--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apache2-mpm-prefork: apache2 sends "400 bad request" on POST from some firefox browsers
- From: Thomas Voelkl <thomas@puzzleandplay.de>
- Date: Mon, 11 Jun 2012 16:18:46 +0200
- Message-id: <20120611141846.5954.75721.reportbug@localhost.localdomain>
Package: apache2-mpm-prefork
Version: 2.2.16-6+squeeze7
Severity: important
Tags: squeeze
Some of our users are not able to upload a file via POST Request by using their
firefox browser. They get error 400 Bad Request.
apache error.log: "request failed: error reading the headers"
The problem is reproducible (on the affected systems) and the file size is
important. Small files (~100 KB) work and larger files (~2 MB) do not.
Affected Browsers/Operating Systems (client side):
- it seems that only a few (~1%) of our firefox users run into that problem when
uploading a file. Normal GET requests are not affected.
- all versions of firefox are affected.
- different operating systems are affected: WinXP, Vista, 7, Mac
- no common plugins found on the affected browsers, but running firefox in
"safe-mode" solves the problem (= then the upload is possible).
- different antivirus and security suites used by the users.
Affected Webservers/Operating Systems (server side):
- only apache <= 2.2.16 (squeeze) seems to be affected. (Apache 2.2.9, Debian;
Apache 2.2.10, SUSE)
- the affected clients also have this problem when uploading a file to other
companies' webservers (if they are <= apache 2.2.16)
- apache 2.2.22 (wheezy) seems to work correctly.
- nginx, IIS also worked correctly
I installed a server for TESTING and ran tshark to capture the packets.
- http://uploadtest.puzzleandplay.de/goodrequest.png (upload a small file, it
works)
- http://uploadtest.puzzleandplay.de/badrequest.png (upload a large file, it
did NOT work)
Related (known) problems that did not help to solve the problem:
- http://stackoverflow.com/questions/9921052/400-bad-request-when-uploading-a-file-from-firefox-11-mac-osx
Well, I am not sure if firefox or apache is responsible for that problem. BUT
many different users are affected and in apache 2.2.22 the problem seems to be
solved. I hope that a solution can be found for 2.2.16 (squeeze). I do not want
to upgrade to wheezy on a production system ;-)
Thanks,
Thomas
Details of apache 2.2.22:
====================
ii apache2-mpm-prefork 2.2.22-5 Apache HTTP Server - traditional non-threaded model
Details of apache 2.2.16:
====================
ii apache2-mpm-prefork 2.2.16-6+squeeze7 Apache HTTP Server - traditional non-threaded model
-- Package-specific info:
List of enabled modules from 'apache2 -M':
alias auth_basic authn_file authz_default authz_groupfile
authz_host authz_svn authz_user autoindex cgi dav_fs dav dav_svn
deflate dir env expires log_forensic mime negotiation php5
reqtimeout rewrite setenvif ssl status unique_id vhost_alias
List of enabled php5 extensions:
curl gd http imagick mcrypt memcache mysql mysqli pdo pdo_mysql
ssh2 suhosin uploadprogress
-- System Information:
Debian Release: 6.0.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (300, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages apache2-mpm-prefork depends on:
ii apache2.2-bin 2.2.16-6+squeeze7 Apache HTTP Server common binary f
ii apache2.2-common 2.2.16-6+squeeze7 Apache HTTP Server common files
apache2-mpm-prefork recommends no packages.
apache2-mpm-prefork suggests no packages.
--- End Message ---
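The report above gives an operator two footprints of this failure: the error_log line "request failed: error reading the headers" and a 400 on the corresponding POST in the access_log. The following triage script is an added example (written for this page, not code from the reporter or from the Debian package) that parses both Apache 2.2 log formats, counts header-read failures per client and cross-checks them against the POSTs that got a 400, so the share of affected clients and their user agents can be measured instead of estimated. The regexes, the function names and the sample log lines (RFC 5737 test addresses) are constructed for the demonstration.

```python
import re
from collections import Counter

# Apache 2.2 error_log line shape (regex written for this example):
# [Mon Jun 11 16:18:46 2012] [error] [client 192.0.2.10] request failed: error reading the headers
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[0-9a-fA-F.:]+)\] (?P<msg>.*)$"
)
HEADER_READ_FAILURE = "request failed: error reading the headers"

# Combined-format access_log line; the user agent is the last quoted field.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample logs; these are not captures from the reporter's server.
SAMPLE_ERROR_LOG = """\
[Mon Jun 11 16:18:46 2012] [error] [client 192.0.2.10] request failed: error reading the headers
[Mon Jun 11 16:19:02 2012] [error] [client 192.0.2.10] request failed: error reading the headers
[Mon Jun 11 16:20:11 2012] [error] [client 198.51.100.7] request failed: error reading the headers
[Mon Jun 11 16:21:30 2012] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico
[Mon Jun 11 16:22:05 2012] [notice] Apache/2.2.16 (Debian) configured -- resuming normal operations
"""

SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [11/Jun/2012:16:18:40 +0200] "POST /upload HTTP/1.1" 400 226 "-" "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0"
192.0.2.10 - - [11/Jun/2012:16:19:00 +0200] "POST /upload HTTP/1.1" 400 226 "-" "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0"
198.51.100.7 - - [11/Jun/2012:16:20:09 +0200] "POST /upload HTTP/1.1" 400 226 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20100101 Firefox/12.0"
203.0.113.5 - - [11/Jun/2012:16:21:28 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 5.1) Chrome/19.0"
203.0.113.9 - - [11/Jun/2012:16:23:00 +0200] "POST /upload HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0"
"""


def parse_error_log(text):
    """Yield (timestamp, level, client_ip, message) for every line that carries a client address."""
    for line in text.splitlines():
        m = ERROR_LINE.match(line)
        if m:
            yield m.group("ts"), m.group("level"), m.group("ip"), m.group("msg")


def header_read_failures(text):
    """Count 'error reading the headers' events per client IP."""
    counts = Counter()
    for _ts, _level, ip, msg in parse_error_log(text):
        if msg == HEADER_READ_FAILURE:
            counts[ip] += 1
    return counts


def parse_access_log(text):
    """Yield one dict per parseable combined-format access_log line."""
    for line in text.splitlines():
        m = ACCESS_LINE.match(line)
        if m:
            yield m.groupdict()


def failed_post_clients(access_text, status="400"):
    """Map client IP -> set of user agents whose POSTs were answered with `status`."""
    by_ip = {}
    for rec in parse_access_log(access_text):
        if rec["method"] == "POST" and rec["status"] == status:
            by_ip.setdefault(rec["ip"], set()).add(rec["ua"])
    return by_ip


def affected_client_share(error_text, access_text):
    """(affected, total): distinct clients with a header-read failure vs. all distinct clients seen."""
    affected = set(header_read_failures(error_text))
    seen = {rec["ip"] for rec in parse_access_log(access_text)}
    return len(affected & seen), len(seen)


def triage(error_text, access_text):
    """Per affected client: how many header-read failures, and which user agents sent failing POSTs."""
    failures = header_read_failures(error_text)
    posts = failed_post_clients(access_text)
    return {ip: {"failures": n, "user_agents": sorted(posts.get(ip, ()))}
            for ip, n in failures.items()}


if __name__ == "__main__":
    hit, total = affected_client_share(SAMPLE_ERROR_LOG, SAMPLE_ACCESS_LOG)
    print(f"{hit} of {total} distinct clients hit the header-read failure")
    for ip, info in triage(SAMPLE_ERROR_LOG, SAMPLE_ACCESS_LOG).items():
        print(ip, info)
```

Run it against real logs by reading the two files into the `*_text` arguments. The cross-check matters because the error_log message alone also fires for genuinely malformed requests, so only clients that appear in both lists are candidates for the stalled-upload pattern described above.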
--- Begin Message ---
- To: 677086-close@bugs.debian.org
- Subject: Bug#677086: fixed in apache2 2.2.16-6+squeeze8
- From: Stefan Fritsch <sf@debian.org>
- Date: Wed, 12 Sep 2012 22:32:16 +0000
- Message-id: <E1TBvTk-00083o-SB@franck.debian.org>
Source: apache2
Source-Version: 2.2.16-6+squeeze8
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 677086@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 09 Sep 2012 23:08:04 +0200
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-dbg
Architecture: source all i386
Version: 2.2.16-6+squeeze8
Distribution: squeeze
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
apache2 - Apache HTTP Server metapackage
apache2-dbg - Apache debugging symbols
apache2-doc - Apache HTTP Server documentation
apache2-mpm-event - Apache HTTP Server - event driven model
apache2-mpm-itk - multiuser MPM for Apache 2.2
apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
apache2-mpm-worker - Apache HTTP Server - high speed threaded model
apache2-prefork-dev - Apache development headers - non-threaded MPM
apache2-suexec - Standard suexec program for Apache 2 mod_suexec
apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
apache2-threaded-dev - Apache development headers - threaded MPM
apache2-utils - utility programs for webservers
apache2.2-bin - Apache HTTP Server common binary files
apache2.2-common - Apache HTTP Server common files
Closes: 671204 672333 677086
Changes:
apache2 (2.2.16-6+squeeze8) squeeze; urgency=low
.
* CVE-2012-2687: mod_negotiation: Escape filenames in variant list to
prevent a possible XSS vulnerability for a site where untrusted users
can upload files to a location with MultiViews enabled.
* Send 408 status instead of 400 if reading of a request fails with a
timeout. This allows browsers to retry. Closes: #677086
* mod_cache: Prevent Partial Content responses from being cached and served
as normal response. Closes: #671204
* mpm_itk: Fix an issue where users can sometimes get spurious 403s on
persistent connections. Closes: #672333
Checksums-Sha1:
b308be271ebd4ef9870ca1bba32c38c0658290fe 1832 apache2_2.2.16-6+squeeze8.dsc
c535230f6f8c32020a2446e73cbe46092f17fa9c 225359 apache2_2.2.16-6+squeeze8.diff.gz
f9482cd65b5dccd1535033f338ce003bd20f3b92 2305160 apache2-doc_2.2.16-6+squeeze8_all.deb
d42c1a654dbfcdf023116458ee430514e6526f93 308732 apache2.2-common_2.2.16-6+squeeze8_i386.deb
68ede4f69e4cd0747c9fc6bb11ee823fc326306d 1354090 apache2.2-bin_2.2.16-6+squeeze8_i386.deb
7d0b49997613fce06d3ab2d781664dc43573cf61 2230 apache2-mpm-worker_2.2.16-6+squeeze8_i386.deb
0c665c009ff5f08687be97a527fb862f680e3548 2286 apache2-mpm-prefork_2.2.16-6+squeeze8_i386.deb
299de8890de38d0fb1474a624df4154a80b29151 2258 apache2-mpm-event_2.2.16-6+squeeze8_i386.deb
927f0935367d3525790defe597c68b2d8f6dc4a9 2292 apache2-mpm-itk_2.2.16-6+squeeze8_i386.deb
2a768453fd7afd59430c8290b0d7a4dc4d67b665 165530 apache2-utils_2.2.16-6+squeeze8_i386.deb
631e90da177de473e73caa1deadcc4e12471d9fd 100062 apache2-suexec_2.2.16-6+squeeze8_i386.deb
042142d042131e3e3a6df65515bd3f966e89ccfe 101624 apache2-suexec-custom_2.2.16-6+squeeze8_i386.deb
98a3b7a875b82bedd552615713aa8c6ff55d3ab5 1392 apache2_2.2.16-6+squeeze8_i386.deb
4979d8a8b3a141475f789e5e24911e46cd8f18e8 137238 apache2-prefork-dev_2.2.16-6+squeeze8_i386.deb
89f7e866e00ba25d7e4e6ef5589b0fae75dbedb3 138374 apache2-threaded-dev_2.2.16-6+squeeze8_i386.deb
abb7ace72b437b5a19d07592dbc9c141c9b5a071 2681686 apache2-dbg_2.2.16-6+squeeze8_i386.deb
Checksums-Sha256:
97ecd4ae85440968b15fdb529989c8e31b24767dd1f9846110364b1f04bf3a58 1832 apache2_2.2.16-6+squeeze8.dsc
6f45f0c0ca30b27bbe12696166b47be0318ead3d4bdac046369679dd15e19475 225359 apache2_2.2.16-6+squeeze8.diff.gz
018f452f7d08fe01ad3a6ae4c9258b22c0d8a89ccaef41fff438180099ecc97e 2305160 apache2-doc_2.2.16-6+squeeze8_all.deb
e4ae68774cd678361849afd593c913a3138b3e1860e951ca5c66ace16a655b84 308732 apache2.2-common_2.2.16-6+squeeze8_i386.deb
39d92447b38a40220fb0587b124649977600565b7772462f8433558f549efcff 1354090 apache2.2-bin_2.2.16-6+squeeze8_i386.deb
348a65bb43ecbfaa28368846db93617b5c3590f08cb5056469db339175a3b987 2230 apache2-mpm-worker_2.2.16-6+squeeze8_i386.deb
54ce34b4f629a2e0c099333aa0b876f1a52edf1cc922aed9de97713b50d045e8 2286 apache2-mpm-prefork_2.2.16-6+squeeze8_i386.deb
73405540e305e5820b72a59ac1540fa4b2308419e4ae33478dfd106badffeaf5 2258 apache2-mpm-event_2.2.16-6+squeeze8_i386.deb
0dac2b1dcf18a234c2f94f024e056aac2fc57d1b8edbd55358ff73ed4b4b14c6 2292 apache2-mpm-itk_2.2.16-6+squeeze8_i386.deb
172afc24e9b6193cb48d115586a53761977004b8d7fe8124efe5745607f68880 165530 apache2-utils_2.2.16-6+squeeze8_i386.deb
2faa3349cce0a332f67100f85c0e8b3da3760537b1ac2834ff7762e4d0e4b26c 100062 apache2-suexec_2.2.16-6+squeeze8_i386.deb
10ca1c9421364915c5c633c52ec74b80bc0cc968e419b86e680c4ac6349a0e96 101624 apache2-suexec-custom_2.2.16-6+squeeze8_i386.deb
4651804047fb92be73fef24cbea443cec46e206779666bbf08815a70fbbeadd4 1392 apache2_2.2.16-6+squeeze8_i386.deb
4e86b56a730226d1226b72457e49dc19b173b33ea54062ad3d1ce09d606da0c5 137238 apache2-prefork-dev_2.2.16-6+squeeze8_i386.deb
5c8fdd3c51bd114d54025383720640dd3e46aba9f4559ff355e79f9a64b647f9 138374 apache2-threaded-dev_2.2.16-6+squeeze8_i386.deb
7d641e125b469acf14523600070badb71c17fd7d1d3b244f7b4bf4094bd8b7cd 2681686 apache2-dbg_2.2.16-6+squeeze8_i386.deb
Files:
93dedf30664000765e6e9c48ca9eb81a 1832 httpd optional apache2_2.2.16-6+squeeze8.dsc
3f0e7dec82adfe5802023b07c8bc97aa 225359 httpd optional apache2_2.2.16-6+squeeze8.diff.gz
413976ec79dcc824d148761c7a3037e8 2305160 doc optional apache2-doc_2.2.16-6+squeeze8_all.deb
51cbacc577e2ac6038630abe9081949a 308732 httpd optional apache2.2-common_2.2.16-6+squeeze8_i386.deb
9cdecaf5c62a2bfec99a91767707ae76 1354090 httpd optional apache2.2-bin_2.2.16-6+squeeze8_i386.deb
a9876c92f9b4a9893b45f069bd82138e 2230 httpd optional apache2-mpm-worker_2.2.16-6+squeeze8_i386.deb
3ecd0e355098555c5095469ea2782815 2286 httpd optional apache2-mpm-prefork_2.2.16-6+squeeze8_i386.deb
9f43aff5c8b2cc6a478272b107cb6083 2258 httpd optional apache2-mpm-event_2.2.16-6+squeeze8_i386.deb
725e6637966a2c6da7af5efb05857627 2292 httpd extra apache2-mpm-itk_2.2.16-6+squeeze8_i386.deb
905ac52c11c8c177f5aab6217900ac47 165530 httpd optional apache2-utils_2.2.16-6+squeeze8_i386.deb
4bc2081e3215c535da427d027d840758 100062 httpd optional apache2-suexec_2.2.16-6+squeeze8_i386.deb
f1a87bfa633fab355ef8dcb5f78265a9 101624 httpd extra apache2-suexec-custom_2.2.16-6+squeeze8_i386.deb
706e39696e6442dbd88acf9ec6bf00b6 1392 httpd optional apache2_2.2.16-6+squeeze8_i386.deb
a10fe5ac68c48376f429c1e0af8b3257 137238 httpd extra apache2-prefork-dev_2.2.16-6+squeeze8_i386.deb
308d86aec4e498e91c527b5178490011 138374 httpd extra apache2-threaded-dev_2.2.16-6+squeeze8_i386.deb
70f27aff5fd224478b7732873ef7a42e 2681686 debug extra apache2-dbg_2.2.16-6+squeeze8_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFQUOqWbxelr8HyTqQRAgzVAKDfRiukFJLYL9GGepsGdFyk4Ya29ACeM0Jh
N8QjAfoNUDD/tb9hGI9jHwc=
=YdMu
-----END PGP SIGNATURE-----
--- End Message ---
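To make the changelog item for #677086 concrete: a server that reads the header block with a timeout must distinguish a client that stalled (408 Request Timeout, which tells the browser the request was never processed and may be resent) from a client that sent bytes that are not a valid request (400 Bad Request, which a browser will not retry). The toy server below is an added example written for this page; it is not Apache's request-reading code, and the 0.5 s timeout, the size limit, the `probe` helper and the three sample requests are assumptions for the demonstration.

```python
import socket
import threading

HEADER_TIMEOUT = 0.5      # seconds to wait for the rest of the headers (illustrative value)
MAX_HEADER_BYTES = 8192   # refuse header blocks larger than this (illustrative value)
REASON = {200: "OK", 400: "Bad Request", 408: "Request Timeout"}


def read_request_head(conn, timeout=HEADER_TIMEOUT, limit=MAX_HEADER_BYTES):
    """Read until the blank line that ends the header block.

    Returns (status, head): 200 when a well-formed request line arrived,
    408 when the client stopped sending before the headers were complete,
    400 when the bytes that did arrive are not a valid request.
    """
    conn.settimeout(timeout)
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:           # peer closed mid-headers: nothing to retry
                return 400, buf
            buf += chunk
            if len(buf) > limit:    # oversized header block is a client error
                return 400, buf
    except socket.timeout:          # the client stalled: let it retry
        return 408, buf
    head = buf.split(b"\r\n\r\n", 1)[0]
    request_line = head.split(b"\r\n", 1)[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/1."):
        return 400, head
    return 200, head


def build_response(status):
    """Minimal response; every status here closes the connection, which a 408 must do
    so the client knows the in-flight request was discarded and can safely resend it."""
    body = REASON[status].encode()
    return (f"HTTP/1.1 {status} {REASON[status]}\r\n"
            f"Content-Type: text/plain\r\nContent-Length: {len(body)}\r\n"
            "Connection: close\r\n\r\n").encode() + body


def serve_one(listener):
    """Accept one connection, classify its header block, answer, close."""
    conn, _ = listener.accept()
    with conn:
        status, _head = read_request_head(conn)
        conn.sendall(build_response(status))


def send_and_get_status(port, payload):
    """Client side: send `payload` as-is, wait for the reply, return its status code."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)
        resp = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            resp += chunk
    return int(resp.split(b" ", 2)[1])


def probe(payload):
    """Run one server/client exchange over loopback and return the status the server chose."""
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_one, args=(listener,))
    worker.start()
    try:
        return send_and_get_status(port, payload)
    finally:
        worker.join()
        listener.close()


# Constructed sample requests: complete, stalled before the blank line, and malformed.
COMPLETE_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
STALLED_POST = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 2097152\r\n"
MALFORMED = b"garbage\r\n\r\n"

if __name__ == "__main__":
    for name, payload in (("complete", COMPLETE_GET), ("stalled", STALLED_POST), ("malformed", MALFORMED)):
        print(f"{name:>9}: {probe(payload)}")
```

The stalled case is the one the bug report describes: the request line and some headers arrive, then nothing for the duration of the timeout. Answering it with 400 makes browsers show an error; answering with 408 and `Connection: close` lets them resend, which is what the squeeze8 change does in Apache.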