
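--- a/security/modsecurity3/Makefile
+++ b/security/modsecurity3/Makefile
@@ -1,7 +1,6 @@
 PORTNAME=	modsecurity
 DISTVERSIONPREFIX=	v
-DISTVERSION=	3.0.4
-PORTREVISION=	2
+DISTVERSION=	3.0.5
 CATEGORIES=	security www
 MASTER_SITES=	https://github.com/SpiderLabs/ModSecurity/releases/download/v${PORTVERSION}/
 PKGNAMESUFFIX=	3
@@ -17,10 +16,9 @@ LIB_DEPENDS= libcurl.so:ftp/curl \
 		libyajl.so:devel/yajl \
 		libmaxminddb.so:net/libmaxminddb
 
-USES=		compiler:c++11-lang cpe gmake gnome libtool pkgconfig:build
+USES=		cpe gmake gnome libtool pkgconfig:build
 USE_GNOME=	libxml2
 # GCC because of https://github.com/SpiderLabs/ModSecurity/issues/1411
-USE_GCC=	yes
 USE_LDCONFIG=	yes
 
 CPE_VENDOR=	trustwave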
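Review bot: The comment `# GCC because of https://github.com/SpiderLabs/ModSecurity/issues/1411` is kept in the second hunk while the `USE_GCC=	yes` line it explained is removed, so it now sits directly above `USE_LDCONFIG=	yes` and explains nothing. Delete the comment in the same change. The hunk also drops `compiler:c++11-lang` from `USES`, so the port no longer declares any compiler requirement. If 3.0.5 is known to build with the base compiler, the commit message should say so, because the page does not show why both knobs could go.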
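--- a/security/modsecurity3/distinfo
+++ b/security/modsecurity3/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1579339210
-SHA256 (modsecurity-v3.0.4.tar.gz) = b4231177dd80b4e076b228e57d498670113b69d445bab86db25f65346c24db22
-SIZE (modsecurity-v3.0.4.tar.gz) = 2806291
+TIMESTAMP = 1632981543
+SHA256 (modsecurity-v3.0.5.tar.gz) = 751bf95a7a8d39c440d0c26ec1f73961550ca2eb2ac9e2e7a56dce2dd7b959e9
+SIZE (modsecurity-v3.0.5.tar.gz) = 3485840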
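--- a/security/modsecurity3/files/patch-src_operators_rx.cc
+++ /dev/null
@@ -1,51 +0,0 @@
---- src/operators/rx.cc.orig	2020-01-13 13:09:28 UTC
-+++ src/operators/rx.cc
-@@ -38,7 +38,6 @@ bool Rx::init(const std::string &arg, st
- 
- bool Rx::evaluate(Transaction *transaction, Rule *rule,
-     const std::string& input, std::shared_ptr<RuleMessage> ruleMessage) {
--    std::list<SMatch> matches;
-     Regex *re;
- 
-     if (m_param.empty() && !m_string->m_containsMacro) {
-@@ -52,29 +51,29 @@ bool Rx::evaluate(Transaction *transacti
-         re = m_re;
-     }
- 
--    matches = re->searchAll(input);
-+    std::vector<Utils::SMatchCapture> captures;
-+    re->searchOneMatch(input, captures);
-+
-     if (rule && rule->m_containsCaptureAction && transaction) {
--        int i = 0;
--        matches.reverse();
--        for (const SMatch& a : matches) {
-+        for (const Utils::SMatchCapture& capture : captures) {
-+            const std::string capture_substring(input.substr(capture.m_offset,capture.m_length));
-             transaction->m_collections.m_tx_collection->storeOrUpdateFirst(
--                std::to_string(i), a.str());
-+                std::to_string(capture.m_group), capture_substring);
-             ms_dbg_a(transaction, 7, "Added regex subexpression TX." +
--                std::to_string(i) + ": " + a.str());
--            transaction->m_matched.push_back(a.str());
--            i++;
-+                std::to_string(capture.m_group) + ": " + capture_substring);
-+            transaction->m_matched.push_back(capture_substring);
-         }
-     }
- 
--    for (const auto & i : matches) {
--        logOffset(ruleMessage, i.offset(), i.str().size());
-+    for (const auto & capture : captures) {
-+        logOffset(ruleMessage, capture.m_offset, capture.m_length);
-     }
- 
-     if (m_string->m_containsMacro) {
-         delete re;
-     }
- 
--    if (matches.size() > 0) {
-+    if (captures.size() > 0) {
-         return true;
-     }
- 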
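--- a/security/modsecurity3/files/patch-src_utils_regex.cc
+++ /dev/null
@@ -1,40 +0,0 @@
---- src/utils/regex.cc.orig	2020-01-13 13:09:28 UTC
-+++ src/utils/regex.cc
-@@ -16,10 +16,6 @@
- #include "src/utils/regex.h"
- 
- #include <pcre.h>
--#include <sys/socket.h>
--#include <sys/types.h>
--#include <netinet/in.h>
--#include <arpa/inet.h>
- #include <string>
- #include <list>
- 
-@@ -99,6 +95,26 @@ std::list<SMatch> Regex::searchAll(const
-     return retList;
- }
- 
-+bool Regex::searchOneMatch(const std::string& s, std::vector<SMatchCapture>& captures) const {
-+    const char *subject = s.c_str();
-+    int ovector[OVECCOUNT];
-+
-+    int rc = pcre_exec(m_pc, m_pce, subject, s.size(), 0, 0, ovector, OVECCOUNT);
-+
-+    for (int i = 0; i < rc; i++) {
-+        size_t start = ovector[2*i];
-+        size_t end = ovector[2*i+1];
-+        size_t len = end - start;
-+        if (end > s.size()) {
-+            continue;
-+        }
-+        SMatchCapture capture(i, start, len);
-+        captures.push_back(capture);
-+    }
-+
-+    return (rc > 0);
-+}
-+
- int Regex::search(const std::string& s, SMatch *match) const {
-     int ovector[OVECCOUNT];
-     int ret = pcre_exec(m_pc, m_pce, s.c_str(),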
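--- a/security/modsecurity3/files/patch-src_utils_regex.h
+++ /dev/null
@@ -1,35 +0,0 @@
---- src/utils/regex.h.orig	2020-01-13 13:09:28 UTC
-+++ src/utils/regex.h
-@@ -19,6 +19,7 @@
- #include <fstream>
- #include <string>
- #include <list>
-+#include <vector>
- 
- #ifndef SRC_UTILS_REGEX_H_
- #define SRC_UTILS_REGEX_H_
-@@ -47,6 +48,16 @@ class SMatch {
-     size_t m_offset;
- };
- 
-+struct SMatchCapture {
-+    SMatchCapture(size_t group, size_t offset, size_t length) :
-+    m_group(group),
-+    m_offset(offset),
-+    m_length(length) { }
-+
-+    size_t m_group; // E.g. 0 = full match; 6 = capture group 6
-+    size_t m_offset; // offset of match within the analyzed string
-+    size_t m_length;
-+};
- 
- class Regex {
-  public:
-@@ -58,6 +69,7 @@ class Regex {
-     Regex& operator=(const Regex&) = delete;
- 
-     std::list<SMatch> searchAll(const std::string& s) const;
-+    bool searchOneMatch(const std::string& s, std::vector<SMatchCapture>& captures) const;
-     int search(const std::string &s, SMatch *m) const;
-     int search(const std::string &s) const;
- 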
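--- a/security/modsecurity3/files/patch-test_test-cases_regression_variable-TX.json
+++ /dev/null
@@ -1,146 +0,0 @@
---- test/test-cases/regression/variable-TX.json.orig	2020-01-13 13:09:28 UTC
-+++ test/test-cases/regression/variable-TX.json
-@@ -80,5 +80,143 @@
-       "SecRule REQUEST_HEADERS \"@rx ([A-z]+)\" \"id:1,log,pass,capture,id:14\"",
-       "SecRule TX:0 \"@rx ([A-z]+)\" \"id:15\""
-     ]
-+  },
-+  {
-+    "enabled":1,
-+    "version_min":300000,
-+    "title":"Testing Variables :: capture group match after unused group",
-+    "client":{
-+      "ip":"200.249.12.31",
-+      "port":123
-+    },
-+    "server":{
-+      "ip":"200.249.12.31",
-+      "port":80
-+    },
-+    "request":{
-+      "uri":"/?key=aadd",
-+      "method":"GET"
-+    },
-+    "response":{
-+      "headers":{
-+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
-+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
-+        "Content-Type":"text/html"
-+      },
-+      "body":[
-+        "no need."
-+      ]
-+    },
-+    "expected":{
-+      "debug_log":"Added regex subexpression TX\\.3: dd[\\s\\S]*Target value: \"dd\" \\(Variable\\: TX\\:3[\\s\\S]*Rule returned 1"
-+    },
-+    "rules":[
-+      "SecRuleEngine On",
-+      "SecRule ARGS \"@rx (aa)(bb|cc)?(dd)\" \"id:1,log,pass,capture,id:16\"",
-+      "SecRule TX:3 \"@streq dd\" \"id:19,phase:2,log,pass\""
-+    ]
-+  },
-+  {
-+    "enabled":1,
-+    "version_min":300000,
-+    "title":"Testing Variables :: empty capture group match followed by nonempty capture group",
-+    "client":{
-+      "ip":"200.249.12.31",
-+      "port":123
-+    },
-+    "server":{
-+      "ip":"200.249.12.31",
-+      "port":80
-+    },
-+    "request":{
-+      "uri":"/?key=aadd",
-+      "method":"GET"
-+    },
-+    "response":{
-+      "headers":{
-+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
-+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
-+        "Content-Type":"text/html"
-+      },
-+      "body":[
-+        "no need."
-+      ]
-+    },
-+    "expected":{
-+      "debug_log":"Added regex subexpression TX\\.3: dd[\\s\\S]*Target value: \"dd\" \\(Variable\\: TX\\:3[\\s\\S]*Rule returned 1"
-+    },
-+    "rules":[
-+      "SecRuleEngine On",
-+      "SecRule ARGS \"@rx (aa)(bb|cc|)(dd)\" \"id:18,phase:1,log,pass,capture\"",
-+      "SecRule TX:3 \"@streq dd\" \"id:19,phase:2,log,pass\""
-+    ]
-+  },
-+  {
-+    "enabled":1,
-+    "version_min":300000,
-+    "title":"Testing Variables :: repeating capture group -- alternates",
-+    "client":{
-+      "ip":"200.249.12.31",
-+      "port":123
-+    },
-+    "server":{
-+      "ip":"200.249.12.31",
-+      "port":80
-+    },
-+    "request":{
-+      "uri":"/?key=_abc123_",
-+      "method":"GET"
-+    },
-+    "response":{
-+      "headers":{
-+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
-+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
-+        "Content-Type":"text/html"
-+      },
-+      "body":[
-+        "no need."
-+      ]
-+    },
-+    "expected":{
-+      "debug_log":"Added regex subexpression TX\\.2: abc[\\s\\S]*Added regex subexpression TX\\.3: 123"
-+    },
-+    "rules":[
-+      "SecRuleEngine On",
-+      "SecRule ARGS \"@rx _((?:(abc)|(123))+)_\" \"id:18,phase:1,log,pass,capture\""
-+    ]
-+  },
-+  {
-+    "enabled":1,
-+    "version_min":300000,
-+    "title":"Testing Variables :: repeating capture group -- same (nested)",
-+    "client":{
-+      "ip":"200.249.12.31",
-+      "port":123
-+    },
-+    "server":{
-+      "ip":"200.249.12.31",
-+      "port":80
-+    },
-+    "request":{
-+      "uri":"/?key=a:5a:8a:9",
-+      "method":"GET"
-+    },
-+    "response":{
-+      "headers":{
-+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
-+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
-+        "Content-Type":"text/html"
-+      },
-+      "body":[
-+        "no need."
-+      ]
-+    },
-+    "expected":{
-+      "debug_log":"Added regex subexpression TX\\.1: 5[\\s\\S]*Added regex subexpression TX\\.2: 8[\\s\\S]*Added regex subexpression TX\\.3: 9"
-+    },
-+    "rules":[
-+      "SecRuleEngine On",
-+      "SecRule ARGS \"@rx a:([0-9])(?:a:([0-9])(?:a:([0-9]))*)*\" \"id:18,phase:1,log,pass,capture\""
-+    ]
-   }
- ]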
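--- a/security/modsecurity3/pkg-plist
+++ b/security/modsecurity3/pkg-plist
@@ -1,22 +1,29 @@
 bin/modsec-rules-check
-include/modsecurity/actions/action.h
 include/modsecurity/anchored_set_variable.h
+include/modsecurity/anchored_set_variable_translation_proxy.h
+include/modsecurity/rule_message.h
+include/modsecurity/rule_unconditional.h
+include/modsecurity/variable_origin.h
+include/modsecurity/transaction.h
 include/modsecurity/anchored_variable.h
-include/modsecurity/audit_log.h
-include/modsecurity/collection/collection.h
-include/modsecurity/collection/collections.h
-include/modsecurity/debug_log.h
 include/modsecurity/intervention.h
+include/modsecurity/collection/collections.h
+include/modsecurity/collection/collection.h
+include/modsecurity/rule_with_operator.h
+include/modsecurity/variable_value.h
+include/modsecurity/rules_set.h
+include/modsecurity/audit_log.h
 include/modsecurity/modsecurity.h
-include/modsecurity/reading_logs_via_rule_message.h
-include/modsecurity/rule.h
-include/modsecurity/rule_message.h
+include/modsecurity/debug_log.h
+include/modsecurity/rule_with_actions.h
+include/modsecurity/rules_set_properties.h
+include/modsecurity/rule_marker.h
 include/modsecurity/rules.h
 include/modsecurity/rules_exceptions.h
-include/modsecurity/rules_properties.h
-include/modsecurity/transaction.h
-include/modsecurity/variable_origin.h
-include/modsecurity/variable_value.h
+include/modsecurity/rules_set_phases.h
+include/modsecurity/reading_logs_via_rule_message.h
+include/modsecurity/actions/action.h
+include/modsecurity/rule.h
 lib/libmodsecurity.a
 lib/libmodsecurity.so
 lib/libmodsecurity.so.3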
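Review bot: The new list is no longer sorted: the old side had the headers in alphabetical order, while the new side mixes them (for example `include/modsecurity/actions/action.h` moves from line 2 to line 25), which inflates this section to 12 removals and 19 additions. Comparing the two sides, the real change looks like one header dropped (`include/modsecurity/rules_properties.h`) and eight added. Keeping the entries sorted would make that visible and keep later updates reviewable. Only the ordering needs to change, not the set of entries.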
