nginx uses its own constants for compiling regular expressions (NGX_REGEX_CASELESS | NGX_REGEX_MULTILINE), including for PCRE since version 1.21.5, rather than PCRE-library-specific ones
When compiling, there was an error "regex \"%V\" compilation failed: invalid options" (regex.c:295), but it (like all the others) was lost when parsing the configuration.
Don't use this repository, since it is abandoned; use mine directly (link below). This has been fixed, along with other bugs.
https://github.com/wargio/naxsi
Good day
nginx uses its own constants for compiling regular expressions (NGX_REGEX_CASELESS | NGX_REGEX_MULTILINE), including for PCRE since version 1.21.5, rather than PCRE-library-specific ones. When compiling, there was an error "regex \"%V\" compilation failed: invalid options" (regex.c:295), but it (like all the others) was lost when parsing the configuration.
diff here
``` diff --git a/naxsi_src/naxsi_config.c b/naxsi_src/naxsi_config.c index 6d2f0e2..e92b100 100644 --- a/naxsi_src/naxsi_config.c +++ b/naxsi_src/naxsi_config.c @@ -156,10 +156,10 @@ naxsi_score(ngx_conf_t* r, ngx_str_t* tmp, ngx_http_rule_t* rule) } } #if defined(_debug_score) && _debug_score != 0 - unsigned int z; - ngx_http_special_score_t* scr; - scr = rule->sscores->elts; if (rule->sscores) { + unsigned int z; + ngx_http_special_score_t* scr; + scr = rule->sscores->elts; for (z = 0; z < rule->sscores->nelts; z++) { ngx_conf_log_error(NGX_LOG_EMERG, r, @@ -181,6 +181,7 @@ naxsi_zone(ngx_conf_t* r, ngx_str_t* tmp, ngx_http_rule_t* rule) int tmp_len, has_zone = 0; ngx_http_custom_rule_location_t* custom_rule; char * tmp_ptr, *tmp_end; + u_char errstr[128]; return_value_if(!rule->br, NGX_CONF_ERROR); 
@@ -322,20 +323,27 @@ naxsi_zone(ngx_conf_t* r, ngx_str_t* tmp, ngx_http_rule_t* rule) custom_rule->target_rx = ngx_pcalloc(r->pool, sizeof(ngx_regex_compile_t)); return_value_if(!custom_rule->target_rx, NGX_CONF_ERROR); -#if (NGX_PCRE2) - custom_rule->target_rx->options = PCRE2_CASELESS | PCRE2_MULTILINE; + +#if defined nginx_version && (nginx_version >= 1021005) + custom_rule->target_rx->options = NGX_REGEX_CASELESS | NGX_REGEX_MULTILINE; #else custom_rule->target_rx->options = PCRE_CASELESS | PCRE_MULTILINE; #endif custom_rule->target_rx->pattern = custom_rule->target; custom_rule->target_rx->pool = r->pool; - custom_rule->target_rx->err.len = 0; - custom_rule->target_rx->err.data = NULL; + ngx_memzero(errstr, 128); + custom_rule->target_rx->err.len = 128; + custom_rule->target_rx->err.data = errstr; if (ngx_regex_compile(custom_rule->target_rx) != NGX_OK) { - NX_LOG_DEBUG(_debug_rx, NGX_LOG_EMERG, r, 0, "XX-FAILED RX:%V", custom_rule->target); + ngx_conf_log_error(NGX_LOG_EMERG, r, 0, "XX-FAILED RX(naxsi_zone):%V (\"%V\")", + custom_rule->target, &(custom_rule->target_rx->err)); + custom_rule->target_rx->err.len = 0; + custom_rule->target_rx->err.data = NULL; return (NGX_CONF_ERROR); } + custom_rule->target_rx->err.len = 0; + custom_rule->target_rx->err.data = NULL; } custom_rule->hash = ngx_hash_key_lc(custom_rule->target.data, custom_rule->target.len); @@ -436,6 +444,7 @@ naxsi_rx(ngx_conf_t* r, ngx_str_t* tmp, ngx_http_rule_t* rule) { ngx_regex_compile_t* rgc; ngx_str_t ha; + u_char errstr[128]; return_value_if(!rule->br, NGX_CONF_ERROR); 
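Review bot: In the new `ngx_conf_log_error` call in naxsi_zone, the first `%V` is given `custom_rule->target` by value, but `%V` reads an `ngx_str_t *`; the same hunk assigns `custom_rule->target` to `target_rx->pattern` and reads `custom_rule->target.data`, so it is a struct rather than a pointer. The removed NX_LOG_DEBUG call passed the same argument, but it was presumably compiled out in normal builds, whereas this call runs whenever a rule's regex fails to compile. A malformed rule would then make config parsing read through a bogus pointer instead of reporting the error. Pass the address instead: `custom_rule->target, &(custom_rule->target_rx->err));` becomes `&custom_rule->target, &(custom_rule->target_rx->err));`. naxsi_zone's body starts and ends outside the hunk.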
@@ -445,20 +454,26 @@ naxsi_rx(ngx_conf_t* r, ngx_str_t* tmp, ngx_http_rule_t* rule) ha.len = tmp->len - strlen(RX_T); rgc = ngx_pcalloc(r->pool, sizeof(ngx_regex_compile_t)); return_value_if(!rgc, NGX_CONF_ERROR); -#if (NGX_PCRE2) - rgc->options = PCRE2_CASELESS | PCRE2_MULTILINE; + +#if defined nginx_version && (nginx_version >= 1021005) + rgc->options = NGX_REGEX_CASELESS | NGX_REGEX_MULTILINE; #else rgc->options = PCRE_CASELESS | PCRE_MULTILINE; #endif rgc->pattern = ha; rgc->pool = r->pool; - rgc->err.len = 0; - rgc->err.data = NULL; + ngx_memzero(errstr, 128); + rgc->err.len = 128; + rgc->err.data = errstr; if (ngx_regex_compile(rgc) != NGX_OK) { - NX_LOG_DEBUG(_debug_rx, NGX_LOG_EMERG, r, 0, "XX-FAILED RX:%V", tmp); + ngx_conf_log_error(NGX_LOG_EMERG, r, 0, "XX-FAILED RX:%V (\"%V\")", tmp, &(rgc->err)); + rgc->err.len = 0; + rgc->err.data = NULL; return (NGX_CONF_ERROR); } + rgc->err.len = 0; + rgc->err.data = NULL; rule->br->rx = rgc; NX_LOG_DEBUG(_debug_rx, NGX_LOG_EMERG, r, 0, "XX- RX:[%V]", &(rule->br->rx->pattern)); return (NGX_CONF_OK); @@ -497,12 +512,11 @@ ngx_http_naxsi_cfg_parse_one_rule(ngx_conf_t* cf, current_rule->br = ngx_pcalloc(cf->pool, sizeof(ngx_http_basic_rule_t)); return_value_if(!current_rule->br, NGX_CONF_ERROR); } else { - NX_LOG_DEBUG(_debug_cfg_parse_one_rule, - NGX_LOG_EMERG, + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "Unknown start keyword in rule %V", - &(value[1])); + &(value[0])); return (NGX_CONF_ERROR); } @@ -515,8 +529,7 @@ ngx_http_naxsi_cfg_parse_one_rule(ngx_conf_t* cf, ret = np->pars(cf, &value[i], current_rule); if (ret != NGX_CONF_OK) { - NX_LOG_DEBUG(_debug_cfg_parse_one_rule, - NGX_LOG_EMERG, + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "XX-FAILED PARSING '%s'", diff --git a/naxsi_src/naxsi_runtime.c b/naxsi_src/naxsi_runtime.c index 6b55d2b..40524b5 100644 --- a/naxsi_src/naxsi_runtime.c +++ b/naxsi_src/naxsi_runtime.c 
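Review bot: In naxsi_rx, `rgc->err.data` points at the stack array `errstr` while `rgc` is allocated from `r->pool` and then stored in `rule->br->rx`, so only the two resets after `ngx_regex_compile` keep a dangling stack pointer out of the stored rule. That deserves a comment above the first reset, such as `/* err points at a stack buffer: clear it before rgc outlives this frame */`, so a later return path does not skip it. The size is also spelled as the literal 128 in three places (the declaration in the previous hunk, `ngx_memzero`, `err.len`); `ngx_memzero(errstr, sizeof(errstr));` and `rgc->err.len = sizeof(errstr);` keep them tied together. Both points apply equally to the naxsi_zone hunk above. nginx's own callers size this buffer with `NGX_MAX_CONF_ERRSTR`, which would avoid truncating longer PCRE messages.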
@@ -181,7 +181,7 @@ ngx_http_naxsi_rawbody_parse(ngx_http_request_ctx_t* ctx, unsigned char* ngx_utf8_check(ngx_str_t* str); -#if defined nginx_version && (nginx_version >= 1021005) +#if (NGX_PCRE2) /* * variables to use pcre2 */ diff --git a/naxsi_src/naxsi_utils.c b/naxsi_src/naxsi_utils.c index d2ecede..cc11a8f 100644 --- a/naxsi_src/naxsi_utils.c +++ b/naxsi_src/naxsi_utils.c @@ -800,8 +800,8 @@ ngx_http_naxsi_create_hashtables_n(ngx_http_naxsi_loc_conf_t* dlc, ngx_conf_t* c ngx_pcalloc(cf->pool, sizeof(ngx_regex_compile_t)); rgc = custloc_array(curr_r->br->custom_locations->elts)[name_idx].target_rx; if (rgc) { -#if (NGX_PCRE2) - rgc->options = PCRE2_CASELESS | PCRE2_MULTILINE; +#if defined nginx_version && (nginx_version >= 1021005) + rgc->options = NGX_REGEX_CASELESS | NGX_REGEX_MULTILINE; #else rgc->options = PCRE_CASELESS | PCRE_MULTILINE; #endif @@ -820,8 +820,8 @@ ngx_http_naxsi_create_hashtables_n(ngx_http_naxsi_loc_conf_t* dlc, ngx_conf_t* c ngx_pcalloc(cf->pool, sizeof(ngx_regex_compile_t)); rgc = custloc_array(curr_r->br->custom_locations->elts)[uri_idx].target_rx; if (rgc) { -#if (NGX_PCRE2) - rgc->options = PCRE2_CASELESS | PCRE2_MULTILINE; +#if defined nginx_version && (nginx_version >= 1021005) + rgc->options = NGX_REGEX_CASELESS | NGX_REGEX_MULTILINE; #else rgc->options = PCRE_CASELESS | PCRE_MULTILINE; #endif ```
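Review bot: The `#if defined nginx_version && (nginx_version >= 1021005)` option selection in `ngx_http_naxsi_create_hashtables_n` is now copied four times (naxsi_zone, naxsi_rx and the two sites here), and `defined nginx_version` makes each copy fall back to the `PCRE_*` flags silently if the header defining `nginx_version` is not included in that file. Defining the flags once in a shared header, e.g. a macro such as `NAXSI_REGEX_OPTIONS` (suggested name), and writing `rgc->options = NAXSI_REGEX_OPTIONS;` at each site would keep the sites from drifting apart. Neither hunk here shows `rgc->err` being given a buffer, so if these two compiles still run with an empty `err`, their failure text would remain lost. That is inferred, since the rest of the function is outside the hunks, and is worth checking.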