Am 03.10.2014 um 00:09 schrieb Eric Covener: > On Thu, Oct 2, 2014 at 5:06 PM, Reindl Harald <[email protected] wrote: > > however, control that by modsec gives you even the option to > select the status code without leak source code - if a module > can do that why not the core itself unconditional? > > The core or any other module could check the content-length earlier > and return an error a different way, but it doesn't
so that's a bug according to the intention of the option IMHO the core should stop the request and discard any output not part of the error response independent from where it is coming from similar to exit(ob_end_clean()) in a php script http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
signature.asc
Description: OpenPGP digital signature
