Commit Graph

17 Commits

Author SHA1 Message Date
Ilya Shipitsin
ce7b00f926 CLEANUP: assorted typo fixes in the code and comments
This is fifth iteration of typo fixes
2020-03-31 17:09:35 +02:00
Ilya Shipitsin
1fae8db7b7 DOC: assorted typo fixes in the documentation
This is the fourth round of cleanups in various docs
2020-03-18 11:34:33 +01:00
Christopher Faulet
711ed6ae4a MAJOR: http: Remove the HTTP legacy code
First of all, all legacy HTTP analyzers and all functions exclusively used by
them were removed. So the most of the functions in proto_http.{c,h} were
removed. Only functions to deal with the HTTP transaction have been kept. Then,
http_msg and hdr_idx modules were entirely removed. And finally the structure
http_msg was lightened of all its useless information about the legacy HTTP. The
structure hdr_ctx was also removed because unused now, just like unused states
in the enum h1_state. Note that the memory pool "hdr_idx" was removed and
"http_txn" is now smaller.
2019-07-19 09:24:12 +02:00
Yann Cézard
bf60f6b803 BUG/MEDIUM: contrib/modsecurity: If host header is NULL, don't try to strdup it
I discovered this bug when running OWASP regression tests against HAProxy +
modsecurity-spoa (it's a POC to evaluate how it is working).  I found out that
modsecurity spoa will crash when the request doesn't have any Host header.

See the pull request #86 on github for details.

This patch must be backported to 1.9 and 1.8.
2019-04-29 16:26:05 +02:00
Yann Cézard
494ddbff47 DOC: contrib/modsecurity: Typos and fix the reject example
Thanks to https://www.mail-archive.com/haproxy@formilux.org/msg30056.html

This patch may be backported to 1.9 and 1.8.
2019-04-29 16:25:49 +02:00
Joseph Herlant
9fe83fa639 CLEANUP: fix typos in comments for the contrib/modsecurity subsystem
3 typos detected in code comments in the contrib/modsecurity subsystem.
2018-11-12 08:52:36 +01:00
Willy Tarreau
843b7cbe9d MEDIUM: chunks: make the chunk struct's fields match the buffer struct
Chunks are only a subset of a buffer (a non-wrapping version with no head
offset). Despite this we still carry a lot of duplicated code between
buffers and chunks. Replacing chunks with buffers would significantly
reduce the maintenance efforts. This first patch renames the chunk's
fields to match the name and types used by struct buffers, with the goal
of isolating the code changes from the declaration changes.

Most of the changes were made with spatch using this coccinelle script :

  @rule_d1@
  typedef chunk;
  struct chunk chunk;
  @@
  - chunk.str
  + chunk.area

  @rule_d2@
  typedef chunk;
  struct chunk chunk;
  @@
  - chunk.len
  + chunk.data

  @rule_i1@
  typedef chunk;
  struct chunk *chunk;
  @@
  - chunk->str
  + chunk->area

  @rule_i2@
  typedef chunk;
  struct chunk *chunk;
  @@
  - chunk->len
  + chunk->data

Some minor updates to 3 http functions had to be performed to take size_t
ints instead of ints in order to match the unsigned length here.
2018-07-19 16:23:43 +02:00
Dragan Dosen
ee07dbeca5 BUG/MINOR: contrib/modsecurity: update pointer on the end of the frame
Similar to commit 94bb4c6 ("BUG/MINOR: spoa: Update pointer on the end of
the frame when a reply is encoded").

This patch should be backported to 1.8.
2018-06-04 17:41:25 +02:00
Christopher Faulet
58b8e492a3 BUG/MINOR: contrib/modsecurity: Don't reset the status code during disconnect
When the connection is closed by HAProxy, the status code provided in the
DISCONNECT frame is lost. By retransmitting it in the agent's reply, we are sure
to have it in the SPOE logs.

This patch may be backported in 1.8.
2018-06-04 17:34:51 +02:00
Christopher Faulet
6381650516 MAJOR: spoe: upgrade the SPOP version to 2.0 and remove the support for 1.0
The commit c4dcaff3 ("BUG/MEDIUM: spoe: Flags are not encoded in network order")
introduced an incompatibility with older agents. So the major version of the
SPOP is increased to make the situation unambiguous. And because before the fix,
the protocol is buggy, the support of the version 1.0 is removed to be sure to
not continue to support buggy agents.

The agents in the contrib folder (spoa_example, modsecurity and mod_defender)
are also updated to announce the SPOP version 2.0.

So, to be clear, from the patch, connections to agents announcing the SPOP
version 1.0 will be rejected.

This patch must be backported in 1.8.
2018-06-04 17:33:48 +02:00
David Carlier
53d31594bf DOC: contrib/modsecurity: few typo fixes
Few typo fixes.
2018-05-31 20:47:39 +02:00
Christopher Faulet
633f3bffed BUG/MEDIUM: contrib/modsecurity: Use network order to encode/decode flags
A recent fix on the SPOE revealed a mismatch between the SPOE specification and
the modsecurity implementation on the way flags are encoded or decoded. They
must be exchanged using the network bytes order and not the host one.

Be careful though, this patch breaks the compatiblity with HAProxy SPOE before
commit c4dcaff3 ("BUG/MEDIUM: spoe: Flags are not encoded in network order").
2018-05-18 15:06:31 +02:00
Christian Ruppert
57dc283014 BUILD: Fix LDFLAGS vs. LIBS re linking order in various makefiles
Libraries should always be listed last. Should be backported to 1.8.

Signed-off-by: Christian Ruppert <idl0r@qasl.de>
2017-12-02 14:36:15 +01:00
Dragan Dosen
2f1cacb1aa BUG/MINOR: contrib/modsecurity: close the va_list ap before return
Make sure the va_list ap is closed before return in case the function
vsnprintf() returned an error.
2017-09-18 11:18:34 +02:00
David Carlier
0f4df640d2 BUG/MINOR: contrib/modsecurity: BSD build fix
previous version introduced in the last commit was not the correct one.
2017-07-19 14:34:31 +02:00
David CARLIER
8abbd3daa7 BUG/MINOR: contrib/mod_security: fix build on FreeBSD
Fix linker flags settings since 3rd parties libraries are not in
/usr/lib
Plus libfuzzy needs to be added.
undef LIST_HEAD from event2 which conflicts with haproxy's
2017-05-04 07:16:26 +02:00
Thierry FOURNIER
a5ec06de2c MINOR: Add ModSecurity wrapper as contrib
This patch contains a base for a modsecurity wrapper in HAProxy using SPOE.
2017-04-27 11:59:02 +02:00