From: Adam Osuchowski Date: Fri, 31 Jul 2015 21:59:24 +0000 (+0200) Subject: - modsecurity fixing patch (https://github.com/SpiderLabs/ModSecurity/issues/582) X-Git-Tag: auto/th/nginx-1.8.0-4 X-Git-Url: https://git.pld-linux.org/?p=packages%2Fnginx.git;a=commitdiff_plain;h=7ce2935cc5ca3aa2ea15cd8707127c32b343fc22 - modsecurity fixing patch (https://github.com/SpiderLabs/ModSecurity/issues/582) --- diff --git a/nginx-modsecurity-xheaders.patch b/nginx-modsecurity-xheaders.patch new file mode 100644 index 0000000..1391d17 --- /dev/null +++ b/nginx-modsecurity-xheaders.patch @@ -0,0 +1,83 @@ +diff -ruNp modsecurity-2.9.0.orig/nginx/modsecurity/ngx_http_modsecurity.c modsecurity-2.9.0/nginx/modsecurity/ngx_http_modsecurity.c +--- modsecurity-2.9.0.orig/nginx/modsecurity/ngx_http_modsecurity.c 2015-02-12 20:08:31.000000000 +0100 ++++ modsecurity-2.9.0/nginx/modsecurity/ngx_http_modsecurity.c 2015-07-31 23:34:31.601688075 +0200 +@@ -28,6 +28,7 @@ + + typedef struct { + ngx_flag_t enable; ++ ngx_flag_t x_headers; + directory_config *config; + + ngx_str_t *file; +@@ -83,6 +84,12 @@ static ngx_command_t ngx_http_modsecuri + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_modsecurity_loc_conf_t, enable), + NULL }, ++ { ngx_string("ModSecurityXHeaders"), ++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_TAKE1, ++ ngx_conf_set_flag_slot, ++ NGX_HTTP_LOC_CONF_OFFSET, ++ offsetof(ngx_http_modsecurity_loc_conf_t, x_headers), ++ NULL }, + ngx_null_command + }; + +@@ -432,7 +439,11 @@ ngx_http_modsecurity_save_headers_in_vis + } + + ngx_strlow(h->lowcase_key, h->key.data, h->key.len); ++ h->lowcase_key[h->key.len] = '\0'; + ++ if (!ngx_strcmp(h->lowcase_key, "host")) ++ return 1; ++ + h->hash = ngx_hash_key(h->lowcase_key, h->key.len); + + cmcf = ngx_http_get_module_main_conf(r, ngx_http_core_module); +@@ -737,8 +748,10 @@ ngx_http_modsecurity_save_headers_out_vi + ngx_table_elt_t *h, he; + ngx_http_upstream_header_t *hh; + ngx_http_upstream_main_conf_t *umcf; ++ ngx_table_elt_t *tmp_header; + + umcf = ngx_http_get_module_main_conf(r, ngx_http_upstream_module); ++ ngx_http_modsecurity_loc_conf_t *conf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity); + + h = &he; + +@@ -755,6 +768,19 @@ ngx_http_modsecurity_save_headers_out_vi + + ngx_strlow(h->lowcase_key, h->key.data, h->key.len); + ++ if (conf->x_headers) { ++ h->lowcase_key[h->key.len] = '\0'; ++ if (h->lowcase_key[0] == 'x' && ++ h->lowcase_key[1] == '-') { ++ ++ tmp_header = ngx_list_push(&r->headers_out.headers); ++ tmp_header->key = h->key; ++ tmp_header->value = h->value; ++ tmp_header->hash = 1; ++ return 1; ++ } ++ } ++ + h->hash = ngx_hash_key(h->lowcase_key, h->key.len); + + hh = ngx_hash_find(&umcf->headers_in_hash, h->hash, +@@ -810,6 +836,7 @@ ngx_http_modsecurity_create_loc_conf(ngx + + conf->config = NGX_CONF_UNSET_PTR; + conf->enable = NGX_CONF_UNSET; ++ conf->x_headers = NGX_CONF_UNSET; + + return conf; + } +@@ -823,6 +850,7 @@ ngx_http_modsecurity_merge_loc_conf(ngx_ + ngx_http_modsecurity_loc_conf_t *conf = child; + + ngx_conf_merge_value(conf->enable, prev->enable, 0); ++ ngx_conf_merge_value(conf->x_headers, prev->x_headers, 0); + ngx_conf_merge_ptr_value(conf->config, prev->config, NULL); + + if (conf->enable && conf->config == NULL) { diff --git a/nginx.spec b/nginx.spec index ad59d5c..0f24de2 100644 --- a/nginx.spec +++ b/nginx.spec @@ -65,6 +65,7 @@ Source22: http://www.modsecurity.org/tarball/%{modsecurity_version}/modsecurity- Source101: https://github.com/arut/nginx-rtmp-module/archive/v%{rtmp_version}/nginx-rtmp-module-%{rtmp_version}.tar.gz # Source101-md5: 8006de2560db3e55bb15d110220076ac Patch0: %{name}-no-Werror.patch +Patch1: %{name}-modsecurity-xheaders.patch URL: http://nginx.net/ %{?with_modsecurity:BuildRequires: lua-devel} BuildRequires: mailcap @@ -283,6 +284,7 @@ Plik monitrc do monitorowania serwera WWW nginx. %prep %setup -q %{?with_rtmp:-a101} %{?with_modsecurity:-a22} %patch0 -p0 +%{?with_modsecurity:%patch1 -p0} %if %{with rtmp} mv nginx-rtmp-module-%{rtmp_version} nginx-rtmp-module