httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <>
Subject Re: MAJOR SECURITY-PROBLEM Apache 2.4.6
Date Thu, 02 Oct 2014 20:36:08 GMT
On Wed, Oct 01, 2014 at 02:16:17PM -0400, Eric Covener wrote:
> The default handler (static file handler) is a fall-through, and there is
> not currently a way to tell it NOT to respond for something because a
> configured module unexpectedly passed control back.  It is a relatively
> easy opt-in feature to add, but not something that is safe for a shipped
> release to change by default.

The PHP SAPI doesn't handle any errors while reading request body data 
(php_apache_sapi_read_post), which it should.  The result of that is 
that the PHP script is executed as normal, and you get a 413 response 
with the ErrorDocument first, then the script output.  

I can't see any more serious bug here, Reindl, we lack a working repro 
case for dumping unprocessed source here.  Can you reproduce without 
mod_security loaded/configured?  Something must be de-configuring the 
mod_php handler, and I can't imagine how exactly that is happening.

Regards, Joe

View raw message