httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: MAJOR SECURITY-PROBLEM Apache 2.4.6
Date Fri, 03 Oct 2014 00:33:36 GMT

On 03.10.2014 at 02:18, Eric Covener wrote:
> On Thu, Oct 2, 2014 at 7:02 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
> 
>     On 03.10.2014 at 00:09, Eric Covener wrote:
>     > On Thu, Oct 2, 2014 at 5:06 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
>     >
>     >     however, controlling that with modsec even gives you the option to
>     >     select the status code without leaking source code - if a module
>     >     can do that, why not the core itself, unconditionally?
>     >
>     > The core or any other module could check the content-length earlier
>     > and return an error a different way, but it doesn't
> 
>     so that's a bug according to the intention of the option
> 
>     IMHO the core should stop the request and discard any output
>     not part of the error response, independent of where it is
>     coming from, similar to exit(ob_end_clean()) in a php script
> 
>     http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
> 
> Unfortunately there are considerations beyond what would make it easiest on Reindl Harald

no idea where that polemic comes from

what makes it "easiest on Reindl Harald" is just "LimitRequestBody 0",
as already happened, so it's hardly about me; it's about others who
use the option to increase security and unfortunately leak code with passwords
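A practical regression check for the failure mode discussed in this thread: send a POST one byte larger than the configured LimitRequestBody to a script and verify that whatever comes back is an error response and not the script's own source. This is an added example written for this archive page, not code from the httpd project or from anyone in the thread. The script path (/upload.php), the limit value (1 MiB) and the PHP-style source markers it looks for are assumptions; adjust them to the target.

```python
"""Probe whether an oversized POST yields a clean error or leaks script output.

Added example, not code from the httpd project or from the thread's authors.
Assumed (hypothetical): the target serves a PHP script at SCRIPT_PATH behind
a LimitRequestBody of LIMIT_BYTES.
"""
import http.client
import re

LIMIT_BYTES = 1024 * 1024    # assumed LimitRequestBody value on the target
SCRIPT_PATH = "/upload.php"  # hypothetical script path

# Markers that suggest the body is script source rather than an error page:
# a PHP open tag, or an assignment of a quoted string literal to a variable
# (the shape of a hard-coded credential such as $db_pass = 'secret';).
SOURCE_MARKERS = (
    re.compile(rb"<\?php"),
    re.compile(rb"\$[A-Za-z_][A-Za-z0-9_]*\s*=\s*['\"][^'\"]*['\"]\s*;"),
)


def classify_response(status, body):
    """Classify an HTTP response to the oversized POST.

    'leak'       : the body carries what looks like script source, whatever
                   the status code (the problem described in the thread).
    'clean'      : an error status was returned and no source markers appear.
    'unexpected' : no error status and no source markers; the limit may not
                   have applied at all (for example LimitRequestBody 0).
    """
    if any(marker.search(body) for marker in SOURCE_MARKERS):
        return "leak"
    if status >= 400:
        return "clean"
    return "unexpected"


def probe(host, port=80, path=SCRIPT_PATH, limit=LIMIT_BYTES, timeout=10):
    """Send a POST of limit+1 bytes and return (status, classification).

    A server that rejects the body up front may close the connection while
    the body is still being written; that is reported as (None, 'aborted')
    rather than treated as a leak or a pass.
    """
    body = b"x" * (limit + 1)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        try:
            conn.request(
                "POST", path, body=body,
                headers={"Content-Type": "application/octet-stream",
                         "Content-Length": str(len(body))},
            )
            resp = conn.getresponse()
            data = resp.read()
        except (BrokenPipeError, ConnectionResetError):
            return None, "aborted"
        return resp.status, classify_response(resp.status, data)
    finally:
        conn.close()


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(probe(target))
```

Run it as `python probe.py host` against a test instance; anything other than `'clean'` deserves a look at the raw response, and `'aborted'` only means the server cut the upload short, which says nothing about what it would have sent.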

