Bug#638011: LimitRequestLine not taken into account when talking to CGI script
Package: apache2-mpm-prefork
Version: 2.2.16-6+squeeze1
As of version 2.2.16, Apache applies a fixed line length limit of 8192
bytes when talking to a CGI script: in file `server/util_script.c`,
function `ap_scan_script_header_err_core`, at lines 403--433,
one can read:
char x[MAX_STRING_LEN];
char *w, *l;
[...]
if (buffer) {
*buffer = '\0';
}
w = buffer ? buffer : x;
[...]
while (1) {
int rv = (*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data);
where `MAX_STRING_LEN` is defined in `httpd.h` to be equal to
`HUGE_STRING_LEN`, that is, 8192.
The directive `LimitRequestLine` should apply here as well, or the
documentation should make it clear that this setting does not
influence the CGI module.
I'm using Debian squeeze, with the latest updates:
$ dpkg -l apache\* | grep ^i
ii apache2 2.2.16-6+squeeze1
Apache HTTP Server metapackage
ii apache2-doc 2.2.16-6+squeeze1
Apache HTTP Server documentation
ii apache2-mpm-prefork 2.2.16-6+squeeze1
Apache HTTP Server - traditional non-threaded model
ii apache2-utils 2.2.16-6+squeeze1
utility programs for webservers
ii apache2.2-bin 2.2.16-6+squeeze1
Apache HTTP Server common binary files
ii apache2.2-common 2.2.16-6+squeeze1
Apache HTTP Server common files
Thanks,
Riccardo
Reply to: