Hi,

I reported that problem about a year ago and yes, this is still not 
fixed. Essentially this is because the fix needs _a lot_ of changes in 
the module core functions, because the whole logic has to be rewritten. 
In the current code, mod_fcgid buffers the entire input data before 
testing the input size (which makes MaxRequestLen useless) and no data 
can be transmitted to the fastcgi process because it doesn't even exist 
yet (the process spawning logic is done after the input data is 
buffered). Even though the fastcgi process would already exist, the 
input request is not bridged to it before the buffering step (meaning: 
you cannot avoid the big memory buffering in any way).

We really have no choice but to redesign that part of the module from 
scratch, which for an 
opensource-unsponsored-minor-project-used-by-3-people-on-earth-and-feeling-alone 
is very long.

At least for the time being, there is no developer working actively on 
the project, so any help is welcome.

The only workaround at the moment is not to use fastcgi for uploading. 
You can rename your upload script to another extension or play with 
the .htaccess file to do that.

I'm working on a complete rewrite of this module but because we 
really care about the process design, this will take a while before 
going public.

Gabriel

On 06/04/2008 1:39:59 PM +0200, Frank Costanza <[EMAIL PROTECTED]> 
wrote:
> Several people in the past have reported problems with large uploads
> and Apache consuming all available memory.
> 
> Although it is claimed that "MaxRequestInMem" and "MaxRequestLen" introduced
> in mod_fcgid 2.2 can be used to overcome this memory consumption problem,
> it appears that it does not work as intended and the bug remains.
> 
> Essentially this can quickly and easily result in a DoS attack.
> 
> Memory of the Apache child process appears to increase by approximately the size
> of the file being uploaded.  For example, if I upload a 100MB file the Apache child
> will grow by around 100MB of memory.
> 
> I'm not much of a programmer, but I've taken a look at the code.  In fcgid_bridge.c,
> line 552, there is the following:
> 
> if (request_size > max_mem_request_len) {
> 
> Just before this line is executed, I added a line in source code to log the values
> of 'request_size' and 'max_mem_request_len'.  The value of request_size is usually 8000
> but is sometimes less than that, but never more than 8000.  The value of 
> max_mem_request_len is 65536, which is the default value (64KB).
> 
> Therefore, as request_size is not greater than max_mem_request_len, the 
> block of code added to use a temporary file is never executed.
> 
> I'm using these versions on a Linux system
> 
> Apache 2.2.8
> mod_fcgid 2.2
> PHP 5.2.6
> 
> 
> I would greatly appreciate if the mod_fcgid developers could take another look at this
> problem.  I am willing to test any patches in order to assist with 
> fixing this problem.
> 
> Regards
> -Frank
> 
> 
> _______________________________________________
> Mod-fcgid-users mailing list
> Mod-fcgid-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-fcgid-users
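
The size check discussed in this thread, modelled as an added example (this is not mod_fcgid source and not code from either poster). It assumes, as the logged values suggest, that `request_size` holds the size of a single read; `body_state`, `read_per_chunk` and `read_cumulative` are hypothetical names, and byte counters stand in for real buffers and temporary files.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a request-body reader; not mod_fcgid source. */
typedef struct {
    size_t in_mem;   /* bytes held in process memory */
    size_t spilled;  /* bytes written to a temporary file */
    int rejected;    /* set once the body would exceed max_len */
} body_state;

/* As reported: each read (<= 8000 bytes) is compared with the limit alone. */
static body_state read_per_chunk(size_t body_len, size_t chunk, size_t mem_limit)
{
    body_state s = {0, 0, 0};
    while (body_len > 0) {
        size_t request_size = body_len < chunk ? body_len : chunk;
        if (request_size > mem_limit)
            s.spilled += request_size;   /* never reached for 8000-byte reads */
        else
            s.in_mem += request_size;
        body_len -= request_size;
    }
    return s;
}

/* Running total: reject past max_len, spill what exceeds mem_limit. */
static body_state read_cumulative(size_t body_len, size_t chunk,
                                  size_t mem_limit, size_t max_len)
{
    body_state s = {0, 0, 0};
    while (body_len > 0) {
        size_t n = body_len < chunk ? body_len : chunk;
        if (n > max_len - (s.in_mem + s.spilled)) { s.rejected = 1; break; }
        size_t room = s.in_mem < mem_limit ? mem_limit - s.in_mem : 0;
        size_t keep = n < room ? n : room;
        s.in_mem += keep;
        s.spilled += n - keep;
        body_len -= n;
    }
    return s;
}

int main(void)
{
    body_state a = read_per_chunk(100u << 20, 8000, 65536);
    body_state b = read_cumulative(100u << 20, 8000, 65536, 1u << 30);
    printf("per-chunk in_mem=%zu; cumulative in_mem=%zu spilled=%zu\n", a.in_mem, b.in_mem, b.spilled);
    return 0;
}
```

With a 100MB body read 8000 bytes at a time, the per-read comparison keeps all of it in memory, while the running-total form holds 64KB and stops reading once the configured maximum would be exceeded.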
