Bug 56176

Summary: mod_substitute truncates the response body if the "Line is too long"
Product: Apache httpd-2 Reporter: Dan McLaughlin <dan>
Component: mod_substituteAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: normal CC: jwezel
Priority: P2    
Version: 2.4.7   
Target Milestone: ---   
Hardware: PC   
OS: All   

Description Dan McLaughlin 2014-02-21 23:04:56 UTC
The following fix added in 2.3.15 

"mod_substitute: To prevent overboarding memory usage, limit line length to 1MB. [Stefan Fritsch]"

causes any line in the response body that is over 1MB to be omitted from the response, delivering a partial response, and the following entry is logged "[Fri Feb 21 16:23:46.440472 2014] [substitute:error] [pid 3912:tid 2600] [client 192.168.0.5:62707] AH01328: Line too long, URI /secure/foo/bar/Main.aspx, referer: https://myhost/secure/foo/bar/Main.aspx?evt=2001&src=Main.aspx.2001"
 
Especially considering that Apache still responds with an HTTP 200 status code, I would think the proper response would be for mod_substitute to just return the line without parsing it, because returning a partial response just ends up corrupting the response. 

I can see the argument that you may not want to return a line if substitutions fail, but I don't think that should be the default behavior or you should at least provide the ability to define the default behavior.
Comment 1 Jochen Wezel 2014-07-29 07:50:23 UTC
>for mod_substitute to just return the line without parsing it
for security reasons as well as corporate image reasons, this might be very dangerous

better just fail with a server error (e.g. HTTP 500 or 500.100 or similar value) so that it's obvious that something went wrong with it
Comment 2 Christophe JAILLET 2015-04-04 21:23:40 UTC
In 2.4.11, a new parameter SubstituteMaxLineLength has been added (see http://httpd.apache.org/docs/2.4/mod/mod_substitute.html#substitutemaxlinelength)