From 954ebcb7779388b11b23fc523be5236411a63d33 Mon Sep 17 00:00:00 2001
From: Andrei Belov
Date: Tue, 25 Dec 2018 17:59:03 +0300
Subject: [PATCH 1/4] Implemented merge() method for ConfigInt, ConfigDouble, ConfigString
This change makes the following directives to be merged properly: SecRequestBodyLimit SecResponseBodyLimit SecUploadFileLimit SecUploadFileMode SecUploadDir SecTmpDir SecArgumentSeparator SecWebAppId SecHttpBlKey
---
 headers/modsecurity/rules_properties.h | 79 ++++++++++++--------------
 1 file changed, 36 insertions(+), 43 deletions(-)
diff --git a/headers/modsecurity/rules_properties.h b/headers/modsecurity/rules_properties.h
index 73fab2186c..80021a2d9d 100644
--- a/headers/modsecurity/rules_properties.h
+++ b/headers/modsecurity/rules_properties.h
@@ -54,6 +54,15 @@ class ConfigInt {
 ConfigInt() : m_set(false), m_value(0) { }
 bool m_set;
 int m_value;
+
+ void merge(ConfigInt *from) {
+ if (m_set == true || from->m_set == false) {
+ return;
+ }
+ m_set = true;
+ m_value = from->m_value;
+ return;
+ }
 };
@@ -62,6 +71,15 @@ class ConfigDouble {
 ConfigDouble() : m_set(false), m_value(0) { }
 bool m_set;
 double m_value;
+
+ void merge(ConfigDouble *from) {
+ if (m_set == true || from->m_set == false) {
+ return;
+ }
+ m_set = true;
+ m_value = from->m_value;
+ return;
+ }
 };
@@ -70,6 +88,15 @@ class ConfigString {
 ConfigString() : m_set(false), m_value("") { }
 bool m_set;
 std::string m_value;
+
+ void merge(ConfigString *from) {
+ if (m_set == true || from->m_set == false) {
+ return;
+ }
+ m_set = true;
+ m_value = from->m_value;
+ return;
+ }
 };
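Review bot: `ConfigInt::merge()` takes a mutable `ConfigInt *from` and dereferences it without a null check although it only reads from it; `void merge(const ConfigInt *from)` states the contract and still accepts the `&from->...` call sites in this patch. The method also needs a comment saying which side wins, e.g. `// Keeps this value if already set; otherwise copies from's value when from is set.`, because that precedence decides which SecRequestBodyLimit or SecUploadFileMode ends up in effect. The trailing `return;` is redundant. The same points apply to the identical `merge()` bodies added to `ConfigDouble` and `ConfigString` in the next two hunks; each class starts above its hunk.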
@@ -341,15 +368,8 @@ class RulesProperties {
 to->m_tmpSaveUploadedFiles = from->m_tmpSaveUploadedFiles;
 }
-
- if (from->m_requestBodyLimit.m_set == true) {
- to->m_requestBodyLimit.m_value = from->m_requestBodyLimit.m_value;
- to->m_requestBodyLimit.m_set = true;
- }
-
- if (from->m_responseBodyLimit.m_set == true) {
- to->m_responseBodyLimit.m_value = from->m_responseBodyLimit.m_value;
- to->m_responseBodyLimit.m_set = true;
- }
+ to->m_requestBodyLimit.merge(&from->m_requestBodyLimit);
+ to->m_responseBodyLimit.merge(&from->m_responseBodyLimit);
 if (from->m_requestBodyLimitAction != PropertyNotSetBodyLimitAction) {
 to->m_requestBodyLimitAction = from->m_requestBodyLimitAction;
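Review bot: The precedence between `to` and `from` is neither documented nor tested at these call sites, and it changes here: the removed lines let a set `from->m_requestBodyLimit` overwrite `to`, while `merge()` copies it only when `to` is unset. These directives cap request and response body sizes, so the winning side should be stated next to the calls, e.g. `// 'to' keeps its own settings; 'from' only fills in what 'to' left unset`. Each patch's diffstat lists only rules_properties.h, so no regression test covers the case where both sides set a directive; one should accompany the series. The same holds for the call sites in the `@@ -359,45` hunk and in patches 2/4 to 4/4 (SecRuleEngine, the body-access and XML-external-entity booleans, the limit actions). The enclosing function starts and ends outside this hunk.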
@@ -359,45 +379,18 @@ class RulesProperties {
 to->m_responseBodyLimitAction = from->m_responseBodyLimitAction;
 }
- if (from->m_uploadFileLimit.m_set == true) {
- to->m_uploadFileLimit.m_value = from->m_uploadFileLimit.m_value;
- to->m_uploadFileLimit.m_set = true;
- }
+ to->m_uploadFileLimit.merge(&from->m_uploadFileLimit);
+ to->m_uploadFileMode.merge(&from->m_uploadFileMode);
+ to->m_uploadDirectory.merge(&from->m_uploadDirectory);
+ to->m_uploadTmpDirectory.merge(&from->m_uploadTmpDirectory);
- if (from->m_uploadFileMode.m_set == true) {
- to->m_uploadFileMode.m_value = from->m_uploadFileMode.m_value;
- to->m_uploadFileMode.m_set = true;
- }
+ to->m_secArgumentSeparator.merge(&from->m_secArgumentSeparator);
- if (from->m_uploadDirectory.m_set == true) {
- to->m_uploadDirectory.m_value = from->m_uploadDirectory.m_value;
- to->m_uploadDirectory.m_set = true;
- }
-
- if (from->m_uploadTmpDirectory.m_set == true) {
- to->m_uploadTmpDirectory.m_value = \
- from->m_uploadTmpDirectory.m_value;
- to->m_uploadTmpDirectory.m_set = true;
- }
-
- if (from->m_secArgumentSeparator.m_set == true) {
- to->m_secArgumentSeparator.m_value = \
- from->m_secArgumentSeparator.m_value;
- to->m_secArgumentSeparator.m_set = true;
- }
-
- if (from->m_secWebAppId.m_set == true) {
- to->m_secWebAppId.m_value = \
- from->m_secWebAppId.m_value;
- to->m_secWebAppId.m_set = true;
- }
+ to->m_secWebAppId.merge(&from->m_secWebAppId);
 to->m_unicodeMapTable.merge(&from->m_unicodeMapTable);
- if (from->m_httpblKey.m_set == true) {
- to->m_httpblKey.m_value = from->m_httpblKey.m_value;
- to->m_httpblKey.m_set = from->m_httpblKey.m_set;
- }
+ to->m_httpblKey.merge(&from->m_httpblKey);
 to->m_exceptions.merge(&from->m_exceptions);
From 6d0b753f90beff68c0e1f3b81a7fe24d2799faae Mon Sep 17 00:00:00 2001
From: Andrei Belov
Date: Tue, 25 Dec 2018 18:33:30 +0300
Subject: [PATCH 2/4] Implemented merge_boolean_value() for ConfigBoolean
This change makes the following directives to be merged properly: SecRequestBodyAccess SecResponseBodyAccess SecXmlExternalEntity SecUploadKeepFiles SecTmpSaveUploadedFiles
---
 headers/modsecurity/rules_properties.h | 35 +++++++++++++++-----------
 1 file changed, 20 insertions(+), 15 deletions(-)
diff --git a/headers/modsecurity/rules_properties.h b/headers/modsecurity/rules_properties.h
index 80021a2d9d..b78cb534cb 100644
--- a/headers/modsecurity/rules_properties.h
+++ b/headers/modsecurity/rules_properties.h
@@ -37,6 +37,11 @@
 #define CODEPAGE_SEPARATORS " \t\n\r"
+#define merge_boolean_value(to, from, default) \
+ if (to == PropertyNotSetConfigBoolean) { \
+ to = (from == PropertyNotSetConfigBoolean) ? default : from; \
+ }
+
 #ifdef __cplusplus
 namespace modsecurity {
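Review bot: `merge_boolean_value` expands to a bare `if` block with unparenthesized arguments, which is unsafe as the body of an unbraced `if`/`else`, and it is defined above the `#ifdef __cplusplus` guard of a header under headers/modsecurity, so it enters the macro namespace of every file that includes it. Its third parameter is named `default`, a keyword, and the call sites in the next hunk always pass `PropertyNotSetConfigBoolean` for it, so the ternary always yields `from`. I would wrap the body in `do { ... } while (0)`, parenthesize the arguments and rename the parameter, as below; an inline function template inside the namespace would avoid the macro altogether. The same applies to `merge_ruleengine_value` in patch 3/4 and `merge_bodylimitaction_value` in patch 4/4.

```cpp
#define merge_boolean_value(to, from, dflt) \
    do { \
        if ((to) == PropertyNotSetConfigBoolean) { \
            (to) = ((from) == PropertyNotSetConfigBoolean) ? (dflt) : (from); \
        } \
    } while (0)
```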
@@ -348,25 +353,25 @@ class RulesProperties {
 to->m_secRuleEngine = from->m_secRuleEngine;
 }
- if (from->m_secRequestBodyAccess != PropertyNotSetConfigBoolean) {
- to->m_secRequestBodyAccess = from->m_secRequestBodyAccess;
- }
+ merge_boolean_value(to->m_secRequestBodyAccess,
+ from->m_secRequestBodyAccess,
+ PropertyNotSetConfigBoolean);
- if (from->m_secResponseBodyAccess != PropertyNotSetConfigBoolean) {
- to->m_secResponseBodyAccess = from->m_secResponseBodyAccess;
- }
+ merge_boolean_value(to->m_secResponseBodyAccess,
+ from->m_secResponseBodyAccess,
+ PropertyNotSetConfigBoolean);
- if (from->m_secXMLExternalEntity != PropertyNotSetConfigBoolean) {
- to->m_secXMLExternalEntity = from->m_secXMLExternalEntity;
- }
+ merge_boolean_value(to->m_secXMLExternalEntity,
+ from->m_secXMLExternalEntity,
+ PropertyNotSetConfigBoolean);
- if (from->m_uploadKeepFiles != PropertyNotSetConfigBoolean) {
- to->m_uploadKeepFiles = from->m_uploadKeepFiles;
- }
+ merge_boolean_value(to->m_uploadKeepFiles,
+ from->m_uploadKeepFiles,
+ PropertyNotSetConfigBoolean);
- if (from->m_tmpSaveUploadedFiles != PropertyNotSetConfigBoolean) {
- to->m_tmpSaveUploadedFiles = from->m_tmpSaveUploadedFiles;
- }
+ merge_boolean_value(to->m_tmpSaveUploadedFiles,
+ from->m_tmpSaveUploadedFiles,
+ PropertyNotSetConfigBoolean);
 to->m_requestBodyLimit.merge(&from->m_requestBodyLimit);
 to->m_responseBodyLimit.merge(&from->m_responseBodyLimit);
From f023122382f69d50aab644072cb26a95dcae2913 Mon Sep 17 00:00:00 2001
From: Andrei Belov
Date: Tue, 25 Dec 2018 18:43:20 +0300
Subject: [PATCH 3/4] Implemented merge_ruleengine_value() for RuleEngine
This change makes the SecRuleEngine directive to be merged properly.
---
 headers/modsecurity/rules_properties.h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/headers/modsecurity/rules_properties.h b/headers/modsecurity/rules_properties.h
index b78cb534cb..dcd16420b2 100644
--- a/headers/modsecurity/rules_properties.h
+++ b/headers/modsecurity/rules_properties.h
@@ -42,6 +42,11 @@
 to = (from == PropertyNotSetConfigBoolean) ? default : from; \
 }
+#define merge_ruleengine_value(to, from, default) \
+ if (to == PropertyNotSetRuleEngine) { \
+ to = (from == PropertyNotSetRuleEngine) ? default : from; \
+ }
+
 #ifdef __cplusplus
 namespace modsecurity {
@@ -349,9 +354,8 @@ class RulesProperties {
 return amount_of_rules;
 }
- if (from->m_secRuleEngine != PropertyNotSetRuleEngine) {
- to->m_secRuleEngine = from->m_secRuleEngine;
- }
+ merge_ruleengine_value(to->m_secRuleEngine, from->m_secRuleEngine,
+ PropertyNotSetRuleEngine);
 merge_boolean_value(to->m_secRequestBodyAccess,
 from->m_secRequestBodyAccess,
From f6afbd09d8736ff1a142568202fd00370379a670 Mon Sep 17 00:00:00 2001
From: Andrei Belov
Date: Tue, 25 Dec 2018 18:50:24 +0300
Subject: [PATCH 4/4] Implemented merge_bodylimitaction_value() for BodyLimitAction
This change makes the following directives to be merged properly: SecRequestBodyLimitAction SecResponseBodyLimitAction
---
 headers/modsecurity/rules_properties.h | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/headers/modsecurity/rules_properties.h b/headers/modsecurity/rules_properties.h
index dcd16420b2..c43578faa6 100644
--- a/headers/modsecurity/rules_properties.h
+++ b/headers/modsecurity/rules_properties.h
@@ -47,6 +47,11 @@
 to = (from == PropertyNotSetRuleEngine) ? default : from; \
 }
+#define merge_bodylimitaction_value(to, from, default) \
+ if (to == PropertyNotSetBodyLimitAction) { \
+ to = (from == PropertyNotSetBodyLimitAction) ? default : from; \
+ }
+
 #ifdef __cplusplus
 namespace modsecurity {
@@ -380,13 +385,13 @@ class RulesProperties { to->m_requestBodyLimit.merge(&from->m_requestBodyLimit); to->m_responseBodyLimit.merge(&from->m_responseBodyLimit); - if (from->m_requestBodyLimitAction != PropertyNotSetBodyLimitAction) { - to->m_requestBodyLimitAction = from->m_requestBodyLimitAction; - } + merge_bodylimitaction_value(to->m_requestBodyLimitAction, + from->m_requestBodyLimitAction, + PropertyNotSetBodyLimitAction); - if (from->m_responseBodyLimitAction != PropertyNotSetBodyLimitAction) { - to->m_responseBodyLimitAction = from->m_responseBodyLimitAction; - } + merge_bodylimitaction_value(to->m_responseBodyLimitAction, + from->m_responseBodyLimitAction, + PropertyNotSetBodyLimitAction); to->m_uploadFileLimit.merge(&from->m_uploadFileLimit); to->m_uploadFileMode.merge(&from->m_uploadFileMode);