diff --git a/src/mod_security3.c b/src/mod_security3.c
index f3ce7b0..bb40c99 100644
--- a/src/mod_security3.c
+++ b/src/mod_security3.c
@@ -10,10 +10,14 @@
*/
msc_global *msc_apache;
+char err_calloc[] = "ModSecurity: can't allocate memory for logmsg.";
void modsecurity_log_cb(void *log, const void* data)
{
const char *msg;
+ char *msglog;
+ unsigned int i, j;
+
if (log == NULL || data == NULL) {
return;
}
@@ -21,9 +25,28 @@ void modsecurity_log_cb(void *log, const void* data)
request_rec *r = (request_rec *) log;
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
- ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r,
- msg,
- r->status);
+ msglog = calloc(sizeof(char), strlen(msg)*2);
+ if (msglog == NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r,
+ err_calloc,
+ r->status);
+ }
+ else {
+ // add % escape to avoid the '%' chars placeholder mark in logmsg
+ j = 0;
+ for(i=0; msg[i] != '\0'; i++) {
+ if (msg[i] == '%') {
+ msglog[j++] = '%';
+ }
+ msglog[j++] = msg[i];
+ }
+ msglog[j] = '\0';
+
+ ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r,
+ msglog,
+ r->status);
+ free(msglog);
+ }
#else
ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r->server,
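Review bot: `calloc(sizeof(char), strlen(msg)*2)` leaves no room for the terminator: if every byte of `msg` is `%`, the loop fills all `2*len` bytes and `msglog[j] = '\0'` writes one past the allocation, and for an empty `msg` a non-NULL zero-size allocation is written to as well. The message presumably echoes data from the inspected request, so its content should be treated as attacker-influenced. The escaping copy is not needed at all; passing the message as an argument instead of as the format removes the allocation, the overflow and the failure path: `ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r, "%s", msg);`. That also makes `err_calloc`, `msglog`, `i` and `j` from the previous hunk unnecessary and drops the trailing `r->status`, which no conversion specifier consumes. The hunk ends inside the `#else` branch, so whether the `ap_log_error` call there passes `msg` as the format too is not visible and should be checked.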
@@ -399,14 +422,6 @@ static int hook_request_late(request_rec *r)
}
#endif
-
- msc_process_request_body(msr->t);
- it = process_intervention(msr->t, r);
- if (it != N_INTERVENTION_STATUS)
- {
- return it;
- }
-
return DECLINED;
}
diff --git a/src/msc_filters.c b/src/msc_filters.c
index 3a18e21..c25237d 100644
--- a/src/msc_filters.c
+++ b/src/msc_filters.c
@@ -11,6 +11,9 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut,
apr_bucket_brigade *pbbTmp;
int ret;
+ int it;
+ int body_checked = 0;
+ char logmsg[100];
msc_t *msr = (msc_t *)f->ctx;
@@ -39,7 +42,6 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut,
const char *data;
apr_size_t len;
apr_size_t n;
- int it;
if (APR_BUCKET_IS_EOS(pbktIn))
{
@@ -55,20 +57,34 @@ apr_status_t input_filter(ap_filter_t *f, apr_bucket_brigade *pbbOut,
}
msc_append_request_body(msr->t, data, len);
+ msc_process_request_body(msr->t);
+ body_checked = 1;
it = process_intervention(msr->t, r);
if (it != N_INTERVENTION_STATUS)
{
ap_remove_output_filter(f);
+ f->r->status = it;
return send_error_bucket(msr, f, it);
}
- // FIXME: Now we should have the body. Is this sane?
- msc_process_request_body(msr->t);
-
pbktOut = apr_bucket_heap_create(data, len, 0, c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(pbbOut, pbktOut);
apr_bucket_delete(pbktIn);
}
+ if (body_checked == 0) {
+ msc_process_request_body(msr->t);
+ it = process_intervention(msr->t, r);
+ if (it != N_INTERVENTION_STATUS)
+ {
+ ap_remove_output_filter(f);
+ sprintf(logmsg, "it: %d", it);
+ ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r,
+ logmsg,
+ r->status);
+ r->status = it;
+ return send_error_bucket(msr, f, it);
+ }
+ }
return APR_SUCCESS;
}
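Review bot: The `body_checked == 0` block formats into the 100-byte `logmsg` buffer with `sprintf` and then passes that buffer as the format argument with a stray `r->status`; logging directly removes the buffer and the non-literal format, e.g. `ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r, "ModSecurity: intervention status %d", it);`, and a debug trace like this probably should not stay at `APLOG_ERR`. The same block calls `ap_remove_output_filter(f)` although `f` is this input filter (copied from the in-loop branch); `ap_remove_input_filter(f)` looks like the intended call. Since this commit also deletes `msc_process_request_body()` from `hook_request_late`, phase 2 now appears to run only when this filter is invoked, so a request whose handler never reads the body may skip phase 2 rules. That path deserves an explicit test, especially as the test config in this commit drops `SecRequestBodyAccess On`. `input_filter` begins outside this hunk, so the EOS handling that decides when the post-loop block runs is not visible here.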
diff --git a/src/msc_utils.c b/src/msc_utils.c
index 1b4d16c..7f48b1a 100644
--- a/src/msc_utils.c
+++ b/src/msc_utils.c
@@ -1,6 +1,7 @@
#include "msc_utils.h"
+char logmsg[100];
int id(const char *fn, const char *format, ...)
{
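Review bot: The new file-scope `char logmsg[100];` is a writable global with external linkage and a generic name, and nothing visible in this diff uses it (the `logmsg` in `input_filter` is a separate local). If it is meant for formatting log lines, a shared buffer would race between worker threads under a threaded MPM and invites fixed-size `sprintf` use. Prefer removing it and passing a literal format to the `ap_log_*` call, or at minimum make it a function-local buffer written with `snprintf(buf, sizeof buf, ...)`.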
@@ -20,6 +21,7 @@ apr_status_t send_error_bucket(msc_t *msr, ap_filter_t *f, int status)
{
apr_bucket_brigade *brigade = NULL;
apr_bucket *bucket = NULL;
+ request_rec *r = f->r;
/* Set the status line explicitly for the error document */
f->r->status_line = ap_get_status_line(status);
diff --git a/t/conf/extra.conf.in b/t/conf/extra.conf.in
index 6518559..4854268 100644
--- a/t/conf/extra.conf.in
+++ b/t/conf/extra.conf.in
@@ -9,6 +9,7 @@ LoadModule security3_module "@ServerRoot@/.././src/.libs/mod_security3.so"
# Lets make sure that the engine is on.
modsecurity_rules 'SecRuleEngine On'
+modsecurity_rules 'SecDefaultAction "phase:2,log,auditlog,deny,status:403"'
# Debug logs
modsecurity_rules 'SecDebugLog @ServerRoot@/logs/debug_logs.txt'
@@ -20,7 +21,6 @@ modsecurity_rules 'SecDebugLogLevel 9'
- modsecurity_rules 'SecRequestBodyAccess On'
modsecurity_rules 'SecRule ARGS "evil" "phase:2,id:112,log,status:403,block,deny"'
@@ -44,7 +44,6 @@ modsecurity_rules 'SecDebugLogLevel 9'
- modsecurity_rules 'SecRequestBodyAccess On'
modsecurity_rules 'SecRule ARGS "evil" "phase:2,id:112,log,status:402,block,deny"'