Revert "Process request in background when in detection mode." (#108)

vkrivopalov · web-flow · commit 7526371c17f8 · 2019-04-02T14:47:09.000-07:00
Let's give it more testing before rolling the fix out in production as we've been hit badly with a bug in a similar fix for Nginx. This reverts commit 2aa9412.
diff --git a/iis/Makefile.win b/iis/Makefile.win
@@ -37,8 +37,7 @@ INCLUDES = -I. -I.. \
            -I..\apache2 \
            -I..\standalone \
            -I..\apache2\ag_mdb \
-           -I..\apache2\waf_lock \
-           -Iasio\asio\include
+           -I..\apache2\waf_lock
 
 # Enables support for SecRemoteRules and external resources.
 DEFS=$(DEFS) -DWITH_CURL -DWITH_REMOTE_RULES
diff --git a/iis/mymodule.cpp b/iis/mymodule.cpp
@@ -19,7 +19,6 @@
 #include <string>
 #include <cctype>
 #include <memory>
-#include <future>
 
 //  IIS7 Server API header file
 #include <Windows.h>
@@ -36,9 +35,6 @@
 
 #include "winsock2.h"
 
-#include "asio/packaged_task.hpp"
-#include "asio/post.hpp"
-
 // These helpers make sure that the underlying structures
 // are correctly released on any exit path due to RAII.
 using ConnRecPtr = std::shared_ptr<conn_rec>;
@@ -66,8 +62,6 @@ struct RequestStoredContext
     char* responseBuffer = nullptr;
     ULONGLONG responseLength = 0;
     ULONGLONG responsePosition = 0;
-    bool responseProcessingEnabled = false;
-    std::future<int> detectionProcessing;
 
     void CleanupStoredContext() override
     {
@@ -506,97 +500,6 @@ static HRESULT SaveRequestBodyToRequestRec(RequestStoredContext* rsc)
     return S_OK;
 }
 
-
-static apr_status_t ReadBodyCallback(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos)
-{
-    RequestStoredContext *rsc = RetrieveIISContext(r);
-
-    *readcnt = 0;
-
-    if (rsc == NULL)
-    {
-        *is_eos = 1;
-        return APR_SUCCESS;
-    }
-
-    IHttpContext *pHttpContext = rsc->httpContext;
-    IHttpRequest *pRequest = pHttpContext->GetRequest();
-
-    if (pRequest->GetRemainingEntityBytes() == 0)
-    {
-        *is_eos = 1;
-        return APR_SUCCESS;
-    }
-
-    HRESULT hr = pRequest->ReadEntityBody(buf, length, false, (DWORD *)readcnt, NULL);
-
-    if (FAILED(hr))
-    {
-        // End of data is okay.
-        if (ERROR_HANDLE_EOF != (hr & 0x0000FFFF))
-        {
-            // Set the error status.
-            rsc->provider->SetErrorStatus(hr);
-        }
-
-        *is_eos = 1;
-    }
-
-    return APR_SUCCESS;
-}
-
-static apr_status_t WriteBodyCallback(request_rec *r, char *buf, unsigned int length)
-{
-    RequestStoredContext *rsc = RetrieveIISContext(r);
-
-    if (!rsc || !rsc->requestRec)
-        return APR_SUCCESS;
-
-    IHttpContext *pHttpContext = rsc->httpContext;
-    IHttpRequest *pHttpRequest = pHttpContext->GetRequest();
-
-    auto lengthStr = std::to_string(length);
-
-    // Remove/Modify Transfer-Encoding header if "chunked" Encoding is set in the request. 
-    // This is to avoid sending both Content-Length and Chunked Transfer-Encoding in the request header.
-
-    USHORT ctcch = 0;
-    char *ct = (char *)pHttpRequest->GetHeader(HttpHeaderTransferEncoding, &ctcch);
-    if (ct)
-    {
-        char *ctz = ZeroTerminate(ct, ctcch, r->pool);
-        if (ctcch != 0)
-        {
-            if (0 == stricmp(ctz, "chunked"))
-            {
-                pHttpRequest->DeleteHeader(HttpHeaderTransferEncoding);
-            }
-        }
-    }
-
-    HRESULT hr = pHttpRequest->SetHeader(
-        HttpHeaderContentLength,
-        lengthStr.c_str(),
-        (USHORT)lengthStr.size(),
-        TRUE);
-
-    if (FAILED(hr))
-    {
-        // possible, but there's nothing we can do
-    }
-
-    // since we clean the APR pool at the end of OnSendRequest, we must get IIS-managed memory chunk
-    //
-    void *reqbuf = pHttpContext->AllocateRequestMemory(length);
-
-    memcpy(reqbuf, buf, length);
-
-    pHttpRequest->InsertEntityBody(reqbuf, length);
-
-    return APR_SUCCESS;
-}
-
-
 REQUEST_NOTIFICATION_STATUS
 CMyHttpModule::OnSendResponse(
     IN IHttpContext * pHttpContext,
@@ -606,18 +509,12 @@ CMyHttpModule::OnSendResponse(
     RequestStoredContext* rsc = dynamic_cast<RequestStoredContext*>(pHttpContext->GetModuleContextContainer()->GetModuleContext(g_pModuleContext));
 
     CriticalSectionLock lock{cs};
-    // here we must check if response body processing is enabled
-    //
-    if (!rsc || !rsc->requestRec || rsc->responseBuffer != nullptr || !rsc->responseProcessingEnabled)
-    {
-        goto Exit;
-    }
-
-    // If we have offloaded request processing to the thread pool
-    // we need to wait for its completion before we can proceed
-    if (rsc->detectionProcessing.valid()) {
-        rsc->detectionProcessing.get();
-    }
+	// here we must check if response body processing is enabled
+	//
+	if(!rsc || !rsc->requestRec || rsc->responseBuffer != nullptr || !modsecIsResponseBodyAccessEnabled(rsc->requestRec.get()))
+	{
+		goto Exit;
+	}
 
     HRESULT hr = S_OK;
     IHttpResponse *pHttpResponse = NULL;
@@ -968,8 +865,7 @@ CMyHttpModule::OnBeginRequest(IHttpContext* httpContext, IHttpEventProvider* pro
     rsc->connRec = connRec;
     rsc->requestRec = requestRec;
     rsc->httpContext = httpContext;
-    rsc->provider = provider;
-    rsc->responseProcessingEnabled = (config->config->resbody_access == 1);
+    rsc->provider = provider;	
     RequestStoredContext* context = rsc.get();
 
     StoreIISContext(r, rsc.get());
@@ -1208,35 +1104,19 @@ CMyHttpModule::OnBeginRequest(IHttpContext* httpContext, IHttpEventProvider* pro
         return RQ_NOTIFICATION_FINISH_REQUEST;
     }
 
-    if (config->config->is_enabled == MODSEC_DETECTION_ONLY)
-    {
-        // We post the processing task to the thread pool to happen in the background.
-        // We store the future to track and wait for this processing in case if we also
-        // need to process the response because we need request processing to finish
-        // before we can start with the response.
-        context->detectionProcessing = asio::post(threadPool,
-            std::packaged_task<int()> {
-            [connRec, requestRec] {
-                return modsecProcessRequest(requestRec.get());
-            }
-        });
-    }
-    else
-    {
-        lock.unlock();
-        int status = modsecProcessRequest(r);
-        lock.lock();
+    lock.unlock();
+    int status = modsecProcessRequest(r);
+    lock.lock();
 
-        if (status != DECLINED)
-        {
-            httpContext->GetResponse()->SetStatus(status, "ModSecurity Action");
-            httpContext->SetRequestHandled();
+	if(status != DECLINED)
+	{
+		httpContext->GetResponse()->SetStatus(status, "ModSecurity Action");
+		httpContext->SetRequestHandled();
 
-            return RQ_NOTIFICATION_FINISH_REQUEST;
-        }
-    }
+        return RQ_NOTIFICATION_FINISH_REQUEST;
+	}
 
-    return RQ_NOTIFICATION_CONTINUE;
+	return RQ_NOTIFICATION_CONTINUE;
 }
 
 apr_status_t ReadResponseCallback(request_rec *r, char *buf, unsigned int length, unsigned int *readcnt, int *is_eos)
diff --git a/iis/mymodule.h b/iis/mymodule.h
@@ -12,10 +12,8 @@
 * directly using the email address security@modsecurity.org.
 */
 
-#pragma once
-
-#define ASIO_STANDALONE
-#include "asio/thread_pool.hpp"
+#ifndef __MY_MODULE_H__
+#define __MY_MODULE_H__
 
 #include "critical_section.h"
 #include "event_logger.h"
@@ -48,8 +46,8 @@ class CMyHttpModule
 private:
     CriticalSection cs;
     EventLogger logger;
-    asio::thread_pool threadPool;
     DWORD pageSize = 0;
     bool statusCallAlreadySent = false;
 };
 
+#endif
