From 698fccf1610b6fae76856495f4759d2803119b7d Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 18 May 2021 02:46:05 -0400 Subject: [PATCH] import mod_security-2.9.2-9.el8 --- ..._security-2.9.2-remote-rules-timeout.patch | 85 +++++++++++++++++++ SPECS/mod_security.spec | 8 +- 2 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 SOURCES/mod_security-2.9.2-remote-rules-timeout.patch diff --git a/SOURCES/mod_security-2.9.2-remote-rules-timeout.patch b/SOURCES/mod_security-2.9.2-remote-rules-timeout.patch new file mode 100644 index 0000000..ec1cc59 --- /dev/null +++ b/SOURCES/mod_security-2.9.2-remote-rules-timeout.patch @@ -0,0 +1,85 @@ +diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c +index ce97950..5d4e9b5 100644 +--- a/apache2/apache2_config.c ++++ b/apache2/apache2_config.c +@@ -2345,6 +2345,24 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1, + } + + ++static const char *cmd_remote_timeout(cmd_parms *cmd, void *_dcfg, const char *p1) ++{ ++ directory_config *dcfg = (directory_config *)_dcfg; ++ long int timeout; ++ ++ if (dcfg == NULL) return NULL; ++ ++ timeout = strtol(p1, NULL, 10); ++ if ((timeout == LONG_MAX)||(timeout == LONG_MIN)||(timeout < 0)) { ++ return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRemoteTimeout: %s", p1); ++ } ++ ++ remote_rules_timeout = timeout; ++ ++ return NULL; ++} ++ ++ + static const char *cmd_status_engine(cmd_parms *cmd, void *_dcfg, const char *p1) + { + if (strcasecmp(p1, "on") == 0) { +@@ -3658,6 +3677,14 @@ const command_rec module_directives[] = { + "Abort or Warn" + ), + ++ AP_INIT_TAKE1 ( ++ "SecRemoteTimeout", ++ cmd_remote_timeout, ++ NULL, ++ CMD_SCOPE_ANY, ++ "timeout in seconds" ++ ), ++ + + AP_INIT_TAKE1 ( + "SecXmlExternalEntity", +diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c +index b6e98e9..1410ac7 100644 +--- a/apache2/mod_security2.c ++++ b/apache2/mod_security2.c +@@ -79,6 +79,8 @@ msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL; + #endif + int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL; + char DSOLOCAL *remote_rules_fail_message = NULL; ++unsigned long int DSOLOCAL remote_rules_timeout = NOT_SET; ++ + + int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED; + +diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h +index f170034..d9de1f0 100644 +--- a/apache2/modsecurity.h ++++ b/apache2/modsecurity.h +@@ -150,6 +150,7 @@ extern DSOLOCAL msc_remote_rules_server *remote_rules_server; + #endif + extern DSOLOCAL int remote_rules_fail_action; + extern DSOLOCAL char *remote_rules_fail_message; ++extern DSOLOCAL unsigned long int remote_rules_timeout; + + extern DSOLOCAL int status_engine_state; + +diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c +index 8a6df9e..af437d1 100644 +--- a/apache2/msc_remote_rules.c ++++ b/apache2/msc_remote_rules.c +@@ -353,6 +353,11 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key + /* We want Curl to return error in case there is an HTTP error code */ + curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1); + ++ /* In case we want different timeout than a default one */ ++ if (remote_rules_timeout != NOT_SET){ ++ curl_easy_setopt(curl, CURLOPT_TIMEOUT, remote_rules_timeout); ++ } ++ + res = curl_easy_perform(curl); + + if (res != CURLE_OK) diff --git a/SPECS/mod_security.spec b/SPECS/mod_security.spec index 2a56f55..d0e4001 100644 --- a/SPECS/mod_security.spec +++ b/SPECS/mod_security.spec @@ -10,7 +10,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.9.2 -Release: 8%{?dist} +Release: 9%{?dist} License: ASL 2.0 URL: http://www.modsecurity.org/ Group: System Environment/Daemons @@ -18,6 +18,7 @@ Source: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/ Source1: mod_security.conf Source2: 10-mod_security.conf Source3: modsecurity_localrules.conf +Patch1: mod_security-2.9.2-remote-rules-timeout.patch Requires: httpd httpd-mmn = %{_httpd_mmn} # To ensure correct file ownership Requires(pre): httpd-filesystem @@ -56,6 +57,7 @@ This package contains the ModSecurity Audit Log Collector. %prep %setup -q -n modsecurity-%{version} +%patch1 -p1 -b .remote-rules-timeout %build %configure --enable-pcre-match-limit=1000000 \ @@ -134,6 +136,10 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf %endif %changelog +* Sun Nov 15 2020 Lubos Uhliarik - 2.9.2-9 +- Resolves: #1824859 - RFE: Add a feature that can set a mod_security/libcurl + timeout for retrieving the rules + * Mon Dec 17 2018 Joe Orton - 2.9.2-8 - enable collection global lock (#1650268)