Re: [mod-security-users] Problem trying to catch malformed requests
From: Ivan R. <iv...@we...> - 2005-08-15 12:18:50
Ryan Barnett wrote:
> Ivan can speak better on this, however I believe that the problem is
> that Apache does some processing early in the request loop cycle
> before mod_security has a hook to inspect it.
>
> Take a look here at the Apache request loop -
> http://modperlbook.org/html/ch01_04.html. Then compare this with the
> hooks that mod_security has into Apache. -
>
> ...
> NULL, /* [#8] MIME-typed-dispatched handlers */
> NULL, /* [#1] URI to filename translation */
> NULL, /* [#4] validate user id from request */
> NULL, /* [#5] check if the user is ok _here_ */
> NULL, /* [#3] check access by host address */
> NULL, /* [#6] determine MIME type */
> sec_check_access, /* [#7] pre-run fixups */
> sec_logger, /* [#9] log a transaction */
> NULL, /* [#2] header parser */
> sec_child_init, /* child_init */
> NULL, /* child_exit */
> NULL /* [#0] post read-request */
>
> Apache runs through steps 0 - 6 before mod_security has a hook to
> perform any actions.

That's correct. For me it was always a matter of choice whether I want to protect applications, or Apache itself. At the moment mod_security is configured to protect applications.

A further problem is that, as Apache processes phases 0-6, it creates a lot of information (which mod_security uses) which would otherwise be unavailable in hook #0 (for example). My idea is to split rule processing into two phases. One would happen in hook #0, and the other in #6.

However, as I was making improvements to 1.9 I solved one of the major obstacles to moving mod_security from hook #7 into an earlier phase. I won't bother you with programming details, but now it may be possible to run from hook #0. I don't have time to test it thoroughly, but since there is demand for it, I'll do a couple of tests to see if it works, and if it does I will release 1.9dev3 (by the end of the week) with a configuration option to choose the hook to run at.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
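The trade-off Ivan describes (an earlier hook rejects a malformed request before phases 1-6 run, but rules that need data those phases produce cannot be evaluated there) can be simulated with a small model of the Apache 1.3 request loop. This is an added illustration, not mod_security code; the phase numbering follows the hook table quoted above, while the attributes each phase produces, the rules and the sample requests are simplified assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Apache 1.3 request-loop phases in execution order, numbered as in the hook table above.
PHASES = [(0, "post_read_request"), (1, "uri_to_filename"), (2, "header_parser"),
          (3, "check_access"), (4, "check_user_id"), (5, "auth_checker"),
          (6, "type_checker"), (7, "fixups"), (8, "handler"), (9, "logger")]

@dataclass
class Request:
    uri: str
    headers: dict
    attrs: dict = field(default_factory=dict)        # filled in as core phases run
    phases_run: list = field(default_factory=list)

# A rule is (name, attribute it needs or None, predicate over the request).
# Constructed rules: two need only the raw request, one needs the MIME type from phase 6.
RULES = [
    ("missing_host_header", None, lambda r: "Host" not in r.headers),
    ("ctrl_char_in_uri", None, lambda r: any(ord(c) < 32 for c in r.uri)),
    ("php_script_under_uploads", "content_type",
     lambda r: r.attrs.get("content_type") == "application/x-httpd-php"
               and r.attrs.get("filename", "").startswith("/var/www/uploads/")),
]

def run_phase(req, num):
    """Simulate one core phase: record it and publish the data it produces (assumed)."""
    req.phases_run.append(num)
    if num == 1:                      # URI to filename translation
        req.attrs["filename"] = "/var/www" + req.uri.split("?", 1)[0]
    elif num == 6:                    # MIME type determination
        req.attrs["content_type"] = ("application/x-httpd-php"
                                     if req.uri.endswith(".php") else "text/plain")

def process(req, hook):
    """Run the loop with the rule engine attached at phase `hook`.
    Returns (blocking rule or None, phases run before the engine saw the request,
    rules skipped because the data they need did not exist yet at that hook)."""
    before, skipped, blocked = [], [], None
    for num, _name in PHASES:
        if num == hook:
            before = list(req.phases_run)
            for name, needs, pred in RULES:
                if needs is not None and needs not in req.attrs:
                    skipped.append(name)
                elif pred(req):
                    blocked = name
                    break
            if blocked:
                break                 # request rejected; later phases never run
        run_phase(req, num)
    return blocked, before, skipped
```

Running the same malformed request through hook #7 and hook #0 shows that #7 lets all seven earlier phases execute first, while #0 rejects it immediately but has to skip the MIME-type rule.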