From 39f547540180005bdfddeaad0829ffb19d93567f Mon Sep 17 00:00:00 2001 From: Andrei Belov Date: Wed, 21 Mar 2018 14:54:24 +0300 Subject: [PATCH 1/2] Reverse logic of checking output in @inspectFile This change makes @inspectFile in ModSecurity 3.x to operate in exact the same way as it operates in ModSecurity 2.x, so existing helper scripts like runav.pl [1] will work without any changes. [1] https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/util/av-scanning/runav.pl --- src/operators/inspect_file.cc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/operators/inspect_file.cc b/src/operators/inspect_file.cc index 1ea1737de0..a72db488ed 100644 --- a/src/operators/inspect_file.cc +++ b/src/operators/inspect_file.cc @@ -73,10 +73,11 @@ bool InspectFile::evaluate(Transaction *transaction, const std::string &str) { pclose(in); res.append(s.str()); - if (res.size() > 1 && res.at(0) == '1') { - return true; + if (res.size() > 1 && res.at(0) != '1') { + return true; /* match */ } + /* no match */ return false; } } From be4d4a0b9206bc4d91c98fa8148d3b696d6d1b92 Mon Sep 17 00:00:00 2001 From: Andrei Belov Date: Wed, 21 Mar 2018 17:00:29 +0300 Subject: [PATCH 2/2] Adjust tests for @inspectFile operator --- test/test-cases/regression/operator-inpectFile.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/test-cases/regression/operator-inpectFile.json b/test/test-cases/regression/operator-inpectFile.json index 72cd6e2168..4252deae0c 100644 --- a/test/test-cases/regression/operator-inpectFile.json +++ b/test/test-cases/regression/operator-inpectFile.json @@ -19,7 +19,7 @@ "Content-Length": "27", "Content-Type": "application/x-www-form-urlencoded" }, - "uri":"/whee?res=0", + "uri":"/whee?res=1", "method":"GET", "body": [ ] }, @@ -57,7 +57,7 @@ "Content-Length": "27", "Content-Type": "application/x-www-form-urlencoded" }, - "uri":"/whee?res=1", + "uri":"/whee?res=0", "method":"GET", "body": [ ] }, 
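Review bot: The `res.size() > 1` guard kept on the new condition makes the operator fail open: if the script prints nothing, or a single byte such as `0` with no trailing newline, evaluate() falls through to `/* no match */` and the file is treated as clean. For an operator that the commit message ties to AV-scanning helpers like runav.pl, that is the riskier default, and it is worth confirming that 2.x behaves the same way in these two cases. I would at least accept one-byte output with `if (!res.empty() && res.at(0) != '1') {`. I would also add `/* no match: output starts with '1', or the script produced no output */` above the final return, so the empty-output policy is a visible decision. The start of evaluate() lies outside the hunk, so handling of a failed popen() cannot be judged from here.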
@@ -106,7 +106,7 @@ ] }, "expected":{ - "debug_log":"Rule returned 0." + "debug_log":"Rule returned 1." }, "rules":[ "SecRuleEngine On",