
Re: Bug#244174: apache: bogus requests create oversized log entries with wrong error code



Hi Carl,

On Mon, 19 Apr 2004, Carl Johnstone wrote:

> > followed by 314 (URI too long)
>
> My apache install returns a 414 - I assume that's a typo.
>
> > 1) AFAIK there exists no "SEARCH" request in HTTP1.1, (a grep for
> >    "SEARCH" in the specification text gives no exploitable results)
>
> You may add your own methods to the HTTP protocol, so this in itself is
> not a bug or problem.
>
> > 2) the log entries result in lots of mails sent to me by my webalizer
>
> That is a problem with your webalizer not correctly dealing with the log
> files apache provides.
>
> > so, I think the error code should be 405 (method not allowed)
>
> That's what the HTTP specification states you should respond if you
> don't accept the protocol being requested. I would assume that the URL
> length check is done before the protocol check thus 414 is returned.
>
> > and the log lines should stop there without repeating the whole bogus
> > request.
>
> This is apache logging the full requested URI exactly the same for any
> other request it receives. (Actually it would seem that apache only logs
> the buffered amount of its URI.) Again this is not a bug in apache,
> it's behaving exactly as it is configured.
>
> I can't see any bugs with apache, there's not much to choose between a
> 414 or a 405 error.
>
> As a suggestion - most of the attempts to exploit flaws in web servers
> are sent to an IP without any HTTP Host headers. I have a default
> VirtualHost which catches all these types of request and logs them
> separately from all my proper web sites.

Thanks a lot for your deep analysis. I am closing this bug since I can't
see any point where apache is behaving incorrectly.

Fabio

-- 
<user> fajita: step one
<fajita> Whatever the problem, step one is always to look in the error log.
<user> fajita: step two
<fajita> When in danger or in doubt, step two is to scream and shout.
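
An added example, not part of the original message and not code from Apache or webalizer: one way to keep oversized request lines, such as the 414 entries discussed in this thread, away from a log analyzer by splitting a combined-format access log into normal entries and short summaries of the oversized ones. The 1024-character threshold, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
# Quoted fields may contain backslash-escaped quotes, so match those explicitly.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) (\S+) (\S+) \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+)'
    r'(?: ' + QUOTED + ' ' + QUOTED + r')?\s*$'
)
MAX_REQUEST_LEN = 1024  # assumed threshold; tune to what the analyzer tolerates


def classify(line, max_len=MAX_REQUEST_LEN):
    """Return 'ok', 'oversized' or 'unparsed' for one access-log line."""
    m = LINE_RE.match(line)
    if m is None:
        return "unparsed"
    if m.group(6) == "414" or len(m.group(5)) > max_len:
        return "oversized"
    return "ok"


def split_log(lines, max_len=MAX_REQUEST_LEN):
    """Split lines into (clean, quarantined) without re-emitting the long request."""
    clean, quarantined = [], []
    for raw in lines:
        line = raw.rstrip("\n")
        kind = classify(line, max_len)
        m = LINE_RE.match(line)
        if kind == "ok":
            clean.append(line)
        elif m:
            method = m.group(5).split(" ", 1)[0][:16]
            quarantined.append((kind, f"{m.group(1)} [{m.group(4)}] {method} "
                                      f"status={m.group(6)} request_len={len(m.group(5))}"))
        else:
            quarantined.append((kind, f"unparsed line_len={len(line)}"))
    return clean, quarantined


# Constructed sample lines (not taken from the bug report).
SAMPLE = [
    '192.0.2.10 - - [19/Apr/2004:10:00:00 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [19/Apr/2004:10:00:05 +0200] "SEARCH /' + "A" * 8000 + '" 414 340 "-" "-"',
    '192.0.2.11 - - [19/Apr/2004:10:00:09 +0200] "GET /a?q=\\"x\\" HTTP/1.1" 200 512 "-" "-"',
    'garbage that is not a log entry',
]

if __name__ == "__main__":
    clean, quarantined = split_log(SAMPLE)
    print(f"{len(clean)} clean entries")
    for kind, summary in quarantined:
        print(kind, summary)
```

The clean list can be passed to the analyzer unchanged, while the quarantined summaries keep source address, time, method, status and request length for review.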


