DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20438>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20438 LimitRequestFieldSize/LimitRequestFields Issue Summary: LimitRequestFieldSize/LimitRequestFields Issue Product: Apache httpd-2.0 Version: 2.0.46 Platform: All OS/Version: Other Status: NEW Severity: Minor Priority: Other Component: Core AssignedTo: [email protected] ReportedBy: [EMAIL PROTECTED] Apache 2.0.46 and prior suffer from an error in the request field handling. Apache treats: GET / HTTP/1.1 Host: localhost Accept-Encoding: [2000 characters] Accept-Encoding: [2000 characters] Accept-Encoding: [2000 characters] Accept-Encoding: [2000 characters] Accept-Encoding: [2000 characters] AS GET / HTTP/1.1 Host: localhost Accept-Encoding: [2000],[2000],[2000],[2000],[2000] This bypasses the LimitRequestFieldSize directive. This also works on headers that normally shouldn't use multiple options (e.g, User-Agent). I am not certain of this, but wouldn't such concatenations also bypass LimitRequestFields? This is no major deal, but perhaps the docs should be updated to indicate this behavior? --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
