httpd-modules-dev mailing list archives

From Ivan Ristic <>
Subject Re: Output filter order selection
Date Sat, 26 Sep 2009 10:03:43 GMT
[Sorry for my late response Ben, I missed your reply originally.
Comments below.]

On Mon, Sep 14, 2009 at 9:14 PM, Ben Noordhuis <> wrote:
> On Mon, Sep 14, 2009 at 21:39, Ivan Ristic <> wrote:
>> There's an incompatibility between ModSecurity and mod_deflate, which
>> I would like to fix. (It is triggered when AddOutputFilterByType is
>> used.) I basically need to ensure that ModSecurity's output filter
>> runs before mod_deflate's in all cases. I am aware of mod_filter
>> (which I suspect should be able to deal with this situation), but I
>> prefer a solution that does not require further work on the part of
>> ModSecurity users.
> It depends. If module X registers its output filter in, for example,
> the post-config hook, you can register your own hook and have it run
> before module X's like so:
> /* Modules listed here have their post-config hook run after ours. */
> static const char * const runAfterUs[] = { "mod_x.c", NULL };
> ap_hook_post_config(your_post_config_hook, NULL, runAfterUs, APR_HOOK_MIDDLE);
> If however the module registers its output filter during the 'register
> hooks' phase like mod_deflate does, your best bet is to register your
> own filter and manipulate the ap_filter_rec_t structure (which is
> essentially a linked list) so that your filter comes before
> mod_deflate's.

Yes, I tried that first, but it didn't work. mod_deflate does register
its hooks in the register_hooks phase, but they are added to the
filter chain only later, by whoever handles the AddOutputFilterByType
directive (the core, I am guessing).

> It's not entirely according to the book but it should be a fairly
> robust solution. ap_filter_rec_t lives in util_filter, which is part
> of the module API, and isn't an opaque structure so I don't foresee it
> changing anytime soon.
> This is, of course, to the best of my knowledge. I'm not aware of a
> better way, but if there is, I'd also like to hear it. =)

After some more poking I decided that registering ModSecurity's output
filter to run as CONTENT_SET - 3 should be all right. A review of
Apache's code revealed that this method (subtracting and adding from
known filter values) is used throughout to ensure filters run before
or after other filters. There are some filters (SUBREQ_CORE,
mod_expires and mod_cache) that use CONTENT_SET - 1 and CONTENT_SET -
2. No core module uses CONTENT_SET - 3.

Ivan Ristic
Security assessment of your SSL servers
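
The ordering rule behind the CONTENT_SET - 3 choice, as an added example that is not part of the original message or of ModSecurity's code: a simplified model of how httpd places output filters by type, showing that a filter at the same type as DEFLATE depends on insertion order while one three below it does not. The filter name INSPECT_OUT and the helper functions are hypothetical; the numeric values follow ap_filter_type in util_filter.h, and the model ignores per-request scoping.

```c
#include <stdio.h>
#include <string.h>

/* Values mirror ap_filter_type in httpd's util_filter.h. */
enum { FTYPE_RESOURCE = 10, FTYPE_CONTENT_SET = 20, FTYPE_PROTOCOL = 30 };
#define MAX_FILTERS 8

struct filter { const char *name; int ftype; };
struct chain  { struct filter f[MAX_FILTERS]; int n; };

/* Simplified model of httpd's insertion rule: a new filter goes in front of
 * the first filter whose ftype is strictly greater, so filters with equal
 * ftype run in the order they were added. */
static void add_output_filter(struct chain *c, const char *name, int ftype)
{
    int pos = 0;
    if (c->n == MAX_FILTERS) return;
    while (pos < c->n && c->f[pos].ftype <= ftype)
        pos++;
    memmove(&c->f[pos + 1], &c->f[pos], (size_t)(c->n - pos) * sizeof c->f[0]);
    c->f[pos] = (struct filter){ name, ftype };
    c->n++;
}

/* Position of a filter in the chain (0 runs first), or -1 if absent. */
static int position(const struct chain *c, const char *name)
{
    for (int i = 0; i < c->n; i++)
        if (strcmp(c->f[i].name, name) == 0) return i;
    return -1;
}

/* Returns 1 if the inspecting filter sees the body before DEFLATE does.
 * deflate_first selects whether DEFLATE is added to the chain first. */
static int inspects_before_deflate(int inspect_ftype, int deflate_first)
{
    struct chain c = { .n = 0 };
    if (deflate_first) add_output_filter(&c, "DEFLATE", FTYPE_CONTENT_SET);
    add_output_filter(&c, "INSPECT_OUT", inspect_ftype); /* hypothetical name */
    if (!deflate_first) add_output_filter(&c, "DEFLATE", FTYPE_CONTENT_SET);
    return position(&c, "INSPECT_OUT") < position(&c, "DEFLATE");
}

int main(void)
{
    for (int first = 0; first <= 1; first++)
        printf("deflate_first=%d same_type=%d minus3=%d\n", first,
               inspects_before_deflate(FTYPE_CONTENT_SET, first),
               inspects_before_deflate(FTYPE_CONTENT_SET - 3, first));
    return 0;
}
```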
