naxsi icon indicating copy to clipboard operation
naxsi copied to clipboard

Published 20 hours ago verified publisher icon nbs-system

naxsi build fails with pcre*2*-enabled nginx-1.21.5: incorrect PCRE_MULTILINE usage

Open pgnd opened this issue 2 years ago • 6 comments

Building/packaging latest nginx-1.21.5

On 12/28/21 10:33, Maxim Dounin wrote:
> details:   https://hg.nginx.org/nginx/rev/d986378168fd
> branches:
> changeset: 7989:d986378168fd
> user:      Maxim Dounin <[email protected]>
> date:      Tue Dec 28 18:28:37 2021 +0300
> description:
> nginx-1.21.5-RELEASE

on Fedora 35, with PCRE2,

rpm -qa | grep pcre2 | sort
	pcre2-10.37-4.fc35.x86_64
	pcre2-devel-10.37-4.fc35.x86_64
	pcre2-syntax-10.37-4.fc35.noarch
	pcre2-utf16-10.37-4.fc35.x86_64
	pcre2-utf32-10.37-4.fc35.x86_64

and only PCRE2 enabled,

https://download.copr.fedorainfracloud.org/results/pgfed/nginx-mainline/fedora-35-x86_64/03084864-nginx/nginx.spec

fails,

https://download.copr.fedorainfracloud.org/results/pgfed/nginx-mainline/fedora-35-x86_64/03084864-nginx/builder-live.log.gz

at,

...
/usr/bin/gcc -c -fPIC -I/usr/local/lua-resty-luajit2/include/luajit-2.1 -O3 -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -march=x86-64 -mtune=generic -O3 -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -march=x86-64 -mtune=generic -DNDK_SET_VAR -Wno-deprecated-declarations -I src/core -I src/event -I src/event/modules -I src/os/unix -I src/http/modules/perl -I ../ngx_devel_kit-master/objs -I objs/addon/ndk -I ../ngx_devel_kit-master/src -I ../ngx_devel_kit-master/objs -I objs/addon/ndk -I /usr/local/lua-resty-luajit2/include/luajit-2.1 -I ../lua-nginx-module-master/src/api -I /usr/include -I ../njs-master/nginx/../src -I ../njs-master/nginx/../build -I ../njs-master/nginx/../src -I ../njs-master/nginx/../build -I /usr/include/libxml2 -I objs -I src/http -I src/http/modules -I src/http/v2 -I ../ngx_devel_kit-master/src -I src/mail -I src/stream \
	-o objs/addon/naxsi_src/naxsi_config.o \
	../naxsi-master/naxsi_src/naxsi_config.c
../naxsi-master/naxsi_src/naxsi_runtime.c: In function 'ngx_http_process_basic_rule_buffer':
../naxsi-master/naxsi_src/naxsi_runtime.c:205:61: error: invalid use of incomplete typedef 'ngx_regex_t' {aka 'struct pcre2_real_code_8'}
  205 |       (tmp_idx < len && (match = pcre_exec(rl->br->rx->regex->code,
      |                                                             ^~
../naxsi-master/naxsi_src/naxsi_runtime.c: In function 'ngx_http_naxsi_pcre_wrapper':
../naxsi-master/naxsi_src/naxsi_runtime.c:500:30: error: invalid use of incomplete typedef 'ngx_regex_t' {aka 'struct pcre2_real_code_8'}
  500 |   match = pcre_exec(rx->regex->code, 0, (const char*)str, len, 0, 0, captures, 1);
      |                              ^~
make[1]: *** [objs/Makefile:1715: objs/addon/naxsi_src/naxsi_runtime.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory '/builddir/build/BUILD/nginx-release-1.21.5'
make: *** [Makefile:10: build] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.hYoU7Y (%build)

pgnd avatar Dec 28 '21 17:12 pgnd

Possibly connected commits:

  • https://github.com/nginx/nginx/commit/931acbf5bcd550af8613d131f4ba49e22e909efb
  • https://github.com/nginx/nginx/commit/d5f1f169bc71d32b96960266d54e189c69af00ba (mentions NAXSI)
  • https://github.com/nginx/nginx/commit/c6fec0b027569a4e0b1d8aaee7dea0f2e4d6052b

petecooper avatar Dec 28 '21 17:12 petecooper

@petecooper

from nginx-devel ML,

https://forum.nginx.org/read.php?29,293178,293179#msg-293179

the second issue, above, seems to be the relevant one here.

and,

"The NAXSI bug mentioned in the second commit needs to be fixed before it will be possible to build NAXSI with PCRE2."

"The" bug refers to incorrect usage of PCRE_MULTILINE.

but, afaict, is not yet filed/open as an existing issue here @ naxsi

pgnd avatar Dec 28 '21 18:12 pgnd

same issue. nginx: 1.21.5 pcre2: 10.39

    ../modules/ngx_http_naxsi_module/naxsi_src/naxsi_runtime.c
../modules/ngx_http_naxsi_module/naxsi_src/naxsi_runtime.c: In function 'ngx_http_process_basic_rule_buffer':
../modules/ngx_http_naxsi_module/naxsi_src/naxsi_runtime.c:205:61: error: invalid use of incomplete typedef 'ngx_regex_t' {aka 'struct pcre2_real_code_8'}
  205 |       (tmp_idx < len && (match = pcre_exec(rl->br->rx->regex->code,
      |                                                             ^~
../modules/ngx_http_naxsi_module/naxsi_src/naxsi_runtime.c: In function 'ngx_http_naxsi_pcre_wrapper':
../modules/ngx_http_naxsi_module/naxsi_src/naxsi_runtime.c:500:30: error: invalid use of incomplete typedef 'ngx_regex_t' {aka 'struct pcre2_real_code_8'}
  500 |   match = pcre_exec(rx->regex->code, 0, (const char*)str, len, 0, 0, captures, 1);
      |                              ^~
make[1]: *** [objs/Makefile:2297: objs/addon/naxsi_src/naxsi_runtime.o] Error 1
make: *** [Makefile:10: build] Error 2

icebluey avatar Dec 30 '21 12:12 icebluey

same issue. nginx: 1.22.0 pcre2: 10.39

	-o objs/addon/naxsi_src/naxsi_runtime.o \
	/src/naxsi/naxsi_src/naxsi_runtime.c
/src/naxsi/naxsi_src/naxsi_runtime.c: In function 'ngx_http_process_basic_rule_buffer':
/src/naxsi/naxsi_src/naxsi_runtime.c:205:61: error: invalid use of incomplete typedef 'ngx_regex_t' {aka 'struct pcre2_real_code_8'}
  205 |       (tmp_idx < len && (match = pcre_exec(rl->br->rx->regex->code,
      |                                                             ^~
/src/naxsi/naxsi_src/naxsi_runtime.c: In function 'ngx_http_naxsi_pcre_wrapper':
/src/naxsi/naxsi_src/naxsi_runtime.c:500:30: error: invalid use of incomplete typedef 'ngx_regex_t' {aka 'struct pcre2_real_code_8'}
  500 |   match = pcre_exec(rx->regex->code, 0, (const char*)str, len, 0, 0, captures, 1);
      |                              ^~
make[1]: *** [objs/Makefile:3170: objs/addon/naxsi_src/naxsi_runtime.o] Error 1
make: *** [Makefile:16: modules] Error 2

vndroid avatar May 30 '22 06:05 vndroid

same here:

make[1]: *** [objs/Makefile:2244: objs/addon/naxsi_src/naxsi_runtime.o] Error 1 make[1]: *** Waiting for unfinished jobs.... make[1]: Leaving directory '/rpm/nginx-1.22.0' make: *** [Makefile:10: build] Error 2

rickygm avatar Jun 01 '22 17:06 rickygm

For what's worth, we are using this patch on Arch to build this module: https://github.com/archlinux/svntogit-community/blob/packages/nginx-mod-naxsi/trunk/587-pcre2.patch

grazzolini avatar Jun 10 '22 14:06 grazzolini

I do not know why this is still open but it was fixed: https://github.com/wargio/naxsi/commit/9e06c5f53b2e393e40e9df7746a7b8bc4c2abfa4

wargio avatar Sep 17 '22 14:09 wargio

Hello,

Could you please release this fix 👍 ?

saez0pub avatar Oct 07 '22 16:10 saez0pub

Hello,

Could you please release this fix +1 ?

It is fixed: https://github.com/wargio/naxsi

wargio avatar Oct 07 '22 20:10 wargio

Sorry, it wasn't clear enough. Thank you for fixing this 🙏 . My question is more about making a new release, version 1.4, including this fix. 🚀

saez0pub avatar Oct 08 '22 06:10 saez0pub

Not going to happen in this repository. This repository is considered abandoned thus you should use mine.

wargio avatar Oct 08 '22 08:10 wargio