Compare commits
37 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
b964b09c4d | ||
|
eff88774af | ||
|
fcffe49bdb | ||
|
74bb5ef6ac | ||
|
5674c3eeb8 | ||
|
9f867be7f4 | ||
|
1c04ae212a | ||
|
0a837562bb | ||
|
ee4d4b6b08 | ||
|
516bd4be33 | ||
|
b6e1bc306b | ||
|
fea112790b | ||
|
91ccd3988e | ||
|
d934a872f3 | ||
|
33b43334cf | ||
|
7b62d15613 | ||
|
de6b96be9b | ||
|
3aca1bcdc9 | ||
|
8591cc1a40 | ||
|
96c9b51ade | ||
|
c9ed66101b | ||
|
8c545ffa74 | ||
|
b0fa109735 | ||
|
e8e9a0c385 | ||
|
a10f689594 | ||
|
dc4a57cecd | ||
|
c078f6ef5f | ||
|
9cbab86ceb | ||
|
97c7d3ea80 | ||
|
3c31e4d46c | ||
|
c5b504983e | ||
|
0419751394 | ||
|
b10da42fb9 | ||
|
df1f19229c | ||
|
33d10cb255 | ||
|
2b8e464cb8 | ||
|
3a3819e6ac |
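--- a/.gitignore
+++ b/.gitignore
@@ -3,5 +3,3 @@ modsecurity-apache_2.5.12.tar.gz
 /modsecurity-apache_2.6.5.tar.gz
 /modsecurity-apache_2.6.6.tar.gz
 /modsecurity-apache_2.6.8.tar.gz
-/modsecurity-apache_2.7.0.tar.gz
-/modsecurity-apache_2.7.1.tar.gz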
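--- a/mod_security-2.6.8-fix-m_strcasestr-issue-rhbz1089343.patch
+++ b/mod_security-2.6.8-fix-m_strcasestr-issue-rhbz1089343.patch
@@ -0,0 +1,38 @@
+diff -ru modsecurity-apache_2.6.8/apache2/msc_util.c modsecurity-apache_2.6.8-patched/apache2/msc_util.c
+--- modsecurity-apache_2.6.8/apache2/msc_util.c 2012-09-25 14:05:00.000000000 +0100
++++ modsecurity-apache_2.6.8-patched/apache2/msc_util.c 2014-04-18 16:11:02.765000000 +0100
+@@ -368,6 +368,24 @@
+return d;
+}
+
++char *m_strcasestr(const char *haystack, const char *needle) {
++ char aux, lower_aux;
++ int length;
++
++ if ((aux = *needle++) != 0) {
++ aux = (char)tolower((unsigned char)aux);
++ length = strlen(needle);
++ do {
++ do {
++ if ((lower_aux = *haystack++) == 0)
++ return NULL;
++ } while ((char)tolower((unsigned char)lower_aux) != aux);
++ } while (strncasecmp(haystack, needle, length) != 0);
++ haystack--;
++ }
++ return ((char *)haystack);
++}
++
+/**
+*
+*/
+diff -ru modsecurity-apache_2.6.8/apache2/msc_util.h modsecurity-apache_2.6.8-patched/apache2/msc_util.h
+--- modsecurity-apache_2.6.8/apache2/msc_util.h 2012-09-25 14:05:00.000000000 +0100
++++ modsecurity-apache_2.6.8-patched/apache2/msc_util.h 2014-04-18 16:09:40.007000000 +0100
+@@ -111,4 +111,6 @@
+
+char DSOLOCAL *format_all_performance_variables(modsec_rec *msr, apr_pool_t *mp);
+
++char DSOLOCAL *m_strcasestr(const char *haystack, const char *needle);
++
+#endif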
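Review bot: `int length` in the added `m_strcasestr` receives the `size_t` result of `strlen(needle)` and is then handed back to `strncasecmp`, whose third parameter is `size_t`; declaring it `size_t length;` removes the narrowing and the sign-compare warning. The header hunk declares `char DSOLOCAL *m_strcasestr(...)` while the definition in msc_util.c omits `DSOLOCAL`; whether the mismatch matters depends on how `DSOLOCAL` is defined, which the patch does not show. `strncasecmp` and `tolower` come from `<strings.h>` and `<ctype.h>` and the patch adds no include, so it presumably relies on msc_util.c already pulling them in. A one-line contract comment above the function would help later readers: `/* Case-insensitive strstr(): returns the match position in haystack, NULL if absent; an empty needle matches at haystack. */`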
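--- a/mod_security-2.6.8-rhbz947842.patch
+++ b/mod_security-2.6.8-rhbz947842.patch
@@ -0,0 +1,133 @@
+diff -ru modsecurity-apache_2.6.8.orig/apache2/apache2_config.c modsecurity-apache_2.6.8/apache2/apache2_config.c
+--- modsecurity-apache_2.6.8.orig/apache2/apache2_config.c 2012-09-25 14:05:00.000000000 +0100
++++ modsecurity-apache_2.6.8/apache2/apache2_config.c 2013-04-09 14:46:47.000000000 +0100
+@@ -128,6 +128,10 @@
+/* Collection timeout */
+dcfg->col_timeout = NOT_SET;
+
++ /* xml external entity */
++ dcfg->xml_external_entity = NOT_SET;
++
++
+return dcfg;
+}
+
+@@ -517,6 +521,11 @@
+
+merged->col_timeout = (child->col_timeout == NOT_SET
+? parent->col_timeout : child->col_timeout);
++
++
++ /* xml external entity */
++ merged->xml_external_entity = (child->xml_external_entity == NOT_SET
++ ? parent->xml_external_entity : child->xml_external_entity);
+
+return merged;
+}
+@@ -615,6 +624,9 @@
+if (dcfg->disable_backend_compression == NOT_SET) dcfg->disable_backend_compression = 0;
+
+if (dcfg->col_timeout == NOT_SET) dcfg->col_timeout = 3600;
++
++ /* xml external entity */
++ if (dcfg->xml_external_entity == NOT_SET) dcfg->xml_external_entity = 0;
+}
+
+/**
+@@ -1705,6 +1717,34 @@
+return NULL;
+}
+
++/**
++* \brief Add SecXmlExternalEntity configuration option
++*
++* \param cmd Pointer to configuration data
++* \param _dcfg Pointer to directory configuration
++* \param p1 Pointer to configuration option
++*
++* \retval NULL On failure
++* \retval apr_psprintf On Success
++*/
++static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const char *p1)
++{
++ directory_config *dcfg = (directory_config *)_dcfg;
++ if (dcfg == NULL) return NULL;
++
++ if (strcasecmp(p1, "on") == 0) {
++ dcfg->xml_external_entity = 1;
++ }
++ else if (strcasecmp(p1, "off") == 0) {
++ dcfg->xml_external_entity = 0;
++ }
++ else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecXmlExternalEntity: %s", p1);
++
++ return NULL;
++}
++
++
++
+/*
+* \brief Add SecRuleUpdateTargetById
+*
+@@ -2680,5 +2720,16 @@
+"id"
+),
+
++ AP_INIT_TAKE1 (
++ "SecXmlExternalEntity",
++ cmd_xml_external_entity,
++ NULL,
++ CMD_SCOPE_ANY,
++ "On or Off"
++ ),
++
++
++
++
+{ NULL }
+};
+diff -ru modsecurity-apache_2.6.8.orig/apache2/modsecurity.h modsecurity-apache_2.6.8/apache2/modsecurity.h
+--- modsecurity-apache_2.6.8.orig/apache2/modsecurity.h 2012-09-25 14:05:00.000000000 +0100
++++ modsecurity-apache_2.6.8/apache2/modsecurity.h 2013-04-09 14:48:34.000000000 +0100
+@@ -523,6 +523,9 @@
+
+/* Collection timeout */
+int col_timeout;
++
++ /* xml */
++ int xml_external_entity;
+};
+
+struct error_message {
+diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_xml.c modsecurity-apache_2.6.8/apache2/msc_xml.c
+--- modsecurity-apache_2.6.8.orig/apache2/msc_xml.c 2012-09-25 14:05:00.000000000 +0100
++++ modsecurity-apache_2.6.8/apache2/msc_xml.c 2013-04-09 14:39:48.000000000 +0100
+@@ -14,17 +14,28 @@
+
+#include "msc_xml.h"
+
++static xmlParserInputBufferPtr
++xml_unload_external_entity(const char *URI, xmlCharEncoding enc) {
++ return NULL;
++}
++
+
+/**
+* Initialise XML parser.
+*/
+int xml_init(modsec_rec *msr, char **error_msg) {
++ xmlParserInputBufferCreateFilenameFunc entity;
++
+if (error_msg == NULL) return -1;
+*error_msg = NULL;
+
+msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data));
+if (msr->xml == NULL) return -1;
+
++ if(msr->txcfg->xml_external_entity == 0) {
++ entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity);
++ }
++
+return 1;
+}
+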
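Review bot: In the msc_xml.c hunk, `xml_init` stores the previous loader returned by `xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity)` in the local `entity` and never reads or restores it, so `entity` is a dead store that compilers will flag as set-but-unused. That default is libxml2 global state rather than per-transaction state, so as far as the hunk shows the override persists for later requests in the same worker regardless of their own `xml_external_entity` value; the effect is the more restrictive one, but it should be stated rather than left implicit: `/* libxml2 global default: once disabled here it stays disabled for this worker */`. `xml_unload_external_entity` also leaves `URI` and `enc` unused; `(void)URI; (void)enc;` keeps -Wunused-parameter quiet without changing behaviour. The `xml_init` body is complete within the hunk.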
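--- a/mod_security-2.6.8_fix_cve-2013-2765.patch
+++ b/mod_security-2.6.8_fix_cve-2013-2765.patch
@@ -0,0 +1,11 @@
+diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_reqbody.c modsecurity-apache_2.6.8/apache2/msc_reqbody.c
+--- modsecurity-apache_2.6.8.orig/apache2/msc_reqbody.c 2012-09-25 14:05:00.000000000 +0100
++++ modsecurity-apache_2.6.8/apache2/msc_reqbody.c 2013-05-28 15:18:49.000000000 +0100
+@@ -170,6 +170,7 @@
+
+/* Would storing this chunk mean going over the limit? */
+if ((msr->msc_reqbody_spilltodisk)
++ && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON)
+&& (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit))
+{
+msc_data_chunk **chunks;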
@ -0,0 +1,25 @@
|
|||||||
|
From f8d441cd25172fdfe5b613442fedfc0da3cc333d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Breno Silva <breno.silva@gmail.com>
|
||||||
|
Date: Wed, 4 Sep 2013 08:57:07 -0300
|
||||||
|
Subject: [PATCH] Fix Chunked string case sensitive issue - CVE-2013-5705
|
||||||
|
|
||||||
|
---
|
||||||
|
apache2/modsecurity.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/apache2/modsecurity.c b/apache2/modsecurity.c
|
||||||
|
index 6b77132..b36775d 100644
|
||||||
|
--- a/apache2/modsecurity.c
|
||||||
|
+++ b/apache2/modsecurity.c
|
||||||
|
@@ -297,7 +297,7 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) {
|
||||||
|
if (msr->request_content_length == -1) {
|
||||||
|
/* There's no C-L, but is chunked encoding used? */
|
||||||
|
char *transfer_encoding = (char *)apr_table_get(msr->request_headers, "Transfer-Encoding");
|
||||||
|
- if ((transfer_encoding != NULL)&&(strstr(transfer_encoding, "chunked") != NULL)) {
|
||||||
|
+ if ((transfer_encoding != NULL)&&(m_strcasestr(transfer_encoding, "chunked") != NULL)) {
|
||||||
|
msr->reqbody_should_exist = 1;
|
||||||
|
msr->reqbody_chunked = 1;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
1.9.1
|
||||||
|
|
@ -1,82 +0,0 @@
|
|||||||
--- apache2/msc_crypt.c.orig 2012-10-18 10:42:43.381000000 +0100
|
|
||||||
+++ apache2/msc_crypt.c 2012-10-18 10:46:52.442000000 +0100
|
|
||||||
@@ -1079,6 +1079,70 @@
|
|
||||||
|
|
||||||
htmlDocContentDumpFormatOutput(output_buf, msr->crypto_html_tree, NULL, 0);
|
|
||||||
|
|
||||||
+#ifdef LIBXML2_NEW_BUFFER
|
|
||||||
+
|
|
||||||
+ if (output_buf->conv == NULL || (output_buf->conv && xmlOutputBufferGetSize(output_buf) == 0)) {
|
|
||||||
+
|
|
||||||
+ if(output_buf->buffer == NULL || xmlOutputBufferGetSize(output_buf) == 0) {
|
|
||||||
+ xmlOutputBufferClose(output_buf);
|
|
||||||
+ xmlFreeDoc(msr->crypto_html_tree);
|
|
||||||
+ msr->of_stream_changed = 0;
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if(msr->stream_output_data != NULL) {
|
|
||||||
+ free(msr->stream_output_data);
|
|
||||||
+ msr->stream_output_data = NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ msr->stream_output_length = xmlOutputBufferGetSize(output_buf);
|
|
||||||
+ msr->stream_output_data = (char *)malloc(msr->stream_output_length+1);
|
|
||||||
+
|
|
||||||
+ if (msr->stream_output_data == NULL) {
|
|
||||||
+ xmlOutputBufferClose(output_buf);
|
|
||||||
+ xmlFreeDoc(msr->crypto_html_tree);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
|
|
||||||
+ memcpy(msr->stream_output_data, xmlOutputBufferGetContent(output_buf), msr->stream_output_length);
|
|
||||||
+
|
|
||||||
+ if (msr->txcfg->debuglog_level >= 4)
|
|
||||||
+ msr_log(msr, 4, "inject_encrypted_response_body: Copying XML tree from CONTENT to stream buffer [%d] bytes.", xmlOutputBufferGetSize(output_buf));
|
|
||||||
+
|
|
||||||
+ } else {
|
|
||||||
+
|
|
||||||
+ if(output_buf->conv == NULL || xmlOutputBufferGetSize(output_buf) == 0) {
|
|
||||||
+ xmlOutputBufferClose(output_buf);
|
|
||||||
+ xmlFreeDoc(msr->crypto_html_tree);
|
|
||||||
+ msr->of_stream_changed = 0;
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if(msr->stream_output_data != NULL) {
|
|
||||||
+ free(msr->stream_output_data);
|
|
||||||
+ msr->stream_output_data = NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ msr->stream_output_length = xmlOutputBufferGetSize(output_buf);
|
|
||||||
+ msr->stream_output_data = (char *)malloc(msr->stream_output_length+1);
|
|
||||||
+
|
|
||||||
+ if (msr->stream_output_data == NULL) {
|
|
||||||
+ xmlOutputBufferClose(output_buf);
|
|
||||||
+ xmlFreeDoc(msr->crypto_html_tree);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ memset(msr->stream_output_data, 0x0, msr->stream_output_length+1);
|
|
||||||
+ memcpy(msr->stream_output_data, xmlOutputBufferGetContent(output_buf), msr->stream_output_length);
|
|
||||||
+
|
|
||||||
+ if (msr->txcfg->debuglog_level >= 4)
|
|
||||||
+ msr_log(msr, 4, "inject_encrypted_response_body: Copying XML tree from CONV to stream buffer [%d] bytes.", xmlOutputBufferGetSize(output_buf));
|
|
||||||
+
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+#else
|
|
||||||
+
|
|
||||||
if (output_buf->conv == NULL || (output_buf->conv && output_buf->conv->use == 0)) {
|
|
||||||
|
|
||||||
if(output_buf->buffer == NULL || output_buf->buffer->use == 0) {
|
|
||||||
@@ -1139,6 +1203,8 @@
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
xmlOutputBufferClose(output_buf);
|
|
||||||
|
|
||||||
content_value = (char*)apr_psprintf(msr->mp, "%"APR_SIZE_T_FMT, msr->stream_output_length);
|
|
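--- a/mod_security-fix-cve-2012-4528.patch
+++ b/mod_security-fix-cve-2012-4528.patch
@@ -0,0 +1,82 @@
+diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_multipart.c modsecurity-apache_2.6.8/apache2/msc_multipart.c
+--- modsecurity-apache_2.6.8.orig/apache2/msc_multipart.c 2012-11-17 09:30:50.499143902 +0100
++++ modsecurity-apache_2.6.8/apache2/msc_multipart.c 2012-11-17 09:42:41.362779780 +0100
+@@ -653,6 +653,7 @@
+}
+}
+else {
++ msr->mpd->flag_invalid_part = 1;
+msr_log(msr, 3, "Multipart: Skipping invalid part %pp (part name missing): "
+"(offset %u, length %u)", msr->mpd->mpp,
+msr->mpd->mpp->offset, msr->mpd->mpp->length);
+@@ -961,6 +962,11 @@
+msr_log(msr, 4, "Multipart: Warning: invalid quoting used.");
+}
+
++ if (msr->mpd->flag_invalid_part) {
++ msr_log(msr, 4, "Multipart: Warning: invalid part parsing.");
++ }
++
++
+if (msr->mpd->flag_invalid_header_folding) {
+msr_log(msr, 4, "Multipart: Warning: invalid header folding used.");
+}
+diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_multipart.h modsecurity-apache_2.6.8/apache2/msc_multipart.h
+--- modsecurity-apache_2.6.8.orig/apache2/msc_multipart.h 2012-11-17 09:30:50.499143902 +0100
++++ modsecurity-apache_2.6.8/apache2/msc_multipart.h 2012-11-17 09:44:04.235930720 +0100
+@@ -117,6 +117,7 @@
+int flag_boundary_whitespace;
+int flag_missing_semicolon;
+int flag_invalid_quoting;
++ int flag_invalid_part;
+int flag_invalid_header_folding;
+int flag_file_limit_exceeded;
+};
+diff -ru modsecurity-apache_2.6.8.orig/apache2/re_variables.c modsecurity-apache_2.6.8/apache2/re_variables.c
+--- modsecurity-apache_2.6.8.orig/apache2/re_variables.c 2012-11-17 09:30:50.499143902 +0100
++++ modsecurity-apache_2.6.8/apache2/re_variables.c 2012-11-17 09:48:11.176457660 +0100
+@@ -1377,6 +1377,18 @@
+}
+}
+
++/* MULTIPART_INVALID_PART */
++
++static int var_multipart_invalid_part_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
++ apr_table_t *vartab, apr_pool_t *mptmp)
++{
++ if ((msr->mpd != NULL)&&(msr->mpd->flag_invalid_part != 0)) {
++ return var_simple_generate(var, vartab, mptmp, "1");
++ } else {
++ return var_simple_generate(var, vartab, mptmp, "0");
++ }
++}
++
+/* MULTIPART_INVALID_QUOTING */
+
+static int var_multipart_invalid_quoting_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
+@@ -1429,6 +1441,7 @@
+||(msr->mpd->flag_lf_line != 0)
+||(msr->mpd->flag_missing_semicolon != 0)
+||(msr->mpd->flag_invalid_quoting != 0)
++ ||(msr->mpd->flag_invalid_part != 0)
+||(msr->mpd->flag_invalid_header_folding != 0)
+||(msr->mpd->flag_file_limit_exceeded != 0)
+) {
+@@ -2835,6 +2848,17 @@
+VAR_DONT_CACHE, /* flag */
+PHASE_REQUEST_BODY
+);
++
++ /* MULTIPART_INVALID_PART */
++ msre_engine_variable_register(engine,
++ "MULTIPART_INVALID_PART",
++ VAR_SIMPLE,
++ 0, 0,
++ NULL,
++ var_multipart_invalid_part_generate,
++ VAR_DONT_CACHE, /* flag */
++ PHASE_REQUEST_BODY
++ );
+
+/* MULTIPART_INVALID_QUOTING */
+msre_engine_variable_register(engine,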
@ -1,57 +1,94 @@
|
|||||||
|
|
||||||
LoadModule security2_module modules/mod_security2.so
|
LoadModule security2_module modules/mod_security2.so
|
||||||
LoadModule unique_id_module modules/mod_unique_id.so
|
LoadModule unique_id_module modules/mod_unique_id.so
|
||||||
|
|
||||||
<IfModule mod_security2.c>
|
<IfModule mod_security2.c>
|
||||||
# ModSecurity Core Rules Set configuration
|
# This is the ModSecurity Core Rules Set.
|
||||||
|
|
||||||
|
# Basic configuration goes in here
|
||||||
Include modsecurity.d/*.conf
|
Include modsecurity.d/*.conf
|
||||||
Include modsecurity.d/activated_rules/*.conf
|
Include modsecurity.d/activated_rules/*.conf
|
||||||
|
|
||||||
# Default recommended configuration
|
|
||||||
SecRuleEngine On
|
|
||||||
SecRequestBodyAccess On
|
|
||||||
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
|
|
||||||
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
|
|
||||||
SecRequestBodyLimit 13107200
|
|
||||||
SecRequestBodyNoFilesLimit 131072
|
|
||||||
SecRequestBodyInMemoryLimit 131072
|
|
||||||
SecRequestBodyLimitAction Reject
|
|
||||||
SecRule REQBODY_ERROR "!@eq 0" \
|
|
||||||
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
|
|
||||||
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
|
|
||||||
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
|
|
||||||
failed strict validation: \
|
|
||||||
PE %{REQBODY_PROCESSOR_ERROR}, \
|
|
||||||
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
|
|
||||||
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
|
|
||||||
DB %{MULTIPART_DATA_BEFORE}, \
|
|
||||||
DA %{MULTIPART_DATA_AFTER}, \
|
|
||||||
HF %{MULTIPART_HEADER_FOLDING}, \
|
|
||||||
LF %{MULTIPART_LF_LINE}, \
|
|
||||||
SM %{MULTIPART_MISSING_SEMICOLON}, \
|
|
||||||
IQ %{MULTIPART_INVALID_QUOTING}, \
|
|
||||||
IP %{MULTIPART_INVALID_PART}, \
|
|
||||||
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
|
|
||||||
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
|
|
||||||
|
|
||||||
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
|
# Additional items taken from new minimal modsecurity conf
|
||||||
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
|
# Basic configuration options
|
||||||
|
SecRuleEngine On
|
||||||
|
SecRequestBodyAccess On
|
||||||
|
SecResponseBodyAccess Off
|
||||||
|
|
||||||
|
# Handling of file uploads
|
||||||
|
# TODO Choose a folder private to Apache.
|
||||||
|
# SecUploadDir /opt/apache-frontend/tmp/
|
||||||
|
SecUploadKeepFiles Off
|
||||||
|
SecUploadFileLimit 10
|
||||||
|
|
||||||
SecPcreMatchLimit 1000
|
# Debug log
|
||||||
SecPcreMatchLimitRecursion 1000
|
SecDebugLog /var/log/httpd/modsec_debug.log
|
||||||
|
SecDebugLogLevel 0
|
||||||
|
|
||||||
SecRule TX:/^MSC_/ "!@streq 0" \
|
# Audit log
|
||||||
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
|
SecAuditEngine RelevantOnly
|
||||||
|
SecAuditLogRelevantStatus ^5
|
||||||
|
SecAuditLogType Serial
|
||||||
|
SecAuditLogParts ABIFHZ
|
||||||
|
SecAuditLog /var/log/httpd/modsec_audit.log
|
||||||
|
|
||||||
SecResponseBodyAccess Off
|
# Alternative mlogc configuration
|
||||||
SecDebugLog /var/log/httpd/modsec_debug.log
|
#SecAuditLogType Concurrent
|
||||||
SecDebugLogLevel 0
|
#SecAuditLogParts ABIDEFGHZ
|
||||||
SecAuditEngine RelevantOnly
|
#SecAuditLogStorageDir /var/log/mlogc/data
|
||||||
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
|
#SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"
|
||||||
SecAuditLogParts ABIJDEFHZ
|
|
||||||
SecAuditLogType Serial
|
# Set Data Directory
|
||||||
SecAuditLog /var/log/httpd/modsec_audit.log
|
|
||||||
SecArgumentSeparator &
|
|
||||||
SecCookieFormat 0
|
|
||||||
SecTmpDir /var/lib/mod_security
|
SecTmpDir /var/lib/mod_security
|
||||||
SecDataDir /var/lib/mod_security
|
SecDataDir /var/lib/mod_security
|
||||||
|
|
||||||
|
# Maximum request body size we will
|
||||||
|
# accept for buffering
|
||||||
|
SecRequestBodyLimit 131072
|
||||||
|
|
||||||
|
# Store up to 128 KB in memory
|
||||||
|
SecRequestBodyInMemoryLimit 131072
|
||||||
|
|
||||||
|
# Buffer response bodies of up to
|
||||||
|
# 512 KB in length
|
||||||
|
SecResponseBodyLimit 524288
|
||||||
|
|
||||||
|
# Verify that we've correctly processed the request body.
|
||||||
|
# As a rule of thumb, when failing to process a request body
|
||||||
|
# you should reject the request (when deployed in blocking mode)
|
||||||
|
# or log a high-severity alert (when deployed in detection-only mode).
|
||||||
|
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
|
||||||
|
"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
|
||||||
|
|
||||||
|
# By default be strict with what we accept in the multipart/form-data
|
||||||
|
# request body. If the rule below proves to be too strict for your
|
||||||
|
# environment consider changing it to detection-only. You are encouraged
|
||||||
|
# _not_ to remove it altogether.
|
||||||
|
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
|
||||||
|
"phase:2,t:none,log,deny,msg:'Multipart request body \
|
||||||
|
failed strict validation: \
|
||||||
|
PE %{REQBODY_PROCESSOR_ERROR}, \
|
||||||
|
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
|
||||||
|
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
|
||||||
|
DB %{MULTIPART_DATA_BEFORE}, \
|
||||||
|
DA %{MULTIPART_DATA_AFTER}, \
|
||||||
|
HF %{MULTIPART_HEADER_FOLDING}, \
|
||||||
|
LF %{MULTIPART_LF_LINE}, \
|
||||||
|
SM %{MULTIPART_SEMICOLON_MISSING}, \
|
||||||
|
IQ %{MULTIPART_INVALID_QUOTING}, \
|
||||||
|
IQ %{MULTIPART_INVALID_PART}, \
|
||||||
|
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
|
||||||
|
IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
|
||||||
|
|
||||||
|
# Did we see anything that might be a boundary?
|
||||||
|
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
|
||||||
|
"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
|
||||||
|
|
||||||
|
# Some internal errors will set flags in TX and we will need to look for these.
|
||||||
|
# All of these are prefixed with "MSC_". The following flags currently exist:
|
||||||
|
#
|
||||||
|
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
|
||||||
|
#
|
||||||
|
SecRule TX:/^MSC_/ "!@streq 0" \
|
||||||
|
"phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
|
||||||
</IfModule>
|
</IfModule>
|
||||||
|
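Review bot: The `MULTIPART_STRICT_ERROR` message on the new side expands `%{MULTIPART_SEMICOLON_MISSING}`, whereas the old side and the `flag_missing_semicolon` field visible in the msc_multipart.h context use the `MISSING_SEMICOLON` spelling; unless the engine also registers the other spelling, the SM field will presumably expand to nothing in the audit log instead of failing loudly. The labels `IQ` and `IH` are also each used twice on the new side, where the old side used `IP` for `MULTIPART_INVALID_PART` and `FL` for `MULTIPART_FILE_LIMIT_EXCEEDED`, so the logged line cannot be read unambiguously. Suggested lines: `SM %{MULTIPART_MISSING_SEMICOLON}, \`, `IP %{MULTIPART_INVALID_PART}, \`, `FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"`.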
@ -7,15 +7,21 @@
|
|||||||
|
|
||||||
Summary: Security module for the Apache HTTP Server
|
Summary: Security module for the Apache HTTP Server
|
||||||
Name: mod_security
|
Name: mod_security
|
||||||
Version: 2.7.1
|
Version: 2.6.8
|
||||||
Release: 3%{?dist}
|
Release: 6%{?dist}
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
URL: http://www.modsecurity.org/
|
URL: http://www.modsecurity.org/
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
Source: https://github.com/downloads/SpiderLabs/ModSecurity/modsecurity-apache_%{version}.tar.gz
|
Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.gz
|
||||||
Source1: mod_security.conf
|
Source1: mod_security.conf
|
||||||
|
Patch0: mod_security-fix-cve-2012-4528.patch
|
||||||
|
Patch1: mod_security-2.6.8-rhbz947842.patch
|
||||||
|
Patch2: mod_security-2.6.8_fix_cve-2013-2765.patch
|
||||||
|
Patch3: mod_security-2.7.6-fix_chunked_string_case_sensitive_issue-cve-2013-5705.patch
|
||||||
|
Patch4: mod_security-2.6.8-fix-m_strcasestr-issue-rhbz1089343.patch
|
||||||
Requires: httpd httpd-mmn = %{_httpd_mmn}
|
Requires: httpd httpd-mmn = %{_httpd_mmn}
|
||||||
BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel
|
BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel
|
||||||
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
|
|
||||||
%description
|
%description
|
||||||
ModSecurity is an open source intrusion detection and prevention engine
|
ModSecurity is an open source intrusion detection and prevention engine
|
||||||
@ -32,6 +38,11 @@ This package contains the ModSecurity Audit Log Collector.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n modsecurity-apache_%{version}
|
%setup -q -n modsecurity-apache_%{version}
|
||||||
|
%patch0 -p1
|
||||||
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
%patch3 -p1
|
||||||
|
%patch4 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure --enable-pcre-match-limit=1000000 \
|
%configure --enable-pcre-match-limit=1000000 \
|
||||||
@ -65,7 +76,7 @@ install -Dp -m0644 10-mod_security.conf %{buildroot}%{_httpd_modconfdir}/10-mod_
|
|||||||
# 2.2-style
|
# 2.2-style
|
||||||
install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf
|
install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf
|
||||||
%endif
|
%endif
|
||||||
install -m 700 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/%{name}
|
install -m 700 -d %{buildroot}%{_localstatedir}/lib/%{name}
|
||||||
|
|
||||||
# mlogc
|
# mlogc
|
||||||
install -d %{buildroot}%{_localstatedir}/log/mlogc
|
install -d %{buildroot}%{_localstatedir}/log/mlogc
|
||||||
@ -74,7 +85,6 @@ install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc
|
|||||||
install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
|
install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
|
||||||
install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
|
install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
|
||||||
|
|
||||||
|
|
||||||
%clean
|
%clean
|
||||||
rm -rf %{buildroot}
|
rm -rf %{buildroot}
|
||||||
|
|
||||||
@ -100,34 +110,26 @@ rm -rf %{buildroot}
|
|||||||
%attr(0755,root,root) %{_bindir}/mlogc-batch-load
|
%attr(0755,root,root) %{_bindir}/mlogc-batch-load
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-3
|
* Fri Apr 18 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-6
|
||||||
|
- Fix m_strcasestr not defined in old mod_security branch issue (RHBZ #1089343)
|
||||||
|
|
||||||
|
* Tue Apr 01 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-5
|
||||||
|
- Fix Chunked string case sensitive issue (CVE-2013-5705, RHBZ #1082904 #1082905 #1082906)
|
||||||
|
|
||||||
|
* Tue May 28 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-4
|
||||||
|
- Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765) (RHBZ #967615)
|
||||||
|
|
||||||
|
* Wed Apr 3 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-3
|
||||||
|
- Backport security patch from 2.7.3 (RHBZ #947842)
|
||||||
|
|
||||||
|
* Sat Nov 17 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-2
|
||||||
- Add some missing directives RHBZ #569360
|
- Add some missing directives RHBZ #569360
|
||||||
- Fix multipart/invalid part ruleset bypass issue (CVE-2012-4528)
|
- Backport the fix multipart/invalid part ruleset bypass issue (CVE-2012-4528)
|
||||||
(RHBZ #867424, #867773, #867774)
|
(RHBZ #867424, #867773, #867774)
|
||||||
|
|
||||||
* Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-2
|
|
||||||
- Fix mod_security.conf
|
|
||||||
|
|
||||||
* Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-1
|
|
||||||
- Update to 2.7.1
|
|
||||||
- Remove libxml2 build patch (upstreamed)
|
|
||||||
- Update spec since upstream moved to github
|
|
||||||
|
|
||||||
* Thu Oct 18 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.0-2
|
|
||||||
- Add a patch to fix failed build against libxml2 >= 2.9.0
|
|
||||||
|
|
||||||
* Wed Oct 17 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.0-1
|
|
||||||
- Update to 2.7.0
|
|
||||||
|
|
||||||
* Fri Sep 28 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-1
|
* Fri Sep 28 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-1
|
||||||
- Update to 2.6.8
|
- Update to 2.6.8
|
||||||
|
|
||||||
* Wed Sep 12 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-2
|
|
||||||
- Re-add mlogc sub-package for epel (#856525)
|
|
||||||
|
|
||||||
* Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1
|
|
||||||
- Update to 2.6.7
|
|
||||||
|
|
||||||
* Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1
|
* Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1
|
||||||
- Update to 2.6.7
|
- Update to 2.6.7
|
||||||
|
|
||||||
|