Resolves: #1930664 - RFE: Add a feature that can set a mod_security/libcurl

timeout for retrieving the rules rename mlogc to mod_security-mlogc
2021-02-23 15:49:07 +01:00 · 2021-02-23 15:49:07 +01:00 · 90c7eb5cb5
commit 90c7eb5cb5
parent ad426ffe3d
2 changed files with 93 additions and 4 deletions
--- a/mod_security-2.9.3-remote-rules-timeout.patch
+++ b/mod_security-2.9.3-remote-rules-timeout.patch
@ -0,0 +1,85 @@
+diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
+index 80f8f2b..7912d84 100644
+--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
+@@ -2354,6 +2354,24 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
+ }
+ 
+ 
+static const char *cmd_remote_timeout(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
+    directory_config *dcfg = (directory_config *)_dcfg;
+    long int timeout;
+
+    if (dcfg == NULL) return NULL;
+
+    timeout = strtol(p1, NULL, 10);
+    if ((timeout == LONG_MAX)||(timeout == LONG_MIN)||(timeout < 0)) {
+        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRemoteTimeout: %s", p1);
+    }
+
+    remote_rules_timeout = timeout;
+
+    return NULL;
+}
+
+
+ static const char *cmd_status_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
+ {
+     if (strcasecmp(p1, "on") == 0) {
+@@ -3667,6 +3685,14 @@ const command_rec module_directives[] = {
+         "Abort or Warn"
+     ),
+ 
+    AP_INIT_TAKE1 (
+        "SecRemoteTimeout",
+        cmd_remote_timeout,
+        NULL,
+        CMD_SCOPE_ANY,
+        "timeout in seconds"
+    ),
+
+ 
+     AP_INIT_TAKE1 (
+         "SecXmlExternalEntity",
+diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
+index 7bb215e..c155495 100644
+--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
+@@ -79,6 +79,8 @@ msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
+ #endif
+ int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
+ char DSOLOCAL *remote_rules_fail_message = NULL;
+unsigned long int DSOLOCAL remote_rules_timeout = NOT_SET;
+
+ 
+ int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
+ 
+diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
+index f24bc75..8bcd453 100644
+--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
+@@ -150,6 +150,7 @@ extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
+ #endif
+ extern DSOLOCAL int remote_rules_fail_action;
+ extern DSOLOCAL char *remote_rules_fail_message;
+extern DSOLOCAL unsigned long int remote_rules_timeout;
+ 
+ extern DSOLOCAL int status_engine_state;
+ 
+diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
+index 99968f0..b8db13e 100644
+--- a/apache2/msc_remote_rules.c
+++ b/apache2/msc_remote_rules.c
+@@ -358,6 +358,11 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
+         /* We want Curl to return error in case there is an HTTP error code */
+         curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
+ 
+        /* In case we want different timeout than a default one */
+        if (remote_rules_timeout != NOT_SET){
+            curl_easy_setopt(curl, CURLOPT_TIMEOUT, remote_rules_timeout);
+        }
+
+         res = curl_easy_perform(curl);
+ 
+         if (res != CURLE_OK)
--- a/mod_security.spec
+++ b/mod_security.spec
@ -19,6 +19,7 @@ Source2: 10-mod_security.conf
 Source3: modsecurity_localrules.conf
 Patch0: modsecurity-2.9.3-lua-54.patch
 Patch1: modsecurity-2.9.3-apulibs.patch
+Patch2: mod_security-2.9.3-remote-rules-timeout.patch

 Requires: httpd httpd-mmn = %{_httpd_mmn}
 %if 0%{?fedora} || 0%{?rhel} > 7
@ -48,7 +49,7 @@ for web applications. It operates embedded into the web server, acting
 as a powerful umbrella - shielding web applications from attacks.

 %if %{with mlogc}
-%package -n     mlogc
+%package        mlogc
 Summary:        ModSecurity Audit Log Collector
 Requires:       mod_security
 %if 0%{?fedora} || 0%{?rhel} > 7
@ -56,7 +57,7 @@ Requires:       mod_security
 Requires(pre):  httpd-filesystem
 %endif

-%description -n mlogc
+%description mlogc
 This package contains the ModSecurity Audit Log Collector.
 %endif

@ -70,6 +71,7 @@ This package contains the ModSecurity Audit Log Collector.
           --with-apxs=%{_httpd_apxs} \
           --with-yajl \
           --disable-static
+
 # remove rpath
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
@ -131,7 +133,7 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 %attr(770,apache,root) %dir %{_localstatedir}/lib/%{name}

 %if %{with mlogc}
-%files -n mlogc
+%files mlogc
 %doc mlogc/INSTALL
 %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/mlogc.conf
 %attr(0755,root,root) %dir %{_localstatedir}/log/mlogc
@ -142,7 +144,9 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf

 %changelog
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+- Resolves: #1930664 - RFE: Add a feature that can set a mod_security/libcurl
+  timeout for retrieving the rules
+- rename mlogc to mod_security-mlogc

 * Fri Jan 22 2021 Joe Orton <jorton@redhat.com> - 2.9.3-8
 - don't link against redundant apr-util dependent libraries