Bug#1071102: apache2: apache 2.4.59 error of handling HTTPS 100 Continue POST CGI responses
Package: apache2
Version: 2.4.59-1~deb12u1
Severity: normal
Dear Maintainer,
apache 2.4.59 sends a correct 100 Continue response over HTTP, but not over HTTPS.
Sample html POST form is in 100c.htm, sample bash script is in 100c.cgi
-- Package-specific info:
-- System Information:
Debian Release: 12.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-21-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages apache2 depends on:
ii apache2-bin 2.4.59-1~deb12u1
ii apache2-data 2.4.59-1~deb12u1
ii apache2-utils 2.4.59-1~deb12u1
ii init-system-helpers 1.65.2
ii lsb-base 11.6
ii media-types 10.0.0
ii perl 5.36.0-7+deb12u1
ii procps 2:4.0.2-3
ii sysvinit-utils [lsb-base] 3.06-4
Versions of packages apache2 recommends:
ii ssl-cert 1.1.2
Versions of packages apache2 suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
ii lynx [www-browser] 2.9.0dev.12-1
Versions of packages apache2-bin depends on:
ii libapr1 1.7.2-3
ii libaprutil1 1.6.3-1
ii libaprutil1-dbd-sqlite3 1.6.3-1
ii libaprutil1-ldap 1.6.3-1
ii libbrotli1 1.0.9-2+b6
ii libc6 2.36-9+deb12u7
ii libcrypt1 1:4.4.33-2
ii libcurl4 7.88.1-10+deb12u5
ii libjansson4 2.14-2
ii libldap-2.5-0 2.5.13+dfsg-5
ii liblua5.3-0 5.3.6-2
ii libnghttp2-14 1.52.0-1+deb12u1
ii libpcre2-8-0 10.42-1
ii libssl3 3.0.11-1~deb12u2
ii libxml2 2.9.14+dfsg-1.3~deb12u1
ii perl 5.36.0-7+deb12u1
ii zlib1g 1:1.2.13.dfsg-1
Versions of packages apache2-bin suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
ii lynx [www-browser] 2.9.0dev.12-1
Versions of packages apache2 is related to:
ii apache2 2.4.59-1~deb12u1
ii apache2-bin 2.4.59-1~deb12u1
-- Configuration Files:
/etc/apache2/apache2.conf changed:
ServerRoot "/etc/apache2"
Mutex file:${APACHE_LOCK_DIR} default
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 1000
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog /var/log/httpd/error.log
LogLevel warn
NoProxy "maasoftware.ru" "192.162.244.247/32" "192.162.244.248/32" "[2a13:3d80:0:6::d]/128" "[2a13:3d80:0:6::e]/128"
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
<FilesMatch ".+\.__php$">
SetHandler application/x-httpd-php
</FilesMatch>
Include ports.conf
AccessFileName .htaccess
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
LogFormat "%v:%p %a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
</IfModule>
</IfModule>
ServerAdmin support@maasoftware.ru
ServerName maasoftware.ru:80
DocumentRoot "/var/www"
<Directory />
Options FollowSymLinks
AllowOverride None
#Order deny,allow
#Deny from all
Require all denied
</Directory>
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
#
# Controls who can get stuff from this server.
#
<Directory "/var/www">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
Options +Indexes +FollowSymLinks +ExecCGI +Includes
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
#AllowOverride None
AllowOverride All
<Limit PUT DELETE>
Require all denied
</Limit>
#
# Controls who can get stuff from this server.
#
#Order allow,deny
#Allow from all
Require all granted
</Directory>
<Directory "/usr/share/php">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
Options +Indexes +FollowSymLinks -ExecCGI +Includes
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
#AllowOverride None
AllowOverride All
<Limit PUT DELETE>
Require all denied
</Limit>
#
# Controls who can get stuff from this server.
#
#Order allow,deny
#Allow from all
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<FilesMatch "^\.ht">
#Order allow,deny
#Deny from all
Require all denied
#Satisfy All
</FilesMatch>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
# You need to enable mod_logio.c to use %I and %O
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
</IfModule>
<IfModule cgid_module>
#
# ScriptSock: On threaded servers, designate the path to the UNIX
# socket used to communicate with the CGI daemon of mod_cgid.
#
Scriptsock logs/cgisock
</IfModule>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig mime.types
#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi
AddHandler cgi-script .cgi
AddHandler cgi-script .__cgi
# For type maps (negotiated resources):
#AddHandler type-map var
#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
#AddOutputFilter INCLUDES .__cgi
AddOutputFilter INCLUDES .__php
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
ServerLimit 210
MaxClients 210
MaxRequestWorkers 210
MaxConnectionsPerChild 4096
IncludeOptional sites-enabled-default/*.conf
IncludeOptional sites-enabled/*
/etc/apache2/conf-available/security.conf changed:
ServerTokens Prod
ServerSignature Off
TraceEnable Off
/etc/apache2/conf-available/serve-cgi-bin.conf changed:
<IfModule mod_alias.c>
<IfModule mod_cgi.c>
Define ENABLE_USR_LIB_CGI_BIN
</IfModule>
<IfModule mod_cgid.c>
Define ENABLE_USR_LIB_CGI_BIN
</IfModule>
<IfDefine ENABLE_USR_LIB_CGI_BIN>
#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Require all granted
</Directory>
</IfDefine>
</IfModule>
/etc/apache2/ports.conf changed:
Listen 192.162.244.247:80
Listen 192.162.244.248:80
Listen [2a13:3d80:0:6::d]:80
Listen [2a13:3d80:0:6::e]:80
<IfModule ssl_module>
Listen 192.162.244.247:443
Listen 192.162.244.248:443
Listen [2a13:3d80:0:6::d]:443
Listen [2a13:3d80:0:6::e]:443
</IfModule>
<IfModule mod_gnutls.c>
Listen 192.162.244.247:443
Listen 192.162.244.248:443
Listen [2a13:3d80:0:6::d]:443
Listen [2a13:3d80:0:6::e]:443
</IfModule>
/etc/logrotate.d/apache2 changed:
/var/log/apache2/*.log111 {
daily
missingok
rotate 14
compress
delaycompress
notifempty
create 640 root adm
sharedscripts
prerotate
if [ -d /etc/logrotate.d/httpd-prerotate ]; then
run-parts /etc/logrotate.d/httpd-prerotate
fi
endscript
postrotate
if pgrep -f ^/usr/sbin/apache2 > /dev/null; then
invoke-rc.d apache2 reload 2>&1 | logger -t apache2.logrotate
fi
endscript
}
-- no debconf information
#!/bin/sh
echo "Status: 100 Continue"
echo "Content-Type: text/html"
echo "Content-Length: 0"
echo "Connection: Keep-Alive"
echo "Cache-control: no-cache"
echo "Cache-control: no-transform"
echo
echo "HTTP/1.1 100 Continue"
echo "Content-Type: text/html"
echo "Content-Length: 0"
echo "Connection: Keep-Alive"
echo "Cache-control: no-cache"
echo "Cache-control: no-transform"
echo
echo "HTTP/1.1 200 OK"
echo "Content-Type: text/html"
echo "Content-Length: 10"
echo "Connection: close"
echo "Cache-control: no-cache"
echo "Cache-control: no-transform"
echo
echo -n "0123456789"
<!DOCTYPE html>
<html>
<head>
<title>100 Continue test</title>
</head>
<body>
HTTP no error, HTTPS invalid response<br>
<br>
multipart/form-data<br>
<form action="100c.cgi" method="POST" enctype="multipart/form-data">
<input type="text" name="testname" value="testvalue">
<input type="submit" value="Submit">
</form>
<br>
application/x-www-form-urlencoded<br>
<form action="100c.cgi" method="POST" enctype="application/x-www-form-urlencoded">
<input type="text" name="testname" value="testvalue">
<input type="submit" value="Submit">
</form>
</body>
</html>
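
To compare what the server puts on the wire in the HTTP and HTTPS cases, the raw bytes read from each connection can be split into interim (1xx) and final responses. This is an added example, not part of the report: the function name is hypothetical and the sample bytes are constructed, not captured from the reporter's server.

```python
import re

# A header block ends at the first empty line. Accept CRLF or bare LF,
# because a CGI script that uses echo emits LF-only line endings.
_HEAD_END = re.compile(rb"\r?\n\r?\n")
_STATUS = re.compile(rb"HTTP/1\.[01] (\d{3})(?: (.*))?$")


def split_responses(stream: bytes):
    """Split raw bytes from one connection into HTTP/1.x responses.

    Returns a list of (status, headers, body). A 1xx interim response has
    no body, so the next message starts right after its header block.
    Only Content-Length framing is handled (no chunked encoding).
    """
    out, pos = [], 0
    while pos < len(stream):
        m = _HEAD_END.search(stream, pos)
        if not m:
            raise ValueError(f"unterminated header block at offset {pos}")
        lines = re.split(rb"\r?\n", stream[pos:m.start()])
        sm = _STATUS.match(lines[0])
        if not sm:
            raise ValueError(f"no status line at offset {pos}: {lines[0]!r}")
        status, headers = int(sm.group(1)), {}
        for line in lines[1:]:
            name, sep, value = line.partition(b":")
            if not sep:
                raise ValueError(f"malformed header line: {line!r}")
            key = name.strip().lower().decode("latin-1")
            headers.setdefault(key, []).append(value.strip().decode("latin-1"))
        pos, body = m.end(), b""
        if not 100 <= status < 200:
            length = int(headers.get("content-length", ["0"])[0])
            if pos + length > len(stream):
                raise ValueError("body shorter than Content-Length")
            body, pos = stream[pos:pos + length], pos + length
        out.append((status, headers, body))
    return out


# Constructed sample: a well-formed interim response, then a final response
# with the same headers and body as the last block of 100c.cgi.
SAMPLE_OK = (
    b"HTTP/1.1 100 Continue\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 10\r\n"
    b"Cache-control: no-cache\r\nCache-control: no-transform\r\n\r\n0123456789"
)
```

A stream that raises `ValueError` on one transport but parses cleanly on the other pinpoints the offset where the framing differs.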