Scenario: - Client sends POST data - Access checker (my custom module) returns 403 For 1.3.29 ap_die() calls ap_discard_request_body(), 1.3.31 does not. This causes the start of POST data to be interpreted as next valid request line! Code details below 1.3.31 main/http_request.c:1057 if ((r->status != HTTP_NOT_MODIFIED) && (r->status != HTTP_NO_CONTENT) && !ap_status_drops_connection(r->status) && r->connection && (r->connection->keepalive > 0 )) { (void) ap_discard_request_body(r); } 1.3.29 main/http_request.c:1110 if ((r->status != HTTP_NOT_MODIFIED) && (r->status != HTTP_NO_CONTENT) && !ap_status_drops_connection(r->status) && r->connection && (r->connection->keepalive != -1)) { (void) ap_discard_request_body(r); } I changed the this code back to 1.2.29 and everything works fine for me
Some more info: The second request re-uses the connection of the first denied POST request.
I have checked the current snapshot apache-1.3_20040615104126.tar.gz and I've seen that this bug has been already fixed! Sorry for the hassling