Merge branch 'SpiderLabs:v3/master' into v3/master

Author: pr4u4t

CHANGES

@@ -1,6 +1,22 @@
-v3.x.y - YYYY-MMM-DD (to be released)
--------------------------------------
+v3.0.7 - 2022-May-30
+--------------------
 
+  - Move PCRE2 match block from member variable
+    [@martinhsv]
+  - Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended
+    [Issue #2738 - @jleproust, @martinhsv]
+  - Fix memory leak when concurrent log includes REMOTE_USER
+    [Issue #2727 - @liudongmiao]
+  - Fix LMDB initialization issues
+    [Issue #2688 - @ziollek, @martinhsv]
+  - Fix initcol error message wording
+    [Issue #2732 - @877509395, @martinhsv]
+  - Tolerate other parameters after boundary in multipart C-T
+    [Issue #1900 - @martinhsv]
+  - Add DebugLog message for bad pattern in rx operator
+    [Issue #2723 - @martinhsv]
+  - Support PCRE2
+    [Issue #2668 - @martinhsv]
   - Support SecRequestBodyNoFilesLimit
     [Issue #2670 - @airween, @martinhsv]
   - Fix misuses of LMDB API
@@ -14,11 +30,11 @@ v3.x.y - YYYY-MMM-DD (to be released)
   - Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc.
     [Issue #2627, #2648 - @lontchianicet, @victorserbu2709, @martinhsv]
   - Adjust confusing variable name in setRequestBody method
-    [Issue #2635 @Mesar-Ali, @martinhsv]
+    [Issue #2635 - @Mesar-Ali, @martinhsv]
   - Multipart names/filenames may include single quote if double-quote enclosed
-    [Issue #2352 @martinhsv]
+    [Issue #2352 - @martinhsv]
   - Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
-    [Issue #2647 @theMiddleBlue, @airween, @877509395 ,@martinhsv]
+    [Issue #2647 - @theMiddleBlue, @airween, @877509395 ,@martinhsv]
 
 
 v3.0.6 - 2021-Nov-19

build/pcre2.m4

@@ -0,0 +1,183 @@
+dnl Check for PCRE2 Libraries
+dnl CHECK_PCRE2(ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND])
+
+AC_DEFUN([PROG_PCRE2], [
+
+# Possible names for the pcre2 library/package (pkg-config)
+PCRE2_POSSIBLE_LIB_NAMES="pcre2 pcre2-8"
+
+# Possible extensions for the library
+PCRE2_POSSIBLE_EXTENSIONS="so so0 la sl dll dylib so.0.0.0"
+
+# Possible paths (if pkg-config was not found, proceed with the file lookup)
+PCRE2_POSSIBLE_PATHS="/usr/lib /usr/local/lib /usr/local/libpcre2-8 /usr/local/pcre2 /usr/local /opt/libpcre2-8 /opt/pcre2 /opt /usr /usr/lib64 /opt/local"
+
+# Variables to be set by this very own script.
+PCRE2_VERSION=""
+PCRE2_CFLAGS=""
+PCRE2_CPPFLAGS=""
+PCRE2_LDADD=""
+PCRE2_LDFLAGS=""
+
+AC_ARG_WITH(
+    pcre2,
+    AC_HELP_STRING(
+      [--with-pcre2=PATH],
+      [Path to pcre2 prefix or config script]
+    )
+)
+
+if test "x${with_pcre2}" == "xno"; then
+    AC_DEFINE(HAVE_PCRE2, 0, [Support for PCRE2 was disabled by the utilization of --without-pcre2 or --with-pcre2=no])
+    AC_MSG_NOTICE([Support for PCRE2 was disabled by the utilization of --without-pcre2 or --with-pcre2=no])
+    PCRE2_DISABLED=yes
+else
+    if test "x${with_pcre2}" == "xyes"; then
+        PCRE2_MANDATORY=yes
+        AC_MSG_NOTICE([PCRE2 support was marked as mandatory by the utilization of --with-pcre2=yes])
+    fi
+#        for x in ${PCRE2_POSSIBLE_LIB_NAMES}; do
+#            CHECK_FOR_PCRE2_AT(${x})
+#            if test -n "${PCRE2_VERSION}"; then
+#                break
+#            fi
+#        done
+
+#    if test "x${with_pcre2}" != "xyes" or test "x${with_pcre2}" == "xyes"; then
+        if test "x${with_pcre2}" == "x" || test "x${with_pcre2}" == "xyes"; then
+            # Nothing about PCRE2 was informed, using the pkg-config to figure things out.
+            if test -n "${PKG_CONFIG}"; then
+                PCRE2_PKG_NAME=""
+                for x in ${PCRE2_POSSIBLE_LIB_NAMES}; do
+                    if ${PKG_CONFIG} --exists ${x}; then
+                        PCRE2_PKG_NAME="$x"
+                        break
+                    fi
+                done
+            fi
+            AC_MSG_NOTICE([Nothing about PCRE2 was informed during the configure phase. Trying to detect it on the platform...])
+            if test -n "${PCRE2_PKG_NAME}"; then
+                # Package was found using the pkg-config scripts
+                PCRE2_VERSION="`${PKG_CONFIG} ${PCRE2_PKG_NAME} --modversion`"
+                PCRE2_CFLAGS="`${PKG_CONFIG} ${PCRE2_PKG_NAME} --cflags`"
+                PCRE2_LDADD="`${PKG_CONFIG} ${PCRE2_PKG_NAME} --libs-only-l`"
+                PCRE2_LDFLAGS="`${PKG_CONFIG} ${PCRE2_PKG_NAME} --libs-only-L --libs-only-other`"
+                PCRE2_DISPLAY="${PCRE2_LDADD}, ${PCRE2_CFLAGS}"
+            else
+                # If pkg-config did not find anything useful, go over file lookup.
+                for x in ${PCRE2_POSSIBLE_PATHS}; do
+                    CHECK_FOR_PCRE2_AT(${x})
+                    if test -n "${PCRE2_VERSION}"; then
+                        break
+                    fi
+                done
+            fi
+        fi
+        if test "x${with_pcre2}" != "x"; then
+            # An specific path was informed, lets check.
+            PCRE2_MANDATORY=yes
+            CHECK_FOR_PCRE2_AT(${with_pcre2})
+        fi
+#    fi
+fi
+
+if test -z "${PCRE2_LDADD}"; then
+    if test -z "${PCRE2_MANDATORY}"; then
+        if test -z "${PCRE2_DISABLED}"; then
+            AC_MSG_NOTICE([PCRE2 library was not found])
+            PCRE2_FOUND=0
+        else
+            PCRE2_FOUND=2
+        fi
+    else
+        AC_MSG_ERROR([PCRE2 was explicitly referenced but it was not found])
+        PCRE2_FOUND=-1
+    fi
+else
+    if test -z "${PCRE2_MANDATORY}"; then
+        PCRE2_FOUND=2
+        AC_MSG_NOTICE([PCRE2 is disabled by default.])
+    else
+        PCRE2_FOUND=1
+        AC_MSG_NOTICE([using PCRE2 v${PCRE2_VERSION}])
+        PCRE2_CFLAGS="-DWITH_PCRE2 ${PCRE2_CFLAGS}"
+        PCRE2_DISPLAY="${PCRE2_LDADD}, ${PCRE2_CFLAGS}"
+        AC_SUBST(PCRE2_VERSION)
+        AC_SUBST(PCRE2_LDADD)
+        AC_SUBST(PCRE2_LIBS)
+        AC_SUBST(PCRE2_LDFLAGS)
+        AC_SUBST(PCRE2_CFLAGS)
+        AC_SUBST(PCRE2_DISPLAY)
+    fi
+fi
+
+
+AC_SUBST(PCRE2_FOUND)
+
+]) # AC_DEFUN [PROG_PCRE2]
+
+
+AC_DEFUN([CHECK_FOR_PCRE2_AT], [
+    path=$1
+    echo "*** LOOKING AT PATH: " ${path}
+    for y in ${PCRE2_POSSIBLE_EXTENSIONS}; do
+        for z in ${PCRE2_POSSIBLE_LIB_NAMES}; do
+           if test -e "${path}/${z}.${y}"; then
+               pcre2_lib_path="${path}/"
+               pcre2_lib_name="${z}"
+               pcre2_lib_file="${pcre2_lib_path}/${z}.${y}"
+               break
+           fi
+           if test -e "${path}/lib${z}.${y}"; then
+               pcre2_lib_path="${path}/"
+               pcre2_lib_name="${z}"
+               pcre2_lib_file="${pcre2_lib_path}/lib${z}.${y}"
+               break
+           fi
+           if test -e "${path}/lib/lib${z}.${y}"; then
+               pcre2_lib_path="${path}/lib/"
+               pcre2_lib_name="${z}"
+               pcre2_lib_file="${pcre2_lib_path}/lib${z}.${y}"
+               break
+           fi
+           if test -e "${path}/lib/x86_64-linux-gnu/lib${z}.${y}"; then
+               pcre2_lib_path="${path}/lib/x86_64-linux-gnu/"
+               pcre2_lib_name="${z}"
+               pcre2_lib_file="${pcre2_lib_path}/lib${z}.${y}"
+               break
+           fi
+           if test -e "${path}/lib/i386-linux-gnu/lib${z}.${y}"; then
+               pcre2_lib_path="${path}/lib/i386-linux-gnu/"
+               pcre2_lib_name="${z}"
+               pcre2_lib_file="${pcre2_lib_path}/lib${z}.${y}"
+               break
+           fi
+       done
+       if test -n "$pcre2_lib_path"; then
+           break
+       fi
+    done
+    if test -e "${path}/include/pcre2.h"; then
+        pcre2_inc_path="${path}/include"
+    elif test -e "${path}/pcre2.h"; then
+        pcre2_inc_path="${path}"
+    elif test -e "${path}/include/pcre2/pcre2.h"; then
+        pcre2_inc_path="${path}/include"
+    fi
+
+    if test -n "${pcre2_lib_path}"; then
+        AC_MSG_NOTICE([PCRE2 library found at: ${pcre2_lib_file}])
+    fi
+
+    if test -n "${pcre2_inc_path}"; then
+        AC_MSG_NOTICE([PCRE2 headers found at: ${pcre2_inc_path}])
+    fi
+
+    if test -n "${pcre2_lib_path}" -a -n "${pcre2_inc_path}"; then
+        # TODO: Compile a piece of code to check the version.
+        PCRE2_CFLAGS="-I${pcre2_inc_path}"
+        PCRE2_LDADD="-l${pcre2_lib_name}"
+        PCRE2_LDFLAGS="-L${pcre2_lib_path}"
+        PCRE2_DISPLAY="${pcre2_lib_file}, ${pcre2_inc_path}"
+    fi
+]) # AC_DEFUN [CHECK_FOR_PCRE2_AT]

configure.ac

@@ -129,6 +129,13 @@ CHECK_LIBXML2
 CHECK_PCRE
 
 
+#
+# Check for pcre2
+#
+PROG_PCRE2
+AM_CONDITIONAL([PCRE2_CFLAGS], [test "PCRE2_CFLAGS" != ""])
+
+
 # Checks for header files.
 AC_HEADER_STDC
 AC_CHECK_HEADERS([string])
@@ -555,6 +562,23 @@ if test "x$LUA_FOUND" = "x2"; then
 fi
 
 
+## PCRE2
+if test "x$PCRE2_FOUND" = "x0"; then
+    echo "   + PCRE2                                          ....not found"
+fi
+if test "x$PCRE2_FOUND" = "x1"; then
+    echo -n "   + PCRE2                                          ....found "
+    if ! test "x$PCRE2_VERSION" = "x"; then
+        echo "v${PCRE2_VERSION}"
+    else
+        echo ""
+    fi
+    echo "      ${PCRE2_DISPLAY}"
+fi
+if test "x$PCRE2_FOUND" = "x2"; then
+    echo "   + PCRE2                                          ....disabled"
+fi
+
 echo " "
 echo " Other Options"
 if test $buildTestUtilities = true; then

headers/modsecurity/modsecurity.h

@@ -190,15 +190,15 @@ namespace modsecurity {
 
 #define MODSECURITY_MAJOR "3"
 #define MODSECURITY_MINOR "0"
-#define MODSECURITY_PATCHLEVEL "6"
+#define MODSECURITY_PATCHLEVEL "7"
 #define MODSECURITY_TAG ""
 #define MODSECURITY_TAG_NUM "100"
 
 #define MODSECURITY_VERSION MODSECURITY_MAJOR "." \
     MODSECURITY_MINOR "." MODSECURITY_PATCHLEVEL \
     MODSECURITY_TAG
 
-#define MODSECURITY_VERSION_NUM 3060100
+#define MODSECURITY_VERSION_NUM 3070100
 
 #define MODSECURITY_CHECK_VERSION(a) (MODSECURITY_VERSION_NUM <= a)
 

headers/modsecurity/transaction.h

@@ -399,7 +399,7 @@ class Transaction : public TransactionAnchoredVariables, public TransactionSecMa
     size_t getRequestBodyLength();
 
 #ifndef NO_LOGS
-    void debug(int, std::string) const;
+    void debug(int, const std::string&) const;
 #endif
     void serverLog(std::shared_ptr<RuleMessage> rm);
 

modsecurity.conf-recommended

@@ -57,6 +57,16 @@ SecRequestBodyLimitAction Reject
 #
 SecRequestBodyJsonDepthLimit 512
 
+# Maximum number of args allowed per request. You want to keep this
+# value as low as practical. The value should match that in rule 200007.
+SecArgumentsLimit 1000
+
+# If SecArgumentsLimit has been set, you probably want to reject any
+# request body that has only been partly parsed. The value used in this
+# rule should match what was used with SecArgumentsLimit
+SecRule &ARGS "@ge 1000" \
+"id:'200007', phase:2,t:none,log,deny,status:400,msg:'Failed to fully parse request body due to large argument count',severity:2"
+
 # Verify that we've correctly processed the request body.
 # As a rule of thumb, when failing to process a request body
 # you should reject the request (when deployed in blocking mode)

src/Makefile.am

@@ -324,6 +324,7 @@ libmodsecurity_la_CPPFLAGS = \
 	$(YAJL_CFLAGS) \
 	$(LMDB_CFLAGS) \
 	$(PCRE_CFLAGS) \
+	$(PCRE2_CFLAGS) \
 	$(SSDEEP_CFLAGS) \
 	$(MAXMIND_CFLAGS) \
 	$(LUA_CFLAGS) \
@@ -339,6 +340,7 @@ libmodsecurity_la_LDFLAGS = \
 	$(LMDB_LDFLAGS) \
 	$(LUA_LDFLAGS) \
 	$(PCRE_LDFLAGS) \
+	$(PCRE2_LDFLAGS) \
 	$(SSDEEP_LDFLAGS) \
 	$(MAXMIND_LDFLAGS) \
 	$(YAJL_LDFLAGS) \
@@ -355,6 +357,7 @@ libmodsecurity_la_LIBADD = \
 	../others/libinjection.la \
 	../others/libmbedtls.la \
 	$(PCRE_LDADD) \
+	$(PCRE2_LDADD) \
 	$(MAXMIND_LDADD) \
 	$(SSDEEP_LDADD) \
 	$(YAJL_LDADD)

src/actions/init_col.cc

@@ -46,7 +46,7 @@ bool InitCol::init(std::string *error) {
         m_collection_key != "global" &&
         m_collection_key != "resource") {
         error->assign("Something wrong with initcol: collection must be " \
-            "`ip' or `global'");
+            "`ip', `global' or `resource'");
         return false;
     }