[ https://www.modsecurity.org/tracker/browse/MODSEC-30?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Breno Silva Pinto resolved MODSEC-30.
-------------------------------------
Resolution: Not a Bug
> mod_rewrite incompatibility
> ---------------------------
>
> Key: MODSEC-30
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-30
> Project: ModSecurity
> Issue Type: Bug
> Security Level: Normal
> Components: Core
> Affects Versions: 2.5.7
> Environment: CentOS 4.6 (Linux linux-dev 2.6.9-78.0.1.ELsmp #1 SMP Tue Aug 5 11:02:47 EDT 2008 i686 i686 i386 GNU/Linux)
> # /usr/local/apache2/bin/httpd -V
> Server version: Apache/2.2.10 (Unix)
> Server built: Oct 23 2008 09:05:23
> Server's Module Magic Number: 20051115:18
> Server loaded: APR 1.3.3, APR-Util 1.3.4
> Compiled using: APR 1.3.3, APR-Util 1.3.4
> Architecture: 32-bit
> Server MPM: Prefork
> threaded: no
> forked: yes (variable process count)
> Server compiled with....
> -D APACHE_MPM_DIR="server/mpm/prefork"
> -D APR_HAS_SENDFILE
> -D APR_HAS_MMAP
> -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> -D APR_USE_SYSVSEM_SERIALIZE
> -D APR_USE_PTHREAD_SERIALIZE
> -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> -D APR_HAS_OTHER_CHILD
> -D AP_HAVE_RELIABLE_PIPED_LOGS
> -D DYNAMIC_MODULE_LIMIT=128
> -D HTTPD_ROOT="/usr/local/apache2"
> -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
> -D DEFAULT_PIDLOG="logs/httpd.pid"
> -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> -D DEFAULT_LOCKFILE="logs/accept.lock"
> -D DEFAULT_ERRORLOG="logs/error_log"
> -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> -D SERVER_CONFIG_FILE="conf/httpd.conf"
> # /usr/local/apache2/bin/httpd -M
> Loaded Modules:
> core_module (static)
> authn_file_module (static)
> authn_default_module (static)
> authz_host_module (static)
> authz_groupfile_module (static)
> authz_user_module (static)
> authz_default_module (static)
> auth_basic_module (static)
> filter_module (static)
> deflate_module (static)
> log_config_module (static)
> env_module (static)
> unique_id_module (static)
> setenvif_module (static)
> ssl_module (static)
> mpm_prefork_module (static)
> http_module (static)
> mime_module (static)
> status_module (static)
> autoindex_module (static)
> asis_module (static)
> cgi_module (static)
> negotiation_module (static)
> dir_module (static)
> actions_module (static)
> alias_module (static)
> rewrite_module (static)
> so_module (static)
> php5_module (shared)
> security2_module (shared)
> Syntax OK
> Reporter: Michael Caplan
> Assignee: Breno Silva Pinto
> Fix For: 2.6.0
>
> Attachments: modsec_debug.zip, rewrite.zip
>
>
> modsecurity outbound filtering rules (modsecurity_crs_50_outbound.conf) are not being applied if the incoming request goes through the following mod_rewrite recipe:
> RewriteEngine on
> RewriteCond %{SCRIPT_FILENAME} !-f
> RewriteCond %{SCRIPT_FILENAME} !-d
> RewriteRule ^(.*)$ index.php/$1
> Inbound modsecurity rules are seemingly applied fine, but all tests against the response body are not being executed. Running with modsecurity debug log set to 9, I see no evidence of any of the outbound rules being attempted.
> Brian Rectanus' initial thoughts:
> This looks like a bug. Those rewrite rules produce an internal request.
> When this happens, ModSecurity does not see the response on the main request that it is looking at (i.e. the MODSECURITY_OUT output filter is never called). The response seems to be attached to the internal request, which is ignored.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://www.modsecurity.org/tracker/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
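The reporter diagnosed the problem the way a defender would: with SecDebugLogLevel 9 on, a transaction that never logs "Starting phase RESPONSE_HEADERS." or "Starting phase RESPONSE_BODY." is one on which no outbound rule (modsecurity_crs_50_outbound.conf or otherwise) could have run. The script below automates that check. It is an added example, not code from the ticket or from the ModSecurity project; it assumes the ModSecurity 2.x debug-log line layout "[date] [host/sid#..][rid#..][uri][level] message", and the sample log lines embedded in it are constructed (one request that completes every phase next to one that shows the reported symptom).

```python
import re
from collections import OrderedDict

# Phases a complete ModSecurity 2.x transaction walks through. The ticket's
# symptom is that the two RESPONSE_* phases never appear for a request that
# went through the mod_rewrite recipe, so outbound rules never get a chance.
ALL_PHASES = ("REQUEST_HEADERS", "REQUEST_BODY",
              "RESPONSE_HEADERS", "RESPONSE_BODY", "LOGGING")
RESPONSE_PHASES = ("RESPONSE_HEADERS", "RESPONSE_BODY")

# Assumed 2.x debug-log layout: [date] [host/sid#..][rid#..][uri][level] msg
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<host>[^\]]+)\]\[rid#(?P<rid>[^\]]+)\]"
    r"\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$")
PHASE_RE = re.compile(r"^Starting phase (?P<phase>[A-Z_]+)\.$")

# Constructed sample (not a real capture). rid#8b0f2d8 is a static file that
# the RewriteCond tests let through untouched and that runs every phase;
# rid#8b2a4e0 is a path the recipe rewrote to index.php/$1 and shows the
# symptom: no RESPONSE_* phases at all, only request phases and LOGGING.
SAMPLE_DEBUG_LOG = """\
[23/Oct/2008:09:05:23 --0400] [www.example.test/sid#8a3b1c0][rid#8b0f2d8][/style.css][4] Initialising transaction (txid CONSTRUCTED-TXID-1).
[23/Oct/2008:09:05:23 --0400] [www.example.test/sid#8a3b1c0][rid#8b0f2d8][/style.css][4] Starting phase REQUEST_HEADERS.
[23/Oct/2008:09:05:23 --0400] [www.example.test/sid#8a3b1c0][rid#8b0f2d8][/style.css][4] Starting phase REQUEST_BODY.
[23/Oct/2008:09:05:23 --0400] [www.example.test/sid#8a3b1c0][rid#8b0f2d8][/style.css][4] Starting phase RESPONSE_HEADERS.
[23/Oct/2008:09:05:23 --0400] [www.example.test/sid#8a3b1c0][rid#8b0f2d8][/style.css][4] Starting phase RESPONSE_BODY.
[23/Oct/2008:09:05:23 --0400] [www.example.test/sid#8a3b1c0][rid#8b0f2d8][/style.css][9] Rule returned 0.
[23/Oct/2008:09:05:23 --0400] [www.example.test/sid#8a3b1c0][rid#8b0f2d8][/style.css][4] Starting phase LOGGING.
[23/Oct/2008:09:05:24 --0400] [www.example.test/sid#8a3b1c0][rid#8b2a4e0][/foo/bar][4] Initialising transaction (txid CONSTRUCTED-TXID-2).
[23/Oct/2008:09:05:24 --0400] [www.example.test/sid#8a3b1c0][rid#8b2a4e0][/foo/bar][4] Starting phase REQUEST_HEADERS.
[23/Oct/2008:09:05:24 --0400] [www.example.test/sid#8a3b1c0][rid#8b2a4e0][/foo/bar][4] Starting phase REQUEST_BODY.
[23/Oct/2008:09:05:24 --0400] [www.example.test/sid#8a3b1c0][rid#8b2a4e0][/foo/bar][9] Rule returned 0.
[23/Oct/2008:09:05:24 --0400] [www.example.test/sid#8a3b1c0][rid#8b2a4e0][/foo/bar][4] Starting phase LOGGING.
"""


def phases_by_transaction(log_text):
    """Map each request id (rid#) to its URI and the phases it started, in order."""
    txns = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # rule dumps and other continuation lines carry no prefix
        rec = txns.setdefault(m.group("rid"),
                              {"uri": m.group("uri"), "phases": []})
        p = PHASE_RE.match(m.group("msg"))
        if p and p.group("phase") not in rec["phases"]:
            rec["phases"].append(p.group("phase"))
    return txns


def transactions_missing_response_phases(log_text):
    """Return [(rid, uri, missing_phases)] for every transaction that was
    initialised but never started a response phase; on those transactions
    no outbound (phase 3/4) rule can have been evaluated."""
    findings = []
    for rid, rec in phases_by_transaction(log_text).items():
        missing = [ph for ph in RESPONSE_PHASES if ph not in rec["phases"]]
        if missing:
            findings.append((rid, rec["uri"], missing))
    return findings


if __name__ == "__main__":
    for rid, uri, missing in transactions_missing_response_phases(SAMPLE_DEBUG_LOG):
        print(f"rid#{rid} {uri}: never started {', '.join(missing)}")
```

Run it against a real debug log by replacing SAMPLE_DEBUG_LOG with the file contents; any request that the rewrite recipe sends through index.php/$1 should show up in the findings if the ticket's behaviour is present, while requests the RewriteCond checks leave alone should not. Keying on rid# rather than on the URI matters here, because the same client request can appear under more than one URI once mod_rewrite has rewritten it.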