From 90c7eb5cb511f90fb25cf7db48ef3c6791c0a2cf Mon Sep 17 00:00:00 2001
From: Lubos Uhliarik <luhliari@redhat.com>
Date: Tue, 23 Feb 2021 15:49:07 +0100
Subject: [PATCH] Resolves: #1930664 - RFE: Add a feature that can set a
 mod_security/libcurl   timeout for retrieving the rules rename mlogc to
 mod_security-mlogc

---
 mod_security-2.9.3-remote-rules-timeout.patch | 85 +++++++++++++++++++
 mod_security.spec                             | 12 ++-
 2 files changed, 93 insertions(+), 4 deletions(-)
 create mode 100644 mod_security-2.9.3-remote-rules-timeout.patch

diff --git a/mod_security-2.9.3-remote-rules-timeout.patch b/mod_security-2.9.3-remote-rules-timeout.patch
new file mode 100644
index 0000000..1d347ac
--- /dev/null
+++ b/mod_security-2.9.3-remote-rules-timeout.patch
@@ -0,0 +1,85 @@
+diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
+index 80f8f2b..7912d84 100644
+--- a/apache2/apache2_config.c
++++ b/apache2/apache2_config.c
+@@ -2354,6 +2354,24 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
+ }
+ 
+ 
++static const char *cmd_remote_timeout(cmd_parms *cmd, void *_dcfg, const char *p1)
++{
++    directory_config *dcfg = (directory_config *)_dcfg;
++    long int timeout;
++
++    if (dcfg == NULL) return NULL;
++
++    timeout = strtol(p1, NULL, 10);
++    if ((timeout == LONG_MAX)||(timeout == LONG_MIN)||(timeout < 0)) {
++        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRemoteTimeout: %s", p1);
++    }
++
++    remote_rules_timeout = timeout;
++
++    return NULL;
++}
++
++
+ static const char *cmd_status_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
+ {
+     if (strcasecmp(p1, "on") == 0) {
+@@ -3667,6 +3685,14 @@ const command_rec module_directives[] = {
+         "Abort or Warn"
+     ),
+ 
++    AP_INIT_TAKE1 (
++        "SecRemoteTimeout",
++        cmd_remote_timeout,
++        NULL,
++        CMD_SCOPE_ANY,
++        "timeout in seconds"
++    ),
++
+ 
+     AP_INIT_TAKE1 (
+         "SecXmlExternalEntity",
+diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
+index 7bb215e..c155495 100644
+--- a/apache2/mod_security2.c
++++ b/apache2/mod_security2.c
+@@ -79,6 +79,8 @@ msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
+ #endif
+ int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
+ char DSOLOCAL *remote_rules_fail_message = NULL;
++unsigned long int DSOLOCAL remote_rules_timeout = NOT_SET;
++
+ 
+ int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
+ 
+diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
+index f24bc75..8bcd453 100644
+--- a/apache2/modsecurity.h
++++ b/apache2/modsecurity.h
+@@ -150,6 +150,7 @@ extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
+ #endif
+ extern DSOLOCAL int remote_rules_fail_action;
+ extern DSOLOCAL char *remote_rules_fail_message;
++extern DSOLOCAL unsigned long int remote_rules_timeout;
+ 
+ extern DSOLOCAL int status_engine_state;
+ 
+diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
+index 99968f0..b8db13e 100644
+--- a/apache2/msc_remote_rules.c
++++ b/apache2/msc_remote_rules.c
+@@ -358,6 +358,11 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
+         /* We want Curl to return error in case there is an HTTP error code */
+         curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
+ 
++        /* In case we want different timeout than a default one */
++        if (remote_rules_timeout != NOT_SET){
++            curl_easy_setopt(curl, CURLOPT_TIMEOUT, remote_rules_timeout);
++        }
++
+         res = curl_easy_perform(curl);
+ 
+         if (res != CURLE_OK)
diff --git a/mod_security.spec b/mod_security.spec
index aa78c6a..b0a0062 100644
--- a/mod_security.spec
+++ b/mod_security.spec
@@ -19,6 +19,7 @@ Source2: 10-mod_security.conf
 Source3: modsecurity_localrules.conf
 Patch0: modsecurity-2.9.3-lua-54.patch
 Patch1: modsecurity-2.9.3-apulibs.patch
+Patch2: mod_security-2.9.3-remote-rules-timeout.patch
 
 Requires: httpd httpd-mmn = %{_httpd_mmn}
 %if 0%{?fedora} || 0%{?rhel} > 7
@@ -48,7 +49,7 @@ for web applications. It operates embedded into the web server, acting
 as a powerful umbrella - shielding web applications from attacks.
 
 %if %{with mlogc}
-%package -n     mlogc
+%package        mlogc
 Summary:        ModSecurity Audit Log Collector
 Requires:       mod_security
 %if 0%{?fedora} || 0%{?rhel} > 7
@@ -56,7 +57,7 @@ Requires:       mod_security
 Requires(pre):  httpd-filesystem
 %endif
 
-%description -n mlogc
+%description mlogc
 This package contains the ModSecurity Audit Log Collector.
 %endif
 
@@ -70,6 +71,7 @@ This package contains the ModSecurity Audit Log Collector.
            --with-apxs=%{_httpd_apxs} \
            --with-yajl \
            --disable-static
+
 # remove rpath
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
@@ -131,7 +133,7 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 %attr(770,apache,root) %dir %{_localstatedir}/lib/%{name}
 
 %if %{with mlogc}
-%files -n mlogc
+%files mlogc
 %doc mlogc/INSTALL
 %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/mlogc.conf
 %attr(0755,root,root) %dir %{_localstatedir}/log/mlogc
@@ -142,7 +144,9 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 
 %changelog
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+- Resolves: #1930664 - RFE: Add a feature that can set a mod_security/libcurl
+  timeout for retrieving the rules
+- rename mlogc to mod_security-mlogc
 
 * Fri Jan 22 2021 Joe Orton <jorton@redhat.com> - 2.9.3-8
 - don't link against redundant apr-util dependent libraries