diff --git a/CHANGES b/CHANGES index 8159ec3053..451571e2c4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ v3.x.y - YYYY-MMM-DD (to be released) ------------------------------------- + - Fix: quoted Include config with wildcard + [Issue #2905 - @wiseelf, @airween, @martinhsv] - Support isolated PCRE match limits [Issue #2736 - @brandonpayton, @martinhsv] - Fix: meta actions not applied if multiMatch in first rule of chain diff --git a/src/parser/seclang-scanner.cc b/src/parser/seclang-scanner.cc index 22c04dd281..62d90a2dce 100644 --- a/src/parser/seclang-scanner.cc +++ b/src/parser/seclang-scanner.cc @@ -1,5 +1,5 @@ -#line 2 "seclang-scanner.cc" +#line 3 "seclang-scanner.cc" #define YY_INT_ALIGNED short int @@ -5128,7 +5128,7 @@ static const flex_int16_t yy_rule_linenum[546] = 1174, 1179, 1181, 1182, 1183, 1184, 1186, 1187, 1188, 1189, 1191, 1192, 1193, 1194, 1196, 1198, 1199, 1201, 1202, 1203, 1204, 1206, 1211, 1212, 1213, 1217, 1218, 1219, 1224, 1226, - 1227, 1228, 1247, 1276, 1307 + 1227, 1228, 1247, 1276, 1306 } ; /* The intent behind this definition is that it'll catch @@ -5214,15 +5214,15 @@ static std::stack YY_PREVIOUS_STATE; #define BEGIN_PREVIOUS() { BEGIN(YY_PREVIOUS_STATE.top()); YY_PREVIOUS_STATE.pop(); } // The location of the current token. -#line 5217 "seclang-scanner.cc" +#line 5218 "seclang-scanner.cc" #define YY_NO_INPUT 1 #line 494 "seclang-scanner.ll" // Code run each time a pattern is matched. # define YY_USER_ACTION driver.loc.back()->columns (yyleng); -#line 5224 "seclang-scanner.cc" #line 5225 "seclang-scanner.cc" +#line 5226 "seclang-scanner.cc" #define INITIAL 0 #define EXPECTING_ACTION_PREDICATE_VARIABLE 1 @@ -5544,7 +5544,7 @@ YY_DECL // Code run each time yylex is called. driver.loc.back()->step(); -#line 5547 "seclang-scanner.cc" +#line 5548 "seclang-scanner.cc" while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */ { 
@@ -8597,9 +8597,9 @@ YY_RULE_SETUP { std::string err; const char *tmpStr = yytext + strlen("include"); - const char *file = tmpStr + strspn( tmpStr, " \t"); - char *f = strdup(file); - std::string fi = modsecurity::utils::find_resource(f, *driver.loc.back()->end.filename, &err); + const char *afterWhitespace = tmpStr + strspn( tmpStr, " \t"); + std::string file(afterWhitespace+1, strlen(afterWhitespace)-2); + std::string fi = modsecurity::utils::find_resource(file, *driver.loc.back()->end.filename, &err); if (fi.empty() == true) { BEGIN(INITIAL); driver.error (*driver.loc.back(), "", file + std::string(": Not able to open file. ") + err); @@ -8622,13 +8622,12 @@ YY_RULE_SETUP } yypush_buffer_state(yy_create_buffer( yyin, YY_BUF_SIZE )); } - free(f); } YY_BREAK case 545: /* rule 545 can match eol */ YY_RULE_SETUP -#line 1307 "seclang-scanner.ll" +#line 1306 "seclang-scanner.ll" { HttpsClient c; std::string key; @@ -8667,7 +8666,7 @@ YY_RULE_SETUP YY_BREAK case 546: YY_RULE_SETUP -#line 1344 "seclang-scanner.ll" +#line 1343 "seclang-scanner.ll" ECHO; YY_BREAK #line 8673 "seclang-scanner.cc" @@ -9775,7 +9774,7 @@ void yyfree (void * ptr ) /* %ok-for-header */ -#line 1344 "seclang-scanner.ll" +#line 1343 "seclang-scanner.ll" namespace modsecurity { diff --git a/src/parser/seclang-scanner.ll b/src/parser/seclang-scanner.ll index cf02b32bfd..4f7bcd0f99 100755 --- a/src/parser/seclang-scanner.ll +++ b/src/parser/seclang-scanner.ll 
@@ -1275,9 +1275,9 @@ EQUALS_MINUS (?i:=\-) {CONFIG_INCLUDE}[ \t]+["]{CONFIG_VALUE_PATH}["] { std::string err; const char *tmpStr = yytext + strlen("include"); - const char *file = tmpStr + strspn( tmpStr, " \t"); - char *f = strdup(file); - std::string fi = modsecurity::utils::find_resource(f, *driver.loc.back()->end.filename, &err); + const char *afterWhitespace = tmpStr + strspn( tmpStr, " \t"); + std::string file(afterWhitespace+1, strlen(afterWhitespace)-2); + std::string fi = modsecurity::utils::find_resource(file, *driver.loc.back()->end.filename, &err); if (fi.empty() == true) { BEGIN(INITIAL); driver.error (*driver.loc.back(), "", file + std::string(": Not able to open file. ") + err); @@ -1300,7 +1300,6 @@ EQUALS_MINUS (?i:=\-) } yypush_buffer_state(yy_create_buffer( yyin, YY_BUF_SIZE )); } - free(f); } {CONFIG_SEC_REMOTE_RULES}[ ][^ ]+[ ][^\n\r ]+ { diff --git a/test/test-cases/regression/config-include.json b/test/test-cases/regression/config-include.json index a2e0b91081..ab73de0760 100644 --- a/test/test-cases/regression/config-include.json +++ b/test/test-cases/regression/config-include.json @@ -2,7 +2,7 @@ { "enabled":1, "version_min":300000, - "title":"Include (1/7)", + "title":"Include (1/8)", "client":{ "ip":"200.249.12.31", "port":123 @@ -42,7 +42,7 @@ { "enabled":1, "version_min":300000, - "title":"Include (2/7)", + "title":"Include (2/8)", "client":{ "ip":"200.249.12.31", "port":123 @@ -82,7 +82,7 @@ { "enabled":1, "version_min":300000, - "title":"Include (3/7)", + "title":"Include (3/8)", "client":{ "ip":"200.249.12.31", "port":123 @@ -122,7 +122,7 @@ { "enabled":1, "version_min":300000, - "title":"Include (4/7)", + "title":"Include (4/8)", "client":{ "ip":"200.249.12.31", "port":123 @@ -162,7 +162,7 @@ { "enabled":1, "version_min":300000, - "title":"Include (5/7)", + "title":"Include (5/8)", "client":{ "ip":"200.249.12.31", "port":123 
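Review bot: The unquoting in `std::string file(afterWhitespace+1, strlen(afterWhitespace)-2);` is only safe because the rule pattern `["]{CONFIG_VALUE_PATH}["]` guarantees a quote at both ends of the match. `strlen(...)-2` is unsigned, so if the pattern is ever relaxed (an optional closing quote, trailing whitespace in the match) the length wraps around and the constructor reads past the end of yytext. I would state the invariant next to that line, e.g. `// match is "<path>": drop the opening and closing quote the pattern guarantees`, or check the length before subtracting. The value passed to `find_resource` decides which rule files get loaded, so the stripping deserves that explicit note. The action body continues outside the hunk, and the same lines appear in the generated seclang-scanner.cc hunk at `@@ -8597,9 +8597,9`, which should pick up any change on regeneration.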
@@ -203,7 +203,7 @@ { "enabled":1, "version_min":300000, - "title":"Include (6/7)", + "title":"Include (6/8)", "client":{ "ip":"200.249.12.31", "port":123 @@ -243,7 +243,7 @@ { "enabled":1, "version_min":300000, - "title":"Include (7/7)", + "title":"Include (7/8)", "client":{ "ip":"200.249.12.31", "port":123 @@ -279,5 +279,45 @@ "Include test-cases/data/conasdffig_example2.txt", "SecRule ARGS \"@contains test\" \"id:9,pass,t:trim\"" ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Include (8/8) -- quoted with wildcard", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host":"localhost", + "User-Agent":"curl/7.38.0", + "Accept":"*/*" + }, + "uri":"/?key=value&key=other_value", + "method":"GET" + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "debug_log":"Executing operator \"Contains\" with param \"config_example2\" against ARGS." + }, + "rules":[ + "SecRuleEngine On", + "Include \"test-cases/data/config_ex*ple2.txt\"", + "SecRule ARGS \"@contains test\" \"id:9,pass,t:trim\"" + ] } ]
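Review bot: The new case 8/8 covers only a quoted wildcard that matches a file; as far as this diff shows, the changed error branch, which now builds its message from the unquoted `file` string, is not exercised with a quoted path. A companion case whose quoted pattern matches nothing, modelled on the existing unquoted `Include test-cases/data/conasdffig_example2.txt` case, would pin that the reported path carries no stray quote character. The expected output for that case is not visible in this hunk, so it would have to be taken from the existing failure case.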