From ac3e8a9ac65877ab0eeebf416c26f2457ffe8296 Mon Sep 17 00:00:00 2001 From: Victor Hora Date: Sun, 26 Jan 2020 19:00:46 -0500 Subject: [PATCH] Fix audit_log not generated for disruptive actions --- CHANGES | 2 ++ src/ngx_http_modsecurity_header_filter.c | 7 +++---- src/ngx_http_modsecurity_log.c | 4 ---- src/ngx_http_modsecurity_pre_access.c | 7 +++---- src/ngx_http_modsecurity_rewrite.c | 7 +++---- 5 files changed, 11 insertions(+), 16 deletions(-) diff --git a/CHANGES b/CHANGES index b18f6f6..c963574 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ v1.0.x - YYYY-MMM-DD (To be released) ------------------------------------- + - Fix audit_log not generated for disruptive actions + [Issue #170, #2220, #2237 - @victorhora] - Exit more gracefully if uri length is zero [@martinhsv] diff --git a/src/ngx_http_modsecurity_header_filter.c b/src/ngx_http_modsecurity_header_filter.c index 04ad7ac..bf75a8e 100644 --- a/src/ngx_http_modsecurity_header_filter.c +++ b/src/ngx_http_modsecurity_header_filter.c @@ -420,10 +420,6 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r) /* XXX: if NOT_MODIFIED, do we need to process it at all? see xslt_header_filter() */ - if (r->error_page) { - return ngx_http_next_header_filter(r); - } - ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module); dd("header filter, recovering ctx: %p", ctx); @@ -527,6 +523,9 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r) msc_process_response_headers(ctx->modsec_transaction, status, http_response_ver); ngx_http_modsecurity_pcre_malloc_done(old_pool); ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r); + if (r->error_page) { + return ngx_http_next_header_filter(r); + } if (ret > 0) { return ret; } diff --git a/src/ngx_http_modsecurity_log.c b/src/ngx_http_modsecurity_log.c index 39cf6b7..5546596 100644 --- a/src/ngx_http_modsecurity_log.c +++ b/src/ngx_http_modsecurity_log.c 
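Review bot: In the second hunk of src/ngx_http_modsecurity_header_filter.c the new `if (r->error_page)` guard sits between the call to ngx_http_modsecurity_process_intervention() and `if (ret > 0)`, so on an error-page request the verdict in `ret` is computed and then dropped with no explanation. That is presumably deliberate (process the transaction so the audit log is written, but do not enforce the disruptive action a second time), but in a WAF a discarded verdict should be stated explicitly. I would add a comment above the guard such as `/* error_page: transaction is still processed for audit logging; the verdict in ret is intentionally not enforced */`. The added lines in ngx_http_modsecurity_pre_access.c and ngx_http_modsecurity_rewrite.c have the same shape and need the same comment; all three function bodies continue outside their hunks.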
@@ -41,10 +41,6 @@ ngx_http_modsecurity_log_handler(ngx_http_request_t *r) ngx_http_modsecurity_ctx_t *ctx; ngx_http_modsecurity_conf_t *mcf; - if (r->error_page) { - return NGX_OK; - } - dd("catching a new _log_ phase handler"); mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module); diff --git a/src/ngx_http_modsecurity_pre_access.c b/src/ngx_http_modsecurity_pre_access.c index d5389ad..e072460 100644 --- a/src/ngx_http_modsecurity_pre_access.c +++ b/src/ngx_http_modsecurity_pre_access.c @@ -48,10 +48,6 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r) ngx_http_modsecurity_ctx_t *ctx; ngx_http_modsecurity_conf_t *mcf; - if (r->error_page) { - return NGX_DECLINED; - } - dd("catching a new _preaccess_ phase handler"); mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module); @@ -207,6 +203,9 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r) ngx_http_modsecurity_pcre_malloc_done(old_pool); ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r); + if (r->error_page) { + return NGX_DECLINED; + } if (ret > 0) { return ret; } diff --git a/src/ngx_http_modsecurity_rewrite.c b/src/ngx_http_modsecurity_rewrite.c index 7ce4355..1c3ccc4 100644 --- a/src/ngx_http_modsecurity_rewrite.c +++ b/src/ngx_http_modsecurity_rewrite.c @@ -27,10 +27,6 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r) ngx_http_modsecurity_ctx_t *ctx; ngx_http_modsecurity_conf_t *mcf; - if (r->error_page) { - return NGX_DECLINED; - } - mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module); if (mcf == NULL || mcf->enable != 1) { dd("ModSecurity not enabled... returning"); 
@@ -204,6 +200,9 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r) ngx_http_modsecurity_pcre_malloc_done(old_pool); dd("Processing intervention with the request headers information filled in"); ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r); + if (r->error_page) { + return NGX_DECLINED; + } if (ret > 0) { return ret; }
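Review bot: The guard added here covers only the intervention check that follows request-header processing (the `dd()` text reads "with the request headers information filled in"), whereas the early exit this commit removes from the top of ngx_http_modsecurity_rewrite_handler() covered the whole handler. If the handler calls ngx_http_modsecurity_process_intervention() at earlier steps, which cannot be confirmed because the body between the two hunks is not shown, a disruptive rule matching there on an error-page request would return its status instead of `NGX_DECLINED`, a case the old code ruled out. Either repeat the `r->error_page` test before each such return or document why those paths cannot fire during error-page handling. The same check is worth making in the pre-access handler.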