Bug 50824

Summary: limiting and unsafe use of fixed length buffer for reading configuration
Product: Apache httpd-2
Reporter: Zdenek Salvet <salvet>
Component: Runtime Config
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Severity: major
CC: dvutova, michalp
Priority: P2
Keywords: FixedInTrunk
Version: 2.2.9
Target Milestone: ---
Hardware: PC
OS: Linux

Description Zdenek Salvet 2011-02-24 05:39:27 UTC
Configuration files are read line by line using buffers of fixed length
(MAX_STRING_LEN) and exceptional conditions EOF/error/buffer-full are not
handled appropriately. The 8kB limit on configuration line length is too low,
e.g., for some uses of the SSLRequire directive; it would be much better
to implement reading lines of arbitrary length.
Comment 1 Stefan Fritsch 2011-03-29 17:39:12 UTC
The error handling has been fixed in trunk in r1086756 / r1086761
Comment 2 Stefan Fritsch 2011-08-13 09:09:21 UTC
Line limit increased to 16MB in r1157354
Comment 3 Stefan Fritsch 2011-10-14 17:57:01 UTC
*** Bug 52017 has been marked as a duplicate of this bug. ***
Comment 4 Stefan Fritsch 2012-02-26 17:10:28 UTC
fixed in 2.4.1
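
The three conditions named in the description (EOF, read error, buffer full) handled separately in a fixed-buffer line reader. This is an added example, not httpd's code and not the change committed in the revisions above; `cfg_getline`, `cfg_count`, the `CFG_*` codes, the 16-byte buffer and the sample directive values are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

enum cfg_status { CFG_OK, CFG_EOF, CFG_IOERR, CFG_TOO_LONG }; /* example codes, not httpd's */
/* Read one line into buf[size], stripping the newline. An over-long line is
 * reported and consumed whole, so its tail is never returned as a new line. */
enum cfg_status cfg_getline(char *buf, size_t size, FILE *fp)
{
    if (size < 2)
        return CFG_TOO_LONG;
    if (fgets(buf, (int)size, fp) == NULL)
        return ferror(fp) ? CFG_IOERR : CFG_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return CFG_OK;
    }
    if (len < size - 1)               /* unterminated last line of the file */
        return ferror(fp) ? CFG_IOERR : CFG_OK;
    int c = getc(fp);                 /* buffer full: look at what follows */
    if (c == '\n' || (c == EOF && !ferror(fp)))
        return CFG_OK;                /* line was exactly size-1 characters */
    while (c != EOF && c != '\n')     /* drain the rest of the long line */
        c = getc(fp);
    return ferror(fp) ? CFG_IOERR : CFG_TOO_LONG;
}

/* Count the lines of `text` (constructed sample input) that yield `want`. */
int cfg_count(const char *text, size_t size, enum cfg_status want)
{
    char buf[64];
    enum cfg_status st;
    int n = 0;
    FILE *fp = (size >= 2 && size <= sizeof buf) ? tmpfile() : NULL;
    if (fp == NULL)
        return -1;
    fputs(text, fp);
    rewind(fp);
    while ((st = cfg_getline(buf, size, fp)) != CFG_EOF && st != CFG_IOERR)
        n += (st == want);
    fclose(fp);
    return n;
}

int main(void)
{
    const char *conf = "ServerName a\nSSLRequire aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\nListen 80\n";
    printf("ok=%d too_long=%d\n", cfg_count(conf, 16, CFG_OK), cfg_count(conf, 16, CFG_TOO_LONG));
    return 0;
}
```

A caller that only tests the `fgets` return value for NULL would see the over-long line above as three separate lines; returning a distinct status lets the parser reject the file with a line number instead.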