Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix response body #5

Open
wants to merge 32 commits into
base: master
Choose a base branch
from
Open

Fix response body #5

wants to merge 32 commits into from

Conversation

dennus
Copy link
Owner

@dennus dennus commented May 16, 2018

No description provided.

Felipe Zimmerle and others added 30 commits December 20, 2017 11:30
Adds Andrei Belov in the list of authors
9fbcc24
Updates the CHANGES files
c0ae166
@defanator
travis-ci: update nginx versions to latest available
4582a36
@AirisX
Fixed memory leak
2966dd6
@AirisX
modsec initialized with NULL
c66e52c
CHANGES: Adds info about owasp-modsecurity#80
7e328a3
@defanator
Emit connector version in error log
d77c4c1 
While here, fixed msc_set_connector_info() to use consistent
version string.

This fixes owasp-modsecurity#85.
CHANGES: Adds info about owasp-modsecurity#88
995f631
Fix typo in the CHANGES file
dfb341c
@defanator
Fix memory leak in intervention processing
bcfe69a 
intervention.log is being allocated via strdup() here:
https://github.com/SpiderLabs/ModSecurity/blob/v3/master/src/transaction.cc#L1362

and should be freed by connector.
CHANGES: Adds info about owasp-modsecurity#100
6d5f759
@defanator
README: libmodsecurity is now GA, removing outdated notice
6811784
@defanator
README: use common capitalization style for "nginx" as a software
8085a2f
@defanator
README: minor fixes
3c86d57
@defanator
README: revisited configuration directives section
8125265
@defanator
README: improve formatting
c7c0676
@victorhora
Merge pull request owasp-modsecurity#102 from defanator/readme_update
4cde86b 
A number of improvements in README
@dennus
fix log output
08c3fba
@AirisX
The pool pointer is now available for ngx_http_modsecurity_config_cle…
106572e 
…anup
CHANGES: Adds info about owasp-modsecurity#87
c9e38d8
@turchanov
Fix incorrect handling of request/response body
269fde2 
Fix incorrect handling of request/response body data chain of ngx_buf_t
buffers. The documentation
[http://nginx.org/en/docs/dev/development_guide.html#buffer] clearly
states that .pos, .last must be used to reference actual data contained
by the buffer. Whereas .start, .end denote the boundaries of the memory
block allocated for the buffer (in case of dynamically allocated data)
or just NULL (when .pos, .last reference a static memory location - one
can see that kind of usage in
ngx_http_gzip_filter_module.c:ngx_http_gzip_filter_gzheader()). To back
up my words I invite to examine
ngx_http_charset_filter_module.c:ngx_http_charset_recode() as an example
of iteration over data contained in data buffer.

Without this fix ngx_http_modsecurity_body_filter feeds random bytes from
memory pointed by .start, .end range to msc_append_response_body. In my case
is was 8KB of data instead of 10 bytes when referenced by (.pos, .last).
That is this vulnerability may disclose sensitive data like passwords or
whatever from nginx heap.

The fix for ngx_http_modsecurity_pre_access_handler is to use .pos not .start to
reference data as they may differ in general case.
@turchanov
Fixed processing of response body chunks in ngx_http_modsecurity_body…
29409ab 
…_filter.

A body filter function (ngx_http_modsecurity_body_filter in our case)
can be called by Nginx several times during request processing. And
each time with it own unique set of chained buf pointers.

For example, suppose a complete response consists of this chain of data:
    A->B->C->D->E
Ngix may (and actually does, as verified by me in gdb) call body filter two
times like this:
    handler(r, in = A->B->C)
    handler(r, in = D->E), E has last_buf set

Current implementation delays feeding chain->buf to msc_append_response_body
until it comes upon a chain with buf->last_buf set. So we loose chain containing
A->B->C sequence. We must process body bufs as soon as we see them in body
handler otherwise we will not see them again.

N.B. You have PR owasp-modsecurity#84 pending. It goes further and fixes the problem when
a blocking decision is made after headers were sent. I intentionally retained
current (buggy) behavior to make my patch less intrusive and easier to review.
Besides owasp-modsecurity#84 impose an excessive memory usage due to a complete copy of all
bufs passed through body filter (we have sometimes 500K and more replies in our
applications) - I will elaborate on this in code review for owasp-modsecurity#84.
CHANGES: Adds info about owasp-modsecurity#104 & owasp-modsecurity#105
a4f2a5b
@turchanov
Fix processing of response body when gzip compression is enabled
e4df1aa 
Changed placement of ngx_http_modsecurity_module in nginx load order of modules to come after ngx_http_gzip_filter_module so that we could read a response body before it gets compressed.

Prior to this fix ngx_http_modsecurity_body_filter was called after gzip filter
so that msc_append_response_body was fed with compressed body bytes thus
effectively making all further response body processing meaningless.
CHANGES: Adds info about owasp-modsecurity#107
37b76e8
@dennus
Merge branch 'master' into fix_response_body
6faf0b1
@dennus
Switch ResponseBodyAccess on Phase 4
e59954f
@dennus
fix return
17cb5b4
@dennus
case sentivity var name?
42c6a98
@dennus
Update ngx_http_modsecurity_body_filter.c
5f5a32c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@dennus @defanator @AirisX @victorhora @turchanov