56176 – mod_substitute truncates the response body if the "Line is too long"

Bug 56176 - mod_substitute truncates the response body if the "Line is too long"

Summary: mod_substitute truncates the response body if the "Line is too long"

Status:	NEW

Alias:	None

Product:	Apache httpd-2
Classification:	Unclassified
Component:	mod_substitute (show other bugs)
Version:	2.4.7
Hardware:	PC All

Importance:	P2 normal with 3 votes (vote)
Target Milestone:	---
Assignee:	Apache HTTPD Bugs Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-02-21 23:04 UTC by Dan McLaughlin
Modified:	2020-03-18 15:37 UTC (History)
CC List:	2 users (show)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Dan McLaughlin 2014-02-21 23:04:56 UTC

The following fix added in 2.3.15 

"mod_substitute: To prevent overboarding memory usage, limit line length to 1MB. [Stefan Fritsch]"

causes any line in the response body that is over 1MB to be omitted from the response, delivering a partial response, and the following entry is logged "[Fri Feb 21 16:23:46.440472 2014] [substitute:error] [pid 3912:tid 2600] [client 192.168.0.5:62707] AH01328: Line too long, URI /secure/foo/bar/Main.aspx, referer: https://myhost/secure/foo/bar/Main.aspx?evt=2001&src=Main.aspx.2001"
 
Especially considering that Apache still responds with an HTTP 200 status code, I would think the proper response would be for mod_substitute to just return the line without parsing it, because returning a partial response just ends up corrupting the response. 

I can see the argument that you may not want to return a line if substitutions fail, but I don't think that should be the default behavior or you should at least provide the ability to define the default behavior.

Comment 1 Jochen Wezel 2014-07-29 07:50:23 UTC

>for mod_substitute to just return the line without parsing it
for security reasons as well as corporate image reasons, this might be very dangerous

better just fail with a server error (e.g. HTTP 500 or 500.100 or similar value) so that it's obvious that something went wrong with it

Comment 2 Christophe JAILLET 2015-04-04 21:23:40 UTC

In 2.4.11, a new parameter SubstituteMaxLineLength has been added (see http://httpd.apache.org/docs/2.4/mod/mod_substitute.html#substitutemaxlinelength)

Comment 3 Adam 2020-03-18 15:34:34 UTC

Just ran into this.  Agree that just returning the un-parsed line is not OK.  But returning 200OK is also clearly wrong.  Would suggest it should return either 502 or 500 error.  The new setting might help avoid it, but if hit it should still not be 200.

We hit it when fetching a list from a REST API behind a reverse proxy with mod_substitute enabled. In this case, it treated the whole response body as  a single line so we got a 200 OK without a response body. A strange behaviour also was that if fetching N items triggered the error then fetching N-1 would complete in around 600ms but fetching N would take 5-6 seconds (and not have body).  Is this expected in this situation, or is it the client waiting for a body that never shows up?  Got same behaviour with command line curl and with PostMan.