httpd-dev mailing list archives

From Marc Slemko <>
Subject Re: DoS on POSTS
Date Sun, 28 Oct 2001 16:48:06 GMT

On Sat, 27 Oct 2001, William A. Rowe, Jr. wrote:

> Requesting this;
> POST /cgi-bin/ HTTP/1.1
> Content-Length:80
> Host:localhost
> and stalling, I get a 5 minute pause, followed by;
> HTTP/1.1 200 OK
> Date: Sat, 27 Oct 2001 16:55:02 GMT
> Server: Apache/2.0.27-dev (Win32) DAV/2 mod_ssl/3.0a0 OpenSSL/0.9.6b
> Content-Length: 1553
> Connection: close
> Content-Type: text/plain; charset=ISO-8859-1
> [content snipped]
> Now that's not pretty.  Why are we returning 200 when the input is insufficient
> for properly handling the request???  We strip the content-length, so the cgi
> wouldn't know what to expect; it can't handle the error itself!!!
> Correction, we don't strip the content length ???

> Jon, try from CVS head, I suspect the timeout may have been fixed since you
> first observed this behavior.  As for other unacceptable behaviors, well...

You are on Win32.  Unix may be broken.  Haven't checked.

> Thoughts anyone?  I'd expect such a request to 400 out.

408.  Which will be logged, and may or may not be sent to the client.

Also note that I seem to recall some suggestions to hardcode the
post-to-a-page-that-doesn't-take-posts case to act as if there were
no request body to read.  Don't do that.  Not only is it unnecessary
and just a symptom of a deeper problem, but we need to read the
request body always or error out in a way that closes the connection
(and the second is last resort only).
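
An added illustration of the two points in this message, not code from the message or from Apache httpd: a body read under one overall deadline that yields 408 when the client stalls, and a handler that consumes the body even for a resource that rejects POST. The function names, the 0.2-second timeout, and the 400 and 405 status choices are assumptions made for the sketch.

```python
import socket
import time

def read_body(conn, content_length, timeout):
    """Read exactly content_length bytes under one overall deadline.

    Returns (body, status): status is None when the body is complete,
    408 when the client stalls, 400 (assumed here) when it closes early.
    """
    deadline = time.monotonic() + timeout
    body = b""
    while len(body) < content_length:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return body, 408
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(min(4096, content_length - len(body)))
        except socket.timeout:
            return body, 408
        if not chunk:
            return body, 400
        body += chunk
    return body, None

def handle(conn, method, content_length, accepts_post, timeout=0.2):
    """Return (status, keep_alive) for a request whose headers are parsed.

    The body is consumed even when the resource rejects POST, so leftover
    body bytes are never parsed as the next request on the connection.
    """
    _, err = read_body(conn, content_length, timeout)
    if err is not None:
        return err, False      # body incomplete: the connection must close
    if method == "POST" and not accepts_post:
        return 405, True       # assumed status; body drained, reuse is safe
    return 200, True

def demo(sent_bytes, content_length=80, accepts_post=True):
    """Constructed client: sends sent_bytes of body, then stalls."""
    client, server = socket.socketpair()
    try:
        client.sendall(b"x" * sent_bytes)
        return handle(server, "POST", content_length, accepts_post)
    finally:
        client.close()
        server.close()
```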
