Bug 56176 - mod_substitute truncates the response body if the "Line is too long"
Summary: mod_substitute truncates the response body if the "Line is too long"
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_substitute (show other bugs)
Version: 2.4.7
Hardware: PC All
: P2 normal with 3 votes (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2014-02-21 23:04 UTC by Dan McLaughlin
Modified: 2015-04-04 21:23 UTC (History)
1 user (show)


Note You need to log in before you can comment on or make changes to this bug.
Description Dan McLaughlin 2014-02-21 23:04:56 UTC
The following fix added in 2.3.15 

"mod_substitute: To prevent overboarding memory usage, limit line length to 1MB. [Stefan Fritsch]"

causes any line in the response body that is over 1MB to be omitted from the response, delivering a partial response, and the following entry is logged "[Fri Feb 21 16:23:46.440472 2014] [substitute:error] [pid 3912:tid 2600] [client] AH01328: Line too long, URI /secure/foo/bar/Main.aspx, referer: https://myhost/secure/foo/bar/Main.aspx?evt=2001&src=Main.aspx.2001"
Especially considering that Apache still responds with an HTTP 200 status code, I would think the proper response would be for mod_substitute to just return the line without parsing it, because returning a partial response just ends up corrupting the response. 

I can see the argument that you may not want to return a line if substitutions fail, but I don't think that should be the default behavior or you should at least provide the ability to define the default behavior.
Comment 1 Jochen Wezel 2014-07-29 07:50:23 UTC
>for mod_substitute to just return the line without parsing it
for security reasons as well as corporate image reasons, this might be very dangerous

better just fail with a server error (e.g. HTTP 500 or 500.100 or similar value) so that it's obvious that something went wrong with it
Comment 2 Christophe JAILLET 2015-04-04 21:23:40 UTC
In 2.4.11, a new parameter SubstituteMaxLineLength has been added (see http://httpd.apache.org/docs/2.4/mod/mod_substitute.html#substitutemaxlinelength)