Modsecurity: OpenBSD doesn't have the header wordexp.h

Created on 17 Jul 2018 · 8 Comments · Source: SpiderLabs/ModSecurity

Hi, I'm trying to create a port of libmodsecurity for OpenBSD. Unfortunately, src/utils/string.cc and src/utils/system.cc need the header wordexp.h, which is not available on OpenBSD. Can you make a workaround for this? The OpenBSD developers will never implement this API.

3.x RIP - Type - Feature RIP - libmodsecurity enhancement pending feedback pr available

All 8 comments

I suggest using glob(3). wordexp is evil especially since most libc wordexp implementations execute a shell to glob the input.
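
The substitution suggested in the comment above, as an added example that is not part of the thread or of ModSecurity's code: a C++ helper that expands a file pattern with glob(3) only, so shell syntax in the pattern is matched literally instead of being evaluated. The names `expand_paths` and `make_sample_dir` are hypothetical, and the sample directory and files are constructed for the demonstration.

```cpp
#include <glob.h>
#include <stdlib.h>
#include <unistd.h>
#include <fstream>
#include <iostream>
#include <list>
#include <string>

// Hypothetical helper (not a ModSecurity function): return the paths that
// match `pattern`. glob(3) does pathname matching only; it never runs a
// shell and never expands $VAR, $(...) or backticks.
std::list<std::string> expand_paths(const std::string& pattern) {
    std::list<std::string> out;
    glob_t g{};  // zeroed, so globfree() is safe on every return path
    // GLOB_ERR: report unreadable directories instead of silently skipping.
    if (glob(pattern.c_str(), GLOB_ERR, nullptr, &g) == 0) {
        for (size_t i = 0; i < g.gl_pathc; ++i) {
            out.emplace_back(g.gl_pathv[i]);
        }
    }
    // GLOB_NOMATCH simply yields an empty list. Free unconditionally:
    // glob() may have stored partial results before returning an error.
    globfree(&g);
    return out;
}

// Constructed sample input: a scratch directory with a.conf, b.conf, c.txt.
std::string make_sample_dir() {
    char tmpl[] = "/tmp/glob-demo-XXXXXX";
    const char* made = mkdtemp(tmpl);
    if (made == nullptr) return std::string();
    std::string dir(made);
    for (const char* name : {"a.conf", "b.conf", "c.txt"}) {
        std::ofstream f(dir + "/" + name);
        f << "# constructed sample\n";
    }
    return dir;
}

int main() {
    const std::string dir = make_sample_dir();
    for (const auto& p : expand_paths(dir + "/*.conf")) std::cout << p << "\n";
    // A shell-backed expander would turn this pattern into a.conf;
    // glob() looks for a file with that literal name and finds none.
    std::cout << expand_paths(dir + "/$(echo a).conf").size() << "\n";
    return 0;
}
```

Because glob(3) does not expand environment variables, it is not a drop-in replacement wherever a caller relies on `$VAR` being substituted.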

@juanfra684 Working on the patch below as a workaround. Worked fine so far on my Linux and OpenBSD builds, except that my linker on BSD is a bit unhappy at the moment with some flags. Still investigating this other issue, but you may have different results...

From b93ecb5eec8276c3bf36d123f0a9c6e4a6fa1b8b Mon Sep 17 00:00:00 2001
From: Victor Hora <[email protected]>
Date: Thu, 19 Jul 2018 02:42:13 -0400
Subject: [PATCH] Use glob.h on OpenBSD

---
 src/utils/string.cc |  4 ++++
 src/utils/system.cc | 16 +++++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/utils/string.cc b/src/utils/string.cc
index 4732eec4..37c20a0d 100644
--- a/src/utils/string.cc
+++ b/src/utils/string.cc
@@ -17,7 +17,11 @@
 #include <stdlib.h>
 #include <stddef.h>
 #include <string.h>
+#ifdef __OpenBSD__
+#include <glob.h>
+#else
 #include <wordexp.h>
+#endif
 #include <stdint.h>
 #include <inttypes.h>

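Review bot: the only change to string.cc is this include swap (the diffstat lists 4 insertions for the file and no call site is touched), so on OpenBSD the file now pulls in glob.h without any visible use of it. If string.cc does not call wordexp() itself, drop the include on all platforms instead of wrapping it in an #ifdef; if it does, that call needs the same adaptation as expandEnv() in system.cc.
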
diff --git a/src/utils/system.cc b/src/utils/system.cc
index d832640e..730999e9 100644
--- a/src/utils/system.cc
+++ b/src/utils/system.cc
@@ -17,7 +17,11 @@
 #include <stdlib.h>
 #include <stddef.h>
 #include <string.h>
+#ifdef __OpenBSD__
+#include <glob.h>
+#else
 #include <wordexp.h>
+#endif
 #include <stdint.h>
 #include <inttypes.h>

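Review bot: `#ifdef __OpenBSD__` around the include keys the choice on the operating system name, not on whether wordexp.h exists, so any other libc without the header will still fail to build. Consider a configure-time header check (autoconf's AC_CHECK_HEADERS, which defines HAVE_WORDEXP_H) and test that macro here and at the call site in expandEnv().
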
@@ -119,10 +123,17 @@ std::string get_path(const std::string& file) {
 std::list<std::string> expandEnv(const std::string& var, int flags) {
     std::list<std::string> vars;

+#ifdef __OpenBSD__
+    glob_t p;
+    if (glob(var.c_str(), flags, NULL, &p) == false) {
+        if (p.gl_pathc) {
+            for (char** exp = p.gl_pathv; *exp; ++exp) {
+#else
     wordexp_t p;
     if (wordexp(var.c_str(), &p, flags) == false) {
         if (p.we_wordc) {
             for (char** exp = p.we_wordv; *exp; ++exp) {
+#endif
                 std::ifstream *iss = new std::ifstream(exp[0], std::ios::in);
                 if (iss->is_open()) {
                     iss->close();
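Review bot: in the new `glob(var.c_str(), flags, NULL, &p)` call the caller's `flags` value is forwarded unchanged, although it was chosen for wordexp() and the WRDE_* and GLOB_* constants are unrelated bit sets; pass an explicit GLOB_* value (or 0) on this branch. glob() also only matches pathnames and does not expand `$VAR`, so a function named expandEnv behaves differently on OpenBSD, which deserves a comment. Both calls return an int status, so `== 0` is clearer than `== false`, and splitting the three opening braces across the #ifdef branches makes the block hard to follow; a small per-platform wrapper would keep the loop body in one piece.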
@@ -131,12 +142,15 @@ std::list<std::string> expandEnv(const std::string& var, int flags) {
                 delete iss;
             }
         }
+#ifdef __OpenBSD__
+        globfree(&p);
+#else
         wordfree(&p);
+#endif
     }
     return vars;
 }

-
 bool createDir(std::string dir, int mode, std::string *error) {
     int ret = mkdir(dir.data(), mode);
     if (ret != 0 && errno != EEXIST) {
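Review bot: `globfree(&p)` sits inside the success branch, so it is skipped whenever glob() returns non-zero; glob() can return an error after it has already stored some matches in `p`, and those are then never released. Move the free outside the `if` (the wordfree() branch has the same shape). The removed blank line before createDir() is an unrelated whitespace change and is better left out of this patch.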
--
2.17.0

@victorhora Robert found the problem with the linker:

@@ -18872,7 +18872,7 @@ fi


 # General link options
-if test "$PLATFORM" != "MacOSX"; then
+if test "$PLATFORM" != "MacOSX" -a "$PLATFORM" != "OpenBSD"; then
     GLOBAL_LDADD="-lrt  "
 fi

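Review bot: the condition on the `if test` line grows a list of platform names that must not get `-lrt`, which will need another edit for each system without librt; a link probe (for example autoconf's AC_SEARCH_LIBS) would decide this without naming platforms. If the name test stays, write it as `test "$PLATFORM" != "MacOSX" && test "$PLATFORM" != "OpenBSD"`, since `test ... -a ...` is marked obsolescent in POSIX. With a hunk offset of 18872 this looks like the generated configure script, so the same change has to go into its source to survive regeneration.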

I'm waiting for the approval of the libmodsecurity/nginx-modsecurity port. I will try to test your patch in the next few days.

Oh damn. I wish I had seen your comment before, @juanfra684. I spent some time digging into this issue until I realized OpenBSD doesn't like static, and I came up with the same patch as you did haha :/

Well I'll submit a pull request with both as soon as I can confirm it's not breaking anything on my local tests.

By the way, if you run into this issue: multi.c:62:24: error: variable has incomplete type 'struct timeval

You should be fine as ModSec is already compiled/linked, it's just the examples. If you want to omit the error message you can disable the examples compilation with:

./configure --enable-examples=no

I'll see if I can fix this and the testcases as well. Thanks.

The approval for the port is taking more time than expected, so feel free to commit the change if you consider it correct.

@juanfra684 https://github.com/SpiderLabs/ModSecurity/pull/1852 is up for evaluation. Let us know if you face other issues with the OpenBSD build. Thanks.

Merged already. Closing this issue. Thanks!
