owasp-modsecurity · martinhsv · May 31, 2023 · May 30, 2023
diff --git a/CHANGES b/CHANGES
@@ -1,6 +1,8 @@
 v3.x.y - YYYY-MMM-DD (to be released)
 -------------------------------------
 
+  - Fix: quoted Include config with wildcard
+    [Issue #2905 - @wiseelf, @airween, @martinhsv]
   - Support isolated PCRE match limits
     [Issue #2736 - @brandonpayton, @martinhsv]
   - Fix: meta actions not applied if multiMatch in first rule of chain

diff --git a/src/parser/seclang-scanner.cc b/src/parser/seclang-scanner.cc
@@ -1,5 +1,5 @@
 
-#line 2 "seclang-scanner.cc"
+#line 3 "seclang-scanner.cc"
 
 #define  YY_INT_ALIGNED short int
 
@@ -5128,7 +5128,7 @@ static const flex_int16_t yy_rule_linenum[546] =
      1174, 1179, 1181, 1182, 1183, 1184, 1186, 1187, 1188, 1189,
      1191, 1192, 1193, 1194, 1196, 1198, 1199, 1201, 1202, 1203,
      1204, 1206, 1211, 1212, 1213, 1217, 1218, 1219, 1224, 1226,
-     1227, 1228, 1247, 1276, 1307
+     1227, 1228, 1247, 1276, 1306
     } ;
 
 /* The intent behind this definition is that it'll catch
@@ -5214,15 +5214,15 @@ static std::stack<int> YY_PREVIOUS_STATE;
 #define BEGIN_PREVIOUS() { BEGIN(YY_PREVIOUS_STATE.top()); YY_PREVIOUS_STATE.pop(); }
 
 // The location of the current token.
-#line 5217 "seclang-scanner.cc"
+#line 5218 "seclang-scanner.cc"
 #define YY_NO_INPUT 1
 
 #line 494 "seclang-scanner.ll"
   // Code run each time a pattern is matched.
   # define YY_USER_ACTION  driver.loc.back()->columns (yyleng);
 
-#line 5224 "seclang-scanner.cc"
 #line 5225 "seclang-scanner.cc"
+#line 5226 "seclang-scanner.cc"
 
 #define INITIAL 0
 #define EXPECTING_ACTION_PREDICATE_VARIABLE 1
@@ -5544,7 +5544,7 @@ YY_DECL
   // Code run each time yylex is called.
   driver.loc.back()->step();
 
-#line 5547 "seclang-scanner.cc"
+#line 5548 "seclang-scanner.cc"
 
 	while ( /*CONSTCOND*/1 )		/* loops until end-of-file is reached */
 		{
@@ -8597,9 +8597,9 @@ YY_RULE_SETUP
 {
     std::string err;
     const char *tmpStr = yytext + strlen("include");
-    const char *file   = tmpStr + strspn( tmpStr, " \t");
-    char *f = strdup(file);
-    std::string fi = modsecurity::utils::find_resource(f, *driver.loc.back()->end.filename, &err);
+    const char *afterWhitespace   = tmpStr + strspn( tmpStr, " \t");
+    std::string file(afterWhitespace+1, strlen(afterWhitespace)-2);
+    std::string fi = modsecurity::utils::find_resource(file, *driver.loc.back()->end.filename, &err);
     if (fi.empty() == true) {
         BEGIN(INITIAL);
         driver.error (*driver.loc.back(), "", file + std::string(": Not able to open file. ") + err);
@@ -8622,13 +8622,12 @@ YY_RULE_SETUP
         }
         yypush_buffer_state(yy_create_buffer( yyin, YY_BUF_SIZE ));
     }
-    free(f);
 }
 	YY_BREAK
 case 545:
 /* rule 545 can match eol */
 YY_RULE_SETUP
-#line 1307 "seclang-scanner.ll"
+#line 1306 "seclang-scanner.ll"
 {
     HttpsClient c;
     std::string key;
@@ -8667,7 +8666,7 @@ YY_RULE_SETUP
 	YY_BREAK
 case 546:
 YY_RULE_SETUP
-#line 1344 "seclang-scanner.ll"
+#line 1343 "seclang-scanner.ll"
 ECHO;
 	YY_BREAK
 #line 8673 "seclang-scanner.cc"
@@ -9775,7 +9774,7 @@ void yyfree (void * ptr )
 
 /* %ok-for-header */
 
-#line 1344 "seclang-scanner.ll"
+#line 1343 "seclang-scanner.ll"
 
 
 namespace modsecurity {

diff --git a/src/parser/seclang-scanner.ll b/src/parser/seclang-scanner.ll
@@ -1275,9 +1275,9 @@ EQUALS_MINUS                            (?i:=\-)
 {CONFIG_INCLUDE}[ \t]+["]{CONFIG_VALUE_PATH}["] {
     std::string err;
     const char *tmpStr = yytext + strlen("include");
-    const char *file   = tmpStr + strspn( tmpStr, " \t");
-    char *f = strdup(file);
-    std::string fi = modsecurity::utils::find_resource(f, *driver.loc.back()->end.filename, &err);
+    const char *afterWhitespace   = tmpStr + strspn( tmpStr, " \t");
+    std::string file(afterWhitespace+1, strlen(afterWhitespace)-2);
+    std::string fi = modsecurity::utils::find_resource(file, *driver.loc.back()->end.filename, &err);
     if (fi.empty() == true) {
         BEGIN(INITIAL);
         driver.error (*driver.loc.back(), "", file + std::string(": Not able to open file. ") + err);
@@ -1300,7 +1300,6 @@ EQUALS_MINUS                            (?i:=\-)
         }
         yypush_buffer_state(yy_create_buffer( yyin, YY_BUF_SIZE ));
     }
-    free(f);
 }
 
 {CONFIG_SEC_REMOTE_RULES}[ ][^ ]+[ ][^\n\r ]+ {

diff --git a/test/test-cases/regression/config-include.json b/test/test-cases/regression/config-include.json
@@ -2,7 +2,7 @@
   {
     "enabled":1,
     "version_min":300000,
-    "title":"Include (1/7)",
+    "title":"Include (1/8)",
     "client":{
       "ip":"200.249.12.31",
       "port":123
@@ -42,7 +42,7 @@
   {
     "enabled":1,
     "version_min":300000,
-    "title":"Include (2/7)",
+    "title":"Include (2/8)",
     "client":{
       "ip":"200.249.12.31",
       "port":123
@@ -82,7 +82,7 @@
   {
     "enabled":1,
     "version_min":300000,
-    "title":"Include (3/7)",
+    "title":"Include (3/8)",
     "client":{
       "ip":"200.249.12.31",
       "port":123
@@ -122,7 +122,7 @@
   {
     "enabled":1,
     "version_min":300000,
-    "title":"Include (4/7)",
+    "title":"Include (4/8)",
     "client":{
       "ip":"200.249.12.31",
       "port":123
@@ -162,7 +162,7 @@
   {
     "enabled":1,
     "version_min":300000,
-    "title":"Include (5/7)",
+    "title":"Include (5/8)",
     "client":{
       "ip":"200.249.12.31",
       "port":123
@@ -203,7 +203,7 @@
   {
     "enabled":1,
     "version_min":300000,
-    "title":"Include (6/7)",
+    "title":"Include (6/8)",
     "client":{
       "ip":"200.249.12.31",
       "port":123
@@ -243,7 +243,7 @@
   {
     "enabled":1,
     "version_min":300000,
-    "title":"Include (7/7)",
+    "title":"Include (7/8)",
     "client":{
       "ip":"200.249.12.31",
       "port":123
@@ -279,5 +279,45 @@
       "Include test-cases/data/conasdffig_example2.txt",
       "SecRule ARGS \"@contains test\" \"id:9,pass,t:trim\""
     ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Include (8/8) -- quoted with wildcard",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?key=value&key=other_value",
+      "method":"GET"
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "debug_log":"Executing operator \"Contains\" with param \"config_example2\" against ARGS."
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "Include \"test-cases/data/config_ex*ple2.txt\"",
+      "SecRule ARGS \"@contains test\" \"id:9,pass,t:trim\""
+    ]
   }
 ]