LimitRequestBody directive doesn't work well with mod_python handlers.

                 Key: MODPYTHON-240
             Project: mod_python
          Issue Type: Bug
          Components: core
    Affects Versions: 3.3.1, 3.2.10
            Reporter: Graham Dumpleton

The problem is that mod_python doesn't check whether LimitRequestBody would be 
triggered before actually calling the mod_python handler. Thus, that the post 
data exceeds the limit is only found when of mod_python request 
object is called and a Python exception is generated because of an unknown read 

Now, because a read error of some sort is generated, mod_python handlers would 
normally see it as an unexpected exception and it would propagate back and 
result in a 500 Internal Server Error page rather than a 413 error back to the 
client. Thus a ErrorDocument handler for 413 errors would never be triggered.

FWIW, in mod_wsgi the following is done before the WSGI application is even 

     * Setup policy to apply if request contains a body. Note
     * that it is not possible to have chunked transfer encoding
     * for the request content. This is actually a limitation in
     * WSGI specification as it has no way of indicating that
     * there is content of unknown length, nor a way to deal
     * with trailers appearing after any chunked content.

    status = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR);

    if (status != OK)
        return status;

     * Check to see if request content is too large and end
     * request here. We do this as otherwise it will not be done
     * until first time input data is read in application.
     * Problem is that underlying HTTP output filter will
     * also generate a 413 response and the error raised from
     * the application will be appended to that. The call to
     * ap_discard_request_body() is hopefully enough to trigger
     * sending of the 413 response by the HTTP filter.
    limit = ap_get_limit_req_body(r);

    if (limit && limit < r->remaining) {
        return OK;

Do note though that the size check can only be done after 
ap_setup_client_block() is called. At the moment this is done first time is called. If that is to remain there, then would need to 
do the equivalent of:


Problem is that by doing this in an application may still catch it 
and treat it like an unexpected exception and raise a 500 error response 

It is for this reason that mod_wsgi does the check even before the application 
is called. If a custom error page is required then ErrorDocument directive 
would be used to redirect to a handler.

If an application itself wants to check POST content size, it simply shouldn't 
be using LimitRequestBody directive.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

Reply via email to