From e8ac0b9a3f52a0ebfd3d4a581fe119bfa63e0fe1 Mon Sep 17 00:00:00 2001
From: DistroBaker
Date: Thu, 11 Mar 2021 20:34:58 +0000
Subject: [PATCH] Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/mod_security.git#bfa3bdd4e8b195f45d0c670b6a784254f93e2fb4
---
 mod_security-2.9.3-remote-rules-timeout.patch | 85 +++++++++++++++++++
 mod_security.spec | 16 ++--
 2 files changed, 95 insertions(+), 6 deletions(-)
 create mode 100644 mod_security-2.9.3-remote-rules-timeout.patch

diff --git a/mod_security-2.9.3-remote-rules-timeout.patch b/mod_security-2.9.3-remote-rules-timeout.patch
new file mode 100644
index 0000000..1d347ac
--- /dev/null
+++ b/mod_security-2.9.3-remote-rules-timeout.patch
@@ -0,0 +1,85 @@
+diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
+index 80f8f2b..7912d84 100644
+--- a/apache2/apache2_config.c
++++ b/apache2/apache2_config.c
+@@ -2354,6 +2354,24 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
+ }
+
+
++static const char *cmd_remote_timeout(cmd_parms *cmd, void *_dcfg, const char *p1)
++{
++ directory_config *dcfg = (directory_config *)_dcfg;
++ long int timeout;
++
++ if (dcfg == NULL) return NULL;
++
++ timeout = strtol(p1, NULL, 10);
++ if ((timeout == LONG_MAX)||(timeout == LONG_MIN)||(timeout < 0)) {
++ return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRemoteTimeout: %s", p1);
++ }
++
++ remote_rules_timeout = timeout;
++
++ return NULL;
++}
++
++
+ static const char *cmd_status_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
+ {
+ if (strcasecmp(p1, "on") == 0) {
+@@ -3667,6 +3685,14 @@ const command_rec module_directives[] = {
+ "Abort or Warn"
+ ),
+
++ AP_INIT_TAKE1 (
++ "SecRemoteTimeout",
++ cmd_remote_timeout,
++ NULL,
++ CMD_SCOPE_ANY,
++ "timeout in seconds"
++ ),
++
+
+ AP_INIT_TAKE1 (
+ "SecXmlExternalEntity",
+diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
+index 7bb215e..c155495 100644
+--- a/apache2/mod_security2.c
++++ b/apache2/mod_security2.c
+@@ -79,6 +79,8 @@ msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
+ #endif
+ int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
+ char DSOLOCAL *remote_rules_fail_message = NULL;
++unsigned long int DSOLOCAL remote_rules_timeout = NOT_SET;
++
+
+ int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
+
+diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
+index f24bc75..8bcd453 100644
+--- a/apache2/modsecurity.h
++++ b/apache2/modsecurity.h
+@@ -150,6 +150,7 @@ extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
+ #endif
+ extern DSOLOCAL int remote_rules_fail_action;
+ extern DSOLOCAL char *remote_rules_fail_message;
++extern DSOLOCAL unsigned long int remote_rules_timeout;
+
+ extern DSOLOCAL int status_engine_state;
+
+diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
+index 99968f0..b8db13e 100644
+--- a/apache2/msc_remote_rules.c
++++ b/apache2/msc_remote_rules.c
+@@ -358,6 +358,11 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
+ /* We want Curl to return error in case there is an HTTP error code */
+ curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
+
++ /* In case we want different timeout than a default one */
++ if (remote_rules_timeout != NOT_SET){
++ curl_easy_setopt(curl, CURLOPT_TIMEOUT, remote_rules_timeout);
++ }
++
+ res = curl_easy_perform(curl);
+
+ if (res != CURLE_OK)
diff --git a/mod_security.spec b/mod_security.spec
index aa78c6a..0b5330c 100644
--- a/mod_security.spec
+++ b/mod_security.spec
@@ -10,7 +10,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.9.3 -Release: 9%{?dist} +Release: 10%{?dist} License: ASL 2.0 URL: http://www.modsecurity.org/ Source: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/modsecurity-%{version}.tar.gz
@@ -19,6 +19,7 @@ Source2: 10-mod_security.conf Source3: modsecurity_localrules.conf Patch0: modsecurity-2.9.3-lua-54.patch Patch1: modsecurity-2.9.3-apulibs.patch +Patch2: mod_security-2.9.3-remote-rules-timeout.patch Requires: httpd httpd-mmn = %{_httpd_mmn} %if 0%{?fedora} || 0%{?rhel} > 7
@@ -48,7 +49,7 @@ for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding web applications from attacks. %if %{with mlogc} -%package -n mlogc +%package mlogc Summary: ModSecurity Audit Log Collector Requires: mod_security %if 0%{?fedora} || 0%{?rhel} > 7
@@ -56,7 +57,7 @@ Requires: mod_security Requires(pre): httpd-filesystem %endif -%description -n mlogc +%description mlogc This package contains the ModSecurity Audit Log Collector. %endif
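Review bot: `cmd_remote_timeout` calls `strtol(p1, NULL, 10)` without an end pointer, so a non-numeric or partly numeric SecRemoteTimeout value (a typo, or `30s`) is accepted as 0 or as its numeric prefix rather than rejected; libcurl treats a CURLOPT_TIMEOUT of 0 as "no timeout", so a mistyped directive silently leaves the remote-rules download unbounded. Parse with an end pointer and reject leftovers: `char *end;`, `timeout = strtol(p1, &end, 10);`, `if (end == p1 || *end != '\0' || timeout == LONG_MAX || timeout < 0) {`. The directive is also registered with `CMD_SCOPE_ANY` while the handler writes the process-wide `remote_rules_timeout`, so the last directive parsed wins whatever context it appears in; a short comment on the handler should state that the setting is global rather than per-directory. The global is declared `unsigned long int` but holds the `NOT_SET` sentinel and is passed to a curl option that takes a `long`; declaring it `long` would avoid relying on implicit conversions (the definition of `NOT_SET` is not visible in this patch).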
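Review bot: Changing `%package -n mlogc` to `%package mlogc` renames the built subpackage from mlogc to mod_security-mlogc (the changelog says as much), and nothing visible in this hunk gives installed systems an upgrade path from the old name. Unless it is declared in a part of the spec not shown here, add `Obsoletes: mlogc < 2.9.3-10` and `Provides: mlogc = %{version}-%{release}` below the `%package mlogc` line; otherwise hosts with mlogc installed stay on the old build and stop receiving its fixes. The `%description` and `%files` hunks carry the same rename and need no separate change.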
@@ -70,6 +71,7 @@ This package contains the ModSecurity Audit Log Collector. --with-apxs=%{_httpd_apxs} \ --with-yajl \ --disable-static + # remove rpath sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
@@ -131,7 +133,7 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf %attr(770,apache,root) %dir %{_localstatedir}/lib/%{name} %if %{with mlogc} -%files -n mlogc +%files mlogc %doc mlogc/INSTALL %attr(0640,root,apache) %config(noreplace) %{_sysconfdir}/mlogc.conf %attr(0755,root,root) %dir %{_localstatedir}/log/mlogc
@@ -141,8 +143,10 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf %endif %changelog -* Tue Jan 26 2021 Fedora Release Engineering - 2.9.3-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild +* Tue Jan 26 2021 Fedora Release Engineering - 2.9.3-10 +- Resolves: #1930664 - RFE: Add a feature that can set a mod_security/libcurl + timeout for retrieving the rules +- rename mlogc to mod_security-mlogc * Fri Jan 22 2021 Joe Orton - 2.9.3-8 - don't link against redundant apr-util dependent libraries