base repository: owasp-modsecurity/ModSecurity-nginx
base: master
head repository: lmq1999/ModSecurity-nginx
compare: master
  • 2 commits
  • 7 files changed
  • 1 contributor

Commits on Oct 25, 2022

  1. Add error custom

    lmq1999 committed Oct 25, 2022
    5cec98b View commit details

Commits on Nov 8, 2024

  1. Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature.
    66ff4bb View commit details
2 changes: 1 addition & 1 deletion src/ngx_http_modsecurity_body_filter.c
@@ -50,7 +50,7 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
return ngx_http_next_body_filter(r, in);
}

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
ctx = ngx_http_modsecurity_get_module_ctx(r)

dd("body filter, recovering ctx: %p", ctx);
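Review bot: The rewritten lookup `ctx = ngx_http_modsecurity_get_module_ctx(r)` has lost its terminating semicolon, so the statement runs straight into the following `dd(...)` call. Depending on how `dd` expands (its definition is not visible here), this either fails to compile or builds only by accident when the macro expands to nothing. The line should read `ctx = ngx_http_modsecurity_get_module_ctx(r);`. The body filter continues outside the hunk, so whether `ctx` is checked for NULL before use cannot be confirmed from here.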

2 changes: 2 additions & 0 deletions src/ngx_http_modsecurity_common.h
@@ -99,6 +99,7 @@ typedef struct {
unsigned processed:1;
unsigned logged:1;
unsigned intervention_triggered:1;
unsigned request_body_processed:1;
} ngx_http_modsecurity_ctx_t;


@@ -139,6 +140,7 @@ extern ngx_module_t ngx_http_modsecurity_module;
/* ngx_http_modsecurity_module.c */
int ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_request_t *r, ngx_int_t early_log);
ngx_http_modsecurity_ctx_t *ngx_http_modsecurity_create_ctx(ngx_http_request_t *r);
ngx_http_modsecurity_ctx_t *ngx_http_modsecurity_get_module_ctx(ngx_http_request_t *r);
char *ngx_str_to_char(ngx_str_t a, ngx_pool_t *p);
#if (NGX_PCRE2)
#define ngx_http_modsecurity_pcre_malloc_init(x) NULL
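Review bot: The new `request_body_processed` bit and the `ngx_http_modsecurity_get_module_ctx()` prototype are added without comments, although every call site touched in this change depends on their contract. Above the prototype I would add `/* like ngx_http_get_module_ctx(), but falls back to the request pool's cleanup list when the ctx slot is empty; may still return NULL */`. Next to the bit I would add `/* set once msc_process_request_body() has run for this transaction */`. Stating the NULL case in the header matters because several callers in this change use the result without a visible check.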
20 changes: 10 additions & 10 deletions src/ngx_http_modsecurity_header_filter.c
@@ -109,7 +109,7 @@ ngx_http_modsecurity_store_ctx_header(ngx_http_request_t *r, ngx_str_t *name, ng
ngx_http_modsecurity_conf_t *mcf;
ngx_http_modsecurity_header_t *hdr;

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
ctx = ngx_http_modsecurity_get_module_ctx(r);
if (ctx == NULL || ctx->sanity_headers_out == NULL) {
return NGX_ERROR;
}
@@ -152,7 +152,7 @@ ngx_http_modsecurity_resolv_header_server(ngx_http_request_t *r, ngx_str_t name,
ngx_str_t value;

clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
ctx = ngx_http_modsecurity_get_module_ctx(r);

if (r->headers_out.server == NULL) {
if (clcf->server_tokens) {
@@ -186,7 +186,7 @@ ngx_http_modsecurity_resolv_header_date(ngx_http_request_t *r, ngx_str_t name, o
ngx_http_modsecurity_ctx_t *ctx = NULL;
ngx_str_t date;

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
ctx = ngx_http_modsecurity_get_module_ctx(r);

if (r->headers_out.date == NULL) {
date.data = ngx_cached_http_time.data;
@@ -216,7 +216,7 @@ ngx_http_modsecurity_resolv_header_content_length(ngx_http_request_t *r, ngx_str
ngx_str_t value;
char buf[NGX_INT64_LEN+2];

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
ctx = ngx_http_modsecurity_get_module_ctx(r);

if (r->headers_out.content_length_n > 0)
{
@@ -243,7 +243,7 @@ ngx_http_modsecurity_resolv_header_content_type(ngx_http_request_t *r, ngx_str_t
{
ngx_http_modsecurity_ctx_t *ctx = NULL;

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
ctx = ngx_http_modsecurity_get_module_ctx(r);

if (r->headers_out.content_type.len > 0)
{
@@ -270,7 +270,7 @@ ngx_http_modsecurity_resolv_header_last_modified(ngx_http_request_t *r, ngx_str_
u_char buf[1024], *p;
ngx_str_t value;

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
ctx = ngx_http_modsecurity_get_module_ctx(r);

if (r->headers_out.last_modified_time == -1) {
return 1;
@@ -302,7 +302,7 @@ ngx_http_modsecurity_resolv_header_connection(ngx_http_request_t *r, ngx_str_t n
ngx_str_t value;

clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
ctx = ngx_http_modsecurity_get_module_ctx(r);

if (r->headers_out.status == NGX_HTTP_SWITCHING_PROTOCOLS) {
connection = "upgrade";
@@ -353,7 +353,7 @@ ngx_http_modsecurity_resolv_header_transfer_encoding(ngx_http_request_t *r, ngx_
if (r->chunked) {
ngx_str_t value = ngx_string("chunked");

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
ngx_http_modsecurity_get_module_ctx(r);

#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
ngx_http_modsecurity_store_ctx_header(r, &name, &value);
@@ -380,7 +380,7 @@ ngx_http_modsecurity_resolv_header_vary(ngx_http_request_t *r, ngx_str_t name, o
if (r->gzip_vary && clcf->gzip_vary) {
ngx_str_t value = ngx_string("Accept-Encoding");

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
ctx = ngx_http_modsecurity_get_module_ctx(r);

#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
ngx_http_modsecurity_store_ctx_header(r, &name, &value);
@@ -422,7 +422,7 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)

/* XXX: if NOT_MODIFIED, do we need to process it at all? see xslt_header_filter() */

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
ctx = ngx_http_modsecurity_get_module_ctx(r);

dd("header filter, recovering ctx: %p", ctx);
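Review bot: In the `ngx_http_modsecurity_resolv_header_transfer_encoding` hunk the replacement line is `ngx_http_modsecurity_get_module_ctx(r);` with the `ctx =` assignment dropped, so the recovered context is thrown away. The rest of that function lies outside the hunk, but the sibling resolvers initialise `ctx` to NULL; if this one does the same and later dereferences `ctx`, a chunked response would hit a NULL pointer in the worker. The line should be `ctx = ngx_http_modsecurity_get_module_ctx(r);`, matching the other eight call sites in this file. Separately, none of the resolver hunks show a NULL check on the returned pointer, which is worth confirming now that the lookup has a second failure mode.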

14 changes: 3 additions & 11 deletions src/ngx_http_modsecurity_log.c
@@ -41,17 +41,9 @@ ngx_http_modsecurity_log_handler(ngx_http_request_t *r)
{
ngx_pool_t *old_pool;
ngx_http_modsecurity_ctx_t *ctx;
ngx_http_modsecurity_conf_t *mcf;

dd("catching a new _log_ phase handler");

mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
if (mcf == NULL || mcf->enable != 1)
{
dd("ModSecurity not enabled... returning");
return NGX_OK;
}

/*
if (r->method != NGX_HTTP_GET &&
r->method != NGX_HTTP_POST && r->method != NGX_HTTP_HEAD) {
@@ -60,13 +52,13 @@ ngx_http_modsecurity_log_handler(ngx_http_request_t *r)
return NGX_OK;
}
*/
ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
ctx = ngx_http_modsecurity_get_module_ctx(r);

dd("recovering ctx: %p", ctx);

if (ctx == NULL) {
dd("something really bad happened here. returning NGX_ERROR");
return NGX_ERROR;
dd("ModSecurity not enabled or error occurred");
return NGX_OK;
}

if (ctx->logged) {
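Review bot: With the `mcf->enable` test gone, a NULL `ctx` in `ngx_http_modsecurity_log_handler` now stands for both "ModSecurity is off for this location" and "the context could not be recovered", and both return `NGX_OK` with only a `dd()` debug message. On an enabled location, the handler therefore returns before the `ctx->logged` handling and leaves no trace in the error log, which is a gap for anyone relying on the audit trail. I would keep the enabled/disabled distinction and report the second case before returning, e.g. `ngx_log_error(NGX_LOG_WARN, r->connection->log, 0, "modsecurity: no context in log phase");`. The handler continues past the end of the hunk.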
23 changes: 22 additions & 1 deletion src/ngx_http_modsecurity_module.c
@@ -149,7 +149,7 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re

dd("processing intervention");

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
ctx = ngx_http_modsecurity_get_module_ctx(r);
if (ctx == NULL)
{
return NGX_HTTP_INTERNAL_SERVER_ERROR;
@@ -313,6 +313,27 @@ ngx_http_modsecurity_create_ctx(ngx_http_request_t *r)
return ctx;
}

ngx_inline ngx_http_modsecurity_ctx_t *
ngx_http_modsecurity_get_module_ctx(ngx_http_request_t *r)
{
ngx_http_modsecurity_ctx_t *ctx;
ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
if (ctx == NULL) {
/*
* refer <nginx>/src/http/modules/ngx_http_realip_module.c
* if module context was reset, the original address
* can still be found in the cleanup handler
*/
ngx_pool_cleanup_t *cln;
for (cln = r->pool->cleanup; cln; cln = cln->next) {
if (cln->handler == ngx_http_modsecurity_cleanup) {
ctx = cln->data;
break;
}
}
}
return ctx;
}

char *
ngx_conf_set_rules(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
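Review bot: The fallback in `ngx_http_modsecurity_get_module_ctx()` searches `r->pool->cleanup`, and nginx subrequests are allocated from the parent request's pool, so a subrequest with no context of its own would presumably be handed the parent's transaction rather than NULL. Any handler that previously created a fresh context on NULL (not visible in this section) would then skip that step for subrequests, which would no longer be inspected as separate transactions. If the helper is only meant to survive an internal redirect, guarding the walk with `if (ctx == NULL && r == r->main) {` would keep the two cases apart. Either way, the function should get a header comment saying when it can still return NULL.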
10 changes: 8 additions & 2 deletions src/ngx_http_modsecurity_pre_access.c
@@ -27,7 +27,7 @@ ngx_http_modsecurity_request_read(ngx_http_request_t *r)
{
ngx_http_modsecurity_ctx_t *ctx;

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
ctx = ngx_http_modsecurity_get_module_ctx(r);

#if defined(nginx_version) && nginx_version >= 8011
r->main->count--;
@@ -70,7 +70,7 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
}
*/

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
ctx = ngx_http_modsecurity_get_module_ctx(r);

dd("recovering ctx: %p", ctx);

@@ -80,6 +80,11 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}

if (ctx->request_body_processed) {
// should we use r->internal or r->filter_finalize?
return NGX_DECLINED;
}

if (ctx->intervention_triggered) {
return NGX_DECLINED;
}
@@ -212,6 +217,7 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)

old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
msc_process_request_body(ctx->modsec_transaction);
ctx->request_body_processed = 1;
ngx_http_modsecurity_pcre_malloc_done(old_pool);

ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 0);
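Review bot: The new early return on `ctx->request_body_processed` in `ngx_http_modsecurity_pre_access_handler` ships with an open question (`// should we use r->internal or r->filter_finalize?`) instead of a statement of why the handler can be entered twice. This branch decides whether request-body rules run at all, so the comment should record the decision. If the cause is the phases re-running after an internal redirect with a recovered context, say so: `/* body already inspected for this transaction; phases re-run after an internal redirect */`. The flag is also set right after `msc_process_request_body()` in the last hunk without looking at its result, so a failed body pass is never retried; please confirm that is intended. The handler's body extends outside all three hunks.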
2 changes: 1 addition & 1 deletion src/ngx_http_modsecurity_rewrite.c
@@ -46,7 +46,7 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)

dd("catching a new _rewrite_ phase handler");

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
ctx = ngx_http_modsecurity_get_module_ctx(r);

dd("recovering ctx: %p", ctx);