[arch-commits] Commit in nginx-mod-naxsi/repos (3 files)
Giancarlo Razzolini
grazzolini at gemini.archlinux.org
Fri Jun 10 14:45:46 UTC 2022
Date: Friday, June 10, 2022 @ 14:45:46
Author: grazzolini
Revision: 1230291
archrelease: copy trunk to community-staging-x86_64
Added:
nginx-mod-naxsi/repos/community-staging-x86_64/
nginx-mod-naxsi/repos/community-staging-x86_64/587-pcre2.patch
(from rev 1230290, nginx-mod-naxsi/trunk/587-pcre2.patch)
nginx-mod-naxsi/repos/community-staging-x86_64/PKGBUILD
(from rev 1230290, nginx-mod-naxsi/trunk/PKGBUILD)
-----------------+
587-pcre2.patch | 268 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
PKGBUILD | 48 +++++++++
2 files changed, 316 insertions(+)
Copied: nginx-mod-naxsi/repos/community-staging-x86_64/587-pcre2.patch (from rev 1230290, nginx-mod-naxsi/trunk/587-pcre2.patch)
===================================================================
--- community-staging-x86_64/587-pcre2.patch (rev 0)
+++ community-staging-x86_64/587-pcre2.patch 2022-06-10 14:45:46 UTC (rev 1230291)
@@ -0,0 +1,268 @@
+From 5046ff477cf4216950ad6bb5a84869700578534b Mon Sep 17 00:00:00 2001
+From: laluigino <99279306+laluigino at users.noreply.github.com>
+Date: Fri, 11 Feb 2022 13:21:22 +0100
+Subject: [PATCH 1/3] Fix: use pcre2 when building with nginx >= 1.21.5
+
+I've tried to compile naxsi 1.3 as module for nginx 1.21.6, and got the error:
+
+error: invalid use of incomplete typedef 'ngx_regex_t' {aka 'struct pcre2_real_code_8'}
+ 205 | (tmp_idx < len && (match = pcre_exec(rl->br->rx->regex->code,
+
+I found this issue report: Ref: https://github.com/nbs-system/naxsi/issues/580
+then i tried to solve the pcre2 compatibility issue.
+
+I've included an helper function that is 'copied' from: https://github.com/nginx/nginx/blob/master/src/core/ngx_regex.c#L393
+that it is called in place of 'pcre_exec' when nginx_version >= 1021005
+
+Not sure if this is the best solution, but I managed to build naxsi 1.3 as module for nginx 1.21.6 succesfully, and it seems to work well.
+
+I'm not used to develop in C anymore (since 25 years ago, at least!), but I hope that this patch I made can help anybody else.
+---
+ naxsi_src/naxsi_runtime.c | 80 ++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 78 insertions(+), 2 deletions(-)
+
+diff --git a/naxsi_src/naxsi_runtime.c b/naxsi_src/naxsi_runtime.c
+index b63da5b9..f7961be8 100644
+--- a/naxsi_src/naxsi_runtime.c
++++ b/naxsi_src/naxsi_runtime.c
+@@ -181,6 +181,73 @@ ngx_http_naxsi_rawbody_parse(ngx_http_request_ctx_t* ctx,
+ unsigned char*
+ ngx_utf8_check(ngx_str_t* str);
+
++/*
++ * variables to use pcre2
++ */
++static pcre2_match_data *ngx_pcre2_match_data;
++static ngx_uint_t ngx_pcre2_match_data_size;
++
++/*
++ * helper function to use pcre2
++ */
++ngx_int_t
++ngx_pcre2_exec(ngx_regex_t *re, unsigned char* str, unsigned int len, ngx_int_t tmp_idx, int *captures, ngx_uint_t size)
++{
++ size_t *ov;
++ ngx_int_t rc;
++ ngx_uint_t n, i;
++
++ /*
++ * The pcre2_match() function might allocate memory for backtracking
++ * frames, typical allocations are from 40k and above. So the allocator
++ * is configured to do direct allocations from heap during matching.
++ */
++
++ if (ngx_pcre2_match_data == NULL
++ || size > ngx_pcre2_match_data_size)
++ {
++ /*
++ * Allocate a match data if not yet allocated or smaller than
++ * needed.
++ */
++
++ if (ngx_pcre2_match_data) {
++ pcre2_match_data_free(ngx_pcre2_match_data);
++ }
++
++ ngx_pcre2_match_data_size = size;
++ ngx_pcre2_match_data = pcre2_match_data_create(size / 3, NULL);
++
++ if (ngx_pcre2_match_data == NULL) {
++ rc = PCRE2_ERROR_NOMEMORY;
++ goto failed;
++ }
++ }
++
++ rc = pcre2_match(re, str, len, tmp_idx, 0, ngx_pcre2_match_data, NULL);
++
++ if (rc < 0) {
++ goto failed;
++ }
++
++ n = pcre2_get_ovector_count(ngx_pcre2_match_data);
++ ov = pcre2_get_ovector_pointer(ngx_pcre2_match_data);
++
++ if (n > size / 3) {
++ n = size / 3;
++ }
++
++ for (i = 0; i < n; i++) {
++ captures[i * 2] = ov[i * 2];
++ captures[i * 2 + 1] = ov[i * 2 + 1];
++ }
++
++failed:
++
++ return rc;
++
++}
++
+ /*
+ ** in : string to inspect, associated rule
+ ** does : apply the rule on the string, return 1 if matched,
+@@ -201,7 +268,14 @@ ngx_http_process_basic_rule_buffer(ngx_str_t* str, ngx_http_rule_t* rl, ngx_int_
+ tmp_idx = 0;
+ len = str->len;
+ while
+-#if defined nginx_version && (nginx_version >= 1002002 && nginx_version != 1003000)
++#if defined nginx_version && (nginx_version >= 1021005)
++ (tmp_idx < len && (match = ngx_pcre2_exec(rl->br->rx->regex,
++ str->data,
++ str->len,
++ tmp_idx,
++ captures,
++ 30)) >= 0)
++#elif defined nginx_version && (nginx_version >= 1002002 && nginx_version != 1003000)
+ (tmp_idx < len && (match = pcre_exec(rl->br->rx->regex->code,
+ 0,
+ (const char*)str->data,
+@@ -496,7 +570,9 @@ ngx_http_naxsi_pcre_wrapper(ngx_regex_compile_t* rx, unsigned char* str, unsigne
+ int match;
+ int captures[30];
+
+-#if defined nginx_version && (nginx_version >= 1002002 && nginx_version != 1003000)
++#if defined nginx_version && (nginx_version >= 1021005)
++ match = ngx_pcre2_exec(rx->regex, str, len, 0, captures, 1);
++#elif defined nginx_version && (nginx_version >= 1002002 && nginx_version != 1003000)
+ match = pcre_exec(rx->regex->code, 0, (const char*)str, len, 0, 0, captures, 1);
+ #elif defined nginx_version && (nginx_version > 1001011)
+ match = pcre_exec(rx->regex->pcre, 0, (const char*)str, len, 0, 0, captures, 1);
+
+From 61466698c4afb6d52cd0c8bee3309ac5e5ee53ab Mon Sep 17 00:00:00 2001
+From: laluigino <99279306+laluigino at users.noreply.github.com>
+Date: Fri, 11 Feb 2022 18:30:30 +0100
+Subject: [PATCH 2/3] Added a check for nginx_version >= 1021005
+
+Added a check for nginx_version >= 1021005 to avoid helper function definition on older versions
+---
+ naxsi_src/naxsi_runtime.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/naxsi_src/naxsi_runtime.c b/naxsi_src/naxsi_runtime.c
+index f7961be8..c2956375 100644
+--- a/naxsi_src/naxsi_runtime.c
++++ b/naxsi_src/naxsi_runtime.c
+@@ -181,6 +181,7 @@ ngx_http_naxsi_rawbody_parse(ngx_http_request_ctx_t* ctx,
+ unsigned char*
+ ngx_utf8_check(ngx_str_t* str);
+
++#if defined nginx_version && (nginx_version >= 1021005)
+ /*
+ * variables to use pcre2
+ */
+@@ -247,6 +248,7 @@ ngx_pcre2_exec(ngx_regex_t *re, unsigned char* str, unsigned int len, ngx_int_t
+ return rc;
+
+ }
++#endif
+
+ /*
+ ** in : string to inspect, associated rule
+
+From 545c8953f95ffce368f219b932039eb0a0daf1c0 Mon Sep 17 00:00:00 2001
+From: Danila Vershinin <ciapnz at gmail.com>
+Date: Tue, 22 Feb 2022 12:32:10 +0300
+Subject: [PATCH 3/3] Use NGX_PCRE2 conditional
+
+Update naxsi.h
+
+Don't include pcre.h in order for compilation to work both against pcre and pcre2
+
+Fix pcre vs pcre2 compilation
+---
+ naxsi_src/naxsi.h | 1 -
+ naxsi_src/naxsi_config.c | 9 ++++++++-
+ naxsi_src/naxsi_runtime.c | 4 ++--
+ naxsi_src/naxsi_utils.c | 8 ++++++++
+ 4 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/naxsi_src/naxsi.h b/naxsi_src/naxsi.h
+index 53df1bd8..b2f5c1a5 100644
+--- a/naxsi_src/naxsi.h
++++ b/naxsi_src/naxsi.h
+@@ -19,7 +19,6 @@
+ #include <ngx_http.h>
+ #include <ngx_http_core_module.h>
+ #include <ngx_md5.h>
+-#include <pcre.h>
+
+ extern ngx_module_t ngx_http_naxsi_module;
+
+diff --git a/naxsi_src/naxsi_config.c b/naxsi_src/naxsi_config.c
+index 4ea15567..6d2f0e23 100644
+--- a/naxsi_src/naxsi_config.c
++++ b/naxsi_src/naxsi_config.c
+@@ -322,8 +322,11 @@ naxsi_zone(ngx_conf_t* r, ngx_str_t* tmp, ngx_http_rule_t* rule)
+
+ custom_rule->target_rx = ngx_pcalloc(r->pool, sizeof(ngx_regex_compile_t));
+ return_value_if(!custom_rule->target_rx, NGX_CONF_ERROR);
+-
++#if (NGX_PCRE2)
++ custom_rule->target_rx->options = PCRE2_CASELESS | PCRE2_MULTILINE;
++#else
+ custom_rule->target_rx->options = PCRE_CASELESS | PCRE_MULTILINE;
++#endif
+ custom_rule->target_rx->pattern = custom_rule->target;
+ custom_rule->target_rx->pool = r->pool;
+ custom_rule->target_rx->err.len = 0;
+@@ -442,7 +445,11 @@ naxsi_rx(ngx_conf_t* r, ngx_str_t* tmp, ngx_http_rule_t* rule)
+ ha.len = tmp->len - strlen(RX_T);
+ rgc = ngx_pcalloc(r->pool, sizeof(ngx_regex_compile_t));
+ return_value_if(!rgc, NGX_CONF_ERROR);
++#if (NGX_PCRE2)
++ rgc->options = PCRE2_CASELESS | PCRE2_MULTILINE;
++#else
+ rgc->options = PCRE_CASELESS | PCRE_MULTILINE;
++#endif
+ rgc->pattern = ha;
+ rgc->pool = r->pool;
+ rgc->err.len = 0;
+diff --git a/naxsi_src/naxsi_runtime.c b/naxsi_src/naxsi_runtime.c
+index c2956375..33c20e27 100644
+--- a/naxsi_src/naxsi_runtime.c
++++ b/naxsi_src/naxsi_runtime.c
+@@ -270,7 +270,7 @@ ngx_http_process_basic_rule_buffer(ngx_str_t* str, ngx_http_rule_t* rl, ngx_int_
+ tmp_idx = 0;
+ len = str->len;
+ while
+-#if defined nginx_version && (nginx_version >= 1021005)
++#if (NGX_PCRE2)
+ (tmp_idx < len && (match = ngx_pcre2_exec(rl->br->rx->regex,
+ str->data,
+ str->len,
+@@ -572,7 +572,7 @@ ngx_http_naxsi_pcre_wrapper(ngx_regex_compile_t* rx, unsigned char* str, unsigne
+ int match;
+ int captures[30];
+
+-#if defined nginx_version && (nginx_version >= 1021005)
++#if (NGX_PCRE2)
+ match = ngx_pcre2_exec(rx->regex, str, len, 0, captures, 1);
+ #elif defined nginx_version && (nginx_version >= 1002002 && nginx_version != 1003000)
+ match = pcre_exec(rx->regex->code, 0, (const char*)str, len, 0, 0, captures, 1);
+diff --git a/naxsi_src/naxsi_utils.c b/naxsi_src/naxsi_utils.c
+index e3d6f185..d2ecedec 100644
+--- a/naxsi_src/naxsi_utils.c
++++ b/naxsi_src/naxsi_utils.c
+@@ -800,7 +800,11 @@ ngx_http_naxsi_create_hashtables_n(ngx_http_naxsi_loc_conf_t* dlc, ngx_conf_t* c
+ ngx_pcalloc(cf->pool, sizeof(ngx_regex_compile_t));
+ rgc = custloc_array(curr_r->br->custom_locations->elts)[name_idx].target_rx;
+ if (rgc) {
++#if (NGX_PCRE2)
++ rgc->options = PCRE2_CASELESS | PCRE2_MULTILINE;
++#else
+ rgc->options = PCRE_CASELESS | PCRE_MULTILINE;
++#endif
+ rgc->pattern = custloc_array(curr_r->br->custom_locations->elts)[name_idx].target;
+ rgc->pool = cf->pool;
+ rgc->err.len = 0;
+@@ -816,7 +820,11 @@ ngx_http_naxsi_create_hashtables_n(ngx_http_naxsi_loc_conf_t* dlc, ngx_conf_t* c
+ ngx_pcalloc(cf->pool, sizeof(ngx_regex_compile_t));
+ rgc = custloc_array(curr_r->br->custom_locations->elts)[uri_idx].target_rx;
+ if (rgc) {
++#if (NGX_PCRE2)
++ rgc->options = PCRE2_CASELESS | PCRE2_MULTILINE;
++#else
+ rgc->options = PCRE_CASELESS | PCRE_MULTILINE;
++#endif
+ rgc->pattern = custloc_array(curr_r->br->custom_locations->elts)[uri_idx].target;
+ rgc->pool = cf->pool;
+ rgc->err.len = 0;
Copied: nginx-mod-naxsi/repos/community-staging-x86_64/PKGBUILD (from rev 1230290, nginx-mod-naxsi/trunk/PKGBUILD)
===================================================================
--- community-staging-x86_64/PKGBUILD (rev 0)
+++ community-staging-x86_64/PKGBUILD 2022-06-10 14:45:46 UTC (rev 1230291)
@@ -0,0 +1,48 @@
+# Maintainer: Massimiliano Torromeo <massimiliano.torromeo at gmail.com>
+
+pkgname=nginx-mod-naxsi
+pkgver=1.3
+pkgrel=6
+_modname=naxsi
+pkgdesc='Nginx Anti XSS & SQL Injection'
+arch=('x86_64')
+depends=('nginx')
+makedepends=('nginx-src')
+url="https://github.com/nbs-system/naxsi"
+license=('GPL3')
+backup=('etc/nginx/naxsi_core.rules')
+source=(
+ https://github.com/nbs-system/$_modname/archive/$pkgver/$_modname-$pkgver.tar.gz
+ 587-pcre2.patch
+)
+validpgpkeys=(B0F4253373F8F6F510D42178520A9993A1C052F8) # Maxim Dounin <mdounin at mdounin.ru>
+sha256sums=('439c8677372d2597b4360bbcc10bc86490de1fc75695b193ad5df154a214d628'
+ 'e99f3c96e53599c0c7d1a124f422d6a878be1c571b1c29d1e9f72edd34eabe01')
+
+prepare() {
+ mkdir -p $srcdir/build
+ cd $srcdir/build
+
+ ln -sf /usr/src/nginx/auto
+ ln -sf /usr/src/nginx/src
+
+ # pcre2 patch
+ cd $srcdir/$_modname-$pkgver
+ patch -Np1 < $srcdir/587-pcre2.patch
+}
+
+build() {
+ cd $srcdir/build
+ /usr/src/nginx/configure --with-compat --add-dynamic-module=../$_modname-$pkgver/naxsi_src
+ make modules
+}
+
+package() {
+ cd $srcdir/build/objs
+ for mod in *.so; do
+ install -Dm755 $mod "$pkgdir"/usr/lib/nginx/modules/$mod
+ done
+
+ cd "$srcdir"/$_modname-$pkgver
+ install -Dm644 naxsi_config/naxsi_core.rules "$pkgdir"/etc/nginx/naxsi_core.rules
+}
More information about the arch-commits
mailing list