Thread: [Mod-security-developers] ModSecurity 2.6.7: PCRE version check
From: Peter H. <hei...@we...> - 2012-08-02 07:20:20
The PCRE version check produces spurious warnings (x.0 does not match x.00).

% diff modsecurity-apache_2.6.6/apache2/mod_security2.c modsecurity-apache_2.6.7/apache2/mod_security2.c
87c87
< pcre_vrs = apr_psprintf(mp,"%d.%d", PCRE_MAJOR, PCRE_MINOR);
---
> pcre_vrs = apr_psprintf(mp,"%d.%02d", PCRE_MAJOR, PCRE_MINOR);

The comparison in line 93
if (strstr(pcre_version(),pcre_vrs) == NULL) {
fails for single-digit minor versions.

I think the change in line 87 should be reverted.

--
Peter Heimann
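Review bot: the "%d.%02d" change at line 87 breaks the strstr() comparison at line 93 for every PCRE release whose minor number is printed without a leading zero, because the compiled-in string no longer occurs anywhere in the pcre_version() output: for a PCRE 5.0 build the check now searches for "5.00" inside "5.0 13-Sep-2004" and warns although the two versions are identical. Reverting to "%d.%d" restores the match but keeps the weakness that motivated the change, since a bare substring search finds "8.2" inside "8.20", so the fix should either terminate the compiled-in string with a delimiter that cannot be part of a minor number (a trailing space, as proposed later in the thread) or parse the major and minor numbers out of pcre_version() and compare them numerically instead of as text.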
From: Breno S. <bre...@gm...> - 2012-08-02 13:24:50
Can you send me your warning message ?

We applied it to avoid version mismatch like 8.2 == 8.02

Thanks

Breno

On Thu, Aug 2, 2012 at 2:20 AM, Peter Heimann <hei...@we...> wrote:
> The PCRE version check produces spurious warnings
> (x.0 does not match x.00).
>
> % diff modsecurity-apache_2.6.6/apache2/mod_security2.c
> modsecurity-apache_2.6.7/apache2/mod_security2.c
> 87c87
> < pcre_vrs = apr_psprintf(mp,"%d.%d", PCRE_MAJOR, PCRE_MINOR);
> ---
> > pcre_vrs = apr_psprintf(mp,"%d.%02d", PCRE_MAJOR, PCRE_MINOR);
>
> The comparison in line 93
> if (strstr(pcre_version(),pcre_vrs) == NULL) {
> fails for single-digit minor versions.
>
> I think the change in line 87 should be reverted.
>
> --
> Peter Heimann
>
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
From: Peter H. <hei...@we...> - 2012-08-02 21:08:56
Breno Silva wrote:
> Can you send me your warning message ?
>
> We applied it to avoid version mismatch like 8.2 == 8.02

Example warning (5.0 compiled in and loaded):

[notice] ModSecurity: PCRE compiled version="5.00"; loaded version="5.0 13-Sep-2004"
[warn] ModSecurity: Loaded PCRE do not match with compiled!

pcre_version() is implemented as
XSTRING(PCRE_MAJOR.PCRE_MINOR PCRE_DATE)

I propose to use in ModSecurity:

pcre_vrs = apr_psprintf(mp,"%d.%d ", PCRE_MAJOR, PCRE_MINOR);

(note the space, which prevents "8.2 " and "8.20" from being considered equal).

--
Peter Heimann
From: Breno S. <bre...@gm...> - 2012-08-02 23:04:29
I reverted it.

Are you sure your idea will prevent 8.2 and 8.02 from being considered equal?

Thanks

Breno

On Thu, Aug 2, 2012 at 4:08 PM, Peter Heimann <hei...@we...> wrote:
>
> Breno Silva wrote:
> > Can you send me your warning message ?
> >
> > We applied it to avoid version mismatch like 8.2 == 8.02
>
> Example warning (5.0 compiled in and loaded):
>
> [notice] ModSecurity: PCRE compiled version="5.00"; loaded version="5.0
> 13-Sep-2004"
> [warn] ModSecurity: Loaded PCRE do not match with compiled!
>
> pcre_version() is implemented as
> XSTRING(PCRE_MAJOR.PCRE_MINOR PCRE_DATE)
>
> I propose to use in ModSecurity:
>
> pcre_vrs = apr_psprintf(mp,"%d.%d ", PCRE_MAJOR, PCRE_MINOR);
>
> (note the space, which prevents "8.2 " and "8.20" from being considered
> equal).
>
> --
> Peter Heimann
>
From: Breno S. <bre...@gm...> - 2012-08-02 23:10:03
Let me check in the lib pcre history if 8.2 means (two) or twenty :)

On Thu, Aug 2, 2012 at 6:04 PM, Breno Silva <bre...@gm...> wrote:
> I reverted it.
>
> Are you sure your idea will prevent 8.2 and 8.02 from being considered equal?
>
> Thanks
>
> Breno
>
>
> On Thu, Aug 2, 2012 at 4:08 PM, Peter Heimann <hei...@we...> wrote:
>
>>
>> Breno Silva wrote:
>> > Can you send me your warning message ?
>> >
>> > We applied it to avoid version mismatch like 8.2 == 8.02
>>
>> Example warning (5.0 compiled in and loaded):
>>
>> [notice] ModSecurity: PCRE compiled version="5.00"; loaded version="5.0
>> 13-Sep-2004"
>> [warn] ModSecurity: Loaded PCRE do not match with compiled!
>>
>> pcre_version() is implemented as
>> XSTRING(PCRE_MAJOR.PCRE_MINOR PCRE_DATE)
>>
>> I propose to use in ModSecurity:
>>
>> pcre_vrs = apr_psprintf(mp,"%d.%d ", PCRE_MAJOR, PCRE_MINOR);
>>
>> (note the space, which prevents "8.2 " and "8.20" from being considered
>> equal).
>>
>> --
>> Peter Heimann
>>
>
>
From: Peter H. <hei...@we...> - 2012-08-02 23:53:24
On 08/03/2012 01:04 AM, Breno Silva wrote:
> I reverted it.
>
> Are you sure your idea will prevent 8.2 and 8.02 from being considered equal?
> Let me check in the lib pcre history if 8.2 means (two) or twenty :)

As far as I can see, there hasn't been a version 8.2.

For all versions up to PCRE 7.9, the minor version did not have leading zeroes, and the ModSecurity 2.6.6 comparison is correct. The original ModSecurity 2.6.7 code adds a leading zero in these cases, and breaks the comparison ("7.9" turned into "7.09", although the version _is_ identical).

For PCRE 8.00, 8.01, 8.02 my previous proposal does not fix the problem completely. Furthermore, we don't know whether PCRE will use versions 9.0, 9.1, 9.2, ... or 9.00, 9.01, 9.02, ... in the future.

As the PCRE code itself uses string concatenation to build the pcre_version() return string, I feel we need to do away with "%d" and use string operations as well:

pcre_vrs = apr_psprintf(mp,"%s.%s ", PCRE_MAJOR, PCRE_MINOR);

(This will still produce a warning for PCRE prerelease versions, though.)

--
Peter Heimann
From: Breno S. <bre...@gm...> - 2012-08-03 00:21:22
True. I will consider working with %s.

On Thu, Aug 2, 2012 at 6:53 PM, Peter Heimann <hei...@we...> wrote:
> On 08/03/2012 01:04 AM, Breno Silva wrote:
> > I reverted it.
> >
> > Are you sure your idea will prevent 8.2 and 8.02 from being considered equal?
> > Let me check in the lib pcre history if 8.2 means (two) or twenty :)
>
> As far as I can see, there hasn't been a version 8.2.
>
> For all versions up to PCRE 7.9, the minor version did not have leading
> zeroes, and the ModSecurity 2.6.6 comparison is correct. The original
> ModSecurity 2.6.7 code adds a leading zero in these cases, and breaks
> the comparison ("7.9" turned into "7.09", although the version _is_
> identical).
>
> For PCRE 8.00, 8.01, 8.02 my previous proposal does not fix the problem
> completely. Furthermore, we don't know whether PCRE will use versions
> 9.0, 9.1, 9.2, ... or 9.00, 9.01, 9.02, ... in the future.
>
> As the PCRE code itself uses string concatenation to build the
> pcre_version() return string, I feel we need to do away with "%d" and
> use string operations as well:
>
> pcre_vrs = apr_psprintf(mp,"%s.%s ", PCRE_MAJOR, PCRE_MINOR);
>
> (This will still produce a warning for PCRE prerelease versions, though.)
>
> --
> Peter Heimann
>
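The thread never shows the three candidate formats side by side against real pcre_version() strings, so here is an added example (not code from ModSecurity or PCRE) that does. It simulates pcre.h and pcre_version() under one assumption taken from the thread: PCRE_MAJOR and PCRE_MINOR are integer tokens (8 and 02 for PCRE 8.02, where 02 is an octal literal equal to 2) and pcre_version() stringifies "PCRE_MAJOR.PCRE_MINOR PCRE_DATE". All sample version strings and dates are constructed; the names SIM_PCRE_*, sim_pcre_version(), strstr_warns() and numeric_warns() are this example's own. Because the macros are integer tokens, the example stringifies them with the same XSTRING trick pcre_version() uses rather than passing them to "%s", and it goes one step beyond the thread with a numeric comparison that also tolerates a non-space suffix after the minor number (an assumption about how a prerelease tag would be rendered).

```c
/* Added example, not ModSecurity or PCRE code. Assumption: pcre.h defines
 * PCRE_MAJOR / PCRE_MINOR as integer tokens and pcre_version() stringifies
 * "PCRE_MAJOR.PCRE_MINOR PCRE_DATE", as described in the thread. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STRING(a)  #a
#define XSTRING(s) STRING(s)

/* Constructed stand-ins for pcre.h. 02 is an octal literal equal to 2, so
 * "%d" prints "2", "%02d" prints "02" and stringification yields "02". */
#define SIM_PCRE_MAJOR 8
#define SIM_PCRE_MINOR 02
#define SIM_PCRE_DATE  2010-03-19   /* constructed date */

/* Builds the string the way pcre_version() does: "8.02 2010-03-19". */
static const char *sim_pcre_version(void)
{
    return XSTRING(SIM_PCRE_MAJOR.SIM_PCRE_MINOR SIM_PCRE_DATE);
}

/* Compiled-in prefix built with the same stringification, plus a trailing
 * space so the substring match cannot stop in the middle of a minor number. */
static const char *sim_compiled_prefix(void)
{
    return XSTRING(SIM_PCRE_MAJOR.SIM_PCRE_MINOR) " ";
}

/* strstr() check from mod_security2.c line 93 using the stringified prefix. */
static int xstring_warns(const char *loaded)
{
    return strstr(loaded, sim_compiled_prefix()) == NULL;
}

enum fmt { FMT_266, FMT_267, FMT_SPACE };

/* Formats the compiled-in version the way each variant in the thread does,
 * from the integer macro values, then applies the line-93 strstr() check.
 * Returns 1 when the "Loaded PCRE do not match" warning would fire. */
static int strstr_warns(enum fmt f, int major, int minor, const char *loaded)
{
    char buf[32];
    switch (f) {
    case FMT_266:   snprintf(buf, sizeof buf, "%d.%d",   major, minor); break; /* 2.6.6 */
    case FMT_267:   snprintf(buf, sizeof buf, "%d.%02d", major, minor); break; /* 2.6.7 */
    case FMT_SPACE: snprintf(buf, sizeof buf, "%d.%d ",  major, minor); break; /* first proposal */
    default:        return -1;
    }
    return strstr(loaded, buf) == NULL;
}

/* Numeric check (beyond the thread): parse MAJOR.MINOR from the loaded string
 * and compare numbers, so leading zeros, the date suffix and a non-space
 * suffix after the minor number (assumed prerelease tag) no longer matter.
 * Returns 1 on mismatch or unparsable input. */
static int numeric_warns(const char *loaded, int major, int minor)
{
    char *end;
    long lmaj, lmin;

    lmaj = strtol(loaded, &end, 10);
    if (end == loaded || *end != '.')
        return 1;
    loaded = end + 1;
    lmin = strtol(loaded, &end, 10);
    if (end == loaded)
        return 1;
    if (*end != '\0' && *end != ' ' && *end != '-')
        return 1;                          /* unexpected trailing text */
    return lmaj != major || lmin != minor;
}

int main(void)
{
    /* Constructed sample pcre_version() strings; the first is the one quoted
     * in the thread, the dates of the others are illustrative. */
    static const char *const loaded[] = {
        "5.0 13-Sep-2004", "7.9 11-Apr-2009", "8.02 2010-03-19", "8.20 2011-10-21",
    };
    static const int majors[] = { 5, 7, 8, 8 }, minors[] = { 0, 9, 2, 20 };
    size_t i;

    printf("%-18s %6s %6s %6s %8s\n", "loaded", "2.6.6", "2.6.7", "space", "numeric");
    for (i = 0; i < sizeof loaded / sizeof loaded[0]; i++)
        printf("%-18s %6d %6d %6d %8d\n", loaded[i],
               strstr_warns(FMT_266,   majors[i], minors[i], loaded[i]),
               strstr_warns(FMT_267,   majors[i], minors[i], loaded[i]),
               strstr_warns(FMT_SPACE, majors[i], minors[i], loaded[i]),
               numeric_warns(loaded[i], majors[i], minors[i]));
    /* The false negative that motivated the 2.6.7 change: compiled 8.02
     * (macros 8 and 02) against a loaded 8.20, "%d.%d" finds "8.2" in "8.20". */
    printf("compiled 8.02 vs loaded 8.20: 2.6.6=%d numeric=%d\n",
           strstr_warns(FMT_266, 8, 2, loaded[3]), numeric_warns(loaded[3], 8, 2));
    return 0;
}
```

Running it shows each column's failure mode in one table: "2.6.6" ("%d.%d") is silent for 8.02 versus 8.20, "2.6.7" ("%d.%02d") warns on 5.0 and 7.9 although they match, the trailing-space variant still warns on 8.02 because it searches for "8.2 ", and only the stringified prefix or the numeric comparison is quiet exactly when the versions agree.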