From 5beff5fe6730b71f3046de1f0ed519feef7472dd Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: May 18 2021 06:46:05 +0000
Subject: import mod_security-2.9.2-9.el8


---

diff --git a/SOURCES/mod_security-2.9.2-remote-rules-timeout.patch b/SOURCES/mod_security-2.9.2-remote-rules-timeout.patch
new file mode 100644
index 0000000..ec1cc59
--- /dev/null
+++ b/SOURCES/mod_security-2.9.2-remote-rules-timeout.patch
@@ -0,0 +1,85 @@
+diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
+index ce97950..5d4e9b5 100644
+--- a/apache2/apache2_config.c
++++ b/apache2/apache2_config.c
+@@ -2345,6 +2345,24 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
+ }
+ 
+ 
++static const char *cmd_remote_timeout(cmd_parms *cmd, void *_dcfg, const char *p1)
++{
++    directory_config *dcfg = (directory_config *)_dcfg;
++    long int timeout;
++
++    if (dcfg == NULL) return NULL;
++
++    timeout = strtol(p1, NULL, 10);
++    if ((timeout == LONG_MAX)||(timeout == LONG_MIN)||(timeout < 0)) {
++        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRemoteTimeout: %s", p1);
++    }
++
++    remote_rules_timeout = timeout;
++
++    return NULL;
++}
++
++
+ static const char *cmd_status_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
+ {
+     if (strcasecmp(p1, "on") == 0) {
+@@ -3658,6 +3677,14 @@ const command_rec module_directives[] = {
+         "Abort or Warn"
+     ),
+ 
++    AP_INIT_TAKE1 (
++        "SecRemoteTimeout",
++        cmd_remote_timeout,
++        NULL,
++        CMD_SCOPE_ANY,
++        "timeout in seconds"
++    ),
++
+ 
+     AP_INIT_TAKE1 (
+         "SecXmlExternalEntity",
+diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
+index b6e98e9..1410ac7 100644
+--- a/apache2/mod_security2.c
++++ b/apache2/mod_security2.c
+@@ -79,6 +79,8 @@ msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
+ #endif
+ int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
+ char DSOLOCAL *remote_rules_fail_message = NULL;
++unsigned long int DSOLOCAL remote_rules_timeout = NOT_SET;
++
+ 
+ int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
+ 
+diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
+index f170034..d9de1f0 100644
+--- a/apache2/modsecurity.h
++++ b/apache2/modsecurity.h
+@@ -150,6 +150,7 @@ extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
+ #endif
+ extern DSOLOCAL int remote_rules_fail_action;
+ extern DSOLOCAL char *remote_rules_fail_message;
++extern DSOLOCAL unsigned long int remote_rules_timeout;
+ 
+ extern DSOLOCAL int status_engine_state;
+ 
+diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
+index 8a6df9e..af437d1 100644
+--- a/apache2/msc_remote_rules.c
++++ b/apache2/msc_remote_rules.c
+@@ -353,6 +353,11 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
+         /* We want Curl to return error in case there is an HTTP error code */
+         curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
+ 
++        /* In case we want different timeout than a default one */
++        if (remote_rules_timeout != NOT_SET){
++            curl_easy_setopt(curl, CURLOPT_TIMEOUT, remote_rules_timeout);
++        }
++
+         res = curl_easy_perform(curl);
+ 
+         if (res != CURLE_OK)
diff --git a/SPECS/mod_security.spec b/SPECS/mod_security.spec
index 2a56f55..d0e4001 100644
--- a/SPECS/mod_security.spec
+++ b/SPECS/mod_security.spec
@@ -10,7 +10,7 @@
 Summary: Security module for the Apache HTTP Server
 Name: mod_security 
 Version: 2.9.2
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: ASL 2.0
 URL: http://www.modsecurity.org/
 Group: System Environment/Daemons
@@ -18,6 +18,7 @@ Source: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/
 Source1: mod_security.conf
 Source2: 10-mod_security.conf
 Source3: modsecurity_localrules.conf
+Patch1: mod_security-2.9.2-remote-rules-timeout.patch
 Requires: httpd httpd-mmn = %{_httpd_mmn}
 # To ensure correct file ownership
 Requires(pre): httpd-filesystem
@@ -56,6 +57,7 @@ This package contains the ModSecurity Audit Log Collector.
 
 %prep
 %setup -q -n modsecurity-%{version}
+%patch1 -p1 -b .remote-rules-timeout
 
 %build
 %configure --enable-pcre-match-limit=1000000 \
@@ -134,6 +136,10 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 %endif
 
 %changelog
+* Sun Nov 15 2020 Lubos Uhliarik <luhliari@redhat.com> - 2.9.2-9
+- Resolves: #1824859 - RFE: Add a feature that can set a mod_security/libcurl
+  timeout for retrieving the rules
+
 * Mon Dec 17 2018 Joe Orton <jorton@redhat.com> - 2.9.2-8
 - enable collection global lock (#1650268)