mod-security-developers Mailing List for ModSecurity (Page 26)
Brought to you by: victorhora, zimmerletw
From: <msd...@15...> - 2012-10-17 06:42:01

Noting the new 2.7 release, switching to 2.7.x branch,

svn info
Path: .
Working Copy Root Path: /usr/local/src/modsecurity
URL: https://mod-security.svn.sourceforge.net/svnroot/mod-security/m2/branches/2.7.x
Repository Root: https://mod-security.svn.sourceforge.net/svnroot/mod-security
Repository UUID: 9017d574-64ec-4062-9424-5e00b32a252b
Revision: 2088
Node Kind: directory
Schedule: normal
Last Changed Author: brenosilva
Last Changed Rev: 2087
Last Changed Date: 2012-10-16 06:16:14 -0700 (Tue, 16 Oct 2012)

even with,

> removing "-Wall -Werror" from automake init,
>
> perl -pi -e 's|^(AM_INIT_AUTOMAKE\(\[).*(\]\))|$1foreign$2|g' configure.ac

as before, now, it won't build completely at all; `make` now fails @

...
Making all in mlogc
make[1]: Entering directory `/usr/local/src/modsecurity/mlogc'
/usr/bin/gcc-4.7 -DHAVE_CONFIG_H -I. -I../apache2 -D_REENTRANT -D_GNU_SOURCE -I../apache2 -I/usr/local/include -I/usr/local/ssl/include -I/usr/include -I/usr/local/apache24x/include -I/usr/include -I/usr/local/include -O3 -march=amdfam10 -mtune=amdfam10 -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing -MT mlogc-mlogc.o -MD -MP -MF .deps/mlogc-mlogc.Tpo -c -o mlogc-mlogc.o `test -f 'mlogc.c' || echo './'`mlogc.c
mv -f .deps/mlogc-mlogc.Tpo .deps/mlogc-mlogc.Po
/bin/sh ../libtool --tag=CC --mode=link /usr/bin/gcc-4.7 -I/usr/local/apache24x/include -I/usr/include -I/usr/local/include -O3 -march=amdfam10 -mtune=amdfam10 -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing -lcrypt -luuid -lrt -lcrypt -lpthread -ldl -lexpat -L/usr/local/ssl/lib64 -Wl,-rpath,/usr/local/ssl/lib64 -lssl -lcrypto -o mlogc mlogc-mlogc.o /usr/local/apache24x/lib/libapr-2.la -L/usr/local/lib64 -lpcre -lcurl
libtool: link: /usr/bin/gcc-4.7 -I/usr/local/apache24x/include -I/usr/include -I/usr/local/include -O3 -march=amdfam10 -mtune=amdfam10 -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing -Wl,-rpath -Wl,/usr/local/ssl/lib64 -o mlogc mlogc-mlogc.o -L/usr/local/ssl/lib64 /usr/local/apache24x/lib/libapr-2.so -lssl -lcrypto -luuid -lrt -lcrypt -lpthread -ldl -lexpat -L/usr/local/lib64 /usr/local/lib64/libpcre.so -lcurl -pthread -Wl,-rpath -Wl,/usr/local/apache24x/lib -Wl,-rpath -Wl,/usr/local/apache24x/lib
make[1]: Leaving directory `/usr/local/src/modsecurity/mlogc'
Making all in docs
/bin/sh: line 17: cd: docs: No such file or directory
make: *** [all-recursive] Error 1

On Sun, Oct 14, 2012, at 10:24 AM, msd...@15... wrote:
> Hi
>
> Building latest mod-security,
>
> svn co https://mod-security.svn.sourceforge.net/svnroot/mod-security/m2/branches/2.6.x modsecurity
> cd /usr/local/src/modsecurity
> svn info
> Path: .
> Working Copy Root Path: /usr/local/src/modsecurity
> URL: https://mod-security.svn.sourceforge.net/svnroot/mod-security/m2/branches/2.6.x
> Repository Root: https://mod-security.svn.sourceforge.net/svnroot/mod-security
> Repository UUID: 9017d574-64ec-4062-9424-5e00b32a252b
> Revision: 2079
> Node Kind: directory
> Schedule: normal
> Last Changed Author: brenosilva
> Last Changed Rev: 2064
> Last Changed Date: 2012-09-25 07:02:50 -0700 (Tue, 25 Sep 2012)
>
> I see a number of configure & build failures.
>
> On linux/64 with
>
> gcc -v | grep version
> Using built-in specs.
> COLLECT_GCC=/usr/bin/gcc-4.7
> COLLECT_LTO_WRAPPER=/usr/lib64/gcc/x86_64-suse-linux/4.7/lto-wrapper
> Target: x86_64-suse-linux
> Configured with: ../configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib64 --libexecdir=/usr/lib64 --enable-languages=c,c++,objc,fortran,obj-c++,java,ada --enable-checking=release --with-gxx-include-dir=/usr/include/c++/4.7 --enable-ssp --disable-libssp --disable-libitm --disable-plugin --with-bugurl=http://bugs.opensuse.org/ --with-pkgversion='SUSE Linux' --disable-libgcj --disable-libmudflap --with-slibdir=/lib64 --with-system-zlib --enable-__cxa_atexit --enable-libstdcxx-allocator=new --disable-libstdcxx-pch --enable-version-specific-runtime-libs --enable-linker-build-id --program-suffix=-4.7 --enable-linux-futex --without-system-libunwind --with-arch-32=i586 --with-tune=generic --build=x86_64-suse-linux
> Thread model: posix
> gcc version 4.7.2 20120920 [gcc-4_7-branch revision 191568] (SUSE Linux)
>
> and ENV including
>
> echo -e $CFLAGS "\n" $CXXFLAGS "\n" $LDFLAGS "\n" $CPPFLAGS
> -O3 -march=amdfam10 -mtune=amdfam10 -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing
> -O3 -march=amdfam10 -mtune=amdfam10 -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing
> -L/usr/local/ssl/lib64 -Wl,-rpath,/usr/local/ssl/lib64 -lssl -lcrypto
> -I/usr/local/include -I/usr/local/ssl/include -I/usr/include
>
> 'autogen.sh' complains
>
> sh autogen.sh
> libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `build'.
> libtoolize: copying file `build/ltmain.sh'
> libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `build'.
> libtoolize: copying file `build/libtool.m4'
> libtoolize: copying file `build/ltoptions.m4'
> libtoolize: copying file `build/ltsugar.m4'
> libtoolize: copying file `build/ltversion.m4'
> libtoolize: copying file `build/lt~obsolete.m4'
> configure.ac:20: installing 'build/config.guess'
> configure.ac:20: installing 'build/config.sub'
> configure.ac:17: installing 'build/install-sh'
> configure.ac:17: installing 'build/missing'
> automake: warnings are treated as errors
> /usr/share/automake-1.12/am/ltlibrary.am: warning: 'libalp2.la': linking libtool libraries using a non-POSIX
> /usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
> alp2/Makefile.am:1: while processing Libtool library 'libalp2.la'
> alp2/Makefile.am: installing 'build/depcomp'
> /usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_security2.la': linking libtool libraries using a non-POSIX
> /usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
> apache2/Makefile.am:2: while processing Libtool library 'mod_security2.la'
> /usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_op_strstr.la': linking libtool libraries using a non-POSIX
> /usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
> ext/Makefile.am:11: while processing Libtool library 'mod_op_strstr.la'
> /usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_reqbody_example.la': linking libtool libraries using a non-POSIX
> /usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
> ext/Makefile.am:11: while processing Libtool library 'mod_reqbody_example.la'
> /usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_tfn_reverse.la': linking libtool libraries using a non-POSIX
> /usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
> ext/Makefile.am:11: while processing Libtool library 'mod_tfn_reverse.la'
> /usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_var_remote_addr_port.la': linking libtool libraries using a non-POSIX
> /usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
> ext/Makefile.am:11: while processing Libtool library 'mod_var_remote_addr_port.la'
> mlogc/Makefile.am:3: warning: compiling 'mlogc.c' with per-target flags requires 'AM_PROG_CC_C_O' in 'configure.ac'
> autoreconf: automake failed with exit status: 1
> automake: warnings are treated as errors
> /usr/share/automake-1.12/am/ltlibrary.am: warning: 'libalp2.la': linking libtool libraries using a non-POSIX
> /usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
> alp2/Makefile.am:1: while processing Libtool library 'libalp2.la'
> /usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_security2.la': linking libtool libraries using a non-POSIX
> /usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
> apache2/Makefile.am:2: while processing Libtool library 'mod_security2.la'
> /usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_op_strstr.la': linking libtool libraries using a non-POSIX
> /usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
> ext/Makefile.am:11: while processing Libtool library 'mod_op_strstr.la'
> /usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_reqbody_example.la': linking libtool libraries using a non-POSIX
> /usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
> ext/Makefile.am:11: while processing Libtool library 'mod_reqbody_example.la'
> /usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_tfn_reverse.la': linking libtool libraries using a non-POSIX
> /usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
> ext/Makefile.am:11: while processing Libtool library 'mod_tfn_reverse.la'
> /usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_var_remote_addr_port.la': linking libtool libraries using a non-POSIX
> /usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
> ext/Makefile.am:11: while processing Libtool library 'mod_var_remote_addr_port.la'
> mlogc/Makefile.am:3: warning: compiling 'mlogc.c' with per-target flags requires 'AM_PROG_CC_C_O' in 'configure.ac'
>
> causing a subsequent 'configure'
>
> ./configure \
>   --enable-shared --disable-static \
>   --enable-apache2-module \
>   --with-apxs=/usr/local/apache24x/bin/apxs \
>   --with-apr=/usr/local/apache24x/bin/apr-2-config \
>   --with-apu=/usr/local/apache24x/bin/apr-2-config \
>   --with-pcre=/usr/local/bin/pcre-config
>   --enable-strict-compile=no
>
> to FAIL,
>
> ...
> checking if libcurl is linked with gnutls... no
> configure: using curl v7.25.0
> checking that generated files are newer than configure... done
> configure: creating ./config.status
> config.status: creating Makefile
> config.status: error: cannot find input file: `tools/Makefile.in'
>
> removing "-Wall -Werror" from automake init,
>
> perl -pi -e 's|^(AM_INIT_AUTOMAKE\(\[).*(\]\))|$1foreign$2|g' configure.ac
>
> quiets down autogen.sh
>
> make clean
> sh autogen.sh
> libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `build'.
> libtoolize: copying file `build/ltmain.sh'
> libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `build'.
> libtoolize: copying file `build/libtool.m4'
> libtoolize: copying file `build/ltoptions.m4'
> libtoolize: copying file `build/ltsugar.m4'
> libtoolize: copying file `build/ltversion.m4'
> libtoolize: copying file `build/lt~obsolete.m4'
>
> and enables configure,
>
> ./configure \
>   --enable-shared --disable-static \
>   --enable-apache2-module \
>   --with-apxs=/usr/local/apache24x/bin/apxs \
>   --with-apr=/usr/local/apache24x/bin/apr-2-config \
>   --with-apu=/usr/local/apache24x/bin/apr-2-config \
>   --with-pcre=/usr/local/bin/pcre-config \
>   --enable-strict-compile=no
>
> to complete. but now subsequent 'make' FAILS,
>
> ...
> msc_lua.c: In function 'lua_restore':
> msc_lua.c:82:5: error: too few arguments to function 'lua_load'
> In file included from msc_lua.h:23:0,
>                  from msc_lua.c:17:
> /usr/include/lua.h:256:16: note: declared here
> msc_lua.c: In function 'lua_compile':
> msc_lua.c:93:7: warning: assignment makes pointer from integer without a cast [enabled by default]
> msc_lua.c: In function 'lua_execute':
> msc_lua.c:408:7: warning: assignment makes pointer from integer without a cast [enabled by default]
> make[2]: *** [mod_security2_la-msc_lua.lo] Error 1
> make[2]: Leaving directory `/usr/local/src/modsecurity/apache2'
> make[1]: *** [all] Error 2
> make[1]: Leaving directory `/usr/local/src/modsecurity/apache2'
> make: *** [all-recursive] Error 1
>
> disabling 'lua'
>
> ./configure \
>   --enable-shared --disable-static \
>   --enable-apache2-module \
>   --with-apxs=/usr/local/apache24x/bin/apxs \
>   --with-apr=/usr/local/apache24x/bin/apr-2-config \
>   --with-apu=/usr/local/apache24x/bin/apr-2-config \
>   --with-pcre=/usr/local/bin/pcre-config \
>   --enable-strict-compile=no \
> + --without-lua
>
> fixes that. 'make' completes, but,
>
> ldd ./apache2/.libs/mod_security2.so
>         linux-vdso.so.1 (0x00007fff7c5b7000)
>         libapr-2.so.0 => /usr/local/apache24x/lib/libapr-2.so.0 (0x00007f7577602000)
>         libssl.so.1.0.0 => /usr/local/ssl/lib64/libssl.so.1.0.0 (0x00007f7577397000)
>         libcrypto.so.1.0.0 => /usr/local/ssl/lib64/libcrypto.so.1.0.0 (0x00007f7576fac000)
>         libuuid.so.1 => /usr/lib64/libuuid.so.1 (0x00007f7576da7000)
>         librt.so.1 => /lib64/librt.so.1 (0x00007f7576b65000)
>         libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f757692a000)
>         libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f757670e000)
>         libexpat.so.1 => /usr/lib64/libexpat.so.1 (0x00007f75764e3000)
> !!      libpcre.so.1 => /usr/lib64/libpcre.so.1 (0x00007f7576289000)
>         libxml2.so.2 => /usr/lib64/libxml2.so.2 (0x00007f7575f2b000)
>         libdl.so.2 => /lib64/libdl.so.2 (0x00007f7575d26000)
>         liblzma.so.5 => /usr/lib64/liblzma.so.5 (0x00007f7575b00000)
>         libz.so.1 => /lib64/libz.so.1 (0x00007f75758ea000)
>         libm.so.6 => /lib64/libm.so.6 (0x00007f75755f2000)
>         libc.so.6 => /lib64/libc.so.6 (0x00007f757524d000)
>         /lib64/ld-linux-x86-64.so.2 (0x00007f7577ac3000)
>
> the lib is linked against an incorrect 'libpcre'
>
>         libpcre.so.1 => /usr/lib64/libpcre.so.1 (0x00007f7576289000)
>
> since
>
> ...
>   --with-pcre=/usr/local/bin/pcre-config \
> ...
>
> should link against
>
> /usr/local/bin/pcre-config --libs --cflags
> -L/usr/local/lib64 -lpcre
> -I/usr/local/include
> ls -al /usr/local/lib64/libpcre.so*
> lrwxrwxrwx 1 root root  16 Oct 13 21:35 /usr/local/lib64/libpcre.so -> libpcre.so.1.0.1*
> lrwxrwxrwx 1 root root  16 Oct 13 21:35 /usr/local/lib64/libpcre.so.1 -> libpcre.so.1.0.1*
> -rwxr-xr-x 1 root root 573K Oct 13 21:35 /usr/local/lib64/libpcre.so.1.0.1*
From: Breno S. <bre...@gm...> - 2012-10-17 01:03:46

Availability of ModSecurity 2.7.0

The ModSecurity Development Team is pleased to announce the availability of ModSecurity 2.7.0 Stable Release. The stability of this release is good and includes many new features and bug fixes. Highlights include:

* Internationalization (I18N) Support
* HMAC Token Injection to prevent data manipulation
* PCRE JIT Support to speed up regular expression operators
* Caching Lua VMs to speed up multiple scripts
* Ability to add exceptions based on TAG and MSG data
* Per-rule Performance information in audit log

Please see the release notes included in the CHANGES file. For known problems and more information about bug fixes, please see the online ModSecurity Jira.

Please report any bug to mod...@li....

Thanks

Breno Silva
From: <msd...@15...> - 2012-10-14 17:24:43

Hi

Building latest mod-security,

svn co https://mod-security.svn.sourceforge.net/svnroot/mod-security/m2/branches/2.6.x modsecurity
cd /usr/local/src/modsecurity
svn info
Path: .
Working Copy Root Path: /usr/local/src/modsecurity
URL: https://mod-security.svn.sourceforge.net/svnroot/mod-security/m2/branches/2.6.x
Repository Root: https://mod-security.svn.sourceforge.net/svnroot/mod-security
Repository UUID: 9017d574-64ec-4062-9424-5e00b32a252b
Revision: 2079
Node Kind: directory
Schedule: normal
Last Changed Author: brenosilva
Last Changed Rev: 2064
Last Changed Date: 2012-09-25 07:02:50 -0700 (Tue, 25 Sep 2012)

I see a number of configure & build failures.

On linux/64 with

gcc -v | grep version
Using built-in specs.
COLLECT_GCC=/usr/bin/gcc-4.7
COLLECT_LTO_WRAPPER=/usr/lib64/gcc/x86_64-suse-linux/4.7/lto-wrapper
Target: x86_64-suse-linux
Configured with: ../configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib64 --libexecdir=/usr/lib64 --enable-languages=c,c++,objc,fortran,obj-c++,java,ada --enable-checking=release --with-gxx-include-dir=/usr/include/c++/4.7 --enable-ssp --disable-libssp --disable-libitm --disable-plugin --with-bugurl=http://bugs.opensuse.org/ --with-pkgversion='SUSE Linux' --disable-libgcj --disable-libmudflap --with-slibdir=/lib64 --with-system-zlib --enable-__cxa_atexit --enable-libstdcxx-allocator=new --disable-libstdcxx-pch --enable-version-specific-runtime-libs --enable-linker-build-id --program-suffix=-4.7 --enable-linux-futex --without-system-libunwind --with-arch-32=i586 --with-tune=generic --build=x86_64-suse-linux
Thread model: posix
gcc version 4.7.2 20120920 [gcc-4_7-branch revision 191568] (SUSE Linux)

and ENV including

echo -e $CFLAGS "\n" $CXXFLAGS "\n" $LDFLAGS "\n" $CPPFLAGS
-O3 -march=amdfam10 -mtune=amdfam10 -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing
-O3 -march=amdfam10 -mtune=amdfam10 -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing
-L/usr/local/ssl/lib64 -Wl,-rpath,/usr/local/ssl/lib64 -lssl -lcrypto
-I/usr/local/include -I/usr/local/ssl/include -I/usr/include

'autogen.sh' complains

sh autogen.sh
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `build'.
libtoolize: copying file `build/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `build'.
libtoolize: copying file `build/libtool.m4'
libtoolize: copying file `build/ltoptions.m4'
libtoolize: copying file `build/ltsugar.m4'
libtoolize: copying file `build/ltversion.m4'
libtoolize: copying file `build/lt~obsolete.m4'
configure.ac:20: installing 'build/config.guess'
configure.ac:20: installing 'build/config.sub'
configure.ac:17: installing 'build/install-sh'
configure.ac:17: installing 'build/missing'
automake: warnings are treated as errors
/usr/share/automake-1.12/am/ltlibrary.am: warning: 'libalp2.la': linking libtool libraries using a non-POSIX
/usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
alp2/Makefile.am:1: while processing Libtool library 'libalp2.la'
alp2/Makefile.am: installing 'build/depcomp'
/usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_security2.la': linking libtool libraries using a non-POSIX
/usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
apache2/Makefile.am:2: while processing Libtool library 'mod_security2.la'
/usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_op_strstr.la': linking libtool libraries using a non-POSIX
/usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
ext/Makefile.am:11: while processing Libtool library 'mod_op_strstr.la'
/usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_reqbody_example.la': linking libtool libraries using a non-POSIX
/usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
ext/Makefile.am:11: while processing Libtool library 'mod_reqbody_example.la'
/usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_tfn_reverse.la': linking libtool libraries using a non-POSIX
/usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
ext/Makefile.am:11: while processing Libtool library 'mod_tfn_reverse.la'
/usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_var_remote_addr_port.la': linking libtool libraries using a non-POSIX
/usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
ext/Makefile.am:11: while processing Libtool library 'mod_var_remote_addr_port.la'
mlogc/Makefile.am:3: warning: compiling 'mlogc.c' with per-target flags requires 'AM_PROG_CC_C_O' in 'configure.ac'
autoreconf: automake failed with exit status: 1
automake: warnings are treated as errors
/usr/share/automake-1.12/am/ltlibrary.am: warning: 'libalp2.la': linking libtool libraries using a non-POSIX
/usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
alp2/Makefile.am:1: while processing Libtool library 'libalp2.la'
/usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_security2.la': linking libtool libraries using a non-POSIX
/usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
apache2/Makefile.am:2: while processing Libtool library 'mod_security2.la'
/usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_op_strstr.la': linking libtool libraries using a non-POSIX
/usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
ext/Makefile.am:11: while processing Libtool library 'mod_op_strstr.la'
/usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_reqbody_example.la': linking libtool libraries using a non-POSIX
/usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
ext/Makefile.am:11: while processing Libtool library 'mod_reqbody_example.la'
/usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_tfn_reverse.la': linking libtool libraries using a non-POSIX
/usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
ext/Makefile.am:11: while processing Libtool library 'mod_tfn_reverse.la'
/usr/share/automake-1.12/am/ltlibrary.am: warning: 'mod_var_remote_addr_port.la': linking libtool libraries using a non-POSIX
/usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
ext/Makefile.am:11: while processing Libtool library 'mod_var_remote_addr_port.la'
mlogc/Makefile.am:3: warning: compiling 'mlogc.c' with per-target flags requires 'AM_PROG_CC_C_O' in 'configure.ac'

causing a subsequent 'configure'

./configure \
  --enable-shared --disable-static \
  --enable-apache2-module \
  --with-apxs=/usr/local/apache24x/bin/apxs \
  --with-apr=/usr/local/apache24x/bin/apr-2-config \
  --with-apu=/usr/local/apache24x/bin/apr-2-config \
  --with-pcre=/usr/local/bin/pcre-config
  --enable-strict-compile=no

to FAIL,

...
checking if libcurl is linked with gnutls... no
configure: using curl v7.25.0
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: error: cannot find input file: `tools/Makefile.in'

removing "-Wall -Werror" from automake init,

perl -pi -e 's|^(AM_INIT_AUTOMAKE\(\[).*(\]\))|$1foreign$2|g' configure.ac

quiets down autogen.sh

make clean
sh autogen.sh
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `build'.
libtoolize: copying file `build/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `build'.
libtoolize: copying file `build/libtool.m4'
libtoolize: copying file `build/ltoptions.m4'
libtoolize: copying file `build/ltsugar.m4'
libtoolize: copying file `build/ltversion.m4'
libtoolize: copying file `build/lt~obsolete.m4'

and enables configure,

./configure \
  --enable-shared --disable-static \
  --enable-apache2-module \
  --with-apxs=/usr/local/apache24x/bin/apxs \
  --with-apr=/usr/local/apache24x/bin/apr-2-config \
  --with-apu=/usr/local/apache24x/bin/apr-2-config \
  --with-pcre=/usr/local/bin/pcre-config \
  --enable-strict-compile=no

to complete. but now subsequent 'make' FAILS,

...
msc_lua.c: In function 'lua_restore':
msc_lua.c:82:5: error: too few arguments to function 'lua_load'
In file included from msc_lua.h:23:0,
                 from msc_lua.c:17:
/usr/include/lua.h:256:16: note: declared here
msc_lua.c: In function 'lua_compile':
msc_lua.c:93:7: warning: assignment makes pointer from integer without a cast [enabled by default]
msc_lua.c: In function 'lua_execute':
msc_lua.c:408:7: warning: assignment makes pointer from integer without a cast [enabled by default]
make[2]: *** [mod_security2_la-msc_lua.lo] Error 1
make[2]: Leaving directory `/usr/local/src/modsecurity/apache2'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/usr/local/src/modsecurity/apache2'
make: *** [all-recursive] Error 1

disabling 'lua'

./configure \
  --enable-shared --disable-static \
  --enable-apache2-module \
  --with-apxs=/usr/local/apache24x/bin/apxs \
  --with-apr=/usr/local/apache24x/bin/apr-2-config \
  --with-apu=/usr/local/apache24x/bin/apr-2-config \
  --with-pcre=/usr/local/bin/pcre-config \
  --enable-strict-compile=no \
+ --without-lua

fixes that. 'make' completes, but,

ldd ./apache2/.libs/mod_security2.so
        linux-vdso.so.1 (0x00007fff7c5b7000)
        libapr-2.so.0 => /usr/local/apache24x/lib/libapr-2.so.0 (0x00007f7577602000)
        libssl.so.1.0.0 => /usr/local/ssl/lib64/libssl.so.1.0.0 (0x00007f7577397000)
        libcrypto.so.1.0.0 => /usr/local/ssl/lib64/libcrypto.so.1.0.0 (0x00007f7576fac000)
        libuuid.so.1 => /usr/lib64/libuuid.so.1 (0x00007f7576da7000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f7576b65000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f757692a000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f757670e000)
        libexpat.so.1 => /usr/lib64/libexpat.so.1 (0x00007f75764e3000)
!!      libpcre.so.1 => /usr/lib64/libpcre.so.1 (0x00007f7576289000)
        libxml2.so.2 => /usr/lib64/libxml2.so.2 (0x00007f7575f2b000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f7575d26000)
        liblzma.so.5 => /usr/lib64/liblzma.so.5 (0x00007f7575b00000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f75758ea000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f75755f2000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f757524d000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f7577ac3000)

the lib is linked against an incorrect 'libpcre'

        libpcre.so.1 => /usr/lib64/libpcre.so.1 (0x00007f7576289000)

since

...
  --with-pcre=/usr/local/bin/pcre-config \
...

should link against

/usr/local/bin/pcre-config --libs --cflags
-L/usr/local/lib64 -lpcre
-I/usr/local/include
ls -al /usr/local/lib64/libpcre.so*
lrwxrwxrwx 1 root root  16 Oct 13 21:35 /usr/local/lib64/libpcre.so -> libpcre.so.1.0.1*
lrwxrwxrwx 1 root root  16 Oct 13 21:35 /usr/local/lib64/libpcre.so.1 -> libpcre.so.1.0.1*
-rwxr-xr-x 1 root root 573K Oct 13 21:35 /usr/local/lib64/libpcre.so.1.0.1*
From: Breno S. P. (JIRA) <no...@mo...> - 2012-10-08 19:01:58

[ https://www.modsecurity.org/tracker/browse/MODSEC-261?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-261.
--------------------------------------
    Resolution: Fixed

Marc,

Added code that tries to find the separator. It is working for me. Going to close this now. However if necessary we can re-open.

Thanks

> Cookies delimiter
> -----------------
>
>            Key: MODSEC-261
>            URL: https://www.modsecurity.org/tracker/browse/MODSEC-261
>        Project: ModSecurity
>     Issue Type: Bug
> Security Level: Normal
>     Components: Core
>       Reporter: Marc Stern
>       Assignee: Breno Silva Pinto
>        Fix For: 2.7.0
>
>
> Some (?) user-agents (at least BlackBerry) delimit cookies with a colon instead of a semi-colon.
> RFC 2109 states "A server should also accept comma (,) as the separator between cookie-values for future compatibility".
> Shouldn't ModSecurity support it also?
> In case a User-Agent uses this (new?) syntax, cookies parsing is completely broken and most of cookies-related rules are confused.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
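The delimiter problem MODSEC-261 reports, as an added example that is not ModSecurity's own code: a request Cookie header splitter that uses ';' when the header contains one and falls back to ',' (the separator RFC 2109 says servers should also accept) only when there is no ';', so a comma inside a value of a normally delimited header is not mistaken for a pair boundary. The function names, the fixed-size bounded structs and that preference rule are this example's assumptions; the sample headers are constructed.

```c
/* Added example, not ModSecurity code: delimiter-detecting Cookie header
 * parser for the case MODSEC-261 describes. Names and the preference rule
 * below are this example's own assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_COOKIES 32
#define MAX_LEN 128

typedef struct {
    char name[MAX_LEN];
    char value[MAX_LEN];
} cookie_t;

/* Prefer ';' (the normal request-header form); fall back to ',' only when
 * the header has no ';' at all, so values that legitimately contain commas
 * in a ';'-delimited header are left intact. Assumption of this example. */
static char detect_separator(const char *hdr)
{
    if (strchr(hdr, ';') != NULL) return ';';
    if (strchr(hdr, ',') != NULL) return ',';
    return ';';
}

/* Copy [start, end) into dst with surrounding whitespace removed, bounded
 * by cap so an oversized token can never overflow the fixed buffer. */
static void copy_trimmed(char *dst, const char *start, const char *end, size_t cap)
{
    while (start < end && isspace((unsigned char)*start)) start++;
    while (end > start && isspace((unsigned char)end[-1])) end--;
    size_t n = (size_t)(end - start);
    if (n >= cap) n = cap - 1;
    memcpy(dst, start, n);
    dst[n] = '\0';
}

/* Split a Cookie header into name/value pairs. Returns the number of pairs
 * stored, or -1 for a NULL header. A segment without '=' is kept with an
 * empty value so that a rule engine can still see and log the odd token;
 * empty segments (e.g. from a trailing separator) are skipped. */
int parse_cookie_header(const char *hdr, cookie_t *out, int max)
{
    if (hdr == NULL) return -1;
    char sep = detect_separator(hdr);
    int count = 0;
    const char *p = hdr;
    while (*p != '\0' && count < max) {
        const char *seg_end = strchr(p, sep);
        if (seg_end == NULL) seg_end = p + strlen(p);
        const char *eq = memchr(p, '=', (size_t)(seg_end - p));
        if (eq != NULL) {
            copy_trimmed(out[count].name, p, eq, MAX_LEN);
            copy_trimmed(out[count].value, eq + 1, seg_end, MAX_LEN);
        } else {
            copy_trimmed(out[count].name, p, seg_end, MAX_LEN);
            out[count].value[0] = '\0';
        }
        if (out[count].name[0] != '\0') count++;
        p = (*seg_end == '\0') ? seg_end : seg_end + 1;
    }
    return count;
}

int main(void)
{
    /* Constructed sample headers: the usual ';' form, the ',' form the
     * issue asks about, and a ';' header whose value contains a comma. */
    const char *samples[] = {
        "sid=abc123; lang=en; theme=dark",
        "sid=abc123, lang=en, theme=dark",
        "prefs=a,b,c; lang=en",
    };
    cookie_t c[MAX_COOKIES];
    for (int i = 0; i < 3; i++) {
        int n = parse_cookie_header(samples[i], c, MAX_COOKIES);
        printf("%s -> %d cookies\n", samples[i], n);
        for (int j = 0; j < n; j++) printf("  %s = %s\n", c[j].name, c[j].value);
    }
    return 0;
}
```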
From: Breno S. P. (JIRA) <no...@mo...> - 2012-10-08 18:51:22

[ https://www.modsecurity.org/tracker/browse/MODSEC-337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-337.
--------------------------------------
    Resolution: Fixed

> Wrong %REMOTE_ADDR with NGINX version
> -------------------------------------
>
>              Key: MODSEC-337
>              URL: https://www.modsecurity.org/tracker/browse/MODSEC-337
>          Project: ModSecurity
>       Issue Type: Bug
>   Security Level: Normal
>       Components: Configuration, Core, Logging, Rules
> Affects Versions: 2.7.0
>      Environment: EL6
>         Reporter: Mike Fisher
>         Assignee: Breno Silva Pinto
>          Fix For: 2.7.0
>
>
> Getting the remote address doesn't work properly with the latest NGINX version from SVN, it's always 127.0.0.1.
> The second issue is that it's not writing the $SecDataDir/ip file, so the IP counter always stays at 0 or 1. I've tried the /tmp directory and the NGINX log directory, which both have rw permissions for NGINX.
> [08/Oct/2012:19:50:12 +0400] [standalone/sid#f8d2158][rid#10ebad08][/portal.php][5] Rule f8d5d28: SecAction "phase:2,auditlog,pass,initcol:ip=%{REMOTE_ADDR},id:101"
> [08/Oct/2012:19:50:12 +0400] [standalone/sid#f8d2158][rid#10ebad08][/portal.php][4] Transformation completed in 1 usec.
> [08/Oct/2012:19:50:12 +0400] [standalone/sid#f8d2158][rid#10ebad08][/portal.php][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR.
> [08/Oct/2012:19:50:12 +0400] [standalone/sid#f8d2158][rid#10ebad08][/portal.php][9] Target value: "127.0.0.1"
> [08/Oct/2012:19:50:12 +0400] [standalone/sid#f8d2158][rid#10ebad08][/portal.php][4] Operator completed in 0 usec.
> [08/Oct/2012:19:50:12 +0400] [standalone/sid#f8d2158][rid#10ebad08][/portal.php][9] Resolved macro %{remote_addr} to: 127.0.0.1
> [08/Oct/2012:19:50:12 +0400] [standalone/sid#f8d2158][rid#10ebad08][/portal.php][9] collection_retrieve_ex: Retrieving collection (name "ip", filename "/var/log/nginx/ip")
> [08/Oct/2012:19:50:12 +0400] [standalone/sid#f8d2158][rid#10ebad08][/portal.php][4] Creating collection (name "ip", key "127.0.0.1").
> [08/Oct/2012:19:50:12 +0400] [standalone/sid#f8d2158][rid#10ebad08][/portal.php][4] Setting default timeout collection value 3600.
> [08/Oct/2012:19:50:12 +0400] [standalone/sid#f8d2158][rid#10ebad08][/portal.php][9] Recorded original collection variable: ip.UPDATE_COUNTER = "0"
> [08/Oct/2012:19:50:12 +0400] [standalone/sid#f8d2158][rid#10ebad08][/portal.php][4] Added collection "ip" to the list.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
From: Breno S. P. (JIRA) <no...@mo...> - 2012-10-08 15:22:21

[ https://www.modsecurity.org/tracker/browse/MODSEC-226?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-226.
--------------------------------------
    Resolution: Fixed

> Pb with environment variables set by SetEnv
> -------------------------------------------
>
>              Key: MODSEC-226
>              URL: https://www.modsecurity.org/tracker/browse/MODSEC-226
>          Project: ModSecurity
>       Issue Type: Bug
>   Security Level: Normal
>       Components: Core
> Affects Versions: 2.5.13
>      Environment: All
>         Reporter: Marc Stern
>         Assignee: Breno Silva Pinto
>          Fix For: 2.7.0
>
>
> Inconsistent behaviour with environment variables set by SetEnv:
> Setenv var SETENV
> SecAction "phase:3,pass,auditlog,msg:'phase 3: var=<%{ENV.var}>'"
> shows the value "SETENV", thus var is in the collection
> Adding the following directive to use it:
> SecAction "phase:2,pass,nolog,setenv:var=%{ENV.var}/MS"
> shows the value "/MS"
> same result in phase 1, but works Ok in phase 3
> The behaviour is inconsistent: either the rule runs before setEnv and var should be overwritten, or it runs after and it should use it. In no case do we expect to have only "/MS".
> Note that this is probably linked to a strange behaviour of SetEnv which runs, for instance, before mod_rewrite & mod_setenvif, but the values are not seen by these modules either.
> Although the problem may lie in mod_env, it is strange that %{ENV.var} works in logging but not in a setenv: (I did not test with setvar:).
> Note that everything works correctly when setting the variable with SetEnvIf.
> Maybe the best solution would be to push for a fix in mod_env ...

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
From: Breno S. P. (JIRA) <no...@mo...> - 2012-10-08 14:00:31

[ https://www.modsecurity.org/tracker/browse/MODSEC-297?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-297.
--------------------------------------

    Resolution: Fixed

> Pause-action silently ignored in combination with Pass-action
> -------------------------------------------------------------
>
> Key: MODSEC-297
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-297
> Project: ModSecurity
> Issue Type: Bug
> Security Level: Normal
> Components: Rules
> Affects Versions: 2.6.3
> Environment: SUSE Linux Enterprise Server 11 SP1 (x86_64), self-compiled. Apache 2.2.22
> Reporter: Christian Folini
> Assignee: Breno Silva Pinto
> Priority: Low
> Fix For: 2.7.0
>
>
> Trying to find new uses for ModSecurity, I am now using it as a backend application simulator in a reverse proxy performance test.
>
> This rule does not work as expected:
>
> SecRule ARGS_GET:pause "^(1000)$" "phase:2,pass,pause:1000"
>
> While these two work fine:
>
> SecRule ARGS_GET:pause "^(2000)$" "phase:2,allow,pause:2000"
> SecRule ARGS_GET:pause "^(3000)$" "phase:2,deny,pause:3000"
>
> I admit this is a small bug, but I would like ModSecurity to behave as expected, or to find some hint/explanation in the documentation.
From: Breno S. P. (JIRA) <no...@mo...> - 2012-10-08 14:00:26

[ https://www.modsecurity.org/tracker/browse/MODSEC-297?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-297.
--------------------------------------

    Resolution: Fixed

Fixed in the trunk. Also changed the documentation to set it as a Disruptive action.

Do you have time to test? I can send you a tarball.

Thanks

Breno

> Pause-action silently ignored in combination with Pass-action
> -------------------------------------------------------------
>
> Key: MODSEC-297
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-297
> Project: ModSecurity
> Issue Type: Bug
> Security Level: Normal
> Components: Rules
> Affects Versions: 2.6.3
> Environment: SUSE Linux Enterprise Server 11 SP1 (x86_64), self-compiled. Apache 2.2.22
> Reporter: Christian Folini
> Assignee: Breno Silva Pinto
> Priority: Low
> Fix For: 2.8.0
>
>
> Trying to find new uses for ModSecurity, I am now using it as a backend application simulator in a reverse proxy performance test.
>
> This rule does not work as expected:
>
> SecRule ARGS_GET:pause "^(1000)$" "phase:2,pass,pause:1000"
>
> While these two work fine:
>
> SecRule ARGS_GET:pause "^(2000)$" "phase:2,allow,pause:2000"
> SecRule ARGS_GET:pause "^(3000)$" "phase:2,deny,pause:3000"
>
> I admit this is a small bug, but I would like ModSecurity to behave as expected, or to find some hint/explanation in the documentation.
From: Thomas K. <mad...@gm...> - 2012-10-08 07:39:29

hello,

I've got the common example setup for my server using modsec-clamscan.pl to check file uploads with ClamAV:

SecRule FILES_TMPNAMES "@inspectFile /usr/bin/modsec-clamscan.pl" "phase:2,t:none,log,status:403,deny"

using apache 2 and PHP as an apache module. Unfortunately mod_security produces the ENV variable PATH_TRANSLATED which irritates some software packages of my customers. The scripts are using PATH_TRANSLATED instead of SCRIPT_FILENAME and I'm not able to patch all customer scripts (since some also have encrypted PHP code like Oxid-Shop etc).

Patching modsecurity-apache_2.6.7/apache2/apache2_util.c line 76 will solve the problem, but no clue if this will affect mod_security anyhow?:

    /* PHP hack, getting around its silly security checks. */
    apr_table_add(r->subprocess_env, "PATH_TRANSLATED", command);
    apr_table_add(r->subprocess_env, "REDIRECT_STATUS", "302");

Google gives me a hint: http://blog.modsecurity.org/2003/07/fun-with-php-cl.html

Why does mod_security set this ENV and how can I fix it? Can I patch it out of the source? I am only using mod_security as an apache module, no CLI php is used.

greetings - thomas
From: Breno S. P. (JIRA) <no...@mo...> - 2012-10-05 19:56:10

[ https://www.modsecurity.org/tracker/browse/MODSEC-331?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto closed MODSEC-331.
------------------------------------

> Documentation update
> --------------------
>
> Key: MODSEC-331
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-331
> Project: ModSecurity
> Issue Type: Task
> Security Level: Normal
> Components: Documentation
> Affects Versions: 2.6.7
> Environment: Reference_Manual wiki
> Reporter: Klaubert Herr
> Assignee: Breno Silva Pinto
> Labels: Documentation
> Original Estimate: 3 minutes
> Remaining Estimate: 3 minutes
>
>
> Update the "Chain" section where:
>
> "Also note that disruptive actions, execution phases, metadata actions (id, rev, msg), skip, and skipAfter actions can be specified only by the chain starter rule."
>
> Like this:
>
> "Also note that disruptive actions, execution phases, metadata actions (id, rev, msg, tag, severity, logdata), skip, and skipAfter actions can be specified only by the chain starter rule."
From: Breno S. P. (JIRA) <no...@mo...> - 2012-10-05 19:56:10

[ https://www.modsecurity.org/tracker/browse/MODSEC-336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-336.
--------------------------------------

    Resolution: Fixed

> Errors on compiling with NGINX
> ------------------------------
>
> Key: MODSEC-336
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-336
> Project: ModSecurity
> Issue Type: Bug
> Security Level: Normal
> Components: Build System
> Affects Versions: 2.7.0
> Environment: EL6 x86_64, GCC 4.4.6
> Reporter: Mike Fisher
> Assignee: Breno Silva Pinto
> Priority: High
> Fix For: 2.7.0
>
> Attachments: make.log
>
>
> It seems impossible to compile mod_security with NGINX on a CentOS 6 x86_64 machine with GCC 4.4.6. I've tried various NGINX versions from 1.2.0 to 1.2.4, the mod_security SVN trunk and also the latest downloadable RC release, following the instructions on: http://www.modsecurity.org/projects/modsecurity/nginx/index.html
>
> Log: http://pastebin.com/B3YA555R
>
> Someone from the mailing list has the same issue: http://sourceforge.net/mailarchive/forum.php?thread_name=CAD4%3DBrkSMV4bJSAceDCb6nkWPCV4S06-oLf3yufW4yYxi2E-cA%40mail.gmail.com&forum_name=mod-security-users
From: Alan S. <ala...@ac...> - 2012-10-03 21:48:11

Hi,

You had a detailed log for the compile fail??? Send it to us, please!!!

Regards,
Alan

On Tuesday, October 2, 2012 at 10:15 PM, Alexandro Silva wrote:
> Hey guys,
>
> I'm testing the Modsecurity for Nginx but I've a problem during the nginx compiling process.
>
> ../modsecurity/nginx/modsecurity/ngx_http_modsecurity.c
> cc1: warnings being treated as errors
> ../modsecurity/nginx/modsecurity/ngx_http_modsecurity.c: In function ‘modsecurity_read_body_cb’:
> ../modsecurity/nginx/modsecurity/ngx_http_modsecurity.c:782: error: comparison between signed and unsigned integer expressions
> make[1]: *** [objs/addon/modsecurity/ngx_http_modsecurity.o] Error 1
> make[1]: Leaving directory `/root/nginx-1.2.4'
> make: *** [build] Error 2
>
> Can someone help me please?
>
> System infos:
>
> Debian Squeeze
> Nginx 1.2.4
> Latest modsecurity build
>
> Thanks in advance
>
> Alexos
>
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly
> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
>
> _______________________________________________
> mod-security-developers mailing list
> mod...@li... (mailto:mod...@li...)
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
From: Ulisses M. <uli...@gm...> - 2012-10-03 15:23:40

Breno,

Working on it. It turns out there are only 2 streaming JSON parsers for C available, and neither provides samples of working code for actual streaming usage -- they use files, which can be rewound/replayed as needed. I am working on a hackish implementation first, which buffers the entire JSON data and parses it entirely. I also need to understand better how this data would be exposed to mod_security's rules.

I will keep everyone up to date on any relevant progress, and I will certainly need help testing it.

Thanks!

On Wed, Oct 3, 2012 at 11:25 AM, Breno Silva <bre...@gm...> wrote:
> Hello Ulisses,
>
> Did you have any news about this?
> Let me know your ETA to have it done, maybe we can include it into 2.7 code.
>
> Thanks
>
> Breno
>
> On Sun, Sep 23, 2012 at 2:36 PM, Breno Silva <bre...@gm...> wrote:
>> Ulisses,
>>
>> I think something like:
>>
>> SecRule JSON "@rx test" "..." <- This will loop and execute the operation against all JSON variable values
>> SecRule JSON:name "@rx test" "..."
>> SecRule JSON:user/phone "@rx 123456" "..."
>>
>> SecRule JSON_RAW "@rx test" "..." -> a unique string with all json data.
>> SecRule JSON_NAMES "@rx [a-b]" "..." -> collection with variable names
>>
>> Let's see what Ryan thinks about it from a rule creation point of view.
>>
>> Thanks
>>
>> Breno
>>
>> On Sun, Sep 23, 2012 at 1:54 PM, Ulisses Montenegro <uli...@gm...> wrote:
>>> Breno,
>>>
>>> Perhaps it would be easier to look at this the other way around -- what would be the most flexible way to write rules for matching JSON data? From a parsing perspective, most libraries offer a JSON-string-to-hashtable approach, which would work for either scenario.
>>>
>>> Ryan, do you have any real world use cases for rules matching JSON parameters?
>>>
>>> Thanks!
>>>
>>> On Sun, Sep 23, 2012 at 3:38 PM, Breno Silva <bre...@gm...> wrote:
>>> > Ulisses,
>>> >
>>> > I never had a chance to think more about this issue.
>>> > Looking at this specific case I really don't think it would be a good idea to create a new logic for the ARGS* collections. Not sure what Ryan B. thinks about it, but from my point of view, if we need a new logic we must create specific collections.
>>> >
>>> > ie: JSON, JSON_NAMES ....
>>> >
>>> > Is "." (dot) allowed in variable names? I think yes.
>>> > If so, we should go to the json specification and find a better way to create this logic. Maybe using "/"?
>>> >
>>> > ie: user/name, user/manager/name
>>> >
>>> > What do you think?
>>> >
>>> > Breno
>>> >
>>> > On Sun, Sep 23, 2012 at 12:34 PM, Ulisses Montenegro <uli...@gm...> wrote:
>>> >> Breno & Ryan
>>> >>
>>> >> Thanks for the pointers. Ryan, I need to look further into how ARGS could be used to handle nested data structures. Although deeper structures are more common in responses, I've seen some in requests too. If we go deeper than 2 levels, then how would we break that data into ARGS?
>>> >>
>>> >> { 'user': {
>>> >>     'name': 'John Doe',
>>> >>     'email': 'jo...@do...',
>>> >>     'manager': {
>>> >>         'name': 'Manager John',
>>> >>         'email': 'ma...@do...',
>>> >>         'company': {
>>> >>             'name': 'ModSecurity Corp.',
>>> >>             (...)
>>> >>         },
>>> >>     }
>>> >> }
>>> >>
>>> >> I was thinking that maybe using the fully qualified name for the variable might be easier, and would not introduce any artificial limitations on the depth of the data structure in the JSON data:
>>> >>
>>> >> ARGS:user.name = 'John Doe'
>>> >> ARGS:user.email = 'jo...@do...'
>>> >> ARGS:user.manager.name = 'Manager John'
>>> >> ARGS:user.manager.company.name = 'ModSecurity Corp.'
>>> >> (...)
>>> >>
>>> >> Of course, JSON also supports arrays, but since mod_security already handles multiple instances of the same parameter, that would not be an issue for either option.
>>> >>
>>> >> Does that make sense, or am I misunderstanding how ARGS work?
>>> >>
>>> >> Thanks,
>>> >> Ulisses
>>> >>
>>> >> On Sun, Sep 23, 2012 at 1:46 PM, Ryan Barnett <RBa...@tr...> wrote:
>>> >> > Regarding #2 below - we have two options.
>>> >> >
>>> >> > 1) A JSON parser could work like the XML parser and access the request body content and simply populate a new collection called JSON. This is like the XML collection that is simply a long string of text. The downside of this approach is that there is no context as to what are parameter names/values. Another option would be to have the JSON parser simply populate this string of text into the current REQUEST_BODY variable. A rule writer can do this today if they wish using the following example pseudo-rule -
>>> >> >
>>> >> > SecRule REQUEST_HEADERS:Content-Type "@contains application/json" "phase:1,id:1,nolog,pass,ctl:forceRequestBodyVariable"
>>> >> >
>>> >> > 2) I think that the best way to do this is to attempt to parse the JSON data into name/value pairs and populate that into ARGS. If it is parsed in this way, then we don't need to change anything in the current rules.
>>> >> >
>>> >> > As just one example, I was reviewing the JSON data sent back to twitter in response to a Content Security Policy (CSP) violation. The content-type is application/json and uses the name/value pairs -
>>> >> >
>>> >> > POST /scribes/csp_report HTTP/1.1
>>> >> > Host: twitter.com
>>> >> > User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:15.0) Gecko/20100101 Firefox/15.0
>>> >> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>> >> > Accept-Language: en-us,en;q=0.5
>>> >> > Accept-Encoding: gzip, deflate
>>> >> > DNT: 1
>>> >> > Connection: keep-alive
>>> >> > Content-Length: 338
>>> >> > Content-Type: application/json
>>> >> >
>>> >> > {"csp-report":{"document-uri":"https://mobile.twitter.com/i/templates/m5?rev=1347385509950","referrer":"https://mobile.twitter.com/","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"https://mobile.twitter.com/i/templates/m5?rev=1347385509950","script-sample":"onclick attribute on DIV element"}}
>>> >> >
>>> >> > Based on this you would split the name/value pairs by the "…":"…" format and have parsed ARGS variable data for use in our rules like -
>>> >> >
>>> >> > ######################
>>> >> > ARGS:csp-report = "document-uri":"https://mobile.twitter.com/i/templates/m5?rev=1347385509950","referrer":"https://mobile.twitter.com/","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"https://mobile.twitter.com/i/templates/m5?rev=1347385509950","script-sample":"onclick attribute on DIV element"
>>> >> >
>>> >> > ARGS:document-uri = https://mobile.twitter.com/i/templates/m5?rev=1347385509950
>>> >> >
>>> >> > ARGS:referrer = https://mobile.twitter.com/
>>> >> >
>>> >> > ARGS:blocked-uri = self
>>> >> >
>>> >> > ARGS:violated-directive = inline script base restriction
>>> >> >
>>> >> > ARGS:source-file = https://mobile.twitter.com/i/templates/m5?rev=1347385509950
>>> >> >
>>> >> > ARGS:script-sample = onclick attribute on DIV element
>>> >> > #######################
>>> >> >
>>> >> > Hope this helps.
>>> >> >
>>> >> > --
>>> >> > Ryan Barnett
>>> >> > Trustwave SpiderLabs
>>> >> > ModSecurity Project Leader
>>> >> > OWASP ModSecurity CRS Project Leader
>>> >> >
>>> >> > On 9/23/12 9:31 AM, "Ulisses Montenegro" <uli...@gm...> wrote:
>>> >> >
>>> >> >>Team
>>> >> >>
>>> >> >>As my first attempt in contributing to mod_security I've decided to tackle MODSEC-253, a JSON body processor. I've gone through the XML and multipart body processors and found them apparently straightforward. I would like some pointers on issues which I need to address before deciding on my solution, though.
>>> >> >>
>>> >> >>1. The XML body processor uses libxml for the actual XML parsing; I assume adding a JSON parser library would be acceptable as well. If so, what licenses would be acceptable?
>>> >> >>2. The XML processor offers an XPath interface for rules to match XML contents, which is a standard, but AFAIK there is nothing equivalent for JSON (aside from evaluating Javascript object references). What interface would work best for the rules to gain access to the JSON contents?
>>> >> >>3. Are there any guidelines/rules regarding memory usage and performance, i.e., how can I tell if my code or the library I'm using is performing acceptably? I know I can always benchmark/profile other body processors and compare the results directly, but I'm looking more towards hard numbers, if they're available.
>>> >> >>4. Finally, do these kinds of questions go into JIRA? I decided to try the mailing list first as I did not want to add possibly irrelevant information to the JIRA issue, but I think at least items [1] and [2] should be registered there -- is that how it usually works?
>>> >> >>
>>> >> >>Thanks a lot for the great work on mod_security
>>> >> >>Ulisses
>>> >> >>
>>> >> >>--
>>> >> >>"If debugging is the process of removing software bugs, then programming must be the process of putting them in." - Edsger Dijkstra

--
“If debugging is the process of removing software bugs, then programming must be the process of putting them in.” - Edsger Dijkstra
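Ulisses's fully qualified ARGS names and Breno's JSON:user/phone selector, worked through as an added example (this is not code from the thread or from ModSecurity's body processors). The sample body, the "phones" array and the /regex/ selector are constructed for illustration; the flattener also shows how arrays become repeated parameter names and why a "." inside a key would be ambiguous.

```python
import json
import re

# Constructed sample body mirroring the nested structure discussed in the
# thread (names and addresses are made up, not real data).
SAMPLE_JSON = """
{"user": {"name": "John Doe",
          "email": "john.doe@example.invalid",
          "phones": ["123456", "555-0100"],
          "manager": {"name": "Manager John",
                      "company": {"name": "ModSecurity Corp."}}}}
"""


def flatten(obj, sep=".", prefix=""):
    """Yield (fully qualified name, value) pairs, depth first.

    Arrays yield the same name once per element, which is how ModSecurity
    already treats repeated request parameters; there is no depth limit.
    A key that itself contains `sep` would collide with a nested path
    (Breno's objection to "."), so a real processor must escape or reject it.
    """
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten(val, sep, key if not prefix else prefix + sep + key)
    elif isinstance(obj, list):
        for item in obj:
            yield from flatten(item, sep, prefix)
    else:
        # Scalars become the variable value; non-strings keep their JSON
        # spelling (true/false/null/numbers) so rules see what was on the wire.
        yield prefix, obj if isinstance(obj, str) else json.dumps(obj)


def json_to_args(body, sep="."):
    """Parse a JSON request body into an ordered list of (name, value) pairs."""
    return list(flatten(json.loads(body), sep))


def select(args, target):
    """Return the values a ModSecurity-style target addresses.

    target is COLLECTION or COLLECTION:name. A name written /regex/ is
    matched as a regex (ModSecurity's own selector syntax); otherwise the
    name must match exactly. The collection prefix (ARGS or JSON) is only
    cosmetic here, since both proposals map onto the same flattened list.
    """
    _collection, _, name = target.partition(":")
    if not name:
        return [v for _, v in args]
    if len(name) > 2 and name[0] == "/" and name[-1] == "/":
        pat = re.compile(name[1:-1])
        return [v for n, v in args if pat.search(n)]
    return [v for n, v in args if n == name]


def rx_matches(args, target, pattern):
    """Emulate SecRule <target> "@rx <pattern>": return the values that match."""
    pat = re.compile(pattern)
    return [v for v in select(args, target) if pat.search(v)]


if __name__ == "__main__":
    # Ulisses's proposal: dotted names under ARGS.
    for name, value in json_to_args(SAMPLE_JSON):
        print(f"ARGS:{name} = {value}")
    # Breno's proposal: a separate JSON collection with "/" as the separator.
    args_slash = json_to_args(SAMPLE_JSON, sep="/")
    print(rx_matches(args_slash, "JSON:user/phones", "123456"))  # ['123456']
```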
From: Breno S. <bre...@gm...> - 2012-10-03 14:25:50

Hello Ulisses,

Did you have any news about this?
Let me know your ETA to have it done, maybe we can include it into 2.7 code.

Thanks

Breno

On Sun, Sep 23, 2012 at 2:36 PM, Breno Silva <bre...@gm...> wrote:
> Ulisses,
>
> I think something like:
>
> SecRule JSON "@rx test" "..." <- This will loop and execute the operation against all JSON variable values
> SecRule JSON:name "@rx test" "..."
> SecRule JSON:user/phone "@rx 123456" "..."
>
> SecRule JSON_RAW "@rx test" "..." -> a unique string with all json data.
> SecRule JSON_NAMES "@rx [a-b]" "..." -> collection with variable names
>
> Let's see what Ryan thinks about it from a rule creation point of view.
>
> Thanks
>
> Breno
>> >> > Make your web apps faster with AppDynamics >> >> > Download AppDynamics Lite for free today: >> >> > http://ad.doubleclick.net/clk;258768047;13503038;j? >> >> > http://info.appdynamics.com/FreeJavaPerformanceDownload.html >> >> > _______________________________________________ >> >> > mod-security-developers mailing list >> >> > mod...@li... >> >> > https://lists.sourceforge.net/lists/listinfo/mod-security-developers >> >> > ModSecurity Services from Trustwave's SpiderLabs: >> >> > https://www.trustwave.com/spiderLabs.php >> >> >> >> >> >> >> >> -- >> >> “If debugging is the process of removing software bugs, then >> >> programming must be the process of putting them in.” - Edsger Dijkstra >> >> >> >> >> >> >> ------------------------------------------------------------------------------ >> >> Everyone hates slow websites. So do we. >> >> Make your web apps faster with AppDynamics >> >> Download AppDynamics Lite for free today: >> >> http://ad.doubleclick.net/clk;258768047;13503038;j? >> >> http://info.appdynamics.com/FreeJavaPerformanceDownload.html >> >> _______________________________________________ >> >> mod-security-developers mailing list >> >> mod...@li... >> >> https://lists.sourceforge.net/lists/listinfo/mod-security-developers >> >> ModSecurity Services from Trustwave's SpiderLabs: >> >> https://www.trustwave.com/spiderLabs.php >> > >> > >> > >> > >> ------------------------------------------------------------------------------ >> > Everyone hates slow websites. So do we. >> > Make your web apps faster with AppDynamics >> > Download AppDynamics Lite for free today: >> > http://ad.doubleclick.net/clk;258768047;13503038;j? >> > http://info.appdynamics.com/FreeJavaPerformanceDownload.html >> > _______________________________________________ >> > mod-security-developers mailing list >> > mod...@li... 
>> > https://lists.sourceforge.net/lists/listinfo/mod-security-developers >> > ModSecurity Services from Trustwave's SpiderLabs: >> > https://www.trustwave.com/spiderLabs.php >> >> >> >> -- >> “If debugging is the process of removing software bugs, then >> programming must be the process of putting them in.” - Edsger Dijkstra >> >> >> ------------------------------------------------------------------------------ >> Everyone hates slow websites. So do we. >> Make your web apps faster with AppDynamics >> Download AppDynamics Lite for free today: >> http://ad.doubleclick.net/clk;258768047;13503038;j? >> http://info.appdynamics.com/FreeJavaPerformanceDownload.html >> _______________________________________________ >> mod-security-developers mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-developers >> ModSecurity Services from Trustwave's SpiderLabs: >> https://www.trustwave.com/spiderLabs.php >> > > |
From: Alexandro S. <ale...@gm...> - 2012-10-03 01:14:24
|
Hey guys,

I'm testing the ModSecurity for Nginx but I've a problem during the nginx compiling process.

../modsecurity/nginx/modsecurity/ngx_http_modsecurity.c
cc1: warnings being treated as errors
../modsecurity/nginx/modsecurity/ngx_http_modsecurity.c: In function 'modsecurity_read_body_cb':
../modsecurity/nginx/modsecurity/ngx_http_modsecurity.c:782: error: comparison between signed and unsigned integer expressions
make[1]: *** [objs/addon/modsecurity/ngx_http_modsecurity.o] Error 1
make[1]: Leaving directory `/root/nginx-1.2.4'
make: *** [build] Error 2

Can someone help me please?

System infos:
Debian Squeeze
Nginx 1.2.4
Latest modsecurity build

Thanks in advance
Alexos
|
From: Breno S. <bre...@gm...> - 2012-09-26 13:14:01
|
The ModSecurity Development Team is pleased to announce the availability of the ModSecurity 2.6.8 Release. The stability of this release is good and it includes some bug fixes.

Please see the release notes included in the CHANGES file <http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/branches/2.6.x/CHANGES>. For known problems and more information about bug fixes, please see the online ModSecurity Jira <https://www.modsecurity.org/tracker/>.

Please report any bug to mod...@li... <http://lists.sourceforge.net/lists/listinfo/mod-security-developers>.

Thanks
Breno Silva
|
From: Breno S. P. (JIRA) <no...@mo...> - 2012-09-25 14:19:50
|
[ https://www.modsecurity.org/tracker/browse/MODSEC-333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-333.
--------------------------------------
    Resolution: Fixed

> ruleRemoveTargetById targets order issue
> ----------------------------------------
>
>                 Key: MODSEC-333
>                 URL: https://www.modsecurity.org/tracker/browse/MODSEC-333
>             Project: ModSecurity
>          Issue Type: Bug
>      Security Level: Normal
>          Components: Actions
>    Affects Versions: 2.6.7
>            Reporter: Armadillo Dasypodidae
>            Assignee: Breno Silva Pinto
>             Fix For: 2.6.8
>
>
> Hi,
> I just discovered a bug while using the "ruleRemoveTargetById" action. When the action is used with multiple targets in a specific order: collections (like ARGS:test) followed by simple ones (like REQUEST_BODY, ARGS), the exception will not be applied to the simple targets.
> For example, if the action is used this way:
> ...ctl:ruleRemoveTargetById=xxxxxx;ARGS:test,REQUEST_BODY...
> the exception will work for "ARGS:test" but not for "REQUEST_BODY".
> The problem is in the "fetch_target_exception" function. The "value" variable is not set to NULL when the "strchr(variable,':') != NULL" check fails.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
|
From: Breno S. P. (JIRA) <no...@mo...> - 2012-09-25 14:17:45
|
[ https://www.modsecurity.org/tracker/browse/MODSEC-315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-315.
--------------------------------------
    Fix Version/s: 2.6.8
                       (was: 2.8.0)
       Resolution: Fixed

> HIGHEST_SEVERITY variable incorrectly gets reset when portions of a rule chain match
> ------------------------------------------------------------------------------------
>
>                 Key: MODSEC-315
>                 URL: https://www.modsecurity.org/tracker/browse/MODSEC-315
>             Project: ModSecurity
>          Issue Type: Bug
>      Security Level: Normal
>          Components: Targets
>            Reporter: Ryan Barnett
>            Assignee: Breno Silva Pinto
>             Fix For: 2.6.8
>
>
> HIGHEST_SEVERITY variable should only be reset when an entire rule chain matches. Currently, it will get reset if an individual rule chain matches and if it is indeed a higher severity level than the current variable setting.
|
From: Alan S. <ala...@ac...> - 2012-09-25 12:34:42
|
Hi,

We have just committed a brand new version of the NGINX module that has the basic functions for request treatment (header and body). Thus, we have a new beta version of the NGINX module. But we are in need of beta-testers. If problems are detected, please let us know so that we can provide a more stable module for our community.

Actually we don't have a package of the NGINX module; you need to get it from source via SVN or http at http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/ and compile it. If necessary, we can provide basic instructions for building and testing.

Thanks for the help,

Regards,
Alan
|
From: Breno S. P. (JIRA) <no...@mo...> - 2012-09-24 15:20:19
|
[ https://www.modsecurity.org/tracker/browse/MODSEC-323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-323.
--------------------------------------
    Resolution: Invalid Config

Breno,

As it turns out, the duplicate ID issue may not be a defect after all. In the httpd.conf file was the following:

LoadModule security2_module modules/mod_security2.so
<IfModule security2_module>
    Include /usr/local/apache2/conf/crs/activated_rules/modsecurity_crs_10_setup.conf
    Include /usr/local/apache2/conf/crs/activated_rules/*.conf
</IfModule>

I changed it to...

LoadModule security2_module modules/mod_security2.so
<IfModule security2_module>
    Include /usr/local/apache2/conf/crs/activated_rules/*.conf
</IfModule>

Now it works fine. I guess it loads the conf files in each time and considers that duplication. Sorry about that.

Best Regards,
Mark Detrick

> Found another rule with the same id
> -----------------------------------
>
>                 Key: MODSEC-323
>                 URL: https://www.modsecurity.org/tracker/browse/MODSEC-323
>             Project: ModSecurity
>          Issue Type: Bug
>      Security Level: Normal
>          Components: Rules
>    Affects Versions: 2.7.0
>         Environment: Arch Linux 2.6.35.4-rscloud #8 SMP Mon Sep 20 15:54:33 UTC 2010 x86_64 Quad-Core AMD Opteron(tm) Processor 2374 HE AuthenticAMD GNU/Linux. Apache2 2.4.2.
>            Reporter: Mark Detrick
>            Assignee: Breno Silva Pinto
>             Fix For: 2.7.0
>
>         Attachments: crs2.2.5_rules_modsec2.7.0-bug323.tar.gz
>
>
> After due diligence to ensure that there are no duplicate id numbers in any modsecure conf file, the error "Found another rule with the same id" continues to terminate apachectl.
> Screen output:
> [root@Dev1 activated_rules]# apachectl -t
> AH00526: Syntax error on line 29 of /usr/local/apache2/conf/crs/activated_rules/modsecurity_crs_10_setup.conf:
> Found another rule with the same id
> Line 29 is as follows:
> SecRule REQBODY_ERROR "!@eq 0" \
>     "id:123486,phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
> If I remove the id number then I get an error saying I need an action id number. No matter what number I enter into this SecRule the error is the same. If I enclose the number as such: "id:'444555', ..." it makes no difference with or without the single quotes. There is currently no way to use both modsecure and apache2 at the same time with this bug. Versions prior to 2.7.0 are also not usable for other reasons.
|
From: Breno S. <bre...@gm...> - 2012-09-23 19:36:50
|
Ulisses,

I think something like:

SecRule JSON "@rx test" "..."            <- This will loop and execute the operation against all JSON variable values
SecRule JSON:name "@rx test" "..."
SecRule JSON:user/phone "@rx 123456" "..."
SecRule JSON_RAW "@rx test" "..."        -> a unique string with all json data.
SecRule JSON_NAMES "@rx [a-b]" "..."     -> collection with variable names

Let's see what Ryan thinks about it from the rule creation point of view.

Thanks

Breno

On Sun, Sep 23, 2012 at 1:54 PM, Ulisses Montenegro <uli...@gm...> wrote:
> Breno,
>
> Perhaps it would be easier to look at this the other way around --
> what would be the most flexible way to write rules for matching JSON
> data? From a parsing perspective, most libraries offer a
> JSON-string-to-hashtable approach, which would work for either
> scenario.
>
> Ryan, do you have any real world use cases for rules matching JSON
> parameters?
>
> Thanks!
>
> On Sun, Sep 23, 2012 at 3:38 PM, Breno Silva <bre...@gm...> wrote:
> > Ulisses,
> >
> > I never had a chance to think more about this issue.
> > Looking at this specific case I really don't think it would be a good idea
> > to create a new logic for the ARGS* collections. Not sure what Ryan B. thinks
> > about it, but from my point of view, if we need a new logic we must create
> > specific collections.
> >
> > ie: JSON, JSON_NAMES ....
> >
> > Is "." (dot) allowed to create variable names? I think yes.
> > If so, we should go to the json specification and find a better way to create
> > this logic. Maybe using "/"?
> >
> > ie: user/name, user/manager/name
> >
> > What do you think?
> >
> > Breno
> >
> > On Sun, Sep 23, 2012 at 12:34 PM, Ulisses Montenegro <uli...@gm...> wrote:
> >>
> >> Breno & Ryan
> >>
> >> Thanks for the pointers. Ryan, I need to look further into how ARGS
> >> could be used to handle nested data structures. Although deeper
> >> structures are more common in responses, I've seen some in requests
> >> too. If we go deeper than 2 levels, then how would we break that data
> >> into ARGS?
> >>
> >> { 'user': {
> >>     'name': 'John Doe',
> >>     'email': 'jo...@do...',
> >>     'manager': {
> >>       'name': 'Manager John',
> >>       'email': 'ma...@do...',
> >>       'company': {
> >>         'name': 'ModSecurity Corp.',
> >>         (...)
> >>       },
> >>     }
> >>   }
> >> }
> >>
> >> I was thinking that maybe using the fully qualified name for the
> >> variable might be easier, and would not introduce any artificial
> >> limitations on the depth of the data structure in the JSON data:
> >>
> >> ARGS:user.name = 'John Doe'
> >> ARGS:user.email = 'jo...@do...'
> >> ARGS:user.manager.name = 'Manager John'
> >> ARGS:user.manager.company.name = 'ModSecurity Corp.'
> >> (...)
> >>
> >> Of course, JSON also supports arrays, but since mod_security already
> >> handles multiple instances of the same parameter, that would not be an
> >> issue for either option.
> >>
> >> Does that make sense, or am I misunderstanding how ARGS work?
> >>
> >> Thanks,
> >> Ulisses
> >>
> >> On Sun, Sep 23, 2012 at 1:46 PM, Ryan Barnett <RBa...@tr...> wrote:
> >> > Regarding #2 below - we have two options.
> >> >
> >> > 1) A JSON parser could work like the XML parser and access the request body
> >> > content and simply populate a new collection called JSON. This is like
> >> > the XML collection that is simply a long string of text. The downside of
> >> > this approach is that there is no context as to what are parameter
> >> > names/values. Another option would be to have the JSON parser simply
> >> > populate this string of text into the current REQUEST_BODY variable. A
> >> > rule writer can do this today if they wish using the following example
> >> > pseudo-rule -
> >> >
> >> > SecRule REQUEST_HEADERS:Content-Type "@contains application/json"
> >> > "phase:1,id:1,nolog,pass,ctl:forceRequestBodyVariable"
> >> >
> >> > 2) I think that the best way to do this is to attempt to parse the JSON
> >> > data into name/value pairs and populate that into ARGS. If it is parsed
> >> > in this way, then we don't need to change anything in the current rules.
> >> >
> >> > As just one example, I was reviewing the JSON data sent back to twitter in
> >> > response to a Content Security Policy (CSP) violation. The content-type
> >> > is application/json and uses the name/value pairs -
> >> >
> >> > POST /scribes/csp_report HTTP/1.1
> >> > Host: twitter.com
> >> > User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:15.0) Gecko/20100101 Firefox/15.0
> >> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> >> > Accept-Language: en-us,en;q=0.5
> >> > Accept-Encoding: gzip, deflate
> >> > DNT: 1
> >> > Connection: keep-alive
> >> > Content-Length: 338
> >> > Content-Type: application/json
> >> >
> >> > {"csp-report":{"document-uri":"https://mobile.twitter.com/i/templates/m5?rev=1347385509950","referrer":"https://mobile.twitter.com/","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"https://mobile.twitter.com/i/templates/m5?rev=1347385509950","script-sample":"onclick attribute on DIV element"}}
> >> >
> >> > Based on this you would split the name/value pairs by the "…":"…" format
> >> > and have parsed ARGS variable data for use in our rules like -
> >> >
> >> > ######################
> >> > ARGS:csp-report = "document-uri":"https://mobile.twitter.com/i/templates/m5?rev=1347385509950","referrer":"https://mobile.twitter.com/","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"https://mobile.twitter.com/i/templates/m5?rev=1347385509950","script-sample":"onclick attribute on DIV element"
> >> >
> >> > ARGS:document-uri = https://mobile.twitter.com/i/templates/m5?rev=1347385509950
> >> >
> >> > ARGS:referrer = https://mobile.twitter.com/
> >> >
> >> > ARGS:blocked-uri = self
> >> >
> >> > ARGS:violated-directive = inline script base restriction
> >> >
> >> > ARGS:source-file = https://mobile.twitter.com/i/templates/m5?rev=1347385509950
> >> >
> >> > ARGS:script-sample = onclick attribute on DIV element
> >> > #######################
> >> >
> >> > Hope this helps.
> >> >
> >> > --
> >> > Ryan Barnett
> >> > Trustwave SpiderLabs
> >> > ModSecurity Project Leader
> >> > OWASP ModSecurity CRS Project Leader
> >> >
> >> > On 9/23/12 9:31 AM, "Ulisses Montenegro" <uli...@gm...> wrote:
> >> >
> >> >> Team
> >> >>
> >> >> As my first attempt in contributing to mod_security I've decided to
> >> >> tackle MODSEC-253, a JSON body processor. I've gone through the XML
> >> >> and multipart body processors and found them apparently
> >> >> straightforward. I would like some pointers on issues which I need to
> >> >> address before deciding on my solution, though.
> >> >>
> >> >> 1. The XML body processor uses libxml for the actual XML parsing; I
> >> >> assume adding a JSON parser library would be acceptable as well. If
> >> >> so, what licenses would be acceptable?
> >> >> 2. The XML processor offers an XPath interface for rules to match XML
> >> >> contents, which is a standard, but AFAIK there is nothing equivalent
> >> >> for JSON (aside from evaluating Javascript object references). What
> >> >> interface would work best for the rules to gain access to the JSON
> >> >> contents?
> >> >> 3. Are there any guidelines/rules regarding memory usage and
> >> >> performance, i.e., how can I tell if my code or the library I'm using is
> >> >> performing acceptably? I know I can always benchmark/profile other
> >> >> body processors and compare the results directly, but I'm looking more
> >> >> towards hard numbers, if they're available.
> >> >> 4. Finally, do these kinds of questions go into JIRA? I decided to try
> >> >> the mailing list first as I did not want to add possibly irrelevant
> >> >> information to the JIRA issue, but I think at least items [1] and [2]
> >> >> should be registered there -- is that how it usually works?
> >> >>
> >> >> Thanks a lot for the great work on mod_security
> >> >> Ulisses
> >> >>
> >> >> --
> >> >> “If debugging is the process of removing software bugs, then
> >> >> programming must be the process of putting them in.” - Edsger Dijkstra
|
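As an added example (not ModSecurity code, and not written by anyone in this thread), the Python below flattens a JSON body into the kind of name/value pairs discussed here: Ulisses' fully qualified ARGS names (user.manager.name) and Breno's slash-separated JSON collection (user/manager/name) with JSON_NAMES and JSON_RAW beside it, arrays becoming repeated instances of one name. The collection names follow Breno's sketch rather than any shipped ModSecurity variable; `flatten_json`, `build_collections` and `select` are constructed helpers, the CSP report is Ryan's example with the mail client's link expansions removed, and the nested user record, its e-mail address, the roles array and the depth limit are constructed for illustration.

```python
"""Flatten a JSON request body into ModSecurity-style variables.

`sep` selects the naming scheme debated in the thread: "." gives Ulisses'
fully qualified names (user.manager.name), "/" gives Breno's slash paths
(user/manager/name). Arrays repeat the parent name, the way a repeated
query-string parameter yields several instances of one ARGS variable.
"""
import json
import re

# Constructed sample input: the CSP report from Ryan's message with the
# mail client's link expansions removed (not the wire-captured bytes).
CSP_REPORT = (
    b'{"csp-report":{"document-uri":"https://mobile.twitter.com/i/templates/'
    b'm5?rev=1347385509950","referrer":"https://mobile.twitter.com/",'
    b'"blocked-uri":"self","violated-directive":"inline script base restriction",'
    b'"source-file":"https://mobile.twitter.com/i/templates/m5?rev=1347385509950",'
    b'"script-sample":"onclick attribute on DIV element"}}'
)

# Constructed sample input modelled on the nested record Ulisses posted;
# the e-mail address and the roles array are made up for this example.
NESTED_USER = {
    "user": {
        "name": "John Doe",
        "email": "jdoe@example.com",
        "manager": {"name": "Manager John", "company": {"name": "ModSecurity Corp."}},
        "roles": ["admin", "editor"],
    }
}


def flatten_json(obj, sep=".", prefix="", depth=0, max_depth=32):
    """Yield (name, value) pairs for every scalar leaf of a decoded JSON value.

    Objects extend the name with `sep`; arrays repeat the parent name.
    `max_depth` bounds the recursion so a pathologically nested body is
    rejected instead of exhausting the stack (the resource question raised
    as item 3 in the thread).
    """
    if depth > max_depth:
        raise ValueError(f"JSON nesting exceeds {max_depth} levels")
    if isinstance(obj, dict):
        for key, val in obj.items():
            name = f"{prefix}{sep}{key}" if prefix else key
            yield from flatten_json(val, sep, name, depth + 1, max_depth)
    elif isinstance(obj, list):
        for item in obj:
            yield from flatten_json(item, sep, prefix, depth + 1, max_depth)
    else:
        # ModSecurity variables are strings, so render scalars as text.
        if obj is None:
            text = ""
        elif isinstance(obj, bool):
            text = "true" if obj else "false"
        else:
            text = str(obj)
        yield prefix, text


def build_collections(body, sep="/", max_depth=32):
    """Populate the JSON, JSON_NAMES and JSON_RAW collections Breno sketched.

    JSON is kept as a list of (name, value) pairs so that repeated names
    (array elements) survive; JSON_RAW is the whole body as one string.
    """
    pairs = list(flatten_json(json.loads(body), sep, max_depth=max_depth))
    return {
        "JSON": pairs,
        "JSON_NAMES": [name for name, _ in pairs],
        "JSON_RAW": body.decode("utf-8"),
    }


def select(collections, target):
    """Resolve a SecRule-style target against the collections (constructed helper).

    "JSON" -> every value; "JSON:user/phone" -> values named user/phone;
    "JSON:/regex/" -> values whose name matches; "JSON_NAMES" -> the names;
    "JSON_RAW" -> the single raw string.
    """
    coll, _, selector = target.partition(":")
    if coll == "JSON_RAW":
        return [collections["JSON_RAW"]]
    if coll == "JSON_NAMES":
        return list(collections["JSON_NAMES"])
    pairs = collections["JSON"]
    if not selector:
        return [value for _, value in pairs]
    if len(selector) > 1 and selector[0] == selector[-1] == "/":
        pattern = re.compile(selector[1:-1])
        return [value for name, value in pairs if pattern.search(name)]
    return [value for name, value in pairs if name == selector]


if __name__ == "__main__":
    for name, value in flatten_json(NESTED_USER, sep="."):
        print(f"ARGS:{name} = {value!r}")
    csp = build_collections(CSP_REPORT, sep="/")
    print("JSON:csp-report/blocked-uri ->", select(csp, "JSON:csp-report/blocked-uri"))
```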
From: Ulisses M. <uli...@gm...> - 2012-09-23 18:54:47
|
Breno,

Perhaps it would be easier to look at this the other way around --
what would be the most flexible way to write rules for matching JSON
data? From a parsing perspective, most libraries offer a
JSON-string-to-hashtable approach, which would work for either
scenario.

Ryan, do you have any real world use cases for rules matching JSON
parameters?

Thanks!

On Sun, Sep 23, 2012 at 3:38 PM, Breno Silva <bre...@gm...> wrote:
> Ulisses,
>
> I never had a chance to think more about this issue.
> Looking at this specific case I really don't think it would be a good idea
> to create a new logic for the ARGS* collections. Not sure what Ryan B. thinks
> about it, but from my point of view, if we need a new logic we must create
> specific collections.
>
> ie: JSON, JSON_NAMES ....
>
> Is "." (dot) allowed to create variable names? I think yes.
> If so, we should go to the json specification and find a better way to create
> this logic. Maybe using "/"?
>
> ie: user/name, user/manager/name
>
> What do you think?
>
> Breno
>
> On Sun, Sep 23, 2012 at 12:34 PM, Ulisses Montenegro <uli...@gm...> wrote:
>>
>> Breno & Ryan
>>
>> Thanks for the pointers. Ryan, I need to look further into how ARGS
>> could be used to handle nested data structures. Although deeper
>> structures are more common in responses, I've seen some in requests
>> too. If we go deeper than 2 levels, then how would we break that data
>> into ARGS?
>>
>> { 'user': {
>>     'name': 'John Doe',
>>     'email': 'jo...@do...',
>>     'manager': {
>>       'name': 'Manager John',
>>       'email': 'ma...@do...',
>>       'company': {
>>         'name': 'ModSecurity Corp.',
>>         (...)
>>       },
>>     }
>>   }
>> }
>>
>> I was thinking that maybe using the fully qualified name for the
>> variable might be easier, and would not introduce any artificial
>> limitations on the depth of the data structure in the JSON data:
>>
>> ARGS:user.name = 'John Doe'
>> ARGS:user.email = 'jo...@do...'
>> ARGS:user.manager.name = 'Manager John'
>> ARGS:user.manager.company.name = 'ModSecurity Corp.'
>> (...)
>>
>> Of course, JSON also supports arrays, but since mod_security already
>> handles multiple instances of the same parameter, that would not be an
>> issue for either option.
>>
>> Does that make sense, or am I misunderstanding how ARGS work?
>>
>> Thanks,
>> Ulisses
>>
>> On Sun, Sep 23, 2012 at 1:46 PM, Ryan Barnett <RBa...@tr...> wrote:
>> > Regarding #2 below - we have two options.
>> >
>> > 1) A JSON parser could work like the XML parser and access the request body
>> > content and simply populate a new collection called JSON. This is like
>> > the XML collection that is simply a long string of text. The downside of
>> > this approach is that there is no context as to what are parameter
>> > names/values. Another option would be to have the JSON parser simply
>> > populate this string of text into the current REQUEST_BODY variable. A
>> > rule writer can do this today if they wish using the following example
>> > pseudo-rule -
>> >
>> > SecRule REQUEST_HEADERS:Content-Type "@contains application/json"
>> > "phase:1,id:1,nolog,pass,ctl:forceRequestBodyVariable"
>> >
>> > 2) I think that the best way to do this is to attempt to parse the JSON
>> > data into name/value pairs and populate that into ARGS. If it is parsed
>> > in this way, then we don't need to change anything in the current rules.
>> >
>> > As just one example, I was reviewing the JSON data sent back to twitter in
>> > response to a Content Security Policy (CSP) violation. The content-type
>> > is application/json and uses the name/value pairs -
>> >
>> > POST /scribes/csp_report HTTP/1.1
>> > Host: twitter.com
>> > User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:15.0) Gecko/20100101 Firefox/15.0
>> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> > Accept-Language: en-us,en;q=0.5
>> > Accept-Encoding: gzip, deflate
>> > DNT: 1
>> > Connection: keep-alive
>> > Content-Length: 338
>> > Content-Type: application/json
>> >
>> > {"csp-report":{"document-uri":"https://mobile.twitter.com/i/templates/m5?rev=1347385509950","referrer":"https://mobile.twitter.com/","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"https://mobile.twitter.com/i/templates/m5?rev=1347385509950","script-sample":"onclick attribute on DIV element"}}
>> >
>> > Based on this you would split the name/value pairs by the "…":"…" format
>> > and have parsed ARGS variable data for use in our rules like -
>> >
>> > ######################
>> > ARGS:csp-report = "document-uri":"https://mobile.twitter.com/i/templates/m5?rev=1347385509950","referrer":"https://mobile.twitter.com/","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"https://mobile.twitter.com/i/templates/m5?rev=1347385509950","script-sample":"onclick attribute on DIV element"
>> >
>> > ARGS:document-uri = https://mobile.twitter.com/i/templates/m5?rev=1347385509950
>> >
>> > ARGS:referrer = https://mobile.twitter.com/
>> >
>> > ARGS:blocked-uri = self
>> >
>> > ARGS:violated-directive = inline script base restriction
>> >
>> > ARGS:source-file = https://mobile.twitter.com/i/templates/m5?rev=1347385509950
>> >
>> > ARGS:script-sample = onclick attribute on DIV element
>> > #######################
>> >
>> > Hope this helps.
>> >
>> > --
>> > Ryan Barnett
>> > Trustwave SpiderLabs
>> > ModSecurity Project Leader
>> > OWASP ModSecurity CRS Project Leader
>> >
>> > On 9/23/12 9:31 AM, "Ulisses Montenegro" <uli...@gm...> wrote:
>> >
>> >> Team
>> >>
>> >> As my first attempt in contributing to mod_security I've decided to
>> >> tackle MODSEC-253, a JSON body processor. I've gone through the XML
>> >> and multipart body processors and found them apparently
>> >> straightforward. I would like some pointers on issues which I need to
>> >> address before deciding on my solution, though.
>> >>
>> >> 1. The XML body processor uses libxml for the actual XML parsing; I
>> >> assume adding a JSON parser library would be acceptable as well. If
>> >> so, what licenses would be acceptable?
>> >> 2. The XML processor offers an XPath interface for rules to match XML
>> >> contents, which is a standard, but AFAIK there is nothing equivalent
>> >> for JSON (aside from evaluating Javascript object references). What
>> >> interface would work best for the rules to gain access to the JSON
>> >> contents?
>> >> 3. Are there any guidelines/rules regarding memory usage and
>> >> performance, i.e., how can I tell if my code or the library I'm using is
>> >> performing acceptably? I know I can always benchmark/profile other
>> >> body processors and compare the results directly, but I'm looking more
>> >> towards hard numbers, if they're available.
>> >> 4. Finally, do these kinds of questions go into JIRA? I decided to try
>> >> the mailing list first as I did not want to add possibly irrelevant
>> >> information to the JIRA issue, but I think at least items [1] and [2]
>> >> should be registered there -- is that how it usually works?
>> >> >> >>Thanks a lot for the great work on mod_security >> >>Ulisses >> >> >> >>-- >> >>³If debugging is the process of removing software bugs, then >> >>programming must be the process of putting them in.² - Edsger Dijkstra >> >> >> >> >> >>-------------------------------------------------------------------------- >> >>---- >> >>Everyone hates slow websites. So do we. >> >>Make your web apps faster with AppDynamics >> >>Download AppDynamics Lite for free today: >> >>http://ad.doubleclick.net/clk;258768047;13503038;j? >> >>http://info.appdynamics.com/FreeJavaPerformanceDownload.html >> >>_______________________________________________ >> >>mod-security-developers mailing list >> >>mod...@li... >> >>https://lists.sourceforge.net/lists/listinfo/mod-security-developers >> >>ModSecurity Services from Trustwave's SpiderLabs: >> >>https://www.trustwave.com/spiderLabs.php >> > >> > >> > ________________________________ >> > >> > This transmission may contain information that is privileged, >> > confidential, and/or exempt from disclosure under applicable law. If you are >> > not the intended recipient, you are hereby notified that any disclosure, >> > copying, distribution, or use of the information contained herein (including >> > any reliance thereon) is STRICTLY PROHIBITED. If you received this >> > transmission in error, please immediately contact the sender and destroy the >> > material in its entirety, whether in electronic or hard copy format. >> > >> > >> > >> > ------------------------------------------------------------------------------ >> > Everyone hates slow websites. So do we. >> > Make your web apps faster with AppDynamics >> > Download AppDynamics Lite for free today: >> > http://ad.doubleclick.net/clk;258768047;13503038;j? >> > http://info.appdynamics.com/FreeJavaPerformanceDownload.html >> > _______________________________________________ >> > mod-security-developers mailing list >> > mod...@li... 
--
“If debugging is the process of removing software bugs, then programming must be the process of putting them in.” - Edsger Dijkstra
From: Breno S. <bre...@gm...> - 2012-09-23 18:39:04
Ulisses,

I never had a chance to think more about this issue. Looking at this specific case, I really don't think it would be a good idea to create new logic for the ARGS* collections. Not sure what Ryan B. thinks about it, but from my point of view, if we need new logic we must create specific collections, i.e. JSON, JSON_NAMES ....

Is "." (dot) allowed when creating variable names? I think yes. If so, we should go to the JSON specification and find a better way to create this logic. Maybe using "/"? i.e. user/name, user/manager/name

What do you think?

Breno
From: Ulisses M. <uli...@gm...> - 2012-09-23 17:34:13
Breno & Ryan

Thanks for the pointers. Ryan, I need to look further into how ARGS could be used to handle nested data structures. Although deeper structures are more common in responses, I've seen some in requests too. If we go deeper than 2 levels, then how would we break that data into ARGS?

{ 'user': {
    'name': 'John Doe',
    'email': 'jo...@do...',
    'manager': {
      'name': 'Manager John',
      'email': 'ma...@do...',
      'company': {
        'name': 'ModSecurity Corp.',
        (...)
      },
    }
}

I was thinking that maybe using the fully qualified name for the variable might be easier, and would not introduce any artificial limitations on the depth of the data structure in the JSON data:

ARGS:user.name = 'John Doe'
ARGS:user.email = 'jo...@do...'
ARGS:user.manager.name = 'Manager John'
ARGS:user.manager.company.name = 'ModSecurity Corp.'
(...)

Of course, JSON also supports arrays, but since mod_security already handles multiple instances of the same parameter, that would not be an issue for either option.

Does that make sense, or am I misunderstanding how ARGS work?

Thanks,
Ulisses

--
“If debugging is the process of removing software bugs, then programming must be the process of putting them in.” - Edsger Dijkstra
From: Ryan B. <RBa...@tr...> - 2012-09-23 16:46:30
Regarding #2 below - we have two options.

1) A JSON parse could work like the XML parse and access the request body content and simply populate a new collection called JSON. This is like the XML collection that is simply a long string of text. The downside of this approach is that there is no context as to what are parameter names/values. Another option would be to have the JSON parser simply populate this string of text into the current REQUEST_BODY variable. A rule writer can do this today if they wish using the following example pseudo-rule -

SecRule REQUEST_HEADERS:Content-Type "@contains application/json" "phase:1,id:1,nolog,pass,ctl:forceRequestBodyVariable"

2) I think that the best way to do this is to attempt to parse the JSON data into name/value pairs and populate that into ARGS. If it is parsed in this way, then we don't need to change anything in the current rules.

As just one example, I was reviewing the JSON data sent back to twitter in response to a Content Security Policy (CSP) violation. The content-type is application/json and uses the name/value pairs -

POST /scribes/csp_report HTTP/1.1
Host: twitter.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Length: 338
Content-Type: application/json

{"csp-report":{"document-uri":"https://mobile.twitter.com/i/templates/m5?rev=1347385509950","referrer":"https://mobile.twitter.com/","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"https://mobile.twitter.com/i/templates/m5?rev=1347385509950","script-sample":"onclick attribute on DIV element"}}

Based on this you would split the name/value pairs by the "…":"…" format and have parsed ARGS variable data for use in our rules like -

######################
ARGS:csp-report = "document-uri":"https://mobile.twitter.com/i/templates/m5?rev=1347385509950","referrer":"https://mobile.twitter.com/","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"https://mobile.twitter.com/i/templates/m5?rev=1347385509950","script-sample":"onclick attribute on DIV element"

ARGS:document-uri = https://mobile.twitter.com/i/templates/m5?rev=1347385509950

ARGS:referrer = https://mobile.twitter.com/

ARGS:blocked-uri = self

ARGS:violated-directive = inline script base restriction

ARGS:source-file = https://mobile.twitter.com/i/templates/m5?rev=1347385509950

ARGS:script-sample = onclick attribute on DIV element
#######################

Hope this helps.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

On 9/23/12 9:31 AM, "Ulisses Montenegro" <uli...@gm...> wrote:

>Team
>
>As my first attempt in contributing to mod_security I've decided to tackle MODSEC-253, a JSON body processor. I've gone through the XML and multipart body processors and found them apparently straightforward. I would like some pointers on issues which I need to address before deciding on my solution, though.
>
>1. The XML body processor uses libxml for the actual XML parsing, I assume adding a JSON parser library would be acceptable as well. If so, what licenses would be acceptable?
>2. The XML processor offers an XPath interface for rules to match XML contents, which is a standard, but AFAIK there is nothing equivalent for JSON (aside from evaluating Javascript object references). What interface would work best for the rules to gain access to the JSON contents?
>3. Are there any guidelines/rules regarding memory usage and performance, i.e., how can I tell if my code or the library I'm using is performing acceptably? I know I can always benchmark/profile other body processors and compare the results directly, but I'm looking more towards hard numbers, if they're available.
>4. Finally, do these kinds of questions go into JIRA? I decided to try the mailing list first as I did not want to add possibly irrelevant information to the JIRA issue, but I think at least items [1] and [2] should be registered there -- is that how it usually works?
>
>Thanks a lot for the great work on mod_security
>Ulisses
>
>--
>“If debugging is the process of removing software bugs, then programming must be the process of putting them in.” - Edsger Dijkstra
>
>------------------------------------------------------------------------------
>Everyone hates slow websites. So do we.
>Make your web apps faster with AppDynamics
>Download AppDynamics Lite for free today:
>http://ad.doubleclick.net/clk;258768047;13503038;j?
>http://info.appdynamics.com/FreeJavaPerformanceDownload.html
>_______________________________________________
>mod-security-developers mailing list
>mod...@li...
>https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>ModSecurity Services from Trustwave's SpiderLabs:
>https://www.trustwave.com/spiderLabs.php

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
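The three schemes discussed in this thread can be tried side by side with the Python sketch below: Ryan's option 2 of parsing JSON name/value pairs into ARGS so existing rules keep working, Ulisses's fully qualified dotted names for nested objects with array elements becoming repeated instances of one parameter, and Breno's "/" separator. This is an added example, not code from the thread or from the ModSecurity project. `process_json_body`, `ProcessResult`, `args_values` and the `reqbody_error` field are names of my own (the field mimics what the engine exposes as REQBODY_ERROR_MSG when a body processor fails); the `max_depth` cap is my addition, prompted by the memory and performance question in Ulisses's item 3; and both sample bodies are constructed: the CSP report is re-typed from Ryan's message as valid JSON, and the user object is Ulisses's sketch with a "roles" array added.

```python
import json
from dataclasses import dataclass, field
from typing import Any, List, Optional, Tuple

# Constructed sample: the CSP violation report from Ryan's message, re-typed
# as valid JSON (the archived copy is line-wrapped by the mail client).
CSP_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://mobile.twitter.com/i/templates/m5?rev=1347385509950",
        "referrer": "https://mobile.twitter.com/",
        "blocked-uri": "self",
        "violated-directive": "inline script base restriction",
        "source-file": "https://mobile.twitter.com/i/templates/m5?rev=1347385509950",
        "script-sample": "onclick attribute on DIV element",
    }
})

# Constructed sample: Ulisses's nested user object, with a "roles" array added
# to show how array elements become repeated instances of one parameter name.
NESTED_USER = """
{"user": {"name": "John Doe", "email": "john@example.invalid",
          "manager": {"name": "Manager John", "email": "manager@example.invalid",
                      "company": {"name": "ModSecurity Corp."}},
          "roles": ["admin", "dev"]}}
"""

Pair = Tuple[str, str]


@dataclass
class ProcessResult:
    """What a body processor hands back: the ARGS pairs it produced, plus a
    REQBODY_ERROR_MSG-style message when it could not parse the body
    (hypothetical structure, modelled on the engine's variables)."""
    args: List[Pair] = field(default_factory=list)
    reqbody_error: Optional[str] = None


def _scalar(value: Any) -> str:
    # ModSecurity variables are strings; keep JSON's own literal spelling.
    if value is None:
        return ""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def _walk(node: Any, name: Optional[str], sep: str,
          depth: int, max_depth: int, out: List[Pair]) -> None:
    if depth > max_depth:
        raise ValueError(f"JSON nesting exceeds {max_depth} levels")
    if isinstance(node, dict):
        for key, child in node.items():
            qualified = key if name is None else f"{name}{sep}{key}"
            _walk(child, qualified, sep, depth + 1, max_depth, out)
    elif isinstance(node, list):
        # Arrays reuse the parent's name, so ARGS:user.roles gets one instance
        # per element, the way a repeated form field already does.
        for child in node:
            _walk(child, name, sep, depth + 1, max_depth, out)
    else:
        out.append((name if name is not None else "", _scalar(node)))


def process_json_body(body: str, sep: str = ".", max_depth: int = 16) -> ProcessResult:
    """Parse a JSON request body into fully qualified ARGS name/value pairs.

    sep is the path separator ("." as Ulisses proposed, "/" as Breno suggested).
    max_depth bounds the recursion so a deliberately deep document cannot
    exhaust the stack; like a malformed body it is reported as an error.
    """
    result = ProcessResult()
    try:
        _walk(json.loads(body), None, sep, 0, max_depth, result.args)
    except (ValueError, RecursionError) as exc:  # JSONDecodeError is a ValueError
        result.args = []
        result.reqbody_error = f"JSON parsing error: {exc}"
    return result


def args_values(pairs: List[Pair], name: str) -> List[str]:
    """Every instance of one parameter, the way ARGS:name selects them."""
    return [value for key, value in pairs if key == name]


if __name__ == "__main__":
    for body in (CSP_REPORT, NESTED_USER):
        for key, value in process_json_body(body).args:
            print(f"ARGS:{key} = {value!r}")
        print()
```

Running the file prints the ARGS lines for both bodies; passing `sep="/"` switches to the slash-separated spelling. A JSON key that itself contains the chosen separator is ambiguous under either scheme, which is the point behind Breno's question about "." in variable names, and a body that fails to parse or nests deeper than the cap yields no ARGS at all together with an error message, so a rule checking that field can refuse the request rather than inspect a half-populated collection.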