Bug #42404 PHP drops APR_EGENERAL from ap_get_brigade
Submitted: 2007-08-23 21:52 UTC
Modified: 2008-09-14 01:00 UTC
Votes: 1
Avg. Score: 4.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: cvitale at us dot ibm dot com
Assigned:
Status: No Feedback
Package: Apache2 related
PHP Version: 5.2.3
OS: Linux 2.4
Private report: No
CVE-ID: None

 [2007-08-23 21:52 UTC] cvitale at us dot ibm dot com
Description:
------------
I've compiled PHP to run on Apache 2.0.59 with --with-apxs2.

The function php_apache_sapi_read_post in php-5.2.3/sapi/apache2handler/sapi_apache2.c assumes that the call to ap_get_brigade will never return an error that PHP should give to Apache. This violates Apache best practices.

An Apache2 input content filter may return an error, like APR_EGENERAL. I am working on a filter that will reject suspicious input content and return this value. I also set the Apache request_rec status to 403.

The requests that are returned have a 403 Forbidden status header and the normal PHP output body content.

If ap_get_brigade returns an Apache error, PHP should stop processing.
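
The failure mode described in this report, as an added self-contained C model (not PHP or Apache source, and not code from the reporter). `model_req`, `model_get_input`, `read_post_lossy`, `read_post_checked` and `handler_runs_script` are hypothetical stand-ins for the request, `ap_get_brigade` behind an input filter, the SAPI read callback and the handler; the `<script` rule and the status values are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in for apr_status_t with APR_SUCCESS / APR_EGENERAL (constructed values). */
typedef enum { ST_SUCCESS = 0, ST_EGENERAL = 1 } status_t;
struct model_req { const char *body; size_t left; int http_status; };

/* Hypothetical input filter: rejects a body containing "<script" and sets 403. */
static status_t model_get_input(struct model_req *r, char *buf, size_t *len) {
    if (strstr(r->body, "<script")) { r->http_status = 403; *len = 0; return ST_EGENERAL; }
    size_t n = r->left < *len ? r->left : *len;
    memcpy(buf, r->body, n);
    r->body += n; r->left -= n; *len = n;
    return ST_SUCCESS;
}

/* Checked read: the filter's status is handed back so the handler can stop. */
static size_t read_post_checked(struct model_req *r, char *buf, size_t count, status_t *err) {
    size_t total = 0, len = count;
    while ((*err = model_get_input(r, buf + total, &len)) == ST_SUCCESS && len != 0) {
        total += len;
        if (total == count) break;
        len = count - total;
    }
    return total;
}

/* Pattern from the report: the status is dropped and only a byte count survives,
   so a filter rejection looks the same as an empty or finished body. */
static size_t read_post_lossy(struct model_req *r, char *buf, size_t count) {
    status_t ignored;
    return read_post_checked(r, buf, count, &ignored);
}

/* Returns 1 if the script would still run; *http_status is what the filter set. */
static int handler_runs_script(const char *body, int checked, int *http_status) {
    struct model_req r = { body, strlen(body), 200 };
    char buf[256];
    status_t err = ST_SUCCESS;   /* the lossy path never gets to change this */
    if (checked) read_post_checked(&r, buf, sizeof buf, &err);
    else read_post_lossy(&r, buf, sizeof buf);
    *http_status = r.http_status;
    return err == ST_SUCCESS;
}

int main(void) {
    int st, lossy = handler_runs_script("c=<script>x", 0, &st);
    int checked = handler_runs_script("c=<script>x", 1, &st);
    printf("status=%d lossy_ran=%d checked_ran=%d\n", st, lossy, checked);
    return 0;
}
```

With the lossy read, the rejected request ends up with status 403 while the script still runs, which is the 403-with-normal-body response the report describes.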


 [2008-09-06 16:02 UTC] jani@php.net
Since you seem to know Apache quite well, maybe you could provide us with a patch to fix this issue?
 [2008-09-14 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".