Bug 47895 - Incorrect 413 error handling
Summary: Incorrect 413 error handling
Status: RESOLVED LATER
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core (show other bugs)
Version: 2.2.11
Hardware: PC All
: P2 major (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: MassUpdate
Depends on:
Blocks:
 
Reported: 2009-09-24 03:49 UTC by colin
Modified: 2018-11-07 21:09 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description colin 2009-09-24 03:49:06 UTC
Apache incorrectly sends the file content after sending 413 error message, for example:

POST /robots.txt HTTP/1.0
Content-Length: -75000000

HTTP/1.1 413 Request Entity Too Large
Date: Thu, 24 Sep 2009 10:42:30 GMT
Server: Apache/2.2.11 (Unix)
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/robots.txt<br />
does not allow request data with POST requests, or the amount of data provided in
the request exceeds the capacity limit.
</body></html>
User-agent: *
Disallow: /d2/
Crawl-delay: 1

Apache should close the connection after sending </html> but it doesn't.

It's a big problem when PHP scripts are requested with a wrong Content-Length because the source code is sent to a client after the error message:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/test.php<br />
does not allow request data with POST requests, or the amount of data
provided in
the request exceeds the capacity limit.
</body></html>
<?php
$dblogin = 'admin';
$dbpass = 'secret';
mysql_connect('localhost', $dblogin, $dbpass);
echo 'some output';
?>
Comment 1 Nick Kew 2009-11-01 11:03:30 UTC
I can't reproduce this, which leads me to suspect something in your configuration, or PHP.  What happens without mod_php loaded?  Do you have mod_cache loaded?

If you can reproduce it with no third-party modules loaded, please upload a minimal config to demonstrate it.
Comment 2 colin 2010-01-16 02:33:05 UTC
Without mod_php, the error message is also incorrect:

POST /forum/index.php HTTP/1.0
Host: centrump2p.com
Content-Length: -5000

HTTP/1.1 413 Request Entity Too Large
Date: Sat, 16 Jan 2010 10:25:44 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/php5-cgi/forum/index.php<br />
does not allow request data with POST requests, or the amount of data provided in
the request exceeds the capacity limit.
</body></html>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
 michkol@gmail.com and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<p>Additionally, a 500 Internal Server Error
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

Server configuration: http://colin.az.pl/config.html. No third-party modules are loaded.
Comment 3 Nick Kew 2010-01-24 13:32:26 UTC
(In reply to comment #2)
> Without mod_php, the error message is also incorrect:

Are you sure that's without mod_php?  You've got mod_php configured (though using AddType, which lives on in undeath since it ceased to be the right thing with Apache 1.1.0 back in about 1996).

> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>413 Request Entity Too Large</title>
> </head><body>
> <h1>Request Entity Too Large</h1>
> The requested resource<br />/php5-cgi/forum/index.php<br />
> does not allow request data with POST requests, or the amount of data provided
> in
> the request exceeds the capacity limit.
> </body></html>

Where does that come from?  Apache's canned 413 response should have slightly different body text:

    The <!--#echo var="REDIRECT_REQUEST_METHOD" -->
    method does not allow the data transmitted, or the data volume
    exceeds the capacity limit.

Yours seems to me the better text, if we ignore the continuation (which rings a bell: I thought the double-errordocument was a bug we'd fixed).

> Server configuration: http://colin.az.pl/config.html. No third-party modules
> are loaded.
Comment 4 colin 2010-01-24 13:50:29 UTC
mod_php is not loaded. I use AddType because the Action directive requires it.

Loaded modules:
actions alias auth_basic authn_file authz_default authz_host authz_user autoindex cgi deflate dir headers mime rewrite setenvif status

The 413 response comes from:
httpd-2.2.9/modules/http/http_protocol.c:983:                           " requests, or the amount of data provided in\n"
Comment 5 colin 2010-01-24 14:47:26 UTC
I can reproduce this bug on your server:
POST / HTTP/1.0
Host: webthing.com
Content-Length: -10000000

HTTP/1.1 413 Request Entity Too Large
Date: Sun, 24 Jan 2010 22:41:50 GMT
Server: Apache/2.2.9 (Unix) DAV/2 SVN/1.4.6
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/index.html<br />
does not allow request data with POST requests, or the amount of data provided in
the request exceeds the capacity limit.
<hr>
<address>Apache/2.2.9 (Unix) DAV/2 SVN/1.4.6 Server at webthing.com Port 80</address>
</body></html>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
 webthing@webthing.com and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.2.9 (Unix) DAV/2 SVN/1.4.6 Server at webthing.com Port 80</address>
</body></html>
Comment 6 Nick Kew 2010-01-24 18:58:42 UTC
It's a fair cop, guv.

I'm sure we fixed a similar bug a while back, but you seem to have found another.  Bug me if I let this drop now you've provided the reproducible test case!
Comment 7 maapu 2014-01-20 12:47:44 UTC
I am facing this bug now.Has the reason for this bug is found?
php53u-5.3.21
httpd-2.2.26
Comment 8 William A. Rowe Jr. 2018-11-07 21:09:02 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.