Merge branch 'master' into master

Author: martinhsv

.travis.yml

@@ -16,8 +16,8 @@ addons:
     - liblmdb-dev
 
 env:
-  - VER_NGINX=1.17.6
-  - VER_NGINX=1.16.1
+  - VER_NGINX=1.21.0
+  - VER_NGINX=1.20.1
 
 before_script:
   - cd ..

CHANGES

@@ -1,8 +1,18 @@
 v1.0.x - YYYY-MMM-DD (To be released)
--------------------------------------
+--------------------
 
  - Support http protocol versions besides 0.9, 1.0, 1.1, 2.0
    [Issue #224 - @HQuest, @martinhsv]
+ - Support for building with nginx configured with PCRE2
+   [Issue #260 - @defanator]
+
+v1.0.2 - 2021-Jun-02
+--------------------
+
+ - Fix auditlog in case of internal redirect
+   [Issue #90 - @AirisX, @defanator]
+ - Fix nginx sends response without headers
+   [Issue #238 - @airween, @defanator]
  - Fix nginx not clearing body cache (caused by incomplete fix for #187)
    [Issue #216 - @krewi1, @martinhsv]
  - Fix config setting not respected: client_body_in_file_only on

src/ngx_http_modsecurity_body_filter.c

@@ -56,6 +56,10 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
         return ngx_http_next_body_filter(r, in);
     }
 
+    if (ctx->intervention_triggered) {
+        return ngx_http_next_body_filter(r, in);
+    }
+
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
     mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
     if (mcf != NULL && mcf->sanity_checks_enabled != NGX_CONF_UNSET)
@@ -141,7 +145,7 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
         int ret;
 
         msc_append_response_body(ctx->modsec_transaction, data, chain->buf->last - data);
-        ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r);
+        ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 0);
         if (ret > 0) {
             return ngx_http_filter_finalize_request(r,
                 &ngx_http_modsecurity_module, ret);
@@ -159,7 +163,7 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
 
 /* XXX: I don't get how body from modsec being transferred to nginx's buffer.  If so - after adjusting of nginx's
    XXX: body we can proceed to adjust body size (content-length).  see xslt_body_filter() for example */
-            ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r);
+            ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 0);
             if (ret > 0) {
                 return ret;
             }

src/ngx_http_modsecurity_common.h

@@ -56,7 +56,7 @@
 
 #define MODSECURITY_NGINX_MAJOR "1"
 #define MODSECURITY_NGINX_MINOR "0"
-#define MODSECURITY_NGINX_PATCHLEVEL "1"
+#define MODSECURITY_NGINX_PATCHLEVEL "2"
 #define MODSECURITY_NGINX_TAG ""
 #define MODSECURITY_NGINX_TAG_NUM "100"
 
@@ -97,6 +97,8 @@ typedef struct {
     unsigned waiting_more_body:1;
     unsigned body_requested:1;
     unsigned processed:1;
+    unsigned logged:1;
+    unsigned intervention_triggered:1;
 } ngx_http_modsecurity_ctx_t;
 
 
@@ -135,11 +137,16 @@ typedef struct {
 extern ngx_module_t ngx_http_modsecurity_module;
 
 /* ngx_http_modsecurity_module.c */
-int ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_request_t *r);
+int ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_request_t *r, ngx_int_t early_log);
 ngx_http_modsecurity_ctx_t *ngx_http_modsecurity_create_ctx(ngx_http_request_t *r);
 char *ngx_str_to_char(ngx_str_t a, ngx_pool_t *p);
+#if (NGX_PCRE2)
+#define ngx_http_modsecurity_pcre_malloc_init(x) NULL
+#define ngx_http_modsecurity_pcre_malloc_done(x) (void)x
+#else
 ngx_pool_t *ngx_http_modsecurity_pcre_malloc_init(ngx_pool_t *pool);
 void ngx_http_modsecurity_pcre_malloc_done(ngx_pool_t *old_pool);
+#endif
 
 /* ngx_http_modsecurity_body_filter.c */
 ngx_int_t ngx_http_modsecurity_body_filter_init(void);
@@ -149,7 +156,7 @@ ngx_int_t ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *i
 ngx_int_t ngx_http_modsecurity_header_filter_init(void);
 ngx_int_t ngx_http_modsecurity_header_filter(ngx_http_request_t *r);
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-int ngx_http_modescurity_store_ctx_header(ngx_http_request_t *r, ngx_str_t *name, ngx_str_t *value);
+int ngx_http_modsecurity_store_ctx_header(ngx_http_request_t *r, ngx_str_t *name, ngx_str_t *value);
 #endif
 
 /* ngx_http_modsecurity_log.c */

src/ngx_http_modsecurity_header_filter.c

@@ -101,7 +101,7 @@ ngx_http_modsecurity_header_out_t ngx_http_modsecurity_headers_out[] = {
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
 int
-ngx_http_modescurity_store_ctx_header(ngx_http_request_t *r, ngx_str_t *name, ngx_str_t *value)
+ngx_http_modsecurity_store_ctx_header(ngx_http_request_t *r, ngx_str_t *name, ngx_str_t *value)
 {
     ngx_http_modsecurity_ctx_t     *ctx;
     ngx_http_modsecurity_conf_t    *mcf;
@@ -167,7 +167,7 @@ ngx_http_modsecurity_resolv_header_server(ngx_http_request_t *r, ngx_str_t name,
     }
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    ngx_http_modescurity_store_ctx_header(r, &name, &value);
+    ngx_http_modsecurity_store_ctx_header(r, &name, &value);
 #endif
 
     return msc_add_n_response_header(ctx->modsec_transaction,
@@ -196,7 +196,7 @@ ngx_http_modsecurity_resolv_header_date(ngx_http_request_t *r, ngx_str_t name, o
     }
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    ngx_http_modescurity_store_ctx_header(r, &name, &date);
+    ngx_http_modsecurity_store_ctx_header(r, &name, &date);
 #endif
 
     return msc_add_n_response_header(ctx->modsec_transaction,
@@ -223,7 +223,7 @@ ngx_http_modsecurity_resolv_header_content_length(ngx_http_request_t *r, ngx_str
         value.len = strlen(buf);
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modescurity_store_ctx_header(r, &name, &value);
+        ngx_http_modsecurity_store_ctx_header(r, &name, &value);
 #endif
         return msc_add_n_response_header(ctx->modsec_transaction,
             (const unsigned char *) name.data,
@@ -247,7 +247,7 @@ ngx_http_modsecurity_resolv_header_content_type(ngx_http_request_t *r, ngx_str_t
     {
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modescurity_store_ctx_header(r, &name, &r->headers_out.content_type);
+        ngx_http_modsecurity_store_ctx_header(r, &name, &r->headers_out.content_type);
 #endif
 
         return msc_add_n_response_header(ctx->modsec_transaction,
@@ -280,7 +280,7 @@ ngx_http_modsecurity_resolv_header_last_modified(ngx_http_request_t *r, ngx_str_
     value.len = (int)(p-buf);
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    ngx_http_modescurity_store_ctx_header(r, &name, &value);
+    ngx_http_modsecurity_store_ctx_header(r, &name, &value);
 #endif
 
     return msc_add_n_response_header(ctx->modsec_transaction,
@@ -316,7 +316,7 @@ ngx_http_modsecurity_resolv_header_connection(ngx_http_request_t *r, ngx_str_t n
             value.len = strlen((char *)buf);
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-            ngx_http_modescurity_store_ctx_header(r, &name2, &value);
+            ngx_http_modsecurity_store_ctx_header(r, &name2, &value);
 #endif
 
             msc_add_n_response_header(ctx->modsec_transaction,
@@ -333,7 +333,7 @@ ngx_http_modsecurity_resolv_header_connection(ngx_http_request_t *r, ngx_str_t n
     value.len = strlen(connection);
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    ngx_http_modescurity_store_ctx_header(r, &name, &value);
+    ngx_http_modsecurity_store_ctx_header(r, &name, &value);
 #endif
 
     return msc_add_n_response_header(ctx->modsec_transaction,
@@ -354,7 +354,7 @@ ngx_http_modsecurity_resolv_header_transfer_encoding(ngx_http_request_t *r, ngx_
         ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modescurity_store_ctx_header(r, &name, &value);
+        ngx_http_modsecurity_store_ctx_header(r, &name, &value);
 #endif
 
         return msc_add_n_response_header(ctx->modsec_transaction,
@@ -381,7 +381,7 @@ ngx_http_modsecurity_resolv_header_vary(ngx_http_request_t *r, ngx_str_t name, o
         ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modescurity_store_ctx_header(r, &name, &value);
+        ngx_http_modsecurity_store_ctx_header(r, &name, &value);
 #endif
 
         return msc_add_n_response_header(ctx->modsec_transaction,
@@ -430,6 +430,10 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
         return ngx_http_next_header_filter(r);
     }
 
+    if (ctx->intervention_triggered) {
+        return ngx_http_next_header_filter(r);
+    }
+
 /* XXX: can it happen ?  already processed i mean */
 /* XXX: check behaviour on 'ModSecurity off' */
 
@@ -488,7 +492,7 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
         }
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modescurity_store_ctx_header(r, &data[i].key, &data[i].value);
+        ngx_http_modsecurity_store_ctx_header(r, &data[i].key, &data[i].value);
 #endif
 
         /*
@@ -522,12 +526,12 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
     old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
     msc_process_response_headers(ctx->modsec_transaction, status, http_response_ver);
     ngx_http_modsecurity_pcre_malloc_done(old_pool);
-    ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r);
+    ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 0);
     if (r->error_page) {
         return ngx_http_next_header_filter(r);
-        }
+    }
     if (ret > 0) {
-        return ret;
+        return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity_module, ret);
     }
 
     /*

src/ngx_http_modsecurity_log.c

@@ -67,6 +67,11 @@ ngx_http_modsecurity_log_handler(ngx_http_request_t *r)
         return NGX_ERROR;
     }
 
+    if (ctx->logged) {
+        dd("already logged earlier");
+        return NGX_OK;
+    }
+
     dd("calling msc_process_logging for %p", ctx);
     old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
     msc_process_logging(ctx->modsec_transaction);

src/ngx_http_modsecurity_module.c

@@ -38,6 +38,7 @@ static void ngx_http_modsecurity_cleanup_rules(void *data);
  * https://github.com/openresty/lua-nginx-module/blob/master/src/ngx_http_lua_pcrefix.c
  */
 
+#if !(NGX_PCRE2)
 static void *(*old_pcre_malloc)(size_t);
 static void (*old_pcre_free)(void *ptr);
 static ngx_pool_t *ngx_http_modsec_pcre_pool = NULL;
@@ -103,6 +104,7 @@ ngx_http_modsecurity_pcre_malloc_done(ngx_pool_t *old_pool)
         pcre_free = old_pcre_free;
     }
 }
+#endif
 
 /*
  * ngx_string's are not null-terminated in common case, so we need to convert
@@ -130,17 +132,24 @@ ngx_inline char *ngx_str_to_char(ngx_str_t a, ngx_pool_t *p)
 
 
 ngx_inline int
-ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_request_t *r)
+ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_request_t *r, ngx_int_t early_log)
 {
     char *log = NULL;
     ModSecurityIntervention intervention;
     intervention.status = 200;
     intervention.url = NULL;
     intervention.log = NULL;
     intervention.disruptive = 0;
+    ngx_http_modsecurity_ctx_t *ctx = NULL;
 
     dd("processing intervention");
 
+    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+    if (ctx == NULL)
+    {
+        return NGX_HTTP_INTERNAL_SERVER_ERROR;
+    }
+
     if (msc_intervention(transaction, &intervention) == 0) {
         dd("nothing to do");
         return 0;
@@ -192,14 +201,28 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
         r->headers_out.location->hash = 1;
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modescurity_store_ctx_header(r, &location->key, &location->value);
+        ngx_http_modsecurity_store_ctx_header(r, &location->key, &location->value);
 #endif
 
         return intervention.status;
     }
 
     if (intervention.status != 200)
     {
+        /**
+         * FIXME: this will bring proper response code to audit log in case
+         * when e.g. error_page redirect was triggered, but there still won't be another
+         * required pieces like response headers etc.
+         *
+         */
+        msc_update_status_code(ctx->modsec_transaction, intervention.status);
+
+        if (early_log) {
+            dd("intervention -- calling log handler manually with code: %d", intervention.status);
+            ngx_http_modsecurity_log_handler(r);
+            ctx->logged = 1;
+	}
+
         if (r->header_sent)
         {
             dd("Headers are already sent. Cannot perform the redirection at this point.");

src/ngx_http_modsecurity_pre_access.c

@@ -78,6 +78,10 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
         return NGX_HTTP_INTERNAL_SERVER_ERROR;
     }
 
+    if (ctx->intervention_triggered) {
+        return NGX_DECLINED;
+    }
+
     if (ctx->waiting_more_body == 1)
     {
         dd("waiting for more data before proceed. / count: %d",
@@ -189,7 +193,7 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
              * it may ask for a intervention in consequence of that.
              *
              */
-            ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r);
+            ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 0);
             if (ret > 0) {
                 return ret;
             }
@@ -208,7 +212,7 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
         msc_process_request_body(ctx->modsec_transaction);
         ngx_http_modsecurity_pcre_malloc_done(old_pool);
 
-        ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r);
+        ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 0);
         if (r->error_page) {
             return NGX_DECLINED;
             }

src/ngx_http_modsecurity_rewrite.c

@@ -115,8 +115,9 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
          *
          */
         dd("Processing intervention with the connection information filled in");
-        ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r);
+        ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 1);
         if (ret > 0) {
+            ctx->intervention_triggered = 1;
             return ret;
         }
 
@@ -163,8 +164,9 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
         ngx_http_modsecurity_pcre_malloc_done(old_pool);
 
         dd("Processing intervention with the transaction information filled in (uri, method and version)");
-        ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r);
+        ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 1);
         if (ret > 0) {
+            ctx->intervention_triggered = 1;
             return ret;
         }
 
@@ -211,11 +213,12 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
         msc_process_request_headers(ctx->modsec_transaction);
         ngx_http_modsecurity_pcre_malloc_done(old_pool);
         dd("Processing intervention with the request headers information filled in");
-        ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r);
+        ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 1);
         if (r->error_page) {
             return NGX_DECLINED;
             }
         if (ret > 0) {
+            ctx->intervention_triggered = 1;
             return ret;
         }
     }