https://bz.apache.org/bugzilla/show_bug.cgi?id=62196
Bug ID: 62196
Summary: Proxy response headers can be thrown away after
processing a large header
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: mod_proxy_http
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Response headers from a proxied request can be thrown away after reading a
large header. If a header exceeds the the buffer size by a small amount -- say
the buffer size is 8 KB and the header is 10 KB -- the next header that is read
will be thrown away.
This looks to be due to ap_rgetline_core throwing away the extra bit of data
when it detects that the buffer would be overrun. ap_proxy_read_headers() in
mod_proxy_http.c then tries to soak up the 'extra data' which was already
thrown away by ap_rgetline_core and causes the next header to be thrown away:
while ((len = ap_getline(field, MAX_STRING_LEN, rr, 1))
>= MAX_STRING_LEN - 1) {
/* soak up the extra data */
}
Removing the while loop does not fix the problem because extra data will be
left from a large header that is at least 3x the proxy response buffer size.
The extra data is then seen as an invalid header and results in a HTTP 502
response.
In the example below, X-Test-Header-2 will be thrown away.
Sample config:
<VirtualHost *:80>
ProxyPass "/test" "http://localhost:8080";
ProxyPassReverse "/test" "http://localhost:8080";
</VirtualHost>
<VirtualHost *:8080>
Header set X-Test-Header-1 "AAAAAAAAAAAAAAA..." # large header > 8KB
Header set X-Test-Header-2 "Testing 1 2 3"
</VirtualHost>
Request/response:
$ curl -sD - http://localhost/test -o /dev/null
HTTP/1.1 200 OK
Date: Tue, 20 Mar 2018 15:46:37 GMT
Server: Apache/2.5.1-dev (Unix)
Last-Modified: Sun, 06 Nov 2016 05:34:43 GMT
ETag: "2d-5409b43abe2c0"
Accept-Ranges: bytes
Content-Length: 45
X-Test-Header-1: AAAA... [truncated]
Content-Type: text/html
Backend trace:
[Tue Mar 20 15:46:37.801645 2018] [headers:trace2] [pid 86969:tid
123145425690624] mod_headers.c(880): AH01502: headers:
ap_headers_output_filter()
[Tue Mar 20 15:46:37.801714 2018] [http:trace3] [pid 86969:tid 123145425690624]
http_filters.c(1070): [client ::1:59315] Response sent with status 200,
headers:
[Tue Mar 20 15:46:37.801767 2018] [http:trace5] [pid 86969:tid 123145425690624]
http_filters.c(1079): [client ::1:59315] Date: Tue, 20 Mar 2018 15:46:37 GMT
[Tue Mar 20 15:46:37.801790 2018] [http:trace5] [pid 86969:tid 123145425690624]
http_filters.c(1082): [client ::1:59315] Server: Apache/2.5.1-dev (Unix)
[Tue Mar 20 15:46:37.801889 2018] [http:trace4] [pid 86969:tid 123145425690624]
http_filters.c(900): [client ::1:59315] Last-Modified: Sun, 06 Nov 2016
05:34:43 GMT
[Tue Mar 20 15:46:37.801915 2018] [http:trace4] [pid 86969:tid 123145425690624]
http_filters.c(900): [client ::1:59315] ETag: \\"2d-5409b43abe2c0\\"
[Tue Mar 20 15:46:37.801931 2018] [http:trace4] [pid 86969:tid 123145425690624]
http_filters.c(900): [client ::1:59315] Accept-Ranges: bytes
[Tue Mar 20 15:46:37.801944 2018] [http:trace4] [pid 86969:tid 123145425690624]
http_filters.c(900): [client ::1:59315] Content-Length: 45
[Tue Mar 20 15:46:37.801972 2018] [http:trace4] [pid 86969:tid 123145425690624]
http_filters.c(900): [client ::1:59315] X-Test-Header-1: AAAA...
[Tue Mar 20 15:46:37.802032 2018] [http:trace4] [pid 86969:tid 123145425690624]
http_filters.c(900): [client ::1:59315] X-Test-Header-2: Testing 1 2 3
Proxy trace:
[Tue Mar 20 15:46:37.805911 2018] [http:trace3] [pid 86970:tid 123145344696320]
http_filters.c(1070): [client ::1:59314] Response sent with status 200,
headers:
[Tue Mar 20 15:46:37.805926 2018] [http:trace5] [pid 86970:tid 123145344696320]
http_filters.c(1079): [client ::1:59314] Date: Tue, 20 Mar 2018 15:46:37 GMT
[Tue Mar 20 15:46:37.805938 2018] [http:trace5] [pid 86970:tid 123145344696320]
http_filters.c(1082): [client ::1:59314] Server: Apache/2.5.1-dev (Unix)
[Tue Mar 20 15:46:37.805952 2018] [http:trace4] [pid 86970:tid 123145344696320]
http_filters.c(900): [client ::1:59314] Last-Modified: Sun, 06 Nov 2016
05:34:43 GMT
[Tue Mar 20 15:46:37.805964 2018] [http:trace4] [pid 86970:tid 123145344696320]
http_filters.c(900): [client ::1:59314] ETag: \\"2d-5409b43abe2c0\\"
[Tue Mar 20 15:46:37.805976 2018] [http:trace4] [pid 86970:tid 123145344696320]
http_filters.c(900): [client ::1:59314] Accept-Ranges: bytes
[Tue Mar 20 15:46:37.805987 2018] [http:trace4] [pid 86970:tid 123145344696320]
http_filters.c(900): [client ::1:59314] Content-Length: 45
[Tue Mar 20 15:46:37.806009 2018] [http:trace4] [pid 86970:tid 123145344696320]
http_filters.c(900): [client ::1:59314] X-Test-Header-1: AAAA...
[Tue Mar 20 15:46:37.806057 2018] [http:trace4] [pid 86970:tid 123145344696320]
http_filters.c(900): [client ::1:59314] Content-Type: text/html
[Tue Mar 20 15:46:37.806090 2018] [core:trace6] [pid 86970:tid 123145344696320]
util_filter.c(797): [client ::1:59314] reinstate empty brigade to full brigade
in 'req_core' output filter
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
