Resolves: #1930664 - RFE: Add a feature that can set a mod_security/libcurl

timeout for retrieving the rules rename mlogc to mod_security-mlogc
2021-02-23 15:49:07 +01:00 · 2021-02-23 15:49:07 +01:00 · 90c7eb5cb5
commit 90c7eb5cb5
parent ad426ffe3d
2 changed files with 93 additions and 4 deletions
--- a/mod_security-2.9.3-remote-rules-timeout.patch
+++ b/mod_security-2.9.3-remote-rules-timeout.patch
@ -0,0 +1,85 @@
 diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
 index 80f8f2b..7912d84 100644
 --- a/apache2/apache2_config.c
 +++ b/apache2/apache2_config.c
@@ -2354,6 +2354,24 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
 }
 +static const char *cmd_remote_timeout(cmd_parms *cmd, void *_dcfg, const char *p1)
 +{
 +    directory_config *dcfg = (directory_config *)_dcfg;
 +    long int timeout;
 +
 +    if (dcfg == NULL) return NULL;
 +
 +    timeout = strtol(p1, NULL, 10);
 +    if ((timeout == LONG_MAX)||(timeout == LONG_MIN)||(timeout < 0)) {
 +        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRemoteTimeout: %s", p1);
 +    }
 +
 +    remote_rules_timeout = timeout;
 +
 +    return NULL;
 +}
 +
 +
 static const char *cmd_status_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
 {
     if (strcasecmp(p1, "on") == 0) {
@@ -3667,6 +3685,14 @@ const command_rec module_directives[] = {
         "Abort or Warn"
     ),
 +    AP_INIT_TAKE1 (
 +        "SecRemoteTimeout",
 +        cmd_remote_timeout,
 +        NULL,
 +        CMD_SCOPE_ANY,
 +        "timeout in seconds"
 +    ),
 +
     AP_INIT_TAKE1 (
         "SecXmlExternalEntity",
 diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
 index 7bb215e..c155495 100644
 --- a/apache2/mod_security2.c
 +++ b/apache2/mod_security2.c
@@ -79,6 +79,8 @@ msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
 #endif
 int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
 char DSOLOCAL *remote_rules_fail_message = NULL;
 +unsigned long int DSOLOCAL remote_rules_timeout = NOT_SET;
 +
 int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
 diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
 index f24bc75..8bcd453 100644
 --- a/apache2/modsecurity.h
 +++ b/apache2/modsecurity.h
@@ -150,6 +150,7 @@ extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
 #endif
 extern DSOLOCAL int remote_rules_fail_action;
 extern DSOLOCAL char *remote_rules_fail_message;
 +extern DSOLOCAL unsigned long int remote_rules_timeout;
 extern DSOLOCAL int status_engine_state;
 diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
 index 99968f0..b8db13e 100644
 --- a/apache2/msc_remote_rules.c
 +++ b/apache2/msc_remote_rules.c
@@ -358,6 +358,11 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
         /* We want Curl to return error in case there is an HTTP error code */
         curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
 +        /* In case we want different timeout than a default one */
 +        if (remote_rules_timeout != NOT_SET){
 +            curl_easy_setopt(curl, CURLOPT_TIMEOUT, remote_rules_timeout);
 +        }
 +
         res = curl_easy_perform(curl);
         if (res != CURLE_OK)
--- a/mod_security.spec
+++ b/mod_security.spec
@ -19,6 +19,7 @@ Source2: 10-mod_security.conf
 Source3: modsecurity_localrules.conf
 Patch0: modsecurity-2.9.3-lua-54.patch
 Patch1: modsecurity-2.9.3-apulibs.patch
 Patch2: mod_security-2.9.3-remote-rules-timeout.patch
 Requires: httpd httpd-mmn = %{_httpd_mmn}
 %if 0%{?fedora} || 0%{?rhel} > 7
@ -48,7 +49,7 @@ for web applications. It operates embedded into the web server, acting
 as a powerful umbrella - shielding web applications from attacks.
 %if %{with mlogc}
-%package -n     mlogc
+%package        mlogc
 Summary:        ModSecurity Audit Log Collector
 Requires:       mod_security
 %if 0%{?fedora} || 0%{?rhel} > 7
@ -56,7 +57,7 @@ Requires:       mod_security
 Requires(pre):  httpd-filesystem
 %endif
-%description -n mlogc
+%description mlogc
 This package contains the ModSecurity Audit Log Collector.
 %endif
@ -70,6 +71,7 @@ This package contains the ModSecurity Audit Log Collector.
           --with-apxs=%{_httpd_apxs} \
           --with-yajl \
           --disable-static
 # remove rpath
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
@ -131,7 +133,7 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 %attr(770,apache,root) %dir %{_localstatedir}/lib/%{name}
 %if %{with mlogc}
-%files -n mlogc
+%files mlogc
 %doc mlogc/INSTALL
 %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/mlogc.conf
 %attr(0755,root,root) %dir %{_localstatedir}/log/mlogc
@ -142,7 +144,9 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 %changelog
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+- Resolves: #1930664 - RFE: Add a feature that can set a mod_security/libcurl
  timeout for retrieving the rules
 - rename mlogc to mod_security-mlogc
 * Fri Jan 22 2021 Joe Orton <jorton@redhat.com> - 2.9.3-8
 - don't link against redundant apr-util dependent libraries