Merge 2.5.x changes to trunk.

Author: b1v1r

Diff for: CHANGES

@@ -1,4 +1,4 @@
-23 July 2009 - trunk
+27 July 2009 - trunk
 --------------------
 
  * Allow mlogc to periodically flush memory pools.

Diff for: apache2/mlogc-src/mlogc-default.conf

@@ -64,6 +64,13 @@ ErrorLogLevel       3
 # over a slow link (e.g. not over a LAN).
 MaxConnections      10
 
+# How many requests a worker will process before recycling itself.
+# This is to help prevent problems due to any memory leaks that may
+# exists.  If this is set to 0, then no maximum is imposed. The default
+# is 1000 requests per worker (the number of workers is controlled by the
+# MaxConnections limit).
+MaxWorkerRequests   1000
+
 # The time each connection will sit idle before being reused,
 # in milliseconds. Increase if you don't want ModSecurity Console
 # to be hit with too many log collector requests.

Diff for: apache2/mlogc-src/mlogc.c

@@ -151,6 +151,7 @@ int                          keep_entries = 0;
 const char                  *log_repository = NULL;
 void                        *logline_regex = NULL;
 int                          max_connections = 10;
+int                          max_worker_requests = 1000;
 apr_global_mutex_t          *gmutex = NULL;
 apr_thread_mutex_t          *mutex = NULL;
 apr_pool_t                  *pool = NULL;
@@ -835,6 +836,13 @@ static void init_configuration(void)
         error_log(LOG_DEBUG2, NULL, "MaxConnections=%d", max_connections);
     }
 
+    s = apr_table_get(conf, "MaxWorkerRequests");
+    if (s != NULL) {
+        int v = atoi(s);
+        if (v >= 0) max_worker_requests = v;
+        error_log(LOG_DEBUG2, NULL, "MaxWorkerRequests=%d", max_worker_requests);
+    }
+
     s = apr_table_get(conf, "KeepAlive");
     if (s != NULL) {
         int v = atoi(s);
@@ -1221,6 +1229,7 @@ static void * APR_THREAD_FUNC thread_worker(apr_thread_t *thread, void *data)
     apr_pool_t *tpool;
     struct curl_slist *headerlist = NULL;
     char curl_error_buffer[CURL_ERROR_SIZE] = "";
+    int num_requests = 0;
 
     /* There is no need to do the sleep if this was an invalid entry
      * as the sleep is just to protect flooding the console server
@@ -1311,6 +1320,11 @@ static void * APR_THREAD_FUNC thread_worker(apr_thread_t *thread, void *data)
         error_log(LOG_DEBUG, thread, "Processing entry.");
         take_new = 0;
 
+        /* Keep track of requests processed if we need to */
+        if (max_worker_requests > 0) {
+            num_requests++;
+        }
+
         rc = pcre_exec(logline_regex, NULL, entry->line, entry->line_size, 0, 0,
             capturevector, CAPTUREVECTORSIZE);
         if (rc == PCRE_ERROR_NOMATCH) { /* No match. */
@@ -1479,6 +1493,15 @@ static void * APR_THREAD_FUNC thread_worker(apr_thread_t *thread, void *data)
                 take_new = 1;
                 nodelay = 1;
             }
+
+            /* If we are tracking num_requests, then shutdown if we are
+             * over our threshold.
+             */
+            if (num_requests && (num_requests >= max_worker_requests)) {
+                error_log(LOG_NOTICE, thread, "Reached max requests (%d) for this worker, exiting.", max_worker_requests);
+
+                goto THREAD_SHUTDOWN;
+            }
         }
 
         THREAD_CLEANUP:

Diff for: apache2/t/regression/action/10-logging.t

@@ -134,9 +134,7 @@
 		SecAction "phase:1,pass,nolog,auditlog"
 	),
 	match_log => {
-		-error => [ qr/ModSecurity: /, 1 ],
-		# No message, but should have data.  This may need changed
-		audit => [ qr/-H--\s+Stopwatch: /s, 1 ],
+		audit => [ qr/-H--\s+Message: .*Stopwatch: /s, 1 ],
 	},
 	match_response => {
 		status => qr/^200$/,

Diff for: apache2/t/regression/misc/00-multipart-parser.t

@@ -30,11 +30,11 @@
 			q(
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="a"
-
+				
 				1
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="b"
-
+				
 				2
 				-----------------------------69343412719991675451336310646--
 			),
@@ -70,11 +70,11 @@
 			q(
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="a"
-
+				
 				1
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="b"
-
+				
 				2
 				-----------------------------69343412719991675451336310646--),
 		),
@@ -111,11 +111,11 @@
 			q(
 				--------------------------------------------------boundary
 				Content-Disposition: form-data; name="a"
-
+				
 				1
 				--------------------------------------------------boundary
 				Content-Disposition: form-data; name="b"
-
+				
 				2
 				--------------------------------------------------boundary--
 			),
@@ -154,11 +154,11 @@
 			q(
 				----------0xKhTmLbOuNdArY
 				Content-Disposition: form-data; name="a"
-
+				
 				1
 				----------0xKhTmLbOuNdArY
 				Content-Disposition: form-data; name="b"
-
+				
 				2
 				----------0xKhTmLbOuNdArY--
 			),
@@ -195,11 +195,11 @@
 			q(
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="a"
-
+				
 				--test
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="b"
-
+				
 				--
 				-----------------------------69343412719991675451336310646--),
 		),
@@ -235,11 +235,11 @@
 			q(
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="a"
-
+				
 				1
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="b"
-
+				
 				2
 			),
 		),
@@ -273,10 +273,10 @@
 		normalize_raw_request_data(
 			q(
 				-----------------------------69343412719991675451336310646
-
+				
 				1
 				-----------------------------69343412719991675451336310646
-
+				
 				2
 				-----------------------------69343412719991675451336310646--
 			),
@@ -311,11 +311,11 @@
 			q(
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data name="a"
-
+				
 				1
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data name="b"
-
+				
 				2
 				-----------------------------69343412719991675451336310646--
 			),
@@ -351,11 +351,11 @@
 			q(
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data;
-
+				
 				1
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data;
-
+				
 				2
 				-----------------------------69343412719991675451336310646--
 			),
@@ -391,13 +391,13 @@
 			q(
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="a"
-
+				
 				1
 				-----------------------------69343412719991675451336310646
 				:
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="b"
-
+				
 				2
 				-----------------------------69343412719991675451336310646--
 			),

Diff for: doc/modsecurity2-apache-reference.xml

@@ -6,7 +6,7 @@
   Manual</title>
 
   <articleinfo>
-    <releaseinfo>Version 2.6.0-trunk (July 23, 2009)</releaseinfo>
+    <releaseinfo>Version 2.6.0-trunk (July 27, 2009)</releaseinfo>
 
     <copyright>
       <year>2004-2009</year>
@@ -249,11 +249,12 @@
   <section id="installation">
     <title>Installation</title>
 
-    <para>ModSecurity installation consists of the following steps:</para>
+    <para>ModSecurity installation requirements:</para>
 
     <orderedlist continuation="restarts" inheritnum="ignore">
       <listitem>
-        <para>ModSecurity 2.x works with Apache 2.0.x or better.</para>
+        <para>ModSecurity 2.x works only with Apache 2.0.x or higher. Version
+        2.2.x is highly recommended.</para>
       </listitem>
 
       <listitem>
@@ -264,17 +265,31 @@
       </listitem>
 
       <listitem>
-        <para>Install the latest version of libxml2, if it isn't already
-        installed on the server.</para>
+        <para>libapr and libapr-util</para>
+
+        <para><ulink type=""
+        url="http://apr.apache.org/">http://apr.apache.org/</ulink></para>
+      </listitem>
+
+      <listitem>
+        <para>libpcre</para>
+
+        <para><ulink type=""
+        url="http://www.pcre.org/">http://www.pcre.org/</ulink></para>
+      </listitem>
+
+      <listitem>
+        <para>libxml2</para>
 
         <para><ulink type=""
         url="http://xmlsoft.org/downloads.html">http://xmlsoft.org/downloads.html</ulink></para>
       </listitem>
 
       <listitem>
-        <para>Optionally install the latest version of Lua in the 5.1.x
-        branch, if it isn't already installed on the server and you will be
-        using the new Lua engine.</para>
+        <para>liblua v5.1.x</para>
+
+        <para>This library is optional and only needed if you will be using
+        the new Lua engine.</para>
 
         <para><ulink type=""
         url="http://www.lua.org/download.html">http://www.lua.org/download.html</ulink></para>
@@ -284,6 +299,21 @@
         distribution is recommended.</para>
       </listitem>
 
+      <listitem>
+        <para>libcurl v7.15.1 or higher</para>
+
+        <para>If you will be using the ModSecurity Log Collector (mlogc) to
+        send audit logs to a central repository, then you will also need the
+        curl library.</para>
+
+        <para><ulink type=""
+        url="http://curl.haxx.se/libcurl/">http://curl.haxx.se/libcurl/</ulink></para>
+      </listitem>
+    </orderedlist>
+
+    <para>ModSecurity installation consists of the following steps:</para>
+
+    <orderedlist continuation="restarts" inheritnum="ignore">
       <listitem>
         <para>Stop Apache httpd</para>
       </listitem>
@@ -444,6 +474,16 @@ LoadFile /usr/lib/liblua5.1.so</programlisting></para>
       moreinfo="none">WITH_PCRE_STUDY</literal> defined,which would possibly
       give you a slight performance edge in regular expression
       processing.</para>
+
+      <para>Non-gcc compilers may have problems running out-of-the-box as the
+      current build system was designed around the gcc compiler and some
+      compiler/linker flags may differ. To use a non-gcc compiler you may need
+      some manual Makefile tweaks if issues cannot be solved by exporting
+      custom CFLAGS and CPPFLAGS environment variables.</para>
+
+      <para>If you are upgrading from ModSecurity 1.x, please refer to the
+      migration matrix at <ulink type=""
+      url="http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf">http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf</ulink></para>
     </note>
   </section>