On 03.10.2014 at 02:18, Eric Covener wrote:
> On Thu, Oct 2, 2014 at 7:02 PM, Reindl Harald <[email protected] wrote:
> 
>     On 03.10.2014 at 00:09, Eric Covener wrote:
>     > On Thu, Oct 2, 2014 at 5:06 PM, Reindl Harald <[email protected] wrote:
>     >
>     >     however, control that by modsec gives you even the option to
>     >     select the status code without leaking source code - if a module
>     >     can do that why not the core itself unconditionally?
>     >
>     > The core or any other module could check the content-length earlier
>     > and return an error a different way, but it doesn't
> 
>     so that's a bug according to the intention of the option
> 
>     IMHO the core should stop the request and discard any output
>     not part of the error response independent from where it is
>     coming from similar to exit(ob_end_clean()) in a php script
> 
>     http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
> 
> Unfortunately there are considerations beyond what would make it easiest on
> Reindl Harald

no idea where that polemic comes from

what makes it "easiest on Reindl Harald" is just "LimitRequestBody 0"
as already happened and so it's hardly about me, it's about others who
use the option to increase security and unfortunately leak code with passwords
