Created
November 2, 2014 07:56
-
-
Save ju5t/0d61ee80b23f0987d65e to your computer and use it in GitHub Desktop.
A patch for modsecurity and mpm-itk
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/apache2/msc_logging.c b/apache2/msc_logging.c | |
| index 3323fac..ce8b069 100644 | |
| --- a/apache2/msc_logging.c | |
| +++ b/apache2/msc_logging.c | |
| @@ -225,10 +225,20 @@ static char *construct_auditlog_filename(apr_pool_t *mp, const char *uniqueid) { | |
| char tstr[300]; | |
| apr_size_t len; | |
| + /** | |
| + * This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations | |
| + * It also changes the return statement. | |
| + */ | |
| + char *username; | |
| + apr_uid_t uid; | |
| + apr_gid_t gid; | |
| + apr_uid_current(&uid, &gid, mp); | |
| + apr_uid_name_get(&username, uid, mp); | |
| + | |
| apr_time_exp_lt(&t, apr_time_now()); | |
| apr_strftime(tstr, &len, 299, "/%Y%m%d/%Y%m%d-%H%M/%Y%m%d-%H%M%S", &t); | |
| - return apr_psprintf(mp, "%s-%s", tstr, uniqueid); | |
| + return apr_psprintf(mp, "/%s%s-%s", username, tstr, uniqueid); | |
| } | |
| /** | |
| diff --git a/apache2/persist_dbm.c b/apache2/persist_dbm.c | |
| index b698e79..8631ac9 100644 | |
| --- a/apache2/persist_dbm.c | |
| +++ b/apache2/persist_dbm.c | |
| @@ -101,6 +101,15 @@ static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec | |
| int expired = 0; | |
| int i; | |
| + /** | |
| + * This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations | |
| + */ | |
| + char *username; | |
| + apr_uid_t uid; | |
| + apr_gid_t gid; | |
| + apr_uid_current(&uid, &gid, msr->mp); | |
| + apr_uid_name_get(&username, uid, msr->mp); | |
| + | |
| if (msr->txcfg->data_dir == NULL) { | |
| msr_log(msr, 1, "collection_retrieve_ex: Unable to retrieve collection (name \"%s\", key \"%s\"). Use " | |
| "SecDataDir to define data directory first.", log_escape(msr->mp, col_name), | |
| @@ -108,7 +117,7 @@ static apr_table_t *collection_retrieve_ex(apr_sdbm_t *existing_dbm, modsec_rec | |
| goto cleanup; | |
| } | |
| - dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", col_name, NULL); | |
| + dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", col_name, NULL); | |
| if (msr->txcfg->debuglog_level >= 9) { | |
| msr_log(msr, 9, "collection_retrieve_ex: collection_retrieve_ex: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name), | |
| @@ -336,6 +345,15 @@ int collection_store(modsec_rec *msr, apr_table_t *col) { | |
| const apr_table_t *stored_col = NULL; | |
| const apr_table_t *orig_col = NULL; | |
| + /** | |
| + * This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations | |
| + */ | |
| + char *username; | |
| + apr_uid_t uid; | |
| + apr_gid_t gid; | |
| + apr_uid_current(&uid, &gid, msr->mp); | |
| + apr_uid_name_get(&username, uid, msr->mp); | |
| + | |
| var_name = (msc_string *)apr_table_get(col, "__name"); | |
| if (var_name == NULL) { | |
| goto error; | |
| @@ -354,7 +372,7 @@ int collection_store(modsec_rec *msr, apr_table_t *col) { | |
| } | |
| // ENH: lowercase the var name in the filename | |
| - dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", var_name->value, NULL); | |
| + dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", var_name->value, NULL); | |
| if (msr->txcfg->debuglog_level >= 9) { | |
| msr_log(msr, 9, "collection_store: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, var_name->value), | |
| @@ -585,6 +603,15 @@ int collections_remove_stale(modsec_rec *msr, const char *col_name) { | |
| apr_time_t now = apr_time_sec(msr->request_time); | |
| int i; | |
| + /** | |
| + * This is required for mpm-itk & mod_ruid2, though should be harmless for other implementations | |
| + */ | |
| + char *username; | |
| + apr_uid_t uid; | |
| + apr_gid_t gid; | |
| + apr_uid_current(&uid, &gid, msr->mp); | |
| + apr_uid_name_get(&username, uid, msr->mp); | |
| + | |
| if (msr->txcfg->data_dir == NULL) { | |
| /* The user has been warned about this problem enough times already by now. | |
| * msr_log(msr, 1, "Unable to access collection file (name \"%s\"). Use SecDataDir to " | |
| @@ -594,9 +621,9 @@ int collections_remove_stale(modsec_rec *msr, const char *col_name) { | |
| } | |
| if(strstr(col_name,"USER") || strstr(col_name,"SESSION") || strstr(col_name, "RESOURCE")) | |
| - dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", msr->txcfg->webappid, "_", col_name, NULL); | |
| + dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", msr->txcfg->webappid, "_", col_name, NULL); | |
| else | |
| - dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", col_name, NULL); | |
| + dbm_filename = apr_pstrcat(msr->mp, msr->txcfg->data_dir, "/", username, "-", col_name, NULL); | |
| if (msr->txcfg->debuglog_level >= 9) { | |
| msr_log(msr, 9, "collections_remove_stale: Retrieving collection (name \"%s\", filename \"%s\")",log_escape(msr->mp, col_name), |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment