[mod-security-users] Lua Segfaults
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
[mod-security-users] Lua Segfaults
|
From: Josh K. <jos...@gt...> - 2008-12-15 20:26:45
|
Testing out a Lua script today I discovered 2 mod_security variables
which cause the apache process to segfault when accessed inside a lua
script. The two variables are "ENV" and "RESPONSE_HEADERS_NAMES".
An example script which will crash is:
function main()
m.log(1, "Entering the crasher")
local var = m.getvar("RESPONSE_HEADERS_NAMES")
m.log(1, "I made it, whew")
return nil;
end
This was triggered with the rule:
SecRuleScript /usr/local/sbin/modsec-scanner.lua "log,pass,phase:2"
Also, it seems that while a REQUEST_BODY can be sent to the XML
processor and validated using validateDTD or validateSchema, it is not
available to the lua environment.
And lastly, I would like to recommend that m.getvar() return 1 in all
cases so that when the result is passed directly to a function like
tostring() the function doesn't error about requiring a value to be
passed.
--- msc_lua.c.orig 2008-12-15 15:25:15.000000000 -0500
+++ msc_lua.c 2008-12-15 15:25:27.000000000 -0500
@@ -250,7 +250,7 @@ static int l_getvar(lua_State *L) {
if (vx == NULL) {
lua_pushnil(L);
- return 0;
+ return 1;
}
/* Return variable value. */
should be all that is needed.
Thanks,
josh
|