Fix remote resources download while hosting SSL site on Apache

Felipe Zimmerle · Felipe Zimmerle · commit 87a401af05d4 · 2014-12-11T12:39:27.000-08:00
As reported by Christian Folin and Walter Hop on our dev mailing list, Apache
mod_ssl was failing if a remote resource was utilized. That was happening
because Curl clean up was also cleaning up the OpenSSL data used by mod_ssl.
This patch moves Curl initialization to happens while ModSecurity is
initialized.
diff --git a/CHANGES b/CHANGES
@@ -1,6 +1,11 @@
 DD mmm YYYY - 2.9.????? (To be released)
 -----------------------
 
+ * Remote resources loading process is now failing in case of HTTP error.
+   [Walter Hop and ModSecurity team]
+ * Fixed start up crash on Apache with mod_ssl configured. Crash was happening
+   during the download of remote resources.
+   [Christian Folini, Walter Hop and ModSecurity team]
  * Curl is not a mandatory dependency to ModSecurity core anymore.
    [Rainer Jung and ModSecurity team]
 
diff --git a/apache2/modsecurity.c b/apache2/modsecurity.c
@@ -23,6 +23,10 @@
 #include "msc_xml.h"
 #include "apr_version.h"
 
+#ifdef WITH_CURL
+#include <curl/curl.h>
+#endif
+
 unsigned long int DSOLOCAL unicode_codepage = 0;
 
 int DSOLOCAL *unicode_map_table = NULL;
@@ -118,6 +122,16 @@ msc_engine *modsecurity_create(apr_pool_t *mp, int processing_mode) {
 int modsecurity_init(msc_engine *msce, apr_pool_t *mp) {
     apr_status_t rc;
 
+    /**
+     * Notice that curl is initialized here but never cleaned up. First version
+     * of this implementation curl was initialized and cleaned for every
+     * utilization. Turns out that it was not only cleaning stuff that was
+     * utilized by Curl but also other OpenSSL stuff that was utilized by
+     * mod_ssl leading the SSL support to crash.
+     */
+#ifdef WITH_CURL
+    curl_global_init(CURL_GLOBAL_ALL);
+#endif
     /* Serial audit log mutext */
     rc = apr_global_mutex_create(&msce->auditlog_lock, NULL, APR_LOCK_DEFAULT, mp);
     if (rc != APR_SUCCESS) {
diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
@@ -258,7 +258,6 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
 
     apr_id = apr_psprintf(mp, "ModSec-unique-id: %s", id);
 
-    curl_global_init(CURL_GLOBAL_ALL);
     curl = curl_easy_init();
 
     beacon_str_len = msc_beacon_string(NULL, 0);
@@ -348,7 +347,6 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
 
     curl_easy_cleanup(curl);
 
-    curl_global_cleanup();
     return 0;
 #else
     return -3;
