Merge branch 'master' into PR90

Author: defanator

src/ngx_http_modsecurity_common.h

@@ -150,7 +150,7 @@ ngx_int_t ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *i
 ngx_int_t ngx_http_modsecurity_header_filter_init(void);
 ngx_int_t ngx_http_modsecurity_header_filter(ngx_http_request_t *r);
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-int ngx_http_modescurity_store_ctx_header(ngx_http_request_t *r, ngx_str_t *name, ngx_str_t *value);
+int ngx_http_modsecurity_store_ctx_header(ngx_http_request_t *r, ngx_str_t *name, ngx_str_t *value);
 #endif
 
 /* ngx_http_modsecurity_log.c */

src/ngx_http_modsecurity_header_filter.c

@@ -101,7 +101,7 @@ ngx_http_modsecurity_header_out_t ngx_http_modsecurity_headers_out[] = {
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
 int
-ngx_http_modescurity_store_ctx_header(ngx_http_request_t *r, ngx_str_t *name, ngx_str_t *value)
+ngx_http_modsecurity_store_ctx_header(ngx_http_request_t *r, ngx_str_t *name, ngx_str_t *value)
 {
     ngx_http_modsecurity_ctx_t     *ctx;
     ngx_http_modsecurity_conf_t    *mcf;
@@ -167,7 +167,7 @@ ngx_http_modsecurity_resolv_header_server(ngx_http_request_t *r, ngx_str_t name,
     }
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    ngx_http_modescurity_store_ctx_header(r, &name, &value);
+    ngx_http_modsecurity_store_ctx_header(r, &name, &value);
 #endif
 
     return msc_add_n_response_header(ctx->modsec_transaction,
@@ -196,7 +196,7 @@ ngx_http_modsecurity_resolv_header_date(ngx_http_request_t *r, ngx_str_t name, o
     }
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    ngx_http_modescurity_store_ctx_header(r, &name, &date);
+    ngx_http_modsecurity_store_ctx_header(r, &name, &date);
 #endif
 
     return msc_add_n_response_header(ctx->modsec_transaction,
@@ -223,7 +223,7 @@ ngx_http_modsecurity_resolv_header_content_length(ngx_http_request_t *r, ngx_str
         value.len = strlen(buf);
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modescurity_store_ctx_header(r, &name, &value);
+        ngx_http_modsecurity_store_ctx_header(r, &name, &value);
 #endif
         return msc_add_n_response_header(ctx->modsec_transaction,
             (const unsigned char *) name.data,
@@ -247,7 +247,7 @@ ngx_http_modsecurity_resolv_header_content_type(ngx_http_request_t *r, ngx_str_t
     {
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modescurity_store_ctx_header(r, &name, &r->headers_out.content_type);
+        ngx_http_modsecurity_store_ctx_header(r, &name, &r->headers_out.content_type);
 #endif
 
         return msc_add_n_response_header(ctx->modsec_transaction,
@@ -280,7 +280,7 @@ ngx_http_modsecurity_resolv_header_last_modified(ngx_http_request_t *r, ngx_str_
     value.len = (int)(p-buf);
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    ngx_http_modescurity_store_ctx_header(r, &name, &value);
+    ngx_http_modsecurity_store_ctx_header(r, &name, &value);
 #endif
 
     return msc_add_n_response_header(ctx->modsec_transaction,
@@ -316,7 +316,7 @@ ngx_http_modsecurity_resolv_header_connection(ngx_http_request_t *r, ngx_str_t n
             value.len = strlen((char *)buf);
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-            ngx_http_modescurity_store_ctx_header(r, &name2, &value);
+            ngx_http_modsecurity_store_ctx_header(r, &name2, &value);
 #endif
 
             msc_add_n_response_header(ctx->modsec_transaction,
@@ -333,7 +333,7 @@ ngx_http_modsecurity_resolv_header_connection(ngx_http_request_t *r, ngx_str_t n
     value.len = strlen(connection);
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    ngx_http_modescurity_store_ctx_header(r, &name, &value);
+    ngx_http_modsecurity_store_ctx_header(r, &name, &value);
 #endif
 
     return msc_add_n_response_header(ctx->modsec_transaction,
@@ -354,7 +354,7 @@ ngx_http_modsecurity_resolv_header_transfer_encoding(ngx_http_request_t *r, ngx_
         ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modescurity_store_ctx_header(r, &name, &value);
+        ngx_http_modsecurity_store_ctx_header(r, &name, &value);
 #endif
 
         return msc_add_n_response_header(ctx->modsec_transaction,
@@ -381,7 +381,7 @@ ngx_http_modsecurity_resolv_header_vary(ngx_http_request_t *r, ngx_str_t name, o
         ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modescurity_store_ctx_header(r, &name, &value);
+        ngx_http_modsecurity_store_ctx_header(r, &name, &value);
 #endif
 
         return msc_add_n_response_header(ctx->modsec_transaction,
@@ -488,7 +488,7 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
         }
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modescurity_store_ctx_header(r, &data[i].key, &data[i].value);
+        ngx_http_modsecurity_store_ctx_header(r, &data[i].key, &data[i].value);
 #endif
 
         /*

src/ngx_http_modsecurity_module.c

@@ -199,7 +199,7 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
         r->headers_out.location->hash = 1;
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-        ngx_http_modescurity_store_ctx_header(r, &location->key, &location->value);
+        ngx_http_modsecurity_store_ctx_header(r, &location->key, &location->value);
 #endif
 
         return intervention.status;

tests/modsecurity-config-merge.t

@@ -160,7 +160,7 @@ $t->plan(10);
 ###############################################################################
 
 like(http_get_body('/', 'GOOD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "http level defaults, pass");
-like(http_get_body('/', 'VERY BAD BODY'), qr/403 Forbidden/, "http level defaults, block");
+like(http_get_body('/', 'VERY BAD BODY'), qr/^HTTP.*403/, "http level defaults, block");
 
 like(http_get_body('/modsec-disabled', 'VERY BAD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "location override for SecRuleEngine, pass");
 like(http_get_body('/nobodyaccess', 'VERY BAD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "location override for SecRequestBodyAccess, pass");

tests/modsecurity-config.t

@@ -95,18 +95,18 @@ $t->plan(9);
 
 
 # Performing requests at root
-like(http_get('/index.html?what=root'), qr/302 Moved Temporarily/, 'redirect 302 - root');
+like(http_get('/index.html?what=root'), qr/^HTTP.*302/, 'redirect 302 - root');
 like(http_get('/index.html?what=subfolder1'), qr/should be moved\/blocked before this./, 'nothing - requested subfolder1 at root');
 like(http_get('/index.html?what=subfolder2'), qr/should be moved\/blocked before this./, 'nothing - requested subfolder2 at root');
 
 # Performing requests at subfolder1
 like(http_get('/subfolder1/index.html?what=root'), qr/should be moved\/blocked before this./, 'nothing - requested root at subfolder 1');
-like(http_get('/subfolder1/index.html?what=subfolder1'), qr/302 Moved Temporarily/, 'redirect 302 - subfolder 1');
+like(http_get('/subfolder1/index.html?what=subfolder1'), qr/^HTTP.*302/, 'redirect 302 - subfolder 1');
 like(http_get('/subfolder1/index.html?what=subfolder2'), qr/should be moved\/blocked before this./, 'nothing - requested subfolder2 at subfolder1');
 
 # Performing requests at subfolder2
 like(http_get('/subfolder1/subfolder2/index.html?what=root'), qr/should be moved\/blocked before this./, 'nothing - requested root at subfolder 2');
-like(http_get('/subfolder1/subfolder2/index.html?what=subfolder1'), qr/302 Moved Temporarily/, 'redirect 302 - subfolder 2');
-like(http_get('/subfolder1/subfolder2/index.html?what=subfolder2'), qr/302 Moved Temporarily/, 'redirect 302 - subfolder 2');
+like(http_get('/subfolder1/subfolder2/index.html?what=subfolder1'), qr/^HTTP.*302/, 'redirect 302 - subfolder 2');
+like(http_get('/subfolder1/subfolder2/index.html?what=subfolder2'), qr/^HTTP.*302/, 'redirect 302 - subfolder 2');
 
 

tests/modsecurity-h2.t

@@ -102,7 +102,6 @@ $t->write_file("/phase2", "should be moved/blocked before this.");
 $t->write_file("/phase3", "should be moved/blocked before this.");
 $t->write_file("/phase4", "should not be moved/blocked, headers delivered before phase 4.");
 $t->run();
-$t->todo_alerts();
 $t->plan(20);
 
 ###############################################################################

tests/modsecurity-proxy-h2.t

@@ -103,7 +103,6 @@ http {
 
 EOF
 
-$t->todo_alerts();
 $t->run_daemon(\&http_daemon);
 $t->run()->waitforsocket('127.0.0.1:' . port(8081));
 

tests/modsecurity-proxy.t

@@ -114,27 +114,27 @@ unlike(http_head('/'), qr/SEE-THIS/, 'proxy head request');
 
 
 # Redirect (302)
-like(http_get('/phase1?what=redirect302'), qr/302 Moved Temporarily/, 'redirect 302 - phase 1');
-like(http_get('/phase2?what=redirect302'), qr/302 Moved Temporarily/, 'redirect 302 - phase 2');
-like(http_get('/phase3?what=redirect302'), qr/302 Moved Temporarily/, 'redirect 302 - phase 3');
+like(http_get('/phase1?what=redirect302'), qr/^HTTP.*302/, 'redirect 302 - phase 1');
+like(http_get('/phase2?what=redirect302'), qr/^HTTP.*302/, 'redirect 302 - phase 2');
+like(http_get('/phase3?what=redirect302'), qr/^HTTP.*302/, 'redirect 302 - phase 3');
 is(http_get('/phase4?what=redirect302'), '', 'redirect 302 - phase 4');
 
 # Redirect (301)
-like(http_get('/phase1?what=redirect301'), qr/301 Moved Permanently/, 'redirect 301 - phase 1');
-like(http_get('/phase2?what=redirect301'), qr/301 Moved Permanently/, 'redirect 301 - phase 2');
-like(http_get('/phase3?what=redirect301'), qr/301 Moved Permanently/, 'redirect 301 - phase 3');
+like(http_get('/phase1?what=redirect301'), qr/^HTTP.*301/, 'redirect 301 - phase 1');
+like(http_get('/phase2?what=redirect301'), qr/^HTTP.*301/, 'redirect 301 - phase 2');
+like(http_get('/phase3?what=redirect301'), qr/^HTTP.*301/, 'redirect 301 - phase 3');
 is(http_get('/phase4?what=redirect301'), '', 'redirect 301 - phase 4');
 
 # Block (401)
-like(http_get('/phase1?what=block401'), qr/401 Unauthorized/, 'block 401 - phase 1');
-like(http_get('/phase2?what=block401'), qr/401 Unauthorized/, 'block 401 - phase 2');
-like(http_get('/phase3?what=block401'), qr/401 Unauthorized/, 'block 401 - phase 3');
+like(http_get('/phase1?what=block401'), qr/^HTTP.*401/, 'block 401 - phase 1');
+like(http_get('/phase2?what=block401'), qr/^HTTP.*401/, 'block 401 - phase 2');
+like(http_get('/phase3?what=block401'), qr/^HTTP.*401/, 'block 401 - phase 3');
 is(http_get('/phase4?what=block401'), '', 'block 401 - phase 4');
 
 # Block (403)
-like(http_get('/phase1?what=block403'), qr/403 Forbidden/, 'block 403 - phase 1');
-like(http_get('/phase2?what=block403'), qr/403 Forbidden/, 'block 403 - phase 2');
-like(http_get('/phase3?what=block403'), qr/403 Forbidden/, 'block 403 - phase 3');
+like(http_get('/phase1?what=block403'), qr/^HTTP.*403/, 'block 403 - phase 1');
+like(http_get('/phase2?what=block403'), qr/^HTTP.*403/, 'block 403 - phase 2');
+like(http_get('/phase3?what=block403'), qr/^HTTP.*403/, 'block 403 - phase 3');
 is(http_get('/phase4?what=block403'), '', 'block 403 - phase 4');
 
 # Nothing to detect

tests/modsecurity-request-body.t

@@ -130,13 +130,13 @@ $t->plan(40);
 
 foreach my $method (('GET', 'POST', 'PUT', 'DELETE')) {
 like(http_req_body($method, '/bodyaccess', 'GOOD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "$method request body access on, pass");
-like(http_req_body($method, '/bodyaccess', 'VERY BAD BODY'), qr/403 Forbidden/, "$method request body access on, block");
+like(http_req_body($method, '/bodyaccess', 'VERY BAD BODY'), qr/^HTTP.*403/, "$method request body access on, block");
 like(http_req_body($method, '/nobodyaccess', 'VERY BAD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "$method request body access off, pass");
 like(http_req_body_postargs($method, '/nobodyaccess', 'BAD ARG'), qr/TEST-OK-IF-YOU-SEE-THIS/, "$method request body access off (ARGS_POST), pass");
 like(http_req_body($method, '/bodylimitreject', 'BODY' x 32), qr/TEST-OK-IF-YOU-SEE-THIS/, "$method request body limit reject, pass");
-like(http_req_body($method, '/bodylimitreject', 'BODY' x 33), qr/403 Forbidden/, "$method request body limit reject, block");
+like(http_req_body($method, '/bodylimitreject', 'BODY' x 33), qr/^HTTP.*403/, "$method request body limit reject, block");
 like(http_req_body($method, '/bodylimitprocesspartial', 'BODY' x 32 . 'BAD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "$method request body limit process partial, pass");
-like(http_req_body($method, '/bodylimitprocesspartial', 'BODY' x 30 . 'BAD BODY' x 32), qr/403 Forbidden/, "$method request body limit process partial, block");
+like(http_req_body($method, '/bodylimitprocesspartial', 'BODY' x 30 . 'BAD BODY' x 32), qr/^HTTP.*403/, "$method request body limit process partial, block");
 }
 
 like(http_req_body('POST', '/useauth', 'BODY' x 16), qr/TEST-OK-IF-YOU-SEE-THIS/, "POST with auth_request (request size < client_header_buffer_size)");
@@ -167,7 +167,7 @@ like(
 );
 
 foreach my $method (('GET', 'POST', 'PUT', 'DELETE')) {
-like(http_req_body($method, '/bodylimitrejectserver', 'BODY' x 33), qr/403 Forbidden/, "$method request body limit reject, block (inherited SecRequestBodyLimit)");
+like(http_req_body($method, '/bodylimitrejectserver', 'BODY' x 33), qr/^HTTP.*403/, "$method request body limit reject, block (inherited SecRequestBodyLimit)");
 }
 
 ###############################################################################

tests/modsecurity-response-body.t

@@ -64,6 +64,6 @@ $t->plan(1);
 TODO: {
 local $TODO = 'not yet';
 
-like(http_get('/body1'), qr/403 Forbidden/, 'response body (block)');
+like(http_get('/body1'), qr/^HTTP.*403/, 'response body (block)');
 }
 

tests/modsecurity-scoring.t

@@ -71,9 +71,9 @@ $t->plan(5);
 ###############################################################################
 
 like(http_get('/absolute?what=badarg1'), qr/should be moved\/blocked before this./, 'absolute scoring 1 (pass)');
-like(http_get('/absolute?what=badarg2'), qr/403 Forbidden/, 'absolute scoring 2 (block)');
+like(http_get('/absolute?what=badarg2'), qr/^HTTP.*403/, 'absolute scoring 2 (block)');
 
 like(http_get('/iterative?arg1=badarg1'), qr/should be moved\/blocked before this./, 'iterative scoring 1 (pass)');
 like(http_get('/iterative?arg1=badarg1&arg2=badarg2'), qr/should be moved\/blocked before this./, 'iterative scoring 2 (pass)');
-like(http_get('/iterative?arg1=badarg1&arg2=badarg2&arg3=badarg3'), qr/403 Forbidden/, 'iterative scoring 3 (block)');
+like(http_get('/iterative?arg1=badarg1&arg2=badarg2&arg3=badarg3'), qr/^HTTP.*403/, 'iterative scoring 3 (block)');
 

tests/modsecurity.t

@@ -121,27 +121,27 @@ $t->plan(20);
 
 
 # Redirect (302)
-like(http_get('/phase1?what=redirect302'), qr/302 Moved Temporarily/, 'redirect 302 - phase 1');
-like(http_get('/phase2?what=redirect302'), qr/302 Moved Temporarily/, 'redirect 302 - phase 2');
-like(http_get('/phase3?what=redirect302'), qr/302 Moved Temporarily/, 'redirect 302 - phase 3');
+like(http_get('/phase1?what=redirect302'), qr/^HTTP.*302/, 'redirect 302 - phase 1');
+like(http_get('/phase2?what=redirect302'), qr/^HTTP.*302/, 'redirect 302 - phase 2');
+like(http_get('/phase3?what=redirect302'), qr/^HTTP.*302/, 'redirect 302 - phase 3');
 is(http_get('/phase4?what=redirect302'), '', 'redirect 302 - phase 4');
 
 # Redirect (301)
-like(http_get('/phase1?what=redirect301'), qr/301 Moved Permanently/, 'redirect 301 - phase 1');
-like(http_get('/phase2?what=redirect301'), qr/301 Moved Permanently/, 'redirect 301 - phase 2');
-like(http_get('/phase3?what=redirect301'), qr/301 Moved Permanently/, 'redirect 301 - phase 3');
+like(http_get('/phase1?what=redirect301'), qr/^HTTP.*301/, 'redirect 301 - phase 1');
+like(http_get('/phase2?what=redirect301'), qr/^HTTP.*301/, 'redirect 301 - phase 2');
+like(http_get('/phase3?what=redirect301'), qr/^HTTP.*301/, 'redirect 301 - phase 3');
 is(http_get('/phase4?what=redirect301'), '', 'redirect 301 - phase 4');
 
 # Block (401)
-like(http_get('/phase1?what=block401'), qr/401 Unauthorized/, 'block 401 - phase 1');
-like(http_get('/phase2?what=block401'), qr/401 Unauthorized/, 'block 401 - phase 2');
-like(http_get('/phase3?what=block401'), qr/401 Unauthorized/, 'block 401 - phase 3');
+like(http_get('/phase1?what=block401'), qr/^HTTP.*401/, 'block 401 - phase 1');
+like(http_get('/phase2?what=block401'), qr/^HTTP.*401/, 'block 401 - phase 2');
+like(http_get('/phase3?what=block401'), qr/^HTTP.*401/, 'block 401 - phase 3');
 is(http_get('/phase4?what=block401'), '', 'block 401 - phase 4');
 
 # Block (403)
-like(http_get('/phase1?what=block403'), qr/403 Forbidden/, 'block 403 - phase 1');
-like(http_get('/phase2?what=block403'), qr/403 Forbidden/, 'block 403 - phase 2');
-like(http_get('/phase3?what=block403'), qr/403 Forbidden/, 'block 403 - phase 3');
+like(http_get('/phase1?what=block403'), qr/^HTTP.*403/, 'block 403 - phase 1');
+like(http_get('/phase2?what=block403'), qr/^HTTP.*403/, 'block 403 - phase 2');
+like(http_get('/phase3?what=block403'), qr/^HTTP.*403/, 'block 403 - phase 3');
 is(http_get('/phase4?what=block403'), '', 'block 403 - phase 4');
 
 # Nothing to detect