Index: head/security/modsecurity3/Makefile =================================================================== --- head/security/modsecurity3/Makefile (revision 550722) +++ head/security/modsecurity3/Makefile (revision 550723) @@ -1,44 +1,44 @@ # $FreeBSD$ PORTNAME= modsecurity DISTVERSIONPREFIX= v DISTVERSION= 3.0.4 -PORTREVISION= 0 +PORTREVISION= 1 CATEGORIES= security www MASTER_SITES= https://github.com/SpiderLabs/ModSecurity/releases/download/v${PORTVERSION}/ PKGNAMESUFFIX= 3 MAINTAINER= marius.halden@modirum.com COMMENT= Intrusion detection and prevention engine LICENSE= APACHE20 LICENSE_FILE= ${WRKSRC}/LICENSE LIB_DEPENDS= libcurl.so:ftp/curl \ libpcre.so:devel/pcre \ libyajl.so:devel/yajl \ libmaxminddb.so:net/libmaxminddb USES= compiler:c++11-lang gmake gnome libtool pkgconfig:build USE_GNOME= libxml2 # GCC because of https://github.com/SpiderLabs/ModSecurity/issues/1411 USE_GCC= yes USE_LDCONFIG= yes GNU_CONFIGURE= yes CONFIGURE_ARGS= --without-lmdb --without-ssdeep --without-lua PLIST_SUB= SHLIBVER=${DISTVERSION} ETCDIR= ${PREFIX}/etc/modsecurity CONFLICTS_INSTALL= ap??-mod_security mod_security3 INSTALL_TARGET= install-strip post-install: @${MKDIR} ${STAGEDIR}${ETCDIR} ${INSTALL_DATA} ${WRKSRC}/modsecurity.conf-recommended \ ${STAGEDIR}${ETCDIR}/modsecurity.conf.sample .include Index: head/security/modsecurity3/files/patch-src_operators_rx.cc =================================================================== --- head/security/modsecurity3/files/patch-src_operators_rx.cc (nonexistent) +++ head/security/modsecurity3/files/patch-src_operators_rx.cc (revision 550723) @@ -0,0 +1,51 @@ +--- src/operators/rx.cc.orig 2020-01-13 13:09:28 UTC ++++ src/operators/rx.cc +@@ -38,7 +38,6 @@ bool Rx::init(const std::string &arg, st + + bool Rx::evaluate(Transaction *transaction, Rule *rule, + const std::string& input, std::shared_ptr ruleMessage) { +- std::list matches; + Regex *re; + + if (m_param.empty() && !m_string->m_containsMacro) { +@@ -52,29 +51,29 @@ bool Rx::evaluate(Transaction *transacti + re = m_re; + } + +- matches = re->searchAll(input); ++ std::vector captures; ++ re->searchOneMatch(input, captures); ++ + if (rule && rule->m_containsCaptureAction && transaction) { +- int i = 0; +- matches.reverse(); +- for (const SMatch& a : matches) { ++ for (const Utils::SMatchCapture& capture : captures) { ++ const std::string capture_substring(input.substr(capture.m_offset,capture.m_length)); + transaction->m_collections.m_tx_collection->storeOrUpdateFirst( +- std::to_string(i), a.str()); ++ std::to_string(capture.m_group), capture_substring); + ms_dbg_a(transaction, 7, "Added regex subexpression TX." + +- std::to_string(i) + ": " + a.str()); +- transaction->m_matched.push_back(a.str()); +- i++; ++ std::to_string(capture.m_group) + ": " + capture_substring); ++ transaction->m_matched.push_back(capture_substring); + } + } + +- for (const auto & i : matches) { +- logOffset(ruleMessage, i.offset(), i.str().size()); ++ for (const auto & capture : captures) { ++ logOffset(ruleMessage, capture.m_offset, capture.m_length); + } + + if (m_string->m_containsMacro) { + delete re; + } + +- if (matches.size() > 0) { ++ if (captures.size() > 0) { + return true; + } + Property changes on: head/security/modsecurity3/files/patch-src_operators_rx.cc ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: head/security/modsecurity3/files/patch-src_utils_regex.cc =================================================================== --- head/security/modsecurity3/files/patch-src_utils_regex.cc (nonexistent) +++ head/security/modsecurity3/files/patch-src_utils_regex.cc (revision 550723) @@ -0,0 +1,40 @@ +--- src/utils/regex.cc.orig 2020-01-13 13:09:28 UTC ++++ src/utils/regex.cc +@@ -16,10 +16,6 @@ + #include "src/utils/regex.h" + + #include +-#include +-#include +-#include +-#include + #include + #include + +@@ -99,6 +95,26 @@ std::list Regex::searchAll(const + return retList; + } + ++bool Regex::searchOneMatch(const std::string& s, std::vector& captures) const { ++ const char *subject = s.c_str(); ++ int ovector[OVECCOUNT]; ++ ++ int rc = pcre_exec(m_pc, m_pce, subject, s.size(), 0, 0, ovector, OVECCOUNT); ++ ++ for (int i = 0; i < rc; i++) { ++ size_t start = ovector[2*i]; ++ size_t end = ovector[2*i+1]; ++ size_t len = end - start; ++ if (end > s.size()) { ++ continue; ++ } ++ SMatchCapture capture(i, start, len); ++ captures.push_back(capture); ++ } ++ ++ return (rc > 0); ++} ++ + int Regex::search(const std::string& s, SMatch *match) const { + int ovector[OVECCOUNT]; + int ret = pcre_exec(m_pc, m_pce, s.c_str(), Property changes on: head/security/modsecurity3/files/patch-src_utils_regex.cc ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: head/security/modsecurity3/files/patch-src_utils_regex.h =================================================================== --- head/security/modsecurity3/files/patch-src_utils_regex.h (nonexistent) +++ head/security/modsecurity3/files/patch-src_utils_regex.h (revision 550723) @@ -0,0 +1,35 @@ +--- src/utils/regex.h.orig 2020-01-13 13:09:28 UTC ++++ src/utils/regex.h +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + + #ifndef SRC_UTILS_REGEX_H_ + #define SRC_UTILS_REGEX_H_ +@@ -47,6 +48,16 @@ class SMatch { + size_t m_offset; + }; + ++struct SMatchCapture { ++ SMatchCapture(size_t group, size_t offset, size_t length) : ++ m_group(group), ++ m_offset(offset), ++ m_length(length) { } ++ ++ size_t m_group; // E.g. 0 = full match; 6 = capture group 6 ++ size_t m_offset; // offset of match within the analyzed string ++ size_t m_length; ++}; + + class Regex { + public: +@@ -58,6 +69,7 @@ class Regex { + Regex& operator=(const Regex&) = delete; + + std::list searchAll(const std::string& s) const; ++ bool searchOneMatch(const std::string& s, std::vector& captures) const; + int search(const std::string &s, SMatch *m) const; + int search(const std::string &s) const; + Property changes on: head/security/modsecurity3/files/patch-src_utils_regex.h ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: head/security/modsecurity3/files/patch-test_test-cases_regression_variable-TX.json =================================================================== --- head/security/modsecurity3/files/patch-test_test-cases_regression_variable-TX.json (nonexistent) +++ head/security/modsecurity3/files/patch-test_test-cases_regression_variable-TX.json (revision 550723) @@ -0,0 +1,146 @@ +--- test/test-cases/regression/variable-TX.json.orig 2020-01-13 13:09:28 UTC ++++ test/test-cases/regression/variable-TX.json +@@ -80,5 +80,143 @@ + "SecRule REQUEST_HEADERS \"@rx ([A-z]+)\" \"id:1,log,pass,capture,id:14\"", + "SecRule TX:0 \"@rx ([A-z]+)\" \"id:15\"" + ] ++ }, ++ { ++ "enabled":1, ++ "version_min":300000, ++ "title":"Testing Variables :: capture group match after unused group", ++ "client":{ ++ "ip":"200.249.12.31", ++ "port":123 ++ }, ++ "server":{ ++ "ip":"200.249.12.31", ++ "port":80 ++ }, ++ "request":{ ++ "uri":"/?key=aadd", ++ "method":"GET" ++ }, ++ "response":{ ++ "headers":{ ++ "Date":"Mon, 13 Jul 2015 20:02:41 GMT", ++ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", ++ "Content-Type":"text/html" ++ }, ++ "body":[ ++ "no need." ++ ] ++ }, ++ "expected":{ ++ "debug_log":"Added regex subexpression TX\\.3: dd[\\s\\S]*Target value: \"dd\" \\(Variable\\: TX\\:3[\\s\\S]*Rule returned 1" ++ }, ++ "rules":[ ++ "SecRuleEngine On", ++ "SecRule ARGS \"@rx (aa)(bb|cc)?(dd)\" \"id:1,log,pass,capture,id:16\"", ++ "SecRule TX:3 \"@streq dd\" \"id:19,phase:2,log,pass\"" ++ ] ++ }, ++ { ++ "enabled":1, ++ "version_min":300000, ++ "title":"Testing Variables :: empty capture group match followed by nonempty capture group", ++ "client":{ ++ "ip":"200.249.12.31", ++ "port":123 ++ }, ++ "server":{ ++ "ip":"200.249.12.31", ++ "port":80 ++ }, ++ "request":{ ++ "uri":"/?key=aadd", ++ "method":"GET" ++ }, ++ "response":{ ++ "headers":{ ++ "Date":"Mon, 13 Jul 2015 20:02:41 GMT", ++ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", ++ "Content-Type":"text/html" ++ }, ++ "body":[ ++ "no need." ++ ] ++ }, ++ "expected":{ ++ "debug_log":"Added regex subexpression TX\\.3: dd[\\s\\S]*Target value: \"dd\" \\(Variable\\: TX\\:3[\\s\\S]*Rule returned 1" ++ }, ++ "rules":[ ++ "SecRuleEngine On", ++ "SecRule ARGS \"@rx (aa)(bb|cc|)(dd)\" \"id:18,phase:1,log,pass,capture\"", ++ "SecRule TX:3 \"@streq dd\" \"id:19,phase:2,log,pass\"" ++ ] ++ }, ++ { ++ "enabled":1, ++ "version_min":300000, ++ "title":"Testing Variables :: repeating capture group -- alternates", ++ "client":{ ++ "ip":"200.249.12.31", ++ "port":123 ++ }, ++ "server":{ ++ "ip":"200.249.12.31", ++ "port":80 ++ }, ++ "request":{ ++ "uri":"/?key=_abc123_", ++ "method":"GET" ++ }, ++ "response":{ ++ "headers":{ ++ "Date":"Mon, 13 Jul 2015 20:02:41 GMT", ++ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", ++ "Content-Type":"text/html" ++ }, ++ "body":[ ++ "no need." ++ ] ++ }, ++ "expected":{ ++ "debug_log":"Added regex subexpression TX\\.2: abc[\\s\\S]*Added regex subexpression TX\\.3: 123" ++ }, ++ "rules":[ ++ "SecRuleEngine On", ++ "SecRule ARGS \"@rx _((?:(abc)|(123))+)_\" \"id:18,phase:1,log,pass,capture\"" ++ ] ++ }, ++ { ++ "enabled":1, ++ "version_min":300000, ++ "title":"Testing Variables :: repeating capture group -- same (nested)", ++ "client":{ ++ "ip":"200.249.12.31", ++ "port":123 ++ }, ++ "server":{ ++ "ip":"200.249.12.31", ++ "port":80 ++ }, ++ "request":{ ++ "uri":"/?key=a:5a:8a:9", ++ "method":"GET" ++ }, ++ "response":{ ++ "headers":{ ++ "Date":"Mon, 13 Jul 2015 20:02:41 GMT", ++ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", ++ "Content-Type":"text/html" ++ }, ++ "body":[ ++ "no need." ++ ] ++ }, ++ "expected":{ ++ "debug_log":"Added regex subexpression TX\\.1: 5[\\s\\S]*Added regex subexpression TX\\.2: 8[\\s\\S]*Added regex subexpression TX\\.3: 9" ++ }, ++ "rules":[ ++ "SecRuleEngine On", ++ "SecRule ARGS \"@rx a:([0-9])(?:a:([0-9])(?:a:([0-9]))*)*\" \"id:18,phase:1,log,pass,capture\"" ++ ] + } + ] Property changes on: head/security/modsecurity3/files/patch-test_test-cases_regression_variable-TX.json ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property