Re: Malformed request shuts down httpd
On 28.11.2014 22:51, Ezequiel Garzon wrote: Thanks for all the replies. Ville, I'm using -release, on the i386 architecture... inside a VPS. I can gather from the replies that indeed httpd is changing quite fast right now, so it doesn't seem very useful to report on -release. (In fact, apologies for my question a few days ago on the Last-Modified header: I can see in the -current changelog that it has already been implemented.) Maybe I'll roll up my sleeves and learn how to have a -current system. binary upgrade to latest snapshot from downloaded snapshot bsd.rd sysmerge check current.html change your PKG_PATH to point to snapshot packages pkg_add -ui Thanks, Stuart, too. I didn't now my malformed example was not malformed after all! Cheers, Ezequiel
Re: Malformed request shuts down httpd
On 28 November 2014 at 13:26, Ezequiel Garzon m...@ezequiel-garzon.net wrote:
Hello! I know a lot is happening to httpd lately, so maybe this is not
an issue anymore. I've noticed that a malformed HTTP request such as
$ printf 'GET /file\r\n\r\n'| nc myhost 80
doesn't just silently fail, but rather shuts down httpd. My
/etc/httpd.conf is minimal:
server default {listen on egress port 80}
Has anybody else tried this?
Thanks and cheers,
Ezequiel
Hello Ezequiel,
is that on release, stable or in current and on which hardware architecture?
--
Thanks,
Ville
Re: Malformed request shuts down httpd
Ezequiel Garzon wrote :
Hello! I know a lot is happening to httpd lately, so maybe this is not
an issue anymore. I've noticed that a malformed HTTP request such as
$ printf 'GET /file\r\n\r\n'| nc myhost 80
doesn't just silently fail, but rather shuts down httpd. My
/etc/httpd.conf is minimal:
server default {listen on egress port 80}
Has anybody else tried this?
Thanks and cheers,
Ezequiel
No crash in current, I get a HTTP/1.0 500 Internal Server Error response from
the server. However in the server logs I get different error messages as I
repeat the request:
Undefined error: 0 (500 Internal Server Error)
then:
Resource temporarily unavailable (500 Internal Server Error)
then:
No such file or directory (500 Internal Server Error)
That doesn't sound right.
-b
Re: Malformed request shuts down httpd
On 2014-11-28, Ezequiel Garzon m...@ezequiel-garzon.net wrote:
Hello! I know a lot is happening to httpd lately, so maybe this is not
an issue anymore. I've noticed that a malformed HTTP request such as
$ printf 'GET /file\r\n\r\n'| nc myhost 80
doesn't just silently fail, but rather shuts down httpd. My
/etc/httpd.conf is minimal:
server default {listen on egress port 80}
Has anybody else tried this?
Thanks and cheers,
Ezequiel
httpd in 5.6 was very early code, I think this problem should be fixed in
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/009_httpd.patch.sig
BTW, this is not malformed, it's a valid HTTP 0.9 request.
Re: Malformed request shuts down httpd
I upgraded to 5.6-STABLE (amd64) on November 26th and when I ran this against
my httpd instance it returned:
!DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.01 Transitional//EN
html
head
title500 Internal Server Error/title
style type=text/css!--
body { background-color: white; color: black; font-family: 'Comic Sans MS',
'Chalkboard SE', 'Comic Neue', sans-serif; }
--/style
/head
body
h1Internal Server Error/h1
div id='m'/div
hraddressOpenBSD httpd at {ADDRESSREMOVED} port 80/address
/body
/html
httpd process still running happily, and valid pages are still being served.
- Eric
On Nov 28, 2014, at 3:26 AM, Ezequiel Garzon m...@ezequiel-garzon.net wrote:
Hello! I know a lot is happening to httpd lately, so maybe this is not
an issue anymore. I've noticed that a malformed HTTP request such as
$ printf 'GET /file\r\n\r\n'| nc myhost 80
doesn't just silently fail, but rather shuts down httpd. My
/etc/httpd.conf is minimal:
server default {listen on egress port 80}
Has anybody else tried this?
Thanks and cheers,
Ezequiel
Re: Malformed request shuts down httpd
Thanks for all the replies. Ville, I'm using -release, on the i386 architecture... inside a VPS. I can gather from the replies that indeed httpd is changing quite fast right now, so it doesn't seem very useful to report on -release. (In fact, apologies for my question a few days ago on the Last-Modified header: I can see in the -current changelog that it has already been implemented.) Maybe I'll roll up my sleeves and learn how to have a -current system. Thanks, Stuart, too. I didn't now my malformed example was not malformed after all! Cheers, Ezequiel
