On Thu, Oct 2, 2014 at 7:02 PM, Reindl Harald <[email protected]> wrote:
>
> On 03.10.2014 at 00:09, Eric Covener wrote:
> > On Thu, Oct 2, 2014 at 5:06 PM, Reindl Harald <[email protected]> wrote:
> > >
> > > however, control that by modsec gives you even the option to
> > > select the status code without leak source code - if a module
> > > can do that why not the core itself unconditional?
> >
> > The core or any other module could check the content-length earlier
> > and return an error a different way, but it doesn't
>
> so that's a bug according to the intention of the option
>
> IMHO the core should stop the request and discard any output
> not part of the error response independent from where it is
> coming from similar to exit(ob_end_clean()) in a php script
>
> http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody

Unfortunately there are considerations beyond what would make it easiest on Reindl Harald.
