On 16.09.2013 at 19:33, Yehuda Katz wrote:
> I can sort-of confirm this.
>
> Apache 2.4.3 on Windows 7 x64 (ApacheLounge build)
> For me, the PHP is executed, not displayed.
>
> Stock configuration with mod_php and only this added:
> <Location "/phpinfo.php">
> LimitRequestBody 1
> </Location>
>
> The built in error is displayed with the processed PHP (in my case, just
> phpinfo() ) appended. I could not
> replicate this with any other directive.

2.4.10 that issue still exists and the only safe way in context of mod_php and httpd is to stay at "LimitRequestBody 0" because even a file-upload exceeding that limit leads to spitting out the content of the php script instead of an error page

mod_security and "SecRequestBodyLimit" works as expected blocking the request - so it hardly is a bug in mod_php which should not be called at all if "LimitRequestBody" takes action

if it can't be reproduced there should be at least a big fat warning in the documentation that it has the opposite effect in some environments

> On Mon, Sep 16, 2013 at 7:56 AM, Reindl Harald <[email protected]
> <mailto:[email protected]>> wrote:
>
> why in the world does Apache add the *source code* of the called PHP
> script after the specified ErrorDocument? this is a major problem
> and exactly *not* what should happen by a security option
> ________________________________________________
>
> <Location "/cms.php">
> LimitRequestBody 10
> </Location>
>
> ErrorDocument 413 "<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01
> Transitional//EN'
> 'http://www.w3.org/TR/html4/loose.dtd'><html><head><title>Error 413 -
> Request Entity Too Large</title><style
> type='text/css'>* {font-family:Arial,Helvetica; text-decoration:none;
> font-size:16px;} body {margin:0px;
> padding:15px;}</style></head><body><h1 style='margin-top:0px;
> font-size:18px;'>Error 413</h1><p>Request Entity Too
> Large / Anfrage zur Bearbeitung zu lang<br />Tech. Contact: <a
> href='mailto:[email protected]
>
> <mailto:[email protected]>?subject=Server-Error-413'>[email protected]
> <mailto:[email protected]></a></p></body></html>"
> ________________________________________________
>
> OUTPUT TO THE BROWSER (stripped, yes it adds the complete PHP script)
>
> <!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'
> 'http://www.w3.org/TR/html4/loose.dtd'><html><head><title>Error 413 -
> Request Entity Too Large</title><style
> type='text/css'>* {font-family:Arial,Helvetica; text-decoration:none;
> font-size:16px;} body {margin:0px;
> padding:15px;}</style></head><body><h1 style='margin-top:0px;
> font-size:18px;'>Error 413</h1><p>Request Entity Too
> Large / Anfrage zur Bearbeitung zu lang<br />Tech. Contact: <a
> href='mailto:[email protected]
> <mailto:[email protected]>?subject=Server-Error-413'>[email protected]
> <mailto:[email protected]></a></p></body></html><?php
> /**
> CONTENT MANAGMENT SYSTEM / CONTENTLOUNGE
> ------------------------------------------------------------------
> AENDERUNGEN UND WEITERGABE DIESER DATEI OHNE RUECKSPRACHE MIT DEM
> ENTWICKLER SIND LIZENZRECHTLICH NICHT GESTATTET!
> ---------------------------------------------------
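
An added example, not part of the thread and not code from either poster or from httpd: a check that classifies a captured response to an over-limit request into the two behaviours reported above (processed PHP appended, or raw script source appended after the ErrorDocument). The function names, result labels and sample responses are constructed for illustration, and the body is assumed to be already de-chunked.

```python
import re

# PHP opening tags; "<?xml" is deliberately not matched.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)

def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    fields = head.split(b"\r\n", 1)[0].split(b" ", 2)
    if not sep or len(fields) < 2 or not fields[0].startswith(b"HTTP/"):
        raise ValueError("not a complete HTTP response")
    return int(fields[1]), body

def classify_413(raw: bytes, error_document: bytes) -> str:
    """Classify what follows the configured ErrorDocument in a 413 response."""
    status, body = split_response(raw)
    if status != 413:
        return "not-413"
    pos = body.find(error_document)
    # If the expected document is missing, inspect the whole body instead.
    trailing = body if pos == -1 else body[pos + len(error_document):]
    if PHP_OPEN_TAG.search(trailing):
        return "source-leak"    # raw script appended, as in the cms.php report
    if trailing.strip():
        return "extra-output"   # processed PHP appended, as in the phpinfo.php report
    return "clean"              # only the error document was sent

# Constructed samples, not captures from either poster's server.
ERROR_DOC = b"<html><body><h1>Error 413</h1></body></html>"
HEAD = b"HTTP/1.1 413 Request Entity Too Large\r\nContent-Type: text/html\r\n\r\n"
SAMPLES = {
    "leak": HEAD + ERROR_DOC + b"<?php\n/** constructed script body */\n",
    "executed": HEAD + ERROR_DOC + b"<table><tr><td>PHP Version</td></tr></table>",
    "clean": HEAD + ERROR_DOC + b"\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify_413(raw, ERROR_DOC))
```

Anything other than "clean" for a 413 means the handler still ran or its file was served despite the limit taking effect.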
