httpd-dev mailing list archives

From Chuck Murcko <ch...@topsail.org>
Subject Re: [PATCH] log long headers
Date Thu, 27 Feb 1997 03:22:07 GMT
Yeah, you can't just return HTTP_REQUEST_URI_TOO_LARGE.

+1.

Marc Slemko wrote:
> 
> Right now when we get a header that is too long we just exit.  We should
> return a 414, but that's not overly nice given the current structure.
> 
> I think we should log the problem.  Almost a feature, but... gives
> people some way to know when someone is trying a buffer overflow
> attack.
> 
> Index: http_protocol.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/http_protocol.c,v
> retrieving revision 1.105
> diff -c -r1.105 http_protocol.c
> *** http_protocol.c     1997/02/22 00:37:18     1.105
> --- http_protocol.c     1997/02/27 02:33:48
> ***************
> *** 590,597 ****
>         }
>       }
>       bsetflag( conn->client, B_SAFEREAD, 0 );
> !     if (len == (HUGE_STRING_LEN - 1))
>           return 0;               /* Should be a 414 error status instead */
> 
>       r->request_time = time(NULL);
>       r->the_request = pstrdup (r->pool, l);
> --- 590,600 ----
>         }
>       }
>       bsetflag( conn->client, B_SAFEREAD, 0 );
> !     if (len == (HUGE_STRING_LEN - 1)) {
> !         log_printf(r->server, "request failed for %s, reason: header too long",
> !             get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME));
>           return 0;               /* Should be a 414 error status instead */
> +     }
> 
>       r->request_time = time(NULL);
>       r->the_request = pstrdup (r->pool, l);
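
Review bot: The new log_printf message says "header too long", but the buffer being checked is l, which the context lines then copy into r->the_request, so what overflowed here is the request line; "request line too long" would point an admin at the right thing. The only client identifier logged is get_remote_host(..., REMOTE_NAME), which can be a reverse-DNS name chosen by whoever controls the client's PTR record; since the stated purpose is noticing overflow attempts, log the client IP address alongside or instead of the name. The entry would also be more useful for triage if it recorded the limit that was hit (HUGE_STRING_LEN - 1). The return 0 path still sends no 414, as the retained comment says.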

-- 
chuck
Chuck Murcko
The Topsail Group, West Chester PA USA
chuck@topsail.org