Merge remote-tracking branch 'upstream/v2/master' into v2/master

Author: allanrbo

CHANGES

@@ -1,3 +1,26 @@
+DD MMM YYYY - 2.9.3 - To be released
+------------------------------------
+
+ * Optionally preallocates memory when SecStreamInBodyInspection is on
+   [Issue #1366 - @allanbomsft, @zimmerle]
+ * Fixed typo in build_yajl.bat
+   [Issue #1366 - @allanbomsft]
+ * Fixes SecConnWriteStateLimit
+   [Issue #1545 - @nicjansma]
+ * Added "empy chunk" check
+   [Issue #1347, #1446 - @gravagli, @bostrt, @zimmerle]
+ * Add capture action to @detectXSS operator
+   [Issue #1488, #1482 - @victorhora]
+ * Fix for wildcard operator when loading conf files on Nginx / IIS
+   [Issue #1486, #1285 - @victorhora and @thierry-f-78]
+ * Set of fixies to make windows build workable with the buildbots
+   [Commit 94fe3 - @zimmerle]
+ * Uses LOG_NO_STOPWATCH instead of DLOG_NO_STOPWATCH
+   [Issue #1510 - @marcstern]
+ * Adds missing headers
+   [Issue #1454 - @devnexen]
+
+
 18 Jul 2017 - 2.9.2
 -------------------
 

apache2/apache2_io.c

@@ -85,10 +85,11 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *bb_out,
         return APR_EGENERAL;
     }
 
-    if (chunk && (!msr->txcfg->stream_inbody_inspection || (msr->txcfg->stream_inbody_inspection && msr->if_stream_changed == 0))) {
-        /* Copy the data we received in the chunk */
-        bucket = apr_bucket_heap_create(chunk->data, chunk->length, NULL,
-                f->r->connection->bucket_alloc);
+    if (chunk && chunk->length > 0) {
+        if (chunk && (!msr->txcfg->stream_inbody_inspection || (msr->txcfg->stream_inbody_inspection && msr->if_stream_changed == 0))) {
+            /* Copy the data we received in the chunk */
+            bucket = apr_bucket_heap_create(chunk->data, chunk->length, NULL,
+                    f->r->connection->bucket_alloc);
 
 #if 0
 
@@ -107,33 +108,34 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *bb_out,
 
 #endif
 
-        if (bucket == NULL) return APR_EGENERAL;
-        APR_BRIGADE_INSERT_TAIL(bb_out, bucket);
+            if (bucket == NULL) return APR_EGENERAL;
+            APR_BRIGADE_INSERT_TAIL(bb_out, bucket);
 
-        if (msr->txcfg->debuglog_level >= 4) {
-            msr_log(msr, 4, "Input filter: Forwarded %" APR_SIZE_T_FMT " bytes.", chunk->length);
-        }
-    } else if (msr->stream_input_data != NULL) {
+            if (msr->txcfg->debuglog_level >= 4) {
+                msr_log(msr, 4, "Input filter: Forwarded %" APR_SIZE_T_FMT " bytes.", chunk->length);
+            }
+        } else if (msr->stream_input_data != NULL) {
 
-        msr->if_stream_changed = 0;
+            msr->if_stream_changed = 0;
 
-        bucket = apr_bucket_heap_create(msr->stream_input_data, msr->stream_input_length, NULL,
-                f->r->connection->bucket_alloc);
+            bucket = apr_bucket_heap_create(msr->stream_input_data, msr->stream_input_length, NULL,
+                    f->r->connection->bucket_alloc);
 
-        if (msr->txcfg->stream_inbody_inspection)  {
-            if(msr->stream_input_data != NULL) {
-                free(msr->stream_input_data);
-                msr->stream_input_data = NULL;
+            if (msr->txcfg->stream_inbody_inspection)  {
+                if(msr->stream_input_data != NULL) {
+                    free(msr->stream_input_data);
+                    msr->stream_input_data = NULL;
+                }
             }
-        }
 
-        if (bucket == NULL) return APR_EGENERAL;
-        APR_BRIGADE_INSERT_TAIL(bb_out, bucket);
+            if (bucket == NULL) return APR_EGENERAL;
+            APR_BRIGADE_INSERT_TAIL(bb_out, bucket);
 
-        if (msr->txcfg->debuglog_level >= 4) {
-            msr_log(msr, 4, "Input stream filter: Forwarded %" APR_SIZE_T_FMT " bytes.", msr->stream_input_length);
-        }
+            if (msr->txcfg->debuglog_level >= 4) {
+                msr_log(msr, 4, "Input stream filter: Forwarded %" APR_SIZE_T_FMT " bytes.", msr->stream_input_length);
+            }
 
+        }
     }
 
     if (rc == 0) {
@@ -190,7 +192,6 @@ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) {
     if (msr->txcfg->debuglog_level >= 4) {
         msr_log(msr, 4, "Input filter: Reading request body.");
     }
-
     if (modsecurity_request_body_start(msr, error_msg) < 0) {
         return -1;
     }
@@ -281,9 +282,14 @@ apr_status_t read_request_body(modsec_rec *msr, char **error_msg) {
             }
 
             if (msr->txcfg->stream_inbody_inspection == 1)   {
+#ifndef MSC_LARGE_STREAM_INPUT
+                msr->stream_input_length+=buflen;
+                modsecurity_request_body_to_stream(msr, buf, buflen, error_msg);
+#else
                 if (modsecurity_request_body_to_stream(msr, buf, buflen, error_msg) < 0) {
                     return -1;
                 }
+#endif
             }
 
             msr->reqbody_length += buflen;

apache2/mod_security2.c

@@ -1597,7 +1597,7 @@ static int hook_connection_early(conn_rec *conn)
                     "Possible DoS Consumption Attack [Rejected]", ip_count_w,
                     conn_write_state_limit, client_ip);
 
-                if (!conn_limits_filter_state == MODSEC_ENABLED)
+                if (conn_limits_filter_state == MODSEC_ENABLED)
                     return OK;
             }
         }

apache2/modsecurity.h

@@ -287,7 +287,10 @@ struct modsec_rec {
     unsigned int         resbody_contains_html;
 
     apr_size_t           stream_input_length;
+#ifdef MSC_LARGE_STREAM_INPUT
     apr_size_t           stream_input_allocated_length;
+#endif
+
     char                *stream_input_data;
     apr_size_t           stream_output_length;
     char                *stream_output_data;

apache2/msc_logging.c

@@ -1165,7 +1165,7 @@ void sec_audit_logger_json(modsec_rec *msr) {
 
 
         /* Stopwatch2 */
-#ifdef DLOG_NO_STOPWATCH
+#ifdef LOG_NO_STOPWATCH
         if (msr->txcfg->debuglog_level >= 9)
 #endif
         format_performance_variables_json(msr, g);
@@ -1998,7 +1998,7 @@ void sec_audit_logger_native(modsec_rec *msr) {
         }
 
         /* Stopwatch; left in for compatibility reasons */
-#ifdef DLOG_NO_STOPWATCH
+#ifdef LOG_NO_STOPWATCH
 	if (msr->txcfg->debuglog_level >= 9) {
 #endif
         text = apr_psprintf(msr->mp, "Stopwatch: %" APR_TIME_T_FMT " %" APR_TIME_T_FMT " (- - -)\n",
@@ -2013,7 +2013,7 @@ void sec_audit_logger_native(modsec_rec *msr) {
                 "; %s\n", msr->request_time, (now - msr->request_time), perf_all);
             sec_auditlog_write(msr, text, strlen(text));
         }
-#ifdef DLOG_NO_STOPWATCH
+#ifdef LOG_NO_STOPWATCH
         }
 #endif
 

apache2/msc_reqbody.c

@@ -428,9 +428,59 @@ apr_status_t modsecurity_request_body_store(modsec_rec *msr,
 }
 
 apr_status_t modsecurity_request_body_to_stream(modsec_rec *msr, const char *buffer, int buflen, char **error_msg) {
+#ifndef MSC_LARGE_STREAM_INPUT
+    char *stream_input_body = NULL;
+    char *data = NULL;
+    int first_pkt = 0;
+#else
     apr_size_t allocate_length = 0;
     char* allocated = NULL;
+#endif
+
+#ifndef MSC_LARGE_STREAM_INPUT
+    if(msr->stream_input_data == NULL)  {
+        msr->stream_input_data = (char *)calloc(sizeof(char), msr->stream_input_length + 1);
+        first_pkt = 1;
+    }
+    else    {
+
+        data = (char *)malloc(msr->stream_input_length + 1 - buflen);
+
+        if(data == NULL)
+            return -1;
+
+        memset(data, 0, msr->stream_input_length + 1 - buflen);
+        memcpy(data, msr->stream_input_data, msr->stream_input_length - buflen);
+
+        stream_input_body = (char *)realloc(msr->stream_input_data, msr->stream_input_length + 1);
+
+        msr->stream_input_data = (char *)stream_input_body;
+    }
+
+    if (msr->stream_input_data == NULL) {
+        if(data)    {
+            free(data);
+            data = NULL;
+        }
+        *error_msg = apr_psprintf(msr->mp, "Unable to allocate memory to hold request body on stream. Asked for %" APR_SIZE_T_FMT " bytes.",
+                msr->stream_input_length + 1);
+        return -1;
+    }
+
+    memset(msr->stream_input_data, 0, msr->stream_input_length+1);
+
+    if(first_pkt)   {
+        memcpy(msr->stream_input_data, buffer, msr->stream_input_length);
+    } else {
+        memcpy(msr->stream_input_data, data, msr->stream_input_length - buflen);
+        memcpy(msr->stream_input_data+(msr->stream_input_length - buflen), buffer, buflen);
+    }
 
+    if(data)    {
+        free(data);
+        data = NULL;
+    }
+#else
     if (msr->stream_input_data == NULL)  {
         // Is the request body length known beforehand? (requests that are not Transfer-Encoding: chunked)
         if (msr->request_content_length > 0) {
@@ -458,7 +508,6 @@ apr_status_t modsecurity_request_body_to_stream(modsec_rec *msr, const char *buf
     else {
         // Do we need to expand the space we have previously allocated?
         if ((msr->stream_input_length + buflen) > msr->stream_input_allocated_length) {
-
             // If this becomes a hotspot again, consider increasing by some percent extra each time, for fewer reallocs
             allocate_length = msr->stream_input_length + buflen;
 
@@ -480,10 +529,10 @@ apr_status_t modsecurity_request_body_to_stream(modsec_rec *msr, const char *buf
             }
         }
     }
-
     // Append buffer to msr->stream_input_data
     memcpy(msr->stream_input_data + msr->stream_input_length, buffer, buflen);
     msr->stream_input_length += buflen;
+#endif
 
     return 1;
 }

apache2/msc_status_engine.c

@@ -19,6 +19,9 @@
 #ifdef WIN32
 #include <winsock2.h>
 #include <iphlpapi.h>
+#else
+#include <sys/ioctl.h>
+#include <netdb.h>
 #endif
 
 #ifdef DARWIN

apache2/msc_tree.c

@@ -14,6 +14,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <apr.h>
 #if APR_HAVE_STDINT_H
 #include <stdint.h>
 #endif

apache2/msc_util.c

@@ -22,6 +22,10 @@
 #include "msc_release.h"
 #include "msc_util.h"
 
+#include <apr.h>
+#if APR_HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
 #include <apr_lib.h>
 #include <apr_sha1.h>
 #include "modsecurity_config.h"

apache2/re_operators.c

@@ -634,18 +634,25 @@ static int msre_op_rsub_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
         free(msr->stream_input_data);
         msr->stream_input_data = NULL;
         msr->stream_input_length = 0;
+#ifdef MSC_LARGE_STREAM_INPUT
         msr->stream_input_allocated_length  = 0;
 
         msr->stream_input_data = (char *)malloc(size);
+#else
+        msr->stream_input_data = (char *)malloc(size+1);
+#endif
 
         if(msr->stream_input_data == NULL)  {
             return -1;
         }
 
         msr->stream_input_length = size;
+#ifdef MSC_LARGE_STREAM_INPUT
         msr->stream_input_allocated_length = size;
         memset(msr->stream_input_data, 0x0, size);
-
+#else
+        memset(msr->stream_input_data, 0x0, size+1);
+#endif
         msr->if_stream_changed = 1;
 
         memcpy(msr->stream_input_data, data, size);
@@ -2160,12 +2167,14 @@ static int msre_op_detectSQLi_execute(modsec_rec *msr, msre_rule *rule, msre_var
  */
 static int msre_op_detectXSS_execute(modsec_rec *msr, msre_rule *rule, msre_var *var,
     char **error_msg) {
-
+    int capture;
     int is_xss;
 
     is_xss = libinjection_xss(var->value, var->value_len);
+    capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0;
 
     if (is_xss) {
+        set_match_to_tx(msr, capture, var->value, 0);
         *error_msg = apr_psprintf(msr->mp, "detected XSS using libinjection.");
 
         if (msr->txcfg->debuglog_level >= 9) {