Fixed inspectFile operator does not pass FILES_TMPNAMES

kadirerdogan · zimmerle · commit 6624a18a4e7f · 2019-11-26T08:40:53.000-03:00
pass FILES_TMPNAMES variable to lua engine Fixed Lua engine
should also be aware of the variable and pass it to the target
lua script main function
diff --git a/CHANGES b/CHANGES
@@ -1,6 +1,9 @@
 v3.0.4 - YYYY-MMM-DD (to be released)
 -------------------------------------
 
+ - Fix: ModSecurity 3.x inspectFile operator does not pass
+   FILES_TMPNAMES parameter to lua engine
+   [Issue #2204, #2205 - @kadirerdogan]
  - XML: Remove error messages from stderr
    [Issue #2010 - @JaiHarpalani, @zimmerle]
  - Filter comment or blank line for pmFromFile operator
diff --git a/src/engine/lua.cc b/src/engine/lua.cc
@@ -121,7 +121,8 @@ const char *Lua::blob_reader(lua_State *L, void *ud, size_t *size) {
 }
 #endif
 
-int Lua::run(Transaction *t) {
+
+int Lua::run(Transaction *t, const std::string &str) {
 #ifdef WITH_LUA
     std::string luaRet;
     const char *a = NULL;
@@ -184,7 +185,15 @@ int Lua::run(Transaction *t) {
     lua_setglobal(L, "modsec");
 
     lua_getglobal(L, "main");
-    if (lua_pcall(L, 0, 1, 0)) {
+
+    ms_dbg_a(t, 1, str);
+
+    /* Put the parameter on the stack. */
+    if (!str.empty() ) {
+        lua_pushlstring(L, str.c_str(), str.length());
+    }
+
+    if (lua_pcall(L, ((!str.empty()) ? 1 : 0), 1, 0)) {
         std::string e;
         const char *luaerr = lua_tostring(L, -1);
         e.assign("Failed to execute lua script: " + m_scriptName + " (main)");
diff --git a/src/engine/lua.h b/src/engine/lua.h
@@ -69,7 +69,7 @@ class Lua {
     Lua() { }
 
     bool load(std::string script, std::string *err);
-    int run(Transaction *t);
+    int run(Transaction *t, const std::string &str="");
     static bool isCompatible(std::string script, Lua *l, std::string *error);
 
 #ifdef WITH_LUA
diff --git a/src/operators/inspect_file.cc b/src/operators/inspect_file.cc
@@ -51,7 +51,7 @@ bool InspectFile::init(const std::string &param2, std::string *error) {
 
 bool InspectFile::evaluate(Transaction *transaction, const std::string &str) {
     if (m_isScript) {
-        return m_lua.run(transaction);
+        return m_lua.run(transaction, str);
     } else {
         FILE *in;
         char buff[512];
