nginx: copies the req body chain to be processed instead of move

Felipe Zimmerle · daniilyar · commit c712a1629433 · 2016-02-05T15:51:51.000+03:00
Add a check for the definition MOVE_REQUEST_CHAIN_TO_MODSEC, whenever it is set the chain will be moved into the brigade. If it was not set the chain will be only copied. Moving was causing segfaults on the following regression tests: owasp-modsecurity#15 - SecRequestBodyInMemoryLimit owasp-modsecurity#16 - SecRequestBodyInMemoryLimit (greater) owasp-modsecurity#19 - SecRequestBodyLimitAction ProcessPartial (multipart/greater - chunked) (from: regression/config/10-request-directives.t)
diff --git a/nginx/modsecurity/ngx_http_modsecurity.c b/nginx/modsecurity/ngx_http_modsecurity.c
@@ -21,7 +21,6 @@
 /* Those are defined twice, lets keep it defined just once by `undef`
  * the first one.
  */
- */
 #undef CR
 #undef LF
 #undef CRLF
@@ -566,7 +565,6 @@ ngx_http_modsecurity_load_request_body(ngx_http_request_t *r)
     ngx_log_debug(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
         "ModSec: loading request body.");
 
-
     ngx_log_debug(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
         "ModSec: loading request body.");
 
@@ -600,6 +598,10 @@ ngx_http_modsecurity_load_request_body(ngx_http_request_t *r)
     }
 #endif
 
+        return NGX_ERROR;
+    }
+#endif
+
     return NGX_OK;
 }
 static ngx_inline ngx_int_t
@@ -610,6 +612,7 @@ ngx_http_modsecurity_save_request_body(ngx_http_request_t *r)
     apr_off_t content_length;
     ngx_buf_t *buf;
 #endif
+
    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity);
 
 #ifdef MOVE_REQUEST_CHAIN_TO_MODSEC
@@ -652,10 +655,15 @@ ngx_http_modsecurity_save_request_body(ngx_http_request_t *r)
 
     }
 
-
     r->headers_in.content_length_n = content_length;
 
-    ngx_log_debug(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "ModSec: Content length: %O, Content length n: %O", content_length, r->headers_in.content_length_n);
+    ngx_log_debug(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+            "ModSec: Content length: %O, Content length n: %O", content_length,
+            r->headers_in.content_length_n);
+#else
+    apr_brigade_cleanup(ctx->brigade);
+#endif
+
     return NGX_OK;
 }
 
@@ -1238,10 +1246,18 @@ ngx_http_modsecurity_handler(ngx_http_request_t *r) {
 
         ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
             "ModSec: request is ready to be processed.");
-        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, 
-                "ModSec: chuncked? %d", r->chunked);
-        ngx_http_modsecurity_process_request(r);
+        rc = ngx_http_modsecurity_process_request(r);
         ctx->request_processed = 1;
+
+        if (rc == NGX_ERROR || rc >= NGX_HTTP_SPECIAL_RESPONSE) {
+            ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                "ModSec: returning a special response after process " \
+                "a request: %d", rc);
+
+           return rc;
+        }
+
+
     }
 
         ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
