On 16.09.2013 14:14, Eric Covener wrote:
> Safe to assume it's a defect, and one we would have preferred
> reported to [email protected]. Does it only happen when you
> configure a literal string as your errordocument?

it is *not* the custom ErrorDocument
i strongly recommend testing this behavior against any possible
error-condition with auto-tests

in fact each time LimitRequestBody is triggered and results in a 413
error in case of a PHP script "mod_php" is skipped and the underlying
script source added after the error response - not sure if this also
happens with higher values because the 10 was intended to test the
setting at all as reaction to the following (german) article and should
have become 4096 after successful test

php is configured this way if it matters:
AddType application/x-httpd-php .php

please let me know if there is a patch available which i could add to
my RPM-SPEC to test/confirm

http://www.heise.de/newsticker/meldung/Lange-Passwoerter-legen-Djangos-Webapps-lahm-1957899.html

On 16.09.2013 13:56, Reindl Harald wrote:
> why in the world does Apache add the *sourcecode* of the called PHP
> script after the specified ErrorDocument? this is a major problem
> and exactly *not* what should happen by a security option
> ________________________________________________
>
> <Location "/cms.php">
>  LimitRequestBody 10
> </Location>
>
> ErrorDocument 413 "<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01
> Transitional//EN'
> 'http://www.w3.org/TR/html4/loose.dtd'><html><head><title>Error 413 - Request
> Entity Too Large</title><style
> type='text/css'>* {font-family:Arial,Helvetica; text-decoration:none;
> font-size:16px;} body {margin:0px;
> padding:15px;}</style></head><body><h1 style='margin-top:0px;
> font-size:18px;'>Error 413</h1><p>Request Entity Too
> Large / Anfrage zur Bearbeitung zu lang<br />Tech. Contact: <a
> href='mailto:[email protected]?subject=Server-Error-413'>[email protected]</a></p></body></html>"
> ________________________________________________
>
> OUTPUT TO THE BROWSER (stripped, yes it adds the complete PHP script)
>
> <!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'
> 'http://www.w3.org/TR/html4/loose.dtd'><html><head><title>Error 413 - Request
> Entity Too Large</title><style
> type='text/css'>* {font-family:Arial,Helvetica; text-decoration:none;
> font-size:16px;} body {margin:0px;
> padding:15px;}</style></head><body><h1 style='margin-top:0px;
> font-size:18px;'>Error 413</h1><p>Request Entity Too
> Large / Anfrage zur Bearbeitung zu lang<br />Tech. Contact: <a
> href='mailto:[email protected]?subject=Server-Error-413'>[email protected]</a></p></body></html><?php
> /**
> CONTENT MANAGMENT SYSTEM / CONTENTLOUNGE
> ------------------------------------------------------------------
> AENDERUNGEN UND WEITERGABE DIESER DATEI OHNE RUECKSPRACHE MIT DEM
> ENTWICKLER SIND LIZENZRECHTLICH NICHT GESTATTET!
> ---------------------------------------------------
signature.asc
Description: OpenPGP digital signature
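
An automated check of the kind the message above recommends, as an added example that is not code from this thread or from the Apache project: it audits a raw HTTP error response for PHP opening tags and for bytes trailing the error document. The function names and the sample responses are assumptions constructed for illustration.

```python
import re

# Markers that should never appear in an error response sent to a client.
PHP_OPEN = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
HTML_END = re.compile(rb"</html\s*>", re.IGNORECASE)

def split_response(raw):
    """Split a raw HTTP/1.x response into (status_code, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    return int(status_line.split(b" ", 2)[1]), body

def audit_error_response(raw):
    """Return findings for an error response that carries script source."""
    status, body = split_response(raw)
    findings = []
    if status < 400:
        return findings  # only error responses are audited here
    tag = PHP_OPEN.search(body)
    if tag:
        findings.append(f"{status}: PHP open tag at body offset {tag.start()}")
    ends = list(HTML_END.finditer(body))
    if ends:
        trailing = body[ends[-1].end():]
        if trailing.strip():
            findings.append(f"{status}: {len(trailing)} bytes after </html>")
    return findings

# Constructed sample data (not captured traffic): a short error document and
# two responses, one clean and one with placeholder source appended.
ERROR_DOC = b"<html><body><h1>Error 413</h1></body></html>"
HEADERS = b"HTTP/1.1 413 Request Entity Too Large\r\nContent-Type: text/html\r\n\r\n"
CLEAN = HEADERS + ERROR_DOC
LEAKY = HEADERS + ERROR_DOC + b"<?php\n/** constructed placeholder */\n"

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("leaky", LEAKY)):
        print(name, audit_error_response(raw) or "ok")
```

In a regression suite the raw bytes would come from the responses a test server returns for each error condition instead of the constructed samples.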
