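diff -ru modsecurity-apache_2.6.8.orig/apache2/apache2_config.c modsecurity-apache_2.6.8/apache2/apache2_config.c
--- modsecurity-apache_2.6.8.orig/apache2/apache2_config.c 2012-09-25 14:05:00.000000000 +0100
+++ modsecurity-apache_2.6.8/apache2/apache2_config.c 2013-04-09 14:46:47.000000000 +0100
@@ -128,6 +128,10 @@
 /* Collection timeout */
 dcfg->col_timeout = NOT_SET;
 
+ /* xml external entity */
+ dcfg->xml_external_entity = NOT_SET;
+
+
 return dcfg;
 }
 
@@ -517,6 +521,11 @@
 
 merged->col_timeout = (child->col_timeout == NOT_SET
 ? parent->col_timeout : child->col_timeout);
+
+
+ /* xml external entity */
+ merged->xml_external_entity = (child->xml_external_entity == NOT_SET
+ ? parent->xml_external_entity : child->xml_external_entity);
 
 return merged;
 }
@@ -615,6 +624,9 @@
 if (dcfg->disable_backend_compression == NOT_SET) dcfg->disable_backend_compression = 0;
 
 if (dcfg->col_timeout == NOT_SET) dcfg->col_timeout = 3600;
+
+ /* xml external entity */
+ if (dcfg->xml_external_entity == NOT_SET) dcfg->xml_external_entity = 0;
 }
 
 /**
@@ -1705,6 +1717,34 @@
 return NULL;
 }
 
+/**
+* \brief Add SecXmlExternalEntity configuration option
+*
+* \param cmd Pointer to configuration data
+* \param _dcfg Pointer to directory configuration
+* \param p1 Pointer to configuration option
+*
+* \retval NULL On failure
+* \retval apr_psprintf On Success
+*/
+static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
+ directory_config *dcfg = (directory_config *)_dcfg;
+ if (dcfg == NULL) return NULL;
+
+ if (strcasecmp(p1, "on") == 0) {
+ dcfg->xml_external_entity = 1;
+ }
+ else if (strcasecmp(p1, "off") == 0) {
+ dcfg->xml_external_entity = 0;
+ }
+ else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecXmlExternalEntity: %s", p1);
+
+ return NULL;
+}
+
+
+
 /*
 * \brief Add SecRuleUpdateTargetById
 *
@@ -2680,5 +2720,16 @@
 "id"
 ),
 
+ AP_INIT_TAKE1 (
+ "SecXmlExternalEntity",
+ cmd_xml_external_entity,
+ NULL,
+ CMD_SCOPE_ANY,
+ "On or Off"
+ ),
+
+
+
+
 { NULL }
 };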
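Review bot: The `\retval` lines in the doc comment of `cmd_xml_external_entity` are inverted: the handler returns NULL when the value is accepted and the `apr_psprintf` message when it is invalid, so they should read `\retval NULL On success` and `\retval apr_psprintf On failure (invalid value)`. The early `if (dcfg == NULL) return NULL;` also reports success without storing anything, so an explicit `SecXmlExternalEntity Off` could be dropped silently if that path is ever reached; whether it can be is not visible from this hunk. Since the merge hunk lets a child context override its parent, the help string could state the default and the effect, e.g. `"On or Off (default Off; On allows external entities in request XML to be loaded)"`.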
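diff -ru modsecurity-apache_2.6.8.orig/apache2/modsecurity.h modsecurity-apache_2.6.8/apache2/modsecurity.h
--- modsecurity-apache_2.6.8.orig/apache2/modsecurity.h 2012-09-25 14:05:00.000000000 +0100
+++ modsecurity-apache_2.6.8/apache2/modsecurity.h 2013-04-09 14:48:34.000000000 +0100
@@ -523,6 +523,9 @@
 
 /* Collection timeout */
 int col_timeout;
+
+ /* xml */
+ int xml_external_entity;
 };
 
 struct error_message {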
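Review bot: The comment `/* xml */` on the new `xml_external_entity` field does not say what the field controls or which values it takes. Going by the other files in this patch, it holds NOT_SET, 0 or 1 and is set by the SecXmlExternalEntity directive, so a comment such as `/* SecXmlExternalEntity: 1 = allow external entity loading, 0 = block (default), NOT_SET until merged */` would tell the reader which value is the safe one. The enclosing struct begins outside the hunk.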
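diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_xml.c modsecurity-apache_2.6.8/apache2/msc_xml.c
--- modsecurity-apache_2.6.8.orig/apache2/msc_xml.c 2012-09-25 14:05:00.000000000 +0100
+++ modsecurity-apache_2.6.8/apache2/msc_xml.c 2013-04-09 14:39:48.000000000 +0100
@@ -14,17 +14,28 @@
 
 #include "msc_xml.h"
 
+static xmlParserInputBufferPtr
+xml_unload_external_entity(const char *URI, xmlCharEncoding enc) {
+ return NULL;
+}
+
 
 /**
 * Initialise XML parser.
 */
 int xml_init(modsec_rec *msr, char **error_msg) {
+ xmlParserInputBufferCreateFilenameFunc entity;
+
 if (error_msg == NULL) return -1;
 *error_msg = NULL;
 
 msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data));
 if (msr->xml == NULL) return -1;
 
+ if(msr->txcfg->xml_external_entity == 0) {
+ entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity);
+ }
+
 return 1;
 }
 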
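Review bot: `xmlParserInputBufferCreateFilenameDefault()` in `xml_init` replaces a libxml2-wide default rather than a setting on this transaction's parser, and the previous loader returned into `entity` is never read or restored. Once a transaction with `xml_external_entity == 0` has run, the blocking loader presumably stays installed for later transactions whose configuration says On, and for any other libxml2 user sharing that state, so the per-context merge in apache2_config.c would not be honoured. That fails closed, which is the safe direction, but it should either be documented as global behaviour or be scoped: keep the returned pointer in the transaction's XML state and put it back in the XML cleanup path, which is not visible in this hunk. `xml_unload_external_entity` also ignores both parameters and returns NULL for every URI; a comment such as `/* Refuse every filename/URI load so external entities cannot be fetched */` would make that intent explicit.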