Bug 52605 - Please allow request lines longer than 8k
Summary: Please allow request lines longer than 8k
Status: RESOLVED LATER
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core (show other bugs)
Version: 2.2.16
Hardware: PC Linux
: P2 minor (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL: http://bugs.debian.org/638011
Keywords: MassUpdate
Depends on:
Blocks:
 
Reported: 2012-02-05 17:27 UTC by Nirgal Vourgère
Modified: 2018-11-07 21:08 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Nirgal Vourgère 2012-02-05 17:27:48 UTC
From: Riccardo Murri <riccardo.murri@gmail.com>

As of version 2.2.16, Apache applies a fixed line length limit of 8192
bytes when talking to a CGI script: in file `server/util_script.c`,
function `ap_scan_script_header_err_core`, at lines 403--433,
one can read:

        char x[MAX_STRING_LEN];
        char *w, *l;
        [...]
        if (buffer) {
            *buffer = '\0';
        }
        w = buffer ? buffer : x;
        [...]
        while (1) {
            int rv = (*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data);

where `MAX_STRING_LEN` is defined in `httpd.h` to be equal to
`HUGE_STRING_LEN`, that is, 8192.

The directive `LimitRequestLine` should apply here as well, or the
documentation should make it clear that this setting does not
influence the CGI module.
Comment 1 Eric Covener 2012-02-05 17:35:49 UTC
The data being read isn't a request line or a request-anything, so why would that limit apply?
Comment 2 Riccardo Murri 2012-02-05 18:07:44 UTC
Maybe I extracted the wrong bits of code, but in essence the problem
is this: Apache truncates request lines passed to a CGI script to
~8kB, and there is apparently no way of changing that setting.
Comment 3 Eric Covener 2012-02-05 18:58:13 UTC
On 2.2 I was able to send a request line >8k and see its value in the REQUEST_URI environment variable. Can you share the details of the test case?
Comment 4 Nirgal Vourgère 2012-02-15 14:22:50 UTC
I'm not sure this is related, but since commit 1200947 [1], documentation [2] says:

"Under normal conditions, the value should not be changed from the default. Also, you can't set this higher than 8190 without modifying the source and rebuilding."

See also bug 51665 [3]

[1] https://httpd.apache.org/docs/2.2/en/mod/core.html#limitrequestline

[2] https://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/core.xml?r1=1166612&r2=1200947&pathrev=1200947

[3] https://issues.apache.org/bugzilla/show_bug.cgi?id=51665
Comment 5 Riccardo Murri 2012-02-15 18:06:03 UTC
I came across this issue when diagnosing a problem with the IkiWiki
CGI.  Details of the IkiWiki issue can be found here (with pointers to
a similar bug in another software):

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638009

In essence, the problem is that the IkiWiki CGI script generates an
HTTP 302 response, with a very long `Location: ...` line (~16k;
basically it embeds the text of the whole Wiki page in the http:// URL
as a query parameter).  Then Apache (I was using the Debian "squeeze"
one) truncated the line, apparently at ~8k.

The IkiWiki bug has been corrected since (it shouldn't have issued a
redirect in the first place), so current version will not exhibit that
behavior.
Comment 6 William A. Rowe Jr. 2018-11-07 21:08:35 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.