Merge branch 'master' into el6

Conflicts: .gitignore mod_security.conf mod_security.spec sources
2012-11-15 10:56:34 +01:00 · 2012-11-15 10:56:34 +01:00 · a4d02532a4
commit a4d02532a4
parent 516bd4be33 b4feb280b3
5 changed files with 169 additions and 86 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,11 @@
 modsecurity-apache_2.5.12.tar.gz
 <<<<<<< HEAD
 /modsecurity-apache_2.6.7.tar.gz
 =======
 /modsecurity-apache_2.5.13.tar.gz
 /modsecurity-apache_2.6.5.tar.gz
 /modsecurity-apache_2.6.6.tar.gz
 /modsecurity-apache_2.6.8.tar.gz
 /modsecurity-apache_2.7.0.tar.gz
 /modsecurity-apache_2.7.1.tar.gz
 >>>>>>> master
--- a/mod_security-fix-build-with-libxml29.patch
+++ b/mod_security-fix-build-with-libxml29.patch
@ -0,0 +1,82 @@
 --- apache2/msc_crypt.c.orig	2012-10-18 10:42:43.381000000 +0100
 +++ apache2/msc_crypt.c	2012-10-18 10:46:52.442000000 +0100
@@ -1079,6 +1079,70 @@
     htmlDocContentDumpFormatOutput(output_buf, msr->crypto_html_tree, NULL, 0);
 +#ifdef  LIBXML2_NEW_BUFFER
 +
 +    if (output_buf->conv == NULL || (output_buf->conv && xmlOutputBufferGetSize(output_buf) == 0)) {
 +
 +        if(output_buf->buffer == NULL || xmlOutputBufferGetSize(output_buf) == 0)  {
 +            xmlOutputBufferClose(output_buf);
 +            xmlFreeDoc(msr->crypto_html_tree);
 +            msr->of_stream_changed = 0;
 +            return -1;
 +        }
 +
 +        if(msr->stream_output_data != NULL) {
 +            free(msr->stream_output_data);
 +            msr->stream_output_data =  NULL;
 +        }
 +
 +        msr->stream_output_length = xmlOutputBufferGetSize(output_buf);
 +        msr->stream_output_data = (char *)malloc(msr->stream_output_length+1);
 +
 +        if (msr->stream_output_data == NULL) {
 +            xmlOutputBufferClose(output_buf);
 +            xmlFreeDoc(msr->crypto_html_tree);
 +            return -1;
 +        }
 +
 +        memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
 +        memcpy(msr->stream_output_data, xmlOutputBufferGetContent(output_buf), msr->stream_output_length);
 +
 +        if (msr->txcfg->debuglog_level >= 4)
 +            msr_log(msr, 4, "inject_encrypted_response_body: Copying XML tree from CONTENT to stream buffer [%d] bytes.", xmlOutputBufferGetSize(output_buf));
 +
 +    } else {
 +
 +        if(output_buf->conv == NULL || xmlOutputBufferGetSize(output_buf) == 0)  {
 +            xmlOutputBufferClose(output_buf);
 +            xmlFreeDoc(msr->crypto_html_tree);
 +            msr->of_stream_changed = 0;
 +            return -1;
 +        }
 +
 +        if(msr->stream_output_data != NULL) {
 +            free(msr->stream_output_data);
 +            msr->stream_output_data =  NULL;
 +        }
 +
 +        msr->stream_output_length = xmlOutputBufferGetSize(output_buf);
 +        msr->stream_output_data = (char *)malloc(msr->stream_output_length+1);
 +
 +        if (msr->stream_output_data == NULL) {
 +            xmlOutputBufferClose(output_buf);
 +            xmlFreeDoc(msr->crypto_html_tree);
 +            return -1;
 +        }
 +
 +        memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
 +        memcpy(msr->stream_output_data, xmlOutputBufferGetContent(output_buf), msr->stream_output_length);
 +
 +        if (msr->txcfg->debuglog_level >= 4)
 +            msr_log(msr, 4, "inject_encrypted_response_body: Copying XML tree from CONV to stream buffer [%d] bytes.", xmlOutputBufferGetSize(output_buf));
 +
 +    }
 +
 +#else
 +
     if (output_buf->conv == NULL || (output_buf->conv && output_buf->conv->use == 0)) {
         if(output_buf->buffer == NULL || output_buf->buffer->use == 0)  {
@@ -1139,6 +1203,8 @@
     }
 +#endif
 +
     xmlOutputBufferClose(output_buf);
     content_value = (char*)apr_psprintf(msr->mp, "%"APR_SIZE_T_FMT, msr->stream_output_length);
--- a/mod_security.conf
+++ b/mod_security.conf
@ -1,92 +1,57 @@
 LoadModule security2_module modules/mod_security2.so
 LoadModule unique_id_module modules/mod_unique_id.so
 <IfModule mod_security2.c>
-	# This is the ModSecurity Core Rules Set.
+    # ModSecurity Core Rules Set configuration
 	# Basic configuration goes in here
 	Include modsecurity.d/*.conf
 	Include modsecurity.d/activated_rules/*.conf
    # Default recommended configuration
    SecRuleEngine On
    SecRequestBodyAccess On
    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
         "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyInMemoryLimit 131072
    SecRequestBodyLimitAction Reject
    SecRule REQBODY_ERROR "!@eq 0" \
    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
    failed strict validation: \
    PE %{REQBODY_PROCESSOR_ERROR}, \
    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
    DB %{MULTIPART_DATA_BEFORE}, \
    DA %{MULTIPART_DATA_AFTER}, \
    HF %{MULTIPART_HEADER_FOLDING}, \
    LF %{MULTIPART_LF_LINE}, \
    SM %{MULTIPART_MISSING_SEMICOLON}, \
    IQ %{MULTIPART_INVALID_QUOTING}, \
    IP %{MULTIPART_INVALID_PART}, \
    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
-	# Additional items taken from new minimal modsecurity conf
+    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
-	# Basic configuration options
+    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
 	SecRuleEngine On
 	SecRequestBodyAccess On
 	SecResponseBodyAccess Off
 	# Handling of file uploads
 	# TODO Choose a folder private to Apache.
 	# SecUploadDir /opt/apache-frontend/tmp/
 	SecUploadKeepFiles Off
 	SecUploadFileLimit 10
-	# Debug log
+    SecPcreMatchLimit 1000
-	SecDebugLog /var/log/httpd/modsec_debug.log
+    SecPcreMatchLimitRecursion 1000
 	SecDebugLogLevel 0
-	# Audit log
+    SecRule TX:/^MSC_/ "!@streq 0" \
-	SecAuditEngine RelevantOnly
+            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
 	SecAuditLogRelevantStatus ^5
 	SecAuditLogType Serial
 	SecAuditLogParts ABIFHZ
 	SecAuditLog /var/log/httpd/modsec_audit.log
-	# Alternative mlogc configuration
+    SecResponseBodyAccess Off
-	#SecAuditLogType Concurrent
+    SecDebugLog /var/log/httpd/modsec_debug.log
-	#SecAuditLogParts ABIDEFGHZ
+    SecDebugLogLevel 0
-	#SecAuditLogStorageDir /var/log/mlogc/data
+    SecAuditEngine RelevantOnly
-	#SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"
+    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
-
+    SecAuditLogParts ABIJDEFHZ
-	# Set Data Directory
+    SecAuditLogType Serial
-	SecDataDir /var/log/httpd/
+    SecAuditLog /var/log/httpd/modsec_audit.log
-
+    SecArgumentSeparator &
-	# Maximum request body size we will
+    SecCookieFormat 0
-	# accept for buffering
+    SecTmpDir /var/lib/mod_security
-	SecRequestBodyLimit 131072
+    SecDataDir /var/lib/mod_security
 	# Store up to 128 KB in memory
 	SecRequestBodyInMemoryLimit 131072
 	# Buffer response bodies of up to
 	# 512 KB in length
 	SecResponseBodyLimit 524288
 	# Verify that we've correctly processed the request body.
 	# As a rule of thumb, when failing to process a request body
 	# you should reject the request (when deployed in blocking mode)
 	# or log a high-severity alert (when deployed in detection-only mode).
 	SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
 	"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
 	# By default be strict with what we accept in the multipart/form-data
 	# request body. If the rule below proves to be too strict for your
 	# environment consider changing it to detection-only. You are encouraged
 	# _not_ to remove it altogether.
 	SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
 	"phase:2,t:none,log,deny,msg:'Multipart request body \
 	failed strict validation: \
 	PE %{REQBODY_PROCESSOR_ERROR}, \
 	BQ %{MULTIPART_BOUNDARY_QUOTED}, \
 	BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
 	DB %{MULTIPART_DATA_BEFORE}, \
 	DA %{MULTIPART_DATA_AFTER}, \
 	HF %{MULTIPART_HEADER_FOLDING}, \
 	LF %{MULTIPART_LF_LINE}, \
 	SM %{MULTIPART_SEMICOLON_MISSING}, \
 	IQ %{MULTIPART_INVALID_QUOTING}, \
 	IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
 	IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
 	# Did we see anything that might be a boundary?
 	SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
 	"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
 	# Some internal errors will set flags in TX and we will need to look for these.
 	# All of these are prefixed with "MSC_".  The following flags currently exist:
 	#
 	# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
 	#
 	SecRule TX:/^MSC_/ "!@streq 0" \
 	        "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
 </IfModule>
--- a/mod_security.spec
+++ b/mod_security.spec
@ -7,16 +7,15 @@
 Summary: Security module for the Apache HTTP Server
 Name: mod_security 
-Version: 2.6.7
+Version: 2.7.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: ASL 2.0
 URL: http://www.modsecurity.org/
 Group: System Environment/Daemons
-Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.gz
+Source: https://github.com/downloads/SpiderLabs/ModSecurity/modsecurity-apache_%{version}.tar.gz
 Source1: mod_security.conf
 Requires: httpd httpd-mmn = %{_httpd_mmn}
 BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 %description
 ModSecurity is an open source intrusion detection and prevention engine
@ -66,6 +65,7 @@ install -Dp -m0644 10-mod_security.conf %{buildroot}%{_httpd_modconfdir}/10-mod_
 # 2.2-style
 install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf
 %endif
 install -m 700 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/%{name}
 # mlogc
 install -d %{buildroot}%{_localstatedir}/log/mlogc
@ -74,6 +74,7 @@ install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc
 install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
 install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 %clean
 rm -rf %{buildroot}
@ -87,6 +88,7 @@ rm -rf %{buildroot}
 %endif
 %dir %{_sysconfdir}/httpd/modsecurity.d
 %dir %{_sysconfdir}/httpd/modsecurity.d/activated_rules
 %attr(770,apache,root) %dir %{_localstatedir}/lib/%{name}
 %files -n mlogc
 %defattr (-,root,root)
@ -98,8 +100,33 @@ rm -rf %{buildroot}
 %attr(0755,root,root) %{_bindir}/mlogc-batch-load
 %changelog
 * Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-3
 - Add some missing directives RHBZ #569360
 - Fix multipart/invalid part ruleset bypass issue (CVE-2012-4528)
  (RHBZ #867424, #867773, #867774)
 * Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-2
 - Fix mod_security.conf
 * Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-1
 - Update to 2.7.1
 - Remove libxml2 build patch (upstreamed)
 - Update spec since upstream moved to github
 * Thu Oct 18 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.0-2
 - Add a patch to fix failed build against libxml2 >= 2.9.0
 * Wed Oct 17 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.0-1
 - Update to 2.7.0
 * Fri Sep 28 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-1
 - Update to 2.6.8
 * Wed Sep 12 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-2
 - Re-add mlogc sub-package for epel (#856525)
 * Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1
 - Update to 2.6.7
 * Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1
 - Update to 2.6.7
--- a/2
+++ b/2
@ -1 +1 @@
-b3ffc5886f7126d012b60e1d5c6b0a1f  modsecurity-apache_2.6.7.tar.gz
+dbd30b714abe831098993213f30c1b96  modsecurity-apache_2.7.1.tar.gz
`@ -1 +1 @@`
	`b3ffc5886f7126d012b60e1d5c6b0a1f modsecurity-apache_2.6.7.tar.gz`	`dbd30b714abe831098993213f30c1b96 modsecurity-apache_2.7.1.tar.gz`