diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c index 05de75b69d..95fd84b757 100644 --- a/apache2/mod_security2.c +++ b/apache2/mod_security2.c @@ -64,6 +64,9 @@ unsigned long int DSOLOCAL conn_read_state_limit = 0; unsigned long int DSOLOCAL conn_write_state_limit = 0; +#if defined(WIN32) || defined(VERSION_NGINX) +int (*modsecDropAction)(request_rec *r) = NULL; +#endif static int server_limit, thread_limit; typedef struct { @@ -250,11 +253,25 @@ int perform_interception(modsec_rec *msr) { } } #else + { + if (modsecDropAction == NULL) { + log_level = 1; + status = HTTP_INTERNAL_SERVER_ERROR; + message = apr_psprintf(msr->mp, "Access denied with code 500%s " + "(Error: Connection drop not implemented on this platform.", + phase_text); + } else if (modsecDropAction(msr->r) == 0) { + status = HTTP_FORBIDDEN; + message = apr_psprintf(msr->mp, "Access denied with connection close%s.", + phase_text); + } else { log_level = 1; status = HTTP_INTERNAL_SERVER_ERROR; message = apr_psprintf(msr->mp, "Access denied with code 500%s " - "(Error: Connection drop not implemented on this platform).", + "(Error: Connection drop request failed.", phase_text); + } + } #endif break; diff --git a/nginx/modsecurity/ngx_http_modsecurity.c b/nginx/modsecurity/ngx_http_modsecurity.c index 683727b497..a6cd4b578c 100644 --- a/nginx/modsecurity/ngx_http_modsecurity.c +++ b/nginx/modsecurity/ngx_http_modsecurity.c @@ -81,6 +81,8 @@ static char *ngx_http_modsecurity_add_handler(ngx_conf_t *cf, ngx_command_t *cmd static char *ngx_http_modsecurity_pass(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); static ngx_int_t ngx_http_modsecurity_pass_to_backend(ngx_http_request_t *r); +static int ngx_http_modsecurity_drop_action(request_rec *r); + /* command handled by the module */ static ngx_command_t ngx_http_modsecurity_commands[] = { { ngx_string("ModSecurityConfig"), 
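Review bot: The new definition `int (*modsecDropAction)(request_rec *r) = NULL;` is guarded by `#if defined(WIN32) || defined(VERSION_NGINX)`, while `standalone/api.c` in this same patch declares it `extern` unconditionally and `modsecSetDropAction` assigns to it; a standalone build with neither macro defined would have a declaration with no definition and fail to link. If the other standalone hooks (`modsecLogHook`, `modsecReadBody`) live under the same guard this is merely consistent with them, but I cannot see that from the hunk. Either way the variable deserves a comment stating its contract, e.g. `/* Platform "drop" hook installed via modsecSetDropAction(); NULL means connection drop is unsupported. */`.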
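Review bot: Both new message literals in the `#else` block drop the closing parenthesis that the removed line still had: `"(Error: Connection drop not implemented on this platform."` and `"(Error: Connection drop request failed."` now log an unbalanced `(Error: ...` where every other interception message ends with `).`, which will trip log parsers keyed on that form. They should read `"(Error: Connection drop not implemented on this platform).",` and `"(Error: Connection drop request failed).",`. The successful-drop branch is also the only one of the three that does not assign `log_level`, so it inherits whatever was set earlier in `perform_interception` (which begins outside the hunk); if a drop should be logged at the same level as the failure cases, set it explicitly. Consider also including the hook's return value in the failure message so an operator can distinguish "no request context" from other failures.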
@@ -223,6 +225,8 @@ ngx_http_modsecurity_init_process(ngx_cycle_t *cycle) modsecSetLogHook(cycle->log, modsecLog); + modsecSetDropAction(ngx_http_modsecurity_drop_action); + modsecInit(); /* config was already parsed in master process */ // modsecStartConfig(); @@ -1094,3 +1098,16 @@ ngx_http_modsecurity_pass(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) return NGX_CONF_OK; } + +static int +ngx_http_modsecurity_drop_action(request_rec *r) +{ + ngx_http_modsecurity_ctx_t *ctx; + ctx = (ngx_http_modsecurity_ctx_t *) apr_table_get(r->notes, NOTE_NGINX_REQUEST_CTX); + + if (ctx == NULL) { + return -1; + } + ctx->r->connection->error = 1; + return 0; +} diff --git a/standalone/api.c b/standalone/api.c index 5a08d8e333..806c5daf44 100644 --- a/standalone/api.c +++ b/standalone/api.c @@ -41,7 +41,7 @@ extern void *modsecLogObj; extern void (*modsecLogHook)(void *obj, int level, char *str); - +extern int (*modsecDropAction)(request_rec *r); apr_status_t (*modsecReadBody)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos); apr_status_t (*modsecReadResponse)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos); apr_status_t (*modsecWriteBody)(request_rec *r, char *buf, unsigned int length); @@ -528,3 +528,7 @@ void modsecSetWriteBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned void modsecSetWriteResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length)) { modsecWriteResponse = func; } + +void modsecSetDropAction(int (*func)(request_rec *r)) { + modsecDropAction = func; +} diff --git a/standalone/api.h b/standalone/api.h index 49a5f1637c..9ef43f1335 100644 --- a/standalone/api.h +++ b/standalone/api.h 
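Review bot: `ngx_http_modsecurity_drop_action` only sets `ctx->r->connection->error = 1` and returns 0, and `perform_interception` then still reports `HTTP_FORBIDDEN` with "Access denied with connection close", so this presumably closes the nginx connection after the 403 is finalized rather than dropping it without a response; the function header should say so, because "drop" in the Apache module is commonly expected to send nothing back. The function checks `ctx` for NULL but then dereferences `ctx->r` and `ctx->r->connection` unchecked; if the context can be attached before `r` is set in any phase, those should return -1 too — I cannot confirm from this hunk. Suggested header comment: `/* "drop" action hook: flag the nginx connection as errored so it is closed once the response is finalized. Returns 0 on success, -1 if no request ctx is attached to r->notes. */`.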
@@ -1,78 +1,78 @@ -/* -* ModSecurity for Apache 2.x, http://www.modsecurity.org/ -* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) -* -* You may not use this file except in compliance with -* the License.  You may obtain a copy of the License at -* -*     http://www.apache.org/licenses/LICENSE-2.0 -* -* If any of the files related to licensing are missing or if you have any -* other questions related to licensing please contact Trustwave Holdings, Inc. -* directly using the email address security@modsecurity.org. -*/ - - -#pragma once - -#include - -#include "http_core.h" -#include "http_request.h" - -#include "modsecurity.h" -#include "apache2.h" -#include "http_main.h" -#include "http_connection.h" - -#include "apr_optional.h" -#include "mod_log_config.h" - -#include "msc_logging.h" -#include "msc_util.h" - -#include "ap_mpm.h" -#include "scoreboard.h" - -#include "apr_version.h" - -#include "apr_lib.h" -#include "ap_config.h" -#include "http_config.h" - - -#ifdef __cplusplus -extern "C" -{ -#endif - -server_rec *modsecInit(); -void modsecTerminate(); - -void modsecStartConfig(); -directory_config *modsecGetDefaultConfig(); -const char *modsecProcessConfig(directory_config *config, const char *dir); -void modsecFinalizeConfig(); - -void modsecInitProcess(); - -conn_rec *modsecNewConnection(); -void modsecProcessConnection(conn_rec *c); - -request_rec *modsecNewRequest(conn_rec *connection, directory_config *config); -int modsecProcessRequest(request_rec *r); -int modsecProcessResponse(request_rec *r); -int modsecFinishRequest(request_rec *r); - -void modsecSetLogHook(void *obj, void (*hook)(void *obj, int level, char *str)); - -void modsecSetReadBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos)); -void modsecSetReadResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos)); -void modsecSetWriteBody(apr_status_t 
(*func)(request_rec *r, char *buf, unsigned int length)); -void modsecSetWriteResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length)); - -int modsecIsResponseBodyAccessEnabled(request_rec *r); - -#ifdef __cplusplus -} -#endif +/* +* ModSecurity for Apache 2.x, http://www.modsecurity.org/ +* Copyright (c) 2004-2011 Trustwave Holdings, Inc. (http://www.trustwave.com/) +* +* You may not use this file except in compliance with +* the License.  You may obtain a copy of the License at +* +*     http://www.apache.org/licenses/LICENSE-2.0 +* +* If any of the files related to licensing are missing or if you have any +* other questions related to licensing please contact Trustwave Holdings, Inc. +* directly using the email address security@modsecurity.org. +*/ + + +#pragma once + +#include + +#include "http_core.h" +#include "http_request.h" + +#include "modsecurity.h" +#include "apache2.h" +#include "http_main.h" +#include "http_connection.h" + +#include "apr_optional.h" +#include "mod_log_config.h" + +#include "msc_logging.h" +#include "msc_util.h" + +#include "ap_mpm.h" +#include "scoreboard.h" + +#include "apr_version.h" + +#include "apr_lib.h" +#include "ap_config.h" +#include "http_config.h" + + +#ifdef __cplusplus +extern "C" +{ +#endif + +server_rec *modsecInit(); +void modsecTerminate(); + +void modsecStartConfig(); +directory_config *modsecGetDefaultConfig(); +const char *modsecProcessConfig(directory_config *config, const char *dir); +void modsecFinalizeConfig(); + +void modsecInitProcess(); + +conn_rec *modsecNewConnection(); +void modsecProcessConnection(conn_rec *c); + +request_rec *modsecNewRequest(conn_rec *connection, directory_config *config); +int modsecProcessRequest(request_rec *r); +int modsecProcessResponse(request_rec *r); +int modsecFinishRequest(request_rec *r); + +void modsecSetLogHook(void *obj, void (*hook)(void *obj, int level, char *str)); + +void modsecSetReadBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned 
int length, unsigned int *readcnt, int *is_eos)); +void modsecSetReadResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos)); +void modsecSetWriteBody(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length)); +void modsecSetWriteResponse(apr_status_t (*func)(request_rec *r, char *buf, unsigned int length)); +void modsecSetDropAction(int (*func)(request_rec *r)); +int modsecIsResponseBodyAccessEnabled(request_rec *r); + +#ifdef __cplusplus +} +#endif
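Review bot: This hunk removes and re-adds all 78 lines of `standalone/api.h`, which buries the only functional changes — the new `void modsecSetDropAction(int (*func)(request_rec *r));` prototype and the dropped blank line before `modsecIsResponseBodyAccessEnabled` — under what looks like a line-ending or whitespace normalization. Commit the normalization on its own so that reviewers and `git blame` see the API addition as a one-line change, and keep the blank separator before `modsecIsResponseBodyAccessEnabled` for consistency with the rest of the header. The new prototype should also document the contract the caller in `perform_interception` relies on: `/* Install the platform "drop" hook; func must return 0 on success, non-zero makes the drop action fail with a 500. */`.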