fix(*) compatible with nginx-1.23.0

https://trac.nginx.org/nginx/ticket/2312
ADD-SP · Jul 9, 2022 · 4765a3c · 4765a3c
1 parent b5a6995
commit 4765a3c
Show file tree

Hide file tree

Showing 13 changed files with 152 additions and 188 deletions.
diff --git a/bison/parser.yacc b/bison/parser.yacc
@@ -1,11 +1,11 @@
 %{
+    #include <ngx_http_waf_module_type.h>
+    #include <ngx_http_waf_module_util.h>
+    #include <ngx_http_waf_module_lexer.h>
     #include <math.h>
     #include <stdio.h>
     #include <utarray.h>
     #include <ngx_core.h>
-    #include <ngx_http_waf_module_type.h>
-    #include <ngx_http_waf_module_util.h>
-    #include <ngx_http_waf_module_lexer.h>
     int ngx_http_waf_lex (void);
     void ngx_http_waf_error (UT_array* array, ngx_pool_t* pool, const char* msg);
     void ngx_http_waf_gen_push_str_code(UT_array* array, char* str);

diff --git a/inc/ngx_http_waf_module_check.h b/inc/ngx_http_waf_module_check.h
@@ -3,23 +3,17 @@
  * @brief 检查诸如 IP，URL 等是否命中规则。
 */
 
-#include <uthash.h>
-#include <math.h>
-#include <ngx_config.h>
-#include <ngx_core.h>
-#include <ngx_http.h>
-#include <ngx_regex.h>
-#include <ngx_inet.h>
 #include <ngx_http_waf_module_macro.h>
 #include <ngx_http_waf_module_type.h>
 #include <ngx_http_waf_module_util.h>
 #include <ngx_http_waf_module_ip_trie.h>
 #include <ngx_http_waf_module_lru_cache.h>
+#include <uthash.h>
+#include <math.h>
 #include <libinjection.h>
 #include <libinjection_sqli.h>
 #include <libinjection_xss.h>
 
-
 #ifndef NGX_HTTP_WAF_MODLULE_CHECK_H
 #define NGX_HTTP_WAF_MODLULE_CHECK_H
 

diff --git a/inc/ngx_http_waf_module_config.h b/inc/ngx_http_waf_module_config.h
@@ -3,14 +3,6 @@
  * @brief 读取 nginx.conf 内的配置以及规则文件。
 */
 
-#include <stdio.h>
-
-#ifndef __STDC_WANT_LIB_EXT1__
-#define __STDC_WANT_LIB_EXT1__ 1
-#endif
-
-#include <string.h>
-#include <utarray.h>
 #include <ngx_http_waf_module_macro.h>
 #include <ngx_http_waf_module_type.h>
 #include <ngx_http_waf_module_util.h>
@@ -22,9 +14,18 @@
 #include <ngx_http_waf_module_vm.h>
 
 
+#ifndef __STDC_WANT_LIB_EXT1__
+#define __STDC_WANT_LIB_EXT1__ 1
+#endif
+
+#include <utarray.h>
+#include <stdio.h>
+#include <string.h>
+
 #ifndef NGX_HTTP_WAF_MODULE_CONFIG_H
 #define NGX_HTTP_WAF_MODULE_CONFIG_H
 
+
 ngx_int_t ngx_http_waf_handler_access_phase(ngx_http_request_t* r);
 
 /**

diff --git a/inc/ngx_http_waf_module_core.h b/inc/ngx_http_waf_module_core.h
@@ -3,24 +3,23 @@
  * @brief 配置块的初始化和请求检测函数。
 */
 
-#include <stdio.h>
-#include <uthash.h>
-#include <time.h>
-#include <math.h>
-#include <ngx_config.h>
-#include <ngx_core.h>
-#include <ngx_http.h>
-#include <ngx_regex.h>
-#include <ngx_inet.h>
+
 #include <ngx_http_waf_module_macro.h>
 #include <ngx_http_waf_module_type.h>
 #include <ngx_http_waf_module_check.h>
 #include <ngx_http_waf_module_config.h>
 #include <ngx_http_waf_module_util.h>
+#include <stdio.h>
+#include <uthash.h>
+#include <time.h>
+#include <math.h>
+
+
 
 #ifndef NGX_HTTP_WAF_MODULE_CORE_H
 #define NGX_HTTP_WAF_MODULE_CORE_H
 
+
 /**
  * @defgroup core 核心模块
  * @brief 配置块的初始化和请求检测函数。

diff --git a/inc/ngx_http_waf_module_ip_trie.h b/inc/ngx_http_waf_module_ip_trie.h
@@ -3,13 +3,13 @@
  * @brief IP 前缀树。
 */
 
-#ifndef NGX_HTTP_WAF_MODULE_IP_TRIE_h
-#define NGX_HTTP_WAF_MODULE_IP_TRIE_h
-
 #include <ngx_http_waf_module_macro.h>
 #include <ngx_http_waf_module_type.h>
 #include <ngx_http_waf_module_mem_pool.h>
 
+#ifndef NGX_HTTP_WAF_MODULE_IP_TRIE_h
+#define NGX_HTTP_WAF_MODULE_IP_TRIE_h
+
 /**
  * @defgroup ip_trie IP 前缀树
  * @addtogroup ip_trie IP 前缀树

diff --git a/inc/ngx_http_waf_module_lru_cache.h b/inc/ngx_http_waf_module_lru_cache.h
@@ -3,13 +3,13 @@
  * @brief LRU 缓存管理器
 */
 
-#ifndef __NGX_HTTP_WAF_MODULE_LRU_CACHE_H__
-#define __NGX_HTTP_WAF_MODULE_LRU_CACHE_H__
-
 #include <ngx_http_waf_module_macro.h>
 #include <ngx_http_waf_module_type.h>
 #include <ngx_http_waf_module_mem_pool.h>
 
+#ifndef __NGX_HTTP_WAF_MODULE_LRU_CACHE_H__
+#define __NGX_HTTP_WAF_MODULE_LRU_CACHE_H__
+
 
 void lru_cache_init(lru_cache_t** lru, size_t capacity, mem_pool_type_e pool_type, void* native_pool);
 

diff --git a/inc/ngx_http_waf_module_mem_pool.h b/inc/ngx_http_waf_module_mem_pool.h
@@ -3,13 +3,13 @@
  * @brief 内存池
 */
 
+#include <ngx_http_waf_module_macro.h>
+#include <ngx_http_waf_module_type.h>
+
 
 #ifndef __NGX_HTTP_WAF_MODULE_MEMORY_POOL_H__
 #define __NGX_HTTP_WAF_MODULE_MEMORY_POOL_H__
 
-#include <ngx_http_waf_module_macro.h>
-#include <ngx_http_waf_module_type.h>
-
 
 /**
  * @brief 初始化一个内存池

diff --git a/inc/ngx_http_waf_module_type.h b/inc/ngx_http_waf_module_type.h
@@ -3,21 +3,20 @@
  * @brief 相关结构体的定义
 */
 
-#include <uthash.h>
-#include <utarray.h>
-#include <utlist.h>
 #include <ngx_config.h>
 #include <ngx_core.h>
 #include <ngx_http.h>
-#include <ngx_regex.h>
-#include <ngx_inet.h>
+// #include <ngx_regex.h>
+// #include <ngx_inet.h>
 #include <ngx_http_waf_module_macro.h>
+#include <uthash.h>
+#include <utarray.h>
+#include <utlist.h>
 
 
 #ifndef NGX_HTTP_WAF_MODULE_TYPE_H
 #define NGX_HTTP_WAF_MODULE_TYPE_H
 
-
 /**
  * @typedef ngx_http_waf_check
  * @brief 请求检查函数的函数指针

diff --git a/inc/ngx_http_waf_module_under_attack.h b/inc/ngx_http_waf_module_under_attack.h
@@ -1,11 +1,11 @@
-#ifndef __NGX_HTTP_WAF_MODULE_UNDER_ATTACK_H__
-#define __NGX_HTTP_WAF_MODULE_UNDER_ATTACK_H__
-
-
 #include <ngx_http_waf_module_type.h>
 #include <ngx_http_waf_module_util.h>
 #include <ngx_http_waf_module_check.h>
 
+#ifndef __NGX_HTTP_WAF_MODULE_UNDER_ATTACK_H__
+#define __NGX_HTTP_WAF_MODULE_UNDER_ATTACK_H__
+
+
 extern ngx_module_t ngx_http_waf_module; /**< 模块详情 */
 
 /**

diff --git a/inc/ngx_http_waf_module_util.h b/inc/ngx_http_waf_module_util.h
@@ -3,14 +3,16 @@
  * @brief IPV4 字符串解析，nginx 风格转化为 C 风格字符串。
 */
 
-#ifndef NGX_HTTP_WAF_MODULE_UTIL_H
-#define NGX_HTTP_WAF_MODULE_UTIL_H
 
-#include <utarray.h>
 #include <ngx_http_waf_module_macro.h>
 #include <ngx_http_waf_module_type.h>
+#include <utarray.h>
 #include <sodium.h>
 
+#ifndef NGX_HTTP_WAF_MODULE_UTIL_H
+#define NGX_HTTP_WAF_MODULE_UTIL_H
+
+
 /**
  * @defgroup util 工具代码
  * @addtogroup util 工具代码

diff --git a/inc/ngx_http_waf_module_vm.h b/inc/ngx_http_waf_module_vm.h
@@ -1,16 +1,15 @@
-#ifndef __NGX_HTTP_WAF_MODULE_VM_H__
-#define __NGX_HTTP_WAF_MODULE_VM_H__
-
 #include <ngx_http_waf_module_macro.h>
 #include <ngx_http_waf_module_type.h>
 #include <ngx_http_waf_module_check.h>
 #include <ngx_http_waf_module_util.h>
-#include <ngx_inet.h>
 #include <utstack.h>
 #include <libinjection.h>
 #include <libinjection_sqli.h>
 #include <libinjection_xss.h>
 
+#ifndef __NGX_HTTP_WAF_MODULE_VM_H__
+#define __NGX_HTTP_WAF_MODULE_VM_H__
+
 void ngx_http_waf_print_code(UT_array* array);
 
 

diff --git a/src/ngx_http_waf_module_check.c b/src/ngx_http_waf_module_check.c
@@ -610,96 +610,74 @@ ngx_int_t ngx_http_waf_handler_check_black_cookie(ngx_http_request_t* r, ngx_int
         ngx_log_debug(NGX_LOG_DEBUG_CORE, r->connection->log, 0, 
             "ngx_waf_debug: Because this Inspection is disabled in the configuration, no Inspection is performed.");
         ret_value = NGX_HTTP_WAF_NOT_MATCHED;
-    } else if (r->headers_in.cookies.nelts != 0) {
-        ngx_log_debug(NGX_LOG_DEBUG_CORE, r->connection->log, 0, 
-            "ngx_waf_debug: Inspection has begun.");
-
-        ngx_table_elt_t** ppcookie = r->headers_in.cookies.elts;
-        size_t i;
-        for (i = 0; i < r->headers_in.cookies.nelts; i++, ppcookie++) {
-            ngx_str_t* native_cookies = &((**ppcookie).value);
-            UT_array* cookies = NULL;
-            if (ngx_http_waf_parse_cookie(native_cookies, &cookies) != NGX_HTTP_WAF_SUCCESS) {
-                continue;
-            }
-
-            ngx_str_t* key = NULL;
-            ngx_str_t* value = NULL;
-            ngx_str_t* p = NULL;
-
-            do {
-                if (key = (ngx_str_t*)utarray_next(cookies, p), p = key, key == NULL) {
-                    break;
-                }
-
-                if (value = (ngx_str_t*)utarray_next(cookies, p), p = value, value == NULL) {
-                    break;
-                }
-
-                ngx_str_t temp;
-                temp.len = key->len + value->len;
-                temp.data = (u_char*)ngx_pcalloc(r->pool, sizeof(u_char*) * temp.len);
-
-                if (temp.data == NULL) {
-                    utarray_free(cookies);
-                    goto exception;
-                }
-
-                ngx_memcpy(temp.data, key->data, key->len);
-                ngx_memcpy(temp.data + key->len, value->data, sizeof(u_char) * value->len);
+    } else {
+#if (nginx_version >= 1023000)
+        if (r->headers_in.cookie == NULL) {
+            return NGX_HTTP_WAF_NOT_MATCHED;
+        }
 
-                ngx_array_t* regex_array = loc_conf->black_cookie;
-                lru_cache_t* cache = loc_conf->black_cookie_inspection_cache;
+        ngx_table_elt_t* p = r->headers_in.cookie;
 
-                ret_value = ngx_http_waf_regex_exec_arrray_sqli_xss(r, 
-                                                                    &temp, 
-                                                                    regex_array, 
-                                                                    (u_char*)"BLACK-COOKIE", 
-                                                                    cache, 
-                                                                    NGX_HTTP_WAF_TRUE,
-                                                                    NGX_HTTP_WAF_TRUE);
+        for (p = r->headers_in.cookie; p != NULL; p = p->next) {
+            size_t len = p->key.len + p->value.len + 1;
+            u_char* buf = ngx_pcalloc(r->pool, sizeof(u_char) * (len + 1));
 
-                if (ret_value != NGX_HTTP_WAF_MATCHED) {
-                    ret_value = ngx_http_waf_regex_exec_arrray_sqli_xss(r, 
-                                                                        key, 
-                                                                        regex_array, 
-                                                                        (u_char*)"BLACK-COOKIE", 
-                                                                        cache, 
-                                                                        NGX_HTTP_WAF_TRUE,
-                                                                        NGX_HTTP_WAF_TRUE);
-                }
+            size_t offset = 0;
+            ngx_memcpy(buf + offset, p->key.data, sizeof(u_char) * p->key.len);
 
-                if (ret_value != NGX_HTTP_WAF_MATCHED) {
-                    ret_value = ngx_http_waf_regex_exec_arrray_sqli_xss(r, 
-                                                                        value, 
-                                                                        regex_array, 
-                                                                        (u_char*)"BLACK-COOKIE", 
-                                                                        cache, 
-                                                                        NGX_HTTP_WAF_TRUE,
-                                                                        NGX_HTTP_WAF_TRUE);
-                }
+            offset += sizeof(u_char) * p->key.len;
+            buf[offset] = '=';
 
-                ngx_pfree(r->pool, temp.data);
-
-                if (ret_value == NGX_HTTP_WAF_MATCHED) {
-                    ctx->blocked = NGX_HTTP_WAF_TRUE;
-                    *out_http_status = loc_conf->waf_http_status;
-                    break;
-                }
+            ++offset;
+            ngx_memcpy(buf + offset, p->value.data, sizeof(u_char) * p->value.len);
 
-            } while (p != NULL);
+            ngx_str_t cookie;
+            cookie.len = len;
+            cookie.data = buf;
 
-            utarray_free(cookies);
+            ngx_array_t* regex_array = loc_conf->black_cookie;
+            lru_cache_t* cache = loc_conf->black_cookie_inspection_cache;
+            ret_value = ngx_http_waf_regex_exec_arrray_sqli_xss(r, 
+                                                                &cookie, 
+                                                                regex_array, 
+                                                                (u_char*)"BLACK-COOKIE", 
+                                                                cache, 
+                                                                NGX_HTTP_WAF_TRUE,
+                                                                NGX_HTTP_WAF_TRUE);
 
-            if (ctx->blocked == NGX_HTTP_WAF_TRUE) {
+            if (ret_value == NGX_HTTP_WAF_MATCHED) {
+                ctx->blocked = 1;
+                *out_http_status = loc_conf->waf_http_status;
                 break;
             }
         }
+    #else
+        if (r->headers_in.cookies.nelts == 0) {
+            return NGX_HTTP_WAF_NOT_MATCHED;
+        }
 
-        exception:
+        ngx_table_elt_t** ppcookie = r->headers_in.cookies.elts;
+        size_t i;
+        for (i = 0; i < r->headers_in.cookies.nelts; i++, ppcookie++) {
+            ngx_str_t* native_cookies = &((**ppcookie).value);
 
-        ngx_log_debug(NGX_LOG_DEBUG_CORE, r->connection->log, 0, 
-            "ngx_waf_debug: Inspection is over.");
+            ngx_array_t* regex_array = loc_conf->black_cookie;
+            lru_cache_t* cache = loc_conf->black_cookie_inspection_cache;
+            ret_value = ngx_http_waf_regex_exec_arrray_sqli_xss(r, 
+                                                                native_cookies, 
+                                                                regex_array, 
+                                                                (u_char*)"BLACK-COOKIE", 
+                                                                cache, 
+                                                                NGX_HTTP_WAF_TRUE,
+                                                                NGX_HTTP_WAF_TRUE);
+
+            if (ret_value == NGX_HTTP_WAF_MATCHED) {
+                ctx->blocked = 1;
+                *out_http_status = loc_conf->waf_http_status;
+                break;
+            }
+        }
+#endif
     }
 
     ngx_log_debug(NGX_LOG_DEBUG_CORE, r->connection->log, 0,