Update ap-modsecurity2 to 2.5.13, partly from Matthew Sporleder in

PR 44745, rest by me.

pkgsrc changes:
   - fix up deps
   - fix Apache module handling
   - DESTDIR support

XXX: The DESTDIR support has to bypass apxs because as far as I can tell
XXX: apxs -i doesn't know how to handle DESTDIRs. Various Apache modules
XXX: do this in various different ways. Someone(TM) should teach apxs -i
XXX: about DESTDIRs and fix up all the abuse. The infrastructure for
XXX: Apache modules could use some rototilling as well.

29 Nov 2010 - 2.5.13
--------------------

 * Cleaned up some mlogc code and debugging output.

 * Remove the ability to use a relative path to a piped audit logger
   (i.e. mlogc) as Apache does not support it in their piped loggers
   and it was breaking Windows and probably other platforms that
   use spaces in filesystem paths.  Discovered by Tom Donovan.

 * Fix memory leak freeing regex.  Discovered by Tom Donovan.

 * Fix some portability issues on Windows.

 * Fixed Geo lookup concurrent connections bug

 * Fixed Skip/SkipAfter chain bug

 * Added new setvar Lua API to be used into Lua scripts

 * Added PCRE messages indicates each rule that exceed match limits

 * Added new Base64 transformation function called base64DecodeEx, which
   can decode base64 data skipping special characters.

 * Add SecReadStateLimit to limit the number of concurrent threads in BUSY connections per ip address

 * Fixed redirect action was not expanding macros in chained rules



04 Feb 2010 - 2.5.12
--------------------

 * Fixed SecUploadFileMode to set the correct mode.

 * Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.

 * Added additional file info definitions introduced in APR 0.9.5 so that
   build will work with older APRs (IBM HTTP Server v6).

 * Added SecUploadFileLimit to limit the number of uploaded file parts that
   will be processed in a multipart POST.  The default is 100.

 * Fixed path normalization to better handle backreferences that extend
   above root directories.  Reported by Sogeti/ESEC R&D.

 * Trim whitespace around phrases used with @pmFromFile and allow
   for both LF and CRLF terminated lines.

 * Allow for more robust parsing for multipart header folding.  Reported
   by Sogeti/ESEC R&D.

 * Fixed failure to match internally set TX variables with regex
   (TX:/.../) syntax.

 * Fixed failure to log full internal TX variable names and populate
   MATCHED_VAR* vars.

 * Enabled PCRE "studying" by default.  This is now a configure-time option.

 * Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to
   aide in REDoS type attacks.  A rule that goes over the limits will set
   TX:MSC_PCRE_LIMITS_EXCEEDED.  It is intended that the next major release
   of ModSecurity (2.6.x) will move these flags to a dedicated collection.

 * Reduced default PCRE match limits reducing impact of REDoS on poorly
   written regex rules.  Reported by Sogeti/ESEC R&D.

 * Fixed memory leak in v1 cookie parser.  Reported by Sogeti/ESEC R&D.

 * Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)

 * Update copyright to 2010.

 * Reserved 700,000-799,999 IDs for Ivan Ristic.

 * Fixed SecAction not working when CONNECT request method is used
   (MODSEC-110). [Ivan Ristic]

 * Do not escape quotes in macro resolution and only escape NUL in setenv
   values.


04 Nov 2009 - 2.5.11
--------------------

 * Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be
   set true if any invalid quoting is found during multipart parsing.

 * Fixed parsing quoted strings in multipart Content-Disposition headers.
   Discovered by Stefan Esser.

 * Cleanup persistence database locking code.

 * Added warning during configure if libcurl is found linked against
   gnutls for SSL.  The openssl lib is recommended as gnutls has
   proven to cause issues with mutexes and may crash.

 * Cleanup some mlogc (over)logging.

 * Do not log output filter errors in the error log.

 * Moved output filter to run before other stock filters (mod_deflate,
   mod_cache, mod_expires, mod_filter) to avoid analyzing modified data
   in the response.  Patch originally submitted by Ivan Ristic.



18 Sep 2009 - 2.5.10
--------------------

 * Cleanup mlogc so that it builds on Windows.

 * Added more detailed messages to replace "Unknown error" in filters.

 * Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning
   auditlog permissions (especially with mpm-itk).

 * Cleanup SecUploadFileMode implementation.

 * Cleanup build scripts.

 * Fixed crash on configuration if SecMarker is used before any rules.

 * Fixed SecRuleUpdateActionById so that it will work on chain starters.

 * Cleanup build system for mlogc.

 * Allow mlogc to periodically flush memory pools.

 * Using nolog,auditlog will now log the "Message:" line to the auditlog, but
   nothing to the error log.  Prior versions dropped the "Message:" line from
   both logs.  To do this now, just use "nolog" or "nolog,noauditlog".

 * Forced mlogc to use SSLv3 to avoid some potential auto negotiation
   issues with some libcurl versions.

 * Fixed mlogc issue seen on big endian machines where content type
   could be listed as zero.

 * Removed extra newline from audit log message line when logging XML errors.
   This was causing problems parsing audit logs.

 * Fixed @pm/@pmFromFile case insensitivity.


 * Truncate long parameters in log message for "Match of ... against ...
   required" messages.

 * Correctly resolve chained rule actions in logs.

 * Cleanup some code for portability.

 * AIX does not support hidden visibility with xlc compiler.

 * Allow specifying EXTRA_CFLAGS during configure to override gcc specific
   values for non-gcc compilers.

 * Populate GEO:COUNTRY_NAME and GEO:COUNTRY_CONTINENT as documented.

 * Handle a newer geo database more gracefully, avoiding a potential crash for
   new countries that ModSecurity is not yet aware.

 * Allow checking &GEO "@eq 0" for a failed @geoLookup.

 * Fixed mlogc global mutex locking issue and added more debugging output.

 * Cleaned up build dependencies and configure options.

3 files changed, 45 insertions, 39 deletions

diff --git a/security/ap-modsecurity2/Makefile b/security/ap-modsecurity2/Makefile
index da48b54d8a6..8f1c4830446 100644
--- a/security/ap-modsecurity2/Makefile
+++ b/security/ap-modsecurity2/Makefile
@@ -1,16 +1,21 @@
-# $NetBSD: Makefile,v 1.16 2011/03/19 13:31:52 obache Exp $
+# $NetBSD: Makefile,v 1.17 2011/03/19 21:18:06 dholland Exp $
 
-DISTNAME=	modsecurity-apache_2.5.9
+DISTNAME=	modsecurity-apache_2.5.13
 PKGNAME=	${APACHE_PKG_PREFIX}-${DISTNAME:S/apache_//}
 CATEGORIES=	www security
 MASTER_SITES=	http://www.modsecurity.org/download/
+LICENSE=	gnu-gpl-v2
 
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://www.modsecurity.org/
 COMMENT=	Intrusion detection and prevention engine for web applications
 
+PKG_DESTDIR_SUPPORT=	user-destdir
+
+APACHE_MODULE=		yes
 PKG_APACHE_ACCEPTED=	apache2 apache22
-USE_LANGUAGES+=		c++ c
+USE_APR=		yes
+USE_LANGUAGES=		c++ c
 
 .include "../../mk/apache.mk"
 .include "options.mk"
@@ -23,27 +28,30 @@ WRKSRC=			${WRKDIR}/${DISTNAME}/apache2
 CONFIGURE_ARGS+=	--with-apxs=${APXS}
 CONFIGURE_ARGS+=	--with-pcre=${BUILDLINK_PREFIX.pcre}
 CONFIGURE_ARGS+=	--with-libxml=${BUILDLINK_PREFIX.libxml2}
+CONFIGURE_ARGS+=	--with-lua=${BUILDLINK_PREFIX.lua}
+CONFIGURE_ARGS+=	--with-apr=${BUILDLINK_PREFIX.apr}
+CONFIGURE_ARGS+=	--with-apu=${BUILDLINK_PREFIX.apr-util}
+
+INSTALLATION_DIRS+=	lib/httpd
+INSTALL_ENV+=		APACHEPREFIX=${BUILDLINK_PREFIX.apache}
+INSTALL_ENV+=		DESTDIR=${DESTDIR}
 
-SUBST_CLASSES+=		config
-SUBST_STAGE.config=	post-patch
-SUBST_FILES.config=	configure
-SUBST_SED.config=       -e "s|@@PREFIX@@|${PREFIX}|g"
-SUBST_MESSAGE.config=   Fixing configuration files.
+EGDIR=			share/examples/ap-modsecurity
+DOCDIR=			share/doc/ap-modsecurity
+INSTALLATION_DIRS+=	${EGDIR} ${DOCDIR}
 
-EGDIR=			${PREFIX}/share/examples/ap-modsecurity
-CONF_FILES=		${EGDIR}/modsecurity.conf-minimal \
+CONF_FILES=		${PREFIX}/${EGDIR}/modsecurity.conf-minimal \
 			${PKG_SYSCONFDIR}/httpd/modsecurity.conf
 
 BUILDLINK_API_DEPENDS.apache+=	apache>=2.0.59nb2
 
 post-install:
-	${INSTALL_DATA_DIR} ${EGDIR}
-	${INSTALL_DATA_DIR} ${PREFIX}/share/doc/ap-modsecurity
-
-	${INSTALL_DATA} ${WRKDIR}/${DISTNAME}/modsecurity.conf-minimal ${EGDIR}
+	${INSTALL_DATA} ${WRKDIR}/${DISTNAME}/modsecurity.conf-minimal \
+			${DESTDIR}${PREFIX}/${EGDIR}
 	cd ${WRKDIR}/${DISTNAME}/doc && \
-		pax -rw . ${PREFIX}/share/doc/ap-modsecurity
+		pax -rw . ${DESTDIR}${PREFIX}/${DOCDIR}
 
 .include "../../textproc/libxml2/buildlink3.mk"
 .include "../../devel/pcre/buildlink3.mk"
+.include "../../lang/lua/buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"
diff --git a/security/ap-modsecurity2/distinfo b/security/ap-modsecurity2/distinfo
index 4e41638bba8..7dbef40c4a0 100644
--- a/security/ap-modsecurity2/distinfo
+++ b/security/ap-modsecurity2/distinfo
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.6 2009/03/14 13:45:38 adrianp Exp $
+$NetBSD: distinfo,v 1.7 2011/03/19 21:18:06 dholland Exp $
 
-SHA1 (modsecurity-apache_2.5.9.tar.gz) = 875919332a918956371fe8e2f7e46d88081857cf
-RMD160 (modsecurity-apache_2.5.9.tar.gz) = adab10e5eab50f0d114e3ccb47c343e744119c8f
-Size (modsecurity-apache_2.5.9.tar.gz) = 1252295 bytes
-SHA1 (patch-aa) = 19642ee3f22bd502208ee868cf24fb050bd2c56d
+SHA1 (modsecurity-apache_2.5.13.tar.gz) = dff3dc2b360aeb4a4feebc94ff3d507a4dfad0cf
+RMD160 (modsecurity-apache_2.5.13.tar.gz) = 2e7be42d5a755acc888ef28cf44598cc2540a207
+Size (modsecurity-apache_2.5.13.tar.gz) = 1421293 bytes
+SHA1 (patch-aa) = 21b8ba084e0a70d4751764433ccb4c09078e057e
diff --git a/security/ap-modsecurity2/patches/patch-aa b/security/ap-modsecurity2/patches/patch-aa
index b5a531d110a..999f8111a3f 100644
--- a/security/ap-modsecurity2/patches/patch-aa
+++ b/security/ap-modsecurity2/patches/patch-aa
@@ -1,22 +1,20 @@
-$NetBSD: patch-aa,v 1.6 2009/03/14 13:45:38 adrianp Exp $
+$NetBSD: patch-aa,v 1.7 2011/03/19 21:18:06 dholland Exp $
 
---- configure.orig	2009-03-12 06:15:45.000000000 +0000
-+++ configure
-@@ -5479,7 +5479,7 @@ fi
+destdir support.
+
+--- Makefile.in~	2011-03-19 20:34:00.000000000 +0000
++++ Makefile.in
+@@ -81,8 +81,12 @@ distclean: clean
+ maintainer-clean: distclean
+ 	@rm -rf config config.log config.status configure mod_security2_config.h autoscan.log configure.scan build/libtool.m4 build/config.guess build/config.sub build/ltmain.sh
  
- if test -z "${with_apr}"; then
-         if test -z "${apr_path}"; then
--        test_paths="/usr/local/apr /usr/local /usr"
-+        test_paths="@@PREFIX@@ /usr/local/apr /usr/local /usr"
-     else
-         test_paths="${apr_path}"
-     fi
-@@ -5562,7 +5562,7 @@ fi
++# dholland 20110319 apxs -i currently doesn't know how to cope with DESTDIRs,
++# so hack around it. XXX this is abusive and someone should fix apxs.
+ install-mods: mod_security2.la
+-	$(INSTALL_MOD_SHARED) mod_security2.la
++	#$(INSTALL_MOD_SHARED) mod_security2.la
++	${APACHEPREFIX}/share/httpd/build/instdso.sh SH_LIBTOOL='libtool' \
++		mod_security2.la ${DESTDIR}${APACHEPREFIX}/lib/httpd
  
- if test -z "${with_apu}"; then
-         if test -z "${apu_path}"; then
--        test_paths="/usr/local/apr-util /usr/local/apu /usr/local/apr /usr/local /usr"
-+        test_paths="@@PREFIX@@ /usr/local/apr-util /usr/local/apu /usr/local/apr /usr/local /usr"
-     else
-         test_paths="${apu_path}"
-     fi
+ ${MOD_SECURITY2:=.slo}: $(MOD_SECURITY2_H)
+ ${MOD_SECURITY2:=.lo}: $(MOD_SECURITY2_H)