Bug 38123 - Invalid Expect header not immediately rejected
Summary: Invalid Expect header not immediately rejected
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.2.0
Hardware: All All
Importance: P2 minor
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
 
Reported: 2006-01-04 18:13 UTC by Daniel Andersson
Modified: 2006-03-31 14:35 UTC (History)
Attachments
Improved patch against 2.2.x (1.33 KB, patch)
2006-01-22 00:33 UTC, Ruediger Pluem

Description Daniel Andersson 2006-01-04 18:13:53 UTC
When Apache was sent the following lines using telnet:

GET / HTTP/1.1
Host: whatever.hostname.com
Expect: %8p


It "hangs" for some period of time, and if this is automated in a script the
server stops accepting new connections for the period of time it takes to
"process" the requests.

As of now I have tested it with version 2.0.54-r31 of Gentoo with the hardened
USE flag turned on and on OpenBSD 3.8 (don't remember the version here though).
Comment 1 Ruediger Pluem 2006-01-04 21:44:26 UTC
This is because httpd is waiting for more header data. Please lower the value of
TimeOut (default 300 seconds) to mitigate this problem. In general this can
happen with lots of other incompletely sent header situations.
Comment 2 Joshua Slive 2006-01-12 16:00:47 UTC
Not a security bug because the request does time out. But not a proper response
to the request either. httpd should give an immediate error rather than waiting.
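
The immediate-error behaviour asked for in Comment 2, as an added sketch that is not part of the original report and not httpd's own code: the request head is checked as soon as its blank line arrives, and any expectation other than `100-continue` maps to 417 Expectation Failed (the status RFC 2616 section 14.20 requires). The function name `expect_decision`, the enum and the sample request string are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical names for this sketch; values mirror the HTTP status codes. */
enum { EXPECT_NONE = 0, EXPECT_CONTINUE = 100, EXPECT_FAILED = 417 };

/* Inspect a complete, CRLF-delimited request head and decide how to answer
 * its Expect header without waiting for any further data from the client. */
int expect_decision(const char *head)
{
    static const char name[] = "Expect";
    static const char ok[] = "100-continue";
    const char *line = strstr(head, "\r\n");     /* skip the request line */

    while (line != NULL) {
        line += 2;
        if (line[0] == '\r' || line[0] == '\0')
            break;                               /* blank line ends the headers */
        const char *end = strstr(line, "\r\n");
        if (end == NULL)
            end = line + strlen(line);
        if (strncasecmp(line, name, sizeof name - 1) == 0
            && line[sizeof name - 1] == ':') {
            const char *v = line + sizeof name;  /* first byte after ':' */
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            while (end > v && (end[-1] == ' ' || end[-1] == '\t')) end--;
            if (end == v)
                return EXPECT_NONE;              /* empty value: a choice made in this sketch */
            if ((size_t)(end - v) == sizeof ok - 1
                && strncasecmp(v, ok, sizeof ok - 1) == 0)
                return EXPECT_CONTINUE;          /* send "100 Continue", then read the body */
            return EXPECT_FAILED;                /* unknown expectation: answer 417 now */
        }
        line = strstr(line, "\r\n");
    }
    return EXPECT_NONE;
}

int main(void)
{
    /* Constructed input: the request from the description, with CRLF line ends. */
    const char *req = "GET / HTTP/1.1\r\nHost: whatever.hostname.com\r\n"
                      "Expect: %8p\r\n\r\n";
    printf("decision: %d\n", expect_decision(req));
    return 0;
}
```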
Comment 4 Ruediger Pluem 2006-01-22 00:33:17 UTC
Created attachment 17481
Improved patch against 2.2.x
Comment 5 Ruediger Pluem 2006-03-31 22:35:00 UTC
Backported to 2.2.1 as r390503
(http://svn.apache.org/viewcvs?rev=390503&view=rev).