Merge branch 'v2/master' into v2/stop_processing_after_reqbody_limit_for_process_partial

Author: hnakamur

.github/workflows/ci.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ubuntu-22.04]
+        os: [ubuntu-24.04]
         platform: [x32, x64]
         compiler: [gcc, clang]
         configure:
@@ -27,7 +27,7 @@ jobs:
       - name: Setup Dependencies
         run: |
           sudo apt-get update -y -qq
-          sudo apt-get install -y apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev pkg-config libyajl-dev apache2 apache2-bin apache2-data
+          sudo apt-get install -y apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev libpcre3-dev libpcre3 pkg-config libyajl-dev apache2 apache2-bin apache2-data
       - uses: actions/checkout@v2
       - name: autogen.sh
         run: ./autogen.sh
@@ -79,7 +79,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ubuntu-22.04]
+        os: [ubuntu-24.04]
         platform: [x32, x64]
         compiler: [gcc, clang]
         configure:
@@ -97,7 +97,7 @@ jobs:
       - name: Setup Dependencies
         run: |
           sudo apt-get update -y -qq
-          sudo apt-get install -y --no-install-recommends apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev pkg-config libyajl-dev apache2 apache2-bin apache2-data
+          sudo apt-get install -y --no-install-recommends apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev libpcre3-dev libpcre3 pkg-config libyajl-dev apache2 apache2-bin apache2-data
       - uses: actions/checkout@v2
       - name: autogen.sh
         run: ./autogen.sh
@@ -110,3 +110,68 @@ jobs:
         run: sudo make install
       - name: run tests
         run: make test
+
+  test-regression-linux:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-24.04]
+        platform: [x64]
+        compiler: [gcc]
+        configure:
+          - {label: "with pcre2, with study, with jit",  opt: "--enable-pcre-study=yes --enable-pcre-jit" }
+    steps:
+      - name: Setup Dependencies
+        run: |
+          sudo apt-get update -y -qq
+          sudo apt-get install -y --no-install-recommends apache2-dev libxml2-dev liblua5.1-0-dev libcurl4-gnutls-dev libpcre2-dev libpcre3-dev libpcre3 pkg-config libyajl-dev apache2 apache2-bin apache2-data perl libwww-perl ssdeep libfuzzy-dev libfuzzy2
+      - uses: actions/checkout@v2
+      - name: autogen.sh
+        run: ./autogen.sh
+      - name: configure ${{ matrix.configure.label }}
+        run: ./configure ${{ matrix.configure.opt }} 'CFLAGS=-Werror=format-security'
+      - uses: ammaraskar/gcc-problem-matcher@0f9c86f9e693db67dacf53986e1674de5f2e5f28 #v0.3.0
+      - name: make
+        run: make -j `nproc`
+      - name: install module
+        run: sudo make install
+      - name: run regression tests
+        run: make test-regression
+
+  cppcheck:
+    runs-on: [ubuntu-24.04]
+    container:
+      image: debian:sid
+    steps:
+      - name: Setup Dependencies
+        run: |
+              apt-get update -y -qq
+              apt-get install -y --no-install-recommends build-essential \
+              autoconf \
+              automake \
+              libtool \
+              pkg-config \
+              cppcheck \
+              apache2-dev \
+              libpcre2-dev \
+              libapr1-dev \
+              libaprutil1-dev \
+              libxml2-dev \
+              liblua5.3-dev \
+              libyajl-dev \
+              libfuzzy-dev \
+              ssdeep \
+              curl \
+              ca-certificates
+      - uses: actions/checkout@v4
+        with:
+          submodules: false
+          fetch-depth: 0
+      - name: configure
+        run: |
+          ./autogen.sh
+          ./configure --with-apxs=/usr/bin/apxs
+      - name: cppcheck
+        run: |
+          make check-static
+

Makefile.am

@@ -35,12 +35,28 @@ test: check
 test-regression:
 	(cd tests && $(MAKE) test-regression)
 
-test-regression-nginx:
-	(cd tests && $(MAKE) test-regression-nginx)
-
-
 cppcheck:
-	cppcheck . --enable=all --force 2>&1 | sed 's/^/warning: /g' 1>&2;
+	@cppcheck \
+	    -j `getconf _NPROCESSORS_ONLN 2>/dev/null || sysctl -n hw.ncpu || echo 1` \
+	    --enable=all \
+	    --force \
+	    --verbose \
+	    --library=gnu \
+	    --library=posix \
+	    --std=c++17 \
+		-I ./apache2 \
+	    -I /usr/include/libxml2 \
+		-I @APXS_INCLUDEDIR@ \
+	    -I @APR_INCLUDEDIR@ \
+	    -I @APU_INCLUDEDIR@ \
+	    --suppressions-list=./tests/cppcheck_suppressions.txt \
+	    --inline-suppr \
+	    --inconclusive \
+	    --template="warning: {file},{line},{severity},{id},{message}" \
+	    --error-exitcode=1 \
+		standalone/ 
+
+check-static: cppcheck
 
 check-coding-style:
 	for i in `(find . -iname "*.c" ; find . -iname "*.h")`; \

apache2/mod_security2.c

@@ -91,7 +91,7 @@ TreeRoot DSOLOCAL *conn_write_state_whitelist = 0;
 TreeRoot DSOLOCAL *conn_write_state_suspicious_list = 0;
 
 
-#if defined(WIN32) || defined(VERSION_NGINX)
+#if defined(WIN32)
 int (*modsecDropAction)(request_rec *r) = NULL;
 #endif
 static int server_limit, thread_limit;
@@ -235,7 +235,7 @@ int perform_interception(modsec_rec *msr) {
             break;
 
         case ACTION_PROXY :
-#if !(defined(VERSION_IIS)) && !(defined(VERSION_NGINX)) && !(defined(VERSION_STANDALONE))
+#if !(defined(VERSION_IIS)) && !(defined(VERSION_STANDALONE))
             if (msr->phase < 3) {
                 if (ap_find_linked_module("mod_proxy.c") == NULL) {
                     log_level = 1;
@@ -275,7 +275,7 @@ int perform_interception(modsec_rec *msr) {
             /* ENH This does not seem to work on Windows. Is there a
              *     better way to drop a connection anyway?
              */
-            #if !defined(WIN32) && !defined(VERSION_NGINX)
+            #if !defined(WIN32)
             {
                 extern module core_module;
                 apr_socket_t *csd;
@@ -608,10 +608,10 @@ static apr_status_t change_server_signature(server_rec *s) {
     char *server_version = NULL;
 
     /* This is a very particular way to handle the server banner. It is Apache
-     * only. Stanalone and descendants should address that in its specifics
-     * implementations, e.g. Nginx module.
+     * only. Standalone and descendants should address that in its specifics
+     * implementations, e.g. IIS module.
      */
-#if !(defined(VERSION_IIS)) && !(defined(VERSION_NGINX)) && !(defined(VERSION_STANDALONE))
+#if !(defined(VERSION_IIS)) && !(defined(VERSION_STANDALONE))
     if (new_server_signature == NULL) return 0;
 
     server_version = (char *)apache_get_server_version();

apache2/msc_lua.c

@@ -433,12 +433,12 @@ int lua_execute(msc_script *script, char *param, modsec_rec *msr, msre_rule *rul
 #else
 
     /* Create new state. */
-#if LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503 || LUA_VERSION_NUM == 504 || LUA_VERSION_NUM == 501
+#if LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503 || LUA_VERSION_NUM == 504 || LUA_VERSION_NUM == 505 || LUA_VERSION_NUM == 501
     L = luaL_newstate();
 #elif LUA_VERSION_NUM == 500
     L = lua_open();
 #else
-#error We are only tested under Lua 5.0, 5.1, 5.2, 5.3, or 5.4.
+#error We are only tested under Lua 5.0, 5.1, 5.2, 5.3, 5.4 or 5.5.
 #endif
     luaL_openlibs(L);
 
@@ -463,10 +463,10 @@ int lua_execute(msc_script *script, char *param, modsec_rec *msr, msre_rule *rul
     /* Register functions. */
 #if LUA_VERSION_NUM == 500 || LUA_VERSION_NUM == 501
     luaL_register(L, "m", mylib);
-#elif LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503 || LUA_VERSION_NUM == 504
+#elif LUA_VERSION_NUM == 502 || LUA_VERSION_NUM == 503 || LUA_VERSION_NUM == 504 || LUA_VERSION_NUM == 505
     luaL_setfuncs(L, mylib, 0);
 #else
-#error We are only tested under Lua 5.0, 5.1, 5.2, 5.3, or 5.4.
+#error We are only tested under Lua 5.0, 5.1, 5.2, 5.3, 5.4 or 5.5.
 #endif
 
     lua_setglobal(L, "m");

apache2/msc_release.h

@@ -49,19 +49,14 @@
   MODSEC_VERSION_SUFFIX
 
 /* Apache Module Defines */
-#ifdef	VERSION_IIS
-#define MODSEC_MODULE_NAME "ModSecurity for IIS (STABLE)"
+#if defined(VERSION_IIS)
+  #define MODSEC_MODULE_NAME "ModSecurity for IIS (STABLE)"
+#elif defined(VERSION_STANDALONE)
+  #define MODSEC_MODULE_NAME "ModSecurity Standalone (STABLE)"
 #else
-#ifdef	VERSION_NGINX
-#define MODSEC_MODULE_NAME "ModSecurity for nginx (STABLE)"
-#else
-#ifdef	VERSION_STANDALONE
-#define MODSEC_MODULE_NAME "ModSecurity Standalone (STABLE)"
-#else
-#define MODSEC_MODULE_NAME "ModSecurity for Apache"
-#endif
-#endif
+  #define MODSEC_MODULE_NAME "ModSecurity for Apache"
 #endif
+
 #define MODSEC_MODULE_VERSION MODSEC_VERSION
 #define MODSEC_MODULE_NAME_FULL MODSEC_MODULE_NAME "/" MODSEC_MODULE_VERSION " (http://www.modsecurity.org/)"
 

apache2/msc_status_engine.c

@@ -361,8 +361,6 @@ int DSOLOCAL msc_beacon_string (char *beacon_string, int beacon_string_max_len)
     modsec = MODSEC_VERSION;
 #ifdef VERSION_IIS
     apache = "IIS";
-#elif VERSION_NGINX
-    apache = "nginx";
 #else
     apache = real_server_signature;
 #endif

autogen.sh

@@ -9,7 +9,7 @@ rm -rf autom4te.cache
 rm -f aclocal.m4
 case `uname` in Darwin*) glibtoolize --force --copy ;;
   *) libtoolize --force --copy ;; esac
-autoreconf --install
+autoreconf --install --force
 autoheader
 automake --add-missing --foreign --copy --force-missing
 autoconf --force

configure.ac

@@ -189,7 +189,7 @@ fi
 # Standalone Module
 AC_ARG_ENABLE(standalone-module,
               AS_HELP_STRING([--enable-standalone-module],
-                             [Enable building standalone module.]),
+                             [Enable building standalone module (IIS, test server). Note: NGINX support has been removed.]),
 [
   if test "$enableval" != "no"; then
     build_standalone_module=1
@@ -297,7 +297,6 @@ if test "$build_docs" -eq 1; then
        AC_CONFIG_FILES([doc/doxygen-apache])
     fi
     if test "$build_standalone_module" -eq 1; then
-       AC_CONFIG_FILES([doc/doxygen-nginx])
        AC_CONFIG_FILES([doc/doxygen-iis])
        AC_CONFIG_FILES([doc/doxygen-standalone])
     fi
@@ -937,7 +936,6 @@ AC_CONFIG_FILES([apache2/Makefile])
 fi
 if test "$build_standalone_module" -ne 0; then
 AC_CONFIG_FILES([standalone/Makefile])
-AC_CONFIG_FILES([nginx/modsecurity/config])
 fi
 if test "$build_extentions" -ne 0; then
 AC_CONFIG_FILES([ext/Makefile])

doc/Makefile.am

@@ -6,9 +6,6 @@ iis:
 	$(DOXYGEN) doxygen-iis
 	touch iis.stamp
 
-nginx:
-	$(DOXYGEN) doxygen-nginx
-	touch nginx.stamp
 
 standalone:
 	$(DOXYGEN) doxygen-standalone
@@ -20,8 +17,8 @@ all-local: apache
 endif
 
 if BUILD_STANDALONE_MODULE
-all-local: iis nginx standalone
+all-local: iis standalone
 endif
 
 clean-local:
-	rm -rf apache iis nginx standalone
+	rm -rf apache iis standalone

doc/doxygen-apache.in

@@ -44,7 +44,7 @@ PROJECT_NUMBER         =
 # for a project that appears at the top of each page and should give viewer a
 # quick idea about the purpose of the project. Keep the description short.
 
-PROJECT_BRIEF          = "ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence."
+PROJECT_BRIEF          = "ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache and IIS that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence."
 
 # With the PROJECT_LOGO tag one can specify a logo or an icon that is included
 # in the documentation. The maximum height of the logo should not exceed 55