diff --git a/apache2/re_operators.c b/apache2/re_operators.c index e54a540700..f444d3c506 100644 --- a/apache2/re_operators.c +++ b/apache2/re_operators.c @@ -2158,12 +2158,14 @@ static int msre_op_detectSQLi_execute(modsec_rec *msr, msre_rule *rule, msre_var */ static int msre_op_detectXSS_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { - + int capture; int is_xss; is_xss = libinjection_xss(var->value, var->value_len); + capture = apr_table_get(rule->actionset->actions, "capture") ? 1 : 0; if (is_xss) { + set_match_to_tx(msr, capture, var->value, 0); *error_msg = apr_psprintf(msr->mp, "detected XSS using libinjection."); if (msr->txcfg->debuglog_level >= 9) { diff --git a/iis/build_dependencies.bat b/iis/build_dependencies.bat index fc0d6095d6..fe6add3f53 100644 --- a/iis/build_dependencies.bat +++ b/iis/build_dependencies.bat @@ -1,4 +1,4 @@ -:: Those variable should be edited as needed. +:: Those variables should be edited as needed. :: Use full paths. :: General paths 
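Review bot: The new `set_match_to_tx(msr, capture, var->value, 0)` call passes the inspected buffer without `var->value_len`, although `libinjection_xss` two lines earlier is given the explicit length. If the helper copies up to the first NUL (its definition is not in this hunk, so this needs confirming), TX.0 would be truncated for input with an embedded NUL, and the call relies on `var->value` being terminated. I would pass a length-bounded copy, e.g. `apr_pstrmemdup(msr->mp, var->value, var->value_len)`, or add a comment stating the termination guarantee. The `capture` lookup is only needed on a match, so it can move inside `if (is_xss)`. The function body continues past the end of the hunk.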
@@ -6,24 +6,31 @@ @set OUTPUT_DIR=%cd%\dependencies\release_files @set SOURCE_DIR=%USERPROFILE%\Downloads +:: Dependencies +@set CMAKE=cmake-3.8.2-win32-x86.zip +@set PCRE=pcre-8.40.zip +@set ZLIB=zlib-1.2.11.tar.gz +@set LIBXML2=libxml2-2.9.4.tar.gz +@set LUA=lua-5.3.4.tar.gz +@set CURL=curl-7.54.1.zip +@set APACHE_SRC=httpd-2.4.26.tar.gz +@set APACHE_BIN32=httpd-2.4.26-win32-VC11.zip +@set APACHE_BIN64=httpd-2.4.26-win64-VC11.zip +@set YAJL=yajl-2.1.0.zip +@set SSDEEP=ssdeep-2.13.tar.gz +@set SSDEEP_BIN=ssdeep-2.13.zip + +@set CMAKE_DIR=%WORK_DIR%\%CMAKE:~0,-4%\bin + :: Aditional paths. -@set PATH=%PATH%;c:\work\cmake-2.8.7-win32-x86\bin;"c:\program files\7-zip" - -@set PCRE=pcre-8.33.zip -@set ZLIB=zlib-1.2.8.tar.gz -@set LIBXML2=libxml2-2.9.1.tar.gz -@set LUA=lua-5.1.5.tar.gz -@set CURL=curl-7.39.0.zip -@set APACHE_SRC=httpd-2.4.6.tar.gz -@set APACHE_BIN32=httpd-2.4.6-win32-VC11.zip -@set APACHE_BIN64=httpd-2.4.6-win64-VC11.zip -@set YAJL=lloyd-yajl-f4b2b1a.zip -@set SSDEEP=ssdeep-2.10.tar.gz -@set SSDEEP_BIN=ssdeep-2.10.zip +@set PATH=%PATH%;%CMAKE_DIR%;"c:\program files\7-zip" + :: @set VCARGS32="C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\bin\vcvars32.bat" :: @set VCARGS64="C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\bin\x86_amd64\vcvarsx86_amd64.bat" +:: Uncomment the line below if you want to attempt downloading all dependency files prior to build +:: @call download_files.bat :: Do not edit bellow this line. @set CURRENT_DIR=%cd% @@ -45,6 +52,12 @@ call cl 2>&1 | findstr /C:"x64" @if (%ERRORLEVEL%) == (0) set APACHE_BIN=%APACHE_BIN64% @echo Starting with the depdendencies... +@echo # CMake. - %CMAKE% +@call dependencies/build_cmake.bat +@if NOT (%ERRORLEVEL%) == (0) goto build_failed_cmake +@cd "%CURRENT_DIR%" + + @echo # Apache - %HTTPD%/%APACHE24_ZIP% @call dependencies/build_apache.bat @if NOT (%ERRORLEVEL%) == (0) goto build_failed_apache 
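Review bot: In the `@set PATH=%PATH%;%CMAKE_DIR%;...` line the unpacked CMake directory is appended, so any `cmake.exe` already on the machine's PATH is found first and the pinned `cmake-3.8.2` archive may never be the one that runs. Putting it first, `@set PATH=%CMAKE_DIR%;%PATH%;"c:\program files\7-zip"`, or invoking `"%CMAKE_DIR%\cmake.exe"` from the dependency scripts, makes the build use the version listed here. `%CMAKE:~0,-4%` also assumes a four-character extension; a short comment saying the archive must be a `.zip` would save a confusing failure if the variable is later pointed at a `.tar.gz` like several of the others.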
@@ -129,6 +142,10 @@ call cl 2>&1 | findstr /C:"x64" @echo Failed to setup %SSDEEP%... @goto failed +:build_failed_cmake +@echo Failed to setup %CMAKE%... +@goto failed + :failed @cd %CURRENT_DIR% @exit /B 1 diff --git a/iis/build_modsecurity.bat b/iis/build_modsecurity.bat index 680c05e8fb..76f6fd2508 100644 --- a/iis/build_modsecurity.bat +++ b/iis/build_modsecurity.bat @@ -15,7 +15,7 @@ set CURRENT_DIR=%cd% cd ..\apache2 del *.obj *.dll *.lib del libinjection\*.obj libinjection\*.dll libinjection\*.lib -NMAKE -f Makefile.win APACHE=..\iis\%DEPENDENCIES_DIR%\Apache24 PCRE=..\iis\%DEPENDENCIES_DIR%\pcre LIBXML2=..\iis\%DEPENDENCIES_DIR%\libxml2 LUA=..\iis\%DEPENDENCIES_DIR%\lua\src VERSION=VERSION_IIS YAJL=..\iis\%DEPENDENCIES_DIR%\yajl\build\yajl-2.0.1 SSDEEP=..\iis\%DEPENDENCIES_DIR%\ssdeep CURL=..\iis\%DEPENDENCIES_DIR%\curl IIS_BUILD=yes +NMAKE -f Makefile.win APACHE=..\iis\%DEPENDENCIES_DIR%\Apache24 PCRE=..\iis\%DEPENDENCIES_DIR%\pcre LIBXML2=..\iis\%DEPENDENCIES_DIR%\libxml2 LUA=..\iis\%DEPENDENCIES_DIR%\lua\src VERSION=VERSION_IIS YAJL=..\iis\%DEPENDENCIES_DIR%\yajl\build\%YAJL_DIR% SSDEEP=..\iis\%DEPENDENCIES_DIR%\ssdeep CURL=..\iis\%DEPENDENCIES_DIR%\curl IIS_BUILD=yes @if NOT (%ERRORLEVEL%) == (0) goto build_failed @echo mlogc... 
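Review bot: `%YAJL_DIR%` replaces the hard-coded `yajl-2.0.1` in both NMAKE lines of `build_modsecurity.bat` (this hunk and the one at -29,7) and in the four `copy` lines of `dependencies/build_yajl.bat`, but no line in this patch sets it. If it is defined only in an unchanged part of `build_yajl.bat`, running `build_modsecurity.bat` from a fresh prompt expands it to nothing and NMAKE receives `yajl\build\` as the YAJL path. A guard before the first NMAKE call, such as `@if "%YAJL_DIR%" == "" (echo YAJL_DIR is not set, run build_dependencies.bat first & goto build_failed)`, would fail early with a clear message.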
@@ -29,7 +29,7 @@ nmake -f Makefile.win APACHE=..\iis\%DEPENDENCIES_DIR%\Apache24 PCRE=..\iis\%DEP cd ..\iis del *.obj *.dll *.lib nmake -f Makefile.win clean -NMAKE -f Makefile.win APACHE=..\iis\%DEPENDENCIES_DIR%\Apache24 PCRE=..\iis\%DEPENDENCIES_DIR%\pcre LIBXML2=..\iis\%DEPENDENCIES_DIR%\libxml2 LUA=..\iis\%DEPENDENCIES_DIR%\lua\src VERSION=VERSION_IIS YAJL=..\iis\%DEPENDENCIES_DIR%\yajl\build\yajl-2.0.1 SSDEEP=..\iis\%DEPENDENCIES_DIR%\ssdeep CURL=..\iis\%DEPENDENCIES_DIR%\curl +NMAKE -f Makefile.win APACHE=..\iis\%DEPENDENCIES_DIR%\Apache24 PCRE=..\iis\%DEPENDENCIES_DIR%\pcre LIBXML2=..\iis\%DEPENDENCIES_DIR%\libxml2 LUA=..\iis\%DEPENDENCIES_DIR%\lua\src VERSION=VERSION_IIS YAJL=..\iis\%DEPENDENCIES_DIR%\yajl\build\%YAJL_DIR% SSDEEP=..\iis\%DEPENDENCIES_DIR%\ssdeep CURL=..\iis\%DEPENDENCIES_DIR%\curl @if NOT (%ERRORLEVEL%) == (0) goto build_failed cd %CURRENT_DIR% diff --git a/iis/dependencies/build_cmake.bat b/iis/dependencies/build_cmake.bat new file mode 100644 index 0000000000..f76847153a --- /dev/null +++ b/iis/dependencies/build_cmake.bat @@ -0,0 +1,20 @@ +@cd "%WORK_DIR%" + +@if NOT EXIST "%SOURCE_DIR%\%CMAKE%" goto file_not_found + + +@7z.exe x "%SOURCE_DIR%\%CMAKE%" +@if NOT (%ERRORLEVEL%) == (0) goto something_went_wrong + +@exit /B 0 + +:file_not_found +@echo File not found: %SOURCE_DIR%\%CMAKE% +@goto failed + +:something_went_wrong +@echo Something went wrong while unzip CMake files. +@goto failed + +:failed +@exit /B 1 \ No newline at end of file diff --git a/iis/dependencies/build_pcre.bat b/iis/dependencies/build_pcre.bat index 9d728a4042..9eb481260c 100644 --- a/iis/dependencies/build_pcre.bat +++ b/iis/dependencies/build_pcre.bat 
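Review bot: In the new `build_cmake.bat`, `@7z.exe x "%SOURCE_DIR%\%CMAKE%"` is interactive on a re-run: when the directory from a previous build is still in `%WORK_DIR%`, 7-Zip stops to ask before overwriting, which stalls an unattended build. Making the choice explicit, `@7z.exe x -y "%SOURCE_DIR%\%CMAKE%"`, keeps the step non-interactive. The failure text "Something went wrong while unzip CMake files." should read "while unzipping".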
@@ -1,32 +1,39 @@ -cd "%WORK_DIR%" - -@if NOT EXIST "%SOURCE_DIR%\%APACHE_BIN%" goto file_not_found_bin - -7z.exe x "%SOURCE_DIR%\%PCRE%" -set PCRE_DIR=%PCRE:~0,-4% - +::@if NOT (%ERRORLEVEL%) == (1) Echo "Patch successfull... For more info on patch see: https://vcs.pcre.org/pcre/code/trunk/CMakeLists.txt?r1=1659&r2=1677&view=patch" + +cd "%WORK_DIR%" + +@if NOT EXIST "%SOURCE_DIR%\%APACHE_BIN%" goto file_not_found_bin + +7z.exe x "%SOURCE_DIR%\%PCRE%" +set PCRE_DIR=%PCRE:~0,-4% + move "%PCRE_DIR%" "pcre" - + +@if "%PCRE_DIR%" == "pcre-8.40" ( + Echo. && Echo "PCRE 8.40 found... patching with patch-pcre-8.40.vbs..." + cscript /B /Nologo ../patch-pcre-8.40.vbs +) + cd "pcre" -CMAKE -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=True -@if NOT (%ERRORLEVEL%) == (0) goto build_failed -NMAKE -@if NOT (%ERRORLEVEL%) == (0) goto build_failed -cd "%WORK%" - +CMAKE -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=True +@if NOT (%ERRORLEVEL%) == (0) goto build_failed +NMAKE +@if NOT (%ERRORLEVEL%) == (0) goto build_failed +cd "%WORK%" + copy /y "%WORK_DIR%\pcre\pcre.dll" "%OUTPUT_DIR%" copy /y "%WORK_DIR%\pcre\pcre.pdb" "%OUTPUT_DIR%" copy /y "%WORK_DIR%\pcre\pcre.lib" "%OUTPUT_DIR%" -echo "a" -@exit /B 0 - -:file_not_found_bin -@echo File not found: "%SOURCE_DIR%\%PCRE%" -@goto failed - -:build_failed -@echo Problems during the building phase -@goto failed - -:failed -@exit /B 1 +echo "a" +@exit /B 0 + +:file_not_found_bin +@echo File not found: "%SOURCE_DIR%\%PCRE%" +@goto failed + +:build_failed +@echo Problems during the building phase +@goto failed + +:failed +@exit /B 1 diff --git a/iis/dependencies/build_yajl.bat b/iis/dependencies/build_yajl.bat index 33ebc234ac..42d65df01a 100644 --- a/iis/dependencies/build_yajl.bat +++ b/iis/dependencies/build_yajl.bat 
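Review bot: The `cscript /B /Nologo ../patch-pcre-8.40.vbs` step has no result check, and `/B` also hides script errors, so a failed patch only surfaces later as a CMake error, if at all. Add `@if NOT (%ERRORLEVEL%) == (0) goto build_failed` after the closing `)` rather than inside the block, because `%ERRORLEVEL%` inside parentheses is expanded when the block is parsed; the script itself would also have to exit non-zero on failure for the check to catch anything. The relative `../patch-pcre-8.40.vbs` depends on where `%WORK_DIR%` sits, whereas `"%~dp0patch-pcre-8.40.vbs"` resolves against this batch file's own directory. Separately, the first guard tests `%APACHE_BIN%` while the `file_not_found_bin` message reports `%PCRE%`, which looks like a copy-paste slip.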
@@ -20,10 +20,10 @@ nmake cd "%WORK%" -copy /y "%WORK_DIR%\yajl\build\yajl-2.0.1\lib\yajl.dll" "%OUTPUT_DIR%" -copy /y "%WORK_DIR%\yajl\build\yajl-2.0.1\lib\yajl.pdb" "%OUTPUT_DIR%" -copy /y "%WORK_DIR%\yajl\build\yajl-2.0.1\lib\yajl.lib" "%OUTPUT_DIR%" -copy /y "%WORK_DIR%\yajl\build\yajl-2.0.1\lib\yajl_s.lib" "%OUTPUT_DIR%" +copy /y "%WORK_DIR%\yajl\build\%YAJL_DIR%\lib\yajl.dll" "%OUTPUT_DIR%" +copy /y "%WORK_DIR%\yajl\build\%YAJL_DIR%\lib\yajl.pdb" "%OUTPUT_DIR%" +copy /y "%WORK_DIR%\yajl\build\%YAJL_DIR%\lib\yajl.lib" "%OUTPUT_DIR%" +copy /y "%WORK_DIR%\yajl\build\%YAJL_DIR%\lib\yajl_s.lib" "%OUTPUT_DIR%" @exit /B 0 diff --git a/iis/dependencies/howto.txt b/iis/dependencies/howto.txt index 1505a5f95d..84ead84ba6 100644 --- a/iis/dependencies/howto.txt +++ b/iis/dependencies/howto.txt 
@@ -1,44 +1,52 @@ -WARNING! - -Building ModSecurityIIS on Windows is a relatively complicated process. Understanding it requires advanced knowledge of Windows and Unix environments. -Using the same versions of libraries as listed below is strongly recommended. - --------------------------------------- -Tested on: - -Windows 7 x64 -Vistual Studio 2010 Ultimate SP1 -IIS enabled/installed - -cmake 2.8.7 -curl 7.24.0 -apache 2.2.22 or apache 2.4.3 -libxml2 2.7.7 -lua 5.1.5 -pcre 8.30 -zlib 1.2.7 -7-Zip --------------------------------------- - -1. Create working directory c:\work and drop directory c:\drop -2. Sync SVN ModSecurity branch to c:\work\mod_security -3. Copy files from c:\work\mod_security\iis\winbuild to c:\work -4. Download and install cmake (unpack to c:\work\cmake-2.8.7-win32-x86) -5. Download and install 7-Zip -6. Adjust paths in c:\work\init.bat accordingly if needed -7. Download curl, apache, libxml2, lua, pcre and zlib, place them in zip files in c:\work - -curl-7.24.0.zip -httpd-2.2.22-win32-src.zip or (httpd-2.4.3.zip (source) and httpd-2.4.3-win32.zip + httpd-2.4.3-win64.zip (binaries)) -libxml2-2.7.7.zip -lua-5.1.5.zip -pcre-8.30.zip -zlib-1.2.7.zip - -Modify c:\work\build.bat accordingly (if other versions were used) - -8. Open cmd.exe window, go to c:\work and run buildall.bat -9. When done, the binaries, lib and pdb files should appear under c:\drop\x86 (32-bit) and c:\drop\amd64 (64-bit) -10. Open the VS ModSecurity IIS installer project -11. Copy new binaries to the installer's x86 and amd64 directories -12. Build installer from within VS +The build process for ModSecurityIIS for Windows was a relatively complicated process. Understanding it required advanced knowledge of Windows and Unix environments. +So the build process was refactored to make it easier for users to create their own builds with the automated batch scripts. 
+ +* build_release.bat -> The main build script that calls all the others to have a working release +* build_msi.bat -> Creates the MSI self-installer for easy deploy / removal / distribution + +* build_dependencies.bat -> Sets (and downloads if needed) all required dependencies +* build_modsecurity.bat -> Builds ModSecurity (requires all depenedencies being set) + +* download_files.bat -> Downloads all required dependencies to the default Downloads folder +** This script is disabled by default. If you want to enable it, uncomment the "@call download_files.bat" line on build_dependencies.bat + +The dependencies folder also includes a set o batch scripts which sets each dependency +on its own. These scripts are called by the build_dependencies.bat script. + +Using the same versions of libraries as listed below is recommended. +-------------------------------------- +Compilation Prerequisites: + +* Windows 7 x86_x64 (Should work on newer versions of Windows too) +* Vistual Studio 2013 Express (Other versions should work, but you need to set the correct path for vcvars.bat scripts) +* IIS enabled/installed +* 7-Zip + +-------------------------------------- + +The latest versions of ModSecurity dependencies known to work well are the following: + +cmake-3.8.2-win32-x86 +pcre-8.40 (patch required and included on file "patch-pcre-8.40.vbs") +zlib-1.2.11 +libxml2-2.9.4 +lua-5.3.4 +curl-7.54.1 +httpd-2.4.26 (bin-VC11) +yajl-2.1.0 +ssdeep-2.13 + +-------------------------------------- + +1. Create working directory (e.g. c:\work) and drop the latest clone from ModSecurity's 2.x Github (https://github.com/SpiderLabs/ModSecurity/archive/v2/master.zip) +2. Make sure the prerequisites mentioned above are all set +3. If you haven't download the dependency files before, uncomment the "@call download_files.bat" line on build_dependencies.bat to have them downloaded prior +4. 
Open a command prompt (cmd.exe) and head to the "iis" folder inside ModSecurity tree working directory (e.g. cd c:\work\ModSecurity\iis) +5. If you need to modify anything (e.g. paths, versions etc), carefully edit the batch files. +6. Run build_release.bat +7. When done, the binaries, lib and pdb files should appear under c:\work\ModSecurity\iis\release\x86 (32-bit) and c:\work\ModSecurity\iis\release\amd64 (64-bit) +* At this point, if you had a previous installation of ModSecurity and would like to test you can place the x86 files to "C:\Windows\SysWOW64\inetsrv" and x64 files to "C:\Windows\System32\inetsrv" + +8. If all went well, you can build the MSI installer by running the build_msi.bat script. + +* The built installable package places the files to the correct folders, automatically configures the ModSecurity IIS native module and configures web.config to enable ModSecurity for all IIS sites. \ No newline at end of file diff --git a/iis/dependencies/patch-pcre-8.40.vbs b/iis/dependencies/patch-pcre-8.40.vbs new file mode 100644 index 0000000000..fc0063fd9d --- /dev/null +++ b/iis/dependencies/patch-pcre-8.40.vbs 
@@ -0,0 +1,33 @@ +'Dirty patch for compiling PCRE 8.40 on Windows as per:https://vcs.pcre.org/pcre/code/trunk/CMakeLists.txt?r1=1659&r2=1677&view=patch + + +Set oShell = CreateObject( "WScript.Shell" ) +workdir=oShell.ExpandEnvironmentStrings("%WORK_DIR%") + + +strFile = workdir & "\pcre\CMakeLists.txt" +strFileTmp = workdir & "\pcre\CMakeLists-patched.txt" + +'strFile = "c:\Users\vhora\Downloads\CMakeLists.txt" +'strFileTmp = "c:\Users\vhora\Downloads\CMakeLists-patched.txt" + +Dim fso +Set fso = WScript.CreateObject("Scripting.Filesystemobject") +Set f = fso.CreateTextFile(strFileTmp, 2) +Set objFS = CreateObject("Scripting.FileSystemObject") +Set objFile = objFS.OpenTextFile(strFile) + +Do Until objFile.AtEndOfStream + strLine = objFile.ReadLine + If InStr(strLine,"OPTION(PCRE_STATIC_RUNTIME OFF CACHE BOOL")> 0 Then + strLine = Replace(strLine,"OPTION(PCRE_STATIC_RUNTIME OFF CACHE BOOL","OPTION(PCRE_STATIC_RUNTIME") + End If + f.WriteLine strLine +Loop + +f.Close + + +objFile.Close +objFS.DeleteFile(strFile) +objFS.MoveFile strFileTmp, strFile \ No newline at end of file diff --git a/iis/download_files.bat b/iis/download_files.bat new file mode 100644 index 0000000000..8db0214c48 --- /dev/null +++ b/iis/download_files.bat 
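Review bot: The script never reports failure to its caller: if the `OPTION(PCRE_STATIC_RUNTIME OFF CACHE BOOL` line is not found it rewrites the file unchanged and exits 0, and if `%WORK_DIR%` is unset `ExpandEnvironmentStrings` returns the literal text and the resulting error is hidden by `cscript /B`. Track whether the replacement happened and exit non-zero otherwise, as sketched below, so the batch file can stop the build. `DeleteFile` followed by `MoveFile` also leaves no `CMakeLists.txt` at all if the move fails, which is one more reason the caller needs an exit code. The commented-out `c:\Users\vhora\Downloads\...` lines are leftover developer paths and can be removed, and a single `FileSystemObject` is enough for both files.

```vbscript
patched = False
' … unchanged: open files, start of Do Until loop …
    If InStr(strLine,"OPTION(PCRE_STATIC_RUNTIME OFF CACHE BOOL")> 0 Then
        ' … unchanged: Replace call …
        patched = True
    End If
' … unchanged: write line, Loop, f.Close, objFile.Close …
If Not patched Then
    ' Leave the original CMakeLists.txt in place and tell the caller.
    objFS.DeleteFile strFileTmp
    WScript.Quit 1
End If
' … unchanged: replace CMakeLists.txt with the patched copy …
```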
@@ -0,0 +1,41 @@ + +::@set CMAKE=cmake-3.8.2-win32-x86.zip +::@set PCRE=pcre-8.40.zip +::@set ZLIB=zlib-1.2.11.tar.gz +::@set LIBXML2=libxml2-2.9.4.tar.gz +::@set LUA=lua-5.3.4.tar.gz +::@set CURL=curl-7.54.1.zip +::@set APACHE_SRC=httpd-2.4.26.tar.gz +::@set APACHE_BIN32=httpd-2.4.26-win32-VC11.zip +::@set APACHE_BIN64=httpd-2.4.26-win64-VC11.zip +::@set YAJL=yajl-2.1.0.zip +::@set SSDEEP=ssdeep-2.13.tar.gz +::@set SSDEEP_BIN=ssdeep-2.13.zip + +:: BITSAdmin refuses to download YAJL from GitHub URL +:: @set YAJL_URL=https://github.com/lloyd/yajl/archive/%YAJL:~-9% +@set YAJL_URL=http://http.debian.net/debian/pool/main/y/yajl/yajl_2.1.0.orig.tar.gz + +@set CMAKE_URL=https://cmake.org/files/v3.8/%CMAKE% +@set PCRE_URL=https://ftp.pcre.org/pub/pcre/%PCRE% +@set ZLIB_URL=https://zlib.net/%ZLIB% +@set LIBXML2_URL=http://xmlsoft.org/sources/%LIBXML2% +@set LUA_URL=https://www.lua.org/ftp/%LUA% +@set CURL_URL=http://curl.askapache.com/download/%CURL% +@set APACHE_SRC_URL=https://www.apache.org/dist/httpd/%APACHE_SRC% +@set APACHE_BIN_URL=https://www.apachelounge.com/download/VC11/binaries +@set SSDEEP_URL=https://downloads.sourceforge.net/project/ssdeep/ssdeep-2.13 + +bitsadmin.exe /transfer "Downloading dependencies..." %CMAKE_URL% %SOURCE_DIR%\%CMAKE% %PCRE_URL% %SOURCE_DIR%\%PCRE% %ZLIB_URL% %SOURCE_DIR%\%ZLIB% %LIBXML2_URL% %SOURCE_DIR%\%LIBXML2% %LUA_URL% %SOURCE_DIR%\%LUA% %CURL_URL% %SOURCE_DIR%\%CURL% %APACHE_SRC_URL% %SOURCE_DIR%\%APACHE_SRC% %APACHE_BIN_URL%/%APACHE_BIN32% %SOURCE_DIR%\%APACHE_BIN32% %APACHE_BIN_URL%/%APACHE_BIN64% %SOURCE_DIR%\%APACHE_BIN64% %YAJL_URL% %SOURCE_DIR%\%YAJL% %SSDEEP_URL%/%SSDEEP% %SOURCE_DIR%\%SSDEEP% %SSDEEP_URL%/%SSDEEP_BIN% %SOURCE_DIR%\%SSDEEP_BIN% + + +@if NOT (%ERRORLEVEL%) == (0) goto :failed_to_download +@exit /B 0 + +:failed_to_download +@echo. && echo Failed to download dependency files... 
Try again or manually download the files to %SOURCE_DIR% and comment "@call download_files.bat" from build_dependencies.bat +@goto failed + +:failed +@exit /B 1 + diff --git a/standalone/config.c b/standalone/config.c index 800d5b4344..5b3d0b21d0 100644 --- a/standalone/config.c +++ b/standalone/config.c @@ -742,12 +742,12 @@ AP_DECLARE(char *) ap_make_full_path(apr_pool_t *a, const char *src1, return path; } -static int fname_alphasort(const void *fn1, const void *fn2) +static int fname_reversealphasort(const void *fn1, const void *fn2) { const fnames *f1 = fn1; const fnames *f2 = fn2; - return strcmp(f1->fname,f2->fname); + return strcmp(f2->fname,f1->fname); } int fnmatch_test(const char *pattern) @@ -840,7 +840,7 @@ static const char *process_resource_config_nofnmatch(const char *fname, apr_dir_close(dirp); if (candidates->nelts != 0) { qsort((void *) candidates->elts, candidates->nelts, - sizeof(fnames), fname_alphasort); + sizeof(fnames), fname_reversealphasort); /* * Now recurse these... we handle errors and subdirectories @@ -941,7 +941,7 @@ static const char *process_resource_config_fnmatch(const char *path, const char *error; qsort((void *) candidates->elts, candidates->nelts, - sizeof(fnames), fname_alphasort); + sizeof(fnames), fname_reversealphasort); /* * Now recurse these... we handle errors and subdirectories @@ -1201,3 +1201,4 @@ const char *process_command_config(server_rec *s, return errmsg; } +
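Review bot: Nothing verifies the archives after the `bitsadmin.exe /transfer` job in `download_files.bat`, and three of the sources are plain HTTP (`YAJL_URL`, `LIBXML2_URL`, `CURL_URL`), so files that are later unpacked, compiled and linked into the module can be altered in transit or at a mirror without the build noticing. Use an `https://` origin wherever the upstream project offers one and pin a SHA-256 per file next to the filename variables, then compare it before extraction, for example with `certutil -hashfile "%SOURCE_DIR%\%CMAKE%" SHA256` checked against a `CMAKE_SHA256` value (placeholder name) and `goto failed` on mismatch. Doing the comparison in the build scripts rather than only here also covers manually downloaded files. Note too that `YAJL_URL` fetches `yajl_2.1.0.orig.tar.gz` but the job stores it as `%YAJL%`, which `build_dependencies.bat` sets to `yajl-2.1.0.zip`, so the saved name does not match the archive format.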
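Review bot: `fname_reversealphasort` inverts the order in which include candidates are sorted, in both `process_resource_config_nofnmatch` and `process_resource_config_fnmatch` (hunks at -840,7 and -941,7), and nothing in the code says why. Rule and configuration files are order-sensitive, so the reason should be written down at the comparator, for instance `/* Descending on purpose: <why the later processing needs reverse order, to be confirmed>. Include order decides the order directives are applied. */`. If the reversal compensates for a later step that reverses the list again, a test that loads two numbered files and checks the resulting order would guard against a regression. The bodies of both callers lie outside the hunks.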