https://issues.apache.org/bugzilla/show_bug.cgi?id=56818
Bug ID: 56818
Summary: SetEnvIf may set invalid string length on empty strings
Product: Apache httpd-2
Version: 2.2.15
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_setenvif
Assignee: [email protected]
Reporter: [email protected]
I found that on a CentOS system[1] the somehow invalid but accepted
configuration sets a variable to an empty value, if there is no
Access-Control-Request-Headers header:

    SetEnvIfNoCase Access-Control-Request-Headers "^(.*)$" AccessControlAllowHeaders=$0

However, in some cases (1% of the requests without
Access-Control-Request-Headers may be), the length of the empty value appeared
to be something like 18446744073709551615 which leads to further errors in
later processing of the requests.

The problem appeared to be visible in JSON data generated by mod_WebObjects[2],
it might be well possible that it's not a problem in mod_setenvif, but seems
unlikely to me. The bug needs further investigation, as it's currently unclear
where mod_WebObjects gets the length from and whose responsibility it is to set
it. However, I currently have no sponsor for that work, so I hope someone will
pick it up.

[1] httpd-2.2.15-30.el6.centos.x86_64
[2] https://github.com/wocommunity/wonder.git