httpd-dev mailing list archives

From Yehuda Katz <>
Subject Re: MAJOR SECURITY-PROBLEM Apache 2.4.6
Date Wed, 22 Oct 2014 02:51:46 GMT
On Wed, Oct 1, 2014 at 2:19 PM, Eric Covener <> wrote:

> On Wed, Oct 1, 2014 at 2:16 PM, Eric Covener <> wrote:
>> To me, this does not exonerate mod_php, it implicates it.  I suspect your
>> source code is served because PHP swallowed the LimitRequestBody and then
>> passed control back to Apache.  I'm fairly certain I responded to you
>> privately with similar information already.
> I should add that I don't understand your scenario completely, where the
> file is not processed. I think my own test result was the same as Yehuda
> ITT which is not the same as what I just described with the default handler
> taking over.

1. Is this result (PHP executed) still a bug (could be in mod_php)? If a
413 comes up, shouldn't no other content be returned?
I am considering setting up a new VM to do some testing, but I want to make
sure this is not the expected behavior (whether the PHP is executed or not).

2. Is there another module that hooks in a similar way to mod_php that
might also show this behavior (mod_lua for example)?

- Y
