From 39f547540180005bdfddeaad0829ffb19d93567f Mon Sep 17 00:00:00 2001
From: Andrei Belov <defanator@gmail.com>
Date: Wed, 21 Mar 2018 14:54:24 +0300
Subject: [PATCH 1/2] Reverse logic of checking output in @inspectFile

This change makes @inspectFile in ModSecurity 3.x to operate in exact
the same way as it operates in ModSecurity 2.x, so existing helper scripts
like runav.pl [1] will work without any changes.

[1] https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/util/av-scanning/runav.pl
---
 src/operators/inspect_file.cc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/operators/inspect_file.cc b/src/operators/inspect_file.cc
index 1ea1737de0..a72db488ed 100644
--- a/src/operators/inspect_file.cc
+++ b/src/operators/inspect_file.cc
@@ -73,10 +73,11 @@ bool InspectFile::evaluate(Transaction *transaction, const std::string &str) {
         pclose(in);
 
         res.append(s.str());
-        if (res.size() > 1 && res.at(0) == '1') {
-            return true;
+        if (res.size() > 1 && res.at(0) != '1') {
+            return true; /* match */
         }
 
+        /* no match */
         return false;
     }
 }

From be4d4a0b9206bc4d91c98fa8148d3b696d6d1b92 Mon Sep 17 00:00:00 2001
From: Andrei Belov <defanator@gmail.com>
Date: Wed, 21 Mar 2018 17:00:29 +0300
Subject: [PATCH 2/2] Adjust tests for @inspectFile operator

---
 test/test-cases/regression/operator-inpectFile.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/test/test-cases/regression/operator-inpectFile.json b/test/test-cases/regression/operator-inpectFile.json
index 72cd6e2168..4252deae0c 100644
--- a/test/test-cases/regression/operator-inpectFile.json
+++ b/test/test-cases/regression/operator-inpectFile.json
@@ -19,7 +19,7 @@
         "Content-Length": "27",
         "Content-Type": "application/x-www-form-urlencoded"
       },
-      "uri":"/whee?res=0",
+      "uri":"/whee?res=1",
       "method":"GET",
       "body": [ ]
     },
@@ -57,7 +57,7 @@
         "Content-Length": "27",
         "Content-Type": "application/x-www-form-urlencoded"
       },
-      "uri":"/whee?res=1",
+      "uri":"/whee?res=0",
       "method":"GET",
       "body": [ ]
     },
@@ -106,7 +106,7 @@
       ]
     },
     "expected":{
-      "debug_log":"Rule returned 0."
+      "debug_log":"Rule returned 1."
     },
     "rules":[
       "SecRuleEngine On",