httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: 1.3.31 regression affecting Front Page?
Date Wed, 09 Jun 2004 16:45:06 GMT
On Wed, Jun 09, 2004 at 09:21:07AM -0700, Rasmus Lerdorf wrote:
> Don't see that anywhere.  Either eaten by spam filters or a gerbil.
> 
> Anyway, I don't understand why this would have broken mod_dav.  If mod_dav
> wants a keepalive connection it should determine this prior to the ap_die
> and set conn->keepalive to 1.  Or am I missing something with respect to
> what mod_dav is doing here?  I suppose we could add an ugly exception for
> a PROPFIND here, but I'd like to make sure that is actually needed.

From my debugging: mod_dav doesn't actually get involved at all, the
check_user_id handler from the auth module returns AUTH_REQUIRED for the
request, and ap_set_keepalive is not called before ap_die is invoked in
that case. r->connection->keepalive has never been changed from 0 when
the test in question is reached - it's called later by
ap_send_error_response, but that's too late.

> Without this patch non-keepalive connections are not being dropped when we
> know there is nothing more to do.  For example, on a server that doesn't
> allow POST someone can POST to it and it will happily sit there and read
> the entire POST request.  This defeats the purpose of adding a Limit POST
> and introduces a DoS.  Same for a 404 or any other error handler.  I can
> POST to a bogus URL and Apache will read the entire POST request even
> though we know it is a 404 at this point and that we can safely discard
> the request body.  I don't think releasing .32 without addressing this
> issue is a good idea.


