Bug 54578 - Bad docs or unchecked code for "LimitRequestFields"?
Summary: Bad docs or unchecked code for "LimitRequestFields"?
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core (show other bugs)
Version: 2.4.3
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2013-02-18 22:36 UTC by Tianyin Xu
Modified: 2014-02-13 09:35 UTC (History)
2 users (show)


Note You need to log in before you can comment on or make changes to this bug.
Description Tianyin Xu 2013-02-18 22:36:57 UTC

From the online docs (http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields), the "LimitRequestFields" directive is specified to be "an integer from 0 (meaning unlimited) to 32767."

However, in the source code, there's no place tells that where 32767 comes from.
Also, if I configure it to be 100000, the server starts without any warning. 

I wonder whether it's a bug of documentation, or setting the number to be larger than 32767 would cause further problems? In the latter case, we'd better check the value in the parsing function.

Comment 1 Tianyin Xu 2013-02-18 22:46:06 UTC
The same thing for "LimitRequestBody", the docs say

"the number of bytes from 0 (meaning unlimited) to 2147483647 (2GB)"

I set the number to be 2147483648 and my httpd server starts without any problem. And I also didn't find any place in the source code that shows the upper limit.

Comment 2 Yann Ylavic 2014-02-13 09:35:05 UTC
The checked limits really depends on the system (eg. 32/64/other-bit) and its integer types.

LimitRequestFields is an int (16-bit some time ago), whereas LimitRequestBody is an off_t (32-bit likewise), hence the limits specified in the (outdated-)doc.

For LimitRequestFields the code could probably enforce a reasonable hard limit below the one of today's 32-or-more-bit archs (and 32767 seems quite appropriate).

For LimitRequestBody however the documented limit may not be enough, although the code really use an off_t (which is often 64-or-more-bit now, even on LARGEFILE 32-bit archs), so maybe the doc could mention a "[file]system limit" (instead of an hard one).