56818 – SetEnvIf may set invalid string length on empty strings

Bug 56818 - SetEnvIf may set invalid string length on empty strings

Summary: SetEnvIf may set invalid string length on empty strings

Status:	RESOLVED LATER

Alias:	None

Product:	Apache httpd-2
Classification:	Unclassified
Component:	mod_setenvif (show other bugs)
Version:	2.2.15
Hardware:	PC Linux

Importance:	P2 normal (vote)
Target Milestone:	---
Assignee:	Apache HTTPD Bugs Mailing List

URL:
Keywords:	MassUpdate

Depends on:
Blocks:

Reported:	2014-08-05 12:38 UTC by jw
Modified:	2018-11-07 21:10 UTC (History)
CC List:	2 users (show)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description jw 2014-08-05 12:38:31 UTC

I found that on a CentOS system*1 the somehow invalid but accepted configuration sets a variable to an emtpy value, if there is no Access-Control-Request-Headers Header:

SetEnvIfNoCase Access-Control-Request-Headers "^(.*)$"
AccessControlAllowHeaders=$0

However, in some cases (1% of the requests without Access-Control-Request-Headers may be), the lenght of the empty value appeared to be something like 18446744073709551615 which leads to further errors in later processing of the requests.

The problem appeared to be visible in json data generated by mod_WebObjects*2, it might be well possible that it's not a problem in mod_sentenvif, but seems unlikely to me. The bug needs further investigation, as it's currently unclear where mod_WebObjects get's the length from and whos responsibility it is to set it. However, i currently have no sponsor for that work, so i hope someone will pick it up.


[1] httpd-2.2.15-30.el6.centos.x86_64
[2] https://github.com/wocommunity/wonder.git

Comment 1 Eric Covener 2014-08-05 12:45:01 UTC

There is no separate length. Can you get mod_log_config to log an incorrect value with %{Access-Control-Request-Headers}e ?

Comment 2 William A. Rowe Jr. 2018-11-07 21:10:04 UTC

Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.