Re: [mod-security-users] about win32 source
From: Ivan R. <iv...@we...> - 2006-03-15 09:24:32
j liu wrote:
> hi
> I am reading the source for win32-----"mod_security.c" , it is from
> "1.9.2" /apache2,
Hi,
Please report any problems to me directly as this is a list for
the users. I doubt the others are interested in the C source code.
Also, if your purpose is to find bugs I suggest you read the latest
code from the CVS (for either branch).
> I think I discovered two mistakes:
> 1. In the function of "cmd_filter_remove", I think that it is the
> same as "cmd_filter_import"
It isn't. Look closer, there's a small difference.
> 2. In the function of "cmd_filter_selective",
>
> " v->type = VAR_UNKNOWN;
> v->name = NULL;
>
> /* when ! is the first character in the variable
> * name, that means that the restrictions need to be
> * relaxed for that variable (within the filter scope)
> */
> if (t[0] == '!') {
> v->action = VAR_ACTION_ALLOW;
> sig->is_negative = 1;
> sig->requires_parsed_args =
> 1; ----------------------------------------- v->type=?
v->type will be assigned later. It's not determined yet.
> x++;
> }
> else {
> v->action = VAR_ACTION_DENY;
> }
>
> .......................................
>
> if (v->type == VAR_UNKNOWN) {
> ------------------------------------------------the same as " t[0] ==
> '!' " ?
No, it's not. Why do you think that?
> v->name = apr_pstrdup(cmd->pool, "UKNOWN");
> return apr_psprintf(cmd->pool, "Unknown variable name: %s", x);
> }
> if ((v->type == VAR_ARGS_NAMES)||(v->type == VAR_ARGS_VALUES))
> sig->requires_parsed_args = 1;
> -----------------------------------------it is impossible that
> "((v->type == VAR_ARGS_NAMES)||(v->type == VAR_ARGS_VALUES)) "
> "
It's possible, v->type can have one of many values. Why do you
think otherwise?
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
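
The control flow discussed in the reply above, as an added example that is not part of the original message and not ModSecurity's source: the `!` prefix only sets the action and flags, while `v->type` is resolved afterwards from the name, so the `VAR_UNKNOWN` check and the `t[0] == '!'` check are independent. The lookup table, `VAR_REQUEST_URI`, `struct result` and `parse_variable` are assumptions standing in for the part the quoted excerpt elides.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of the quoted flow. Names follow the excerpt; the lookup
 * table and VAR_REQUEST_URI are assumed stand-ins for the elided code. */
enum var_type { VAR_UNKNOWN, VAR_ARGS_NAMES, VAR_ARGS_VALUES, VAR_REQUEST_URI };
enum var_action { VAR_ACTION_DENY, VAR_ACTION_ALLOW };
struct variable { enum var_type type; enum var_action action; };
struct signature { int is_negative; int requires_parsed_args; };
struct result { struct variable v; struct signature sig; int ok; };

static const struct { const char *name; enum var_type type; } known[] = {
    { "ARGS_NAMES", VAR_ARGS_NAMES },
    { "ARGS_VALUES", VAR_ARGS_VALUES },
    { "REQUEST_URI", VAR_REQUEST_URI },
};

struct result parse_variable(const char *t)
{
    struct result r = { { VAR_UNKNOWN, VAR_ACTION_DENY }, { 0, 0 }, 0 };
    struct variable *v = &r.v;
    struct signature *sig = &r.sig;
    const char *x = t;
    size_t i;

    /* Step 1: the '!' prefix sets the action and flags; the type is untouched. */
    if (t[0] == '!') {
        v->action = VAR_ACTION_ALLOW;
        sig->is_negative = 1;
        sig->requires_parsed_args = 1;
        x++;
    }

    /* Step 2 (assumed lookup): the name after the prefix sets the type. */
    for (i = 0; i < sizeof(known) / sizeof(known[0]); i++)
        if (strcmp(x, known[i].name) == 0)
            v->type = known[i].type;

    /* Step 3: still unknown means no name matched, negated or not. */
    if (v->type == VAR_UNKNOWN)
        return r;                 /* ok stays 0: "Unknown variable name" */

    if (v->type == VAR_ARGS_NAMES || v->type == VAR_ARGS_VALUES)
        sig->requires_parsed_args = 1;
    r.ok = 1;
    return r;
}
```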