From nobody Mon Oct 11 16:16:27 2021 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 3AE101801361; Mon, 11 Oct 2021 16:16:28 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4HSkSX0w42z3lS0; Mon, 11 Oct 2021 16:16:28 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id F032D24037; Mon, 11 Oct 2021 16:16:27 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 19BGGRRX069801; Mon, 11 Oct 2021 16:16:27 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 19BGGR8Y069800; Mon, 11 Oct 2021 16:16:27 GMT (envelope-from git) Date: Mon, 11 Oct 2021 16:16:27 GMT Message-Id: <202110111616.19BGGR8Y069800@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org 
From: Ryan Steinmetz Subject: git: 0b71d7d972e6 - main - security/modsecurity3: Update to 3.0.5 List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: zi X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 0b71d7d972e6f39c36ff9cc93dfa5c349c4a949a Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by zi: URL: https://cgit.FreeBSD.org/ports/commit/?id=0b71d7d972e6f39c36ff9cc93dfa5c349c4a949a commit 0b71d7d972e6f39c36ff9cc93dfa5c349c4a949a Author: Ryan Steinmetz AuthorDate: 2021-10-11 16:14:56 +0000 Commit: Ryan Steinmetz CommitDate: 2021-10-11 16:16:10 +0000 security/modsecurity3: Update to 3.0.5 PR: 258801 Approved by: maintainer --- security/modsecurity3/Makefile | 6 +- security/modsecurity3/distinfo | 6 +- .../modsecurity3/files/patch-src_operators_rx.cc | 51 ------- .../modsecurity3/files/patch-src_utils_regex.cc | 40 ------ .../modsecurity3/files/patch-src_utils_regex.h | 35 ----- ...tch-test_test-cases_regression_variable-TX.json | 146 --------------------- security/modsecurity3/pkg-plist | 31 +++-- 7 files changed, 24 insertions(+), 291 deletions(-) diff --git a/security/modsecurity3/Makefile b/security/modsecurity3/Makefile index 9cee083b764e..6cffad6e8317 100644 --- a/security/modsecurity3/Makefile +++ b/security/modsecurity3/Makefile @@ -1,7 +1,6 @@ PORTNAME= modsecurity DISTVERSIONPREFIX= v -DISTVERSION= 3.0.4 -PORTREVISION= 2 +DISTVERSION= 3.0.5 CATEGORIES= security www MASTER_SITES= https://github.com/SpiderLabs/ModSecurity/releases/download/v${PORTVERSION}/ PKGNAMESUFFIX= 3 
@@ -17,10 +16,9 @@ LIB_DEPENDS= libcurl.so:ftp/curl \ libyajl.so:devel/yajl \ libmaxminddb.so:net/libmaxminddb -USES= compiler:c++11-lang cpe gmake gnome libtool pkgconfig:build +USES= cpe gmake gnome libtool pkgconfig:build USE_GNOME= libxml2 # GCC because of https://github.com/SpiderLabs/ModSecurity/issues/1411 -USE_GCC= yes USE_LDCONFIG= yes CPE_VENDOR= trustwave diff --git a/security/modsecurity3/distinfo b/security/modsecurity3/distinfo index 378c1b80adc1..5e9158a0a40c 100644 --- a/security/modsecurity3/distinfo +++ b/security/modsecurity3/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1579339210 -SHA256 (modsecurity-v3.0.4.tar.gz) = b4231177dd80b4e076b228e57d498670113b69d445bab86db25f65346c24db22 -SIZE (modsecurity-v3.0.4.tar.gz) = 2806291 +TIMESTAMP = 1632981543 +SHA256 (modsecurity-v3.0.5.tar.gz) = 751bf95a7a8d39c440d0c26ec1f73961550ca2eb2ac9e2e7a56dce2dd7b959e9 +SIZE (modsecurity-v3.0.5.tar.gz) = 3485840 diff --git a/security/modsecurity3/files/patch-src_operators_rx.cc b/security/modsecurity3/files/patch-src_operators_rx.cc deleted file mode 100644 index 0e8f626e59c1..000000000000 --- a/security/modsecurity3/files/patch-src_operators_rx.cc +++ /dev/null 
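Review bot: The comment `# GCC because of https://github.com/SpiderLabs/ModSecurity/issues/1411` stays as a context line in the second Makefile hunk while the `USE_GCC= yes` line it explained is removed, so the new Makefile carries a comment that no longer describes anything. Either delete the comment in the same change or, if that upstream issue still affects 3.0.5 when built with the base compiler, keep `USE_GCC= yes`. The same hunk also drops `compiler:c++11-lang` from `USES`, although the port still builds C++ sources (the deleted local patches target `.cc` files). If 3.0.5 needs a particular C++ standard, the `compiler:` entry should remain, possibly at a newer level; the hunk does not show why it was removed. Only these ten lines of the Makefile are visible, so any compensating setting elsewhere in the file cannot be checked from here.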
@@ -1,51 +0,0 @@ ---- src/operators/rx.cc.orig 2020-01-13 13:09:28 UTC -+++ src/operators/rx.cc -@@ -38,7 +38,6 @@ bool Rx::init(const std::string &arg, st - - bool Rx::evaluate(Transaction *transaction, Rule *rule, - const std::string& input, std::shared_ptr ruleMessage) { -- std::list matches; - Regex *re; - - if (m_param.empty() && !m_string->m_containsMacro) { -@@ -52,29 +51,29 @@ bool Rx::evaluate(Transaction *transacti - re = m_re; - } - -- matches = re->searchAll(input); -+ std::vector captures; -+ re->searchOneMatch(input, captures); -+ - if (rule && rule->m_containsCaptureAction && transaction) { -- int i = 0; -- matches.reverse(); -- for (const SMatch& a : matches) { -+ for (const Utils::SMatchCapture& capture : captures) { -+ const std::string capture_substring(input.substr(capture.m_offset,capture.m_length)); - transaction->m_collections.m_tx_collection->storeOrUpdateFirst( -- std::to_string(i), a.str()); -+ std::to_string(capture.m_group), capture_substring); - ms_dbg_a(transaction, 7, "Added regex subexpression TX." + -- std::to_string(i) + ": " + a.str()); -- transaction->m_matched.push_back(a.str()); -- i++; -+ std::to_string(capture.m_group) + ": " + capture_substring); -+ transaction->m_matched.push_back(capture_substring); - } - } - -- for (const auto & i : matches) { -- logOffset(ruleMessage, i.offset(), i.str().size()); -+ for (const auto & capture : captures) { -+ logOffset(ruleMessage, capture.m_offset, capture.m_length); - } - - if (m_string->m_containsMacro) { - delete re; - } - -- if (matches.size() > 0) { -+ if (captures.size() > 0) { - return true; - } - diff --git a/security/modsecurity3/files/patch-src_utils_regex.cc b/security/modsecurity3/files/patch-src_utils_regex.cc deleted file mode 100644 index ec2b6195545b..000000000000 --- a/security/modsecurity3/files/patch-src_utils_regex.cc +++ /dev/null 
@@ -1,40 +0,0 @@ ---- src/utils/regex.cc.orig 2020-01-13 13:09:28 UTC -+++ src/utils/regex.cc -@@ -16,10 +16,6 @@ - #include "src/utils/regex.h" - - #include --#include --#include --#include --#include - #include - #include - -@@ -99,6 +95,26 @@ std::list Regex::searchAll(const - return retList; - } - -+bool Regex::searchOneMatch(const std::string& s, std::vector& captures) const { -+ const char *subject = s.c_str(); -+ int ovector[OVECCOUNT]; -+ -+ int rc = pcre_exec(m_pc, m_pce, subject, s.size(), 0, 0, ovector, OVECCOUNT); -+ -+ for (int i = 0; i < rc; i++) { -+ size_t start = ovector[2*i]; -+ size_t end = ovector[2*i+1]; -+ size_t len = end - start; -+ if (end > s.size()) { -+ continue; -+ } -+ SMatchCapture capture(i, start, len); -+ captures.push_back(capture); -+ } -+ -+ return (rc > 0); -+} -+ - int Regex::search(const std::string& s, SMatch *match) const { - int ovector[OVECCOUNT]; - int ret = pcre_exec(m_pc, m_pce, s.c_str(), diff --git a/security/modsecurity3/files/patch-src_utils_regex.h b/security/modsecurity3/files/patch-src_utils_regex.h deleted file mode 100644 index 32652ce5c525..000000000000 --- a/security/modsecurity3/files/patch-src_utils_regex.h +++ /dev/null 
@@ -1,35 +0,0 @@ ---- src/utils/regex.h.orig 2020-01-13 13:09:28 UTC -+++ src/utils/regex.h -@@ -19,6 +19,7 @@ - #include - #include - #include -+#include - - #ifndef SRC_UTILS_REGEX_H_ - #define SRC_UTILS_REGEX_H_ -@@ -47,6 +48,16 @@ class SMatch { - size_t m_offset; - }; - -+struct SMatchCapture { -+ SMatchCapture(size_t group, size_t offset, size_t length) : -+ m_group(group), -+ m_offset(offset), -+ m_length(length) { } -+ -+ size_t m_group; // E.g. 0 = full match; 6 = capture group 6 -+ size_t m_offset; // offset of match within the analyzed string -+ size_t m_length; -+}; - - class Regex { - public: -@@ -58,6 +69,7 @@ class Regex { - Regex& operator=(const Regex&) = delete; - - std::list searchAll(const std::string& s) const; -+ bool searchOneMatch(const std::string& s, std::vector& captures) const; - int search(const std::string &s, SMatch *m) const; - int search(const std::string &s) const; - diff --git a/security/modsecurity3/files/patch-test_test-cases_regression_variable-TX.json b/security/modsecurity3/files/patch-test_test-cases_regression_variable-TX.json deleted file mode 100644 index 485a9081af87..000000000000 --- a/security/modsecurity3/files/patch-test_test-cases_regression_variable-TX.json +++ /dev/null 
@@ -1,146 +0,0 @@ ---- test/test-cases/regression/variable-TX.json.orig 2020-01-13 13:09:28 UTC -+++ test/test-cases/regression/variable-TX.json -@@ -80,5 +80,143 @@ - "SecRule REQUEST_HEADERS \"@rx ([A-z]+)\" \"id:1,log,pass,capture,id:14\"", - "SecRule TX:0 \"@rx ([A-z]+)\" \"id:15\"" - ] -+ }, -+ { -+ "enabled":1, -+ "version_min":300000, -+ "title":"Testing Variables :: capture group match after unused group", -+ "client":{ -+ "ip":"200.249.12.31", -+ "port":123 -+ }, -+ "server":{ -+ "ip":"200.249.12.31", -+ "port":80 -+ }, -+ "request":{ -+ "uri":"/?key=aadd", -+ "method":"GET" -+ }, -+ "response":{ -+ "headers":{ -+ "Date":"Mon, 13 Jul 2015 20:02:41 GMT", -+ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", -+ "Content-Type":"text/html" -+ }, -+ "body":[ -+ "no need." -+ ] -+ }, -+ "expected":{ -+ "debug_log":"Added regex subexpression TX\\.3: dd[\\s\\S]*Target value: \"dd\" \\(Variable\\: TX\\:3[\\s\\S]*Rule returned 1" -+ }, -+ "rules":[ -+ "SecRuleEngine On", -+ "SecRule ARGS \"@rx (aa)(bb|cc)?(dd)\" \"id:1,log,pass,capture,id:16\"", -+ "SecRule TX:3 \"@streq dd\" \"id:19,phase:2,log,pass\"" -+ ] -+ }, -+ { -+ "enabled":1, -+ "version_min":300000, -+ "title":"Testing Variables :: empty capture group match followed by nonempty capture group", -+ "client":{ -+ "ip":"200.249.12.31", -+ "port":123 -+ }, -+ "server":{ -+ "ip":"200.249.12.31", -+ "port":80 -+ }, -+ "request":{ -+ "uri":"/?key=aadd", -+ "method":"GET" -+ }, -+ "response":{ -+ "headers":{ -+ "Date":"Mon, 13 Jul 2015 20:02:41 GMT", -+ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", -+ "Content-Type":"text/html" -+ }, -+ "body":[ -+ "no need." 
-+ ] -+ }, -+ "expected":{ -+ "debug_log":"Added regex subexpression TX\\.3: dd[\\s\\S]*Target value: \"dd\" \\(Variable\\: TX\\:3[\\s\\S]*Rule returned 1" -+ }, -+ "rules":[ -+ "SecRuleEngine On", -+ "SecRule ARGS \"@rx (aa)(bb|cc|)(dd)\" \"id:18,phase:1,log,pass,capture\"", -+ "SecRule TX:3 \"@streq dd\" \"id:19,phase:2,log,pass\"" -+ ] -+ }, -+ { -+ "enabled":1, -+ "version_min":300000, -+ "title":"Testing Variables :: repeating capture group -- alternates", -+ "client":{ -+ "ip":"200.249.12.31", -+ "port":123 -+ }, -+ "server":{ -+ "ip":"200.249.12.31", -+ "port":80 -+ }, -+ "request":{ -+ "uri":"/?key=_abc123_", -+ "method":"GET" -+ }, -+ "response":{ -+ "headers":{ -+ "Date":"Mon, 13 Jul 2015 20:02:41 GMT", -+ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", -+ "Content-Type":"text/html" -+ }, -+ "body":[ -+ "no need." -+ ] -+ }, -+ "expected":{ -+ "debug_log":"Added regex subexpression TX\\.2: abc[\\s\\S]*Added regex subexpression TX\\.3: 123" -+ }, -+ "rules":[ -+ "SecRuleEngine On", -+ "SecRule ARGS \"@rx _((?:(abc)|(123))+)_\" \"id:18,phase:1,log,pass,capture\"" -+ ] -+ }, -+ { -+ "enabled":1, -+ "version_min":300000, -+ "title":"Testing Variables :: repeating capture group -- same (nested)", -+ "client":{ -+ "ip":"200.249.12.31", -+ "port":123 -+ }, -+ "server":{ -+ "ip":"200.249.12.31", -+ "port":80 -+ }, -+ "request":{ -+ "uri":"/?key=a:5a:8a:9", -+ "method":"GET" -+ }, -+ "response":{ -+ "headers":{ -+ "Date":"Mon, 13 Jul 2015 20:02:41 GMT", -+ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", -+ "Content-Type":"text/html" -+ }, -+ "body":[ -+ "no need." -+ ] -+ }, -+ "expected":{ -+ "debug_log":"Added regex subexpression TX\\.1: 5[\\s\\S]*Added regex subexpression TX\\.2: 8[\\s\\S]*Added regex subexpression TX\\.3: 9" -+ }, -+ "rules":[ -+ "SecRuleEngine On", -+ "SecRule ARGS \"@rx a:([0-9])(?:a:([0-9])(?:a:([0-9]))*)*\" \"id:18,phase:1,log,pass,capture\"" -+ ] - } - ] 
diff --git a/security/modsecurity3/pkg-plist b/security/modsecurity3/pkg-plist
index b3c760bc04f2..44f6c5f9c1a0 100644
--- a/security/modsecurity3/pkg-plist
+++ b/security/modsecurity3/pkg-plist
@@ -1,22 +1,29 @@
 bin/modsec-rules-check
-include/modsecurity/actions/action.h
 include/modsecurity/anchored_set_variable.h
+include/modsecurity/anchored_set_variable_translation_proxy.h
+include/modsecurity/rule_message.h
+include/modsecurity/rule_unconditional.h
+include/modsecurity/variable_origin.h
+include/modsecurity/transaction.h
 include/modsecurity/anchored_variable.h
-include/modsecurity/audit_log.h
-include/modsecurity/collection/collection.h
-include/modsecurity/collection/collections.h
-include/modsecurity/debug_log.h
 include/modsecurity/intervention.h
+include/modsecurity/collection/collections.h
+include/modsecurity/collection/collection.h
+include/modsecurity/rule_with_operator.h
+include/modsecurity/variable_value.h
+include/modsecurity/rules_set.h
+include/modsecurity/audit_log.h
 include/modsecurity/modsecurity.h
-include/modsecurity/reading_logs_via_rule_message.h
-include/modsecurity/rule.h
-include/modsecurity/rule_message.h
+include/modsecurity/debug_log.h
+include/modsecurity/rule_with_actions.h
+include/modsecurity/rules_set_properties.h
+include/modsecurity/rule_marker.h
 include/modsecurity/rules.h
 include/modsecurity/rules_exceptions.h
-include/modsecurity/rules_properties.h
-include/modsecurity/transaction.h
-include/modsecurity/variable_origin.h
-include/modsecurity/variable_value.h
+include/modsecurity/rules_set_phases.h
+include/modsecurity/reading_logs_via_rule_message.h
+include/modsecurity/actions/action.h
+include/modsecurity/rule.h
 lib/libmodsecurity.a
 lib/libmodsecurity.so
 lib/libmodsecurity.so.3
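Review bot: The new `include/modsecurity/` entries are not in sorted order, unlike the list they replace; for example `include/modsecurity/transaction.h` now precedes `include/modsecurity/anchored_variable.h`. As a result, headers that only moved (`audit_log.h`, `debug_log.h`, `rule_message.h`, `variable_value.h` and others) show up as removed and re-added, which hides the real changes. Sorting the list would reduce the hunk to those: `rules_properties.h` is gone, and `rules_set.h`, `rules_set_properties.h`, `rules_set_phases.h`, `rule_with_actions.h`, `rule_with_operator.h`, `rule_unconditional.h`, `rule_marker.h` and `anchored_set_variable_translation_proxy.h` are new. The installed header set changes while `lib/libmodsecurity.so.3` keeps its name, so ports built against the 3.0.4 headers presumably need a rebuild; the commit does not show whether dependents were bumped.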