httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 38837] New: - post data >8k overflow via mod_ssl and mod_proxy ProxyPass
Date Fri, 03 Mar 2006 08:52:01 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38837>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38837

           Summary: post data >8k overflow via mod_ssl and mod_proxy
                    ProxyPass
           Product: Apache httpd-2
           Version: 2.0.55
          Platform: PC
        OS/Version: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: aragon@phat.za.net


Hi,

When data exceeding 8192 bytes is posted to a ProxyPass'd URL in an SSL 
virtualhost, mod_proxy or mod_ssl overflows the data and transforms it in such 
a way that it is useless after it is proxied.

I am able to consistently reproduce this as follows.

In an SSL virtualhost block:
<Location /test.cgi>
   ProxyPass http://127.0.0.1:9010/test.cgi
</Location>

http://127.0.0.1:9010/ is a netcat listener whose output I'm teeing to a file.

I generated post data looking like this:
data=by10te0001by10te0002by10te0003... etc.

Each by10teXXXX is 10 bytes and repeats until the post data is 8200 bytes long 
(including data=).

I submit it with curl:
curl -d $( cat testdata.txt ) https://securesite/test.cgi

The tee output from netcat is:
---
POST /test.cgi HTTP/1.1^M
Host: 127.0.0.1:9010^M
User-Agent: curl/7.15.1 (i386-portbld-freebsd5.4) libcurl/7.15.1 OpenSSL/0.9.7e zlib/1.2.1^M
Accept: */*^M
Content-Type: application/x-www-form-urlencoded^M
Expect: 100-continue^M
Max-Forwards: 10^M
X-Forwarded-For: <snip>^M
X-Forwarded-Host: <snip>^M
X-Forwarded-Server: <snip>^M
Content-Length: 8200^M
^M
819by10t0te0001by10te0002by10te0003<snip>by10te0818by10te0819by10t
---

I've <snip>'d information for brevity's sake.

The post data comes out to 8200 bytes long, but has overflowed in some way and 
been transformed.

If I perform this post to a ProxyPass that does not run in an SSL virtualhost, 
it goes through unaltered.


Thanks,
Aragon
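
Added example, not part of the original report or of httpd: a Python sketch that rebuilds the 8200-byte pattern described above and reports where a captured request body differs from it. The function names are hypothetical, and the sample capture is constructed to match only the head and tail visible in the netcat output, since the middle is snipped in the report.

```python
# Added example: names and the sample capture are constructed, not from httpd.
LIMIT = 8192  # size threshold named in the report

def make_payload(total=8200):
    """'data=' followed by by10te0001by10te0002..., cut to `total` bytes."""
    out, n = "data=", 1
    while len(out) < total:
        out += "by10te%04d" % n  # 10-byte self-numbering token
        n += 1
    return out[:total].encode("ascii")

def body_of(capture):
    """Strip the request headers from a raw capture (e.g. the tee'd file)."""
    return capture.split(b"\r\n\r\n", 1)[1]

def diff_ranges(expected, received):
    """Half-open (start, end) ranges where the two bodies differ."""
    size = max(len(expected), len(received))
    ranges, start = [], None
    for i in range(size):
        same = expected[i:i + 1] == received[i:i + 1]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, size))
    return ranges

def explain(expected, received, limit=LIMIT):
    """Describe each damaged range; flag it if it holds the bytes past `limit`."""
    spill = expected[limit:]
    return [{"offset": s, "length": e - s,
             "expected": expected[s:e], "received": received[s:e],
             "is_spill": len(spill) > 0 and received[s:e] == spill}
            for s, e in diff_ranges(expected, received)]

def constructed_capture(expected, limit=LIMIT):
    """Constructed sample: same head and tail as the capture in the report."""
    head = b"POST /test.cgi HTTP/1.1\r\nContent-Length: 8200\r\n\r\n"
    spill = expected[limit:]
    return head + spill + expected[len(spill):]

if __name__ == "__main__":
    want = make_payload()
    for finding in explain(want, body_of(constructed_capture(want))):
        print(finding)
```

For a real run, pass the bytes of the tee'd netcat file to body_of() in place of the constructed capture.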
