nginx: Considering modsec state before apply any rules

For some reason the state of modsec (enable, disable or detecting only) was not being checked under certain circumstances. For instance, while reading the body. This was leading ModSecurity to fail and consequently nginx. This patch added the to standalone implementation mechanism to verify the state that is now verified under the nginx module.
owasp-modsecurity · Jan 14, 2014 · fe14d9d · fe14d9d
1 parent 9bf1f6a
commit fe14d9d
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 0 deletions.
diff --git a/nginx/modsecurity/ngx_http_modsecurity.c b/nginx/modsecurity/ngx_http_modsecurity.c
@@ -1027,6 +1027,10 @@ ngx_http_modsecurity_handler(ngx_http_request_t *r)
         return rc;
     }
 
+    if (modsecContextState(ctx->req) == MODSEC_DISABLED) {
+        return NGX_DECLINED;
+    }
+
     if (r->method == NGX_HTTP_POST 
             && modsecIsRequestBodyAccessEnabled(ctx->req) ) {
 

diff --git a/standalone/api.c b/standalone/api.c
@@ -500,6 +500,16 @@ void modsecSetConfigForIISRequestBody(request_rec *r)
         msr->txcfg->stream_inbody_inspection = 1;
 }
 
+int modsecContextState(request_rec *r)
+{
+    modsec_rec *msr = retrieve_msr(r);
+
+    if(msr == NULL || msr->txcfg == NULL)
+        return NOT_SET;
+
+    return msr->txcfg->is_enabled;
+}
+
 int modsecIsRequestBodyAccessEnabled(request_rec *r)
 {
     modsec_rec *msr = retrieve_msr(r);
@@ -681,3 +691,4 @@ void modsecSetDropAction(int (*func)(request_rec *r)) {
 const char *modsecIsServerSignatureAvailale(void) {
     return new_server_signature;
 }
+
diff --git a/standalone/api.h b/standalone/api.h
@@ -112,6 +112,8 @@ void modsecSetDropAction(int (*func)(request_rec *r));
 int modsecIsResponseBodyAccessEnabled(request_rec *r);
 int modsecIsRequestBodyAccessEnabled(request_rec *r);
 
+int modsecContextState(request_rec *r);
+
 void modsecSetConfigForIISRequestBody(request_rec *r);
 
 const char *modsecIsServerSignatureAvailale(void);