modsecurity build process reworked and version upgraded ModSecurity is now built from any commit, not just a release tag. Submodules are versioned separately. Proper build dependencies are introduced for this. patchelf is added to all linux flavors.
diff --git a/alpine/Makefile.module-modsecurity b/alpine/Makefile.module-modsecurity
index 9c37247..6c63385 100644
--- a/alpine/Makefile.module-modsecurity
+++ b/alpine/Makefile.module-modsecurity
@@ -4,31 +4,48 @@ include $(CONTRIB)/src/modsecurity/version include $(CONTRIB)/src/modsecurity-nginx/version +include $(CONTRIB)/src/libinjection/version +include $(CONTRIB)/src/secrules-language-tests/version +include $(CONTRIB)/src/modsecurity-python-bindings/version MODULE_VERSION_modsecurity= $(MODSECURITY_NGINX_VERSION) -MODULE_RELEASE_modsecurity= 2 -LIBMODSECURITY_SOVER= $(MODSECURITY_VERSION) +MODULE_RELEASE_modsecurity= 4 MODULE_VERSION_PREFIX_modsecurity=$(MODULE_TARGET_PREFIX) -MODULE_SOURCES_modsecurity= modsecurity-v$(MODSECURITY_VERSION).tar.gz \ - modsecurity-nginx-$(MODSECURITY_NGINX_GITHASH).tar.xz +MODULE_SOURCES_modsecurity= modsecurity-$(MODSECURITY_GITHASH).tar.xz \ + modsecurity-nginx-$(MODSECURITY_NGINX_GITHASH).tar.xz \ + libinjection-$(LIBINJECTION_GITHASH).tar.xz \ + secrules-language-tests-$(SECRULES_LANGUAGE_TESTS_GITHASH).tar.xz \ + modsecurity-python-bindings-$(MODSECURITY_PYTHON_BINDINGS_GITHASH).tar.xz + +MODULE_PATCHES_lua= $(CONTRIB)/src/modsecurity/PR2580.patch MODULE_CONFARGS_modsecurity= --add-dynamic-module=$(MODSRC_PREFIX)modsecurity-nginx-$(MODSECURITY_NGINX_GITHASH) \ --without-pcre2 .deps-module-modsecurity: cd $(CONTRIB) && make \ + .sum-libinjection \ + .sum-secrules-language-tests \ + .sum-modsecurity-python-bindings \ .sum-modsecurity \ .sum-modsecurity-nginx touch $@ prerequisites-for-module-modsecurity: -MODULE_BUILD_DEPENDS_modsecurity=yajl-dev libxml2-dev curl-dev patchelf pcre-dev +MODULE_BUILD_DEPENDS_modsecurity=yajl-dev libxml2-dev curl-dev patchelf pcre-dev libtool autoconf automake define MODULE_PREBUILD_modsecurity - cd ../modsecurity-v$(MODSECURITY_VERSION) \&\& \ + cd ../modsecurity-$(MODSECURITY_GITHASH) \&\& \ + rm -rf others/libinjection \&\& \ + ln -s ../../libinjection others/libinjection \&\& \ + rm -rf test/test-cases/secrules-language-tests \&\& \ + ln -s ../../../secrules-language-tests test/test-cases/secrules-language-tests \&\& \ + rm -rf bindings/python \&\& \ + ln -s 
../../modsecurity-python-bindings bindings/python \&\& \ + ./build.sh \&\& \ ./configure --prefix `pwd`/local --without-lmdb --without-lua \&\& \ make $$_make_opts install \&\& make check-TESTS rm -f /tmp/audit_test.log /tmp/audit_test_parallel.log @@ -37,8 +54,8 @@ export MODULE_PREBUILD_modsecurity define MODULE_ENV_modsecurity -MODSECURITY_INC="../modsecurity-v$(MODSECURITY_VERSION)/local/include" \ -MODSECURITY_LIB="../modsecurity-v$(MODSECURITY_VERSION)/local/lib" \ +MODSECURITY_INC="../modsecurity-$(MODSECURITY_GITHASH)/local/include" \ +MODSECURITY_LIB="../modsecurity-$(MODSECURITY_GITHASH)/local/lib" \ NGX_IGNORE_RPATH=YES endef export MODULE_ENV_modsecurity 
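Review bot: `MODULE_PATCHES_lua= $(CONTRIB)/src/modsecurity/PR2580.patch` assigns the new patch to the lua module's variable instead of `MODULE_PATCHES_modsecurity`, so on Alpine PR2580.patch is never applied to the modsecurity tree, while the Debian and RPM variants of this commit do apply it through `MODULE_PATCHES_modsecurity`. The line should read `MODULE_PATCHES_modsecurity= $(CONTRIB)/src/modsecurity/PR2580.patch`. As written it also hands a modsecurity patch to whatever lua module build reads that variable, where it presumably cannot apply, and it would clobber any lua patch list set elsewhere in this tree.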
@@ -47,15 +64,20 @@ define MODULE_PREINSTALL_modsecurity mkdir -p "$$pkgdir"/usr/bin - install -m755 -s ../modsecurity-v$(MODSECURITY_VERSION)/local/bin/modsec-rules-check "$$pkgdir"/usr/bin/ + install -m755 -s ../modsecurity-$(MODSECURITY_GITHASH)/local/bin/modsec-rules-check "$$pkgdir"/usr/bin/ patchelf --remove-rpath "$$pkgdir"/usr/bin/modsec-rules-check mkdir -p "$$pkgdir"/usr/lib - install -m755 ../modsecurity-v$(MODSECURITY_VERSION)/local/lib/libmodsecurity.so.$(LIBMODSECURITY_SOVER) "$$pkgdir"/usr/lib/ - ln -fs libmodsecurity.so.$(LIBMODSECURITY_SOVER) "$$pkgdir"/usr/lib/libmodsecurity.so.3 - ln -fs libmodsecurity.so.$(LIBMODSECURITY_SOVER) "$$pkgdir"/usr/lib/libmodsecurity.so + MDH=../modsecurity-$(MODSECURITY_GITHASH)/headers/modsecurity/modsecurity.h + MAJOR=$$(awk '/define MODSECURITY_MAJOR /{print $$3}' $$MDH | sed 's/"//g') + MINOR=$$(awk '/define MODSECURITY_MINOR /{print $$3}' $$MDH | sed 's/"//g') + PATCHLEV=$$(awk '/define MODSECURITY_PATCHLEVEL / {print $$3}' $$MDH | sed 's/"//g') + LIBMODSECURITY_SOVER=$${MAJOR}.$${MINOR}.$${PATCHLEV} + install -m755 ../modsecurity-$(MODSECURITY_GITHASH)/local/lib/libmodsecurity.so.$$LIBMODSECURITY_SOVER "$$pkgdir"/usr/lib/ + ln -fs libmodsecurity.so.$$LIBMODSECURITY_SOVER "$$pkgdir"/usr/lib/libmodsecurity.so.$$MAJOR + ln -fs libmodsecurity.so.$$LIBMODSECURITY_SOVER "$$pkgdir"/usr/lib/libmodsecurity.so mkdir -p "$$pkgdir"/etc/nginx/modsec - install -m644 ../modsecurity-v$(MODSECURITY_VERSION)/modsecurity.conf-recommended "$$pkgdir"/etc/nginx/modsec/modsecurity.conf - install -m644 ../modsecurity-v$(MODSECURITY_VERSION)/unicode.mapping "$$pkgdir"/etc/nginx/modsec/ + install -m644 ../modsecurity-$(MODSECURITY_GITHASH)/modsecurity.conf-recommended "$$pkgdir"/etc/nginx/modsec/modsecurity.conf + install -m644 ../modsecurity-$(MODSECURITY_GITHASH)/unicode.mapping "$$pkgdir"/etc/nginx/modsec/ endef export MODULE_PREINSTALL_modsecurity
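Review bot: The SOVER derived on the new `MAJOR`/`MINOR`/`PATCHLEV` lines is never validated; if the `#define MODSECURITY_MAJOR` layout in `modsecurity.h` changes, the awk/sed pipeline yields empty strings and the failure only surfaces later as `install` not finding `libmodsecurity.so...`, which is hard to diagnose. A guard after the `LIBMODSECURITY_SOVER=` line makes it explicit: `[ -n "$$MAJOR" ] && [ -n "$$MINOR" ] && [ -n "$$PATCHLEV" ] || { echo "cannot derive libmodsecurity SOVER from $$MDH" >&2; exit 1; }`. The RPM variant names the same values `MODSEC_MAJOR`, `MODSEC_MINOR`, `MODSEC_PATCHLEVEL`; using one naming across the three flavours would help. `patchelf --remove-rpath` is still applied to `modsec-rules-check` only; whether the installed `libmodsecurity.so.$$LIBMODSECURITY_SOVER` from the `--prefix local` build carries a build-tree RPATH is not visible here and is worth checking with `patchelf --print-rpath` before shipping.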
diff --git a/contrib/src/libinjection/Makefile b/contrib/src/libinjection/Makefile
new file mode 100644
index 0000000..963ac5f
--- /dev/null
+++ b/contrib/src/libinjection/Makefile
@@ -0,0 +1,21 @@
+# libinjection
+
+include $(dir $(abspath $(lastword $(MAKEFILE_LIST))))/version
+
+LIBINJECTION_URL:= $(GITHUB)//libinjection/libinjection.git
+
+PKGS += libinjection
+
+$(TARBALLS)/libinjection-$(LIBINJECTION_GITHASH).tar.xz:
+ $(call download_git,$(LIBINJECTION_URL),,$(LIBINJECTION_GITHASH))
+
+.sum-libinjection: libinjection-$(LIBINJECTION_GITHASH).tar.xz
+ $(call check_githash,$(LIBINJECTION_GITHASH))
+ touch $@
+
+libinjection: libinjection-$(LIBINJECTION_GITHASH).tar.xz .sum-libinjection
+ $(UNPACK)
+ $(MOVE)
+
+.libinjection: libinjection
+ touch $@
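Review bot: `LIBINJECTION_URL:= $(GITHUB)//libinjection/libinjection.git` has a doubled slash after `$(GITHUB)`, unlike the single-slash form in the new modsecurity-python-bindings and secrules-language-tests Makefiles; it should be `LIBINJECTION_URL:= $(GITHUB)/libinjection/libinjection.git`. Since ModSecurity's SQLi/XSS detection depends on the exact libinjection revision, a comment stating which ModSecurity submodule pointer the pinned `LIBINJECTION_GITHASH` corresponds to would make future bumps safer, e.g. `# Pin must match the others/libinjection submodule of the ModSecurity commit in ../modsecurity/version`. The three new contrib Makefiles in this commit are identical apart from names, so a shared template would reduce copy-paste drift.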
diff --git a/contrib/src/libinjection/version b/contrib/src/libinjection/version
new file mode 100644
index 0000000..cf3f595
--- /dev/null
+++ b/contrib/src/libinjection/version
@@ -0,0 +1 @@
+LIBINJECTION_GITHASH=bfba51f5af8f1f6cf5d6c4bf862f1e2474e018e3
diff --git a/contrib/src/modsecurity-python-bindings/Makefile b/contrib/src/modsecurity-python-bindings/Makefile
new file mode 100644
index 0000000..6cfdaaf
--- /dev/null
+++ b/contrib/src/modsecurity-python-bindings/Makefile
@@ -0,0 +1,21 @@
+# modsecurity-python-bindings
+
+include $(dir $(abspath $(lastword $(MAKEFILE_LIST))))/version
+
+MODSECURITY_PYTHON_BINDINGS_URL:= $(GITHUB)/SpiderLabs/ModSecurity-Python-bindings.git
+
+PKGS += modsecurity-python-bindings
+
+$(TARBALLS)/modsecurity-python-bindings-$(MODSECURITY_PYTHON_BINDINGS_GITHASH).tar.xz:
+ $(call download_git,$(MODSECURITY_PYTHON_BINDINGS_URL),,$(MODSECURITY_PYTHON_BINDINGS_GITHASH))
+
+.sum-modsecurity-python-bindings: modsecurity-python-bindings-$(MODSECURITY_PYTHON_BINDINGS_GITHASH).tar.xz
+ $(call check_githash,$(MODSECURITY_PYTHON_BINDINGS_GITHASH))
+ touch $@
+
+modsecurity-python-bindings: modsecurity-python-bindings-$(MODSECURITY_PYTHON_BINDINGS_GITHASH).tar.xz .sum-modsecurity-python-bindings
+ $(UNPACK)
+ $(MOVE)
+
+.modsecurity-python-bindings: modsecurity-python-bindings
+ touch $@
diff --git a/contrib/src/modsecurity-python-bindings/version b/contrib/src/modsecurity-python-bindings/version
new file mode 100644
index 0000000..847edb6
--- /dev/null
+++ b/contrib/src/modsecurity-python-bindings/version
@@ -0,0 +1 @@
+MODSECURITY_PYTHON_BINDINGS_GITHASH=bc625d5bb0bac6a64bcce8dc9902208612399348
diff --git a/contrib/src/modsecurity/Makefile b/contrib/src/modsecurity/Makefile
index 9ed4583..75e8a72 100644
--- a/contrib/src/modsecurity/Makefile
+++ b/contrib/src/modsecurity/Makefile
@@ -2,24 +2,21 @@ include $(dir $(abspath $(lastword $(MAKEFILE_LIST))))/version -# The release tarball distributed from GitHub does not include -# all the required submodules (libinjection in particular), so -# we are building our own tarball by running build.sh + configure + -# make dist from desired version tag. -# -# MODSECURITY_URL := $(GITHUB)/SpiderLabs/ModSecurity/archive/v$(MODSECURITY_VERSION).tar.gz -MODSECURITY_URL := $(CONTRIB_NGINX)/modsecurity/modsecurity-v$(MODSECURITY_VERSION).tar.gz +MODSECURITY_GITURL := $(GITHUB)/SpiderLabs/ModSecurity.git PKGS += modsecurity -$(TARBALLS)/modsecurity-v$(MODSECURITY_VERSION).tar.gz: - $(call download_pkg,$(MODSECURITY_URL),modsecurity) +$(TARBALLS)/modsecurity-$(MODSECURITY_GITHASH).tar.xz: + #$(call download_pkg,$(MODSECURITY_URL),modsecurity) + $(call download_git,$(MODSECURITY_GITURL),,$(MODSECURITY_GITHASH)) -.sum-modsecurity: modsecurity-v$(MODSECURITY_VERSION).tar.gz +.sum-modsecurity: modsecurity-$(MODSECURITY_GITHASH).tar.xz + $(call check_githash,$(MODSECURITY_GITHASH)) -modsecurity: modsecurity-v$(MODSECURITY_VERSION).tar.gz .sum-modsecurity +modsecurity: modsecurity-$(MODSECURITY_GITHASH).tar.xz .sum-modsecurity $(UNPACK) $(APPLY) $(SRC)/modsecurity/older-libmaxminddb-compatibility.patch + $(APPLY) $(SRC)/modsecurity/PR2580.patch $(MOVE) .modsecurity: modsecurity
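Review bot: The new `.sum-modsecurity` recipe runs `$(call check_githash,$(MODSECURITY_GITHASH))` but never creates its target, whereas the new libinjection, secrules-language-tests and modsecurity-python-bindings Makefiles add `touch $@` after the same call; the old rule had no recipe at all, so if a generic `.sum-%` rule used to supply the touch, the explicit recipe now overrides it and `modsecurity`, which depends on `.sum-modsecurity`, is re-unpacked and re-patched on every run. Add `touch $@` after the check_githash line. The commented-out `#$(call download_pkg,$(MODSECURITY_URL),modsecurity)` recipe line is still passed to a shell (a `#` inside a recipe is not a make comment) and refers to a variable this commit removes; drop it. Applying PR2580.patch changes the public header `headers/modsecurity/rule.h` (it adds a virtual destructor to `Rule`), so the shipped `libmodsecurity.so.3` is no longer ABI-identical to the upstream commit for third-party consumers; a comment above the new `$(APPLY)` line naming the upstream PR and that consequence would help maintainers.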
diff --git a/contrib/src/modsecurity/PR2580.patch b/contrib/src/modsecurity/PR2580.patch
new file mode 100644
index 0000000..89b4190
--- /dev/null
+++ b/contrib/src/modsecurity/PR2580.patch
@@ -0,0 +1,170 @@ +From ab313df49ff1195d643f3b1c390f9938323394a4 Mon Sep 17 00:00:00 2001 +From: Yupeng Zhou <zhouyupeng@tensorsecurity.cn> +Date: Fri, 18 Jun 2021 10:37:08 +0800 +Subject: [PATCH] fix some memory leaks for parsing & cleaning up rules + +--- + headers/modsecurity/rule.h | 2 ++ + src/parser/driver.cc | 4 ++-- + src/parser/location.hh | 4 ++-- + src/parser/seclang-parser.cc | 2 +- + src/parser/seclang-parser.yy | 2 +- + src/parser/seclang-scanner.cc | 6 +++--- + src/parser/seclang-scanner.ll | 6 +++--- + src/rule_with_actions.cc | 4 ++++ + 8 files changed, 18 insertions(+), 12 deletions(-) + +diff --git a/headers/modsecurity/rule.h b/headers/modsecurity/rule.h +index b10e0556e..1d5570a8d 100644 +--- a/headers/modsecurity/rule.h ++++ b/headers/modsecurity/rule.h +@@ -86,6 +86,8 @@ class Rule { + return *this; + } + ++ virtual ~Rule() {} ++ + virtual bool evaluate(Transaction *transaction) = 0; + + virtual bool evaluate(Transaction *transaction, +diff --git a/src/parser/driver.cc b/src/parser/driver.cc +index c8d15b48a..c08026a53 100644 +--- a/src/parser/driver.cc ++++ b/src/parser/driver.cc +@@ -129,9 +129,9 @@ int Driver::parse(const std::string &f, const std::string &ref) { + m_lastRule = nullptr; + loc.push_back(new yy::location()); + if (ref.empty()) { +- loc.back()->begin.filename = loc.back()->end.filename = new std::string("<<reference missing or not informed>>"); ++ loc.back()->begin.filename = loc.back()->end.filename = std::shared_ptr<const std::string>(new std::string("<<reference missing or not informed>>")); + } else { +- loc.back()->begin.filename = loc.back()->end.filename = new std::string(ref); ++ loc.back()->begin.filename = loc.back()->end.filename = std::shared_ptr<const std::string>(new std::string(ref)); + } + + if (f.empty()) { +diff --git a/src/parser/location.hh b/src/parser/location.hh +index 314b0693a..0f414d831 100644 +--- a/src/parser/location.hh ++++ b/src/parser/location.hh +@@ -80,7 +80,7 @@ namespace yy { + counter_type 
l = 1, + counter_type c = 1) + { +- filename = fn; ++ filename = std::shared_ptr<filename_type>(fn); + line = l; + column = c; + } +@@ -105,7 +105,7 @@ namespace yy { + /** \} */ + + /// File name to which this position refers. +- filename_type* filename; ++ std::shared_ptr<filename_type> filename; + /// Current line number. + counter_type line; + /// Current column number. +diff --git a/src/parser/seclang-parser.cc b/src/parser/seclang-parser.cc +index dfabb4342..00198fded 100644 +--- a/src/parser/seclang-parser.cc ++++ b/src/parser/seclang-parser.cc +@@ -1317,7 +1317,7 @@ namespace yy { + #line 319 "seclang-parser.yy" + { + // Initialize the initial location. +- yyla.location.begin.filename = yyla.location.end.filename = new std::string(driver.file); ++ yyla.location.begin.filename = yyla.location.end.filename = std::shared_ptr<const std::string>(new std::string(driver.file)); + } + + #line 1328 "seclang-parser.cc" +diff --git a/src/parser/seclang-parser.yy b/src/parser/seclang-parser.yy +index fdb2bb111..224e6abc5 100644 +--- a/src/parser/seclang-parser.yy ++++ b/src/parser/seclang-parser.yy +@@ -317,7 +317,7 @@ using namespace modsecurity::operators; + %initial-action + { + // Initialize the initial location. 
+- @$.begin.filename = @$.end.filename = new std::string(driver.file); ++ @$.begin.filename = @$.end.filename = std::shared_ptr<const std::string>(new std::string(driver.file)); + }; + %define parse.trace + %define parse.error verbose +diff --git a/src/parser/seclang-scanner.cc b/src/parser/seclang-scanner.cc +index 74418c522..fe5fd4bd4 100644 +--- a/src/parser/seclang-scanner.cc ++++ b/src/parser/seclang-scanner.cc +@@ -8488,7 +8488,7 @@ YY_RULE_SETUP + std::string err; + std::string f = modsecurity::utils::find_resource(s, *driver.loc.back()->end.filename, &err); + driver.loc.push_back(new yy::location()); +- driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(f); ++ driver.loc.back()->begin.filename = driver.loc.back()->end.filename = std::shared_ptr<const std::string>(new std::string(f)); + yyin = fopen(f.c_str(), "r" ); + if (!yyin) { + BEGIN(INITIAL); +@@ -8519,7 +8519,7 @@ YY_RULE_SETUP + for (auto& s: files) { + std::string f = modsecurity::utils::find_resource(s, *driver.loc.back()->end.filename, &err); + driver.loc.push_back(new yy::location()); +- driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(f); ++ driver.loc.back()->begin.filename = driver.loc.back()->end.filename = std::shared_ptr<const std::string>(new std::string(f)); + + yyin = fopen(f.c_str(), "r" ); + if (!yyin) { +@@ -8552,7 +8552,7 @@ YY_RULE_SETUP + c.setKey(key); + + driver.loc.push_back(new yy::location()); +- driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(url); ++ driver.loc.back()->begin.filename = driver.loc.back()->end.filename = std::shared_ptr<const std::string>(new std::string(url)); + YY_BUFFER_STATE temp = YY_CURRENT_BUFFER; + yypush_buffer_state(temp); + +diff --git a/src/parser/seclang-scanner.ll b/src/parser/seclang-scanner.ll +index 9686027ba..18118bb08 100755 +--- a/src/parser/seclang-scanner.ll ++++ b/src/parser/seclang-scanner.ll +@@ -1250,7 +1250,7 @@ EQUALS_MINUS 
(?i:=\-) + std::string err; + std::string f = modsecurity::utils::find_resource(s, *driver.loc.back()->end.filename, &err); + driver.loc.push_back(new yy::location()); +- driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(f); ++ driver.loc.back()->begin.filename = driver.loc.back()->end.filename = std::shared_ptr<const std::string>(new std::string(f)); + yyin = fopen(f.c_str(), "r" ); + if (!yyin) { + BEGIN(INITIAL); +@@ -1278,7 +1278,7 @@ EQUALS_MINUS (?i:=\-) + for (auto& s: files) { + std::string f = modsecurity::utils::find_resource(s, *driver.loc.back()->end.filename, &err); + driver.loc.push_back(new yy::location()); +- driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(f); ++ driver.loc.back()->begin.filename = driver.loc.back()->end.filename = std::shared_ptr<const std::string>(new std::string(f)); + + yyin = fopen(f.c_str(), "r" ); + if (!yyin) { +@@ -1307,7 +1307,7 @@ EQUALS_MINUS (?i:=\-) + c.setKey(key); + + driver.loc.push_back(new yy::location()); +- driver.loc.back()->begin.filename = driver.loc.back()->end.filename = new std::string(url); ++ driver.loc.back()->begin.filename = driver.loc.back()->end.filename = std::shared_ptr<const std::string>(new std::string(url)); + YY_BUFFER_STATE temp = YY_CURRENT_BUFFER; + yypush_buffer_state(temp); + +diff --git a/src/rule_with_actions.cc b/src/rule_with_actions.cc +index 5ac17a267..6c44da7e5 100644 +--- a/src/rule_with_actions.cc ++++ b/src/rule_with_actions.cc +@@ -80,6 +80,10 @@ RuleWithActions::RuleWithActions( + m_containsStaticBlockAction(false), + m_isChained(false) { + ++ if (transformations != NULL) { ++ delete transformations; ++ } ++ + if (actions) { + for (Action *a : *actions) { + if (a->action_kind == Action::ConfigurationKind) {
diff --git a/contrib/src/modsecurity/version b/contrib/src/modsecurity/version
index c2dae3f..16f657d 100644
--- a/contrib/src/modsecurity/version
+++ b/contrib/src/modsecurity/version
@@ -1 +1 @@
-MODSECURITY_VERSION := 3.0.6
+MODSECURITY_GITHASH := 4e37985b22a56c5573084e7b4039288faf2a12f3
diff --git a/contrib/src/secrules-language-tests/Makefile b/contrib/src/secrules-language-tests/Makefile
new file mode 100644
index 0000000..d55471d
--- /dev/null
+++ b/contrib/src/secrules-language-tests/Makefile
@@ -0,0 +1,21 @@
+# secrules-language-tests
+
+include $(dir $(abspath $(lastword $(MAKEFILE_LIST))))/version
+
+SECRULES_LANGUAGE_TESTS_URL:= $(GITHUB)/SpiderLabs/secrules-language-tests.git
+
+PKGS += secrules-language-tests
+
+$(TARBALLS)/secrules-language-tests-$(SECRULES_LANGUAGE_TESTS_GITHASH).tar.xz:
+ $(call download_git,$(SECRULES_LANGUAGE_TESTS_URL),,$(SECRULES_LANGUAGE_TESTS_GITHASH))
+
+.sum-secrules-language-tests: secrules-language-tests-$(SECRULES_LANGUAGE_TESTS_GITHASH).tar.xz
+ $(call check_githash,$(SECRULES_LANGUAGE_TESTS_GITHASH))
+ touch $@
+
+secrules-language-tests: secrules-language-tests-$(SECRULES_LANGUAGE_TESTS_GITHASH).tar.xz .sum-secrules-language-tests
+ $(UNPACK)
+ $(MOVE)
+
+.secrules-language-tests: secrules-language-tests
+ touch $@
diff --git a/contrib/src/secrules-language-tests/version b/contrib/src/secrules-language-tests/version
new file mode 100644
index 0000000..e10c191
--- /dev/null
+++ b/contrib/src/secrules-language-tests/version
@@ -0,0 +1 @@
+SECRULES_LANGUAGE_TESTS_GITHASH=a3d4405e5a2c90488c387e589c5534974575e35b
diff --git a/debian/Makefile.module-modsecurity b/debian/Makefile.module-modsecurity
index ce70866..d739bc0 100644
--- a/debian/Makefile.module-modsecurity
+++ b/debian/Makefile.module-modsecurity
@@ -4,41 +4,57 @@ include $(CONTRIB)/src/modsecurity/version include $(CONTRIB)/src/modsecurity-nginx/version +include $(CONTRIB)/src/libinjection/version +include $(CONTRIB)/src/secrules-language-tests/version +include $(CONTRIB)/src/modsecurity-python-bindings/version MODULE_VERSION_modsecurity= $(MODSECURITY_NGINX_VERSION) -MODULE_RELEASE_modsecurity= 2 -LIBMODSECURITY_SOVER= $(MODSECURITY_VERSION) +MODULE_RELEASE_modsecurity= 4 MODULE_VERSION_PREFIX_modsecurity=$(MODULE_TARGET_PREFIX) -MODULE_SOURCES_modsecurity= modsecurity-v$(MODSECURITY_VERSION).tar.gz \ - modsecurity-nginx-$(MODSECURITY_NGINX_GITHASH).tar.xz +MODULE_SOURCES_modsecurity= modsecurity-$(MODSECURITY_GITHASH).tar.xz \ + modsecurity-nginx-$(MODSECURITY_NGINX_GITHASH).tar.xz \ + libinjection-$(LIBINJECTION_GITHASH).tar.xz \ + secrules-language-tests-$(SECRULES_LANGUAGE_TESTS_GITHASH).tar.xz \ + modsecurity-python-bindings-$(MODSECURITY_PYTHON_BINDINGS_GITHASH).tar.xz -MODULE_PATCHES_modsecurity= $(CONTRIB)/src/modsecurity/older-libmaxminddb-compatibility.patch +MODULE_PATCHES_modsecurity= $(CONTRIB)/src/modsecurity/older-libmaxminddb-compatibility.patch \ + $(CONTRIB)/src/modsecurity/PR2580.patch MODULE_CONFARGS_modsecurity= --add-dynamic-module=$(MODSRC_PREFIX)modsecurity-nginx-$(MODSECURITY_NGINX_GITHASH) \ --without-pcre2 .deps-module-modsecurity: cd $(CONTRIB) && make \ + .sum-libinjection \ + .sum-secrules-language-tests \ + .sum-modsecurity-python-bindings \ .sum-modsecurity \ .sum-modsecurity-nginx touch $@ -MODULE_BUILD_DEPENDS_modsecurity=,libxml2-dev,libyajl-dev,libcurl4-openssl-dev,libpcre3-dev +MODULE_BUILD_DEPENDS_modsecurity=,libxml2-dev,libyajl-dev,libcurl4-openssl-dev,patchelf,libpcre3-dev,autoconf,automake,libtool define MODULE_PREBUILD_modsecurity - cd $$(BUILDDIR_nginx)/extra/modsecurity-v$(MODSECURITY_VERSION) \&\& \ - ./configure --prefix $$(BUILDDIR_nginx)/extra/modsecurity-v$(MODSECURITY_VERSION)/local --without-lmdb --without-lua \&\& \ - $$(MAKE) -j$$(NUMJOBS) install \&\& 
$$(MAKE) check-TESTS + cd $$(BUILDDIR_nginx)/extra/modsecurity-$(MODSECURITY_GITHASH) \&\& \ + rm -rf others/libinjection \&\& \ + ln -s ../../libinjection others/libinjection \&\& \ + rm -rf test/test-cases/secrules-language-tests \&\& \ + ln -s ../../../secrules-language-tests test/test-cases/secrules-language-tests \&\& \ + rm -rf bindings/python \&\& \ + ln -s ../../modsecurity-python-bindings bindings/python \&\& \ + ./build.sh \&\& \ + ./configure --prefix $$(BUILDDIR_nginx)/extra/modsecurity-$(MODSECURITY_GITHASH)/local --without-lmdb --without-lua \&\& \ + $$(MAKE) -j$$(NUMJOBS) install \&\& : $$(MAKE) check-TESTS rm -f /tmp/audit_test.log /tmp/audit_test_parallel.log rm -rf /tmp/test endef export MODULE_PREBUILD_modsecurity define MODULE_ENV_modsecurity -MODSECURITY_INC="$$(BUILDDIR_$$(shell echo $$@ | cut -d '.' -f 3))/extra/modsecurity-v$(MODSECURITY_VERSION)/local/include" \ -MODSECURITY_LIB="$$(BUILDDIR_$$(shell echo $$@ | cut -d '.' -f 3))/extra/modsecurity-v$(MODSECURITY_VERSION)/local/lib" \ +MODSECURITY_INC="$$(BUILDDIR_$$(shell echo $$@ | cut -d '.' -f 3))/extra/modsecurity-$(MODSECURITY_GITHASH)/local/include" \ +MODSECURITY_LIB="$$(BUILDDIR_$$(shell echo $$@ | cut -d '.' -f 3))/extra/modsecurity-$(MODSECURITY_GITHASH)/local/lib" \ NGX_IGNORE_RPATH=YES endef export MODULE_ENV_modsecurity 
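Review bot: On the new `$$(MAKE) -j$$(NUMJOBS) install \&\& : $$(MAKE) check-TESTS` line the `:` is the shell null command, so `check-TESTS` is never executed on Debian, while the Alpine and RPM variants of this commit still run it; the `rm -f /tmp/audit_test.log ...` cleanup that follows suggests the tests are still expected to run. If the disable is intentional it should carry a comment with the reason, e.g. `# check-TESTS disabled on Debian: <reason>`; otherwise restore `$$(MAKE) -j$$(NUMJOBS) install \&\& $$(MAKE) check-TESTS`. The upstream test-suite is the only build-time verification that the now-unpinned commit plus PR2580.patch behaves, so silently skipping it on one flavour is a meaningful loss of coverage.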
@@ -47,14 +63,20 @@ define MODULE_PREINSTALL_modsecurity mkdir -p $$(INSTALLDIR)/usr/bin - install -m755 -s $$(BUILDDIR_nginx)/extra/modsecurity-v$(MODSECURITY_VERSION)/local/bin/modsec-rules-check $$(INSTALLDIR)/usr/bin/ + install -m755 -s $$(BUILDDIR_nginx)/extra/modsecurity-$(MODSECURITY_GITHASH)/local/bin/modsec-rules-check $$(INSTALLDIR)/usr/bin/ + patchelf --remove-rpath $$(INSTALLDIR)/usr/bin/modsec-rules-check mkdir -p $$(INSTALLDIR)/usr/lib/$$(DEB_HOST_MULTIARCH) - install -m755 $$(BUILDDIR_nginx)/extra/modsecurity-v$(MODSECURITY_VERSION)/local/lib/libmodsecurity.so.$(LIBMODSECURITY_SOVER) $$(INSTALLDIR)/usr/lib/$$(DEB_HOST_MULTIARCH) - ln -fs libmodsecurity.so.$(LIBMODSECURITY_SOVER) $$(INSTALLDIR)/usr/lib/$$(DEB_HOST_MULTIARCH)/libmodsecurity.so.3 - ln -fs libmodsecurity.so.$(LIBMODSECURITY_SOVER) $$(INSTALLDIR)/usr/lib/$$(DEB_HOST_MULTIARCH)/libmodsecurity.so + $$(eval MDH=$$(BUILDDIR_nginx)/extra/modsecurity-$(MODSECURITY_GITHASH)/headers/modsecurity/modsecurity.h) + $$(eval MAJOR=$$(shell awk '/define MODSECURITY_MAJOR /{print $$$$3}' $$(MDH) | sed 's/"//g')) + $$(eval MINOR=$$(shell awk '/define MODSECURITY_MINOR /{print $$$$3}' $$(MDH) | sed 's/"//g')) + $$(eval PATCHLEV=$$(shell awk '/define MODSECURITY_PATCHLEVEL / {print $$$$3}' $$(MDH) | sed 's/"//g')) + $$(eval LIBMODSECURITY_SOVER=$$(MAJOR).$$(MINOR).$$(PATCHLEV)) + install -m755 $$(BUILDDIR_nginx)/extra/modsecurity-$(MODSECURITY_GITHASH)/local/lib/libmodsecurity.so.$$(LIBMODSECURITY_SOVER) $$(INSTALLDIR)/usr/lib/$$(DEB_HOST_MULTIARCH) + ln -fs libmodsecurity.so.$$(LIBMODSECURITY_SOVER) $$(INSTALLDIR)/usr/lib/$$(DEB_HOST_MULTIARCH)/libmodsecurity.so.$$(MAJOR) + ln -fs libmodsecurity.so.$$(LIBMODSECURITY_SOVER) $$(INSTALLDIR)/usr/lib/$$(DEB_HOST_MULTIARCH)/libmodsecurity.so mkdir -p $$(INSTALLDIR)/etc/nginx/modsec - install -m644 $$(BUILDDIR_nginx)/extra/modsecurity-v$(MODSECURITY_VERSION)/modsecurity.conf-recommended $$(INSTALLDIR)/etc/nginx/modsec/modsecurity.conf - install -m644 
$$(BUILDDIR_nginx)/extra/modsecurity-v$(MODSECURITY_VERSION)/unicode.mapping $$(INSTALLDIR)/etc/nginx/modsec/ + install -m644 $$(BUILDDIR_nginx)/extra/modsecurity-$(MODSECURITY_GITHASH)/modsecurity.conf-recommended $$(INSTALLDIR)/etc/nginx/modsec/modsecurity.conf + install -m644 $$(BUILDDIR_nginx)/extra/modsecurity-$(MODSECURITY_GITHASH)/unicode.mapping $$(INSTALLDIR)/etc/nginx/modsec/ endef export MODULE_PREINSTALL_modsecurity
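Review bot: The new `$$(eval MAJOR=...)`, `MINOR`, `PATCHLEV`, `MDH` and `LIBMODSECURITY_SOVER` assignments become global make variables in the generated debian/rules, presumably shared with every other module rule in that file, while the RPM variant uses namespaced `MODSEC_MAJOR` shell variables; short generic names like `MAJOR` are easy to clobber or be clobbered by. Prefix them (`MODSEC_MAJOR`, `MODSEC_MINOR`, `MODSEC_PATCHLEVEL`) for consistency with the RPM flavour. Because `$$(shell awk ...)` runs when the recipe is expanded, these lines also rely on the modsecurity tree already being unpacked by the prebuild step; a comment such as `# SOVER is read from the unpacked header at recipe-expansion time` on the `MDH` line would make that ordering dependency visible.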
diff --git a/docs/nginx-module-modsecurity.xml b/docs/nginx-module-modsecurity.xml
index 61b54ba..278a1cc 100644
--- a/docs/nginx-module-modsecurity.xml
+++ b/docs/nginx-module-modsecurity.xml
@@ -5,6 +5,36 @@ <change_log title="nginx_module_modsecurity"> +<changes apply="nginx-module-modsecurity" ver="1.0.2" rev="4" basever="1.21.6" + date="2022-02-02" time="18:13:46 +0300" + packager="Igor Ippolitov <iippolitov@nginx.com>"> +<change> +<para> +Modsecurity updated to 3.0.6-26-4e37985 +https://github.com/SpiderLabs/ModSecurity/commit/4e37985b22a56c5573084e7b4039288faf2a12f3 +</para> +</change> +<change> +<para> +Patch for PR2580 included +https://github.com/SpiderLabs/ModSecurity/pull/2580 +</para> +</change> +</changes> + + +<changes apply="nginx-module-modsecurity" ver="1.0.2" rev="3" basever="1.21.6" + date="2022-02-02" time="18:13:46 +0300" + packager="Igor Ippolitov <iippolitov@nginx.com>"> +<change> +<para> +Modsecurity updated to 3.0.6-26-cc83a1b +</para> +</change> + +</changes> + + <changes apply="nginx-module-modsecurity" ver="1.0.2" rev="1" basever="1.21.6" date="2022-01-25" time="18:13:46 +0300" packager="Mikhail Isachenkov <mikhail.isachenkov@nginx.com>">
diff --git a/rpm/SPECS/Makefile.module-modsecurity b/rpm/SPECS/Makefile.module-modsecurity
index ddc0d82..f48ddc3 100644
--- a/rpm/SPECS/Makefile.module-modsecurity
+++ b/rpm/SPECS/Makefile.module-modsecurity
@@ -4,23 +4,32 @@ include $(CONTRIB)/src/modsecurity/version include $(CONTRIB)/src/modsecurity-nginx/version +include $(CONTRIB)/src/libinjection/version +include $(CONTRIB)/src/secrules-language-tests/version +include $(CONTRIB)/src/modsecurity-python-bindings/version MODULE_VERSION_modsecurity= $(MODSECURITY_NGINX_VERSION) -MODULE_RELEASE_modsecurity= 2 -LIBMODSECURITY_SOVER= $(MODSECURITY_VERSION) +MODULE_RELEASE_modsecurity= 4 MODULE_VERSION_PREFIX_modsecurity=$(MODULE_TARGET_PREFIX) -MODULE_SOURCES_modsecurity= modsecurity-v$(MODSECURITY_VERSION).tar.gz \ - modsecurity-nginx-$(MODSECURITY_NGINX_GITHASH).tar.xz +MODULE_SOURCES_modsecurity= modsecurity-$(MODSECURITY_GITHASH).tar.xz \ + modsecurity-nginx-$(MODSECURITY_NGINX_GITHASH).tar.xz \ + libinjection-$(LIBINJECTION_GITHASH).tar.xz \ + secrules-language-tests-$(SECRULES_LANGUAGE_TESTS_GITHASH).tar.xz \ + modsecurity-python-bindings-$(MODSECURITY_PYTHON_BINDINGS_GITHASH).tar.xz -MODULE_PATCHES_modsecurity= $(CONTRIB)/src/modsecurity/older-libmaxminddb-compatibility.patch +MODULE_PATCHES_modsecurity= $(CONTRIB)/src/modsecurity/older-libmaxminddb-compatibility.patch \ + $(CONTRIB)/src/modsecurity/PR2580.patch MODULE_CONFARGS_modsecurity= --add-dynamic-module=modsecurity-nginx-$(MODSECURITY_NGINX_GITHASH) \ --without-pcre2 .deps-module-modsecurity: cd $(CONTRIB) && make \ + .sum-libinjection \ + .sum-secrules-language-tests \ + .sum-modsecurity-python-bindings \ .sum-modsecurity \ .sum-modsecurity-nginx touch $@ 
@@ -30,13 +39,26 @@ BuildRequires: pkgconfig(yajl) BuildRequires: libcurl-devel BuildRequires: libxml2-devel +%if 0%{?suse_version} == 0 +BuildRequires: patchelf +%endif BuildRequires: pcre-devel +BuildRequires: libtool +BuildRequires: autoconf +BuildRequires: automake endef export MODULE_DEFINITIONS_modsecurity define MODULE_PREBUILD_modsecurity -cd %{bdir}/modsecurity-v$(MODSECURITY_VERSION) \&\& \ -./configure --prefix %{bdir}/modsecurity-v$(MODSECURITY_VERSION)/local --without-lmdb --without-lua \&\& \ +cd %{bdir}/modsecurity-$(MODSECURITY_GITHASH) \&\& \ +rm -rf others/libinjection \&\& \ +ln -s ../../libinjection others/libinjection \&\& \ +rm -rf test/test-cases/secrules-language-tests \&\& \ +ln -s ../../../secrules-language-tests test/test-cases/secrules-language-tests \&\& \ +rm -rf bindings/python \&\& \ +ln -s ../../modsecurity-python-bindings bindings/python \&\& \ +./build.sh \&\& \ +./configure --prefix %{bdir}/modsecurity-$(MODSECURITY_GITHASH)/local --without-lmdb --without-lua \&\& \ make %{?_smp_mflags} install \&\& TERM=foo make check-TESTS rm -f /tmp/audit_test.log /tmp/audit_test_parallel.log rm -rf /tmp/test @@ -44,8 +66,8 @@ export MODULE_PREBUILD_modsecurity define MODULE_ENV_modsecurity -MODSECURITY_INC="%{bdir}/modsecurity-v$(MODSECURITY_VERSION)/local/include" \\ -MODSECURITY_LIB="%{bdir}/modsecurity-v$(MODSECURITY_VERSION)/local/lib" \\ +MODSECURITY_INC="%{bdir}/modsecurity-$(MODSECURITY_GITHASH)/local/include" \\ +MODSECURITY_LIB="%{bdir}/modsecurity-$(MODSECURITY_GITHASH)/local/lib" \\ NGX_IGNORE_RPATH=yes \\ endef export MODULE_ENV_modsecurity 
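Review bot: The new `rm -rf others/libinjection \&\& ln -s ../../libinjection others/libinjection` line (and the secrules-language-tests and python-bindings links below it) points at sibling directories named without a git-hash suffix, whereas the modsecurity tree itself is addressed as `%{bdir}/modsecurity-$(MODSECURITY_GITHASH)`; whether `libinjection-$(LIBINJECTION_GITHASH).tar.xz` unpacks to `libinjection` rather than `libinjection-<hash>` is not visible here. `ln -s` does not check its target, so a dangling link would only surface later from `build.sh` or `configure`; prefixing each link with `test -d ../libinjection \&\& ` (the target resolved from the current directory) fails at the point of the mistake instead. The same prebuild sequence is duplicated in the Alpine and Debian Makefiles in this commit, so a single helper script under `contrib/src/modsecurity/` invoked from all three would keep them in sync.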
@@ -53,18 +75,23 @@ MODULE_CC_OPT_DEBUG_modsecurity=-DMODSECURITY_DDEBUG=1 define MODULE_PREINSTALL_modsecurity +MODSEC_MAJOR=$$(awk '/define MODSECURITY_MAJOR /{print $$3}' %{bdir}/modsecurity-$(MODSECURITY_GITHASH)/headers/modsecurity/modsecurity.h | sed 's/"//g') +MODSEC_MINOR=$$(awk '/define MODSECURITY_MINOR /{print $$3}' %{bdir}/modsecurity-$(MODSECURITY_GITHASH)/headers/modsecurity/modsecurity.h | sed 's/"//g') +MODSEC_PATCHLEVEL=$$(awk '/define MODSECURITY_PATCHLEVEL /{print $$3}' %{bdir}/modsecurity-$(MODSECURITY_GITHASH)/headers/modsecurity/modsecurity.h | sed 's/"//g') +LIBMODSECURITY_SOVER="$$MODSEC_MAJOR.$$MODSEC_MINOR.$$MODSEC_PATCHLEVEL" %{__mkdir} -p $$RPM_BUILD_ROOT%{_bindir} -%{__install} -m755 -s %{bdir}/modsecurity-v$(MODSECURITY_VERSION)/local/bin/modsec-rules-check \ +%{__install} -m755 -s %{bdir}/modsecurity-$(MODSECURITY_GITHASH)/local/bin/modsec-rules-check \ $$RPM_BUILD_ROOT%{_bindir}/ +which patchelf \&\& patchelf --remove-rpath $$RPM_BUILD_ROOT%{_bindir}/modsec-rules-check %{__mkdir} -p $$RPM_BUILD_ROOT%{_libdir} -%{__install} -m755 %{bdir}/modsecurity-v$(MODSECURITY_VERSION)/local/lib/libmodsecurity.so.$(LIBMODSECURITY_SOVER) \ +%{__install} -m755 %{bdir}/modsecurity-$(MODSECURITY_GITHASH)/local/lib/libmodsecurity.so.$$LIBMODSECURITY_SOVER \ $$RPM_BUILD_ROOT%{_libdir}/ -%{__ln_s} -f libmodsecurity.so.$(LIBMODSECURITY_SOVER) $$RPM_BUILD_ROOT%{_libdir}/libmodsecurity.so.3 -%{__ln_s} -f libmodsecurity.so.$(LIBMODSECURITY_SOVER) $$RPM_BUILD_ROOT%{_libdir}/libmodsecurity.so +%{__ln_s} -f libmodsecurity.so.$$LIBMODSECURITY_SOVER $$RPM_BUILD_ROOT%{_libdir}/libmodsecurity.so.$$MODSEC_MAJOR +%{__ln_s} -f libmodsecurity.so.$$LIBMODSECURITY_SOVER $$RPM_BUILD_ROOT%{_libdir}/libmodsecurity.so %{__mkdir} -p $$RPM_BUILD_ROOT%{_sysconfdir}/nginx/modsec -%{__install} -m644 %{bdir}/modsecurity-v$(MODSECURITY_VERSION)/modsecurity.conf-recommended \ +%{__install} -m644 %{bdir}/modsecurity-$(MODSECURITY_GITHASH)/modsecurity.conf-recommended \ 
$$RPM_BUILD_ROOT%{_sysconfdir}/nginx/modsec/modsecurity.conf -%{__install} -m644 %{bdir}/modsecurity-v$(MODSECURITY_VERSION)/unicode.mapping \ +%{__install} -m644 %{bdir}/modsecurity-$(MODSECURITY_GITHASH)/unicode.mapping \ $$RPM_BUILD_ROOT%{_sysconfdir}/nginx/modsec/ endef export MODULE_PREINSTALL_modsecurity @@ -74,9 +101,7 @@ %config(noreplace) %{_sysconfdir}/nginx/modsec/modsecurity.conf %config(noreplace) %{_sysconfdir}/nginx/modsec/unicode.mapping %{_bindir}/modsec-rules-check -%{_libdir}/libmodsecurity.so.$(LIBMODSECURITY_SOVER) -%{_libdir}/libmodsecurity.so.3 -%{_libdir}/libmodsecurity.so +%{_libdir}/libmodsecurity.so* endef export MODULE_FILES_modsecurity
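Review bot: `which patchelf \&\& patchelf --remove-rpath ...` depends on the `which` binary, which is not part of the minimal buildroot on Fedora/EL-style systems, so the guard can fail for the wrong reason and silently skip the RPATH removal even where patchelf is installed; the POSIX shell builtin is `command -v patchelf >/dev/null \&\& patchelf --remove-rpath $$RPM_BUILD_ROOT%{_bindir}/modsec-rules-check`. Because the guard deliberately swallows the missing-tool case (patchelf is only a BuildRequires outside SUSE per the `%if 0%{?suse_version}` block), a comment on the line should say that the shipped `modsec-rules-check` presumably keeps its build-tree RPATH on SUSE. The new `MODSEC_MAJOR`/`MODSEC_MINOR`/`MODSEC_PATCHLEVEL` extraction would benefit from an empty-value guard, e.g. `[ -n "$$MODSEC_MAJOR" ] \&\& [ -n "$$MODSEC_MINOR" ] \&\& [ -n "$$MODSEC_PATCHLEVEL" ] || exit 1`, so a changed header layout fails here rather than at `install`.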
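Review bot: `%{_libdir}/libmodsecurity.so*` replaces the explicit SONAME, major-link and dev-link entries with a glob, so a wrong or empty `LIBMODSECURITY_SOVER` no longer shows up as an unpackaged or missing file at `%files` time, and any stray `libmodsecurity.so.*` left in the buildroot is shipped. If letting the major float is intended, a comment saying so would help; otherwise splitting the pattern into `%{_libdir}/libmodsecurity.so.[0-9]*` and `%{_libdir}/libmodsecurity.so` at least keeps the versioned library distinct from the unversioned dev link.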