Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/mod_security.git#bfa3bdd4e8b195f45d0c670b6a784254f93e2fb4
2021-03-11 20:34:58 +00:00 · 2021-03-11 20:34:58 +00:00 · e8ac0b9a3f
commit e8ac0b9a3f
parent be76d766d4
2 changed files with 95 additions and 6 deletions
--- a/mod_security-2.9.3-remote-rules-timeout.patch
+++ b/mod_security-2.9.3-remote-rules-timeout.patch
@ -0,0 +1,85 @@
+diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
+index 80f8f2b..7912d84 100644
+--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
+@@ -2354,6 +2354,24 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
+ }
+ 
+ 
+static const char *cmd_remote_timeout(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
+    directory_config *dcfg = (directory_config *)_dcfg;
+    long int timeout;
+
+    if (dcfg == NULL) return NULL;
+
+    timeout = strtol(p1, NULL, 10);
+    if ((timeout == LONG_MAX)||(timeout == LONG_MIN)||(timeout < 0)) {
+        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRemoteTimeout: %s", p1);
+    }
+
+    remote_rules_timeout = timeout;
+
+    return NULL;
+}
+
+
+ static const char *cmd_status_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
+ {
+     if (strcasecmp(p1, "on") == 0) {
+@@ -3667,6 +3685,14 @@ const command_rec module_directives[] = {
+         "Abort or Warn"
+     ),
+ 
+    AP_INIT_TAKE1 (
+        "SecRemoteTimeout",
+        cmd_remote_timeout,
+        NULL,
+        CMD_SCOPE_ANY,
+        "timeout in seconds"
+    ),
+
+ 
+     AP_INIT_TAKE1 (
+         "SecXmlExternalEntity",
+diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
+index 7bb215e..c155495 100644
+--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
+@@ -79,6 +79,8 @@ msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
+ #endif
+ int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
+ char DSOLOCAL *remote_rules_fail_message = NULL;
+unsigned long int DSOLOCAL remote_rules_timeout = NOT_SET;
+
+ 
+ int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
+ 
+diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
+index f24bc75..8bcd453 100644
+--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
+@@ -150,6 +150,7 @@ extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
+ #endif
+ extern DSOLOCAL int remote_rules_fail_action;
+ extern DSOLOCAL char *remote_rules_fail_message;
+extern DSOLOCAL unsigned long int remote_rules_timeout;
+ 
+ extern DSOLOCAL int status_engine_state;
+ 
+diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
+index 99968f0..b8db13e 100644
+--- a/apache2/msc_remote_rules.c
+++ b/apache2/msc_remote_rules.c
+@@ -358,6 +358,11 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
+         /* We want Curl to return error in case there is an HTTP error code */
+         curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
+ 
+        /* In case we want different timeout than a default one */
+        if (remote_rules_timeout != NOT_SET){
+            curl_easy_setopt(curl, CURLOPT_TIMEOUT, remote_rules_timeout);
+        }
+
+         res = curl_easy_perform(curl);
+ 
+         if (res != CURLE_OK)
--- a/mod_security.spec
+++ b/mod_security.spec
@ -10,7 +10,7 @@
 Summary: Security module for the Apache HTTP Server
 Name: mod_security
 Version: 2.9.3
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: ASL 2.0
 URL: http://www.modsecurity.org/
 Source: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/modsecurity-%{version}.tar.gz
@ -19,6 +19,7 @@ Source2: 10-mod_security.conf
 Source3: modsecurity_localrules.conf
 Patch0: modsecurity-2.9.3-lua-54.patch
 Patch1: modsecurity-2.9.3-apulibs.patch
+Patch2: mod_security-2.9.3-remote-rules-timeout.patch

 Requires: httpd httpd-mmn = %{_httpd_mmn}
 %if 0%{?fedora} || 0%{?rhel} > 7
@ -48,7 +49,7 @@ for web applications. It operates embedded into the web server, acting
 as a powerful umbrella - shielding web applications from attacks.

 %if %{with mlogc}
-%package -n     mlogc
+%package        mlogc
 Summary:        ModSecurity Audit Log Collector
 Requires:       mod_security
 %if 0%{?fedora} || 0%{?rhel} > 7
@ -56,7 +57,7 @@ Requires:       mod_security
 Requires(pre):  httpd-filesystem
 %endif

-%description -n mlogc
+%description mlogc
 This package contains the ModSecurity Audit Log Collector.
 %endif

@ -70,6 +71,7 @@ This package contains the ModSecurity Audit Log Collector.
           --with-apxs=%{_httpd_apxs} \
           --with-yajl \
           --disable-static
+
 # remove rpath
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
@ -131,7 +133,7 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 %attr(770,apache,root) %dir %{_localstatedir}/lib/%{name}

 %if %{with mlogc}
-%files -n mlogc
+%files mlogc
 %doc mlogc/INSTALL
 %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/mlogc.conf
 %attr(0755,root,root) %dir %{_localstatedir}/log/mlogc
@ -141,8 +143,10 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 %endif

 %changelog
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-10
+- Resolves: #1930664 - RFE: Add a feature that can set a mod_security/libcurl
+  timeout for retrieving the rules
+- rename mlogc to mod_security-mlogc

 * Fri Jan 22 2021 Joe Orton <jorton@redhat.com> - 2.9.3-8
 - don't link against redundant apr-util dependent libraries