httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Covener <cove...@gmail.com>
Subject Re: MAJOR SECURITY-PROBLEM Apache 2.4.6
Date Wed, 01 Oct 2014 18:16:17 GMT
On Wed, Oct 1, 2014 at 1:05 PM, Reindl Harald <h.reindl@thelounge.net>
wrote:

> mod_security and "
> ​​
> SecRequestBodyLimit" works as expected
> blocking the request - so it hardly is a bug in mod_php
> which should not be called at all if "LimitRequestBody"
> takes action
>

​​SecRequestBodyLimit reads the content-length in a hook that precedes PHPs
handler.
LimitRequestBody​ acts as a filter during the read of the body during the
execution of the PHP handler.

To me, this does not exonerate mod_php, it implicates it.  I suspect your
source code is served because PHP swallowed the LimitRequestBody​ and then
passed control back to Apache.  I'm fairly certain I responded to you
privately with similar information already.

The default handler (static file handler) is a fall-through, and there is
not currently a way to tell it NOT to respond for something because a
configured module unexpectedly passed control back.  It is a relatively
easy opt-in feature to add, but not something that is safe for a shipped
release to change by default.

Mime
View raw message