Ensure that proper intervention response code gets into audit log

in case of internal redirects due to e.g. error_page
defanator · Feb 4, 2021 · cd3f904 · cd3f904
1 parent a76a0c9
commit cd3f904
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 9 deletions.
diff --git a/src/ngx_http_modsecurity_module.c b/src/ngx_http_modsecurity_module.c
@@ -208,12 +208,13 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
     if (intervention.status != 200)
     {
         /**
-         * FIXME: this one will call msc_process_logging() but code may be
-         * 200 instead of 403 by some reason.
+         * FIXME: this will bring proper response code to audit log in case
+         * when e.g. error_page redirect was triggered, but there still won't be another
+         * required pieces like response headers etc.
          *
          */
-        r->err_status = intervention.status;
-        r->headers_out.status = intervention.status;
+        msc_update_status_code(ctx->modsec_transaction, intervention.status);
+
         dd("intervention -- calling log handler manually with code: %d", intervention.status);
         ngx_http_modsecurity_log_handler(r);
         ctx->logged = 1;

diff --git a/tests/modsecurity-config-custom-error-page.t b/tests/modsecurity-config-custom-error-page.t
@@ -157,14 +157,9 @@ like($t4, qr/$index_txt/, 'ModSecurity at server / other');
 like($global, qr/what=root/, 'ModSecurity at server / root present in auditlog');
 unlike($global, qr/what=other/, 'ModSecurity at server / other not present in auditlog');
 
-TODO: {
-local $TODO = 'not yet';
-
 like($local, qr/Access denied with code 403/, 'ModSecurity at location / 403 in auditlog');
 like($global, qr/Access denied with code 403/, 'ModSecurity at server / 403 in auditlog');
 
-}
-
 ###############################################################################
 
 sub http_get_host {