_filename = apr_pstrdup(msr->mp, value);
@@ -248,9 +255,10 @@ static int multipart_parse_content_disposition(modsec_rec *msr, char *c_d_value)
*
*/
static int multipart_process_part_header(modsec_rec *msr, char **error_msg) {
+ assert(msr != NULL);
+ assert(error_msg != NULL);
int i, len, rc;
- if (error_msg == NULL) return -1;
*error_msg = NULL;
/* Check for nul bytes. */
@@ -318,7 +326,14 @@ static int multipart_process_part_header(modsec_rec *msr, char **error_msg) {
}
msr->mpd->mpp_state = 1;
+ msr->mpd->mpp_substate_part_data_read = 0;
msr->mpd->mpp->last_header_name = NULL;
+
+ /* Record the last part header line in the collection */
+ if (msr->mpd->mpp->last_header_line != NULL) {
+ *(char **)apr_array_push(msr->mpd->mpp->header_lines) = msr->mpd->mpp->last_header_line;
+ msr_log(msr, 9, "Multipart: Added part header line \"%s\"", msr->mpd->mpp->last_header_line);
+ }
} else {
/* Header line. */
@@ -372,12 +387,28 @@ static int multipart_process_part_header(modsec_rec *msr, char **error_msg) {
*error_msg = apr_psprintf(msr->mp, "Multipart: Part header too long.");
return -1;
}
+ if ((msr->mpd->mpp->last_header_line != NULL) && (msr->mpd->mpp->last_header_name != NULL)
+ && (new_value != NULL)) {
+ msr->mpd->mpp->last_header_line = apr_psprintf(msr->mp,
+ "%s: %s", msr->mpd->mpp->last_header_name, new_value);
+ }
+
} else {
char *header_name, *header_value, *data;
/* new header */
+ /* Record the most recently-seen part header line in the collection */
+ if (msr->mpd->mpp->last_header_line != NULL) {
+ *(char **)apr_array_push(msr->mpd->mpp->header_lines) = msr->mpd->mpp->last_header_line;
+ msr_log(msr, 9, "Multipart: Added part header line \"%s\"", msr->mpd->mpp->last_header_line);
+ }
+
data = msr->mpd->buf;
+
+ msr->mpd->mpp->last_header_line = apr_pstrdup(msr->mp, data);
+ remove_lf_crlf_inplace(msr->mpd->mpp->last_header_line);
+
while((*data != ':') && (*data != '\0')) data++;
if (*data == '\0') {
*error_msg = apr_psprintf(msr->mp, "Multipart: Invalid part header (colon missing): %s.",
@@ -393,6 +424,16 @@ static int multipart_process_part_header(modsec_rec *msr, char **error_msg) {
return -1;
}
+ /* check if multipart header contains any invalid characters */
+ char *ch = header_name;
+ while(*ch != '\0') {
+ if (*ch < 33 || *ch > 126) {
+ *error_msg = apr_psprintf(msr->mp, "Multipart: Invalid part header (contains invalid character).");
+ return -1;
+ }
+ ch++;
+ }
+
/* extract the value value */
data++;
while((*data == '\t') || (*data == ' ')) data++;
@@ -424,13 +465,16 @@ static int multipart_process_part_header(modsec_rec *msr, char **error_msg) {
*
*/
static int multipart_process_part_data(modsec_rec *msr, char **error_msg) {
+ assert(msr != NULL);
+ assert(error_msg != NULL);
char *p = msr->mpd->buf + (MULTIPART_BUF_SIZE - msr->mpd->bufleft);
char localreserve[2] = { '\0', '\0' }; /* initialized to quiet warning */
int bytes_reserved = 0;
- if (error_msg == NULL) return -1;
*error_msg = NULL;
+ msr->mpd->mpp_substate_part_data_read = 1;
+
/* Preserve some bytes for later. */
if ( ((MULTIPART_BUF_SIZE - msr->mpd->bufleft) >= 1)
&& (*(p - 1) == '\n') )
@@ -596,6 +640,8 @@ static int multipart_process_part_data(modsec_rec *msr, char **error_msg) {
*
*/
static char *multipart_combine_value_parts(modsec_rec *msr, apr_array_header_t *value_parts) {
+ assert(msr != NULL);
+ assert(value_parts != NULL);
value_part_t **parts = NULL;
char *rval = apr_palloc(msr->mp, msr->mpd->mpp->length + 1);
unsigned long int offset;
@@ -620,6 +666,7 @@ static char *multipart_combine_value_parts(modsec_rec *msr, apr_array_header_t *
*
*/
static int multipart_process_boundary(modsec_rec *msr, int last_part, char **error_log) {
+ assert(msr != NULL);
/* if there was a part being built finish it */
if (msr->mpd->mpp != NULL) {
/* close the temp file */
@@ -673,10 +720,14 @@ static int multipart_process_boundary(modsec_rec *msr, int last_part, char **err
if (msr->mpd->mpp == NULL) return -1;
msr->mpd->mpp->type = MULTIPART_FORMDATA;
msr->mpd->mpp_state = 0;
+ msr->mpd->mpp_substate_part_data_read = 0;
msr->mpd->mpp->headers = apr_table_make(msr->mp, 10);
if (msr->mpd->mpp->headers == NULL) return -1;
msr->mpd->mpp->last_header_name = NULL;
+ msr->mpd->mpp->last_header_line = NULL;
+ msr->mpd->mpp->header_lines = apr_array_make(msr->mp, 2, sizeof(char *));
+ if (msr->mpd->mpp->header_lines == NULL) return -1;
msr->mpd->reserve[0] = 0;
msr->mpd->reserve[1] = 0;
@@ -695,42 +746,29 @@ static int multipart_boundary_characters_valid(char *boundary) {
if (p == NULL) return -1;
- while((c = *p) != '\0') {
- /* Control characters and space not allowed. */
- if (c < 32) {
+ while ((c = *p) != '\0') {
+ // Check against allowed list defined in RFC2046 page 21
+ if (!(
+ ('0' <= c && c <= '9')
+ || ('A' <= c && c <= 'Z')
+ || ('a' <= c && c <= 'z')
+ || (c == ' ' && *(p + 1) != '\0') // space allowed, but not as last character
+ || c == '\''
+ || c == '('
+ || c == ')'
+ || c == '+'
+ || c == '_'
+ || c == ','
+ || c == '-'
+ || c == '.'
+ || c == '/'
+ || c == ':'
+ || c == '='
+ || c == '?'
+ )) {
return 0;
}
- /* Non-ASCII characters not allowed. */
- if (c > 126) {
- return 0;
- }
-
- switch(c) {
- /* Special characters not allowed. */
- case '(' :
- case ')' :
- case '<' :
- case '>' :
- case '@' :
- case ',' :
- case ';' :
- case ':' :
- case '\\' :
- case '"' :
- case '/' :
- case '[' :
- case ']' :
- case '?' :
- case '=' :
- return 0;
- break;
-
- default :
- /* Do nothing. */
- break;
- }
-
p++;
}
@@ -765,7 +803,8 @@ static int multipart_count_boundary_params(apr_pool_t *mp, const char *header_va
*
*/
int multipart_init(modsec_rec *msr, char **error_msg) {
- if (error_msg == NULL) return -1;
+ assert(msr != NULL);
+ assert(error_msg != NULL);
*error_msg = NULL;
msr->mpd = (multipart_data *)apr_pcalloc(msr->mp, sizeof(multipart_data));
@@ -929,6 +968,8 @@ int multipart_init(modsec_rec *msr, char **error_msg) {
* is clear that there is no more data to be processed.
*/
int multipart_complete(modsec_rec *msr, char **error_msg) {
+ assert(msr != NULL);
+ assert(error_msg != NULL);
if (msr->mpd == NULL) return 1;
if (msr->txcfg->debuglog_level >= 4) {
@@ -989,6 +1030,19 @@ int multipart_complete(modsec_rec *msr, char **error_msg) {
&& (*(msr->mpd->buf + 2 + strlen(msr->mpd->boundary)) == '-')
&& (*(msr->mpd->buf + 2 + strlen(msr->mpd->boundary) + 1) == '-') )
{
+ if ((msr->mpd->crlf_state_buf_end == 2) && (msr->mpd->flag_lf_line != 1)) {
+ msr->mpd->flag_lf_line = 1;
+ if (msr->mpd->flag_crlf_line) {
+ msr_log(msr, 4, "Multipart: Warning: mixed line endings used (CRLF/LF).");
+ } else {
+ msr_log(msr, 4, "Multipart: Warning: incorrect line endings used (LF).");
+ }
+ }
+ if (msr->mpd->mpp_substate_part_data_read == 0) {
+ /* it looks like the final boundary, but it's where part data should begin */
+ msr->mpd->flag_invalid_part = 1;
+ msr_log(msr, 4, "Multipart: Warning: Invalid part (data contains final boundary)");
+ }
/* Looks like the final boundary - process it. */
if (multipart_process_boundary(msr, 1 /* final */, error_msg) < 0) {
msr->mpd->flag_error = 1;
@@ -1019,10 +1073,12 @@ int multipart_complete(modsec_rec *msr, char **error_msg) {
int multipart_process_chunk(modsec_rec *msr, const char *buf,
unsigned int size, char **error_msg)
{
+ assert(msr != NULL);
+ assert(buf != NULL);
+ assert(error_msg != NULL);
char *inptr = (char *)buf;
unsigned int inleft = size;
- if (error_msg == NULL) return -1;
*error_msg = NULL;
if (size == 0) return 1;
@@ -1081,54 +1137,63 @@ int multipart_process_chunk(modsec_rec *msr, const char *buf,
if ( (strlen(msr->mpd->buf) >= strlen(msr->mpd->boundary) + 2)
&& (strncmp(msr->mpd->buf + 2, msr->mpd->boundary, strlen(msr->mpd->boundary)) == 0) )
{
- char *boundary_end = msr->mpd->buf + 2 + strlen(msr->mpd->boundary);
- int is_final = 0;
+ if (msr->mpd->crlf_state_buf_end == 2) {
+ msr->mpd->flag_lf_line = 1;
+ }
+ if ((msr->mpd->mpp_substate_part_data_read == 0) && (msr->mpd->boundary_count > 0)) {
+ /* string matches our boundary, but it's where part data should begin */
+ msr->mpd->flag_invalid_part = 1;
+ msr_log(msr, 4, "Multipart: Warning: Invalid part (data contains boundary)");
+ } else {
+ char *boundary_end = msr->mpd->buf + 2 + strlen(msr->mpd->boundary);
+ int is_final = 0;
+
+ /* Is this the final boundary? */
+ if ((*boundary_end == '-') && (*(boundary_end + 1)== '-')) {
+ is_final = 1;
+ boundary_end += 2;
+
+ if (msr->mpd->is_complete != 0) {
+ msr->mpd->flag_error = 1;
+ *error_msg = apr_psprintf(msr->mp,
+ "Multipart: Invalid boundary (final duplicate).");
+ return -1;
+ }
+ }
- /* Is this the final boundary? */
- if ((*boundary_end == '-') && (*(boundary_end + 1)== '-')) {
- is_final = 1;
- boundary_end += 2;
+ /* Allow for CRLF and LF line endings. */
+ if ( ( (*boundary_end == '\r')
+ && (*(boundary_end + 1) == '\n')
+ && (*(boundary_end + 2) == '\0') )
+ || ( (*boundary_end == '\n')
+ && (*(boundary_end + 1) == '\0') ) )
+ {
+ if (*boundary_end == '\n') {
+ msr->mpd->flag_lf_line = 1;
+ } else {
+ msr->mpd->flag_crlf_line = 1;
+ }
- if (msr->mpd->is_complete != 0) {
- msr->mpd->flag_error = 1;
- *error_msg = apr_psprintf(msr->mp,
- "Multipart: Invalid boundary (final duplicate).");
- return -1;
- }
- }
+ if (multipart_process_boundary(msr, (is_final ? 1 : 0), error_msg) < 0) {
+ msr->mpd->flag_error = 1;
+ return -1;
+ }
- /* Allow for CRLF and LF line endings. */
- if ( ( (*boundary_end == '\r')
- && (*(boundary_end + 1) == '\n')
- && (*(boundary_end + 2) == '\0') )
- || ( (*boundary_end == '\n')
- && (*(boundary_end + 1) == '\0') ) )
- {
- if (*boundary_end == '\n') {
- msr->mpd->flag_lf_line = 1;
- } else {
- msr->mpd->flag_crlf_line = 1;
- }
+ if (is_final) {
+ msr->mpd->is_complete = 1;
+ }
- if (multipart_process_boundary(msr, (is_final ? 1 : 0), error_msg) < 0) {
+ processed_as_boundary = 1;
+ msr->mpd->boundary_count++;
+ }
+ else {
+ /* error */
msr->mpd->flag_error = 1;
+ *error_msg = apr_psprintf(msr->mp,
+ "Multipart: Invalid boundary: %s",
+ log_escape_nq(msr->mp, msr->mpd->buf));
return -1;
}
-
- if (is_final) {
- msr->mpd->is_complete = 1;
- }
-
- processed_as_boundary = 1;
- msr->mpd->boundary_count++;
- }
- else {
- /* error */
- msr->mpd->flag_error = 1;
- *error_msg = apr_psprintf(msr->mp,
- "Multipart: Invalid boundary: %s",
- log_escape_nq(msr->mp, msr->mpd->buf));
- return -1;
}
} else { /* It looks like a boundary but we couldn't match it. */
char *p = NULL;
@@ -1227,6 +1292,21 @@ int multipart_process_chunk(modsec_rec *msr, const char *buf,
msr->mpd->bufptr = msr->mpd->buf;
msr->mpd->bufleft = MULTIPART_BUF_SIZE;
msr->mpd->buf_contains_line = (c == 0x0a) ? 1 : 0;
+
+ if (c == 0x0a) {
+ if (msr->mpd->crlf_state == 1) {
+ msr->mpd->crlf_state = 3;
+ } else {
+ msr->mpd->crlf_state = 2;
+ }
+ }
+ msr->mpd->crlf_state_buf_end = msr->mpd->crlf_state;
+ }
+
+ if (c == 0x0d) {
+ msr->mpd->crlf_state = 1;
+ } else if (c != 0x0a) {
+ msr->mpd->crlf_state = 0;
}
if ((msr->mpd->is_complete) && (inleft != 0)) {
@@ -1247,6 +1327,7 @@ int multipart_process_chunk(modsec_rec *msr, const char *buf,
*
*/
apr_status_t multipart_cleanup(modsec_rec *msr) {
+ assert(msr != NULL);
int keep_files = 0;
if (msr->mpd == NULL) return -1;
@@ -1330,6 +1411,11 @@ apr_status_t multipart_cleanup(modsec_rec *msr) {
const char *new_filename = NULL;
const char *new_basename = NULL;
+ if (strcmp(msr->txcfg->upload_dir, msr->txcfg->tmp_dir) == 0) {
+ msr_log(msr, 4, "Not moving part to identical location");
+ continue;
+ }
+
/* make sure it is closed first */
if (parts[i]->tmp_file_fd > 0) {
close(parts[i]->tmp_file_fd);
@@ -1368,6 +1454,7 @@ apr_status_t multipart_cleanup(modsec_rec *msr) {
*
*/
int multipart_get_arguments(modsec_rec *msr, char *origin, apr_table_t *arguments) {
+ assert(msr != NULL);
multipart_part **parts;
int i;
diff --git a/apache2/msc_multipart.h b/apache2/msc_multipart.h
index a0f6a08ddf..a9c20b9b19 100644
--- a/apache2/msc_multipart.h
+++ b/apache2/msc_multipart.h
@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -55,6 +55,8 @@ struct multipart_part {
char *last_header_name;
apr_table_t *headers;
+ char *last_header_line;
+ apr_array_header_t *header_lines;
unsigned int offset;
unsigned int length;
@@ -81,6 +83,15 @@ struct multipart_data {
char *bufptr;
int bufleft;
+ /* line ending status seen immediately before current position.
+ * 0 = neither LF nor CR; 1 = prev char CR; 2 = prev char LF alone;
+ * 3 = prev two chars were CRLF
+ */
+ int crlf_state;
+
+ /* crlf_state at end of previous buffer */
+ int crlf_state_buf_end;
+
unsigned int buf_offset;
/* pointer that keeps track of a part while
@@ -94,6 +105,14 @@ struct multipart_data {
*/
int mpp_state;
+ /* part parsing substate; if mpp_state is 1 (collecting
+ * data), then for this variable:
+ * 0 means we have not yet read any data between the
+ * post-headers blank line and the next boundary
+ * 1 means we have read at some data after that blank line
+ */
+ int mpp_substate_part_data_read;
+
/* because of the way this parsing algorithm
* works we hold back the last two bytes of
* each data chunk so that we can discard it
diff --git a/apache2/msc_parsers.c b/apache2/msc_parsers.c
index 57f291ec2a..9a84e2adf4 100644
--- a/apache2/msc_parsers.c
+++ b/apache2/msc_parsers.c
@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -21,6 +21,9 @@
int parse_cookies_v0(modsec_rec *msr, char *_cookie_header,
apr_table_t *cookies, const char *delim)
{
+ assert(msr != NULL);
+ assert(cookies != NULL);
+ assert(delim != NULL);
char *attr_name = NULL, *attr_value = NULL;
char *cookie_header;
char *saveptr = NULL;
@@ -95,6 +98,8 @@ int parse_cookies_v0(modsec_rec *msr, char *_cookie_header,
int parse_cookies_v1(modsec_rec *msr, char *_cookie_header,
apr_table_t *cookies)
{
+ assert(msr != NULL);
+ assert(cookies != NULL);
char *attr_name = NULL, *attr_value = NULL, *p = NULL;
char *prev_attr_name = NULL;
char *cookie_header = NULL;
@@ -239,6 +244,8 @@ int parse_arguments(modsec_rec *msr, const char *s, apr_size_t inputlength,
int argument_separator, const char *origin,
apr_table_t *arguments, int *invalid_count)
{
+ assert(msr != NULL);
+ assert(invalid_count != NULL);
msc_arg *arg;
apr_size_t i, j;
char *value = NULL;
@@ -266,7 +273,7 @@ int parse_arguments(modsec_rec *msr, const char *s, apr_size_t inputlength,
if (status == 0) {
/* parameter name */
arg->name_origin_offset = i;
- while ((s[i] != '=') && (s[i] != argument_separator) && (i < inputlength)) {
+ while ((i < inputlength) && (s[i] != '=') && (s[i] != argument_separator)) {
buf[j] = s[i];
j++;
i++;
@@ -340,12 +347,30 @@ int parse_arguments(modsec_rec *msr, const char *s, apr_size_t inputlength,
*/
void add_argument(modsec_rec *msr, apr_table_t *arguments, msc_arg *arg)
{
+ assert(msr != NULL);
+ assert(arguments != NULL);
+ assert(arg != NULL);
if (msr->txcfg->debuglog_level >= 5) {
msr_log(msr, 5, "Adding request argument (%s): name \"%s\", value \"%s\"",
arg->origin, log_escape_ex(msr->mp, arg->name, arg->name_len),
log_escape_ex(msr->mp, arg->value, arg->value_len));
}
- apr_table_addn(arguments, log_escape_nq_ex(msr->mp, arg->name, arg->name_len), (void *)arg);
+ if (apr_table_elts(arguments)->nelts >= msr->txcfg->arguments_limit) {
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "Skipping request argument, over limit (%s): name \"%s\", value \"%s\"",
+ arg->origin, log_escape_ex(msr->mp, arg->name, arg->name_len),
+ log_escape_ex(msr->mp, arg->value, arg->value_len));
+ }
+ if (msr->msc_reqbody_error != 1) {
+ char *error_msg = apr_psprintf(msr->mp, "SecArgumentsLimit exceeded");
+ msr->msc_reqbody_error = 1;
+ if (error_msg != NULL) {
+ msr->msc_reqbody_error_msg = error_msg;
+ }
+ }
+ } else {
+ apr_table_addn(arguments, log_escape_nq_ex(msr->mp, arg->name, arg->name_len), (void *)arg);
+ }
}
diff --git a/apache2/msc_pcre.c b/apache2/msc_pcre.c
index 8534a20914..16f5efd5d4 100644
--- a/apache2/msc_pcre.c
+++ b/apache2/msc_pcre.c
@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -20,18 +20,25 @@
*/
static apr_status_t msc_pcre_cleanup(msc_regex_t *regex) {
if (regex != NULL) {
+#ifdef WITH_PCRE2
+ if (regex->match_context != NULL) {
+ pcre2_match_context_free(regex->match_context);
+ regex->match_context = NULL;
+ }
+ if (regex->re != NULL) {
+ pcre2_code_free(regex->re);
+ regex->re = NULL;
+ }
+#else
if (regex->pe != NULL) {
-#if defined(VERSION_NGINX)
pcre_free(regex->pe);
-#else
- free(regex->pe);
-#endif
regex->pe = NULL;
}
if (regex->re != NULL) {
pcre_free(regex->re);
regex->re = NULL;
}
+#endif
}
return APR_SUCCESS;
@@ -48,6 +55,88 @@ static apr_status_t msc_pcre_cleanup(msc_regex_t *regex) {
void *msc_pregcomp_ex(apr_pool_t *pool, const char *pattern, int options,
const char **_errptr, int *_erroffset,
int match_limit, int match_limit_recursion)
+#ifdef WITH_PCRE2
+{
+ msc_regex_t *regex = NULL;
+ PCRE2_SPTR pcre2_pattern;
+ uint32_t pcre2_options;
+ int error_number = 0;
+ PCRE2_SIZE error_offset = 0;
+ pcre2_match_context *match_context = NULL;
+
+ regex = apr_pcalloc(pool, sizeof(msc_regex_t));
+ if (regex == NULL) return NULL;
+ regex->pattern = pattern;
+
+ pcre2_pattern = (PCRE2_SPTR)pattern;
+ pcre2_options = (uint32_t)options;
+
+ regex->re = pcre2_compile(pcre2_pattern, PCRE2_ZERO_TERMINATED,
+ pcre2_options, &error_number, &error_offset, NULL);
+ if (regex->re == NULL) {
+ if (_erroffset != NULL) {
+ *_erroffset = (int)error_offset;
+ }
+ PCRE2_UCHAR buffer[256];
+ // Get the error message from the error code
+ pcre2_get_error_message(error_number, buffer, sizeof(buffer));
+#ifdef DEBUG_CONF
+ * _errptr = apr_psprintf(pool, "%s - pattern = %s", buffer, pattern);
+#else
+ * _errptr = apr_pstrdup(pool, buffer);
+#endif
+ return NULL;
+ }
+
+#ifdef WITH_PCRE_JIT
+ regex->jit_compile_rc = pcre2_jit_compile(regex->re, PCRE2_JIT_COMPLETE);
+#endif
+
+ /* Setup the pcre2 match context */
+ regex->match_context = NULL;
+ match_context = pcre2_match_context_create(NULL);
+ if (match_context == NULL) {
+ return NULL;
+ }
+
+ /* Prefer the match limit passed as an arg; else use compilation default */
+ {
+ uint32_t final_match_limit = 0;
+ if (match_limit > 0) {
+ final_match_limit = match_limit;
+ pcre2_set_match_limit(match_context, final_match_limit);
+ }
+#ifdef MODSEC_PCRE_MATCH_LIMIT
+ else {
+ final_match_limit = MODSEC_PCRE_MATCH_LIMIT;
+ pcre2_set_match_limit(match_context, final_match_limit);
+ }
+#endif /* MODSEC_PCRE_MATCH_LIMIT */
+ }
+
+ /* Prefer the depth limit passed as an arg; else use compilation default */
+ {
+ uint32_t final_match_limit_recursion = 0;
+ if (match_limit_recursion > 0) {
+ final_match_limit_recursion = match_limit_recursion;
+ pcre2_set_depth_limit(match_context, final_match_limit_recursion);
+ }
+#ifdef MODSEC_PCRE_MATCH_LIMIT_RECURSION
+ else {
+ final_match_limit_recursion = MODSEC_PCRE_MATCH_LIMIT_RECURSION;
+ pcre2_set_depth_limit(match_context, final_match_limit_recursion);
+ }
+#endif /* MODSEC_PCRE_MATCH_LIMIT_RECURSION */
+ }
+
+ regex->match_context = match_context;
+
+ apr_pool_cleanup_register(pool, (void *)regex,
+ (apr_status_t (*)(void *))msc_pcre_cleanup, apr_pool_cleanup_null);
+
+ return regex;
+}
+#else /* not WITH_PCRE2 */
{
const char *errptr = NULL;
int erroffset;
@@ -75,11 +164,7 @@ void *msc_pregcomp_ex(apr_pool_t *pool, const char *pattern, int options,
/* Setup the pcre_extra record if pcre_study did not already do it */
if (pe == NULL) {
-#if defined(VERSION_NGINX)
- pe = pcre_malloc(sizeof(pcre_extra));
-#else
- pe = malloc(sizeof(pcre_extra));
-#endif
+ pe = (pcre_extra*)pcre_malloc(sizeof(pcre_extra));
if (pe == NULL) {
return NULL;
}
@@ -131,6 +216,7 @@ void *msc_pregcomp_ex(apr_pool_t *pool, const char *pattern, int options,
return regex;
}
+#endif /* WITH_PCRE2 */
/**
* Compiles the provided regular expression pattern. Calls msc_pregcomp_ex()
@@ -143,9 +229,9 @@ void *msc_pregcomp(apr_pool_t *pool, const char *pattern, int options,
}
/**
- * Executes regular expression with extended options.
- * Returns PCRE_ERROR_NOMATCH when there is no match, error code < -1
- * on errors, and a value > 0 when there is a match.
+ * Executes regular expression with extended options (or match context)
+ * Returns PCRE_ERROR_NOMATCH (or PCRE2_ERROR_NOMATCH),
+ * error code < -1 on errors, and a value > 0 when there is a match.
*/
int msc_regexec_ex(msc_regex_t *regex, const char *s, unsigned int slen,
int startoffset, int options, int *ovector, int ovecsize, char **error_msg)
@@ -153,7 +239,52 @@ int msc_regexec_ex(msc_regex_t *regex, const char *s, unsigned int slen,
if (error_msg == NULL) return -1000; /* To differentiate from PCRE as it already uses -1. */
*error_msg = NULL;
+#ifdef WITH_PCRE2
+ {
+ PCRE2_SPTR pcre2_s;
+ int pcre2_ret;
+ pcre2_match_data *match_data;
+ PCRE2_SIZE *pcre2_ovector = NULL;
+
+ pcre2_s = (PCRE2_SPTR)s;
+ match_data = pcre2_match_data_create_from_pattern(regex->re, NULL);
+
+#ifdef WITH_PCRE_JIT
+ if (regex->jit_compile_rc == 0) {
+ pcre2_ret = pcre2_jit_match(regex->re, pcre2_s, slen,
+ (PCRE2_SIZE)(startoffset), (uint32_t)options, match_data, regex->match_context);
+ }
+ if (regex->jit_compile_rc != 0 || pcre2_ret == PCRE2_ERROR_JIT_STACKLIMIT) {
+ pcre2_ret = pcre2_match(regex->re, pcre2_s, slen,
+ (PCRE2_SIZE)(startoffset), (PCRE2_NO_JIT | (uint32_t)options), match_data, regex->match_context);
+ }
+#else
+ pcre2_ret = pcre2_match(regex->re, pcre2_s, slen,
+ (PCRE2_SIZE)(startoffset), (uint32_t)options, match_data, regex->match_context);
+#endif
+ if (match_data != NULL) {
+ if (ovector != NULL) {
+ pcre2_ovector = pcre2_get_ovector_pointer(match_data);
+ if (pcre2_ovector != NULL) {
+ for (int i = 0; ((i < pcre2_ret) && ((i*2) <= ovecsize)); i++) {
+ if ((i*2) < ovecsize) {
+ ovector[2*i] = pcre2_ovector[2*i];
+ ovector[2*i+1] = pcre2_ovector[2*i+1];
+ }
+ }
+ }
+ }
+ pcre2_match_data_free(match_data);
+ }
+ if ((pcre2_ret*2) > ovecsize) {
+ return 0;
+ } else {
+ return pcre2_ret;
+ }
+ }
+#else
return pcre_exec(regex->re, regex->pe, s, slen, startoffset, options, ovector, ovecsize);
+#endif
}
/**
@@ -188,6 +319,10 @@ int msc_regexec(msc_regex_t *regex, const char *s, unsigned int slen,
*/
int msc_fullinfo(msc_regex_t *regex, int what, void *where)
{
+#ifdef WITH_PCRE2
+ return pcre2_pattern_info(regex->re, (uint32_t)what, where);
+#else
return pcre_fullinfo(regex->re, regex->pe, what, where);
+#endif
}
diff --git a/apache2/msc_pcre.h b/apache2/msc_pcre.h
index bbaa818b29..c0ab37b4ae 100644
--- a/apache2/msc_pcre.h
+++ b/apache2/msc_pcre.h
@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -17,7 +17,14 @@
typedef struct msc_regex_t msc_regex_t;
+#ifdef WITH_PCRE2
+#define PCRE2_CODE_UNIT_WIDTH 8
+#include "pcre2.h"
+#else
#include "pcre.h"
+#endif
+
+#ifndef WITH_PCRE2
#ifndef PCRE_ERROR_MATCHLIMIT
/* Define for compile, but not valid in this version of PCRE. */
@@ -29,12 +36,23 @@ typedef struct msc_regex_t msc_regex_t;
#define PCRE_ERROR_RECURSIONLIMIT (-21)
#endif /* PCRE_ERROR_RECURSIONLIMIT */
+#endif
+
#include "apr_general.h"
#include "modsecurity.h"
struct msc_regex_t {
+#ifdef WITH_PCRE2
+ pcre2_code *re;
+ pcre2_match_context *match_context;
+#ifdef WITH_PCRE_JIT
+ int jit_compile_rc;
+#endif
+
+#else
void *re;
void *pe;
+#endif
const char *pattern;
};
diff --git a/apache2/msc_release.h b/apache2/msc_release.h
index a34578b663..5c4dbc96d2 100644
--- a/apache2/msc_release.h
+++ b/apache2/msc_release.h
@@ -38,7 +38,7 @@
#define MODSEC_VERSION_MAJOR "2"
#define MODSEC_VERSION_MINOR "9"
-#define MODSEC_VERSION_MAINT "0"
+#define MODSEC_VERSION_MAINT "8"
#define MODSEC_VERSION_TYPE ""
#define MODSEC_VERSION_RELEASE ""
diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
index 8a6df9e0ab..37b8864842 100644
--- a/apache2/msc_remote_rules.c
+++ b/apache2/msc_remote_rules.c
@@ -312,6 +312,11 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
struct curl_slist *headers_chunk = NULL;
#ifdef WIN32
char *buf = malloc(sizeof(TCHAR) * (2048 + 1));
+ if (buf == NULL) { /* malloc failed... */
+ *error_msg = apr_psprintf(mp, "Unable to allocate memory");
+ ret = -2;
+ goto failed;
+ }
char *ptr = NULL;
DWORD res_len;
#endif
@@ -326,8 +331,8 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
headers_chunk = curl_slist_append(headers_chunk, header_key);
}
- /* Make it TLS 1.x only. */
- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
+ /* Make it TLS 1.2 at least. */
+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
#ifdef WIN32
res_len = SearchPathA(NULL, "curl-ca-bundle.crt", NULL, (2048 + 1), buf, &ptr);
diff --git a/apache2/msc_reqbody.c b/apache2/msc_reqbody.c
index 7d150eedff..0877c82598 100644
--- a/apache2/msc_reqbody.c
+++ b/apache2/msc_reqbody.c
@@ -25,6 +25,7 @@
void msre_engine_reqbody_processor_register(msre_engine *engine,
const char *name, void *fn_init, void *fn_process, void *fn_complete)
{
+ assert(engine != NULL);
msre_reqbody_processor_metadata *metadata =
(msre_reqbody_processor_metadata *)apr_pcalloc(engine->mp,
sizeof(msre_reqbody_processor_metadata));
@@ -41,6 +42,8 @@ void msre_engine_reqbody_processor_register(msre_engine *engine,
* Prepare to accept the request body (part 2).
*/
static apr_status_t modsecurity_request_body_start_init(modsec_rec *msr, char **error_msg) {
+ assert(msr != NULL);
+ assert(error_msg != NULL);
*error_msg = NULL;
if(msr->msc_reqbody_storage == MSC_REQBODY_MEMORY) {
@@ -80,6 +83,8 @@ static apr_status_t modsecurity_request_body_start_init(modsec_rec *msr, char **
* Prepare to accept the request body (part 1).
*/
apr_status_t modsecurity_request_body_start(modsec_rec *msr, char **error_msg) {
+ assert(msr != NULL);
+ assert(error_msg != NULL);
*error_msg = NULL;
msr->msc_reqbody_length = 0;
msr->stream_input_length = 0;
@@ -161,6 +166,8 @@ apr_status_t modsecurity_request_body_start(modsec_rec *msr, char **error_msg) {
static apr_status_t modsecurity_request_body_store_disk(modsec_rec *msr,
const char *data, apr_size_t length, char **error_msg)
{
+ assert(msr != NULL);
+ assert(error_msg != NULL);
apr_size_t i;
*error_msg = NULL;
@@ -181,6 +188,8 @@ static apr_status_t modsecurity_request_body_store_disk(modsec_rec *msr,
static apr_status_t modsecurity_request_body_store_memory(modsec_rec *msr,
const char *data, apr_size_t length, char **error_msg)
{
+ assert(msr != NULL);
+ assert(error_msg != NULL);
*error_msg = NULL;
/* Would storing this chunk mean going over the limit? */
@@ -309,6 +318,8 @@ static apr_status_t modsecurity_request_body_store_memory(modsec_rec *msr,
apr_status_t modsecurity_request_body_store(modsec_rec *msr,
const char *data, apr_size_t length, char **error_msg)
{
+ assert(msr != NULL);
+ assert(error_msg != NULL);
*error_msg = NULL;
/* If we have a processor for this request body send
@@ -396,13 +407,14 @@ apr_status_t modsecurity_request_body_store(modsec_rec *msr,
/* Check that we are not over the request body no files limit. */
if (msr->msc_reqbody_no_files_length >= (unsigned long) msr->txcfg->reqbody_no_files_limit) {
-
*error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the "
"configured limit (%ld).", msr->txcfg->reqbody_no_files_limit);
if (msr->txcfg->debuglog_level >= 1) {
msr_log(msr, 1, "%s", *error_msg);
}
+ msr->msc_reqbody_error = 1;
+
if ((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) {
return -5;
} else if (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL) {
@@ -411,7 +423,6 @@ apr_status_t modsecurity_request_body_store(modsec_rec *msr,
}
}
-
/* Store data. */
if (msr->msc_reqbody_storage == MSC_REQBODY_MEMORY) {
return modsecurity_request_body_store_memory(msr, data, length, error_msg);
@@ -428,10 +439,19 @@ apr_status_t modsecurity_request_body_store(modsec_rec *msr,
}
apr_status_t modsecurity_request_body_to_stream(modsec_rec *msr, const char *buffer, int buflen, char **error_msg) {
+ assert(msr != NULL);
+ assert(error_msg != NULL);
+ assert(buffer != NULL || buflen == 0);
+#ifndef MSC_LARGE_STREAM_INPUT
char *stream_input_body = NULL;
char *data = NULL;
int first_pkt = 0;
+#else
+ apr_size_t allocate_length = 0;
+ char* allocated = NULL;
+#endif
+#ifndef MSC_LARGE_STREAM_INPUT
if(msr->stream_input_data == NULL) {
msr->stream_input_data = (char *)calloc(sizeof(char), msr->stream_input_length + 1);
first_pkt = 1;
@@ -443,8 +463,8 @@ apr_status_t modsecurity_request_body_to_stream(modsec_rec *msr, const char *buf
if(data == NULL)
return -1;
- memset(data, 0, msr->stream_input_length + 1 - buflen);
memcpy(data, msr->stream_input_data, msr->stream_input_length - buflen);
+ data[msr->stream_input_length - buflen] = '\0';
stream_input_body = (char *)realloc(msr->stream_input_data, msr->stream_input_length + 1);
@@ -452,35 +472,84 @@ apr_status_t modsecurity_request_body_to_stream(modsec_rec *msr, const char *buf
}
if (msr->stream_input_data == NULL) {
- if(data) {
- free(data);
- data = NULL;
- }
+ if (data) free(data);
*error_msg = apr_psprintf(msr->mp, "Unable to allocate memory to hold request body on stream. Asked for %" APR_SIZE_T_FMT " bytes.",
msr->stream_input_length + 1);
return -1;
}
- memset(msr->stream_input_data, 0, msr->stream_input_length+1);
-
if(first_pkt) {
memcpy(msr->stream_input_data, buffer, msr->stream_input_length);
} else {
memcpy(msr->stream_input_data, data, msr->stream_input_length - buflen);
memcpy(msr->stream_input_data+(msr->stream_input_length - buflen), buffer, buflen);
}
+ msr->stream_input_data[msr->stream_input_length] = '\0';
+
+ if (data) free(data);
+#else
+ if (msr->stream_input_data == NULL) {
+ // Is the request body length known beforehand? (requests that are not Transfer-Encoding: chunked)
+ if (msr->request_content_length > 0) {
+ // Use min of Content-Length and SecRequestBodyLimit
+ allocate_length = msr->request_content_length < msr->txcfg->reqbody_limit ? msr->request_content_length : msr->txcfg->reqbody_limit;
+ }
+ else {
+ // We don't know how this request is going to be, so hope for just buflen to begin with (requests that are Transfer-Encoding: chunked)
+ allocate_length = buflen;
+ }
- if(data) {
- free(data);
- data = NULL;
+ allocated = (char*) calloc(allocate_length, sizeof(char));
+ if (allocated) {
+ msr->stream_input_data = allocated;
+ msr->stream_input_allocated_length = allocate_length;
+ }
+ else {
+ *error_msg = apr_psprintf(
+ msr->mp,
+ "Unable to allocate memory to hold request body on stream. Asked for %" APR_SIZE_T_FMT " bytes.",
+ allocate_length);
+ return -1;
+ }
+ }
+ else {
+ // Do we need to expand the space we have previously allocated?
+ if ((msr->stream_input_length + buflen) > msr->stream_input_allocated_length) {
+ // If this becomes a hotspot again, consider increasing by some percent extra each time, for fewer reallocs
+ allocate_length = msr->stream_input_length + buflen;
+
+ allocated = (char*) realloc(msr->stream_input_data, allocate_length);
+ if (allocated) {
+ msr->stream_input_data = allocated;
+ msr->stream_input_allocated_length = allocate_length;
+ }
+ else {
+ *error_msg = apr_psprintf(
+ msr->mp,
+ "Unable to reallocate memory to hold request body on stream. Asked for %" APR_SIZE_T_FMT " bytes.",
+ allocate_length);
+ free(msr->stream_input_data);
+ msr->stream_input_data = NULL;
+ msr->stream_input_length = 0;
+ msr->stream_input_allocated_length = 0;
+ return -1;
+ }
+ }
}
+ // Append buffer to msr->stream_input_data
+ memcpy(msr->stream_input_data + msr->stream_input_length, buffer, buflen);
+ msr->stream_input_length += buflen;
+#endif
return 1;
}
+
/**
* Replace a bunch of chunks holding a request body with a single large chunk.
*/
static apr_status_t modsecurity_request_body_end_raw(modsec_rec *msr, char **error_msg) {
+ assert(msr != NULL);
+ assert(error_msg != NULL);
msc_data_chunk **chunks, *one_chunk;
char *d;
int i, sofar;
@@ -554,6 +623,8 @@ static apr_status_t modsecurity_request_body_end_raw(modsec_rec *msr, char **err
*
*/
static apr_status_t modsecurity_request_body_end_urlencoded(modsec_rec *msr, char **error_msg) {
+ assert(msr != NULL);
+ assert(error_msg != NULL);
int invalid_count = 0;
*error_msg = NULL;
@@ -583,6 +654,8 @@ static apr_status_t modsecurity_request_body_end_urlencoded(modsec_rec *msr, cha
* Stops receiving the request body.
*/
apr_status_t modsecurity_request_body_end(modsec_rec *msr, char **error_msg) {
+ assert(msr != NULL);
+ assert(error_msg != NULL);
*error_msg = NULL;
/* Close open file descriptors, if any. */
@@ -596,6 +669,19 @@ apr_status_t modsecurity_request_body_end(modsec_rec *msr, char **error_msg) {
/* Note that we've read the body. */
msr->msc_reqbody_read = 1;
+
+ /* Check that we are not over the request body no files limit. */
+ if (msr->msc_reqbody_no_files_length >= (unsigned long)msr->txcfg->reqbody_no_files_limit) {
+ *error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the "
+ "configured limit (%ld).", msr->txcfg->reqbody_no_files_limit);
+ if (msr->txcfg->debuglog_level >= 1) {
+ msr_log(msr, 1, "%s", *error_msg);
+ }
+
+ return -5;
+ }
+
+
/* Finalise body processing. */
if ((msr->msc_reqbody_processor != NULL) && (msr->msc_reqbody_error == 0)) {
char *my_error_msg = NULL;
@@ -637,7 +723,7 @@ apr_status_t modsecurity_request_body_end(modsec_rec *msr, char **error_msg) {
}
else if (strcmp(msr->msc_reqbody_processor, "JSON") == 0) {
#ifdef WITH_YAJL
- if (json_complete(msr, &my_error_msg) < 0) {
+ if (json_complete(msr, &my_error_msg) < 0 && msr->msc_reqbody_length > 0) {
*error_msg = apr_psprintf(msr->mp, "JSON parser error: %s", my_error_msg);
msr->msc_reqbody_error = 1;
msr->msc_reqbody_error_msg = *error_msg;
@@ -680,6 +766,8 @@ apr_status_t modsecurity_request_body_end(modsec_rec *msr, char **error_msg) {
* Prepares to forward the request body.
*/
apr_status_t modsecurity_request_body_retrieve_start(modsec_rec *msr, char **error_msg) {
+ assert(msr != NULL);
+ assert(error_msg != NULL);
*error_msg = NULL;
if (msr->msc_reqbody_storage == MSC_REQBODY_MEMORY) {
@@ -726,6 +814,7 @@ apr_status_t modsecurity_request_body_retrieve_start(modsec_rec *msr, char **err
*
*/
apr_status_t modsecurity_request_body_retrieve_end(modsec_rec *msr) {
+ assert(msr != NULL);
if (msr->msc_reqbody_storage == MSC_REQBODY_DISK) {
if (msr->msc_reqbody_fd > 0) {
close(msr->msc_reqbody_fd);
@@ -748,6 +837,8 @@ apr_status_t modsecurity_request_body_retrieve_end(modsec_rec *msr) {
apr_status_t modsecurity_request_body_retrieve(modsec_rec *msr,
msc_data_chunk **chunk, long int nbytes, char **error_msg)
{
+ assert(msr != NULL);
+ assert(error_msg != NULL);
msc_data_chunk **chunks;
*error_msg = NULL;
@@ -849,6 +940,8 @@ apr_status_t modsecurity_request_body_retrieve(modsec_rec *msr,
*
*/
apr_status_t modsecurity_request_body_clear(modsec_rec *msr, char **error_msg) {
+ assert(msr != NULL);
+ assert(error_msg != NULL);
*error_msg = NULL;
/* Release memory we used to store request body data. */
@@ -888,6 +981,11 @@ apr_status_t modsecurity_request_body_clear(modsec_rec *msr, char **error_msg) {
const char *put_filename = NULL;
const char *put_basename = NULL;
+ if (strcmp(msr->txcfg->upload_dir, msr->txcfg->tmp_dir) == 0) {
+ msr_log(msr, 4, "Not moving file to identical location.");
+ goto nullify;
+ }
+
/* Construct the new filename. */
put_basename = file_basename(msr->msc_reqbody_mp, msr->msc_reqbody_filename);
if (put_basename == NULL) {
@@ -933,6 +1031,8 @@ apr_status_t modsecurity_request_body_clear(modsec_rec *msr, char **error_msg) {
msr->msc_reqbody_filename);
}
+nullify:
+
msr->msc_reqbody_filename = NULL;
}
}
diff --git a/apache2/msc_status_engine.c b/apache2/msc_status_engine.c
index 834ecc3ed9..4587641641 100644
--- a/apache2/msc_status_engine.c
+++ b/apache2/msc_status_engine.c
@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -19,6 +19,9 @@
#ifdef WIN32
#include <winsock2.h>
#include <iphlpapi.h>
+#else
+#include <sys/ioctl.h>
+#include <netdb.h>
#endif
#ifdef DARWIN
@@ -42,6 +45,10 @@
#include <sys/utsname.h>
#endif
+#ifdef APLOG_USE_MODULE
+ APLOG_USE_MODULE(security2);
+#endif
+
// Bese32 encode, based on:
// https://code.google.com/p/google-authenticator/source/browse/libpam/base32.c
int DSOLOCAL msc_status_engine_base32_encode(char *encoded,
@@ -342,8 +349,13 @@ int DSOLOCAL msc_beacon_string (char *beacon_string, int beacon_string_max_len)
apr = APR_VERSION_STRING;
apr_loaded = apr_version_string();
+#ifdef WITH_PCRE2
+ apr_snprintf(pcre, 7, "%d.%d", PCRE2_MAJOR, PCRE2_MINOR);
+ pcre_loaded = ""; /* complete this if/when status reactivated */
+#else
apr_snprintf(pcre, 7, "%d.%d", PCRE_MAJOR, PCRE_MINOR);
pcre_loaded = pcre_version();
+#endif
#ifdef WITH_LUA
lua = LUA_VERSION;
#endif
@@ -496,4 +508,3 @@ int msc_status_engine_call (void) {
return ret;
}
-
diff --git a/apache2/msc_tree.c b/apache2/msc_tree.c
index c672bd5fd4..f8610b39e3 100644
--- a/apache2/msc_tree.c
+++ b/apache2/msc_tree.c
@@ -14,6 +14,7 @@
#include <stdio.h>
#include <stdlib.h>
+#include <apr.h>
#if APR_HAVE_STDINT_H
#include <stdint.h>
#endif
@@ -534,6 +535,8 @@ int TreeCheckData(TreePrefix *prefix, CPTData *prefix_data, unsigned int netmask
}
int TreePrefixNetmask(modsec_rec *msr, TreePrefix *prefix, unsigned int netmask, int flag) {
+ // msr can be NULL;
+ assert(!msr || msr->txcfg != NULL);
CPTData *prefix_data = NULL;
int ret = 0;
@@ -573,6 +576,8 @@ int TreePrefixNetmask(modsec_rec *msr, TreePrefix *prefix, unsigned int netmask,
}
TreeNode *CPTRetriveNode(modsec_rec *msr, unsigned char *buffer, unsigned int ip_bitmask, TreeNode *node) {
+ // msr can be NULL;
+ assert(!msr || msr->txcfg != NULL);
unsigned int x, y;
if(node == NULL) {
@@ -619,6 +624,8 @@ TreeNode *CPTRetriveParentNode(TreeNode *node) {
}
TreeNode *CPTFindElementIPNetblock(modsec_rec *msr, unsigned char *ipdata, unsigned char ip_bitmask, TreeNode *node) {
+ // msr can be NULL;
+ assert(!msr || msr->txcfg != NULL);
TreeNode *netmask_node = NULL;
int mask = 0, bytes = 0;
int i = 0, j = 0;
@@ -655,15 +662,22 @@ TreeNode *CPTFindElementIPNetblock(modsec_rec *msr, unsigned char *ipdata, unsig
}
node = CPTRetriveNode(msr, ipdata, ip_bitmask, node);
+ if (!node) {
+ if (msr && msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "CPTFindElementIPNetblock: No tree node found.");
+ }
+ return NULL;
+ }
- if (node && node->bit != ip_bitmask) {
+
+ if (node->bit != ip_bitmask) {
if (msr && msr->txcfg->debuglog_level >= 9) {
msr_log(msr, 9, "CPTFindElementIPNetblock: Found a tree node but netmask is different.");
}
return NULL;
}
- if (node && node->prefix == NULL) {
+ if (node->prefix == NULL) {
if (msr && msr->txcfg->debuglog_level >= 9) {
msr_log(msr, 9, "CPTFindElementIPNetblock: Found a tree node but prefix is NULL.");
}
@@ -699,6 +713,8 @@ TreeNode *CPTFindElementIPNetblock(modsec_rec *msr, unsigned char *ipdata, unsig
}
TreeNode *CPTFindElement(modsec_rec *msr, unsigned char *ipdata, unsigned int ip_bitmask, CPTTree *tree) {
+ // msr can be NULL;
+ assert(!msr || msr->txcfg != NULL);
TreeNode *node = NULL;
int mask = 0, bytes = 0;
unsigned char temp_data[NETMASK_256-1];
@@ -754,7 +770,7 @@ TreeNode *CPTFindElement(modsec_rec *msr, unsigned char *ipdata, unsigned int ip
return node;
}
- if (memcmp(node->prefix->buffer, temp_data, bytes) == 0) {
+ if ((node->netmasks == NULL) && (memcmp(node->prefix->buffer, temp_data, bytes) == 0)) {
mask = SHIFT_LEFT_MASK(8 - ip_bitmask % 8);
if ((ip_bitmask % 8) == 0) {
@@ -780,6 +796,8 @@ TreeNode *CPTFindElement(modsec_rec *msr, unsigned char *ipdata, unsigned int ip
}
TreeNode *CPTIpMatch(modsec_rec *msr, unsigned char *ipdata, CPTTree *tree, int type) {
+ // msr can be NULL;
+ assert(!msr || msr->txcfg != NULL);
if(tree == NULL) {
if (msr && msr->txcfg->debuglog_level >= 9) {
@@ -831,13 +849,14 @@ TreeNode *TreeAddIP(const char *buffer, CPTTree *tree, int type) {
switch(type) {
case IPV4_TREE:
- memset(&addr4, 0, sizeof(addr4));
+ memset(&(addr4.s_addr), 0, sizeof(addr4.s_addr));
memset(ip_strv4, 0x0, NETMASK_32);
strncpy(ip_strv4, buffer, sizeof(ip_strv4));
*(ip_strv4 + (sizeof(ip_strv4) - 1)) = '\0';
ptr = strdup(ip_strv4);
+ if (ptr == NULL) return NULL; // No way to return a clean error message
netmask_v4 = is_netmask_v4(ptr);
if (netmask_v4 > NETMASK_32) {
@@ -858,26 +877,23 @@ TreeNode *TreeAddIP(const char *buffer, CPTTree *tree, int type) {
ip_strv4[pos] = '\0';
}
- ret = inet_pton(AF_INET, ip_strv4, &addr4);
+ ret = inet_pton(AF_INET, ip_strv4, &(addr4.s_addr));
if (ret <= 0) {
return NULL;
}
-
- ip = addr4.s_addr;
-
tree->count++;
-
- return CPTAddElement((unsigned char *)&ip, NETMASK_32, tree, netmask_v4);
+ return CPTAddElement((unsigned char *)&(addr4.s_addr), NETMASK_32, tree, netmask_v4);
case IPV6_TREE:
- memset(&addr6, 0, sizeof(addr6));
+ memset(&(addr6.s6_addr), 0, sizeof(addr6.s6_addr));
memset(ip_strv6, 0x0, NETMASK_128);
strncpy(ip_strv6, buffer, sizeof(ip_strv6));
*(ip_strv6 + sizeof(ip_strv6) - 1) = '\0';
ptr = strdup(ip_strv6);
+ if (ptr == NULL) return NULL; // No way to return a clean error message
netmask_v6 = is_netmask_v6(ptr);
if (netmask_v6 > NETMASK_128) {
@@ -898,7 +914,7 @@ TreeNode *TreeAddIP(const char *buffer, CPTTree *tree, int type) {
ip_strv6[pos] = '\0';
}
- ret = inet_pton(AF_INET6, ip_strv6, &addr6);
+ ret = inet_pton(AF_INET6, ip_strv6, &(addr6.s6_addr));
if (ret <= 0)
{
@@ -907,7 +923,7 @@ TreeNode *TreeAddIP(const char *buffer, CPTTree *tree, int type) {
tree->count++;
- return CPTAddElement((unsigned char *)&addr6.s6_addr, NETMASK_128, tree, netmask_v6);
+ return CPTAddElement((unsigned char *)&(addr6.s6_addr), NETMASK_128, tree, netmask_v6);
default:
return NULL;
}
diff --git a/apache2/msc_util.c b/apache2/msc_util.c
index 33447ba0d0..fe13ab9984 100644
--- a/apache2/msc_util.c
+++ b/apache2/msc_util.c
@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -22,6 +22,10 @@
#include "msc_release.h"
#include "msc_util.h"
+#include <apr.h>
+#if APR_HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
#include <apr_lib.h>
#include <apr_sha1.h>
#include "modsecurity_config.h"
@@ -101,81 +105,44 @@ int swap_int32(int x) {
*/
char *utf8_unicode_inplace_ex(apr_pool_t *mp, unsigned char *input, long int input_len, int *changed) {
int unicode_len = 0, length = 0;
- unsigned int d = 0, count = 0;
+ unsigned int d = 0;
unsigned char c, *utf;
char *rval, *data;
unsigned int i, len, j;
unsigned int bytes_left = input_len;
unsigned char *unicode = NULL;
- *changed = 0;
+ assert(input != NULL);
- len = input_len * 7 + 1;
+ *changed = 0;
+ /* RFC3629 states that UTF-8 are encoded using sequences of 1 to 4 octets. */
+ /* Max size per character should fit in 4 bytes (%u01020304) */
+ len = input_len * 10 + 1;
data = rval = apr_palloc(mp, len);
if (rval == NULL) return NULL;
-
- if (input == NULL) return NULL;
-
- for(i = 0; i < bytes_left;) {
+ for (i = 0; i < bytes_left;) {
unicode_len = 0; d = 0;
utf = (unsigned char *)&input[i];
-
c = *utf;
- /* If first byte begins with binary 0 it is single byte encoding */
+ /* If first byte begins with binary 0 it may be single byte encoding */
if ((c & 0x80) == 0) {
- /* single byte unicode (7 bit ASCII equivilent) has no validation */
- count++;
- if(count <= len) {
- if(c == 0)
- *data = x2c(&c);
- else
- *data++ = c;
+ if (c == 0) {
+ unicode_len = 2;
+ d = utf[1];
}
-
}
/* If first byte begins with binary 110 it is two byte encoding*/
else if ((c & 0xE0) == 0xC0) {
/* check we have at least two bytes */
if (bytes_left < 2) unicode_len = UNICODE_ERROR_CHARACTERS_MISSING;
/* check second byte starts with binary 10 */
- else if (((*(utf + 1)) & 0xC0) != 0x80) unicode_len = UNICODE_ERROR_INVALID_ENCODING;
+ else if ((utf[1] & 0xC0) != 0x80) unicode_len = UNICODE_ERROR_INVALID_ENCODING;
else {
unicode_len = 2;
- count+=6;
- if(count <= len) {
- /* compute character number */
- d = ((c & 0x1F) << 6) | (*(utf + 1) & 0x3F);
- *data++ = '%';
- *data++ = 'u';
- unicode = apr_psprintf(mp, "%x", d);
- length = strlen(unicode);
-
- switch(length) {
- case 1:
- *data++ = '0';
- *data++ = '0';
- *data++ = '0';
- break;
- case 2:
- *data++ = '0';
- *data++ = '0';
- break;
- case 3:
- *data++ = '0';
- break;
- case 4:
- case 5:
- break;
- }
-
- for(j=0; j<length; j++) {
- *data++ = unicode[j];
- }
-
- *changed = 1;
- }
+ /* compute character number */
+ d = ((c & 0x1F) << 6) | (utf[1] & 0x3F);
}
}
/* If first byte begins with binary 1110 it is three byte encoding */
@@ -183,142 +150,56 @@ char *utf8_unicode_inplace_ex(apr_pool_t *mp, unsigned char *input, long int inp
/* check we have at least three bytes */
if (bytes_left < 3) unicode_len = UNICODE_ERROR_CHARACTERS_MISSING;
/* check second byte starts with binary 10 */
- else if (((*(utf + 1)) & 0xC0) != 0x80) unicode_len = UNICODE_ERROR_INVALID_ENCODING;
+ else if ((utf[1] & 0xC0) != 0x80) unicode_len = UNICODE_ERROR_INVALID_ENCODING;
/* check third byte starts with binary 10 */
else if (((*(utf + 2)) & 0xC0) != 0x80) unicode_len = UNICODE_ERROR_INVALID_ENCODING;
else {
unicode_len = 3;
- count+=6;
- if(count <= len) {
- /* compute character number */
- d = ((c & 0x0F) << 12) | ((*(utf + 1) & 0x3F) << 6) | (*(utf + 2) & 0x3F);
- *data++ = '%';
- *data++ = 'u';
- unicode = apr_psprintf(mp, "%x", d);
- length = strlen(unicode);
-
- switch(length) {
- case 1:
- *data++ = '0';
- *data++ = '0';
- *data++ = '0';
- break;
- case 2:
- *data++ = '0';
- *data++ = '0';
- break;
- case 3:
- *data++ = '0';
- break;
- case 4:
- case 5:
- break;
- }
-
- for(j=0; j<length; j++) {
- *data++ = unicode[j];
- }
-
- *changed = 1;
-
- }
+ /* compute character number */
+ d = ((c & 0x0F) << 12) | ((utf[1] & 0x3F) << 6) | (*(utf + 2) & 0x3F);
}
}
/* If first byte begins with binary 11110 it is four byte encoding */
else if ((c & 0xF8) == 0xF0) {
/* restrict characters to UTF-8 range (U+0000 - U+10FFFF)*/
- if (c >= 0xF5) {
- *data++ = c;
- }
+ if (c >= 0xF5) unicode_len = UNICODE_ERROR_RESTRICTED_CHARACTER;
/* check we have at least four bytes */
- if (bytes_left < 4) unicode_len = UNICODE_ERROR_CHARACTERS_MISSING;
+ else if (bytes_left < 4) unicode_len = UNICODE_ERROR_CHARACTERS_MISSING;
/* check second byte starts with binary 10 */
- else if (((*(utf + 1)) & 0xC0) != 0x80) unicode_len = UNICODE_ERROR_INVALID_ENCODING;
+ else if ((utf[1] & 0xC0) != 0x80) unicode_len = UNICODE_ERROR_INVALID_ENCODING;
/* check third byte starts with binary 10 */
else if (((*(utf + 2)) & 0xC0) != 0x80) unicode_len = UNICODE_ERROR_INVALID_ENCODING;
/* check forth byte starts with binary 10 */
else if (((*(utf + 3)) & 0xC0) != 0x80) unicode_len = UNICODE_ERROR_INVALID_ENCODING;
else {
unicode_len = 4;
- count+=7;
- if(count <= len) {
- /* compute character number */
- d = ((c & 0x07) << 18) | ((*(utf + 1) & 0x3F) << 12) | ((*(utf + 2) & 0x3F) << 6) | (*(utf + 3) & 0x3F);
- *data++ = '%';
- *data++ = 'u';
- unicode = apr_psprintf(mp, "%x", d);
- length = strlen(unicode);
-
- switch(length) {
- case 1:
- *data++ = '0';
- *data++ = '0';
- *data++ = '0';
- break;
- case 2:
- *data++ = '0';
- *data++ = '0';
- break;
- case 3:
- *data++ = '0';
- break;
- case 4:
- case 5:
- break;
- }
-
- for(j=0; j<length; j++) {
- *data++ = unicode[j];
- }
-
- *changed = 1;
-
- }
+ /* compute character number */
+ d = ((c & 0x07) << 18) | ((utf[1] & 0x3F) << 12) | ((*(utf + 2) & 0x3F) << 6) | (*(utf + 3) & 0x3F);
}
}
- /* any other first byte is invalid (RFC 3629) */
- else {
- count++;
- if(count <= len)
- *data++ = c;
- }
-
/* invalid UTF-8 character number range (RFC 3629) */
- if ((d >= 0xD800) && (d <= 0xDFFF)) {
- count++;
- if(count <= len)
- *data++ = c;
- }
-
+ if ((d >= 0xD800) && (d <= 0xDFFF)) unicode_len = UNICODE_ERROR_RESTRICTED_CHARACTER;
/* check for overlong */
- if ((unicode_len == 4) && (d < 0x010000)) {
- /* four byte could be represented with less bytes */
- count++;
- if(count <= len)
- *data++ = c;
- }
- else if ((unicode_len == 3) && (d < 0x0800)) {
- /* three byte could be represented with less bytes */
- count++;
- if(count <= len)
- *data++ = c;
- }
- else if ((unicode_len == 2) && (d < 0x80)) {
- /* two byte could be represented with less bytes */
- count++;
- if(count <= len)
- *data++ = c;
- }
+ if ((unicode_len == 4) && (d < 0x010000)) unicode_len = UNICODE_ERROR_OVERLONG_CHARACTER;
+ /* three byte could be represented with less bytes */
+ if ((unicode_len == 3) && (d < 0x0800)) unicode_len = UNICODE_ERROR_OVERLONG_CHARACTER;
+ /* two byte could be represented with less bytes */
+ if ((unicode_len == 2) && (d < 0x80)) unicode_len = UNICODE_ERROR_OVERLONG_CHARACTER;
- if(unicode_len > 0) {
+ if (unicode_len > 0) {
i += unicode_len;
- } else {
+ sprintf(data, "%%u%04x", d);
+ data += 6;
+ *changed = 1;
+ }
+ else {
+ /* any other first byte is invalid (RFC 3629), so assume it's an ASCII character */
+ *data++ = c;
i++;
}
}
- *data ='\0';
-
+ *data = '\0';
return rval;
}
@@ -401,7 +282,8 @@ char *parse_pm_content(const char *op_parm, unsigned short int op_len, msre_rule
char converted = 0;
int i, x;
unsigned char bin = 0, esc = 0, bin_offset = 0;
- unsigned char bin_parm[3], c = 0;
+ unsigned char c = 0;
+ unsigned char bin_parm[3] = { 0 };
char *processed = NULL;
content = apr_pstrdup(rule->ruleset->mp, op_parm);
@@ -661,6 +543,7 @@ int convert_to_int(const char c)
* \retval 0 On Sucess|Fail
*/
int set_match_to_tx(modsec_rec *msr, int capture, const char *match, int tx_n) {
+ assert(msr != NULL);
if (capture) {
msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
@@ -1123,10 +1006,12 @@ char *current_logtime(apr_pool_t *mp) {
char tstr[100];
apr_size_t len;
- apr_time_exp_lt(&t, apr_time_now());
+ apr_time_t now = apr_time_now();
+ apr_time_exp_lt(&t, now);
- apr_strftime(tstr, &len, 80, "%d/%b/%Y:%H:%M:%S ", &t);
- apr_snprintf(tstr + strlen(tstr), 80 - strlen(tstr), "%c%.2d%.2d",
+ apr_strftime(tstr, &len, 80, "%d/%b/%Y:%H:%M:%S.", &t);
+ apr_snprintf(tstr + strlen(tstr), 80 - strlen(tstr), "%06ld %c%.2d%.2d",
+ (long)apr_time_usec(now),
t.tm_gmtoff < 0 ? '-' : '+',
t.tm_gmtoff / (60 * 60), (t.tm_gmtoff / 60) % 60);
return apr_pstrdup(mp, tstr);
@@ -2370,6 +2255,7 @@ apr_fileperms_t mode2fileperms(int mode) {
* Generate a single variable.
*/
char *construct_single_var(modsec_rec *msr, char *name) {
+ assert(msr != NULL);
char *varname = NULL;
char *param = NULL;
msre_var *var = NULL;
@@ -2378,6 +2264,7 @@ char *construct_single_var(modsec_rec *msr, char *name) {
/* Extract variable name and its parameter from the script. */
varname = apr_pstrdup(msr->mp, name);
+ if (varname == NULL) return NULL;
param = strchr(varname, '.');
if (param != NULL) {
*param = '\0';
@@ -2462,28 +2349,16 @@ int msc_headers_to_buffer(const apr_array_header_t *arr, char *buffer,
int read_line(char *buf, int len, FILE *fp)
{
- char *tmp;
+ if (buf == NULL) return -1;
- if (buf == NULL)
- {
- return -1;
- }
-
- memset(buf, '\0', len*sizeof(char));
-
- if (fgets(buf, len, fp) == NULL)
- {
+ if (fgets(buf, len, fp) == NULL) {
*buf = '\0';
return 0;
}
- else
- {
- if ((tmp = strrchr(buf, '\n')) != NULL)
- {
- *tmp = '\0';
- }
- }
-
+
+ char* tmp;
+ if ((tmp = strrchr(buf, '\n')) != NULL) *tmp = '\0';
+
return 1;
}
@@ -2695,6 +2570,10 @@ int ip_tree_from_uri(TreeRoot **rtree, char *uri,
int tree_contains_ip(apr_pool_t *mp, TreeRoot *rtree,
const char *value, modsec_rec *msr, char **error_msg)
{
+ assert(mp != NULL);
+ assert(value != NULL);
+ // msr can be NULL;
+ assert(error_msg != NULL);
struct in_addr in;
#if APR_HAVE_IPV6
struct in6_addr in6;
@@ -2706,26 +2585,26 @@ int tree_contains_ip(apr_pool_t *mp, TreeRoot *rtree,
}
if (strchr(value, ':') == NULL) {
- if (inet_pton(AF_INET, value, &in) <= 0) {
+ if (inet_pton(AF_INET, value, &(in.s_addr)) <= 0) {
*error_msg = apr_psprintf(mp, "IPmatch: bad IPv4 " \
"specification \"%s\".", value);
return -1;
}
- if (CPTIpMatch(msr, (unsigned char *)&in.s_addr, rtree->ipv4_tree,
+ if (CPTIpMatch(msr, (unsigned char *)&(in.s_addr), rtree->ipv4_tree,
IPV4_TREE) != NULL) {
return 1;
}
}
#if APR_HAVE_IPV6
else {
- if (inet_pton(AF_INET6, value, &in6) <= 0) {
+ if (inet_pton(AF_INET6, value, &(in6.s6_addr)) <= 0) {
*error_msg = apr_psprintf(mp, "IPmatch: bad IPv6 " \
"specification \"%s\".", value);
return -1;
}
- if (CPTIpMatch(msr, (unsigned char *)&in6.s6_addr, rtree->ipv6_tree,
+ if (CPTIpMatch(msr, (unsigned char *)&(in6.s6_addr), rtree->ipv6_tree,
IPV6_TREE) != NULL) {
return 1;
}
@@ -2783,6 +2662,9 @@ size_t msc_curl_write_memory_cb(void *contents, size_t size,
if (mem->size == 0)
{
mem->memory = malloc(realsize + 1);
+ if (mem->memory == NULL) {
+ return 0;
+ }
memset(mem->memory, '\0', sizeof(realsize + 1));
}
else
@@ -2832,3 +2714,24 @@ char* strtok_r(
}
#endif
+// we cannot log an error message as this happens much too often
+char* get_username(apr_pool_t* mp) {
+ char* username;
+ apr_uid_t uid;
+ apr_gid_t gid;
+ int rc = apr_uid_current(&uid, &gid, mp);
+ if (rc != APR_SUCCESS) return "apache";
+ rc = apr_uid_name_get(&username, uid, mp);
+ if (rc != APR_SUCCESS) return "apache";
+ return username;
+}
+
+// Returns the rule id if existing, otherwise the file name & line number
+const char* id_log(msre_rule* rule) {
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
+ assert(rule->ruleset != NULL);
+ const char* id = rule->actionset->id;
+ if (!id || id == NOT_SET_P || !*id) id = apr_psprintf(rule->ruleset->mp, "%s (%d)", rule->filename, rule->line_num);
+ return id;
+}
diff --git a/apache2/msc_util.h b/apache2/msc_util.h
index f7e1280f21..afff3e7f64 100644
--- a/apache2/msc_util.h
+++ b/apache2/msc_util.h
@@ -15,6 +15,7 @@
#ifndef _UTIL_H_
#define _UTIL_H_
+#include <assert.h>
#include <sys/types.h>
#include <apr_file_info.h>
@@ -164,6 +165,9 @@ int ip_tree_from_uri(TreeRoot **rtree, char *uri,
apr_pool_t *mp, char **error_msg);
#endif
+char DSOLOCAL *get_username(apr_pool_t* mp);
+const char* id_log(msre_rule* rule);
+
int read_line(char *buff, int size, FILE *fp);
size_t msc_curl_write_memory_cb(void *contents, size_t size,
diff --git a/apache2/msc_xml.c b/apache2/msc_xml.c
index a31decb5e1..2b6681639e 100644
--- a/apache2/msc_xml.c
+++ b/apache2/msc_xml.c
@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -24,9 +24,10 @@ xml_unload_external_entity(const char *URI, xmlCharEncoding enc) {
* Initialise XML parser.
*/
int xml_init(modsec_rec *msr, char **error_msg) {
+ assert(msr != NULL);
+ assert(error_msg != NULL);
xmlParserInputBufferCreateFilenameFunc entity;
- if (error_msg == NULL) return -1;
*error_msg = NULL;
msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data));
@@ -59,7 +60,8 @@ static void xml_receive_sax_error(void *data, const char *msg, ...) {
* Feed one chunk of data to the XML parser.
*/
int xml_process_chunk(modsec_rec *msr, const char *buf, unsigned int size, char **error_msg) {
- if (error_msg == NULL) return -1;
+ assert(msr != NULL);
+ assert(error_msg != NULL);
*error_msg = NULL;
/* We want to initialise our parsing context here, to
@@ -107,7 +109,8 @@ int xml_process_chunk(modsec_rec *msr, const char *buf, unsigned int size, char
* Finalise XML parsing.
*/
int xml_complete(modsec_rec *msr, char **error_msg) {
- if (error_msg == NULL) return -1;
+ assert(msr != NULL);
+ assert(error_msg != NULL);
*error_msg = NULL;
/* Only if we have a context, meaning we've done some work. */
@@ -137,6 +140,18 @@ int xml_complete(modsec_rec *msr, char **error_msg) {
* Frees the resources used for XML parsing.
*/
apr_status_t xml_cleanup(modsec_rec *msr) {
+ assert(msr != NULL);
+ assert(msr->xml != NULL);
+ if (msr->xml->parsing_ctx != NULL) {
+ if (msr->xml->parsing_ctx->myDoc) {
+ xmlFreeDoc(msr->xml->parsing_ctx->myDoc);
+ if (msr->xml->parsing_ctx->myDoc == msr->xml->doc) {
+ msr->xml->doc = NULL;
+ }
+ }
+ xmlFreeParserCtxt(msr->xml->parsing_ctx);
+ msr->xml->parsing_ctx = NULL;
+ }
if (msr->xml->doc != NULL) {
xmlFreeDoc(msr->xml->doc);
msr->xml->doc = NULL;
diff --git a/apache2/persist_dbm.c b/apache2/persist_dbm.c
index b698e7913f..ba8475cc59 100644
--- a/apache2/persist_dbm.c
+++ b/apache2/persist_dbm.c
@@ -1,709 +1,800 @@
-/*
-* ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
-*
-* You may not use this file except in compliance with
-* the License. You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* If any of the files related to licensing are missing or if you have any
-* other questions related to licensing please contact Trustwave Holdings, Inc.
-* directly using the email address security@modsecurity.org.
-*/
-
-#include "persist_dbm.h"
-#include "apr_sdbm.h"
-
-/**
- *
- */
-static apr_table_t *collection_unpack(modsec_rec *msr, const unsigned char *blob, unsigned int blob_size,
- int log_vars)
-{
- apr_table_t *col = NULL;
- unsigned int blob_offset;
-
- col = apr_table_make(msr->mp, 32);
- if (col == NULL) return NULL;
-
- /* ENH verify the first 3 bytes (header) */
-
- blob_offset = 3;
- while (blob_offset + 1 < blob_size) {
- msc_string *var = apr_pcalloc(msr->mp, sizeof(msc_string));
-
- var->name_len = (blob[blob_offset] << 8) + blob[blob_offset + 1];
- if (var->name_len == 0) {
- /* Is the length a name length, or just the end of the blob? */
- if (blob_offset < blob_size - 2) {
- /* This should never happen as the name length
- * includes the terminating NUL and should be 1 for ""
- */
- if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "collection_unpack: BLOB[%d]: %s", blob_offset, log_escape_hex(msr->mp, blob + blob_offset, blob_size - blob_offset));
- }
- msr_log(msr, 4, "collection_unpack: Possibly corrupted database: var name length = 0 at blob offset %u-%u.", blob_offset, blob_offset + 1);
- }
- break;
- }
- else if (var->name_len > 65536) {
- /* This should never happen as the length is restricted on store
- * to 65536.
- */
- if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "collection_unpack: BLOB[%d]: %s", blob_offset, log_escape_hex(msr->mp, blob + blob_offset, blob_size - blob_offset));
- }
- msr_log(msr, 4, "collection_unpack: Possibly corrupted database: var name length > 65536 (0x%04x) at blob offset %u-%u.", var->name_len, blob_offset, blob_offset + 1);
- break;
- }
-
- blob_offset += 2;
- if (blob_offset + var->name_len > blob_size) return NULL;
- var->name = apr_pstrmemdup(msr->mp, (const char *)blob + blob_offset, var->name_len - 1);
- blob_offset += var->name_len;
- var->name_len--;
-
- var->value_len = (blob[blob_offset] << 8) + blob[blob_offset + 1];
- blob_offset += 2;
-
- if (blob_offset + var->value_len > blob_size) return NULL;
- var->value = apr_pstrmemdup(msr->mp, (const char *)blob + blob_offset, var->value_len - 1);
- blob_offset += var->value_len;
- var->value_len--;
-
- if (log_vars && (msr->txcfg->debuglog_level >= 9)) {
- msr_log(msr, 9, "collection_unpack: Read variable: name \"%s\", value \"%s\".",
- log_escape_ex(msr->mp, var->name, var->name_len),
- log_escape_ex(msr->mp, var->value, var->value_len));
- }
-
- apr_table_addn(col, var->name, (void *)var);
- }
-
- return col;
-}
-
-/**
- *
- */
-static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec *msr, const char *col_name,
- const char *col_key, int col_key_len)
-{
- char *dbm_filename = NULL;
- apr_status_t rc;
- apr_sdbm_datum_t key;
- apr_sdbm_datum_t *value = NULL;
- apr_sdbm_t *dbm = NULL;
- apr_table_t *col = NULL;
- const apr_array_header_t *arr;
- apr_table_entry_t *te;
- int expired = 0;
- int i;
-
- if (msr->txcfg->data_dir == NULL) {
- msr_log(msr, 1, "collection_retrieve_ex: Unable to retrieve collection (name \"%s\", key \"%s\"). Use "
- "SecDataDir to define data directory first.", log_escape(msr->mp, col_name),
- log_escape_ex(msr->mp, col_key, col_key_len));
- goto cleanup;
- }
-
- dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", col_name, NULL);
-
- if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "collection_retrieve_ex: collection_retrieve_ex: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name),
- log_escape(msr->mp, dbm_filename));
- }
-
- key.dptr = (char *)col_key;
- key.dsize = col_key_len + 1;
-
- if (existing_dbm == NULL) {
- rc = apr_sdbm_open(&dbm, dbm_filename, APR_READ | APR_SHARELOCK,
- CREATEMODE, msr->mp);
- if (rc != APR_SUCCESS) {
- dbm = NULL;
- goto cleanup;
- }
- }
- else {
- dbm = existing_dbm;
- }
-
- value = (apr_sdbm_datum_t *)apr_pcalloc(msr->mp, sizeof(apr_sdbm_datum_t));
- rc = apr_sdbm_fetch(dbm, value, key);
- if (rc != APR_SUCCESS) {
- msr_log(msr, 1, "collection_retrieve_ex: Failed to read from DBM file \"%s\": %s", log_escape(msr->mp,
- dbm_filename), get_apr_error(msr->mp, rc));
- goto cleanup;
- }
-
- if (value->dptr == NULL) { /* Key not found in DBM file. */
- goto cleanup;
- }
-
- /* ENH Need expiration (and perhaps other metadata) accessible in blob
- * form to determine if converting to a table is needed. This will
- * save some cycles.
- */
-
- /* Transform raw data into a table. */
- col = collection_unpack(msr, (const unsigned char *)value->dptr, value->dsize, 1);
- if (col == NULL) {
- goto cleanup;
- }
-
- /* Close after "value" used from fetch or memory may be overwritten. */
- if (existing_dbm == NULL) {
- apr_sdbm_close(dbm);
- dbm = NULL;
- }
-
- /* Remove expired variables. */
- do {
- arr = apr_table_elts(col);
- te = (apr_table_entry_t *)arr->elts;
- for (i = 0; i < arr->nelts; i++) {
- if (strncmp(te[i].key, "__expire_", 9) == 0) {
- msc_string *var = (msc_string *)te[i].val;
- int expiry_time = atoi(var->value);
-
- if (expiry_time <= apr_time_sec(msr->request_time)) {
- char *key_to_expire = te[i].key;
-
- /* Done early if the col expired */
- if (strcmp(key_to_expire, "__expire_KEY") == 0) {
- expired = 1;
- }
-
- if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "collection_retrieve_ex: Removing key \"%s\" from collection.", key_to_expire + 9);
- msr_log(msr, 9, "collection_retrieve_ex: Removing key \"%s\" from collection.", key_to_expire);
- }
-
- apr_table_unset(col, key_to_expire + 9);
- apr_table_unset(col, key_to_expire);
-
- if (msr->txcfg->debuglog_level >= 4) {
- msr_log(msr, 4, "collection_retrieve_ex: Removed expired variable \"%s\".", key_to_expire + 9);
- }
-
- break;
- }
- }
- }
- } while(!expired && (i != arr->nelts));
-
- /* Delete the collection if the variable "KEY" does not exist.
- *
- * ENH It would probably be more efficient to hold the DBM
- * open until determined if it needs deleted than to open a second
- * time.
- */
- if (apr_table_get(col, "KEY") == NULL) {
- if (existing_dbm == NULL) {
- rc = apr_sdbm_open(&dbm, dbm_filename, APR_CREATE | APR_WRITE | APR_SHARELOCK,
- CREATEMODE, msr->mp);
- if (rc != APR_SUCCESS) {
- msr_log(msr, 1, "collection_retrieve_ex: Failed to access DBM file \"%s\": %s",
- log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc));
- dbm = NULL;
- goto cleanup;
- }
- }
- else {
- dbm = existing_dbm;
- }
-
- rc = apr_sdbm_delete(dbm, key);
- if (rc != APR_SUCCESS) {
- msr_log(msr, 1, "collection_retrieve_ex: Failed deleting collection (name \"%s\", "
- "key \"%s\"): %s", log_escape(msr->mp, col_name),
- log_escape_ex(msr->mp, col_key, col_key_len), get_apr_error(msr->mp, rc));
- msr->msc_sdbm_delete_error = 1;
- goto cleanup;
- }
-
-
- if (existing_dbm == NULL) {
- apr_sdbm_close(dbm);
- dbm = NULL;
- }
-
- if (expired && (msr->txcfg->debuglog_level >= 9)) {
- msr_log(msr, 9, "collection_retrieve_ex: Collection expired (name \"%s\", key \"%s\").", col_name,
- log_escape_ex(msr->mp, col_key, col_key_len));
- }
- if (msr->txcfg->debuglog_level >= 4) {
- msr_log(msr, 4, "collection_retrieve_ex: Deleted collection (name \"%s\", key \"%s\").",
- log_escape(msr->mp, col_name), log_escape_ex(msr->mp, col_key, col_key_len));
- }
- goto cleanup;
- }
-
- /* Update UPDATE_RATE */
- {
- msc_string *var;
- int create_time, counter;
-
- var = (msc_string *)apr_table_get(col, "CREATE_TIME");
- if (var == NULL) {
- /* Error. */
- } else {
- create_time = atoi(var->value);
- var = (msc_string *)apr_table_get(col, "UPDATE_COUNTER");
- if (var == NULL) {
- /* Error. */
- } else {
- apr_time_t td;
- counter = atoi(var->value);
-
- /* UPDATE_RATE is removed on store, so add it back here */
- var = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
- var->name = "UPDATE_RATE";
- var->name_len = strlen(var->name);
- apr_table_setn(col, var->name, (void *)var);
-
- /* NOTE: No rate if there has been no time elapsed */
- td = (apr_time_sec(apr_time_now()) - create_time);
- if (td == 0) {
- var->value = apr_psprintf(msr->mp, "%d", 0);
- }
- else {
- var->value = apr_psprintf(msr->mp, "%" APR_TIME_T_FMT,
- (apr_time_t)((60 * counter)/td));
- }
- var->value_len = strlen(var->value);
- }
- }
- }
-
- if (msr->txcfg->debuglog_level >= 4) {
- msr_log(msr, 4, "collection_retrieve_ex: Retrieved collection (name \"%s\", key \"%s\").",
- log_escape(msr->mp, col_name), log_escape_ex(msr->mp, col_key, col_key_len));
- }
-
- if ((existing_dbm == NULL) && dbm) {
- /* Should not ever get here */
- msr_log(msr, 1, "collection_retrieve_ex: Internal Error: Collection remained open (name \"%s\", key \"%s\").",
- log_escape(msr->mp, col_name), log_escape_ex(msr->mp, col_key, col_key_len));
-
- apr_sdbm_close(dbm);
- }
-
- return col;
-
-cleanup:
-
- if ((existing_dbm == NULL) && dbm) {
- apr_sdbm_close(dbm);
- }
-
- return NULL;
-}
-
-/**
- *
- */
-apr_table_t *collection_retrieve(modsec_rec *msr, const char *col_name,
- const char *col_key, int col_key_len)
-{
- apr_time_t time_before = apr_time_now();
- apr_table_t *rtable = NULL;
-
- rtable = collection_retrieve_ex(NULL, msr, col_name, col_key, col_key_len);
-
- msr->time_storage_read += apr_time_now() - time_before;
-
- return rtable;
-}
-
-/**
- *
- */
-int collection_store(modsec_rec *msr, apr_table_t *col) {
- char *dbm_filename = NULL;
- msc_string *var_name = NULL, *var_key = NULL;
- unsigned char *blob = NULL;
- unsigned int blob_size, blob_offset;
- apr_status_t rc;
- apr_sdbm_datum_t key;
- apr_sdbm_datum_t value;
- apr_sdbm_t *dbm = NULL;
- const apr_array_header_t *arr;
- apr_table_entry_t *te;
- int i;
- const apr_table_t *stored_col = NULL;
- const apr_table_t *orig_col = NULL;
-
- var_name = (msc_string *)apr_table_get(col, "__name");
- if (var_name == NULL) {
- goto error;
- }
-
- var_key = (msc_string *)apr_table_get(col, "__key");
- if (var_key == NULL) {
- goto error;
- }
-
- if (msr->txcfg->data_dir == NULL) {
- msr_log(msr, 1, "collection_store: Unable to store collection (name \"%s\", key \"%s\"). Use "
- "SecDataDir to define data directory first.", log_escape_ex(msr->mp, var_name->value, var_name->value_len),
- log_escape_ex(msr->mp, var_key->value, var_key->value_len));
- goto error;
- }
-
- // ENH: lowercase the var name in the filename
- dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", var_name->value, NULL);
-
- if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "collection_store: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, var_name->value),
- log_escape(msr->mp, dbm_filename));
- }
-
- /* Delete IS_NEW on store. */
- apr_table_unset(col, "IS_NEW");
-
- /* Delete UPDATE_RATE on store to save space as it is calculated */
- apr_table_unset(col, "UPDATE_RATE");
-
- /* Update the timeout value. */
- {
- msc_string *var = (msc_string *)apr_table_get(col, "TIMEOUT");
- if (var != NULL) {
- int timeout = atoi(var->value);
- var = (msc_string *)apr_table_get(col, "__expire_KEY");
- if (var != NULL) {
- var->value = apr_psprintf(msr->mp, "%" APR_TIME_T_FMT, (apr_time_t)(apr_time_sec(apr_time_now()) + timeout));
- var->value_len = strlen(var->value);
- }
- }
- }
-
- /* LAST_UPDATE_TIME */
- {
- msc_string *var = (msc_string *)apr_table_get(col, "LAST_UPDATE_TIME");
- if (var == NULL) {
- var = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
- var->name = "LAST_UPDATE_TIME";
- var->name_len = strlen(var->name);
- apr_table_setn(col, var->name, (void *)var);
- }
- var->value = apr_psprintf(msr->mp, "%" APR_TIME_T_FMT, (apr_time_t)(apr_time_sec(apr_time_now())));
- var->value_len = strlen(var->value);
- }
-
- /* UPDATE_COUNTER */
- {
- msc_string *var = (msc_string *)apr_table_get(col, "UPDATE_COUNTER");
- int counter = 0;
- if (var == NULL) {
- var = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
- var->name = "UPDATE_COUNTER";
- var->name_len = strlen(var->name);
- apr_table_setn(col, var->name, (void *)var);
- } else {
- counter = atoi(var->value);
- }
- var->value = apr_psprintf(msr->mp, "%d", counter + 1);
- var->value_len = strlen(var->value);
- }
-
- /* ENH Make the expiration timestamp accessible in blob form so that
- * it is easier/faster to determine expiration without having to
- * convert back to table form
- */
-
- rc = apr_sdbm_open(&dbm, dbm_filename, APR_CREATE | APR_WRITE | APR_SHARELOCK,
- CREATEMODE, msr->mp);
- if (rc != APR_SUCCESS) {
- msr_log(msr, 1, "collection_store: Failed to access DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename),
- get_apr_error(msr->mp, rc));
- dbm = NULL;
- goto error;
- }
-
- /* Need to lock to pull in the stored data again and apply deltas. */
- rc = apr_sdbm_lock(dbm, APR_FLOCK_EXCLUSIVE);
- if (rc != APR_SUCCESS) {
- msr_log(msr, 1, "collection_store: Failed to exclusivly lock DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename),
- get_apr_error(msr->mp, rc));
- goto error;
- }
-
- /* If there is an original value, then create a delta and
- * apply the delta to the current value */
- orig_col = (const apr_table_t *)apr_table_get(msr->collections_original, var_name->value);
- if (orig_col != NULL) {
- if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "collection_store: Re-retrieving collection prior to store: %s",
- apr_psprintf(msr->mp, "%.*s", var_name->value_len, var_name->value));
- }
-
- stored_col = (const apr_table_t *)collection_retrieve_ex(dbm, msr, var_name->value, var_key->value, var_key->value_len);
- }
-
- /* Merge deltas and calculate the size first. */
- blob_size = 3 + 2;
- arr = apr_table_elts(col);
- te = (apr_table_entry_t *)arr->elts;
- for (i = 0; i < arr->nelts; i++) {
- msc_string *var = (msc_string *)te[i].val;
- int len;
-
- /* If there is an original value, then apply the delta
- * to the latest stored value */
- if (stored_col != NULL) {
- const msc_string *orig_var = (const msc_string *)apr_table_get(orig_col, var->name);
- if (orig_var != NULL) {
- const msc_string *stored_var = (const msc_string *)apr_table_get(stored_col, var->name);
- if (stored_var != NULL) {
- int origval = atoi(orig_var->value);
- int ourval = atoi(var->value);
- int storedval = atoi(stored_var->value);
- int delta = ourval - origval;
- int newval = storedval + delta;
-
- if (newval < 0) newval = 0; /* Counters never go below zero. */
-
- var->value = apr_psprintf(msr->mp, "%d", newval);
- var->value_len = strlen(var->value);
-
- if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "collection_store: Delta applied for %s.%s %d->%d (%d): %d + (%d) = %d [%s,%d]",
- log_escape_ex(msr->mp, var_name->value, var_name->value_len),
- log_escape_ex(msr->mp, var->name, var->name_len),
- origval, ourval, delta, storedval, delta, newval, var->value, var->value_len);
- }
- }
- }
- }
-
- len = var->name_len + 1;
- if (len >= 65536) len = 65536;
- blob_size += len + 2;
-
- len = var->value_len + 1;
- if (len >= 65536) len = 65536;
- blob_size += len + 2;
- }
-
- /* Now generate the binary object. */
- blob = apr_pcalloc(msr->mp, blob_size);
- if (blob == NULL) {
- if (dbm != NULL) {
- apr_sdbm_unlock(dbm);
- apr_sdbm_close(dbm);
- }
-
- return -1;
- }
-
- blob[0] = 0x49;
- blob[1] = 0x52;
- blob[2] = 0x01;
-
- blob_offset = 3;
- arr = apr_table_elts(col);
- te = (apr_table_entry_t *)arr->elts;
- for (i = 0; i < arr->nelts; i++) {
- msc_string *var = (msc_string *)te[i].val;
- int len;
-
- len = var->name_len + 1;
- if (len >= 65536) len = 65536;
-
- blob[blob_offset + 0] = (len & 0xff00) >> 8;
- blob[blob_offset + 1] = len & 0x00ff;
- memcpy(blob + blob_offset + 2, var->name, len - 1);
- blob[blob_offset + 2 + len - 1] = '\0';
- blob_offset += 2 + len;
-
- len = var->value_len + 1;
- if (len >= 65536) len = 65536;
-
- blob[blob_offset + 0] = (len & 0xff00) >> 8;
- blob[blob_offset + 1] = len & 0x00ff;
- memcpy(blob + blob_offset + 2, var->value, len - 1);
- blob[blob_offset + 2 + len - 1] = '\0';
- blob_offset += 2 + len;
-
- if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "collection_store: Wrote variable: name \"%s\", value \"%s\".",
- log_escape_ex(msr->mp, var->name, var->name_len),
- log_escape_ex(msr->mp, var->value, var->value_len));
- }
- }
-
- blob[blob_offset] = 0;
- blob[blob_offset + 1] = 0;
-
- /* And, finally, store it. */
- key.dptr = var_key->value;
- key.dsize = var_key->value_len + 1;
-
- value.dptr = (char *)blob;
- value.dsize = blob_size;
-
- rc = apr_sdbm_store(dbm, key, value, APR_SDBM_REPLACE);
- if (rc != APR_SUCCESS) {
- msr_log(msr, 1, "collection_store: Failed to write to DBM file \"%s\": %s", dbm_filename,
- get_apr_error(msr->mp, rc));
- if (dbm != NULL) {
- apr_sdbm_unlock(dbm);
- apr_sdbm_close(dbm);
- }
-
- return -1;
- }
-
- apr_sdbm_unlock(dbm);
- apr_sdbm_close(dbm);
-
- if (msr->txcfg->debuglog_level >= 4) {
- msr_log(msr, 4, "collection_store: Persisted collection (name \"%s\", key \"%s\").",
- log_escape_ex(msr->mp, var_name->value, var_name->value_len),
- log_escape_ex(msr->mp, var_key->value, var_key->value_len));
- }
-
- return 0;
-
-error:
- return -1;
-}
-
-/**
- *
- */
-int collections_remove_stale(modsec_rec *msr, const char *col_name) {
- char *dbm_filename = NULL;
- apr_sdbm_datum_t key, value;
- apr_sdbm_t *dbm = NULL;
- apr_status_t rc;
- apr_array_header_t *keys_arr;
- char **keys;
- apr_time_t now = apr_time_sec(msr->request_time);
- int i;
-
- if (msr->txcfg->data_dir == NULL) {
- /* The user has been warned about this problem enough times already by now.
- * msr_log(msr, 1, "Unable to access collection file (name \"%s\"). Use SecDataDir to "
- * "define data directory first.", log_escape(msr->mp, col_name));
- */
- goto error;
- }
-
- if(strstr(col_name,"USER") || strstr(col_name,"SESSION") || strstr(col_name, "RESOURCE"))
- dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", msr->txcfg->webappid, "_", col_name, NULL);
- else
- dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", col_name, NULL);
-
- if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "collections_remove_stale: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name),
- log_escape(msr->mp, dbm_filename));
- }
-
- rc = apr_sdbm_open(&dbm, dbm_filename, APR_CREATE | APR_WRITE | APR_SHARELOCK,
- CREATEMODE, msr->mp);
- if (rc != APR_SUCCESS) {
- msr_log(msr, 1, "collections_remove_stale: Failed to access DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename),
- get_apr_error(msr->mp, rc));
- dbm = NULL;
- goto error;
- }
-
- /* First get a list of all keys. */
- keys_arr = apr_array_make(msr->mp, 256, sizeof(char *));
- rc = apr_sdbm_lock(dbm, APR_FLOCK_SHARED);
- if (rc != APR_SUCCESS) {
- msr_log(msr, 1, "collections_remove_stale: Failed to lock DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename),
- get_apr_error(msr->mp, rc));
- goto error;
- }
-
- /* No one can write to the file while doing this so
- * do it as fast as possible.
- */
- rc = apr_sdbm_firstkey(dbm, &key);
- while(rc == APR_SUCCESS) {
- char *s = apr_pstrmemdup(msr->mp, key.dptr, key.dsize - 1);
- *(char **)apr_array_push(keys_arr) = s;
- rc = apr_sdbm_nextkey(dbm, &key);
- }
- apr_sdbm_unlock(dbm);
-
- if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "collections_remove_stale: Found %d record(s) in file \"%s\".", keys_arr->nelts,
- log_escape(msr->mp, dbm_filename));
- }
-
- /* Now retrieve the entires one by one. */
- keys = (char **)keys_arr->elts;
- for (i = 0; i < keys_arr->nelts; i++) {
- key.dptr = keys[i];
- key.dsize = strlen(key.dptr) + 1;
-
- rc = apr_sdbm_fetch(dbm, &value, key);
- if (rc != APR_SUCCESS) {
- msr_log(msr, 1, "collections_remove_stale: Failed reading DBM file \"%s\": %s",
- log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc));
- goto error;
- }
-
- if (value.dptr != NULL) {
- apr_table_t *col = NULL;
- msc_string *var = NULL;
-
- col = collection_unpack(msr, (const unsigned char *)value.dptr, value.dsize, 0);
- if (col == NULL) {
- goto error;
- }
-
- var = (msc_string *)apr_table_get(col, "__expire_KEY");
- if (var == NULL) {
- msr_log(msr, 1, "collections_remove_stale: Collection cleanup discovered entry with no "
- "__expire_KEY (name \"%s\", key \"%s\").",
- log_escape(msr->mp, col_name), log_escape_ex(msr->mp, key.dptr, key.dsize - 1));
- } else {
- unsigned int expiry_time = atoi(var->value);
-
- if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "collections_remove_stale: Record (name \"%s\", key \"%s\") set to expire in %" APR_TIME_T_FMT " seconds.",
- log_escape(msr->mp, col_name), log_escape_ex(msr->mp, key.dptr, key.dsize - 1),
- expiry_time - now);
- }
-
- if (expiry_time <= now) {
- rc = apr_sdbm_delete(dbm, key);
- if (rc != APR_SUCCESS) {
- msr_log(msr, 1, "collections_remove_stale: Failed deleting collection (name \"%s\", "
- "key \"%s\"): %s", log_escape(msr->mp, col_name),
- log_escape_ex(msr->mp, key.dptr, key.dsize - 1), get_apr_error(msr->mp, rc));
- msr->msc_sdbm_delete_error = 1;
- goto error;
- }
-
- if (msr->txcfg->debuglog_level >= 4) {
- msr_log(msr, 4, "collections_remove_stale: Removed stale collection (name \"%s\", "
- "key \"%s\").", log_escape(msr->mp, col_name),
- log_escape_ex(msr->mp, key.dptr, key.dsize - 1));
- }
- }
- }
- } else {
- /* Ignore entry not found - it may have been removed in the meantime. */
- }
- }
-
- apr_sdbm_close(dbm);
-
- return 1;
-
-error:
-
- if (dbm) {
- apr_sdbm_close(dbm);
- }
-
- return -1;
-}
+/*
+* ModSecurity for Apache 2.x, http://www.modsecurity.org/
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+*
+* You may not use this file except in compliance with
+* the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* If any of the files related to licensing are missing or if you have any
+* other questions related to licensing please contact Trustwave Holdings, Inc.
+* directly using the email address security@modsecurity.org.
+*/
+
+#include "persist_dbm.h"
+#include "apr_sdbm.h"
+
+/**
+ *
+ */
+static apr_table_t *collection_unpack(modsec_rec *msr, const unsigned char *blob, unsigned int blob_size,
+ int log_vars)
+{
+ assert(msr != NULL);
+ assert(blob != NULL);
+ apr_table_t *col = NULL;
+ unsigned int blob_offset;
+
+ col = apr_table_make(msr->mp, 32);
+ if (col == NULL) return NULL;
+
+ /* ENH verify the first 3 bytes (header) */
+
+ blob_offset = 3;
+ while (blob_offset + 1 < blob_size) {
+ msc_string *var = apr_pcalloc(msr->mp, sizeof(msc_string));
+
+ var->name_len = (blob[blob_offset] << 8) + blob[blob_offset + 1];
+ if (var->name_len == 0) {
+ /* Is the length a name length, or just the end of the blob? */
+ if (blob_offset < blob_size - 2) {
+ /* This should never happen as the name length
+ * includes the terminating NUL and should be 1 for ""
+ */
+ if (msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "collection_unpack: BLOB[%d]: %s", blob_offset, log_escape_hex(msr->mp, blob + blob_offset, blob_size - blob_offset));
+ }
+ msr_log(msr, 4, "collection_unpack: Possibly corrupted database: var name length = 0 at blob offset %u-%u.", blob_offset, blob_offset + 1);
+ }
+ break;
+ }
+ else if (var->name_len > 65536) {
+ /* This should never happen as the length is restricted on store
+ * to 65536.
+ */
+ if (msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "collection_unpack: BLOB[%d]: %s", blob_offset, log_escape_hex(msr->mp, blob + blob_offset, blob_size - blob_offset));
+ }
+ msr_log(msr, 4, "collection_unpack: Possibly corrupted database: var name length > 65536 (0x%04x) at blob offset %u-%u.", var->name_len, blob_offset, blob_offset + 1);
+ break;
+ }
+
+ blob_offset += 2;
+ if (blob_offset + var->name_len > blob_size) return NULL;
+ var->name = apr_pstrmemdup(msr->mp, (const char *)blob + blob_offset, var->name_len - 1);
+ blob_offset += var->name_len;
+ var->name_len--;
+
+ var->value_len = (blob[blob_offset] << 8) + blob[blob_offset + 1];
+ blob_offset += 2;
+
+ if (blob_offset + var->value_len > blob_size) return NULL;
+ var->value = apr_pstrmemdup(msr->mp, (const char *)blob + blob_offset, var->value_len - 1);
+ blob_offset += var->value_len;
+ var->value_len--;
+
+ if (log_vars && (msr->txcfg->debuglog_level >= 9)) {
+ msr_log(msr, 9, "collection_unpack: Read variable: name \"%s\", value \"%s\".",
+ log_escape_ex(msr->mp, var->name, var->name_len),
+ log_escape_ex(msr->mp, var->value, var->value_len));
+ }
+
+ apr_table_addn(col, var->name, (void *)var);
+ }
+
+ return col;
+}
+
+/**
+ *
+ */
+static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec *msr, const char *col_name,
+ const char *col_key, int col_key_len)
+{
+ assert(msr != NULL);
+ assert(col_name != NULL);
+ char *dbm_filename = NULL;
+ apr_status_t rc;
+ apr_sdbm_datum_t key;
+ apr_sdbm_datum_t *value = NULL;
+ apr_sdbm_t *dbm = NULL;
+ apr_table_t *col = NULL;
+ const apr_array_header_t *arr;
+ apr_table_entry_t *te;
+ int expired = 0;
+ int i;
+ char *userinfo = get_username(msr->mp);
+
+ if (msr->txcfg->data_dir == NULL) {
+ msr_log(msr, 1, "collection_retrieve_ex: Unable to retrieve collection (name \"%s\", key \"%s\"). Use "
+ "SecDataDir to define data directory first.", log_escape(msr->mp, col_name),
+ log_escape_ex(msr->mp, col_key, col_key_len));
+ goto cleanup;
+ }
+
+ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", col_name, NULL);
+
+ if (msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "collection_retrieve_ex: collection_retrieve_ex: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name),
+ log_escape(msr->mp, dbm_filename));
+ }
+
+ key.dptr = (char *)col_key;
+ key.dsize = col_key_len + 1;
+
+ if (existing_dbm == NULL) {
+#ifdef GLOBAL_COLLECTION_LOCK
+ rc = msr_global_mutex_lock(msr, msr->modsecurity->dbm_lock, "collection_retrieve_ex");
+ if (rc != APR_SUCCESS) goto cleanup;
+#endif
+ rc = apr_sdbm_open(&dbm, dbm_filename, APR_READ | APR_SHARELOCK,
+ CREATEMODE, msr->mp);
+ if (rc != APR_SUCCESS) {
+ dbm = NULL;
+#ifdef GLOBAL_COLLECTION_LOCK
+ msr_global_mutex_unlock(msr, msr->modsecurity->dbm_lock, "collection_retrieve_ex");
+#endif
+ goto cleanup;
+ }
+ }
+ else {
+ dbm = existing_dbm;
+ }
+
+ value = (apr_sdbm_datum_t *)apr_pcalloc(msr->mp, sizeof(apr_sdbm_datum_t));
+ rc = apr_sdbm_fetch(dbm, value, key);
+ if (rc != APR_SUCCESS) {
+ msr_log(msr, 1, "collection_retrieve_ex: Failed to read from DBM file \"%s\": %s", log_escape(msr->mp,
+ dbm_filename), get_apr_error(msr->mp, rc));
+ goto cleanup;
+ }
+
+ if (value->dptr == NULL) { /* Key not found in DBM file. */
+ goto cleanup;
+ }
+
+ /* ENH Need expiration (and perhaps other metadata) accessible in blob
+ * form to determine if converting to a table is needed. This will
+ * save some cycles.
+ */
+
+ /* Transform raw data into a table. */
+ col = collection_unpack(msr, (const unsigned char *)value->dptr, value->dsize, 1);
+ if (col == NULL) {
+ goto cleanup;
+ }
+
+ /* Close after "value" used from fetch or memory may be overwritten. */
+ if (existing_dbm == NULL) {
+ apr_sdbm_close(dbm);
+#ifdef GLOBAL_COLLECTION_LOCK
+ msr_global_mutex_unlock(msr, msr->modsecurity->dbm_lock, "collection_retrieve_ex");
+#endif
+ dbm = NULL;
+ }
+
+ /* Remove expired variables. */
+ do {
+ arr = apr_table_elts(col);
+ te = (apr_table_entry_t *)arr->elts;
+ for (i = 0; i < arr->nelts; i++) {
+ if (strncmp(te[i].key, "__expire_", 9) == 0) {
+ msc_string *var = (msc_string *)te[i].val;
+ int expiry_time = atoi(var->value);
+
+ if (expiry_time <= apr_time_sec(msr->request_time)) {
+ char *key_to_expire = te[i].key;
+
+ /* Done early if the col expired */
+ if (strcmp(key_to_expire, "__expire_KEY") == 0) {
+ expired = 1;
+ }
+
+ if (msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "collection_retrieve_ex: Removing key \"%s\" from collection.", key_to_expire + 9);
+ msr_log(msr, 9, "collection_retrieve_ex: Removing key \"%s\" from collection.", key_to_expire);
+ }
+
+ apr_table_unset(col, key_to_expire + 9);
+ apr_table_unset(col, key_to_expire);
+
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "collection_retrieve_ex: Removed expired variable \"%s\".", key_to_expire + 9);
+ }
+
+ break;
+ }
+ }
+ }
+ } while(!expired && (i != arr->nelts));
+
+ /* Delete the collection if the variable "KEY" does not exist.
+ *
+ * ENH It would probably be more efficient to hold the DBM
+ * open until determined if it needs deleted than to open a second
+ * time.
+ */
+ if (apr_table_get(col, "KEY") == NULL) {
+ if (existing_dbm == NULL) {
+#ifdef GLOBAL_COLLECTION_LOCK
+ rc = msr_global_mutex_lock(msr, msr->modsecurity->dbm_lock, "collection_retrieve_ex");
+ if (rc != APR_SUCCESS) goto cleanup;
+#endif
+ rc = apr_sdbm_open(&dbm, dbm_filename, APR_CREATE | APR_WRITE | APR_SHARELOCK,
+ CREATEMODE, msr->mp);
+ if (rc != APR_SUCCESS) {
+ msr_log(msr, 1, "collection_retrieve_ex: Failed to access DBM file \"%s\": %s",
+ log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc));
+ dbm = NULL;
+#ifdef GLOBAL_COLLECTION_LOCK
+ msr_global_mutex_unlock(msr, msr->modsecurity->dbm_lock, "collection_retrieve_ex");
+#endif
+ goto cleanup;
+ }
+ }
+ else {
+ dbm = existing_dbm;
+ }
+
+ rc = apr_sdbm_delete(dbm, key);
+ if (rc != APR_SUCCESS) {
+#ifdef LOG_NO_COLL_DELET_PB
+ if (msr->txcfg->debuglog_level >= 9)
+#endif
+ msr_log(msr, 1, "collection_retrieve_ex: Failed deleting collection (name \"%s\", "
+ "key \"%s\"): %s", log_escape(msr->mp, col_name),
+ log_escape_ex(msr->mp, col_key, col_key_len), get_apr_error(msr->mp, rc));
+ msr->msc_sdbm_delete_error = 1;
+ goto cleanup;
+ }
+
+
+ if (existing_dbm == NULL) {
+ apr_sdbm_close(dbm);
+#ifdef GLOBAL_COLLECTION_LOCK
+ msr_global_mutex_unlock(msr, msr->modsecurity->dbm_lock, "collection_retrieve_ex");
+#endif
+ dbm = NULL;
+ }
+
+ if (expired && (msr->txcfg->debuglog_level >= 9)) {
+ msr_log(msr, 9, "collection_retrieve_ex: Collection expired (name \"%s\", key \"%s\").", col_name,
+ log_escape_ex(msr->mp, col_key, col_key_len));
+ }
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "collection_retrieve_ex: Deleted collection (name \"%s\", key \"%s\").",
+ log_escape(msr->mp, col_name), log_escape_ex(msr->mp, col_key, col_key_len));
+ }
+ goto cleanup;
+ }
+
+ /* Update UPDATE_RATE */
+ {
+ msc_string *var;
+ int create_time, counter;
+
+ var = (msc_string *)apr_table_get(col, "CREATE_TIME");
+ if (var == NULL) {
+ /* Error. */
+ } else {
+ create_time = atoi(var->value);
+ var = (msc_string *)apr_table_get(col, "UPDATE_COUNTER");
+ if (var == NULL) {
+ /* Error. */
+ } else {
+ apr_time_t td;
+ counter = atoi(var->value);
+
+ /* UPDATE_RATE is removed on store, so add it back here */
+ var = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ var->name = "UPDATE_RATE";
+ var->name_len = strlen(var->name);
+ apr_table_setn(col, var->name, (void *)var);
+
+ /* NOTE: No rate if there has been no time elapsed */
+ td = (apr_time_sec(apr_time_now()) - create_time);
+ if (td == 0) {
+ var->value = apr_psprintf(msr->mp, "%d", 0);
+ }
+ else {
+ var->value = apr_psprintf(msr->mp, "%" APR_TIME_T_FMT,
+ (apr_time_t)((60 * counter)/td));
+ }
+ var->value_len = strlen(var->value);
+ }
+ }
+ }
+
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "collection_retrieve_ex: Retrieved collection (name \"%s\", key \"%s\").",
+ log_escape(msr->mp, col_name), log_escape_ex(msr->mp, col_key, col_key_len));
+ }
+
+ if ((existing_dbm == NULL) && dbm) {
+ /* Should not ever get here */
+ msr_log(msr, 1, "collection_retrieve_ex: Internal Error: Collection remained open (name \"%s\", key \"%s\").",
+ log_escape(msr->mp, col_name), log_escape_ex(msr->mp, col_key, col_key_len));
+
+ apr_sdbm_close(dbm);
+#ifdef GLOBAL_COLLECTION_LOCK
+ msr_global_mutex_unlock(msr, msr->modsecurity->dbm_lock, "collection_retrieve_ex");
+#endif
+ }
+
+ return col;
+
+cleanup:
+
+ if ((existing_dbm == NULL) && dbm) {
+ apr_sdbm_close(dbm);
+#ifdef GLOBAL_COLLECTION_LOCK
+ msr_global_mutex_unlock(msr, msr->modsecurity->dbm_lock, "collection_retrieve_ex");
+#endif
+ }
+
+ return NULL;
+}
+
+/**
+ *
+ */
+apr_table_t *collection_retrieve(modsec_rec *msr, const char *col_name,
+ const char *col_key, int col_key_len)
+{
+ assert(msr != NULL);
+ apr_time_t time_before = apr_time_now();
+ apr_table_t *rtable = NULL;
+
+ rtable = collection_retrieve_ex(NULL, msr, col_name, col_key, col_key_len);
+
+ msr->time_storage_read += apr_time_now() - time_before;
+
+ return rtable;
+}
+
+/**
+ *
+ */
+int collection_store(modsec_rec *msr, apr_table_t *col) {
+ assert(msr != NULL);
+ char *dbm_filename = NULL;
+ msc_string *var_name = NULL, *var_key = NULL;
+ unsigned char *blob = NULL;
+ unsigned int blob_size, blob_offset;
+ apr_status_t rc;
+ apr_sdbm_datum_t key;
+ apr_sdbm_datum_t value;
+ apr_sdbm_t *dbm = NULL;
+ const apr_array_header_t *arr;
+ apr_table_entry_t *te;
+ int i;
+ const apr_table_t *stored_col = NULL;
+ const apr_table_t *orig_col = NULL;
+ char *userinfo = get_username(msr->mp);
+
+ var_name = (msc_string *)apr_table_get(col, "__name");
+ if (var_name == NULL) {
+ goto error;
+ }
+
+ var_key = (msc_string *)apr_table_get(col, "__key");
+ if (var_key == NULL) {
+ goto error;
+ }
+
+ if (msr->txcfg->data_dir == NULL) {
+ msr_log(msr, 1, "collection_store: Unable to store collection (name \"%s\", key \"%s\"). Use "
+ "SecDataDir to define data directory first.", log_escape_ex(msr->mp, var_name->value, var_name->value_len),
+ log_escape_ex(msr->mp, var_key->value, var_key->value_len));
+ goto error;
+ }
+
+ // ENH: lowercase the var name in the filename
+ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", var_name->value, NULL);
+
+ if (msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "collection_store: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, var_name->value),
+ log_escape(msr->mp, dbm_filename));
+ }
+
+#ifdef GLOBAL_COLLECTION_LOCK
+ /* Need to lock to pull in the stored data again and apply deltas. */
+ int ret = msr_global_mutex_lock(msr, msr->modsecurity->dbm_lock, "collection_store");
+ if (ret != APR_SUCCESS) goto error;
+#endif
+
+ /* Delete IS_NEW on store. */
+ apr_table_unset(col, "IS_NEW");
+
+ /* Delete UPDATE_RATE on store to save space as it is calculated */
+ apr_table_unset(col, "UPDATE_RATE");
+
+ /* Update the timeout value. */
+ {
+ msc_string *var = (msc_string *)apr_table_get(col, "TIMEOUT");
+ if (var != NULL) {
+ int timeout = atoi(var->value);
+ var = (msc_string *)apr_table_get(col, "__expire_KEY");
+ if (var != NULL) {
+ var->value = apr_psprintf(msr->mp, "%" APR_TIME_T_FMT, (apr_time_t)(apr_time_sec(apr_time_now()) + timeout));
+ var->value_len = strlen(var->value);
+ }
+ }
+ }
+
+ /* LAST_UPDATE_TIME */
+ {
+ msc_string *var = (msc_string *)apr_table_get(col, "LAST_UPDATE_TIME");
+ if (var == NULL) {
+ var = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ var->name = "LAST_UPDATE_TIME";
+ var->name_len = strlen(var->name);
+ apr_table_setn(col, var->name, (void *)var);
+ }
+ var->value = apr_psprintf(msr->mp, "%" APR_TIME_T_FMT, (apr_time_t)(apr_time_sec(apr_time_now())));
+ var->value_len = strlen(var->value);
+ }
+
+ /* UPDATE_COUNTER */
+ {
+ msc_string *var = (msc_string *)apr_table_get(col, "UPDATE_COUNTER");
+ int counter = 0;
+ if (var == NULL) {
+ var = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ var->name = "UPDATE_COUNTER";
+ var->name_len = strlen(var->name);
+ apr_table_setn(col, var->name, (void *)var);
+ } else {
+ counter = atoi(var->value);
+ }
+ var->value = apr_psprintf(msr->mp, "%d", counter + 1);
+ var->value_len = strlen(var->value);
+ }
+
+ /* ENH Make the expiration timestamp accessible in blob form so that
+ * it is easier/faster to determine expiration without having to
+ * convert back to table form
+ */
+
+ rc = apr_sdbm_open(&dbm, dbm_filename, APR_CREATE | APR_WRITE | APR_SHARELOCK,
+ CREATEMODE, msr->mp);
+ if (rc != APR_SUCCESS) {
+#ifdef GLOBAL_COLLECTION_LOCK
+ msr_global_mutex_unlock(msr, msr->modsecurity->dbm_lock, "collection_store");
+#endif
+ msr_log(msr, 1, "collection_store: Failed to access DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename),
+ get_apr_error(msr->mp, rc));
+ dbm = NULL;
+ goto error;
+ }
+
+#ifndef GLOBAL_COLLECTION_LOCK
+ /* Need to lock to pull in the stored data again and apply deltas. */
+ rc = apr_sdbm_lock(dbm, APR_FLOCK_EXCLUSIVE);
+ if (rc != APR_SUCCESS) {
+ msr_log(msr, 1, "collection_store: Failed to exclusivly lock DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename),
+ get_apr_error(msr->mp, rc));
+ goto error;
+ }
+#endif
+
+ /* If there is an original value, then create a delta and
+ * apply the delta to the current value */
+ orig_col = (const apr_table_t *)apr_table_get(msr->collections_original, var_name->value);
+ if (orig_col != NULL) {
+ if (msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "collection_store: Re-retrieving collection prior to store: %s",
+ apr_psprintf(msr->mp, "%.*s", var_name->value_len, var_name->value));
+ }
+
+ stored_col = (const apr_table_t *)collection_retrieve_ex(dbm, msr, var_name->value, var_key->value, var_key->value_len);
+ }
+
+ /* Merge deltas and calculate the size first. */
+ blob_size = 3 + 2;
+ arr = apr_table_elts(col);
+ te = (apr_table_entry_t *)arr->elts;
+ for (i = 0; i < arr->nelts; i++) {
+ msc_string *var = (msc_string *)te[i].val;
+ int len;
+
+ /* If there is an original value, then apply the delta
+ * to the latest stored value */
+ if (stored_col != NULL) {
+ const msc_string *orig_var = (const msc_string *)apr_table_get(orig_col, var->name);
+ if (orig_var != NULL) {
+ const msc_string *stored_var = (const msc_string *)apr_table_get(stored_col, var->name);
+ if (stored_var != NULL) {
+ int origval = atoi(orig_var->value);
+ int ourval = atoi(var->value);
+ int storedval = atoi(stored_var->value);
+ int delta = ourval - origval;
+ int newval = storedval + delta;
+
+ if (newval < 0) newval = 0; /* Counters never go below zero. */
+
+ var->value = apr_psprintf(msr->mp, "%d", newval);
+ var->value_len = strlen(var->value);
+
+ if (msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "collection_store: Delta applied for %s.%s %d->%d (%d): %d + (%d) = %d [%s,%d]",
+ log_escape_ex(msr->mp, var_name->value, var_name->value_len),
+ log_escape_ex(msr->mp, var->name, var->name_len),
+ origval, ourval, delta, storedval, delta, newval, var->value, var->value_len);
+ }
+ }
+ }
+ }
+
+ // Allocate blob_size for keys
+ len = var->name_len + 1;
+ if (len >= 65536) len = 65536;
+ blob_size += len + 2;
+
+ // Allocate blob_size for values
+ len = var->value_len + 1;
+ if (len >= 65536) len = 65536;
+ blob_size += len + 2;
+ }
+
+ /* Now generate the binary object. */
+ blob = apr_pcalloc(msr->mp, blob_size);
+ if (blob == NULL) {
+ if (dbm != NULL) {
+#ifdef GLOBAL_COLLECTION_LOCK
+ apr_sdbm_close(dbm);
+ msr_global_mutex_unlock(msr, msr->modsecurity->dbm_lock, "collection_store");
+#else
+ apr_sdbm_unlock(dbm);
+ apr_sdbm_close(dbm);
+#endif
+ }
+
+ return -1;
+ }
+
+ blob[0] = 0x49;
+ blob[1] = 0x52;
+ blob[2] = 0x01;
+
+ blob_offset = 3;
+ arr = apr_table_elts(col);
+ te = (apr_table_entry_t *)arr->elts;
+ for (i = 0; i < arr->nelts; i++) {
+ msc_string *var = (msc_string *)te[i].val;
+ int len;
+
+ len = var->name_len + 1;
+ if (len >= 65536) len = 65536;
+
+ blob[blob_offset + 0] = (len & 0xff00) >> 8;
+ blob[blob_offset + 1] = len & 0x00ff;
+ memcpy(blob + blob_offset + 2, var->name, len - 1);
+ blob[blob_offset + 2 + len - 1] = '\0';
+ blob_offset += 2 + len;
+
+ len = var->value_len + 1;
+ if (len >= 65536) len = 65536;
+
+ blob[blob_offset + 0] = (len & 0xff00) >> 8;
+ blob[blob_offset + 1] = len & 0x00ff;
+ memcpy(blob + blob_offset + 2, var->value, len - 1);
+ blob[blob_offset + 2 + len - 1] = '\0';
+ blob_offset += 2 + len;
+
+ if (msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "collection_store: Wrote variable: name \"%s\", value \"%s\".",
+ log_escape_ex(msr->mp, var->name, var->name_len),
+ log_escape_ex(msr->mp, var->value, var->value_len));
+ }
+ }
+
+ blob[blob_offset] = 0;
+ blob[blob_offset + 1] = 0;
+
+ /* And, finally, store it. */
+ key.dptr = var_key->value;
+ key.dsize = var_key->value_len + 1;
+
+ value.dptr = (char *)blob;
+ value.dsize = blob_size;
+
+ rc = apr_sdbm_store(dbm, key, value, APR_SDBM_REPLACE);
+ if (rc != APR_SUCCESS) {
+ msr_log(msr, 1, "collection_store: Failed to write to DBM file \"%s\": %s", dbm_filename,
+ get_apr_error(msr->mp, rc));
+ if (dbm != NULL) {
+#ifdef GLOBAL_COLLECTION_LOCK
+ apr_sdbm_close(dbm);
+ msr_global_mutex_unlock(msr, msr->modsecurity->dbm_lock, "collection_store");
+#else
+ apr_sdbm_unlock(dbm);
+ apr_sdbm_close(dbm);
+#endif
+ }
+
+ return -1;
+ }
+
+#ifdef GLOBAL_COLLECTION_LOCK
+ apr_sdbm_close(dbm);
+ msr_global_mutex_unlock(msr, msr->modsecurity->dbm_lock, "collection_store");
+#else
+ apr_sdbm_unlock(dbm);
+ apr_sdbm_close(dbm);
+#endif
+
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "collection_store: Persisted collection (name \"%s\", key \"%s\", length=%d).",
+ log_escape_ex(msr->mp, var_name->value, var_name->value_len),
+ log_escape_ex(msr->mp, var_key->value, var_key->value_len), value.dsize);
+ }
+
+ return 0;
+
+error:
+ return -1;
+}
+
+/**
+ *
+ */
+int collections_remove_stale(modsec_rec *msr, const char *col_name) {
+ assert(msr != NULL);
+ assert(col_name != NULL);
+ char *dbm_filename = NULL;
+ apr_sdbm_datum_t key, value;
+ apr_sdbm_t *dbm = NULL;
+ apr_status_t rc;
+ apr_array_header_t *keys_arr;
+ char **keys;
+ apr_time_t now = apr_time_sec(msr->request_time);
+ int i;
+ char *userinfo = get_username(msr->mp);
+
+ if (msr->txcfg->data_dir == NULL) {
+ /* The user has been warned about this problem enough times already by now.
+ * msr_log(msr, 1, "Unable to access collection file (name \"%s\"). Use SecDataDir to "
+ * "define data directory first.", log_escape(msr->mp, col_name));
+ */
+ goto error;
+ }
+
+ if(strstr(col_name,"USER") || strstr(col_name,"SESSION") || strstr(col_name, "RESOURCE"))
+ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", msr->txcfg->webappid, "_", col_name, NULL);
+ else
+ dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", userinfo, "-", col_name, NULL);
+
+ if (msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "collections_remove_stale: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name),
+ log_escape(msr->mp, dbm_filename));
+ }
+
+#ifdef GLOBAL_COLLECTION_LOCK
+ rc = msr_global_mutex_lock(msr, msr->modsecurity->dbm_lock, "collections_remove_stale");
+ if (rc != APR_SUCCESS) goto error;
+#endif
+
+ rc = apr_sdbm_open(&dbm, dbm_filename, APR_CREATE | APR_WRITE | APR_SHARELOCK,
+ CREATEMODE, msr->mp);
+ if (rc != APR_SUCCESS) {
+#ifdef GLOBAL_COLLECTION_LOCK
+ msr_global_mutex_unlock(msr, msr->modsecurity->dbm_lock, "collections_remove_stale");
+#endif
+ msr_log(msr, 1, "collections_remove_stale: Failed to access DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename),
+ get_apr_error(msr->mp, rc));
+ dbm = NULL;
+ goto error;
+ }
+
+ /* First get a list of all keys. */
+ keys_arr = apr_array_make(msr->mp, 256, sizeof(char *));
+
+#ifndef GLOBAL_COLLECTION_LOCK
+ rc = apr_sdbm_lock(dbm, APR_FLOCK_SHARED);
+ if (rc != APR_SUCCESS) {
+ msr_log(msr, 1, "collections_remove_stale: Failed to lock DBM file \"%s\": %s", log_escape(msr->mp, dbm_filename),
+ get_apr_error(msr->mp, rc));
+ goto error;
+ }
+#endif
+
+ /* No one can write to the file while doing this so
+ * do it as fast as possible.
+ */
+ rc = apr_sdbm_firstkey(dbm, &key);
+ while(rc == APR_SUCCESS) {
+ if (key.dsize) {
+ char *s = apr_pstrmemdup(msr->mp, key.dptr, key.dsize - 1);
+ *(char **)apr_array_push(keys_arr) = s;
+ }
+ rc = apr_sdbm_nextkey(dbm, &key);
+ }
+#ifndef GLOBAL_COLLECTION_LOCK
+ apr_sdbm_unlock(dbm);
+#endif
+
+ if (msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "collections_remove_stale: Found %d record(s) in file \"%s\".", keys_arr->nelts,
+ log_escape(msr->mp, dbm_filename));
+ }
+
+ /* Now retrieve the entires one by one. */
+ keys = (char **)keys_arr->elts;
+ for (i = 0; i < keys_arr->nelts; i++) {
+ key.dptr = keys[i];
+ key.dsize = strlen(key.dptr) + 1;
+
+ rc = apr_sdbm_fetch(dbm, &value, key);
+ if (rc != APR_SUCCESS) {
+ msr_log(msr, 1, "collections_remove_stale: Failed reading DBM file \"%s\": %s",
+ log_escape(msr->mp, dbm_filename), get_apr_error(msr->mp, rc));
+ goto error;
+ }
+
+ if (value.dptr != NULL) {
+ apr_table_t *col = NULL;
+ msc_string *var = NULL;
+
+ col = collection_unpack(msr, (const unsigned char *)value.dptr, value.dsize, 0);
+ if (col == NULL) {
+ goto error;
+ }
+
+ var = (msc_string *)apr_table_get(col, "__expire_KEY");
+ if (var == NULL) {
+ msr_log(msr, 1, "collections_remove_stale: Collection cleanup discovered entry with no "
+ "__expire_KEY (name \"%s\", key \"%s\").",
+ log_escape(msr->mp, col_name), log_escape_ex(msr->mp, key.dptr, key.dsize - 1));
+ } else {
+ unsigned int expiry_time = atoi(var->value);
+
+ if (msr->txcfg->debuglog_level >= 9) {
+ msr_log(msr, 9, "collections_remove_stale: Record (name \"%s\", key \"%s\") set to expire in %" APR_TIME_T_FMT " seconds.",
+ log_escape(msr->mp, col_name), log_escape_ex(msr->mp, key.dptr, key.dsize - 1),
+ expiry_time - now);
+ }
+
+ if (expiry_time <= now) {
+ rc = apr_sdbm_delete(dbm, key);
+ if (rc != APR_SUCCESS) {
+#ifdef LOG_NO_COLL_DELET_PB
+ if (msr->txcfg->debuglog_level >= 9)
+#endif
+ msr_log(msr, 1, "collections_remove_stale: Failed deleting collection (name \"%s\", "
+ "key \"%s\"): %s", log_escape(msr->mp, col_name),
+ log_escape_ex(msr->mp, key.dptr, key.dsize - 1), get_apr_error(msr->mp, rc));
+ msr->msc_sdbm_delete_error = 1;
+ goto error;
+ }
+
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "collections_remove_stale: Removed stale collection (name \"%s\", "
+ "key \"%s\").", log_escape(msr->mp, col_name),
+ log_escape_ex(msr->mp, key.dptr, key.dsize - 1));
+ }
+ }
+ }
+ } else {
+ /* Ignore entry not found - it may have been removed in the meantime. */
+ }
+ }
+
+ apr_sdbm_close(dbm);
+#ifdef GLOBAL_COLLECTION_LOCK
+ msr_global_mutex_unlock(msr, msr->modsecurity->dbm_lock, "collections_remove_stale");
+#endif
+ return 1;
+
+error:
+
+ if (dbm) {
+ apr_sdbm_close(dbm);
+#ifdef GLOBAL_COLLECTION_LOCK
+ msr_global_mutex_unlock(msr, msr->modsecurity->dbm_lock, "collections_remove_stale");
+#endif
+ }
+
+ return -1;
+}
\ No newline at end of file
diff --git a/apache2/re.c b/apache2/re.c
index 1d843e21c1..0a8b0724d3 100644
--- a/apache2/re.c
+++ b/apache2/re.c
@@ -20,6 +20,10 @@
#include "msc_lua.h"
#endif
+#ifdef APLOG_USE_MODULE
+ APLOG_USE_MODULE(security2);
+#endif
+
static const char *const severities[] = {
"EMERGENCY",
"ALERT",
@@ -53,6 +57,7 @@ static apr_status_t msre_rule_process(msre_rule *rule, modsec_rec *msr);
* \param targets Exception list.
*/
static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *var, const char *exceptions) {
+ assert(msr != NULL);
const char *targets = NULL;
char *savedptr = NULL, *target = NULL;
char *c = NULL, *name = NULL, *value = NULL;
@@ -60,25 +65,23 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va
char *myvalue = NULL, *myname = NULL;
int match = 0;
- if(msr == NULL)
- return 0;
-
- if(var == NULL)
+ if (var == NULL)
return 0;
- if(rule == NULL)
+ if (rule == NULL)
return 0;
- if(rule->actionset == NULL)
+ if (rule->actionset == NULL)
return 0;
- if(rule->actionset->id !=NULL) {
+ assert(exceptions != NULL);
+ {
myvar = apr_pstrdup(msr->mp, var->name);
c = strchr(myvar,':');
- if(c != NULL) {
+ if (c != NULL) {
myname = apr_strtok(myvar,":",&myvalue);
} else {
myname = myvar;
@@ -88,9 +91,9 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va
targets = apr_pstrdup(msr->mp, exceptions);
- if(targets != NULL) {
+ if (targets != NULL) {
if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "fetch_target_exception: Found exception target list [%s] for rule id %s", targets, rule->actionset->id);
+ msr_log(msr, 9, "fetch_target_exception: Found exception target list [%s] for rule id %s", targets, id_log(rule));
}
target = apr_strtok((char *)targets, ",", &savedptr);
@@ -100,18 +103,18 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va
c = strchr(variable,':');
- if(c != NULL) {
+ if (c != NULL) {
name = apr_strtok(variable,":",&value);
} else {
name = variable;
value = NULL;
}
- if((strlen(myname) == strlen(name)) &&
+ if ((strlen(myname) == strlen(name)) &&
(strncasecmp(myname, name,strlen(myname)) == 0)) {
- if(value != NULL && myvalue != NULL) {
- if((strlen(myvalue) == strlen(value)) &&
+ if (value != NULL && myvalue != NULL) {
+ if ((strlen(myvalue) == strlen(value)) &&
strncasecmp(myvalue,value,strlen(myvalue)) == 0) {
if (msr->txcfg->debuglog_level >= 9) {
msr_log(msr, 9, "fetch_target_exception: Target %s will not be processed.", target);
@@ -135,14 +138,14 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va
}
} else {
if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "fetch_target_exception: No exception target found for rule id %s.", rule->actionset->id);
+ msr_log(msr, 9, "fetch_target_exception: No exception target found for rule id %s.", id_log(rule));
}
}
}
- if(match == 1)
+ if (match == 1)
return 1;
return 0;
@@ -160,10 +163,10 @@ static int fetch_target_exception(msre_rule *rule, modsec_rec *msr, msre_var *va
char *msre_ruleset_rule_update_target_matching_exception(modsec_rec *msr, msre_ruleset *ruleset, rule_exception *re, const char *p2, const char *p3) {
char *err;
- if(ruleset == NULL)
+ if (ruleset == NULL)
return NULL;
- if(p2 == NULL) {
+ if (p2 == NULL) {
return apr_psprintf(ruleset->mp, "Trying to update without a target");
}
@@ -199,6 +202,8 @@ char *msre_ruleset_phase_rule_update_target_matching_exception(modsec_rec *msr,
apr_array_header_t *phase_arr, const char *p2,
const char *p3)
{
+ assert(ruleset != NULL);
+ assert(phase_arr != NULL);
msre_rule **rules;
int i, j, mode;
char *err;
@@ -208,11 +213,12 @@ char *msre_ruleset_phase_rule_update_target_matching_exception(modsec_rec *msr,
rules = (msre_rule **)phase_arr->elts;
for (i = 0; i < phase_arr->nelts; i++) {
msre_rule *rule = (msre_rule *)rules[i];
+ assert(rule != NULL);
if (mode == 0) { /* Looking for next rule. */
+ assert(rule->actionset != NULL);
if (msre_ruleset_rule_matches_exception(rule, re)) {
-
- err = update_rule_target_ex(NULL, ruleset, rule, p2, p3);
+ err = update_rule_target_ex(msr, ruleset, rule, p2, p3);
if (err) return err;
if (rule->actionset->is_chained) mode = 2; /* Match all rules in this chain. */
} else {
@@ -234,6 +240,7 @@ char *msre_ruleset_phase_rule_update_target_matching_exception(modsec_rec *msr,
char *update_rule_target_ex(modsec_rec *msr, msre_ruleset *ruleset, msre_rule *rule, const char *p2,
const char *p3) {
+ assert(ruleset != NULL);
msre_var **targets = NULL;
const char *current_targets = NULL;
@@ -246,26 +253,24 @@ char *update_rule_target_ex(modsec_rec *msr, msre_ruleset *ruleset, msre_rule *r
char *target_list = NULL, *replace = NULL;
int i, rc, match = 0, var_appended = 0;
- if(rule != NULL) {
-
+ if (rule != NULL) {
target_list = strdup(p2);
- if(target_list == NULL)
- return apr_psprintf(ruleset->mp, "Error to update target - memory allocation");;
+ if (target_list == NULL) {
+ my_error_msg = apr_psprintf(ruleset->mp, "Error to update target - memory allocation");
+ goto end;
+ }
- if(p3 != NULL) {
+ if (p3 != NULL) {
replace = strdup(p3);
- if(replace == NULL) {
- free(target_list);
- target_list = NULL;
- return apr_psprintf(ruleset->mp, "Error to update target - memory allocation");;
+ if (replace == NULL) {
+ my_error_msg = apr_psprintf(ruleset->mp, "Error to update target - memory allocation");
+ goto end;
}
}
- if(replace != NULL) {
-
+ if (replace != NULL) {
opt = strchr(replace,'!');
-
- if(opt != NULL) {
+ if (opt != NULL) {
*opt = '\0';
opt++;
param = opt;
@@ -281,56 +286,40 @@ char *update_rule_target_ex(modsec_rec *msr, msre_ruleset *ruleset, msre_rule *r
opt = strchr(param,':');
- if(opt != NULL) {
+ if (opt != NULL) {
name = apr_strtok(param,":",&value);
} else {
name = param;
}
- if(apr_table_get(ruleset->engine->variables, name) == NULL) {
- if(target_list != NULL)
- free(target_list);
- if(replace != NULL)
- free(replace);
- if(msr) {
- msr_log(msr, 9, "Error to update target - [%s] is not valid target", name);
- }
- return apr_psprintf(ruleset->mp, "Error to update target - [%s] is not valid target", name);
+ if (apr_table_get(ruleset->engine->variables, name) == NULL) {
+ my_error_msg = apr_psprintf(ruleset->mp, "Error to update target - [%s] is not valid target", name);
+ goto end;
}
name_len = strlen(name);
- if(value != NULL)
- value_len = strlen(value);
-
- if(msr) {
- msr_log(msr, 9, "Trying to replace by variable name [%s] value [%s]", name, value);
- }
-#if !defined(MSC_TEST)
- else {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, NULL, " ModSecurity: Trying to replace by variable name [%s] value [%s]", name, value);
- }
-#endif
+ if (value != NULL) value_len = strlen(value);
targets = (msre_var **)rule->targets->elts;
// TODO need a good way to remove the element from array, maybe change array by tables or rings
for (i = 0; i < rule->targets->nelts; i++) {
- if((strlen(targets[i]->name) == strlen(name)) &&
+ if ((strlen(targets[i]->name) == strlen(name)) &&
(strncasecmp(targets[i]->name,name,strlen(targets[i]->name)) == 0) &&
(targets[i]->is_negated == is_negated) &&
(targets[i]->is_counting == is_counting)) {
- if(value != NULL && targets[i]->param != NULL) {
- if((strlen(targets[i]->param) == strlen(value)) &&
+ if (value != NULL && targets[i]->param != NULL) {
+ if ((strlen(targets[i]->param) == strlen(value)) &&
strncasecmp(targets[i]->param,value,strlen(targets[i]->param)) == 0) {
- memset(targets[i]->name,0,strlen(targets[i]->name));
- memset(targets[i]->param,0,strlen(targets[i]->param));
+ targets[i]->name[0] = '\0';
+ targets[i]->param[0] = '\0';
targets[i]->is_counting = 0;
targets[i]->is_negated = 1;
match = 1;
}
} else if (value == NULL && targets[i]->param == NULL){
- memset(targets[i]->name,0,strlen(targets[i]->name));
+ targets[i]->name[0] = '\0';
targets[i]->is_counting = 0;
targets[i]->is_negated = 1;
match = 1;
@@ -343,22 +332,16 @@ char *update_rule_target_ex(modsec_rec *msr, msre_ruleset *ruleset, msre_rule *r
p = apr_strtok(target_list, ",", &savedptr);
- while(p != NULL) {
- if(replace != NULL) {
- if(match == 1) {
+ while (p != NULL) {
+ if (replace != NULL) {
+ if (match == 1) {
rc = msre_parse_targets(ruleset, p, rule->targets, &my_error_msg);
if (rc < 0) {
- if(msr) {
- msr_log(msr, 9, "Error parsing rule targets to replace variable");
- }
-#if !defined(MSC_TEST)
- else {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, " ModSecurity: Error parsing rule targets to replace variable");
- }
-#endif
+ if (my_error_msg) my_error_msg = apr_psprintf(ruleset->mp, "Error parsing rule targets to replace variable: %s", my_error_msg);
+ else my_error_msg = apr_psprintf(ruleset->mp, "Error parsing rule targets to replace variable");
goto end;
}
- if(msr) {
+ if (msr) {
msr_log(msr, 9, "Successfully replaced variable");
}
#if !defined(MSC_TEST)
@@ -369,28 +352,24 @@ char *update_rule_target_ex(modsec_rec *msr, msre_ruleset *ruleset, msre_rule *r
var_appended = 1;
} else {
- if(msr) {
- msr_log(msr, 9, "Cannot find variable to replace");
- }
-#if !defined(MSC_TEST)
- else {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, " ModSecurity: Cannot find varibale to replace");
- }
-#endif
+ my_error_msg = apr_psprintf(ruleset->mp, "Cannot find variable to replace");
goto end;
}
- } else {
+ }
+ else {
target = strdup(p);
- if(target == NULL)
- return NULL;
+ if (target == NULL) {
+ my_error_msg = apr_psprintf(ruleset->mp, "Error to update target - memory allocation");
+ goto end;
+ }
is_negated = is_counting = 0;
param = name = value = NULL;
opt = strchr(target,'!');
- if(opt != NULL) {
+ if (opt != NULL) {
*opt = '\0';
opt++;
param = opt;
@@ -405,30 +384,22 @@ char *update_rule_target_ex(modsec_rec *msr, msre_ruleset *ruleset, msre_rule *r
}
opt = strchr(param,':');
-
- if(opt != NULL) {
+ if (opt != NULL) {
name = apr_strtok(param,":",&value);
} else {
name = param;
}
- if(apr_table_get(ruleset->engine->variables, name) == NULL) {
- if(target_list != NULL)
- free(target_list);
- if(replace != NULL)
- free(replace);
- if(msr) {
- msr_log(msr, 9, "Error to update target - [%s] is not valid target", name);
- }
- return apr_psprintf(ruleset->mp, "Error to update target - [%s] is not valid target", name);
+ if (apr_table_get(ruleset->engine->variables, name) == NULL) {
+ my_error_msg = apr_psprintf(ruleset->mp, "Error to update target - [%s] is not valid target", name);
+ goto end;
}
name_len = strlen(name);
- if(value != NULL)
- value_len = strlen(value);
+ if (value != NULL) value_len = strlen(value);
- if(msr) {
+ if (msr) {
msr_log(msr, 9, "Trying to append variable name [%s] value [%s]", name, value);
}
#if !defined(MSC_TEST)
@@ -440,45 +411,37 @@ char *update_rule_target_ex(modsec_rec *msr, msre_ruleset *ruleset, msre_rule *r
targets = (msre_var **)rule->targets->elts;
for (i = 0; i < rule->targets->nelts; i++) {
- if((strlen(targets[i]->name) == strlen(name)) &&
+ if ((strlen(targets[i]->name) == strlen(name)) &&
(strncasecmp(targets[i]->name,name,strlen(targets[i]->name)) == 0) &&
(targets[i]->is_negated == is_negated) &&
(targets[i]->is_counting == is_counting)) {
- if(value != NULL && targets[i]->param != NULL) {
- if((strlen(targets[i]->param) == strlen(value)) &&
+ if (value != NULL && targets[i]->param != NULL) {
+ if ((strlen(targets[i]->param) == strlen(value)) &&
strncasecmp(targets[i]->param,value,strlen(targets[i]->param)) == 0) {
match = 1;
}
} else if (value == NULL && targets[i]->param == NULL){
match = 1;
- } else
- continue;
+ } else continue;
}
}
- if(target != NULL) {
+ if (target != NULL) {
free(target);
target = NULL;
}
- if(match == 0 ) {
+ if (match == 0 ) {
rc = msre_parse_targets(ruleset, p, rule->targets, &my_error_msg);
if (rc < 0) {
- if(msr) {
- msr_log(msr, 9, "Error parsing rule targets to append variable");
- }
-#if !defined(MSC_TEST)
- else {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, " ModSecurity: Error parsing rule targets to append variable");
- }
-#endif
+ my_error_msg = apr_psprintf(ruleset->mp, "Error parsing rule targets to append variable");
goto end;
}
var_appended = 1;
} else {
- if(msr) {
+ if (msr) {
msr_log(msr, 9, "Skipping variable, already appended");
}
#if !defined(MSC_TEST)
@@ -492,11 +455,11 @@ char *update_rule_target_ex(modsec_rec *msr, msre_ruleset *ruleset, msre_rule *r
p = apr_strtok(NULL,",",&savedptr);
}
- if(var_appended == 1) {
+ if (var_appended == 1) {
current_targets = msre_generate_target_string(ruleset->mp, rule);
rule->unparsed = msre_rule_generate_unparsed(ruleset->mp, rule, current_targets, NULL, NULL);
rule->p1 = apr_pstrdup(ruleset->mp, current_targets);
- if(msr) {
+ if (msr) {
msr_log(msr, 9, "Successfully appended variable");
}
#if !defined(MSC_TEST)
@@ -508,26 +471,23 @@ char *update_rule_target_ex(modsec_rec *msr, msre_ruleset *ruleset, msre_rule *r
}
end:
- if(target_list != NULL) {
- free(target_list);
- target_list = NULL;
- }
- if(replace != NULL) {
- free(replace);
- replace = NULL;
- }
- if(target != NULL) {
- free(target);
- target = NULL;
- }
- return NULL;
+ if (my_error_msg) {
+ if (msr) msr_log(msr, 9, "%s", my_error_msg);
+ else ap_log_error(APLOG_MARK, APLOG_INFO, 0, NULL, "%s", my_error_msg);
+ }
+ if (target_list != NULL) free(target_list);
+ if (replace != NULL) free(replace);
+ if (target != NULL) free(target);
+ return my_error_msg;
}
int msre_ruleset_rule_matches_exception(msre_rule *rule, rule_exception *re) {
+ assert(rule != NULL);
int match = 0;
/* Only remove non-placeholder rules */
if (rule->placeholder == RULE_PH_NONE) {
+ assert(re != NULL);
switch(re->type) {
case RULE_EXCEPTION_REMOVE_ID :
if ((rule->actionset != NULL)&&(rule->actionset->id != NULL)) {
@@ -564,7 +524,7 @@ int msre_ruleset_rule_matches_exception(msre_rule *rule, rule_exception *re) {
for (act = 0; act < tarr->nelts; act++) {
msre_action *action = (msre_action *)telts[act].val;
- if((action != NULL) && (action->metadata != NULL) && (strcmp("tag", action->metadata->name) == 0)) {
+ if ((action != NULL) && (action->metadata != NULL) && (strcmp("tag", action->metadata->name) == 0)) {
int rc = msc_regexec(re->param_data,
action->param, strlen(action->param),
@@ -615,7 +575,7 @@ static char *msre_generate_target_string(apr_pool_t *pool, msre_rule *rule) {
for (i = 0; i < rule->targets->nelts; i++) {
- if(targets[i]->name != NULL && strlen(targets[i]->name) > 0) {
+ if (targets[i]->name != NULL && strlen(targets[i]->name) > 0) {
target_str = apr_pstrcat(pool,
(target_str == NULL) ? "" : apr_psprintf(pool, "%s|", target_str),
(targets[i]->is_negated == 0) ? "" : "!",
@@ -633,7 +593,10 @@ static char *msre_generate_target_string(apr_pool_t *pool, msre_rule *rule) {
/**
* Generate an action string from an actionset.
*/
-static char *msre_actionset_generate_action_string(apr_pool_t *pool, const msre_actionset *actionset) {
+#ifndef DEBUG_CONF
+static
+#endif
+char *msre_actionset_generate_action_string(apr_pool_t *pool, const msre_actionset *actionset) {
const apr_array_header_t *tarr = NULL;
const apr_table_entry_t *telts = NULL;
char *actions = NULL;
@@ -860,6 +823,7 @@ static msre_action_metadata *msre_resolve_action(msre_engine *engine, const char
msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *name, const char *param,
modsec_rec *msr, char **error_msg)
{
+ // msr can be NULL
const char *varparam = param;
msre_var *var = apr_pcalloc(pool, sizeof(msre_var));
if (var == NULL) return NULL;
@@ -940,6 +904,9 @@ msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *
static msre_var *msre_create_var(msre_ruleset *ruleset, const char *name, const char *param,
modsec_rec *msr, char **error_msg)
{
+ // msr can be NULL
+ assert(ruleset != NULL);
+ assert(error_msg != NULL);
msre_var *var = msre_create_var_ex(ruleset->mp, ruleset->engine, name, param, msr, error_msg);
if (var == NULL) return NULL;
@@ -1458,6 +1425,7 @@ apr_status_t msre_ruleset_process_phase(msre_ruleset *ruleset, modsec_rec *msr)
rules = (msre_rule **)arr->elts;
for (i = 0; i < arr->nelts; i++) {
msre_rule *rule = rules[i];
+ assert(rule != NULL);
rule->execution_time = 0;
}
@@ -1470,6 +1438,7 @@ apr_status_t msre_ruleset_process_phase(msre_ruleset *ruleset, modsec_rec *msr)
rules = (msre_rule **)arr->elts;
for (i = 0; i < arr->nelts; i++) {
msre_rule *rule = rules[i];
+ assert(rule != NULL);
/* Ignore markers, which are never processed. */
if (rule->placeholder == RULE_PH_MARKER) continue;
@@ -1488,6 +1457,8 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re
#else
apr_status_t msre_ruleset_process_phase(msre_ruleset *ruleset, modsec_rec *msr) {
#endif
+ assert(ruleset != NULL);
+ assert(msr != NULL);
apr_array_header_t *arr = NULL;
msre_rule **rules;
apr_status_t rc;
@@ -1532,6 +1503,8 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re
rules = (msre_rule **)arr->elts;
for (i = 0; i < arr->nelts; i++) {
msre_rule *rule = rules[i];
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
#if defined(PERFORMANCE_MEASUREMENT)
apr_time_t time1 = 0;
#endif
@@ -1547,12 +1520,12 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re
if ((rule->placeholder == RULE_PH_NONE) || (rule->actionset->id == NULL) || (strcmp(skip_after, rule->actionset->id) != 0)) {
- if(i-1 >=0)
+ if (i-1 >=0)
last_rule = rules[i-1];
else
last_rule = rules[0];
- if((last_rule != NULL) && (last_rule->actionset != NULL) && last_rule->actionset->is_chained && (saw_starter == 1)) {
+ if ((last_rule != NULL) && (last_rule->actionset != NULL) && last_rule->actionset->is_chained && (saw_starter == 1)) {
mode = NEXT_RULE;
skipped = 1;
--i;
@@ -1562,7 +1535,7 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re
saw_starter = 0;
if (msr->txcfg->debuglog_level >= 9) {
- msr_log(msr, 9, "Current rule is id=\"%s\" [chained %d] is trying to find the SecMarker=\"%s\" [stater %d]",rule->actionset->id,last_rule->actionset->is_chained,skip_after,saw_starter);
+ msr_log(msr, 9, "Current rule is id=\"%s\" [chained %d] is trying to find the SecMarker=\"%s\" [stater %d]", id_log(rule),last_rule->actionset->is_chained,skip_after,saw_starter);
}
}
@@ -1644,7 +1617,7 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re
for(j = 0; j < msr->removed_rules_msg->nelts; j++) {
re = ((rule_exception **)msr->removed_rules_msg->elts)[j];
- if(rule->actionset->msg !=NULL) {
+ if (rule->actionset->msg !=NULL) {
if (msr->txcfg->debuglog_level >= 9) {
msr_log(msr, 9, "Checking removal of rule msg=\"%s\" against: %s", rule->actionset->msg, re->param);
@@ -1663,7 +1636,7 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re
for(j = 0; j < msr->removed_rules->nelts; j++) {
range = ((const char**)msr->removed_rules->elts)[j];
- if(rule->actionset->id !=NULL) {
+ if (rule->actionset->id !=NULL) {
if (msr->txcfg->debuglog_level >= 9) {
msr_log(msr, 9, "Checking removal of rule id=\"%s\" against: %s", rule->actionset->id, range);
@@ -1682,13 +1655,13 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re
for (act = 0; act < tag_tarr->nelts; act++) {
msre_action *action = (msre_action *)tag_telts[act].val;
- if((action != NULL) && (action->metadata != NULL ) && strcmp("tag", action->metadata->name) == 0) {
+ if ((action != NULL) && (action->metadata != NULL ) && strcmp("tag", action->metadata->name) == 0) {
for(j = 0; j < msr->removed_rules_tag->nelts; j++) {
re = ((rule_exception **)msr->removed_rules_tag->elts)[j];
- if(action->param != NULL) {
+ if (action->param != NULL) {
/* Expand variables in the tag argument. */
msc_string *var = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
@@ -1719,7 +1692,7 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re
msr_log(msr, 5, "Not processing %srule id=\"%s\": "
"removed by ctl action",
rule->actionset->is_chained ? "chained " : "",
- rule->actionset->id);
+ id_log(rule));
}
/* Skip the whole chain, if this is a chained rule */
@@ -1734,7 +1707,7 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re
}
}
- if(msr->txcfg->is_enabled == MODSEC_DISABLED) {
+ if (msr->txcfg->is_enabled == MODSEC_DISABLED) {
saw_starter = 0;
skipped = 0;
skip_after = NULL;
@@ -1753,11 +1726,11 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re
fn = apr_psprintf(p, " [file \"%s\"] [line \"%d\"]", rule->filename, rule->line_num);
}
- if (rule->actionset != NULL && rule->actionset->id != NULL) {
+ if (rule->actionset->id != NULL) {
id = apr_psprintf(p, " [id \"%s\"]", rule->actionset->id);
}
- if (rule->actionset != NULL && rule->actionset->rev != NULL) {
+ if (rule->actionset->rev != NULL) {
rev = apr_psprintf(p, " [rev \"%s\"]", rule->actionset->rev);
}
@@ -1814,12 +1787,12 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re
msr_log(msr, 9, "Match, intercepted -> returning.");
}
- if(i-1 >= 0)
+ if (i-1 >= 0)
last_rule = rules[i-1];
else
last_rule = rules[0];
- if((last_rule != NULL) && (last_rule->actionset != NULL) && last_rule->actionset->is_chained) {
+ if ((last_rule != NULL) && (last_rule->actionset != NULL) && last_rule->actionset->is_chained) {
int st = 0;
@@ -1827,8 +1800,8 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re
rule_starter = rules[st];
- if(rule_starter != NULL && rule_starter->chain_starter != NULL) {
- if((msr != NULL) && (msr->intercept_actionset != NULL) && (rule_starter->actionset != NULL))
+ if (rule_starter != NULL && rule_starter->chain_starter != NULL) {
+ if ((msr != NULL) && (msr->intercept_actionset != NULL) && (rule_starter->actionset != NULL))
msr->intercept_actionset->intercept_uri = rule_starter->actionset->intercept_uri;
break;
}
@@ -1852,7 +1825,7 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re
continue;
}
- if(skipped == 1) {
+ if (skipped == 1) {
mode = SKIP_RULES;
continue;
}
@@ -1889,8 +1862,11 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re
}
}
else if (rc < 0) {
- msr_log(msr, 1, "Rule processing failed.");
-
+ const char *msg = "";
+ if (rule->actionset->msg) {
+ msg = rule->actionset->msg;
+ }
+ msr_log(msr, 1, "Rule processing failed (id=%s, msg=%s).", id_log(rule), msg);
if (msr->txcfg->reqintercept_oe == 1) {
apr_table_clear(msr->matched_vars);
@@ -1920,7 +1896,11 @@ static apr_status_t msre_ruleset_process_phase_(msre_ruleset *ruleset, modsec_re
}
}
else {
- msr_log(msr, 1, "Rule processing failed with unknown return code: %d.", rc);
+ const char *msg = "";
+ if (rule->actionset->msg) {
+ msg = rule->actionset->msg;
+ }
+ msr_log(msr, 1, "Rule processing failed with unknown return code: %d (id=%s, msg=%s).", rc, id_log(rule), msg);
apr_table_clear(msr->matched_vars);
return -1;
}
@@ -1956,6 +1936,9 @@ msre_ruleset *msre_ruleset_create(msre_engine *engine, apr_pool_t *mp) {
* Adds one rule to the given phase of the ruleset.
*/
int msre_ruleset_rule_add(msre_ruleset *ruleset, msre_rule *rule, int phase) {
+ assert(ruleset != NULL);
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
apr_array_header_t *arr = NULL;
switch (phase) {
@@ -1993,6 +1976,8 @@ int msre_ruleset_rule_add(msre_ruleset *ruleset, msre_rule *rule, int phase) {
static msre_rule * msre_ruleset_fetch_phase_rule(const msre_ruleset *ruleset, const char *id,
const apr_array_header_t *phase_arr, int offset)
{
+ assert(id != NULL);
+ assert(phase_arr != NULL);
msre_rule **rules = (msre_rule **)phase_arr->elts;
int i;
@@ -2006,7 +1991,7 @@ static msre_rule * msre_ruleset_fetch_phase_rule(const msre_ruleset *ruleset, co
&& (strcmp(rule->actionset->id, id) == 0))
{
/* Return rule that matched unless it is a placeholder */
- if(offset == 0) {
+ if (offset == 0) {
return (rule->placeholder == RULE_PH_NONE) ? rule : NULL;
}
else {
@@ -2049,6 +2034,7 @@ msre_rule * msre_ruleset_fetch_rule(msre_ruleset *ruleset, const char *id, int o
static int msre_ruleset_phase_rule_remove_with_exception(msre_ruleset *ruleset, rule_exception *re,
apr_array_header_t *phase_arr)
{
+ assert(phase_arr != NULL);
msre_rule **rules;
int i, j, mode, removed_count;
@@ -2058,15 +2044,18 @@ static int msre_ruleset_phase_rule_remove_with_exception(msre_ruleset *ruleset,
rules = (msre_rule **)phase_arr->elts;
for (i = 0; i < phase_arr->nelts; i++) {
msre_rule *rule = (msre_rule *)rules[i];
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
if (mode == 0) { /* Looking for next rule. */
int remove_rule = 0;
/* Only remove non-placeholder rules */
if (rule->placeholder == RULE_PH_NONE) {
+ assert(re != NULL);
switch(re->type) {
case RULE_EXCEPTION_REMOVE_ID :
- if ((rule->actionset != NULL)&&(rule->actionset->id != NULL)) {
+ if (rule->actionset->id != NULL) {
int ruleid = atoi(rule->actionset->id);
if (rule_id_in_range(ruleid, re->param)) {
@@ -2101,7 +2090,7 @@ static int msre_ruleset_phase_rule_remove_with_exception(msre_ruleset *ruleset,
for (act = 0; act < tarr->nelts; act++) {
msre_action *action = (msre_action *)telts[act].val;
- if((action != NULL) && (action->metadata != NULL) && (strcmp("tag", action->metadata->name) == 0)) {
+ if ((action != NULL) && (action->metadata != NULL) && (strcmp("tag", action->metadata->name) == 0)) {
int rc = msc_regexec(re->param_data,
action->param, strlen(action->param),
@@ -2178,6 +2167,7 @@ static const char *msre_format_severity(int severity) {
* Creates a string containing the metadata of the supplied rule.
*/
char *msre_format_metadata(modsec_rec *msr, msre_actionset *actionset) {
+ assert(msr != NULL);
const apr_array_header_t *tarr;
const apr_table_entry_t *telts;
char *id = "";
@@ -2194,10 +2184,12 @@ char *msre_format_metadata(modsec_rec *msr, msre_actionset *actionset) {
if (actionset == NULL) return "";
+#ifndef LOG_NO_FILENAME
if ((actionset->rule != NULL) && (actionset->rule->filename != NULL)) {
fn = apr_psprintf(msr->mp, " [file \"%s\"] [line \"%d\"]",
actionset->rule->filename, actionset->rule->line_num);
}
+#endif
if (actionset->id != NULL) {
id = apr_psprintf(msr->mp, " [id \"%s\"]",
log_escape(msr->mp, actionset->id));
@@ -2281,6 +2273,7 @@ char *msre_format_metadata(modsec_rec *msr, msre_actionset *actionset) {
char * msre_rule_generate_unparsed(apr_pool_t *pool, const msre_rule *rule, const char *targets,
const char *args, const char *actions)
{
+ assert(rule != NULL);
char *unparsed = NULL;
const char *r_targets = targets;
const char *r_args = args;
@@ -2340,12 +2333,19 @@ msre_rule *msre_rule_create(msre_ruleset *ruleset, int type,
const char *fn, int line, const char *targets,
const char *args, const char *actions, char **error_msg)
{
+ assert(ruleset != NULL);
+ assert(args != NULL);
+ assert(error_msg != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (error_msg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, ruleset->mp, "msre_rule_create: error_msg is NULL");
+ return NULL;
+ }
msre_rule *rule;
char *my_error_msg;
const char *argsp;
int rc;
- if (error_msg == NULL) return NULL;
*error_msg = NULL;
rule = (msre_rule *)apr_pcalloc(ruleset->mp, sizeof(msre_rule));
@@ -2472,6 +2472,8 @@ msre_rule *msre_rule_lua_create(msre_ruleset *ruleset,
static void msre_perform_nondisruptive_actions(modsec_rec *msr, msre_rule *rule,
msre_actionset *actionset, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(actionset != NULL);
const apr_array_header_t *tarr;
const apr_table_entry_t *telts;
int i;
@@ -2494,6 +2496,10 @@ static void msre_perform_nondisruptive_actions(modsec_rec *msr, msre_rule *rule,
static void msre_perform_disruptive_actions(modsec_rec *msr, msre_rule *rule,
msre_actionset *actionset, apr_pool_t *mptmp, const char *message)
{
+ assert(msr != NULL);
+ assert(actionset != NULL);
+ assert(actionset->intercept_action_rec != NULL);
+ assert(actionset->intercept_action_rec->metadata != NULL);
const apr_array_header_t *tarr;
const apr_table_entry_t *telts;
int i;
@@ -2507,12 +2513,18 @@ static void msre_perform_disruptive_actions(modsec_rec *msr, msre_rule *rule,
telts = (const apr_table_entry_t*)tarr->elts;
for (i = 0; i < tarr->nelts; i++) {
msre_action *action = (msre_action *)telts[i].val;
+ assert(action->metadata != NULL);
if (action->metadata->type == ACTION_DISRUPTIVE) {
if (action->metadata->execute != NULL) {
action->metadata->execute(msr, mptmp, rule, action);
}
}
}
+ if (actionset->intercept_action_rec->metadata->type == ACTION_DISRUPTIVE) {
+ if (actionset->intercept_action_rec->metadata->execute != NULL) {
+ actionset->intercept_action_rec->metadata->execute(msr, mptmp, rule, actionset->intercept_action_rec);
+ }
+ }
/* If "noauditlog" was used do not mark the transaction relevant. */
if (actionset->auditlog != 0) {
@@ -2573,6 +2585,14 @@ static void msre_perform_disruptive_actions(modsec_rec *msr, msre_rule *rule,
static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr,
msre_actionset *acting_actionset, apr_pool_t *mptmp)
{
+ assert(var != NULL);
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
+ assert(rule->op_metadata != NULL);
+ assert(rule->op_metadata->execute != NULL);
+ assert(msr != NULL);
+ assert(acting_actionset != NULL);
+ assert(mptmp != NULL);
apr_time_t time_before_op = 0;
char *my_error_msg = NULL;
const char *full_varname = NULL;
@@ -2613,7 +2633,7 @@ static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr,
if (rc > 0) {
rc = fetch_target_exception(rule, msr, var, exceptions);
- if(rc > 0) {
+ if (rc > 0) {
if (msr->txcfg->debuglog_level >= 4) {
msr_log(msr, 4, "Executing operator \"%s%s\" with param \"%s\" against %s skipped.",
@@ -2661,22 +2681,22 @@ static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr,
msr_log(msr, 4, "Operator completed in %" APR_TIME_T_FMT " usec.", (t1 - time_before_op));
}
- if(msr->txcfg->max_rule_time > 0) {
+ if (msr->txcfg->max_rule_time > 0) {
apr_time_t t1 = apr_time_now();
apr_time_t rule_time = 0;
const char *rt_time = NULL;
- if(rule->actionset->id != NULL) {
+ if (rule->actionset->id != NULL) {
rt_time = apr_table_get(msr->perf_rules, rule->actionset->id);
- if(rt_time == NULL) {
+ if (rt_time == NULL) {
rt_time = apr_psprintf(msr->mp, "%" APR_TIME_T_FMT, (t1 - time_before_op));
rule_time = (apr_time_t)atoi(rt_time);
- if(rule_time >= msr->txcfg->max_rule_time)
+ if (rule_time >= msr->txcfg->max_rule_time)
apr_table_setn(msr->perf_rules, rule->actionset->id, rt_time);
} else {
rule_time = (apr_time_t)atoi(rt_time);
rule_time += (t1 - time_before_op);
- if(rule_time >= msr->txcfg->max_rule_time) {
+ if (rule_time >= msr->txcfg->max_rule_time) {
rt_time = apr_psprintf(msr->mp, "%" APR_TIME_T_FMT, rule_time);
apr_table_setn(msr->perf_rules, rule->actionset->id, rt_time);
}
@@ -2714,7 +2734,7 @@ static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr,
*(const msre_rule **)apr_array_push(msr->matched_rules) = rule;
/* Save the last matched var data */
- if(var != NULL && msr != NULL) {
+ if (var != NULL && msr != NULL) {
msc_string *mvar = NULL;
msr->matched_var->name = apr_pstrdup(msr->mp, var->name);
@@ -2757,6 +2777,11 @@ static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr,
* Executes rule against the given transaction.
*/
static apr_status_t msre_rule_process_normal(msre_rule *rule, modsec_rec *msr) {
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
+ assert(rule->targets != NULL);
+ assert(msr != NULL);
+ assert(msr->txcfg != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
msre_actionset *acting_actionset = NULL;
@@ -2846,7 +2871,10 @@ static apr_status_t msre_rule_process_normal(msre_rule *rule, modsec_rec *msr) {
arr = apr_table_elts(tartab);
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
+ /* Variable was modified by *any* transformation */
int changed;
+ /* Variable was modified by *last applied* transformation (needed by multimatch) */
+ int tfnchanged;
int usecache = 0;
apr_table_t *cachetab = NULL;
apr_time_t time_before_trans = 0;
@@ -2969,8 +2997,8 @@ static apr_status_t msre_rule_process_normal(msre_rule *rule, modsec_rec *msr) {
apr_table_t *normtab;
const char *lastvarval = NULL;
apr_size_t lastvarlen = 0;
- int tfnchanged = 0;
+ tfnchanged = 0;
changed = 0;
normtab = apr_table_make(mptmp, 10);
if (normtab == NULL) return -1;
@@ -3078,6 +3106,8 @@ static apr_status_t msre_rule_process_normal(msre_rule *rule, modsec_rec *msr) {
/* Perform transformations. */
tarr = apr_table_elts(normtab);
+ /* if no transformation, multi_match makes no sense and breaks the logic */
+ if (tarr->nelts == 0) multi_match = 0;
/* Execute transformations in a loop. */
@@ -3252,7 +3282,7 @@ static apr_status_t msre_rule_process_normal(msre_rule *rule, modsec_rec *msr) {
* or if it is and we need to process the result of the
* last transformation.
*/
- if (!multi_match || changed) {
+ if (!multi_match || tfnchanged) {
invocations++;
#if defined(PERFORMANCE_MEASUREMENT)
@@ -3298,6 +3328,8 @@ static apr_status_t msre_rule_process_normal(msre_rule *rule, modsec_rec *msr) {
*
*/
static apr_status_t msre_rule_process_lua(msre_rule *rule, modsec_rec *msr) {
+ assert(rule != NULL);
+ assert(msr != NULL);
msre_actionset *acting_actionset = NULL;
char *my_error_msg = NULL;
int rc;
@@ -3335,6 +3367,7 @@ static apr_status_t msre_rule_process_lua(msre_rule *rule, modsec_rec *msr) {
*
*/
static apr_status_t msre_rule_process(msre_rule *rule, modsec_rec *msr) {
+ assert(msr != NULL);
/* Use a fresh memory sub-pool for processing each rule */
if (msr->msc_rule_mptmp == NULL) {
if (apr_pool_create(&msr->msc_rule_mptmp, msr->mp) != APR_SUCCESS) {
diff --git a/apache2/re.h b/apache2/re.h
index 836e2af2b8..db6c190455 100644
--- a/apache2/re.h
+++ b/apache2/re.h
@@ -75,6 +75,10 @@ int DSOLOCAL rule_id_in_range(int ruleid, const char *range);
msre_var DSOLOCAL *generate_single_var(modsec_rec *msr, msre_var *var, apr_array_header_t *tfn_arr,
msre_rule *rule, apr_pool_t *mptmp);
+#ifdef DEBUG_CONF
+char DSOLOCAL* msre_actionset_generate_action_string(apr_pool_t* pool, const msre_actionset* actionset);
+#endif
+
#if defined(WITH_LUA)
apr_table_t DSOLOCAL *generate_multi_var(modsec_rec *msr, msre_var *var, apr_array_header_t *tfn_arr,
msre_rule *rule, apr_pool_t *mptmp);
@@ -409,8 +413,14 @@ struct msre_cache_rec {
apr_size_t val_len;
};
+struct fuzzy_hash_chunk {
+ const char *data;
+ struct fuzzy_hash_chunk *next;
+};
+
struct fuzzy_hash_param_data {
const char *file;
+ struct fuzzy_hash_chunk *head;
int threshold;
};
diff --git a/apache2/re_actions.c b/apache2/re_actions.c
index e06ebe65c2..510d6988d4 100644
--- a/apache2/re_actions.c
+++ b/apache2/re_actions.c
@@ -27,6 +27,8 @@ static void msre_engine_action_register(msre_engine *engine, const char *name,
unsigned int cardinality_group, fn_action_validate_t validate,
fn_action_init_t init, fn_action_execute_t execute)
{
+ assert(engine != NULL);
+ assert(name != NULL);
msre_action_metadata *metadata = (msre_action_metadata *)apr_pcalloc(engine->mp,
sizeof(msre_action_metadata));
if (metadata == NULL) return;
@@ -51,6 +53,7 @@ static void msre_engine_action_register(msre_engine *engine, const char *name,
msre_var *generate_single_var(modsec_rec *msr, msre_var *var, apr_array_header_t *tfn_arr,
msre_rule *rule, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
apr_table_t *vartab = NULL;
const apr_table_entry_t *te = NULL;
const apr_array_header_t *arr = NULL;
@@ -92,6 +95,8 @@ msre_var *generate_single_var(modsec_rec *msr, msre_var *var, apr_array_header_t
rvar->value = rval;
rvar->value_len = rval_len;
+ assert(msr != NULL);
+ assert(msr->txcfg != NULL);
if (msr->txcfg->debuglog_level >= 9) {
msr_log(msr, 9, "T (%d) %s: \"%s\"", rc, tfn->name,
log_escape_nq_ex(mptmp, rvar->value, rvar->value_len));
@@ -108,6 +113,7 @@ msre_var *generate_single_var(modsec_rec *msr, msre_var *var, apr_array_header_t
apr_table_t *generate_multi_var(modsec_rec *msr, msre_var *var, apr_array_header_t *tfn_arr,
msre_rule *rule, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
const apr_array_header_t *tarr;
const apr_table_entry_t *telts;
apr_table_t *vartab = NULL, *tvartab = NULL;
@@ -169,6 +175,9 @@ apr_table_t *generate_multi_var(modsec_rec *msr, msre_var *var, apr_array_header
* in the given variable.
*/
int expand_macros(modsec_rec *msr, msc_string *var, msre_rule *rule, apr_pool_t *mptmp) {
+ assert(msr != NULL);
+ assert(msr->txcfg != NULL);
+ assert(var != NULL);
char *data = NULL;
apr_array_header_t *arr = NULL;
char *p = NULL, *q = NULL, *t = NULL;
@@ -316,6 +325,8 @@ int expand_macros(modsec_rec *msr, msc_string *var, msre_rule *rule, apr_pool_t
* value that is set.
*/
apr_status_t collection_original_setvar(modsec_rec *msr, const char *col_name, const msc_string *orig_var) {
+ assert(msr != NULL);
+ assert(msr->txcfg != NULL);
apr_table_t *table = NULL;
msc_string *var = NULL;
const char *var_name = NULL;
@@ -374,6 +385,8 @@ apr_status_t collection_original_setvar(modsec_rec *msr, const char *col_name, c
static apr_status_t msre_action_marker_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
actionset->id = action->param;
return 1;
}
@@ -383,6 +396,8 @@ static apr_status_t msre_action_marker_init(msre_engine *engine, apr_pool_t *mp,
static apr_status_t msre_action_id_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
actionset->id = action->param;
return 1;
}
@@ -409,6 +424,8 @@ static char *msre_action_id_validate(msre_engine *engine, apr_pool_t *mp, msre_a
static apr_status_t msre_action_rev_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
actionset->rev = action->param;
return 1;
}
@@ -418,6 +435,8 @@ static apr_status_t msre_action_rev_init(msre_engine *engine, apr_pool_t *mp, ms
static apr_status_t msre_action_msg_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
actionset->msg = action->param;
return 1;
}
@@ -427,6 +446,8 @@ static apr_status_t msre_action_msg_init(msre_engine *engine, apr_pool_t *mp, ms
static apr_status_t msre_action_logdata_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
actionset->logdata = action->param;
return 1;
}
@@ -436,6 +457,8 @@ static apr_status_t msre_action_logdata_init(msre_engine *engine, apr_pool_t *mp
static apr_status_t msre_action_sanitizeMatchedBytes_init(msre_engine *engine, apr_pool_t *mp,
msre_actionset *actionset, msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
char *parse_parm = NULL;
char *ac_param = NULL;
char *savedptr = NULL;
@@ -464,6 +487,8 @@ static apr_status_t msre_action_sanitizeMatchedBytes_init(msre_engine *engine, a
static apr_status_t msre_action_accuracy_init(msre_engine *engine, apr_pool_t *mp,
msre_actionset *actionset, msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
actionset->accuracy = atoi(action->param);
return 1;
}
@@ -473,6 +498,8 @@ static apr_status_t msre_action_accuracy_init(msre_engine *engine, apr_pool_t *m
static apr_status_t msre_action_maturity_init(msre_engine *engine, apr_pool_t *mp,
msre_actionset *actionset, msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
actionset->maturity = atoi(action->param);
return 1;
}
@@ -482,6 +509,8 @@ static apr_status_t msre_action_maturity_init(msre_engine *engine, apr_pool_t *m
static apr_status_t msre_action_ver_init(msre_engine *engine, apr_pool_t *mp,
msre_actionset *actionset, msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
actionset->version = action->param;
return 1;
}
@@ -491,6 +520,8 @@ static apr_status_t msre_action_ver_init(msre_engine *engine, apr_pool_t *mp,
static apr_status_t msre_action_severity_init(msre_engine *engine, apr_pool_t *mp,
msre_actionset *actionset, msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
if (strcasecmp(action->param, "emergency") == 0) {
actionset->severity = 0;
} else if (strcasecmp(action->param, "alert") == 0) {
@@ -518,6 +549,7 @@ static apr_status_t msre_action_severity_init(msre_engine *engine, apr_pool_t *m
static apr_status_t msre_action_chain_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
actionset->is_chained = 1;
return 1;
}
@@ -526,6 +558,7 @@ static apr_status_t msre_action_chain_init(msre_engine *engine, apr_pool_t *mp,
static apr_status_t msre_action_log_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
actionset->log = 1;
return 1;
}
@@ -534,6 +567,7 @@ static apr_status_t msre_action_log_init(msre_engine *engine, apr_pool_t *mp, ms
static apr_status_t msre_action_nolog_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
actionset->log = 0;
actionset->auditlog = 0;
return 1;
@@ -543,6 +577,7 @@ static apr_status_t msre_action_nolog_init(msre_engine *engine, apr_pool_t *mp,
static apr_status_t msre_action_auditlog_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
actionset->auditlog = 1;
return 1;
}
@@ -551,6 +586,7 @@ static apr_status_t msre_action_auditlog_init(msre_engine *engine, apr_pool_t *m
static apr_status_t msre_action_noauditlog_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
actionset->auditlog = 0;
return 1;
}
@@ -559,6 +595,7 @@ static apr_status_t msre_action_noauditlog_init(msre_engine *engine, apr_pool_t
static apr_status_t msre_action_block_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
/* Right now we just set a flag and inherit the real disruptive action */
actionset->block = 1;
return 1;
@@ -568,6 +605,7 @@ static apr_status_t msre_action_block_init(msre_engine *engine, apr_pool_t *mp,
static apr_status_t msre_action_deny_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
actionset->intercept_action = ACTION_DENY;
actionset->intercept_action_rec = action;
return 1;
@@ -582,6 +620,8 @@ static char *msre_action_status_validate(msre_engine *engine, apr_pool_t *mp, ms
static apr_status_t msre_action_status_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
actionset->intercept_status = atoi(action->param);
return 1;
}
@@ -590,6 +630,8 @@ static apr_status_t msre_action_status_init(msre_engine *engine, apr_pool_t *mp,
static apr_status_t msre_action_drop_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
actionset->intercept_action = ACTION_DROP;
actionset->intercept_action_rec = action;
return 1;
@@ -604,6 +646,8 @@ static char *msre_action_pause_validate(msre_engine *engine, apr_pool_t *mp, msr
static apr_status_t msre_action_pause_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
actionset->intercept_action = ACTION_PAUSE;
actionset->intercept_pause = action->param;
return 1;
@@ -619,6 +663,8 @@ static char *msre_action_redirect_validate(msre_engine *engine, apr_pool_t *mp,
static apr_status_t msre_action_redirect_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
actionset->intercept_action = ACTION_REDIRECT;
actionset->intercept_uri = action->param;
actionset->intercept_action_rec = action;
@@ -628,6 +674,10 @@ static apr_status_t msre_action_redirect_init(msre_engine *engine, apr_pool_t *m
static apr_status_t msre_action_redirect_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
+ assert(action != NULL);
msc_string *var = NULL;
var = apr_pcalloc(mptmp, sizeof(msc_string));
@@ -651,6 +701,8 @@ static char *msre_action_proxy_validate(msre_engine *engine, apr_pool_t *mp, msr
static apr_status_t msre_action_proxy_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
actionset->intercept_action = ACTION_PROXY;
actionset->intercept_uri = action->param;
actionset->intercept_action_rec = action;
@@ -660,11 +712,19 @@ static apr_status_t msre_action_proxy_init(msre_engine *engine, apr_pool_t *mp,
static apr_status_t msre_action_proxy_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(action != NULL);
msc_string *var = NULL;
var = apr_pcalloc(mptmp, sizeof(msc_string));
if (var == NULL) return -1;
- var->value = (char *)action->param;
+ if (!strncmp(action->param,"[nocanon]",9)) {
+ apr_table_setn(msr->r->notes,"proxy-nocanon", "1");
+ var->value = (char *)action->param+9;
+ } else {
+ var->value = (char *)action->param;
+ }
var->value_len = strlen(var->value);
expand_macros(msr, var, rule, mptmp);
@@ -678,6 +738,8 @@ static apr_status_t msre_action_proxy_execute(modsec_rec *msr, apr_pool_t *mptmp
static apr_status_t msre_action_pass_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
actionset->intercept_action = ACTION_NONE;
actionset->intercept_action_rec = action;
return 1;
@@ -693,6 +755,8 @@ static char *msre_action_skip_validate(msre_engine *engine, apr_pool_t *mp, msre
static apr_status_t msre_action_skip_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
actionset->skip_count = atoi(action->param);
if (actionset->skip_count <= 0) actionset->skip_count = 1;
return 1;
@@ -708,6 +772,8 @@ static char *msre_action_skipAfter_validate(msre_engine *engine, apr_pool_t *mp,
static apr_status_t msre_action_skipAfter_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
actionset->skip_after = action->param;
return 1;
}
@@ -717,6 +783,8 @@ static apr_status_t msre_action_skipAfter_init(msre_engine *engine, apr_pool_t *
static apr_status_t msre_action_allow_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
actionset->intercept_action = ACTION_ALLOW;
actionset->intercept_action_rec = action;
@@ -733,6 +801,7 @@ static apr_status_t msre_action_allow_init(msre_engine *engine, apr_pool_t *mp,
}
static char *msre_action_allow_validate(msre_engine *engine, apr_pool_t *mp, msre_action *action) {
+ assert(action != NULL);
if (action->param != NULL) {
if (strcasecmp(action->param, "phase") == 0) {
return NULL;
@@ -757,6 +826,8 @@ static char *msre_action_phase_validate(msre_engine *engine, apr_pool_t *mp, msr
static apr_status_t msre_action_phase_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(actionset != NULL);
+ assert(action != NULL);
if(strcasecmp(action->param,"request") == 0)
actionset->phase = 2;
else if(strcasecmp(action->param,"response") == 0)
@@ -772,6 +843,7 @@ static apr_status_t msre_action_phase_init(msre_engine *engine, apr_pool_t *mp,
/* t */
static char *msre_action_t_validate(msre_engine *engine, apr_pool_t *mp, msre_action *action) {
+ assert(action != NULL);
msre_tfn_metadata *metadata = NULL;
metadata = msre_engine_tfn_resolve(engine, action->param);
if (metadata == NULL) return apr_psprintf(mp, "Invalid transformation function: %s",
@@ -783,6 +855,7 @@ static char *msre_action_t_validate(msre_engine *engine, apr_pool_t *mp, msre_ac
static apr_status_t msre_action_t_init(msre_engine *engine, apr_pool_t *mp, msre_actionset *actionset,
msre_action *action)
{
+ assert(action != NULL);
msre_tfn_metadata *metadata = (msre_tfn_metadata *)action->param_data;
action->param_data = metadata;
return 1;
@@ -790,6 +863,7 @@ static apr_status_t msre_action_t_init(msre_engine *engine, apr_pool_t *mp, msre
/* ctl */
static char *msre_action_ctl_validate(msre_engine *engine, apr_pool_t *mp, msre_action *action) {
+ assert(action != NULL);
char *name = NULL;
char *value = NULL;
@@ -963,6 +1037,8 @@ static apr_status_t msre_action_ctl_init(msre_engine *engine, apr_pool_t *mp, ms
static apr_status_t msre_action_ctl_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
+ assert(msr != NULL);
+ assert(action != NULL);
char *name = NULL;
char *value = NULL;
@@ -1230,11 +1306,24 @@ static apr_status_t msre_action_ctl_execute(modsec_rec *msr, apr_pool_t *mptmp,
if (msr->txcfg->debuglog_level >= 4) {
msr_log(msr, 4, "Ctl: ruleRemoveTargetById id=%s targets=%s", p1, p2);
}
- re = apr_pcalloc(msr->mp, sizeof(rule_exception));
- re->type = RULE_EXCEPTION_REMOVE_ID;
- re->param = (const char *)apr_pstrdup(msr->mp, p1);
- apr_table_addn(msr->removed_targets, apr_pstrdup(msr->mp, p2), (void *)re);
- return 1;
+ if (p2 == NULL) {
+ msr_log(msr, 1, "Ctl: ruleRemoveTargetById: Missing target for id \"%s\"", p1);
+ return -1;
+ }
+
+ re = apr_pcalloc(msr->mp, sizeof(rule_exception));
+ if (re == NULL) {
+ msr_log(msr, 1, "Ctl: Memory allocation error");
+ return -1;
+ }
+ re->type = RULE_EXCEPTION_REMOVE_ID;
+ re->param = (const char *)apr_pstrdup(msr->mp, p1);
+ if (re->param == NULL) {
+ msr_log(msr, 1, "Ctl: Memory allocation error");
+ return -1;
+ }
+ apr_table_addn(msr->removed_targets, apr_pstrdup(msr->mp, p2), (void *)re);
+ return 1;
} else
if (strcasecmp(name, "ruleRemoveTargetByTag") == 0) {
rule_exception *re = NULL;
@@ -1242,23 +1331,26 @@ static apr_status_t msre_action_ctl_execute(modsec_rec *msr, apr_pool_t *mptmp,
char *savedptr = NULL;
p1 = apr_strtok(value,";",&savedptr);
-
p2 = apr_strtok(NULL,";",&savedptr);
if (msr->txcfg->debuglog_level >= 4) {
msr_log(msr, 4, "Ctl: ruleRemoveTargetByTag tag=%s targets=%s", p1, p2);
}
+ if (p2 == NULL) {
+ msr_log(msr, 1, "ModSecurity: Missing target for tag \"%s\"", p1);
+ return -1;
+ }
- re = apr_pcalloc(msr->mp, sizeof(rule_exception));
- re->type = RULE_EXCEPTION_REMOVE_TAG;
- re->param = (const char *)apr_pstrdup(msr->mp, p1);
- re->param_data = msc_pregcomp(msr->mp, p1, 0, NULL, NULL);
- if (re->param_data == NULL) {
- msr_log(msr, 1, "ModSecurity: Invalid regular expression \"%s\"", p1);
- return -1;
- }
- apr_table_addn(msr->removed_targets, apr_pstrdup(msr->mp, p2), (void *)re);
- return 1;
+ re = apr_pcalloc(msr->mp, sizeof(rule_exception));
+ re->type = RULE_EXCEPTION_REMOVE_TAG;
+ re->param = (const char *)apr_pstrdup(msr->mp, p1);
+ re->param_data = msc_pregcomp(msr->mp, p1, 0, NULL, NULL);
+ if (re->param_data == NULL) {
+ msr_log(msr, 1, "ModSecurity: Invalid regular expression \"%s\"", p1);
+ return -1;
+ }
+ apr_table_addn(msr->removed_targets, apr_pstrdup(msr->mp, p2), (void *)re);
+ return 1;
} else
if (strcasecmp(name, "ruleRemoveTargetByMsg") == 0) {
rule_exception *re = NULL;
@@ -1266,35 +1358,36 @@ static apr_status_t msre_action_ctl_execute(modsec_rec *msr, apr_pool_t *mptmp,
char *savedptr = NULL;
p1 = apr_strtok(value,";",&savedptr);
-
p2 = apr_strtok(NULL,";",&savedptr);
if (msr->txcfg->debuglog_level >= 4) {
msr_log(msr, 4, "Ctl: ruleRemoveTargetByMsg msg=%s targets=%s", p1, p2);
}
+ if (p2 == NULL) {
+ msr_log(msr, 1, "ModSecurity: Missing target for msg \"%s\"", p1);
+ return -1;
+ }
- re = apr_pcalloc(msr->mp, sizeof(rule_exception));
- re->type = RULE_EXCEPTION_REMOVE_MSG;
- re->param = apr_pstrdup(msr->mp, p1);
- re->param_data = msc_pregcomp(msr->mp, p1, 0, NULL, NULL);
- if (re->param_data == NULL) {
- msr_log(msr, 1, "ModSecurity: Invalid regular expression \"%s\"", p1);
- return -1;
- }
- apr_table_addn(msr->removed_targets, apr_pstrdup(msr->mp, p2), (void *)re);
- return 1;
- }
- else {
- /* Should never happen, but log if it does. */
- msr_log(msr, 1, "Internal Error: Unknown ctl action \"%s\".", name);
- return -1;
+ re = apr_pcalloc(msr->mp, sizeof(rule_exception));
+ re->type = RULE_EXCEPTION_REMOVE_MSG;
+ re->param = apr_pstrdup(msr->mp, p1);
+ re->param_data = msc_pregcomp(msr->mp, p1, 0, NULL, NULL);
+ if (re->param_data == NULL) {
+ msr_log(msr, 1, "ModSecurity: Invalid regular expression \"%s\"", p1);
+ return -1;
+ }
+ apr_table_addn(msr->removed_targets, apr_pstrdup(msr->mp, p2), (void *)re);
+ return 1;
}
+ /* Should never happen, but log if it does. */
+ msr_log(msr, 1, "Internal Error: Unknown ctl action \"%s\".", name);
return -1;
}
/* xmlns */
static char *msre_action_xmlns_validate(msre_engine *engine, apr_pool_t *mp, msre_action *action) {
+ assert(action != NULL);
char *name = NULL;
char *value = NULL;
@@ -1318,6 +1411,8 @@ static char *msre_action_xmlns_validate(msre_engine *engine, apr_pool_t *mp, msr
static apr_status_t msre_action_sanitizeArg_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
+ assert(msr != NULL);
+ assert(action != NULL);
const char *sargname = NULL;
const apr_array_header_t *tarr;
const apr_table_entry_t *telts;
@@ -1346,17 +1441,21 @@ static apr_status_t msre_action_sanitizeArg_execute(modsec_rec *msr, apr_pool_t
static apr_status_t msre_action_sanitizeMatched_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
+ assert(msr != NULL);
+ assert(action != NULL);
const char *sargname = NULL;
const apr_array_header_t *tarr;
const apr_table_entry_t *telts;
int i, type = 0;
msc_string *mvar = msr->matched_var;
+ assert(mvar != NULL);
if (mvar->name_len == 0) return 0;
/* IMP1 We need to extract the variable name properly here,
* taking into account it may have been escaped.
*/
+ assert(mvar->name != NULL);
if ((mvar->name_len > 5) && (strncmp(mvar->name, "ARGS:", 5) == 0)) {
sargname = apr_pstrdup(msr->mp, mvar->name + 5);
type = SANITISE_ARG;
@@ -1391,10 +1490,13 @@ static apr_status_t msre_action_sanitizeMatched_execute(modsec_rec *msr, apr_poo
switch(type) {
case SANITISE_ARG :
+ assert(msr->arguments_to_sanitize != NULL);
tarr = apr_table_elts(msr->arguments);
+ assert(tarr != NULL);
telts = (const apr_table_entry_t*)tarr->elts;
for (i = 0; i < tarr->nelts; i++) {
msc_arg *arg = (msc_arg *)telts[i].val;
+ assert(arg != NULL);
if (strcasecmp(sargname, arg->name) == 0) {
apr_table_addn(msr->arguments_to_sanitize, arg->name, (void *)arg);
}
@@ -1402,10 +1504,12 @@ static apr_status_t msre_action_sanitizeMatched_execute(modsec_rec *msr, apr_poo
break;
case SANITISE_REQUEST_HEADER :
+ assert(msr->request_headers_to_sanitize != NULL);
apr_table_set(msr->request_headers_to_sanitize, sargname, "1");
break;
case SANITISE_RESPONSE_HEADER :
+ assert(msr->response_headers_to_sanitize != NULL);
apr_table_set(msr->response_headers_to_sanitize, sargname, "1");
break;
@@ -1421,6 +1525,10 @@ static apr_status_t msre_action_sanitizeMatched_execute(modsec_rec *msr, apr_poo
static apr_status_t msre_action_sanitizeRequestHeader_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
+ assert(msr != NULL);
+ assert(msr->request_headers_to_sanitize != NULL);
+ assert(action != NULL);
+ assert(action->param != NULL);
apr_table_set(msr->request_headers_to_sanitize, action->param, "1");
return 1;
}
@@ -1429,6 +1537,10 @@ static apr_status_t msre_action_sanitizeRequestHeader_execute(modsec_rec *msr, a
static apr_status_t msre_action_sanitizeResponseHeader_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
+ assert(msr != NULL);
+ assert(msr->response_headers_to_sanitize != NULL);
+ assert(action != NULL);
+ assert(action->param != NULL);
apr_table_set(msr->response_headers_to_sanitize, action->param, "1");
return 1;
}
@@ -1437,6 +1549,9 @@ static apr_status_t msre_action_sanitizeResponseHeader_execute(modsec_rec *msr,
static apr_status_t msre_action_setenv_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
+ assert(msr != NULL);
+ assert(action != NULL);
+ assert(action->param != NULL);
char *data = apr_pstrdup(mptmp, action->param);
char *env_name = NULL, *env_value = NULL;
char *s = NULL;
@@ -1454,6 +1569,7 @@ static apr_status_t msre_action_setenv_execute(modsec_rec *msr, apr_pool_t *mptm
*s = '\0';
}
+ assert(msr->txcfg != NULL);
if (msr->txcfg->debuglog_level >= 9) {
msr_log(msr, 9, "Setting env variable: %s=%s", env_name, env_value);
}
@@ -1472,6 +1588,7 @@ static apr_status_t msre_action_setenv_execute(modsec_rec *msr, apr_pool_t *mptm
/* Execute the requested action. */
if (env_name != NULL && env_name[0] == '!') {
/* Delete */
+ assert(msr->r != NULL);
apr_table_unset(msr->r->subprocess_env, env_name + 1);
if (msr->txcfg->debuglog_level >= 9) {
@@ -1492,6 +1609,7 @@ static apr_status_t msre_action_setenv_execute(modsec_rec *msr, apr_pool_t *mptm
expand_macros(msr, val, rule, mptmp);
/* To be safe, we escape NULs as it goes in subprocess_env. */
+ assert(msr->mp != NULL);
val_value = log_escape_nul(msr->mp, (const unsigned char *)val->value, val->value_len);
apr_table_set(msr->r->subprocess_env, env_name, val_value);
@@ -1510,10 +1628,14 @@ static apr_status_t msre_action_setenv_execute(modsec_rec *msr, apr_pool_t *mptm
apr_status_t msre_action_setvar_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, char *var_name, char *var_value)
{
+ assert(msr != NULL);
+ assert(var_name != NULL);
+ assert(var_value != NULL);
char *col_name = NULL;
char *s = NULL;
apr_table_t *target_col = NULL;
int is_negated = 0;
+ char *real_col_name = NULL;
msc_string *var = NULL;
if (msr->txcfg->debuglog_level >= 9) {
@@ -1530,9 +1652,13 @@ apr_status_t msre_action_setvar_execute(modsec_rec *msr, apr_pool_t *mptmp,
var->value_len = strlen(var->value);
expand_macros(msr, var, rule, mptmp);
var_name = log_escape_nq_ex(msr->mp, var->value, var->value_len);
+ if (var_name == NULL) {
+ msr_log(msr, 1, "Failed to allocate space to expand name macros");
+ return -1;
+ }
/* Handle the exclamation mark. */
- if (var_name != NULL && var_name[0] == '!') {
+ if (var_name[0] == '!') {
var_name = var_name + 1;
is_negated = 1;
}
@@ -1556,19 +1682,26 @@ apr_status_t msre_action_setvar_execute(modsec_rec *msr, apr_pool_t *mptmp,
var_name = s + 1;
*s = '\0';
+ if (strcasecmp(col_name,"USER") == 0 || strcasecmp(col_name,"SESSION") == 0
+ || strcasecmp(col_name, "RESOURCE") == 0) {
+ real_col_name = apr_psprintf(mptmp, "%s_%s", msr->txcfg->webappid, col_name);
+ }
+
/* Locate the collection. */
if (strcasecmp(col_name, "tx") == 0) { /* Special case for TX variables. */
target_col = msr->tx_vars;
} else {
target_col = (apr_table_t *)apr_table_get(msr->collections, col_name);
- if (target_col == NULL) {
- if (msr->txcfg->debuglog_level >= 3) {
- msr_log(msr, 3, "Could not set variable \"%s.%s\" as the collection does not exist.",
- log_escape(msr->mp, col_name), log_escape(msr->mp, var_name));
- }
+ }
- return 0;
+
+ if (target_col == NULL) {
+ if (msr->txcfg->debuglog_level >= 3) {
+ msr_log(msr, 3, "Could not set variable \"%s.%s\" as the collection does not exist.",
+ log_escape(msr->mp, col_name), log_escape(msr->mp, var_name));
}
+
+ return 0;
}
if (is_negated) {
@@ -1611,7 +1744,11 @@ apr_status_t msre_action_setvar_execute(modsec_rec *msr, apr_pool_t *mptmp,
}
/* Record the original value before we change it */
- collection_original_setvar(msr, col_name, rec);
+ if (real_col_name == NULL) {
+ collection_original_setvar(msr, col_name, rec);
+ } else {
+ collection_original_setvar(msr, real_col_name, rec);
+ }
/* Expand values in value */
val->value = var_value;
@@ -1646,6 +1783,7 @@ apr_status_t msre_action_setvar_execute(modsec_rec *msr, apr_pool_t *mptmp,
var->value = apr_pstrdup(msr->mp, var_value);
var->value_len = strlen(var->value);
expand_macros(msr, var, rule, mptmp);
+
apr_table_setn(target_col, var->name, (void *)var);
if (msr->txcfg->debuglog_level >= 9) {
@@ -1680,6 +1818,9 @@ apr_status_t msre_action_setvar_execute(modsec_rec *msr, apr_pool_t *mptmp,
static apr_status_t msre_action_setvar_parse(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
+ assert(msr != NULL);
+ assert(action != NULL);
+ assert(action->param != NULL);
char *data = apr_pstrdup(mptmp, action->param);
char *var_name = NULL, *var_value = NULL;
char *s = NULL;
@@ -1695,7 +1836,7 @@ static apr_status_t msre_action_setvar_parse(modsec_rec *msr, apr_pool_t *mptmp,
var_value = s + 1;
*s = '\0';
- while ((*var_value != '\0')&&(isspace(*var_value))) var_value++;
+ while (isspace(*var_value)) var_value++;
}
return msre_action_setvar_execute(msr,mptmp,rule,var_name,var_value);
@@ -1705,6 +1846,9 @@ static apr_status_t msre_action_setvar_parse(modsec_rec *msr, apr_pool_t *mptmp,
static apr_status_t msre_action_expirevar_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
+ assert(msr != NULL);
+ assert(action != NULL);
+ assert(action->param != NULL);
char *data = apr_pstrdup(mptmp, action->param);
char *col_name = NULL, *var_name = NULL, *var_value = NULL;
char *s = NULL;
@@ -1802,6 +1946,9 @@ static apr_status_t msre_action_expirevar_execute(modsec_rec *msr, apr_pool_t *m
static apr_status_t msre_action_deprecatevar_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
+ assert(msr != NULL);
+ assert(action != NULL);
+ assert(action->param != NULL);
char *data = apr_pstrdup(mptmp, action->param);
char *col_name = NULL, *var_name = NULL, *var_value = NULL;
char *s = NULL;
@@ -1936,6 +2083,10 @@ static apr_status_t msre_action_deprecatevar_execute(modsec_rec *msr, apr_pool_t
static apr_status_t init_collection(modsec_rec *msr, const char *real_col_name,
const char *col_name, const char *col_key, unsigned int col_key_len)
{
+ assert(msr != NULL);
+ assert(msr->collections != NULL);
+ assert(msr->txcfg != NULL);
+ assert(real_col_name != NULL);
apr_table_t *table = NULL;
msc_string *var = NULL;
@@ -1949,7 +2100,6 @@ static apr_status_t init_collection(modsec_rec *msr, const char *real_col_name,
/* Init collection from storage. */
table = collection_retrieve(msr, real_col_name, col_key, col_key_len);
-
if (table == NULL) {
/* Does not exist yet - create new. */
@@ -2043,7 +2193,11 @@ static apr_status_t init_collection(modsec_rec *msr, const char *real_col_name,
/* Record the original counter value before we change it */
var = (msc_string *)apr_table_get(table, "UPDATE_COUNTER");
if (var != NULL) {
- collection_original_setvar(msr, col_name, var);
+ if (real_col_name == NULL) {
+ collection_original_setvar(msr, col_name, var);
+ } else {
+ collection_original_setvar(msr, real_col_name, var);
+ }
}
/* Add the collection to the list. */
@@ -2066,6 +2220,9 @@ static apr_status_t init_collection(modsec_rec *msr, const char *real_col_name,
static apr_status_t msre_action_initcol_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
+ assert(msr != NULL);
+ assert(action != NULL);
+ assert(action->param != NULL);
char *data = apr_pstrdup(msr->mp, action->param);
char *col_name = NULL, *col_key = NULL;
unsigned int col_key_len;
@@ -2097,6 +2254,9 @@ static apr_status_t msre_action_initcol_execute(modsec_rec *msr, apr_pool_t *mpt
static apr_status_t msre_action_setsid_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
+ assert(msr != NULL);
+ assert(action != NULL);
+ assert(action->param != NULL);
msc_string *var = NULL;
char *real_col_name = NULL, *col_key = NULL;
unsigned int col_key_len;
@@ -2121,6 +2281,9 @@ static apr_status_t msre_action_setsid_execute(modsec_rec *msr, apr_pool_t *mptm
static apr_status_t msre_action_setuid_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
+ assert(msr != NULL);
+ assert(action != NULL);
+ assert(action->param != NULL);
msc_string *var = NULL;
char *real_col_name = NULL, *col_key = NULL;
unsigned int col_key_len;
@@ -2145,6 +2308,9 @@ static apr_status_t msre_action_setuid_execute(modsec_rec *msr, apr_pool_t *mptm
static apr_status_t msre_action_setrsc_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
+ assert(msr != NULL);
+ assert(action != NULL);
+ assert(action->param != NULL);
msc_string *var = NULL;
char *real_col_name = NULL, *col_key = NULL;
unsigned int col_key_len;
@@ -2166,6 +2332,8 @@ static apr_status_t msre_action_setrsc_execute(modsec_rec *msr, apr_pool_t *mptm
/* exec */
static char *msre_action_exec_validate(msre_engine *engine, apr_pool_t *mp, msre_action *action) {
+ assert(action != NULL);
+ assert(action->param != NULL);
#if defined(WITH_LUA)
char *filename = (char *)action->param;
@@ -2193,7 +2361,9 @@ static char *msre_action_exec_validate(msre_engine *engine, apr_pool_t *mp, msre
static apr_status_t msre_action_exec_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
- #if defined(WITH_LUA)
+ assert(msr != NULL);
+ assert(action != NULL);
+#if defined(WITH_LUA)
if (action->param_data != NULL) { /* Lua */
msc_script *script = (msc_script *)action->param_data;
char *my_error_msg = NULL;
@@ -2221,6 +2391,9 @@ static apr_status_t msre_action_exec_execute(modsec_rec *msr, apr_pool_t *mptmp,
static apr_status_t msre_action_prepend_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
+ assert(msr != NULL);
+ assert(action != NULL);
+ assert(action->param != NULL);
msc_string *var = NULL;
/* Expand any macros in the text */
@@ -2241,6 +2414,9 @@ static apr_status_t msre_action_prepend_execute(modsec_rec *msr, apr_pool_t *mpt
static apr_status_t msre_action_append_execute(modsec_rec *msr, apr_pool_t *mptmp,
msre_rule *rule, msre_action *action)
{
+ assert(msr != NULL);
+ assert(action != NULL);
+ assert(action->param != NULL);
msc_string *var = NULL;
/* Expand any macros in the text */
diff --git a/apache2/re_operators.c b/apache2/re_operators.c
index 4f748d77da..ca61c7adc8 100644
--- a/apache2/re_operators.c
+++ b/apache2/re_operators.c
@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -44,6 +44,8 @@
void msre_engine_op_register(msre_engine *engine, const char *name,
fn_op_param_init_t fn1, fn_op_execute_t fn2)
{
+ assert(engine != NULL);
+ assert(name != NULL);
msre_op_metadata *metadata = (msre_op_metadata *)apr_pcalloc(engine->mp,
sizeof(msre_op_metadata));
if (metadata == NULL) return;
@@ -58,6 +60,7 @@ void msre_engine_op_register(msre_engine *engine, const char *name,
*
*/
msre_op_metadata *msre_engine_op_resolve(msre_engine *engine, const char *name) {
+ assert(engine != NULL);
return (msre_op_metadata *)apr_table_get(engine->operators, name);
}
@@ -70,6 +73,7 @@ msre_op_metadata *msre_engine_op_resolve(msre_engine *engine, const char *name)
static int msre_op_unconditionalmatch_execute(modsec_rec *msr, msre_rule *rule,
msre_var *var, char **error_msg)
{
+ assert(error_msg != NULL);
*error_msg = "Unconditional match in SecAction.";
/* Always match. */
@@ -81,6 +85,7 @@ static int msre_op_unconditionalmatch_execute(modsec_rec *msr, msre_rule *rule,
static int msre_op_nomatch_execute(modsec_rec *msr, msre_rule *rule,
msre_var *var, char **error_msg)
{
+ assert(error_msg != NULL);
*error_msg = "No match.";
/* Never match. */
@@ -99,13 +104,17 @@ static int msre_op_nomatch_execute(modsec_rec *msr, msre_rule *rule,
* \retval 0 On Fail
*/
static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
+ assert(rule != NULL);
+ assert(error_msg != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (error_msg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, rule->ruleset->mp, "msre_op_ipmatch_param_init: error_msg is NULL");
+ return -1;
+ }
char *param = NULL;
int res = 0;
- if (error_msg == NULL)
- return -1;
- else
- *error_msg = NULL;
+ *error_msg = NULL;
param = apr_pstrdup(rule->ruleset->mp, rule->op_param);
@@ -131,13 +140,13 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
* \retval 0 On No Match
*/
static int msre_op_ipmatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
TreeRoot *rtree = NULL;
int res = 0;
- if (error_msg == NULL)
- return -1;
- else
- *error_msg = NULL;
+ *error_msg = NULL;
if (rule == NULL || rule->ip_op == NULL) {
msr_log(msr, 1, "ipMatch Internal Error: ipmatch value is null.");
@@ -171,6 +180,8 @@ static int msre_op_ipmatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *v
* \retval 0 On Fail
*/
static int msre_op_ipmatchFromFile_param_init(msre_rule *rule, char **error_msg) {
+ assert(rule != NULL);
+ assert(error_msg != NULL);
const char *rootpath = NULL;
const char *filepath = NULL;
const char *ipfile_path = NULL;
@@ -258,14 +269,14 @@ static int msre_op_ipmatchFromFile_param_init(msre_rule *rule, char **error_msg)
*/
static int msre_op_ipmatchFromFile_execute(modsec_rec *msr, msre_rule *rule,
msre_var *var, char **error_msg) {
-
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
TreeRoot *rtree = (TreeRoot *)rule->op_param_data;
int res = 0;
- if (error_msg == NULL)
- return -1;
- else
- *error_msg = NULL;
+ *error_msg = NULL;
if (rtree == NULL)
{
@@ -298,6 +309,8 @@ static int msre_op_ipmatchFromFile_execute(modsec_rec *msr, msre_rule *rule,
/* rsub */
static char *param_remove_escape(msre_rule *rule, char *str, int len) {
+ assert(rule != NULL);
+ assert(str != NULL);
char *parm = apr_pcalloc(rule->ruleset->mp, len);
char *ret = parm;
@@ -330,6 +343,14 @@ static char *param_remove_escape(msre_rule *rule, char *str, int len) {
*/
#if !defined(MSC_TEST)
static int msre_op_rsub_param_init(msre_rule *rule, char **error_msg) {
+ assert(rule != NULL);
+ assert(rule->ruleset != NULL);
+ assert(error_msg != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (error_msg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, rule->ruleset->mp, "msre_op_rsub_param_init: error_msg is NULL");
+ return -1;
+ }
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 0
ap_regex_t *regex;
#else
@@ -347,7 +368,6 @@ static int msre_op_rsub_param_init(msre_rule *rule, char **error_msg) {
int ignore_case = 0;
unsigned short int op_len = 0;
- if (error_msg == NULL) return -1;
*error_msg = NULL;
line = rule->op_param;
@@ -469,8 +489,20 @@ static int msre_op_rsub_param_init(msre_rule *rule, char **error_msg) {
* \retval 0 On No Match
*/
static int msre_op_rsub_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ if (!str) {
+ msr_log(msr, 1, "rsub: Memory allocation error");
+ return -1;
+ }
msc_string *re_pattern = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ if (!re_pattern) {
+ msr_log(msr, 1, "rsub: Memory allocation error");
+ return -1;
+ }
char *offset = NULL;
char *data = NULL, *pattern = NULL;
char *data_out = NULL;
@@ -483,7 +515,6 @@ static int msre_op_rsub_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
regmatch_t pmatch[AP_MAX_REG_MATCH];
#endif
- if (error_msg == NULL) return -1;
*error_msg = NULL;
if(strcmp(var->name,"STREAM_OUTPUT_BODY") == 0 ) {
@@ -604,24 +635,15 @@ static int msre_op_rsub_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
size+=sl;
*data_out=0;
- if(msr->stream_output_data != NULL && output_body == 1) {
-
- memset(msr->stream_output_data, 0x0, msr->stream_output_length);
+ if (msr->stream_output_data != NULL && output_body == 1) {
free(msr->stream_output_data);
msr->stream_output_data = NULL;
msr->stream_output_length = 0;
-
msr->stream_output_data = (char *)malloc(size+1);
-
- if(msr->stream_output_data == NULL) {
- return -1;
- }
+ if (msr->stream_output_data == NULL) return -1;
msr->stream_output_length = size;
- memset(msr->stream_output_data, 0x0, size+1);
-
msr->of_stream_changed = 1;
-
memcpy(msr->stream_output_data, data, size);
msr->stream_output_data[size] = '\0';
@@ -629,21 +651,20 @@ static int msre_op_rsub_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
var->value = msr->stream_output_data;
}
- if(msr->stream_input_data != NULL && input_body == 1) {
- memset(msr->stream_input_data, 0x0, msr->stream_input_length);
+ if (msr->stream_input_data != NULL && input_body == 1) {
free(msr->stream_input_data);
msr->stream_input_data = NULL;
msr->stream_input_length = 0;
-
+#ifdef MSC_LARGE_STREAM_INPUT
+ msr->stream_input_allocated_length = 0;
+#endif
msr->stream_input_data = (char *)malloc(size+1);
-
- if(msr->stream_input_data == NULL) {
- return -1;
- }
+ if(msr->stream_input_data == NULL) return -1;
msr->stream_input_length = size;
- memset(msr->stream_input_data, 0x0, size+1);
-
+#ifdef MSC_LARGE_STREAM_INPUT
+ msr->stream_input_allocated_length = size;
+#endif
msr->if_stream_changed = 1;
memcpy(msr->stream_input_data, data, size);
@@ -671,13 +692,15 @@ static int msre_op_rsub_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
* \retval 0 On fail
*/
static int msre_op_validateHash_param_init(msre_rule *rule, char **error_msg) {
+ assert(rule != NULL);
+ assert(error_msg != NULL);
const char *errptr = NULL;
int erroffset;
msc_regex_t *regex;
const char *pattern = rule->op_param;
#ifdef WITH_PCRE_STUDY
#ifdef WITH_PCRE_JIT
- int rc, jit;
+ int rc, jit = 0;
#endif
#endif
@@ -686,7 +709,12 @@ static int msre_op_validateHash_param_init(msre_rule *rule, char **error_msg) {
/* Compile pattern */
if(strstr(pattern,"%{") == NULL) {
- regex = msc_pregcomp_ex(rule->ruleset->mp, pattern, PCRE_DOTALL | PCRE_DOLLAR_ENDONLY, &errptr, &erroffset, msc_pcre_match_limit, msc_pcre_match_limit_recursion);
+#ifdef WITH_PCRE2
+ int options = PCRE2_DOTALL | PCRE2_DOLLAR_ENDONLY;
+#else
+ int options = PCRE_DOTALL | PCRE_DOLLAR_ENDONLY;
+#endif
+ regex = msc_pregcomp_ex(rule->ruleset->mp, pattern, options, &errptr, &erroffset, msc_pcre_match_limit, msc_pcre_match_limit_recursion);
if (regex == NULL) {
*error_msg = apr_psprintf(rule->ruleset->mp, "Error compiling pattern (offset %d): %s",
erroffset, errptr);
@@ -695,7 +723,11 @@ static int msre_op_validateHash_param_init(msre_rule *rule, char **error_msg) {
#ifdef WITH_PCRE_STUDY
#ifdef WITH_PCRE_JIT
+ #ifdef WITH_PCRE2
+ rc = regex->jit_compile_rc;
+ #else
rc = msc_fullinfo(regex, PCRE_INFO_JIT, &jit);
+ #endif
if ((rc != 0) || (jit != 1)) {
*error_msg = apr_psprintf(rule->ruleset->mp,
"Rule %pp [id \"%s\"][file \"%s\"][line \"%d\"] - "
@@ -731,24 +763,30 @@ static int msre_op_validateHash_param_init(msre_rule *rule, char **error_msg) {
* \retval 0 On fail
*/
static int msre_op_validateHash_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
msc_regex_t *regex = (msc_regex_t *)rule->op_param_data;
msc_string *re_pattern = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ if (!re_pattern) {
+ msr_log(msr, 1, "validateHash: Memory allocation error");
+ return -1;
+ }
const char *target;
const char *errptr = NULL;
int erroffset;
+ int options = 0;
unsigned int target_length;
char *my_error_msg = NULL;
int ovector[33];
int rc;
- const char *pattern = NULL;
#ifdef WITH_PCRE_STUDY
#ifdef WITH_PCRE_JIT
- int jit;
+ int jit = 0;
#endif
#endif
-
- if (error_msg == NULL) return -1;
*error_msg = NULL;
if (msr->txcfg->hash_enforcement == HASH_DISABLED || msr->txcfg->hash_is_enabled == HASH_DISABLED)
@@ -770,15 +808,20 @@ static int msre_op_validateHash_execute(modsec_rec *msr, msre_rule *rule, msre_v
expand_macros(msr, re_pattern, rule, msr->mp);
- pattern = log_escape_re(msr->mp, re_pattern->value);
+ const char *pattern = log_escape_re(msr->mp, re_pattern->value);
if (msr->txcfg->debuglog_level >= 6) {
msr_log(msr, 6, "Escaping pattern [%s]",pattern);
}
- regex = msc_pregcomp_ex(rule->ruleset->mp, pattern, PCRE_DOTALL | PCRE_DOLLAR_ENDONLY, &errptr,
+#ifdef WITH_PCRE2
+ options = PCRE2_DOTALL | PCRE2_DOLLAR_ENDONLY;
+#else
+ options = PCRE_DOTALL | PCRE_DOLLAR_ENDONLY;
+#endif
+ regex = msc_pregcomp_ex(msr->mp, pattern, options, &errptr,
&erroffset, msc_pcre_match_limit, msc_pcre_match_limit_recursion);
if (regex == NULL) {
- *error_msg = apr_psprintf(rule->ruleset->mp, "Error compiling pattern (offset %d): %s",
+ *error_msg = apr_psprintf(msr->mp, "Error compiling pattern (offset %d): %s",
erroffset, errptr);
return 0;
}
@@ -786,9 +829,13 @@ static int msre_op_validateHash_execute(modsec_rec *msr, msre_rule *rule, msre_v
#ifdef WITH_PCRE_STUDY
#ifdef WITH_PCRE_JIT
if (msr->txcfg->debuglog_level >= 4) {
+ #ifdef WITH_PCRE2
+ rc = regex->jit_compile_rc;
+ #else
rc = msc_fullinfo(regex, PCRE_INFO_JIT, &jit);
+ #endif
if ((rc != 0) || (jit != 1)) {
- *error_msg = apr_psprintf(rule->ruleset->mp,
+ *error_msg = apr_psprintf(msr->mp,
"Rule %pp [id \"%s\"][file \"%s\"][line \"%d\"] - "
"Execution error - "
"Does not support JIT (%d)",
@@ -820,7 +867,11 @@ static int msre_op_validateHash_execute(modsec_rec *msr, msre_rule *rule, msre_v
* and no memory has to be allocated for any backreferences.
*/
rc = msc_regexec_capture(regex, target, target_length, ovector, 30, &my_error_msg);
+#ifdef WITH_PCRE2
+ if ((rc == PCRE2_ERROR_MATCHLIMIT) || (rc == PCRE2_ERROR_RECURSIONLIMIT)) {
+#else
if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) {
+#endif
msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
if (s == NULL) return -1;
@@ -850,7 +901,11 @@ static int msre_op_validateHash_execute(modsec_rec *msr, msre_rule *rule, msre_v
return -1;
}
+#ifdef WITH_PCRE2
+ if (rc != PCRE2_ERROR_NOMATCH) { /* Match. */
+#else
if (rc != PCRE_ERROR_NOMATCH) { /* Match. */
+#endif
/* We no longer escape the pattern here as it is done when logging */
char *pattern = apr_pstrdup(msr->mp, log_escape(msr->mp, regex->pattern ? regex->pattern : "<Unknown Match>"));
char *hmac = NULL, *valid = NULL;
@@ -914,13 +969,15 @@ static int msre_op_validateHash_execute(modsec_rec *msr, msre_rule *rule, msre_v
/* rx */
static int msre_op_rx_param_init(msre_rule *rule, char **error_msg) {
+ assert(rule != NULL);
+ assert(error_msg != NULL);
const char *errptr = NULL;
int erroffset;
msc_regex_t *regex;
const char *pattern = rule->op_param;
#ifdef WITH_PCRE_STUDY
#ifdef WITH_PCRE_JIT
- int rc, jit;
+ int rc, jit = 0;
#endif
#endif
@@ -929,7 +986,12 @@ static int msre_op_rx_param_init(msre_rule *rule, char **error_msg) {
/* Compile pattern */
if(strstr(pattern,"%{") == NULL) {
- regex = msc_pregcomp_ex(rule->ruleset->mp, pattern, PCRE_DOTALL | PCRE_DOLLAR_ENDONLY, &errptr, &erroffset, msc_pcre_match_limit, msc_pcre_match_limit_recursion);
+#ifdef WITH_PCRE2
+ int options = PCRE2_DOTALL | PCRE2_DOLLAR_ENDONLY;
+#else
+ int options = PCRE_DOTALL | PCRE_DOLLAR_ENDONLY;
+#endif
+ regex = msc_pregcomp_ex(rule->ruleset->mp, pattern, options, &errptr, &erroffset, msc_pcre_match_limit, msc_pcre_match_limit_recursion);
if (regex == NULL) {
*error_msg = apr_psprintf(rule->ruleset->mp, "Error compiling pattern (offset %d): %s",
erroffset, errptr);
@@ -938,7 +1000,11 @@ static int msre_op_rx_param_init(msre_rule *rule, char **error_msg) {
#ifdef WITH_PCRE_STUDY
#ifdef WITH_PCRE_JIT
+ #ifdef WITH_PCRE2
+ rc = regex->jit_compile_rc;
+ #else
rc = msc_fullinfo(regex, PCRE_INFO_JIT, &jit);
+ #endif
if ((rc != 0) || (jit != 1)) {
*error_msg = apr_psprintf(rule->ruleset->mp,
"Rule %pp [id \"%s\"][file \"%s\"][line \"%d\"] - "
@@ -963,11 +1029,21 @@ static int msre_op_rx_param_init(msre_rule *rule, char **error_msg) {
}
static int msre_op_rx_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
msc_regex_t *regex = (msc_regex_t *)rule->op_param_data;
msc_string *re_pattern = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ if (!re_pattern) {
+ msr_log(msr, 1, "rx: Memory allocation error");
+ return -1;
+ }
const char *target;
const char *errptr = NULL;
int erroffset;
+ int options = 0;
unsigned int target_length;
char *my_error_msg = NULL;
int ovector[33];
@@ -976,16 +1052,14 @@ static int msre_op_rx_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, c
int matched = 0;
int rc;
char *qspos = NULL;
- const char *parm = NULL, *pattern = NULL;
+ const char *parm = NULL;
msc_parm *mparm = NULL;
#ifdef WITH_PCRE_STUDY
#ifdef WITH_PCRE_JIT
- int jit;
+ int jit = 0;
#endif
#endif
-
- if (error_msg == NULL) return -1;
*error_msg = NULL;
if (regex == NULL) {
@@ -1004,14 +1078,19 @@ static int msre_op_rx_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, c
expand_macros(msr, re_pattern, rule, msr->mp);
- pattern = log_escape_re(msr->mp, re_pattern->value);
if (msr->txcfg->debuglog_level >= 6) {
- msr_log(msr, 6, "Escaping pattern [%s]",pattern);
+ char *pattern = log_escape_re(msr->mp, re_pattern->value);
+ msr_log(msr, 6, "Expanded-macro pattern [%s]",pattern);
}
- regex = msc_pregcomp_ex(rule->ruleset->mp, pattern, PCRE_DOTALL | PCRE_DOLLAR_ENDONLY, &errptr, &erroffset, msc_pcre_match_limit, msc_pcre_match_limit_recursion);
+#ifdef WITH_PCRE2
+ options = PCRE2_DOTALL | PCRE2_DOLLAR_ENDONLY;
+#else
+ options = PCRE_DOTALL | PCRE_DOLLAR_ENDONLY;
+#endif
+ regex = msc_pregcomp_ex(msr->mp, re_pattern->value, options, &errptr, &erroffset, msc_pcre_match_limit, msc_pcre_match_limit_recursion);
if (regex == NULL) {
- *error_msg = apr_psprintf(rule->ruleset->mp, "Error compiling pattern (offset %d): %s",
+ *error_msg = apr_psprintf(msr->mp, "Error compiling pattern (offset %d): %s",
erroffset, errptr);
return 0;
}
@@ -1019,9 +1098,13 @@ static int msre_op_rx_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, c
#ifdef WITH_PCRE_STUDY
#ifdef WITH_PCRE_JIT
if (msr->txcfg->debuglog_level >= 4) {
+ #ifdef WITH_PCRE2
+ rc = regex->jit_compile_rc;
+ #else
rc = msc_fullinfo(regex, PCRE_INFO_JIT, &jit);
+ #endif
if ((rc != 0) || (jit != 1)) {
- *error_msg = apr_psprintf(rule->ruleset->mp,
+ *error_msg = apr_psprintf(msr->mp,
"Rule %pp [id \"%s\"][file \"%s\"][line \"%d\"] - "
"Execution error - "
"Does not support JIT (%d)",
@@ -1051,20 +1134,27 @@ static int msre_op_rx_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, c
target_length = var->value_len;
}
- /* Are we supposed to capture subexpressions? */
- capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0;
- matched_bytes = apr_table_get(rule->actionset->actions, "sanitizeMatchedBytes") ? 1 : 0;
- if(!matched_bytes)
- matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0;
+ if (rule->actionset->actions) {
+ /* Are we supposed to capture subexpressions? */
+ capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0;
+ matched_bytes = apr_table_get(rule->actionset->actions, "sanitizeMatchedBytes") ? 1 : 0;
+ if (!matched_bytes)
+ matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0;
- matched = apr_table_get(rule->actionset->actions, "sanitizeMatched") ? 1 : 0;
- if(!matched)
- matched = apr_table_get(rule->actionset->actions, "sanitiseMatched") ? 1 : 0;
+ matched = apr_table_get(rule->actionset->actions, "sanitizeMatched") ? 1 : 0;
+ if (!matched)
+ matched = apr_table_get(rule->actionset->actions, "sanitiseMatched") ? 1 : 0;
+ }
+ else capture = 0;
/* Show when the regex captures but "capture" is not set */
if (msr->txcfg->debuglog_level >= 6) {
int capcount = 0;
+#ifdef WITH_PCRE2
+ rc = msc_fullinfo(regex, PCRE2_INFO_CAPTURECOUNT, &capcount);
+#else
rc = msc_fullinfo(regex, PCRE_INFO_CAPTURECOUNT, &capcount);
+#endif
if (msr->txcfg->debuglog_level >= 6) {
if ((capture == 0) && (capcount > 0)) {
msr_log(msr, 6, "Ignoring regex captures since \"capture\" action is not enabled.");
@@ -1076,7 +1166,11 @@ static int msre_op_rx_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, c
* and no memory has to be allocated for any backreferences.
*/
rc = msc_regexec_capture(regex, target, target_length, ovector, 30, &my_error_msg);
+#ifdef WITH_PCRE2
+ if ((rc == PCRE2_ERROR_MATCHLIMIT) || (rc == PCRE2_ERROR_RECURSIONLIMIT)) {
+#else
if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) {
+#endif
msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
if (s == NULL) return -1;
@@ -1167,7 +1261,11 @@ static int msre_op_rx_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, c
}
}
+#ifdef WITH_PCRE2
+ if (rc != PCRE2_ERROR_NOMATCH) { /* Match. */
+#else
if (rc != PCRE_ERROR_NOMATCH) { /* Match. */
+#endif
/* We no longer escape the pattern here as it is done when logging */
char *pattern = apr_pstrdup(msr->mp, log_escape(msr->mp, regex->pattern ? regex->pattern : "<Unknown Match>"));
@@ -1190,6 +1288,9 @@ static int msre_op_rx_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, c
/* pm */
static int msre_op_pm_param_init(msre_rule *rule, char **error_msg) {
+ assert(rule != NULL);
+ assert(rule->ruleset != NULL);
+ assert(error_msg != NULL);
ACMP *p;
const char *phrase;
const char *next;
@@ -1228,6 +1329,9 @@ static int msre_op_pm_param_init(msre_rule *rule, char **error_msg) {
/* pmFromFile */
static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
+ assert(rule != NULL);
+ assert(rule->ruleset != NULL);
+ assert(error_msg != NULL);
char errstr[1024];
char buf[HUGE_STRING_LEN + 1];
char *fn = NULL;
@@ -1279,7 +1383,7 @@ static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
strncmp(fn, "http://", strlen("http://")) == 0)
{
*error_msg = apr_psprintf(rule->ruleset->mp, "HTTPS address or " \
- "file path are expected for operator pmFromFile \"%s\"", fn);
+ "file path are expected for operator pmFromFile \"%s\"", fn);
return 0;
}
else if (strlen(fn) > strlen("https://") &&
@@ -1316,7 +1420,7 @@ static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
msc_remote_clean_chunk(&chunk);
#else
*error_msg = apr_psprintf(rule->ruleset->mp, "ModSecurity was not " \
- "compiled with Curl support, it cannot load: \"%s\"", fn);
+ "compiled with Curl support, it cannot load: \"%s\"", fn);
return 0;
#endif
}
@@ -1387,6 +1491,11 @@ static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
}
static int msre_op_pm_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
const char *match = NULL;
apr_status_t rc = 0;
int capture;
@@ -1396,7 +1505,9 @@ static int msre_op_pm_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, c
if ((var->value == NULL) || (var->value_len == 0)) return 0;
/* Are we supposed to capture subexpressions? */
- capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0;
+ if (rule->actionset->actions)
+ capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0;
+ else capture = 0;
if (rule->op_param_data == NULL)
{
@@ -1468,18 +1579,17 @@ static int msre_op_pm_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, c
* \retval url On Success
*/
static const char *gsb_replace_tpath(apr_pool_t *pool, const char *domain, int len) {
-
+ assert(domain != NULL);
char *pos = NULL, *data = NULL;
char *url = NULL;
int match = 0;
url = apr_palloc(pool, len + 1);
+ if (!url) return NULL;
data = apr_palloc(pool, len + 1);
+ if (!data) return NULL;
- memset(data, 0, len+1);
- memset(url, 0, len+1);
-
- memcpy(url, domain, len);
+ url[len] = '\0';
while(( pos = strstr(url , "/./" )) != NULL) {
match = 1;
@@ -1490,8 +1600,7 @@ static const char *gsb_replace_tpath(apr_pool_t *pool, const char *domain, int l
strncpy(url , data, len);
}
- if(match == 0)
- return domain;
+ if (match == 0) return domain;
return url;
}
@@ -1506,7 +1615,7 @@ static const char *gsb_replace_tpath(apr_pool_t *pool, const char *domain, int l
* \retval reduced On Success
*/
static const char *gsb_reduce_char(apr_pool_t *pool, const char *domain) {
-
+ assert(domain != NULL);
char *ptr = apr_pstrdup(pool, domain);
char *data = NULL;
char *reduced = NULL;
@@ -1573,14 +1682,15 @@ static const char *gsb_reduce_char(apr_pool_t *pool, const char *domain) {
* \retval 0 On No Match
*/
static int verify_gsb(gsb_db *gsb, modsec_rec *msr, const char *match, unsigned int match_length) {
+ assert(gsb != NULL);
+ assert(msr != NULL);
+ assert(match != NULL);
apr_md5_ctx_t ctx;
apr_status_t rc;
unsigned char digest[APR_MD5_DIGESTSIZE];
const char *hash = NULL;
const char *search = NULL;
- memset(digest, 0, sizeof(digest));
-
apr_md5_init(&ctx);
if ((rc = apr_md5_update(&ctx, match, match_length)) != APR_SUCCESS)
@@ -1588,7 +1698,7 @@ static int verify_gsb(gsb_db *gsb, modsec_rec *msr, const char *match, unsigned
apr_md5_final(digest, &ctx);
- hash = apr_psprintf(msr->mp, "%s", bytes2hex(msr->mp, digest, 16));
+ hash = apr_psprintf(msr->mp, "%s", bytes2hex(msr->mp, digest, APR_MD5_DIGESTSIZE));
if ((hash != NULL) && (gsb->gsb_table != NULL)) {
search = apr_hash_get(gsb->gsb_table, hash, APR_HASH_KEY_STRING);
@@ -1610,15 +1720,23 @@ static int verify_gsb(gsb_db *gsb, modsec_rec *msr, const char *match, unsigned
* \retval 0 On Fail
*/
static int msre_op_gsbLookup_param_init(msre_rule *rule, char **error_msg) {
+ assert(rule != NULL);
+ assert(error_msg != NULL);
const char *errptr = NULL;
int erroffset;
+ int options = 0;
msc_regex_t *regex;
if (error_msg == NULL) return -1;
*error_msg = NULL;
/* Compile rule->op_param */
- regex = msc_pregcomp_ex(rule->ruleset->mp, rule->op_param, PCRE_DOTALL | PCRE_MULTILINE, &errptr, &erroffset, msc_pcre_match_limit, msc_pcre_match_limit_recursion);
+#ifdef WITH_PCRE2
+ options = PCRE2_DOTALL | PCRE2_MULTILINE;
+#else
+ options = PCRE_DOTALL | PCRE_MULTILINE;
+#endif
+ regex = msc_pregcomp_ex(rule->ruleset->mp, rule->op_param, options, &errptr, &erroffset, msc_pcre_match_limit, msc_pcre_match_limit_recursion);
if (regex == NULL) {
*error_msg = apr_psprintf(rule->ruleset->mp, "Error compiling pattern (offset %d): %s",
@@ -1644,10 +1762,15 @@ static int msre_op_gsbLookup_param_init(msre_rule *rule, char **error_msg) {
* \retval 0 On No Match
*/
static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
msc_regex_t *regex = (msc_regex_t *)rule->op_param_data;
char *my_error_msg = NULL;
int ovector[33];
unsigned int offset = 0;
+ int options = 0;
gsb_db *gsb = msr->txcfg->gsb;
const char *match = NULL;
unsigned int match_length;
@@ -1675,7 +1798,7 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
return 0;
}
- data = apr_pcalloc(rule->ruleset->mp, var->value_len+1);
+ data = apr_pcalloc(msr->mp, var->value_len+1);
if(data == NULL) {
*error_msg = "Internal Error: cannot allocate memory for data.";
@@ -1686,22 +1809,27 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
memcpy(data,var->value,var->value_len);
- while (offset < size && (rv = msc_regexec_ex(regex, data, size, offset, PCRE_NOTEMPTY, ovector, 30, &my_error_msg)) >= 0)
+#ifdef WITH_PCRE2
+ options = PCRE2_NOTEMPTY;
+#else
+ options = PCRE_NOTEMPTY;
+#endif
+ while (offset < size && (rv = msc_regexec_ex(regex, data, size, offset, options, ovector, 30, &my_error_msg)) >= 0)
{
for(i = 0; i < rv; ++i)
{
- match = apr_psprintf(rule->ruleset->mp, "%.*s", ovector[2*i+1] - ovector[2*i], data + ovector[2*i]);
+ match = apr_psprintf(msr->mp, "%.*s", ovector[2*i+1] - ovector[2*i], data + ovector[2*i]);
if (match == NULL) {
*error_msg = "Internal Error: cannot allocate memory for match.";
return -1;
}
- match = remove_escape(rule->ruleset->mp, match, strlen(match));
+ match = remove_escape(msr->mp, match, strlen(match));
- match = gsb_replace_tpath(rule->ruleset->mp, match, strlen(match));
+ match = gsb_replace_tpath(msr->mp, match, strlen(match));
- match = gsb_reduce_char(rule->ruleset->mp, match);
+ match = gsb_reduce_char(msr->mp, match);
match_length = strlen(match);
@@ -1723,7 +1851,7 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
log_escape_nq(msr->mp, match));
}
- str = apr_pstrdup(rule->ruleset->mp,match);
+ str = apr_pstrdup(msr->mp,match);
base = apr_strtok(str,"/",&savedptr);
if(base != NULL)
@@ -1735,7 +1863,7 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
/* append / in the end of full url */
if ((match[match_length -1] != '/') && (strchr(match,'?') == NULL)) {
- canon = apr_psprintf(rule->ruleset->mp, "%s/", match);
+ canon = apr_psprintf(msr->mp, "%s/", match);
if (canon != NULL) {
canon_length = strlen(canon);
@@ -1748,7 +1876,7 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
log_escape_nq(msr->mp, canon));
}
- str = apr_pstrdup(rule->ruleset->mp,match);
+ str = apr_pstrdup(msr->mp,match);
base = apr_strtok(str,"/",&savedptr);
if(base != NULL)
@@ -1761,7 +1889,7 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
/* Parsing full url */
- domain = apr_pstrdup(rule->ruleset->mp, match);
+ domain = apr_pstrdup(msr->mp, match);
domain_len = strlen(domain);
@@ -1776,7 +1904,7 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
dot = strchr(domain,'.');
if(dot != NULL) {
- canon = apr_pstrdup(rule->ruleset->mp, domain);
+ canon = apr_pstrdup(msr->mp, domain);
ret = verify_gsb(gsb, msr, canon, strlen(canon));
@@ -1787,7 +1915,7 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
log_escape_nq(msr->mp, canon));
}
- str = apr_pstrdup(rule->ruleset->mp,match);
+ str = apr_pstrdup(msr->mp,match);
base = apr_strtok(str,"/",&savedptr);
if(base != NULL)
@@ -1809,7 +1937,7 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
log_escape_nq(msr->mp, base));
}
- str = apr_pstrdup(rule->ruleset->mp,match);
+ str = apr_pstrdup(msr->mp,match);
base = apr_strtok(str,"/",&savedptr);
if(base != NULL)
@@ -1820,13 +1948,13 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
}
- url = apr_palloc(rule->ruleset->mp, strlen(canon));
+ url = apr_palloc(msr->mp, strlen(canon));
count_slash = 0;
while(*canon != '\0') {
switch (*canon) {
case '/':
- ptr = apr_psprintf(rule->ruleset->mp,"%s/",url);
+ ptr = apr_psprintf(msr->mp,"%s/",url);
ret = verify_gsb(gsb, msr, ptr, strlen(ptr));
if(ret > 0) {
set_match_to_tx(msr, capture, ptr, 0);
@@ -1835,7 +1963,7 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
log_escape_nq(msr->mp, ptr));
}
- str = apr_pstrdup(rule->ruleset->mp,match);
+ str = apr_pstrdup(msr->mp,match);
base = apr_strtok(str,"/",&savedptr);
if(base != NULL)
@@ -1862,7 +1990,7 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
}
- str = apr_pstrdup(rule->ruleset->mp, match);
+ str = apr_pstrdup(msr->mp, match);
while (*str != '\0') {
@@ -1887,7 +2015,7 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
dot = strchr(domain,'.');
if(dot != NULL) {
- canon = apr_pstrdup(rule->ruleset->mp, domain);
+ canon = apr_pstrdup(msr->mp, domain);
ret = verify_gsb(gsb, msr, canon, strlen(canon));
@@ -1897,7 +2025,7 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
*error_msg = apr_psprintf(msr->mp, "Gsb lookup for \"%s\" succeeded.",
log_escape_nq(msr->mp, canon));
}
- str = apr_pstrdup(rule->ruleset->mp,match);
+ str = apr_pstrdup(msr->mp,match);
base = apr_strtok(str,"/",&savedptr);
if(base != NULL)
@@ -1917,7 +2045,7 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
*error_msg = apr_psprintf(msr->mp, "Gsb lookup for \"%s\" succeeded.",
log_escape_nq(msr->mp, base));
}
- str = apr_pstrdup(rule->ruleset->mp,match);
+ str = apr_pstrdup(msr->mp,match);
base = apr_strtok(str,"/",&savedptr);
if(base != NULL)
@@ -1927,13 +2055,13 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
}
- url = apr_palloc(rule->ruleset->mp, strlen(canon));
+ url = apr_palloc(msr->mp, strlen(canon));
count_slash = 0;
while(*canon != '\0') {
switch (*canon) {
case '/':
- ptr = apr_psprintf(rule->ruleset->mp,"%s/",url);
+ ptr = apr_psprintf(msr->mp,"%s/",url);
ret = verify_gsb(gsb, msr, ptr, strlen(ptr));
if(ret > 0) {
set_match_to_tx(msr, capture, ptr, 0);
@@ -1941,7 +2069,7 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
*error_msg = apr_psprintf(msr->mp, "Gsb lookup for \"%s\" succeeded.",
log_escape_nq(msr->mp, ptr));
}
- str = apr_pstrdup(rule->ruleset->mp,match);
+ str = apr_pstrdup(msr->mp,match);
base = apr_strtok(str,"/",&savedptr);
if(base != NULL)
@@ -1977,6 +2105,10 @@ static int msre_op_gsbLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
/* within */
static int msre_op_within_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
const char *match = NULL;
const char *target;
@@ -1984,6 +2116,8 @@ static int msre_op_within_execute(modsec_rec *msr, msre_rule *rule, msre_var *va
unsigned int target_length = 0;
unsigned int i, i_max;
+ *error_msg = NULL;
+
str->value = (char *)rule->op_param;
if (str->value == NULL) {
@@ -1993,9 +2127,6 @@ static int msre_op_within_execute(modsec_rec *msr, msre_rule *rule, msre_var *va
str->value_len = strlen(str->value);
- if (error_msg == NULL) return -1;
- *error_msg = NULL;
-
expand_macros(msr, str, rule, msr->mp);
match = (const char *)str->value;
@@ -2047,15 +2178,22 @@ static int msre_op_within_execute(modsec_rec *msr, msre_rule *rule, msre_var *va
/* contains */
static int msre_op_contains_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
- msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
const char *match = NULL;
const char *target;
unsigned int match_length;
unsigned int target_length = 0;
unsigned int i, i_max;
+ msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ if (str == NULL) {
+ *error_msg = "Internal Error: cannot allocate memory.";
+ return -1;
+ }
str->value = (char *)rule->op_param;
-
if (str->value == NULL) {
*error_msg = "Internal Error: match string is null.";
return -1;
@@ -2126,7 +2264,12 @@ static int msre_op_contains_execute(modsec_rec *msr, msre_rule *rule, msre_var *
*/
static int msre_op_detectSQLi_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg) {
-
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
+ assert(rule->actionset->actions != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
char fingerprint[8];
int issqli;
int capture;
@@ -2158,12 +2301,20 @@ static int msre_op_detectSQLi_execute(modsec_rec *msr, msre_rule *rule, msre_var
*/
static int msre_op_detectXSS_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg) {
-
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
+ assert(rule->actionset->actions != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
+ int capture;
int is_xss;
is_xss = libinjection_xss(var->value, var->value_len);
+ capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0;
if (is_xss) {
+ set_match_to_tx(msr, capture, var->value, 0);
*error_msg = apr_psprintf(msr->mp, "detected XSS using libinjection.");
if (msr->txcfg->debuglog_level >= 9) {
@@ -2182,16 +2333,23 @@ static int msre_op_detectXSS_execute(modsec_rec *msr, msre_rule *rule, msre_var
/* containsWord */
static int msre_op_containsWord_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
- msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
const char *match = NULL;
const char *target;
unsigned int match_length;
unsigned int target_length = 0;
unsigned int i, i_max;
int rc = 0;
+ msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ if (str == NULL) {
+ *error_msg = "Internal Error: cannot allocate memory.";
+ return -1;
+ }
str->value = (char *)rule->op_param;
-
if (str->value == NULL) {
*error_msg = "Internal Error: match string is null.";
return -1;
@@ -2199,7 +2357,6 @@ static int msre_op_containsWord_execute(modsec_rec *msr, msre_rule *rule, msre_v
str->value_len = strlen(str->value);
- if (error_msg == NULL) return -1;
*error_msg = NULL;
expand_macros(msr, str, rule, msr->mp);
@@ -2277,14 +2434,21 @@ static int msre_op_containsWord_execute(modsec_rec *msr, msre_rule *rule, msre_v
/* streq */
static int msre_op_streq_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ if (!str) {
+ msr_log(msr, 1, "streq: Memory allocation error");
+ return -1;
+ }
const char *match = NULL;
const char *target;
unsigned int match_length;
unsigned int target_length;
str->value = (char *)rule->op_param;
-
if (str->value == NULL) {
*error_msg = "Internal Error: match string is null.";
return -1;
@@ -2292,7 +2456,6 @@ static int msre_op_streq_execute(modsec_rec *msr, msre_rule *rule, msre_var *var
str->value_len = strlen(str->value);
- if (error_msg == NULL) return -1;
*error_msg = NULL;
expand_macros(msr, str, rule, msr->mp);
@@ -2333,14 +2496,21 @@ static int msre_op_streq_execute(modsec_rec *msr, msre_rule *rule, msre_var *var
/* beginsWith */
static int msre_op_beginsWith_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
- msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
const char *match = NULL;
const char *target;
unsigned int match_length;
unsigned int target_length;
+ msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ if (str == NULL) {
+ *error_msg = "Internal Error: cannot allocate memory.";
+ return -1;
+ }
str->value = (char *)rule->op_param;
-
if (str->value == NULL) {
*error_msg = "Internal Error: match string is null.";
return -1;
@@ -2396,14 +2566,26 @@ static int msre_op_beginsWith_execute(modsec_rec *msr, msre_rule *rule, msre_var
/* endsWith */
static int msre_op_endsWith_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
- msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (error_msg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, rule->ruleset->mp, "msre_op_endsWith_execute: error_msg is NULL");
+ return -1;
+ }
const char *match = NULL;
const char *target;
unsigned int match_length;
unsigned int target_length;
+ msc_string *str = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ if (str == NULL) {
+ *error_msg = "Internal Error: cannot allocate memory.";
+ return -1;
+ }
str->value = (char *)rule->op_param;
-
if (str->value == NULL) {
*error_msg = "Internal Error: match string is null.";
return -1;
@@ -2411,7 +2593,6 @@ static int msre_op_endsWith_execute(modsec_rec *msr, msre_rule *rule, msre_var *
str->value_len = strlen(str->value);
- if (error_msg == NULL) return -1;
*error_msg = NULL;
expand_macros(msr, str, rule, msr->mp);
@@ -2459,12 +2640,19 @@ static int msre_op_endsWith_execute(modsec_rec *msr, msre_rule *rule, msre_var *
/* strmatch */
static int msre_op_strmatch_param_init(msre_rule *rule, char **error_msg) {
+ assert(rule != NULL);
+ assert(rule->ruleset != NULL);
+ assert(error_msg != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (error_msg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, rule->ruleset->mp, "msre_op_strmatch_param_init: error_msg is NULL");
+ return -1;
+ }
const apr_strmatch_pattern *compiled_pattern;
char *processed = NULL;
const char *pattern = rule->op_param;
unsigned short int op_len;
- if (error_msg == NULL) return -1;
*error_msg = NULL;
op_len = strlen(pattern);
@@ -2488,12 +2676,20 @@ static int msre_op_strmatch_param_init(msre_rule *rule, char **error_msg) {
}
static int msre_op_strmatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
+ // Normally useless code, left to be safe for the moment
+ if (error_msg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, rule->ruleset->mp, "msre_op_strmatch_execute: error_msg is NULL");
+ return -1;
+ }
apr_strmatch_pattern *compiled_pattern = (apr_strmatch_pattern *)rule->op_param_data;
const char *target;
unsigned int target_length;
const char *rc;
- if (error_msg == NULL) return -1;
*error_msg = NULL;
if (compiled_pattern == NULL) {
@@ -2536,6 +2732,10 @@ static int msre_op_validateDTD_init(msre_rule *rule, char **error_msg) {
static int msre_op_validateDTD_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg)
{
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
xmlValidCtxtPtr cvp;
xmlDtdPtr dtd;
@@ -2606,6 +2806,10 @@ static int msre_op_validateSchema_init(msre_rule *rule, char **error_msg) {
static int msre_op_validateSchema_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg)
{
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
xmlSchemaParserCtxtPtr parserCtx;
xmlSchemaValidCtxtPtr validCtx;
xmlSchemaPtr schema;
@@ -2683,6 +2887,7 @@ static int msre_op_validateSchema_execute(modsec_rec *msr, msre_rule *rule, msre
* Luhn Mod-10 Method (ISO 2894/ANSI 4.13)
*/
static int luhn_verify(const char *ccnumber, int len) {
+ assert(ccnumber != NULL);
int sum[2] = { 0, 0 };
int odd = 0;
int digits = 0;
@@ -2716,15 +2921,24 @@ static int luhn_verify(const char *ccnumber, int len) {
}
static int msre_op_verifyCC_init(msre_rule *rule, char **error_msg) {
+ assert(rule != NULL);
+ assert(rule->ruleset != NULL);
+ assert(error_msg != NULL);
const char *errptr = NULL;
int erroffset;
+ int options = 0;
msc_regex_t *regex;
if (error_msg == NULL) return -1;
*error_msg = NULL;
+#ifdef WITH_PCRE2
+ options = PCRE2_DOTALL | PCRE2_MULTILINE;
+#else
+ options = PCRE_DOTALL | PCRE_MULTILINE;
+#endif
/* Compile rule->op_param */
- regex = msc_pregcomp_ex(rule->ruleset->mp, rule->op_param, PCRE_DOTALL | PCRE_MULTILINE, &errptr, &erroffset, msc_pcre_match_limit, msc_pcre_match_limit_recursion);
+ regex = msc_pregcomp_ex(rule->ruleset->mp, rule->op_param, options, &errptr, &erroffset, msc_pcre_match_limit, msc_pcre_match_limit_recursion);
if (regex == NULL) {
*error_msg = apr_psprintf(rule->ruleset->mp, "Error compiling pattern (offset %d): %s",
erroffset, errptr);
@@ -2737,6 +2951,11 @@ static int msre_op_verifyCC_init(msre_rule *rule, char **error_msg) {
}
static int msre_op_verifyCC_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
msc_regex_t *regex = (msc_regex_t *)rule->op_param_data;
const char *target;
unsigned int target_length;
@@ -2745,17 +2964,17 @@ static int msre_op_verifyCC_execute(modsec_rec *msr, msre_rule *rule, msre_var *
int rc;
int is_cc = 0;
int offset;
+ int options = 0;
int matched_bytes = 0;
char *qspos = NULL;
const char *parm = NULL;
msc_parm *mparm = NULL;
#ifdef WITH_PCRE_STUDY
#ifdef WITH_PCRE_JIT
- int jit;
+ int jit = 0;
#endif
#endif
- if (error_msg == NULL) return -1;
*error_msg = NULL;
if (regex == NULL) {
@@ -2763,14 +2982,20 @@ static int msre_op_verifyCC_execute(modsec_rec *msr, msre_rule *rule, msre_var *
return -1;
}
+ assert(rule->actionset != NULL);
+
memset(ovector, 0, sizeof(ovector));
#ifdef WITH_PCRE_STUDY
#ifdef WITH_PCRE_JIT
if (msr->txcfg->debuglog_level >= 4) {
+ #ifdef WITH_PCRE2
+ rc = regex->jit_compile_rc;
+ #else
rc = msc_fullinfo(regex, PCRE_INFO_JIT, &jit);
+ #endif
if ((rc != 0) || (jit != 1)) {
- *error_msg = apr_psprintf(rule->ruleset->mp,
+ *error_msg = apr_psprintf(msr->mp,
"Rule %pp [id \"%s\"][file \"%s\"][line \"%d\"] - "
"Execution error - "
"Does not support JIT (%d)",
@@ -2804,10 +3029,19 @@ static int msre_op_verifyCC_execute(modsec_rec *msr, msre_rule *rule, msre_var *
}
}
- rc = msc_regexec_ex(regex, target, target_length, offset, PCRE_NOTEMPTY, ovector, 30, &my_error_msg);
+#ifdef WITH_PCRE2
+ options = PCRE2_NOTEMPTY;
+#else
+ options = PCRE_NOTEMPTY;
+#endif
+ rc = msc_regexec_ex(regex, target, target_length, offset, options, ovector, 30, &my_error_msg);
/* If there was no match, then we are done. */
+#ifdef WITH_PCRE2
+ if (rc == PCRE2_ERROR_NOMATCH) {
+#else
if (rc == PCRE_ERROR_NOMATCH) {
+#endif
break;
}
@@ -2844,7 +3078,6 @@ static int msre_op_verifyCC_execute(modsec_rec *msr, msre_rule *rule, msre_var *
if(!matched_bytes)
matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0;
-
if (apr_table_get(rule->actionset->actions, "capture")) {
for(; i < rc; i++) {
msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
@@ -2924,7 +3157,7 @@ static int msre_op_verifyCC_execute(modsec_rec *msr, msre_rule *rule, msre_var *
* \retval 1 On Valid CPF
*/
static int cpf_verify(const char *cpfnumber, int len) {
-
+ assert(cpfnumber != NULL);
int factor, part_1, part_2, var_len = len;
unsigned int sum = 0, i = 0, cpf_len = 11, c;
int cpf[11];
@@ -3012,15 +3245,27 @@ static int cpf_verify(const char *cpfnumber, int len) {
* \retval 1 On Success
*/
static int msre_op_verifyCPF_init(msre_rule *rule, char **error_msg) {
+ assert(rule != NULL);
+ assert(rule->ruleset != NULL);
+ assert(error_msg != NULL);
+ if (error_msg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, rule->ruleset->mp, "msre_op_verifyCPF_init: error_msg is NULL");
+ return -1;
+ }
const char *errptr = NULL;
int erroffset;
+ int options = 0;
msc_regex_t *regex;
- if (error_msg == NULL) return -1;
*error_msg = NULL;
+#ifdef WITH_PCRE2
+ options = PCRE2_DOTALL | PCRE2_MULTILINE;
+#else
+ options = PCRE_DOTALL | PCRE_MULTILINE;
+#endif
/* Compile rule->op_param */
- regex = msc_pregcomp_ex(rule->ruleset->mp, rule->op_param, PCRE_DOTALL | PCRE_MULTILINE, &errptr, &erroffset, msc_pcre_match_limit, msc_pcre_match_limit_recursion);
+ regex = msc_pregcomp_ex(rule->ruleset->mp, rule->op_param, options, &errptr, &erroffset, msc_pcre_match_limit, msc_pcre_match_limit_recursion);
if (regex == NULL) {
*error_msg = apr_psprintf(rule->ruleset->mp, "Error compiling pattern (offset %d): %s",
erroffset, errptr);
@@ -3045,6 +3290,11 @@ static int msre_op_verifyCPF_init(msre_rule *rule, char **error_msg) {
* \retval 0 On No Match
*/
static int msre_op_verifyCPF_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
msc_regex_t *regex = (msc_regex_t *)rule->op_param_data;
const char *target;
unsigned int target_length;
@@ -3053,18 +3303,17 @@ static int msre_op_verifyCPF_execute(modsec_rec *msr, msre_rule *rule, msre_var
int rc;
int is_cpf = 0;
int offset;
+ int options = 0;
int matched_bytes = 0;
char *qspos = NULL;
const char *parm = NULL;
msc_parm *mparm = NULL;
#ifdef WITH_PCRE_STUDY
#ifdef WITH_PCRE_JIT
- int jit;
+ int jit = 0;
#endif
#endif
-
- if (error_msg == NULL) return -1;
*error_msg = NULL;
if (regex == NULL) {
@@ -3072,14 +3321,20 @@ static int msre_op_verifyCPF_execute(modsec_rec *msr, msre_rule *rule, msre_var
return -1;
}
+ assert(rule->actionset != NULL);
+
memset(ovector, 0, sizeof(ovector));
#ifdef WITH_PCRE_STUDY
#ifdef WITH_PCRE_JIT
if (msr->txcfg->debuglog_level >= 4) {
+ #ifdef WITH_PCRE2
+ rc = regex->jit_compile_rc;
+ #else
rc = msc_fullinfo(regex, PCRE_INFO_JIT, &jit);
+ #endif
if ((rc != 0) || (jit != 1)) {
- *error_msg = apr_psprintf(rule->ruleset->mp,
+ *error_msg = apr_psprintf(msr->mp,
"Rule %pp [id \"%s\"][file \"%s\"][line \"%d\"] - "
"Execution error - "
"Does not support JIT (%d)",
@@ -3112,10 +3367,19 @@ static int msre_op_verifyCPF_execute(modsec_rec *msr, msre_rule *rule, msre_var
}
}
- rc = msc_regexec_ex(regex, target, target_length, offset, PCRE_NOTEMPTY, ovector, 30, &my_error_msg);
+#ifdef WITH_PCRE2
+ options = PCRE2_NOTEMPTY;
+#else
+ options = PCRE_NOTEMPTY;
+#endif
+ rc = msc_regexec_ex(regex, target, target_length, offset, options, ovector, 30, &my_error_msg);
/* If there was no match, then we are done. */
+#ifdef WITH_PCRE2
+ if (rc == PCRE2_ERROR_NOMATCH) {
+#else
if (rc == PCRE_ERROR_NOMATCH) {
+#endif
break;
}
@@ -3126,11 +3390,11 @@ static int msre_op_verifyCPF_execute(modsec_rec *msr, msre_rule *rule, msre_var
/* Verify a match. */
if (rc > 0) {
- const char *match = target + ovector[0];
+ const char* match = target + ovector[0];
int length = ovector[1] - ovector[0];
int i = 0;
- offset = ovector[2*i];
+ offset = ovector[2 * i];
/* Check CPF using the match string */
is_cpf = cpf_verify(match, length);
@@ -3149,12 +3413,12 @@ static int msre_op_verifyCPF_execute(modsec_rec *msr, msre_rule *rule, msre_var
*/
matched_bytes = apr_table_get(rule->actionset->actions, "sanitizeMatchedBytes") ? 1 : 0;
- if(!matched_bytes)
+ if (!matched_bytes)
matched_bytes = apr_table_get(rule->actionset->actions, "sanitiseMatchedBytes") ? 1 : 0;
if (apr_table_get(rule->actionset->actions, "capture")) {
- for(; i < rc; i++) {
- msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
+ for (; i < rc; i++) {
+ msc_string* s = (msc_string*)apr_pcalloc(msr->mp, sizeof(msc_string));
if (s == NULL) return -1;
s->name = apr_psprintf(msr->mp, "%d", i);
if (s->name == NULL) return -1;
@@ -3163,33 +3427,34 @@ static int msre_op_verifyCPF_execute(modsec_rec *msr, msre_rule *rule, msre_var
if (s->value == NULL) return -1;
s->value_len = length;
- apr_table_setn(msr->tx_vars, s->name, (void *)s);
+ apr_table_setn(msr->tx_vars, s->name, (void*)s);
if (msr->txcfg->debuglog_level >= 9) {
msr_log(msr, 9, "Added regex subexpression to TX.%d: %s", i,
log_escape_nq_ex(msr->mp, s->value, s->value_len));
}
- if((matched_bytes == 1) && (var != NULL) && (var->name != NULL)) {
+ if ((matched_bytes == 1) && (var != NULL) && (var->name != NULL)) {
qspos = apr_psprintf(msr->mp, "%s", var->name);
parm = strstr(qspos, ":");
- if (parm != NULL) {
+ if (parm != NULL) {
parm++;
mparm = apr_palloc(msr->mp, sizeof(msc_parm));
if (mparm == NULL)
continue;
- mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len);
+ mparm->value = apr_pstrmemdup(msr->mp, s->value, s->value_len);
mparm->pad_1 = rule->actionset->arg_min;
mparm->pad_2 = rule->actionset->arg_max;
- apr_table_addn(msr->pattern_to_sanitize, parm, (void *)mparm);
- } else {
+ apr_table_addn(msr->pattern_to_sanitize, parm, (void*)mparm);
+ }
+ else {
mparm = apr_palloc(msr->mp, sizeof(msc_parm));
if (mparm == NULL)
continue;
- mparm->value = apr_pstrmemdup(msr->mp,s->value,s->value_len);
- apr_table_addn(msr->pattern_to_sanitize, qspos, (void *)mparm);
+ mparm->value = apr_pstrmemdup(msr->mp, s->value, s->value_len);
+ apr_table_addn(msr->pattern_to_sanitize, qspos, (void*)mparm);
}
}
@@ -3197,7 +3462,7 @@ static int msre_op_verifyCPF_execute(modsec_rec *msr, msre_rule *rule, msre_var
}
/* Unset the remaining TX vars (from previous invocations). */
- for(; i <= 9; i++) {
+ for (; i <= 9; i++) {
char buf[24];
apr_snprintf(buf, sizeof(buf), "%i", i);
apr_table_unset(msr->tx_vars, buf);
@@ -3232,6 +3497,8 @@ static int msre_op_verifyCPF_execute(modsec_rec *msr, msre_rule *rule, msre_var
* \retval 1 On Valid SSN
*/
static int ssn_verify(modsec_rec *msr, const char *ssnumber, int len) {
+ assert(msr != NULL);
+ assert(ssnumber != NULL);
int i;
int num[9];
int digits = 0;
@@ -3304,15 +3571,24 @@ static int ssn_verify(modsec_rec *msr, const char *ssnumber, int len) {
* \retval 1 On Success
*/
static int msre_op_verifySSN_init(msre_rule *rule, char **error_msg) {
+ assert(rule != NULL);
+ assert(rule->ruleset != NULL);
+ assert(error_msg != NULL);
const char *errptr = NULL;
int erroffset;
+ int options = 0;
msc_regex_t *regex;
if (error_msg == NULL) return -1;
*error_msg = NULL;
+#ifdef WITH_PCRE2
+ options = PCRE2_DOTALL | PCRE2_MULTILINE;
+#else
+ options = PCRE_DOTALL | PCRE_MULTILINE;
+#endif
/* Compile rule->op_param */
- regex = msc_pregcomp_ex(rule->ruleset->mp, rule->op_param, PCRE_DOTALL | PCRE_MULTILINE, &errptr, &erroffset, msc_pcre_match_limit, msc_pcre_match_limit_recursion);
+ regex = msc_pregcomp_ex(rule->ruleset->mp, rule->op_param, options, &errptr, &erroffset, msc_pcre_match_limit, msc_pcre_match_limit_recursion);
if (regex == NULL) {
*error_msg = apr_psprintf(rule->ruleset->mp, "Error compiling pattern (offset %d): %s",
erroffset, errptr);
@@ -3337,6 +3613,11 @@ static int msre_op_verifySSN_init(msre_rule *rule, char **error_msg) {
* \retval 0 On No Match
*/
static int msre_op_verifySSN_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
msc_regex_t *regex = (msc_regex_t *)rule->op_param_data;
const char *target;
unsigned int target_length;
@@ -3345,13 +3626,14 @@ static int msre_op_verifySSN_execute(modsec_rec *msr, msre_rule *rule, msre_var
int rc;
int is_ssn = 0;
int offset;
+ int options = 0;
int matched_bytes = 0;
char *qspos = NULL;
const char *parm = NULL;
msc_parm *mparm = NULL;
#ifdef WITH_PCRE_STUDY
#ifdef WITH_PCRE_JIT
- int jit;
+ int jit = 0;
#endif
#endif
@@ -3364,14 +3646,20 @@ static int msre_op_verifySSN_execute(modsec_rec *msr, msre_rule *rule, msre_var
return -1;
}
+ assert(rule->actionset != NULL);
+
memset(ovector, 0, sizeof(ovector));
#ifdef WITH_PCRE_STUDY
#ifdef WITH_PCRE_JIT
if (msr->txcfg->debuglog_level >= 4) {
+ #ifdef WITH_PCRE2
+ rc = regex->jit_compile_rc;
+ #else
rc = msc_fullinfo(regex, PCRE_INFO_JIT, &jit);
+ #endif
if ((rc != 0) || (jit != 1)) {
- *error_msg = apr_psprintf(rule->ruleset->mp,
+ *error_msg = apr_psprintf(msr->mp,
"Rule %pp [id \"%s\"][file \"%s\"][line \"%d\"] - "
"Execution error - "
"Does not support JIT (%d)",
@@ -3404,10 +3692,19 @@ static int msre_op_verifySSN_execute(modsec_rec *msr, msre_rule *rule, msre_var
}
}
- rc = msc_regexec_ex(regex, target, target_length, offset, PCRE_NOTEMPTY, ovector, 30, &my_error_msg);
+#ifdef WITH_PCRE2
+ options = PCRE2_NOTEMPTY;
+#else
+ options = PCRE_NOTEMPTY;
+#endif
+ rc = msc_regexec_ex(regex, target, target_length, offset, options, ovector, 30, &my_error_msg);
/* If there was no match, then we are done. */
+#ifdef WITH_PCRE2
+ if (rc == PCRE2_ERROR_NOMATCH) {
+#else
if (rc == PCRE_ERROR_NOMATCH) {
+#endif
break;
}
@@ -3519,6 +3816,9 @@ static int msre_op_verifySSN_execute(modsec_rec *msr, msre_rule *rule, msre_var
static int msre_op_geoLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
geo_rec rec;
geo_db *geo = msr->txcfg->geo;
const char *geo_host = var->value;
@@ -3645,6 +3945,11 @@ static int msre_op_geoLookup_execute(modsec_rec *msr, msre_rule *rule, msre_var
/* rbl */
static int msre_op_rbl_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
unsigned int h0, h1, h2, h3;
unsigned int high8bits = 0;
char *name_to_check = NULL;
@@ -3653,10 +3958,11 @@ static int msre_op_rbl_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
apr_status_t rc;
int capture = 0;
- if (error_msg == NULL) return -1;
*error_msg = NULL;
- capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0;
+ if (rule->actionset->actions)
+ capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0;
+ else capture = 0;
/* ENH Add IPv6 support. */
@@ -3826,10 +4132,20 @@ static int msre_op_rbl_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
/* fuzzyHash */
static int msre_op_fuzzy_hash_init(msre_rule *rule, char **error_msg)
{
+ assert(rule != NULL);
+ assert(rule->ruleset != NULL);
+ assert(error_msg != NULL);
+ if (error_msg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, rule->ruleset->mp, "msre_op_fuzzy_hash_init error_msg is NULL");
+ return -1;
+ }
#ifdef WITH_SSDEEP
struct fuzzy_hash_param_data *param_data;
+ struct fuzzy_hash_chunk *chunk, *t;
+ FILE *fp;
char *file;
int param_len,threshold;
+ char line[1024];
char *data = NULL;
char *threshold_str = NULL;
@@ -3837,15 +4153,12 @@ static int msre_op_fuzzy_hash_init(msre_rule *rule, char **error_msg)
param_data = apr_palloc(rule->ruleset->mp,
sizeof(struct fuzzy_hash_param_data));
+ param_data->head = NULL;
+
data = apr_pstrdup(rule->ruleset->mp, rule->op_param);
threshold_str = data;
#endif
- if (error_msg == NULL)
- {
- return -1;
- }
-
*error_msg = NULL;
#ifdef WITH_SSDEEP
@@ -3876,14 +4189,37 @@ static int msre_op_fuzzy_hash_init(msre_rule *rule, char **error_msg)
}
file = resolve_relative_path(rule->ruleset->mp, rule->filename, file);
-
- if (!fopen(file, "r"))
+
+ fp = fopen(file, "r");
+ if (!fp)
{
*error_msg = apr_psprintf(rule->ruleset->mp, "Not able to open file:" \
" %s.", file);
return -1;
}
+ while (read_line(line, sizeof(line), fp))
+ {
+ chunk = apr_palloc(rule->ruleset->mp,
+ sizeof(struct fuzzy_hash_chunk));
+
+ chunk->data = apr_pstrdup(rule->ruleset->mp, line);
+ chunk->next = NULL;
+
+ if (param_data->head == NULL) {
+ param_data->head = chunk;
+ } else {
+ t = param_data->head;
+
+ while (t->next) {
+ t = t->next;
+ }
+
+ t->next = chunk;
+ }
+ }
+
+ fclose(fp);
param_data->file = file;
param_data->threshold = threshold;
@@ -3905,55 +4241,42 @@ static int msre_op_fuzzy_hash_init(msre_rule *rule, char **error_msg)
static int msre_op_fuzzy_hash_execute(modsec_rec *msr, msre_rule *rule,
msre_var *var, char **error_msg)
{
-
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
#ifdef WITH_SSDEEP
char result[FUZZY_MAX_RESULT];
struct fuzzy_hash_param_data *param = rule->op_param_data;
- FILE *fp;
- char line[1024];
+ struct fuzzy_hash_chunk *chunk = param->head;
#endif
- if (error_msg == NULL)
- {
- return -1;
- }
-
*error_msg = NULL;
#ifdef WITH_SSDEEP
if (fuzzy_hash_buf(var->value, var->value_len, result))
{
- *error_msg = apr_psprintf(rule->ruleset->mp, "Problems generating " \
+ *error_msg = apr_psprintf(msr->mp, "Problems generating " \
"fuzzy hash.");
return -1;
}
- fp = fopen(param->file, "r");
- if (!fp)
- {
- *error_msg = apr_psprintf(rule->ruleset->mp, "Not able to open " \
- "fuzzy hash file: %s", param->file);
-
- return 1;
- }
-
- while (read_line(line, sizeof(line), fp))
+ while (chunk != NULL)
{
- int i = fuzzy_compare(line, result);
+ int i = fuzzy_compare(chunk->data, result);
+ msr_log(msr, 9, "%d (%s)", i, chunk->data);
if (i >= param->threshold)
{
*error_msg = apr_psprintf(msr->mp, "Fuzzy hash of %s matched " \
- "with %s (from: %s). Score: %d.", var->name, line,
+ "with %s (from: %s). Score: %d.", var->name, chunk->data,
param->file, i);
- fclose(fp);
return 1;
}
+ chunk = chunk->next;
}
-
- fclose(fp);
#else
- *error_msg = apr_psprintf(rule->ruleset->mp, "ModSecurity was not " \
+ *error_msg = apr_psprintf(msr->mp, "ModSecurity was not " \
"compiled with ssdeep support.");
return -1;
@@ -3967,9 +4290,15 @@ static int msre_op_fuzzy_hash_execute(modsec_rec *msr, msre_rule *rule,
/* inspectFile */
static int msre_op_inspectFile_init(msre_rule *rule, char **error_msg) {
+ assert(rule != NULL);
+ assert(rule->ruleset != NULL);
+ assert(error_msg != NULL);
+ if (error_msg == NULL) {
+ ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, rule->ruleset->mp, "msre_op_inspectFile_init: error_msg is NULL");
+ return -1;
+ }
char *filename = (char *)rule->op_param;
- if (error_msg == NULL) return -1;
*error_msg = NULL;
if ((filename == NULL)||(is_empty_string(filename))) {
@@ -4008,7 +4337,10 @@ static int msre_op_inspectFile_init(msre_rule *rule, char **error_msg) {
static int msre_op_inspectFile_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg)
{
- if (error_msg == NULL) return -1;
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
*error_msg = NULL;
if (rule->op_param_data == NULL) {
@@ -4069,6 +4401,9 @@ static int msre_op_inspectFile_execute(modsec_rec *msr, msre_rule *rule, msre_va
/* validateByteRange */
static int msre_op_validateByteRange_init(msre_rule *rule, char **error_msg) {
+ assert(rule != NULL);
+ assert(rule->ruleset != NULL);
+ assert(error_msg != NULL);
char *p = NULL, *saveptr = NULL;
char *table = NULL, *data = NULL;
@@ -4132,10 +4467,13 @@ static int msre_op_validateByteRange_init(msre_rule *rule, char **error_msg) {
static int msre_op_validateByteRange_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg)
{
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
char *table = rule->op_param_data;
unsigned int i, count;
- if (error_msg == NULL) return -1;
*error_msg = NULL;
if (table == NULL) {
@@ -4206,6 +4544,9 @@ static int validate_url_encoding(const char *input, long int input_length) {
static int msre_op_validateUrlEncoding_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
int rc = validate_url_encoding(var->value, var->value_len);
switch(rc) {
case 1 :
@@ -4293,7 +4634,7 @@ static int detect_utf8_character(const unsigned char *p_read, unsigned int lengt
else {
unicode_len = 4;
/* compute character number */
- d = ((c & 0x07) << 18) | ((*(p_read + 1) & 0x3F) << 12) | ((*(p_read + 2) & 0x3F) < 6) | (*(p_read + 3) & 0x3F);
+ d = ((c & 0x07) << 18) | ((*(p_read + 1) & 0x3F) << 12) | ((*(p_read + 2) & 0x3F) << 6) | (*(p_read + 3) & 0x3F);
}
}
/* any other first byte is invalid (RFC 3629) */
@@ -4326,6 +4667,9 @@ static int detect_utf8_character(const unsigned char *p_read, unsigned int lengt
static int msre_op_validateUtf8Encoding_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
unsigned int i, bytes_left;
bytes_left = var->value_len;
@@ -4383,6 +4727,10 @@ static int msre_op_validateUtf8Encoding_execute(modsec_rec *msr, msre_rule *rule
static int msre_op_eq_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg)
{
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
msc_string str;
int left, right;
char *target = NULL;
@@ -4421,6 +4769,10 @@ static int msre_op_eq_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
static int msre_op_gt_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg)
{
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
msc_string str;
int left, right;
char *target = NULL;
@@ -4464,16 +4816,14 @@ static int msre_op_gt_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
static int msre_op_lt_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg)
{
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
msc_string str;
int left, right;
char *target = NULL;
- if ((var->value == NULL)||(rule->op_param == NULL)) {
- /* NULL values do not match anything. */
- return 0;
- }
-
- if (error_msg == NULL) return -1;
*error_msg = NULL;
if ((var->value == NULL)||(rule->op_param == NULL)) {
@@ -4507,6 +4857,10 @@ static int msre_op_lt_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
static int msre_op_ge_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg)
{
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
msc_string str;
int left, right;
char *target = NULL;
@@ -4550,6 +4904,10 @@ static int msre_op_ge_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
static int msre_op_le_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
char **error_msg)
{
+ assert(msr != NULL);
+ assert(rule != NULL);
+ assert(var != NULL);
+ assert(error_msg != NULL);
msc_string str;
int left, right;
char *target = NULL;
@@ -4559,7 +4917,6 @@ static int msre_op_le_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
return 0;
}
- if (error_msg == NULL) return -1;
*error_msg = NULL;
if ((var->value == NULL)||(rule->op_param == NULL)) {
diff --git a/apache2/re_variables.c b/apache2/re_variables.c
index b83af1c605..266ed6895f 100644
--- a/apache2/re_variables.c
+++ b/apache2/re_variables.c
@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -12,6 +12,7 @@
* directly using the email address security@modsecurity.org.
*/
+#include <time.h>
#include "http_core.h"
#include "modsecurity.h"
@@ -21,12 +22,18 @@
#include "libxml/xpathInternals.h"
+#ifdef WITH_PCRE2
+#define PCRE_ERROR_NOMATCH PCRE2_ERROR_NOMATCH
+#endif
/**
* Generates a variable from a string and a length.
*/
static int var_simple_generate_ex(msre_var *var, apr_table_t *vartab, apr_pool_t *mptmp,
const char *value, int value_len)
{
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
msre_var *rvar = NULL;
if (value == NULL) return 0;
@@ -54,6 +61,9 @@ static int var_simple_generate(msre_var *var, apr_table_t *vartab, apr_pool_t *m
* care of the case when the parameter is a regular expression.
*/
static char *var_generic_list_validate(msre_ruleset *ruleset, msre_var *var) {
+ assert(ruleset != NULL);
+ assert(var != NULL);
+
/* It's OK if there's no parameter. */
if (var->param == NULL) return NULL;
@@ -64,12 +74,18 @@ static char *var_generic_list_validate(msre_ruleset *ruleset, msre_var *var) {
msc_regex_t *regex = NULL;
const char *errptr = NULL;
const char *pattern = NULL;
+ int options = 0;
int erroffset;
pattern = apr_pstrmemdup(ruleset->mp, var->param + 1, strlen(var->param + 1) - 1);
if (pattern == NULL) return FATAL_ERROR;
- regex = msc_pregcomp(ruleset->mp, pattern, PCRE_DOTALL | PCRE_CASELESS | PCRE_DOLLAR_ENDONLY, &errptr, &erroffset);
+#ifdef WITH_PCRE2
+ options = PCRE2_DOTALL | PCRE2_CASELESS | PCRE2_DOLLAR_ENDONLY;
+#else
+ options = PCRE_DOTALL | PCRE_CASELESS | PCRE_DOLLAR_ENDONLY;
+#endif
+ regex = msc_pregcomp(ruleset->mp, pattern, options, &errptr, &erroffset);
if (regex == NULL) {
return apr_psprintf(ruleset->mp, "Error compiling pattern (offset %d): %s",
erroffset, errptr);
@@ -90,6 +106,10 @@ static char *var_generic_list_validate(msre_ruleset *ruleset, msre_var *var) {
static int var_args_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
@@ -99,6 +119,7 @@ static int var_args_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
msc_arg *arg = (msc_arg *)te[i].val;
+ assert(arg != NULL);
int match = 0;
/* Figure out if we want to include this argument. */
@@ -107,8 +128,7 @@ static int var_args_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
/* Run the regex against the argument name. */
- if (!(msc_regexec((msc_regex_t *)var->param_data, arg->name,
- arg->name_len, &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, arg->name, arg->name_len, &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(arg->name, var->param) == 0) match = 1;
}
@@ -135,6 +155,10 @@ static int var_args_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
static int var_args_combined_size_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
unsigned int combined_size = 0;
@@ -145,6 +169,7 @@ static int var_args_combined_size_generate(modsec_rec *msr, msre_var *var, msre_
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
msc_arg *arg = (msc_arg *)te[i].val;
+ assert(arg != NULL);
combined_size += arg->name_len;
combined_size += arg->value_len;
}
@@ -162,6 +187,10 @@ static int var_args_combined_size_generate(modsec_rec *msr, msre_var *var, msre_
static int var_args_names_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
@@ -170,6 +199,7 @@ static int var_args_names_generate(modsec_rec *msr, msre_var *var, msre_rule *ru
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
msc_arg *arg = (msc_arg *)te[i].val;
+ assert(arg != NULL);
int match = 0;
/* Figure out if we want to include this variable. */
@@ -177,8 +207,7 @@ static int var_args_names_generate(modsec_rec *msr, msre_var *var, msre_rule *ru
else {
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, arg->name,
- arg->name_len, &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, arg->name, arg->name_len, &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(arg->name, var->param) == 0) match = 1;
}
@@ -205,6 +234,10 @@ static int var_args_names_generate(modsec_rec *msr, msre_var *var, msre_rule *ru
static int var_args_get_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
@@ -214,6 +247,7 @@ static int var_args_get_generate(modsec_rec *msr, msre_var *var, msre_rule *rule
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
msc_arg *arg = (msc_arg *)te[i].val;
+ assert(arg != NULL);
int match = 0;
/* Only QUERY_STRING arguments */
@@ -225,8 +259,7 @@ static int var_args_get_generate(modsec_rec *msr, msre_var *var, msre_rule *rule
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
/* Run the regex against the argument name. */
- if (!(msc_regexec((msc_regex_t *)var->param_data, arg->name,
- arg->name_len, &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, arg->name, arg->name_len, &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(arg->name, var->param) == 0) match = 1;
}
@@ -253,6 +286,10 @@ static int var_args_get_generate(modsec_rec *msr, msre_var *var, msre_rule *rule
static int var_args_get_names_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
@@ -261,6 +298,7 @@ static int var_args_get_names_generate(modsec_rec *msr, msre_var *var, msre_rule
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
msc_arg *arg = (msc_arg *)te[i].val;
+ assert(arg != NULL);
int match = 0;
/* Only QUERY_STRING arguments */
@@ -271,8 +309,7 @@ static int var_args_get_names_generate(modsec_rec *msr, msre_var *var, msre_rule
else {
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, arg->name,
- arg->name_len, &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, arg->name, arg->name_len, &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(arg->name, var->param) == 0) match = 1;
}
@@ -299,6 +336,10 @@ static int var_args_get_names_generate(modsec_rec *msr, msre_var *var, msre_rule
static int var_args_post_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
@@ -308,6 +349,7 @@ static int var_args_post_generate(modsec_rec *msr, msre_var *var, msre_rule *rul
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
msc_arg *arg = (msc_arg *)te[i].val;
+ assert(arg != NULL);
int match = 0;
/* Only BODY arguments */
@@ -319,8 +361,7 @@ static int var_args_post_generate(modsec_rec *msr, msre_var *var, msre_rule *rul
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
/* Run the regex against the argument name. */
- if (!(msc_regexec((msc_regex_t *)var->param_data, arg->name,
- arg->name_len, &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, arg->name, arg->name_len, &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(arg->name, var->param) == 0) match = 1;
}
@@ -347,6 +388,10 @@ static int var_args_post_generate(modsec_rec *msr, msre_var *var, msre_rule *rul
static int var_args_post_names_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
@@ -355,6 +400,7 @@ static int var_args_post_names_generate(modsec_rec *msr, msre_var *var, msre_rul
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
msc_arg *arg = (msc_arg *)te[i].val;
+ assert(arg != NULL);
int match = 0;
/* Only BODY arguments */
@@ -365,8 +411,7 @@ static int var_args_post_names_generate(modsec_rec *msr, msre_var *var, msre_rul
else {
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, arg->name,
- arg->name_len, &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, arg->name, arg->name_len, &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(arg->name, var->param) == 0) match = 1;
}
@@ -393,10 +438,14 @@ static int var_args_post_names_generate(modsec_rec *msr, msre_var *var, msre_rul
static int var_rule_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
msre_actionset *actionset = NULL;
- if (rule == NULL) return 0;
-
actionset = rule->actionset;
if (rule->chain_starter != NULL) actionset = rule->chain_starter->actionset;
@@ -428,13 +477,14 @@ static int var_rule_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
return var_simple_generate(var, vartab, mptmp, value);
}
-
return 0;
}
/* ENV */
static char *var_env_validate(msre_ruleset *ruleset, msre_var *var) {
+ assert(ruleset != NULL);
+ assert(var != NULL);
if (var->param == NULL) {
return apr_psprintf(ruleset->mp, "Parameter required for ENV.");
}
@@ -449,6 +499,9 @@ static char *var_env_validate(msre_ruleset *ruleset, msre_var *var) {
static int var_env_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
+ assert(var != NULL);
char *value = get_env_var(msr->r, (char *)var->param);
if (value != NULL) {
return var_simple_generate(var, vartab, mptmp, value);
@@ -461,6 +514,8 @@ static int var_env_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
static int var_request_uri_raw_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
return var_simple_generate(var, vartab, mptmp, msr->r->unparsed_uri);
}
@@ -469,6 +524,8 @@ static int var_request_uri_raw_generate(modsec_rec *msr, msre_var *var, msre_rul
static int var_uniqueid_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
char *value = get_env_var(msr->r, "UNIQUE_ID");
if (value != NULL) {
return var_simple_generate(var, vartab, mptmp, value);
@@ -483,10 +540,18 @@ static int var_uniqueid_generate(modsec_rec *msr, msre_var *var, msre_rule *rule
static int var_request_uri_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp) /* dynamic */
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
char *value = NULL;
if (msr->r->parsed_uri.query == NULL) value = msr->r->parsed_uri.path;
- else value = apr_pstrcat(mptmp, msr->r->parsed_uri.path, "?", msr->r->parsed_uri.query, NULL);
+ else {
+ value = apr_pstrcat(mptmp, msr->r->parsed_uri.path, "?", msr->r->parsed_uri.query, NULL);
+ if (!value) {
+ msr_log(msr, 1, "REQUEST_URI: Memory allocation error");
+ return -1;
+ }
+ }
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -496,7 +561,14 @@ static int var_request_uri_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_reqbody_processor_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "REQBODY_PROCESSOR: Memory allocation error");
+ return -1;
+ }
if (msr->msc_reqbody_processor == NULL) {
rvar->value = apr_pstrdup(mptmp, "");
@@ -515,9 +587,21 @@ static int var_reqbody_processor_generate(modsec_rec *msr, msre_var *var, msre_r
static int var_sdbm_delete_error_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "SDBM_DELETE_ERROR: Memory allocation error");
+ return -1;
+ }
rvar->value = apr_psprintf(mptmp, "%d", msr->msc_sdbm_delete_error);
+ if (!rvar->value) {
+ msr_log(msr, 1, "SDBM_DELETE_ERROR: Memory allocation error");
+ return -1;
+ }
rvar->value_len = strlen(rvar->value);
apr_table_addn(vartab, rvar->name, (void *)rvar);
@@ -529,7 +613,15 @@ static int var_sdbm_delete_error_generate(modsec_rec *msr, msre_var *var, msre_r
static int var_reqbody_processor_error_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "REQBODY_ERROR: Memory allocation error");
+ return -1;
+ }
rvar->value = apr_psprintf(mptmp, "%d", msr->msc_reqbody_error);
rvar->value_len = strlen(rvar->value);
@@ -543,7 +635,15 @@ static int var_reqbody_processor_error_generate(modsec_rec *msr, msre_var *var,
static int var_reqbody_processor_error_msg_generate(modsec_rec *msr, msre_var *var,
msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "REQBODY_ERROR_MSG: Memory allocation error");
+ return -1;
+ }
if (msr->msc_reqbody_error_msg == NULL) {
rvar->value = apr_pstrdup(mptmp, "");
@@ -561,6 +661,8 @@ static int var_reqbody_processor_error_msg_generate(modsec_rec *msr, msre_var *v
/* XML */
static char *var_xml_validate(msre_ruleset *ruleset, msre_var *var) {
+ assert(var != NULL);
+
/* It's OK if there's no parameter. */
if (var->param == NULL) return NULL;
@@ -572,6 +674,13 @@ static char *var_xml_validate(msre_ruleset *ruleset, msre_var *var) {
static int var_xml_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(var->name != NULL);
+ assert(rule != NULL);
+ assert(rule->actionset != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *tarr;
const apr_table_entry_t *telts;
xmlXPathContextPtr xpathCtx;
@@ -652,22 +761,35 @@ static int var_xml_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
}
/* Create one variable for each node in the result. */
+ char* content = NULL;
for(i = 0; i < nodes->nodeNr; i++) {
msre_var *rvar = NULL;
- char *content = NULL;
content = (char *)xmlNodeGetContent(nodes->nodeTab[i]);
if (content != NULL) {
rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "XML: Memory allocation error");
+ count = -1;
+ goto var_xml_generate_Error;
+ }
rvar->value = apr_pstrdup(mptmp, content);
- xmlFree(content);
+ if (!rvar->value) {
+ msr_log(msr, 1, "XML: Memory allocation error");
+ count = -1;
+ goto var_xml_generate_Error;
+ }
rvar->value_len = strlen(rvar->value);
apr_table_addn(vartab, rvar->name, (void *)rvar);
+ xmlFree(content);
+ content = NULL;
count++;
}
}
+var_xml_generate_Error:
+ if (content != NULL) xmlFree(content);
xmlXPathFreeObject(xpathObj);
xmlXPathFreeContext(xpathCtx);
@@ -679,6 +801,11 @@ static int var_xml_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
static int var_webserver_error_log_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(var->name != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
msre_var *rvar = NULL;
int i, count = 0;
@@ -689,7 +816,15 @@ static int var_webserver_error_log_generate(modsec_rec *msr, msre_var *var, msre
fem = format_error_log_message(mptmp, em);
if (fem != NULL) {
rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "WEBSERVER_ERROR_LOG: Memory allocation error");
+ return -1;
+ }
rvar->value = apr_pstrdup(mptmp, fem);
+ if (!rvar->value) {
+ msr_log(msr, 1, "WEBSERVER_ERROR_LOG: Memory allocation error");
+ return -1;
+ }
rvar->value_len = strlen(rvar->value);
apr_table_addn(vartab, rvar->name, (void *)rvar);
@@ -704,6 +839,7 @@ static int var_webserver_error_log_generate(modsec_rec *msr, msre_var *var, msre
static int var_useragent_ip_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return var_simple_generate(var, vartab, mptmp, msr->useragent_ip ? msr->useragent_ip : "0.0.0.0");
}
#endif
@@ -713,9 +849,12 @@ static int var_useragent_ip_generate(modsec_rec *msr, msre_var *var, msre_rule *
static int var_remote_addr_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
#if !defined(MSC_TEST)
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 3
if (ap_find_linked_module("mod_remoteip.c") != NULL) {
+ assert(msr->r != NULL);
+ assert(msr->r->useragent_ip != NULL);
if(msr->r->useragent_ip != NULL) msr->remote_addr = apr_pstrdup(msr->mp, msr->r->useragent_ip);
return var_simple_generate(var, vartab, mptmp, msr->remote_addr);
}
@@ -730,6 +869,8 @@ static int var_remote_addr_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_remote_host_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
const char *value1 = ap_get_remote_host(msr->r->connection, msr->r->per_dir_config,
REMOTE_NAME, NULL);
return var_simple_generate(var, vartab, mptmp, value1);
@@ -740,6 +881,7 @@ static int var_remote_host_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_remote_port_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
char *value = apr_psprintf(mptmp, "%u", msr->remote_port);
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -749,6 +891,7 @@ static int var_remote_port_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_remote_user_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return var_simple_generate(var, vartab, mptmp, msr->remote_user);
}
@@ -757,14 +900,20 @@ static int var_remote_user_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_tx_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
arr = apr_table_elts(msr->tx_vars);
+ assert(arr != NULL);
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
msc_string *str = (msc_string *)te[i].val;
+ assert(str != NULL);
int match;
/* Figure out if we want to include this variable. */
@@ -773,8 +922,7 @@ static int var_tx_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
else {
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, str->name,
- str->name_len, &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, str->name, str->name_len, &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(str->name, var->param) == 0) match = 1;
}
@@ -783,10 +931,18 @@ static int var_tx_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
/* If we had a match add this argument to the collection. */
if (match) {
msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "TX: Memory allocation error");
+ return -1;
+ }
rvar->value = str->value;
rvar->value_len = str->value_len;
rvar->name = apr_psprintf(mptmp, "TX:%s", log_escape_nq_ex(mptmp, str->name, str->name_len));
+ if (!rvar->name) {
+ msr_log(msr, 1, "TX: Memory allocation error");
+ return -1;
+ }
apr_table_addn(vartab, rvar->name, (void *)rvar);
count++;
@@ -801,14 +957,20 @@ static int var_tx_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
static int var_geo_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
arr = apr_table_elts(msr->geo_vars);
+ assert(arr != NULL);
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
msc_string *str = (msc_string *)te[i].val;
+ assert(str != NULL);
int match;
/* Figure out if we want to include this variable. */
@@ -817,8 +979,7 @@ static int var_geo_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
else {
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, str->name,
- str->name_len, &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, str->name, str->name_len, &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(str->name, var->param) == 0) match = 1;
}
@@ -845,6 +1006,7 @@ static int var_geo_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
static int var_highest_severity_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return var_simple_generate(var, vartab, mptmp,
apr_psprintf(mptmp, "%d", msr->highest_severity));
}
@@ -854,6 +1016,11 @@ static int var_highest_severity_generate(modsec_rec *msr, msre_var *var, msre_ru
static int var_ip_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->collections != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
@@ -863,9 +1030,11 @@ static int var_ip_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
if (target_col == NULL) return 0;
arr = apr_table_elts(target_col);
+ assert(arr != NULL);
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
msc_string *str = (msc_string *)te[i].val;
+ assert(str != NULL);
int match;
/* Figure out if we want to include this variable. */
@@ -874,8 +1043,7 @@ static int var_ip_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
else {
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, str->name,
- str->name_len, &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, str->name, str->name_len, &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(str->name, var->param) == 0) match = 1;
}
@@ -902,6 +1070,8 @@ static int var_ip_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
static int var_matched_var_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->matched_var != NULL);
return var_simple_generate_ex(var, vartab, mptmp,
apr_pmemdup(mptmp,
msr->matched_var->value,
@@ -914,6 +1084,8 @@ static int var_matched_var_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_matched_var_name_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->matched_var != NULL);
return var_simple_generate_ex(var, vartab, mptmp,
apr_pmemdup(mptmp,
msr->matched_var->name,
@@ -926,6 +1098,11 @@ static int var_matched_var_name_generate(modsec_rec *msr, msre_var *var, msre_ru
static int var_session_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->collections != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
@@ -938,6 +1115,7 @@ static int var_session_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
msc_string *str = (msc_string *)te[i].val;
+ assert(str != NULL);
int match;
/* Figure out if we want to include this variable. */
@@ -946,8 +1124,7 @@ static int var_session_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
else {
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, str->name,
- str->name_len, &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, str->name, str->name_len, &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(str->name, var->param) == 0) match = 1;
}
@@ -956,6 +1133,10 @@ static int var_session_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
/* If we had a match add this argument to the collection. */
if (match) {
msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "SESSION: Memory allocation error");
+ return -1;
+ }
rvar->value = str->value;
rvar->value_len = str->value_len;
@@ -974,6 +1155,11 @@ static int var_session_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
static int var_user_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->collections != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
@@ -986,6 +1172,7 @@ static int var_user_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
msc_string *str = (msc_string *)te[i].val;
+ assert(str != NULL);
int match;
/* Figure out if we want to include this variable. */
@@ -994,8 +1181,7 @@ static int var_user_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
else {
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, str->name,
- str->name_len, &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, str->name, str->name_len, &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(str->name, var->param) == 0) match = 1;
}
@@ -1004,10 +1190,18 @@ static int var_user_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
/* If we had a match add this argument to the collection. */
if (match) {
msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "USER: Memory allocation error");
+ return -1;
+ }
rvar->value = str->value;
rvar->value_len = str->value_len;
rvar->name = apr_psprintf(mptmp, "USER:%s", log_escape_nq_ex(mptmp, str->name, str->name_len));
+ if (!rvar->name) {
+ msr_log(msr, 1, "USER: Memory allocation error");
+ return -1;
+ }
apr_table_addn(vartab, rvar->name, (void *)rvar);
count++;
@@ -1022,6 +1216,11 @@ static int var_user_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
static int var_global_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->collections != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
@@ -1034,6 +1233,7 @@ static int var_global_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
msc_string *str = (msc_string *)te[i].val;
+ assert(str != NULL);
int match;
/* Figure out if we want to include this variable. */
@@ -1042,8 +1242,7 @@ static int var_global_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
else {
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, str->name,
- str->name_len, &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, str->name, str->name_len, &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(str->name, var->param) == 0) match = 1;
}
@@ -1070,6 +1269,11 @@ static int var_global_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
static int var_resource_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->collections != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
@@ -1082,6 +1286,7 @@ static int var_resource_generate(modsec_rec *msr, msre_var *var, msre_rule *rule
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
msc_string *str = (msc_string *)te[i].val;
+ assert(str != NULL);
int match;
/* Figure out if we want to include this variable. */
@@ -1090,8 +1295,7 @@ static int var_resource_generate(modsec_rec *msr, msre_var *var, msre_rule *rule
else {
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, str->name,
- str->name_len, &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, str->name, str->name_len, &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(str->name, var->param) == 0) match = 1;
}
@@ -1100,6 +1304,10 @@ static int var_resource_generate(modsec_rec *msr, msre_var *var, msre_rule *rule
/* If we had a match add this argument to the collection. */
if (match) {
msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "RESOURCE: Memory allocation error");
+ return -1;
+ }
rvar->value = str->value;
rvar->value_len = str->value_len;
@@ -1118,44 +1326,32 @@ static int var_resource_generate(modsec_rec *msr, msre_var *var, msre_rule *rule
static int var_files_tmp_contents_generate(modsec_rec *msr, msre_var *var,
msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
multipart_part **parts = NULL;
int i, count = 0;
if (msr->mpd == NULL) return 0;
+ assert(msr->mpd->parts != NULL);
parts = (multipart_part **)msr->mpd->parts->elts;
- for (i = 0; i < msr->mpd->parts->nelts; i++)
- {
- if ((parts[i]->type == MULTIPART_FILE) &&
- (parts[i]->tmp_file_name != NULL))
- {
+ for (i = 0; i < msr->mpd->parts->nelts; i++) {
+ if ((parts[i]->type == MULTIPART_FILE) && (parts[i]->tmp_file_name != NULL)) {
int match = 0;
/* Figure out if we want to include this variable. */
- if (var->param == NULL)
- {
- match = 1;
- }
- else
- {
- if (var->param_data != NULL)
- {
+ if (var->param == NULL)match = 1;
+ else {
+ if (var->param_data != NULL) {
/* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data,
- parts[i]->name, strlen(parts[i]->name),
- &my_error_msg) == PCRE_ERROR_NOMATCH))
- {
- match = 1;
- }
+ if (msc_regexec((msc_regex_t*)var->param_data, parts[i]->name, strlen(parts[i]->name), &my_error_msg) >= 0) match = 1;
}
- else
- {
+ else {
/* Simple comparison. */
- if (strcasecmp(parts[i]->name, var->param) == 0)
- {
- match = 1;
- }
+ if (strcasecmp(parts[i]->name, var->param) == 0)match = 1;
}
}
/* If we had a match add this argument to the collection. */
@@ -1164,28 +1360,30 @@ static int var_files_tmp_contents_generate(modsec_rec *msr, msre_var *var,
FILE *file;
size_t nread;
char *full_content = NULL;
+ char *full_content_tmp_ptr = NULL;
size_t total_lenght = 0;
msre_var *rvar = NULL;
file = fopen(parts[i]->tmp_file_name, "r");
- if (file == NULL)
- {
- continue;
+ if (file == NULL) continue;
+
+ full_content = (char *)apr_pcalloc(mptmp, (sizeof(char)*parts[i]->length) + 1);
+ if (full_content == NULL) {
+ if (msr->txcfg->debuglog_level >= 3) {
+ msr_log(msr, 3, "Variable FILES_TMP_CONTENT will not be created, not " \
+ "enough memory available.");
+ }
+ goto files_tmp_content_not_enough_mem;
}
+ full_content_tmp_ptr = full_content;
while ((nread = fread(buf, 1, 1023, file)) > 0)
{
- total_lenght += nread;
- buf[nread] = '\0';
- if (full_content == NULL)
- {
- full_content = apr_psprintf(mptmp, "%s", buf);
- }
- else
- {
- full_content = apr_psprintf(mptmp, "%s%s", full_content, buf);
- }
+ full_content_tmp_ptr = memcpy(full_content_tmp_ptr, buf, nread);
+ full_content_tmp_ptr += nread;
+ total_lenght += nread;
}
+ full_content_tmp_ptr[total_lenght] = '\0';
fclose(file);
rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
@@ -1200,6 +1398,7 @@ static int var_files_tmp_contents_generate(modsec_rec *msr, msre_var *var,
}
}
+files_tmp_content_not_enough_mem:
return count;
}
@@ -1209,13 +1408,19 @@ static int var_files_tmp_contents_generate(modsec_rec *msr, msre_var *var,
static int var_files_tmpnames_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
multipart_part **parts = NULL;
int i, count = 0;
if (msr->mpd == NULL) return 0;
+ assert(msr->mpd->parts != NULL);
parts = (multipart_part **)msr->mpd->parts->elts;
for(i = 0; i < msr->mpd->parts->nelts; i++) {
+ assert(parts[i] != NULL);
if ((parts[i]->type == MULTIPART_FILE)&&(parts[i]->tmp_file_name != NULL)) {
int match = 0;
@@ -1224,8 +1429,7 @@ static int var_files_tmpnames_generate(modsec_rec *msr, msre_var *var, msre_rule
else {
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, parts[i]->name,
- strlen(parts[i]->name), &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, parts[i]->name, strlen(parts[i]->name), &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(parts[i]->name, var->param) == 0) match = 1;
}
@@ -1254,13 +1458,19 @@ static int var_files_tmpnames_generate(modsec_rec *msr, msre_var *var, msre_rule
static int var_files_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
multipart_part **parts = NULL;
int i, count = 0;
if (msr->mpd == NULL) return 0;
+ assert(msr->mpd->parts != NULL);
parts = (multipart_part **)msr->mpd->parts->elts;
for(i = 0; i < msr->mpd->parts->nelts; i++) {
+ assert(parts[i] != NULL);
if (parts[i]->type == MULTIPART_FILE) {
int match = 0;
@@ -1269,8 +1479,7 @@ static int var_files_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
else {
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, parts[i]->name,
- strlen(parts[i]->name), &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, parts[i]->name, strlen(parts[i]->name), &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(parts[i]->name, var->param) == 0) match = 1;
}
@@ -1299,13 +1508,19 @@ static int var_files_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
static int var_files_sizes_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
multipart_part **parts = NULL;
int i, count = 0;
if (msr->mpd == NULL) return 0;
+ assert(msr->mpd->parts != NULL);
parts = (multipart_part **)msr->mpd->parts->elts;
for(i = 0; i < msr->mpd->parts->nelts; i++) {
+ assert(parts[i] != NULL);
if (parts[i]->type == MULTIPART_FILE) {
int match = 0;
@@ -1314,8 +1529,7 @@ static int var_files_sizes_generate(modsec_rec *msr, msre_var *var, msre_rule *r
else {
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, parts[i]->name,
- strlen(parts[i]->name), &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, parts[i]->name, strlen(parts[i]->name), &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(parts[i]->name, var->param) == 0) match = 1;
}
@@ -1344,15 +1558,25 @@ static int var_files_sizes_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_files_names_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
multipart_part **parts = NULL;
int i, count = 0;
if (msr->mpd == NULL) return 0;
+ assert(msr->mpd->parts != NULL);
parts = (multipart_part **)msr->mpd->parts->elts;
for(i = 0; i < msr->mpd->parts->nelts; i++) {
+ assert(parts[i] != NULL);
if (parts[i]->type == MULTIPART_FILE) {
msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "FILES_NAMES: Memory allocation error");
+ return count;
+ }
rvar->value = parts[i]->name;
rvar->value_len = strlen(rvar->value);
@@ -1372,6 +1596,9 @@ static int var_files_names_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_files_combined_size_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
multipart_part **parts = NULL;
msre_var *rvar = NULL;
unsigned int combined_size = 0;
@@ -1380,6 +1607,7 @@ static int var_files_combined_size_generate(modsec_rec *msr, msre_var *var, msre
if (msr->mpd != NULL) {
parts = (multipart_part **)msr->mpd->parts->elts;
for(i = 0; i < msr->mpd->parts->nelts; i++) {
+ assert(parts[i] != NULL);
if (parts[i]->type == MULTIPART_FILE) {
combined_size += parts[i]->tmp_file_size;
}
@@ -1387,6 +1615,10 @@ static int var_files_combined_size_generate(modsec_rec *msr, msre_var *var, msre
}
rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "FILES_NAMES: Memory allocation error");
+ return -1;
+ }
rvar->value = apr_psprintf(mptmp, "%u", combined_size);
rvar->value_len = strlen(rvar->value);
apr_table_addn(vartab, rvar->name, (void *)rvar);
@@ -1394,6 +1626,59 @@ static int var_files_combined_size_generate(modsec_rec *msr, msre_var *var, msre
return 1;
}
+/* MULTIPART_PART_HEADERS */
+
+static int var_multipart_part_headers_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
+ apr_table_t *vartab, apr_pool_t *mptmp)
+{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
+ multipart_part **parts = NULL;
+ int i, j, count = 0;
+
+ if (msr->mpd == NULL) return 0;
+ assert(msr->mpd->parts != NULL);
+
+ parts = (multipart_part **)msr->mpd->parts->elts;
+ for(i = 0; i < msr->mpd->parts->nelts; i++) {
+ assert(parts[i] != NULL);
+ int match = 0;
+
+ /* Figure out if we want to include this variable. */
+ if (var->param == NULL) match = 1;
+ else {
+ if (var->param_data != NULL) { /* Regex. */
+ char *my_error_msg = NULL;
+ if (msc_regexec((msc_regex_t *)var->param_data, parts[i]->name, strlen(parts[i]->name), &my_error_msg) >= 0) match = 1;
+ } else { /* Simple comparison. */
+ if (strcasecmp(parts[i]->name, var->param) == 0) match = 1;
+ }
+ }
+
+ /* If we had a match add this argument to the collection. */
+ if (match) {
+ if (parts[i]->header_lines) { /* this NULL check shouldn't be necessary */
+ for (j = 0; j < parts[i]->header_lines->nelts; j++) {
+ char *header_line = ((char **)parts[i]->header_lines->elts)[j];
+ msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+
+ rvar->value = header_line;
+ rvar->value_len = strlen(rvar->value);
+ rvar->name = apr_psprintf(mptmp, "MULTIPART_PART_HEADERS:%s",
+ log_escape_nq(mptmp, parts[i]->name));
+ apr_table_addn(vartab, rvar->name, (void *)rvar);
+
+ count++;
+ }
+ }
+ }
+ }
+
+ return count;
+}
+
/* MODSEC_BUILD */
static int var_modsec_build_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
@@ -1407,6 +1692,7 @@ static int var_modsec_build_generate(modsec_rec *msr, msre_var *var, msre_rule *
static int var_multipart_filename_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return var_simple_generate(var, vartab, mptmp, msr->multipart_filename);
}
@@ -1415,6 +1701,7 @@ static int var_multipart_filename_generate(modsec_rec *msr, msre_var *var, msre_
static int var_multipart_name_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return var_simple_generate(var, vartab, mptmp, msr->multipart_name);
}
@@ -1423,6 +1710,7 @@ static int var_multipart_name_generate(modsec_rec *msr, msre_var *var, msre_rule
static int var_multipart_boundary_quoted_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if ((msr->mpd != NULL)&&(msr->mpd->flag_boundary_quoted != 0)) {
return var_simple_generate(var, vartab, mptmp, "1");
} else {
@@ -1435,6 +1723,7 @@ static int var_multipart_boundary_quoted_generate(modsec_rec *msr, msre_var *var
static int var_multipart_boundary_whitespace_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if ((msr->mpd != NULL)&&(msr->mpd->flag_boundary_whitespace != 0)) {
return var_simple_generate(var, vartab, mptmp, "1");
} else {
@@ -1447,6 +1736,7 @@ static int var_multipart_boundary_whitespace_generate(modsec_rec *msr, msre_var
static int var_multipart_data_after_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if ((msr->mpd != NULL)&&(msr->mpd->flag_data_after != 0)) {
return var_simple_generate(var, vartab, mptmp, "1");
} else {
@@ -1459,6 +1749,7 @@ static int var_multipart_data_after_generate(modsec_rec *msr, msre_var *var, msr
static int var_multipart_data_before_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if ((msr->mpd != NULL)&&(msr->mpd->flag_data_before != 0)) {
return var_simple_generate(var, vartab, mptmp, "1");
} else {
@@ -1471,6 +1762,7 @@ static int var_multipart_data_before_generate(modsec_rec *msr, msre_var *var, ms
static int var_multipart_header_folding_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if ((msr->mpd != NULL)&&(msr->mpd->flag_header_folding != 0)) {
return var_simple_generate(var, vartab, mptmp, "1");
} else {
@@ -1483,6 +1775,7 @@ static int var_multipart_header_folding_generate(modsec_rec *msr, msre_var *var,
static int var_multipart_crlf_line_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if ((msr->mpd != NULL)&&(msr->mpd->flag_crlf_line != 0)) {
return var_simple_generate(var, vartab, mptmp, "1");
} else {
@@ -1495,6 +1788,7 @@ static int var_multipart_crlf_line_generate(modsec_rec *msr, msre_var *var, msre
static int var_multipart_crlf_lf_lines_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if ((msr->mpd != NULL)&&(msr->mpd->flag_lf_line != 0)&&(msr->mpd->flag_crlf_line != 0)) {
return var_simple_generate(var, vartab, mptmp, "1");
} else {
@@ -1507,6 +1801,7 @@ static int var_multipart_crlf_lf_lines_generate(modsec_rec *msr, msre_var *var,
static int var_multipart_lf_line_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if ((msr->mpd != NULL)&&(msr->mpd->flag_lf_line != 0)) {
return var_simple_generate(var, vartab, mptmp, "1");
} else {
@@ -1519,6 +1814,7 @@ static int var_multipart_lf_line_generate(modsec_rec *msr, msre_var *var, msre_r
static int var_multipart_missing_semicolon_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if ((msr->mpd != NULL)&&(msr->mpd->flag_missing_semicolon != 0)) {
return var_simple_generate(var, vartab, mptmp, "1");
} else {
@@ -1531,6 +1827,7 @@ static int var_multipart_missing_semicolon_generate(modsec_rec *msr, msre_var *v
static int var_multipart_invalid_part_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if ((msr->mpd != NULL)&&(msr->mpd->flag_invalid_part != 0)) {
return var_simple_generate(var, vartab, mptmp, "1");
} else {
@@ -1543,6 +1840,7 @@ static int var_multipart_invalid_part_generate(modsec_rec *msr, msre_var *var, m
static int var_multipart_invalid_quoting_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if ((msr->mpd != NULL)&&(msr->mpd->flag_invalid_quoting != 0)) {
return var_simple_generate(var, vartab, mptmp, "1");
} else {
@@ -1555,6 +1853,7 @@ static int var_multipart_invalid_quoting_generate(modsec_rec *msr, msre_var *var
static int var_multipart_invalid_header_folding_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if ((msr->mpd != NULL)&&(msr->mpd->flag_invalid_header_folding != 0)) {
return var_simple_generate(var, vartab, mptmp, "1");
} else {
@@ -1567,6 +1866,7 @@ static int var_multipart_invalid_header_folding_generate(modsec_rec *msr, msre_v
static int var_multipart_file_limit_exceeded_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if ((msr->mpd != NULL)&&(msr->mpd->flag_file_limit_exceeded != 0)) {
return var_simple_generate(var, vartab, mptmp, "1");
} else {
@@ -1579,6 +1879,7 @@ static int var_multipart_file_limit_exceeded_generate(modsec_rec *msr, msre_var
static int var_multipart_strict_error_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if (msr->mpd != NULL) {
/* Respond positive if at least one of the multipart flags is raised. */
if ( (msr->mpd->flag_error)
@@ -1606,6 +1907,7 @@ static int var_multipart_strict_error_generate(modsec_rec *msr, msre_var *var, m
static int var_multipart_unmatched_boundary_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if ((msr->mpd != NULL)&&(msr->mpd->flag_unmatched_boundary != 0)) {
return var_simple_generate(var, vartab, mptmp, "1");
} else {
@@ -1618,6 +1920,7 @@ static int var_multipart_unmatched_boundary_generate(modsec_rec *msr, msre_var *
static int var_urlencoded_error_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if (msr->urlencoded_error) {
return var_simple_generate(var, vartab, mptmp, "1");
} else {
@@ -1630,6 +1933,7 @@ static int var_urlencoded_error_generate(modsec_rec *msr, msre_var *var, msre_ru
static int var_inbound_error_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if (msr->inbound_error) {
return var_simple_generate(var, vartab, mptmp, "1");
} else {
@@ -1642,6 +1946,7 @@ static int var_inbound_error_generate(modsec_rec *msr, msre_var *var, msre_rule
static int var_outbound_error_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if (msr->outbound_error) {
return var_simple_generate(var, vartab, mptmp, "1");
} else {
@@ -1650,12 +1955,15 @@ static int var_outbound_error_generate(modsec_rec *msr, msre_var *var, msre_rule
}
static apr_time_t calculate_perf_combined(modsec_rec *msr) {
+ assert(msr != NULL);
return msr->time_phase1 + msr->time_phase2 + msr->time_phase3 + msr->time_phase4
+ msr->time_phase5 + msr->time_storage_write /* time_storage_read is already
included in phases */ + msr->time_logging + msr->time_gc;
}
char *format_all_performance_variables(modsec_rec *msr, apr_pool_t *mp) {
+ assert(msr != NULL);
+ assert(mp != NULL);
return apr_psprintf(mp, "combined=%" APR_TIME_T_FMT ", p1=%" APR_TIME_T_FMT
", p2=%" APR_TIME_T_FMT ", p3=%" APR_TIME_T_FMT ", p4=%" APR_TIME_T_FMT
", p5=%" APR_TIME_T_FMT ", sr=%" APR_TIME_T_FMT ", sw=%" APR_TIME_T_FMT
@@ -1668,6 +1976,9 @@ char *format_all_performance_variables(modsec_rec *msr, apr_pool_t *mp) {
static int generate_performance_variable(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp, apr_time_t value)
{
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
msre_var *rvar = NULL;
rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
@@ -1684,6 +1995,9 @@ static int generate_performance_variable(modsec_rec *msr, msre_var *var, msre_ru
static int var_perf_all_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
msre_var *rvar = NULL;
rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
@@ -1708,6 +2022,7 @@ static int var_perf_combined_generate(modsec_rec *msr, msre_var *var, msre_rule
static int var_perf_gc_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_gc);
}
@@ -1716,6 +2031,7 @@ static int var_perf_gc_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
static int var_perf_phase1_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_phase1);
}
@@ -1724,6 +2040,7 @@ static int var_perf_phase1_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_perf_phase2_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_phase2);
}
@@ -1732,6 +2049,7 @@ static int var_perf_phase2_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_perf_phase3_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_phase3);
}
@@ -1740,6 +2058,7 @@ static int var_perf_phase3_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_perf_phase4_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_phase4);
}
@@ -1748,6 +2067,7 @@ static int var_perf_phase4_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_perf_phase5_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_phase5);
}
@@ -1756,6 +2076,7 @@ static int var_perf_phase5_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_perf_sread_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_storage_read);
}
@@ -1764,6 +2085,7 @@ static int var_perf_sread_generate(modsec_rec *msr, msre_var *var, msre_rule *ru
static int var_perf_swrite_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_storage_write);
}
@@ -1772,6 +2094,7 @@ static int var_perf_swrite_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_perf_logging_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return generate_performance_variable(msr, var, rule, vartab, mptmp, msr->time_logging);
}
@@ -1781,11 +2104,16 @@ static int var_perf_logging_generate(modsec_rec *msr, msre_var *var, msre_rule *
static int var_perf_rules_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
arr = apr_table_elts(msr->perf_rules);
+ assert(arr != NULL);
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
int match = 0;
@@ -1795,8 +2123,7 @@ static int var_perf_rules_generate(modsec_rec *msr, msre_var *var, msre_rule *ru
else {
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, te[i].key,
- strlen(te[i].key), &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, te[i].key, strlen(te[i].key), &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(te[i].key, var->param) == 0) match = 1;
}
@@ -1824,11 +2151,18 @@ static int var_perf_rules_generate(modsec_rec *msr, msre_var *var, msre_rule *ru
static int var_duration_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
- msre_var *rvar = NULL;
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
+ msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "DURATION: Memory allocation error");
+ return -1;
+ }
- rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
rvar->value = apr_psprintf(mptmp, "%" APR_TIME_T_FMT,
- (apr_time_usec(apr_time_now() - msr->r->request_time)));
+ (apr_time_now() - msr->r->request_time));
rvar->value_len = strlen(rvar->value);
apr_table_addn(vartab, rvar->name, (void *)rvar);
@@ -1840,6 +2174,10 @@ static int var_duration_generate(modsec_rec *msr, msre_var *var, msre_rule *rule
static int var_time_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
msre_var *rvar = NULL;
struct tm *tm;
time_t tc;
@@ -1847,10 +2185,18 @@ static int var_time_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
tc = time(NULL);
tm = localtime(&tc);
rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "TIME: Memory allocation error");
+ return -1;
+ }
rvar->value = apr_psprintf(mptmp, "%02d%02d%02d%02d%02d%02d%02d",
(tm->tm_year / 100) + 19, (tm->tm_year % 100),
tm->tm_mon + 1, tm->tm_mday, tm->tm_hour, tm->tm_min,
tm->tm_sec);
+ if (!rvar->value) {
+ msr_log(msr, 1, "TIME: Memory allocation error");
+ return -1;
+ }
rvar->value_len = strlen(rvar->value);
apr_table_addn(vartab, rvar->name, (void *)rvar);
@@ -1862,6 +2208,10 @@ static int var_time_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
static int var_time_year_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
msre_var *rvar = NULL;
struct tm *tm;
time_t tc;
@@ -1869,9 +2219,17 @@ static int var_time_year_generate(modsec_rec *msr, msre_var *var, msre_rule *rul
tc = time(NULL);
tm = localtime(&tc);
rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "TIME_YEAR: Memory allocation error");
+ return -1;
+ }
rvar->value = apr_psprintf(mptmp, "%02d%02d",
(tm->tm_year / 100) + 19,
tm->tm_year % 100);
+ if (!rvar->value) {
+ msr_log(msr, 1, "TIME_YEAR: Memory allocation error");
+ return -1;
+ }
rvar->value_len = strlen(rvar->value);
apr_table_addn(vartab, rvar->name, (void *)rvar);
@@ -1883,6 +2241,10 @@ static int var_time_year_generate(modsec_rec *msr, msre_var *var, msre_rule *rul
static int var_time_wday_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
msre_var *rvar = NULL;
struct tm *tm;
time_t tc;
@@ -1890,7 +2252,15 @@ static int var_time_wday_generate(modsec_rec *msr, msre_var *var, msre_rule *rul
tc = time(NULL);
tm = localtime(&tc);
rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "TIME_WDAY: Memory allocation error");
+ return -1;
+ }
rvar->value = apr_psprintf(mptmp, "%d", tm->tm_wday);
+ if (!rvar->value) {
+ msr_log(msr, 1, "TIME_WDAY: Memory allocation error");
+ return -1;
+ }
rvar->value_len = strlen(rvar->value);
apr_table_addn(vartab, rvar->name, (void *)rvar);
@@ -1902,6 +2272,10 @@ static int var_time_wday_generate(modsec_rec *msr, msre_var *var, msre_rule *rul
static int var_time_sec_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
msre_var *rvar = NULL;
struct tm *tm;
time_t tc;
@@ -1909,7 +2283,15 @@ static int var_time_sec_generate(modsec_rec *msr, msre_var *var, msre_rule *rule
tc = time(NULL);
tm = localtime(&tc);
rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "TIME_SEC: Memory allocation error");
+ return -1;
+ }
rvar->value = apr_psprintf(mptmp, "%02d", tm->tm_sec);
+ if (!rvar->value) {
+ msr_log(msr, 1, "TIME_SEC: Memory allocation error");
+ return -1;
+ }
rvar->value_len = strlen(rvar->value);
apr_table_addn(vartab, rvar->name, (void *)rvar);
@@ -1921,6 +2303,10 @@ static int var_time_sec_generate(modsec_rec *msr, msre_var *var, msre_rule *rule
static int var_time_min_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
msre_var *rvar = NULL;
struct tm *tm;
time_t tc;
@@ -1928,7 +2314,15 @@ static int var_time_min_generate(modsec_rec *msr, msre_var *var, msre_rule *rule
tc = time(NULL);
tm = localtime(&tc);
rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "TIME_MIN: Memory allocation error");
+ return -1;
+ }
rvar->value = apr_psprintf(mptmp, "%02d", tm->tm_min);
+ if (!rvar->value) {
+ msr_log(msr, 1, "TIME_MIN: Memory allocation error");
+ return -1;
+ }
rvar->value_len = strlen(rvar->value);
apr_table_addn(vartab, rvar->name, (void *)rvar);
@@ -1939,6 +2333,10 @@ static int var_time_min_generate(modsec_rec *msr, msre_var *var, msre_rule *rule
static int var_time_hour_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
msre_var *rvar = NULL;
struct tm *tm;
time_t tc;
@@ -1946,7 +2344,15 @@ static int var_time_hour_generate(modsec_rec *msr, msre_var *var, msre_rule *rul
tc = time(NULL);
tm = localtime(&tc);
rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "TIME_HOUR: Memory allocation error");
+ return -1;
+ }
rvar->value = apr_psprintf(mptmp, "%02d", tm->tm_hour);
+ if (!rvar->value) {
+ msr_log(msr, 1, "TIME_HOUR: Memory allocation error");
+ return -1;
+ }
rvar->value_len = strlen(rvar->value);
apr_table_addn(vartab, rvar->name, (void *)rvar);
@@ -1958,6 +2364,10 @@ static int var_time_hour_generate(modsec_rec *msr, msre_var *var, msre_rule *rul
static int var_time_mon_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
msre_var *rvar = NULL;
struct tm *tm;
time_t tc;
@@ -1965,7 +2375,16 @@ static int var_time_mon_generate(modsec_rec *msr, msre_var *var, msre_rule *rule
tc = time(NULL);
tm = localtime(&tc);
rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ assert(msr != NULL);
+ if (!rvar) {
+ msr_log(msr, 1, "TIME_MON: Memory allocation error");
+ return -1;
+ }
rvar->value = apr_psprintf(mptmp, "%02d", tm->tm_mon + 1);
+ if (!rvar->value) {
+ msr_log(msr, 1, "TIME_MON: Memory allocation error");
+ return -1;
+ }
rvar->value_len = strlen(rvar->value);
apr_table_addn(vartab, rvar->name, (void *)rvar);
@@ -1977,6 +2396,10 @@ static int var_time_mon_generate(modsec_rec *msr, msre_var *var, msre_rule *rule
static int var_time_day_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
msre_var *rvar = NULL;
struct tm *tm;
time_t tc;
@@ -1984,7 +2407,15 @@ static int var_time_day_generate(modsec_rec *msr, msre_var *var, msre_rule *rule
tc = time(NULL);
tm = localtime(&tc);
rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "TIME_DAY: Memory allocation error");
+ return -1;
+ }
rvar->value = apr_psprintf(mptmp, "%02d", tm->tm_mday);
+ if (!rvar->value) {
+ msr_log(msr, 1, "TIME_DAY: Memory allocation error");
+ return -1;
+ }
rvar->value_len = strlen(rvar->value);
apr_table_addn(vartab, rvar->name, (void *)rvar);
@@ -1996,12 +2427,24 @@ static int var_time_day_generate(modsec_rec *msr, msre_var *var, msre_rule *rule
static int var_time_epoch_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
msre_var *rvar = NULL;
time_t tc;
tc = time(NULL);
rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "TIME_EPOCH: Memory allocation error");
+ return -1;
+ }
rvar->value = apr_psprintf(mptmp, "%ld", (long)tc);
+ if (!rvar->value) {
+ msr_log(msr, 1, "TIME_EPOCH: Memory allocation error");
+ return -1;
+ }
rvar->value_len = strlen(rvar->value);
apr_table_addn(vartab, rvar->name, (void *)rvar);
@@ -2013,6 +2456,7 @@ static int var_time_epoch_generate(modsec_rec *msr, msre_var *var, msre_rule *ru
static int var_query_string_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return var_simple_generate(var, vartab, mptmp, msr->query_string);
}
@@ -2021,6 +2465,8 @@ static int var_query_string_generate(modsec_rec *msr, msre_var *var, msre_rule *
static int var_request_basename_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
char *value = file_basename(mptmp, msr->r->parsed_uri.path);
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -2030,6 +2476,10 @@ static int var_request_basename_generate(modsec_rec *msr, msre_var *var, msre_ru
static int var_full_request_generate(modsec_rec *msr, msre_var *var,
msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
char *full_request = NULL;
int full_request_length = 0;
@@ -2056,7 +2506,7 @@ static int var_full_request_generate(modsec_rec *msr, msre_var *var,
}
goto failed_not_enough_mem;
}
- memset(full_request, '\0', sizeof(char)*msr->msc_full_request_length);
+ full_request[0] = '\0';
msr->msc_full_request_buffer = full_request;
msr->msc_full_request_length = full_request_length;
@@ -2092,6 +2542,10 @@ static int var_full_request_generate(modsec_rec *msr, msre_var *var,
static int var_full_request_length_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
char *value = NULL;
int headers_length = 0;
@@ -2110,6 +2564,7 @@ static int var_full_request_length_generate(modsec_rec *msr, msre_var *var, msre
static int var_request_body_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if (msr->msc_reqbody_buffer != NULL) {
return var_simple_generate_ex(var, vartab, mptmp,
msr->msc_reqbody_buffer, msr->msc_reqbody_length);
@@ -2122,6 +2577,7 @@ static int var_request_body_generate(modsec_rec *msr, msre_var *var, msre_rule *
static int var_request_body_length_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
char *value = apr_psprintf(mptmp, "%d", msr->msc_reqbody_length);
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -2131,6 +2587,10 @@ static int var_request_body_length_generate(modsec_rec *msr, msre_var *var, msre
static int var_matched_vars_names_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
@@ -2140,14 +2600,14 @@ static int var_matched_vars_names_generate(modsec_rec *msr, msre_var *var, msre_
for (i = 0; i < arr->nelts; i++) {
int match = 0;
msc_string *str = (msc_string *)te[i].val;
+ assert(str != NULL);
/* Figure out if we want to include this variable. */
if (var->param == NULL) match = 1;
else {
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, str->name,
- strlen(str->name), &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, str->name, strlen(str->name), &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(str->name, var->param) == 0) match = 1;
}
@@ -2158,6 +2618,11 @@ static int var_matched_vars_names_generate(modsec_rec *msr, msre_var *var, msre_
msre_var *rvar = apr_palloc(mptmp, sizeof(msre_var));
+ rvar->param = NULL;
+ rvar->param_data = NULL;
+ rvar->metadata = NULL;
+ rvar->param_regex = NULL;
+
rvar->value = apr_pstrndup(mptmp, str->name, strlen(str->name));
rvar->value_len = strlen(rvar->value);
rvar->name = apr_psprintf(mptmp, "%s",
@@ -2191,23 +2656,28 @@ static int var_matched_vars_names_generate(modsec_rec *msr, msre_var *var, msre_
static int var_matched_vars_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
arr = apr_table_elts(msr->matched_vars);
+ assert(arr != NULL);
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
int match = 0;
msc_string *str = (msc_string *)te[i].val;
+ assert(str != NULL);
/* Figure out if we want to include this variable. */
if (var->param == NULL) match = 1;
else {
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, str->name,
- strlen(str->name), &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, str->name, strlen(str->name), &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(str->name, var->param) == 0) match = 1;
}
@@ -2218,6 +2688,11 @@ static int var_matched_vars_generate(modsec_rec *msr, msre_var *var, msre_rule *
msre_var *rvar = apr_palloc(mptmp, sizeof(msre_var));
+ rvar->param = NULL;
+ rvar->param_data = NULL;
+ rvar->metadata = NULL;
+ rvar->param_regex = NULL;
+
rvar->value = apr_pstrndup(mptmp, str->value, str->value_len);
rvar->value_len = str->value_len;
rvar->name = apr_psprintf(mptmp, "%s",
@@ -2251,11 +2726,16 @@ static int var_matched_vars_generate(modsec_rec *msr, msre_var *var, msre_rule *
static int var_request_cookies_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
arr = apr_table_elts(msr->request_cookies);
+ assert(arr != NULL);
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
int match = 0;
@@ -2263,10 +2743,10 @@ static int var_request_cookies_generate(modsec_rec *msr, msre_var *var, msre_rul
/* Figure out if we want to include this variable. */
if (var->param == NULL) match = 1;
else {
+ assert(te[i].key != NULL);
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, te[i].key,
- strlen(te[i].key), &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, te[i].key, strlen(te[i].key), &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(te[i].key, var->param) == 0) match = 1;
}
@@ -2275,11 +2755,19 @@ static int var_request_cookies_generate(modsec_rec *msr, msre_var *var, msre_rul
/* If we had a match add this argument to the collection. */
if (match) {
msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "REQUEST_COOKIES: Memory allocation error");
+ return -1;
+ }
rvar->value = te[i].val;
rvar->value_len = strlen(rvar->value);
rvar->name = apr_psprintf(mptmp, "REQUEST_COOKIES:%s",
log_escape_nq(mptmp, te[i].key));
+ if (!rvar->name) {
+ msr_log(msr, 1, "REQUEST_COOKIES: Memory allocation error");
+ return -1;
+ }
apr_table_addn(vartab, rvar->name, (void *)rvar);
count++;
@@ -2294,11 +2782,16 @@ static int var_request_cookies_generate(modsec_rec *msr, msre_var *var, msre_rul
static int var_request_cookies_names_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
arr = apr_table_elts(msr->request_cookies);
+ assert(arr != NULL);
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
int match = 0;
@@ -2306,10 +2799,10 @@ static int var_request_cookies_names_generate(modsec_rec *msr, msre_var *var, ms
/* Figure out if we want to include this variable. */
if (var->param == NULL) match = 1;
else {
+ assert(te[i].key != NULL);
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, te[i].key,
- strlen(te[i].key), &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, te[i].key, strlen(te[i].key), &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(te[i].key, var->param) == 0) match = 1;
}
@@ -2318,11 +2811,19 @@ static int var_request_cookies_names_generate(modsec_rec *msr, msre_var *var, ms
/* If we had a match add this argument to the collection. */
if (match) {
msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "REQUEST_COOKIES_NAMES: Memory allocation error");
+ return -1;
+ }
rvar->value = te[i].key;
rvar->value_len = strlen(rvar->value);
rvar->name = apr_psprintf(mptmp, "REQUEST_COOKIES_NAMES:%s",
log_escape_nq(mptmp, te[i].key));
+ if (!rvar->name) {
+ msr_log(msr, 1, "REQUEST_COOKIES_NAMES: Memory allocation error");
+ return -1;
+ }
apr_table_addn(vartab, rvar->name, (void *)rvar);
count++;
@@ -2337,11 +2838,16 @@ static int var_request_cookies_names_generate(modsec_rec *msr, msre_var *var, ms
static int var_request_headers_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
arr = apr_table_elts(msr->request_headers);
+ assert(arr != NULL);
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
int match = 0;
@@ -2349,10 +2855,10 @@ static int var_request_headers_generate(modsec_rec *msr, msre_var *var, msre_rul
/* Figure out if we want to include this variable. */
if (var->param == NULL) match = 1;
else {
+ assert(te[i].key != NULL);
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, te[i].key,
- strlen(te[i].key), &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, te[i].key, strlen(te[i].key), &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(te[i].key, var->param) == 0) match = 1;
}
@@ -2361,11 +2867,19 @@ static int var_request_headers_generate(modsec_rec *msr, msre_var *var, msre_rul
/* If we had a match add this argument to the collection. */
if (match) {
msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "REQUEST_HEADERS: Memory allocation error");
+ return -1;
+ }
rvar->value = te[i].val;
rvar->value_len = strlen(rvar->value);
rvar->name = apr_psprintf(mptmp, "REQUEST_HEADERS:%s",
log_escape_nq(mptmp, te[i].key));
+ if (!rvar->name) {
+ msr_log(msr, 1, "REQUEST_HEADERS: Memory allocation error");
+ return -1;
+ }
apr_table_addn(vartab, rvar->name, (void *)rvar);
count++;
@@ -2380,11 +2894,16 @@ static int var_request_headers_generate(modsec_rec *msr, msre_var *var, msre_rul
static int var_request_headers_names_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
arr = apr_table_elts(msr->request_headers);
+ assert(arr != NULL);
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
int match = 0;
@@ -2392,10 +2911,10 @@ static int var_request_headers_names_generate(modsec_rec *msr, msre_var *var, ms
/* Figure out if we want to include this variable. */
if (var->param == NULL) match = 1;
else {
+ assert(te[i].key != NULL);
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, te[i].key,
- strlen(te[i].key), &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, te[i].key, strlen(te[i].key), &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(te[i].key, var->param) == 0) match = 1;
}
@@ -2404,11 +2923,19 @@ static int var_request_headers_names_generate(modsec_rec *msr, msre_var *var, ms
/* If we had a match add this argument to the collection. */
if (match) {
msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "REQUEST_HEADERS_NAMES: Memory allocation error");
+ return -1;
+ }
rvar->value = te[i].key;
rvar->value_len = strlen(rvar->value);
rvar->name = apr_psprintf(mptmp, "REQUEST_HEADERS_NAMES:%s",
log_escape_nq(mptmp, te[i].key));
+ if (!rvar->name) {
+ msr_log(msr, 1, "REQUEST_HEADERS_NAMES: Memory allocation error");
+ return -1;
+ }
apr_table_addn(vartab, rvar->name, (void *)rvar);
count++;
@@ -2423,6 +2950,8 @@ static int var_request_headers_names_generate(modsec_rec *msr, msre_var *var, ms
static int var_request_filename_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
return var_simple_generate(var, vartab, mptmp, msr->r->parsed_uri.path);
}
@@ -2431,6 +2960,7 @@ static int var_request_filename_generate(modsec_rec *msr, msre_var *var, msre_ru
static int var_request_line_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return var_simple_generate(var, vartab, mptmp, msr->request_line);
}
@@ -2439,6 +2969,7 @@ static int var_request_line_generate(modsec_rec *msr, msre_var *var, msre_rule *
static int var_request_method_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return var_simple_generate(var, vartab, mptmp, msr->request_method);
}
@@ -2447,6 +2978,7 @@ static int var_request_method_generate(modsec_rec *msr, msre_var *var, msre_rule
static int var_request_protocol_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return var_simple_generate(var, vartab, mptmp, msr->request_protocol);
}
@@ -2455,6 +2987,7 @@ static int var_request_protocol_generate(modsec_rec *msr, msre_var *var, msre_ru
static int var_server_addr_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return var_simple_generate(var, vartab, mptmp, msr->local_addr);
}
@@ -2463,6 +2996,7 @@ static int var_server_addr_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_server_name_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
return var_simple_generate(var, vartab, mptmp, msr->hostname);
}
@@ -2471,7 +3005,12 @@ static int var_server_name_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_server_port_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
char *value = apr_psprintf(mptmp, "%u", msr->local_port);
+ if (!value) {
+ msr_log(msr, 1, "SERVER_PORT: Memory allocation error");
+ return -1;
+ }
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -2480,6 +3019,8 @@ static int var_server_port_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_script_basename_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
char *value = file_basename(mptmp, msr->r->filename);
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -2489,6 +3030,8 @@ static int var_script_basename_generate(modsec_rec *msr, msre_var *var, msre_rul
static int var_script_filename_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
char *value = msr->r->filename;
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -2498,7 +3041,13 @@ static int var_script_filename_generate(modsec_rec *msr, msre_var *var, msre_rul
static int var_script_gid_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
char *value = apr_psprintf(mptmp, "%ld", (long)msr->r->finfo.group);
+ if (!value) {
+ msr_log(msr, 1, "SCRIPT_GID: Memory allocation error");
+ return -1;
+ }
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -2507,6 +3056,9 @@ static int var_script_gid_generate(modsec_rec *msr, msre_var *var, msre_rule *ru
static int var_script_groupname_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
+ assert(mptmp != NULL);
char *value = NULL;
if (apr_gid_name_get(&value, msr->r->finfo.group, mptmp) == APR_SUCCESS) {
return var_simple_generate(var, vartab, mptmp, value);
@@ -2519,6 +3071,9 @@ static int var_script_groupname_generate(modsec_rec *msr, msre_var *var, msre_ru
static int var_script_mode_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
+ assert(mptmp != NULL);
char *value = apr_psprintf(mptmp, "%04x", msr->r->finfo.protection);
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -2528,6 +3083,9 @@ static int var_script_mode_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_script_uid_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
+ assert(mptmp != NULL);
char *value = apr_psprintf(mptmp, "%ld", (long)msr->r->finfo.user);
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -2537,6 +3095,9 @@ static int var_script_uid_generate(modsec_rec *msr, msre_var *var, msre_rule *ru
static int var_script_username_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
+ assert(mptmp != NULL);
char *value = NULL;
if (apr_uid_name_get(&value, msr->r->finfo.user, mptmp) == APR_SUCCESS) {
return var_simple_generate(var, vartab, mptmp, value);
@@ -2549,6 +3110,8 @@ static int var_script_username_generate(modsec_rec *msr, msre_var *var, msre_rul
static int var_auth_type_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
char *value = msr->r->ap_auth_type;
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -2558,6 +3121,9 @@ static int var_auth_type_generate(modsec_rec *msr, msre_var *var, msre_rule *rul
static int var_path_info_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
+ assert(mptmp != NULL);
const char *value = msr->r->path_info;
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -2567,6 +3133,7 @@ static int var_path_info_generate(modsec_rec *msr, msre_var *var, msre_rule *rul
static int var_stream_output_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if (msr->stream_output_data != NULL) {
return var_simple_generate_ex(var, vartab, mptmp,
msr->stream_output_data, msr->stream_output_length);
@@ -2580,6 +3147,7 @@ static int var_stream_output_generate(modsec_rec *msr, msre_var *var, msre_rule
static int var_stream_input_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if (msr->stream_input_data != NULL) {
return var_simple_generate_ex(var, vartab, mptmp,
msr->stream_input_data, msr->stream_input_length);
@@ -2593,6 +3161,7 @@ static int var_stream_input_generate(modsec_rec *msr, msre_var *var, msre_rule *
static int var_response_body_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
if (msr->resbody_data != NULL) {
return var_simple_generate_ex(var, vartab, mptmp,
msr->resbody_data, msr->resbody_length);
@@ -2606,6 +3175,10 @@ static int var_response_body_generate(modsec_rec *msr, msre_var *var, msre_rule
static int var_response_headers_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
@@ -2613,6 +3186,7 @@ static int var_response_headers_generate(modsec_rec *msr, msre_var *var, msre_ru
if (msr->response_headers == NULL) return 0;
arr = apr_table_elts(msr->response_headers);
+ assert(arr != NULL);
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
int match = 0;
@@ -2620,10 +3194,10 @@ static int var_response_headers_generate(modsec_rec *msr, msre_var *var, msre_ru
/* Figure out if we want to include this variable. */
if (var->param == NULL) match = 1;
else {
+ assert(te[i].key != NULL);
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, te[i].key,
- strlen(te[i].key), &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, te[i].key, strlen(te[i].key), &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(te[i].key, var->param) == 0) match = 1;
}
@@ -2632,11 +3206,19 @@ static int var_response_headers_generate(modsec_rec *msr, msre_var *var, msre_ru
/* If we had a match add this argument to the collection. */
if (match) {
msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "RESPONSE_HEADERS: Memory allocation error");
+ return -1;
+ }
rvar->value = te[i].val;
rvar->value_len = strlen(rvar->value);
rvar->name = apr_psprintf(mptmp, "RESPONSE_HEADERS:%s",
log_escape_nq(mptmp, te[i].key));
+ if (!rvar->name) {
+ msr_log(msr, 1, "RESPONSE_HEADERS: Memory allocation error");
+ return -1;
+ }
apr_table_addn(vartab, rvar->name, (void *)rvar);
count++;
@@ -2651,11 +3233,16 @@ static int var_response_headers_generate(modsec_rec *msr, msre_var *var, msre_ru
static int var_response_headers_names_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(var != NULL);
+ assert(vartab != NULL);
+ assert(mptmp != NULL);
const apr_array_header_t *arr = NULL;
const apr_table_entry_t *te = NULL;
int i, count = 0;
arr = apr_table_elts(msr->response_headers);
+ assert(arr != NULL);
te = (apr_table_entry_t *)arr->elts;
for (i = 0; i < arr->nelts; i++) {
int match = 0;
@@ -2663,10 +3250,10 @@ static int var_response_headers_names_generate(modsec_rec *msr, msre_var *var, m
/* Figure out if we want to include this variable. */
if (var->param == NULL) match = 1;
else {
+ assert(te[i].key != NULL);
if (var->param_data != NULL) { /* Regex. */
char *my_error_msg = NULL;
- if (!(msc_regexec((msc_regex_t *)var->param_data, te[i].key,
- strlen(te[i].key), &my_error_msg) == PCRE_ERROR_NOMATCH)) match = 1;
+ if (msc_regexec((msc_regex_t *)var->param_data, te[i].key, strlen(te[i].key), &my_error_msg) >= 0) match = 1;
} else { /* Simple comparison. */
if (strcasecmp(te[i].key, var->param) == 0) match = 1;
}
@@ -2675,11 +3262,19 @@ static int var_response_headers_names_generate(modsec_rec *msr, msre_var *var, m
/* If we had a match add this argument to the collection. */
if (match) {
msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+ if (!rvar) {
+ msr_log(msr, 1, "RESPONSE_HEADERS_NAMES: Memory allocation error");
+ return -1;
+ }
rvar->value = te[i].key;
rvar->value_len = strlen(rvar->value);
rvar->name = apr_psprintf(mptmp, "RESPONSE_HEADERS_NAMES:%s",
log_escape_nq(mptmp, te[i].key));
+ if (!rvar) {
+ msr_log(msr, 1, "RESPONSE_HEADERS_NAMES: Memory allocation error");
+ return -1;
+ }
apr_table_addn(vartab, rvar->name, (void *)rvar);
count++;
@@ -2694,6 +3289,7 @@ static int var_response_headers_names_generate(modsec_rec *msr, msre_var *var, m
static int var_status_line_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
const char *value = msr->status_line;
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -2703,6 +3299,7 @@ static int var_status_line_generate(modsec_rec *msr, msre_var *var, msre_rule *r
static int var_response_protocol_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
const char *value = msr->response_protocol;
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -2712,6 +3309,7 @@ static int var_response_protocol_generate(modsec_rec *msr, msre_var *var, msre_r
static int var_response_status_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
const char *value = apr_psprintf(mptmp, "%u", msr->response_status);
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -2721,6 +3319,8 @@ static int var_response_status_generate(modsec_rec *msr, msre_var *var, msre_rul
static int var_response_content_type(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
return var_simple_generate(var, vartab, mptmp, msr->r->content_type);
}
@@ -2729,6 +3329,8 @@ static int var_response_content_type(modsec_rec *msr, msre_var *var, msre_rule *
static int var_response_content_length(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->r != NULL);
const char *value = apr_psprintf(mptmp, "%" APR_OFF_T_FMT, msr->r->clength);
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -2738,6 +3340,7 @@ static int var_response_content_length(modsec_rec *msr, msre_var *var, msre_rule
static int var_userid_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
const char *value = msr->userid;
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -2747,6 +3350,7 @@ static int var_userid_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
static int var_sessionid_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
const char *value = msr->sessionid;
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -2756,6 +3360,8 @@ static int var_sessionid_generate(modsec_rec *msr, msre_var *var, msre_rule *rul
static int var_webappid_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
apr_table_t *vartab, apr_pool_t *mptmp)
{
+ assert(msr != NULL);
+ assert(msr->txcfg != NULL);
const char *value = msr->txcfg->webappid;
return var_simple_generate(var, vartab, mptmp, value);
}
@@ -2770,6 +3376,7 @@ void msre_engine_variable_register(msre_engine *engine, const char *name,
fn_var_validate_t validate, fn_var_generate_t generate,
unsigned int is_cacheable, unsigned int availability)
{
+ assert(engine != NULL);
msre_var_metadata *metadata = (msre_var_metadata *)apr_pcalloc(engine->mp,
sizeof(msre_var_metadata));
if (metadata == NULL) return;
@@ -2790,6 +3397,7 @@ void msre_engine_variable_register(msre_engine *engine, const char *name,
*
*/
void msre_engine_register_default_variables(msre_engine *engine) {
+ assert(engine != NULL);
/* ARGS */
msre_engine_variable_register(engine,
@@ -2956,6 +3564,17 @@ void msre_engine_register_default_variables(msre_engine *engine) {
PHASE_REQUEST_BODY
);
+ /* MULTIPART_PART_HEADERS */
+ msre_engine_variable_register(engine,
+ "MULTIPART_PART_HEADERS",
+ VAR_LIST,
+ 0, 1,
+ var_generic_list_validate,
+ var_multipart_part_headers_generate,
+ VAR_CACHE,
+ PHASE_REQUEST_BODY
+ );
+
/* GEO */
msre_engine_variable_register(engine,
"GEO",
diff --git a/build/compile b/build/compile
index 1b1d232169..df363c8fbf 100755
--- a/build/compile
+++ b/build/compile
@@ -1,9 +1,9 @@
#! /bin/sh
-# Wrapper for compilers which do not understand `-c -o'.
+# Wrapper for compilers which do not understand '-c -o'.
-scriptversion=2005-05-14.22
+scriptversion=2018-03-07.03; # UTC
-# Copyright (C) 1999, 2000, 2003, 2004, 2005 Free Software Foundation, Inc.
+# Copyright (C) 1999-2021 Free Software Foundation, Inc.
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
@@ -17,8 +17,7 @@ scriptversion=2005-05-14.22
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
@@ -29,21 +28,224 @@ scriptversion=2005-05-14.22
# bugs to <bug-automake@gnu.org> or send patches to
# <automake-patches@gnu.org>.
+nl='
+'
+
+# We need space, tab and new line, in precisely that order. Quoting is
+# there to prevent tools from complaining about whitespace usage.
+IFS=" "" $nl"
+
+file_conv=
+
+# func_file_conv build_file lazy
+# Convert a $build file to $host form and store it in $file
+# Currently only supports Windows hosts. If the determined conversion
+# type is listed in (the comma separated) LAZY, no conversion will
+# take place.
+func_file_conv ()
+{
+ file=$1
+ case $file in
+ / | /[!/]*) # absolute file, and not a UNC file
+ if test -z "$file_conv"; then
+ # lazily determine how to convert abs files
+ case `uname -s` in
+ MINGW*)
+ file_conv=mingw
+ ;;
+ CYGWIN* | MSYS*)
+ file_conv=cygwin
+ ;;
+ *)
+ file_conv=wine
+ ;;
+ esac
+ fi
+ case $file_conv/,$2, in
+ *,$file_conv,*)
+ ;;
+ mingw/*)
+ file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
+ ;;
+ cygwin/* | msys/*)
+ file=`cygpath -m "$file" || echo "$file"`
+ ;;
+ wine/*)
+ file=`winepath -w "$file" || echo "$file"`
+ ;;
+ esac
+ ;;
+ esac
+}
+
+# func_cl_dashL linkdir
+# Make cl look for libraries in LINKDIR
+func_cl_dashL ()
+{
+ func_file_conv "$1"
+ if test -z "$lib_path"; then
+ lib_path=$file
+ else
+ lib_path="$lib_path;$file"
+ fi
+ linker_opts="$linker_opts -LIBPATH:$file"
+}
+
+# func_cl_dashl library
+# Do a library search-path lookup for cl
+func_cl_dashl ()
+{
+ lib=$1
+ found=no
+ save_IFS=$IFS
+ IFS=';'
+ for dir in $lib_path $LIB
+ do
+ IFS=$save_IFS
+ if $shared && test -f "$dir/$lib.dll.lib"; then
+ found=yes
+ lib=$dir/$lib.dll.lib
+ break
+ fi
+ if test -f "$dir/$lib.lib"; then
+ found=yes
+ lib=$dir/$lib.lib
+ break
+ fi
+ if test -f "$dir/lib$lib.a"; then
+ found=yes
+ lib=$dir/lib$lib.a
+ break
+ fi
+ done
+ IFS=$save_IFS
+
+ if test "$found" != yes; then
+ lib=$lib.lib
+ fi
+}
+
+# func_cl_wrapper cl arg...
+# Adjust compile command to suit cl
+func_cl_wrapper ()
+{
+ # Assume a capable shell
+ lib_path=
+ shared=:
+ linker_opts=
+ for arg
+ do
+ if test -n "$eat"; then
+ eat=
+ else
+ case $1 in
+ -o)
+ # configure might choose to run compile as 'compile cc -o foo foo.c'.
+ eat=1
+ case $2 in
+ *.o | *.[oO][bB][jJ])
+ func_file_conv "$2"
+ set x "$@" -Fo"$file"
+ shift
+ ;;
+ *)
+ func_file_conv "$2"
+ set x "$@" -Fe"$file"
+ shift
+ ;;
+ esac
+ ;;
+ -I)
+ eat=1
+ func_file_conv "$2" mingw
+ set x "$@" -I"$file"
+ shift
+ ;;
+ -I*)
+ func_file_conv "${1#-I}" mingw
+ set x "$@" -I"$file"
+ shift
+ ;;
+ -l)
+ eat=1
+ func_cl_dashl "$2"
+ set x "$@" "$lib"
+ shift
+ ;;
+ -l*)
+ func_cl_dashl "${1#-l}"
+ set x "$@" "$lib"
+ shift
+ ;;
+ -L)
+ eat=1
+ func_cl_dashL "$2"
+ ;;
+ -L*)
+ func_cl_dashL "${1#-L}"
+ ;;
+ -static)
+ shared=false
+ ;;
+ -Wl,*)
+ arg=${1#-Wl,}
+ save_ifs="$IFS"; IFS=','
+ for flag in $arg; do
+ IFS="$save_ifs"
+ linker_opts="$linker_opts $flag"
+ done
+ IFS="$save_ifs"
+ ;;
+ -Xlinker)
+ eat=1
+ linker_opts="$linker_opts $2"
+ ;;
+ -*)
+ set x "$@" "$1"
+ shift
+ ;;
+ *.cc | *.CC | *.cxx | *.CXX | *.[cC]++)
+ func_file_conv "$1"
+ set x "$@" -Tp"$file"
+ shift
+ ;;
+ *.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO])
+ func_file_conv "$1" mingw
+ set x "$@" "$file"
+ shift
+ ;;
+ *)
+ set x "$@" "$1"
+ shift
+ ;;
+ esac
+ fi
+ shift
+ done
+ if test -n "$linker_opts"; then
+ linker_opts="-link$linker_opts"
+ fi
+ exec "$@" $linker_opts
+ exit 1
+}
+
+eat=
+
case $1 in
'')
- echo "$0: No command. Try \`$0 --help' for more information." 1>&2
+ echo "$0: No command. Try '$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: compile [--help] [--version] PROGRAM [ARGS]
-Wrapper for compilers which do not understand `-c -o'.
-Remove `-o dest.o' from ARGS, run PROGRAM with the remaining
+Wrapper for compilers which do not understand '-c -o'.
+Remove '-o dest.o' from ARGS, run PROGRAM with the remaining
arguments, and rename the output as expected.
If you are trying to build a whole package this is not the
-right script to run: please start by reading the file `INSTALL'.
+right script to run: please start by reading the file 'INSTALL'.
Report bugs to <bug-automake@gnu.org>.
EOF
@@ -53,11 +255,14 @@ EOF
echo "compile $scriptversion"
exit $?
;;
+ cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \
+ icl | *[/\\]icl | icl.exe | *[/\\]icl.exe )
+ func_cl_wrapper "$@" # Doesn't return...
+ ;;
esac
ofile=
cfile=
-eat=
for arg
do
@@ -66,8 +271,8 @@ do
else
case $1 in
-o)
- # configure might choose to run compile as `compile cc -o foo foo.c'.
- # So we strip `-o arg' only if arg is an object.
+ # configure might choose to run compile as 'compile cc -o foo foo.c'.
+ # So we strip '-o arg' only if arg is an object.
eat=1
case $2 in
*.o | *.obj)
@@ -94,22 +299,22 @@ do
done
if test -z "$ofile" || test -z "$cfile"; then
- # If no `-o' option was seen then we might have been invoked from a
+ # If no '-o' option was seen then we might have been invoked from a
# pattern rule where we don't need one. That is ok -- this is a
# normal compilation that the losing compiler can handle. If no
- # `.c' file was seen then we are probably linking. That is also
+ # '.c' file was seen then we are probably linking. That is also
# ok.
exec "$@"
fi
# Name of file we expect compiler to create.
-cofile=`echo "$cfile" | sed -e 's|^.*/||' -e 's/\.c$/.o/'`
+cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'`
# Create the lock directory.
-# Note: use `[/.-]' here to ensure that we don't use the same name
+# Note: use '[/\\:.-]' here to ensure that we don't use the same name
# that we are using for the .o file. Also, base the name on the expected
# object file name, since that is what matters with a parallel build.
-lockdir=`echo "$cofile" | sed -e 's|[/.-]|_|g'`.d
+lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d
while true; do
if mkdir "$lockdir" >/dev/null 2>&1; then
break
@@ -124,9 +329,9 @@ trap "rmdir '$lockdir'; exit 1" 1 2 15
ret=$?
if test -f "$cofile"; then
- mv "$cofile" "$ofile"
+ test "$cofile" = "$ofile" || mv "$cofile" "$ofile"
elif test -f "${cofile}bj"; then
- mv "${cofile}bj" "$ofile"
+ test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile"
fi
rmdir "$lockdir"
@@ -135,8 +340,9 @@ exit $ret
# Local Variables:
# mode: shell-script
# sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'before-save-hook 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
+# time-stamp-time-zone: "UTC0"
+# time-stamp-end: "; # UTC"
# End:
diff --git a/build/find_apr.m4 b/build/find_apr.m4
index 5524b66285..a303696586 100644
--- a/build/find_apr.m4
+++ b/build/find_apr.m4
@@ -18,7 +18,7 @@ AC_DEFUN([CHECK_APR],
AC_ARG_WITH(
apr,
- [AC_HELP_STRING([--with-apr=PATH],[Path to apr prefix or config script])],
+ [AS_HELP_STRING([--with-apr=PATH],[Path to apr prefix or config script])],
[test_paths="${with_apr}"],
[test_paths="/usr/local/libapr /usr/local/apr /usr/local /opt/libapr /opt/apr /opt /usr"])
diff --git a/build/find_apu.m4 b/build/find_apu.m4
index 4a5e6e5549..956a159cb7 100644
--- a/build/find_apu.m4
+++ b/build/find_apu.m4
@@ -18,7 +18,7 @@ AC_DEFUN([CHECK_APU],
AC_ARG_WITH(
apu,
- [AC_HELP_STRING([--with-apu=PATH],[Path to apu prefix or config script])],
+ [AS_HELP_STRING([--with-apu=PATH],[Path to apu prefix or config script])],
[test_paths="${with_apu}"],
[test_paths="/usr/local/libapr-util /usr/local/apr-util /usr/local/libapu /usr/local/apu /usr/local/apr /usr/local /opt/libapr-util /opt/apr-util /opt/libapu /opt/apu /opt /usr"])
diff --git a/build/find_curl.m4 b/build/find_curl.m4
index 6b23ad696e..1cee35bba2 100644
--- a/build/find_curl.m4
+++ b/build/find_curl.m4
@@ -2,6 +2,7 @@ dnl Check for CURL Libraries
dnl CHECK_CURL(ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND])
dnl Sets:
dnl CURL_CFLAGS
+dnl CURL_LDADD
dnl CURL_LIBS
CURL_CONFIG=""
@@ -17,7 +18,7 @@ AC_DEFUN([CHECK_CURL],
AC_ARG_WITH(
curl,
- [AC_HELP_STRING([--with-curl=PATH],[Path to curl prefix or config script])],
+ [AS_HELP_STRING([--with-curl=PATH],[Path to curl prefix or config script])],
[test_paths="${with_curl}"],
[test_paths="/usr/local/libcurl /usr/local/curl /usr/local /opt/libcurl /opt/curl /opt /usr"])
@@ -53,11 +54,12 @@ if test -n "${curl_path}"; then
CURL_CONFIG="${curl_path}/${CURL_CONFIG}"
fi
AC_MSG_RESULT([${CURL_CONFIG}])
- CURL_VERSION=`${CURL_CONFIG} --version | sed 's/^[[^0-9]][[^[:space:]]][[^[:space:]]]*[[[:space:]]]*//'`
+ CURL_VERSION=`${CURL_CONFIG} --version | sed 's/^[[^0-9]][[^[:space:]]][[^[:space:]]]*[[[:space:]]]*//' | tr '\r\n' ' '`
if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(curl VERSION: $CURL_VERSION); fi
CURL_CFLAGS="`${CURL_CONFIG} --cflags`"
if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(curl CFLAGS: $CURL_CFLAGS); fi
- CURL_LDADD="`${CURL_CONFIG} --libs`"
+ CURL_LIBS="`${CURL_CONFIG} --libs`"
+ CURL_LDADD="${CURL_LIBS}"
if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(curl LDADD: $CURL_LIBS); fi
dnl # Check version is ok
diff --git a/build/find_lua.m4 b/build/find_lua.m4
index b86280112b..664bc3e3fa 100644
--- a/build/find_lua.m4
+++ b/build/find_lua.m4
@@ -16,12 +16,12 @@ LUA_CPPFLAGS=""
LUA_LDADD=""
LUA_LDFLAGS=""
LUA_CONFIG=${PKG_CONFIG}
-LUA_PKGNAMES="lua5.1 lua-5.1 lua_5.1 lua-51 lua_51 lua51 lua5 lua"
+LUA_PKGNAMES="lua5.1 lua-5.1 lua_5.1 lua-51 lua_51 lua51 lua5 lua lua5.2 lua-5.2 lua_5.2 lua-52 lua_52 lua52 lua5.3 lua-5.3 lua_5.3 lua-53 lua_53 lua53 "
LUA_SONAMES="so la sl dll dylib a"
AC_ARG_WITH(
lua,
- [AC_HELP_STRING([--with-lua=PATH],[Path to lua prefix or config script])]
+ [AS_HELP_STRING([--with-lua=PATH],[Path to lua prefix or config script])]
,, with_lua=yes)
AS_CASE(["${with_lua}"],
diff --git a/build/find_pcre.m4 b/build/find_pcre.m4
index f5da40a327..bf297f67fc 100644
--- a/build/find_pcre.m4
+++ b/build/find_pcre.m4
@@ -17,74 +17,77 @@ AC_DEFUN([CHECK_PCRE],
AC_ARG_WITH(
pcre,
- [AC_HELP_STRING([--with-pcre=PATH],[Path to pcre prefix or config script])],
+ [AS_HELP_STRING([--with-pcre=PATH],[Path to pcre prefix or config script])],
[test_paths="${with_pcre}"],
[test_paths="/usr/local/libpcre /usr/local/pcre /usr/local /opt/libpcre /opt/pcre /opt /usr"])
-AC_MSG_CHECKING([for libpcre config script])
-
-dnl # Determine pcre lib directory
-if test -z "${with_pcre}"; then
- test_paths="/usr/local/pcre /usr/local /usr"
+if test "x${with_pcre2}" != "x" && test "x${with_pcre2}" != "xno"; then
+ AC_MSG_NOTICE([pcre2 specified; omitting check for pcre])
else
- test_paths="${with_pcre}"
-fi
+ AC_MSG_CHECKING([for libpcre config script])
-for x in ${test_paths}; do
- dnl # Determine if the script was specified and use it directly
- if test ! -d "$x" -a -e "$x"; then
- PCRE_CONFIG=$x
- pcre_path="no"
- break
+ dnl # Determine pcre lib directory
+ if test -z "${with_pcre}"; then
+ test_paths="/usr/local/pcre /usr/local /usr"
+ else
+ test_paths="${with_pcre}"
fi
- dnl # Try known config script names/locations
- for PCRE_CONFIG in pcre-config; do
- if test -e "${x}/bin/${PCRE_CONFIG}"; then
- pcre_path="${x}/bin"
+ for x in ${test_paths}; do
+ dnl # Determine if the script was specified and use it directly
+ if test ! -d "$x" -a -e "$x"; then
+ PCRE_CONFIG=$x
+ pcre_path="no"
break
- elif test -e "${x}/${PCRE_CONFIG}"; then
- pcre_path="${x}"
+ fi
+
+ dnl # Try known config script names/locations
+ for PCRE_CONFIG in pcre-config; do
+ if test -e "${x}/bin/${PCRE_CONFIG}"; then
+ pcre_path="${x}/bin"
+ break
+ elif test -e "${x}/${PCRE_CONFIG}"; then
+ pcre_path="${x}"
+ break
+ else
+ pcre_path=""
+ fi
+ done
+ if test -n "$pcre_path"; then
break
- else
- pcre_path=""
fi
done
- if test -n "$pcre_path"; then
- break
- fi
-done
-if test -n "${pcre_path}"; then
- if test "${pcre_path}" != "no"; then
- PCRE_CONFIG="${pcre_path}/${PCRE_CONFIG}"
+ if test -n "${pcre_path}"; then
+ if test "${pcre_path}" != "no"; then
+ PCRE_CONFIG="${pcre_path}/${PCRE_CONFIG}"
+ fi
+ AC_MSG_RESULT([${PCRE_CONFIG}])
+ PCRE_VERSION="`${PCRE_CONFIG} --version`"
+ if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(pcre VERSION: $PCRE_VERSION); fi
+ PCRE_CFLAGS="`${PCRE_CONFIG} --cflags`"
+ if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(pcre CFLAGS: $PCRE_CFLAGS); fi
+ PCRE_LDADD="`${PCRE_CONFIG} --libs`"
+ if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(pcre LDADD: $PCRE_LDADD); fi
+ PCRE_LD_PATH="/`${PCRE_CONFIG} --libs | cut -d'/' -f2,3,4,5,6 | cut -d ' ' -f1`"
+ if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(pcre PCRE_LD_PATH: $PCRE_LD_PATH); fi
+ else
+ AC_MSG_RESULT([no])
fi
- AC_MSG_RESULT([${PCRE_CONFIG}])
- PCRE_VERSION="`${PCRE_CONFIG} --version`"
- if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(pcre VERSION: $PCRE_VERSION); fi
- PCRE_CFLAGS="`${PCRE_CONFIG} --cflags`"
- if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(pcre CFLAGS: $PCRE_CFLAGS); fi
- PCRE_LDADD="`${PCRE_CONFIG} --libs`"
- if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(pcre LDADD: $PCRE_LDADD); fi
- PCRE_LD_PATH="/`${PCRE_CONFIG} --libs | cut -d'/' -f2,3,4,5,6 | cut -d ' ' -f1`"
- if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(pcre PCRE_LD_PATH: $PCRE_LD_PATH); fi
-else
- AC_MSG_RESULT([no])
-fi
-AC_SUBST(PCRE_CONFIG)
-AC_SUBST(PCRE_VERSION)
-AC_SUBST(PCRE_CPPFLAGS)
-AC_SUBST(PCRE_CFLAGS)
-AC_SUBST(PCRE_LDFLAGS)
-AC_SUBST(PCRE_LDADD)
-AC_SUBST(PCRE_LD_PATH)
+ AC_SUBST(PCRE_CONFIG)
+ AC_SUBST(PCRE_VERSION)
+ AC_SUBST(PCRE_CPPFLAGS)
+ AC_SUBST(PCRE_CFLAGS)
+ AC_SUBST(PCRE_LDFLAGS)
+ AC_SUBST(PCRE_LDADD)
+ AC_SUBST(PCRE_LD_PATH)
-if test -z "${PCRE_VERSION}"; then
- AC_MSG_NOTICE([*** pcre library not found.])
- ifelse([$2], , AC_MSG_ERROR([pcre library is required]), $2)
-else
- AC_MSG_NOTICE([using pcre v${PCRE_VERSION}])
- ifelse([$1], , , $1)
-fi
+ if test -z "${PCRE_VERSION}"; then
+ AC_MSG_NOTICE([*** pcre library not found.])
+ else
+ AC_MSG_NOTICE([using pcre v${PCRE_VERSION}])
+ ifelse([$1], , , $1)
+ fi
+fi
])
diff --git a/build/find_pcre2.m4 b/build/find_pcre2.m4
new file mode 100644
index 0000000000..f8786ce9f7
--- /dev/null
+++ b/build/find_pcre2.m4
@@ -0,0 +1,93 @@
+dnl Check for PCRE2 Libraries
+dnl CHECK_PCRE2(ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND])
+dnl Sets:
+dnl PCRE2_CFLAGS
+dnl PCRE2_LIBS
+
+PCRE2_CONFIG=""
+PCRE2_VERSION=""
+PCRE2_CPPFLAGS=""
+PCRE2_CFLAGS=""
+PCRE2_LDFLAGS=""
+PCRE2_LDADD=""
+PCRE_LD_PATH=""
+
+AC_DEFUN([CHECK_PCRE2],
+[dnl
+
+AC_ARG_WITH(
+ pcre2,
+ [AS_HELP_STRING([--with-pcre2=PATH],[Path to pcre2 prefix or config script])],
+ , with_pcre2=no)
+
+AS_CASE(["${with_pcre2}"],
+ [no], [test_paths=],
+ [yes], [test_paths="/usr/local/libpcre2 /usr/local/pcre2 /usr/local /opt/libpcre2 /opt/pcre2 /opt /usr"],
+ [test_paths="${with_pcre2}"])
+
+if test "x${with_pcre2}" = "x" || test "x${with_pcre2}" = "xno"; then
+ AC_MSG_NOTICE([pcre2 not specified; omitting check])
+else
+
+ AC_MSG_CHECKING([for libpcre2 config script])
+
+ for x in ${test_paths}; do
+ dnl # Determine if the script was specified and use it directly
+ if test ! -d "$x" -a -e "$x"; then
+ PCRE2_CONFIG=$x
+ pcre2_path="no"
+ break
+ fi
+
+ dnl # Try known config script names/locations
+ for PCRE2_CONFIG in pcre2-config; do
+ if test -e "${x}/bin/${PCRE2_CONFIG}"; then
+ pcre2_path="${x}/bin"
+ break
+ elif test -e "${x}/${PCRE2_CONFIG}"; then
+ pcre2_path="${x}"
+ break
+ else
+ pcre2_path=""
+ fi
+ done
+ if test -n "$pcre2_path"; then
+ break
+ fi
+ done
+
+ if test -n "${pcre2_path}"; then
+ if test "${pcre2_path}" != "no"; then
+ PCRE2_CONFIG="${pcre2_path}/${PCRE2_CONFIG}"
+ fi
+ AC_MSG_RESULT([${PCRE2_CONFIG}])
+ PCRE2_VERSION="`${PCRE2_CONFIG} --version`"
+ if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(pcre2 VERSION: $PCRE2_VERSION); fi
+ PCRE2_CFLAGS="`${PCRE2_CONFIG} --cflags`"
+ if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(pcre2 CFLAGS: $PCRE2_CFLAGS); fi
+ PCRE2_LDADD="`${PCRE2_CONFIG} --libs8`"
+ if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(pcre2 LDADD: $PCRE2_LDADD); fi
+ PCRE_LD_PATH="/`${PCRE2_CONFIG} --libs8 | cut -d'/' -f2,3,4,5,6 | cut -d ' ' -f1`"
+ if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(pcre2 PCRE_LD_PATH: $PCRE_LD_PATH); fi
+ else
+ AC_MSG_RESULT([no])
+ fi
+
+ AC_SUBST(PCRE2_CONFIG)
+ AC_SUBST(PCRE2_VERSION)
+ AC_SUBST(PCRE2_CPPFLAGS)
+ AC_SUBST(PCRE2_CFLAGS)
+ AC_SUBST(PCRE2_LDFLAGS)
+ AC_SUBST(PCRE2_LDADD)
+ AC_SUBST(PCRE_LD_PATH)
+
+ if test -z "${PCRE2_VERSION}"; then
+ AC_MSG_NOTICE([*** pcre2 library not found.])
+ ifelse([$2], , AC_MSG_ERROR([pcre2 library is required]), $2)
+ else
+ AC_MSG_NOTICE([using pcre2 v${PCRE2_VERSION}])
+ PCRE2_CFLAGS="-DWITH_PCRE2 ${PCRE2_CFLAGS}"
+ ifelse([$1], , , $1)
+ fi
+fi
+])
diff --git a/build/find_ssdeep.m4 b/build/find_ssdeep.m4
index 4b0c9aa970..08d3ef959b 100644
--- a/build/find_ssdeep.m4
+++ b/build/find_ssdeep.m4
@@ -13,7 +13,7 @@ SSDEEP_LDADD=""
AC_ARG_WITH(
ssdeep,
- [AC_HELP_STRING([--with-ssdeep=PATH],[Path to ssdeep prefix])]
+ [AS_HELP_STRING([--with-ssdeep=PATH],[Path to ssdeep prefix])]
,, with_ssdeep=yes)
AS_CASE(["${with_ssdeep}"],
diff --git a/build/find_xml.m4 b/build/find_xml.m4
index 691679e467..cd410faf4d 100644
--- a/build/find_xml.m4
+++ b/build/find_xml.m4
@@ -4,21 +4,7 @@ dnl Sets:
dnl LIBXML2_CFLAGS
dnl LIBXML2_LIBS
-LIBXML2_CONFIG=""
-LIBXML2_VERSION=""
-LIBXML2_CFLAGS=""
-LIBXML2_CPPFLAGS=""
-LIBXML2_LDADD=""
-LIBXML2_LDFLAGS=""
-
-AC_DEFUN([CHECK_LIBXML2],
-[dnl
-
-AC_ARG_WITH(
- libxml,
- [AC_HELP_STRING([--with-libxml=PATH],[Path to libxml2 prefix or config script])],
- [test_paths="${with_libxml}"],
- [test_paths="/usr/local/libxml2 /usr/local/xml2 /usr/local/xml /usr/local /opt/libxml2 /opt/libxml /opt/xml2 /opt/xml /opt /usr"])
+AC_DEFUN([CHECK_XML2CONFIG], [
AC_MSG_CHECKING([for libxml2 config script])
@@ -59,19 +45,56 @@ if test -n "${libxml2_path}"; then
LIBXML2_LDADD="`${LIBXML2_CONFIG} --libs`"
if test "$verbose_output" -eq 1; then AC_MSG_NOTICE(xml LDADD: $LIBXML2_LDADD); fi
- AC_MSG_CHECKING([if libxml2 is at least v2.6.29])
- libxml2_min_ver=`echo 2.6.29 | awk -F. '{print (\$ 1 * 1000000) + (\$ 2 * 1000) + \$ 3}'`
+ AC_MSG_CHECKING([if libxml2 is at least v${LIBXML2_MIN_VERSION}])
+ libxml2_min_ver=`echo ${LIBXML2_MIN_VERSION} | awk -F. '{print (\$ 1 * 1000000) + (\$ 2 * 1000) + \$ 3}'`
libxml2_ver=`echo ${LIBXML2_VERSION} | awk -F. '{print (\$ 1 * 1000000) + (\$ 2 * 1000) + \$ 3}'`
if test "$libxml2_ver" -ge "$libxml2_min_ver"; then
AC_MSG_RESULT([yes, $LIBXML2_VERSION])
else
AC_MSG_RESULT([no, $LIBXML2_VERSION])
- AC_MSG_ERROR([NOTE: libxml2 library must be at least 2.6.29])
+ AC_MSG_ERROR([NOTE: libxml2 library must be at least ${LIBXML2_MIN_VERSION}])
fi
else
AC_MSG_RESULT([no])
fi
+])
+
+AC_DEFUN([CHECK_LIBXML2], [
+
+AC_ARG_WITH(
+ libxml,
+ [AS_HELP_STRING([--with-libxml=PATH],[Path to libxml2 prefix or config script])],
+ [test_paths="${with_libxml}"],
+ [test_paths="/usr/local/libxml2 /usr/local/xml2 /usr/local/xml /usr/local /opt/libxml2 /opt/libxml /opt/xml2 /opt/xml /opt /usr"])
+
+LIBXML2_MIN_VERSION="2.6.29"
+LIBXML2_PKG_NAME="libxml-2.0"
+LIBXML2_CONFIG=""
+LIBXML2_VERSION=""
+LIBXML2_CFLAGS=""
+LIBXML2_CPPFLAGS=""
+LIBXML2_LDADD=""
+LIBXML2_LDFLAGS=""
+
+if test "x${with_libxml}" != "xno"; then
+ if test -n "${PKG_CONFIG}"; then
+ AC_MSG_CHECKING([for libxml2 >= ${LIBXML2_MIN_VERSION} via pkg-config])
+ if `${PKG_CONFIG} --exists "${LIBXML2_PKG_NAME} >= ${LIBXML2_MIN_VERSION}"`; then
+ LIBXML2_VERSION="`${PKG_CONFIG} --modversion ${LIBXML2_PKG_NAME}`"
+ LIBXML2_CFLAGS="`${PKG_CONFIG} --cflags ${LIBXML2_PKG_NAME}`"
+ LIBXML2_LDADD="`${PKG_CONFIG} --libs-only-l ${LIBXML2_PKG_NAME}`"
+ LIBXML2_LDFLAGS="`${PKG_CONFIG} --libs-only-L --libs-only-other ${LIBXML2_PKG_NAME}`"
+ AC_MSG_RESULT([found version ${LIBXML2_VERSION}])
+ else
+ AC_MSG_RESULT([not found])
+ fi
+ fi
+
+ if test -z "${LIBXML2_VERSION}"; then
+ CHECK_XML2CONFIG
+ fi
+fi
AC_SUBST(LIBXML2_CONFIG)
AC_SUBST(LIBXML2_VERSION)
diff --git a/build/find_yajl.m4 b/build/find_yajl.m4
index 132a8a8a90..c3d4dcde7e 100644
--- a/build/find_yajl.m4
+++ b/build/find_yajl.m4
@@ -23,7 +23,7 @@ YAJL_SONAMES="so la sl dll dylib"
AC_ARG_WITH(
yajl,
- [AC_HELP_STRING([--with-yajl=PATH],[Path to yajl prefix or config script])]
+ [AS_HELP_STRING([--with-yajl=PATH],[Path to yajl prefix or config script])]
,, with_yajl=yes)
AS_CASE(["${with_yajl}"],
diff --git a/configure.ac b/configure.ac
index f00172a771..69228a6b93 100644
--- a/configure.ac
+++ b/configure.ac
@@ -30,9 +30,9 @@ AC_PROG_MAKE_SET
AC_PROG_GREP
AC_PATH_PROGS(PERL, [perl perl5], )
AC_PATH_PROGS(ENV_CMD, [env printenv], )
+PKG_PROG_PKG_CONFIG
# Checks for header files.
-AC_HEADER_STDC
AC_CHECK_HEADERS([fcntl.h limits.h stdlib.h string.h unistd.h sys/types.h sys/stat.h sys/utsname.h])
# Checks for typedefs, structures, and compiler characteristics.
@@ -70,6 +70,22 @@ AC_SUBST(MSC_REGRESSION_DOCROOT_DIR)
### Configure Options
+# Verbose output
+AC_ARG_ENABLE(verbose-output,
+ AS_HELP_STRING([--enable-verbose-output],
+ [Enable more verbose configure output.]),
+[
+ if test "$enableval" != "no"; then
+ verbose_output=1
+ else
+ verbose_output=0
+ fi
+],
+[
+ verbose_output=0
+])
+
+
#OS type
AC_CANONICAL_HOST
@@ -228,7 +244,7 @@ AC_ARG_ENABLE(mlogc,
CHECK_CURL()
if test -z "${CURL_VERSION}"; then
- AC_MSG_NOTICE([NOTE: mlgoc compilation was disabled.])
+ AC_MSG_NOTICE([NOTE: mlogc compilation was disabled.])
build_mlogc=0
fi
@@ -272,10 +288,39 @@ AC_ARG_ENABLE(docs,
])
AM_CONDITIONAL([BUILD_DOCS], [test "$build_docs" -eq 1])
if test "$build_docs" -eq 1; then
- TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS docs"
+ TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS doc"
+ AC_CHECK_PROGS([DOXYGEN], [doxygen])
+ if test -z "$DOXYGEN"; then
+ AC_MSG_WARN([Doxygen not found - continue without Doxygen support])
+ fi
+ if test "$build_apache2_module" -eq 1; then
+ AC_CONFIG_FILES([doc/doxygen-apache])
+ fi
+ if test "$build_standalone_module" -eq 1; then
+ AC_CONFIG_FILES([doc/doxygen-nginx])
+ AC_CONFIG_FILES([doc/doxygen-iis])
+ AC_CONFIG_FILES([doc/doxygen-standalone])
+ fi
+ AC_CONFIG_FILES([doc/Makefile])
fi
+# Add assert() usage
+
+AC_ARG_ENABLE(assertions,
+ AS_HELP_STRING([--enable-assertions],
+ [Turn on assertions checks (undefine NDEBUG, define _GLIBCXX_ASSERTIONS & _FORTIFY_SOURCE)]),
+[
+ if test "${enableval}" = "yes"; then
+ assertions='-UNDEBUG -D_FORTIFY_SOURCE=3 -D_GLIBCXX_ASSERTIONS'
+ else
+ assertions='-DNDEBUG'
+ fi
+],
+[
+ assertions='-DNDEBUG'
+])
+
# Add PCRE Studying
AC_ARG_ENABLE(pcre-study,
@@ -395,36 +440,160 @@ AC_ARG_ENABLE(request-early,
request_early='-DREQUEST_EARLY'
])
-# Ignore configure errors
-AC_ARG_ENABLE(errors,
- AS_HELP_STRING([--disable-errors],
- [Disable errors during configure.]),
+# Enable duplicate rules id
+AC_ARG_ENABLE(rule-id-validation,
+ AS_HELP_STRING([--enable-rule-id-validation],
+ [Forbid duplicate rule ids and missing ones. This is the default]),
[
if test "$enableval" != "no"; then
- report_errors=1
+ unique_id=
else
- report_errors=0
+ unique_id="-DALLOW_ID_NOT_UNIQUE"
+ MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $unique_id"
fi
],
[
- report_errors=1
+ unique_id=''
])
-# Verbose output
-AC_ARG_ENABLE(verbose-output,
- AS_HELP_STRING([--enable-verbose-output],
- [Enable more verbose configure output.]),
+# Disable logging of filename
+AC_ARG_ENABLE(filename-logging,
+ AS_HELP_STRING([--enable-filename-logging],
+ [Enable logging of filename in audit log. This is the default]),
[
if test "$enableval" != "no"; then
- verbose_output=1
+ log_filename=
else
- verbose_output=0
+ log_filename="-DLOG_NO_FILENAME"
fi
],
[
- verbose_output=0
+ log_filename=''
])
+# Disable logging of "Server"
+AC_ARG_ENABLE(server-logging,
+ AS_HELP_STRING([--enable-server-logging],
+ [Enable logging of "Server" in audit log when log level < 9. This is the default]),
+[
+ if test "$enableval" != "no"; then
+ log_server=
+ else
+ log_server="-DLOG_NO_SERVER"
+ fi
+],
+[
+ log_server=''
+])
+
+# Disable logging of problem when deleting collection
+AC_ARG_ENABLE(collection-delete-problem-logging,
+ AS_HELP_STRING([--enable-collection-delete-problem-logging],
+ [Enable logging of collection delete problem even when log level is < 9. This is the default]),
+[
+ if test "$enableval" != "no"; then
+ log_collection_delete_problem=
+ else
+ log_collection_delete_problem="-DLOG_NO_COLL_DELET_PB"
+ fi
+],
+[
+ log_collection_delete_problem=''
+])
+
+# Disable logging of Apache handler
+AC_ARG_ENABLE(handler-logging,
+ AS_HELP_STRING([--enable-handler-logging],
+ [Enable logging of Apache handler in audit log even when log level is < 9. This is the default]),
+[
+ if test "$enableval" != "no"; then
+ log_handler=
+ else
+ log_handler="-DLOG_NO_HANDLER"
+ fi
+],
+[
+ log_handler=''
+])
+
+# Disable logging of dechunking
+AC_ARG_ENABLE(dechunk-logging,
+ AS_HELP_STRING([--enable-dechunk-logging],
+ [Enable logging of dechunking even when log level is < 9. This is the default]),
+[
+ if test "$enableval" != "no"; then
+ log_dechunk=
+ else
+ log_dechunk="-DLOG_NO_DECHUNK"
+ fi
+],
+[
+ log_dechunk=''
+])
+
+# Disable logging of stopwatches
+AC_ARG_ENABLE(stopwatch-logging,
+ AS_HELP_STRING([--enable-stopwatch-logging],
+ [Enable logging of stopwatches even when log level is < 9. This is the default]),
+[
+ if test "$enableval" != "no"; then
+ log_stopwatch=
+ else
+ log_stopwatch="-DLOG_NO_STOPWATCH"
+ fi
+],
+[
+ log_stopwatch=''
+])
+
+# Disable logging of server context
+AC_ARG_ENABLE(server-context-logging,
+ AS_HELP_STRING([--enable-server-context-logging],
+ [Enable logging of server info (log producer, sanitized objects, ...) in audit log even when log level < 9. This is the default]),
+[
+ if test "$enableval" != "no"; then
+ log_server_context=
+ else
+ log_server_context="-DLOG_NO_SERVER_CONTEXT"
+ fi
+],
+[
+ log_server_context=''
+])
+
+
+# Enable collection's global lock
+AC_ARG_ENABLE(collection-global-lock,
+ AS_HELP_STRING([--enable-collection-global-lock],
+ [Enable collection correctness by using a global lock. May reduce performance significatively. This is disabled by default]),
+[
+ if test "$enableval" != "yes"; then
+ collection_global_lock=""
+ else
+ collection_global_lock="-DGLOBAL_COLLECTION_LOCK"
+ fi
+],
+[
+ collection_global_lock=''
+])
+
+
+# Ignore configure errors
+AC_ARG_ENABLE(errors,
+ AS_HELP_STRING([--disable-errors],
+ [Disable errors during configure.]),
+[
+ if test "$enableval" != "no"; then
+ report_errors=1
+ else
+ report_errors=0
+ fi
+],
+[
+ report_errors=1
+])
+
+
# Strict Compile
AC_ARG_ENABLE(strict-compile,
AS_HELP_STRING([--enable-strict-compile],
@@ -537,6 +706,22 @@ AC_ARG_ENABLE(modsec-api,
modsec_api=
])
+# MSC_LARGE_STREAM_INPUT
+AC_ARG_ENABLE(large-stream-input,
+ AS_HELP_STRING([--enable-large-stream-input],
+ [Enable optimization for large stream input]),
+[
+ if test "$enableval" = "yes"; then
+ large_stream_input="-DMSC_LARGE_STREAM_INPUT"
+ MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $large_stream_input"
+ else
+ large_stream_input=
+ fi
+],
+[
+ large_stream_input=
+])
+
# Find apxs
AC_MSG_NOTICE(looking for Apache module support via DSO through APXS)
AC_ARG_WITH(apxs,
@@ -659,7 +844,7 @@ else
fi
fi
-MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type"
+MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type $unique_id $log_filename $log_server $log_collection_delete_problem $log_dechunk $log_stopwatch $log_handler $log_server_context $collection_global_lock $large_stream_input $assertions"
APXS_WRAPPER=build/apxs-wrapper
APXS_EXTRA_CFLAGS=""
@@ -696,6 +881,7 @@ AC_SUBST(APXS_MODULES)
AC_SUBST(APXS_HTTPD)
CHECK_PCRE()
+CHECK_PCRE2()
if test "$build_apache2_module" -ne 0 -o "$build_mlogc" -ne 0; then
CHECK_APR()
CHECK_APU()
@@ -712,21 +898,30 @@ CHECK_YAJL()
CHECK_SSDEEP()
#AC_SEARCH_LIBS([fuzzy_hash_buf], [fuzzy])
-CFLAGS="$CFLAGS $APU_CFLAGS"
-AC_TRY_COMPILE(
- [#include <apr_crypto.h>],
- [
+# Temporarily set cflags for apr_crypto check, then restore
+# since it's already used correctly to compile modsecurity module.
+ORIG_CFLAGS="$CFLAGS $APU_CFLAGS"
+ORIG_CPPFLAGS="$CPPFLAGS"
+CFLAGS="$CFLAGS $APR_CFLAGS"
+CPPFLAGS="$CPPFLAGS $APR_CPPFLAGS"
+AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM([[ #include <apr_crypto.h> ]],
+ [[
#if APU_HAVE_CRYPTO == 0
#error APR util was not compiled with crypto support.
#endif
- ],
+ ]])],
[ AC_DEFINE([WITH_APU_CRYPTO], [1], [APR util was compiled with crypto support])
MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS -DWITH_APU_CRYPTO"
],
[ AC_MSG_WARN([APR util was not compiled with crypto support. SecRemoteRule will not support the parameter 'crypto']) ]
)
+# Restore env vars so that we don't clutter with duplicates that
+# are eventually appended later on
+CFLAGS="$ORIG_CFLAGS"
+CPPFLAGS="$ORIG_CPPFLAGS"
-# Current our unique download backend is curl, furhter we can support more.
+# Currently our unique download backend is curl, further we can support more.
if test ! -z "${CURL_VERSION}"; then
AC_DEFINE([WITH_REMOTE_RULES], [1], [Enables SecRemoteRules support])
MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS -DWITH_REMOTE_RULES"
diff --git a/design.md b/design.md
new file mode 100644
index 0000000000..a8e56e128e
--- /dev/null
+++ b/design.md
@@ -0,0 +1,29 @@
+Design notes for source code
+==
+This file give some explanations and guidelines regarding ModSecurity v2 source code.
+The goal is to discuss topics that are not related to a specific location in the code, so that cannot be best explained by comments.
+The goal is not to replace comments where it is probably better.
+It's quite short for the moment, but the goal is to extend it from time to time.
+
+## Null pointer check
+The default behaviour is to check for null pointer dereference everywhere it may be needed.
+In case a pointer cannot be null, it has to be explained with a comment at the beginning of the function of when dereferencing the pointer.
+On top of that, an explicit check should be done when compiling in debug mode with the following code:
+```
+ assert(mypointer);
+```
+In case a pointer that cannot be null is used at several locations (say more than 3 times),
+the explanation could be given globally in this file.
+
+### Pointers never null
+The following pointers can never be null:
+
+#### msr
+
+msr is assigned at the following places:
+- mod_security2.c (14 x): initialization
+In all the above calls, and all calling functions, it immediately returns (with an error code) in case msr is null, up to a place where no mod_security2 processing at all occurs.
+In subsequent calls, there's thus no possibility to have msr null.
+- apache2_io.c (2 x): assign a previously initialized msr
+- msc_json (9 x): assign a previously initialized msr
+- msc_lua.c (4 x): assign a previously initialized msr
diff --git a/doc/Makefile.am b/doc/Makefile.am
new file mode 100644
index 0000000000..4f4eaffb1e
--- /dev/null
+++ b/doc/Makefile.am
@@ -0,0 +1,27 @@
+apache:
+ $(DOXYGEN) doxygen-apache
+ touch apache.stamp
+
+iis:
+ $(DOXYGEN) doxygen-iis
+ touch iis.stamp
+
+nginx:
+ $(DOXYGEN) doxygen-nginx
+ touch nginx.stamp
+
+standalone:
+ $(DOXYGEN) doxygen-standalone
+ touch standalone.stamp
+
+
+if BUILD_APACHE2_MODULE
+all-local: apache
+endif
+
+if BUILD_STANDALONE_MODULE
+all-local: iis nginx standalone
+endif
+
+clean-local:
+ rm -rf apache iis nginx standalone
diff --git a/doc/README.txt b/doc/README.txt
index ec0ed3572d..75bfac094c 100644
--- a/doc/README.txt
+++ b/doc/README.txt
@@ -8,4 +8,4 @@ Please access the ModSecurity Github space to access the below documentation.
* Reference Manual
* RoadMap
-https://github.com/SpiderLabs/ModSecurity/wiki/
+https://github.com/owasp-modsecurity/ModSecurity/wiki/
diff --git a/doc/doxygen-apache.conf b/doc/doxygen-apache.in
similarity index 84%
rename from doc/doxygen-apache.conf
rename to doc/doxygen-apache.in
index b59b47b390..b031ade5d3 100644
--- a/doc/doxygen-apache.conf
+++ b/doc/doxygen-apache.in
@@ -1,4 +1,4 @@
-# Doxyfile 1.8.6
+# Doxyfile 1.8.13
# This file describes the settings to be used by the documentation system
# doxygen (www.doxygen.org) for a project.
@@ -38,7 +38,7 @@ PROJECT_NAME = "ModSecurity (Apache)"
# could be handy for archiving the generated documentation or if some version
# control system is used.
-PROJECT_NUMBER =
+PROJECT_NUMBER =
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
@@ -46,21 +46,21 @@ PROJECT_NUMBER =
PROJECT_BRIEF = "ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence."
-# With the PROJECT_LOGO tag one can specify an logo or icon that is included in
-# the documentation. The maximum height of the logo should not exceed 55 pixels
-# and the maximum width should not exceed 200 pixels. Doxygen will copy the logo
-# to the output directory.
+# With the PROJECT_LOGO tag one can specify a logo or an icon that is included
+# in the documentation. The maximum height of the logo should not exceed 55
+# pixels and the maximum width should not exceed 200 pixels. Doxygen will copy
+# the logo to the output directory.
-PROJECT_LOGO = ./doc/doxygen-logo.png
+PROJECT_LOGO = ./doxygen-logo.png
# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) path
# into which the generated documentation will be written. If a relative path is
# entered, it will be relative to the location where doxygen was started. If
# left blank the current directory will be used.
-OUTPUT_DIRECTORY = doc/apache
+OUTPUT_DIRECTORY = apache
-# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 4096 sub-
+# If the CREATE_SUBDIRS tag is set to YES then doxygen will create 4096 sub-
# directories (in 2 levels) under the output directory of each output format and
# will distribute the generated files over these directories. Enabling this
# option can be useful when feeding doxygen a huge amount of source files, where
@@ -70,6 +70,14 @@ OUTPUT_DIRECTORY = doc/apache
CREATE_SUBDIRS = YES
+# If the ALLOW_UNICODE_NAMES tag is set to YES, doxygen will allow non-ASCII
+# characters to appear in the names of generated files. If set to NO, non-ASCII
+# characters will be escaped, for example _xE3_x81_x84 will be used for Unicode
+# U+3044.
+# The default value is: NO.
+
+ALLOW_UNICODE_NAMES = NO
+
# The OUTPUT_LANGUAGE tag is used to specify the language in which all
# documentation generated by doxygen is written. Doxygen will use this
# information to generate all constant output in the proper language.
@@ -85,14 +93,14 @@ CREATE_SUBDIRS = YES
OUTPUT_LANGUAGE = English
-# If the BRIEF_MEMBER_DESC tag is set to YES doxygen will include brief member
+# If the BRIEF_MEMBER_DESC tag is set to YES, doxygen will include brief member
# descriptions after the members that are listed in the file and class
# documentation (similar to Javadoc). Set to NO to disable this.
# The default value is: YES.
BRIEF_MEMBER_DESC = YES
-# If the REPEAT_BRIEF tag is set to YES doxygen will prepend the brief
+# If the REPEAT_BRIEF tag is set to YES, doxygen will prepend the brief
# description of a member or function before the detailed description
#
# Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
@@ -110,7 +118,7 @@ REPEAT_BRIEF = YES
# the entity):The $name class, The $name widget, The $name file, is, provides,
# specifies, contains, represents, a, an and the.
-ABBREVIATE_BRIEF =
+ABBREVIATE_BRIEF =
# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then
# doxygen will generate a detailed section even if there is only a brief
@@ -127,7 +135,7 @@ ALWAYS_DETAILED_SEC = NO
INLINE_INHERITED_MEMB = NO
-# If the FULL_PATH_NAMES tag is set to YES doxygen will prepend the full path
+# If the FULL_PATH_NAMES tag is set to YES, doxygen will prepend the full path
# before files name in the file list and in the header files. If set to NO the
# shortest path that makes the file name unique will be used
# The default value is: YES.
@@ -144,7 +152,7 @@ FULL_PATH_NAMES = YES
# will be relative from the directory where doxygen is started.
# This tag requires that the tag FULL_PATH_NAMES is set to YES.
-STRIP_FROM_PATH =
+STRIP_FROM_PATH =
# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of the
# path mentioned in the documentation of a class, which tells the reader which
@@ -153,7 +161,7 @@ STRIP_FROM_PATH =
# specify the list of include paths that are normally passed to the compiler
# using the -I flag.
-STRIP_FROM_INC_PATH =
+STRIP_FROM_INC_PATH =
# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter (but
# less readable) file names. This can be useful is your file systems doesn't
@@ -197,9 +205,9 @@ MULTILINE_CPP_IS_BRIEF = NO
INHERIT_DOCS = YES
-# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce a
-# new page for each member. If set to NO, the documentation of a member will be
-# part of the file/class/namespace that contains it.
+# If the SEPARATE_MEMBER_PAGES tag is set to YES then doxygen will produce a new
+# page for each member. If set to NO, the documentation of a member will be part
+# of the file/class/namespace that contains it.
# The default value is: NO.
SEPARATE_MEMBER_PAGES = NO
@@ -220,13 +228,13 @@ TAB_SIZE = 4
# "Side Effects:". You can put \n's in the value part of an alias to insert
# newlines.
-ALIASES =
+ALIASES =
# This tag can be used to specify a number of word-keyword mappings (TCL only).
# A mapping has the form "name=value". For example adding "class=itcl::class"
# will allow you to use the command class in the itcl::class meaning.
-TCL_SUBST =
+TCL_SUBST =
# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources
# only. Doxygen will then generate output that is more tailored for C. For
@@ -261,16 +269,19 @@ OPTIMIZE_OUTPUT_VHDL = NO
# extension. Doxygen has a built-in mapping, but you can override or extend it
# using this tag. The format is ext=language, where ext is a file extension, and
# language is one of the parsers supported by doxygen: IDL, Java, Javascript,
-# C#, C, C++, D, PHP, Objective-C, Python, Fortran, VHDL. For instance to make
-# doxygen treat .inc files as Fortran files (default is PHP), and .f files as C
-# (default is Fortran), use: inc=Fortran f=C.
+# C#, C, C++, D, PHP, Objective-C, Python, Fortran (fixed format Fortran:
+# FortranFixed, free formatted Fortran: FortranFree, unknown formatted Fortran:
+# Fortran. In the later case the parser tries to guess whether the code is fixed
+# or free formatted code, this is the default for Fortran type files), VHDL. For
+# instance to make doxygen treat .inc files as Fortran files (default is PHP),
+# and .f files as C (default is Fortran), use: inc=Fortran f=C.
#
-# Note For files without extension you can use no_extension as a placeholder.
+# Note: For files without extension you can use no_extension as a placeholder.
#
# Note that for custom extensions you also need to set FILE_PATTERNS otherwise
# the files are not read by doxygen.
-EXTENSION_MAPPING =
+EXTENSION_MAPPING =
# If the MARKDOWN_SUPPORT tag is enabled then doxygen pre-processes all comments
# according to the Markdown format, which allows for more readable
@@ -282,10 +293,19 @@ EXTENSION_MAPPING =
MARKDOWN_SUPPORT = YES
+# When the TOC_INCLUDE_HEADINGS tag is set to a non-zero value, all headings up
+# to that level are automatically included in the table of contents, even if
+# they do not have an id attribute.
+# Note: This feature currently applies only to Markdown headings.
+# Minimum value: 0, maximum value: 99, default value: 0.
+# This tag requires that the tag MARKDOWN_SUPPORT is set to YES.
+
+TOC_INCLUDE_HEADINGS = 0
+
# When enabled doxygen tries to link words that correspond to documented
# classes, or namespaces to their corresponding documentation. Such a link can
-# be prevented in individual cases by by putting a % sign in front of the word
-# or globally by setting AUTOLINK_SUPPORT to NO.
+# be prevented in individual cases by putting a % sign in front of the word or
+# globally by setting AUTOLINK_SUPPORT to NO.
# The default value is: YES.
AUTOLINK_SUPPORT = YES
@@ -325,13 +345,20 @@ SIP_SUPPORT = NO
IDL_PROPERTY_SUPPORT = YES
# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
-# tag is set to YES, then doxygen will reuse the documentation of the first
+# tag is set to YES then doxygen will reuse the documentation of the first
# member in the group (if any) for the other members of the group. By default
# all members of a group must be documented explicitly.
# The default value is: NO.
DISTRIBUTE_GROUP_DOC = NO
+# If one adds a struct or class to a group and this option is enabled, then also
+# any nested class or struct is added to the same group. By default this option
+# is disabled and one has to add nested compounds explicitly via \ingroup.
+# The default value is: NO.
+
+GROUP_NESTED_COMPOUNDS = NO
+
# Set the SUBGROUPING tag to YES to allow class member groups of the same type
# (for instance a group of public functions) to be put as a subgroup of that
# type (e.g. under the Public Functions section). Set it to NO to prevent
@@ -390,7 +417,7 @@ LOOKUP_CACHE_SIZE = 0
# Build related configuration options
#---------------------------------------------------------------------------
-# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in
+# If the EXTRACT_ALL tag is set to YES, doxygen will assume all entities in
# documentation are documented, even if no documentation was available. Private
# class members and static file members will be hidden unless the
# EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES.
@@ -400,35 +427,35 @@ LOOKUP_CACHE_SIZE = 0
EXTRACT_ALL = YES
-# If the EXTRACT_PRIVATE tag is set to YES all private members of a class will
+# If the EXTRACT_PRIVATE tag is set to YES, all private members of a class will
# be included in the documentation.
# The default value is: NO.
EXTRACT_PRIVATE = NO
-# If the EXTRACT_PACKAGE tag is set to YES all members with package or internal
+# If the EXTRACT_PACKAGE tag is set to YES, all members with package or internal
# scope will be included in the documentation.
# The default value is: NO.
EXTRACT_PACKAGE = NO
-# If the EXTRACT_STATIC tag is set to YES all static members of a file will be
+# If the EXTRACT_STATIC tag is set to YES, all static members of a file will be
# included in the documentation.
# The default value is: NO.
EXTRACT_STATIC = NO
-# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) defined
-# locally in source files will be included in the documentation. If set to NO
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES, classes (and structs) defined
+# locally in source files will be included in the documentation. If set to NO,
# only classes defined in header files are included. Does not have any effect
# for Java sources.
# The default value is: YES.
EXTRACT_LOCAL_CLASSES = YES
-# This flag is only useful for Objective-C code. When set to YES local methods,
+# This flag is only useful for Objective-C code. If set to YES, local methods,
# which are defined in the implementation section but not in the interface are
-# included in the documentation. If set to NO only methods in the interface are
+# included in the documentation. If set to NO, only methods in the interface are
# included.
# The default value is: NO.
@@ -453,21 +480,21 @@ HIDE_UNDOC_MEMBERS = NO
# If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all
# undocumented classes that are normally visible in the class hierarchy. If set
-# to NO these classes will be included in the various overviews. This option has
-# no effect if EXTRACT_ALL is enabled.
+# to NO, these classes will be included in the various overviews. This option
+# has no effect if EXTRACT_ALL is enabled.
# The default value is: NO.
HIDE_UNDOC_CLASSES = NO
# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend
-# (class|struct|union) declarations. If set to NO these declarations will be
+# (class|struct|union) declarations. If set to NO, these declarations will be
# included in the documentation.
# The default value is: NO.
HIDE_FRIEND_COMPOUNDS = NO
# If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any
-# documentation blocks found inside the body of a function. If set to NO these
+# documentation blocks found inside the body of a function. If set to NO, these
# blocks will be appended to the function's detailed documentation block.
# The default value is: NO.
@@ -481,7 +508,7 @@ HIDE_IN_BODY_DOCS = NO
INTERNAL_DOCS = NO
# If the CASE_SENSE_NAMES tag is set to NO then doxygen will only generate file
-# names in lower-case letters. If set to YES upper-case letters are also
+# names in lower-case letters. If set to YES, upper-case letters are also
# allowed. This is useful if you have classes or files whose names only differ
# in case and if your file system supports case sensitive file names. Windows
# and Mac users are advised to set this option to NO.
@@ -490,12 +517,19 @@ INTERNAL_DOCS = NO
CASE_SENSE_NAMES = YES
# If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with
-# their full class and namespace scopes in the documentation. If set to YES the
+# their full class and namespace scopes in the documentation. If set to YES, the
# scope will be hidden.
# The default value is: NO.
HIDE_SCOPE_NAMES = YES
+# If the HIDE_COMPOUND_REFERENCE tag is set to NO (default) then doxygen will
+# append additional text to a page's title, such as Class Reference. If set to
+# YES the compound reference will be hidden.
+# The default value is: NO.
+
+HIDE_COMPOUND_REFERENCE= NO
+
# If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of
# the files that are included by a file in the documentation of that file.
# The default value is: YES.
@@ -523,14 +557,14 @@ INLINE_INFO = YES
# If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the
# (detailed) documentation of file and class members alphabetically by member
-# name. If set to NO the members will appear in declaration order.
+# name. If set to NO, the members will appear in declaration order.
# The default value is: YES.
SORT_MEMBER_DOCS = YES
# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief
# descriptions of file, namespace and class members alphabetically by member
-# name. If set to NO the members will appear in declaration order. Note that
+# name. If set to NO, the members will appear in declaration order. Note that
# this will also influence the order of the classes in the class list.
# The default value is: NO.
@@ -575,27 +609,25 @@ SORT_BY_SCOPE_NAME = NO
STRICT_PROTO_MATCHING = NO
-# The GENERATE_TODOLIST tag can be used to enable ( YES) or disable ( NO) the
-# todo list. This list is created by putting \todo commands in the
-# documentation.
+# The GENERATE_TODOLIST tag can be used to enable (YES) or disable (NO) the todo
+# list. This list is created by putting \todo commands in the documentation.
# The default value is: YES.
GENERATE_TODOLIST = YES
-# The GENERATE_TESTLIST tag can be used to enable ( YES) or disable ( NO) the
-# test list. This list is created by putting \test commands in the
-# documentation.
+# The GENERATE_TESTLIST tag can be used to enable (YES) or disable (NO) the test
+# list. This list is created by putting \test commands in the documentation.
# The default value is: YES.
GENERATE_TESTLIST = YES
-# The GENERATE_BUGLIST tag can be used to enable ( YES) or disable ( NO) the bug
+# The GENERATE_BUGLIST tag can be used to enable (YES) or disable (NO) the bug
# list. This list is created by putting \bug commands in the documentation.
# The default value is: YES.
GENERATE_BUGLIST = YES
-# The GENERATE_DEPRECATEDLIST tag can be used to enable ( YES) or disable ( NO)
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or disable (NO)
# the deprecated list. This list is created by putting \deprecated commands in
# the documentation.
# The default value is: YES.
@@ -606,7 +638,7 @@ GENERATE_DEPRECATEDLIST= YES
# sections, marked by \if <section_label> ... \endif and \cond <section_label>
# ... \endcond blocks.
-ENABLED_SECTIONS =
+ENABLED_SECTIONS =
# The MAX_INITIALIZER_LINES tag determines the maximum number of lines that the
# initial value of a variable or macro / define can have for it to appear in the
@@ -620,8 +652,8 @@ ENABLED_SECTIONS =
MAX_INITIALIZER_LINES = 30
# Set the SHOW_USED_FILES tag to NO to disable the list of files generated at
-# the bottom of the documentation of classes and structs. If set to YES the list
-# will mention the files that were used to generate the documentation.
+# the bottom of the documentation of classes and structs. If set to YES, the
+# list will mention the files that were used to generate the documentation.
# The default value is: YES.
SHOW_USED_FILES = YES
@@ -648,7 +680,7 @@ SHOW_NAMESPACES = YES
# by doxygen. Whatever the program writes to standard output is used as the file
# version. For an example see the documentation.
-FILE_VERSION_FILTER =
+FILE_VERSION_FILTER =
# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
# by doxygen. The layout file controls the global structure of the generated
@@ -661,7 +693,7 @@ FILE_VERSION_FILTER =
# DoxygenLayout.xml, doxygen will parse it automatically even if the LAYOUT_FILE
# tag is left empty.
-LAYOUT_FILE =
+LAYOUT_FILE =
# The CITE_BIB_FILES tag can be used to specify one or more bib files containing
# the reference definitions. This must be a list of .bib files. The .bib
@@ -669,10 +701,9 @@ LAYOUT_FILE =
# to be installed. See also http://en.wikipedia.org/wiki/BibTeX for more info.
# For LaTeX the style of the bibliography can be controlled using
# LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the
-# search path. Do not use file names with spaces, bibtex cannot handle them. See
-# also \cite for info how to create references.
+# search path. See also \cite for info how to create references.
-CITE_BIB_FILES =
+CITE_BIB_FILES =
#---------------------------------------------------------------------------
# Configuration options related to warning and progress messages
@@ -686,7 +717,7 @@ CITE_BIB_FILES =
QUIET = NO
# The WARNINGS tag can be used to turn on/off the warning messages that are
-# generated to standard error ( stderr) by doxygen. If WARNINGS is set to YES
+# generated to standard error (stderr) by doxygen. If WARNINGS is set to YES
# this implies that the warnings are on.
#
# Tip: Turn warnings on while writing the documentation.
@@ -694,7 +725,7 @@ QUIET = NO
WARNINGS = YES
-# If the WARN_IF_UNDOCUMENTED tag is set to YES, then doxygen will generate
+# If the WARN_IF_UNDOCUMENTED tag is set to YES then doxygen will generate
# warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag
# will automatically be disabled.
# The default value is: YES.
@@ -711,12 +742,18 @@ WARN_IF_DOC_ERROR = YES
# This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that
# are documented, but have no documentation for their parameters or return
-# value. If set to NO doxygen will only warn about wrong or incomplete parameter
-# documentation, but not about the absence of documentation.
+# value. If set to NO, doxygen will only warn about wrong or incomplete
+# parameter documentation, but not about the absence of documentation.
# The default value is: NO.
WARN_NO_PARAMDOC = NO
+# If the WARN_AS_ERROR tag is set to YES then doxygen will immediately stop when
+# a warning is encountered.
+# The default value is: NO.
+
+WARN_AS_ERROR = NO
+
# The WARN_FORMAT tag determines the format of the warning messages that doxygen
# can produce. The string should contain the $file, $line, and $text tags, which
# will be replaced by the file and line number from which the warning originated
@@ -731,7 +768,7 @@ WARN_FORMAT = "$file:$line: $text"
# messages should be written. If left blank the output is written to standard
# error (stderr).
-WARN_LOGFILE =
+WARN_LOGFILE =
#---------------------------------------------------------------------------
# Configuration options related to the input files
@@ -740,10 +777,10 @@ WARN_LOGFILE =
# The INPUT tag is used to specify the files and/or directories that contain
# documented source files. You may enter file names like myfile.cpp or
# directories like /usr/src/myproject. Separate the files or directories with
-# spaces.
+# spaces. See also FILE_PATTERNS and EXTENSION_MAPPING
# Note: If this tag is empty the current directory is searched.
-INPUT = apache2
+INPUT = ../apache2
# This tag can be used to specify the character encoding of the source files
# that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses
@@ -756,14 +793,19 @@ INPUT_ENCODING = UTF-8
# If the value of the INPUT tag contains directories, you can use the
# FILE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and
-# *.h) to filter out the source-files in the directories. If left blank the
-# following patterns are tested:*.c, *.cc, *.cxx, *.cpp, *.c++, *.java, *.ii,
-# *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h, *.hh, *.hxx, *.hpp,
-# *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc, *.m, *.markdown,
-# *.md, *.mm, *.dox, *.py, *.f90, *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf,
-# *.qsf, *.as and *.js.
+# *.h) to filter out the source-files in the directories.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# read by doxygen.
+#
+# If left blank the following patterns are tested:*.c, *.cc, *.cxx, *.cpp,
+# *.c++, *.java, *.ii, *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h,
+# *.hh, *.hxx, *.hpp, *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc,
+# *.m, *.markdown, *.md, *.mm, *.dox, *.py, *.pyw, *.f90, *.f95, *.f03, *.f08,
+# *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf and *.qsf.
-FILE_PATTERNS =
+FILE_PATTERNS =
# The RECURSIVE tag can be used to specify whether or not subdirectories should
# be searched for input files as well.
@@ -778,7 +820,7 @@ RECURSIVE = YES
# Note that relative paths are relative to the directory from which doxygen is
# run.
-EXCLUDE =
+EXCLUDE =
# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
# directories that are symbolic links (a Unix file system feature) are excluded
@@ -794,7 +836,7 @@ EXCLUDE_SYMLINKS = NO
# Note that the wildcards are matched against the file with absolute path, so to
# exclude all test directories for example use the pattern */test/*
-EXCLUDE_PATTERNS =
+EXCLUDE_PATTERNS =
# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
# (namespaces, classes, functions, etc.) that should be excluded from the
@@ -805,20 +847,20 @@ EXCLUDE_PATTERNS =
# Note that the wildcards are matched against the file with absolute path, so to
# exclude all test directories use the pattern */test/*
-EXCLUDE_SYMBOLS =
+EXCLUDE_SYMBOLS =
# The EXAMPLE_PATH tag can be used to specify one or more files or directories
# that contain example code fragments that are included (see the \include
# command).
-EXAMPLE_PATH =
+EXAMPLE_PATH =
# If the value of the EXAMPLE_PATH tag contains directories, you can use the
# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp and
# *.h) to filter out the source-files in the directories. If left blank all
# files are included.
-EXAMPLE_PATTERNS =
+EXAMPLE_PATTERNS =
# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
# searched for input files to be used with the \include or \dontinclude commands
@@ -831,7 +873,7 @@ EXAMPLE_RECURSIVE = NO
# that contain images that are to be included in the documentation (see the
# \image command).
-IMAGE_PATH =
+IMAGE_PATH =
# The INPUT_FILTER tag can be used to specify a program that doxygen should
# invoke to filter for each input file. Doxygen will invoke the filter program
@@ -847,8 +889,12 @@ IMAGE_PATH =
# Note that the filter must not add or remove lines; it is applied before the
# code is scanned, but not when the output code is generated. If lines are added
# or removed, the anchors will not be placed correctly.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
-INPUT_FILTER =
+INPUT_FILTER =
# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
# basis. Doxygen will compare the file name with each pattern and apply the
@@ -856,11 +902,15 @@ INPUT_FILTER =
# (like *.cpp=my_cpp_filter). See INPUT_FILTER for further information on how
# filters are used. If the FILTER_PATTERNS tag is empty or if none of the
# patterns match the file name, INPUT_FILTER is applied.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
-FILTER_PATTERNS =
+FILTER_PATTERNS =
# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
-# INPUT_FILTER ) will also be used to filter the input files that are used for
+# INPUT_FILTER) will also be used to filter the input files that are used for
# producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES).
# The default value is: NO.
@@ -872,14 +922,14 @@ FILTER_SOURCE_FILES = NO
# *.ext= (so without naming a filter).
# This tag requires that the tag FILTER_SOURCE_FILES is set to YES.
-FILTER_SOURCE_PATTERNS =
+FILTER_SOURCE_PATTERNS =
# If the USE_MDFILE_AS_MAINPAGE tag refers to the name of a markdown file that
# is part of the input, its contents will be placed on the main page
# (index.html). This can be useful if you have a project on for instance GitHub
# and want to reuse the introduction page also for the doxygen output.
-USE_MDFILE_AS_MAINPAGE =
+USE_MDFILE_AS_MAINPAGE =
#---------------------------------------------------------------------------
# Configuration options related to source browsing
@@ -920,7 +970,7 @@ REFERENCED_BY_RELATION = NO
REFERENCES_RELATION = NO
# If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set
-# to YES, then the hyperlinks from functions in REFERENCES_RELATION and
+# to YES then the hyperlinks from functions in REFERENCES_RELATION and
# REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will
# link to the documentation.
# The default value is: YES.
@@ -991,13 +1041,13 @@ COLS_IN_ALPHA_INDEX = 5
# while generating the index headers.
# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
-IGNORE_PREFIX =
+IGNORE_PREFIX =
#---------------------------------------------------------------------------
# Configuration options related to the HTML output
#---------------------------------------------------------------------------
-# If the GENERATE_HTML tag is set to YES doxygen will generate HTML output
+# If the GENERATE_HTML tag is set to YES, doxygen will generate HTML output
# The default value is: YES.
GENERATE_HTML = YES
@@ -1035,7 +1085,7 @@ HTML_FILE_EXTENSION = .html
# of the possible markers and block names see the documentation.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_HEADER =
+HTML_HEADER =
# The HTML_FOOTER tag can be used to specify a user-defined HTML footer for each
# generated HTML page. If the tag is left blank doxygen will generate a standard
@@ -1045,7 +1095,7 @@ HTML_HEADER =
# that doxygen normally uses.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_FOOTER =
+HTML_FOOTER =
# The HTML_STYLESHEET tag can be used to specify a user-defined cascading style
# sheet that is used by each HTML page. It can be used to fine-tune the look of
@@ -1057,18 +1107,20 @@ HTML_FOOTER =
# obsolete.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_STYLESHEET =
+HTML_STYLESHEET =
-# The HTML_EXTRA_STYLESHEET tag can be used to specify an additional user-
-# defined cascading style sheet that is included after the standard style sheets
+# The HTML_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# cascading style sheets that are included after the standard style sheets
# created by doxygen. Using this option one can overrule certain style aspects.
# This is preferred over using HTML_STYLESHEET since it does not replace the
-# standard style sheet and is therefor more robust against future updates.
-# Doxygen will copy the style sheet file to the output directory. For an example
-# see the documentation.
+# standard style sheet and is therefore more robust against future updates.
+# Doxygen will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list). For an example see the documentation.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_EXTRA_STYLESHEET =
+HTML_EXTRA_STYLESHEET =
# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or
# other source files which should be copied to the HTML output directory. Note
@@ -1078,10 +1130,10 @@ HTML_EXTRA_STYLESHEET =
# files will be copied as-is; there are no commands or markers available.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_EXTRA_FILES =
+HTML_EXTRA_FILES =
# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen
-# will adjust the colors in the stylesheet and background images according to
+# will adjust the colors in the style sheet and background images according to
# this color. Hue is specified as an angle on a colorwheel, see
# http://en.wikipedia.org/wiki/Hue for more information. For instance the value
# 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300
@@ -1112,8 +1164,9 @@ HTML_COLORSTYLE_GAMMA = 80
# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
# page will contain the date and time when the page was generated. Setting this
-# to NO can help when comparing the output of multiple runs.
-# The default value is: YES.
+# to YES can help to show when doxygen was last run and thus if the
+# documentation is up to date.
+# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_TIMESTAMP = YES
@@ -1206,31 +1259,32 @@ GENERATE_HTMLHELP = NO
# written to the html output directory.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
-CHM_FILE =
+CHM_FILE =
# The HHC_LOCATION tag can be used to specify the location (absolute path
-# including file name) of the HTML help compiler ( hhc.exe). If non-empty
+# including file name) of the HTML help compiler (hhc.exe). If non-empty,
# doxygen will try to run the HTML help compiler on the generated index.hhp.
# The file has to be specified with full path.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
-HHC_LOCATION =
+HHC_LOCATION =
-# The GENERATE_CHI flag controls if a separate .chi index file is generated (
-# YES) or that it should be included in the master .chm file ( NO).
+# The GENERATE_CHI flag controls if a separate .chi index file is generated
+# (YES) or that it should be included in the master .chm file (NO).
# The default value is: NO.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
GENERATE_CHI = NO
-# The CHM_INDEX_ENCODING is used to encode HtmlHelp index ( hhk), content ( hhc)
+# The CHM_INDEX_ENCODING is used to encode HtmlHelp index (hhk), content (hhc)
# and project file content.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
-CHM_INDEX_ENCODING =
+CHM_INDEX_ENCODING =
-# The BINARY_TOC flag controls whether a binary table of contents is generated (
-# YES) or a normal table of contents ( NO) in the .chm file.
+# The BINARY_TOC flag controls whether a binary table of contents is generated
+# (YES) or a normal table of contents (NO) in the .chm file. Furthermore it
+# enables the Previous and Next buttons.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
@@ -1257,7 +1311,7 @@ GENERATE_QHP = NO
# the HTML output folder.
# This tag requires that the tag GENERATE_QHP is set to YES.
-QCH_FILE =
+QCH_FILE =
# The QHP_NAMESPACE tag specifies the namespace to use when generating Qt Help
# Project output. For more information please see Qt Help Project / Namespace
@@ -1282,7 +1336,7 @@ QHP_VIRTUAL_FOLDER = doc
# filters).
# This tag requires that the tag GENERATE_QHP is set to YES.
-QHP_CUST_FILTER_NAME =
+QHP_CUST_FILTER_NAME =
# The QHP_CUST_FILTER_ATTRS tag specifies the list of the attributes of the
# custom filter to add. For more information please see Qt Help Project / Custom
@@ -1290,21 +1344,21 @@ QHP_CUST_FILTER_NAME =
# filters).
# This tag requires that the tag GENERATE_QHP is set to YES.
-QHP_CUST_FILTER_ATTRS =
+QHP_CUST_FILTER_ATTRS =
# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
# project's filter section matches. Qt Help Project / Filter Attributes (see:
# http://qt-project.org/doc/qt-4.8/qthelpproject.html#filter-attributes).
# This tag requires that the tag GENERATE_QHP is set to YES.
-QHP_SECT_FILTER_ATTRS =
+QHP_SECT_FILTER_ATTRS =
# The QHG_LOCATION tag can be used to specify the location of Qt's
# qhelpgenerator. If non-empty doxygen will try to run qhelpgenerator on the
# generated .qhp file.
# This tag requires that the tag GENERATE_QHP is set to YES.
-QHG_LOCATION =
+QHG_LOCATION =
# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files will be
# generated, together with the HTML files, they form an Eclipse help plugin. To
@@ -1343,7 +1397,7 @@ DISABLE_INDEX = NO
# index structure (just like the one that is generated for HTML Help). For this
# to work a browser that supports JavaScript, DHTML, CSS and frames is required
# (i.e. any modern browser). Windows users are probably better off using the
-# HTML help feature. Via custom stylesheets (see HTML_EXTRA_STYLESHEET) one can
+# HTML help feature. Via custom style sheets (see HTML_EXTRA_STYLESHEET) one can
# further fine-tune the look of the index. As an example, the default style
# sheet generated by doxygen has an example that shows how to put an image at
# the root of the tree instead of the PROJECT_NAME. Since the tree basically has
@@ -1371,7 +1425,7 @@ ENUM_VALUES_PER_LINE = 4
TREEVIEW_WIDTH = 250
-# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open links to
+# If the EXT_LINKS_IN_WINDOW option is set to YES, doxygen will open links to
# external symbols imported via tag files in a separate window.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
@@ -1400,7 +1454,7 @@ FORMULA_TRANSPARENT = YES
# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see
# http://www.mathjax.org) which uses client side Javascript for the rendering
-# instead of using prerendered bitmaps. Use this if you do not have LaTeX
+# instead of using pre-rendered bitmaps. Use this if you do not have LaTeX
# installed or if you want to formulas look prettier in the HTML output. When
# enabled you may also need to install MathJax separately and configure the path
# to it using the MATHJAX_RELPATH option.
@@ -1437,7 +1491,7 @@ MATHJAX_RELPATH = http://cdn.mathjax.org/mathjax/latest
# MATHJAX_EXTENSIONS = TeX/AMSmath TeX/AMSsymbols
# This tag requires that the tag USE_MATHJAX is set to YES.
-MATHJAX_EXTENSIONS =
+MATHJAX_EXTENSIONS =
# The MATHJAX_CODEFILE tag can be used to specify a file with javascript pieces
# of code that will be used on startup of the MathJax code. See the MathJax site
@@ -1445,7 +1499,7 @@ MATHJAX_EXTENSIONS =
# example see the documentation.
# This tag requires that the tag USE_MATHJAX is set to YES.
-MATHJAX_CODEFILE =
+MATHJAX_CODEFILE =
# When the SEARCHENGINE tag is enabled doxygen will generate a search box for
# the HTML output. The underlying search engine uses javascript and DHTML and
@@ -1470,11 +1524,11 @@ SEARCHENGINE = YES
# When the SERVER_BASED_SEARCH tag is enabled the search engine will be
# implemented using a web server instead of a web client using Javascript. There
-# are two flavours of web server based searching depending on the
-# EXTERNAL_SEARCH setting. When disabled, doxygen will generate a PHP script for
-# searching and an index file used by the script. When EXTERNAL_SEARCH is
-# enabled the indexing and searching needs to be provided by external tools. See
-# the section "External Indexing and Searching" for details.
+# are two flavors of web server based searching depending on the EXTERNAL_SEARCH
+# setting. When disabled, doxygen will generate a PHP script for searching and
+# an index file used by the script. When EXTERNAL_SEARCH is enabled the indexing
+# and searching needs to be provided by external tools. See the section
+# "External Indexing and Searching" for details.
# The default value is: NO.
# This tag requires that the tag SEARCHENGINE is set to YES.
@@ -1486,7 +1540,7 @@ SERVER_BASED_SEARCH = NO
# external search engine pointed to by the SEARCHENGINE_URL option to obtain the
# search results.
#
-# Doxygen ships with an example indexer ( doxyindexer) and search engine
+# Doxygen ships with an example indexer (doxyindexer) and search engine
# (doxysearch.cgi) which are based on the open source search engine library
# Xapian (see: http://xapian.org/).
#
@@ -1499,13 +1553,13 @@ EXTERNAL_SEARCH = NO
# The SEARCHENGINE_URL should point to a search engine hosted by a web server
# which will return the search results when EXTERNAL_SEARCH is enabled.
#
-# Doxygen ships with an example indexer ( doxyindexer) and search engine
+# Doxygen ships with an example indexer (doxyindexer) and search engine
# (doxysearch.cgi) which are based on the open source search engine library
# Xapian (see: http://xapian.org/). See the section "External Indexing and
# Searching" for details.
# This tag requires that the tag SEARCHENGINE is set to YES.
-SEARCHENGINE_URL =
+SEARCHENGINE_URL =
# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the unindexed
# search data is written to a file for indexing by an external tool. With the
@@ -1521,7 +1575,7 @@ SEARCHDATA_FILE = searchdata.xml
# projects and redirect the results back to the right project.
# This tag requires that the tag SEARCHENGINE is set to YES.
-EXTERNAL_SEARCH_ID =
+EXTERNAL_SEARCH_ID =
# The EXTRA_SEARCH_MAPPINGS tag can be used to enable searching through doxygen
# projects other than the one defined by this configuration file, but that are
@@ -1531,13 +1585,13 @@ EXTERNAL_SEARCH_ID =
# EXTRA_SEARCH_MAPPINGS = tagname1=loc1 tagname2=loc2 ...
# This tag requires that the tag SEARCHENGINE is set to YES.
-EXTRA_SEARCH_MAPPINGS =
+EXTRA_SEARCH_MAPPINGS =
#---------------------------------------------------------------------------
# Configuration options related to the LaTeX output
#---------------------------------------------------------------------------
-# If the GENERATE_LATEX tag is set to YES doxygen will generate LaTeX output.
+# If the GENERATE_LATEX tag is set to YES, doxygen will generate LaTeX output.
# The default value is: YES.
GENERATE_LATEX = YES
@@ -1568,7 +1622,7 @@ LATEX_CMD_NAME = latex
MAKEINDEX_CMD_NAME = makeindex
-# If the COMPACT_LATEX tag is set to YES doxygen generates more compact LaTeX
+# If the COMPACT_LATEX tag is set to YES, doxygen generates more compact LaTeX
# documents. This may be useful for small projects and may help to save some
# trees in general.
# The default value is: NO.
@@ -1586,13 +1640,16 @@ COMPACT_LATEX = NO
PAPER_TYPE = a4
# The EXTRA_PACKAGES tag can be used to specify one or more LaTeX package names
-# that should be included in the LaTeX output. To get the times font for
-# instance you can specify
-# EXTRA_PACKAGES=times
+# that should be included in the LaTeX output. The package can be specified just
+# by its name or with the correct syntax as to be used with the LaTeX
+# \usepackage command. To get the times font for instance you can specify :
+# EXTRA_PACKAGES=times or EXTRA_PACKAGES={times}
+# To use the option intlimits with the amsmath package you can specify:
+# EXTRA_PACKAGES=[intlimits]{amsmath}
# If left blank no extra packages will be included.
# This tag requires that the tag GENERATE_LATEX is set to YES.
-EXTRA_PACKAGES =
+EXTRA_PACKAGES =
# The LATEX_HEADER tag can be used to specify a personal LaTeX header for the
# generated LaTeX document. The header should contain everything until the first
@@ -1602,22 +1659,35 @@ EXTRA_PACKAGES =
#
# Note: Only use a user-defined header if you know what you are doing! The
# following commands have a special meaning inside the header: $title,
-# $datetime, $date, $doxygenversion, $projectname, $projectnumber. Doxygen will
-# replace them by respectively the title of the page, the current date and time,
-# only the current date, the version number of doxygen, the project name (see
-# PROJECT_NAME), or the project number (see PROJECT_NUMBER).
+# $datetime, $date, $doxygenversion, $projectname, $projectnumber,
+# $projectbrief, $projectlogo. Doxygen will replace $title with the empty
+# string, for the replacement values of the other commands the user is referred
+# to HTML_HEADER.
# This tag requires that the tag GENERATE_LATEX is set to YES.
-LATEX_HEADER =
+LATEX_HEADER =
# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for the
# generated LaTeX document. The footer should contain everything after the last
-# chapter. If it is left blank doxygen will generate a standard footer.
+# chapter. If it is left blank doxygen will generate a standard footer. See
+# LATEX_HEADER for more information on how to generate a default footer and what
+# special commands can be used inside the footer.
#
# Note: Only use a user-defined footer if you know what you are doing!
# This tag requires that the tag GENERATE_LATEX is set to YES.
-LATEX_FOOTER =
+LATEX_FOOTER =
+
+# The LATEX_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# LaTeX style sheets that are included after the standard style sheets created
+# by doxygen. Using this option one can overrule certain style aspects. Doxygen
+# will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list).
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_EXTRA_STYLESHEET =
# The LATEX_EXTRA_FILES tag can be used to specify one or more extra images or
# other source files which should be copied to the LATEX_OUTPUT output
@@ -1625,7 +1695,7 @@ LATEX_FOOTER =
# markers available.
# This tag requires that the tag GENERATE_LATEX is set to YES.
-LATEX_EXTRA_FILES =
+LATEX_EXTRA_FILES =
# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated is
# prepared for conversion to PDF (using ps2pdf or pdflatex). The PDF file will
@@ -1636,8 +1706,8 @@ LATEX_EXTRA_FILES =
PDF_HYPERLINKS = YES
-# If the LATEX_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
-# the PDF file directly from the LaTeX files. Set this option to YES to get a
+# If the USE_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
+# the PDF file directly from the LaTeX files. Set this option to YES, to get a
# higher quality PDF documentation.
# The default value is: YES.
# This tag requires that the tag GENERATE_LATEX is set to YES.
@@ -1678,11 +1748,19 @@ LATEX_SOURCE_CODE = NO
LATEX_BIB_STYLE = plain
+# If the LATEX_TIMESTAMP tag is set to YES then the footer of each generated
+# page will contain the date and time when the page was generated. Setting this
+# to NO can help when comparing the output of multiple runs.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_TIMESTAMP = NO
+
#---------------------------------------------------------------------------
# Configuration options related to the RTF output
#---------------------------------------------------------------------------
-# If the GENERATE_RTF tag is set to YES doxygen will generate RTF output. The
+# If the GENERATE_RTF tag is set to YES, doxygen will generate RTF output. The
# RTF output is optimized for Word 97 and may not look too pretty with other RTF
# readers/editors.
# The default value is: NO.
@@ -1697,7 +1775,7 @@ GENERATE_RTF = NO
RTF_OUTPUT = rtf
-# If the COMPACT_RTF tag is set to YES doxygen generates more compact RTF
+# If the COMPACT_RTF tag is set to YES, doxygen generates more compact RTF
# documents. This may be useful for small projects and may help to save some
# trees in general.
# The default value is: NO.
@@ -1725,20 +1803,30 @@ RTF_HYPERLINKS = NO
# default style sheet that doxygen normally uses.
# This tag requires that the tag GENERATE_RTF is set to YES.
-RTF_STYLESHEET_FILE =
+RTF_STYLESHEET_FILE =
# Set optional variables used in the generation of an RTF document. Syntax is
# similar to doxygen's config file. A template extensions file can be generated
# using doxygen -e rtf extensionFile.
# This tag requires that the tag GENERATE_RTF is set to YES.
-RTF_EXTENSIONS_FILE =
+RTF_EXTENSIONS_FILE =
+
+# If the RTF_SOURCE_CODE tag is set to YES then doxygen will include source code
+# with syntax highlighting in the RTF output.
+#
+# Note that which sources are shown also depends on other settings such as
+# SOURCE_BROWSER.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_SOURCE_CODE = NO
#---------------------------------------------------------------------------
# Configuration options related to the man page output
#---------------------------------------------------------------------------
-# If the GENERATE_MAN tag is set to YES doxygen will generate man pages for
+# If the GENERATE_MAN tag is set to YES, doxygen will generate man pages for
# classes and files.
# The default value is: NO.
@@ -1762,6 +1850,13 @@ MAN_OUTPUT = man
MAN_EXTENSION = .3
+# The MAN_SUBDIR tag determines the name of the directory created within
+# MAN_OUTPUT in which the man pages are placed. If defaults to man followed by
+# MAN_EXTENSION with the initial . removed.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_SUBDIR =
+
# If the MAN_LINKS tag is set to YES and doxygen generates man output, then it
# will generate one additional man file for each entity documented in the real
# man page(s). These additional files only source the real man page, but without
@@ -1775,7 +1870,7 @@ MAN_LINKS = NO
# Configuration options related to the XML output
#---------------------------------------------------------------------------
-# If the GENERATE_XML tag is set to YES doxygen will generate an XML file that
+# If the GENERATE_XML tag is set to YES, doxygen will generate an XML file that
# captures the structure of the code including all documentation.
# The default value is: NO.
@@ -1789,19 +1884,7 @@ GENERATE_XML = NO
XML_OUTPUT = xml
-# The XML_SCHEMA tag can be used to specify a XML schema, which can be used by a
-# validating XML parser to check the syntax of the XML files.
-# This tag requires that the tag GENERATE_XML is set to YES.
-
-XML_SCHEMA =
-
-# The XML_DTD tag can be used to specify a XML DTD, which can be used by a
-# validating XML parser to check the syntax of the XML files.
-# This tag requires that the tag GENERATE_XML is set to YES.
-
-XML_DTD =
-
-# If the XML_PROGRAMLISTING tag is set to YES doxygen will dump the program
+# If the XML_PROGRAMLISTING tag is set to YES, doxygen will dump the program
# listings (including syntax highlighting and cross-referencing information) to
# the XML output. Note that enabling this will significantly increase the size
# of the XML output.
@@ -1814,7 +1897,7 @@ XML_PROGRAMLISTING = YES
# Configuration options related to the DOCBOOK output
#---------------------------------------------------------------------------
-# If the GENERATE_DOCBOOK tag is set to YES doxygen will generate Docbook files
+# If the GENERATE_DOCBOOK tag is set to YES, doxygen will generate Docbook files
# that can be used to generate PDF.
# The default value is: NO.
@@ -1828,14 +1911,23 @@ GENERATE_DOCBOOK = NO
DOCBOOK_OUTPUT = docbook
+# If the DOCBOOK_PROGRAMLISTING tag is set to YES, doxygen will include the
+# program listings (including syntax highlighting and cross-referencing
+# information) to the DOCBOOK output. Note that enabling this will significantly
+# increase the size of the DOCBOOK output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_DOCBOOK is set to YES.
+
+DOCBOOK_PROGRAMLISTING = NO
+
#---------------------------------------------------------------------------
# Configuration options for the AutoGen Definitions output
#---------------------------------------------------------------------------
-# If the GENERATE_AUTOGEN_DEF tag is set to YES doxygen will generate an AutoGen
-# Definitions (see http://autogen.sf.net) file that captures the structure of
-# the code including all documentation. Note that this feature is still
-# experimental and incomplete at the moment.
+# If the GENERATE_AUTOGEN_DEF tag is set to YES, doxygen will generate an
+# AutoGen Definitions (see http://autogen.sf.net) file that captures the
+# structure of the code including all documentation. Note that this feature is
+# still experimental and incomplete at the moment.
# The default value is: NO.
GENERATE_AUTOGEN_DEF = NO
@@ -1844,7 +1936,7 @@ GENERATE_AUTOGEN_DEF = NO
# Configuration options related to the Perl module output
#---------------------------------------------------------------------------
-# If the GENERATE_PERLMOD tag is set to YES doxygen will generate a Perl module
+# If the GENERATE_PERLMOD tag is set to YES, doxygen will generate a Perl module
# file that captures the structure of the code including all documentation.
#
# Note that this feature is still experimental and incomplete at the moment.
@@ -1852,7 +1944,7 @@ GENERATE_AUTOGEN_DEF = NO
GENERATE_PERLMOD = NO
-# If the PERLMOD_LATEX tag is set to YES doxygen will generate the necessary
+# If the PERLMOD_LATEX tag is set to YES, doxygen will generate the necessary
# Makefile rules, Perl scripts and LaTeX code to be able to generate PDF and DVI
# output from the Perl module output.
# The default value is: NO.
@@ -1860,9 +1952,9 @@ GENERATE_PERLMOD = NO
PERLMOD_LATEX = NO
-# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be nicely
+# If the PERLMOD_PRETTY tag is set to YES, the Perl module output will be nicely
# formatted so it can be parsed by a human reader. This is useful if you want to
-# understand what is going on. On the other hand, if this tag is set to NO the
+# understand what is going on. On the other hand, if this tag is set to NO, the
# size of the Perl module output will be much smaller and Perl will parse it
# just the same.
# The default value is: YES.
@@ -1876,20 +1968,20 @@ PERLMOD_PRETTY = YES
# overwrite each other's variables.
# This tag requires that the tag GENERATE_PERLMOD is set to YES.
-PERLMOD_MAKEVAR_PREFIX =
+PERLMOD_MAKEVAR_PREFIX =
#---------------------------------------------------------------------------
# Configuration options related to the preprocessor
#---------------------------------------------------------------------------
-# If the ENABLE_PREPROCESSING tag is set to YES doxygen will evaluate all
+# If the ENABLE_PREPROCESSING tag is set to YES, doxygen will evaluate all
# C-preprocessor directives found in the sources and include files.
# The default value is: YES.
ENABLE_PREPROCESSING = YES
-# If the MACRO_EXPANSION tag is set to YES doxygen will expand all macro names
-# in the source code. If set to NO only conditional compilation will be
+# If the MACRO_EXPANSION tag is set to YES, doxygen will expand all macro names
+# in the source code. If set to NO, only conditional compilation will be
# performed. Macro expansion can be done in a controlled way by setting
# EXPAND_ONLY_PREDEF to YES.
# The default value is: NO.
@@ -1905,7 +1997,7 @@ MACRO_EXPANSION = NO
EXPAND_ONLY_PREDEF = NO
-# If the SEARCH_INCLUDES tag is set to YES the includes files in the
+# If the SEARCH_INCLUDES tag is set to YES, the include files in the
# INCLUDE_PATH will be searched if a #include is found.
# The default value is: YES.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
@@ -1917,7 +2009,7 @@ SEARCH_INCLUDES = YES
# preprocessor.
# This tag requires that the tag SEARCH_INCLUDES is set to YES.
-INCLUDE_PATH = "apache2"
+INCLUDE_PATH = "../apache2"
# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
# patterns (like *.h and *.hpp) to filter out the header-files in the
@@ -1925,7 +2017,7 @@ INCLUDE_PATH = "apache2"
# used.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
-INCLUDE_FILE_PATTERNS =
+INCLUDE_FILE_PATTERNS =
# The PREDEFINED tag can be used to specify one or more macro names that are
# defined before the preprocessor is started (similar to the -D option of e.g.
@@ -1935,7 +2027,7 @@ INCLUDE_FILE_PATTERNS =
# recursively expanded use the := operator instead of the = operator.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
-PREDEFINED =
+PREDEFINED =
# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
# tag can be used to specify a list of macro names that should be expanded. The
@@ -1944,12 +2036,12 @@ PREDEFINED =
# definition found in the source code.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
-EXPAND_AS_DEFINED =
+EXPAND_AS_DEFINED =
# If the SKIP_FUNCTION_MACROS tag is set to YES then doxygen's preprocessor will
-# remove all refrences to function-like macros that are alone on a line, have an
-# all uppercase name, and do not end with a semicolon. Such function macros are
-# typically used for boiler-plate code, and will confuse the parser if not
+# remove all references to function-like macros that are alone on a line, have
+# an all uppercase name, and do not end with a semicolon. Such function macros
+# are typically used for boiler-plate code, and will confuse the parser if not
# removed.
# The default value is: YES.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
@@ -1969,32 +2061,33 @@ SKIP_FUNCTION_MACROS = YES
# where loc1 and loc2 can be relative or absolute paths or URLs. See the
# section "Linking to external documentation" for more information about the use
# of tag files.
-# Note: Each tag file must have an unique name (where the name does NOT include
+# Note: Each tag file must have a unique name (where the name does NOT include
# the path). If a tag file is not located in the directory in which doxygen is
# run, you must also specify the path to the tagfile here.
-TAGFILES =
+TAGFILES =
# When a file name is specified after GENERATE_TAGFILE, doxygen will create a
# tag file that is based on the input files it reads. See section "Linking to
# external documentation" for more information about the usage of tag files.
-GENERATE_TAGFILE =
+GENERATE_TAGFILE =
-# If the ALLEXTERNALS tag is set to YES all external class will be listed in the
-# class index. If set to NO only the inherited external classes will be listed.
+# If the ALLEXTERNALS tag is set to YES, all external class will be listed in
+# the class index. If set to NO, only the inherited external classes will be
+# listed.
# The default value is: NO.
ALLEXTERNALS = NO
-# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed in
-# the modules index. If set to NO, only the current project's groups will be
+# If the EXTERNAL_GROUPS tag is set to YES, all external groups will be listed
+# in the modules index. If set to NO, only the current project's groups will be
# listed.
# The default value is: YES.
EXTERNAL_GROUPS = YES
-# If the EXTERNAL_PAGES tag is set to YES all external pages will be listed in
+# If the EXTERNAL_PAGES tag is set to YES, all external pages will be listed in
# the related pages index. If set to NO, only the current project's pages will
# be listed.
# The default value is: YES.
@@ -2011,7 +2104,7 @@ PERL_PATH = /usr/bin/perl
# Configuration options related to the dot tool
#---------------------------------------------------------------------------
-# If the CLASS_DIAGRAMS tag is set to YES doxygen will generate a class diagram
+# If the CLASS_DIAGRAMS tag is set to YES, doxygen will generate a class diagram
# (in HTML and LaTeX) for classes with base or super classes. Setting the tag to
# NO turns the diagrams off. Note that this option also works with HAVE_DOT
# disabled, but it is recommended to install and use dot, since it yields more
@@ -2027,16 +2120,16 @@ CLASS_DIAGRAMS = YES
# the mscgen tool resides. If left empty the tool is assumed to be found in the
# default search path.
-MSCGEN_PATH =
+MSCGEN_PATH =
# You can include diagrams made with dia in doxygen documentation. Doxygen will
# then run dia to produce the diagram and insert it in the documentation. The
# DIA_PATH tag allows you to specify the directory where the dia binary resides.
# If left empty dia is assumed to be found in the default search path.
-DIA_PATH =
+DIA_PATH =
-# If set to YES, the inheritance and collaboration graphs will hide inheritance
+# If set to YES the inheritance and collaboration graphs will hide inheritance
# and usage relations if the target is undocumented or is not a class.
# The default value is: YES.
@@ -2049,7 +2142,7 @@ HIDE_UNDOC_RELATIONS = YES
# set to NO
# The default value is: NO.
-HAVE_DOT = YES
+HAVE_DOT = NO
# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is allowed
# to run in parallel. When set to 0 doxygen will base this on the number of
@@ -2061,7 +2154,7 @@ HAVE_DOT = YES
DOT_NUM_THREADS = 0
-# When you want a differently looking font n the dot files that doxygen
+# When you want a differently looking font in the dot files that doxygen
# generates you can specify the font name using DOT_FONTNAME. You need to make
# sure dot is able to find the font, which can be done by putting it in a
# standard location or by setting the DOTFONTPATH environment variable or by
@@ -2083,7 +2176,7 @@ DOT_FONTSIZE = 10
# the path where dot can find it using this tag.
# This tag requires that the tag HAVE_DOT is set to YES.
-DOT_FONTPATH =
+DOT_FONTPATH =
# If the CLASS_GRAPH tag is set to YES then doxygen will generate a graph for
# each documented class showing the direct and indirect inheritance relations.
@@ -2109,7 +2202,7 @@ COLLABORATION_GRAPH = YES
GROUP_GRAPHS = YES
-# If the UML_LOOK tag is set to YES doxygen will generate inheritance and
+# If the UML_LOOK tag is set to YES, doxygen will generate inheritance and
# collaboration diagrams in a style similar to the OMG's Unified Modeling
# Language.
# The default value is: NO.
@@ -2161,7 +2254,8 @@ INCLUDED_BY_GRAPH = YES
#
# Note that enabling this option will significantly increase the time of a run.
# So in most cases it will be better to enable call graphs for selected
-# functions only using the \callgraph command.
+# functions only using the \callgraph command. Disabling a call graph can be
+# accomplished by means of the command \hidecallgraph.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
@@ -2172,7 +2266,8 @@ CALL_GRAPH = YES
#
# Note that enabling this option will significantly increase the time of a run.
# So in most cases it will be better to enable caller graphs for selected
-# functions only using the \callergraph command.
+# functions only using the \callergraph command. Disabling a caller graph can be
+# accomplished by means of the command \hidecallergraph.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
@@ -2195,11 +2290,15 @@ GRAPHICAL_HIERARCHY = YES
DIRECTORY_GRAPH = YES
# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
-# generated by dot.
+# generated by dot. For an explanation of the image formats see the section
+# output formats in the documentation of the dot tool (Graphviz (see:
+# http://www.graphviz.org/)).
# Note: If you choose svg you need to set HTML_FILE_EXTENSION to xhtml in order
# to make the SVG files visible in IE 9+ (other browsers do not have this
# requirement).
-# Possible values are: png, jpg, gif and svg.
+# Possible values are: png, jpg, gif, svg, png:gd, png:gd:gd, png:cairo,
+# png:cairo:gd, png:cairo:cairo, png:cairo:gdiplus, png:gdiplus and
+# png:gdiplus:gdiplus.
# The default value is: png.
# This tag requires that the tag HAVE_DOT is set to YES.
@@ -2221,26 +2320,44 @@ INTERACTIVE_SVG = YES
# found. If left blank, it is assumed the dot tool can be found in the path.
# This tag requires that the tag HAVE_DOT is set to YES.
-DOT_PATH =
+DOT_PATH =
# The DOTFILE_DIRS tag can be used to specify one or more directories that
# contain dot files that are included in the documentation (see the \dotfile
# command).
# This tag requires that the tag HAVE_DOT is set to YES.
-DOTFILE_DIRS =
+DOTFILE_DIRS =
# The MSCFILE_DIRS tag can be used to specify one or more directories that
# contain msc files that are included in the documentation (see the \mscfile
# command).
-MSCFILE_DIRS =
+MSCFILE_DIRS =
# The DIAFILE_DIRS tag can be used to specify one or more directories that
# contain dia files that are included in the documentation (see the \diafile
# command).
-DIAFILE_DIRS =
+DIAFILE_DIRS =
+
+# When using plantuml, the PLANTUML_JAR_PATH tag should be used to specify the
+# path where java can find the plantuml.jar file. If left blank, it is assumed
+# PlantUML is not used or called during a preprocessing step. Doxygen will
+# generate a warning when it encounters a \startuml command in this case and
+# will not generate output for the diagram.
+
+PLANTUML_JAR_PATH =
+
+# When using plantuml, the PLANTUML_CFG_FILE tag can be used to specify a
+# configuration file for plantuml.
+
+PLANTUML_CFG_FILE =
+
+# When using plantuml, the specified paths are searched for files specified by
+# the !include statement in a plantuml block.
+
+PLANTUML_INCLUDE_PATH =
# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of nodes
# that will be shown in the graph. If the number of nodes in a graph becomes
@@ -2278,7 +2395,7 @@ MAX_DOT_GRAPH_DEPTH = 0
DOT_TRANSPARENT = NO
-# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output
+# Set the DOT_MULTI_TARGETS tag to YES to allow dot to generate multiple output
# files in one run (i.e. multiple -o and -T options on the command line). This
# makes dot run faster, but since only newer versions of dot (>1.8.10) support
# this, this feature is disabled by default.
@@ -2295,7 +2412,7 @@ DOT_MULTI_TARGETS = YES
GENERATE_LEGEND = YES
-# If the DOT_CLEANUP tag is set to YES doxygen will remove the intermediate dot
+# If the DOT_CLEANUP tag is set to YES, doxygen will remove the intermediate dot
# files that are used to generate the various graphs.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
diff --git a/doc/doxygen-iis.conf b/doc/doxygen-iis.in
similarity index 84%
rename from doc/doxygen-iis.conf
rename to doc/doxygen-iis.in
index 5a6d9d3661..9b0d5d83ff 100644
--- a/doc/doxygen-iis.conf
+++ b/doc/doxygen-iis.in
@@ -1,4 +1,4 @@
-# Doxyfile 1.8.6
+# Doxyfile 1.8.13
# This file describes the settings to be used by the documentation system
# doxygen (www.doxygen.org) for a project.
@@ -38,7 +38,7 @@ PROJECT_NAME = "ModSecurity (IIS)"
# could be handy for archiving the generated documentation or if some version
# control system is used.
-PROJECT_NUMBER =
+PROJECT_NUMBER =
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
@@ -46,21 +46,21 @@ PROJECT_NUMBER =
PROJECT_BRIEF = "ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence."
-# With the PROJECT_LOGO tag one can specify an logo or icon that is included in
-# the documentation. The maximum height of the logo should not exceed 55 pixels
-# and the maximum width should not exceed 200 pixels. Doxygen will copy the logo
-# to the output directory.
+# With the PROJECT_LOGO tag one can specify a logo or an icon that is included
+# in the documentation. The maximum height of the logo should not exceed 55
+# pixels and the maximum width should not exceed 200 pixels. Doxygen will copy
+# the logo to the output directory.
-PROJECT_LOGO = ./doc/doxygen-logo.png
+PROJECT_LOGO = ./doxygen-logo.png
# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) path
# into which the generated documentation will be written. If a relative path is
# entered, it will be relative to the location where doxygen was started. If
# left blank the current directory will be used.
-OUTPUT_DIRECTORY = doc/iis
+OUTPUT_DIRECTORY = iis
-# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 4096 sub-
+# If the CREATE_SUBDIRS tag is set to YES then doxygen will create 4096 sub-
# directories (in 2 levels) under the output directory of each output format and
# will distribute the generated files over these directories. Enabling this
# option can be useful when feeding doxygen a huge amount of source files, where
@@ -70,6 +70,14 @@ OUTPUT_DIRECTORY = doc/iis
CREATE_SUBDIRS = YES
+# If the ALLOW_UNICODE_NAMES tag is set to YES, doxygen will allow non-ASCII
+# characters to appear in the names of generated files. If set to NO, non-ASCII
+# characters will be escaped, for example _xE3_x81_x84 will be used for Unicode
+# U+3044.
+# The default value is: NO.
+
+ALLOW_UNICODE_NAMES = NO
+
# The OUTPUT_LANGUAGE tag is used to specify the language in which all
# documentation generated by doxygen is written. Doxygen will use this
# information to generate all constant output in the proper language.
@@ -85,14 +93,14 @@ CREATE_SUBDIRS = YES
OUTPUT_LANGUAGE = English
-# If the BRIEF_MEMBER_DESC tag is set to YES doxygen will include brief member
+# If the BRIEF_MEMBER_DESC tag is set to YES, doxygen will include brief member
# descriptions after the members that are listed in the file and class
# documentation (similar to Javadoc). Set to NO to disable this.
# The default value is: YES.
BRIEF_MEMBER_DESC = YES
-# If the REPEAT_BRIEF tag is set to YES doxygen will prepend the brief
+# If the REPEAT_BRIEF tag is set to YES, doxygen will prepend the brief
# description of a member or function before the detailed description
#
# Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
@@ -110,7 +118,7 @@ REPEAT_BRIEF = YES
# the entity):The $name class, The $name widget, The $name file, is, provides,
# specifies, contains, represents, a, an and the.
-ABBREVIATE_BRIEF =
+ABBREVIATE_BRIEF =
# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then
# doxygen will generate a detailed section even if there is only a brief
@@ -127,7 +135,7 @@ ALWAYS_DETAILED_SEC = NO
INLINE_INHERITED_MEMB = NO
-# If the FULL_PATH_NAMES tag is set to YES doxygen will prepend the full path
+# If the FULL_PATH_NAMES tag is set to YES, doxygen will prepend the full path
# before files name in the file list and in the header files. If set to NO the
# shortest path that makes the file name unique will be used
# The default value is: YES.
@@ -144,7 +152,7 @@ FULL_PATH_NAMES = YES
# will be relative from the directory where doxygen is started.
# This tag requires that the tag FULL_PATH_NAMES is set to YES.
-STRIP_FROM_PATH =
+STRIP_FROM_PATH =
# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of the
# path mentioned in the documentation of a class, which tells the reader which
@@ -153,7 +161,7 @@ STRIP_FROM_PATH =
# specify the list of include paths that are normally passed to the compiler
# using the -I flag.
-STRIP_FROM_INC_PATH =
+STRIP_FROM_INC_PATH =
# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter (but
# less readable) file names. This can be useful is your file systems doesn't
@@ -197,9 +205,9 @@ MULTILINE_CPP_IS_BRIEF = NO
INHERIT_DOCS = YES
-# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce a
-# new page for each member. If set to NO, the documentation of a member will be
-# part of the file/class/namespace that contains it.
+# If the SEPARATE_MEMBER_PAGES tag is set to YES then doxygen will produce a new
+# page for each member. If set to NO, the documentation of a member will be part
+# of the file/class/namespace that contains it.
# The default value is: NO.
SEPARATE_MEMBER_PAGES = NO
@@ -220,13 +228,13 @@ TAB_SIZE = 4
# "Side Effects:". You can put \n's in the value part of an alias to insert
# newlines.
-ALIASES =
+ALIASES =
# This tag can be used to specify a number of word-keyword mappings (TCL only).
# A mapping has the form "name=value". For example adding "class=itcl::class"
# will allow you to use the command class in the itcl::class meaning.
-TCL_SUBST =
+TCL_SUBST =
# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources
# only. Doxygen will then generate output that is more tailored for C. For
@@ -261,16 +269,19 @@ OPTIMIZE_OUTPUT_VHDL = NO
# extension. Doxygen has a built-in mapping, but you can override or extend it
# using this tag. The format is ext=language, where ext is a file extension, and
# language is one of the parsers supported by doxygen: IDL, Java, Javascript,
-# C#, C, C++, D, PHP, Objective-C, Python, Fortran, VHDL. For instance to make
-# doxygen treat .inc files as Fortran files (default is PHP), and .f files as C
-# (default is Fortran), use: inc=Fortran f=C.
+# C#, C, C++, D, PHP, Objective-C, Python, Fortran (fixed format Fortran:
+# FortranFixed, free formatted Fortran: FortranFree, unknown formatted Fortran:
+# Fortran. In the later case the parser tries to guess whether the code is fixed
+# or free formatted code, this is the default for Fortran type files), VHDL. For
+# instance to make doxygen treat .inc files as Fortran files (default is PHP),
+# and .f files as C (default is Fortran), use: inc=Fortran f=C.
#
-# Note For files without extension you can use no_extension as a placeholder.
+# Note: For files without extension you can use no_extension as a placeholder.
#
# Note that for custom extensions you also need to set FILE_PATTERNS otherwise
# the files are not read by doxygen.
-EXTENSION_MAPPING =
+EXTENSION_MAPPING =
# If the MARKDOWN_SUPPORT tag is enabled then doxygen pre-processes all comments
# according to the Markdown format, which allows for more readable
@@ -282,10 +293,19 @@ EXTENSION_MAPPING =
MARKDOWN_SUPPORT = YES
+# When the TOC_INCLUDE_HEADINGS tag is set to a non-zero value, all headings up
+# to that level are automatically included in the table of contents, even if
+# they do not have an id attribute.
+# Note: This feature currently applies only to Markdown headings.
+# Minimum value: 0, maximum value: 99, default value: 0.
+# This tag requires that the tag MARKDOWN_SUPPORT is set to YES.
+
+TOC_INCLUDE_HEADINGS = 0
+
# When enabled doxygen tries to link words that correspond to documented
# classes, or namespaces to their corresponding documentation. Such a link can
-# be prevented in individual cases by by putting a % sign in front of the word
-# or globally by setting AUTOLINK_SUPPORT to NO.
+# be prevented in individual cases by putting a % sign in front of the word or
+# globally by setting AUTOLINK_SUPPORT to NO.
# The default value is: YES.
AUTOLINK_SUPPORT = YES
@@ -325,13 +345,20 @@ SIP_SUPPORT = NO
IDL_PROPERTY_SUPPORT = YES
# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
-# tag is set to YES, then doxygen will reuse the documentation of the first
+# tag is set to YES then doxygen will reuse the documentation of the first
# member in the group (if any) for the other members of the group. By default
# all members of a group must be documented explicitly.
# The default value is: NO.
DISTRIBUTE_GROUP_DOC = NO
+# If one adds a struct or class to a group and this option is enabled, then also
+# any nested class or struct is added to the same group. By default this option
+# is disabled and one has to add nested compounds explicitly via \ingroup.
+# The default value is: NO.
+
+GROUP_NESTED_COMPOUNDS = NO
+
# Set the SUBGROUPING tag to YES to allow class member groups of the same type
# (for instance a group of public functions) to be put as a subgroup of that
# type (e.g. under the Public Functions section). Set it to NO to prevent
@@ -390,7 +417,7 @@ LOOKUP_CACHE_SIZE = 0
# Build related configuration options
#---------------------------------------------------------------------------
-# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in
+# If the EXTRACT_ALL tag is set to YES, doxygen will assume all entities in
# documentation are documented, even if no documentation was available. Private
# class members and static file members will be hidden unless the
# EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES.
@@ -400,35 +427,35 @@ LOOKUP_CACHE_SIZE = 0
EXTRACT_ALL = YES
-# If the EXTRACT_PRIVATE tag is set to YES all private members of a class will
+# If the EXTRACT_PRIVATE tag is set to YES, all private members of a class will
# be included in the documentation.
# The default value is: NO.
EXTRACT_PRIVATE = NO
-# If the EXTRACT_PACKAGE tag is set to YES all members with package or internal
+# If the EXTRACT_PACKAGE tag is set to YES, all members with package or internal
# scope will be included in the documentation.
# The default value is: NO.
EXTRACT_PACKAGE = NO
-# If the EXTRACT_STATIC tag is set to YES all static members of a file will be
+# If the EXTRACT_STATIC tag is set to YES, all static members of a file will be
# included in the documentation.
# The default value is: NO.
EXTRACT_STATIC = NO
-# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) defined
-# locally in source files will be included in the documentation. If set to NO
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES, classes (and structs) defined
+# locally in source files will be included in the documentation. If set to NO,
# only classes defined in header files are included. Does not have any effect
# for Java sources.
# The default value is: YES.
EXTRACT_LOCAL_CLASSES = YES
-# This flag is only useful for Objective-C code. When set to YES local methods,
+# This flag is only useful for Objective-C code. If set to YES, local methods,
# which are defined in the implementation section but not in the interface are
-# included in the documentation. If set to NO only methods in the interface are
+# included in the documentation. If set to NO, only methods in the interface are
# included.
# The default value is: NO.
@@ -453,21 +480,21 @@ HIDE_UNDOC_MEMBERS = NO
# If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all
# undocumented classes that are normally visible in the class hierarchy. If set
-# to NO these classes will be included in the various overviews. This option has
-# no effect if EXTRACT_ALL is enabled.
+# to NO, these classes will be included in the various overviews. This option
+# has no effect if EXTRACT_ALL is enabled.
# The default value is: NO.
HIDE_UNDOC_CLASSES = NO
# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend
-# (class|struct|union) declarations. If set to NO these declarations will be
+# (class|struct|union) declarations. If set to NO, these declarations will be
# included in the documentation.
# The default value is: NO.
HIDE_FRIEND_COMPOUNDS = NO
# If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any
-# documentation blocks found inside the body of a function. If set to NO these
+# documentation blocks found inside the body of a function. If set to NO, these
# blocks will be appended to the function's detailed documentation block.
# The default value is: NO.
@@ -481,7 +508,7 @@ HIDE_IN_BODY_DOCS = NO
INTERNAL_DOCS = NO
# If the CASE_SENSE_NAMES tag is set to NO then doxygen will only generate file
-# names in lower-case letters. If set to YES upper-case letters are also
+# names in lower-case letters. If set to YES, upper-case letters are also
# allowed. This is useful if you have classes or files whose names only differ
# in case and if your file system supports case sensitive file names. Windows
# and Mac users are advised to set this option to NO.
@@ -490,12 +517,19 @@ INTERNAL_DOCS = NO
CASE_SENSE_NAMES = YES
# If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with
-# their full class and namespace scopes in the documentation. If set to YES the
+# their full class and namespace scopes in the documentation. If set to YES, the
# scope will be hidden.
# The default value is: NO.
HIDE_SCOPE_NAMES = YES
+# If the HIDE_COMPOUND_REFERENCE tag is set to NO (default) then doxygen will
+# append additional text to a page's title, such as Class Reference. If set to
+# YES the compound reference will be hidden.
+# The default value is: NO.
+
+HIDE_COMPOUND_REFERENCE= NO
+
# If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of
# the files that are included by a file in the documentation of that file.
# The default value is: YES.
@@ -523,14 +557,14 @@ INLINE_INFO = YES
# If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the
# (detailed) documentation of file and class members alphabetically by member
-# name. If set to NO the members will appear in declaration order.
+# name. If set to NO, the members will appear in declaration order.
# The default value is: YES.
SORT_MEMBER_DOCS = YES
# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief
# descriptions of file, namespace and class members alphabetically by member
-# name. If set to NO the members will appear in declaration order. Note that
+# name. If set to NO, the members will appear in declaration order. Note that
# this will also influence the order of the classes in the class list.
# The default value is: NO.
@@ -575,27 +609,25 @@ SORT_BY_SCOPE_NAME = NO
STRICT_PROTO_MATCHING = NO
-# The GENERATE_TODOLIST tag can be used to enable ( YES) or disable ( NO) the
-# todo list. This list is created by putting \todo commands in the
-# documentation.
+# The GENERATE_TODOLIST tag can be used to enable (YES) or disable (NO) the todo
+# list. This list is created by putting \todo commands in the documentation.
# The default value is: YES.
GENERATE_TODOLIST = YES
-# The GENERATE_TESTLIST tag can be used to enable ( YES) or disable ( NO) the
-# test list. This list is created by putting \test commands in the
-# documentation.
+# The GENERATE_TESTLIST tag can be used to enable (YES) or disable (NO) the test
+# list. This list is created by putting \test commands in the documentation.
# The default value is: YES.
GENERATE_TESTLIST = YES
-# The GENERATE_BUGLIST tag can be used to enable ( YES) or disable ( NO) the bug
+# The GENERATE_BUGLIST tag can be used to enable (YES) or disable (NO) the bug
# list. This list is created by putting \bug commands in the documentation.
# The default value is: YES.
GENERATE_BUGLIST = YES
-# The GENERATE_DEPRECATEDLIST tag can be used to enable ( YES) or disable ( NO)
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or disable (NO)
# the deprecated list. This list is created by putting \deprecated commands in
# the documentation.
# The default value is: YES.
@@ -606,7 +638,7 @@ GENERATE_DEPRECATEDLIST= YES
# sections, marked by \if <section_label> ... \endif and \cond <section_label>
# ... \endcond blocks.
-ENABLED_SECTIONS =
+ENABLED_SECTIONS =
# The MAX_INITIALIZER_LINES tag determines the maximum number of lines that the
# initial value of a variable or macro / define can have for it to appear in the
@@ -620,8 +652,8 @@ ENABLED_SECTIONS =
MAX_INITIALIZER_LINES = 30
# Set the SHOW_USED_FILES tag to NO to disable the list of files generated at
-# the bottom of the documentation of classes and structs. If set to YES the list
-# will mention the files that were used to generate the documentation.
+# the bottom of the documentation of classes and structs. If set to YES, the
+# list will mention the files that were used to generate the documentation.
# The default value is: YES.
SHOW_USED_FILES = YES
@@ -648,7 +680,7 @@ SHOW_NAMESPACES = YES
# by doxygen. Whatever the program writes to standard output is used as the file
# version. For an example see the documentation.
-FILE_VERSION_FILTER =
+FILE_VERSION_FILTER =
# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
# by doxygen. The layout file controls the global structure of the generated
@@ -661,7 +693,7 @@ FILE_VERSION_FILTER =
# DoxygenLayout.xml, doxygen will parse it automatically even if the LAYOUT_FILE
# tag is left empty.
-LAYOUT_FILE =
+LAYOUT_FILE =
# The CITE_BIB_FILES tag can be used to specify one or more bib files containing
# the reference definitions. This must be a list of .bib files. The .bib
@@ -669,10 +701,9 @@ LAYOUT_FILE =
# to be installed. See also http://en.wikipedia.org/wiki/BibTeX for more info.
# For LaTeX the style of the bibliography can be controlled using
# LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the
-# search path. Do not use file names with spaces, bibtex cannot handle them. See
-# also \cite for info how to create references.
+# search path. See also \cite for info how to create references.
-CITE_BIB_FILES =
+CITE_BIB_FILES =
#---------------------------------------------------------------------------
# Configuration options related to warning and progress messages
@@ -686,7 +717,7 @@ CITE_BIB_FILES =
QUIET = NO
# The WARNINGS tag can be used to turn on/off the warning messages that are
-# generated to standard error ( stderr) by doxygen. If WARNINGS is set to YES
+# generated to standard error (stderr) by doxygen. If WARNINGS is set to YES
# this implies that the warnings are on.
#
# Tip: Turn warnings on while writing the documentation.
@@ -694,7 +725,7 @@ QUIET = NO
WARNINGS = YES
-# If the WARN_IF_UNDOCUMENTED tag is set to YES, then doxygen will generate
+# If the WARN_IF_UNDOCUMENTED tag is set to YES then doxygen will generate
# warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag
# will automatically be disabled.
# The default value is: YES.
@@ -711,12 +742,18 @@ WARN_IF_DOC_ERROR = YES
# This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that
# are documented, but have no documentation for their parameters or return
-# value. If set to NO doxygen will only warn about wrong or incomplete parameter
-# documentation, but not about the absence of documentation.
+# value. If set to NO, doxygen will only warn about wrong or incomplete
+# parameter documentation, but not about the absence of documentation.
# The default value is: NO.
WARN_NO_PARAMDOC = NO
+# If the WARN_AS_ERROR tag is set to YES then doxygen will immediately stop when
+# a warning is encountered.
+# The default value is: NO.
+
+WARN_AS_ERROR = NO
+
# The WARN_FORMAT tag determines the format of the warning messages that doxygen
# can produce. The string should contain the $file, $line, and $text tags, which
# will be replaced by the file and line number from which the warning originated
@@ -731,7 +768,7 @@ WARN_FORMAT = "$file:$line: $text"
# messages should be written. If left blank the output is written to standard
# error (stderr).
-WARN_LOGFILE =
+WARN_LOGFILE =
#---------------------------------------------------------------------------
# Configuration options related to the input files
@@ -740,10 +777,10 @@ WARN_LOGFILE =
# The INPUT tag is used to specify the files and/or directories that contain
# documented source files. You may enter file names like myfile.cpp or
# directories like /usr/src/myproject. Separate the files or directories with
-# spaces.
+# spaces. See also FILE_PATTERNS and EXTENSION_MAPPING
# Note: If this tag is empty the current directory is searched.
-INPUT = iis
+INPUT = ../iis
# This tag can be used to specify the character encoding of the source files
# that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses
@@ -756,14 +793,19 @@ INPUT_ENCODING = UTF-8
# If the value of the INPUT tag contains directories, you can use the
# FILE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and
-# *.h) to filter out the source-files in the directories. If left blank the
-# following patterns are tested:*.c, *.cc, *.cxx, *.cpp, *.c++, *.java, *.ii,
-# *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h, *.hh, *.hxx, *.hpp,
-# *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc, *.m, *.markdown,
-# *.md, *.mm, *.dox, *.py, *.f90, *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf,
-# *.qsf, *.as and *.js.
+# *.h) to filter out the source-files in the directories.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# read by doxygen.
+#
+# If left blank the following patterns are tested:*.c, *.cc, *.cxx, *.cpp,
+# *.c++, *.java, *.ii, *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h,
+# *.hh, *.hxx, *.hpp, *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc,
+# *.m, *.markdown, *.md, *.mm, *.dox, *.py, *.pyw, *.f90, *.f95, *.f03, *.f08,
+# *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf and *.qsf.
-FILE_PATTERNS =
+FILE_PATTERNS =
# The RECURSIVE tag can be used to specify whether or not subdirectories should
# be searched for input files as well.
@@ -778,7 +820,7 @@ RECURSIVE = YES
# Note that relative paths are relative to the directory from which doxygen is
# run.
-EXCLUDE =
+EXCLUDE =
# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
# directories that are symbolic links (a Unix file system feature) are excluded
@@ -794,7 +836,7 @@ EXCLUDE_SYMLINKS = NO
# Note that the wildcards are matched against the file with absolute path, so to
# exclude all test directories for example use the pattern */test/*
-EXCLUDE_PATTERNS =
+EXCLUDE_PATTERNS =
# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
# (namespaces, classes, functions, etc.) that should be excluded from the
@@ -805,20 +847,20 @@ EXCLUDE_PATTERNS =
# Note that the wildcards are matched against the file with absolute path, so to
# exclude all test directories use the pattern */test/*
-EXCLUDE_SYMBOLS =
+EXCLUDE_SYMBOLS =
# The EXAMPLE_PATH tag can be used to specify one or more files or directories
# that contain example code fragments that are included (see the \include
# command).
-EXAMPLE_PATH =
+EXAMPLE_PATH =
# If the value of the EXAMPLE_PATH tag contains directories, you can use the
# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp and
# *.h) to filter out the source-files in the directories. If left blank all
# files are included.
-EXAMPLE_PATTERNS =
+EXAMPLE_PATTERNS =
# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
# searched for input files to be used with the \include or \dontinclude commands
@@ -831,7 +873,7 @@ EXAMPLE_RECURSIVE = NO
# that contain images that are to be included in the documentation (see the
# \image command).
-IMAGE_PATH =
+IMAGE_PATH =
# The INPUT_FILTER tag can be used to specify a program that doxygen should
# invoke to filter for each input file. Doxygen will invoke the filter program
@@ -847,8 +889,12 @@ IMAGE_PATH =
# Note that the filter must not add or remove lines; it is applied before the
# code is scanned, but not when the output code is generated. If lines are added
# or removed, the anchors will not be placed correctly.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
-INPUT_FILTER =
+INPUT_FILTER =
# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
# basis. Doxygen will compare the file name with each pattern and apply the
@@ -856,11 +902,15 @@ INPUT_FILTER =
# (like *.cpp=my_cpp_filter). See INPUT_FILTER for further information on how
# filters are used. If the FILTER_PATTERNS tag is empty or if none of the
# patterns match the file name, INPUT_FILTER is applied.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
-FILTER_PATTERNS =
+FILTER_PATTERNS =
# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
-# INPUT_FILTER ) will also be used to filter the input files that are used for
+# INPUT_FILTER) will also be used to filter the input files that are used for
# producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES).
# The default value is: NO.
@@ -872,14 +922,14 @@ FILTER_SOURCE_FILES = NO
# *.ext= (so without naming a filter).
# This tag requires that the tag FILTER_SOURCE_FILES is set to YES.
-FILTER_SOURCE_PATTERNS =
+FILTER_SOURCE_PATTERNS =
# If the USE_MDFILE_AS_MAINPAGE tag refers to the name of a markdown file that
# is part of the input, its contents will be placed on the main page
# (index.html). This can be useful if you have a project on for instance GitHub
# and want to reuse the introduction page also for the doxygen output.
-USE_MDFILE_AS_MAINPAGE =
+USE_MDFILE_AS_MAINPAGE =
#---------------------------------------------------------------------------
# Configuration options related to source browsing
@@ -920,7 +970,7 @@ REFERENCED_BY_RELATION = NO
REFERENCES_RELATION = NO
# If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set
-# to YES, then the hyperlinks from functions in REFERENCES_RELATION and
+# to YES then the hyperlinks from functions in REFERENCES_RELATION and
# REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will
# link to the documentation.
# The default value is: YES.
@@ -991,13 +1041,13 @@ COLS_IN_ALPHA_INDEX = 5
# while generating the index headers.
# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
-IGNORE_PREFIX =
+IGNORE_PREFIX =
#---------------------------------------------------------------------------
# Configuration options related to the HTML output
#---------------------------------------------------------------------------
-# If the GENERATE_HTML tag is set to YES doxygen will generate HTML output
+# If the GENERATE_HTML tag is set to YES, doxygen will generate HTML output
# The default value is: YES.
GENERATE_HTML = YES
@@ -1035,7 +1085,7 @@ HTML_FILE_EXTENSION = .html
# of the possible markers and block names see the documentation.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_HEADER =
+HTML_HEADER =
# The HTML_FOOTER tag can be used to specify a user-defined HTML footer for each
# generated HTML page. If the tag is left blank doxygen will generate a standard
@@ -1045,7 +1095,7 @@ HTML_HEADER =
# that doxygen normally uses.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_FOOTER =
+HTML_FOOTER =
# The HTML_STYLESHEET tag can be used to specify a user-defined cascading style
# sheet that is used by each HTML page. It can be used to fine-tune the look of
@@ -1057,18 +1107,20 @@ HTML_FOOTER =
# obsolete.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_STYLESHEET =
+HTML_STYLESHEET =
-# The HTML_EXTRA_STYLESHEET tag can be used to specify an additional user-
-# defined cascading style sheet that is included after the standard style sheets
+# The HTML_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# cascading style sheets that are included after the standard style sheets
# created by doxygen. Using this option one can overrule certain style aspects.
# This is preferred over using HTML_STYLESHEET since it does not replace the
-# standard style sheet and is therefor more robust against future updates.
-# Doxygen will copy the style sheet file to the output directory. For an example
-# see the documentation.
+# standard style sheet and is therefore more robust against future updates.
+# Doxygen will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list). For an example see the documentation.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_EXTRA_STYLESHEET =
+HTML_EXTRA_STYLESHEET =
# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or
# other source files which should be copied to the HTML output directory. Note
@@ -1078,10 +1130,10 @@ HTML_EXTRA_STYLESHEET =
# files will be copied as-is; there are no commands or markers available.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_EXTRA_FILES =
+HTML_EXTRA_FILES =
# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen
-# will adjust the colors in the stylesheet and background images according to
+# will adjust the colors in the style sheet and background images according to
# this color. Hue is specified as an angle on a colorwheel, see
# http://en.wikipedia.org/wiki/Hue for more information. For instance the value
# 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300
@@ -1112,8 +1164,9 @@ HTML_COLORSTYLE_GAMMA = 80
# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
# page will contain the date and time when the page was generated. Setting this
-# to NO can help when comparing the output of multiple runs.
-# The default value is: YES.
+# to YES can help to show when doxygen was last run and thus if the
+# documentation is up to date.
+# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_TIMESTAMP = YES
@@ -1206,31 +1259,32 @@ GENERATE_HTMLHELP = NO
# written to the html output directory.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
-CHM_FILE =
+CHM_FILE =
# The HHC_LOCATION tag can be used to specify the location (absolute path
-# including file name) of the HTML help compiler ( hhc.exe). If non-empty
+# including file name) of the HTML help compiler (hhc.exe). If non-empty,
# doxygen will try to run the HTML help compiler on the generated index.hhp.
# The file has to be specified with full path.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
-HHC_LOCATION =
+HHC_LOCATION =
-# The GENERATE_CHI flag controls if a separate .chi index file is generated (
-# YES) or that it should be included in the master .chm file ( NO).
+# The GENERATE_CHI flag controls if a separate .chi index file is generated
+# (YES) or that it should be included in the master .chm file (NO).
# The default value is: NO.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
GENERATE_CHI = NO
-# The CHM_INDEX_ENCODING is used to encode HtmlHelp index ( hhk), content ( hhc)
+# The CHM_INDEX_ENCODING is used to encode HtmlHelp index (hhk), content (hhc)
# and project file content.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
-CHM_INDEX_ENCODING =
+CHM_INDEX_ENCODING =
-# The BINARY_TOC flag controls whether a binary table of contents is generated (
-# YES) or a normal table of contents ( NO) in the .chm file.
+# The BINARY_TOC flag controls whether a binary table of contents is generated
+# (YES) or a normal table of contents (NO) in the .chm file. Furthermore it
+# enables the Previous and Next buttons.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
@@ -1257,7 +1311,7 @@ GENERATE_QHP = NO
# the HTML output folder.
# This tag requires that the tag GENERATE_QHP is set to YES.
-QCH_FILE =
+QCH_FILE =
# The QHP_NAMESPACE tag specifies the namespace to use when generating Qt Help
# Project output. For more information please see Qt Help Project / Namespace
@@ -1282,7 +1336,7 @@ QHP_VIRTUAL_FOLDER = doc
# filters).
# This tag requires that the tag GENERATE_QHP is set to YES.
-QHP_CUST_FILTER_NAME =
+QHP_CUST_FILTER_NAME =
# The QHP_CUST_FILTER_ATTRS tag specifies the list of the attributes of the
# custom filter to add. For more information please see Qt Help Project / Custom
@@ -1290,21 +1344,21 @@ QHP_CUST_FILTER_NAME =
# filters).
# This tag requires that the tag GENERATE_QHP is set to YES.
-QHP_CUST_FILTER_ATTRS =
+QHP_CUST_FILTER_ATTRS =
# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
# project's filter section matches. Qt Help Project / Filter Attributes (see:
# http://qt-project.org/doc/qt-4.8/qthelpproject.html#filter-attributes).
# This tag requires that the tag GENERATE_QHP is set to YES.
-QHP_SECT_FILTER_ATTRS =
+QHP_SECT_FILTER_ATTRS =
# The QHG_LOCATION tag can be used to specify the location of Qt's
# qhelpgenerator. If non-empty doxygen will try to run qhelpgenerator on the
# generated .qhp file.
# This tag requires that the tag GENERATE_QHP is set to YES.
-QHG_LOCATION =
+QHG_LOCATION =
# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files will be
# generated, together with the HTML files, they form an Eclipse help plugin. To
@@ -1343,7 +1397,7 @@ DISABLE_INDEX = NO
# index structure (just like the one that is generated for HTML Help). For this
# to work a browser that supports JavaScript, DHTML, CSS and frames is required
# (i.e. any modern browser). Windows users are probably better off using the
-# HTML help feature. Via custom stylesheets (see HTML_EXTRA_STYLESHEET) one can
+# HTML help feature. Via custom style sheets (see HTML_EXTRA_STYLESHEET) one can
# further fine-tune the look of the index. As an example, the default style
# sheet generated by doxygen has an example that shows how to put an image at
# the root of the tree instead of the PROJECT_NAME. Since the tree basically has
@@ -1371,7 +1425,7 @@ ENUM_VALUES_PER_LINE = 4
TREEVIEW_WIDTH = 250
-# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open links to
+# If the EXT_LINKS_IN_WINDOW option is set to YES, doxygen will open links to
# external symbols imported via tag files in a separate window.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
@@ -1400,7 +1454,7 @@ FORMULA_TRANSPARENT = YES
# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see
# http://www.mathjax.org) which uses client side Javascript for the rendering
-# instead of using prerendered bitmaps. Use this if you do not have LaTeX
+# instead of using pre-rendered bitmaps. Use this if you do not have LaTeX
# installed or if you want to formulas look prettier in the HTML output. When
# enabled you may also need to install MathJax separately and configure the path
# to it using the MATHJAX_RELPATH option.
@@ -1437,7 +1491,7 @@ MATHJAX_RELPATH = http://cdn.mathjax.org/mathjax/latest
# MATHJAX_EXTENSIONS = TeX/AMSmath TeX/AMSsymbols
# This tag requires that the tag USE_MATHJAX is set to YES.
-MATHJAX_EXTENSIONS =
+MATHJAX_EXTENSIONS =
# The MATHJAX_CODEFILE tag can be used to specify a file with javascript pieces
# of code that will be used on startup of the MathJax code. See the MathJax site
@@ -1445,7 +1499,7 @@ MATHJAX_EXTENSIONS =
# example see the documentation.
# This tag requires that the tag USE_MATHJAX is set to YES.
-MATHJAX_CODEFILE =
+MATHJAX_CODEFILE =
# When the SEARCHENGINE tag is enabled doxygen will generate a search box for
# the HTML output. The underlying search engine uses javascript and DHTML and
@@ -1470,11 +1524,11 @@ SEARCHENGINE = YES
# When the SERVER_BASED_SEARCH tag is enabled the search engine will be
# implemented using a web server instead of a web client using Javascript. There
-# are two flavours of web server based searching depending on the
-# EXTERNAL_SEARCH setting. When disabled, doxygen will generate a PHP script for
-# searching and an index file used by the script. When EXTERNAL_SEARCH is
-# enabled the indexing and searching needs to be provided by external tools. See
-# the section "External Indexing and Searching" for details.
+# are two flavors of web server based searching depending on the EXTERNAL_SEARCH
+# setting. When disabled, doxygen will generate a PHP script for searching and
+# an index file used by the script. When EXTERNAL_SEARCH is enabled the indexing
+# and searching needs to be provided by external tools. See the section
+# "External Indexing and Searching" for details.
# The default value is: NO.
# This tag requires that the tag SEARCHENGINE is set to YES.
@@ -1486,7 +1540,7 @@ SERVER_BASED_SEARCH = NO
# external search engine pointed to by the SEARCHENGINE_URL option to obtain the
# search results.
#
-# Doxygen ships with an example indexer ( doxyindexer) and search engine
+# Doxygen ships with an example indexer (doxyindexer) and search engine
# (doxysearch.cgi) which are based on the open source search engine library
# Xapian (see: http://xapian.org/).
#
@@ -1499,13 +1553,13 @@ EXTERNAL_SEARCH = NO
# The SEARCHENGINE_URL should point to a search engine hosted by a web server
# which will return the search results when EXTERNAL_SEARCH is enabled.
#
-# Doxygen ships with an example indexer ( doxyindexer) and search engine
+# Doxygen ships with an example indexer (doxyindexer) and search engine
# (doxysearch.cgi) which are based on the open source search engine library
# Xapian (see: http://xapian.org/). See the section "External Indexing and
# Searching" for details.
# This tag requires that the tag SEARCHENGINE is set to YES.
-SEARCHENGINE_URL =
+SEARCHENGINE_URL =
# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the unindexed
# search data is written to a file for indexing by an external tool. With the
@@ -1521,7 +1575,7 @@ SEARCHDATA_FILE = searchdata.xml
# projects and redirect the results back to the right project.
# This tag requires that the tag SEARCHENGINE is set to YES.
-EXTERNAL_SEARCH_ID =
+EXTERNAL_SEARCH_ID =
# The EXTRA_SEARCH_MAPPINGS tag can be used to enable searching through doxygen
# projects other than the one defined by this configuration file, but that are
@@ -1531,13 +1585,13 @@ EXTERNAL_SEARCH_ID =
# EXTRA_SEARCH_MAPPINGS = tagname1=loc1 tagname2=loc2 ...
# This tag requires that the tag SEARCHENGINE is set to YES.
-EXTRA_SEARCH_MAPPINGS =
+EXTRA_SEARCH_MAPPINGS =
#---------------------------------------------------------------------------
# Configuration options related to the LaTeX output
#---------------------------------------------------------------------------
-# If the GENERATE_LATEX tag is set to YES doxygen will generate LaTeX output.
+# If the GENERATE_LATEX tag is set to YES, doxygen will generate LaTeX output.
# The default value is: YES.
GENERATE_LATEX = YES
@@ -1568,7 +1622,7 @@ LATEX_CMD_NAME = latex
MAKEINDEX_CMD_NAME = makeindex
-# If the COMPACT_LATEX tag is set to YES doxygen generates more compact LaTeX
+# If the COMPACT_LATEX tag is set to YES, doxygen generates more compact LaTeX
# documents. This may be useful for small projects and may help to save some
# trees in general.
# The default value is: NO.
@@ -1586,13 +1640,16 @@ COMPACT_LATEX = NO
PAPER_TYPE = a4
# The EXTRA_PACKAGES tag can be used to specify one or more LaTeX package names
-# that should be included in the LaTeX output. To get the times font for
-# instance you can specify
-# EXTRA_PACKAGES=times
+# that should be included in the LaTeX output. The package can be specified just
+# by its name or with the correct syntax as to be used with the LaTeX
+# \usepackage command. To get the times font for instance you can specify :
+# EXTRA_PACKAGES=times or EXTRA_PACKAGES={times}
+# To use the option intlimits with the amsmath package you can specify:
+# EXTRA_PACKAGES=[intlimits]{amsmath}
# If left blank no extra packages will be included.
# This tag requires that the tag GENERATE_LATEX is set to YES.
-EXTRA_PACKAGES =
+EXTRA_PACKAGES =
# The LATEX_HEADER tag can be used to specify a personal LaTeX header for the
# generated LaTeX document. The header should contain everything until the first
@@ -1602,22 +1659,35 @@ EXTRA_PACKAGES =
#
# Note: Only use a user-defined header if you know what you are doing! The
# following commands have a special meaning inside the header: $title,
-# $datetime, $date, $doxygenversion, $projectname, $projectnumber. Doxygen will
-# replace them by respectively the title of the page, the current date and time,
-# only the current date, the version number of doxygen, the project name (see
-# PROJECT_NAME), or the project number (see PROJECT_NUMBER).
+# $datetime, $date, $doxygenversion, $projectname, $projectnumber,
+# $projectbrief, $projectlogo. Doxygen will replace $title with the empty
+# string, for the replacement values of the other commands the user is referred
+# to HTML_HEADER.
# This tag requires that the tag GENERATE_LATEX is set to YES.
-LATEX_HEADER =
+LATEX_HEADER =
# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for the
# generated LaTeX document. The footer should contain everything after the last
-# chapter. If it is left blank doxygen will generate a standard footer.
+# chapter. If it is left blank doxygen will generate a standard footer. See
+# LATEX_HEADER for more information on how to generate a default footer and what
+# special commands can be used inside the footer.
#
# Note: Only use a user-defined footer if you know what you are doing!
# This tag requires that the tag GENERATE_LATEX is set to YES.
-LATEX_FOOTER =
+LATEX_FOOTER =
+
+# The LATEX_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# LaTeX style sheets that are included after the standard style sheets created
+# by doxygen. Using this option one can overrule certain style aspects. Doxygen
+# will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list).
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_EXTRA_STYLESHEET =
# The LATEX_EXTRA_FILES tag can be used to specify one or more extra images or
# other source files which should be copied to the LATEX_OUTPUT output
@@ -1625,7 +1695,7 @@ LATEX_FOOTER =
# markers available.
# This tag requires that the tag GENERATE_LATEX is set to YES.
-LATEX_EXTRA_FILES =
+LATEX_EXTRA_FILES =
# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated is
# prepared for conversion to PDF (using ps2pdf or pdflatex). The PDF file will
@@ -1636,8 +1706,8 @@ LATEX_EXTRA_FILES =
PDF_HYPERLINKS = YES
-# If the LATEX_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
-# the PDF file directly from the LaTeX files. Set this option to YES to get a
+# If the USE_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
+# the PDF file directly from the LaTeX files. Set this option to YES, to get a
# higher quality PDF documentation.
# The default value is: YES.
# This tag requires that the tag GENERATE_LATEX is set to YES.
@@ -1678,11 +1748,19 @@ LATEX_SOURCE_CODE = NO
LATEX_BIB_STYLE = plain
+# If the LATEX_TIMESTAMP tag is set to YES then the footer of each generated
+# page will contain the date and time when the page was generated. Setting this
+# to NO can help when comparing the output of multiple runs.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_TIMESTAMP = NO
+
#---------------------------------------------------------------------------
# Configuration options related to the RTF output
#---------------------------------------------------------------------------
-# If the GENERATE_RTF tag is set to YES doxygen will generate RTF output. The
+# If the GENERATE_RTF tag is set to YES, doxygen will generate RTF output. The
# RTF output is optimized for Word 97 and may not look too pretty with other RTF
# readers/editors.
# The default value is: NO.
@@ -1697,7 +1775,7 @@ GENERATE_RTF = NO
RTF_OUTPUT = rtf
-# If the COMPACT_RTF tag is set to YES doxygen generates more compact RTF
+# If the COMPACT_RTF tag is set to YES, doxygen generates more compact RTF
# documents. This may be useful for small projects and may help to save some
# trees in general.
# The default value is: NO.
@@ -1725,20 +1803,30 @@ RTF_HYPERLINKS = NO
# default style sheet that doxygen normally uses.
# This tag requires that the tag GENERATE_RTF is set to YES.
-RTF_STYLESHEET_FILE =
+RTF_STYLESHEET_FILE =
# Set optional variables used in the generation of an RTF document. Syntax is
# similar to doxygen's config file. A template extensions file can be generated
# using doxygen -e rtf extensionFile.
# This tag requires that the tag GENERATE_RTF is set to YES.
-RTF_EXTENSIONS_FILE =
+RTF_EXTENSIONS_FILE =
+
+# If the RTF_SOURCE_CODE tag is set to YES then doxygen will include source code
+# with syntax highlighting in the RTF output.
+#
+# Note that which sources are shown also depends on other settings such as
+# SOURCE_BROWSER.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_SOURCE_CODE = NO
#---------------------------------------------------------------------------
# Configuration options related to the man page output
#---------------------------------------------------------------------------
-# If the GENERATE_MAN tag is set to YES doxygen will generate man pages for
+# If the GENERATE_MAN tag is set to YES, doxygen will generate man pages for
# classes and files.
# The default value is: NO.
@@ -1762,6 +1850,13 @@ MAN_OUTPUT = man
MAN_EXTENSION = .3
+# The MAN_SUBDIR tag determines the name of the directory created within
+# MAN_OUTPUT in which the man pages are placed. If defaults to man followed by
+# MAN_EXTENSION with the initial . removed.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_SUBDIR =
+
# If the MAN_LINKS tag is set to YES and doxygen generates man output, then it
# will generate one additional man file for each entity documented in the real
# man page(s). These additional files only source the real man page, but without
@@ -1775,7 +1870,7 @@ MAN_LINKS = NO
# Configuration options related to the XML output
#---------------------------------------------------------------------------
-# If the GENERATE_XML tag is set to YES doxygen will generate an XML file that
+# If the GENERATE_XML tag is set to YES, doxygen will generate an XML file that
# captures the structure of the code including all documentation.
# The default value is: NO.
@@ -1789,19 +1884,7 @@ GENERATE_XML = NO
XML_OUTPUT = xml
-# The XML_SCHEMA tag can be used to specify a XML schema, which can be used by a
-# validating XML parser to check the syntax of the XML files.
-# This tag requires that the tag GENERATE_XML is set to YES.
-
-XML_SCHEMA =
-
-# The XML_DTD tag can be used to specify a XML DTD, which can be used by a
-# validating XML parser to check the syntax of the XML files.
-# This tag requires that the tag GENERATE_XML is set to YES.
-
-XML_DTD =
-
-# If the XML_PROGRAMLISTING tag is set to YES doxygen will dump the program
+# If the XML_PROGRAMLISTING tag is set to YES, doxygen will dump the program
# listings (including syntax highlighting and cross-referencing information) to
# the XML output. Note that enabling this will significantly increase the size
# of the XML output.
@@ -1814,7 +1897,7 @@ XML_PROGRAMLISTING = YES
# Configuration options related to the DOCBOOK output
#---------------------------------------------------------------------------
-# If the GENERATE_DOCBOOK tag is set to YES doxygen will generate Docbook files
+# If the GENERATE_DOCBOOK tag is set to YES, doxygen will generate Docbook files
# that can be used to generate PDF.
# The default value is: NO.
@@ -1828,14 +1911,23 @@ GENERATE_DOCBOOK = NO
DOCBOOK_OUTPUT = docbook
+# If the DOCBOOK_PROGRAMLISTING tag is set to YES, doxygen will include the
+# program listings (including syntax highlighting and cross-referencing
+# information) to the DOCBOOK output. Note that enabling this will significantly
+# increase the size of the DOCBOOK output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_DOCBOOK is set to YES.
+
+DOCBOOK_PROGRAMLISTING = NO
+
#---------------------------------------------------------------------------
# Configuration options for the AutoGen Definitions output
#---------------------------------------------------------------------------
-# If the GENERATE_AUTOGEN_DEF tag is set to YES doxygen will generate an AutoGen
-# Definitions (see http://autogen.sf.net) file that captures the structure of
-# the code including all documentation. Note that this feature is still
-# experimental and incomplete at the moment.
+# If the GENERATE_AUTOGEN_DEF tag is set to YES, doxygen will generate an
+# AutoGen Definitions (see http://autogen.sf.net) file that captures the
+# structure of the code including all documentation. Note that this feature is
+# still experimental and incomplete at the moment.
# The default value is: NO.
GENERATE_AUTOGEN_DEF = NO
@@ -1844,7 +1936,7 @@ GENERATE_AUTOGEN_DEF = NO
# Configuration options related to the Perl module output
#---------------------------------------------------------------------------
-# If the GENERATE_PERLMOD tag is set to YES doxygen will generate a Perl module
+# If the GENERATE_PERLMOD tag is set to YES, doxygen will generate a Perl module
# file that captures the structure of the code including all documentation.
#
# Note that this feature is still experimental and incomplete at the moment.
@@ -1852,7 +1944,7 @@ GENERATE_AUTOGEN_DEF = NO
GENERATE_PERLMOD = NO
-# If the PERLMOD_LATEX tag is set to YES doxygen will generate the necessary
+# If the PERLMOD_LATEX tag is set to YES, doxygen will generate the necessary
# Makefile rules, Perl scripts and LaTeX code to be able to generate PDF and DVI
# output from the Perl module output.
# The default value is: NO.
@@ -1860,9 +1952,9 @@ GENERATE_PERLMOD = NO
PERLMOD_LATEX = NO
-# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be nicely
+# If the PERLMOD_PRETTY tag is set to YES, the Perl module output will be nicely
# formatted so it can be parsed by a human reader. This is useful if you want to
-# understand what is going on. On the other hand, if this tag is set to NO the
+# understand what is going on. On the other hand, if this tag is set to NO, the
# size of the Perl module output will be much smaller and Perl will parse it
# just the same.
# The default value is: YES.
@@ -1876,20 +1968,20 @@ PERLMOD_PRETTY = YES
# overwrite each other's variables.
# This tag requires that the tag GENERATE_PERLMOD is set to YES.
-PERLMOD_MAKEVAR_PREFIX =
+PERLMOD_MAKEVAR_PREFIX =
#---------------------------------------------------------------------------
# Configuration options related to the preprocessor
#---------------------------------------------------------------------------
-# If the ENABLE_PREPROCESSING tag is set to YES doxygen will evaluate all
+# If the ENABLE_PREPROCESSING tag is set to YES, doxygen will evaluate all
# C-preprocessor directives found in the sources and include files.
# The default value is: YES.
ENABLE_PREPROCESSING = YES
-# If the MACRO_EXPANSION tag is set to YES doxygen will expand all macro names
-# in the source code. If set to NO only conditional compilation will be
+# If the MACRO_EXPANSION tag is set to YES, doxygen will expand all macro names
+# in the source code. If set to NO, only conditional compilation will be
# performed. Macro expansion can be done in a controlled way by setting
# EXPAND_ONLY_PREDEF to YES.
# The default value is: NO.
@@ -1905,7 +1997,7 @@ MACRO_EXPANSION = NO
EXPAND_ONLY_PREDEF = NO
-# If the SEARCH_INCLUDES tag is set to YES the includes files in the
+# If the SEARCH_INCLUDES tag is set to YES, the include files in the
# INCLUDE_PATH will be searched if a #include is found.
# The default value is: YES.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
@@ -1917,7 +2009,7 @@ SEARCH_INCLUDES = YES
# preprocessor.
# This tag requires that the tag SEARCH_INCLUDES is set to YES.
-INCLUDE_PATH = "apache2"
+INCLUDE_PATH = "../apache2"
# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
# patterns (like *.h and *.hpp) to filter out the header-files in the
@@ -1925,7 +2017,7 @@ INCLUDE_PATH = "apache2"
# used.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
-INCLUDE_FILE_PATTERNS =
+INCLUDE_FILE_PATTERNS =
# The PREDEFINED tag can be used to specify one or more macro names that are
# defined before the preprocessor is started (similar to the -D option of e.g.
@@ -1935,7 +2027,7 @@ INCLUDE_FILE_PATTERNS =
# recursively expanded use the := operator instead of the = operator.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
-PREDEFINED =
+PREDEFINED =
# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
# tag can be used to specify a list of macro names that should be expanded. The
@@ -1944,12 +2036,12 @@ PREDEFINED =
# definition found in the source code.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
-EXPAND_AS_DEFINED =
+EXPAND_AS_DEFINED =
# If the SKIP_FUNCTION_MACROS tag is set to YES then doxygen's preprocessor will
-# remove all refrences to function-like macros that are alone on a line, have an
-# all uppercase name, and do not end with a semicolon. Such function macros are
-# typically used for boiler-plate code, and will confuse the parser if not
+# remove all references to function-like macros that are alone on a line, have
+# an all uppercase name, and do not end with a semicolon. Such function macros
+# are typically used for boiler-plate code, and will confuse the parser if not
# removed.
# The default value is: YES.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
@@ -1969,32 +2061,33 @@ SKIP_FUNCTION_MACROS = YES
# where loc1 and loc2 can be relative or absolute paths or URLs. See the
# section "Linking to external documentation" for more information about the use
# of tag files.
-# Note: Each tag file must have an unique name (where the name does NOT include
+# Note: Each tag file must have a unique name (where the name does NOT include
# the path). If a tag file is not located in the directory in which doxygen is
# run, you must also specify the path to the tagfile here.
-TAGFILES =
+TAGFILES =
# When a file name is specified after GENERATE_TAGFILE, doxygen will create a
# tag file that is based on the input files it reads. See section "Linking to
# external documentation" for more information about the usage of tag files.
-GENERATE_TAGFILE =
+GENERATE_TAGFILE =
-# If the ALLEXTERNALS tag is set to YES all external class will be listed in the
-# class index. If set to NO only the inherited external classes will be listed.
+# If the ALLEXTERNALS tag is set to YES, all external class will be listed in
+# the class index. If set to NO, only the inherited external classes will be
+# listed.
# The default value is: NO.
ALLEXTERNALS = NO
-# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed in
-# the modules index. If set to NO, only the current project's groups will be
+# If the EXTERNAL_GROUPS tag is set to YES, all external groups will be listed
+# in the modules index. If set to NO, only the current project's groups will be
# listed.
# The default value is: YES.
EXTERNAL_GROUPS = YES
-# If the EXTERNAL_PAGES tag is set to YES all external pages will be listed in
+# If the EXTERNAL_PAGES tag is set to YES, all external pages will be listed in
# the related pages index. If set to NO, only the current project's pages will
# be listed.
# The default value is: YES.
@@ -2011,7 +2104,7 @@ PERL_PATH = /usr/bin/perl
# Configuration options related to the dot tool
#---------------------------------------------------------------------------
-# If the CLASS_DIAGRAMS tag is set to YES doxygen will generate a class diagram
+# If the CLASS_DIAGRAMS tag is set to YES, doxygen will generate a class diagram
# (in HTML and LaTeX) for classes with base or super classes. Setting the tag to
# NO turns the diagrams off. Note that this option also works with HAVE_DOT
# disabled, but it is recommended to install and use dot, since it yields more
@@ -2027,16 +2120,16 @@ CLASS_DIAGRAMS = YES
# the mscgen tool resides. If left empty the tool is assumed to be found in the
# default search path.
-MSCGEN_PATH =
+MSCGEN_PATH =
# You can include diagrams made with dia in doxygen documentation. Doxygen will
# then run dia to produce the diagram and insert it in the documentation. The
# DIA_PATH tag allows you to specify the directory where the dia binary resides.
# If left empty dia is assumed to be found in the default search path.
-DIA_PATH =
+DIA_PATH =
-# If set to YES, the inheritance and collaboration graphs will hide inheritance
+# If set to YES the inheritance and collaboration graphs will hide inheritance
# and usage relations if the target is undocumented or is not a class.
# The default value is: YES.
@@ -2049,7 +2142,7 @@ HIDE_UNDOC_RELATIONS = YES
# set to NO
# The default value is: NO.
-HAVE_DOT = YES
+HAVE_DOT = NO
# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is allowed
# to run in parallel. When set to 0 doxygen will base this on the number of
@@ -2061,7 +2154,7 @@ HAVE_DOT = YES
DOT_NUM_THREADS = 0
-# When you want a differently looking font n the dot files that doxygen
+# When you want a differently looking font in the dot files that doxygen
# generates you can specify the font name using DOT_FONTNAME. You need to make
# sure dot is able to find the font, which can be done by putting it in a
# standard location or by setting the DOTFONTPATH environment variable or by
@@ -2083,7 +2176,7 @@ DOT_FONTSIZE = 10
# the path where dot can find it using this tag.
# This tag requires that the tag HAVE_DOT is set to YES.
-DOT_FONTPATH =
+DOT_FONTPATH =
# If the CLASS_GRAPH tag is set to YES then doxygen will generate a graph for
# each documented class showing the direct and indirect inheritance relations.
@@ -2109,7 +2202,7 @@ COLLABORATION_GRAPH = YES
GROUP_GRAPHS = YES
-# If the UML_LOOK tag is set to YES doxygen will generate inheritance and
+# If the UML_LOOK tag is set to YES, doxygen will generate inheritance and
# collaboration diagrams in a style similar to the OMG's Unified Modeling
# Language.
# The default value is: NO.
@@ -2161,7 +2254,8 @@ INCLUDED_BY_GRAPH = YES
#
# Note that enabling this option will significantly increase the time of a run.
# So in most cases it will be better to enable call graphs for selected
-# functions only using the \callgraph command.
+# functions only using the \callgraph command. Disabling a call graph can be
+# accomplished by means of the command \hidecallgraph.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
@@ -2172,7 +2266,8 @@ CALL_GRAPH = YES
#
# Note that enabling this option will significantly increase the time of a run.
# So in most cases it will be better to enable caller graphs for selected
-# functions only using the \callergraph command.
+# functions only using the \callergraph command. Disabling a caller graph can be
+# accomplished by means of the command \hidecallergraph.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
@@ -2195,11 +2290,15 @@ GRAPHICAL_HIERARCHY = YES
DIRECTORY_GRAPH = YES
# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
-# generated by dot.
+# generated by dot. For an explanation of the image formats see the section
+# output formats in the documentation of the dot tool (Graphviz (see:
+# http://www.graphviz.org/)).
# Note: If you choose svg you need to set HTML_FILE_EXTENSION to xhtml in order
# to make the SVG files visible in IE 9+ (other browsers do not have this
# requirement).
-# Possible values are: png, jpg, gif and svg.
+# Possible values are: png, jpg, gif, svg, png:gd, png:gd:gd, png:cairo,
+# png:cairo:gd, png:cairo:cairo, png:cairo:gdiplus, png:gdiplus and
+# png:gdiplus:gdiplus.
# The default value is: png.
# This tag requires that the tag HAVE_DOT is set to YES.
@@ -2221,26 +2320,44 @@ INTERACTIVE_SVG = YES
# found. If left blank, it is assumed the dot tool can be found in the path.
# This tag requires that the tag HAVE_DOT is set to YES.
-DOT_PATH =
+DOT_PATH =
# The DOTFILE_DIRS tag can be used to specify one or more directories that
# contain dot files that are included in the documentation (see the \dotfile
# command).
# This tag requires that the tag HAVE_DOT is set to YES.
-DOTFILE_DIRS =
+DOTFILE_DIRS =
# The MSCFILE_DIRS tag can be used to specify one or more directories that
# contain msc files that are included in the documentation (see the \mscfile
# command).
-MSCFILE_DIRS =
+MSCFILE_DIRS =
# The DIAFILE_DIRS tag can be used to specify one or more directories that
# contain dia files that are included in the documentation (see the \diafile
# command).
-DIAFILE_DIRS =
+DIAFILE_DIRS =
+
+# When using plantuml, the PLANTUML_JAR_PATH tag should be used to specify the
+# path where java can find the plantuml.jar file. If left blank, it is assumed
+# PlantUML is not used or called during a preprocessing step. Doxygen will
+# generate a warning when it encounters a \startuml command in this case and
+# will not generate output for the diagram.
+
+PLANTUML_JAR_PATH =
+
+# When using plantuml, the PLANTUML_CFG_FILE tag can be used to specify a
+# configuration file for plantuml.
+
+PLANTUML_CFG_FILE =
+
+# When using plantuml, the specified paths are searched for files specified by
+# the !include statement in a plantuml block.
+
+PLANTUML_INCLUDE_PATH =
# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of nodes
# that will be shown in the graph. If the number of nodes in a graph becomes
@@ -2278,7 +2395,7 @@ MAX_DOT_GRAPH_DEPTH = 0
DOT_TRANSPARENT = NO
-# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output
+# Set the DOT_MULTI_TARGETS tag to YES to allow dot to generate multiple output
# files in one run (i.e. multiple -o and -T options on the command line). This
# makes dot run faster, but since only newer versions of dot (>1.8.10) support
# this, this feature is disabled by default.
@@ -2295,7 +2412,7 @@ DOT_MULTI_TARGETS = YES
GENERATE_LEGEND = YES
-# If the DOT_CLEANUP tag is set to YES doxygen will remove the intermediate dot
+# If the DOT_CLEANUP tag is set to YES, doxygen will remove the intermediate dot
# files that are used to generate the various graphs.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
diff --git a/doc/doxygen-nginx.conf b/doc/doxygen-nginx.in
similarity index 84%
rename from doc/doxygen-nginx.conf
rename to doc/doxygen-nginx.in
index 847c1e3df3..6a280f31e7 100644
--- a/doc/doxygen-nginx.conf
+++ b/doc/doxygen-nginx.in
@@ -1,4 +1,4 @@
-# Doxyfile 1.8.6
+# Doxyfile 1.8.13
# This file describes the settings to be used by the documentation system
# doxygen (www.doxygen.org) for a project.
@@ -38,7 +38,7 @@ PROJECT_NAME = "ModSecurity (Nginx)"
# could be handy for archiving the generated documentation or if some version
# control system is used.
-PROJECT_NUMBER =
+PROJECT_NUMBER =
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
@@ -46,21 +46,21 @@ PROJECT_NUMBER =
PROJECT_BRIEF = "ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence."
-# With the PROJECT_LOGO tag one can specify an logo or icon that is included in
-# the documentation. The maximum height of the logo should not exceed 55 pixels
-# and the maximum width should not exceed 200 pixels. Doxygen will copy the logo
-# to the output directory.
+# With the PROJECT_LOGO tag one can specify a logo or an icon that is included
+# in the documentation. The maximum height of the logo should not exceed 55
+# pixels and the maximum width should not exceed 200 pixels. Doxygen will copy
+# the logo to the output directory.
-PROJECT_LOGO = ./doc/doxygen-logo.png
+PROJECT_LOGO = ./doxygen-logo.png
# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) path
# into which the generated documentation will be written. If a relative path is
# entered, it will be relative to the location where doxygen was started. If
# left blank the current directory will be used.
-OUTPUT_DIRECTORY = doc/nginx
+OUTPUT_DIRECTORY = nginx
-# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 4096 sub-
+# If the CREATE_SUBDIRS tag is set to YES then doxygen will create 4096 sub-
# directories (in 2 levels) under the output directory of each output format and
# will distribute the generated files over these directories. Enabling this
# option can be useful when feeding doxygen a huge amount of source files, where
@@ -70,6 +70,14 @@ OUTPUT_DIRECTORY = doc/nginx
CREATE_SUBDIRS = YES
+# If the ALLOW_UNICODE_NAMES tag is set to YES, doxygen will allow non-ASCII
+# characters to appear in the names of generated files. If set to NO, non-ASCII
+# characters will be escaped, for example _xE3_x81_x84 will be used for Unicode
+# U+3044.
+# The default value is: NO.
+
+ALLOW_UNICODE_NAMES = NO
+
# The OUTPUT_LANGUAGE tag is used to specify the language in which all
# documentation generated by doxygen is written. Doxygen will use this
# information to generate all constant output in the proper language.
@@ -85,14 +93,14 @@ CREATE_SUBDIRS = YES
OUTPUT_LANGUAGE = English
-# If the BRIEF_MEMBER_DESC tag is set to YES doxygen will include brief member
+# If the BRIEF_MEMBER_DESC tag is set to YES, doxygen will include brief member
# descriptions after the members that are listed in the file and class
# documentation (similar to Javadoc). Set to NO to disable this.
# The default value is: YES.
BRIEF_MEMBER_DESC = YES
-# If the REPEAT_BRIEF tag is set to YES doxygen will prepend the brief
+# If the REPEAT_BRIEF tag is set to YES, doxygen will prepend the brief
# description of a member or function before the detailed description
#
# Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
@@ -110,7 +118,7 @@ REPEAT_BRIEF = YES
# the entity):The $name class, The $name widget, The $name file, is, provides,
# specifies, contains, represents, a, an and the.
-ABBREVIATE_BRIEF =
+ABBREVIATE_BRIEF =
# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then
# doxygen will generate a detailed section even if there is only a brief
@@ -127,7 +135,7 @@ ALWAYS_DETAILED_SEC = NO
INLINE_INHERITED_MEMB = NO
-# If the FULL_PATH_NAMES tag is set to YES doxygen will prepend the full path
+# If the FULL_PATH_NAMES tag is set to YES, doxygen will prepend the full path
# before files name in the file list and in the header files. If set to NO the
# shortest path that makes the file name unique will be used
# The default value is: YES.
@@ -144,7 +152,7 @@ FULL_PATH_NAMES = YES
# will be relative from the directory where doxygen is started.
# This tag requires that the tag FULL_PATH_NAMES is set to YES.
-STRIP_FROM_PATH =
+STRIP_FROM_PATH =
# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of the
# path mentioned in the documentation of a class, which tells the reader which
@@ -153,7 +161,7 @@ STRIP_FROM_PATH =
# specify the list of include paths that are normally passed to the compiler
# using the -I flag.
-STRIP_FROM_INC_PATH =
+STRIP_FROM_INC_PATH =
# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter (but
# less readable) file names. This can be useful is your file systems doesn't
@@ -197,9 +205,9 @@ MULTILINE_CPP_IS_BRIEF = NO
INHERIT_DOCS = YES
-# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce a
-# new page for each member. If set to NO, the documentation of a member will be
-# part of the file/class/namespace that contains it.
+# If the SEPARATE_MEMBER_PAGES tag is set to YES then doxygen will produce a new
+# page for each member. If set to NO, the documentation of a member will be part
+# of the file/class/namespace that contains it.
# The default value is: NO.
SEPARATE_MEMBER_PAGES = NO
@@ -220,13 +228,13 @@ TAB_SIZE = 4
# "Side Effects:". You can put \n's in the value part of an alias to insert
# newlines.
-ALIASES =
+ALIASES =
# This tag can be used to specify a number of word-keyword mappings (TCL only).
# A mapping has the form "name=value". For example adding "class=itcl::class"
# will allow you to use the command class in the itcl::class meaning.
-TCL_SUBST =
+TCL_SUBST =
# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources
# only. Doxygen will then generate output that is more tailored for C. For
@@ -261,16 +269,19 @@ OPTIMIZE_OUTPUT_VHDL = NO
# extension. Doxygen has a built-in mapping, but you can override or extend it
# using this tag. The format is ext=language, where ext is a file extension, and
# language is one of the parsers supported by doxygen: IDL, Java, Javascript,
-# C#, C, C++, D, PHP, Objective-C, Python, Fortran, VHDL. For instance to make
-# doxygen treat .inc files as Fortran files (default is PHP), and .f files as C
-# (default is Fortran), use: inc=Fortran f=C.
+# C#, C, C++, D, PHP, Objective-C, Python, Fortran (fixed format Fortran:
+# FortranFixed, free formatted Fortran: FortranFree, unknown formatted Fortran:
+# Fortran. In the later case the parser tries to guess whether the code is fixed
+# or free formatted code, this is the default for Fortran type files), VHDL. For
+# instance to make doxygen treat .inc files as Fortran files (default is PHP),
+# and .f files as C (default is Fortran), use: inc=Fortran f=C.
#
-# Note For files without extension you can use no_extension as a placeholder.
+# Note: For files without extension you can use no_extension as a placeholder.
#
# Note that for custom extensions you also need to set FILE_PATTERNS otherwise
# the files are not read by doxygen.
-EXTENSION_MAPPING =
+EXTENSION_MAPPING =
# If the MARKDOWN_SUPPORT tag is enabled then doxygen pre-processes all comments
# according to the Markdown format, which allows for more readable
@@ -282,10 +293,19 @@ EXTENSION_MAPPING =
MARKDOWN_SUPPORT = YES
+# When the TOC_INCLUDE_HEADINGS tag is set to a non-zero value, all headings up
+# to that level are automatically included in the table of contents, even if
+# they do not have an id attribute.
+# Note: This feature currently applies only to Markdown headings.
+# Minimum value: 0, maximum value: 99, default value: 0.
+# This tag requires that the tag MARKDOWN_SUPPORT is set to YES.
+
+TOC_INCLUDE_HEADINGS = 0
+
# When enabled doxygen tries to link words that correspond to documented
# classes, or namespaces to their corresponding documentation. Such a link can
-# be prevented in individual cases by by putting a % sign in front of the word
-# or globally by setting AUTOLINK_SUPPORT to NO.
+# be prevented in individual cases by putting a % sign in front of the word or
+# globally by setting AUTOLINK_SUPPORT to NO.
# The default value is: YES.
AUTOLINK_SUPPORT = YES
@@ -325,13 +345,20 @@ SIP_SUPPORT = NO
IDL_PROPERTY_SUPPORT = YES
# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
-# tag is set to YES, then doxygen will reuse the documentation of the first
+# tag is set to YES then doxygen will reuse the documentation of the first
# member in the group (if any) for the other members of the group. By default
# all members of a group must be documented explicitly.
# The default value is: NO.
DISTRIBUTE_GROUP_DOC = NO
+# If one adds a struct or class to a group and this option is enabled, then also
+# any nested class or struct is added to the same group. By default this option
+# is disabled and one has to add nested compounds explicitly via \ingroup.
+# The default value is: NO.
+
+GROUP_NESTED_COMPOUNDS = NO
+
# Set the SUBGROUPING tag to YES to allow class member groups of the same type
# (for instance a group of public functions) to be put as a subgroup of that
# type (e.g. under the Public Functions section). Set it to NO to prevent
@@ -390,7 +417,7 @@ LOOKUP_CACHE_SIZE = 0
# Build related configuration options
#---------------------------------------------------------------------------
-# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in
+# If the EXTRACT_ALL tag is set to YES, doxygen will assume all entities in
# documentation are documented, even if no documentation was available. Private
# class members and static file members will be hidden unless the
# EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES.
@@ -400,35 +427,35 @@ LOOKUP_CACHE_SIZE = 0
EXTRACT_ALL = YES
-# If the EXTRACT_PRIVATE tag is set to YES all private members of a class will
+# If the EXTRACT_PRIVATE tag is set to YES, all private members of a class will
# be included in the documentation.
# The default value is: NO.
EXTRACT_PRIVATE = NO
-# If the EXTRACT_PACKAGE tag is set to YES all members with package or internal
+# If the EXTRACT_PACKAGE tag is set to YES, all members with package or internal
# scope will be included in the documentation.
# The default value is: NO.
EXTRACT_PACKAGE = NO
-# If the EXTRACT_STATIC tag is set to YES all static members of a file will be
+# If the EXTRACT_STATIC tag is set to YES, all static members of a file will be
# included in the documentation.
# The default value is: NO.
EXTRACT_STATIC = NO
-# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) defined
-# locally in source files will be included in the documentation. If set to NO
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES, classes (and structs) defined
+# locally in source files will be included in the documentation. If set to NO,
# only classes defined in header files are included. Does not have any effect
# for Java sources.
# The default value is: YES.
EXTRACT_LOCAL_CLASSES = YES
-# This flag is only useful for Objective-C code. When set to YES local methods,
+# This flag is only useful for Objective-C code. If set to YES, local methods,
# which are defined in the implementation section but not in the interface are
-# included in the documentation. If set to NO only methods in the interface are
+# included in the documentation. If set to NO, only methods in the interface are
# included.
# The default value is: NO.
@@ -453,21 +480,21 @@ HIDE_UNDOC_MEMBERS = NO
# If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all
# undocumented classes that are normally visible in the class hierarchy. If set
-# to NO these classes will be included in the various overviews. This option has
-# no effect if EXTRACT_ALL is enabled.
+# to NO, these classes will be included in the various overviews. This option
+# has no effect if EXTRACT_ALL is enabled.
# The default value is: NO.
HIDE_UNDOC_CLASSES = NO
# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend
-# (class|struct|union) declarations. If set to NO these declarations will be
+# (class|struct|union) declarations. If set to NO, these declarations will be
# included in the documentation.
# The default value is: NO.
HIDE_FRIEND_COMPOUNDS = NO
# If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any
-# documentation blocks found inside the body of a function. If set to NO these
+# documentation blocks found inside the body of a function. If set to NO, these
# blocks will be appended to the function's detailed documentation block.
# The default value is: NO.
@@ -481,7 +508,7 @@ HIDE_IN_BODY_DOCS = NO
INTERNAL_DOCS = NO
# If the CASE_SENSE_NAMES tag is set to NO then doxygen will only generate file
-# names in lower-case letters. If set to YES upper-case letters are also
+# names in lower-case letters. If set to YES, upper-case letters are also
# allowed. This is useful if you have classes or files whose names only differ
# in case and if your file system supports case sensitive file names. Windows
# and Mac users are advised to set this option to NO.
@@ -490,12 +517,19 @@ INTERNAL_DOCS = NO
CASE_SENSE_NAMES = YES
# If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with
-# their full class and namespace scopes in the documentation. If set to YES the
+# their full class and namespace scopes in the documentation. If set to YES, the
# scope will be hidden.
# The default value is: NO.
HIDE_SCOPE_NAMES = YES
+# If the HIDE_COMPOUND_REFERENCE tag is set to NO (default) then doxygen will
+# append additional text to a page's title, such as Class Reference. If set to
+# YES the compound reference will be hidden.
+# The default value is: NO.
+
+HIDE_COMPOUND_REFERENCE= NO
+
# If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of
# the files that are included by a file in the documentation of that file.
# The default value is: YES.
@@ -523,14 +557,14 @@ INLINE_INFO = YES
# If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the
# (detailed) documentation of file and class members alphabetically by member
-# name. If set to NO the members will appear in declaration order.
+# name. If set to NO, the members will appear in declaration order.
# The default value is: YES.
SORT_MEMBER_DOCS = YES
# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief
# descriptions of file, namespace and class members alphabetically by member
-# name. If set to NO the members will appear in declaration order. Note that
+# name. If set to NO, the members will appear in declaration order. Note that
# this will also influence the order of the classes in the class list.
# The default value is: NO.
@@ -575,27 +609,25 @@ SORT_BY_SCOPE_NAME = NO
STRICT_PROTO_MATCHING = NO
-# The GENERATE_TODOLIST tag can be used to enable ( YES) or disable ( NO) the
-# todo list. This list is created by putting \todo commands in the
-# documentation.
+# The GENERATE_TODOLIST tag can be used to enable (YES) or disable (NO) the todo
+# list. This list is created by putting \todo commands in the documentation.
# The default value is: YES.
GENERATE_TODOLIST = YES
-# The GENERATE_TESTLIST tag can be used to enable ( YES) or disable ( NO) the
-# test list. This list is created by putting \test commands in the
-# documentation.
+# The GENERATE_TESTLIST tag can be used to enable (YES) or disable (NO) the test
+# list. This list is created by putting \test commands in the documentation.
# The default value is: YES.
GENERATE_TESTLIST = YES
-# The GENERATE_BUGLIST tag can be used to enable ( YES) or disable ( NO) the bug
+# The GENERATE_BUGLIST tag can be used to enable (YES) or disable (NO) the bug
# list. This list is created by putting \bug commands in the documentation.
# The default value is: YES.
GENERATE_BUGLIST = YES
-# The GENERATE_DEPRECATEDLIST tag can be used to enable ( YES) or disable ( NO)
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or disable (NO)
# the deprecated list. This list is created by putting \deprecated commands in
# the documentation.
# The default value is: YES.
@@ -606,7 +638,7 @@ GENERATE_DEPRECATEDLIST= YES
# sections, marked by \if <section_label> ... \endif and \cond <section_label>
# ... \endcond blocks.
-ENABLED_SECTIONS =
+ENABLED_SECTIONS =
# The MAX_INITIALIZER_LINES tag determines the maximum number of lines that the
# initial value of a variable or macro / define can have for it to appear in the
@@ -620,8 +652,8 @@ ENABLED_SECTIONS =
MAX_INITIALIZER_LINES = 30
# Set the SHOW_USED_FILES tag to NO to disable the list of files generated at
-# the bottom of the documentation of classes and structs. If set to YES the list
-# will mention the files that were used to generate the documentation.
+# the bottom of the documentation of classes and structs. If set to YES, the
+# list will mention the files that were used to generate the documentation.
# The default value is: YES.
SHOW_USED_FILES = YES
@@ -648,7 +680,7 @@ SHOW_NAMESPACES = YES
# by doxygen. Whatever the program writes to standard output is used as the file
# version. For an example see the documentation.
-FILE_VERSION_FILTER =
+FILE_VERSION_FILTER =
# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
# by doxygen. The layout file controls the global structure of the generated
@@ -661,7 +693,7 @@ FILE_VERSION_FILTER =
# DoxygenLayout.xml, doxygen will parse it automatically even if the LAYOUT_FILE
# tag is left empty.
-LAYOUT_FILE =
+LAYOUT_FILE =
# The CITE_BIB_FILES tag can be used to specify one or more bib files containing
# the reference definitions. This must be a list of .bib files. The .bib
@@ -669,10 +701,9 @@ LAYOUT_FILE =
# to be installed. See also http://en.wikipedia.org/wiki/BibTeX for more info.
# For LaTeX the style of the bibliography can be controlled using
# LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the
-# search path. Do not use file names with spaces, bibtex cannot handle them. See
-# also \cite for info how to create references.
+# search path. See also \cite for info how to create references.
-CITE_BIB_FILES =
+CITE_BIB_FILES =
#---------------------------------------------------------------------------
# Configuration options related to warning and progress messages
@@ -686,7 +717,7 @@ CITE_BIB_FILES =
QUIET = NO
# The WARNINGS tag can be used to turn on/off the warning messages that are
-# generated to standard error ( stderr) by doxygen. If WARNINGS is set to YES
+# generated to standard error (stderr) by doxygen. If WARNINGS is set to YES
# this implies that the warnings are on.
#
# Tip: Turn warnings on while writing the documentation.
@@ -694,7 +725,7 @@ QUIET = NO
WARNINGS = YES
-# If the WARN_IF_UNDOCUMENTED tag is set to YES, then doxygen will generate
+# If the WARN_IF_UNDOCUMENTED tag is set to YES then doxygen will generate
# warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag
# will automatically be disabled.
# The default value is: YES.
@@ -711,12 +742,18 @@ WARN_IF_DOC_ERROR = YES
# This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that
# are documented, but have no documentation for their parameters or return
-# value. If set to NO doxygen will only warn about wrong or incomplete parameter
-# documentation, but not about the absence of documentation.
+# value. If set to NO, doxygen will only warn about wrong or incomplete
+# parameter documentation, but not about the absence of documentation.
# The default value is: NO.
WARN_NO_PARAMDOC = NO
+# If the WARN_AS_ERROR tag is set to YES then doxygen will immediately stop when
+# a warning is encountered.
+# The default value is: NO.
+
+WARN_AS_ERROR = NO
+
# The WARN_FORMAT tag determines the format of the warning messages that doxygen
# can produce. The string should contain the $file, $line, and $text tags, which
# will be replaced by the file and line number from which the warning originated
@@ -731,7 +768,7 @@ WARN_FORMAT = "$file:$line: $text"
# messages should be written. If left blank the output is written to standard
# error (stderr).
-WARN_LOGFILE =
+WARN_LOGFILE =
#---------------------------------------------------------------------------
# Configuration options related to the input files
@@ -740,10 +777,10 @@ WARN_LOGFILE =
# The INPUT tag is used to specify the files and/or directories that contain
# documented source files. You may enter file names like myfile.cpp or
# directories like /usr/src/myproject. Separate the files or directories with
-# spaces.
+# spaces. See also FILE_PATTERNS and EXTENSION_MAPPING
# Note: If this tag is empty the current directory is searched.
-INPUT = nginx
+INPUT = ../nginx
# This tag can be used to specify the character encoding of the source files
# that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses
@@ -756,14 +793,19 @@ INPUT_ENCODING = UTF-8
# If the value of the INPUT tag contains directories, you can use the
# FILE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and
-# *.h) to filter out the source-files in the directories. If left blank the
-# following patterns are tested:*.c, *.cc, *.cxx, *.cpp, *.c++, *.java, *.ii,
-# *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h, *.hh, *.hxx, *.hpp,
-# *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc, *.m, *.markdown,
-# *.md, *.mm, *.dox, *.py, *.f90, *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf,
-# *.qsf, *.as and *.js.
+# *.h) to filter out the source-files in the directories.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# read by doxygen.
+#
+# If left blank the following patterns are tested:*.c, *.cc, *.cxx, *.cpp,
+# *.c++, *.java, *.ii, *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h,
+# *.hh, *.hxx, *.hpp, *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc,
+# *.m, *.markdown, *.md, *.mm, *.dox, *.py, *.pyw, *.f90, *.f95, *.f03, *.f08,
+# *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf and *.qsf.
-FILE_PATTERNS =
+FILE_PATTERNS =
# The RECURSIVE tag can be used to specify whether or not subdirectories should
# be searched for input files as well.
@@ -778,7 +820,7 @@ RECURSIVE = YES
# Note that relative paths are relative to the directory from which doxygen is
# run.
-EXCLUDE =
+EXCLUDE =
# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
# directories that are symbolic links (a Unix file system feature) are excluded
@@ -794,7 +836,7 @@ EXCLUDE_SYMLINKS = NO
# Note that the wildcards are matched against the file with absolute path, so to
# exclude all test directories for example use the pattern */test/*
-EXCLUDE_PATTERNS =
+EXCLUDE_PATTERNS =
# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
# (namespaces, classes, functions, etc.) that should be excluded from the
@@ -805,20 +847,20 @@ EXCLUDE_PATTERNS =
# Note that the wildcards are matched against the file with absolute path, so to
# exclude all test directories use the pattern */test/*
-EXCLUDE_SYMBOLS =
+EXCLUDE_SYMBOLS =
# The EXAMPLE_PATH tag can be used to specify one or more files or directories
# that contain example code fragments that are included (see the \include
# command).
-EXAMPLE_PATH =
+EXAMPLE_PATH =
# If the value of the EXAMPLE_PATH tag contains directories, you can use the
# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp and
# *.h) to filter out the source-files in the directories. If left blank all
# files are included.
-EXAMPLE_PATTERNS =
+EXAMPLE_PATTERNS =
# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
# searched for input files to be used with the \include or \dontinclude commands
@@ -831,7 +873,7 @@ EXAMPLE_RECURSIVE = NO
# that contain images that are to be included in the documentation (see the
# \image command).
-IMAGE_PATH =
+IMAGE_PATH =
# The INPUT_FILTER tag can be used to specify a program that doxygen should
# invoke to filter for each input file. Doxygen will invoke the filter program
@@ -847,8 +889,12 @@ IMAGE_PATH =
# Note that the filter must not add or remove lines; it is applied before the
# code is scanned, but not when the output code is generated. If lines are added
# or removed, the anchors will not be placed correctly.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
-INPUT_FILTER =
+INPUT_FILTER =
# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
# basis. Doxygen will compare the file name with each pattern and apply the
@@ -856,11 +902,15 @@ INPUT_FILTER =
# (like *.cpp=my_cpp_filter). See INPUT_FILTER for further information on how
# filters are used. If the FILTER_PATTERNS tag is empty or if none of the
# patterns match the file name, INPUT_FILTER is applied.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
-FILTER_PATTERNS =
+FILTER_PATTERNS =
# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
-# INPUT_FILTER ) will also be used to filter the input files that are used for
+# INPUT_FILTER) will also be used to filter the input files that are used for
# producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES).
# The default value is: NO.
@@ -872,14 +922,14 @@ FILTER_SOURCE_FILES = NO
# *.ext= (so without naming a filter).
# This tag requires that the tag FILTER_SOURCE_FILES is set to YES.
-FILTER_SOURCE_PATTERNS =
+FILTER_SOURCE_PATTERNS =
# If the USE_MDFILE_AS_MAINPAGE tag refers to the name of a markdown file that
# is part of the input, its contents will be placed on the main page
# (index.html). This can be useful if you have a project on for instance GitHub
# and want to reuse the introduction page also for the doxygen output.
-USE_MDFILE_AS_MAINPAGE =
+USE_MDFILE_AS_MAINPAGE =
#---------------------------------------------------------------------------
# Configuration options related to source browsing
@@ -920,7 +970,7 @@ REFERENCED_BY_RELATION = NO
REFERENCES_RELATION = NO
# If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set
-# to YES, then the hyperlinks from functions in REFERENCES_RELATION and
+# to YES then the hyperlinks from functions in REFERENCES_RELATION and
# REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will
# link to the documentation.
# The default value is: YES.
@@ -991,13 +1041,13 @@ COLS_IN_ALPHA_INDEX = 5
# while generating the index headers.
# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
-IGNORE_PREFIX =
+IGNORE_PREFIX =
#---------------------------------------------------------------------------
# Configuration options related to the HTML output
#---------------------------------------------------------------------------
-# If the GENERATE_HTML tag is set to YES doxygen will generate HTML output
+# If the GENERATE_HTML tag is set to YES, doxygen will generate HTML output
# The default value is: YES.
GENERATE_HTML = YES
@@ -1035,7 +1085,7 @@ HTML_FILE_EXTENSION = .html
# of the possible markers and block names see the documentation.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_HEADER =
+HTML_HEADER =
# The HTML_FOOTER tag can be used to specify a user-defined HTML footer for each
# generated HTML page. If the tag is left blank doxygen will generate a standard
@@ -1045,7 +1095,7 @@ HTML_HEADER =
# that doxygen normally uses.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_FOOTER =
+HTML_FOOTER =
# The HTML_STYLESHEET tag can be used to specify a user-defined cascading style
# sheet that is used by each HTML page. It can be used to fine-tune the look of
@@ -1057,18 +1107,20 @@ HTML_FOOTER =
# obsolete.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_STYLESHEET =
+HTML_STYLESHEET =
-# The HTML_EXTRA_STYLESHEET tag can be used to specify an additional user-
-# defined cascading style sheet that is included after the standard style sheets
+# The HTML_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# cascading style sheets that are included after the standard style sheets
# created by doxygen. Using this option one can overrule certain style aspects.
# This is preferred over using HTML_STYLESHEET since it does not replace the
-# standard style sheet and is therefor more robust against future updates.
-# Doxygen will copy the style sheet file to the output directory. For an example
-# see the documentation.
+# standard style sheet and is therefore more robust against future updates.
+# Doxygen will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list). For an example see the documentation.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_EXTRA_STYLESHEET =
+HTML_EXTRA_STYLESHEET =
# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or
# other source files which should be copied to the HTML output directory. Note
@@ -1078,10 +1130,10 @@ HTML_EXTRA_STYLESHEET =
# files will be copied as-is; there are no commands or markers available.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_EXTRA_FILES =
+HTML_EXTRA_FILES =
# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen
-# will adjust the colors in the stylesheet and background images according to
+# will adjust the colors in the style sheet and background images according to
# this color. Hue is specified as an angle on a colorwheel, see
# http://en.wikipedia.org/wiki/Hue for more information. For instance the value
# 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300
@@ -1112,8 +1164,9 @@ HTML_COLORSTYLE_GAMMA = 80
# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
# page will contain the date and time when the page was generated. Setting this
-# to NO can help when comparing the output of multiple runs.
-# The default value is: YES.
+# to YES can help to show when doxygen was last run and thus if the
+# documentation is up to date.
+# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_TIMESTAMP = YES
@@ -1206,31 +1259,32 @@ GENERATE_HTMLHELP = NO
# written to the html output directory.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
-CHM_FILE =
+CHM_FILE =
# The HHC_LOCATION tag can be used to specify the location (absolute path
-# including file name) of the HTML help compiler ( hhc.exe). If non-empty
+# including file name) of the HTML help compiler (hhc.exe). If non-empty,
# doxygen will try to run the HTML help compiler on the generated index.hhp.
# The file has to be specified with full path.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
-HHC_LOCATION =
+HHC_LOCATION =
-# The GENERATE_CHI flag controls if a separate .chi index file is generated (
-# YES) or that it should be included in the master .chm file ( NO).
+# The GENERATE_CHI flag controls if a separate .chi index file is generated
+# (YES) or that it should be included in the master .chm file (NO).
# The default value is: NO.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
GENERATE_CHI = NO
-# The CHM_INDEX_ENCODING is used to encode HtmlHelp index ( hhk), content ( hhc)
+# The CHM_INDEX_ENCODING is used to encode HtmlHelp index (hhk), content (hhc)
# and project file content.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
-CHM_INDEX_ENCODING =
+CHM_INDEX_ENCODING =
-# The BINARY_TOC flag controls whether a binary table of contents is generated (
-# YES) or a normal table of contents ( NO) in the .chm file.
+# The BINARY_TOC flag controls whether a binary table of contents is generated
+# (YES) or a normal table of contents (NO) in the .chm file. Furthermore it
+# enables the Previous and Next buttons.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
@@ -1257,7 +1311,7 @@ GENERATE_QHP = NO
# the HTML output folder.
# This tag requires that the tag GENERATE_QHP is set to YES.
-QCH_FILE =
+QCH_FILE =
# The QHP_NAMESPACE tag specifies the namespace to use when generating Qt Help
# Project output. For more information please see Qt Help Project / Namespace
@@ -1282,7 +1336,7 @@ QHP_VIRTUAL_FOLDER = doc
# filters).
# This tag requires that the tag GENERATE_QHP is set to YES.
-QHP_CUST_FILTER_NAME =
+QHP_CUST_FILTER_NAME =
# The QHP_CUST_FILTER_ATTRS tag specifies the list of the attributes of the
# custom filter to add. For more information please see Qt Help Project / Custom
@@ -1290,21 +1344,21 @@ QHP_CUST_FILTER_NAME =
# filters).
# This tag requires that the tag GENERATE_QHP is set to YES.
-QHP_CUST_FILTER_ATTRS =
+QHP_CUST_FILTER_ATTRS =
# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
# project's filter section matches. Qt Help Project / Filter Attributes (see:
# http://qt-project.org/doc/qt-4.8/qthelpproject.html#filter-attributes).
# This tag requires that the tag GENERATE_QHP is set to YES.
-QHP_SECT_FILTER_ATTRS =
+QHP_SECT_FILTER_ATTRS =
# The QHG_LOCATION tag can be used to specify the location of Qt's
# qhelpgenerator. If non-empty doxygen will try to run qhelpgenerator on the
# generated .qhp file.
# This tag requires that the tag GENERATE_QHP is set to YES.
-QHG_LOCATION =
+QHG_LOCATION =
# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files will be
# generated, together with the HTML files, they form an Eclipse help plugin. To
@@ -1343,7 +1397,7 @@ DISABLE_INDEX = NO
# index structure (just like the one that is generated for HTML Help). For this
# to work a browser that supports JavaScript, DHTML, CSS and frames is required
# (i.e. any modern browser). Windows users are probably better off using the
-# HTML help feature. Via custom stylesheets (see HTML_EXTRA_STYLESHEET) one can
+# HTML help feature. Via custom style sheets (see HTML_EXTRA_STYLESHEET) one can
# further fine-tune the look of the index. As an example, the default style
# sheet generated by doxygen has an example that shows how to put an image at
# the root of the tree instead of the PROJECT_NAME. Since the tree basically has
@@ -1371,7 +1425,7 @@ ENUM_VALUES_PER_LINE = 4
TREEVIEW_WIDTH = 250
-# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open links to
+# If the EXT_LINKS_IN_WINDOW option is set to YES, doxygen will open links to
# external symbols imported via tag files in a separate window.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
@@ -1400,7 +1454,7 @@ FORMULA_TRANSPARENT = YES
# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see
# http://www.mathjax.org) which uses client side Javascript for the rendering
-# instead of using prerendered bitmaps. Use this if you do not have LaTeX
+# instead of using pre-rendered bitmaps. Use this if you do not have LaTeX
# installed or if you want to formulas look prettier in the HTML output. When
# enabled you may also need to install MathJax separately and configure the path
# to it using the MATHJAX_RELPATH option.
@@ -1437,7 +1491,7 @@ MATHJAX_RELPATH = http://cdn.mathjax.org/mathjax/latest
# MATHJAX_EXTENSIONS = TeX/AMSmath TeX/AMSsymbols
# This tag requires that the tag USE_MATHJAX is set to YES.
-MATHJAX_EXTENSIONS =
+MATHJAX_EXTENSIONS =
# The MATHJAX_CODEFILE tag can be used to specify a file with javascript pieces
# of code that will be used on startup of the MathJax code. See the MathJax site
@@ -1445,7 +1499,7 @@ MATHJAX_EXTENSIONS =
# example see the documentation.
# This tag requires that the tag USE_MATHJAX is set to YES.
-MATHJAX_CODEFILE =
+MATHJAX_CODEFILE =
# When the SEARCHENGINE tag is enabled doxygen will generate a search box for
# the HTML output. The underlying search engine uses javascript and DHTML and
@@ -1470,11 +1524,11 @@ SEARCHENGINE = YES
# When the SERVER_BASED_SEARCH tag is enabled the search engine will be
# implemented using a web server instead of a web client using Javascript. There
-# are two flavours of web server based searching depending on the
-# EXTERNAL_SEARCH setting. When disabled, doxygen will generate a PHP script for
-# searching and an index file used by the script. When EXTERNAL_SEARCH is
-# enabled the indexing and searching needs to be provided by external tools. See
-# the section "External Indexing and Searching" for details.
+# are two flavors of web server based searching depending on the EXTERNAL_SEARCH
+# setting. When disabled, doxygen will generate a PHP script for searching and
+# an index file used by the script. When EXTERNAL_SEARCH is enabled the indexing
+# and searching needs to be provided by external tools. See the section
+# "External Indexing and Searching" for details.
# The default value is: NO.
# This tag requires that the tag SEARCHENGINE is set to YES.
@@ -1486,7 +1540,7 @@ SERVER_BASED_SEARCH = NO
# external search engine pointed to by the SEARCHENGINE_URL option to obtain the
# search results.
#
-# Doxygen ships with an example indexer ( doxyindexer) and search engine
+# Doxygen ships with an example indexer (doxyindexer) and search engine
# (doxysearch.cgi) which are based on the open source search engine library
# Xapian (see: http://xapian.org/).
#
@@ -1499,13 +1553,13 @@ EXTERNAL_SEARCH = NO
# The SEARCHENGINE_URL should point to a search engine hosted by a web server
# which will return the search results when EXTERNAL_SEARCH is enabled.
#
-# Doxygen ships with an example indexer ( doxyindexer) and search engine
+# Doxygen ships with an example indexer (doxyindexer) and search engine
# (doxysearch.cgi) which are based on the open source search engine library
# Xapian (see: http://xapian.org/). See the section "External Indexing and
# Searching" for details.
# This tag requires that the tag SEARCHENGINE is set to YES.
-SEARCHENGINE_URL =
+SEARCHENGINE_URL =
# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the unindexed
# search data is written to a file for indexing by an external tool. With the
@@ -1521,7 +1575,7 @@ SEARCHDATA_FILE = searchdata.xml
# projects and redirect the results back to the right project.
# This tag requires that the tag SEARCHENGINE is set to YES.
-EXTERNAL_SEARCH_ID =
+EXTERNAL_SEARCH_ID =
# The EXTRA_SEARCH_MAPPINGS tag can be used to enable searching through doxygen
# projects other than the one defined by this configuration file, but that are
@@ -1531,13 +1585,13 @@ EXTERNAL_SEARCH_ID =
# EXTRA_SEARCH_MAPPINGS = tagname1=loc1 tagname2=loc2 ...
# This tag requires that the tag SEARCHENGINE is set to YES.
-EXTRA_SEARCH_MAPPINGS =
+EXTRA_SEARCH_MAPPINGS =
#---------------------------------------------------------------------------
# Configuration options related to the LaTeX output
#---------------------------------------------------------------------------
-# If the GENERATE_LATEX tag is set to YES doxygen will generate LaTeX output.
+# If the GENERATE_LATEX tag is set to YES, doxygen will generate LaTeX output.
# The default value is: YES.
GENERATE_LATEX = YES
@@ -1568,7 +1622,7 @@ LATEX_CMD_NAME = latex
MAKEINDEX_CMD_NAME = makeindex
-# If the COMPACT_LATEX tag is set to YES doxygen generates more compact LaTeX
+# If the COMPACT_LATEX tag is set to YES, doxygen generates more compact LaTeX
# documents. This may be useful for small projects and may help to save some
# trees in general.
# The default value is: NO.
@@ -1586,13 +1640,16 @@ COMPACT_LATEX = NO
PAPER_TYPE = a4
# The EXTRA_PACKAGES tag can be used to specify one or more LaTeX package names
-# that should be included in the LaTeX output. To get the times font for
-# instance you can specify
-# EXTRA_PACKAGES=times
+# that should be included in the LaTeX output. The package can be specified just
+# by its name or with the correct syntax as to be used with the LaTeX
+# \usepackage command. To get the times font for instance you can specify :
+# EXTRA_PACKAGES=times or EXTRA_PACKAGES={times}
+# To use the option intlimits with the amsmath package you can specify:
+# EXTRA_PACKAGES=[intlimits]{amsmath}
# If left blank no extra packages will be included.
# This tag requires that the tag GENERATE_LATEX is set to YES.
-EXTRA_PACKAGES =
+EXTRA_PACKAGES =
# The LATEX_HEADER tag can be used to specify a personal LaTeX header for the
# generated LaTeX document. The header should contain everything until the first
@@ -1602,22 +1659,35 @@ EXTRA_PACKAGES =
#
# Note: Only use a user-defined header if you know what you are doing! The
# following commands have a special meaning inside the header: $title,
-# $datetime, $date, $doxygenversion, $projectname, $projectnumber. Doxygen will
-# replace them by respectively the title of the page, the current date and time,
-# only the current date, the version number of doxygen, the project name (see
-# PROJECT_NAME), or the project number (see PROJECT_NUMBER).
+# $datetime, $date, $doxygenversion, $projectname, $projectnumber,
+# $projectbrief, $projectlogo. Doxygen will replace $title with the empty
+# string, for the replacement values of the other commands the user is referred
+# to HTML_HEADER.
# This tag requires that the tag GENERATE_LATEX is set to YES.
-LATEX_HEADER =
+LATEX_HEADER =
# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for the
# generated LaTeX document. The footer should contain everything after the last
-# chapter. If it is left blank doxygen will generate a standard footer.
+# chapter. If it is left blank doxygen will generate a standard footer. See
+# LATEX_HEADER for more information on how to generate a default footer and what
+# special commands can be used inside the footer.
#
# Note: Only use a user-defined footer if you know what you are doing!
# This tag requires that the tag GENERATE_LATEX is set to YES.
-LATEX_FOOTER =
+LATEX_FOOTER =
+
+# The LATEX_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# LaTeX style sheets that are included after the standard style sheets created
+# by doxygen. Using this option one can overrule certain style aspects. Doxygen
+# will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list).
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_EXTRA_STYLESHEET =
# The LATEX_EXTRA_FILES tag can be used to specify one or more extra images or
# other source files which should be copied to the LATEX_OUTPUT output
@@ -1625,7 +1695,7 @@ LATEX_FOOTER =
# markers available.
# This tag requires that the tag GENERATE_LATEX is set to YES.
-LATEX_EXTRA_FILES =
+LATEX_EXTRA_FILES =
# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated is
# prepared for conversion to PDF (using ps2pdf or pdflatex). The PDF file will
@@ -1636,8 +1706,8 @@ LATEX_EXTRA_FILES =
PDF_HYPERLINKS = YES
-# If the LATEX_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
-# the PDF file directly from the LaTeX files. Set this option to YES to get a
+# If the USE_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
+# the PDF file directly from the LaTeX files. Set this option to YES, to get a
# higher quality PDF documentation.
# The default value is: YES.
# This tag requires that the tag GENERATE_LATEX is set to YES.
@@ -1678,11 +1748,19 @@ LATEX_SOURCE_CODE = NO
LATEX_BIB_STYLE = plain
+# If the LATEX_TIMESTAMP tag is set to YES then the footer of each generated
+# page will contain the date and time when the page was generated. Setting this
+# to NO can help when comparing the output of multiple runs.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_TIMESTAMP = NO
+
#---------------------------------------------------------------------------
# Configuration options related to the RTF output
#---------------------------------------------------------------------------
-# If the GENERATE_RTF tag is set to YES doxygen will generate RTF output. The
+# If the GENERATE_RTF tag is set to YES, doxygen will generate RTF output. The
# RTF output is optimized for Word 97 and may not look too pretty with other RTF
# readers/editors.
# The default value is: NO.
@@ -1697,7 +1775,7 @@ GENERATE_RTF = NO
RTF_OUTPUT = rtf
-# If the COMPACT_RTF tag is set to YES doxygen generates more compact RTF
+# If the COMPACT_RTF tag is set to YES, doxygen generates more compact RTF
# documents. This may be useful for small projects and may help to save some
# trees in general.
# The default value is: NO.
@@ -1725,20 +1803,30 @@ RTF_HYPERLINKS = NO
# default style sheet that doxygen normally uses.
# This tag requires that the tag GENERATE_RTF is set to YES.
-RTF_STYLESHEET_FILE =
+RTF_STYLESHEET_FILE =
# Set optional variables used in the generation of an RTF document. Syntax is
# similar to doxygen's config file. A template extensions file can be generated
# using doxygen -e rtf extensionFile.
# This tag requires that the tag GENERATE_RTF is set to YES.
-RTF_EXTENSIONS_FILE =
+RTF_EXTENSIONS_FILE =
+
+# If the RTF_SOURCE_CODE tag is set to YES then doxygen will include source code
+# with syntax highlighting in the RTF output.
+#
+# Note that which sources are shown also depends on other settings such as
+# SOURCE_BROWSER.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_SOURCE_CODE = NO
#---------------------------------------------------------------------------
# Configuration options related to the man page output
#---------------------------------------------------------------------------
-# If the GENERATE_MAN tag is set to YES doxygen will generate man pages for
+# If the GENERATE_MAN tag is set to YES, doxygen will generate man pages for
# classes and files.
# The default value is: NO.
@@ -1762,6 +1850,13 @@ MAN_OUTPUT = man
MAN_EXTENSION = .3
+# The MAN_SUBDIR tag determines the name of the directory created within
+# MAN_OUTPUT in which the man pages are placed. If defaults to man followed by
+# MAN_EXTENSION with the initial . removed.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_SUBDIR =
+
# If the MAN_LINKS tag is set to YES and doxygen generates man output, then it
# will generate one additional man file for each entity documented in the real
# man page(s). These additional files only source the real man page, but without
@@ -1775,7 +1870,7 @@ MAN_LINKS = NO
# Configuration options related to the XML output
#---------------------------------------------------------------------------
-# If the GENERATE_XML tag is set to YES doxygen will generate an XML file that
+# If the GENERATE_XML tag is set to YES, doxygen will generate an XML file that
# captures the structure of the code including all documentation.
# The default value is: NO.
@@ -1789,19 +1884,7 @@ GENERATE_XML = NO
XML_OUTPUT = xml
-# The XML_SCHEMA tag can be used to specify a XML schema, which can be used by a
-# validating XML parser to check the syntax of the XML files.
-# This tag requires that the tag GENERATE_XML is set to YES.
-
-XML_SCHEMA =
-
-# The XML_DTD tag can be used to specify a XML DTD, which can be used by a
-# validating XML parser to check the syntax of the XML files.
-# This tag requires that the tag GENERATE_XML is set to YES.
-
-XML_DTD =
-
-# If the XML_PROGRAMLISTING tag is set to YES doxygen will dump the program
+# If the XML_PROGRAMLISTING tag is set to YES, doxygen will dump the program
# listings (including syntax highlighting and cross-referencing information) to
# the XML output. Note that enabling this will significantly increase the size
# of the XML output.
@@ -1814,7 +1897,7 @@ XML_PROGRAMLISTING = YES
# Configuration options related to the DOCBOOK output
#---------------------------------------------------------------------------
-# If the GENERATE_DOCBOOK tag is set to YES doxygen will generate Docbook files
+# If the GENERATE_DOCBOOK tag is set to YES, doxygen will generate Docbook files
# that can be used to generate PDF.
# The default value is: NO.
@@ -1828,14 +1911,23 @@ GENERATE_DOCBOOK = NO
DOCBOOK_OUTPUT = docbook
+# If the DOCBOOK_PROGRAMLISTING tag is set to YES, doxygen will include the
+# program listings (including syntax highlighting and cross-referencing
+# information) to the DOCBOOK output. Note that enabling this will significantly
+# increase the size of the DOCBOOK output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_DOCBOOK is set to YES.
+
+DOCBOOK_PROGRAMLISTING = NO
+
#---------------------------------------------------------------------------
# Configuration options for the AutoGen Definitions output
#---------------------------------------------------------------------------
-# If the GENERATE_AUTOGEN_DEF tag is set to YES doxygen will generate an AutoGen
-# Definitions (see http://autogen.sf.net) file that captures the structure of
-# the code including all documentation. Note that this feature is still
-# experimental and incomplete at the moment.
+# If the GENERATE_AUTOGEN_DEF tag is set to YES, doxygen will generate an
+# AutoGen Definitions (see http://autogen.sf.net) file that captures the
+# structure of the code including all documentation. Note that this feature is
+# still experimental and incomplete at the moment.
# The default value is: NO.
GENERATE_AUTOGEN_DEF = NO
@@ -1844,7 +1936,7 @@ GENERATE_AUTOGEN_DEF = NO
# Configuration options related to the Perl module output
#---------------------------------------------------------------------------
-# If the GENERATE_PERLMOD tag is set to YES doxygen will generate a Perl module
+# If the GENERATE_PERLMOD tag is set to YES, doxygen will generate a Perl module
# file that captures the structure of the code including all documentation.
#
# Note that this feature is still experimental and incomplete at the moment.
@@ -1852,7 +1944,7 @@ GENERATE_AUTOGEN_DEF = NO
GENERATE_PERLMOD = NO
-# If the PERLMOD_LATEX tag is set to YES doxygen will generate the necessary
+# If the PERLMOD_LATEX tag is set to YES, doxygen will generate the necessary
# Makefile rules, Perl scripts and LaTeX code to be able to generate PDF and DVI
# output from the Perl module output.
# The default value is: NO.
@@ -1860,9 +1952,9 @@ GENERATE_PERLMOD = NO
PERLMOD_LATEX = NO
-# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be nicely
+# If the PERLMOD_PRETTY tag is set to YES, the Perl module output will be nicely
# formatted so it can be parsed by a human reader. This is useful if you want to
-# understand what is going on. On the other hand, if this tag is set to NO the
+# understand what is going on. On the other hand, if this tag is set to NO, the
# size of the Perl module output will be much smaller and Perl will parse it
# just the same.
# The default value is: YES.
@@ -1876,20 +1968,20 @@ PERLMOD_PRETTY = YES
# overwrite each other's variables.
# This tag requires that the tag GENERATE_PERLMOD is set to YES.
-PERLMOD_MAKEVAR_PREFIX =
+PERLMOD_MAKEVAR_PREFIX =
#---------------------------------------------------------------------------
# Configuration options related to the preprocessor
#---------------------------------------------------------------------------
-# If the ENABLE_PREPROCESSING tag is set to YES doxygen will evaluate all
+# If the ENABLE_PREPROCESSING tag is set to YES, doxygen will evaluate all
# C-preprocessor directives found in the sources and include files.
# The default value is: YES.
ENABLE_PREPROCESSING = YES
-# If the MACRO_EXPANSION tag is set to YES doxygen will expand all macro names
-# in the source code. If set to NO only conditional compilation will be
+# If the MACRO_EXPANSION tag is set to YES, doxygen will expand all macro names
+# in the source code. If set to NO, only conditional compilation will be
# performed. Macro expansion can be done in a controlled way by setting
# EXPAND_ONLY_PREDEF to YES.
# The default value is: NO.
@@ -1905,7 +1997,7 @@ MACRO_EXPANSION = NO
EXPAND_ONLY_PREDEF = NO
-# If the SEARCH_INCLUDES tag is set to YES the includes files in the
+# If the SEARCH_INCLUDES tag is set to YES, the include files in the
# INCLUDE_PATH will be searched if a #include is found.
# The default value is: YES.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
@@ -1917,7 +2009,7 @@ SEARCH_INCLUDES = YES
# preprocessor.
# This tag requires that the tag SEARCH_INCLUDES is set to YES.
-INCLUDE_PATH = "apache2"
+INCLUDE_PATH = "../apache2"
# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
# patterns (like *.h and *.hpp) to filter out the header-files in the
@@ -1925,7 +2017,7 @@ INCLUDE_PATH = "apache2"
# used.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
-INCLUDE_FILE_PATTERNS =
+INCLUDE_FILE_PATTERNS =
# The PREDEFINED tag can be used to specify one or more macro names that are
# defined before the preprocessor is started (similar to the -D option of e.g.
@@ -1935,7 +2027,7 @@ INCLUDE_FILE_PATTERNS =
# recursively expanded use the := operator instead of the = operator.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
-PREDEFINED =
+PREDEFINED =
# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
# tag can be used to specify a list of macro names that should be expanded. The
@@ -1944,12 +2036,12 @@ PREDEFINED =
# definition found in the source code.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
-EXPAND_AS_DEFINED =
+EXPAND_AS_DEFINED =
# If the SKIP_FUNCTION_MACROS tag is set to YES then doxygen's preprocessor will
-# remove all refrences to function-like macros that are alone on a line, have an
-# all uppercase name, and do not end with a semicolon. Such function macros are
-# typically used for boiler-plate code, and will confuse the parser if not
+# remove all references to function-like macros that are alone on a line, have
+# an all uppercase name, and do not end with a semicolon. Such function macros
+# are typically used for boiler-plate code, and will confuse the parser if not
# removed.
# The default value is: YES.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
@@ -1969,32 +2061,33 @@ SKIP_FUNCTION_MACROS = YES
# where loc1 and loc2 can be relative or absolute paths or URLs. See the
# section "Linking to external documentation" for more information about the use
# of tag files.
-# Note: Each tag file must have an unique name (where the name does NOT include
+# Note: Each tag file must have a unique name (where the name does NOT include
# the path). If a tag file is not located in the directory in which doxygen is
# run, you must also specify the path to the tagfile here.
-TAGFILES =
+TAGFILES =
# When a file name is specified after GENERATE_TAGFILE, doxygen will create a
# tag file that is based on the input files it reads. See section "Linking to
# external documentation" for more information about the usage of tag files.
-GENERATE_TAGFILE =
+GENERATE_TAGFILE =
-# If the ALLEXTERNALS tag is set to YES all external class will be listed in the
-# class index. If set to NO only the inherited external classes will be listed.
+# If the ALLEXTERNALS tag is set to YES, all external class will be listed in
+# the class index. If set to NO, only the inherited external classes will be
+# listed.
# The default value is: NO.
ALLEXTERNALS = NO
-# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed in
-# the modules index. If set to NO, only the current project's groups will be
+# If the EXTERNAL_GROUPS tag is set to YES, all external groups will be listed
+# in the modules index. If set to NO, only the current project's groups will be
# listed.
# The default value is: YES.
EXTERNAL_GROUPS = YES
-# If the EXTERNAL_PAGES tag is set to YES all external pages will be listed in
+# If the EXTERNAL_PAGES tag is set to YES, all external pages will be listed in
# the related pages index. If set to NO, only the current project's pages will
# be listed.
# The default value is: YES.
@@ -2011,7 +2104,7 @@ PERL_PATH = /usr/bin/perl
# Configuration options related to the dot tool
#---------------------------------------------------------------------------
-# If the CLASS_DIAGRAMS tag is set to YES doxygen will generate a class diagram
+# If the CLASS_DIAGRAMS tag is set to YES, doxygen will generate a class diagram
# (in HTML and LaTeX) for classes with base or super classes. Setting the tag to
# NO turns the diagrams off. Note that this option also works with HAVE_DOT
# disabled, but it is recommended to install and use dot, since it yields more
@@ -2027,16 +2120,16 @@ CLASS_DIAGRAMS = YES
# the mscgen tool resides. If left empty the tool is assumed to be found in the
# default search path.
-MSCGEN_PATH =
+MSCGEN_PATH =
# You can include diagrams made with dia in doxygen documentation. Doxygen will
# then run dia to produce the diagram and insert it in the documentation. The
# DIA_PATH tag allows you to specify the directory where the dia binary resides.
# If left empty dia is assumed to be found in the default search path.
-DIA_PATH =
+DIA_PATH =
-# If set to YES, the inheritance and collaboration graphs will hide inheritance
+# If set to YES the inheritance and collaboration graphs will hide inheritance
# and usage relations if the target is undocumented or is not a class.
# The default value is: YES.
@@ -2049,7 +2142,7 @@ HIDE_UNDOC_RELATIONS = YES
# set to NO
# The default value is: NO.
-HAVE_DOT = YES
+HAVE_DOT = NO
# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is allowed
# to run in parallel. When set to 0 doxygen will base this on the number of
@@ -2061,7 +2154,7 @@ HAVE_DOT = YES
DOT_NUM_THREADS = 0
-# When you want a differently looking font n the dot files that doxygen
+# When you want a differently looking font in the dot files that doxygen
# generates you can specify the font name using DOT_FONTNAME. You need to make
# sure dot is able to find the font, which can be done by putting it in a
# standard location or by setting the DOTFONTPATH environment variable or by
@@ -2083,7 +2176,7 @@ DOT_FONTSIZE = 10
# the path where dot can find it using this tag.
# This tag requires that the tag HAVE_DOT is set to YES.
-DOT_FONTPATH =
+DOT_FONTPATH =
# If the CLASS_GRAPH tag is set to YES then doxygen will generate a graph for
# each documented class showing the direct and indirect inheritance relations.
@@ -2109,7 +2202,7 @@ COLLABORATION_GRAPH = YES
GROUP_GRAPHS = YES
-# If the UML_LOOK tag is set to YES doxygen will generate inheritance and
+# If the UML_LOOK tag is set to YES, doxygen will generate inheritance and
# collaboration diagrams in a style similar to the OMG's Unified Modeling
# Language.
# The default value is: NO.
@@ -2161,7 +2254,8 @@ INCLUDED_BY_GRAPH = YES
#
# Note that enabling this option will significantly increase the time of a run.
# So in most cases it will be better to enable call graphs for selected
-# functions only using the \callgraph command.
+# functions only using the \callgraph command. Disabling a call graph can be
+# accomplished by means of the command \hidecallgraph.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
@@ -2172,7 +2266,8 @@ CALL_GRAPH = YES
#
# Note that enabling this option will significantly increase the time of a run.
# So in most cases it will be better to enable caller graphs for selected
-# functions only using the \callergraph command.
+# functions only using the \callergraph command. Disabling a caller graph can be
+# accomplished by means of the command \hidecallergraph.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
@@ -2195,11 +2290,15 @@ GRAPHICAL_HIERARCHY = YES
DIRECTORY_GRAPH = YES
# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
-# generated by dot.
+# generated by dot. For an explanation of the image formats see the section
+# output formats in the documentation of the dot tool (Graphviz (see:
+# http://www.graphviz.org/)).
# Note: If you choose svg you need to set HTML_FILE_EXTENSION to xhtml in order
# to make the SVG files visible in IE 9+ (other browsers do not have this
# requirement).
-# Possible values are: png, jpg, gif and svg.
+# Possible values are: png, jpg, gif, svg, png:gd, png:gd:gd, png:cairo,
+# png:cairo:gd, png:cairo:cairo, png:cairo:gdiplus, png:gdiplus and
+# png:gdiplus:gdiplus.
# The default value is: png.
# This tag requires that the tag HAVE_DOT is set to YES.
@@ -2221,26 +2320,44 @@ INTERACTIVE_SVG = YES
# found. If left blank, it is assumed the dot tool can be found in the path.
# This tag requires that the tag HAVE_DOT is set to YES.
-DOT_PATH =
+DOT_PATH =
# The DOTFILE_DIRS tag can be used to specify one or more directories that
# contain dot files that are included in the documentation (see the \dotfile
# command).
# This tag requires that the tag HAVE_DOT is set to YES.
-DOTFILE_DIRS =
+DOTFILE_DIRS =
# The MSCFILE_DIRS tag can be used to specify one or more directories that
# contain msc files that are included in the documentation (see the \mscfile
# command).
-MSCFILE_DIRS =
+MSCFILE_DIRS =
# The DIAFILE_DIRS tag can be used to specify one or more directories that
# contain dia files that are included in the documentation (see the \diafile
# command).
-DIAFILE_DIRS =
+DIAFILE_DIRS =
+
+# When using plantuml, the PLANTUML_JAR_PATH tag should be used to specify the
+# path where java can find the plantuml.jar file. If left blank, it is assumed
+# PlantUML is not used or called during a preprocessing step. Doxygen will
+# generate a warning when it encounters a \startuml command in this case and
+# will not generate output for the diagram.
+
+PLANTUML_JAR_PATH =
+
+# When using plantuml, the PLANTUML_CFG_FILE tag can be used to specify a
+# configuration file for plantuml.
+
+PLANTUML_CFG_FILE =
+
+# When using plantuml, the specified paths are searched for files specified by
+# the !include statement in a plantuml block.
+
+PLANTUML_INCLUDE_PATH =
# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of nodes
# that will be shown in the graph. If the number of nodes in a graph becomes
@@ -2278,7 +2395,7 @@ MAX_DOT_GRAPH_DEPTH = 0
DOT_TRANSPARENT = NO
-# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output
+# Set the DOT_MULTI_TARGETS tag to YES to allow dot to generate multiple output
# files in one run (i.e. multiple -o and -T options on the command line). This
# makes dot run faster, but since only newer versions of dot (>1.8.10) support
# this, this feature is disabled by default.
@@ -2295,7 +2412,7 @@ DOT_MULTI_TARGETS = YES
GENERATE_LEGEND = YES
-# If the DOT_CLEANUP tag is set to YES doxygen will remove the intermediate dot
+# If the DOT_CLEANUP tag is set to YES, doxygen will remove the intermediate dot
# files that are used to generate the various graphs.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
diff --git a/doc/doxygen-standalone.conf b/doc/doxygen-standalone.in
similarity index 84%
rename from doc/doxygen-standalone.conf
rename to doc/doxygen-standalone.in
index 2bcf761881..bb3dfd7329 100644
--- a/doc/doxygen-standalone.conf
+++ b/doc/doxygen-standalone.in
@@ -1,4 +1,4 @@
-# Doxyfile 1.8.6
+# Doxyfile 1.8.13
# This file describes the settings to be used by the documentation system
# doxygen (www.doxygen.org) for a project.
@@ -38,7 +38,7 @@ PROJECT_NAME = "ModSecurity (Standalone)"
# could be handy for archiving the generated documentation or if some version
# control system is used.
-PROJECT_NUMBER =
+PROJECT_NUMBER =
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
@@ -46,21 +46,21 @@ PROJECT_NUMBER =
PROJECT_BRIEF = "ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence."
-# With the PROJECT_LOGO tag one can specify an logo or icon that is included in
-# the documentation. The maximum height of the logo should not exceed 55 pixels
-# and the maximum width should not exceed 200 pixels. Doxygen will copy the logo
-# to the output directory.
+# With the PROJECT_LOGO tag one can specify a logo or an icon that is included
+# in the documentation. The maximum height of the logo should not exceed 55
+# pixels and the maximum width should not exceed 200 pixels. Doxygen will copy
+# the logo to the output directory.
-PROJECT_LOGO = ./doc/doxygen-logo.png
+PROJECT_LOGO = ./doxygen-logo.png
# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) path
# into which the generated documentation will be written. If a relative path is
# entered, it will be relative to the location where doxygen was started. If
# left blank the current directory will be used.
-OUTPUT_DIRECTORY = doc/standalone
+OUTPUT_DIRECTORY = standalone
-# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 4096 sub-
+# If the CREATE_SUBDIRS tag is set to YES then doxygen will create 4096 sub-
# directories (in 2 levels) under the output directory of each output format and
# will distribute the generated files over these directories. Enabling this
# option can be useful when feeding doxygen a huge amount of source files, where
@@ -70,6 +70,14 @@ OUTPUT_DIRECTORY = doc/standalone
CREATE_SUBDIRS = YES
+# If the ALLOW_UNICODE_NAMES tag is set to YES, doxygen will allow non-ASCII
+# characters to appear in the names of generated files. If set to NO, non-ASCII
+# characters will be escaped, for example _xE3_x81_x84 will be used for Unicode
+# U+3044.
+# The default value is: NO.
+
+ALLOW_UNICODE_NAMES = NO
+
# The OUTPUT_LANGUAGE tag is used to specify the language in which all
# documentation generated by doxygen is written. Doxygen will use this
# information to generate all constant output in the proper language.
@@ -85,14 +93,14 @@ CREATE_SUBDIRS = YES
OUTPUT_LANGUAGE = English
-# If the BRIEF_MEMBER_DESC tag is set to YES doxygen will include brief member
+# If the BRIEF_MEMBER_DESC tag is set to YES, doxygen will include brief member
# descriptions after the members that are listed in the file and class
# documentation (similar to Javadoc). Set to NO to disable this.
# The default value is: YES.
BRIEF_MEMBER_DESC = YES
-# If the REPEAT_BRIEF tag is set to YES doxygen will prepend the brief
+# If the REPEAT_BRIEF tag is set to YES, doxygen will prepend the brief
# description of a member or function before the detailed description
#
# Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
@@ -110,7 +118,7 @@ REPEAT_BRIEF = YES
# the entity):The $name class, The $name widget, The $name file, is, provides,
# specifies, contains, represents, a, an and the.
-ABBREVIATE_BRIEF =
+ABBREVIATE_BRIEF =
# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then
# doxygen will generate a detailed section even if there is only a brief
@@ -127,7 +135,7 @@ ALWAYS_DETAILED_SEC = NO
INLINE_INHERITED_MEMB = NO
-# If the FULL_PATH_NAMES tag is set to YES doxygen will prepend the full path
+# If the FULL_PATH_NAMES tag is set to YES, doxygen will prepend the full path
# before files name in the file list and in the header files. If set to NO the
# shortest path that makes the file name unique will be used
# The default value is: YES.
@@ -144,7 +152,7 @@ FULL_PATH_NAMES = YES
# will be relative from the directory where doxygen is started.
# This tag requires that the tag FULL_PATH_NAMES is set to YES.
-STRIP_FROM_PATH =
+STRIP_FROM_PATH =
# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of the
# path mentioned in the documentation of a class, which tells the reader which
@@ -153,7 +161,7 @@ STRIP_FROM_PATH =
# specify the list of include paths that are normally passed to the compiler
# using the -I flag.
-STRIP_FROM_INC_PATH =
+STRIP_FROM_INC_PATH =
# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter (but
# less readable) file names. This can be useful is your file systems doesn't
@@ -197,9 +205,9 @@ MULTILINE_CPP_IS_BRIEF = NO
INHERIT_DOCS = YES
-# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce a
-# new page for each member. If set to NO, the documentation of a member will be
-# part of the file/class/namespace that contains it.
+# If the SEPARATE_MEMBER_PAGES tag is set to YES then doxygen will produce a new
+# page for each member. If set to NO, the documentation of a member will be part
+# of the file/class/namespace that contains it.
# The default value is: NO.
SEPARATE_MEMBER_PAGES = NO
@@ -220,13 +228,13 @@ TAB_SIZE = 4
# "Side Effects:". You can put \n's in the value part of an alias to insert
# newlines.
-ALIASES =
+ALIASES =
# This tag can be used to specify a number of word-keyword mappings (TCL only).
# A mapping has the form "name=value". For example adding "class=itcl::class"
# will allow you to use the command class in the itcl::class meaning.
-TCL_SUBST =
+TCL_SUBST =
# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources
# only. Doxygen will then generate output that is more tailored for C. For
@@ -261,16 +269,19 @@ OPTIMIZE_OUTPUT_VHDL = NO
# extension. Doxygen has a built-in mapping, but you can override or extend it
# using this tag. The format is ext=language, where ext is a file extension, and
# language is one of the parsers supported by doxygen: IDL, Java, Javascript,
-# C#, C, C++, D, PHP, Objective-C, Python, Fortran, VHDL. For instance to make
-# doxygen treat .inc files as Fortran files (default is PHP), and .f files as C
-# (default is Fortran), use: inc=Fortran f=C.
+# C#, C, C++, D, PHP, Objective-C, Python, Fortran (fixed format Fortran:
+# FortranFixed, free formatted Fortran: FortranFree, unknown formatted Fortran:
+# Fortran. In the later case the parser tries to guess whether the code is fixed
+# or free formatted code, this is the default for Fortran type files), VHDL. For
+# instance to make doxygen treat .inc files as Fortran files (default is PHP),
+# and .f files as C (default is Fortran), use: inc=Fortran f=C.
#
-# Note For files without extension you can use no_extension as a placeholder.
+# Note: For files without extension you can use no_extension as a placeholder.
#
# Note that for custom extensions you also need to set FILE_PATTERNS otherwise
# the files are not read by doxygen.
-EXTENSION_MAPPING =
+EXTENSION_MAPPING =
# If the MARKDOWN_SUPPORT tag is enabled then doxygen pre-processes all comments
# according to the Markdown format, which allows for more readable
@@ -282,10 +293,19 @@ EXTENSION_MAPPING =
MARKDOWN_SUPPORT = YES
+# When the TOC_INCLUDE_HEADINGS tag is set to a non-zero value, all headings up
+# to that level are automatically included in the table of contents, even if
+# they do not have an id attribute.
+# Note: This feature currently applies only to Markdown headings.
+# Minimum value: 0, maximum value: 99, default value: 0.
+# This tag requires that the tag MARKDOWN_SUPPORT is set to YES.
+
+TOC_INCLUDE_HEADINGS = 0
+
# When enabled doxygen tries to link words that correspond to documented
# classes, or namespaces to their corresponding documentation. Such a link can
-# be prevented in individual cases by by putting a % sign in front of the word
-# or globally by setting AUTOLINK_SUPPORT to NO.
+# be prevented in individual cases by putting a % sign in front of the word or
+# globally by setting AUTOLINK_SUPPORT to NO.
# The default value is: YES.
AUTOLINK_SUPPORT = YES
@@ -325,13 +345,20 @@ SIP_SUPPORT = NO
IDL_PROPERTY_SUPPORT = YES
# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
-# tag is set to YES, then doxygen will reuse the documentation of the first
+# tag is set to YES then doxygen will reuse the documentation of the first
# member in the group (if any) for the other members of the group. By default
# all members of a group must be documented explicitly.
# The default value is: NO.
DISTRIBUTE_GROUP_DOC = NO
+# If one adds a struct or class to a group and this option is enabled, then also
+# any nested class or struct is added to the same group. By default this option
+# is disabled and one has to add nested compounds explicitly via \ingroup.
+# The default value is: NO.
+
+GROUP_NESTED_COMPOUNDS = NO
+
# Set the SUBGROUPING tag to YES to allow class member groups of the same type
# (for instance a group of public functions) to be put as a subgroup of that
# type (e.g. under the Public Functions section). Set it to NO to prevent
@@ -390,7 +417,7 @@ LOOKUP_CACHE_SIZE = 0
# Build related configuration options
#---------------------------------------------------------------------------
-# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in
+# If the EXTRACT_ALL tag is set to YES, doxygen will assume all entities in
# documentation are documented, even if no documentation was available. Private
# class members and static file members will be hidden unless the
# EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES.
@@ -400,35 +427,35 @@ LOOKUP_CACHE_SIZE = 0
EXTRACT_ALL = YES
-# If the EXTRACT_PRIVATE tag is set to YES all private members of a class will
+# If the EXTRACT_PRIVATE tag is set to YES, all private members of a class will
# be included in the documentation.
# The default value is: NO.
EXTRACT_PRIVATE = NO
-# If the EXTRACT_PACKAGE tag is set to YES all members with package or internal
+# If the EXTRACT_PACKAGE tag is set to YES, all members with package or internal
# scope will be included in the documentation.
# The default value is: NO.
EXTRACT_PACKAGE = NO
-# If the EXTRACT_STATIC tag is set to YES all static members of a file will be
+# If the EXTRACT_STATIC tag is set to YES, all static members of a file will be
# included in the documentation.
# The default value is: NO.
EXTRACT_STATIC = NO
-# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) defined
-# locally in source files will be included in the documentation. If set to NO
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES, classes (and structs) defined
+# locally in source files will be included in the documentation. If set to NO,
# only classes defined in header files are included. Does not have any effect
# for Java sources.
# The default value is: YES.
EXTRACT_LOCAL_CLASSES = YES
-# This flag is only useful for Objective-C code. When set to YES local methods,
+# This flag is only useful for Objective-C code. If set to YES, local methods,
# which are defined in the implementation section but not in the interface are
-# included in the documentation. If set to NO only methods in the interface are
+# included in the documentation. If set to NO, only methods in the interface are
# included.
# The default value is: NO.
@@ -453,21 +480,21 @@ HIDE_UNDOC_MEMBERS = NO
# If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all
# undocumented classes that are normally visible in the class hierarchy. If set
-# to NO these classes will be included in the various overviews. This option has
-# no effect if EXTRACT_ALL is enabled.
+# to NO, these classes will be included in the various overviews. This option
+# has no effect if EXTRACT_ALL is enabled.
# The default value is: NO.
HIDE_UNDOC_CLASSES = NO
# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend
-# (class|struct|union) declarations. If set to NO these declarations will be
+# (class|struct|union) declarations. If set to NO, these declarations will be
# included in the documentation.
# The default value is: NO.
HIDE_FRIEND_COMPOUNDS = NO
# If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any
-# documentation blocks found inside the body of a function. If set to NO these
+# documentation blocks found inside the body of a function. If set to NO, these
# blocks will be appended to the function's detailed documentation block.
# The default value is: NO.
@@ -481,7 +508,7 @@ HIDE_IN_BODY_DOCS = NO
INTERNAL_DOCS = NO
# If the CASE_SENSE_NAMES tag is set to NO then doxygen will only generate file
-# names in lower-case letters. If set to YES upper-case letters are also
+# names in lower-case letters. If set to YES, upper-case letters are also
# allowed. This is useful if you have classes or files whose names only differ
# in case and if your file system supports case sensitive file names. Windows
# and Mac users are advised to set this option to NO.
@@ -490,12 +517,19 @@ INTERNAL_DOCS = NO
CASE_SENSE_NAMES = YES
# If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with
-# their full class and namespace scopes in the documentation. If set to YES the
+# their full class and namespace scopes in the documentation. If set to YES, the
# scope will be hidden.
# The default value is: NO.
HIDE_SCOPE_NAMES = YES
+# If the HIDE_COMPOUND_REFERENCE tag is set to NO (default) then doxygen will
+# append additional text to a page's title, such as Class Reference. If set to
+# YES the compound reference will be hidden.
+# The default value is: NO.
+
+HIDE_COMPOUND_REFERENCE= NO
+
# If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of
# the files that are included by a file in the documentation of that file.
# The default value is: YES.
@@ -523,14 +557,14 @@ INLINE_INFO = YES
# If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the
# (detailed) documentation of file and class members alphabetically by member
-# name. If set to NO the members will appear in declaration order.
+# name. If set to NO, the members will appear in declaration order.
# The default value is: YES.
SORT_MEMBER_DOCS = YES
# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief
# descriptions of file, namespace and class members alphabetically by member
-# name. If set to NO the members will appear in declaration order. Note that
+# name. If set to NO, the members will appear in declaration order. Note that
# this will also influence the order of the classes in the class list.
# The default value is: NO.
@@ -575,27 +609,25 @@ SORT_BY_SCOPE_NAME = NO
STRICT_PROTO_MATCHING = NO
-# The GENERATE_TODOLIST tag can be used to enable ( YES) or disable ( NO) the
-# todo list. This list is created by putting \todo commands in the
-# documentation.
+# The GENERATE_TODOLIST tag can be used to enable (YES) or disable (NO) the todo
+# list. This list is created by putting \todo commands in the documentation.
# The default value is: YES.
GENERATE_TODOLIST = YES
-# The GENERATE_TESTLIST tag can be used to enable ( YES) or disable ( NO) the
-# test list. This list is created by putting \test commands in the
-# documentation.
+# The GENERATE_TESTLIST tag can be used to enable (YES) or disable (NO) the test
+# list. This list is created by putting \test commands in the documentation.
# The default value is: YES.
GENERATE_TESTLIST = YES
-# The GENERATE_BUGLIST tag can be used to enable ( YES) or disable ( NO) the bug
+# The GENERATE_BUGLIST tag can be used to enable (YES) or disable (NO) the bug
# list. This list is created by putting \bug commands in the documentation.
# The default value is: YES.
GENERATE_BUGLIST = YES
-# The GENERATE_DEPRECATEDLIST tag can be used to enable ( YES) or disable ( NO)
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or disable (NO)
# the deprecated list. This list is created by putting \deprecated commands in
# the documentation.
# The default value is: YES.
@@ -606,7 +638,7 @@ GENERATE_DEPRECATEDLIST= YES
# sections, marked by \if <section_label> ... \endif and \cond <section_label>
# ... \endcond blocks.
-ENABLED_SECTIONS =
+ENABLED_SECTIONS =
# The MAX_INITIALIZER_LINES tag determines the maximum number of lines that the
# initial value of a variable or macro / define can have for it to appear in the
@@ -620,8 +652,8 @@ ENABLED_SECTIONS =
MAX_INITIALIZER_LINES = 30
# Set the SHOW_USED_FILES tag to NO to disable the list of files generated at
-# the bottom of the documentation of classes and structs. If set to YES the list
-# will mention the files that were used to generate the documentation.
+# the bottom of the documentation of classes and structs. If set to YES, the
+# list will mention the files that were used to generate the documentation.
# The default value is: YES.
SHOW_USED_FILES = YES
@@ -648,7 +680,7 @@ SHOW_NAMESPACES = YES
# by doxygen. Whatever the program writes to standard output is used as the file
# version. For an example see the documentation.
-FILE_VERSION_FILTER =
+FILE_VERSION_FILTER =
# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
# by doxygen. The layout file controls the global structure of the generated
@@ -661,7 +693,7 @@ FILE_VERSION_FILTER =
# DoxygenLayout.xml, doxygen will parse it automatically even if the LAYOUT_FILE
# tag is left empty.
-LAYOUT_FILE =
+LAYOUT_FILE =
# The CITE_BIB_FILES tag can be used to specify one or more bib files containing
# the reference definitions. This must be a list of .bib files. The .bib
@@ -669,10 +701,9 @@ LAYOUT_FILE =
# to be installed. See also http://en.wikipedia.org/wiki/BibTeX for more info.
# For LaTeX the style of the bibliography can be controlled using
# LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the
-# search path. Do not use file names with spaces, bibtex cannot handle them. See
-# also \cite for info how to create references.
+# search path. See also \cite for info how to create references.
-CITE_BIB_FILES =
+CITE_BIB_FILES =
#---------------------------------------------------------------------------
# Configuration options related to warning and progress messages
@@ -686,7 +717,7 @@ CITE_BIB_FILES =
QUIET = NO
# The WARNINGS tag can be used to turn on/off the warning messages that are
-# generated to standard error ( stderr) by doxygen. If WARNINGS is set to YES
+# generated to standard error (stderr) by doxygen. If WARNINGS is set to YES
# this implies that the warnings are on.
#
# Tip: Turn warnings on while writing the documentation.
@@ -694,7 +725,7 @@ QUIET = NO
WARNINGS = YES
-# If the WARN_IF_UNDOCUMENTED tag is set to YES, then doxygen will generate
+# If the WARN_IF_UNDOCUMENTED tag is set to YES then doxygen will generate
# warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag
# will automatically be disabled.
# The default value is: YES.
@@ -711,12 +742,18 @@ WARN_IF_DOC_ERROR = YES
# This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that
# are documented, but have no documentation for their parameters or return
-# value. If set to NO doxygen will only warn about wrong or incomplete parameter
-# documentation, but not about the absence of documentation.
+# value. If set to NO, doxygen will only warn about wrong or incomplete
+# parameter documentation, but not about the absence of documentation.
# The default value is: NO.
WARN_NO_PARAMDOC = NO
+# If the WARN_AS_ERROR tag is set to YES then doxygen will immediately stop when
+# a warning is encountered.
+# The default value is: NO.
+
+WARN_AS_ERROR = NO
+
# The WARN_FORMAT tag determines the format of the warning messages that doxygen
# can produce. The string should contain the $file, $line, and $text tags, which
# will be replaced by the file and line number from which the warning originated
@@ -731,7 +768,7 @@ WARN_FORMAT = "$file:$line: $text"
# messages should be written. If left blank the output is written to standard
# error (stderr).
-WARN_LOGFILE =
+WARN_LOGFILE =
#---------------------------------------------------------------------------
# Configuration options related to the input files
@@ -740,10 +777,10 @@ WARN_LOGFILE =
# The INPUT tag is used to specify the files and/or directories that contain
# documented source files. You may enter file names like myfile.cpp or
# directories like /usr/src/myproject. Separate the files or directories with
-# spaces.
+# spaces. See also FILE_PATTERNS and EXTENSION_MAPPING
# Note: If this tag is empty the current directory is searched.
-INPUT = standalone
+INPUT = ../standalone
# This tag can be used to specify the character encoding of the source files
# that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses
@@ -756,14 +793,19 @@ INPUT_ENCODING = UTF-8
# If the value of the INPUT tag contains directories, you can use the
# FILE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and
-# *.h) to filter out the source-files in the directories. If left blank the
-# following patterns are tested:*.c, *.cc, *.cxx, *.cpp, *.c++, *.java, *.ii,
-# *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h, *.hh, *.hxx, *.hpp,
-# *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc, *.m, *.markdown,
-# *.md, *.mm, *.dox, *.py, *.f90, *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf,
-# *.qsf, *.as and *.js.
+# *.h) to filter out the source-files in the directories.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# read by doxygen.
+#
+# If left blank the following patterns are tested:*.c, *.cc, *.cxx, *.cpp,
+# *.c++, *.java, *.ii, *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h,
+# *.hh, *.hxx, *.hpp, *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc,
+# *.m, *.markdown, *.md, *.mm, *.dox, *.py, *.pyw, *.f90, *.f95, *.f03, *.f08,
+# *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf and *.qsf.
-FILE_PATTERNS =
+FILE_PATTERNS =
# The RECURSIVE tag can be used to specify whether or not subdirectories should
# be searched for input files as well.
@@ -778,7 +820,7 @@ RECURSIVE = YES
# Note that relative paths are relative to the directory from which doxygen is
# run.
-EXCLUDE =
+EXCLUDE =
# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
# directories that are symbolic links (a Unix file system feature) are excluded
@@ -794,7 +836,7 @@ EXCLUDE_SYMLINKS = NO
# Note that the wildcards are matched against the file with absolute path, so to
# exclude all test directories for example use the pattern */test/*
-EXCLUDE_PATTERNS =
+EXCLUDE_PATTERNS =
# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
# (namespaces, classes, functions, etc.) that should be excluded from the
@@ -805,20 +847,20 @@ EXCLUDE_PATTERNS =
# Note that the wildcards are matched against the file with absolute path, so to
# exclude all test directories use the pattern */test/*
-EXCLUDE_SYMBOLS =
+EXCLUDE_SYMBOLS =
# The EXAMPLE_PATH tag can be used to specify one or more files or directories
# that contain example code fragments that are included (see the \include
# command).
-EXAMPLE_PATH =
+EXAMPLE_PATH =
# If the value of the EXAMPLE_PATH tag contains directories, you can use the
# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp and
# *.h) to filter out the source-files in the directories. If left blank all
# files are included.
-EXAMPLE_PATTERNS =
+EXAMPLE_PATTERNS =
# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
# searched for input files to be used with the \include or \dontinclude commands
@@ -831,7 +873,7 @@ EXAMPLE_RECURSIVE = NO
# that contain images that are to be included in the documentation (see the
# \image command).
-IMAGE_PATH =
+IMAGE_PATH =
# The INPUT_FILTER tag can be used to specify a program that doxygen should
# invoke to filter for each input file. Doxygen will invoke the filter program
@@ -847,8 +889,12 @@ IMAGE_PATH =
# Note that the filter must not add or remove lines; it is applied before the
# code is scanned, but not when the output code is generated. If lines are added
# or removed, the anchors will not be placed correctly.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
-INPUT_FILTER =
+INPUT_FILTER =
# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
# basis. Doxygen will compare the file name with each pattern and apply the
@@ -856,11 +902,15 @@ INPUT_FILTER =
# (like *.cpp=my_cpp_filter). See INPUT_FILTER for further information on how
# filters are used. If the FILTER_PATTERNS tag is empty or if none of the
# patterns match the file name, INPUT_FILTER is applied.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
-FILTER_PATTERNS =
+FILTER_PATTERNS =
# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
-# INPUT_FILTER ) will also be used to filter the input files that are used for
+# INPUT_FILTER) will also be used to filter the input files that are used for
# producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES).
# The default value is: NO.
@@ -872,14 +922,14 @@ FILTER_SOURCE_FILES = NO
# *.ext= (so without naming a filter).
# This tag requires that the tag FILTER_SOURCE_FILES is set to YES.
-FILTER_SOURCE_PATTERNS =
+FILTER_SOURCE_PATTERNS =
# If the USE_MDFILE_AS_MAINPAGE tag refers to the name of a markdown file that
# is part of the input, its contents will be placed on the main page
# (index.html). This can be useful if you have a project on for instance GitHub
# and want to reuse the introduction page also for the doxygen output.
-USE_MDFILE_AS_MAINPAGE =
+USE_MDFILE_AS_MAINPAGE =
#---------------------------------------------------------------------------
# Configuration options related to source browsing
@@ -920,7 +970,7 @@ REFERENCED_BY_RELATION = NO
REFERENCES_RELATION = NO
# If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set
-# to YES, then the hyperlinks from functions in REFERENCES_RELATION and
+# to YES then the hyperlinks from functions in REFERENCES_RELATION and
# REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will
# link to the documentation.
# The default value is: YES.
@@ -991,13 +1041,13 @@ COLS_IN_ALPHA_INDEX = 5
# while generating the index headers.
# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
-IGNORE_PREFIX =
+IGNORE_PREFIX =
#---------------------------------------------------------------------------
# Configuration options related to the HTML output
#---------------------------------------------------------------------------
-# If the GENERATE_HTML tag is set to YES doxygen will generate HTML output
+# If the GENERATE_HTML tag is set to YES, doxygen will generate HTML output
# The default value is: YES.
GENERATE_HTML = YES
@@ -1035,7 +1085,7 @@ HTML_FILE_EXTENSION = .html
# of the possible markers and block names see the documentation.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_HEADER =
+HTML_HEADER =
# The HTML_FOOTER tag can be used to specify a user-defined HTML footer for each
# generated HTML page. If the tag is left blank doxygen will generate a standard
@@ -1045,7 +1095,7 @@ HTML_HEADER =
# that doxygen normally uses.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_FOOTER =
+HTML_FOOTER =
# The HTML_STYLESHEET tag can be used to specify a user-defined cascading style
# sheet that is used by each HTML page. It can be used to fine-tune the look of
@@ -1057,18 +1107,20 @@ HTML_FOOTER =
# obsolete.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_STYLESHEET =
+HTML_STYLESHEET =
-# The HTML_EXTRA_STYLESHEET tag can be used to specify an additional user-
-# defined cascading style sheet that is included after the standard style sheets
+# The HTML_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# cascading style sheets that are included after the standard style sheets
# created by doxygen. Using this option one can overrule certain style aspects.
# This is preferred over using HTML_STYLESHEET since it does not replace the
-# standard style sheet and is therefor more robust against future updates.
-# Doxygen will copy the style sheet file to the output directory. For an example
-# see the documentation.
+# standard style sheet and is therefore more robust against future updates.
+# Doxygen will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list). For an example see the documentation.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_EXTRA_STYLESHEET =
+HTML_EXTRA_STYLESHEET =
# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or
# other source files which should be copied to the HTML output directory. Note
@@ -1078,10 +1130,10 @@ HTML_EXTRA_STYLESHEET =
# files will be copied as-is; there are no commands or markers available.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_EXTRA_FILES =
+HTML_EXTRA_FILES =
# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen
-# will adjust the colors in the stylesheet and background images according to
+# will adjust the colors in the style sheet and background images according to
# this color. Hue is specified as an angle on a colorwheel, see
# http://en.wikipedia.org/wiki/Hue for more information. For instance the value
# 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300
@@ -1112,8 +1164,9 @@ HTML_COLORSTYLE_GAMMA = 80
# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
# page will contain the date and time when the page was generated. Setting this
-# to NO can help when comparing the output of multiple runs.
-# The default value is: YES.
+# to YES can help to show when doxygen was last run and thus if the
+# documentation is up to date.
+# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_TIMESTAMP = YES
@@ -1206,31 +1259,32 @@ GENERATE_HTMLHELP = NO
# written to the html output directory.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
-CHM_FILE =
+CHM_FILE =
# The HHC_LOCATION tag can be used to specify the location (absolute path
-# including file name) of the HTML help compiler ( hhc.exe). If non-empty
+# including file name) of the HTML help compiler (hhc.exe). If non-empty,
# doxygen will try to run the HTML help compiler on the generated index.hhp.
# The file has to be specified with full path.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
-HHC_LOCATION =
+HHC_LOCATION =
-# The GENERATE_CHI flag controls if a separate .chi index file is generated (
-# YES) or that it should be included in the master .chm file ( NO).
+# The GENERATE_CHI flag controls if a separate .chi index file is generated
+# (YES) or that it should be included in the master .chm file (NO).
# The default value is: NO.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
GENERATE_CHI = NO
-# The CHM_INDEX_ENCODING is used to encode HtmlHelp index ( hhk), content ( hhc)
+# The CHM_INDEX_ENCODING is used to encode HtmlHelp index (hhk), content (hhc)
# and project file content.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
-CHM_INDEX_ENCODING =
+CHM_INDEX_ENCODING =
-# The BINARY_TOC flag controls whether a binary table of contents is generated (
-# YES) or a normal table of contents ( NO) in the .chm file.
+# The BINARY_TOC flag controls whether a binary table of contents is generated
+# (YES) or a normal table of contents (NO) in the .chm file. Furthermore it
+# enables the Previous and Next buttons.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
@@ -1257,7 +1311,7 @@ GENERATE_QHP = NO
# the HTML output folder.
# This tag requires that the tag GENERATE_QHP is set to YES.
-QCH_FILE =
+QCH_FILE =
# The QHP_NAMESPACE tag specifies the namespace to use when generating Qt Help
# Project output. For more information please see Qt Help Project / Namespace
@@ -1282,7 +1336,7 @@ QHP_VIRTUAL_FOLDER = doc
# filters).
# This tag requires that the tag GENERATE_QHP is set to YES.
-QHP_CUST_FILTER_NAME =
+QHP_CUST_FILTER_NAME =
# The QHP_CUST_FILTER_ATTRS tag specifies the list of the attributes of the
# custom filter to add. For more information please see Qt Help Project / Custom
@@ -1290,21 +1344,21 @@ QHP_CUST_FILTER_NAME =
# filters).
# This tag requires that the tag GENERATE_QHP is set to YES.
-QHP_CUST_FILTER_ATTRS =
+QHP_CUST_FILTER_ATTRS =
# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
# project's filter section matches. Qt Help Project / Filter Attributes (see:
# http://qt-project.org/doc/qt-4.8/qthelpproject.html#filter-attributes).
# This tag requires that the tag GENERATE_QHP is set to YES.
-QHP_SECT_FILTER_ATTRS =
+QHP_SECT_FILTER_ATTRS =
# The QHG_LOCATION tag can be used to specify the location of Qt's
# qhelpgenerator. If non-empty doxygen will try to run qhelpgenerator on the
# generated .qhp file.
# This tag requires that the tag GENERATE_QHP is set to YES.
-QHG_LOCATION =
+QHG_LOCATION =
# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files will be
# generated, together with the HTML files, they form an Eclipse help plugin. To
@@ -1343,7 +1397,7 @@ DISABLE_INDEX = NO
# index structure (just like the one that is generated for HTML Help). For this
# to work a browser that supports JavaScript, DHTML, CSS and frames is required
# (i.e. any modern browser). Windows users are probably better off using the
-# HTML help feature. Via custom stylesheets (see HTML_EXTRA_STYLESHEET) one can
+# HTML help feature. Via custom style sheets (see HTML_EXTRA_STYLESHEET) one can
# further fine-tune the look of the index. As an example, the default style
# sheet generated by doxygen has an example that shows how to put an image at
# the root of the tree instead of the PROJECT_NAME. Since the tree basically has
@@ -1371,7 +1425,7 @@ ENUM_VALUES_PER_LINE = 4
TREEVIEW_WIDTH = 250
-# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open links to
+# If the EXT_LINKS_IN_WINDOW option is set to YES, doxygen will open links to
# external symbols imported via tag files in a separate window.
# The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES.
@@ -1400,7 +1454,7 @@ FORMULA_TRANSPARENT = YES
# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see
# http://www.mathjax.org) which uses client side Javascript for the rendering
-# instead of using prerendered bitmaps. Use this if you do not have LaTeX
+# instead of using pre-rendered bitmaps. Use this if you do not have LaTeX
# installed or if you want to formulas look prettier in the HTML output. When
# enabled you may also need to install MathJax separately and configure the path
# to it using the MATHJAX_RELPATH option.
@@ -1437,7 +1491,7 @@ MATHJAX_RELPATH = http://cdn.mathjax.org/mathjax/latest
# MATHJAX_EXTENSIONS = TeX/AMSmath TeX/AMSsymbols
# This tag requires that the tag USE_MATHJAX is set to YES.
-MATHJAX_EXTENSIONS =
+MATHJAX_EXTENSIONS =
# The MATHJAX_CODEFILE tag can be used to specify a file with javascript pieces
# of code that will be used on startup of the MathJax code. See the MathJax site
@@ -1445,7 +1499,7 @@ MATHJAX_EXTENSIONS =
# example see the documentation.
# This tag requires that the tag USE_MATHJAX is set to YES.
-MATHJAX_CODEFILE =
+MATHJAX_CODEFILE =
# When the SEARCHENGINE tag is enabled doxygen will generate a search box for
# the HTML output. The underlying search engine uses javascript and DHTML and
@@ -1470,11 +1524,11 @@ SEARCHENGINE = YES
# When the SERVER_BASED_SEARCH tag is enabled the search engine will be
# implemented using a web server instead of a web client using Javascript. There
-# are two flavours of web server based searching depending on the
-# EXTERNAL_SEARCH setting. When disabled, doxygen will generate a PHP script for
-# searching and an index file used by the script. When EXTERNAL_SEARCH is
-# enabled the indexing and searching needs to be provided by external tools. See
-# the section "External Indexing and Searching" for details.
+# are two flavors of web server based searching depending on the EXTERNAL_SEARCH
+# setting. When disabled, doxygen will generate a PHP script for searching and
+# an index file used by the script. When EXTERNAL_SEARCH is enabled the indexing
+# and searching needs to be provided by external tools. See the section
+# "External Indexing and Searching" for details.
# The default value is: NO.
# This tag requires that the tag SEARCHENGINE is set to YES.
@@ -1486,7 +1540,7 @@ SERVER_BASED_SEARCH = NO
# external search engine pointed to by the SEARCHENGINE_URL option to obtain the
# search results.
#
-# Doxygen ships with an example indexer ( doxyindexer) and search engine
+# Doxygen ships with an example indexer (doxyindexer) and search engine
# (doxysearch.cgi) which are based on the open source search engine library
# Xapian (see: http://xapian.org/).
#
@@ -1499,13 +1553,13 @@ EXTERNAL_SEARCH = NO
# The SEARCHENGINE_URL should point to a search engine hosted by a web server
# which will return the search results when EXTERNAL_SEARCH is enabled.
#
-# Doxygen ships with an example indexer ( doxyindexer) and search engine
+# Doxygen ships with an example indexer (doxyindexer) and search engine
# (doxysearch.cgi) which are based on the open source search engine library
# Xapian (see: http://xapian.org/). See the section "External Indexing and
# Searching" for details.
# This tag requires that the tag SEARCHENGINE is set to YES.
-SEARCHENGINE_URL =
+SEARCHENGINE_URL =
# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the unindexed
# search data is written to a file for indexing by an external tool. With the
@@ -1521,7 +1575,7 @@ SEARCHDATA_FILE = searchdata.xml
# projects and redirect the results back to the right project.
# This tag requires that the tag SEARCHENGINE is set to YES.
-EXTERNAL_SEARCH_ID =
+EXTERNAL_SEARCH_ID =
# The EXTRA_SEARCH_MAPPINGS tag can be used to enable searching through doxygen
# projects other than the one defined by this configuration file, but that are
@@ -1531,13 +1585,13 @@ EXTERNAL_SEARCH_ID =
# EXTRA_SEARCH_MAPPINGS = tagname1=loc1 tagname2=loc2 ...
# This tag requires that the tag SEARCHENGINE is set to YES.
-EXTRA_SEARCH_MAPPINGS =
+EXTRA_SEARCH_MAPPINGS =
#---------------------------------------------------------------------------
# Configuration options related to the LaTeX output
#---------------------------------------------------------------------------
-# If the GENERATE_LATEX tag is set to YES doxygen will generate LaTeX output.
+# If the GENERATE_LATEX tag is set to YES, doxygen will generate LaTeX output.
# The default value is: YES.
GENERATE_LATEX = YES
@@ -1568,7 +1622,7 @@ LATEX_CMD_NAME = latex
MAKEINDEX_CMD_NAME = makeindex
-# If the COMPACT_LATEX tag is set to YES doxygen generates more compact LaTeX
+# If the COMPACT_LATEX tag is set to YES, doxygen generates more compact LaTeX
# documents. This may be useful for small projects and may help to save some
# trees in general.
# The default value is: NO.
@@ -1586,13 +1640,16 @@ COMPACT_LATEX = NO
PAPER_TYPE = a4
# The EXTRA_PACKAGES tag can be used to specify one or more LaTeX package names
-# that should be included in the LaTeX output. To get the times font for
-# instance you can specify
-# EXTRA_PACKAGES=times
+# that should be included in the LaTeX output. The package can be specified just
+# by its name or with the correct syntax as to be used with the LaTeX
+# \usepackage command. To get the times font for instance you can specify :
+# EXTRA_PACKAGES=times or EXTRA_PACKAGES={times}
+# To use the option intlimits with the amsmath package you can specify:
+# EXTRA_PACKAGES=[intlimits]{amsmath}
# If left blank no extra packages will be included.
# This tag requires that the tag GENERATE_LATEX is set to YES.
-EXTRA_PACKAGES =
+EXTRA_PACKAGES =
# The LATEX_HEADER tag can be used to specify a personal LaTeX header for the
# generated LaTeX document. The header should contain everything until the first
@@ -1602,22 +1659,35 @@ EXTRA_PACKAGES =
#
# Note: Only use a user-defined header if you know what you are doing! The
# following commands have a special meaning inside the header: $title,
-# $datetime, $date, $doxygenversion, $projectname, $projectnumber. Doxygen will
-# replace them by respectively the title of the page, the current date and time,
-# only the current date, the version number of doxygen, the project name (see
-# PROJECT_NAME), or the project number (see PROJECT_NUMBER).
+# $datetime, $date, $doxygenversion, $projectname, $projectnumber,
+# $projectbrief, $projectlogo. Doxygen will replace $title with the empty
+# string, for the replacement values of the other commands the user is referred
+# to HTML_HEADER.
# This tag requires that the tag GENERATE_LATEX is set to YES.
-LATEX_HEADER =
+LATEX_HEADER =
# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for the
# generated LaTeX document. The footer should contain everything after the last
-# chapter. If it is left blank doxygen will generate a standard footer.
+# chapter. If it is left blank doxygen will generate a standard footer. See
+# LATEX_HEADER for more information on how to generate a default footer and what
+# special commands can be used inside the footer.
#
# Note: Only use a user-defined footer if you know what you are doing!
# This tag requires that the tag GENERATE_LATEX is set to YES.
-LATEX_FOOTER =
+LATEX_FOOTER =
+
+# The LATEX_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# LaTeX style sheets that are included after the standard style sheets created
+# by doxygen. Using this option one can overrule certain style aspects. Doxygen
+# will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list).
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_EXTRA_STYLESHEET =
# The LATEX_EXTRA_FILES tag can be used to specify one or more extra images or
# other source files which should be copied to the LATEX_OUTPUT output
@@ -1625,7 +1695,7 @@ LATEX_FOOTER =
# markers available.
# This tag requires that the tag GENERATE_LATEX is set to YES.
-LATEX_EXTRA_FILES =
+LATEX_EXTRA_FILES =
# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated is
# prepared for conversion to PDF (using ps2pdf or pdflatex). The PDF file will
@@ -1636,8 +1706,8 @@ LATEX_EXTRA_FILES =
PDF_HYPERLINKS = YES
-# If the LATEX_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
-# the PDF file directly from the LaTeX files. Set this option to YES to get a
+# If the USE_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
+# the PDF file directly from the LaTeX files. Set this option to YES, to get a
# higher quality PDF documentation.
# The default value is: YES.
# This tag requires that the tag GENERATE_LATEX is set to YES.
@@ -1678,11 +1748,19 @@ LATEX_SOURCE_CODE = NO
LATEX_BIB_STYLE = plain
+# If the LATEX_TIMESTAMP tag is set to YES then the footer of each generated
+# page will contain the date and time when the page was generated. Setting this
+# to NO can help when comparing the output of multiple runs.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_TIMESTAMP = NO
+
#---------------------------------------------------------------------------
# Configuration options related to the RTF output
#---------------------------------------------------------------------------
-# If the GENERATE_RTF tag is set to YES doxygen will generate RTF output. The
+# If the GENERATE_RTF tag is set to YES, doxygen will generate RTF output. The
# RTF output is optimized for Word 97 and may not look too pretty with other RTF
# readers/editors.
# The default value is: NO.
@@ -1697,7 +1775,7 @@ GENERATE_RTF = NO
RTF_OUTPUT = rtf
-# If the COMPACT_RTF tag is set to YES doxygen generates more compact RTF
+# If the COMPACT_RTF tag is set to YES, doxygen generates more compact RTF
# documents. This may be useful for small projects and may help to save some
# trees in general.
# The default value is: NO.
@@ -1725,20 +1803,30 @@ RTF_HYPERLINKS = NO
# default style sheet that doxygen normally uses.
# This tag requires that the tag GENERATE_RTF is set to YES.
-RTF_STYLESHEET_FILE =
+RTF_STYLESHEET_FILE =
# Set optional variables used in the generation of an RTF document. Syntax is
# similar to doxygen's config file. A template extensions file can be generated
# using doxygen -e rtf extensionFile.
# This tag requires that the tag GENERATE_RTF is set to YES.
-RTF_EXTENSIONS_FILE =
+RTF_EXTENSIONS_FILE =
+
+# If the RTF_SOURCE_CODE tag is set to YES then doxygen will include source code
+# with syntax highlighting in the RTF output.
+#
+# Note that which sources are shown also depends on other settings such as
+# SOURCE_BROWSER.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_SOURCE_CODE = NO
#---------------------------------------------------------------------------
# Configuration options related to the man page output
#---------------------------------------------------------------------------
-# If the GENERATE_MAN tag is set to YES doxygen will generate man pages for
+# If the GENERATE_MAN tag is set to YES, doxygen will generate man pages for
# classes and files.
# The default value is: NO.
@@ -1762,6 +1850,13 @@ MAN_OUTPUT = man
MAN_EXTENSION = .3
+# The MAN_SUBDIR tag determines the name of the directory created within
+# MAN_OUTPUT in which the man pages are placed. If defaults to man followed by
+# MAN_EXTENSION with the initial . removed.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_SUBDIR =
+
# If the MAN_LINKS tag is set to YES and doxygen generates man output, then it
# will generate one additional man file for each entity documented in the real
# man page(s). These additional files only source the real man page, but without
@@ -1775,7 +1870,7 @@ MAN_LINKS = NO
# Configuration options related to the XML output
#---------------------------------------------------------------------------
-# If the GENERATE_XML tag is set to YES doxygen will generate an XML file that
+# If the GENERATE_XML tag is set to YES, doxygen will generate an XML file that
# captures the structure of the code including all documentation.
# The default value is: NO.
@@ -1789,19 +1884,7 @@ GENERATE_XML = NO
XML_OUTPUT = xml
-# The XML_SCHEMA tag can be used to specify a XML schema, which can be used by a
-# validating XML parser to check the syntax of the XML files.
-# This tag requires that the tag GENERATE_XML is set to YES.
-
-XML_SCHEMA =
-
-# The XML_DTD tag can be used to specify a XML DTD, which can be used by a
-# validating XML parser to check the syntax of the XML files.
-# This tag requires that the tag GENERATE_XML is set to YES.
-
-XML_DTD =
-
-# If the XML_PROGRAMLISTING tag is set to YES doxygen will dump the program
+# If the XML_PROGRAMLISTING tag is set to YES, doxygen will dump the program
# listings (including syntax highlighting and cross-referencing information) to
# the XML output. Note that enabling this will significantly increase the size
# of the XML output.
@@ -1814,7 +1897,7 @@ XML_PROGRAMLISTING = YES
# Configuration options related to the DOCBOOK output
#---------------------------------------------------------------------------
-# If the GENERATE_DOCBOOK tag is set to YES doxygen will generate Docbook files
+# If the GENERATE_DOCBOOK tag is set to YES, doxygen will generate Docbook files
# that can be used to generate PDF.
# The default value is: NO.
@@ -1828,14 +1911,23 @@ GENERATE_DOCBOOK = NO
DOCBOOK_OUTPUT = docbook
+# If the DOCBOOK_PROGRAMLISTING tag is set to YES, doxygen will include the
+# program listings (including syntax highlighting and cross-referencing
+# information) to the DOCBOOK output. Note that enabling this will significantly
+# increase the size of the DOCBOOK output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_DOCBOOK is set to YES.
+
+DOCBOOK_PROGRAMLISTING = NO
+
#---------------------------------------------------------------------------
# Configuration options for the AutoGen Definitions output
#---------------------------------------------------------------------------
-# If the GENERATE_AUTOGEN_DEF tag is set to YES doxygen will generate an AutoGen
-# Definitions (see http://autogen.sf.net) file that captures the structure of
-# the code including all documentation. Note that this feature is still
-# experimental and incomplete at the moment.
+# If the GENERATE_AUTOGEN_DEF tag is set to YES, doxygen will generate an
+# AutoGen Definitions (see http://autogen.sf.net) file that captures the
+# structure of the code including all documentation. Note that this feature is
+# still experimental and incomplete at the moment.
# The default value is: NO.
GENERATE_AUTOGEN_DEF = NO
@@ -1844,7 +1936,7 @@ GENERATE_AUTOGEN_DEF = NO
# Configuration options related to the Perl module output
#---------------------------------------------------------------------------
-# If the GENERATE_PERLMOD tag is set to YES doxygen will generate a Perl module
+# If the GENERATE_PERLMOD tag is set to YES, doxygen will generate a Perl module
# file that captures the structure of the code including all documentation.
#
# Note that this feature is still experimental and incomplete at the moment.
@@ -1852,7 +1944,7 @@ GENERATE_AUTOGEN_DEF = NO
GENERATE_PERLMOD = NO
-# If the PERLMOD_LATEX tag is set to YES doxygen will generate the necessary
+# If the PERLMOD_LATEX tag is set to YES, doxygen will generate the necessary
# Makefile rules, Perl scripts and LaTeX code to be able to generate PDF and DVI
# output from the Perl module output.
# The default value is: NO.
@@ -1860,9 +1952,9 @@ GENERATE_PERLMOD = NO
PERLMOD_LATEX = NO
-# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be nicely
+# If the PERLMOD_PRETTY tag is set to YES, the Perl module output will be nicely
# formatted so it can be parsed by a human reader. This is useful if you want to
-# understand what is going on. On the other hand, if this tag is set to NO the
+# understand what is going on. On the other hand, if this tag is set to NO, the
# size of the Perl module output will be much smaller and Perl will parse it
# just the same.
# The default value is: YES.
@@ -1876,20 +1968,20 @@ PERLMOD_PRETTY = YES
# overwrite each other's variables.
# This tag requires that the tag GENERATE_PERLMOD is set to YES.
-PERLMOD_MAKEVAR_PREFIX =
+PERLMOD_MAKEVAR_PREFIX =
#---------------------------------------------------------------------------
# Configuration options related to the preprocessor
#---------------------------------------------------------------------------
-# If the ENABLE_PREPROCESSING tag is set to YES doxygen will evaluate all
+# If the ENABLE_PREPROCESSING tag is set to YES, doxygen will evaluate all
# C-preprocessor directives found in the sources and include files.
# The default value is: YES.
ENABLE_PREPROCESSING = YES
-# If the MACRO_EXPANSION tag is set to YES doxygen will expand all macro names
-# in the source code. If set to NO only conditional compilation will be
+# If the MACRO_EXPANSION tag is set to YES, doxygen will expand all macro names
+# in the source code. If set to NO, only conditional compilation will be
# performed. Macro expansion can be done in a controlled way by setting
# EXPAND_ONLY_PREDEF to YES.
# The default value is: NO.
@@ -1905,7 +1997,7 @@ MACRO_EXPANSION = NO
EXPAND_ONLY_PREDEF = NO
-# If the SEARCH_INCLUDES tag is set to YES the includes files in the
+# If the SEARCH_INCLUDES tag is set to YES, the include files in the
# INCLUDE_PATH will be searched if a #include is found.
# The default value is: YES.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
@@ -1917,7 +2009,7 @@ SEARCH_INCLUDES = YES
# preprocessor.
# This tag requires that the tag SEARCH_INCLUDES is set to YES.
-INCLUDE_PATH = "apache2"
+INCLUDE_PATH = "../apache2"
# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
# patterns (like *.h and *.hpp) to filter out the header-files in the
@@ -1925,7 +2017,7 @@ INCLUDE_PATH = "apache2"
# used.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
-INCLUDE_FILE_PATTERNS =
+INCLUDE_FILE_PATTERNS =
# The PREDEFINED tag can be used to specify one or more macro names that are
# defined before the preprocessor is started (similar to the -D option of e.g.
@@ -1935,7 +2027,7 @@ INCLUDE_FILE_PATTERNS =
# recursively expanded use the := operator instead of the = operator.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
-PREDEFINED =
+PREDEFINED =
# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
# tag can be used to specify a list of macro names that should be expanded. The
@@ -1944,12 +2036,12 @@ PREDEFINED =
# definition found in the source code.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
-EXPAND_AS_DEFINED =
+EXPAND_AS_DEFINED =
# If the SKIP_FUNCTION_MACROS tag is set to YES then doxygen's preprocessor will
-# remove all refrences to function-like macros that are alone on a line, have an
-# all uppercase name, and do not end with a semicolon. Such function macros are
-# typically used for boiler-plate code, and will confuse the parser if not
+# remove all references to function-like macros that are alone on a line, have
+# an all uppercase name, and do not end with a semicolon. Such function macros
+# are typically used for boiler-plate code, and will confuse the parser if not
# removed.
# The default value is: YES.
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
@@ -1969,32 +2061,33 @@ SKIP_FUNCTION_MACROS = YES
# where loc1 and loc2 can be relative or absolute paths or URLs. See the
# section "Linking to external documentation" for more information about the use
# of tag files.
-# Note: Each tag file must have an unique name (where the name does NOT include
+# Note: Each tag file must have a unique name (where the name does NOT include
# the path). If a tag file is not located in the directory in which doxygen is
# run, you must also specify the path to the tagfile here.
-TAGFILES =
+TAGFILES =
# When a file name is specified after GENERATE_TAGFILE, doxygen will create a
# tag file that is based on the input files it reads. See section "Linking to
# external documentation" for more information about the usage of tag files.
-GENERATE_TAGFILE =
+GENERATE_TAGFILE =
-# If the ALLEXTERNALS tag is set to YES all external class will be listed in the
-# class index. If set to NO only the inherited external classes will be listed.
+# If the ALLEXTERNALS tag is set to YES, all external class will be listed in
+# the class index. If set to NO, only the inherited external classes will be
+# listed.
# The default value is: NO.
ALLEXTERNALS = NO
-# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed in
-# the modules index. If set to NO, only the current project's groups will be
+# If the EXTERNAL_GROUPS tag is set to YES, all external groups will be listed
+# in the modules index. If set to NO, only the current project's groups will be
# listed.
# The default value is: YES.
EXTERNAL_GROUPS = YES
-# If the EXTERNAL_PAGES tag is set to YES all external pages will be listed in
+# If the EXTERNAL_PAGES tag is set to YES, all external pages will be listed in
# the related pages index. If set to NO, only the current project's pages will
# be listed.
# The default value is: YES.
@@ -2011,7 +2104,7 @@ PERL_PATH = /usr/bin/perl
# Configuration options related to the dot tool
#---------------------------------------------------------------------------
-# If the CLASS_DIAGRAMS tag is set to YES doxygen will generate a class diagram
+# If the CLASS_DIAGRAMS tag is set to YES, doxygen will generate a class diagram
# (in HTML and LaTeX) for classes with base or super classes. Setting the tag to
# NO turns the diagrams off. Note that this option also works with HAVE_DOT
# disabled, but it is recommended to install and use dot, since it yields more
@@ -2027,16 +2120,16 @@ CLASS_DIAGRAMS = YES
# the mscgen tool resides. If left empty the tool is assumed to be found in the
# default search path.
-MSCGEN_PATH =
+MSCGEN_PATH =
# You can include diagrams made with dia in doxygen documentation. Doxygen will
# then run dia to produce the diagram and insert it in the documentation. The
# DIA_PATH tag allows you to specify the directory where the dia binary resides.
# If left empty dia is assumed to be found in the default search path.
-DIA_PATH =
+DIA_PATH =
-# If set to YES, the inheritance and collaboration graphs will hide inheritance
+# If set to YES the inheritance and collaboration graphs will hide inheritance
# and usage relations if the target is undocumented or is not a class.
# The default value is: YES.
@@ -2049,7 +2142,7 @@ HIDE_UNDOC_RELATIONS = YES
# set to NO
# The default value is: NO.
-HAVE_DOT = YES
+HAVE_DOT = NO
# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is allowed
# to run in parallel. When set to 0 doxygen will base this on the number of
@@ -2061,7 +2154,7 @@ HAVE_DOT = YES
DOT_NUM_THREADS = 0
-# When you want a differently looking font n the dot files that doxygen
+# When you want a differently looking font in the dot files that doxygen
# generates you can specify the font name using DOT_FONTNAME. You need to make
# sure dot is able to find the font, which can be done by putting it in a
# standard location or by setting the DOTFONTPATH environment variable or by
@@ -2083,7 +2176,7 @@ DOT_FONTSIZE = 10
# the path where dot can find it using this tag.
# This tag requires that the tag HAVE_DOT is set to YES.
-DOT_FONTPATH =
+DOT_FONTPATH =
# If the CLASS_GRAPH tag is set to YES then doxygen will generate a graph for
# each documented class showing the direct and indirect inheritance relations.
@@ -2109,7 +2202,7 @@ COLLABORATION_GRAPH = YES
GROUP_GRAPHS = YES
-# If the UML_LOOK tag is set to YES doxygen will generate inheritance and
+# If the UML_LOOK tag is set to YES, doxygen will generate inheritance and
# collaboration diagrams in a style similar to the OMG's Unified Modeling
# Language.
# The default value is: NO.
@@ -2161,7 +2254,8 @@ INCLUDED_BY_GRAPH = YES
#
# Note that enabling this option will significantly increase the time of a run.
# So in most cases it will be better to enable call graphs for selected
-# functions only using the \callgraph command.
+# functions only using the \callgraph command. Disabling a call graph can be
+# accomplished by means of the command \hidecallgraph.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
@@ -2172,7 +2266,8 @@ CALL_GRAPH = YES
#
# Note that enabling this option will significantly increase the time of a run.
# So in most cases it will be better to enable caller graphs for selected
-# functions only using the \callergraph command.
+# functions only using the \callergraph command. Disabling a caller graph can be
+# accomplished by means of the command \hidecallergraph.
# The default value is: NO.
# This tag requires that the tag HAVE_DOT is set to YES.
@@ -2195,11 +2290,15 @@ GRAPHICAL_HIERARCHY = YES
DIRECTORY_GRAPH = YES
# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
-# generated by dot.
+# generated by dot. For an explanation of the image formats see the section
+# output formats in the documentation of the dot tool (Graphviz (see:
+# http://www.graphviz.org/)).
# Note: If you choose svg you need to set HTML_FILE_EXTENSION to xhtml in order
# to make the SVG files visible in IE 9+ (other browsers do not have this
# requirement).
-# Possible values are: png, jpg, gif and svg.
+# Possible values are: png, jpg, gif, svg, png:gd, png:gd:gd, png:cairo,
+# png:cairo:gd, png:cairo:cairo, png:cairo:gdiplus, png:gdiplus and
+# png:gdiplus:gdiplus.
# The default value is: png.
# This tag requires that the tag HAVE_DOT is set to YES.
@@ -2221,26 +2320,44 @@ INTERACTIVE_SVG = YES
# found. If left blank, it is assumed the dot tool can be found in the path.
# This tag requires that the tag HAVE_DOT is set to YES.
-DOT_PATH =
+DOT_PATH =
# The DOTFILE_DIRS tag can be used to specify one or more directories that
# contain dot files that are included in the documentation (see the \dotfile
# command).
# This tag requires that the tag HAVE_DOT is set to YES.
-DOTFILE_DIRS =
+DOTFILE_DIRS =
# The MSCFILE_DIRS tag can be used to specify one or more directories that
# contain msc files that are included in the documentation (see the \mscfile
# command).
-MSCFILE_DIRS =
+MSCFILE_DIRS =
# The DIAFILE_DIRS tag can be used to specify one or more directories that
# contain dia files that are included in the documentation (see the \diafile
# command).
-DIAFILE_DIRS =
+DIAFILE_DIRS =
+
+# When using plantuml, the PLANTUML_JAR_PATH tag should be used to specify the
+# path where java can find the plantuml.jar file. If left blank, it is assumed
+# PlantUML is not used or called during a preprocessing step. Doxygen will
+# generate a warning when it encounters a \startuml command in this case and
+# will not generate output for the diagram.
+
+PLANTUML_JAR_PATH =
+
+# When using plantuml, the PLANTUML_CFG_FILE tag can be used to specify a
+# configuration file for plantuml.
+
+PLANTUML_CFG_FILE =
+
+# When using plantuml, the specified paths are searched for files specified by
+# the !include statement in a plantuml block.
+
+PLANTUML_INCLUDE_PATH =
# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of nodes
# that will be shown in the graph. If the number of nodes in a graph becomes
@@ -2278,7 +2395,7 @@ MAX_DOT_GRAPH_DEPTH = 0
DOT_TRANSPARENT = NO
-# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output
+# Set the DOT_MULTI_TARGETS tag to YES to allow dot to generate multiple output
# files in one run (i.e. multiple -o and -T options on the command line). This
# makes dot run faster, but since only newer versions of dot (>1.8.10) support
# this, this feature is disabled by default.
@@ -2295,7 +2412,7 @@ DOT_MULTI_TARGETS = YES
GENERATE_LEGEND = YES
-# If the DOT_CLEANUP tag is set to YES doxygen will remove the intermediate dot
+# If the DOT_CLEANUP tag is set to YES, doxygen will remove the intermediate dot
# files that are used to generate the various graphs.
# The default value is: YES.
# This tag requires that the tag HAVE_DOT is set to YES.
diff --git a/iis/Makefile.win b/iis/Makefile.win
index 8c2cdbd7ee..d07f795ad9 100644
--- a/iis/Makefile.win
+++ b/iis/Makefile.win
@@ -10,12 +10,12 @@
LIBS = $(APACHE)\lib\libapr-1.lib \
$(APACHE)\lib\libaprutil-1.lib \
$(PCRE)\pcre.lib \
- $(CURL)\libcurl.lib \
+ $(CURL)\libcurl.lib \
$(LIBXML2)\win32\bin.msvc\libxml2.lib \
"kernel32.lib" "user32.lib" "gdi32.lib" "winspool.lib" "comdlg32.lib" "advapi32.lib" "shell32.lib" "ole32.lib" \
"oleaut32.lib" "uuid.lib" "odbc32.lib" "odbccp32.lib" "ws2_32.lib" \
"iphlpapi.lib"
-# $(SSDEEP)\fuzzy.lib \
+# $(SSDEEP)\fuzzy.lib \
###########################################################################
###########################################################################
@@ -24,12 +24,12 @@ LINK = link.exe
MT = mt
-DEFS = /nologo /O2 /LD /W3 /wd4244 /wd4018 -DWITH_YAJL -DWIN32 -DWINNT -Dinline=APR_INLINE -DAP_DECLARE_STATIC -D_MBCS -D$(VERSION)
+DEFS = /nologo /O2 /LD /W3 /wd4244 /wd4018 -DWITH_YAJL -DWIN32 -DWINNT -Dinline=APR_INLINE -DAP_DECLARE_STATIC -D_MBCS -D$(VERSION)
DLL = ModSecurityIIS.dll
INCLUDES = -I. -I.. \
- -I$(YAJL)\.. \
+ -I$(YAJL)\.. \
-I$(PCRE)\include -I$(PCRE) \
-I$(LIBXML2)\include \
-I$(CURL)\include -I$(CURL) \
@@ -37,10 +37,10 @@ INCLUDES = -I. -I.. \
-I..\apache2 \
-I..\standalone
-# Enables support for SecRemoteRules and external resources.
-DEFS=$(DEFS) -DWITH_CURL -DWITH_REMOTE_RULES
-
-# -I$(SSDEEP) \
+# Enables support for SecRemoteRules, external resources and enable optimization for large stream input by default on IIS.
+DEFS=$(DEFS) -DWITH_CURL -DWITH_REMOTE_RULES -DMSC_LARGE_STREAM_INPUT
+
+# -I$(SSDEEP) \
# Lua is optional
!IF "$(LUA)" != ""
LIBS = $(LIBS) $(LUA)\lua5.1.lib
@@ -54,16 +54,16 @@ LIBS = $(LIBS) $(YAJL)\lib\yajl.lib
DEFS=$(DEFS) -DWITH_YAJL
INCLUDES = $(INCLUDES) -I$(YAJL)\include -I$(YAJL) \
!ENDIF
-
+
# ssdeep is optional
# !IF "$(SSDEEP)" != ""
# LIBS = $(LIBS) $(SSDEEP)\fuzzy.lib
# DEFS=$(DEFS) -DWITH_SSDEEP
# INCLUDES = $(INCLUDES) -I$(SSDEEP)\include -I$(SSDEEP) \
# !ENDIF
-
-
-
+
+
+
CFLAGS= -MD /Zi $(INCLUDES) $(DEFS)
@@ -75,10 +75,10 @@ OBJS1 = mod_security2.obj apache2_config.obj apache2_io.obj apache2_util.obj \
msc_parsers.obj msc_util.obj msc_pcre.obj persist_dbm.obj \
msc_reqbody.obj msc_geo.obj msc_gsb.obj msc_unicode.obj acmp.obj msc_lua.obj \
msc_release.obj msc_crypt.obj msc_tree.obj \
- msc_status_engine.obj \
+ msc_status_engine.obj \
msc_json.obj \
- msc_remote_rules.obj
-
+ msc_remote_rules.obj
+
OBJS2 = api.obj buckets.obj config.obj filters.obj hooks.obj regex.obj server.obj
OBJS3 = main.obj moduleconfig.obj mymodule.obj
OBJS4 = libinjection_html5.obj \
diff --git a/iis/build_dependencies.bat b/iis/build_dependencies.bat
old mode 100644
new mode 100755
index fc0d6095d6..e131cd15cd
--- a/iis/build_dependencies.bat
+++ b/iis/build_dependencies.bat
@@ -1,4 +1,4 @@
-:: Those variable should be edited as needed.
+:: Those variables should be edited as needed.
:: Use full paths.
:: General paths
@@ -6,23 +6,28 @@
@set OUTPUT_DIR=%cd%\dependencies\release_files
@set SOURCE_DIR=%USERPROFILE%\Downloads
-:: Aditional paths.
-@set PATH=%PATH%;c:\work\cmake-2.8.7-win32-x86\bin;"c:\program files\7-zip"
+:: Dependencies
+@set CMAKE=cmake-3.12.4-win32-x86.zip
+@set PCRE=pcre-8.45.zip
+@set ZLIB=zlib-1.2.12.tar.gz
+@set LIBXML2=libxml2-2.9.14.tar.gz
+@set LUA=lua-5.3.6.tar.gz
+@set CURL=curl-7.83.1.zip
+@set APACHE_SRC=httpd-2.4.54.tar.gz
+@set APACHE_BIN32=httpd-2.4.54-win32-VS16.zip
+@set APACHE_BIN64=httpd-2.4.54-win64-VS16.zip
+@set YAJL=yajl-2.1.0.zip
+@set SSDEEP=ssdeep-2.14.1.tar.gz
+@set SSDEEP_BIN=ssdeep-2.14.1.zip
+
+@set CMAKE_DIR=%WORK_DIR%\%CMAKE:~0,-4%\bin
-@set PCRE=pcre-8.33.zip
-@set ZLIB=zlib-1.2.8.tar.gz
-@set LIBXML2=libxml2-2.9.1.tar.gz
-@set LUA=lua-5.1.5.tar.gz
-@set CURL=curl-7.39.0.zip
-@set APACHE_SRC=httpd-2.4.6.tar.gz
-@set APACHE_BIN32=httpd-2.4.6-win32-VC11.zip
-@set APACHE_BIN64=httpd-2.4.6-win64-VC11.zip
-@set YAJL=lloyd-yajl-f4b2b1a.zip
-@set SSDEEP=ssdeep-2.10.tar.gz
-@set SSDEEP_BIN=ssdeep-2.10.zip
+:: Aditional paths.
+@set "DIR_7ZIP=c:\program files\7-zip"
+@set PATH=%PATH%;%CMAKE_DIR%;%DIR_7ZIP%
-:: @set VCARGS32="C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\bin\vcvars32.bat"
-:: @set VCARGS64="C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\bin\x86_amd64\vcvarsx86_amd64.bat"
+:: @set VCARGS32="C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars32.bat"
+:: @set VCARGS64="C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvarsx86_amd64.bat"
:: Do not edit bellow this line.
@@ -45,6 +50,12 @@ call cl 2>&1 | findstr /C:"x64"
@if (%ERRORLEVEL%) == (0) set APACHE_BIN=%APACHE_BIN64%
@echo Starting with the depdendencies...
+@echo # CMake. - %CMAKE%
+@call dependencies/build_cmake.bat
+@if NOT (%ERRORLEVEL%) == (0) goto build_failed_cmake
+@cd "%CURRENT_DIR%"
+
+
@echo # Apache - %HTTPD%/%APACHE24_ZIP%
@call dependencies/build_apache.bat
@if NOT (%ERRORLEVEL%) == (0) goto build_failed_apache
@@ -53,7 +64,7 @@ call cl 2>&1 | findstr /C:"x64"
@echo # pcre. - %PCRE%
@call dependencies/build_pcre.bat
@if NOT (%ERRORLEVEL%) == (0) goto build_failed_pcre
-@cd "%CURRENT_DIR%"
+@cd "%CURRENT_DIR%
@echo # zlib - %ZLIB%
@call dependencies/build_zlib.bat
@@ -129,6 +140,10 @@ call cl 2>&1 | findstr /C:"x64"
@echo Failed to setup %SSDEEP%...
@goto failed
+:build_failed_cmake
+@echo Failed to setup %CMAKE%...
+@goto failed
+
:failed
@cd %CURRENT_DIR%
@exit /B 1
diff --git a/iis/build_modsecurity.bat b/iis/build_modsecurity.bat
index 680c05e8fb..4ee8348f56 100644
--- a/iis/build_modsecurity.bat
+++ b/iis/build_modsecurity.bat
@@ -15,21 +15,21 @@ set CURRENT_DIR=%cd%
cd ..\apache2
del *.obj *.dll *.lib
del libinjection\*.obj libinjection\*.dll libinjection\*.lib
-NMAKE -f Makefile.win APACHE=..\iis\%DEPENDENCIES_DIR%\Apache24 PCRE=..\iis\%DEPENDENCIES_DIR%\pcre LIBXML2=..\iis\%DEPENDENCIES_DIR%\libxml2 LUA=..\iis\%DEPENDENCIES_DIR%\lua\src VERSION=VERSION_IIS YAJL=..\iis\%DEPENDENCIES_DIR%\yajl\build\yajl-2.0.1 SSDEEP=..\iis\%DEPENDENCIES_DIR%\ssdeep CURL=..\iis\%DEPENDENCIES_DIR%\curl IIS_BUILD=yes
+NMAKE -f Makefile.win APACHE=..\iis\%DEPENDENCIES_DIR%\Apache24 PCRE=..\iis\%DEPENDENCIES_DIR%\pcre LIBXML2=..\iis\%DEPENDENCIES_DIR%\libxml2 LUA=..\iis\%DEPENDENCIES_DIR%\lua\src VERSION=VERSION_IIS YAJL=..\iis\%DEPENDENCIES_DIR%\yajl\build\yajl-2.1.0 SSDEEP=..\iis\%DEPENDENCIES_DIR%\ssdeep CURL=..\iis\%DEPENDENCIES_DIR%\curl IIS_BUILD=yes
@if NOT (%ERRORLEVEL%) == (0) goto build_failed
@echo mlogc...
cd ..\mlogc
del *.obj *.dll *.lib
nmake -f Makefile.win clean
-nmake -f Makefile.win APACHE=..\iis\%DEPENDENCIES_DIR%\Apache24 PCRE=..\iis\%DEPENDENCIES_DIR%\pcre CURL=..\iis\%DEPENDENCIES_DIR%\curl YAJL=..\iis\%DEPENDENCIES_DIR%\yajl SSDEEP=..\iis\%DEPENDENCIES_DIR%\ssdeep VERSION=VERSION_IIS
+nmake -f Makefile.win APACHE=..\iis\%DEPENDENCIES_DIR%\Apache24 PCRE=..\iis\%DEPENDENCIES_DIR%\pcre CURL=..\iis\%DEPENDENCIES_DIR%\curl YAJL=..\iis\%DEPENDENCIES_DIR%\yajl\build\yajl-2.1.0 SSDEEP=..\iis\%DEPENDENCIES_DIR%\ssdeep VERSION=VERSION_IIS
@if NOT (%ERRORLEVEL%) == (0) goto build_failed
@echo iis...
cd ..\iis
del *.obj *.dll *.lib
nmake -f Makefile.win clean
-NMAKE -f Makefile.win APACHE=..\iis\%DEPENDENCIES_DIR%\Apache24 PCRE=..\iis\%DEPENDENCIES_DIR%\pcre LIBXML2=..\iis\%DEPENDENCIES_DIR%\libxml2 LUA=..\iis\%DEPENDENCIES_DIR%\lua\src VERSION=VERSION_IIS YAJL=..\iis\%DEPENDENCIES_DIR%\yajl\build\yajl-2.0.1 SSDEEP=..\iis\%DEPENDENCIES_DIR%\ssdeep CURL=..\iis\%DEPENDENCIES_DIR%\curl
+NMAKE -f Makefile.win APACHE=..\iis\%DEPENDENCIES_DIR%\Apache24 PCRE=..\iis\%DEPENDENCIES_DIR%\pcre LIBXML2=..\iis\%DEPENDENCIES_DIR%\libxml2 LUA=..\iis\%DEPENDENCIES_DIR%\lua\src VERSION=VERSION_IIS YAJL=..\iis\%DEPENDENCIES_DIR%\yajl\build\yajl-2.1.0 SSDEEP=..\iis\%DEPENDENCIES_DIR%\ssdeep CURL=..\iis\%DEPENDENCIES_DIR%\curl
@if NOT (%ERRORLEVEL%) == (0) goto build_failed
cd %CURRENT_DIR%
diff --git a/iis/build_msi.bat b/iis/build_msi.bat
index 0ea7d369fe..d3c020fdd7 100644
--- a/iis/build_msi.bat
+++ b/iis/build_msi.bat
@@ -1,20 +1,20 @@
-set PATH="%PATH%;C:\Program Files (x86)\WiX Toolset v3.8\bin;C:\Program Files (x86)\WiX Toolset v3.7\bin;"
+set PATH="%PATH%;C:\Program Files (x86)\WiX Toolset v3.11\bin;C:\Program Files (x86)\WiX Toolset v3.8\bin;C:\Program Files (x86)\WiX Toolset v3.7\bin;"
set CURRENT_DIR=%cd%
del installer.wix*
-"candle.exe" -ext WixUtilExtension -ext WixUIExtension "%CURRENT_DIR%\installer.wxs" -out "%CURRENT_DIR%\installer.wixobj" -arch x64
+"C:\Program Files (x86)\WiX Toolset v3.11\bin\candle.exe" -ext WixUtilExtension -ext WixUIExtension "%CURRENT_DIR%\installer.wxs" -out "%CURRENT_DIR%\installer.wixobj" -arch x64
@if NOT (%ERRORLEVEL%) == (0) goto build_failed
-"light.exe" -ext WixUtilExtension -ext WixUIExtension "%CURRENT_DIR%\installer.wixobj" -out "%CURRENT_DIR%\installer-64.msi"
+"C:\Program Files (x86)\WiX Toolset v3.11\bin\light.exe" -ext WixUtilExtension -ext WixUIExtension "%CURRENT_DIR%\installer.wixobj" -out "%CURRENT_DIR%\installer-64.msi"
@if NOT (%ERRORLEVEL%) == (0) goto build_failed
-"candle.exe" -ext WixUtilExtension -ext WixUIExtension "%CURRENT_DIR%\installer.wxs" -out "%CURRENT_DIR%\installer.wixobj" -arch x86
+"C:\Program Files (x86)\WiX Toolset v3.11\bin\candle.exe" -ext WixUtilExtension -ext WixUIExtension "%CURRENT_DIR%\installer.wxs" -out "%CURRENT_DIR%\installer.wixobj" -arch x86
@if NOT (%ERRORLEVEL%) == (0) goto build_failed
-"light.exe" -ext WixUtilExtension -ext WixUIExtension "%CURRENT_DIR%\installer.wixobj" -out "%CURRENT_DIR%\installer-32.msi"
+"C:\Program Files (x86)\WiX Toolset v3.11\bin\light.exe" -ext WixUtilExtension -ext WixUIExtension "%CURRENT_DIR%\installer.wixobj" -out "%CURRENT_DIR%\installer-32.msi"
@if NOT (%ERRORLEVEL%) == (0) goto build_failed
exit /B 0
diff --git a/iis/build_release.bat b/iis/build_release.bat
old mode 100644
new mode 100755
index 68bc587130..c1d8e85eeb
--- a/iis/build_release.bat
+++ b/iis/build_release.bat
@@ -14,8 +14,9 @@ mkdir "%AMD64%"
mkdir "%X86%"
-set VCARGS32="C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\bin\vcvars32.bat"
-set VCARGS64="C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\bin\x86_amd64\vcvarsx86_amd64.bat"
+set VCARGS32="C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars32.bat"
+set VCARGS64="C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvarsx86_amd64.bat"
+
set SSDEEP_ARCH="x64"
call build_dependencies.bat %VCARGS64%
diff --git a/iis/dependencies/build_cmake.bat b/iis/dependencies/build_cmake.bat
new file mode 100644
index 0000000000..f76847153a
--- /dev/null
+++ b/iis/dependencies/build_cmake.bat
@@ -0,0 +1,20 @@
+@cd "%WORK_DIR%"
+
+@if NOT EXIST "%SOURCE_DIR%\%CMAKE%" goto file_not_found
+
+
+@7z.exe x "%SOURCE_DIR%\%CMAKE%"
+@if NOT (%ERRORLEVEL%) == (0) goto something_went_wrong
+
+@exit /B 0
+
+:file_not_found
+@echo File not found: %SOURCE_DIR%\%CMAKE%
+@goto failed
+
+:something_went_wrong
+@echo Something went wrong while unzip CMake files.
+@goto failed
+
+:failed
+@exit /B 1
\ No newline at end of file
diff --git a/iis/dependencies/build_curl.bat b/iis/dependencies/build_curl.bat
index 6d66a1d11c..be26ca9a43 100644
--- a/iis/dependencies/build_curl.bat
+++ b/iis/dependencies/build_curl.bat
@@ -20,9 +20,10 @@ nmake /f Makefile.vc mode=dll ENABLE_WINSSL=yes MACHINE=%ARCH% WITH_ZLIB=dll
cd "%WORK_DIR%"
-copy /y "%WORK_DIR%\curl\builds\libcurl-vc-%ARCH%-release-dll-zlib-dll-ipv6-sspi-winssl-obj-lib\libcurl.dll" "%OUTPUT_DIR%"
-copy /y "%WORK_DIR%\curl\builds\libcurl-vc-%ARCH%-release-dll-zlib-dll-ipv6-sspi-winssl-obj-lib\libcurl.lib" "%OUTPUT_DIR%"
-copy /y "%WORK_DIR%\curl\builds\libcurl-vc-%ARCH%-release-dll-zlib-dll-ipv6-sspi-winssl-obj-lib\libcurl.lib" "%WORK_DIR%\curl\libcurl.lib"
+copy /y "%WORK_DIR%\curl\builds\libcurl-vc-%ARCH%-release-dll-zlib-dll-ipv6-sspi-schannel-obj-lib\libcurl.dll" "%OUTPUT_DIR%"
+copy /y "%WORK_DIR%\curl\builds\libcurl-vc-%ARCH%-release-dll-zlib-dll-ipv6-sspi-schannel-obj-lib\libcurl.lib" "%OUTPUT_DIR%"
+copy /y "%WORK_DIR%\curl\builds\libcurl-vc-%ARCH%-release-dll-zlib-dll-ipv6-sspi-schannel-obj-lib\libcurl.lib" "%WORK_DIR%\curl\libcurl.lib"
+
exit /B 0
diff --git a/iis/dependencies/build_pcre.bat b/iis/dependencies/build_pcre.bat
index 9d728a4042..d2cbcce0f9 100644
--- a/iis/dependencies/build_pcre.bat
+++ b/iis/dependencies/build_pcre.bat
@@ -1,32 +1,45 @@
-cd "%WORK_DIR%"
-
-@if NOT EXIST "%SOURCE_DIR%\%APACHE_BIN%" goto file_not_found_bin
-
-7z.exe x "%SOURCE_DIR%\%PCRE%"
-set PCRE_DIR=%PCRE:~0,-4%
-
+::@if NOT (%ERRORLEVEL%) == (1) Echo "Patch successfull... For more info on patch see: https://vcs.pcre.org/pcre/code/trunk/CMakeLists.txt?r1=1659&r2=1677&view=patch"
+
+cd "%WORK_DIR%"
+
+@if NOT EXIST "%SOURCE_DIR%\%APACHE_BIN%" goto file_not_found_bin
+
+7z.exe x "%SOURCE_DIR%\%PCRE%"
+set PCRE_DIR=%PCRE:~0,-4%
+
move "%PCRE_DIR%" "pcre"
-
+
+@if "%PCRE_DIR%" == "pcre-8.40" (
+ Echo. && Echo "PCRE 8.40 found... trying to patch it to compile cleanly"
+ ::cscript /B /Nologo ../patch-pcre-8.40.vbs
+ cd "pcre"
+ cat CMakeLists.txt | sed "s/PCRE_STATIC_RUNTIME OFF CACHE BOOL/PCRE_STATIC_RUNTIME/g" > CMakeLists.txt.ops
+ move CMakeLists.txt CMakeLists.txt.old
+ move CMakeLists.txt.ops CMakeLists.txt
+ cd ..
+)
+
cd "pcre"
-CMAKE -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=True
-@if NOT (%ERRORLEVEL%) == (0) goto build_failed
-NMAKE
-@if NOT (%ERRORLEVEL%) == (0) goto build_failed
-cd "%WORK%"
-
+CMAKE -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=True
+@if NOT (%ERRORLEVEL%) == (0) goto build_failed
+NMAKE
+@if NOT (%ERRORLEVEL%) == (0) goto build_failed
+cd "%WORK%"
+
copy /y "%WORK_DIR%\pcre\pcre.dll" "%OUTPUT_DIR%"
copy /y "%WORK_DIR%\pcre\pcre.pdb" "%OUTPUT_DIR%"
copy /y "%WORK_DIR%\pcre\pcre.lib" "%OUTPUT_DIR%"
-echo "a"
-@exit /B 0
-
-:file_not_found_bin
-@echo File not found: "%SOURCE_DIR%\%PCRE%"
-@goto failed
-
-:build_failed
-@echo Problems during the building phase
-@goto failed
-
-:failed
-@exit /B 1
+copy /y "%WORK_DIR%\pcre\pcre.h.generic" "%WORK_DIR%\pcre\pcre.h"
+echo "a"
+@exit /B 0
+
+:file_not_found_bin
+@echo File not found: "%SOURCE_DIR%\%PCRE%"
+@goto failed
+
+:build_failed
+@echo Problems during the building phase
+@goto failed
+
+:failed
+@exit /B 1
diff --git a/iis/dependencies/build_ssdeep.bat b/iis/dependencies/build_ssdeep.bat
index 36b8b1595c..3b3a46bcd4 100644
--- a/iis/dependencies/build_ssdeep.bat
+++ b/iis/dependencies/build_ssdeep.bat
@@ -1,5 +1,8 @@
cd "%WORK_DIR%"
+echo "%SOURCE_DIR%\%SSDEEP%"
+echo "%SOURCE_DIR%\%SSDEEP_BIN%"
+
@if NOT EXIST "%SOURCE_DIR%\%SSDEEP%" goto build_failed
@7z.exe x "%SOURCE_DIR%\%SSDEEP_BIN%"
diff --git a/iis/dependencies/build_yajl.bat b/iis/dependencies/build_yajl.bat
index 33ebc234ac..f5c6eff078 100644
--- a/iis/dependencies/build_yajl.bat
+++ b/iis/dependencies/build_yajl.bat
@@ -4,11 +4,13 @@ cd "%WORK_DIR%"
7z.exe x "%SOURCE_DIR%\%YAJL%"
set YAJL_DIR=%YAJL:~0,-4%
-
-move "%YAJL_DIR%" "yajl"
-
+echo "%SOURCE_DIR%\%YAJL%"
+echo "%YAJL_DIR%"
+pwd
+move "%YAJL_DIR%" "%WORK_DIR%\yajl"
+pwd
cd "yajl"
-
+pwd
mkdir build
@if NOT (%ERRORLEVEL%) == (0) goto build_failed
cd build
@@ -20,15 +22,20 @@ nmake
cd "%WORK%"
-copy /y "%WORK_DIR%\yajl\build\yajl-2.0.1\lib\yajl.dll" "%OUTPUT_DIR%"
-copy /y "%WORK_DIR%\yajl\build\yajl-2.0.1\lib\yajl.pdb" "%OUTPUT_DIR%"
-copy /y "%WORK_DIR%\yajl\build\yajl-2.0.1\lib\yajl.lib" "%OUTPUT_DIR%"
-copy /y "%WORK_DIR%\yajl\build\yajl-2.0.1\lib\yajl_s.lib" "%OUTPUT_DIR%"
+copy /y "%WORK_DIR%\yajl\build\%YAJL_DIR%\lib\yajl.dll" "%OUTPUT_DIR%"
+:: copy /y "%WORK_DIR%\yajl\build\%YAJL_DIR%\lib\yajl.pdb" "%OUTPUT_DIR%"
+copy /y "%WORK_DIR%\yajl\build\%YAJL_DIR%\lib\yajl.lib" "%OUTPUT_DIR%"
+copy /y "%WORK_DIR%\yajl\build\%YAJL_DIR%\lib\yajl_s.lib" "%OUTPUT_DIR%"
+
+copy /y "%WORK_DIR%\yajl\build\%YAJL_DIR%\lib\yajl.dll" "%WORK_DIR%\yajl\build\%YAJL_DIR%\include\yajl.dll"
+copy /y "%WORK_DIR%\yajl\build\%YAJL_DIR%\lib\yajl.lib" "%WORK_DIR%\yajl\build\%YAJL_DIR%\include\yajl.lib"
+copy /y "%WORK_DIR%\yajl\build\%YAJL_DIR%\lib\yajl_s.lib" "%WORK_DIR%\yajl\build\%YAJL_DIR%\include\yajl_s.lib"
+
@exit /B 0
:file_not_found_bin
-@echo File not found: "%SOURCE_DIR%\%PCRE%"
+@echo File not found: "%SOURCE_DIR%\%YAJL%"
@goto failed
:build_failed
diff --git a/iis/dependencies/howto.txt b/iis/dependencies/howto.txt
index 1505a5f95d..830851f95a 100644
--- a/iis/dependencies/howto.txt
+++ b/iis/dependencies/howto.txt
@@ -1,44 +1,52 @@
-WARNING!
+The build process for ModSecurityIIS for Windows was a relatively complicated process. Understanding it required advanced knowledge of Windows and Unix environments.
+So the build process was refactored to make it easier for users to create their own builds with the automated batch scripts.
-Building ModSecurityIIS on Windows is a relatively complicated process. Understanding it requires advanced knowledge of Windows and Unix environments.
-Using the same versions of libraries as listed below is strongly recommended.
+* build_release.bat -> The main build script that calls all the others to have a working release
+* build_msi.bat -> Creates the MSI self-installer for easy deploy / removal / distribution
+* build_dependencies.bat -> Sets (and downloads if needed) all required dependencies
+* build_modsecurity.bat -> Builds ModSecurity (requires all depenedencies being set)
+
+* download_files.bat -> Downloads all required dependencies to the default Downloads folder
+** This script is disabled by default. If you want to enable it, uncomment the "@call download_files.bat" line on build_dependencies.bat
+
+The dependencies folder also includes a set o batch scripts which sets each dependency
+on its own. These scripts are called by the build_dependencies.bat script.
+
+Using the same versions of libraries as listed below is recommended.
--------------------------------------
-Tested on:
-
-Windows 7 x64
-Vistual Studio 2010 Ultimate SP1
-IIS enabled/installed
-
-cmake 2.8.7
-curl 7.24.0
-apache 2.2.22 or apache 2.4.3
-libxml2 2.7.7
-lua 5.1.5
-pcre 8.30
-zlib 1.2.7
-7-Zip
+Compilation Prerequisites:
+
+* Windows 7 x86_x64 (Should work on newer versions of Windows too)
+* Vistual Studio 2013 Express (Other versions should work, but you need to set the correct path for vcvars.bat scripts)
+* IIS enabled/installed
+* 7-Zip
+
--------------------------------------
-1. Create working directory c:\work and drop directory c:\drop
-2. Sync SVN ModSecurity branch to c:\work\mod_security
-3. Copy files from c:\work\mod_security\iis\winbuild to c:\work
-4. Download and install cmake (unpack to c:\work\cmake-2.8.7-win32-x86)
-5. Download and install 7-Zip
-6. Adjust paths in c:\work\init.bat accordingly if needed
-7. Download curl, apache, libxml2, lua, pcre and zlib, place them in zip files in c:\work
-
-curl-7.24.0.zip
-httpd-2.2.22-win32-src.zip or (httpd-2.4.3.zip (source) and httpd-2.4.3-win32.zip + httpd-2.4.3-win64.zip (binaries))
-libxml2-2.7.7.zip
-lua-5.1.5.zip
-pcre-8.30.zip
-zlib-1.2.7.zip
-
-Modify c:\work\build.bat accordingly (if other versions were used)
-
-8. Open cmd.exe window, go to c:\work and run buildall.bat
-9. When done, the binaries, lib and pdb files should appear under c:\drop\x86 (32-bit) and c:\drop\amd64 (64-bit)
-10. Open the VS ModSecurity IIS installer project
-11. Copy new binaries to the installer's x86 and amd64 directories
-12. Build installer from within VS
+The latest versions of ModSecurity dependencies known to work well are the following:
+
+cmake-3.8.2-win32-x86
+pcre-8.40 (patch required and included on file "patch-pcre-8.40.vbs")
+zlib-1.2.11
+libxml2-2.9.4
+lua-5.3.4
+curl-7.54.1
+httpd-2.4.27 (bin-VC11)
+yajl-2.1.0
+ssdeep-2.13
+
+--------------------------------------
+
+1. Create working directory (e.g. c:\work) and drop the latest clone from ModSecurity's 2.x Github (https://github.com/owasp-modsecurity/ModSecurity/archive/v2/master.zip)
+2. Make sure the prerequisites mentioned above are all set
+3. If you haven't download the dependency files before, uncomment the "@call download_files.bat" line on build_dependencies.bat to have them downloaded prior
+4. Open a command prompt (cmd.exe) and head to the "iis" folder inside ModSecurity tree working directory (e.g. cd c:\work\ModSecurity\iis)
+5. If you need to modify anything (e.g. paths, versions etc), carefully edit the batch files.
+6. Run build_release.bat
+7. When done, the binaries, lib and pdb files should appear under c:\work\ModSecurity\iis\release\x86 (32-bit) and c:\work\ModSecurity\iis\release\amd64 (64-bit)
+* At this point, if you had a previous installation of ModSecurity and would like to test you can place the x86 files to "C:\Windows\SysWOW64\inetsrv" and x64 files to "C:\Windows\System32\inetsrv"
+
+8. If all went well, you can build the MSI installer by running the build_msi.bat script.
+
+* The built installable package places the files to the correct folders, automatically configures the ModSecurity IIS native module and configures web.config to enable ModSecurity for all IIS sites.
diff --git a/iis/download_files.bat b/iis/download_files.bat
new file mode 100644
index 0000000000..dd0773aad2
--- /dev/null
+++ b/iis/download_files.bat
@@ -0,0 +1,39 @@
+@set CMAKE=cmake-3.12.4-win32-x86.zip
+@set PCRE=pcre-8.41.zip
+@set ZLIB=zlib-1.2.11.tar.gz
+@set LIBXML2=libxml2-2.9.8.tar.gz
+@set LUA=lua-5.3.5.tar.gz
+@set CURL=curl-7.62.0.zip
+@set APACHE_SRC=httpd-2.4.37.tar.gz
+@set APACHE_BIN32=httpd-2.4.37-win32-VC11.zip
+@set APACHE_BIN64=httpd-2.4.37-win64-VC11.zip
+@set YAJL=yajl-2.1.0.zip
+@set SSDEEP=ssdeep-2.13.tar.gz
+@set SSDEEP_BIN=ssdeep-2.13.zip
+
+:: BITSAdmin refuses to download YAJL from GitHub URL
+:: @set YAJL_URL=https://github.com/lloyd/yajl/archive/%YAJL:~-9%
+@set YAJL_URL=http://http.debian.net/debian/pool/main/y/yajl/yajl_2.1.0.orig.tar.gz
+
+@set CMAKE_URL=https://cmake.org/files/v3.12/%CMAKE%
+@set PCRE_URL=https://ftp.pcre.org/pub/pcre/%PCRE%
+@set ZLIB_URL=https://zlib.net/%ZLIB%
+@set LIBXML2_URL=http://xmlsoft.org/sources/%LIBXML2%
+@set LUA_URL=https://www.lua.org/ftp/%LUA%
+@set CURL_URL=http://curl.askapache.com/download/%CURL%
+@set APACHE_SRC_URL=https://www.apache.org/dist/httpd/%APACHE_SRC%
+@set APACHE_BIN_URL=https://home.apache.org/~steffenal/VC11/binaries
+@set SSDEEP_URL=https://downloads.sourceforge.net/project/ssdeep/ssdeep-2.13
+
+bitsadmin.exe /transfer "Downloading dependencies..." %CMAKE_URL% %SOURCE_DIR%\%CMAKE% %PCRE_URL% %SOURCE_DIR%\%PCRE% %ZLIB_URL% %SOURCE_DIR%\%ZLIB% %LIBXML2_URL% %SOURCE_DIR%\%LIBXML2% %LUA_URL% %SOURCE_DIR%\%LUA% %CURL_URL% %SOURCE_DIR%\%CURL% %APACHE_SRC_URL% %SOURCE_DIR%\%APACHE_SRC% %APACHE_BIN_URL%/%APACHE_BIN32% %SOURCE_DIR%\%APACHE_BIN32% %APACHE_BIN_URL%/%APACHE_BIN64% %SOURCE_DIR%\%APACHE_BIN64% %YAJL_URL% %SOURCE_DIR%\%YAJL% %SSDEEP_URL%/%SSDEEP% %SOURCE_DIR%\%SSDEEP% %SSDEEP_URL%/%SSDEEP_BIN% %SOURCE_DIR%\%SSDEEP_BIN%
+
+@if NOT (%ERRORLEVEL%) == (0) goto :failed_to_download
+@exit /B 0
+
+:failed_to_download
+@echo. && echo Failed to download dependency files... Try again or manually download the files to %SOURCE_DIR% and comment "@call download_files.bat" from build_dependencies.bat
+@goto failed
+
+:failed
+@exit /B 1
+
diff --git a/iis/installer.wxs b/iis/installer.wxs
index 51f4878b14..17ed02c047 100644
--- a/iis/installer.wxs
+++ b/iis/installer.wxs
@@ -7,7 +7,7 @@
lightArgs:
-->
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi" xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">
- <Product Id="22B04FDB-9BAB-46B0-87B8-A39544ECECD3" Name="ModSecurity IIS" Language="1033" Version="2.9.0" Manufacturer="ModSecurity" UpgradeCode="82F09489-1678-4C38-ADCB-08C3757653DB">
+ <Product Id="22B04FDB-9BAB-46B0-87B8-A39544ECECD3" Name="ModSecurity IIS" Language="1033" Version="2.9.7" Manufacturer="ModSecurity" UpgradeCode="82F09489-1678-4C38-ADCB-08C3757653DB">
<Package Description="ModSecurityISS" Comments="none" InstallerVersion="405" Compressed="yes" InstallPrivileges="elevated" InstallScope="perMachine" />
<?define ProductName = "ModSecuirty IIS" ?>
<?if $(sys.BUILDARCH) = x64 ?>
@@ -91,7 +91,7 @@
<RegistrySearch Id="FindInetPubFolder" Root="HKLM" Key="SOFTWARE\Microsoft\InetStp" Name="PathWWWRoot" Type="directory" />
</Property>
<Property Id="MSIUSEREALADMINDETECTION" Value="1" />
- <Condition Message="This setup requires IIS 7.0 or 8.0."><![CDATA[(IIS="#7") OR (IIS="#8")]]></Condition>
+ <Condition Message="This setup requires IIS 7.0, 8.0 or 10.0. If that's the case, please ensure that the installer is running as administrator or try running it from the 'Apps and features' or 'Add/Remove Programs' menu"><![CDATA[(IIS="#7") OR (IIS="#8") OR (IIS="#10")]]></Condition>
<!-- Version 2.7.5 had an uninstall issue that leaves some files behind. Asking the user to manually hash this out. -->
<Condition Message="A older version of ModSecurityIIS was found in your computer. Please complete uninstall by removing the following file: [FILEEXISTS]. You may have to remove ModSecurity module from IIS, use the IIS Manager to do so."><![CDATA[(NOT FILEEXISTS) OR (Installed)]]></Condition>
<Condition Message="64-bit operating system was detected, please use the 64-bit installer.">
@@ -129,124 +129,95 @@
</Directory>
</Directory>
</Directory>
- <?endif ?>
+ <?endif ?>
<Directory Id="$(var.PlatformProgramFilesFolder)">
<Directory Id="INSTALLFOLDER" Name="ModSecurity IIS">
- <Component Id="OWASP_CRS_V_2_2_9_SETUP" DiskId="1" Guid="64629082-F6A2-4675-9E3E-4EA363CD6500">
- <File Id="MODSECURITY_CRS_10_SETUP.CONF.EXAMPLE" Name="modsecurity_crs_10_setup.conf" Source="release\owasp_crs\modsecurity_crs_10_setup.conf.example" />
- </Component>
+ <!--
+ <Component Id="OWASP_CRS_V_3_0_2_SETUP" DiskId="1" Guid="64629082-F6A2-4675-9E3E-4EA363CD6500">
+ <File Id="CRS_SETUP.CONF.EXAMPLE" Name="crs-setup.conf.example" Source="release\owasp_crs\crs-setup.conf.example" />
+ </Component>
+ -->
+ <!--
<Directory Id="OWASP_CRS" Name="owasp_crs">
- <Component Id="OWASP_CRS_V_2_2_9" DiskId="1" Guid="64629082-F6A2-4675-9E3E-4EA363CD6502">
+ <Component Id="OWASP_CRS_V_3_0_2" DiskId="1" Guid="64629082-F6A2-4675-9E3E-4EA363CD6502">
<File Id="CHANGES" Name="CHANGES" Source="release\owasp_crs\CHANGES" />
+ <File Id="CONTRIBUTORS" Name="CONTRIBUTORS" Source="release\owasp_crs\CONTRIBUTORS" />
+ <File Id="IDNUMBERING" Name="IDNUMBERING" Source="release\owasp_crs\IDNUMBERING" />
<File Id="INSTALL" Name="INSTALL" Source="release\owasp_crs\INSTALL" />
<File Id="LICENSE" Name="LICENSE" Source="release\owasp_crs\LICENSE" />
+ <File Id="KNOWN_BUGS" Name="KNOWN_BUGS" Source="release\owasp_crs\KNOWN_BUGS" />
<File Id="README.MD" Name="README.md" Source="release\owasp_crs\README.md" />
</Component>
- <Directory Id="ACTIVATED_RULES" Name="activated_rules">
+ <Directory Id="DOCUMENTATION" Name="documentation">
<Component Id="README" DiskId="1" Guid="F06FC044-52E6-412E-80E6-6644486A522B">
- <File Id="README" Name="README" Source="release\owasp_crs\activated_rules\README" />
- </Component>
- </Directory>
- <Directory Id="BASE_RULES" Name="base_rules">
- <Component Id="BASE_RULES" DiskId="1" Guid="66EB7DE9-E12D-4360-B096-75CAB0498E88">
- <File Id="MODSECURITY_35_BAD_ROBOTS.DATA" Name="modsecurity_35_bad_robots.data" Source="release\owasp_crs\base_rules\modsecurity_35_bad_robots.data" />
- <File Id="MODSECURITY_35_SCANNERS.DATA" Name="modsecurity_35_scanners.data" Source="release\owasp_crs\base_rules\modsecurity_35_scanners.data" />
- <File Id="MODSECURITY_40_GENERIC_ATTACKS.DATA" Name="modsecurity_40_generic_attacks.data" Source="release\owasp_crs\base_rules\modsecurity_40_generic_attacks.data" />
- <File Id="MODSECURITY_50_OUTBOUND.DATA" Name="modsecurity_50_outbound.data" Source="release\owasp_crs\base_rules\modsecurity_50_outbound.data" />
- <File Id="MODSECURITY_50_OUTBOUND_MALWARE.DATA" Name="modsecurity_50_outbound_malware.data" Source="release\owasp_crs\base_rules\modsecurity_50_outbound_malware.data" />
- <File Id="MODSECURITY_CRS_20_PROTOCOL_VIOLATIONS.CONF" Name="modsecurity_crs_20_protocol_violations.conf" Source="release\owasp_crs\base_rules\modsecurity_crs_20_protocol_violations.conf" />
- <File Id="MODSECURITY_CRS_21_PROTOCOL_ANOMALIES.CONF" Name="modsecurity_crs_21_protocol_anomalies.conf" Source="release\owasp_crs\base_rules\modsecurity_crs_21_protocol_anomalies.conf" />
- <File Id="MODSECURITY_CRS_23_REQUEST_LIMITS.CONF" Name="modsecurity_crs_23_request_limits.conf" Source="release\owasp_crs\base_rules\modsecurity_crs_23_request_limits.conf" />
- <File Id="MODSECURITY_CRS_30_HTTP_POLICY.CONF" Name="modsecurity_crs_30_http_policy.conf" Source="release\owasp_crs\base_rules\modsecurity_crs_30_http_policy.conf" />
- <File Id="MODSECURITY_CRS_35_BAD_ROBOTS.CONF" Name="modsecurity_crs_35_bad_robots.conf" Source="release\owasp_crs\base_rules\modsecurity_crs_35_bad_robots.conf" />
- <File Id="MODSECURITY_CRS_40_GENERIC_ATTACKS.CONF" Name="modsecurity_crs_40_generic_attacks.conf" Source="release\owasp_crs\base_rules\modsecurity_crs_40_generic_attacks.conf" />
- <File Id="MODSECURITY_CRS_41_SQL_INJECTION_ATTACKS.CONF" Name="modsecurity_crs_41_sql_injection_attacks.conf" Source="release\owasp_crs\base_rules\modsecurity_crs_41_sql_injection_attacks.conf" />
- <File Id="MODSECURITY_CRS_41_XSS_ATTACKS.CONF" Name="modsecurity_crs_41_xss_attacks.conf" Source="release\owasp_crs\base_rules\modsecurity_crs_41_xss_attacks.conf" />
- <File Id="MODSECURITY_CRS_42_TIGHT_SECURITY.CONF" Name="modsecurity_crs_42_tight_security.conf" Source="release\owasp_crs\base_rules\modsecurity_crs_42_tight_security.conf" />
- <File Id="MODSECURITY_CRS_45_TROJANS.CONF" Name="modsecurity_crs_45_trojans.conf" Source="release\owasp_crs\base_rules\modsecurity_crs_45_trojans.conf" />
- <File Id="MODSECURITY_CRS_47_COMMON_EXCEPTIONS.CONF" Name="modsecurity_crs_47_common_exceptions.conf" Source="release\owasp_crs\base_rules\modsecurity_crs_47_common_exceptions.conf" />
- <File Id="MODSECURITY_CRS_48_LOCAL_EXCEPTIONS.CONF.EXAMPLE" Name="modsecurity_crs_48_local_exceptions.conf.example" Source="release\owasp_crs\base_rules\modsecurity_crs_48_local_exceptions.conf.example" />
- <File Id="MODSECURITY_CRS_49_INBOUND_BLOCKING.CONF" Name="modsecurity_crs_49_inbound_blocking.conf" Source="release\owasp_crs\base_rules\modsecurity_crs_49_inbound_blocking.conf" />
- <File Id="MODSECURITY_CRS_50_OUTBOUND.CONF" Name="modsecurity_crs_50_outbound.conf" Source="release\owasp_crs\base_rules\modsecurity_crs_50_outbound.conf" />
- <File Id="MODSECURITY_CRS_59_OUTBOUND_BLOCKING.CONF" Name="modsecurity_crs_59_outbound_blocking.conf" Source="release\owasp_crs\base_rules\modsecurity_crs_59_outbound_blocking.conf" />
- <File Id="MODSECURITY_CRS_60_CORRELATION.CONF" Name="modsecurity_crs_60_correlation.conf" Source="release\owasp_crs\base_rules\modsecurity_crs_60_correlation.conf" />
- </Component>
- </Directory>
- <Directory Id="EXPERIMENTAL_RULES" Name="experimental_rules">
- <Component Id="EXPERIMENTAL_RULES" DiskId="1" Guid="B2504C95-7338-49CA-9786-ACEF671ABB93">
- <File Id="MODSECURITY_CRS_11_BRUTE_FORCE.CONF" Name="modsecurity_crs_11_brute_force.conf" Source="release\owasp_crs\experimental_rules\modsecurity_crs_11_brute_force.conf" />
- <File Id="MODSECURITY_CRS_11_DOS_PROTECTION.CONF" Name="modsecurity_crs_11_dos_protection.conf" Source="release\owasp_crs\experimental_rules\modsecurity_crs_11_dos_protection.conf" />
- <File Id="MODSECURITY_CRS_11_PROXY_ABUSE.CONF" Name="modsecurity_crs_11_proxy_abuse.conf" Source="release\owasp_crs\experimental_rules\modsecurity_crs_11_proxy_abuse.conf" />
- <File Id="MODSECURITY_CRS_11_SLOW_DOS_PROTECTION.CONF" Name="modsecurity_crs_11_slow_dos_protection.conf" Source="release\owasp_crs\experimental_rules\modsecurity_crs_11_slow_dos_protection.conf" />
- <File Id="MODSECURITY_CRS_16_SCANNER_INTEGRATION.CONF" Name="modsecurity_crs_16_scanner_integration.conf" Source="release\owasp_crs\experimental_rules\modsecurity_crs_16_scanner_integration.conf" />
- <File Id="MODSECURITY_CRS_25_CC_TRACK_PAN.CONF" Name="modsecurity_crs_25_cc_track_pan.conf" Source="release\owasp_crs\experimental_rules\modsecurity_crs_25_cc_track_pan.conf" />
- <File Id="MODSECURITY_CRS_40_APPSENSOR_DETECTION_POINT_2.0_SETUP.CONF" Name="modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf" Source="release\owasp_crs\experimental_rules\modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf" />
- <File Id="MODSECURITY_CRS_40_APPSENSOR_DETECTION_POINT_2.1_REQUEST_EXCEPTION.CONF" Name="modsecurity_crs_40_appsensor_detection_point_2.1_request_exception.conf" Source="release\owasp_crs\experimental_rules\modsecurity_crs_40_appsensor_detection_point_2.1_request_exception.conf" />
- <File Id="MODSECURITY_CRS_40_APPSENSOR_DETECTION_POINT_2.9_HONEYTRAP.CONF" Name="modsecurity_crs_40_appsensor_detection_point_2.9_honeytrap.conf" Source="release\owasp_crs\experimental_rules\modsecurity_crs_40_appsensor_detection_point_2.9_honeytrap.conf" />
- <File Id="MODSECURITY_CRS_40_APPSENSOR_DETECTION_POINT_3.0_END.CONF" Name="modsecurity_crs_40_appsensor_detection_point_3.0_end.conf" Source="release\owasp_crs\experimental_rules\modsecurity_crs_40_appsensor_detection_point_3.0_end.conf" />
- <File Id="MODSECURITY_CRS_40_HTTP_PARAMETER_POLLUTION.CONF" Name="modsecurity_crs_40_http_parameter_pollution.conf" Source="release\owasp_crs\experimental_rules\modsecurity_crs_40_http_parameter_pollution.conf" />
- <File Id="MODSECURITY_CRS_42_CSP_ENFORCEMENT.CONF" Name="modsecurity_crs_42_csp_enforcement.conf" Source="release\owasp_crs\experimental_rules\modsecurity_crs_42_csp_enforcement.conf" />
- <File Id="MODSECURITY_CRS_46_SCANNER_INTEGRATION.CONF" Name="modsecurity_crs_46_scanner_integration.conf" Source="release\owasp_crs\experimental_rules\modsecurity_crs_46_scanner_integration.conf" />
- <File Id="MODSECURITY_CRS_48_BAYES_ANALYSIS.CONF" Name="modsecurity_crs_48_bayes_analysis.conf" Source="release\owasp_crs\experimental_rules\modsecurity_crs_48_bayes_analysis.conf" />
- <File Id="MODSECURITY_CRS_55_RESPONSE_PROFILING.CONF" Name="modsecurity_crs_55_response_profiling.conf" Source="release\owasp_crs\experimental_rules\modsecurity_crs_55_response_profiling.conf" />
- <File Id="MODSECURITY_CRS_56_PVI_CHECKS.CONF" Name="modsecurity_crs_56_pvi_checks.conf" Source="release\owasp_crs\experimental_rules\modsecurity_crs_56_pvi_checks.conf" />
- <File Id="MODSECURITY_CRS_61_IP_FORENSICS.CONF" Name="modsecurity_crs_61_ip_forensics.conf" Source="release\owasp_crs\experimental_rules\modsecurity_crs_61_ip_forensics.conf" />
- </Component>
- </Directory>
- <Directory Id="LUA" Name="lua">
- <Component Id="LUA" DiskId="1" Guid="BF9033A5-C9A4-4867-92CA-CDD174CBE420">
- <File Id="ADVANCED_FILTER_CONVERTER.LUA" Name="advanced_filter_converter.lua" Source="release\owasp_crs\lua\advanced_filter_converter.lua" />
- <File Id="APPSENSOR_REQUEST_EXCEPTION_ENFORCE.LUA" Name="appsensor_request_exception_enforce.lua" Source="release\owasp_crs\lua\appsensor_request_exception_enforce.lua" />
- <File Id="APPSENSOR_REQUEST_EXCEPTION_PROFILE.LUA" Name="appsensor_request_exception_profile.lua" Source="release\owasp_crs\lua\appsensor_request_exception_profile.lua" />
- <File Id="ARACHNI_INTEGRATION.LUA" Name="arachni_integration.lua" Source="release\owasp_crs\lua\arachni_integration.lua" />
- <File Id="BAYES_CHECK_SPAM.LUA" Name="bayes_check_spam.lua" Source="release\owasp_crs\lua\bayes_check_spam.lua" />
- <File Id="BAYES_TRAIN_HAM.LUA" Name="bayes_train_ham.lua" Source="release\owasp_crs\lua\bayes_train_ham.lua" />
- <File Id="BAYES_TRAIN_SPAM.LUA" Name="bayes_train_spam.lua" Source="release\owasp_crs\lua\bayes_train_spam.lua" />
- <File Id="GATHER_IP_DATA.LUA" Name="gather_ip_data.lua" Source="release\owasp_crs\lua\gather_ip_data.lua" />
- <File Id="OSVDB.LUA" Name="osvdb.lua" Source="release\owasp_crs\lua\osvdb.lua" />
- <File Id="PROFILE_PAGE_SCRIPTS.LUA" Name="profile_page_scripts.lua" Source="release\owasp_crs\lua\profile_page_scripts.lua" />
+ <File Id="README" Name="README" Source="release\owasp_crs\documentation\README" />
</Component>
+ <Directory Id="OWASP_CRS_DOCUMENTATION" Name="OWASP-CRS-Documentation">
+ </Directory>
</Directory>
- <Directory Id="OPTIONAL_RULES" Name="optional_rules">
- <Component Id="OPTIONAL_RULES" DiskId="1" Guid="8744C127-31F0-4C4E-85FB-D86BDEA3627B">
- <File Id="MODSECURITY_42_COMMENT_SPAM.DATA" Name="modsecurity_42_comment_spam.data" Source="release\owasp_crs\optional_rules\modsecurity_42_comment_spam.data" />
- <File Id="MODSECURITY_CRS_10_IGNORE_STATIC.CONF" Name="modsecurity_crs_10_ignore_static.conf" Source="release\owasp_crs\optional_rules\modsecurity_crs_10_ignore_static.conf" />
- <File Id="MODSECURITY_CRS_11_AVS_TRAFFIC.CONF" Name="modsecurity_crs_11_avs_traffic.conf" Source="release\owasp_crs\optional_rules\modsecurity_crs_11_avs_traffic.conf" />
- <File Id="MODSECURITY_CRS_13_XML_ENABLER.CONF" Name="modsecurity_crs_13_xml_enabler.conf" Source="release\owasp_crs\optional_rules\modsecurity_crs_13_xml_enabler.conf" />
- <File Id="MODSECURITY_CRS_16_AUTHENTICATION_TRACKING.CONF" Name="modsecurity_crs_16_authentication_tracking.conf" Source="release\owasp_crs\optional_rules\modsecurity_crs_16_authentication_tracking.conf" />
- <File Id="MODSECURITY_CRS_16_SESSION_HIJACKING.CONF" Name="modsecurity_crs_16_session_hijacking.conf" Source="release\owasp_crs\optional_rules\modsecurity_crs_16_session_hijacking.conf" />
- <File Id="MODSECURITY_CRS_16_USERNAME_TRACKING.CONF" Name="modsecurity_crs_16_username_tracking.conf" Source="release\owasp_crs\optional_rules\modsecurity_crs_16_username_tracking.conf" />
- <File Id="MODSECURITY_CRS_25_CC_KNOWN.CONF" Name="modsecurity_crs_25_cc_known.conf" Source="release\owasp_crs\optional_rules\modsecurity_crs_25_cc_known.conf" />
- <File Id="MODSECURITY_CRS_42_COMMENT_SPAM.CONF" Name="modsecurity_crs_42_comment_spam.conf" Source="release\owasp_crs\optional_rules\modsecurity_crs_42_comment_spam.conf" />
- <File Id="MODSECURITY_CRS_43_CSRF_PROTECTION.CONF" Name="modsecurity_crs_43_csrf_protection.conf" Source="release\owasp_crs\optional_rules\modsecurity_crs_43_csrf_protection.conf" />
- <File Id="MODSECURITY_CRS_46_AV_SCANNING.CONF" Name="modsecurity_crs_46_av_scanning.conf" Source="release\owasp_crs\optional_rules\modsecurity_crs_46_av_scanning.conf" />
- <File Id="MODSECURITY_CRS_47_SKIP_OUTBOUND_CHECKS.CONF" Name="modsecurity_crs_47_skip_outbound_checks.conf" Source="release\owasp_crs\optional_rules\modsecurity_crs_47_skip_outbound_checks.conf" />
- <File Id="MODSECURITY_CRS_49_HEADER_TAGGING.CONF" Name="modsecurity_crs_49_header_tagging.conf" Source="release\owasp_crs\optional_rules\modsecurity_crs_49_header_tagging.conf" />
- <File Id="MODSECURITY_CRS_55_APPLICATION_DEFECTS.CONF" Name="modsecurity_crs_55_application_defects.conf" Source="release\owasp_crs\optional_rules\modsecurity_crs_55_application_defects.conf" />
- <File Id="MODSECURITY_CRS_55_MARKETING.CONF" Name="modsecurity_crs_55_marketing.conf" Source="release\owasp_crs\optional_rules\modsecurity_crs_55_marketing.conf" />
+ <Directory Id="ID_RENUMBERING" Name="id_renumbering">
+ <Component Id="ID_NUMBERING" DiskId="1" Guid="F06FC044-52E6-412E-80E6-6644486A522D">
+ <File Id="IDNUMBERING_1" Name="IDNUMBERING" Source="release\owasp_crs\id_renumbering\IDNUMBERING" />
+ <File Id="IDNUMBERING.CSV" Name="IdNumbering.csv" Source="release\owasp_crs\id_renumbering\IdNumbering.csv" />
+ <File Id="UPDATE.PY" Name="update.py" Source="release\owasp_crs\id_renumbering\update.py" />
</Component>
</Directory>
- <Directory Id="SLR_RULES" Name="slr_rules">
- <Component Id="SLR_RULES" DiskId="1" Guid="A880D035-8933-4A83-9D14-2FE010F4BF79">
- <File Id="MODSECURITY_46_SLR_ET_JOOMLA.DATA" Name="modsecurity_46_slr_et_joomla.data" Source="release\owasp_crs\slr_rules\modsecurity_46_slr_et_joomla.data" />
- <File Id="MODSECURITY_46_SLR_ET_LFI.DATA" Name="modsecurity_46_slr_et_lfi.data" Source="release\owasp_crs\slr_rules\modsecurity_46_slr_et_lfi.data" />
- <File Id="MODSECURITY_46_SLR_ET_PHPBB.DATA" Name="modsecurity_46_slr_et_phpbb.data" Source="release\owasp_crs\slr_rules\modsecurity_46_slr_et_phpbb.data" />
- <File Id="MODSECURITY_46_SLR_ET_RFI.DATA" Name="modsecurity_46_slr_et_rfi.data" Source="release\owasp_crs\slr_rules\modsecurity_46_slr_et_rfi.data" />
- <File Id="MODSECURITY_46_SLR_ET_SQLI.DATA" Name="modsecurity_46_slr_et_sqli.data" Source="release\owasp_crs\slr_rules\modsecurity_46_slr_et_sqli.data" />
- <File Id="MODSECURITY_46_SLR_ET_WORDPRESS.DATA" Name="modsecurity_46_slr_et_wordpress.data" Source="release\owasp_crs\slr_rules\modsecurity_46_slr_et_wordpress.data" />
- <File Id="MODSECURITY_46_SLR_ET_XSS.DATA" Name="modsecurity_46_slr_et_xss.data" Source="release\owasp_crs\slr_rules\modsecurity_46_slr_et_xss.data" />
- <File Id="MODSECURITY_CRS_46_SLR_ET_JOOMLA_ATTACKS.CONF" Name="modsecurity_crs_46_slr_et_joomla_attacks.conf" Source="release\owasp_crs\slr_rules\modsecurity_crs_46_slr_et_joomla_attacks.conf" />
- <File Id="MODSECURITY_CRS_46_SLR_ET_LFI_ATTACKS.CONF" Name="modsecurity_crs_46_slr_et_lfi_attacks.conf" Source="release\owasp_crs\slr_rules\modsecurity_crs_46_slr_et_lfi_attacks.conf" />
- <File Id="MODSECURITY_CRS_46_SLR_ET_PHPBB_ATTACKS.CONF" Name="modsecurity_crs_46_slr_et_phpbb_attacks.conf" Source="release\owasp_crs\slr_rules\modsecurity_crs_46_slr_et_phpbb_attacks.conf" />
- <File Id="MODSECURITY_CRS_46_SLR_ET_RFI_ATTACKS.CONF" Name="modsecurity_crs_46_slr_et_rfi_attacks.conf" Source="release\owasp_crs\slr_rules\modsecurity_crs_46_slr_et_rfi_attacks.conf" />
- <File Id="MODSECURITY_CRS_46_SLR_ET_SQLI_ATTACKS.CONF" Name="modsecurity_crs_46_slr_et_sqli_attacks.conf" Source="release\owasp_crs\slr_rules\modsecurity_crs_46_slr_et_sqli_attacks.conf" />
- <File Id="MODSECURITY_CRS_46_SLR_ET_WORDPRESS_ATTACKS.CONF" Name="modsecurity_crs_46_slr_et_wordpress_attacks.conf" Source="release\owasp_crs\slr_rules\modsecurity_crs_46_slr_et_wordpress_attacks.conf" />
- <File Id="MODSECURITY_CRS_46_SLR_ET_XSS_ATTACKS.CONF" Name="modsecurity_crs_46_slr_et_xss_attacks.conf" Source="release\owasp_crs\slr_rules\modsecurity_crs_46_slr_et_xss_attacks.conf" />
+ <Directory Id="RULES" Name="rules">
+ <Component Id="RULES" DiskId="1" Guid="66EB7DE9-E12D-4360-B096-75CAB0498E88">
+ <File Id="CRAWLERS_USER_AGENTS.DATA" Name="crawlers-user-agents.data" Source="release\owasp_crs\rules\crawlers-user-agents.data" />
+ <File Id="IIS_ERRORS.DATA" Name="iis-errors.data" Source="release\owasp_crs\rules\iis-errors.data" />
+ <File Id="JAVA_CODE_LEAKAGES.DATA" Name="java-code-leakages.data" Source="release\owasp_crs\rules\java-code-leakages.data" />
+ <File Id="JAVA_ERRORS.DATA" Name="java-errors.data" Source="release\owasp_crs\rules\java-errors.data" />
+ <File Id="LFI_OS_FILES.DATA" Name="lfi-os-files.data" Source="release\owasp_crs\rules\lfi-os-files.data" />
+ <File Id="PHP_CONFIG_DIRECTIVES.DATA" Name="php-config-directives.data" Source="release\owasp_crs\rules\php-config-directives.data" />
+ <File Id="PHP_ERRORS.DATA" Name="php-errors.data" Source="release\owasp_crs\rules\php-errors.data" />
+ <File Id="PHP_FUNCTION_NAMES_933150.DATA" Name="php-function-names-933150.data" Source="release\owasp_crs\rules\php-function-names-933150.data" />
+ <File Id="PHP_FUNCTION_NAMES_933151.DATA" Name="php-function-names-933151.data" Source="release\owasp_crs\rules\php-function-names-933151.data" />
+ <File Id="PHP_VARIABLES.DATA" Name="php-variables.data" Source="release\owasp_crs\rules\php-variables.data" />
+ <File Id="REQUEST_900_EXCLUSION_RULES_BEFORE_CRS.conf.example" Name="REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf" Source="release\owasp_crs\rules\REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf" />
+ <File Id="REQUEST_901_INITIALIZATION.conf" Name="REQUEST-901-INITIALIZATION.conf" Source="release\owasp_crs\rules\REQUEST-901-INITIALIZATION.conf" />
+ <File Id="REQUEST_903.9001_DRUPAL_EXCLUSION_RULES.conf" Name="REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf" Source="release\owasp_crs\rules\REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf" />
+ <File Id="REQUEST_903.9002_WORDPRESS_EXCLUSION_RULES.conf" Name="REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf" Source="release\owasp_crs\rules\REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf" />
+ <File Id="REQUEST_905_COMMON_EXCEPTIONS.conf" Name="REQUEST-905-COMMON-EXCEPTIONS.conf" Source="release\owasp_crs\rules\REQUEST-905-COMMON-EXCEPTIONS.conf" />
+ <File Id="REQUEST_910_IP_REPUTATION.conf" Name="REQUEST-910-IP-REPUTATION.conf" Source="release\owasp_crs\rules\REQUEST-910-IP-REPUTATION.conf" />
+ <File Id="REQUEST_911_METHOD_ENFORCEMENT.conf" Name="REQUEST-911-METHOD-ENFORCEMENT.conf" Source="release\owasp_crs\rules\REQUEST-911-METHOD-ENFORCEMENT.conf" />
+ <File Id="REQUEST_912_DOS_PROTECTION.conf" Name="REQUEST-912-DOS-PROTECTION.conf" Source="release\owasp_crs\rules\REQUEST-912-DOS-PROTECTION.conf" />
+ <File Id="REQUEST_913_SCANNER_DETECTION.conf" Name="REQUEST-913-SCANNER-DETECTION.conf" Source="release\owasp_crs\rules\REQUEST-913-SCANNER-DETECTION.conf" />
+ <File Id="REQUEST_920_PROTOCOL_ENFORCEMENT.conf" Name="REQUEST-920-PROTOCOL-ENFORCEMENT.conf" Source="release\owasp_crs\rules\REQUEST-920-PROTOCOL-ENFORCEMENT.conf" />
+ <File Id="REQUEST_921_PROTOCOL_ATTACK.conf" Name="REQUEST-921-PROTOCOL-ATTACK.conf" Source="release\owasp_crs\rules\REQUEST-921-PROTOCOL-ATTACK.conf" />
+ <File Id="REQUEST_930_APPLICATION_ATTACK_LFI.conf" Name="REQUEST-930-APPLICATION-ATTACK-LFI.conf" Source="release\owasp_crs\rules\REQUEST-930-APPLICATION-ATTACK-LFI.conf" />
+ <File Id="REQUEST_931_APPLICATION_ATTACK_RFI.conf" Name="REQUEST-931-APPLICATION-ATTACK-RFI.conf" Source="release\owasp_crs\rules\REQUEST-931-APPLICATION-ATTACK-RFI.conf" />
+ <File Id="REQUEST_932_APPLICATION_ATTACK_RCE.conf" Name="REQUEST-932-APPLICATION-ATTACK-RCE.conf" Source="release\owasp_crs\rules\REQUEST-932-APPLICATION-ATTACK-RCE.conf" />
+ <File Id="REQUEST_933_APPLICATION_ATTACK_PHP.conf" Name="REQUEST-933-APPLICATION-ATTACK-PHP.conf" Source="release\owasp_crs\rules\REQUEST-933-APPLICATION-ATTACK-PHP.conf" />
+ <File Id="REQUEST_941_APPLICATION_ATTACK_XSS.conf" Name="REQUEST-941-APPLICATION-ATTACK-XSS.conf" Source="release\owasp_crs\rules\REQUEST-941-APPLICATION-ATTACK-XSS.conf" />
+ <File Id="REQUEST_942_APPLICATION_ATTACK_SQLI.conf" Name="REQUEST-942-APPLICATION-ATTACK-SQLI.conf" Source="release\owasp_crs\rules\REQUEST-942-APPLICATION-ATTACK-SQLI.conf" />
+ <File Id="REQUEST_943_APPLICATION_ATTACK_SESSION_FIXATION.conf" Name="REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf" Source="release\owasp_crs\rules\REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf" />
+ <File Id="REQUEST_949_BLOCKING_EVALUATION.conf" Name="REQUEST-949-BLOCKING-EVALUATION.conf" Source="release\owasp_crs\rules\REQUEST-949-BLOCKING-EVALUATION.conf" />
+ <File Id="RESPONSE_950_DATA_LEAKAGES.conf" Name="RESPONSE-950-DATA-LEAKAGES.conf" Source="release\owasp_crs\rules\RESPONSE-950-DATA-LEAKAGES.conf" />
+ <File Id="RESPONSE_951_DATA_LEAKAGES_SQL.conf" Name="RESPONSE-951-DATA-LEAKAGES-SQL.conf" Source="release\owasp_crs\rules\RESPONSE-951-DATA-LEAKAGES-SQL.conf" />
+ <File Id="RESPONSE_952_DATA_LEAKAGES_JAVA.conf" Name="RESPONSE-952-DATA-LEAKAGES-JAVA.conf" Source="release\owasp_crs\rules\RESPONSE-952-DATA-LEAKAGES-JAVA.conf" />
+ <File Id="RESPONSE_953_DATA_LEAKAGES_PHP.conf" Name="RESPONSE-953-DATA-LEAKAGES-PHP.conf" Source="release\owasp_crs\rules\RESPONSE-953-DATA-LEAKAGES-PHP.conf" />
+ <File Id="RESPONSE_954_DATA_LEAKAGES_IIS.conf" Name="RESPONSE-954-DATA-LEAKAGES-IIS.conf" Source="release\owasp_crs\rules\RESPONSE-954-DATA-LEAKAGES-IIS.conf" />
+ <File Id="RESPONSE_959_BLOCKING_EVALUATION.conf" Name="RESPONSE-959-BLOCKING-EVALUATION.conf" Source="release\owasp_crs\rules\RESPONSE-959-BLOCKING-EVALUATION.conf" />
+ <File Id="RESPONSE_980_CORRELATION.conf" Name="RESPONSE-980-CORRELATION.conf" Source="release\owasp_crs\rules\RESPONSE-980-CORRELATION.conf" />
+ <File Id="RESPONSE_999_EXCLUSION_RULES_AFTER_CRS.conf" Name="RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf" Source="release\owasp_crs\rules\RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf" />
+ <File Id="RESTRICTED_FILES.DATA" Name="restricted-files.data" Source="release\owasp_crs\rules\restricted-files.data" />
+ <File Id="SCANNERS_HEADERS.DATA" Name="scanners-headers.data" Source="release\owasp_crs\rules\scanners-headers.data" />
+ <File Id="SCANNERS_URLS.DATA" Name="scanners-urls.data" Source="release\owasp_crs\rules\scanners-urls.data" />
+ <File Id="SCANNERS_USER_AGENTS.DATA" Name="scanners-user-agents.data" Source="release\owasp_crs\rules\scanners-user-agents.data" />
+ <File Id="SCRIPTING_USER_AGENTS.DATA" Name="scripting-user-agents.data" Source="release\owasp_crs\rules\scripting-user-agents.data" />
+ <File Id="SQL_ERRORS.DATA" Name="sql-errors.data" Source="release\owasp_crs\rules\sql-errors.data" />
+ <File Id="SQL_FUNCTION_NAMES.DATA" Name="sql-function-names.data" Source="release\owasp_crs\rules\sql-function-names.data" />
+ <File Id="UNIX_SHELL.DATA" Name="unix-shell.data" Source="release\owasp_crs\rules\unix-shell.data" />
+ <File Id="WINDOWS_POWERSHELL_COMMANDS.DATA" Name="windows-powershell-commands.data" Source="release\owasp_crs\rules\windows-powershell-commands.data" />
</Component>
- </Directory>
+ </Directory>
<Directory Id="UTIL" Name="util">
<Component Id="UTIL" DiskId="1" Guid="A95D50D7-4E87-4A87-BAD1-12370B8F5B9B">
+ <File Id="ID_RANGE" Name="id-range" Source="release\owasp_crs\util\id-range" />
<File Id="README_1" Name="README" Source="release\owasp_crs\util\README" />
+ <File Id="UPGRADE.PY" Name="upgrade.py" Source="release\owasp_crs\util\upgrade.py" />
+ <File Id="VERIFY.RB" Name="verify.rb" Source="release\owasp_crs\util\verify.rb" />
</Component>
<Directory Id="AV_SCANNING" Name="av-scanning">
<Component Id="RUNAV" DiskId="1" Guid="398B0257-F78A-4F8C-B313-90D0F61581A9">
@@ -267,6 +238,43 @@
<File Id="JS_OVERRIDES.JS" Name="js-overrides.js" Source="release\owasp_crs\util\browser-tools\js-overrides.js" />
</Component>
</Directory>
+ <Directory Id="DEBUG" Name="debug">
+ <Component Id="DEBUG" DiskId="1" Guid="A81D4319-9C26-4E29-A0BD-FC2DED0045A8">
+ <File Id="RESPONSE_981_DEBUG.CONF" Name="RESPONSE-981-DEBUG.conf" Source="release\owasp_crs\util\debug\RESPONSE-981-DEBUG.conf" />
+ </Component>
+ </Directory>
+ <Directory Id="GEO_LOCATION" Name="geo-location">
+ <Component Id="GEO_LOCATION" DiskId="1" Guid="A81D4319-9C26-4E29-A0BD-FC2DED0045A9">
+ <File Id="README_2" Name="README" Source="release\owasp_crs\util\geo-location\README" />
+ </Component>
+ </Directory>
+ <Directory Id="INTEGRATION" Name="integration">
+ <Component Id="INTEGRATION" DiskId="1" Guid="A81D4319-9C26-4E29-A0BD-FC2DED0045B0">
+ <File Id="FORMAT_TESTS.PY" Name="format_tests.py" Source="release\owasp_crs\util\integration\format_tests.py" />
+ <File Id="REQUIREMENTS.TXT" Name="requirements.txt" Source="release\owasp_crs\util\integration\requirements.txt" />
+ </Component>
+ </Directory>
+ <Directory Id="JOIN_MULTILINE_RULES" Name="join-multiline-rules">
+ <Component Id="JOIN_MULTILINE_RULES" DiskId="1" Guid="A81D4319-9C26-4E29-A0BD-FC2DED0045B1">
+ <File Id="JOIN.PY" Name="join.py" Source="release\owasp_crs\util\join-multiline-rules\join.py" />
+ </Component>
+ </Directory>
+ <Directory Id="REGEXP_ASSEMBLE" Name="regexp-assemble">
+ <Component Id="REGEXP_ASSEMBLE" DiskId="1" Guid="A81D4319-9C26-4E29-A0BD-FC2DED0045B2">
+ <File Id="REGEXP_932130.DATA" Name="regexp-932130.data" Source="release\owasp_crs\util\regexp-assemble\regexp-932130.data" />
+ <File Id="REGEXP_932140.DATA" Name="regexp-932140.data" Source="release\owasp_crs\util\regexp-assemble\regexp-932140.data" />
+ <File Id="REGEXP_933131.DATA" Name="regexp-933131.data" Source="release\owasp_crs\util\regexp-assemble\regexp-933131.data" />
+ <File Id="REGEXP_933160.DATA" Name="regexp-933160.data" Source="release\owasp_crs\util\regexp-assemble\regexp-933160.data" />
+ <File Id="REGEXP_933161.DATA" Name="regexp-933161.data" Source="release\owasp_crs\util\regexp-assemble\regexp-933161.data" />
+ <File Id="REGEXP_ASSEMBLE.PL" Name="regexp-assemble.pl" Source="release\owasp_crs\util\regexp-assemble\regexp-assemble.pl" />
+ <File Id="REGEXP_932100.TXT" Name="regexp-932100.txt" Source="release\owasp_crs\util\regexp-assemble\regexp-932100.txt" />
+ <File Id="REGEXP_932105.TXT" Name="regexp-932105.txt" Source="release\owasp_crs\util\regexp-assemble\regexp-932105.txt" />
+ <File Id="REGEXP_932110.TXT" Name="regexp-932110.txt" Source="release\owasp_crs\util\regexp-assemble\regexp-932110.txt" />
+ <File Id="REGEXP_932115.TXT" Name="regexp-932115.txt" Source="release\owasp_crs\util\regexp-assemble\regexp-932115.txt" />
+ <File Id="REGEXP_932150.TXT" Name="regexp-932150.txt" Source="release\owasp_crs\util\regexp-assemble\regexp-932150.txt" />
+ <File Id="REGEXP_CMDLINE.PY" Name="regexp-cmdline.py" Source="release\owasp_crs\util\regexp-assemble\regexp-cmdline.py" />
+ </Component>
+ </Directory>
<Directory Id="HONEYPOT_SENSOR" Name="honeypot-sensor">
<Component Id="HONEYPOT_SENSOR" DiskId="1" Guid="3D3DD51F-70FF-41CE-A756-2C2935A71BA8">
<File Id="MLOGC_HONEYPOT_SENSOR.CONF" Name="mlogc-honeypot-sensor.conf" Source="release\owasp_crs\util\honeypot-sensor\mlogc-honeypot-sensor.conf" />
@@ -276,35 +284,11 @@
</Directory>
<Directory Id="REGRESSION_TESTS" Name="regression-tests">
<Component Id="REGRESSION_TESTS" DiskId="1" Guid="02AF3C5A-DCF9-4DB6-A1C8-B1EF140C8EBC">
- <File Id="INSTALL_1" Name="INSTALL" Source="release\owasp_crs\util\regression-tests\INSTALL" />
- <File Id="MODSECURITY_CRS_59_HEADER_TAGGING.CONF" Name="modsecurity_crs_59_header_tagging.conf" Source="release\owasp_crs\util\regression-tests\modsecurity_crs_59_header_tagging.conf" />
- <File Id="README_2" Name="README" Source="release\owasp_crs\util\regression-tests\README" />
- <File Id="RULESTEST.CONF" Name="rulestest.conf" Source="release\owasp_crs\util\regression-tests\rulestest.conf" />
- <File Id="RULESTEST.PL" Name="rulestest.pl" Source="release\owasp_crs\util\regression-tests\rulestest.pl" />
- <File Id="TESTSERVER.CGI" Name="testserver.cgi" Source="release\owasp_crs\util\regression-tests\testserver.cgi" />
+ <File Id="README_3" Name="README" Source="release\owasp_crs\util\regression-tests\README" />
</Component>
- <Directory Id="TESTS" Name="tests">
- <Component Id="TESTS" DiskId="1" Guid="FCCBB8FE-4327-4AF0-AB5C-3120858EBB16">
- <File Id="MODSECURITY_CRS_20_PROTOCOL_VIOLATIONS.TESTS" Name="modsecurity_crs_20_protocol_violations.tests" Source="release\owasp_crs\util\regression-tests\tests\modsecurity_crs_20_protocol_violations.tests" />
- <File Id="MODSECURITY_CRS_21_PROTOCOL_ANOMALIES.TESTS" Name="modsecurity_crs_21_protocol_anomalies.tests" Source="release\owasp_crs\util\regression-tests\tests\modsecurity_crs_21_protocol_anomalies.tests" />
- <File Id="MODSECURITY_CRS_23_REQUEST_LIMITS.TESTS" Name="modsecurity_crs_23_request_limits.tests" Source="release\owasp_crs\util\regression-tests\tests\modsecurity_crs_23_request_limits.tests" />
- <File Id="MODSECURITY_CRS_30_HTTP_POLICY.TESTS" Name="modsecurity_crs_30_http_policy.tests" Source="release\owasp_crs\util\regression-tests\tests\modsecurity_crs_30_http_policy.tests" />
- <File Id="MODSECURITY_CRS_35_BAD_ROBOTS.TESTS" Name="modsecurity_crs_35_bad_robots.tests" Source="release\owasp_crs\util\regression-tests\tests\modsecurity_crs_35_bad_robots.tests" />
- <File Id="MODSECURITY_CRS_40_GENERIC_ATTACKS.TESTS" Name="modsecurity_crs_40_generic_attacks.tests" Source="release\owasp_crs\util\regression-tests\tests\modsecurity_crs_40_generic_attacks.tests" />
- <File Id="MODSECURITY_CRS_41_SQL_INJECTION_ATTACKS.TESTS" Name="modsecurity_crs_41_sql_injection_attacks.tests" Source="release\owasp_crs\util\regression-tests\tests\modsecurity_crs_41_sql_injection_attacks.tests" />
- <File Id="MODSECURITY_CRS_41_XSS_ATTACKS.TESTS" Name="modsecurity_crs_41_xss_attacks.tests" Source="release\owasp_crs\util\regression-tests\tests\modsecurity_crs_41_xss_attacks.tests" />
- <File Id="MODSECURITY_CRS_50_OUTBOUND.TESTS" Name="modsecurity_crs_50_outbound.tests" Source="release\owasp_crs\util\regression-tests\tests\modsecurity_crs_50_outbound.tests" />
- <File Id="RUBY.TESTS" Name="ruby.tests" Source="release\owasp_crs\util\regression-tests\tests\ruby.tests" />
- </Component>
+ <Directory Id="OWASP_CRS_REGRESSIONS" Name="OWASP-CRS-regressions">
</Directory>
</Directory>
- <Directory Id="RULE_MANAGEMENT" Name="rule-management">
- <Component Id="RULE_MANAGEMENT" DiskId="1" Guid="0368949F-5721-4648-A789-1D5598F327F5">
- <File Id="ID_RANGE" Name="id-range" Source="release\owasp_crs\util\rule-management\id-range" />
- <File Id="REMOVE_2.7_ACTIONS.PL" Name="remove-2.7-actions.pl" Source="release\owasp_crs\util\rule-management\remove-2.7-actions.pl" />
- <File Id="VERIFY.RB" Name="verify.rb" Source="release\owasp_crs\util\rule-management\verify.rb" />
- </Component>
- </Directory>
<Directory Id="VIRTUAL_PATCHING" Name="virtual-patching">
<Component Id="VIRTUAL_PATCHING" DiskId="1" Guid="DDDD3A2B-CEC1-42B3-9984-2987CA5BA311">
<File Id="ARACHNI2MODSEC.PL" Name="arachni2modsec.pl" Source="release\owasp_crs\util\virtual-patching\arachni2modsec.pl" />
@@ -313,13 +297,14 @@
</Directory>
</Directory>
</Directory>
+ -->
</Directory>
- </Directory>
+ </Directory>
<Directory Id="ProgramMenuFolder">
<Directory Id="ProgramMenuDir" Name="ModSecurity IIS">
<Component Id="StartMenuShortcuts" Guid="43C26B13-C4D8-42F8-8715-3AF78E66C902">
<util:InternetShortcut Id="WebsiteShortcut" Name="ModSecurity" Target="http://www.modsecurity.org/" />
- <util:InternetShortcut Id="CSR" Name="OWASP ModSecurity Core Rule Set" Target="http://spIderlabs.github.io/owasp-modsecurity-crs/" />
+ <!--<util:InternetShortcut Id="CSR" Name="OWASP ModSecurity Core Rule Set" Target="http://spIderlabs.github.io/owasp-modsecurity-crs/" />-->
<RemoveFolder Id="ProgramMenuDir" On="uninstall" />
<RegistryValue Root="HKCU" Key="Software\[Manufacturer]\[ProductName]" Type="string" Value="" />
<Shortcut Id="UninstallProduct" Name="Uninstall" Description="Uninstalls the ModSecurity IIS" Target="[System64Folder]msiexec.exe" Arguments="/x [ProductCode]" />
@@ -334,121 +319,208 @@
</Directory>
</Directory>
</Directory>
- <DirectoryRef Id="INSTALLFOLDER">
- <Component Id="ModSecCommon" DiskId="1" Guid="980270DF-81AB-469B-AB0E-64FA3BA160B6" Location="local">
- <File Id="README.TXT" Name="README.TXT" Source="wix\README.TXT" />
- <File Id="EULA.RTF" Name="EULA.rtf" Source="wix\EULA.rtf" />
- <File Id="modsecurity.conf" Name="modsecurity.conf" Source="wix\modsecurity.conf" />
- <File Id="modsecurity_iis.conf" Name="modsecurity_iis.conf" Source="wix\modsecurity_iis.conf" />
- <!-- <File Id="modsecurity_crs_10_setup.conf" Name="modsecurity_crs_10_setup.conf" Source="wix\modsecurity_crs_10_setup.conf" /> -->
- <File Id="LIST_DEPENDENCIES.BAT" Name="list_dependencies.bat" Source="wix\list_dependencies.bat" />
- <File Id="ModSecurity.xml" Name="ModSecurity.xml" Source="ModSecurity.xml" />
- <!-- Modify ApplicationHost.config -->
- <util:XmlConfig Id="appHostEntry" File="$(var.ConfigFile)" Action="create" ElementPath="//configuration/configSections/sectionGroup[\[]@name='system.webServer'[\]]" VerifyPath="section[\[]@name='ModSecurity'[\]]" Name="section" Node="element" Sequence="1" On="install" />
- <util:XmlConfig Id="appHostEntryName" File="$(var.ConfigFile)" ElementPath="appHostEntry" Name="name" Value="ModSecurity" Sequence="2" />
- <util:XmlConfig Id="appHostEntryOverrideMode" File="$(var.ConfigFile)" ElementPath="appHostEntry" Name="overrideModeDefault" Value="Deny" Sequence="3" />
- <util:XmlConfig Id="appHostEntryAllowDefinition" File="$(var.ConfigFile)" ElementPath="appHostEntry" Name="allowDefinition" Value="Everywhere" Sequence="4" />
- <util:XmlConfig Id="removeAppHostEntry" File="$(var.ConfigFile)" Action="delete" ElementPath="/configuration/configSections/sectionGroup[\[]@name='system.webServer'[\]]" Node="element" VerifyPath="section[\[]@name='ModSecurity'[\]]" On="uninstall" Sequence="1" />
- <util:XmlConfig Id="removeAppHostEntry2" File="$(var.ConfigFile)" Action="delete" ElementPath="/configuration/system.webServer" Node="element" VerifyPath="/configuration/system.webServer/ModSecurity" Name="section" On="uninstall" Sequence="2" />
- <RegistryKey Root="HKLM" Key="SOFTWARE\ModSecurity\ModSecurity" Action="createAndRemoveOnUninstall">
- <RegistryValue Type="string" Name="ModSecurityConfigureIIS" Value="[IIS_SETUP]" KeyPath="yes" />
- </RegistryKey>
- </Component>
- </DirectoryRef>
- <?if $(var.Win64) = "yes" ?>
- <DirectoryRef Id="inetsrv64">
- <Component Id="ModSec64" DiskId="1" Guid="514A81F0-2413-42EF-B19F-E2613125ECE0" Win64="yes" Location="local">
- <File Id="_64_LIBAPR_1" Name="libapr-1.dll" Source="Release\amd64\libapr-1.dll" />
- <File Id="_64_LIBAPRICONV_1" Name="libapriconv-1.dll" Source="Release\amd64\libapriconv-1.dll" />
- <File Id="_64_LIBAPRUTIL_1" Name="libaprutil-1.dll" Source="Release\amd64\libaprutil-1.dll" />
- <File Id="_64_LIBCURL" Name="libcurl.dll" Source="Release\amd64\libcurl.dll" />
- <File Id="_64_LIBXML2" Name="libxml2.dll" Source="Release\amd64\libxml2.dll" />
- <File Id="_64_LUA5.1" Name="lua5.1.dll" Source="Release\amd64\lua5.1.dll" />
- <File Id="_64_YAJL" Name="yajl.dll" Source="Release\amd64\yajl.dll" />
- <File Id="_64_MLOGC" Name="mlogc.exe" Source="Release\amd64\mlogc.exe" />
- <File Id="_64_MODSECURITYIIS" Name="ModSecurityIIS.dll" Source="Release\amd64\ModSecurityIIS.dll" />
- <File Id="_64_PCRE" Name="pcre.dll" Source="Release\amd64\pcre.dll" />
- <File Id="_64_ZLIB1" Name="zlib1.dll" Source="Release\amd64\zlib1.dll" />
- <File Id="_64_FUZZY" Name="fuzzy.dll" Source="Release\amd64\fuzzy.dll" />
- </Component>
- </DirectoryRef>
- <DirectoryRef Id="inetsrv32">
- <Component Id="ModSec32" DiskId="1" Guid="514A81F0-2413-42EF-B19F-E2613125ECE7" Win64="no" Location="local">
- <File Id="_32_LIBAPR_1" Name="libapr-1.dll" Source="Release\x86\libapr-1.dll" />
- <File Id="_32_LIBAPRICONV_1" Name="libapriconv-1.dll" Source="Release\x86\libapriconv-1.dll" />
- <File Id="_32_LIBAPRUTIL_1" Name="libaprutil-1.dll" Source="Release\x86\libaprutil-1.dll" />
- <File Id="_32_LIBCURL" Name="libcurl.dll" Source="Release\x86\libcurl.dll" />
- <File Id="_32_LIBXML2" Name="libxml2.dll" Source="Release\x86\libxml2.dll" />
- <File Id="_32_LUA5.1" Name="lua5.1.dll" Source="Release\x86\lua5.1.dll" />
- <File Id="_32_YAJL" Name="yajl.dll" Source="Release\x86\yajl.dll" />
- <File Id="_32_MLOGC" Name="mlogc.exe" Source="Release\x86\mlogc.exe" />
- <File Id="_32_MODSECURITYIIS" Name="ModSecurityIIS.dll" Source="Release\x86\ModSecurityIIS.dll" />
- <File Id="_32_PCRE" Name="pcre.dll" Source="Release\x86\pcre.dll" />
- <File Id="_32_ZLIB1" Name="zlib1.dll" Source="Release\x86\zlib1.dll" />
- <File Id="_32_FUZZY" Name="fuzzy.dll" Source="Release\x86\fuzzy.dll" />
- </Component>
- </DirectoryRef>
- <DirectoryRef Id="SystemFolderConfigSchema32">
- <Component Id="ConfigSchema32" Guid="514A81F0-2413-42EF-B19F-E2613125EC11" Location="local" Win64="no">
- <File Id="_32_ConfigSchema" Name="ModSecurity.xml" Source="ModSecurity.xml" />
- </Component>
- </DirectoryRef>
- <DirectoryRef Id="SystemFolderConfigSchema64">
- <Component Id="ConfigSchema64" Guid="514A81F0-2413-42EF-B19F-E2613125EC22" Location="local" Win64="yes">
- <File Id="_64_ConfigSchema" Name="ModSecurity.xml" Source="ModSecurity.xml" />
- </Component>
- </DirectoryRef>
- <?else ?>
- <DirectoryRef Id="inetsrv32">
- <Component Id="ModSec32" DiskId="1" Guid="514A81F0-2413-42EF-B19F-E2613125ECE1" Win64="no" Location="local">
- <File Id="_32_LIBAPR_1" Name="libapr-1.dll" Source="Release\x86\libapr-1.dll" />
- <File Id="_32_LIBAPRICONV_1" Name="libapriconv-1.dll" Source="Release\x86\libapriconv-1.dll" />
- <File Id="_32_LIBAPRUTIL_1" Name="libaprutil-1.dll" Source="Release\x86\libaprutil-1.dll" />
- <File Id="_32_LIBCURL" Name="libcurl.dll" Source="Release\x86\libcurl.dll" />
- <File Id="_32_LIBXML2" Name="libxml2.dll" Source="Release\x86\libxml2.dll" />
- <File Id="_32_LUA5.1" Name="lua5.1.dll" Source="Release\x86\lua5.1.dll" />
- <File Id="_32_YAJL" Name="yajl.dll" Source="Release\x86\yajl.dll" />
- <File Id="_32_MLOGC" Name="mlogc.exe" Source="Release\x86\mlogc.exe" />
- <File Id="_32_MODSECURITYIIS" Name="ModSecurityIIS.dll" Source="Release\x86\ModSecurityIIS.dll" />
- <File Id="_32_PCRE" Name="pcre.dll" Source="Release\x86\pcre.dll" />
- <File Id="_32_ZLIB1" Name="zlib1.dll" Source="Release\x86\zlib1.dll" />
- <File Id="_32_FUZZY" Name="fuzzy.dll" Source="Release\x86\fuzzy.dll" />
- </Component>
- </DirectoryRef>
- <DirectoryRef Id="SystemFolderConfigSchema32">
- <Component Id="ConfigSchema32" Guid="514A81F0-2413-42EF-B19F-E2613125EC11" Location="local" Win64="no">
- <File Id="_32_ConfigSchema" Name="ModSecurity.xml" Source="ModSecurity.xml" />
- </Component>
- </DirectoryRef>
- <?endif ?>
- <Feature Id="DefaultFeature" Title="ModSecurity IIS Common files" Level="1" InstallDefault="local" Absent="disallow" Display="expand" AllowAdvertise="no" Description="Configuration and common files">
- <ComponentRef Id="ModSecCommon" />
- <ComponentRef Id="ConfigSchema32" />
- <?if $(var.Win64) = "yes" ?>
- <ComponentRef Id="ConfigSchema64" />
- <?endif ?>
- <ComponentRef Id="StartMenuShortcuts" />
- <Feature Id="OWASP_ModSecurity_CRS_v2.2.9" Level="1" Title="OWASP ModSecurity CRS v2.2.9" InstallDefault="local" Display="expand" AllowAdvertise="no" Description="Install OWASP CRS v2.2.9">
- <ComponentRef Id="OWASP_CRS_V_2_2_9" />
- <ComponentRef Id="OWASP_CRS_V_2_2_9_SETUP" />
+ <DirectoryRef Id="INSTALLFOLDER"> <Component Id="ModSecCommon"
+ DiskId="1" Guid="980270DF-81AB-469B-AB0E-64FA3BA160B6"
+ Location="local"> <File Id="README.TXT"
+ Name="README.TXT" Source="wix\README.TXT" />
+ <File Id="EULA.RTF" Name="EULA.rtf"
+ Source="wix\EULA.rtf" /> <File
+ Id="modsecurity.conf" Name="modsecurity.conf"
+ Source="wix\modsecurity.conf" />
+ <File Id="modsecurity_iis.conf" Name="modsecurity_iis.conf"
+ Source="wix\modsecurity_iis.conf" /> <File
+ Id="unicode.mapping" Name="unicode.mapping"
+ Source="wix\unicode.mapping" />
+ <!-- <File Id="modsecurity_crs_10_setup.conf"
+ Name="modsecurity_crs_10_setup.conf"
+ Source="wix\modsecurity_crs_10_setup.conf" /> --> <File
+ Id="LIST_DEPENDENCIES.BAT" Name="list_dependencies.bat"
+ Source="wix\list_dependencies.bat" /> <File
+ Id="ModSecurity.xml" Name="ModSecurity.xml"
+ Source="ModSecurity.xml" />
+ <!-- Modify ApplicationHost.config --> <util:XmlConfig
+ Id="appHostEntry" File="$(var.ConfigFile)"
+ Action="create"
+ ElementPath="//configuration/configSections/sectionGroup[\[]@name='system.webServer'[\]]"
+ VerifyPath="section[\[]@name='ModSecurity'[\]]"
+ Name="section" Node="element" Sequence="1" On="install"
+ /> <util:XmlConfig Id="appHostEntryName"
+ File="$(var.ConfigFile)" ElementPath="appHostEntry"
+ Name="name" Value="ModSecurity" Sequence="2" />
+ <util:XmlConfig Id="appHostEntryOverrideMode"
+ File="$(var.ConfigFile)" ElementPath="appHostEntry"
+ Name="overrideModeDefault" Value="Allow" Sequence="3"
+ /> <util:XmlConfig Id="appHostEntryAllowDefinition"
+ File="$(var.ConfigFile)" ElementPath="appHostEntry"
+ Name="allowDefinition" Value="Everywhere" Sequence="4"
+ /> <util:XmlConfig Id="removeAppHostEntry"
+ File="$(var.ConfigFile)" Action="delete"
+ ElementPath="/configuration/configSections/sectionGroup[\[]@name='system.webServer'[\]]"
+ Node="element"
+ VerifyPath="section[\[]@name='ModSecurity'[\]]"
+ On="uninstall" Sequence="1" /> <util:XmlConfig
+ Id="removeAppHostEntry2" File="$(var.ConfigFile)"
+ Action="delete"
+ ElementPath="/configuration/system.webServer"
+ Node="element"
+ VerifyPath="/configuration/system.webServer/ModSecurity"
+ Name="section" On="uninstall" Sequence="2" />
+ <RegistryKey Root="HKLM" Key="SOFTWARE\ModSecurity\ModSecurity"
+ Action="createAndRemoveOnUninstall"> <RegistryValue
+ Type="string" Name="ModSecurityConfigureIIS"
+ Value="[IIS_SETUP]" KeyPath="yes" />
+ </RegistryKey> </Component> </DirectoryRef> <?if $(var.Win64) =
+ "yes" ?> <DirectoryRef Id="inetsrv64"> <Component Id="ModSec64"
+ DiskId="1"
+ Guid="514A81F0-2413-42EF-B19F-E2613125ECE0"
+ Win64="yes" Location="local"> <File
+ Id="_64_LIBAPR_1" Name="libapr-1.dll"
+ Source="Release\amd64\libapr-1.dll" />
+ <File Id="_64_LIBAPRICONV_1"
+ Name="libapriconv-1.dll"
+ Source="Release\amd64\libapriconv-1.dll"
+ /> <File Id="_64_LIBAPRUTIL_1"
+ Name="libaprutil-1.dll"
+ Source="Release\amd64\libaprutil-1.dll"
+ /> <File Id="_64_LIBCURL"
+ Name="libcurl.dll"
+ Source="Release\amd64\libcurl.dll" />
+ <File Id="_64_LIBXML2" Name="libxml2.dll"
+ Source="Release\amd64\libxml2.dll" />
+ <File Id="_64_LUA5.1" Name="lua5.1.dll"
+ Source="Release\amd64\lua5.1.dll" />
+ <File Id="_64_YAJL" Name="yajl.dll"
+ Source="Release\amd64\yajl.dll" />
+ <File Id="_64_MLOGC" Name="mlogc.exe"
+ Source="Release\amd64\mlogc.exe" />
+ <File Id="_64_MODSECURITYIIS"
+ Name="ModSecurityIIS.dll"
+ Source="Release\amd64\ModSecurityIIS.dll"
+ /> <File Id="_64_PCRE" Name="pcre.dll"
+ Source="Release\amd64\pcre.dll" />
+ <File Id="_64_ZLIB1" Name="zlib1.dll"
+ Source="Release\amd64\zlib1.dll" />
+ <File Id="_64_FUZZY" Name="fuzzy.dll"
+ Source="Release\amd64\fuzzy.dll" />
+ </Component> </DirectoryRef> <DirectoryRef
+ Id="inetsrv32"> <Component Id="ModSec32" DiskId="1"
+ Guid="514A81F0-2413-42EF-B19F-E2613125ECE7"
+ Win64="no" Location="local"> <File
+ Id="_32_LIBAPR_1" Name="libapr-1.dll"
+ Source="Release\x86\libapr-1.dll" />
+ <File Id="_32_LIBAPRICONV_1"
+ Name="libapriconv-1.dll"
+ Source="Release\x86\libapriconv-1.dll"
+ /> <File Id="_32_LIBAPRUTIL_1"
+ Name="libaprutil-1.dll"
+ Source="Release\x86\libaprutil-1.dll"
+ /> <File Id="_32_LIBCURL"
+ Name="libcurl.dll"
+ Source="Release\x86\libcurl.dll" />
+ <File Id="_32_LIBXML2" Name="libxml2.dll"
+ Source="Release\x86\libxml2.dll" />
+ <File Id="_32_LUA5.1" Name="lua5.1.dll"
+ Source="Release\x86\lua5.1.dll" />
+ <File Id="_32_YAJL" Name="yajl.dll"
+ Source="Release\x86\yajl.dll" /> <File
+ Id="_32_MLOGC" Name="mlogc.exe"
+ Source="Release\x86\mlogc.exe" /> <File
+ Id="_32_MODSECURITYIIS"
+ Name="ModSecurityIIS.dll"
+ Source="Release\x86\ModSecurityIIS.dll"
+ /> <File Id="_32_PCRE" Name="pcre.dll"
+ Source="Release\x86\pcre.dll" /> <File
+ Id="_32_ZLIB1" Name="zlib1.dll"
+ Source="Release\x86\zlib1.dll" /> <File
+ Id="_32_FUZZY" Name="fuzzy.dll"
+ Source="Release\x86\fuzzy.dll" />
+ </Component> </DirectoryRef> <DirectoryRef
+ Id="SystemFolderConfigSchema32"> <Component
+ Id="ConfigSchema32"
+ Guid="514A81F0-2413-42EF-B19F-E2613125EC11"
+ Location="local" Win64="no"> <File
+ Id="_32_ConfigSchema"
+ Name="ModSecurity.xml"
+ Source="ModSecurity.xml" />
+ </Component> </DirectoryRef> <DirectoryRef
+ Id="SystemFolderConfigSchema64"> <Component Id="ConfigSchema64"
+ Guid="514A81F0-2413-42EF-B19F-E2613125EC22"
+ Location="local" Win64="yes"> <File
+ Id="_64_ConfigSchema" Name="ModSecurity.xml"
+ Source="ModSecurity.xml" /> </Component>
+ </DirectoryRef> <?else ?> <DirectoryRef Id="inetsrv32">
+ <Component Id="ModSec32" DiskId="1"
+ Guid="514A81F0-2413-42EF-B19F-E2613125ECE1"
+ Win64="no" Location="local"> <File
+ Id="_32_LIBAPR_1" Name="libapr-1.dll"
+ Source="Release\x86\libapr-1.dll" />
+ <File Id="_32_LIBAPRICONV_1"
+ Name="libapriconv-1.dll"
+ Source="Release\x86\libapriconv-1.dll"
+ /> <File Id="_32_LIBAPRUTIL_1"
+ Name="libaprutil-1.dll"
+ Source="Release\x86\libaprutil-1.dll"
+ /> <File Id="_32_LIBCURL"
+ Name="libcurl.dll"
+ Source="Release\x86\libcurl.dll" />
+ <File Id="_32_LIBXML2" Name="libxml2.dll"
+ Source="Release\x86\libxml2.dll" />
+ <File Id="_32_LUA5.1" Name="lua5.1.dll"
+ Source="Release\x86\lua5.1.dll" />
+ <File Id="_32_YAJL" Name="yajl.dll"
+ Source="Release\x86\yajl.dll" /> <File
+ Id="_32_MLOGC" Name="mlogc.exe"
+ Source="Release\x86\mlogc.exe" /> <File
+ Id="_32_MODSECURITYIIS"
+ Name="ModSecurityIIS.dll"
+ Source="Release\x86\ModSecurityIIS.dll"
+ /> <File Id="_32_PCRE" Name="pcre.dll"
+ Source="Release\x86\pcre.dll" /> <File
+ Id="_32_ZLIB1" Name="zlib1.dll"
+ Source="Release\x86\zlib1.dll" /> <File
+ Id="_32_FUZZY" Name="fuzzy.dll"
+ Source="Release\x86\fuzzy.dll" />
+ </Component> </DirectoryRef> <DirectoryRef
+ Id="SystemFolderConfigSchema32"> <Component
+ Id="ConfigSchema32"
+ Guid="514A81F0-2413-42EF-B19F-E2613125EC11"
+ Location="local" Win64="no"> <File
+ Id="_32_ConfigSchema"
+ Name="ModSecurity.xml"
+ Source="ModSecurity.xml" />
+ </Component> </DirectoryRef> <?endif ?> <Feature
+ Id="DefaultFeature" Title="ModSecurity IIS Common files"
+ Level="1" InstallDefault="local" Absent="disallow"
+ Display="expand" AllowAdvertise="no" Description="Configuration
+ and common files"> <ComponentRef Id="ModSecCommon" />
+ <ComponentRef Id="ConfigSchema32" /> <?if $(var.Win64) = "yes"
+ ?> <ComponentRef Id="ConfigSchema64" /> <?endif ?>
+ <ComponentRef Id="StartMenuShortcuts" />
+ <!--
+ <Feature Id="OWASP_ModSecurity_CRS_v3.0.2" Level="1" Title="OWASP
+ ModSecurity CRS v3.0.2" InstallDefault="local" Display="expand"
+ AllowAdvertise="no" Description="Install OWASP CRS v3.0.2">
+ <ComponentRef Id="OWASP_CRS_V_3_0_2" /> <ComponentRef
+ Id="OWASP_CRS_V_3_0_2_SETUP" />
+ <ComponentRef Id="ID_NUMBERING" />
<ComponentRef Id="README" />
- <ComponentRef Id="BASE_RULES" />
- <ComponentRef Id="EXPERIMENTAL_RULES" />
- <ComponentRef Id="LUA" />
- <ComponentRef Id="OPTIONAL_RULES" />
- <ComponentRef Id="SLR_RULES" />
+ <ComponentRef Id="RULES" />
<ComponentRef Id="UTIL" />
<ComponentRef Id="RUNAV" />
<ComponentRef Id="RUNAV_RUNAV" />
<ComponentRef Id="BROWSER_TOOLS" />
+ <ComponentRef Id="DEBUG" />
+ <ComponentRef Id="GEO_LOCATION" />
+ <ComponentRef Id="INTEGRATION" />
+ <ComponentRef Id="JOIN_MULTILINE_RULES" />
+ <ComponentRef Id="REGEXP_ASSEMBLE" />
<ComponentRef Id="HONEYPOT_SENSOR" />
<ComponentRef Id="REGRESSION_TESTS" />
- <ComponentRef Id="TESTS" />
- <ComponentRef Id="RULE_MANAGEMENT" />
<ComponentRef Id="VIRTUAL_PATCHING" />
</Feature>
- </Feature>
+ -->
+ </Feature>
<Feature Id="VCRedist" Title="Visual C++ 12.0 Runtime" AllowAdvertise="no" Display="hidden" Level="1">
<?if $(var.Win64) = "yes" ?>
<MergeRef Id="VCRedist110_64" />
@@ -545,7 +617,7 @@
<Control Id="Description" Type="Text" X="25" Y="23" Width="280" Height="15" Transparent="yes" NoPrefix="yes" Text="Choose to configure ModSecurity on IIS or not." />
<Control Id="Text" Type="Text" X="25" Y="55" Width="320" Height="50" Text="ModSecurityIIS needs to be configured under IIS as a module. It is recommended to perform this configuration during the installation. However, if you are facing problems in the installation, the recomendation is to disable this step. This will facilitate the debugging process since the files will be installed in place. Note that some scripts will be installed along with ModSecurity common files that can be later used to help this configuration/debugging process." />
<Control Type="CheckBox" Id="ConfigureIIS" Width="200" Height="14" X="25" Y="124" CheckBoxValue="1" Property="IIS_SETUP" Text="Perform ModSecurityIIS configuration." />
- <Control Type="Text" Id="troubleshooting" Width="314" Height="37" X="26" Y="161" Text="For further information about problems during the installation, have a look at ModSecurityIIS Troubleshooting guide. Available at: https://github.com/SpiderLabs/ModSecurity/wiki/IIS-Troubleshooting" />
+ <Control Type="Text" Id="troubleshooting" Width="314" Height="67" X="26" Y="161" Text="For further information about problems during the installation, have a look at ModSecurityIIS Troubleshooting guide. Available at: https://github.com/owasp-modsecurity/ModSecurity/wiki/IIS-Troubleshooting. ATTENTION: This installation process no longer install OWASP CRS. Please refer to the OWASP CRS Project to understand how to install it. " />
</Dialog>
<Binary Id="bannrbmp" SourceFile="wix\banner.jpg" />
<TextStyle Id="WixUI_Font_Normal" FaceName="Tahoma" Size="8" />
diff --git a/iis/moduleconfig.cpp b/iis/moduleconfig.cpp
index a92d51ffb1..d3bcefc9b6 100644
--- a/iis/moduleconfig.cpp
+++ b/iis/moduleconfig.cpp
@@ -466,11 +466,8 @@ MODSECURITY_STORED_CONTEXT::~MODSECURITY_STORED_CONTEXT()
MODSECURITY_STORED_CONTEXT::MODSECURITY_STORED_CONTEXT():
m_bIsEnabled ( FALSE ),
m_pszPath( NULL ),
- m_Config( NULL ),
- m_dwLastCheck( 0 )
+ m_Config( NULL )
{
- m_LastChange.dwLowDateTime = 0;
- m_LastChange.dwHighDateTime = 0;
}
DWORD
diff --git a/iis/moduleconfig.h b/iis/moduleconfig.h
index 83b7517d34..75ee71dca2 100644
--- a/iis/moduleconfig.h
+++ b/iis/moduleconfig.h
@@ -68,8 +68,6 @@ class MODSECURITY_STORED_CONTEXT : public IHttpStoredContext
USHORT* pdwLengthDestination );
void* m_Config;
- DWORD m_dwLastCheck;
- FILETIME m_LastChange;
private:
HRESULT
diff --git a/iis/mymodule.cpp b/iis/mymodule.cpp
index 464968cba9..e9d5ce3768 100644
--- a/iis/mymodule.cpp
+++ b/iis/mymodule.cpp
@@ -32,6 +32,7 @@
#include "winsock2.h"
+
class REQUEST_STORED_CONTEXT : public IHttpStoredContext
{
public:
@@ -84,10 +85,15 @@ class REQUEST_STORED_CONTEXT : public IHttpStoredContext
ULONGLONG m_pResponsePosition;
};
+
//----------------------------------------------------------------------------
char *GetIpAddr(apr_pool_t *pool, PSOCKADDR pAddr)
{
+ const char *format = "%15[0-9.]:%5[0-9]";
+ char ip[16] = { 0 }; // ip4 addresses have max len 15
+ char port[6] = { 0 }; // port numbers are 16bit, ie 5 digits max
+
DWORD len = 50;
char *buf = (char *)apr_palloc(pool, len);
@@ -98,6 +104,14 @@ char *GetIpAddr(apr_pool_t *pool, PSOCKADDR pAddr)
WSAAddressToString(pAddr, sizeof(SOCKADDR), NULL, buf, &len);
+ // test for IPV4 with port on the end
+ if (sscanf(buf, format, ip, port) == 2) {
+ // IPV4 but with port - remove the port
+ char* input = ":";
+ char* ipv4 = strtok(buf, input);
+ return ipv4;
+ }
+
return buf;
}
@@ -274,6 +288,7 @@ REQUEST_STORED_CONTEXT *RetrieveIISContext(request_rec *r)
return NULL;
}
+
HRESULT CMyHttpModule::ReadFileChunk(HTTP_DATA_CHUNK *chunk, char *buf)
{
OVERLAPPED ovl;
@@ -740,11 +755,7 @@ CMyHttpModule::OnBeginRequest(
goto Finished;
}
- // every 3 seconds we check for changes in config file
- //
- DWORD ctime = GetTickCount();
-
- if(pConfig->m_Config == NULL || (ctime - pConfig->m_dwLastCheck) > 3000)
+ if(pConfig->m_Config == NULL)
{
char *path;
USHORT pathlen;
@@ -757,55 +768,42 @@ CMyHttpModule::OnBeginRequest(
goto Finished;
}
- WIN32_FILE_ATTRIBUTE_DATA fdata;
- BOOL ret;
+ pConfig->m_Config = modsecGetDefaultConfig();
- ret = GetFileAttributesEx(path, GetFileExInfoStandard, &fdata);
+ PCWSTR servpath = pHttpContext->GetApplication()->GetApplicationPhysicalPath();
+ char *apppath;
+ USHORT apppathlen;
- pConfig->m_dwLastCheck = ctime;
+ hr = pConfig->GlobalWideCharToMultiByte((WCHAR *)servpath, wcslen(servpath), &apppath, &apppathlen);
- if(pConfig->m_Config == NULL || (ret != 0 && (pConfig->m_LastChange.dwLowDateTime != fdata.ftLastWriteTime.dwLowDateTime ||
- pConfig->m_LastChange.dwHighDateTime != fdata.ftLastWriteTime.dwHighDateTime)))
+ if ( FAILED( hr ) )
{
- pConfig->m_LastChange.dwLowDateTime = fdata.ftLastWriteTime.dwLowDateTime;
- pConfig->m_LastChange.dwHighDateTime = fdata.ftLastWriteTime.dwHighDateTime;
-
- pConfig->m_Config = modsecGetDefaultConfig();
-
- PCWSTR servpath = pHttpContext->GetApplication()->GetApplicationPhysicalPath();
- char *apppath;
- USHORT apppathlen;
+ delete path;
+ hr = E_UNEXPECTED;
+ goto Finished;
+ }
- hr = pConfig->GlobalWideCharToMultiByte((WCHAR *)servpath, wcslen(servpath), &apppath, &apppathlen);
+ if(path[0] != 0)
+ {
+ const char * err = modsecProcessConfig((directory_config *)pConfig->m_Config, path, apppath);
- if ( FAILED( hr ) )
+ if(err != NULL)
{
+ WriteEventViewerLog(err, EVENTLOG_ERROR_TYPE);
+ delete apppath;
delete path;
- hr = E_UNEXPECTED;
goto Finished;
}
- if(path[0] != 0)
+ modsecReportRemoteLoadedRules();
+ if (this->status_call_already_sent == false)
{
- const char * err = modsecProcessConfig((directory_config *)pConfig->m_Config, path, apppath);
-
- if(err != NULL)
- {
- WriteEventViewerLog(err, EVENTLOG_ERROR_TYPE);
- delete apppath;
- delete path;
- goto Finished;
- }
-
- modsecReportRemoteLoadedRules();
- if (this->status_call_already_sent == false)
- {
- this->status_call_already_sent = true;
- modsecStatusEngineCall();
- }
+ this->status_call_already_sent = true;
+ modsecStatusEngineCall();
}
- delete apppath;
}
+
+ delete apppath;
delete path;
}
@@ -1060,7 +1058,9 @@ CMyHttpModule::OnBeginRequest(
#endif
c->remote_host = NULL;
+ LeaveCriticalSection(&m_csLock);
int status = modsecProcessRequest(r);
+ EnterCriticalSection(&m_csLock);
if(status != DECLINED)
{
@@ -1081,42 +1081,43 @@ CMyHttpModule::OnBeginRequest(
return RQ_NOTIFICATION_CONTINUE;
}
+
apr_status_t ReadBodyCallback(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos)
{
- REQUEST_STORED_CONTEXT *rsc = RetrieveIISContext(r);
+ REQUEST_STORED_CONTEXT *rsc = RetrieveIISContext(r);
- *readcnt = 0;
+ *readcnt = 0;
- if(rsc == NULL)
- {
- *is_eos = 1;
- return APR_SUCCESS;
- }
+ if (rsc == NULL)
+ {
+ *is_eos = 1;
+ return APR_SUCCESS;
+ }
- IHttpContext *pHttpContext = rsc->m_pHttpContext;
- IHttpRequest *pRequest = pHttpContext->GetRequest();
+ IHttpContext *pHttpContext = rsc->m_pHttpContext;
+ IHttpRequest *pRequest = pHttpContext->GetRequest();
- if(pRequest->GetRemainingEntityBytes() == 0)
- {
- *is_eos = 1;
- return APR_SUCCESS;
- }
+ if (pRequest->GetRemainingEntityBytes() == 0)
+ {
+ *is_eos = 1;
+ return APR_SUCCESS;
+ }
- HRESULT hr = pRequest->ReadEntityBody(buf, length, false, (DWORD *)readcnt, NULL);
+ HRESULT hr = pRequest->ReadEntityBody(buf, length, false, (DWORD *)readcnt, NULL);
- if (FAILED(hr))
+ if (FAILED(hr))
{
// End of data is okay.
- if (ERROR_HANDLE_EOF != (hr & 0x0000FFFF))
+ if (ERROR_HANDLE_EOF != (hr & 0x0000FFFF))
{
// Set the error status.
- rsc->m_pProvider->SetErrorStatus( hr );
+ rsc->m_pProvider->SetErrorStatus(hr);
}
- *is_eos = 1;
+ *is_eos = 1;
}
- return APR_SUCCESS;
+ return APR_SUCCESS;
}
apr_status_t WriteBodyCallback(request_rec *r, char *buf, unsigned int length)
diff --git a/iis/wix/modsecurity.conf b/iis/wix/modsecurity.conf
index 60f09129e1..fcce635963 100644
--- a/iis/wix/modsecurity.conf
+++ b/iis/wix/modsecurity.conf
@@ -16,11 +16,14 @@ SecRuleEngine DetectionOnly
#
SecRequestBodyAccess On
+# SecStreamInBodyInspection is required by IIS for proper body inspection
+# See issue #1299 for more information
+SecStreamInBodyInspection On
# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
-SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
# Enable JSON request body parser.
@@ -40,7 +43,7 @@ SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
# Store up to 128 KB of request body data in memory. When the multipart
-# parser reachers this limit, it will start using your hard disk for
+# parser reaches this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#
SecRequestBodyInMemoryLimit 131072
@@ -110,7 +113,7 @@ SecRule TX:/^MSC_/ "!@streq 0" \
# Do keep in mind that enabling this directive does increases both
# memory consumption and response latency.
#
-#SecResponseBodyAccess On
+SecResponseBodyAccess On
# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
@@ -151,7 +154,7 @@ SecDataDir c:\inetpub\temp\
# location must be private to ModSecurity. You don't want other users on
# the server to access the files, do you?
#
-#SecUploadDir /opt/modsecurity/var/upload/
+#SecUploadDir c:\inetpub\temp\
# By default, only keep the files that were determined to be unusual
# in some way (by an external inspection script). For this to work you
@@ -171,7 +174,7 @@ SecDataDir c:\inetpub\temp\
# The default debug log configuration is to duplicate the error, warning
# and notice messages from the error log.
#
-#SecDebugLog /opt/modsecurity/var/log/debug.log
+#SecDebugLog c:\inetpub\temp\debug.log
#SecDebugLogLevel 3
@@ -181,20 +184,20 @@ SecDataDir c:\inetpub\temp\
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
-#SecAuditEngine RelevantOnly
-#SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+SecAuditEngine RelevantOnly
+SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Log everything we know about a transaction.
-#SecAuditLogParts ABIJDEFHZ
+SecAuditLogParts ABIJDEFHZ
# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
-#SecAuditLogType Serial
-#SecAuditLog c:\inetpub\log\modsec_audit.log
+SecAuditLogType Serial
+#SecAuditLog c:\inetpub\logs\modsec_audit.log
# Specify the path for concurrent audit logging.
-#SecAuditLogStorageDir c:\inetpub\log\
+#SecAuditLogStorageDir c:\inetpub\logs\
# -- Miscellaneous -----------------------------------------------------------
@@ -216,8 +219,7 @@ SecCookieFormat 0
# to properly map encoded data to your language. Properly setting
# these directives helps to reduce false positives and negatives.
#
-#SecUnicodeCodePage 20127
-#SecUnicodeMapFile unicode.mappinga
+SecUnicodeMapFile unicode.mapping 20127
# Improve the quality of ModSecurity by sharing information about your
# current ModSecurity version and dependencies versions.
diff --git a/iis/wix/modsecurity_iis.conf b/iis/wix/modsecurity_iis.conf
index 85d20ba74f..a18a4a6bca 100644
--- a/iis/wix/modsecurity_iis.conf
+++ b/iis/wix/modsecurity_iis.conf
@@ -1,3 +1 @@
Include modsecurity.conf
-Include modsecurity_crs_10_setup.conf
-Include owasp_crs\base_rules\*.conf
diff --git a/iis/wix/unicode.mapping b/iis/wix/unicode.mapping
new file mode 100644
index 0000000000..2654c4a619
--- /dev/null
+++ b/iis/wix/unicode.mapping
@@ -0,0 +1,96 @@
+(MAC - Roman)
+
+
+(MAC - Icelandic)
+
+
+1250 (ANSI - Central Europe)
+00a1:21 00a2:63 00a3:4c 00a5:59 00aa:61 00b2:32 00b3:33 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e
+
+1251 (ANSI - Cyrillic)
+00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221a:76 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2552:2d 2558:4c 2559:4c 255a:4c 255b:2d 255c:2d 255d:2d 2564:54 2565:54 2566:54 256a:2b 256b:2b 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e
+
+1252 (ANSI - Latin I)
+0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 0398:54 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2017:3d 2032:27 2035:60 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2212:2d 2215:2f 2216:5c 2217:2a 221a:76 221e:38 2223:7c 2229:6e 2236:3a 223c:7e 2261:3d 2264:3d 2265:3d 2303:5e 2320:28 2321:29 2329:3c 232a:3e 2500:2d 250c:2b 2510:2b 2514:2b 2518:2b 251c:2b 252c:2d 2534:2d 253c:2b 2550:2d 2552:2b 2553:2b 2554:2b 2555:2b 2556:2b 2557:2b 2558:2b 2559:2b 255a:2b 255b:2b 255c:2b 255d:2b 2564:2d 2565:2d 2566:2d 2567:2d 2568:2d 2569:2d 256a:2b 256b:2b 256c:2b 2584:5f 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e
+
+1253 (ANSI - Greek)
+00b4:2f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e
+
+1254 (ANSI - Turkish)
+00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c7:5e 02c8:27 02cb:60 02cd:5f 02d8:5e 02d9:27 0300:60 0302:5e 0331:5f 0332:5f 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2081:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2193:76 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:3d 301d:22 301e:22 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e
+
+1255 (ANSI - Hebrew)
+0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e
+
+1256 (ANSI - Arabic)
+0620:41 0621:41 0622:43 0623:45 0624:45 0625:45 0626:45 0627:49 0628:49 0629:4f 062a:55 062b:55 062c:55 062d:46 062e:43 062f:44 0630:45 0631:46 0632:47 0633:48 0634:49 0635:4a 0636:4b 0637:4c 0638:4d 0639:4e 063a:4f 0641:41 0642:42 0643:43 0644:44 0645:45 0646:46 0647:47 0648:48 0649:49 064a:4a 064b:4b 064c:4c 064d:4d 064e:4e 064f:4f 0650:50 0651:51 0652:52
+
+1257 (ANSI - Baltic)
+ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e
+
+1258 (ANSI/OEM - Viet Nam)
+ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e
+
+20127 (US-ASCII)
+00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e
+
+20261 (T.61)
+f8dd:5c f8de:5e f8df:60 f8e0:7b f8fc:7d f8fd:7e f8fe:7f
+
+20866 (Russian - KOI8)
+00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e
+
+28591 (ISO 8859-1 Latin I)
+0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e
+
+28592 (ISO 8859-2 Central Europe)
+00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e
+
+28605 (ISO 8859-15 Latin 9)
+00a6:7c 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0138:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014a:4e 014b:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:54 0169:74 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e
+
+37 (IBM EBCDIC - U.S./Canada)
+0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f
+
+437 (OEM - United States)
+00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 2020:2b 2022:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e
+
+500 (IBM EBCDIC - International)
+0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79
+
+850 (OEM - Multilingual Latin I)
+0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2126:4f 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e
+
+860 (OEM - Portuguese)
+00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00be:33 00c4:41 00c5:41 00c6:41 00cb:45 00ce:49 00cf:49 00d0:44 00d6:4f 00d7:58 00d8:4f 00db:55 00dd:59 00de:54 00e4:61 00e5:61 00e6:61 00eb:65 00ee:69 00ef:69 00f0:64 00f6:6f 00f8:6f 00fb:75 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:5c 0161:7c 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:5f 2011:5f 2013:5f 2014:5f 2017:5f 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07
+
+861 (OEM - Icelandic)
+00a2:63 00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00aa:61 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00ba:6f 00be:33 00c0:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00db:55 00e3:61 00ec:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f9:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07
+
+863 (OEM - Canadian French)
+00a1:21 00a5:59 00a9:63 00aa:61 00ad:16 00ae:72 00b9:33 00ba:6f 00c1:41 00c3:41 00c4:41 00c5:41 00c6:41 00cc:49 00cd:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d5:4f 00d6:4f 00d7:58 00d8:4f 00da:55 00dd:59 00de:54 00e1:61 00e3:61 00e4:61 00e5:61 00e6:61 00ec:69 00ed:69 00f0:64 00f1:6e 00f2:6f 00f5:6f 00f6:6f 00f8:6f 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:22 02ba:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 0304:16 0305:16 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07
+
+865 (OEM - Nordic)
+00a2:63 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00bb:3e 00be:33 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00da:55 00db:55 00dd:59 00de:54 00e3:61 00f0:64 00f5:6f 00fd:79 00fe:74 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 226b:3c 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 300b:3e 301a:5b 301b:5d 30fb:07
+
+874 (ANSI/OEM - Thai)
+00a7:15 00b6:14 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e
+
+932 (ANSI/OEM - Japanese Shift-JIS)
+00a1:21 00a5:5c 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79
+
+936 (ANSI/OEM - Simplified Chinese GBK)
+00a6:7c 00aa:61 00ad:2d 00b2:32 00b3:33 00b9:31 00ba:6f 00d0:44 00dd:59 00de:54 00e2:61 00f0:65 00fd:79 00fe:74
+
+949 (ANSI/OEM - Korean)
+00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c
+
+950 (ANSI/OEM - Traditional Chinese Big5)
+00a1:21 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79
+
+(UTF-7)
+
+
+(UTF-8)
+
+
diff --git a/mlogc/Makefile.am b/mlogc/Makefile.am
index e84e3de504..6946ca492e 100644
--- a/mlogc/Makefile.am
+++ b/mlogc/Makefile.am
@@ -7,17 +7,21 @@ mlogc_SOURCES = mlogc.c
mlogc_CPPFLAGS = @APR_CPPFLAGS@ \
@PCRE_CPPFLAGS@ \
+ @PCRE2_CPPFLAGS@ \
@CURL_CPPFLAGS@ \
-I$(top_srcdir)/apache2
mlogc_CFLAGS = @APR_CFLAGS@ \
@CURL_CFLAGS@ \
- @PCRE_CFLAGS@
+ @PCRE_CFLAGS@ \
+ @PCRE2_CFLAGS@
mlogc_LDFLAGS = @APR_LDFLAGS@ \
@CURL_LDFLAGS@ \
- @PCRE_LDFLAGS@
+ @PCRE_LDFLAGS@ \
+ @PCRE2_LDFLAGS@
mlogc_LDADD = @APR_LDADD@ \
@CURL_LDADD@ \
- @PCRE_LDADD@
+ @PCRE_LDADD@ \
+ @PCRE2_LDADD@
diff --git a/mlogc/mlogc-batch-load.pl.in b/mlogc/mlogc-batch-load.pl.in
index 53da8786a7..60030771db 100755
--- a/mlogc/mlogc-batch-load.pl.in
+++ b/mlogc/mlogc-batch-load.pl.in
@@ -38,7 +38,7 @@ find(
(($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size) = stat($_)) &&
-f _ &&
#### MODSEC-204 /^\d{8}-\d+-\w{24}$/s
- /^\d{8}-\d+-.{24}$/s
+ /^\d{8}-\d+-.{24,}$/s
&& (($fn = $File::Find::name) =~ s/^\Q$ROOTDIR\E//)
&& push(@AUDIT, [$fn, $size]);
},
diff --git a/mlogc/mlogc.c b/mlogc/mlogc.c
index e67da10850..b1030ee45e 100644
--- a/mlogc/mlogc.c
+++ b/mlogc/mlogc.c
@@ -1,6 +1,6 @@
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
-* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+* Copyright (c) 2004-2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -28,7 +28,12 @@
#if APR_HAVE_UNISTD_H
#include <unistd.h> /* for getpid() */
#endif
+#ifdef WITH_PCRE2
+#define PCRE2_CODE_UNIT_WIDTH 8
+#include <pcre2.h>
+#else
#include <pcre.h>
+#endif
#include <curl/curl.h>
#include <fcntl.h>
#include <sys/stat.h>
@@ -96,7 +101,7 @@ do { \
static const char logline_pattern[] =
"^(\\S+)"
"\\ (\\S+)\\ (\\S+)\\ (\\S+)"
- "\\ \\[([^:]+):(\\d+:\\d+:\\d+)\\ ([^\\]]+)\\]"
+ "\\ \\[([^:]+):(\\d+:\\d+:\\d+(?:[.]\\d+)?)\\ ([^\\]]+)\\]"
"\\ \"(.*)\""
"\\ (\\d+)\\ (\\S+)"
"\\ \"(.*)\"\\ \"(.*)\""
@@ -147,7 +152,13 @@ static int keep_alive = 150; /* Not used yet. */
static int keep_alive_timeout = 300; /* Not used yet. */
static int keep_entries = 0;
static const char *log_repository = NULL;
+#ifdef WITH_PCRE2
+static pcre2_code *logline_regex = NULL;
+static pcre2_code *requestline_regex = NULL;
+#else
static void *logline_regex = NULL;
+static void *requestline_regex = NULL;
+#endif
static int max_connections = 10;
static int max_worker_requests = 1000;
static apr_global_mutex_t *gmutex = NULL;
@@ -158,8 +169,9 @@ static apr_pool_t *recv_pool = NULL;
static apr_array_header_t *queue = NULL;
static const char *queue_path = NULL;
static int ssl_validation = 0;
+static int tlsprotocol = 1;
+static curl_version_info_data* curlversion = NULL;
/* static apr_time_t queue_time = 0; */
-static void *requestline_regex = NULL;
static int running = 0;
static const char *sensor_password = NULL;
static const char *sensor_username = NULL;
@@ -810,6 +822,26 @@ static void init_configuration(void)
startup_delay = atoi(s);
}
+ /* TLS Protocol - TLSv1(0) TLSv1.1(1) TLSv1.2(2) (SSLv3 not supported) */
+ s = apr_table_get(conf, "TLSProtocol");
+ if (s != NULL) {
+ int num = atoi(s);
+ switch (num) {
+ case 0:
+ tlsprotocol = 0;
+ break;
+ case 1:
+ tlsprotocol = 1;
+ break;
+ case 2:
+ tlsprotocol = 2;
+ break;
+ default:
+ tlsprotocol = 2; /* Default is TLSv1.2 */
+ }
+ }
+ curlversion = curl_version_info(CURLVERSION_NOW);
+
if ( startup_delay > 0 ) {
error_log(LOG_NOTICE, NULL,
"Delaying execution for %dms.", startup_delay);
@@ -824,6 +856,8 @@ static void init_configuration(void)
error_log(LOG_DEBUG2, NULL, "ErrorLog=%s", error_log_path);
error_log(LOG_DEBUG2, NULL, "ErrorLogLevel=%d", error_log_level);
error_log(LOG_DEBUG2, NULL, "StartupDelay=%d", startup_delay);
+ error_log(LOG_DEBUG2, NULL, "TLSProtocol=%d", tlsprotocol);
+ error_log(LOG_DEBUG2, NULL, "cURL version=%s", curlversion->version);
s = apr_table_get(conf, "CheckpointInterval");
if (s != NULL) {
@@ -1182,6 +1216,12 @@ static void logc_init(void)
apr_status_t rc = 0;
const char *errptr = NULL;
int i, erroffset;
+ /* cURL major, minor and patch version */
+ short cmaj, cmin, cpat = 0;
+#ifdef WITH_PCRE2
+ int pcre2_errorcode = 0;
+ PCRE2_SIZE pcre2_erroffset = 0;
+#endif
queue = apr_array_make(pool, 64, sizeof(entry_t *));
if (queue == NULL) {
@@ -1246,8 +1286,31 @@ static void logc_init(void)
/* Seems like CURL_SSLVERSION_TLSv1_2 is not supported on libcurl
* < v7.34.0
+ *
+ * version_num is a 24 bit number created like this:
+ * <8 bits major number> | <8 bits minor number> | <8 bits patch number>.
*/
- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
+ switch (tlsprotocol) {
+ case 0:
+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0);
+ break;
+ case 1:
+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1);
+ break;
+ case 2:
+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
+ break;
+ default:
+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
+ break;
+ }
+ cmaj = curlversion->version_num >> 16;
+ cmin = (curlversion->version_num & 0x00ff00) >> 8;
+ cpat = (curlversion->version_num & 0x0000ff);
+ /* If cURL version < v7.34.0, use TLS v1.x */
+ if (cmaj <= 7 && cmin < 34) {
+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
+ }
curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 15);
curl_easy_setopt(curl, CURLOPT_NOSIGNAL, TRUE);
@@ -1258,16 +1321,30 @@ static void logc_init(void)
*(CURL **)apr_array_push(curl_handles) = curl;
}
+ if (cmaj <= 7 && cmin < 34) {
+ error_log(LOG_DEBUG2, NULL, "TLSv1.2 is unsupported in cURL %d.%d.%d", cmaj, cmin, cpat);
+ }
+
+#ifdef WITH_PCRE2
+ logline_regex = pcre2_compile(logline_pattern, PCRE2_ZERO_TERMINATED, PCRE2_CASELESS,
+ &pcre2_errorcode, &pcre2_erroffset, NULL);
+#else
logline_regex = pcre_compile(logline_pattern, PCRE_CASELESS,
&errptr, &erroffset, NULL);
+#endif
if (logline_regex == NULL) {
error_log(LOG_ERROR, NULL,
"Failed to compile pattern: %s\n", logline_pattern);
logc_shutdown(1);
}
- requestline_regex = pcre_compile(requestline_pattern,
- PCRE_CASELESS, &errptr, &erroffset, NULL);
+#ifdef WITH_PCRE2
+ requestline_regex = pcre2_compile(requestline_pattern, PCRE2_ZERO_TERMINATED, PCRE2_CASELESS,
+ &pcre2_errorcode, &pcre2_erroffset, NULL);
+#else
+ requestline_regex = pcre_compile(requestline_pattern, PCRE_CASELESS,
+ &errptr, &erroffset, NULL);
+#endif
if (requestline_regex == NULL) {
error_log(LOG_ERROR, NULL,
"Failed to compile pattern: %s\n", requestline_pattern);
@@ -1378,6 +1455,9 @@ static void * APR_THREAD_FUNC thread_worker(apr_thread_t *thread, void *data)
apr_status_t rc;
apr_finfo_t finfo;
int capturevector[CAPTUREVECTORSIZE];
+#ifdef WITH_PCRE2
+ pcre2_match_data *pcre2_match_data = NULL;
+#endif
int take_new = 1;
apr_pool_t *tpool;
struct curl_slist *headerlist = NULL;
@@ -1483,9 +1563,24 @@ static void * APR_THREAD_FUNC thread_worker(apr_thread_t *thread, void *data)
num_requests++;
}
+#ifdef WITH_PCRE2
+ pcre2_match_data = pcre2_match_data_create_from_pattern(logline_regex, NULL);
+ rc = pcre2_match(logline_regex, entry->line, entry->line_size, 0, 0,
+ pcre2_match_data, NULL);
+ if (rc > 0) {
+ PCRE2_SIZE *pcre2_ovector = pcre2_get_ovector_pointer(pcre2_match_data);
+ for (int i = 0; i < rc; i++) {
+ capturevector[2*i] = pcre2_ovector[2*i];
+ capturevector[2*i+1] = pcre2_ovector[2*i+1];
+ }
+ }
+ pcre2_match_data_free(pcre2_match_data);
+ if (rc == PCRE2_ERROR_NOMATCH) {
+#else
rc = pcre_exec(logline_regex, NULL, entry->line, entry->line_size, 0, 0,
capturevector, CAPTUREVECTORSIZE);
- if (rc == PCRE_ERROR_NOMATCH) { /* No match. */
+ if (rc == PCRE_ERROR_NOMATCH) {
+#endif
error_log(LOG_WARNING, thread,
"Invalid entry (failed to match regex): %s",
_log_escape(tpool, entry->line, entry->line_size));
@@ -2239,6 +2334,11 @@ static void usage(void) {
* Version text.
*/
static void version(void) {
+#ifdef WITH_PCRE2
+ char pcre2_loaded_version_buffer[80] ={0};
+ char *pcre_loaded_version = pcre2_loaded_version_buffer;
+ pcre2_config(PCRE2_CONFIG_VERSION, pcre_loaded_version);
+#endif
fprintf(stderr,
"ModSecurity Log Collector (mlogc) v%s\n", VERSION);
fprintf(stderr,
@@ -2246,7 +2346,11 @@ static void version(void) {
"loaded=\"%s\"\n", APR_VERSION_STRING, apr_version_string());
fprintf(stderr,
" PCRE: compiled=\"%d.%d\"; "
+#ifdef WITH_PCRE2
+ "loaded=\"%s\"\n", PCRE2_MAJOR, PCRE2_MINOR, pcre_loaded_version);
+#else
"loaded=\"%s\"\n", PCRE_MAJOR, PCRE_MINOR, pcre_version());
+#endif
fprintf(stderr,
" cURL: compiled=\"%s\"; "
"loaded=\"%s\"\n", LIBCURL_VERSION, curl_version());
diff --git a/modsecurity.conf-recommended b/modsecurity.conf-recommended
index 9ee17f2f82..e120daef88 100644
--- a/modsecurity.conf-recommended
+++ b/modsecurity.conf-recommended
@@ -19,16 +19,23 @@ SecRequestBodyAccess On
# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
-SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
# Enable JSON request body parser.
# Initiate JSON Processor in case of JSON content-type; change accordingly
# if your application does not use 'application/json'
#
-SecRule REQUEST_HEADERS:Content-Type "application/json" \
+SecRule REQUEST_HEADERS:Content-Type "^application/json" \
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+# Sample rule to enable JSON request body parser for more subtypes.
+# Uncomment or adapt this rule if you want to engage the JSON
+# Processor for "+json" subtypes
+#
+#SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
+# "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+
# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
@@ -39,7 +46,7 @@ SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
# Store up to 128 KB of request body data in memory. When the multipart
-# parser reachers this limit, it will start using your hard disk for
+# parser reaches this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#
SecRequestBodyInMemoryLimit 131072
@@ -51,6 +58,11 @@ SecRequestBodyInMemoryLimit 131072
#
SecRequestBodyLimitAction Reject
+# Maximum parsing depth allowed for JSON objects. You want to keep this
+# value as low as practical.
+#
+SecRequestBodyJsonDepthLimit 512
+
# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
@@ -97,7 +109,7 @@ SecPcreMatchLimitRecursion 1000
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
- "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+ "id:'200005',phase:2,t:none,log,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
# -- Response body handling --------------------------------------------------
@@ -222,5 +234,7 @@ SecUnicodeMapFile unicode.mapping 20127
# The following information will be shared: ModSecurity version,
# Web Server version, APR version, PCRE version, Lua version, Libxml2
# version, Anonymous unique id for host.
-SecStatusEngine On
+# NB: As of April 2022, there is no longer any advantage to turning this
+# setting On, as there is no active receiver for the information.
+SecStatusEngine Off
diff --git a/nginx/modsecurity/ngx_http_modsecurity.c b/nginx/modsecurity/ngx_http_modsecurity.c
index 7c1395315b..d68cda312b 100644
--- a/nginx/modsecurity/ngx_http_modsecurity.c
+++ b/nginx/modsecurity/ngx_http_modsecurity.c
@@ -207,9 +207,13 @@ ngx_http_modsecurity_load_request(ngx_http_request_t *r)
{
ngx_http_modsecurity_ctx_t *ctx;
request_rec *req;
- ngx_str_t str;
size_t root;
ngx_str_t path;
+ ngx_uint_t port;
+ struct sockaddr_in *sin;
+#if (NGX_HAVE_INET6)
+ struct sockaddr_in6 *sin6;
+#endif
ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity);
req = ctx->req;
@@ -252,10 +256,30 @@ ngx_http_modsecurity_load_request(ngx_http_request_t *r)
req->parsed_uri.path = (char *)ngx_pstrdup0(r->pool, &r->uri);
req->parsed_uri.is_initialized = 1;
- str.data = r->port_start;
- str.len = r->port_end - r->port_start;
- req->parsed_uri.port = ngx_atoi(str.data, str.len);
- req->parsed_uri.port_str = (char *)ngx_pstrdup0(r->pool, &str);
+ switch (r->connection->local_sockaddr->sa_family) {
+
+#if (NGX_HAVE_INET6)
+ case AF_INET6:
+ sin6 = (struct sockaddr_in6 *) r->connection->local_sockaddr;
+ port = ntohs(sin6->sin6_port);
+ break;
+#endif
+
+#if (NGX_HAVE_UNIX_DOMAIN)
+ case AF_UNIX:
+ port = 0;
+ break;
+#endif
+
+ default: /* AF_INET */
+ sin = (struct sockaddr_in *) r->connection->local_sockaddr;
+ port = ntohs(sin->sin_port);
+ break;
+ }
+
+ req->parsed_uri.port = port;
+ req->parsed_uri.port_str = ngx_pnalloc(r->pool, sizeof("65535"));
+ (void) ngx_sprintf((u_char *)req->parsed_uri.port_str, "%ui%c", port, '\0');
req->parsed_uri.query = r->args.len ? req->args : NULL;
req->parsed_uri.dns_looked_up = 0;
@@ -528,9 +552,15 @@ ngx_http_modsecurity_save_request_body(ngx_http_request_t *r)
hc = r->http_connection;
+#if defined(nginx_version) && nginx_version >= 1011011
+ if (hc->free && size == cscf->large_client_header_buffers.size) {
+
+ buf = hc->free->buf;
+#else
if (hc->nfree && size == cscf->large_client_header_buffers.size) {
buf = hc->free[--hc->nfree];
+#endif
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"ModSecurity: use http free large header buffer: %p %uz",
diff --git a/standalone/config.c b/standalone/config.c
index 1552c6fabf..6133e7d7e8 100644
--- a/standalone/config.c
+++ b/standalone/config.c
@@ -432,6 +432,7 @@ AP_DECLARE(apr_status_t) ap_pcfg_openfile(ap_configfile_t **ret_cfg,
apr_file_t *file = NULL;
apr_finfo_t finfo;
apr_status_t status;
+ int exist_type;
#ifdef DEBUG
char buf[120];
#endif
@@ -457,13 +458,13 @@ AP_DECLARE(apr_status_t) ap_pcfg_openfile(ap_configfile_t **ret_cfg,
if (status != APR_SUCCESS)
return status;
- if (finfo.filetype != APR_REG &&
+ exist_type = (finfo.filetype != APR_REG);
#if defined(WIN32) || defined(OS2) || defined(NETWARE)
- strcasecmp(apr_filepath_name_get(name), "nul") != 0) {
+ exist_type = (exist_type && strcasecmp(apr_filepath_name_get(name), "nul") != 0);
#else
- strcmp(name, "/dev/null") != 0) {
+ exist_type = (exist_type && strcmp(name, "/dev/null") != 0);
#endif /* WIN32 || OS2 */
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ if (exist_type){ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
"Access to file %s denied by server: not a regular file",
name);
apr_file_close(file);
@@ -503,7 +504,7 @@ AP_DECLARE(apr_status_t) ap_pcfg_openfile(ap_configfile_t **ret_cfg,
#else
new_cfg->getch = cfg_getch;
new_cfg->getstr = cfg_getstr;
- new_cfg->close = cfg_close;
+ new_cfg->close = cfg_close;
#endif
new_cfg->line_number = 0;
*ret_cfg = new_cfg;
@@ -741,12 +742,12 @@ AP_DECLARE(char *) ap_make_full_path(apr_pool_t *a, const char *src1,
return path;
}
-static int fname_alphasort(const void *fn1, const void *fn2)
+static int fname_reversealphasort(const void *fn1, const void *fn2)
{
const fnames *f1 = fn1;
const fnames *f2 = fn2;
- return strcmp(f1->fname,f2->fname);
+ return strcmp(f2->fname,f1->fname);
}
int fnmatch_test(const char *pattern)
@@ -839,7 +840,7 @@ static const char *process_resource_config_nofnmatch(const char *fname,
apr_dir_close(dirp);
if (candidates->nelts != 0) {
qsort((void *) candidates->elts, candidates->nelts,
- sizeof(fnames), fname_alphasort);
+ sizeof(fnames), fname_reversealphasort);
/*
* Now recurse these... we handle errors and subdirectories
@@ -940,7 +941,7 @@ static const char *process_resource_config_fnmatch(const char *path,
const char *error;
qsort((void *) candidates->elts, candidates->nelts,
- sizeof(fnames), fname_alphasort);
+ sizeof(fnames), fname_reversealphasort);
/*
* Now recurse these... we handle errors and subdirectories
@@ -1027,7 +1028,8 @@ const char *process_command_config(server_rec *s,
ap_directive_t *newdir;
int optional;
char *err = NULL;
- char *rootpath, *incpath;
+ const char *rootpath, *incpath;
+ char *configfilepath;
int li;
errmsg = populate_include_files(p, ptemp, ari, filename, 0);
@@ -1107,13 +1109,13 @@ const char *process_command_config(server_rec *s,
/* we allow APR_SUCCESS and APR_EINCOMPLETE */
if (APR_ERELATIVE == status) {
- rootpath = apr_pstrdup(ptemp, parms->config_file->name);
- li = strlen(rootpath) - 1;
+ configfilepath = apr_pstrdup(ptemp, parms->config_file->name);
+ li = strlen(configfilepath) - 1;
- while(li >= 0 && rootpath[li] != '/' && rootpath[li] != '\\')
- rootpath[li--] = 0;
+ while(li >= 0 && configfilepath[li] != '/' && configfilepath[li] != '\\')
+ configfilepath[li--] = 0;
- w = apr_pstrcat(p, rootpath, w, NULL);
+ w = apr_pstrcat(p, configfilepath, w, NULL);
}
else if (APR_EBADPATH == status) {
ap_cfg_closefile(parms->config_file);
@@ -1200,3 +1202,4 @@ const char *process_command_config(server_rec *s,
return errmsg;
}
+
diff --git a/standalone/server.c b/standalone/server.c
index 53beccf9bf..31b12a6dbc 100644
--- a/standalone/server.c
+++ b/standalone/server.c
@@ -187,6 +187,11 @@ static char *http2env(apr_pool_t *a, const char *w)
return res;
}
+AP_DECLARE(apr_uint32_t) ap_random_pick(apr_uint32_t min, apr_uint32_t max)
+{
+ return rand();
+}
+
AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc)
{
int i, j;
@@ -285,6 +290,58 @@ AP_DECLARE(void) ap_log_error_(const char *file, int line, int module_index,
modsecLogHook(modsecLogObj, level, errstr);
}
+
+#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3
+AP_DECLARE(void) ap_log_cerror(const char *file, int line, int level,
+ apr_status_t status, const conn_rec *r,
+ const char *fmt, ...)
+// __attribute__((format(printf,6,7)))
+#else
+AP_DECLARE(void) ap_log_cerror_(const char *file, int line, int module_index,
+ int level, apr_status_t status,
+ const conn_rec *c, const char *fmt, ...)
+// __attribute__((format(printf,7,8)))
+#endif
+{
+ va_list args;
+ char errstr[MAX_STRING_LEN];
+
+ va_start(args, fmt);
+
+ apr_vsnprintf(errstr, MAX_STRING_LEN, fmt, args);
+
+ va_end(args);
+
+ if(modsecLogHook != NULL)
+ modsecLogHook(modsecLogObj, level, errstr);
+}
+
+
+#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3
+AP_DECLARE(void) ap_log_rerror(const char *file, int line, int level,
+ apr_status_t status, const request_rec *r,
+ const char *fmt, ...)
+// __attribute__((format(printf,6,7)))
+#else
+AP_DECLARE(void) ap_log_rerror_(const char *file, int line, int module_index,
+ int level, apr_status_t status,
+ const request_rec *r, const char *fmt, ...)
+// __attribute__((format(printf,7,8)))
+#endif
+{
+ va_list args;
+ char errstr[MAX_STRING_LEN];
+
+ va_start(args, fmt);
+
+ apr_vsnprintf(errstr, MAX_STRING_LEN, fmt, args);
+
+ va_end(args);
+
+ if(modsecLogHook != NULL)
+ modsecLogHook(modsecLogObj, level, errstr);
+}
+
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER < 3
AP_DECLARE(void) ap_log_perror(const char *file, int line, int level,
apr_status_t status, apr_pool_t *p,
diff --git a/tests/regression/action/00-disruptive-actions.t b/tests/regression/action/00-disruptive-actions.t
index 15c9836d88..f682396ee9 100644
--- a/tests/regression/action/00-disruptive-actions.t
+++ b/tests/regression/action/00-disruptive-actions.t
@@ -474,6 +474,37 @@
GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
),
},
+{
+ type => "action",
+ comment => "nocanon proxy in phase:1 (get)",
+ conf => qq(
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecResponseBodyAccess On
+ SecResponseBodyMimeType null
+ SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,proxy:'[nocanon]http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt',id:500005"
+ ),
+ match_log => {
+ error => {
+ apache => [qr/ModSecurity: Access denied using proxy to \(phase 1\)/, 1],
+ nginx => [qr/ModSecurity: Access denied with code 500 \(phase 1\) \(Configuration Error: Proxy action to .* requested but proxy is only available in Apache version\)./, 1],
+ },
+ },
+ match_response => {
+ status => {
+ apache => qr/^200$/,
+ nginx => qr/^500$/,
+ },
+ content => {
+ apache => qr/^TEST$/,
+ nginx => qr/^*$/,
+ },
+ },
+
+ request => new HTTP::Request(
+ GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
+ ),
+},
{
type => "action",
comment => "proxy in phase:2 (get)",
diff --git a/tests/regression/config/10-request-directives.t b/tests/regression/config/10-request-directives.t
index 42094e11b1..21b83ff101 100644
--- a/tests/regression/config/10-request-directives.t
+++ b/tests/regression/config/10-request-directives.t
@@ -703,3 +703,50 @@
),
},
+# SecArgumentsLimit
+{
+ type => "config",
+ comment => "SecArgumentsLimit (pos)",
+ conf => qq(
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecArgumentsLimit 5
+ SecRule REQBODY_ERROR "!\@eq 0" "id:'500232',phase:2,log,deny,status:403,msg:'Failed to parse request body'"
+ ),
+ match_log => {
+ error => [ qr/Access denied with code 403 /, 1 ],
+ },
+ match_response => {
+ status => qr/^403$/,
+ },
+ request => new HTTP::Request(
+ POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+ [
+ "Content-Type" => "application/x-www-form-urlencoded",
+ ],
+ "a=1&b=2&c=3&d=4&e=5&f=6",
+ ),
+},
+{
+ type => "config",
+ comment => "SecArgumentsLimit (neg)",
+ conf => qq(
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecArgumentsLimit 5
+ SecRule REQBODY_ERROR "!\@eq 0" "id:'500233',phase:2,log,deny,status:403,msg:'Failed to parse request body'"
+ ),
+ match_log => {
+ },
+ match_response => {
+ status => qr/^200$/,
+ },
+ request => new HTTP::Request(
+ POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+ [
+ "Content-Type" => "application/x-www-form-urlencoded",
+ ],
+ "a=1&b=2&c=3&d=4&e=5",
+ ),
+},
+
diff --git a/tests/regression/misc/00-multipart-parser.t b/tests/regression/misc/00-multipart-parser.t
index de39bf0864..e5ee4c13cd 100644
--- a/tests/regression/misc/00-multipart-parser.t
+++ b/tests/regression/misc/00-multipart-parser.t
@@ -736,6 +736,45 @@
),
},
+# Single quote within double quotes is ok
+{
+ type => "misc",
+ comment => "multipart parser (C-D uses single quote within double quotes)",
+ conf => qq(
+ SecRuleEngine On
+ SecDebugLog $ENV{DEBUG_LOG}
+ SecDebugLogLevel 9
+ SecRequestBodyAccess On
+ SecRule MULTIPART_INVALID_QUOTING "!\@eq 0" "phase:2,deny,id:500169"
+ ),
+ match_log => {
+ debug => [ qr/Adding request argument \(BODY\): name "a'b/s, 1 ],
+ -debug => [ qr/Adding request argument \(BODY\): name "b/s, 1 ],
+ },
+ match_response => {
+ status => qr/^200$/,
+ },
+ request => new HTTP::Request(
+ POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+ [
+ "Content-Type" => "multipart/form-data; boundary=---------------------------69343412719991675451336310646",
+ ],
+ normalize_raw_request_data(
+ q(
+ -----------------------------69343412719991675451336310646
+ Content-Disposition: form-data; name="a'b"
+
+ 1
+ -----------------------------69343412719991675451336310646
+ Content-Disposition: form-data; name="aaa"; filename="d'ummy"
+
+ 2
+ -----------------------------69343412719991675451336310646--
+ ),
+ ),
+ ),
+},
+
# Invalid boundary separators
{
type => "misc",
@@ -1314,15 +1353,14 @@
SecDebugLog $ENV{DEBUG_LOG}
SecDebugLogLevel 9
SecRequestBodyAccess On
- SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,id:500134"
- SecRule MULTIPART_UNMATCHED_BOUNDARY "\@eq 1" "phase:2,deny,id:500135"
- SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,id:500136"
+ SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,status:400,id:500134"
+ SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:400,id:500136"
),
match_log => {
- debug => [ qr/boundary was quoted.*No boundaries found in payload/s, 1 ],
+ debug => [ qr/Multipart: Warning: boundary was quoted./s, 1 ],
},
match_response => {
- status => qr/^403$/,
+ status => qr/^400$/,
},
request => new HTTP::Request(
POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
@@ -1331,20 +1369,20 @@
],
normalize_raw_request_data(
q(
- --0000
+ -- 0000
Content-Disposition: form-data; name="name"
Brian Rectanus
- --0000
+ -- 0000
Content-Disposition: form-data; name="email"
brian.rectanus@breach.com
- --0000
+ -- 0000
Content-Disposition: form-data; name="image"; filename="image.jpg"
Content-Type: image/jpeg
BINARYDATA
- --0000--
+ -- 0000--
),
),
),
@@ -1811,3 +1849,48 @@
),
},
+# part headers
+{
+ type => "misc",
+ comment => "multipart parser (part headers)",
+ conf => qq(
+ SecRuleEngine On
+ SecDebugLog $ENV{DEBUG_LOG}
+ SecDebugLogLevel 9
+ SecRequestBodyAccess On
+ SecRule MULTIPART_STRICT_ERROR "\@eq 1" "phase:2,deny,status:400,id:500168"
+ SecRule REQBODY_PROCESSOR_ERROR "\@eq 1" "phase:2,deny,status:400,id:500169"
+ SecRule MULTIPART_PART_HEADERS:image "\@rx content-type:.*jpeg" "phase:2,deny,status:403,id:500170,t:lowercase"
+ ),
+ match_log => {
+ debug => [ qr/500170.*against MULTIPART_PART_HEADERS:image.*Rule returned 1./s, 1 ],
+ },
+ match_response => {
+ status => qr/^403$/,
+ },
+ request => new HTTP::Request(
+ POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+ [
+ "Content-Type" => q(multipart/form-data; boundary=0000),
+ ],
+ normalize_raw_request_data(
+ q(
+ --0000
+ Content-Disposition: form-data; name="username"
+
+ Bill
+ --0000
+ Content-Disposition: form-data; name="email"
+
+ bill@fakesite.com
+ --0000
+ Content-Disposition: form-data; name="image"; filename="image.jpg"
+ Content-Type: image/jpeg
+
+ BINARYDATA
+ --0000--
+ ),
+ ),
+ ),
+},
+
diff --git a/tests/regression/misc/10-tfn-cache.t b/tests/regression/misc/10-tfn-cache.t
index 672b610d22..f0a663e495 100644
--- a/tests/regression/misc/10-tfn-cache.t
+++ b/tests/regression/misc/10-tfn-cache.t
@@ -182,6 +182,6 @@
"Content-Type" => "application/x-www-form-urlencoded",
],
# 1000 Args
- join("&", map { sprintf "arg%08d=0123456789abcdef+0123456789ABCDEF+0123456789abcdef", $_ } (1 .. 1000))."&test=Foo+Bar",
+ join("&", map { sprintf "arg%08d=0123456789abcdef+0123456789ABCDEF+0123456789abcdef", $_ } (1 .. 999))."&test=Foo+Bar",
),
},
diff --git a/tests/regression/misc/50-ipmatchfromfile-external.t.in b/tests/regression/misc/50-ipmatchfromfile-external.t.in
index effe97bf32..6b674cabd0 100644
--- a/tests/regression/misc/50-ipmatchfromfile-external.t.in
+++ b/tests/regression/misc/50-ipmatchfromfile-external.t.in
@@ -65,7 +65,7 @@
SecRule REMOTE_ADDR "\@ipMatchFromFile https://status.modsecurity.org/modsecurity-regression-test-huge-ip-list.txt" "id:10500,pass"
),
match_log => {
- error => [ qr/ModSecurity: Problems loading external resources: Failed to download: \"https:\/\/status.modsecurity.org\/modsecurity-regression-test-huge-ip-list.txt\" error: SSL peer certificate or SSH remote key was not OK./, 1],
+ error => [ qr/ModSecurity: Problems loading external resources: Failed to download: \"https:\/\/status.modsecurity.org\/modsecurity-regression-test-huge-ip-list.txt\" error: [SSL peer certificate or SSH remote key was not OK.|Couldn't connect to server.]/, 1],
},
},
diff --git a/tests/regression/misc/60-pmfromfile-external.t.in b/tests/regression/misc/60-pmfromfile-external.t.in
index bfa4038a4a..2910ed11b9 100644
--- a/tests/regression/misc/60-pmfromfile-external.t.in
+++ b/tests/regression/misc/60-pmfromfile-external.t.in
@@ -67,7 +67,7 @@
),
match_log => {
- error => [ qr/ModSecurity: Problems loading external resources: Failed to download: \"https:\/\/status.modsecurity.org\/modsecurity-regression-test.txt\" error: SSL peer certificate or SSH remote key was not OK./, 1],
+ error => [ qr/ModSecurity: Problems loading external resources: Failed to download: \"https:\/\/status.modsecurity.org\/modsecurity-regression-test.txt\" error: [SSL peer certificate or SSH remote key was not OK.|Couldn't connect to server.]/, 1],
},
match_response => {
status => qr/^404$/,
diff --git a/tests/regression/rule/10-xml.t b/tests/regression/rule/10-xml.t
index ea9d6ad99a..f2632745b7 100644
--- a/tests/regression/rule/10-xml.t
+++ b/tests/regression/rule/10-xml.t
@@ -394,7 +394,7 @@
SecXmlExternalEntity On
SecDebugLog $ENV{DEBUG_LOG}
SecDebugLogLevel 9
- SecRule REQUEST_HEADERS:Content-Type "^text/xml\$" "id:500029, \\
+ SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" "id:500029, \\
phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML"
SecRule REQBODY_PROCESSOR "!^XML\$" nolog,pass,skipAfter:12345,id:500030
SecRule XML "\@validateDTD $ENV{CONF_DIR}/SoapEnvelope-bad.dtd" "id:500031 \\
diff --git a/tests/regression/rule/15-json.t b/tests/regression/rule/15-json.t
index e75f89c154..9c17817503 100644
--- a/tests/regression/rule/15-json.t
+++ b/tests/regression/rule/15-json.t
@@ -35,5 +35,229 @@
),
),
),
+},
+{
+ type => "rule",
+ comment => "json parser - issue #1576 - 1",
+ conf => qq(
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecDebugLog $ENV{DEBUG_LOG}
+ SecDebugLogLevel 9
+ SecRule REQUEST_HEADERS:Content-Type "application/json" \\
+ "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+ SecRule ARGS "bar" "id:'200441',phase:3,log"
+ ),
+ match_log => {
+ error => [ qr/ModSecurity: Warning. Pattern match "bar" at ARGS:foo.|ModSecurity: JSON support was not enabled/s, 1 ],
+ debug => [ qr/ARGS:foo|ARGS:mod|ARGS:ops.ops.ops|ARGS:ops.ops.ops|ARGS:ops.ops|ARGS:ops.ops|ARGS:ops.ops.eins.eins|ARGS:ops.ops.eins.eins|ARGS:whee/, 1 ],
+ },
+ match_response => {
+ status => qr/^200$/,
+ },
+ request => new HTTP::Request(
+ POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+ [
+ "Content-Type" => "application/json",
+ ],
+ normalize_raw_request_data(
+ q(
+ {
+ "foo":"bar",
+ "mod":"sec",
+ "ops":[
+ [
+ "um",
+ "um e meio"
+ ],
+ "dois",
+ "tres",
+ {
+ "eins":[
+ "zwei",
+ "drei"
+ ]
+ }
+ ],
+ "whee":"lhebs"
+ }
+ ),
+ ),
+ ),
+},
+{
+ type => "rule",
+ comment => "json parser - issue #1576 - 2",
+ conf => qq(
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecDebugLog $ENV{DEBUG_LOG}
+ SecDebugLogLevel 9
+ SecRule REQUEST_HEADERS:Content-Type "application/json" \\
+ "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+ SecRule ARGS "um" "id:'200441',phase:3,log"
+ ),
+ match_log => {
+ error => [ qr/ModSecurity: Warning. Pattern match "um" at ARGS:array.array|ModSecurity: JSON support was not enabled/s, 1 ],
+ debug => [ qr/ARGS:array.array|ARGS:array.array/, 1 ],
+ },
+ match_response => {
+ status => qr/^200$/,
+ },
+ request => new HTTP::Request(
+ POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+ [
+ "Content-Type" => "application/json",
+ ],
+ normalize_raw_request_data(
+ q(
+ [
+ "um",
+ "um e meio"
+ ]
+ ),
+ ),
+ ),
+},
+{
+ type => "rule",
+ comment => "json parser - issue #1576 - 3",
+ conf => qq(
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecDebugLog $ENV{DEBUG_LOG}
+ SecDebugLogLevel 9
+ SecRule REQUEST_HEADERS:Content-Type "application/json" \\
+ "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+ SecRule ARGS "seis" "id:'200441',phase:3,log"
+ ),
+ match_log => {
+ error => [ qr/ModSecurity: Warning. Pattern match "seis" at ARGS:array.array.cinco.|ModSecurity: JSON support was not enabled/s, 1 ],
+ debug => [ qr/ARGS:array.array|ARGS:array.array|ARGS:array.array.tres|ARGS:array.array.cinco/, 1 ],
+ },
+ match_response => {
+ status => qr/^200$/,
+ },
+ request => new HTTP::Request(
+ POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+ [
+ "Content-Type" => "application/json",
+ ],
+ normalize_raw_request_data(
+ q(
+ [
+ "um",
+ "um e meio",
+ {
+ "tres": "quatro",
+ "cinco": "seis"
+ }
+ ]
+ ),
+ ),
+ ),
+},
+{
+ type => "rule",
+ comment => "json parser - parsing depth not exceeded",
+ conf => qq(
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecDebugLog $ENV{DEBUG_LOG}
+ SecDebugLogLevel 9
+ SecRequestBodyJsonDepthLimit 5
+ SecRule REQUEST_HEADERS:Content-Type "application/json" \\
+ "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+ SecRule REQBODY_ERROR "!\@eq 0" "id:'200442',phase:2,log,deny,status:403,msg:'Failed to parse request body'"
+ ),
+ match_log => {
+ debug => [ qr/key/s, 1 ],
+ },
+ match_response => {
+ status => qr/^200$/,
+ },
+ request => new HTTP::Request(
+ POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+ [
+ "Content-Type" => "application/json",
+ ],
+ normalize_raw_request_data(
+ q(
+ {
+ "key1":{"key2":{"key3":{"key4":{"key5":"thevalue"}}}}
+ }
+ ),
+ ),
+ ),
+},
+{
+ type => "rule",
+ comment => "json parser - parsing depth exceeded",
+ conf => qq(
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecDebugLog $ENV{DEBUG_LOG}
+ SecAuditEngine RelevantOnly
+ SecAuditLog "$ENV{AUDIT_LOG}"
+ SecDebugLogLevel 9
+ SecRequestBodyJsonDepthLimit 3
+ SecRule REQUEST_HEADERS:Content-Type "application/json" \\
+ "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+ SecRule REQBODY_ERROR "!\@eq 0" "id:'200443',phase:2,log,deny,status:403,msg:'Failed to parse request body'"
+ ),
+ match_log => {
+ audit => [ qr/JSON parsing error: JSON depth limit exceeded/s, 1 ],
+ },
+ match_response => {
+ status => qr/^403$/,
+ },
+ request => new HTTP::Request(
+ POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+ [
+ "Content-Type" => "application/json",
+ ],
+ normalize_raw_request_data(
+ q(
+ {
+ "key1":{"key2":{"key3":{"key4":{"key5":"thevalue"}}}}
+ }
+ ),
+ ),
+ ),
+},
+{
+ type => "rule",
+ comment => "json parser - no-key single value",
+ conf => qq(
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecDebugLog $ENV{DEBUG_LOG}
+ SecAuditEngine RelevantOnly
+ SecAuditLog "$ENV{AUDIT_LOG}"
+ SecDebugLogLevel 9
+ SecRequestBodyJsonDepthLimit 3
+ SecRule REQUEST_HEADERS:Content-Type "^application/json" \\
+ "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+ SecRule REQBODY_ERROR "!\@eq 0" "id:'200444',phase:2,log,deny,status:403,msg:'Failed to parse request body'"
+ SecRule ARGS "\@streq 25" "id:'200445',phase:2,log,deny,status:403"
+ ),
+ match_log => {
+ audit => [ qr/200445/s, 1 ],
+ },
+ match_response => {
+ status => qr/^403$/,
+ },
+ request => new HTTP::Request(
+ POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+ [
+ "Content-Type" => "application/json",
+ ],
+ normalize_raw_request_data(
+ q(
+ 25
+ ),
+ ),
+ ),
}
+
diff --git a/tests/regression/target/00-targets.t b/tests/regression/target/00-targets.t
index d00b5a50c8..62846c0bef 100644
--- a/tests/regression/target/00-targets.t
+++ b/tests/regression/target/00-targets.t
@@ -475,8 +475,29 @@
"arg1=val1&arg2=val2",
),
},
-
-
+{
+ type => "target",
+ comment => "REQUEST_BASENAME (get)",
+ conf => qq(
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecResponseBodyAccess On
+ SecResponseBodyMimeType null
+ SecDebugLog $ENV{DEBUG_LOG}
+ SecDebugLogLevel 9
+ SecRule REQUEST_BASENAME "index.html" "phase:2,log,pass,id:500189"
+ ),
+ match_log => {
+ error => [ qr/Pattern match "index.html" at REQUEST_BASENAME.*/s, 1 ],
+ debug => [ qr/Pattern match "index.html" at REQUEST_BASENAME.*/s, 1 ],
+ },
+ match_response => {
+ status => qr/^200$/,
+ },
+ request => new HTTP::Request(
+ GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/index.html?apath=/my/cool/path.com",
+ ),
+},
# AUTH_TYPE
#{
diff --git a/tools/parse_modsec.pl b/tools/parse_modsec.pl
new file mode 100755
index 0000000000..8c3b043e95
--- /dev/null
+++ b/tools/parse_modsec.pl
@@ -0,0 +1,603 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use DateTime::Format::Strptime;
+use Getopt::Long qw(:config no_ignore_case bundling);
+use JSON;
+use List::MoreUtils qw(any);
+use NetAddr::IP;
+use Try::Tiny;
+
+=pod
+
+=head1 NAME
+
+parse_modsec.pl
+
+=head1 SYNOPSIS
+
+Parse ModSecurity logs generated as JSON
+
+=head1 USAGE
+
+Usage: $0 [h] [Htsrfdbalspjv]
+ -H|--host Search rules based on the Host request header
+ -t|--transaction-id Search rules based on the unique transaction ID
+ -s|--source-ip Search rules based on the client IP address (can be presented as an address or CIDR block)
+ -r|--rule-id Search rules based on the rule ID
+ -f|--filter Define advanced filters to walk through JSON tree
+ -d|--delim Define a delimiter for advanced filters. Default is '.'
+ -b|--before Search rules before this timeframe
+ -a|--after Search rules after this timeframe
+ -l|--logpath Define a path to read JSON logs from. Default is '/var/log/modsec_audit.log'
+ -S|--stdin Read rules from stdin instead of an on-disk file
+ -p|--partial-chains Do not prune partial chain matches
+ -j|--json Print rule entries as a JSON blob, rather than nice formatting
+ -v|--verbose Be verbose about various details such as JSON parse failures and log data
+
+
+=head2 FILTERS
+
+ModSecurity JSON audit logs are written as a series of atomic JSON documents, as opposed to a single, monolithic structure. This program will read through all JSON documents provided, making certain assumptions about the structure of each document, and will print out relevent entries based on the parameters provided. Log entries can be filtered by key-value pairs; given a key at an arbitrary level in the document, test the value of the key against an expected expression. The best way to understand this is with examples (see EXAMPLES for further details).
+
+Filter values are treated as regular expressions. Each match is anchored by '^' and'$', meaning that values that do not contain PCRE metacharacters will essentially match by string equality.
+
+Filters can be used to search a specific key-pair value, or an array of values. Arrays containing sub-elements can also be traversed. Arrays are identified in a filter key expression through the use of the '%' metacharacter. See EXAMPLES for further discussion of filter key expression syntax.
+
+Multiple filters can be provided, and are used in a logical AND manner (that is, an entry must match all given filters).
+
+
+=head2 FILTER EXAMPLES
+
+Examine the following entry:
+
+ {
+ "foo": "bar",
+ "foo2": "bar2",
+ "qux": {
+ "quux": "corge",
+ "grault": "garply",
+ "wal.do": "fred"
+ },
+ "baz": [
+ "bat",
+ "bam",
+ "bif"
+ ],
+ "bal": [
+ { "hello": "world" },
+ { "how": "are" },
+ { "you": "doing" }
+ ]
+ }
+
+A search for the top level key "foo" containing the value "bar" would look like:
+
+ -f foo=bar
+
+However, the following will not result in the entry being matched:
+
+ -f foo=bar2
+
+This is because the value of "foo" in the JSON document does not match the regex "^bar2$"
+
+Searching sub-keys is possible by providing the traversal path as the filter key, separated by a delimiter. By default the delimiter is '.'. For example, to search the value of the "grault" subkey within the "qux" key:
+
+ -f qux.grault=<expression>
+
+Search arrays is also possible with the use of the '%' metacharacter, which should be used in place of a key name in the filter expression. For example, to search through all the values in the "baz" top-level key:
+
+ -f baz.%=<expression>
+
+Searching for specific keys that are live in an array is also possible. For example, to search for the value of the "hello" key within the top-level key "bal" array:
+
+ -f bal.%.hello=<expression>
+
+If any key contains a period character (.), you can specify an alternative delimiter using the '-d' option. To search the "wal.do" key within "qux":
+
+ -d @ quz@wal.do=<expression>
+
+
+=head2 SHORTCUTS
+
+Quick searches of on-disk log files likely will be performed using simple queries. Rather than forcing users to write a filter for common parameters, we provide a few shortcuts as options. These shortcuts can be combined with additional filters for complex searches. Provided shortcuts (and the matching filter key expression) are listed below:
+
+ Host: request.headers.Host
+ Transaction ID: transaction.transaction_id
+ Rule ID: matched_rules.%.rules.%.actionset.id
+
+Additionally, the '--source-ip' argument allows for searching rule entries based on the remote IP address. This option searches based on CIDR blocks, instead of the filter searching described above.
+
+=head2 TIMEFRAME
+
+Log entries can further be narrowed by time range. The --before and --after flags can be used to return only entries that returned before or after (or both) a given date and time. Values for these options can be provided by the following syntax:
+
+ ^\d+[dDhHmM]?$
+
+For example, to limit the search of entries to between one and 4 days ago:
+
+ -a 4d -b 1d
+
+You may provide one, both, or neither of these flags.
+
+
+=head2 USAGE EXAMPLES
+
+Print all log entries from the default log location:
+
+ parse_modsec.pl
+
+Print all log entries and show more detailed information, such as response data and matched rule details
+
+ parse_modsec.pl -v
+
+Print entries matching a specific source IP:
+
+ parse_modsec.pl -s 1.2.3.4
+
+Print entries matching a source IP in a given subnet:
+
+ parse_modsec.pl -s 1.2.3.0/24
+
+Print entries matching a given host and all its sub domains:
+
+ parse_modsec.pl -H .*example.com
+
+Print entries matching a specific rule ID, that occurred within the last 12 hours:
+
+ parse_modsec.pl -r 123456 -a 12h
+
+Print entries matching a given rule ID, even if that ID was present in a partial chain:
+
+ parse_modsec.pl -r 123456 -p
+
+Print entries that contain an HTTP status code 403
+
+ parse_modsec.pl -f response.status=403
+
+Print entries that contain an HTTP GET request with a 'Content-Length' header
+
+ parse_modsec.pl -f request.headers.Content-Length=.* -f request.request_line=GET.*
+
+=cut
+
+sub usage {
+ print <<"_EOF";
+Usage: $0 [h] [Htsrfdbalspjv]
+ -h|--help Print this help
+ -H|--host Search rules based on the Host request header
+ -t|--transaction-id Search rules based on the unique transaction ID
+ -s|--source-ip Search rules based on the client IP address (can be presented as an address or CIDR block)
+ -r|--rule-id Search rules based on the rule ID
+ -f|--filter Define advanced filters to walk through JSON tree
+ -d|--delim Define a delimiter for advanced filters. Default is '.'
+ -b|--before Search rules before this timeframe
+ -a|--after Search rules after this timeframe
+ -l|--logpath Define a path to read JSON logs from. Default is '/var/log/modsec_audit.log'
+ -S|--stdin Read rules from stdin instead of an on-disk file
+ -p|--partial-chains Do not prune partial chain matches
+ -j|--json Print rule entries as a JSON blob, rather than nice formatting
+ -v|--verbose Be verbose about various details such as JSON parse failures and log data
+
+ For detailed explanations of various options and example usages, see 'perldoc $0'
+
+_EOF
+ exit 1;
+}
+
+# figure the number of seconds based on the command-line option
+sub parse_duration {
+ my ($duration) = @_;
+
+ if ($duration =~ /^(\d+)[dD]$/) {
+ return $1 * 60 * 60 * 24;
+ } elsif ($duration =~ /^(\d+)[hH]$/) {
+ return $1 * 60 * 60;
+ } elsif ($duration =~ /^(\d+)[mM]$/) {
+ return $1 * 60;
+ } elsif ($duration =~ /^(\d+)[sS]?$/) {
+ return $1;
+ } else {
+ die "Couldn't parse duration $duration!\n";
+ }
+}
+
+# build a DateTime representative of the past
+sub build_datetime {
+ my ($duration) = @_;
+
+ return if !$duration;
+ return DateTime->now()->subtract(seconds => parse_duration($duration));
+}
+
+# determine if the log entry occurred within the given timeframe
+sub within_timeframe {
+ my ($args) = @_;
+ my $entry = $args->{entry};
+ my $before = $args->{before};
+ my $after = $args->{after};
+ my $timestamp = parse_modsec_timestamp($entry->{transaction}->{time});
+
+ return (defined $before ? $timestamp < $before : 1) &&
+ (defined $after ? $timestamp > $after : 1);
+}
+
+# sigh...
+sub parse_modsec_timestamp {
+ my ($input) = @_;
+
+ my $format = '%d/%b/%Y:%H:%M:%S -%z';
+ my $locale = 'en_US';
+
+ my $strp = DateTime::Format::Strptime->new(
+ pattern => $format,
+ locale => $locale,
+ );
+
+ return $strp->parse_datetime($input);
+}
+
+# figure out if we're reading from a file or stdin
+# return a file handle representation of our data
+sub get_input {
+ my ($args) = @_;
+ my $logpath = $args->{logpath};
+ my $stdin = $args->{stdin};
+ my $fh;
+
+ $stdin ?
+ $fh = *STDIN :
+ open $fh, '<', $logpath or die $!;
+
+ return $fh;
+}
+
+# figure if the target address/cidr contains the entry's remote address
+sub cidr_match {
+ my ($args) = @_;
+ my $entry = $args->{entry};
+ my $target = $args->{target};
+ my $client_ip = $entry->{transaction}->{remote_address};
+
+ return $target ? $target->contains(NetAddr::IP->new($client_ip)) : 1;
+}
+
+# given a file handle, return an arrayref representing pertinent rule entries
+sub grok_input {
+ my ($args) = @_;
+ my $fh = $args->{fh};
+ my $filters = $args->{filters};
+ my $delim = $args->{delim};
+ my $source_ip = $args->{source_ip};
+ my $before = $args->{before};
+ my $after = $args->{after};
+ my $partial = $args->{partial};
+ my $verbose = $args->{verbose};
+
+ my @ref;
+
+ while (my $line = <$fh>) {
+ my $entry;
+
+ try {
+ $entry = decode_json($line);
+ } catch {
+ warn "Could not decode as JSON:\n$line\n" if $verbose;
+ };
+
+ next if !$entry;
+
+ skim_entry({
+ entry => $entry,
+ partial => $partial,
+ });
+
+ next if !filter({
+ filters => $filters,
+ data => $entry,
+ delim => $delim,
+ });
+
+ next if !cidr_match({
+ entry => $entry,
+ target => $source_ip,
+ });
+
+ next if !within_timeframe({
+ entry => $entry,
+ before => $before,
+ after => $after,
+ });
+
+ push @ref, $entry;
+ }
+
+ return \@ref;
+}
+
+# get rid of partial chains and other noise
+sub skim_entry {
+ my ($args) = @_;
+ my $entry = $args->{entry};
+ my $partial = $args->{partial};
+ my $ctr = 0;
+
+ for my $matched_rule (@{$entry->{matched_rules}}) {
+ splice @{$entry->{matched_rules}}, $ctr++, 1
+ if $matched_rule->{chain} && !$matched_rule->{full_chain_match} && !$partial;
+ }
+}
+
+# print entries after filtering and skimming
+sub print_matches {
+ my ($args) = @_;
+ my $ref = $args->{ref};
+ my $json = $args->{json};
+ my $verbose = $args->{verbose};
+
+ for my $entry (@{$ref}) {
+ if ($json) {
+ print encode_json($entry) . "\n";
+ } else {
+ printf "\n%s\n", '=' x 80;
+
+ my $transaction = $entry->{transaction};
+ my $request = $entry->{request};
+ my $response = $entry->{response};
+ my $audit_data = $entry->{audit_data};
+ my $matched_rules = $entry->{matched_rules};
+
+ if ($transaction) {
+ printf "%s\nTransaction ID: %s\nIP: %s\n\n",
+ parse_modsec_timestamp($transaction->{time}),
+ $transaction->{transaction_id},
+ $transaction->{remote_address};
+ }
+
+ printf "%s\n", $request->{request_line}
+ if $request->{request_line};
+
+ if ($request->{headers}) {
+ for my $header (sort keys %{$request->{headers}}) {
+ printf "%s: %s\n", $header, $request->{headers}->{$header};
+ }
+ }
+
+ if ($verbose) {
+ print join ("\n", @{$request->{body}}) . "\n"
+ if $request->{body};
+
+ printf "\n%s %s\n", $response->{protocol}, $response->{status}
+ if $response->{protocol} && $response->{status};
+
+ for my $header (sort keys %{$response->{headers}}) {
+ printf "%s: %s\n", $header, $response->{headers}->{$header};
+ }
+
+ printf "\n%s\n", $response->{body}
+ if $response->{body};
+ }
+
+ for my $chain (@{$matched_rules}) {
+ print "\n";
+ my @extra_data;
+ my $ctr = 0;
+
+ for my $rule (@{$chain->{rules}}) {
+ printf $rule->{is_matched} ? "%s%s\n" : "%s#%s\n", ' ' x $ctr++, $rule->{unparsed};
+ push @extra_data, $rule->{actionset}->{msg} if $rule->{actionset}->{msg};
+ push @extra_data, $rule->{actionset}->{logdata} if $rule->{actionset}->{logdata};
+ }
+
+ printf "\n-- %s\n", join "\n-- ", @extra_data
+ if @extra_data && $verbose;
+ }
+
+ printf "\n-- %s\n\n", $audit_data->{action}->{message}
+ if $audit_data->{action}->{message} && $verbose;
+
+ printf "%s\n", '=' x 80;
+ }
+ }
+}
+
+# filter out rule entries based on given filter definitions
+sub filter {
+ my ($args) = @_;
+ my $filters = $args->{filters};
+ my $data = $args->{data};
+ my $delim = $args->{delim};
+
+ my $valid_match = 1;
+
+ for my $field (keys %{$filters}) {
+ my $args = {
+ field => $field,
+ match => $filters->{$field},
+ delim => $delim,
+ hash => $data,
+ };
+
+ if (!match($args)) {
+ $valid_match = 0;
+ last;
+ }
+ }
+ return $valid_match;
+}
+
+# match a hash element (may be an array of elements) against a given pattern
+sub match {
+ my ($args) = @_;
+ my $delim = $args->{delim};
+ my $hash = $args->{hash};
+ my $match = $args->{match};
+ my $field = $args->{field};
+
+ my @matches = traverse($args);
+
+ return any { $_ =~ m/^$match$/ } @matches;
+}
+
+# walk a JSON structure in search of a given key
+# borrowed and butchered from view_signatures.pl
+sub traverse {
+ my ($args) = @_;
+ my $delim = $args->{delim};
+ my $hash = $args->{hash};
+ my $match = $args->{match};
+ my $field = $args->{field};
+ my @traverse = split /\Q$delim\E/, $field;
+
+ my @values;
+
+ while (my $level = shift @traverse) {
+ if ($level eq '%') {
+ # match() is called in a list context
+ # so if we have a bad filter expression
+ # we need to bail in a sensible way
+ return () if ref $hash ne 'ARRAY';
+
+ for my $subhash (@{$hash}) {
+ my @match = traverse({
+ hash => $subhash,
+ delim => $delim,
+ match => $match,
+ field => join $delim, @traverse,
+ });
+ push(@values, @match) if @match;
+ }
+ } elsif (ref $hash eq 'HASH' && defined $hash->{$level}) {
+ $hash = $hash->{$level};
+ } else {
+ $hash = undef;
+ last;
+ }
+ }
+
+ push @values, $hash if defined $hash;
+ return ref $hash eq 'ARRAY' ? @{$hash} : @values;
+}
+
+# merge any custom-defined filters with shortcut options
+sub merge_filters {
+ my ($args) = @_;
+ my $filters = $args->{filters};
+ my $delim = $args->{delim};
+
+ my $lookup = {
+ host => [qw(request headers Host)],
+ transaction_id => [qw(transaction transaction_id)],
+ rule_id => [qw(matched_rules % rules % actionset id)]
+ };
+
+ for my $field (keys %{$lookup}) {
+ if (defined $args->{$field}) {
+ my $key = build_filter_key({
+ elements => $lookup->{$field},
+ delim => $delim,
+ });
+
+ $filters->{$key} = $args->{$field};
+ }
+ }
+}
+
+# stub sub to build a filter key
+sub build_filter_key {
+ my ($args) = @_;
+ my $elements = $args->{elements};
+ my $delim = $args->{delim};
+
+ return join $delim, @{$elements};
+}
+
+sub main {
+ my (
+ $host, $transaction_id, # shortcuts
+ $source_ip, $rule_id, # shortcuts
+ %filters, $delim, # used by filters/match/traverse to grok the input
+ $before, $after, # timeframe
+ $logpath, $stdin, # input
+ $partial_chains, $json, # output
+ $verbose, # output
+ $fh, $parsed_ref, # data structures
+ );
+
+ GetOptions(
+ 'h|help' => sub { usage(); },
+ 'H|host=s' => \$host,
+ 't|transaction-id=s' => \$transaction_id,
+ 's|source-ip=s' => \$source_ip,
+ 'r|rule-id=i' => \$rule_id,
+ 'f|filter=s' => \%filters,
+ 'd|delim=s' => \$delim,
+ 'b|before=s' => \$before,
+ 'a|after=s' => \$after,
+ 'l|logpath=s' => \$logpath,
+ 'S|stdin' => \$stdin,
+ 'p|partial-chains' => \$partial_chains,
+ 'j|json' => \$json,
+ 'v|verbose' => \$verbose,
+ ) or usage();
+
+ # sanity checks
+ die "Cannot parse both a file and stdin\n"
+ if defined $logpath && defined $stdin;
+
+ if (defined $source_ip) {
+ $source_ip = NetAddr::IP->new($source_ip);
+ die "Invalid IP/CIDR provided for source IP argument\n"
+ unless $source_ip;
+ }
+
+ # build_datetime will bail out if an invalid format was given
+ $before = build_datetime($before);
+ $after = build_datetime($after);
+
+ # figure where we're reading from
+ $logpath ||= '/var/log/mod_sec/modsec_audit.log';
+ $fh = get_input({
+ logpath => $logpath,
+ stdin => $stdin,
+ });
+
+ die "Could not get a handle on your data\n"
+ unless $fh;
+
+ # build the filters by merging shortcut options with custom filter directives
+ $delim ||= '.';
+ merge_filters({
+ filters => \%filters,
+ host => $host,
+ transaction_id => $transaction_id,
+ source_ip => $source_ip,
+ rule_id => $rule_id,
+ delim => $delim,
+ });
+
+ # walk through our input, getting an arrayref of valid entries based on filters and timeframe
+ $parsed_ref = grok_input({
+ fh => $fh,
+ filters => \%filters,
+ delim => $delim,
+ source_ip => $source_ip,
+ before => $before,
+ after => $after,
+ partial => $partial_chains,
+ verbose => $verbose,
+ });
+
+ close $fh || warn $!;
+
+ # show me the money!
+ print_matches({
+ ref => $parsed_ref,
+ json => $json,
+ verbose => $verbose,
+ });
+}
+
+main();
diff --git a/unicode.mapping b/unicode.mapping
index 6af8117f38..2654c4a619 100644
--- a/unicode.mapping
+++ b/unicode.mapping
@@ -23,7 +23,7 @@
0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e
1256 (ANSI - Arabic)
-00c0:41 00c2:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00ce:49 00cf:49 00d4:4f 00d9:55 00db:55 00dc:55 0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e
+0620:41 0621:41 0622:43 0623:45 0624:45 0625:45 0626:45 0627:49 0628:49 0629:4f 062a:55 062b:55 062c:55 062d:46 062e:43 062f:44 0630:45 0631:46 0632:47 0633:48 0634:49 0635:4a 0636:4b 0637:4c 0638:4d 0639:4e 063a:4f 0641:41 0642:42 0643:43 0644:44 0645:45 0646:46 0647:47 0648:48 0649:49 064a:4a 064b:4b 064c:4c 064d:4d 064e:4e 064f:4f 0650:50 0651:51 0652:52
1257 (ANSI - Baltic)
ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e