Picked up code from PR #273

Author: airween

src/ngx_http_modsecurity_body_filter.c

@@ -55,7 +55,7 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
  }
 
 /* get context for request */
-ctx=ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+ctx=ngx_http_modsecurity_get_module_ctx(r);
 dd("body filter, recovering ctx: %p", ctx);
 
 if (ctx==NULL||r->filter_finalize||ctx->response_body_filtered){

src/ngx_http_modsecurity_common.h

@@ -102,6 +102,7 @@ typedef struct{
 unsignedresponse_body_filtered:1;
 unsignedlogged:1;
 unsignedintervention_triggered:1;
+unsignedrequest_body_processed:1;
 } ngx_http_modsecurity_ctx_t;
 
 
@@ -142,6 +143,7 @@ extern ngx_module_t ngx_http_modsecurity_module;
 /* ngx_http_modsecurity_module.c */
 intngx_http_modsecurity_process_intervention (Transaction*transaction, ngx_http_request_t*r, ngx_int_tearly_log);
 ngx_http_modsecurity_ctx_t*ngx_http_modsecurity_create_ctx(ngx_http_request_t*r);
+ngx_http_modsecurity_ctx_t*ngx_http_modsecurity_get_module_ctx(ngx_http_request_t*r);
 char*ngx_str_to_char(ngx_str_ta, ngx_pool_t*p);
 #if (NGX_PCRE2)
 #definengx_http_modsecurity_pcre_malloc_init(x) NULL

src/ngx_http_modsecurity_header_filter.c

@@ -109,7 +109,7 @@ ngx_http_modsecurity_store_ctx_header(ngx_http_request_t *r, ngx_str_t *name, ng
 ngx_http_modsecurity_conf_t*mcf;
 ngx_http_modsecurity_header_t*hdr;
 
-ctx=ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+ctx=ngx_http_modsecurity_get_module_ctx(r);
 if (ctx==NULL||ctx->sanity_headers_out==NULL){
 returnNGX_ERROR;
  }
@@ -152,7 +152,7 @@ ngx_http_modsecurity_resolv_header_server(ngx_http_request_t *r, ngx_str_t name,
 ngx_str_tvalue;
 
 clcf=ngx_http_get_module_loc_conf(r, ngx_http_core_module);
-ctx=ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+ctx=ngx_http_modsecurity_get_module_ctx(r);
 
 if (r->headers_out.server==NULL){
 if (clcf->server_tokens){
@@ -186,7 +186,7 @@ ngx_http_modsecurity_resolv_header_date(ngx_http_request_t *r, ngx_str_t name, o
 ngx_http_modsecurity_ctx_t*ctx=NULL;
 ngx_str_tdate;
 
-ctx=ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+ctx=ngx_http_modsecurity_get_module_ctx(r);
 
 if (r->headers_out.date==NULL){
 date.data=ngx_cached_http_time.data;
@@ -216,7 +216,7 @@ ngx_http_modsecurity_resolv_header_content_length(ngx_http_request_t *r, ngx_str
 ngx_str_tvalue;
 charbuf[NGX_INT64_LEN+2];
 
-ctx=ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+ctx=ngx_http_modsecurity_get_module_ctx(r);
 
 if (r->headers_out.content_length_n>0)
 {
@@ -243,7 +243,7 @@ ngx_http_modsecurity_resolv_header_content_type(ngx_http_request_t *r, ngx_str_t
 {
 ngx_http_modsecurity_ctx_t*ctx=NULL;
 
-ctx=ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+ctx=ngx_http_modsecurity_get_module_ctx(r);
 
 if (r->headers_out.content_type.len>0)
 {
@@ -270,7 +270,7 @@ ngx_http_modsecurity_resolv_header_last_modified(ngx_http_request_t *r, ngx_str_
 u_charbuf[1024], *p;
 ngx_str_tvalue;
 
-ctx=ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+ctx=ngx_http_modsecurity_get_module_ctx(r);
 
 if (r->headers_out.last_modified_time==-1){
 return1;
@@ -302,7 +302,7 @@ ngx_http_modsecurity_resolv_header_connection(ngx_http_request_t *r, ngx_str_t n
 ngx_str_tvalue;
 
 clcf=ngx_http_get_module_loc_conf(r, ngx_http_core_module);
-ctx=ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+ctx=ngx_http_modsecurity_get_module_ctx(r);
 
 if (r->headers_out.status==NGX_HTTP_SWITCHING_PROTOCOLS){
 connection="upgrade";
@@ -353,7 +353,7 @@ ngx_http_modsecurity_resolv_header_transfer_encoding(ngx_http_request_t *r, ngx_
 if (r->chunked){
 ngx_str_tvalue=ngx_string("chunked");
 
-ctx=ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+ctx=ngx_http_modsecurity_get_module_ctx(r);
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
 ngx_http_modsecurity_store_ctx_header(r, &name, &value);
@@ -380,7 +380,7 @@ ngx_http_modsecurity_resolv_header_vary(ngx_http_request_t *r, ngx_str_t name, o
 if (r->gzip_vary&&clcf->gzip_vary){
 ngx_str_tvalue=ngx_string("Accept-Encoding");
 
-ctx=ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+ctx=ngx_http_modsecurity_get_module_ctx(r);
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
 ngx_http_modsecurity_store_ctx_header(r, &name, &value);
@@ -422,7 +422,7 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
 
 /* XXX: if NOT_MODIFIED, do we need to process it at all? see xslt_header_filter() */
 
-ctx=ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+ctx=ngx_http_modsecurity_get_module_ctx(r);
 
 dd("header filter, recovering ctx: %p", ctx);
 

src/ngx_http_modsecurity_log.c

@@ -60,13 +60,13 @@ ngx_http_modsecurity_log_handler(ngx_http_request_t *r)
  return NGX_OK;
  }
  */
-ctx=ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+ctx=ngx_http_modsecurity_get_module_ctx(r);
 
 dd("recovering ctx: %p", ctx);
 
 if (ctx==NULL){
-dd("something really bad happened here. returning NGX_ERROR");
-returnNGX_ERROR;
+dd("ModSecurity not enabled or error occurred");
+returnNGX_OK;
  }
 
 if (ctx->logged){

src/ngx_http_modsecurity_module.c

@@ -149,7 +149,7 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
 
 dd("processing intervention");
 
-ctx=ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+ctx=ngx_http_modsecurity_get_module_ctx(r);
 if (ctx==NULL)
 {
 returnNGX_HTTP_INTERNAL_SERVER_ERROR;
@@ -314,6 +314,27 @@ ngx_http_modsecurity_create_ctx(ngx_http_request_t *r)
 returnctx;
 }
 
+ngx_inlinengx_http_modsecurity_ctx_t*
+ngx_http_modsecurity_get_module_ctx(ngx_http_request_t*r)
+{
+ngx_http_modsecurity_ctx_t*ctx;
+ctx=ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+if (ctx==NULL){
+/*
+ * refer <nginx>/src/http/modules/ngx_http_realip_module.c
+ * if module context was reset, the original address
+ * can still be found in the cleanup handler
+ */
+ngx_pool_cleanup_t*cln;
+for (cln=r->pool->cleanup; cln; cln=cln->next){
+if (cln->handler==ngx_http_modsecurity_cleanup){
+ctx=cln->data;
+break;
+ }
+ }
+ }
+returnctx;
+}
 
 char*
 ngx_conf_set_rules(ngx_conf_t*cf, ngx_command_t*cmd, void*conf)

src/ngx_http_modsecurity_pre_access.c

@@ -27,7 +27,7 @@ ngx_http_modsecurity_request_read(ngx_http_request_t *r)
 {
 ngx_http_modsecurity_ctx_t*ctx;
 
-ctx=ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+ctx=ngx_http_modsecurity_get_module_ctx(r);
 
 #if defined(nginx_version) &&nginx_version >= 8011
 r->main->count--;
@@ -70,7 +70,7 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
  }
  */
 
-ctx=ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+ctx=ngx_http_modsecurity_get_module_ctx(r);
 
 dd("recovering ctx: %p", ctx);
 
@@ -80,6 +80,11 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
 returnNGX_HTTP_INTERNAL_SERVER_ERROR;
  }
 
+if (ctx->request_body_processed){
+// should we use r->internal or r->filter_finalize?
+returnNGX_DECLINED;
+ }
+
 if (ctx->intervention_triggered){
 returnNGX_DECLINED;
  }
@@ -212,6 +217,7 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
 
 old_pool=ngx_http_modsecurity_pcre_malloc_init(r->pool);
 msc_process_request_body(ctx->modsec_transaction);
+ctx->request_body_processed=1;
 ngx_http_modsecurity_pcre_malloc_done(old_pool);
 
 ret=ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 0);

src/ngx_http_modsecurity_rewrite.c

@@ -46,7 +46,7 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
 
 dd("catching a new _rewrite_ phase handler");
 
-ctx=ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
+ctx=ngx_http_modsecurity_get_module_ctx(r);
 
 dd("recovering ctx: %p", ctx);