On Thu, Jul 19, 2018 at 2:23 PM Luca Toscano <toscano.l...@gmail.com> wrote: > > Hi again Cory, > > 2018-07-19 19:02 GMT+02:00 Cory McIntire <c...@cpanel.net>: >> >> Hi Luca, >> >> Sorry for quick reply but we were able to replicate it just now: >> >> # setup a brand new install of wp on a domain (don't have to go through the >> 'db' setup process, just configure wp-config.php to get to install.php >> redirect) >> # install mod_ratelimit, and setup a vhost.conf with the ratelimit config >> for the domain >> # restart apache >> # visit site, see you are getting the "redirect" content instead of actually >> being redirected: >> >> • curl -H'Host: cptestaddon.com' http://10.215.218.12/ >> • HTTP/1.1 302 Moved Temporarily >> • Date: Thu, 19 Jul 2018 16:47:07 GMT >> • Server: Apache >> • X-Powered-By: PHP/5.6.36 >> • Expires: Wed, 11 Jan 1984 05:00:00 GMT >> • Cache-Control: no-cache, must-revalidate, max-age=0 >> • Pragma: no-cache >> • Location: http://cptestaddon.com/wp-admin/install.php >> • Transfer-Encoding: chunked >> • Content-Type: text/html; charset=UTF-8 >> • 0 >> >> It is any CGI app but WP was an easy target to replicate on. >> > > I can see the same thing with a simple php script that says "this is a test" > on my testing environment: > > vagrant@stretch:~$ curl -k https://localhost/test.php > HTTP/1.1 200 OK > Date: Thu, 19 Jul 2018 18:15:09 GMT > Server: Apache/2.4.34-dev (Unix) OpenSSL/1.1.0f > Transfer-Encoding: chunked > Content-Type: text/html; charset=UTF-8 > > this is a test! > 0 > > (Note the zero at the end) >
You think that's weird, I see a chunk length before the status line when using a raw socket: $ printf "GET /cgi-bin/test-cgi HTTP/1.1\r\nHost: foo\r\n\r\n" | nc 0 80 23a HTTP/1.1 200 OK Date: Thu, 19 Jul 2018 19:12:05 GMT Server: Apache/2.4.34-dev (Unix) OpenSSL/1.1.0g Transfer-Encoding: chunked Content-Type: text/plain CGI/1.0 test script report: argc is 0. argv is . SERVER_SOFTWARE = Apache/2.4.34-dev (Unix) OpenSSL/1.1.0g SERVER_NAME = foo GATEWAY_INTERFACE = CGI/1.1 SERVER_PROTOCOL = HTTP/1.1 SERVER_PORT = 80 REQUEST_METHOD = GET HTTP_ACCEPT = PATH_INFO = PATH_TRANSLATED = SCRIPT_NAME = /cgi-bin/test-cgi QUERY_STRING = REMOTE_HOST = REMOTE_ADDR = 127.0.0.1 REMOTE_USER = AUTH_TYPE = CONTENT_TYPE = CONTENT_LENGTH = 0 > So this is a bug introduced by the latest patch for sure, but I still have no > idea where it comes from. I apologize for this issue, I was convinced that > the new code was tested but apparently I missed the most basic use cases. > > Yann, any idea? > > Luca -- Eric Covener cove...@gmail.com